Published by Phebe Bates. Modified over 7 years ago.
Slide 1: Module 1: Introducing Active Directory® Domain Services
Course 6425C
Presentation: 90 minutes. Lab: 30 minutes.

Module Goal
This module provides a foundation for the concepts and terminology related to Active Directory® Domain Services (AD DS) as a technology and as a solution. By the end of the module, students will have created a single-domain forest and will know enough about AD DS to understand the importance of what they have done. The lessons and topics in this module can be "driven home" for novices, skimmed or skipped for advanced classes, or skipped and "returned to" at appropriate times. The module's only lab is the creation of a domain, so even the lab can be skipped when time is short or student expertise is adequate.

The most important guidance for instructors is to keep this module high level. Every concept, term, and component is returned to and detailed in later modules. What matters is that students understand the business purpose of AD DS, the basic function of a directory service, and the interactions of its components. They need just enough understanding of the logical and physical structural components, and of concepts such as trusts and replication, that they are not distracted when these terms are touched on in later modules. So, don't try to teach more than what is in this module. This module helps students see "the forest"; later modules take a close look at each tree. Be certain to read the instructor note on the Lesson Overview slide for Lesson 2.

Objectives
After completing this lesson, you will be able to:
Position the strategic role of a directory service in an enterprise in relation to identity and access.
Explain authentication and authorization processes.
Identify the major components of AD DS.
Understand the requirements for installing a domain controller to create a new forest.
Identify the roles of and relationships between AD DS, AD LDS, AD RMS, AD FS, and AD CS.

Module Exam Objectives
Configuring the Active Directory Infrastructure: Configure a forest or domain.

Preparation for Demos
To prepare for the demos in this module, start 6425C-NYC-DC1. NYC-DC1 is the fully populated, WS2008 functional level, single domain controller forest. Log on as Administrator with the password Pa$$w0rd.

Preparation for Labs
There is one lab, at the end of this module. To save time, you can ask students to start the virtual machine at the start of the module. The virtual machine used in the lab is 6425C-NYC-SVR-D.
Slide 2: Module Overview
Overview of Active Directory, Identity, and Access
Active Directory Components and Concepts
Install Active Directory Domain Services
Slide 3: Lesson 1: Overview of Active Directory, Identity, and Access
Information Protection
Identity and Access
Authentication and Authorization
Authentication
Access Tokens
Security Descriptors, ACLs, and ACEs
Authorization
Stand-Alone (Workgroup) Authentication
Active Directory Domains: Trusted Identity Store
Active Directory, Identity, and Access
Active Directory IDA Services
Slide 4: Information Protection
It's all about connecting users to the information they require, securely.
IDA: Identity and Access
AAA: Authentication, Authorization, Accounting
CIA: Confidentiality, Integrity, Availability, and Authenticity

Message to students: The industry as a whole is focused on information protection. This includes Microsoft and is exemplified by its Trustworthy Computing initiative.

Objective: Present an "industry" perspective that will set the stage for discussing how Microsoft implements these concepts.

Lesson flow: Do not go too deep into these information protection "industry" acronyms. This is only a setup for the lesson; there is enough room for detail later. The point is to help students understand that few of the high-level functions of Active Directory are Microsoft-specific: they all fit into wider industry efforts centered on information protection and security. There is a short definition of each acronym in the student handbook, and the most important terms used on the slide and in the student text are detailed on upcoming slides. It is not recommended that you dive deeply into the three information protection acronyms on the slide; that is a worm hole that adds no value in the first few minutes of the class. Instead, emphasize that the entire industry is focused on protection and security, and that there are several "frameworks" within which to think about protection and security.

References
Microsoft Identity and Access Solutions:
Other third-party references on these topics can be found with a web search.
Slide 5: Identity and Access
Identity: User account
Saved in an identity store (directory database)
Security principal
Represented uniquely by the SID
Resource: Shared folder
Secured with a security descriptor
DACL or "ACL"
ACEs or "permissions"

Objective: Introduce the most fundamental concepts and terms.

Lesson flow: High-level slide; details follow on subsequent slides.

Note to students: We are moving slowly into Microsoft's implementation of information protection, but terms such as access control list (ACL) and the related concepts are still industry standards.

Use this slide to set up the most fundamental concepts and terminology related to identity and access (IDA), and the components, processes, and technologies related to IDA on Windows® systems. Begin the discussion of identity and access by telling students what they already know: that the job of an information technology (IT) pro is to connect users with the information they require to get their jobs done. Because users require different levels of access to different classes of information, we must manage the association of the correct users with the correct levels of access, a task broadly known as information protection. At the core of information protection are two critical concepts: identity and access, or IDA.

Explain that in a secured system, each user is represented by an identity. In Windows systems, the identity is the user account, and the accounts of one or more users are maintained in an identity store, also known as a directory database. Don't go as far as mentioning Active Directory by name, because the lesson will build from stand-alone (workgroup) systems, on which the directory database is the Security Accounts Manager (SAM), to the need for a centralized (domain) directory database, Active Directory. An identity is called a security principal in Windows systems, and security principals are uniquely identified by an attribute called the security identifier (SID). Don't yet introduce the concept that groups, computers, and inetOrgPerson objects are security principals; two of those are security principals only in a domain. These come later.

Explain that on the other end of a secured system is the resource to which the user requires access. The resource is secured with permissions, and each permission specifies a pairing of a specific level of access with an identity. Many Windows resources, including and most significantly files and folders on NTFS volumes, are secured by an aptly named security descriptor that contains a discretionary access control list (DACL) in which each permission takes the form of an access control entry (ACE). You can explain now, or on one of the next few slides, that although DACL and ACE are technically accurate terms, most administrators and documentation, including this course, refer to the ACL and "permissions."
Slide 6: Authentication and Authorization
A user presents credentials that are authenticated by using the information stored with the user's identity.
The system creates a security token that represents the user with the user's SID and all related group SIDs.
A resource is secured with an ACL: permissions that pair a SID with a level of access.
The user's security token is compared with the ACL of the resource to authorize a requested level of access.

Objective: Summarize the big picture of authentication and authorization.

Lesson flow: Still high level. Each step summarized on this slide is detailed over the next four slides.

References
Logon and Authentication Technologies:
Authorization and Access Control Technologies:
Slide 7: Authentication
Authentication is the process that verifies a user's identity.
Credentials: at least two components required
User name
Secret, for example, a password
Two types of authentication
Local (interactive) logon: authentication for logon to the local computer
Remote (network) logon: authentication for access to resources on another computer

Objective: Fully flesh out the terminology, concepts, and components of authentication. By the end of this slide, students should fully understand what authentication is.

Define authentication as a process that verifies the user's identity, one that answers the question, "Is the user who she says she is?" To achieve this, the user must identify herself with a user name, called a logon name, and must prove herself by providing to the system a secret known only to her, such as a password.

Mention that the most common way for users to authenticate is by providing a user name and password. However, some computer systems also support authentication based on smart cards, one-time passwords, or biometric information such as fingerprint scans. Each of these acts as a credential.

Introduce the concept that there are two basic types of authentication: local and remote (or network) logon. Although the processes involved are very similar, the difference is called out in various places, including separate user rights for local versus network logon, so it is worthwhile for students to be familiar with the concepts and terminology.

It is too early for novice students to introduce the complex behavior of Kerberos authentication, which applies only in a domain (not workgroup) environment. Keep the discussion focused on the general concepts and components of authentication, not on a specific authentication protocol.
Slide 8: Access Tokens
User's access token:
User SID
Member group SIDs
Privileges ("user rights")
Other access information

Objective: Flesh out the concept of the security access token to a level appropriate for your students' experience and knowledge. You shouldn't take too much time, but by the end of this slide there shouldn't be much question left as to what an access token is and, in particular, that it contains the user and group SIDs.

Explain that one of the outcomes of authentication is the generation of a security token, which is a representation of the user's full identity to the system. It is created when the Local Security Authority (LSA) authenticates the user, and it contains the user's SID, the SIDs of the groups to which the user belongs, and the user's privileges.

Emphasize that the security token is generated locally. A security token is never transmitted over the network, and no Windows system would accept a security token created by the local security authority of another system. Point out what this means in practice: when you log on to a system, that system creates a security token that represents who you are to that system, and when you connect to a server to access a file, that server creates a security token that represents who you are to that server. You may belong to different local groups, or have different privileges, on the server than on the system to which you logged on.

It is not recommended to go into detail about what privileges and other access information mean, or how they are stored in the token and used by the system. You can provide a generic definition of these elements or skip them entirely.
Slide 9: Security Descriptors, ACLs and ACEs
Security descriptor
SACL
DACL or "ACL"
ACE: Trustee (SID), Access Mask
ACE: Trustee (SID), Access Mask

Objective: Flesh out the terminology and components related to a security descriptor.

Lesson flow: You should not digress into a discussion of NTFS permissions or effective permissions, but rather focus on clarifying terminology.

Explain that many resources, including, most significantly, files and folders on NTFS volumes, are secured with security descriptors. Security descriptors contain the system ACL (SACL), which itself contains information about the object owner and auditing settings, and the DACL, often referred to as the ACL even though there are technically two ACLs. Administrators spend most of their time managing the DACL, which is made up of one or more ACEs, or permissions.

Optionally, introduce students to the most technical terminology by explaining that an ACE is a pairing of a security identifier representing the user (or computer or group), called the trustee, and the level of access that the user is being allowed or denied, represented as an access mask. Summarize by explaining that the ACE defines who (the trustee, represented by the SID) can or can't do what (represented by the access mask).
Slide 10: Authorization
Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource.
Three components are required for authorization: the resource, the access request, and the user's security token.
The system finds the first ACE in the ACL that allows or denies the requested access level for any SID in the user's token.
[Slide diagram: the user's access token (user SID, group SIDs, list of user rights, other access information) is compared against the resource's security descriptor (SACL; DACL or "ACL" containing ACEs, each a Trustee (SID) paired with an Access Mask).]

Objective: Ensure that the concepts, terminology, and processes related to authorization are completely clear.

Lesson flow: Again, steer clear of discussions of specific types of authorization, such as NTFS authorization and effective permissions, and focus instead on the concepts as they apply to all forms of authorization. Before continuing from this slide, pause to ask whether there are any questions. This is the end of the "story" of authentication and authorization.

Define authorization as the process that determines whether to grant a user a requested level of access to a resource. Three components are required for authorization: the security subsystem must know which resource the user is trying to access, what type of access is being requested, and who the user is, which is represented by the user's security token. The security subsystem is then able to read the DACL of the resource and find the first ACE that allows or denies the requested level of access to any SID in the user's token.

Optional "internals" note: Most users will be familiar with the fact that deny permissions always override allow permissions, and that explicit permissions always override inherited permissions. These effects are achieved because the ACEs in the ACL are ordered correctly. In an ACL, explicit ACEs come before inherited ACEs, and within each of those two groups, deny permissions come before allow permissions. The security subsystem examines the ACL of the resource, comparing the SIDs in the ACEs to the SIDs in the security token. The first ACE that matches determines whether the user is allowed (if the ACE is an Allow ACE) or denied (if the ACE is a Deny ACE) access to the resource. If no match is found, access is denied. It is not recommended that you digress into a discussion of effective permissions, but most students will be familiar with the end results, and this little bit of detail will interest students who are looking for more "internals" and for whom the information you are presenting is already quite familiar.
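The token-versus-DACL check described in these notes, as an added example that is not course material: a small Python model of the scan, with constructed SIDs and invented access-mask bits, ordered the way the "internals" note describes (explicit before inherited, deny before allow, no match means deny). It goes one step beyond the slide in that Allow ACEs accumulate granted bits across several entries, as Windows does; the slide's "first ACE" wording is the case where a single ACE covers the whole request.

```python
"""Model of how the Windows security subsystem authorizes a request.

Constructed illustration, not course or Windows code. SIDs, access-mask bit
values and the sample DACL are invented; the evaluation order follows the
instructor notes: explicit ACEs before inherited, Deny before Allow within
each group, and an implicit deny when nothing in the DACL matches the token.
"""
from dataclasses import dataclass, field

# Constructed access-mask bits (real NTFS masks use different values).
READ = 0x1
WRITE = 0x2
DELETE = 0x4


@dataclass(frozen=True)
class ACE:
    """One access control entry: a trustee SID paired with an access mask."""
    trustee: str          # SID of a user, group or computer
    mask: int             # level of access being allowed or denied
    allow: bool           # True for an Allow ACE, False for a Deny ACE
    inherited: bool = False


@dataclass
class AccessToken:
    """Built locally by the LSA at logon: the user SID plus member-group SIDs."""
    user_sid: str
    group_sids: frozenset = field(default_factory=frozenset)

    def sids(self) -> frozenset:
        return frozenset({self.user_sid}) | self.group_sids


def canonical_order(dacl):
    """Order ACEs as Windows keeps them: explicit deny, explicit allow,
    inherited deny, inherited allow. This ordering is what makes "deny wins
    over allow" and "explicit wins over inherited" fall out of a first-match scan."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def authorize(token: AccessToken, dacl, requested: int) -> bool:
    """Return True only if every bit in `requested` is granted.

    Walk the DACL in canonical order, skipping ACEs whose trustee is not a SID
    in the token. A Deny ACE that overlaps any still-ungranted bit denies at
    once. Allow ACEs accumulate granted bits; the scan stops as soon as all
    requested bits are granted. Bits left ungranted at the end mean denied."""
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in token.sids():
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False          # matching Deny ACE
        else:
            remaining &= ~ace.mask    # matching Allow ACE grants its bits
            if remaining == 0:
                return True
    return False                      # no (sufficient) match: implicit deny


# Constructed sample: invented SIDs and a shared-folder DACL.
ALICE = "S-1-5-21-1-1-1-1001"
BOB = "S-1-5-21-1-1-1-1002"
SALES = "S-1-5-21-1-1-1-2001"        # group both users belong to
CONTRACTORS = "S-1-5-21-1-1-1-2002"  # group only Bob belongs to

SHARED_FOLDER_DACL = [
    ACE(SALES, READ | WRITE, allow=True, inherited=True),   # inherited allow
    ACE(CONTRACTORS, WRITE, allow=False),                   # explicit deny
    ACE(ALICE, DELETE, allow=True),                         # explicit allow
]

alice_token = AccessToken(ALICE, frozenset({SALES}))
bob_token = AccessToken(BOB, frozenset({SALES, CONTRACTORS}))


def demo() -> dict:
    """Outcomes of a few requests against the sample DACL."""
    return {
        "alice_read": authorize(alice_token, SHARED_FOLDER_DACL, READ),
        "alice_delete": authorize(alice_token, SHARED_FOLDER_DACL, DELETE),
        "alice_read_write_delete": authorize(
            alice_token, SHARED_FOLDER_DACL, READ | WRITE | DELETE),
        "bob_read": authorize(bob_token, SHARED_FOLDER_DACL, READ),
        # Explicit deny on Contractors is scanned before the inherited allow.
        "bob_write": authorize(bob_token, SHARED_FOLDER_DACL, WRITE),
        # Nothing in the DACL grants Bob DELETE: implicit deny.
        "bob_delete": authorize(bob_token, SHARED_FOLDER_DACL, DELETE),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'allowed' if granted else 'denied'}")
```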
Slide 11: Stand-Alone (Workgroup) Authentication
The identity store is the SAM database on the Windows system.
No shared identity store
Multiple user accounts
Management of passwords is challenging

Objective: Define stand-alone (workgroup) configurations and clarify the management and security disadvantages of the model.

Note: The build "script" is in the instructor notes.

Present this scenario of a user (the green user) logging on to his or her desktop. To do that, the user must be authenticated, and therefore must have an identity in the only identity store trusted by the LSA of the system, specifically the SAM. [Note the intentional introduction of the word "trust" here, which sets the stage for intradomain trusts and trusts with other domains.]

The user then needs to open a file in a shared folder on a server. The server, too, must authenticate the user for remote (network) logon. The only identity store trusted by the LSA of the server is its SAM database. Therefore, in order for the user to be authenticated, [CLICK TO BUILD] the user must also have an account in the SAM of the server. Not only must the user be authenticated with an account on the server, but because the server trusts only its local SAM as an identity store, permissions can be assigned only to security principals (trustees) in the local SAM.

If the user name and password of the account are the same as those of the account on the user's desktop, the authentication process will occur transparently to the user. If the user name or password differs, the user will be prompted for credentials. Ask students to consider what happens when the user changes his or her password on the desktop: unless the user also changes the password on the server, the user will be prompted for credentials each time he or she accesses the shared folder.

Because there is no shared identity store, there must be multiple user accounts, and the management of passwords becomes a challenge. The problem only gets worse as you add users to the story. [CLICK TO BUILD] The orange user must have an account on his or her desktop, and if the user requires access to resources on the server, there must be a separate account [CLICK TO BUILD] on the server; again, the synchronization of passwords and other account management tasks becomes twice as difficult. [CLICK TO BUILD] The blue user also needs one account on his or her desktop and another on the server. Explain how the problem quickly becomes unmanageable, and therefore insecure, as more users, resources, and servers are introduced into the environment.
Slide 12: Active Directory Domains: Trusted Identity Store
Centralized identity store trusted by all domain members
Centralized authentication service
Hosted by a server performing the role of an AD DS domain controller

Objective: A centralized directory service such as Active Directory provides a single identity store, authentication service, and point of management for administration. Drive home the advantages of a single identity store for security and manageability.
Slide 13: Active Directory, Identity, and Access
An IDA infrastructure should:
Store information about users, groups, computers, and other identities
Authenticate an identity (Kerberos authentication, used in Active Directory, provides single sign-on: users are authenticated only once)
Control access
Provide an audit trail

Objective: Active Directory (and AD DS specifically) is the core component of IDA. It is how Microsoft implements the broad industry concepts (IDA, AAA, CIA) laid out on the first slide. Define AD DS and mention that there are other services.

Use this slide to wrap up the discussion of identity and access and the strategic role of AD DS as an enabler of IDA for enterprise networks. Be sure students understand that what was "Active Directory" in Windows Server 2003 is now AD DS, and that other services have been added to the Active Directory family. Explain to students that AD DS, while a prominent player, is not the only component of IDA supported by Windows Server 2008 R2. You can list the other Active Directory services, but do not go into any detail about the roles they play.

The slide also presents, for the first time, the term "Kerberos." Use this opportunity to associate Kerberos with authentication. Point out that AD DS uses an industry-standard authentication protocol; it was not "invented by Microsoft." You need not go into detail about Kerberos authentication at this time. Keep focused on ensuring that students understand the role of Active Directory. In the next lesson, you will introduce students to the concepts, terminology, processes, and technologies of Active Directory itself.

Kerberos authentication mechanisms are not enumerated in the course, but they can be an excellent trainer value-add. It is recommended to discuss how Kerberos works in Lesson 14, the last module of the course, but if you have a particularly advanced class and want to "digress" for a moment, you could discuss Kerberos here.
Slide 14: Active Directory IDA Services
Active Directory IDA services:
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Certificate Services (AD CS)
Active Directory Rights Management Services (AD RMS)
Active Directory Federation Services (AD FS)

Objective: Besides Active Directory, there are several other services that rely on AD DS and provide various authentication and authorization services. In this topic, briefly discuss the four additional IDA services and their purpose in an AD DS environment. Do not go into the details; give a high-level overview. For students who want to learn more about these services, direct them to the 6426B training.
Slide 15: Lesson 2: Active Directory Components and Concepts
Active Directory as a Database
Active Directory Data Store
Domain Controllers
Demonstration: Active Directory Schema
Organizational Units
Domain
Forest
Tree
Replication
Sites
Global Catalog
Functional Levels
DNS and Application Partitions
Trust Relationships

VERY IMPORTANT NOTES!
This lesson introduces students to the concepts, terminology, processes, and technologies of Active Directory. It is probably one of the more important modules in the entire course.

To provide a reasonable learning curve and instructional design for students of all levels, the first half to two-thirds of the class uses a single domain controller environment so that students can focus on data management tasks and Group Policy. Only in the later part of the course are additional domain controllers, domains, trees, and forests introduced, as service management scenarios are addressed. Therefore, concepts including domain functional level, replication, global catalog, and trust relationships are not detailed until the later modules that cover the specific service management topics incorporating those concepts. However, some of the earlier modules that address data management scenarios require a reference to these concepts. For example, when discussing group membership, it is important to discuss which group scopes allow members from trusted domains, which is a reference to trust relationships.

A critical outcome of this module is that students understand just enough about each major component and concept of Active Directory that they are not caught off guard when the initial references are made, before those components and concepts have been covered in complete detail. The lesson has been designed to provide that "just enough" level of detail. It is important that you, as the instructor, ensure that students are on the same page, at that level, at the end of this module.

It is therefore important that you avoid the temptation to dive too deep, or to answer student questions that will take you on a digression into details that are covered later in the course. It would be far too easy to teach the entire course within this single lesson. You will have to manage questions and student expectations, especially those of more experienced students, and give them confidence that their questions will be answered in more than enough detail later in the course. Hopefully, the level of detail and technical terminology that you provided even in the introduction to Active Directory in the previous lesson will have begun to instill confidence in the more experienced students that this course will move rapidly into territory that is new and of interest to them. Fortunately, Module 2 is designed in great part to provide that "spark" of excitement to more experienced students.

This "intro" lesson no longer arbitrarily separates objects into "logical structure" and "physical structure" objects. Instead, it lays out the components of Active Directory in a progressive "story." When you boil it down, there is nothing in the Active Directory schema that says an organizational unit (OU) is a logical object and a site is a physical object; that was just the way things used to be explained. It is recommended that you do not try to retrofit these slides into legacy instructional design related to logical versus physical objects.
Slide 16: Active Directory as a Database
Active Directory is a database
Each "record" is an object: users, groups, computers, and so on
Each "field" is an attribute: logon name, SID, password, description, membership, and so on
Identities (security principals or "accounts")
Services: Kerberos, DNS, and replication
Accessing the database:
Windows tools, user interfaces, and components
APIs (.NET, VBScript, Windows PowerShell)
LDAP

Objective: Begin this lesson with the fundamental assertion that Active Directory is, in the end, a database plus the services that support or leverage that database. By framing Active Directory as a database, you will be able to draw comparisons and contrasts with database concepts and terminology that will be familiar to your students.

Explain that each record in the Active Directory database represents an object such as a user, group, or computer. Don't list additional objects such as sites or organizational units; they will be introduced later in this lesson. Explain that each field in the database is an attribute of that object. Attributes include name, SID, password, description, and membership (for group objects). You can mention other attributes as appropriate, but try to keep them focused on attributes of users, groups, and computers, the most familiar objects.

Remind students that Active Directory is an integral piece of IDA: it acts as the identity store. Those identities are "security principals." In the first lesson, users were highlighted as the security principal. This is the opportunity to mention that security principals include users, security groups, and computers. Make sure students are comfortable with those three object classes before mentioning inetOrgPerson objects. You can describe inetOrgPerson objects as a close relative of a user account; they are supported in Active Directory primarily for interoperability with certain third-party directory services. You can explain that few enterprises actually use inetOrgPerson objects. These objects are not mentioned elsewhere in the course, but it is good (particularly for certification purposes) for students to know that there are actually four security principals in an AD DS enterprise.

Point out that you can "get in" to Active Directory in several ways. Be sure to mention and define Lightweight Directory Access Protocol (LDAP), and to point out that it, too, is an industry standard.
Slide 17: Active Directory Data Store
%systemroot%\NTDS\ntds.dit
Logical partitions:
Domain naming context
Schema
Configuration
Global catalog (Partial Attribute Set)
DNS (application partitions)
SYSVOL: %systemroot%\SYSVOL
Logon scripts
Policies
[Slide diagram: NTDS.DIT containing the Domain, Configuration, Schema, DNS, and PAS partitions.]

Message: The database we're discussing is actually a file and a folder: NTDS.DIT as the "database" supporting the objects and attributes, and SYSVOL as a "database" (of sorts) supporting policy-based management (scripts and policies).

Objective: Discuss or show the ntds.dit file and SYSVOL. Mention that there are logical partitions within NTDS.DIT. Do not go too deep.

Using the slide, mention that the single database has logical partitions. You shouldn't go into too much detail yet; simply mention that there are "sections," or partitions, that store particular types of information. You can point out that one of the partitions is the schema, which you have just discussed, and another is the domain partition. You can describe the domain NC as the partition that contains user, computer, and group objects: the partition that most admins will be modifying on a day-to-day basis. Do not provide details about the remaining partitions. Skip or simply list them, but let students know that the other partitions will be described as this and later lessons progress.

Mention that another important store of Active Directory information is SYSVOL. Students will be familiar with the concept of logon scripts, and you just touched on Group Policy, so you can mention that many components that make Group Policy work are stored in, and distributed to clients from, SYSVOL. Point out that SYSVOL is shared and available to all domain users and computers.
18
Module 1: Introducing Active Directory® Domain Services
Course 6425C Domain Controllers Module 1: Introducing Active Directory® Domain Services Servers that perform the AD DS role Host the Active Directory database (NTDS.DIT) and SYSVOL Replicated between domain controllers Kerberos KDC service: Performs authentication Other Active Directory services Best practices Availability: At least two in a domain Security: Server Core and RODCs Message: The database and services are hosted on servers called domain controllers. Objective: Introduce the terms and concepts mentioned below. Continue by mentioning that domain controllers, that is, servers performing the AD DS role, host the Active Directory database, SYSVOL, an authentication service (the Kerberos Key Distribution Center service, or KDC), and other Active Directory services. For redundancy purposes, it is best to have at least two available domain controllers. Highlight that all domain controllers in a domain are essentially equal. Each domain controller holds a copy of the directory store, and updates can be made to the AD DS data on all domain controllers except read-only domain controllers (RODCs). Emphasize the importance of having multiple domain controllers in each domain. This provides load balancing, but more importantly, it also provides recoverability if a server failure occurs. Mention that all domain controllers engage in authentication and authorization, thus making it a redundant system with fewer points of failure. The slide is intentionally vague about best practices. You can, if you would like, go into slightly more detail about putting domain controllers in remote sites to protect against an unavailable wide area network (WAN) connection. You can also talk about increasing the number of domain controllers to account not only for redundancy but for performance as well.
It is recommended that you do not go too deeply into issues of domain controller placement, however, because Module 13 (sites and replication) provides a better platform from which to share guidance about domain controller placement. Mention Server Core and RODCs. They are detailed in later modules, but you can point out that there are options, in addition to physical security, for ensuring the security of domain controllers: a Server Core installation reduces the attack surface of the server, and an RODC in a branch office holds no writable copy of the directory and, by default, caches no account passwords, so the theft of that server does not expose every credential in the domain.
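As an added example (not from the course), the inventory below checks the availability and security points this slide makes: every DC in the domain, whether there are at least two writable ones, which are RODCs or global catalogs, whether the core DC services are running, and which DC the locator picks for a Kerberos logon from this client. It assumes the ActiveDirectory module and permission to query services remotely; the service names NTDS, Kdc, Netlogon and DNS are the real ones.

```powershell
# Added example (not from the course): domain controller inventory and health checks.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Every DC in the domain with the properties that matter for availability and security.
$dcs = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
$dcs | Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# Availability: fewer than two writable DCs means one server failure takes the domain down.
$writable = @($dcs | Where-Object { -not $_.IsReadOnly })
if ($writable.Count -lt 2) {
    Write-Warning ("Only {0} writable DC(s) in {1}; add a second one." -f $writable.Count, $domain.DNSRoot)
}

# Security: RODCs are the DCs that cannot be used to change the directory.
$dcs | Where-Object { $_.IsReadOnly } | ForEach-Object { "RODC: " + $_.HostName }

# The services that make a DC a DC. DNS is only present when the DC also runs DNS Server.
foreach ($dc in $dcs) {
    $svc = Get-Service -ComputerName $dc.HostName -Name NTDS, Kdc, Netlogon, DNS -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        DC      = $dc.HostName
        Stopped = (($svc | Where-Object { $_.Status -ne 'Running' } | ForEach-Object { $_.Name }) -join ',')
    }
}

# Which DC answers a Kerberos logon from this client? The locator prefers a KDC in the
# client's own site and falls back to the next closest site only if none is available.
Get-ADDomainController -Discover -Service KDC -NextClosestSite |
    Select-Object HostName, Site, IPv4Address
```

`-Discover` goes through the same DC locator that Windows clients use, so the last command is a quick way to confirm that site and subnet objects (Module 13) are steering logons to the intended DC.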
Demonstration: Active Directory Schema
Course 6425C Demonstration: Active Directory Schema Module 1: Introducing Active Directory® Domain Services In this demonstration, you will see how the Schema acts as a blueprint for Active Directory by exploring the following attributes and object classes: Attributes: objectSID, sAMAccountName, unicodePwd, member, description Classes: User, Group Message: The definition or “blueprint” of what can be contained in the database is the Schema. Objective: Give students a tour of the Schema to prepare them with an understanding of attributes, object classes, and the way objects come to exist in Active Directory. Make a transition to this slide by asking students, “How does Active Directory know that it is able and allowed to create a record of a user object, and that a user object must have a logon name, password, and SID?” The answer is because there is a part of Active Directory called the schema that serves as a blueprint for the rest of the directory service, specifying the types of objects (object classes) that are allowed, and the attributes of those objects (attributes). Demonstration steps Start 6425C-NYC-DC1 and log on as Administrator with the password, Pa$$w0rd. Open D:\AdminTools\ADConsole.msc. Expand Active Directory, and then expand Active Directory Schema. Review the Attributes container. Attributes are definitions of a property and of its behavior. While scrolling through attributes, notice a couple of attributes whose purpose (if not name) is familiar. Open the Properties of each. objectSID (SID has been mentioned so often already, point out its attribute first) sAMAccountName (what most admins call the “user name”) Discussion point: the Syntax field (the attributeSyntax value) defines the data type of an attribute (Unicode string in this case) unicodePwd member Discussion point: Attributes can be multivalued. When used with a group, it is the list of one or more members. description Open the Classes container.
While scrolling through, point out a couple of already familiar object classes, including user, computer, and group. Explain that object classes are created by referring to attributes in the “pool” of attributes that you just showed them. Open the group object class and demonstrate that it refers to the member attribute.
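The same tour from the command line, as an added example that is not part of the course: it reads the five attribute definitions and the group and user classes straight from the schema partition, so students can see the blueprint as data rather than as snap-in dialog boxes. It assumes the ActiveDirectory module; the syntax OIDs and searchFlags bit are the documented values.

```powershell
# Added example (not from the course): read the schema objects the demonstration opens.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# attributeSyntax OIDs -> the names the snap-in shows in its Syntax field (subset).
$syntaxName = @{
    '2.5.5.1'  = 'DN (reference to another object)'
    '2.5.5.10' = 'Octet string (binary)'
    '2.5.5.12' = 'Unicode string'
    '2.5.5.17' = 'SID'
}

# The five attributes walked through in the demonstration.
foreach ($name in 'objectSid', 'sAMAccountName', 'unicodePwd', 'member', 'description') {
    $a = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, searchFlags
    New-Object PSObject -Property @{
        Attribute    = $a.lDAPDisplayName
        Syntax       = $(if ($syntaxName.ContainsKey($a.attributeSyntax)) { $syntaxName[$a.attributeSyntax] } else { $a.attributeSyntax })
        MultiValued  = (-not $a.isSingleValued)                    # member is multivalued
        InGC         = [bool]$a.isMemberOfPartialAttributeSet      # copied to global catalogs?
        Confidential = ((([int]$a.searchFlags) -band 0x80) -ne 0)  # 0x80 = confidential attribute
    }
}

# Classes are assembled from that pool of attributes. The group class lists member as an
# optional attribute, which is the only reason a group object can have members at all.
$group = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=group))' `
            -Properties systemMayContain, mayContain, systemMustContain, mustContain
"group may contain member: " + ((@($group.systemMayContain) + @($group.mayContain)) -contains 'member')

# Inheritance: user derives from organizationalPerson -> person -> top, and picks up
# securityPrincipal (objectSid, sAMAccountName) as an auxiliary class.
$user = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
            -Properties subClassOf, systemAuxiliaryClass
"user auxiliary classes: " + (@($user.systemAuxiliaryClass) -join ', ')
$chain = @('user'); $class = $user.subClassOf
while ($class -ne 'top') {
    $chain += $class
    $c = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$class))" -Properties subClassOf
    $class = $c.subClassOf
}
($chain + 'top') -join ' -> '
```

The `Confidential` column is worth a glance in a class: it is the searchFlags bit that hides an attribute from ordinary authenticated users, and it is how sensitive extensions (for example, a recovery key stored on a computer object) are meant to be protected.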
Module 1: Introducing Active Directory® Domain Services Before moving on from the slide, students should understand the following: Object classes define what can be stored in the directory. Attributes define the properties of those objects. The Schema is a part of Active Directory that acts as a blueprint by defining object classes and attributes. One of the goals of this slide is to allow you to dive into what is considered an “internal” (very detailed) aspect of AD DS. This will “wake up” and excite the more experienced students in your class. You can determine the right balance of information to provide at this point. You can go into more detail about the schema, perhaps describing the relationship between object classes. For example, a user is a child of person (through organizationalPerson) and carries securityPrincipal as an auxiliary class. It is not recommended that you discuss details of schema management or modification at this point, but it might be useful if you’re working with advanced students to give them a more detailed view of how the schema itself works. Extra information, in case you are asked or wish to share some “internals”: unicodePwd stores the NT hash of the password, the result of a one-way function (OWF) applied to the password, not the password itself. It is write-only over LDAP. A password change or reset is a write to unicodePwd (or, in domains configured to allow it, to userPassword, which is then treated as an alias for unicodePwd) sent over an encrypted connection; the domain controller computes the hash and stores it, and a read of either attribute returns nothing. It is as if you’ve thrown the password down a hole and it has been changed on the way down. The hash can still be obtained by an account that is allowed to replicate the domain partition the way a domain controller does, or by anyone who gets a copy of ntds.dit from a domain controller or one of its backups. Because the NT hash is unsalted, a stolen hash can be attacked offline with a password cracker (cracking, not “hacking”) or, worse, presented in place of the password, so replication permissions, DC backups, and physical access to domain controllers must be controlled as tightly as membership in Domain Admins.
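The check below is an added example, not course material, for the “extra information” above: it shows that unicodePwd cannot be read back, and then audits which principals hold the replication extended rights on the domain partition that would let them pull password hashes the way a DC does. It assumes the ActiveDirectory module (whose `AD:` drive exposes ACLs) and the built-in Administrator account; the three rights GUIDs are the documented schema values.

```powershell
# Added example (not from the course): password attributes and replication-rights audit.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. unicodePwd is never returned by a read, not even to a Domain Admin.
$admin = Get-ADUser -Identity 'Administrator' -Properties unicodePwd, pwdLastSet
"unicodePwd returned: " + ($admin.unicodePwd -ne $null)        # False
"pwdLastSet:          " + [DateTime]::FromFileTime($admin.pwdLastSet)

# 2. A reset is a write; the AD module sends it over a Kerberos-protected ADWS session and
#    the DC stores only the hash. (Hypothetical account name; uncomment to run.)
# Set-ADAccountPassword -Identity 'Pat.Coleman' -Reset -NewPassword (Read-Host 'New password' -AsSecureString)

# 3. Who can read the hashes anyway? These extended rights on the domain NC let a principal
#    replicate secrets like a DC. Expected holders: Domain Controllers, Enterprise Domain
#    Controllers, Enterprise Read-only Domain Controllers (Get-Changes only) and Administrators.
$replRight = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

$acl.Access | Where-Object {
    ($_.AccessControlType -eq 'Allow') -and (
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -or
        ((($_.ActiveDirectoryRights -band $extRight) -ne 0) -and
         (($_.ObjectType -eq [Guid]::Empty) -or $replRight.ContainsKey($_.ObjectType.ToString())))
    )
} | Select-Object IdentityReference, IsInherited, @{
        Name = 'Grants'
        Expression = {
            if (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) { 'GenericAll (everything)' }
            elseif ($_.ObjectType -eq [Guid]::Empty)                          { 'All extended rights' }
            else                                                              { $replRight[$_.ObjectType.ToString()] }
        }
    } | Format-Table -AutoSize
```

Any identity in that list that is not a domain controller group or Administrators is, in effect, a Domain Admin for password purposes and should be removed or justified in writing.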
Course 6425C Organizational Units Module 1: Introducing Active Directory® Domain Services Objects: Users, Computers Organizational Units: Containers that can be used to group objects within a domain Create OUs to: Delegate administrative permissions; Apply Group Policy Message: Active Directory can contain millions of objects. To improve manageability of the objects, they can be put into collections called containers or OUs. Objective: Get the term “OU” defined and understood. Focus on their existence to collect objects, and briefly touch on the highest level points shown on the slide. Active Directory is designed to support millions of objects. How do you secure, manage, and organize those objects? With “container”-type objects called OUs. Introduce students to the concept of containers and OUs, and explain that the primary difference is that, although both objects are a form of container, OUs enable you to manage the configuration of objects by using Group Policy (the built-in Users and Computers containers are plain containers, so no Group Policy can be linked to them). You are encouraged to mention as “bullet points” that OUs are created to support delegation and policy. But don’t go into more detail. Do not allow yourself to be taken into a digression related to OU design. If that begins to happen, remind students that this lesson is all about introducing them to the components of Active Directory, not about detailing any one of them.
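The two reasons the slide gives for creating an OU, delegation and policy, in one runnable sequence. This is an added example, not from the course: it creates an OU, grants a help-desk group just the right to reset passwords on user objects beneath it, and links a new GPO to it. The OU name, the Helpdesk group and the GPO name are assumptions; the two GUIDs are the documented User-Force-Change-Password right and the user class.

```powershell
# Added example (not from the course): an OU that exists to delegate and to apply policy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumed names: adjust to the domain you are working in.
$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Helpdesk Managed Users'
$ouDN     = "OU=$ouName,$domainDN"
$helpdesk = Get-ADGroup -Identity 'Helpdesk'

# 1. The container. Protect it so a slip in the console cannot remove the whole subtree.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true

# 2. Delegation: Helpdesk may reset passwords on user objects in this OU and below,
#    and nothing else. This is one ACE: the User-Force-Change-Password extended right,
#    inherited by descendant objects of class user only.
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class user
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Policy: unlike the built-in Users container, an OU can have a GPO linked to it.
$gpo = New-GPO -Name 'Helpdesk Managed Users - Baseline'
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes | Out-Null

# Verify both: the delegated ACE and the link.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.ObjectType -eq $resetPassword } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
Get-ADOrganizationalUnit -Identity $ouDN -Properties gPLink | Select-Object Name, gPLink
```

Scoping the ACE to class `user` matters: without the inherited-object-type GUID the same right would also apply to computer objects, and a help-desk operator who can reset a domain controller’s computer account password can break replication for that DC.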
Course 6425C Domain Module 1: Introducing Active Directory® Domain Services Requires one or more domain controllers All domain controllers replicate the Domain naming context (Domain NC) The domain is the context within which Users, Groups, Computers, and so on are created “Replication boundary” Trusted identity source: Any domain controller can authenticate any logon in the domain The domain is the maximum scope (boundary) for certain administrative policies: password policy, account lockout policy Message: One or more domain controllers service AD DS in a domain. Objective: Summarize the characteristics of a domain. Lesson flow: Do not spend too much time on the slide.
Course 6425C Forest Module 1: Introducing Active Directory® Domain Services A collection of one or more Active Directory domain trees First domain is the forest root domain Single configuration and schema replicated to all domain controllers in the forest A security and replication boundary Message: One or more trees make up the entirety of an Active Directory instance, called a forest. Objective: Define terms and emphasize that the forest is the true boundary of all security and replication. Define the forest as one or more Active Directory domain trees. Mention that the first domain installed in the forest, called the forest root domain, has some special characteristics that will be covered in later modules, but that the most important characteristic is the existence of several important groups including Enterprise Admins and Schema Admins. The Enterprise Admins group, in effect, owns and can access all objects in all resources in all domains in the forest. You might choose to point out that, because this group is so powerful, most organizations choose to keep the Enterprise Admins group empty on a day-to-day basis, adding accounts to it only temporarily and on an as-needed basis. Ask students to describe the structure they see on the slide: a two-tree, seven-domain forest. If students raise a question about having more than one domain in a forest or about domain design, ask that the discussion be delayed until Module 15, when all of the nuances of AD DS have been laid out. Lesson 2 of Module 15 supports design discussions.
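An added example (not part of the course) that shows a forest the way this slide and the next describe it: the root domain, the forest-wide roles, which domain belongs to which tree by DNS name, and whether the two forest-wide admin groups are empty as the notes recommend. It assumes the ActiveDirectory module and a user allowed to read group membership in the forest root domain.

```powershell
# Added example (not from the course): forest structure and forest-wide privileged groups.
Import-Module ActiveDirectory
$forest = Get-ADForest

$forest | Select-Object Name, RootDomain, ForestMode, SchemaMaster, DomainNamingMaster,
    @{ Name = 'Domains';        Expression = { $_.Domains -join ', ' } },
    @{ Name = 'GlobalCatalogs'; Expression = { $_.GlobalCatalogs -join ', ' } } |
    Format-List

# Trees: a domain belongs to the tree whose root is the shortest forest domain name its own
# DNS name ends with (antarctica.treyresearch.net -> treyresearch.net; proseware.com -> itself).
foreach ($d in $forest.Domains) {
    $treeRoot = $forest.Domains |
        Where-Object { ($d -eq $_) -or $d.EndsWith(".$_") } |
        Sort-Object { $_.Split('.').Count } |
        Select-Object -First 1
    New-Object PSObject -Property @{ Domain = $d; TreeRoot = $treeRoot }
}

# Enterprise Admins and Schema Admins exist only in the forest root domain and should be
# empty day to day. Recursive membership so a nested group cannot hide a member.
foreach ($g in 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $g -Server $forest.RootDomain -Recursive)
    if ($members.Count -eq 0) {
        "$g is empty (good)"
    } else {
        "$g has $($members.Count) member(s): " + (($members | ForEach-Object { $_.SamAccountName }) -join ', ')
    }
}
```

Run the membership check from a scheduled job and alert on any non-empty result; an account that stays in Enterprise Admins for more than the length of one change window is an account that can own every domain in the forest.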
Course 6425C Tree Module 1: Introducing Active Directory® Domain Services One or more domains in a single instance of AD DS that share a contiguous DNS namespace Message: The Domain Name System (DNS) names of domains in AD make up one or more trees. Objective: Introduce the term “tree” as a less important concept related purely to the DNS namespace. Mention that a “tree” is the result of the DNS namespace used by your domains. A tree is a distinct portion of the DNS namespace. A tree can be one domain (for example, a single domain, single tree forest) or more than one domain, as long as those domains share a contiguous DNS namespace. Be sure that students understand that a tree is simply one or more domains that share a contiguous DNS namespace. If two domains do not share a namespace, they make up separate trees in the forest. There is no need to go into the distinction between the “diagramming” of a forest from a DNS perspective (in which case proseware.com and treyresearch.net would be at the same level) versus a “trust path” perspective (shown on the slide with the forest root domain at the “top”). This information is covered in Module 15. However, the slide is created to give you the flexibility to do so if you want to. (Slide diagram: treyresearch.net and proseware.com as two tree roots, with antarctica.treyresearch.net as a child domain of treyresearch.net.)
Course 6425C Replication Module 1: Introducing Active Directory® Domain Services Multimaster replication Objects and attributes in the database Contents of SYSVOL are replicated Several components work to create an efficient and robust replication topology and to replicate granular changes to AD The Configuration partition of the database stores information about sites, network topology, and replication Message: The domain controllers in a domain replicate between each other. Objective: Domain controllers replicate Active Directory in a multimaster fashion using a topology and technologies discussed in Module 13. Lesson flow: Focus on the Domain NC. A later slide supports discussion of the Schema and Configuration replication throughout the forest. The goal of this slide is simply to introduce the concept of replication so that students understand that both the contents of Active Directory and the SYSVOL are replicated between domain controllers. Be sure to emphasize that replication is both efficient and robust. Details will be covered in Module 13, but far too often, students are quite concerned about the impact of replication, which in the real world is rarely a significant issue, let alone a design driver. By seeding the idea that replication is efficient and robust, it will be less likely that concerns about replication will distract students from what they need to learn between now and Module 13. This slide also explains the additional partition of the Active Directory database that was shown on an earlier slide: Configuration. (Slide diagram: DC1, DC2 and DC3 replicating with each other.)
Course 6425C Sites Module 1: Introducing Active Directory® Domain Services An Active Directory object that represents a well- connected portion of your network Associated with subnet objects representing IP subnets Intrasite vs. intersite replication Replication within a site occurs very quickly (15–45 seconds) Replication between sites can be managed Service localization Log on to a domain controller in your site Message: You can control replication and service localization using Active Directory Sites. Objective: Introduce term and purpose of Sites and Subnets at a high level Use the concept of replication to transition to a discussion of sites. Explain that Active Directory sites are objects that represent a well-connected portion of your network. A site may be larger than what you consider a network site. For example, you might have two campuses in a metro area that you consider to be different sites, but if they are well connected, you might choose to represent them as a single Active Directory site. Introduce the concept that sites are logical objects in Active Directory that represent physical characteristics (geographic “sites”) of your network. You can draw a parallel to the fact that a user object “represents” a human being, and a computer object “represents” a computer. Explain that the sites enable you to control (or “throttle”) replication. You have the ability to manage replication between sites. Describe the concept of service localization by using the example of logon. Sites allow a client to identify the “best” instance of a distributed service. In the case of logon, sites allow Windows clients to locate a domain controller in their site, rather than authenticating to a domain controller on the other side of the world. Only if a domain controller is not available in the site will the client attempt to authenticate against a domain controller in another site. As with other concepts, do not go into too much detail. 
Module 13 covers sites, service localization, and replication in great detail. (Slide diagram: Site A and Site B, each with its own domain controllers.)
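The replication and sites slides above, as one added example that is not course material: it resolves this computer’s site from its IP address, shows which DC the locator chooses, and reads the inbound replication status of the local DC from `repadmin /showrepl /csv`, labelling each partner as intrasite or intersite. It assumes you run it on a domain controller with the ActiveDirectory module; the column names are the ones repadmin emits in CSV mode.

```powershell
# Added example (not from the course): service localization and replication status.
Import-Module ActiveDirectory

# Service localization: the site is derived from this computer's IP address and the subnet
# objects in the Configuration partition; the DC locator then prefers DCs in that site.
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
"This computer is in site '{0}' (subnets: {1})" -f $site.Name,
    (($site.Subnets | ForEach-Object { $_.Name }) -join ', ')
$dc = Get-ADDomainController -Discover -SiteName $site.Name -NextClosestSite
"Logon DC chosen by the locator: $($dc.HostName) in site $($dc.Site)"

# Replication status: one row per inbound partner and partition on this DC. When source and
# destination sites differ the link is intersite (scheduled); otherwise it is intrasite
# (change notification, seconds).
$rows = repadmin /showrepl /csv | ConvertFrom-Csv
$rows | ForEach-Object {
    New-Object PSObject -Property @{
        Partition   = $_.'Naming Context'
        From        = $_.'Source DSA'
        Scope       = $(if ($_.'Source DSA Site' -eq $_.'Destination DSA Site') { 'intrasite' } else { 'intersite' })
        LastSuccess = $_.'Last Success Time'
        Failures    = [int]$_.'Number of Failures'
    }
} | Sort-Object Failures -Descending | Format-Table Partition, From, Scope, LastSuccess, Failures -AutoSize

# Anything failing deserves a look before anyone touches the topology.
$failing = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
if ($failing.Count -gt 0) {
    Write-Warning "$($failing.Count) partner/partition pair(s) are failing; run repadmin /showrepl /errorsonly"
}
```

A DC whose Domain NC row shows an old `LastSuccess` is serving stale passwords and group memberships to its site, which is both an availability and a security problem: a disabled account or a removed group membership has not reached it.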
Global Catalog Partial Attribute Set or Global Catalog
Course 6425C Global Catalog Module 1: Introducing Active Directory® Domain Services Partial Attribute Set or Global Catalog Contains every object in every domain in the forest Contains only selected attributes A type of index Can be searched from any domain Very important for many applications Objective: Define the “problem” created (for example, for searching) in a multidomain environment and the “solution” (global catalog), and introduce the internals (partial attribute set). Lesson flow: Tell the story described in the instructor notes below. Remind students that if there is more than one domain in the forest, the configuration and schema are replicated to all domains in the forest but the information in the domain naming context is replicated only between domain controllers in that domain. How, then, can a user in one domain search for objects in another domain? The Global Catalog is referred to regularly before it is covered in detail in Module 12. Therefore it is important that, on the slide, you introduce students to the global catalog in such a way that they understand its purpose, its contents, and the reason many organizations are choosing to make every domain controller a global catalog server. The visual on the slide is designed to help you tell a story. A user in Domain B (green user) is searching for another user by first and last name. The other user (orange user) is in Domain A within the same forest. Because the Domain NC is replicated only to domain controllers within a domain, the details about the orange user are known only to the domain controllers in Domain A. There would be no way for the green user in Domain B to “find” the orange user in Domain A, because the data in the Domain NCs is not shared. The global catalog’s primary purpose is to support directory queries.
Explain that it contains information about every object in every domain in the forest, but to improve performance and reduce size, it does not contain every attribute. Instead, it contains only the attributes that are most likely to be useful in queries. First name and last name are certainly two of those attributes. So the global catalog, or partial attribute set (PAS), contains the indexed attributes for users in other domains. Most search tools are directed to global catalog servers automatically, and there must be at least one in the forest (the first domain controller installed in a forest is a global catalog automatically), so when the green user searches by first name or last name for the orange user, the global catalog will return a result, along with a reference to the full user object in the source domain (Domain A). If the green user drills for details that the global catalog cannot provide, the client will simply open the source object in Domain A. Highlight the importance of the Global Catalog for applications (particularly Microsoft® Exchange Server). Therefore, Active Directory should be designed correctly before applications such as Exchange Server are introduced. The Global Catalog is detailed in Module 12. Instructor note: So that you know where the course is going, the recommendation of the course is the current “best practice” guidance: Make every domain controller a global catalog. Of course, there will be (very limited) situations where this is not appropriate, but in the vast majority of enterprises, and almost all enterprises running Exchange, this will be the best practice. (Slide diagram: a user in Domain A and a user in Domain B, each domain’s domain controllers holding a PAS.)
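The story on this slide, run as code (an added example, not from the course): a search by first and last name goes to a global catalog on port 3268 with an empty search base, which means “the whole forest”; for each hit the script works out the owning domain from the distinguished name and fetches the full object from a DC there, and finally asks the schema which of the requested attributes are actually in the partial attribute set. The search terms are assumptions; the GC port and the `SearchBase ''` convention are real.

```powershell
# Added example (not from the course): forest-wide search via the global catalog, then a
# referral-style follow-up to the object's own domain for attributes the GC does not hold.
Import-Module ActiveDirectory
$forest  = Get-ADForest
$gcHost  = $forest.GlobalCatalogs | Select-Object -First 1
$given   = 'Pat'        # assumed search terms: any user in another domain of the forest
$surname = 'Coleman'

# Port 3268 = global catalog. SearchBase '' on a GC searches every domain in the forest.
$hits = @(Get-ADObject -Server "${gcHost}:3268" -SearchBase '' -SearchScope Subtree `
            -LDAPFilter "(&(objectCategory=person)(objectClass=user)(givenName=$given)(sn=$surname))" `
            -Properties givenName, sn, mail, userPrincipalName, department)
"GC returned $($hits.Count) object(s)"

foreach ($h in $hits) {
    # What the GC knows: only PAS attributes are populated; the rest come back empty.
    $h | Select-Object DistinguishedName, givenName, sn, mail, userPrincipalName, department

    # The owning domain, rebuilt from the DC= components of the DN, then the full object
    # from a DC in that domain (port 389 holds the complete Domain NC).
    $dnsDomain = (($h.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) |
                  ForEach-Object { $_.Substring(3) }) -join '.'
    Get-ADUser -Identity $h.DistinguishedName -Server $dnsDomain -Properties department, title |
        Select-Object SamAccountName, department, title, @{ Name = 'Domain'; Expression = { $dnsDomain } }
}

# Which of the requested attributes are in the PAS? (Exchange setup adds many of its own.)
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($a in 'givenName', 'sn', 'mail', 'userPrincipalName', 'department', 'title') {
    $s = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$a))" `
            -Properties isMemberOfPartialAttributeSet
    "{0,-18} in PAS: {1}" -f $a, [bool]$s.isMemberOfPartialAttributeSet
}
```

If an attribute you rely on for lookups is not in the PAS, adding it (Module 12) is a schema change that causes every global catalog in the forest to receive that attribute for every object, so it is a decision for the forest owner, not a single application team.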
Course 6425C Functional Levels Module 1: Introducing Active Directory® Domain Services Domain functional levels Forest functional levels New functionality requires that domain controllers are running a particular version of Windows: Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 Cannot raise the functional level while domain controllers are running previous Windows versions Cannot add domain controllers running previous Windows versions after raising the functional level Objective: Define functional levels. Ensure that students know that functional level relates only to the domain controllers. Lesson flow: Define the concept of functional levels. Lesson 1 of Module 15 returns to the concept and summarizes the features of each functional level. The module also has a lab in which students experiment with and raise functional levels. In this introductory module, students are not yet assumed to understand Password Settings Objects (PSOs), Read-Only Domain Controllers (RODCs), and other features that are part of each functional level, so you will return to “wrap up” functional levels in Module 15, after each of the features has been detailed. Present the terms domain functional level and forest functional level and describe them as switches that enable new functionality that has been introduced by newer versions of Windows. Be certain that students understand that it is only the domain controllers that must be running at least a certain version of Windows in order to raise the functional level to that version. It does not matter what version of Windows is being run on domain member workstations or servers. As you discuss functional levels, mention one or two features whose benefit is easy for students to understand.
For example, at the Windows Server 2008 domain functional level, you are able to implement fine-grained password policies so that, for example, you can require users who are members of administrative groups to maintain longer passwords, and to change them more frequently, than nonadministrative users. Students will understand the business value of such a feature. You can then use that understanding to encourage students to upgrade domain controllers as quickly as reasonably possible to the newest version of Windows, and then to raise the functional level of the domain. Point out that some applications and services have dependencies on functional level. Also make sure that students understand that one domain can be at a higher functional level while another domain in the forest is at a lower functional level. However, the forest functional level cannot be raised until all domains are at the appropriate domain functional level. Again, the goal of this slide is to introduce students to the concepts, but you do not have to go into too much detail. Functional levels are described in a later module. As long as students understand the idea that, once domain controllers are running a newer version of Windows, they are able to take advantage of newer features, students will be able to understand references to functional levels in earlier modules.
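An added example, not course material, that ties the Domain slide’s “password and lockout policy is domain-wide” point to the feature this slide uses to motivate functional levels: it reports the current levels and the domain-wide password policy, finds any DC that would block raising the level, and then creates the fine-grained password policy for administrators the notes describe, which requires the Windows Server 2008 domain functional level. It assumes the ActiveDirectory module and Domain Admin rights; the PSO name and values are assumptions.

```powershell
# Added example (not from the course): functional levels and a fine-grained password policy.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$forest = Get-ADForest
"Domain functional level: $($domain.DomainMode)"
"Forest functional level: $($forest.ForestMode)"

# The one policy the whole domain gets unless a PSO overrides it (the Domain slide's boundary).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold, ComplexityEnabled

# Raising a level is one-way and refused while any DC runs an older Windows: list those first.
Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -notlike '*2008 R2*' } |
    Select-Object HostName, OperatingSystem
# When that list is empty (and, for the forest, every domain is already raised):
#   Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain
#   Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest

# Fine-grained password policy needs DFL >= Windows Server 2008 (ADDomainMode value 3).
if ([int]$domain.DomainMode -lt 3) {
    throw 'Fine-grained password policy requires the Windows Server 2008 domain functional level.'
}

# Longer, shorter-lived passwords and tighter lockout for administrators. Lowest precedence
# number wins when several PSOs apply to one user.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 -PassThru `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge ([TimeSpan]::FromDays(1)) -MaxPasswordAge ([TimeSpan]::FromDays(30)) `
    -LockoutThreshold 5 -LockoutDuration ([TimeSpan]::FromMinutes(30)) `
    -LockoutObservationWindow ([TimeSpan]::FromMinutes(30)) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Domain Admins'

# Verify the resultant policy for an administrator (Administrator is in Domain Admins).
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Keep `ReversibleEncryptionEnabled` at `$false` in every PSO; with it enabled the DC stores a recoverable form of the password rather than only the hash, which defeats the point of the unicodePwd discussion earlier in the module.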
DNS and Application Partitions
Course 6425C DNS and Application Partitions Module 1: Introducing Active Directory® Domain Services Active Directory and DNS are closely integrated One-to-one relationship between the DNS domain name and the logical domain unit of Active Directory Complete reliance on DNS to locate computers and services in the domain A domain controller acting as a DNS server can store the zone data in Active Directory itself, in an application partition Objective: Active Directory and DNS are tightly integrated, and DNS data can be stored in Active Directory. It is necessary that students in this class have a basic understanding of DNS. This slide is meant to allow you to touch briefly upon the close relationship between DNS and Active Directory. This slide should be used only lightly, as the next modules presume out-of-box default DNS configuration. All details about DNS can be saved for discussion in Module 11. What is useful to point out is that if a domain controller is itself a DNS server, you can store the DNS database (the zone) in Active Directory itself. Depending on the experience level of your students, you may want to downplay or skip over the detail of DNS being stored in an application partition, or you may want to point out the business value of an application partition for other Active Directory–aware applications. You could briefly extend the concept of application partitions to mention that Active Directory can similarly support other applications and services not directly related to AD DS. The benefit of doing so is that you are able to take advantage of the efficient, robust, and well-maintained replication topology and technologies used by your domain controllers. (Slide diagram: the NTDS.DIT database divided into Schema, Configuration, Domain, DNS and PAS sections.)
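An added example (not from the course) for the application-partition point: it enumerates every partition in the forest from the crossRef objects under CN=Partitions, classifies each, counts how many DCs hold a replica of each application partition, and then asks the DNS Server WMI provider on this DC which zones are stored in Active Directory. It assumes a 2008 R2 DC that also runs DNS Server; the systemFlags bits and the MicrosoftDNS namespace are the documented ones.

```powershell
# Added example (not from the course): application partitions and AD-integrated DNS zones.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# Every partition has a crossRef object under CN=Partitions. systemFlags bit 0x1 marks a
# naming context, bit 0x2 a domain NC. An NC that is neither a domain nor schema/config is
# an application partition; msDS-NC-Replica-Locations lists the DCs that hold a replica.
$crossRefs = Get-ADObject -SearchBase "CN=Partitions,$configNC" -LDAPFilter '(objectClass=crossRef)' `
                -Properties nCName, dnsRoot, systemFlags, msDS-NC-Replica-Locations
foreach ($cr in $crossRefs) {
    $flags = [int]$cr.systemFlags
    $kind = if     (($flags -band 0x2) -ne 0)                { 'Domain' }
            elseif ($cr.nCName -like 'CN=Schema,*')          { 'Schema' }
            elseif ($cr.nCName -like 'CN=Configuration,*')   { 'Configuration' }
            elseif (($flags -band 0x1) -ne 0)                { 'Application' }
            else                                             { 'External reference' }
    New-Object PSObject -Property @{
        Partition = $cr.nCName
        DnsRoot   = $cr.dnsRoot
        Kind      = $kind
        Replicas  = $(if ($kind -eq 'Application') { @($cr.'msDS-NC-Replica-Locations').Count } else { '(all DCs of that NC)' })
    }
}

# On a DC that is also a DNS server: is each zone in Active Directory or in a zone file?
# DomainDnsZones replicates to every DNS-server DC in the domain, ForestDnsZones to every
# DNS-server DC in the forest; a file-based zone replicates to nobody unless you set up
# zone transfers yourself.
Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone |
    Select-Object Name, DsIntegrated, @{
        Name = 'Storage'
        Expression = { if ($_.DsIntegrated) { 'Active Directory partition' } else { 'Zone file (%systemroot%\System32\dns)' } }
    }
```

A zone stored in a partition inherits the partition’s security model too: updates are authenticated against object permissions, which is what makes “secure dynamic updates” possible only for AD-integrated zones.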
Course 6425C Trust Relationships Module 1: Introducing Active Directory® Domain Services Extends the concept of a trusted identity store to another domain The trusting domain (with the resource) trusts the identity store and authentication services of the trusted domain A trusted user can authenticate to, and be given access to resources in, the trusting domain Within a forest, each domain trusts all other domains Trust relationships can be established with external domains Objective: Extend the concept of trust to cover domain trust relationships. Use this slide to introduce the concept of trusts. Explain a trust relationship by returning to the concept of a workgroup. In its default, stand-alone configuration (workgroup), a Windows system trusts only its own identity store, its SAM database. When a computer joins a domain, it extends its realm of trust to include the shared identity store and authentication service provided by the domain controllers of the domain. Now the server will authenticate, and can assign permissions to, a user that is not in its SAM but rather in the trusted identity store of the domain. From that introduction it is a small step to the concept of trust relationships, in which a domain extends its realm of trust to include an identity store and authentication service provided by another domain. Users in the trusted domain (identity store) can now be authenticated by, and be assigned permissions to resources in, the trusting domain. You do not have to go much further than this. Module 15 details multiple-domain scenarios and trust relationships, and gives you the opportunity to present interesting ways to remember “trusted” and “trusting.” Do not go to that point in this module. Simply take the existing concepts of workgroup and trust and help students see the path to domain trust relationships. (Slide diagram: a Trusted Domain and a Trusting Domain, with the trust arrow between them.)
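The trusts a domain actually has, read from its trustedDomain objects, as an added example that is not part of the course. It decodes the direction bits so that each row says whether this domain is the trusting or the trusted side, which is the distinction the slide is about, and flags whether SID filtering is on. It assumes the ActiveDirectory module; the bit values quoted in the comments are the ones documented in MS-ADTS section 6.1.6.7.

```powershell
# Added example (not from the course): enumerate this domain's trusts and decode them.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# trustedDomain objects live under CN=System in the Domain NC.
$trusts = Get-ADObject -SearchBase "CN=System,$($domain.DistinguishedName)" `
            -LDAPFilter '(objectClass=trustedDomain)' `
            -Properties trustPartner, trustDirection, trustType, trustAttributes

foreach ($t in $trusts) {
    $dir  = [int]$t.trustDirection      # 0x1 inbound, 0x2 outbound, 0x3 both (MS-ADTS 6.1.6.7.5)
    $attr = [int]$t.trustAttributes     # bit field, MS-ADTS 6.1.6.7.9
    New-Object PSObject -Property @{
        Partner      = $t.trustPartner
        # Outbound (0x2): this domain trusts the partner, so this domain is the TRUSTING side and
        # the partner's users can be given access to resources here. Inbound (0x1): the partner
        # trusts this domain, so this domain is the TRUSTED side whose users get access there.
        ThisDomainIs = $(switch ($dir) { 1 { 'trusted' } 2 { 'trusting' } 3 { 'trusting and trusted' } default { 'disabled' } })
        Type         = $(switch ([int]$t.trustType) { 1 { 'Downlevel (NT 4.0)' } 2 { 'Uplevel (AD DS)' } 3 { 'MIT Kerberos realm' } default { $t.trustType } })
        WithinForest = (($attr -band 0x20) -ne 0)   # TRUST_ATTRIBUTE_WITHIN_FOREST: the automatic forest trusts
        ForestTrust  = (($attr -band 0x8)  -ne 0)   # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
        Transitive   = (($attr -band 0x1)  -eq 0)   # TRUST_ATTRIBUTE_NON_TRANSITIVE not set
        SidFiltering = (($attr -band 0x4)  -ne 0)   # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN (SID filter quarantining)
    }
} | Format-Table Partner, ThisDomainIs, Type, WithinForest, ForestTrust, Transitive, SidFiltering -AutoSize
```

Inside a forest every row shows `WithinForest` and two-way transitive, which is the “each domain trusts all other domains” bullet. For an external trust the `SidFiltering` column matters: without it, an administrator of the trusted domain can put one of your SIDs into a user’s SIDHistory and that SID will be honoured by your resources.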
Lesson 3: Install Active Directory Domain Services
Course 6425C Lesson 3: Install Active Directory Domain Services Module 1: Introducing Active Directory® Domain Services Install and Configure a Domain Controller Prepare to Create a New Forest with Windows Server 2008 R2 Instructor notes are minimal in this lesson because it is a simple technical lesson.
Install and Configure a Domain Controller
Course 6425C Install and Configure a Domain Controller Module 1: Introducing Active Directory® Domain Services 1. Install the Active Directory Domain Services role by using Server Manager. 2. Run the Active Directory Domain Services Installation Wizard. 3. Choose the deployment configuration. 4. Select the additional domain controller features. 5. Select the location for the database, log files, and SYSVOL folder. 6. Configure the Directory Services Restore Mode Administrator password. Objective: Outline the major steps of installing and configuring a domain controller. Students will perform these steps in the Lab for this module. In this module, the focus is on a new Windows Server 2008 forest with a single domain tree, a single domain, and a single domain controller. Later modules explore more complex multisite topologies, multiple domain controllers per domain, multiple-domain forests, and multiple-forest models.
Prepare to Create a New Forest with Windows Server 2008 R2
Course 6425C Prepare to Create a New Forest with Windows Server 2008 R2 Module 1: Introducing Active Directory® Domain Services Domain’s DNS name (contoso.com) Domain’s NetBIOS name (CONTOSO) Whether the new forest will need to support domain controllers running previous versions of Windows (affects the choice of functional level) Details about how DNS will be implemented to support AD DS Default: Creating a domain controller adds the DNS Server role as well IP configuration for the domain controller: IPv4 and, optionally, IPv6 (a static address, not DHCP) User name and password of an account in the server’s Administrators group. The account must have a password. Location for the data store (ntds.dit) and SYSVOL Default: %systemroot% (C:\Windows) Directory Services Restore Mode Administrator password Objective: Describe the information that should be collected before creating a new forest during installation. Before beginning to create a new domain or forest, you must collect certain configuration information that will be requested during installation.
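The six wizard steps and the checklist on this slide, as one scripted promotion. This is an added example, not the lab’s procedure: it checks the two prerequisites the slide lists (a local administrator and a static address), adds the role with the ServerManager module, writes the answers the wizard would ask for into a dcpromo unattend file, and runs `dcpromo /unattend`. Domain names, paths and levels are the course’s contoso.com defaults and are assumptions; the answer-file keys are the documented ones.

```powershell
# Added example (not from the course): create the contoso.com forest unattended.
# Run elevated on the server to be promoted (for example the lab's freshly installed server).

# 1. Pre-flight: the caller must be a local administrator and the DC must not use DHCP.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this elevated as a member of the local Administrators group.'
}
$dhcp = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | Where-Object { $_.DHCPEnabled }
if ($dhcp) {
    Write-Warning ('DHCP-assigned address on: ' + (($dhcp | ForEach-Object { $_.Description }) -join ', ') +
                   '. Assign a static IPv4 address before promoting.')
}

# 2. The role (the Server Manager step). dcpromo refuses to start until it is installed.
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services | Out-Null

# 3. The wizard's questions as an answer file. ForestLevel/DomainLevel: 0 = Windows 2000,
#    2 = 2003, 3 = 2008, 4 = 2008 R2; choose 4 only if no older DC will ever join.
$dsrm = Read-Host 'Directory Services Restore Mode Administrator password' -AsSecureString
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))
$answerFile = Join-Path $env:TEMP 'dcpromo-contoso.txt'
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
DomainNetbiosName=CONTOSO
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
DatabasePath="$env:SystemRoot\NTDS"
LogPath="$env:SystemRoot\NTDS"
SYSVOLPath="$env:SystemRoot\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=Yes
"@ | Set-Content -Path $answerFile -Encoding ASCII

# 4. Promote. The file holds the DSRM password in clear text; dcpromo removes that line once it
#    has read it, but delete the file regardless. The server reboots when promotion completes.
try {
    Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:`"$answerFile`"" -Wait
} finally {
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
```

The DSRM password is the one credential that still works when the directory is offline, so treat it like the Administrator password of the forest root: long, unique per DC, and stored where an incident responder can find it at three in the morning.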
Course 6425C Lab: Install an AD DS Domain Controller to Create a Single Domain Forest Module 1: Introducing Active Directory® Domain Services Exercise 1: Perform Post-Installation Configuration Tasks Exercise 2: Install a New Windows Server 2008 Forest with the Windows Interface Exercise 3: Raise Domain and Forest Functional Levels Scenario You have been hired to improve identity and access at Contoso, Ltd. The company currently has one server in a workgroup configuration. Employees connect to the server from their personal client computers. In anticipation of near-term growth, you have been tasked with improving the manageability and security of the company’s resources. You decide to implement an AD DS domain and forest by promoting the server to a domain controller. You have just finished installing Windows Server 2008 R2 from the installation DVD. Exercise 1 In this exercise, students will prepare the server by performing post-installation configuration tasks. Exercise 2 In this exercise, students will add the AD DS role and create the forest and domain by promoting HQDC01 to be the first domain controller in the contoso.com forest. Exercise 3 In this exercise, students will raise the domain and forest functional levels to Windows Server 2008 R2. Logon information Virtual machine: 6425C-NYC-SVR-D Logon user name: Administrator Password: Pa$$w0rd Estimated time: 30 minutes
Course 6425C Lab Scenario Module 1: Introducing Active Directory® Domain Services You have been hired to improve identity and access at Contoso, Ltd. The company currently has one server in a workgroup configuration. Employees connect to the server from their personal client computers. In anticipation of near-term growth, you need to improve the manageability and security of the company’s resources. You decide to implement an AD DS domain and forest by promoting the server to a domain controller. You have just finished installing Windows Server 2008 R2 from the installation DVD.
Course 6425C Lab Review Module 1: Introducing Active Directory® Domain Services What can you do with the Initial Configuration Tasks console? What must you do before starting the dcpromo wizard? Which tool is used to raise the domain functional level? Lab Review What can you do with the Initial Configuration Tasks console? Answer: This console is used to perform basic post-installation administrative tasks such as changing the time zone or the computer name. What must you do before starting the dcpromo wizard? Answer: You must add the Active Directory Domain Services role. Which tool is used to raise the domain functional level? Answer: The Active Directory Domains and Trusts tool is used to raise the domain functional level.
Module Review and Takeaways
Course 6425C Module Review and Takeaways Module 1: Introducing Active Directory® Domain Services Review Questions Common Issues Related to AD DS Installation Best Practices Related to AD DS Installation Tools Review Questions What is the main difference between authentication and authorization? Answer: Authentication is the process of presenting credentials from a user to an identity store or an authentication service. Authentication by itself grants no right to access a resource; it only confirms the identity of the user. Authorization, on the other hand, is the process of granting access to a specific resource based on an ACL. Authorization can only proceed after authentication has been performed. Why is the global catalog important in a multidomain environment? Answer: Because the domain controllers in your domain do not contain information about objects in other domains, you must rely on the global catalog, which holds the indexed partial attribute set for all objects in the other domains. Which tools can you use to install AD DS? Answer: First, use Server Manager to install the AD DS role; then run dcpromo to make the server a domain controller. Common Issues Related to AD DS Installation Issue: The dcpromo wizard cannot perform the installation of AD DS. Troubleshooting tip: You must be a local administrator to perform an Active Directory installation. Issue: You cannot start dcpromo.exe. Troubleshooting tip: You must first install the AD DS role by using Server Manager. Issue: You cannot raise the forest to the Windows Server 2008 R2 functional level. Troubleshooting tip: Check that all domains in the forest have been raised to the Windows Server 2008 R2 domain functional level. Best Practices Related to Active Directory Domain Services Use a strong password for Directory Services Restore Mode. Make all domain controllers global catalog servers. Use static IP addresses for domain controllers.
Module 1: Introducing Active Directory® Domain Services Tools Tool: Server Manager. Use for: adding the AD DS role. Where to find it: Administrative Tools. Tool: Initial Configuration Tasks. Use for: performing post-installation tasks on Windows Server 2008 R2. Where to find it: enter Oobe.exe in the Run window. Tool: Dcpromo.exe. Use for: installing Active Directory Domain Services and making the server a domain controller. Where to find it: type dcpromo.exe in the Run window, or use Server Manager to run it.
Module 2: Administering Active Directory® Securely and Efficiently
Course 6425C
Module 2: Administering Active Directory® Securely and Efficiently
Presentation: 65 minutes
Lab: 60 minutes

Objectives
After completing this module, you will be able to:
Describe and work with Active Directory administration tools.
Describe the purpose and functionality of custom consoles and least privilege.
Locate objects in Active Directory.
Administer Active Directory by using Windows PowerShell.

About This Module
Whereas Module 1 covered the fundamental concepts related to Active Directory and AD DS, Module 2 covers the fundamental concepts and skills related to administering AD DS. In this module, you will introduce the concepts and tools used to administer Active Directory objects in a secure and efficient (best practice) manner. Less experienced students will gain the skills to perform basic administration tasks. All students will learn to administer AD DS with best practice skills, including Run As Administrator with secondary credentials (for secure administration), custom MMC consoles, Saved Queries, and the DS commands.

The instructional design goal of this module is to ensure that when students are asked to perform specific administrative tasks in later modules, they have an understanding of:
The AD DS snap-ins and the Active Directory Administrative Center.
Common user interface components such as Select dialog boxes.
Best practices like Run As Administrator.
Tools for navigating and finding objects in Active Directory, such as Saved Queries.
PowerShell commands.

Do not make the mistake of diving into discussions of particular object classes (users, groups, and computers) or of specific administrative tasks in this module. Stay focused on the tools, skills, and concepts related to administration at a high level. See the instructor notes regarding the delegation content in Module 8. You may, optionally, deliver Lesson 1 of Module 8 (Delegation) after Lesson 4 of this module.
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Preparing for the demos in this module
Start 6425C-NYC-DC1. Log on as Pat.Coleman_Admin, with the password, Pa$$w0rd. After NYC-DC1 has started, start 6425C-NYC-SVR1 and 6425C-NYC-CL1.

Preparation for Labs
There are three labs in this module. The labs depend on each other, so students should not shut down the virtual machines after each lab. If you wish to prepare for them now and save the startup time, ask students to start the virtual machine now. The virtual machine used in all labs is 6425C-NYC-DC1.
Module Overview
Work with Active Directory Administration Tools
Custom Consoles and Least Privilege
Find Objects in Active Directory
Use Windows PowerShell to Administer Active Directory

Discuss the objectives of the module listed on this slide from the "higher-level" perspective of the two main goals of this module, which are to:
Establish methods for working securely when administering Active Directory, which will be carried forward for all remaining modules. This is not a course where students will log on as Administrator to their computers. Rather, they log on with a standard user account, following the best practice of least privilege.
Share some of the most valuable secrets of efficient administration that are often learned only after months or years of experience, including:
Working with customized MMC consoles.
Controlling the view of objects in Active Directory.
Mastering the many interfaces with which to search Active Directory.
Administering from the command line.
Lesson 1: Work with Active Directory Administration Tools
Active Directory Administration Snap-Ins
What Is the Active Directory Administrative Center?
Find Active Directory Administration Tools
Demonstration: Perform Administrative Tasks by Using Active Directory Administrative Tools
Active Directory Administration Snap-Ins
Active Directory Users and Computers: Manage the most common day-to-day objects, including users, groups, computers, printers, and shared folders
Active Directory Sites and Services: Manage replication, network topology, and related services
Active Directory Domains and Trusts: Configure and maintain trust relationships and the domain and forest functional level
Active Directory Schema: Administer the schema

Objective: List the four major Active Directory administrative snap-ins. The course will spend time with each of them, so do not cover them too deeply at this point. This is simply a list of the four most common snap-ins used to administer AD DS.

References
Active Directory Domain Services: Managing Active Directory from MMC:
Install the Active Directory Schema snap-in:
What Is the Active Directory Administrative Center?
Task-oriented tool based upon Windows PowerShell

Objective: Describe the Active Directory Administrative Center. Point out that this is a task-oriented tool based upon Windows PowerShell®. Also point out the installation requirements for this tool.

Reference
Active Directory Administrative Center: Getting Started
Find Active Directory Administration Tools
Active Directory snap-ins are installed on a domain controller:
Server Manager: Users and Computers, Sites and Services
Administrative Tools folder
Install the RSAT on a member client or server:
Windows Server 2008: Server Manager, Features, Add Feature, Remote Server Administration Tools
Windows Vista SP1, Windows 7: Download RSAT from
Double-click the file, then follow the instructions in the Setup Wizard
Control Panel, Programs And Features, Turn Windows Features On Or Off, Remote Server Administration Tools

Objective: Ensure that students can find the AD DS administrative tools. Point out that adding the AD DS role installs the Active Directory snap-ins automatically. The snap-ins in Server Manager are in the Administrative Tools folder. Emphasize that RSAT must be installed and enabled to administer Active Directory from a machine other than a domain controller. On Windows Server 2008 machines, the RSAT can be added as a feature. On Windows Vista SP1 (and newer versions) and Windows 7 clients, you must download the RSAT, install the RSAT, and then turn the RSAT feature on.

Ask students if anyone has ever installed the RSAT and then wondered why the tools did not appear. Point out this common problem: the RSAT is installed but no administrative tools appear. It is important to remember that you must also turn on the RSAT feature; installing the RSAT is not enough. This is done in Control Panel, Programs and Features, by choosing Turn Windows Features On Or Off.

A tip to share with students: add the administrative tools to your Start menu. By default, administrative tools are not added to the Start menu on Windows Vista clients. You can make the administrative tools easier to access by adding them to your Start menu:
1. Right-click the Start button and click Properties.
2. Click Customize.
3. If you are using the default Start menu, scroll to System Administrative Tools, and click Display on the All Programs menu and the Start menu or Display on the All Programs menu. If you are using the Classic Start menu, click Display Administrative Tools.
4. Click OK.

Reference
Remote Server Administration Tools Pack:
Demonstration: Perform Administrative Tasks by Using Active Directory Administration Tools
In this demonstration, you will see:
How to perform administrative tasks by using Active Directory Users and Computers
How to perform administrative tasks by using Active Directory Administrative Center

Objective: Demonstrate basic administrative tasks with Active Directory Users and Computers. See tasks in instructor notes.

If not already started, start 6425C-NYC-DC1 and log on as Pat.Coleman_Admin, with the password, Pa$$w0rd. Open Active Directory Users and Computers from the Administrative Tools folder.

Viewing objects
Select several containers, starting with the domain, some organizational units, and the Users container. Show that the details pane displays the objects in the container.

Refreshing the view
Emphasize that you must select a container (domain, organizational unit, or container) in the console tree and then click Refresh or press F5. If an item in the details pane is selected, the Refresh command does not refresh the view of all objects in the container.

Creating objects
Create a simple sample user account in the User Accounts\Marketing organizational unit to demonstrate that you right-click a container, click New, and then click the object type. The New Object wizard for that object type steps you through creating the object. Only a subset of the available properties is presented during object creation, including, of course, those that are required.

Configuring object attributes
Open the Properties dialog box for the user object you just created, to demonstrate that:
You right-click an object and then click Properties to configure the attributes of an object.
There are many attributes that were not presented during object creation.
Attributes are organized on tabs. You can make changes on different tabs and those changes will persist until you click OK or Apply. You don't have to apply changes before navigating to another tab.
Clicking OK or Apply are both valid ways of saving your changes. The only difference is that OK closes the dialog box, whereas Apply leaves the dialog box open and with focus.
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Viewing all object attributes
Demonstrate the Attribute Editor tab. Open the Properties of the user object and point out that there is no tab called Attribute Editor. Close the Properties box, and then click the View menu and select Advanced Features. Open the Properties of the user again and show that the Attribute Editor tab has appeared. Mention that when Advanced Features is enabled, the Security, Object, and other tabs appear, as do containers in the console tree that were previously hidden. Active Directory administrators often find it helpful to work with Advanced Features turned on, even though it adds a little "clutter" to the interface.

Scroll quickly through the list of attributes to demonstrate that there are dozens of attributes. Highlight several attributes that are both understandable and potentially useful, such as carLicense, division, employeeID, employeeNumber, and employeeType. Double-click division to edit the value. Do not go into detail about any specific attribute or about whether or how to use these "hidden" attributes. Just point out that the attributes exist, and that the Attribute Editor exposes them. Draw a comparison to ADSI Edit for students who know of that snap-in.

Using Active Directory Administrative Center
Open Active Directory Administrative Center from the Administrative Tools folder. Point out the Navigation pane and how you can change from List to Tree View. Change back to List View. Show how to reset a password for Contoso\Alan.brewer; reset the password to Pa$$w0rd. Perform a Global Search for Don Roessler. Show how to perform tasks such as Add to group, Disable, and Locate. Show the Properties of Don Roessler.
Lesson 2: Custom Consoles and Least Privilege
Demonstration: Create a Custom MMC Console for Administering Active Directory
Secure Administration with Least Privilege, Run As Administrator, and User Account Control
Demonstration: Secure Administration with User Account Control and Run As Administrator
Demonstration: Create a Custom MMC Console for Administering Active Directory
In this demonstration, you will see:
How to create a custom MMC console with multiple snap-ins
How to register the Active Directory Schema snap-in
Where to save a custom console

Start 6425C-NYC-DC1. Log on to NYC-DC1 as Pat.Coleman_Admin, with the password, Pa$$w0rd. Open the Run box and run the following command with administrative credentials: D:\Labfiles\Lab02a\Lab02a_Setup.bat. This command unregisters the Schema MMC snap-in.

In this demonstration, create a custom MMC console with all four of the Active Directory management snap-ins. This demonstration is a preview of an upcoming lab.
1. Click the Start button. In the Search programs and files box, type mmc.exe, and then press Enter. Click Yes in the User Account Control dialog box. An empty MMC console appears. Maximize it.
2. Click File, and then click Add/Remove Snap-in. If snap-ins are missing, install RSAT and turn on the snap-ins.
3. In the Add Or Remove Snap-ins dialog box, click Active Directory Users and Computers in the Available Snap-ins list, and then click the Add button to add it to the Selected Snap-ins list. Repeat for Active Directory Sites and Services and Active Directory Domains and Trusts.
4. Notice that the Active Directory Schema snap-in is not available to add. Click OK to close the Add Or Remove Snap-ins dialog box.
5. Register the Schema management snap-in: open a command prompt as administrator, type regsvr32.exe schmmgmt.dll, and then press Enter. Click OK. Close the command prompt.
6. Return to the MMC console, click File, and then click Add/Remove Snap-in. Add the Active Directory Schema snap-in. Click OK to close the Add Or Remove Snap-ins dialog box.
7. Click File, click Save, and save the console as C:\AdminTools\ADConsole.msc. Be sure to save the console to a new folder. In the next demo, you will open the console with a different user account that will not have access to your Desktop or Documents folders.
8. Close MMC.

Questions
Have you built a custom MMC console? What snap-ins have you found useful? Why did you build your own console?
If a student suggests an answer related to least privilege and running the console as an administrator, use that answer as a transition to the next topic.

Reference
Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0:
Secure Administration with Least Privilege, Run As Administrator, and User Account Control
Maintain at least two accounts:
A standard user account
An account with administrative privileges
Log on to your computer as a standard user. Do not log on to your computer with administrative credentials.
Start administrative consoles with Run As Administrator:
Right-click the console and click Run As Administrator
Click Use another account
Enter the user name and password for your administrative account

Objective: Understand the importance of User Account Control and secondary logon. Discuss the reasons behind non-administrative logon. Report the fact that many organizations do not allow administrators to log on directly with their administrative credentials.

Ask students: Why is it risky to log on with administrative credentials? The privileges of the credentials could be used, accidentally or intentionally, to harm the environment.

Ask students: What is the disadvantage of logging on with standard-user, non-administrative credentials? It is difficult to perform administrative tasks if you have to repeatedly enter administrative credentials.

Describe the concept of using Run As Administrator to run processes that require elevation. The processes you start this way run with the elevated credential, but the Explorer shell, and all processes that it spawns, run with standard user privileges. You will be demonstrating Run As Administrator next, so you do not have to detail the steps shown on this slide; it can be a reference for students as you perform the demonstration.

Reference
Using Run as:
Demonstration: Secure Administration with User Account Control and Run As Administrator
In this demonstration, you will see:
How to run a custom console as an administrator
Why it is important to save a custom console to a shared location

Objective: Demonstrate Run As Administrator.
1. Log off from NYC-DC1.
2. Log on with user-level credentials: CONTOSO\Pat.Coleman, with the password, Pa$$w0rd.
3. Open the C:\AdminTools folder you created in the previous demonstration.
4. Right-click the ADConsole.msc console and click Run as administrator.
5. Enter the credentials of your administrative account, CONTOSO\Pat.Coleman_Admin, with the password, Pa$$w0rd.
6. Click Yes.
Optionally, open Task Manager and click Show processes from all users. Enter the same credentials: CONTOSO\Pat.Coleman_Admin; Pa$$w0rd. Point out that explorer.exe is running as Pat.Coleman, while mmc.exe is running with the credentials of Pat.Coleman_Admin.
Point out why it is important that users save custom consoles to a location that is accessible to both their user and administrative accounts. The administrator account (Pat.Coleman_Admin) may not have immediate access to the Desktop, Documents, or other folders that the user account (Pat.Coleman) has access to. If Pat.Coleman (user) saves the console to a location accessible only to that account, and runs it from there, the moment the process is elevated to the administrator (Pat.Coleman_Admin) account, it can no longer access the console.
7. At the end of the demo, log off from NYC-DC1 and log back on as Contoso\Pat.Coleman_Admin, with the password, Pa$$w0rd.

Reference
Using Run as:
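The Task Manager check in the demonstration above (explorer.exe running as the standard user, mmc.exe running as the administrative account) can be scripted so that students, or an auditor, can confirm the least-privilege setup without clicking through the UI. The following script is an added example and is not part of the course materials. It assumes the course virtual machine NYC-DC1 and the accounts CONTOSO\Pat.Coleman (standard user) and CONTOSO\Pat.Coleman_Admin (administrative account) from the demo; the function names are the example's own. Run it from a Windows PowerShell prompt that was started with Run as administrator under the administrative account, for the same reason Task Manager needs Show processes from all users: a standard user cannot read the owner of another account's processes.

```powershell
# Added example, not course code. Verifies which account each process runs under
# after the Run As Administrator demonstration. Assumes the course VM NYC-DC1 and
# the accounts CONTOSO\Pat.Coleman and CONTOSO\Pat.Coleman_Admin used in the demo.

function Test-IsElevated {
    # True only when the current token carries the Administrators group enabled,
    # that is, the prompt was elevated through UAC, not merely started by an admin.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ProcessOwner {
    # Lists processes with the account that owns them. With no -Name, lists all.
    param([string[]]$Name)
    $wmiArgs = @{ Class = 'Win32_Process' }
    if ($Name) {
        $wmiArgs.Filter = ($Name | ForEach-Object { "Name='$_'" }) -join ' OR '
    }
    Get-WmiObject @wmiArgs | ForEach-Object {
        # GetOwner() fails (non-zero ReturnValue) for processes of other users
        # when the caller is not elevated; that is reported rather than hidden.
        $owner = $_.GetOwner()
        $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" }
                 else { '(access denied)' }
        New-Object PSObject -Property @{
            Name        = $_.Name
            ProcessId   = $_.ProcessId
            Owner       = $user
            CommandLine = $_.CommandLine
        }
    }
}

Write-Host ("Running as {0}; elevated: {1}" -f `
    [Security.Principal.WindowsIdentity]::GetCurrent().Name, (Test-IsElevated))

# The two processes the demo compares. Expected: explorer.exe owned by
# CONTOSO\Pat.Coleman, mmc.exe (ADConsole.msc) owned by CONTOSO\Pat.Coleman_Admin.
Get-ProcessOwner -Name 'explorer.exe', 'mmc.exe' |
    Format-Table Name, ProcessId, Owner, CommandLine -AutoSize

# Everything the administrative account is running. With least privilege in
# effect this should be only the elevated console(s) and this prompt; anything
# else here (a browser, an Office application) is a process carrying admin
# rights that does not need them.
Get-ProcessOwner |
    Where-Object { $_.Owner -eq 'CONTOSO\Pat.Coleman_Admin' } |
    Format-Table Name, ProcessId, CommandLine -AutoSize
```

The second listing is the part worth keeping for later modules: a quick way to see whether the administrative account's token has leaked into processes beyond the custom console, which is exactly what the two-account practice on the previous slide is meant to prevent.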
Lab A: Administer Active Directory by Using Administrative Tools
Exercise 1: Perform Basic Administrative Tasks by Using Administrative Tools
Exercise 2: Create a Custom Active Directory Administrative Console
Exercise 3: Perform Administrative Tasks with Least Privilege, Run As Administrator, and User Account Control

In this lab, students will create a custom Active Directory administrative console, then run the console and other administrative tools as an administrator.

Lab Objectives
Perform basic administrative tasks by using administrative tools.
Create a custom console with the snap-ins required to perform typical AD DS administrative tasks.
Perform administrative tasks while logged on with non-privileged credentials.

Scenario
In this exercise, you are Pat Coleman, an Active Directory administrator at Contoso, Ltd. You are responsible for a variety of Active Directory support tasks, and you have found yourself constantly opening multiple consoles from the Administrative Tools folder in Control Panel. You have decided to build a single console that contains all of the snap-ins you require to do your work. Additionally, the Contoso IT security policy is changing, and you will no longer be permitted to log on to a system with credentials that have administrative privileges, unless there is an emergency. Instead, you are required to log on with non-privileged credentials.

Exercise 1
In this exercise, students experience basic administrative tasks in the Active Directory Users and Computers snap-in and the Active Directory Administrative Center.
Exercise 2
In this exercise, students create a custom console with the snap-ins required to perform typical AD DS administrative tasks.
Exercise 3
In this exercise, students perform administrative tasks while logged on with standard user credentials.

NOTE: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in Lab B.

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 30 minutes
Lab Scenario
In this exercise, you are Pat Coleman, an Active Directory administrator at Contoso, Ltd. You are responsible for a variety of Active Directory support tasks, and you have found yourself constantly opening multiple consoles from the Administrative Tools folder in Control Panel. You have decided to build a single console that contains all the snap-ins you require to do your work. Additionally, the Contoso IT security policy is changing, and you will no longer be permitted to log on to a system with credentials that have administrative privileges, unless there is an emergency. Instead, you are required to log on with non-privileged credentials.
Lab Review
Which snap-in are you most likely to use on a day-to-day basis to administer Active Directory?
When you build a custom MMC console for administration in your enterprise, what snap-ins will you add?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: Which snap-in are you most likely to use on a day-to-day basis to administer Active Directory?
Answer: Answers will vary. Most students will use Active Directory Users and Computers regularly, to administer users, computers, and groups.
Note: If a student suggests a different snap-in, ask the student to explain and justify his or her choice.

Question: When you build a custom MMC console for administration in your enterprise, what snap-ins will you add?
Answer: Answers will vary. The answer will depend on students' job responsibilities and experience level.
Note: Get students to think about what tools they can and should add to a custom console, with the goal of having one console with every tool needed to do their jobs.
Lesson 3: Find Objects in Active Directory
Scenarios for Finding Objects in Active Directory
Demonstration: Use the Select Users, Contacts, Computers, or Groups Dialog Box
Options for Locating Objects in Active Directory Users and Computers
Demonstration: Control the View of Objects in Active Directory Users and Computers
Demonstration: Use the Find Command
Determine Where an Object Is Located
Demonstration: Use Saved Queries
Demonstration: Find Objects by Using Active Directory Administrative Center
Scenarios for Finding Objects in Active Directory
When you assign permissions to a folder or file: select the group or user to which permissions are assigned
When you add members to a group: select the user or group that will be added as a member
When you configure a linked attribute such as Managed By: select the user or group that will be displayed on the Managed By tab
When you need to administer a user, group, or computer: perform a search to locate the object in Active Directory, instead of browsing for the object

Objective: Think about all the times you need to "select" a user, group, or computer, and the tools you use to search for or specify that object. Discuss the scenarios in which you must search for or select an object from Active Directory. Involve the students: what scenarios require searching or selecting? What tools and user interfaces are applied?
Demonstration: Use the Select Users, Contacts, Computers, Service Accounts, or Groups Dialog Box
In this demonstration, you will see:
How to select users with the Select dialog box

Objective: This is UI training. Make sure everyone knows all the ins and outs of the Select dialog box, and the variety of ways it can be used. The first scenarios mentioned on the previous slide (selecting users or groups to assign permissions, and adding members to a group) each involve using the Select dialog boxes. Step users through examples of using the Select dialog boxes.

If not already started, start 6425C-NYC-DC1 and log on as Pat.Coleman_Admin, with the password, Pa$$w0rd.

Add users to the Instructors group (in the Groups\Role OU) by using the Members tab of the group. Open Active Directory Users and Computers and then browse to the Groups\Role OU. Open the Properties of the Instructors security group and perform the following steps:
1. On the Members tab, click Add.
2. Type linda;joan and click Check Names. This demonstrates a full first name and a partial first name, and that semicolons delimit multiple users.
3. Type carole and click OK. This demonstrates that OK also checks names.
4. Click Add. Type tony;jeff and click OK. Pick Tony Krijnen and Jeff Ford. This demonstrates the Multiple Names Found box, and shows that it works with semicolons also.

Add a user to the Instructors group by using the Add To Group command of the user. Browse to the User Accounts\Employees OU. Right-click Pat Coleman and click Add to a group. Type Instr and click Check Names. This demonstrates the resolution of a group. Point out that Computers are not included by default. Click OK.

Set up the scenario: you want to deploy Microsoft Office Visio® to NYC-CL1. It is licensed per computer, not per user, so the deployment of Visio should be targeted to a computer object (like most software). You have a group that represents the computers that should have Visio. Open the APP_Visio group from the Groups\Application OU. On the Members tab, try to add NYC-CL1. Point out that it fails. Try again. This time, click the Object Types button and select Computers.
Options for Locating Objects
Sorting: Use column headings to find objects based on the values in the columns
Searching: Provide the criteria for which you want to search

Objective: This is an overview slide. Both sorting and searching are demonstrated in the next slides. Point out that navigating, browsing, or hunting through Active Directory is usually not the most efficient way to locate an object. Both Active Directory Users and Computers and the Active Directory Administrative Center allow you to sort and search, each of which can help you locate an object more quickly. Use this slide to set up the concepts of sorting and searching, then move on quickly to the demonstrations.

Reference
Search Active Directory:
Demonstration: Control the View of Objects in Active Directory Administrative Tools
In this demonstration, you will see:
How to add or remove columns in the details pane
How to sort objects based on columns in the details pane

Objective: Demonstrate the use of sorting and column-choosing to facilitate locating objects in AD.

In the User Accounts OU, add the Last Name column and arrange it so that it is the second column. A common complaint is that it is difficult to locate users in Active Directory Users and Computers because the Name column, which displays the common name (CN) attribute, is displayed as FirstName LastName by default. That makes finding "Bill Malone" difficult: is he listed as Bill or William? The solution is to add the Last Name column. Then you can sort by last name. While you are arranging columns, you can point out that the Type column is not necessary, because all objects in the OU are users. You can remove that column.

Sort by the Last Name column. Point out that this solves the problem. It is not necessary (in fact, it is not recommended) to configure the Name of users (the cn attribute) in the LastName, FirstName format.

Advanced technical note and tip
Unfortunately, some organizations resolve this problem of finding users in Active Directory Users and Computers by configuring the CN as LastName, FirstName. This is not recommended! Instead, use the Last Name column to solve the problem. Sharing this tip is a good setup for one of the advantages of Saved Queries.
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

To add the Last Name column to the details pane in the Active Directory Users and Computers console:
1. Click the View menu, and then click Add/Remove Columns.
2. In the Available columns list, click Last Name.
3. Click the Add button.
4. In the Displayed columns list, click Last Name, and then click Move Up two times.
5. In the Displayed columns list, click Type, and then click Remove.
6. Click OK.
7. In the details pane, click the Last Name column header to sort alphabetically by last name.

To add the Last Name column to the details pane in the Active Directory Administrative Center:
1. In the details pane, right-click a column heading, and then click Select Columns.
2. In the Available Columns list, click Last Name.
3. Click the >> button.
4. In the Selected columns list, click Last Name, and then click Move Up two times.
5. In the Selected columns list, click Type, and then click <<.
Demonstration: Use the Find Command
In this demonstration, you will see:
How to search for objects in Active Directory by using the Find command

Objective: Demonstrate finding objects in Active Directory.

Select the Employees OU and then find users named Dan. Point out that the status bar shows the number of items found. By default, the In box scopes the search to the container currently selected in the snap-in's console tree. You may need to expand the search to the entire domain or directory. In a large environment, a search may take too much time or return too many results, so you may need to narrow the search to a specific OU by clicking the Browse button.

Change the scope to Entire Directory and search again. Point out the number of items found on the status bar.

Point out that the Name box is a "starts with" search. For a true wildcard search, you must choose Custom Search from the Find drop-down list, then define the search on the Advanced tab.

Demonstrate that you can right-click objects in the results list. The context menu that appears allows you to perform some administrative tasks.

Optional
Open Network from the Start menu and show the Search Active Directory command. Point out that it does not enable any administrative commands.

Advanced Tip
To search for users that are members of a group, click the Advanced tab. Click the Field button and point to User. From the User menu, choose MemberOf. Set the criteria to Is (Exactly). Enter the distinguished name of a group (demo: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com). You might give a brief definition of distinguished name, but there is a slide later in the module that supports a full definition of distinguished name.
Determine Where an Object Is Located
Ensure that Advanced Features is enabled
Find the object
Open its Properties dialog box
Click the Object tab
View the Canonical name of object
or
In the Find dialog box, click View, click Choose Columns, and then add the Published At column

Objective: How to find an object, and then determine where it is actually located in Active Directory. This can be effectively presented as a continuation of your demonstration of the Find command. You should already have enabled Advanced Features in previous demonstrations, so the Object tab should be visible for the objects you searched for on the previous slide. Point out the Canonical name field and how it can be used to determine the location of an object.
Demonstration: Use Saved Queries
In this demonstration, you will see:
How to create a saved query
How to distribute a saved query
Why saved queries are an efficient and effective tool for administration

Objective: Saved Queries are a valuable tool for virtualizing your administrative views of objects in Active Directory, monitoring object health, and performing administrative tasks.

Transition from the earlier topic of the Find command by mentioning that if you regularly have to locate certain objects, you can save yourself time by saving the search as a saved query. Demonstrate creating saved queries. If not already started, start 6425C-NYC-DC1 and log on to NYC-DC1 as Pat.Coleman_Admin, with the password, Pa$$w0rd.

Create a saved query called All User Objects that returns all user objects in the domain:
1. In Active Directory Users and Computers, right-click Saved Queries, point to New, and then click Query.
2. In the New Query dialog box, type All User Objects in the Name box.
3. Click Define Query.
4. From the Name drop-down list, choose Has a value.
5. Click OK two times.
Point out that saved queries can "virtualize" your view of your Active Directory: it doesn't matter where an object is located (for example, in the Employees, Contractors, or Admin Identities OUs), just that it meets the search criteria.

Create a saved query called Non-Expiring Passwords that returns user objects with passwords that do not expire:
1. Right-click Saved Queries, point to New, and then click Query.
2. In the New Query dialog box, type Non-Expiring Passwords in the Name box.
3. Click Define Query.
4. Select the Non expiring passwords check box.
5. Click OK twice.
Note that all users in the sample domain are set to non-expiring passwords for the purpose of the course only. Point out that saved queries can create "health check" views of your Active Directory.

Discuss the fact that saved queries are saved with the instance of the snap-in in the console, which can then be distributed. The best practice is to create a custom administrative console with the saved queries you require. You can distribute the console to other administrators. Mention that you can also export and import saved queries. Demonstrate that you can right-click a query and click Export Query Definition, and then right-click the Saved Queries node and click Import Query Definition. By exporting a saved query as an XML file, you can allow other administrators to import the query into their consoles.
Demonstration: Find Objects by Using Active Directory Administrative Center
In this demonstration, you will see:
How to find objects by using the Active Directory Administrative Center
How to save queries by using the Active Directory Administrative Center
Objective: Use the Active Directory Administrative Center to perform searches and save queries.
If not already started, start 6425C-NYC-DC1 and log on to NYC-DC1 as Pat.Coleman_Admin, with the password, Pa$$w0rd.
Create a saved query called Global Catalog Servers that returns all Global Catalog servers in the domain.
1. In Active Directory Administrative Center, in the left pane, click Global Search.
2. In the Global Search pane, click Add criteria.
3. Select the check box next to Computers running as a given domain controller type.
4. Click Add.
5. Click the Any domain controllers link, and then choose Global catalogs.
6. Click Search. Note that any domain controller that is configured as a Global Catalog is displayed.
7. Click the Save button.
8. In the text box, type Global Catalog Servers, and then click OK.
9. Click the Queries button to view the saved query.
10. Log off from NYC-DC1 when you complete the demonstration.
65
Lab B: Find Objects in Active Directory
Exercise 1: Find Objects in Active Directory
Exercise 2: Use Saved Queries
In this lab, students will use a variety of methods and interfaces to make it easier to locate objects in Active Directory.
Lab Objectives
Locate objects in Active Directory.
Use saved queries to virtualize the view of Active Directory.
Scenario
Contoso now spans five geographic sites around the world, with over 1,000 employees. As your domain has become populated with so many objects, it has become more difficult to locate objects by browsing. You are tasked with defining best practices for locating objects in Active Directory for the rest of the team of administrators. You are also asked to monitor the health of certain types of accounts.
Exercise 1
In this exercise, you will use several tools and interfaces that make it easier for you to find an object in Active Directory.
Exercise 2
In this exercise, you will create saved queries with which administrative tasks can be performed more efficiently.
NOTE: Do not shut down the virtual machines after you finish this lab, because the settings you have configured here will be used in Lab C.
Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 15 minutes
66
Lab Scenario
Contoso now spans five geographic sites around the world, with over 1,000 employees. As your domain has become populated with so many objects, it has become more difficult to locate objects by browsing. You are tasked with defining best practices for locating objects in Active Directory for the rest of the team of administrators. You are also asked to monitor the health of certain types of accounts.
67
Lab Review
In your work, what scenarios require you to search Active Directory?
What types of saved queries could you create to help you perform your administrative tasks more efficiently?
Use the questions on the slide to guide the discussion after students have completed the lab exercises.
Question: In your work, what scenarios require you to search Active Directory?
Answer: The correct answer will be based on your own experience and situation.
Question: What types of saved queries could you create to help you perform your administrative tasks more efficiently?
68
Lesson 4: Use Windows PowerShell to Administer Active Directory
What Is Windows PowerShell?
Installation Requirements for Windows PowerShell 2.0
Overview of the Windows PowerShell Syntax
Windows PowerShell Cmdlets for Active Directory
Demonstration: Manage Users and Groups by Using PowerShell
69
What Is Windows PowerShell?
Windows PowerShell is not a scripting language
At least, it is not only a scripting language
PowerShell is an engine designed to run commands that perform administrative tasks, for example:
Creating user accounts
Configuring services
Deleting mailboxes
PowerShell provides a foundation that Microsoft GUI-based administrative tools can build upon
Actions can be accomplished in the command-line console
Actions can also be invoked within GUIs by running PowerShell commands in the background
Windows PowerShell 2.0 is not just a scripting language; it is a general-purpose environment for running commands that accomplish administrative tasks. Windows PowerShell is accessible through many means, such as a command-line interface, and it is also embedded within graphical management tools that use the shell’s capabilities, such as Microsoft Exchange Server 2007 and newer versions. Windows PowerShell seeks to be the one-stop shop for administrative tasks, powering command-line use, scripts (batch files), and GUIs.
70
Installation Requirements for Windows PowerShell 2.0
Windows PowerShell is pre-installed by default in Windows Server 2008 R2 and Windows 7
Windows PowerShell is a web download for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008
Windows PowerShell requires Microsoft .NET Framework 2.0 with Service Pack 1
Active Directory Module for Windows PowerShell is included with Windows Server 2008 R2
Active Directory Module for Windows PowerShell is installed with AD DS or AD LDS
Windows PowerShell is pre-installed on Windows 7 and Windows Server 2008 R2. An older version is available as an option in Windows Vista and Windows Server 2008. Windows PowerShell 2.0 is downloadable for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 (RTM). The graphical tool, the Windows PowerShell Integrated Scripting Environment (ISE), is preinstalled in Windows 7 and is available as an installation option for Windows Server 2008 R2. It is included in the download for other versions of Windows.
71
Overview of the Windows PowerShell Syntax
All Windows PowerShell cmdlets use the same syntax
Verb   Noun    Parameters               Example
Get    ADUser  <string>                 Get-ADUser Don
Set            -Department "Marketing"  Set-ADUser -Department "Marketing"
               -Filter                  Get-ADUser -Filter 'Name -like "*"'
Cmdlets can be pipelined to other cmdlets: Get-ADUser Don | Set-ADUser -Department "Marketing"
Mention that each cmdlet is formed with a verb and a noun. Mention some of the common verbs (Get, Set, New, Remove, and Search). Then, discuss how pipelining works to send data between cmdlets. Point out how to get help in PowerShell: use the Get-Help <cmdlet name> cmdlet, where <cmdlet name> is the name of the cmdlet that you want to research. For more detailed information, you can run any of the following:
Get-Help <cmdlet name> -Detailed
Get-Help <cmdlet name> -Full
Get-Help <cmdlet name> -Examples
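The saved queries built in the GUI earlier (All User Objects, Non-Expiring Passwords, Global Catalog Servers) expressed as verb-noun cmdlets and a pipeline, as an added example that is not part of the course material; Get-ADHealthCheck is an invented name, and the block assumes the Active Directory module is loaded and the caller can read the domain.

```powershell
# Added example (not part of Course 6425C): the "health check" views that the
# saved-query demonstrations build in the GUI, expressed as verb-noun cmdlets.
# Assumes the Active Directory module is available and the caller can read the
# domain. Get-ADHealthCheck is an invented name for this example.
Import-Module ActiveDirectory

function Get-ADHealthCheck {
    param(
        # Optional OU to scope the queries. By default the whole domain is searched,
        # so it does not matter which OU an object sits in (the "virtualized" view).
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # "All User Objects": -Filter * matches every object of the cmdlet's class.
    $allUsers = Get-ADUser -Filter * -SearchBase $SearchBase

    # "Non-Expiring Passwords": filter on the flag and pull the extra attributes
    # (-Properties) that Get-ADUser does not return by default.
    $nonExpiring = Get-ADUser -Filter { PasswordNeverExpires -eq $true } `
        -SearchBase $SearchBase -Properties PasswordNeverExpires, PasswordLastSet

    # Search-ADAccount gives the same kind of view for account states
    # (disabled, locked out) without hand-written filters.
    $disabled  = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $SearchBase
    $lockedOut = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase

    # "Global Catalog Servers": the ADAC query on domain controller type.
    $gcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }

    [pscustomobject]@{
        TotalUsers           = @($allUsers).Count
        NonExpiringPasswords = @($nonExpiring | Select-Object -ExpandProperty SamAccountName)
        DisabledUsers        = @($disabled    | Select-Object -ExpandProperty SamAccountName)
        LockedOutUsers       = @($lockedOut   | Select-Object -ExpandProperty SamAccountName)
        GlobalCatalogs       = @($gcs         | Select-Object -ExpandProperty HostName)
    }
}

# Usage: summary of the whole domain.
Get-ADHealthCheck | Format-List

# Pipeline: objects returned by one cmdlet flow into the next. Like "Export Query
# Definition" for a saved query, the result can be handed to other administrators,
# here as a CSV file of accounts whose password never expires and its age.
Get-ADUser -Filter { PasswordNeverExpires -eq $true } -Properties PasswordLastSet |
    Select-Object SamAccountName, DistinguishedName, PasswordLastSet |
    Export-Csv -Path .\NonExpiringPasswords.csv -NoTypeInformation
```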
72
Windows PowerShell Cmdlets for Active Directory
PowerShell provides cmdlets to assist in the following:
User, Computer, and Group Management
Organizational Unit Management
Password Policy Management
Search and Modify Objects
Forest and Domain Management
Domain Controller and Operations Master Management
Managed Service Account Management
Describe the management-related tasks that can be performed by using Windows PowerShell.
Reference: Active Directory Administration with Windows PowerShell
73
Demonstration: Manage Users and Groups by Using Windows PowerShell
In this demonstration, you will see how to:
Create a new OU
Create a new user
Move a user to a new OU
View group membership
Add members to a group
Set the password on a new user and enable the user account
Objective: Use Windows PowerShell to manage users and groups.
Detailed Demonstration Steps
Note: You require the 6425C-NYC-DC1 virtual machine to complete this demonstration. Log on to the virtual machine as Contoso\Administrator with the password of Pa$$w0rd.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Module for Windows PowerShell.
2. To create a new OU, type the following commands.
new-adorganizationalunit Test1
new-adorganizationalunit Test2
3. To create a new user, type the following. (Note: by default, the user will be created in the Users container if no other option is specified. For this demo, the account is created in the New Users OU.)
new-aduser -name TestUser1 -department IT -city "New York" -organization "Contoso"
4. To move the user to another OU, type the following command.
get-aduser -filter 'Name -eq "TestUser1"' | move-adobject -targetpath "ou=Test2,dc=contoso,dc=com"
5. To get a group and view its members, type the following commands.
get-adgroup -filter "Name -eq 'Domain Admins'"
get-adgroup -filter "Name -eq 'Domain Admins'" | get-adgroupmember
6. To add a new user to a group, type the following command.
add-adgroupmember "Marketing" testuser1
7. To set the password and enable a user account, type the following commands. (The password is in single quotes: inside a double-quoted string PowerShell would expand $$ and $w0rd1 as variables, and a different password would be set.)
Set-ADAccountPassword testuser1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd1' -Force)
get-aduser -filter 'Name -eq "TestUser1"' | enable-adaccount
74
Lab C: Use Windows PowerShell to Administer Active Directory
Exercise: Use PowerShell Commands to Administer Active Directory
In this lab, students will use Windows PowerShell to administer Active Directory.
Lab Objectives
Use Windows PowerShell to administer Active Directory from the command line.
Scenario
Contoso is growing, and changes need to be made to objects in Active Directory. You are an administrator of AD DS, and you know that it is easier to view, create, delete, and modify objects by using Windows PowerShell.
Exercise
In this exercise, you will use Windows PowerShell to perform basic administrative tasks.
Logon information
Virtual machine: 6425C-NYC-DC1
Administrative user name: Contoso\Administrator
Password: Pa$$w0rd
Estimated time: 15 minutes
75
Lab Scenario
Contoso is growing, and changes need to be made to objects in Active Directory. You are an administrator of AD DS, and you know that it is easier to view, create, delete, and modify objects by using Windows PowerShell.
76
Lab Review
Which common Active Directory cmdlet parameter is used to limit search results to matches based on attributes?
Which common Active Directory cmdlet parameter is used to specify the attributes that you want in your query results?
How can you see a list of all attributes that are available for an Active Directory object?
Use the questions on the slide to guide the discussion after students have completed the lab exercises.
Question: Which common Active Directory cmdlet parameter is used to limit search results to matches based on attributes?
Answer: -filter.
Question: Which common Active Directory cmdlet parameter is used to specify the attributes that you want in your query results?
Answer: Properties
Question: How can you see a list of all attributes that are available for an Active Directory object?
Answer: Get-ADUser -Filter * -Properties * -ResultSetSize 1 | fl *
77
Module Review and Takeaways
Review Questions
Tools
Windows Server 2008 R2 Features Introduced in this Module
Review Questions
1. What are the four main snap-ins used for Active Directory administration?
Answer: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.
2. Is the Active Directory Administrative Center based upon an MMC?
Answer: No, it is based upon Windows PowerShell.
3. List some of the tasks that can be performed with Windows PowerShell.
Answer:
User, Computer, and Group Management
Organizational Unit Management
Password Policy Management
Search and modify objects
Forest and Domain Management
Domain Controller and Operations Master Management
Managed Service Account Management
Tools
Tool                                     Use for                               Where to find it
Active Directory Users and Computers     Managing an Active Directory domain   Administrative Tools
Active Directory Administrative Center
Windows PowerShell
Windows Server 2008 R2 Features Introduced in this Module
Windows Server 2008 R2 feature                   Description
Active Directory Administrative Center           Used to manage Active Directory Domain Services
Active Directory Module for Windows PowerShell   Used to manage Active Directory Domain Services using Windows PowerShell
78
Module 3: Managing Users and Service Accounts
Presentation: 45 minutes, Lab: 45 minutes
Module Goal
Provide coverage of administrative tasks related to the creation and management of user objects and their “account” attributes. Early lessons cover fundamentals; later lessons cover automation.
Lesson 1 focuses on the administration of user accounts in Active Directory®: creation, configuration, and administration (for example, password resets). Lesson 2 expands the discussion to look at the other properties of a user object. Lesson 3 describes bulk import and export operations by using Comma Separated Value Directory Exchange (CSVDE) and Lightweight Directory Access Protocol Data Interchange Format Directory Exchange (LDIFDE).
Objectives
Create and administer user accounts.
Configure the account-related properties of a user object.
Automate the creation of user accounts.
Create and administer managed service accounts.
Preparation for Labs
There are four labs that occur during the course of the module. The labs have dependencies on each other, so students should not shut down the single required virtual machine after each lab. If you wish to prepare for them now and save the time taken for startup, you should ask students to start the virtual machines now. The virtual machine used in all labs is 6425C-NYC-DC1.
79
Preparation for Demos
To prepare for demos in this module, start the 6425C-NYC-DC1 virtual machine and log on to NYC-DC1. Log on as a standard user account (either the pre-created Pat.Coleman account or create an account for yourself) and run the Active Directory Users and Computers snap-in as an administrator (either the pre-created Pat.Coleman_Admin account or create an account for yourself that is a member of Domain Admins).
80
Module Overview
Create and Administer User Accounts
Configure User Object Attributes
Automate User Account Creation
Create and Configure Managed Service Accounts
Objective: Discuss the role and importance of user accounts.
Ask students to describe some of the tasks they or their colleagues perform on a day-to-day basis to support user accounts. Ask students to estimate the percentage of help desk calls at a typical organization that are for password reset. Ask students if any of them work in organizations where there are mass influxes or mass exoduses of users (for example, in educational institutions). How much work is it to manage user accounts during those intense periods of change? Ask students if any of them are concerned about security and therefore about the integrity of user accounts.
81
Lesson 1: Create and Administer User Accounts
User Account
Create Users with Windows PowerShell
Demonstration: Create a User Object
Name Attributes
Account Attributes
User Account Management
82
User Account
A user account:
Enables authentication of a user with attributes, including a user logon name and password
Is a security principal with a security identifier (SID) that can be assigned permissions to resources
A user account can be stored:
In Active Directory, where it enables logon to the domain and can be assigned permissions to resources anywhere in the domain
Domain user accounts are administered with Active Directory snap-ins and commands
In the local SAM database of a member computer, where it enables logon to the local computer and can be assigned permissions to local resources
Local user accounts are administered with the Local Users and Groups snap-in
Objective: Introduce user accounts and clarify terminology. The terminology used in the beginning of the module is user account, because that is what most administrators call a user object. Later lessons refer to the user object to be more technically purist. There’s technically no such thing as a user account—there’s the user object, which has a subset of properties, such as the security identifier (SID), logon names, password, and account flags, that make up what would be considered the account. For most audiences, it won’t be necessary to elaborate on this technicality, but the information is in the student handbook in the event that there is any confusion. If a question is raised, you can explain that the terms account and object are used interchangeably by administrators when referring to users.
Reference: Active Directory Users and Computers Help: Managing Users: Create a New User Account:
83
Create Users with PowerShell
New-ADUser -Name <string> [Parameters]
-Name: Name of the user to create. If no other parameters are provided, this will also be the SAM account name.
[Parameters]: Parameters may include:
-SAMAccountName: The name with which the user logs on.
-AccountPassword: Used to set the account password. If this is not provided, the password is null and the account is disabled.
-Enabled: Used to enable the account. If this is not provided, the account is disabled by default.
-Path: Used to specify the location where the object should be created. By default, it will be created in the Users container.
Get-Help New-ADUser -Detailed: Use to get full explanations of the parameters that can be used.
Objective: Windows® PowerShell® can be used to create users. Consider opening the Active Directory Module for Windows PowerShell and using the Get-Help New-ADUser command to display a list of parameters. Discuss the most important parameters.
Reference: Creating a User with Windows PowerShell:
84
Demonstration: Create a User Object
In this demonstration, you will learn:
How to create a user
How to configure the properties of a user object
Objective: Cover the basics of user account creation so that the New User UI is familiar.
Students may be familiar with the process of creating and configuring user accounts. If they are, as you perform the demonstration, ask them to provide the next steps for creating user accounts and for configuring settings. The student handbook includes the procedure for creating a user account, including details about each attribute that appears in the New Object - User dialog box. These details are included to answer any questions students might have about what they are seeing in the interface. However, you should be careful not to go into too much detail about the specific attributes of a user object, or about any user administrative tasks other than creating the object. Later topics in this module cover everything students will want and need to know about user accounts. The steps below are identical to those in one of the exercises in this module, so you will be previewing the lab to the students.
Logon and virtual machine information for demos is on SLIDE 2 for the entire module.
Before performing this demonstration, open Windows Explorer and browse to D:\Labfiles\Lab03a. Run the Lab03a_Setup command with administrative credentials.
Create a user account:
1. Expand contoso.com, and then expand the User Accounts OU.
2. Right-click the Employees OU, point to New, and then click User.
3. In First name, type the user’s first name: Chris.
4. In Last name, type the user’s last name: Mayo.
5. In User logon name, type the user’s logon name: Chris.Mayo.
6. In the User logon name (pre-Windows 2000) text box, enter the pre-Windows 2000 logon name: Chris.Mayo.
7. Click Next.
8. Type Pa$$w0rd in the Password and Confirm password boxes.
Point out that the default password policy for an Active Directory domain requires a password of seven or more characters. Additionally, the password must contain three of four character types: uppercase (A-Z), lowercase (a-z), numeric (0-9), and non-alphanumeric (for example, !, $, #, %). The password cannot contain any of the user’s name or logon name attributes. Optionally, attempt to create the user account with a password that does not meet the policy, so that students can see the error that appears. In a production environment, you should use a unique, strong password for each user account that you create.
9. Ensure that User must change password at next logon is selected, and then click Next.
10. Review the summary, and then click Finish.
85
References: Active Directory Users and Computers Help: Managing Users: Create a New User Account:
86
Name Attributes
User logon name (pre-Windows 2000): sAMAccountName
Unique in domain
20-character limit
Example: CONTOSO\Tony.Krijnen
User logon name: userPrincipalName (UPN)
Name + UPN suffix
Unique in forest
Name or Full Name: cn (common name)
Unique in OU so that the relative distinguished name (RDN) is unique in the OU, so that, in turn, the object’s distinguished name (distinguishedName attribute) is unique in the forest
Example: Tony Krijnen
Display name: displayName
Exchange global address list (GAL)
Best if unique, but not technically required to be unique
Example: Krijnen, Tony
Objective: Discuss the name attributes and the real-world challenges of managing name attributes.
Discuss the name attributes listed on the slide, highlighting the role and uniqueness requirement of each name. Another module discussed common names (CNs), relative distinguished names (RDNs), and distinguished names (DNs). If you did not discuss those concepts, you will need to introduce them as you discuss the cn (common name). Each user must have a unique cn (within the OU), userPrincipalName (within the forest), and sAMAccountName (within the domain).
Practical Advice
sAMAccountName: Ideally, a unique identifier, such as an employee ID, that is not tied to the user’s actual name. That avoids the problems caused by two users with the same name or by a user who wishes to change his or her name. There is a 20-character limit (enforced by SAM). The attribute itself is 256 characters.
userPrincipalName: Ideally, the same as the user’s e-mail address, which must be unique to the forest (and to the whole world, for that matter).
cn: firstName lastName
displayName: lastName, firstName
Reference: Object Names:
Question: What do you do in your organization to ensure the uniqueness of name attributes, and what naming conventions do you use? Elicit suggestions from students who have experience in production Active Directory environments.
87
Time and audience permitting, this slide can open up a discussion of some very important and real considerations. Discuss the following challenges and proposed solutions, and find out what your students’ organizations are doing, if anything, to meet the challenges.
REAL WORLD DISCUSSION: sAMAccountName and the “two Scott Mitchells” problem
Many organizations use initials or some combination of first and last name to generate the sAMAccountName. That approach can be problematic, because any good-sized organization is likely to have users with names similar enough that the rules for generating the sAMAccountName would generate a duplicate name, so exceptions have to be built into the system; eventually, the rules will be riddled with exceptions. This problem is solved if the employee number or some other unique attribute of the user is used for the sAMAccountName. If you have the ability to direct the naming conventions at your organization, a unique, name-independent logon name is recommended.
REAL WORLD DISCUSSION: sAMAccountName, %username%, and user name changes
Many organizations are learning the hard way that using names or initials for the sAMAccountName can be problematic, because if a user changes his or her name, every configuration that refers to %username% must be modified: for example, roaming profile folders, redirected folders, and anything that was configured with %username% based on the user’s former name. Name changes happen for several reasons, including marriage. Many organizations simply require that users retain their old user name after marriage. That is less problematic than the reverse scenario, in which a relationship ends because of divorce or even abuse. In such situations, users cannot be expected to retain their old user name and, in fact, have gone to court in some scenarios to break the ties to their old name. Therefore, we recommend that you use a unique and independent sAMAccountName that is not directly tied to a user’s name—for example, an employee ID. One concern that organizations have with using random sAMAccountNames is that users will forget their logon names. Not to worry! Users shouldn’t be logging on by using their pre-Windows 2000 logon name anyway! The User Principal Name (UPN) can be used as a logon name instead.
REAL WORLD DISCUSSION: userPrincipalName (UPN)
The UPN must be unique in the forest. E-mail addresses, which must be unique for the whole world, certainly meet that requirement. Consider using e-mail addresses as UPNs. Users are highly unlikely to forget them.
REAL WORLD DISCUSSION: Unicode
Discuss the pros and cons of Unicode in these attributes, based on the relevance of Unicode to your locale.
88
Time and audience permitting, this slide can open up a discussion of some very important and real considerations. Discuss the following challenges and proposed solutions, and find out what your students’ organizations are doing, if anything, to meet the challenges.
REAL WORLD DISCUSSION: cn (common name) and the “two Scott Mitchells” problem
The CN must be unique in the OU in order for the RDN to be unique, and therefore, for the DN to be unique. This becomes problematic when you have “two Scott Mitchells.” If you have a single, flat OU for users that already contains a user named Scott Mitchell, and you hire a second Scott Mitchell, his user object cannot have the same common name as the first. Unfortunately, there’s no perfect answer to this problem for all organizations. Design a naming standard that applies a single rule for all CNs. Perhaps the CN should include an employee’s number—for example, Scott Mitchell (645928). If your OU structure for user accounts is flat, or if your organization is large, be prepared to address this challenge.
REAL WORLD DISCUSSION: cn (common name) and the FirstName LastName versus LastName, FirstName problem
Additionally, many organizations choose to configure the cn attribute as LastName, FirstName because, by doing so, they can sort users by last name in the Active Directory Users and Computers snap-in. This is not a recommended method to achieve the goal. Instead of using a last-name-first format for cn, the cn should be FirstName LastName. Add the Last Name column to your view in the Active Directory Users and Computers snap-in by clicking the View menu and choosing Add/Remove Columns. Then click the Last Name column header to sort by last name. [Note: The detail in this paragraph may be too much to cover in class.]
Demonstrate creating a user with the Full Name configured as LastName, FirstName. With Advanced Features selected in the View menu, open the Properties of that user and click the Attribute Editor tab. Locate the distinguishedName attribute. Point out that the CN becomes LastName\, FirstName. The backslash is used to "escape" the comma character, because the comma is a reserved character in a DN and is used to delimit the components of the DN.
It is perfectly reasonable to configure the displayName attribute as LastName, FirstName. This solves a related problem: finding users in the Exchange global address list (GAL). Unfortunately, when you create a user account, the Full Name field in the New Object - User dialog box is used to populate both the cn and the displayName attributes. So you should enter FirstName LastName for Full Name when creating the object. Then, after the object has been created, you can use the Rename command, the Attribute Editor, or some other procedure to change the displayName attribute to LastName, FirstName.
ADVANCED TIP: You can change the format used to create the displayName by using ADSIEdit to change the value of the createDialog attribute of the following object in the Configuration partition: CN=user-Display,CN=409,CN=DisplaySpecifiers. The attribute can use the following tokens: %<sn>, %<givenName>, and %<initials>. So %<sn>, %<givenName> would set the default format to LastName, FirstName. For more details, see .
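The naming advice from the Name Attributes discussion (employee ID as sAMAccountName, e-mail address as UPN, FirstName LastName as cn, LastName, FirstName as displayName, comma escaping in the DN) applied to the New-ADUser parameters from the Create Users with PowerShell slide, as an added example that is not part of the course material; New-ContosoUser, ConvertTo-EscapedRdnValue and the OU path are assumed names, and the Active Directory module must be loaded with create rights on the target OU.

```powershell
# Added example (not part of Course 6425C). Function names, the employee-ID
# convention and the default OU path are assumptions made for this example.
Import-Module ActiveDirectory

function ConvertTo-EscapedRdnValue {
    # Escapes the characters reserved in a DN (RFC 4514), so a cn such as
    # "Mitchell, Scott" is written as "Mitchell\, Scott" instead of splitting the DN.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value -replace '([,+"\\<>;=])', '\$1'
    # A leading '#' and a leading or trailing space must also be escaped.
    $escaped = $escaped -replace '^#', '\#' -replace '^ ', '\ ' -replace ' $', '\ '
    return $escaped
}

function New-ContosoUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$EmployeeId,        # name-independent logon name
        [Parameter(Mandatory)][string]$Mail,              # becomes the UPN
        [Parameter(Mandatory)][securestring]$InitialPassword,
        [string]$OUPath = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'
    )

    # sAMAccountName: unique in the domain and at most 20 characters (SAM limit).
    if ($EmployeeId.Length -gt 20) { throw "sAMAccountName '$EmployeeId' exceeds 20 characters" }
    if (Get-ADUser -Filter { SamAccountName -eq $EmployeeId }) {
        throw "sAMAccountName '$EmployeeId' already exists in the domain"
    }

    # userPrincipalName: unique in the forest, so ask a global catalog (port 3268),
    # not just the local domain.
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    if (Get-ADUser -Filter { UserPrincipalName -eq $Mail } -Server "$($gc):3268") {
        throw "UPN '$Mail' already exists in the forest"
    }

    # cn: FirstName LastName, which only has to be unique within the OU. The
    # "two Scott Mitchells" case is disambiguated with the employee ID, as suggested.
    $cn = "$GivenName $Surname"
    if (Get-ADObject -SearchBase $OUPath -SearchScope OneLevel -Filter { Name -eq $cn }) {
        $cn = "$GivenName $Surname ($EmployeeId)"
    }

    # displayName: LastName, FirstName is safe here because it is not part of the DN.
    $displayName = "$Surname, $GivenName"

    $user = New-ADUser -Name $cn `
        -GivenName $GivenName -Surname $Surname `
        -DisplayName $displayName `
        -SamAccountName $EmployeeId `
        -UserPrincipalName $Mail `
        -EmailAddress $Mail `
        -Path $OUPath `
        -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true `
        -Enabled $true `
        -PassThru

    # Report what was created; ExpectedRdn shows how a comma in the cn would be escaped.
    [pscustomobject]@{
        DistinguishedName = $user.DistinguishedName
        ExpectedRdn       = 'CN=' + (ConvertTo-EscapedRdnValue $cn)
        SamAccountName    = $user.SamAccountName
        UserPrincipalName = $user.UserPrincipalName
        DisplayName       = $displayName
    }
}

# Usage (values are constructed for the example; the password is prompted, not typed
# into the script):
# New-ContosoUser -GivenName Scott -Surname Mitchell -EmployeeId 645928 `
#     -Mail scott.mitchell@contoso.com `
#     -InitialPassword (Read-Host -AsSecureString 'Initial password')
```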
89
Account Attributes
Logon Hours
Log On To
User must change password at next logon
User cannot change password
Password never expires
Account is disabled
Store password by using reversible encryption
Smart card is required for interactive logon
Account is trusted for delegation
Account expires
Objective: Discuss important account attributes.
Point out the obvious options:
User must change password at next logon
User cannot change password
Password never expires
Account is disabled
Then discuss these options, which are commonly used and likely to appear in examinations:
Logon Hours
Log On To
Account expires
The remaining options can be discussed if time permits, or users can read about them on their own. Optionally, mention that some of these properties are stored in a single attribute called userAccountControl.
Reference: User Properties - Account Tab:
User Account Management

Account management involves the following tasks:
- Renaming a user account
- Resetting a user password
- Unlocking a user account
- Disabling or enabling a user account
- Moving a user account
- Deleting a user account

Objective: Identify account management tasks.

Consider demonstrating each of these tasks by using Active Directory Users and Computers, the Active Directory Administrative Center, and the Active Directory Module for Windows PowerShell. Use examples from the workbook so that students can follow along.

Questions: Discuss these questions:

1. What are the security implications of administrators having the right to reset user passwords?
- Access to resources to which the user has permission
- Ability to "impersonate" a user and perform tasks that the administrator should not be performing, without accurate auditing of who actually did it
- Denial of service: an administrator accidentally or intentionally resets a user's password and the user cannot authenticate

2. Who should be able to reset the password for standard users? For accounts with administrative privileges? For service accounts?
Guide students to an understanding that, typically, there is a tiered management of accounts whereby the help desk can change user passwords, but not administrator passwords; the admins who can change admin and service account passwords are a small, well-trained group.

3. What business practices for password reset are in place at your organization?
Elicit as much diverse experience as possible. Are there organizations in which password reset has been removed as an administrative task, and is instead supported by a password reset Web application?

4. Other than forgotten passwords, have you experienced other scenarios that lead to account lockout?
You can initiate the conversation by discussing a common cause of account lockout: drives mapped with alternate credentials. When the password for the alternate credentials changes or is expired, the mapped drive may attempt repeatedly to connect, leading to an account lockout.
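The lockout discussion above stops at the cause; the following added example (not part of the course) shows how an administrator finds the computer that is generating the lockouts, which is how the "stale mapped drive" pattern is confirmed in practice. It reads event 4740 from the PDC emulator, which records every lockout in the domain; the function names are assumptions, and the caller needs read access to that DC's Security log and the Active Directory module.

```powershell
# Added example, not from Course 6425C: locate the source of account lockouts.
# Event 4740 ("A user account was locked out") is written on the PDC emulator for every
# lockout in the domain. Its TargetDomainName field carries the caller computer name,
# which is what identifies a workstation still retrying an old password.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$DomainController = (Get-ADDomain).PDCEmulator,   # needs the AD module
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Read the named fields from the event XML instead of scraping the message text,
            # so the result does not depend on the display language of the DC
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time             = $_.TimeCreated
                Account          = $data['TargetUserName']
                CallerComputer   = $data['TargetDomainName']
                DomainController = $DomainController
            }
        } |
        Where-Object { $_.Account -eq $UserName }
}

# One computer locking the same account again and again, shortly after a password change,
# is the mapped-drive (or saved credential / scheduled task) pattern described above.
function Get-LockoutSourceSummary {
    param([Parameter(Mandatory)][string]$UserName, [int]$Hours = 24)
    Get-LockoutSource -UserName $UserName -Hours $Hours |
        Group-Object -Property CallerComputer |
        Sort-Object -Property Count -Descending |
        Select-Object @{Name = 'CallerComputer'; Expression = { $_.Name }},
                      Count,
                      @{Name = 'LastLockout'; Expression = {
                          ($_.Group | Sort-Object -Property Time -Descending | Select-Object -First 1).Time }}
}

# Usage (account name is a constructed sample):
Get-LockoutSourceSummary -UserName 'Chris.Mayo' -Hours 48 | Format-Table -AutoSize
```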
Lab A: Create and Administer User Accounts

- Exercise 1: Create User Accounts
- Exercise 2: Administer User Accounts

In this lab, students will create and administer user accounts. The goal of the lab is to provide a comprehensive experience with both user-interface and command-line tools for creating and administering Active Directory user accounts.

Scenario
You are the administrator of Contoso, Ltd., an online university for adult education. Two new employees have been hired: Chris Mayo and Amy Strande. You must create accounts for these users. After some time, Chris Mayo leaves the organization, and his account must be administered according to the company policy for user account life-cycle management.

Exercise 1
In this exercise, students will create user accounts with both the Active Directory Users and Computers snap-in and Windows PowerShell.

Exercise 2
In this exercise, students will perform common tasks that support user accounts through their life cycle in Active Directory.

Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.

NOTE: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in Lab B.

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 10 minutes
Lab Scenario

You are the administrator of Contoso, Ltd., an online university for adult education. Two new employees have been hired: Chris Mayo and Amy Strande. You must create accounts for these users. After some time, Chris Mayo leaves the organization, and his account must be administered according to the company policy for user account life-cycle management.
Lab Review

- In this lab, which attribute can be modified to prompt for the password when you are creating a user account with Windows PowerShell?
- What happens when you create a user account that has a password that does not meet the requirements of the domain?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: In this lab, which attribute can be modified to prompt for the password when you are creating a user account with Windows PowerShell?
Answer: -AccountPassword (Read-Host -AsSecureString "AccountPassword")

Question: What happens when you create a user account that has a password that does not meet the requirements of the domain?
Answer: The account is created, but it is disabled. It cannot be enabled until a password that meets the requirements of the domain is configured.
Lesson 2: Configure User Object Attributes

- A Tour of User Attributes
- View All Attributes
- Modify Attributes of Multiple Users
- Modify User Attributes by Using Windows PowerShell
- Demonstration: Create a User Template
- Create Users with Templates
A Tour of User Attributes

In this demonstration, you will learn:
- How to access the properties of a user
- The role of each tab in the user Properties dialog box

Objective: Give a tour of user object attributes.

If it is not already started, start the 6425C-NYC-DC1 virtual machine and log on to NYC-DC1. Log on as user Pat.Coleman, with the password Pa$$w0rd. Run the Active Directory Users and Computers snap-in as an administrator (use the Pat.Coleman_Admin account with the password Pa$$w0rd). Open the properties of a user account (use the Jeff Ford account in the Employees OU) and step through a quick tour of user attributes.

The goals of the tour are:
- Illustrate the diversity of attributes
- Emphasize the importance of configuring attributes after creating a user
- Highlight particularly interesting attributes

There is another topic that goes into detail about the user name attributes and the attributes on the Account tab, so you should not give those attributes more than passing mention during the tour.

Organize the tour by the categories of attributes listed in the student handbook:
- Account attributes: the Account tab
- Personal information: the General, Address, Telephones, and Organization tabs
- User configuration management: the Profile tab
- Group membership: the Member Of tab
- Terminal services: the Terminal Services Profile, Environment, Remote Control, and Sessions tabs
- Remote access: the Dial-in tab
- Applications: the COM+ tab (we recommend that you skip this tab, as it is well beyond the scope of this course)
View All Attributes

- The Attribute Editor tab
- In Active Directory Users and Computers, click the View menu, and then select Advanced Features

Objective: The Attribute Editor provides visibility to useful attributes that do not appear on other tabs of a user's Properties dialog box.

The Attribute Editor was covered in another module. If you have already discussed, demonstrated, or performed labs with the Attribute Editor, then simply remind students that it is available if Advanced Features are enabled. If you have not yet covered the Attribute Editor, spend time showing students that the tab appears only when Advanced Features is enabled in the Active Directory Users and Computers View menu.

Using the illustration on the slide, or continuing the demonstration from the previous slide, emphasize that there are a number of attributes for an object that are not presented in the Properties dialog box. These hidden attributes include some very useful ones, such as employeeID, employeeNumber, employeeType, division, assistant, and carLicense.

Question: Are you using any of the hidden attributes in your organization? If so, how do you interact with those attributes (read them and modify them)?

Elicit discussion and input from students whose organizations use these hidden attributes. It's possible that no student works at such an organization. In that case, open the Attribute Editor tab of a user object and scroll through the attributes. Ask students if they see any attributes that could provide value to them in their organization.
Modify Attributes of Multiple Users

Procedure for modifying attributes:
- Select multiple users (for example, by using CTRL+click)
- Right-click any one of the selected users, and then click Properties

Attributes that can be modified:
- General: Description, Office, Telephone Number, Fax, Web page
- Account: UPN suffix, Logon hours, Computer restrictions (logon workstations), all Account options, Account expires
- Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, Country/region
- Profile: Profile path, Logon script, Home folder
- Organization: Job Title, Department, Company, Manager

Objective: You can multi-select users and change a subset of properties.

If possible, demonstrate the steps: select multiple users and open the Properties dialog box.
Modify User Attributes by Using PowerShell

Get-ADUser returns attributes of objects:
Get-ADUser UserDN… [-parameter value]
- UserDN: distinguishedName of the user
- parameter: name of the attribute
- value: value for the attribute (or use * for all attributes)

Set-ADUser modifies specified attributes:
Set-ADUser UserDN [-parameter value]
- parameter value: attribute and value to be modified

Example using both cmdlets together:
Get-ADUser Tony.Krijnen | Set-ADUser -Office "Stockholm"

Objective: Use Windows PowerShell to work with user attributes.

References:
Setting a User's Profile Attributes:
Modifying an Attribute for Several Users at Once:
Demonstration: Create a User Template

In this demonstration, you will learn:
- What a template user account is, and why it is useful
- How to create a template user account

Objective: Create and use a user account template.

In this demonstration, you will walk students through the creation and use of template user accounts. Begin by describing the concept of templates. Ensure students understand why they are helpful and how they are used.

- Right-click the Employees OU, point to New, and then click User.
- Leave the First name and Last name boxes empty. In the Full name box, type _Sales User. Point out to students that the underscore prefix will put the template at the top of the user list in the OU, making it easier to find.
- In User logon name, type Template.Sales. In the User logon name (pre-Windows 2000) text box, enter the pre-Windows 2000 logon name: Template.Sales.
- Click Next.
- Type Pa$$w0rd in the Password and Confirm password boxes. Ensure that User must change password at next logon is selected. Select Account is disabled.
- Review the summary and click Finish.
Demonstration: Create a User Template (notes continued)

Configure the template's attributes:
- Right-click _Sales User, and then click Properties.
- Click the Member Of tab. Click Add. Type Sales and click OK. The Multiple Names Found dialog box appears. Select Sales and click OK.
- Click the Organization tab. In Department, type Sales. In Company, type Contoso, Ltd. Click the Change button in the Manager section. Type Anibal Sousa and click OK.
- Click the Account tab. In the Account Expires section, click End Of, and then select the last day of the current year.
- Click OK.

Now demonstrate creating a user from the template:
- Right-click _Sales User, and then click Copy.
- In First name, type Amy. In Last name, type Strande.
- In User logon name, type Amy.Strande. Confirm that the User logon name (pre-Windows 2000) is also Amy.Strande, and click Next.
- In Password and Confirm password, type Pa$$w0rd. Clear Account is disabled.
- Click Next, review the summary, then click Finish.
- Open the object and show the configured attributes.

Reference: Copy a User Account:
Create Users with Templates

- General tab: no properties are copied
- Address tab: P.O. box, city, state or province, ZIP or postal code, and country or region are copied. Note that the street address itself is not copied
- Account tab: logon hours, logon workstations, account options, and account expiration
- Profile tab: profile path, logon script, home drive, and home folder path
- Organization tab: department, company, and manager
- Member Of tab: group membership and primary group

Objective: Copying a template copies only a subset of attributes. Some very useful attributes are not copied.

Draw attention to the similarities that the user accounts of people working in similar parts of an organization might have: group memberships or department attributes, for example. Emphasize that not all attributes are copied. In fact, most are not copied. Even some attributes that you would think would be copied, such as office, are not copied. So it is important that you know which attributes are and are not copied. It is not helpful to configure attributes that won't be copied.

Many administrators consider the list of copied attributes to be somewhat limited. For example, you might want the job title and street address attributes to be copied.

Advanced Tip: You can modify which attributes are copied to a new user. To do this, open the Active Directory Schema snap-in, view the desired attribute properties, and select (or clear) the Attribute is copied when duplicating user check box. You can modify or add only the attributes that are instances of the user class. See Knowledge Base article at for instructions.

You will be well served to use more advanced methods for automating the creation of user accounts, including DS commands, Windows PowerShell, VBScript, CSVDE, and LDIFDE.

Question: Discuss this question, which also appears in the student handbook. What other methods do you use to create new user accounts with common attributes?

Do students use scripts or automation to provision users? Increasing numbers of organizations have automated tools to provision users in Active Directory based on changes made in a human resources database. Microsoft Identity Lifecycle Manager (ILM) is one example of such metadirectory tools.
Lab B: Configure User Object Attributes

- Exercise 1: Examine User Object Attributes
- Exercise 2: Manage User Object Attributes
- Exercise 3: Create Users from a Template

In this lab, students will use command-line and user-interface tools to configure the attributes of one or more user objects. They will also create a user account template and copy it as the basis for a new user account.

Scenario
You are the administrator of Contoso, Ltd., an online university for adult education. Changes in the Sales department require you to modify attributes of Sales users. Additionally, you decide to make it easier to create new accounts for sales people by preparing a user account template.

Exercise 1
In this exercise, students will examine the attributes of a user object.

Exercise 2
In this exercise, students will manage the attributes of user objects.

Exercise 3
In this exercise, students will create a user account template and then generate a new user account based on that template.

Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.

NOTE: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in Lab C.

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 15 minutes
Lab Scenario

You are the administrator of Contoso, Ltd., an online university for adult education. Changes in the Sales department require you to modify attributes of Sales users. Additionally, you decide to make it easier to create new accounts for sales people by preparing a user account template.
Lab Review

- What are the options for modifying attributes of new and existing users?

Use the question on the slide to guide the discussion after students have completed the lab exercises.

Question: What are the options for modifying the attributes of new and existing users?
Answer: Multiselecting users and opening the Properties dialog box, using the DSMod command, and creating a user account based on a user account template.

It is also worth pointing out to students that user account templates, while an interesting concept, are not regularly utilized in the real world. This is because they don't support many attributes that administrators would want to copy to a new account, and an administrator must still configure a number of properties during and after creating a new user based on the template. Scripting is a far more powerful way to provision user accounts. Even commands such as CSVDE and LDIFDE, covered in the next lesson, can offer more value than user account templates.
Lesson 3: Automate User Account Creation

- Export Users with CSVDE
- Import Users with CSVDE
- Import Users with LDIFDE
- Import Users with Windows PowerShell
Export Users with CSVDE

Diagram: CSVDE.exe exports Active Directory objects to filename.csv and imports from it.

- CSV (comma-separated value, or comma-delimited text)
- Can be edited with simple text editors such as Notepad, or with Microsoft Office Excel
- csvde -f filename -d RootDN -p SearchScope -r Filter -l ListOfAttributes
  - RootDN: start of export (default = domain)
  - SearchScope: scope of export (Base, OneLevel, Subtree)
  - Filter: filter within the scope (LDAP query language)
  - ListOfAttributes: use the LDAP name

Objective: You can export data from Active Directory by using CSVDE.

Comma Separated Value Directory Exchange (CSVDE) uses a comma-separated value (CSV) file as input to make changes to the directory. CSV files are written in text format and can be edited by using any text editor. For best viewing and editing of CSV files, use Microsoft® Office Excel®.

Mention that one of the best ways to view the format for the CSVDE file is to export data from AD DS by using CSVDE. Because of the large amount of data that is exported with these commands, suggest that students start by exporting an OU with only a few users (using the -d switch). They should also learn the command switches for specifying the columns to export (the -l switch). It is not expected that you go into any depth about the LDAP query language or the LDAP attribute names. You can tell users they will experience examples in the Lab for this lesson.

References:
CSVDE:
LDAP Query Syntax:
Import Users with CSVDE

Diagram: CSVDE.exe imports filename.csv into Active Directory.

- csvde -i -f filename [-k]
  - -i: import (default mode is export)
  - -k: continue past errors (such as Object Already Exists)
- Cannot import passwords, so users are created as disabled
- Cannot modify existing users

Objective: CSVDE allows you to import users from a CSV file.

Point out that the default mode for CSVDE is export, and that you must specify -i to perform an import. Also mention that CSVDE cannot import passwords, and therefore accounts are created in a disabled state if there is any password policy in effect, and that CSVDE cannot modify existing users. In fact, CSVDE will generate an error and stop processing the .csv file if it encounters an object that already exists. The -k switch instructs the CSVDE command to skip the line that generated an error and continue to the next line.

References:
CSVDE:
Import Users with LDIFDE

Diagram: LDIFDE.exe imports filename.ldf into Active Directory.

- LDAP Data Interchange Format (LDIF)
- ldifde [-i] [-f filename] [-k]
  - -i: import (default mode is export)
  - -k: continue past errors (such as Object Already Exists)
- Cannot import passwords, so users are created as disabled
- Can modify or remove existing users

Objective: You can use LDIFDE to import users into Active Directory.

LDIFDE is the second of the two tools (with CSVDE) that you can use to import or export data from Active Directory. LDAP Data Interchange Format Directory Exchange (LDIFDE) uses an LDAP Data Interchange Format (LDIF) file as input to make changes to the directory. LDIF files are written in text format, and you can edit them by using any text editor.

Mention that one of the best ways to view the format for the LDIFDE file is to export data from Active Directory Domain Services (AD DS) by using LDIFDE. Because of the large amount of data that is exported with these commands, suggest that students start by exporting an OU with only a few users. Consider showing students a sample LDF file in Notepad, and stepping students through the syntax. A sample file is in D:\Labfiles\Lab03c\NewUsers.ldf.

References:
LDIFDE:
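To make the LDIF syntax concrete, and to show the DN escaping rule from the Attribute Editor discussion (LastName\, FirstName) being applied rather than just described, here is an added example that is not part of the course: it converts an HR CSV extract into an LDIF file that ldifde -i can import. The function names, the CSV columns (GivenName, Surname, SamAccountName, Department), the target OU and the UPN suffix are assumptions for the contoso.com lab domain.

```powershell
# Added example, not from Course 6425C: build an LDIF file for LDIFDE from a CSV extract,
# applying RFC 4514 DN escaping and RFC 2849 LDIF value encoding.

function ConvertTo-EscapedRdnValue {
    # RFC 4514: these characters structure a DN, so inside an RDN value each must be
    # preceded by a backslash; "Mayo, Chris" becomes "Mayo\, Chris"
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    $escaped = $escaped -replace '^([# ])', '\$1'      # leading '#' or space
    $escaped = $escaped -replace '( )$', '\$1'         # trailing space
    return $escaped
}

function Format-LdifAttribute {
    # RFC 2849: a value that starts with space, ':' or '<', ends with whitespace, or
    # contains anything outside printable ASCII must be base64-encoded and written "name:: value"
    param([Parameter(Mandatory)][string]$Name, [string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return }    # omit empty attributes entirely
    if ($Value -match '^[ :<]|\s$|[^\x20-\x7E]') {
        $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
        return "${Name}:: $b64"
    }
    return "${Name}: $Value"
}

function ConvertTo-UserLdif {
    param(
        [Parameter(Mandatory)][object[]]$Users,        # rows from Import-Csv / ConvertFrom-Csv
        [string]$TargetOu  = 'OU=UserAccounts,DC=contoso,DC=com',   # assumed OU
        [string]$UpnSuffix = 'contoso.com'                          # assumed suffix
    )
    foreach ($u in $Users) {
        $display = "$($u.Surname), $($u.GivenName)"    # LastName, FirstName, as the notes recommend
        $cn = ConvertTo-EscapedRdnValue -Value $display
        Format-LdifAttribute 'dn' "CN=$cn,$TargetOu"   # the dn line follows the same encoding rule
        'changetype: add'
        'objectClass: user'
        Format-LdifAttribute 'sAMAccountName'    $u.SamAccountName
        Format-LdifAttribute 'userPrincipalName' "$($u.SamAccountName)@$UpnSuffix"
        Format-LdifAttribute 'givenName'         $u.GivenName
        Format-LdifAttribute 'sn'                $u.Surname
        Format-LdifAttribute 'displayName'       $display
        Format-LdifAttribute 'department'        $u.Department
        # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2). LDIFDE cannot import passwords,
        # so state explicitly that the account stays disabled until a password is set
        'userAccountControl: 514'
        ''                                              # blank line terminates the record
    }
}

# Constructed sample standing in for the HR extract (not course data); both rows
# exercise the comma-in-CN escaping
$csvText = @'
GivenName,Surname,SamAccountName,Department
Chris,Mayo,Chris.Mayo,Sales
Amy,Strande,Amy.Strande,Sales
'@
$users = $csvText | ConvertFrom-Csv
ConvertTo-UserLdif -Users $users | Set-Content -Path .\NewUsers.ldf -Encoding Ascii
# Then, on the DC:  ldifde -i -f NewUsers.ldf -k
```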
Import Users with Windows PowerShell

Diagram: Windows PowerShell imports filename.csv into Active Directory.

Objective: You can use Windows PowerShell to import users into Active Directory.

You can use the following two cmdlets to import objects into Active Directory:
- Import-CSV
- New-ADUser

Import-CSV Users.csv | foreach {New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name -Surname $_.Surname -GivenName $_.GivenName -Path "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" -AccountPassword (ConvertTo-SecureString -AsPlainText $_.SamAccountName -Force) -Enabled $true}
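The one-liner on the slide sets every new account's password to its own SamAccountName, which is predictable and identical on every run, and it does not force a change at first logon. The following added example (not the course's own code) is a hardened version of the same Import-Csv to New-ADUser pipeline: it issues a random one-time password per user, requires a change at first logon, and skips accounts that already exist. It assumes the Active Directory module is loaded, the slide's CSV columns and OU path, and the function names shown.

```powershell
# Added example, not from Course 6425C: hardened bulk user creation from a CSV file.

function New-RandomPassword {
    param([int]$Length = 16)
    # Ambiguous glyphs (l, 1, I, O, 0) are left out because the value is read to the user out of band
    $chars = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()   # not Get-Random
    $limit = 256 - (256 % $chars.Length)   # reject bytes at or above this to avoid modulo bias
    $buf   = New-Object byte[] 1
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
        }
        $pw = $sb.ToString()
        # Retry until all four character classes are present, so the domain's complexity
        # policy accepts it; otherwise New-ADUser would leave the account disabled
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

function Import-NewUsers {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$Path = 'OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM'   # path from the slide
    )
    Import-Csv -Path $CsvPath | ForEach-Object {
        $sam = $_.SamAccountName
        # Unlike CSVDE, New-ADUser is not stopped by an existing object only if we check first
        if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
            Write-Warning "Skipping ${sam}: account already exists"
            return
        }
        $initial = New-RandomPassword
        try {
            New-ADUser -SamAccountName $sam -Name $_.Name -Surname $_.Surname `
                -GivenName $_.GivenName -Path $Path `
                -AccountPassword (ConvertTo-SecureString -AsPlainText $initial -Force) `
                -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
            # Hand the one-time password to the user out of band; do not write it to a file
            [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $initial }
        }
        catch {
            Write-Warning "Failed to create ${sam}: $($_.Exception.Message)"
        }
    }
}

# Usage: Import-NewUsers -CsvPath .\Users.csv
```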
Lab C: Automate User Account Creation

- Exercise 1: Export and Import Users with CSVDE
- Exercise 2: Import Users with LDIFDE
- Exercise 3: Import Users by Using Windows PowerShell

In this lab, students will use the CSVDE and LDIFDE commands to import users into Active Directory.

Exercise 1
In this exercise, students will use the CSVDE command to export user attributes and to create new user accounts from a comma-delimited text file.

Exercise 2
In this exercise, students will use LDIFDE to import two users.

Exercise 3
In this exercise, students will use Windows PowerShell to import users.

Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 10 minutes
Lab Scenario

You are the administrator of Contoso, Ltd., an online university for adult education. You are hiring several new employees. The Human Resources department has provided you with extracts from their database, in both comma-delimited text format and in LDIF format. You want to import those data files to create user accounts for the new hires.
Lab Review

- What scenarios lend themselves to importing users with CSVDE and LDIFDE?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: What scenarios lend themselves to importing users with CSVDE and LDIFDE?
Answer: If you are importing a large quantity of users, CSVDE and LDIFDE add significant value. Also, CSVDE and LDIFDE give you the ability to configure most user attributes, unlike templates, which support a very limited number of attributes.

Elicit students' thoughts as to which scenarios lend themselves to importing versus creating accounts manually in ADUC, using scripting, or with user account templates. Certainly, if you are importing a large number of users, CSVDE or LDIFDE add significant value. Propose the scenario of a university that must create accounts for 2,000 new students each semester.
Lesson 4: Create and Configure Managed Service Accounts

- Challenges of Using Standard User Accounts for Services
- What Is a Managed Service Account?
- Configure and Administer Managed Service Accounts
Challenges of Using Standard User Accounts for Services

Challenges to using standard user accounts for services include:
- Extra administration effort to manage the service account password
- Difficulty in determining where a domain-based account is used as a service account
- Extra administration effort to manage the SPN

Objective: Identify challenges to using standard user accounts as service accounts.

Discuss the following with the students:
- What types of applications do they use that have service accounts?
- How do they manage service accounts? (Relate to password management, changes to the server\account name, and so on.)
- What challenges have they encountered with service accounts?

Reference: What's New in Service Accounts in Windows Server 2008 and Windows 7:
What Is a Managed Service Account?

- Used to automate password and SPN management for service accounts used by services and applications
- Requires a Windows Server 2008 R2 server installed with:
  - .NET Framework 3.5.x
  - Active Directory module for Windows PowerShell
- Recommended to run with AD DS configured at the Windows Server 2008 R2 functional level
- Can be used in a Windows Server 2003 or 2008 AD DS environment:
  - With Windows Server 2008 R2 schema updates
  - With Active Directory Management Gateway Service

Describe the concept of managed service accounts. You may want to mention that Windows 7 also supports managed service accounts, and a similar type of account called a "virtual account", which is basically a managed local account on the computer that can be used to access a domain environment, and does not require password management. Also point out that even though AD DS based upon Windows Server® 2003 and Windows Server 2008 both support managed service accounts, you can only use managed service accounts on servers that run Windows Server 2008 R2, or on Windows 7-based computers.

Reference: Managed Service Accounts:
Configure and Administer Managed Service Accounts

- Create a managed service account:
  New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>]
- Install a managed service account on the host server:
  Install-ADServiceAccount -Identity <ADServiceAccount>
- Associate the service account with the intended service

Objective: Use PowerShell to configure and administer a managed service account.

Introduce each of these three tasks. You may want to consider demonstrating this process as you introduce the commands. As an example, you can use any existing service to associate the account.

Reference: PowerShell Commands for Managed Service Accounts:
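The three tasks on the slide carried through end to end, as an added example that is not the course's own demonstration script. The account name (svc_app), the host (NYC-SVR1), the SPN, the contoso.com domain and the use of the Spooler service as a stand-in for "any existing service" are assumptions; the Active Directory module must be available on both machines.

```powershell
# Added example, not from Course 6425C: create, install and assign a managed service account
# with the Windows Server 2008 R2 Active Directory module.

# --- 1. On a domain controller or administrative workstation ---------------------------
Import-Module ActiveDirectory
# Create the MSA in the default container; Enabled so the host can install it
New-ADServiceAccount -Name svc_app -Path 'CN=Managed Service Accounts,DC=contoso,DC=com' -Enabled $true
# Bind the account to the single computer that may retrieve its password
Add-ADComputerServiceAccount -Identity NYC-SVR1 -ServiceAccount svc_app
# Register the SPN the service will present, so Kerberos works without manual setspn edits
Set-ADServiceAccount -Identity svc_app -ServicePrincipalNames @{Add = 'HTTP/nyc-svr1.contoso.com'}

# --- 2. On NYC-SVR1, as a local administrator -----------------------------------------
Import-Module ActiveDirectory
# The host fetches the password and stores it in its LSA secrets; from now on the machine
# rotates it automatically (like its own computer account) and no administrator ever knows it
Install-ADServiceAccount -Identity svc_app
if (-not (Test-ADServiceAccount -Identity svc_app)) {
    throw 'svc_app is not usable on this host; check that step 1 bound it to NYC-SVR1'
}

# --- 3. Still on NYC-SVR1: point the service at the MSA --------------------------------
# The logon name is DOMAIN\name$ and the password is left empty; the Service Control Manager
# retrieves it from the secret stored by step 2. The account also needs the "Log on as a
# service" right, which the Services console grants automatically but WMI does not.
$svc    = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, 'CONTOSO\svc_app$', $null)
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}
Restart-Service -Name Spooler
# Confirm the service now runs under the MSA
Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'" | Select-Object Name, StartName, State
```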
Lab D: Create and Administer Managed Service Accounts

- Exercise: Create and Associate a Managed Service Account

In this lab, students will use Windows PowerShell to create and associate a managed service account.

Exercise
In this exercise, students will create a managed service account, associate it with NYC-SVR1, and then assign the service account to a service located on NYC-SVR1.

Logon information
Virtual machines: 6425C-NYC-DC1, 6425C-NYC-SVR1
Logon user name: Pat.Coleman
Administrative user names: Pat.Coleman_Admin, Administrator
Password: Pa$$w0rd
Estimated time: 10 minutes
Lab Scenario

You are a network administrator for Contoso, Ltd. You have been asked to implement a managed service account for an application that will be installed on NYC-SVR1.
Lab Review

- You need to obtain a list of all the managed service accounts in the domain. Which cmdlet would you use?
- Which cmdlet can be used to reset the password of a managed service account?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: You need to obtain a list of all the managed service accounts in the domain. Which command would you use?
Answer: The Get-ADServiceAccount cmdlet would be used to obtain a list of managed service accounts in the domain.

Question: Which cmdlet can be used to reset the password of a managed service account?
Answer: The Reset-ADServiceAccountPassword cmdlet would be used to reset a password of a specific managed service account.
Module Review and Takeaways

- Review Questions
- Windows Server 2008 R2 Features introduced in this module

Review Questions and Answers

Question: Which administration tool should you use to create and manage user accounts within your organization?
Answer: Answers will vary; however, options include Active Directory Users and Computers, Active Directory Administrative Center, or the Active Directory Module for Windows PowerShell.

Question: Which user account attributes will be important to use within your network environment?
Answer: Answers will vary, but should be based upon attributes listed in the user account properties.

Windows Server 2008 R2 Features Introduced in this Module

Active Directory Module for Windows PowerShell: used to run Active Directory cmdlets for administering various AD DS tasks.
Managed Service Accounts: used to automate password and SPN management for service accounts used by applications and services.
121
Module 4: Managing Groups Module 4 Managing Groups
Course 6425C Module 4: Managing Groups Module 4 Managing Groups Presentation: 55 minutes, Lab: 35 minutes Module Goal Describe both the technical and the business best practices related to the management of groups in an Active Directory® domain. Objectives After completing this lesson, you will be able to: Describe the role of groups in managing an enterprise. Administer groups by using the built-in tools in Windows Server 2008. Describe the best practices for managing groups. Preparation for Demos To prepare for demos in this module, start 6425C-NYC-DC1. Preparation for Labs There are two labs during this module. The labs depend on each other, so students should not shut down the single virtual machine when they finish Lab A. If you wish to prepare for them now and save the time taken for startup, ask students to start the virtual machine now. The virtual machine used in both labs is 6425C-NYC-DC1.
122
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Course 6425C Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane. Module 4: Managing Groups About This Module This module covers groups differently than previous courses. First, the course no longer uses the AGDLP mnemonic to teach group nesting. The course uses IGDLA, instead of AGDLP: Identity, Global group, Domain Local group, Access. This new teaching device further emphasizes and aligns with industry-standard terminology. Identity is a key concept across Microsoft technologies. Access is an important concept in these and other technologies. Not all access is implemented with permissions. For example, user logon rights and privileges are types of access that are not implemented as permissions. Second, before teaching the “technical” implementation of a group strategy by using Active Directory group scopes and nesting, the module first emphasizes the purpose of groups and their role in allowing an organization to move towards role-based management. From a technical point of view, the end result is the same when managing resource access: user identities are nested into global groups, which are in turn nested into domain local groups that are given access to resources. But it is more important that students understand that groups in this model are serving two purposes: to identify users based on their roles (global groups, in this case), and to perform management tasks such as managing access to a resource (domain local groups, in this case). In other role-based management scenarios, covered later in this course, the same two-tiered concept applies, but different group scopes are used. If students focus on the concepts of role-based management, they will be better prepared to manage a variety of scenarios. Just as some organizations have not implemented IGDLA in a pure sense, many organizations will not implement role-based management in its purest form. 
The tiered nesting of groups becomes more important as the organization or the management scenario becomes more important. After the first two lessons of this module, students should have a solid understanding of both the concepts of role-based management and how to implement role-based management in a resource access management scenario. Students should also understand that the extent to which they adhere to role-based management (or IGDLA, for that matter) is a choice they can make for each management scenario. Although role-based management (or IGDLA) requires a bit more investment at the beginning to implement, it pays off as the environment changes and becomes more complex, because the group infrastructure is in place to manage change. In the real world, organizations both large and small have discovered the manageability benefits of role-based management. One very large insurance company (tens of thousands of users) implemented a quite pure, complex role-based management of access to shared folders and files, and found that support costs plummeted and backup times were reduced by 75%. A very large defense contractor implemented role-based management for Active Directory delegation and administrative rights, and then didn't have to touch the access control lists (ACLs) in Active Directory for several years. A large financial firm implemented role-based management to reduce the cost and effort related to compliance and auditing. Smaller organizations can benefit as much or more from role-based management implementations by using Active Directory groups as described in this module. In a smaller organization, it is typical that one user will play several roles, and that those roles will change as the organization grows in response to its environment. This is in stark contrast to larger organizations, in which roles are typically more narrowly defined and constant.
So although it may seem like a lot of extra work to set up a role group in a resource access management group when, in a small organization, only one user needs access to that resource, it is an investment that can pay off as roles change.
123
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Course 6425C Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane. Module 4: Managing Groups If you are unfamiliar with discussing role-based management, prepare for teaching this module by thoroughly understanding the in-depth content provided in the first lesson. In some ways, role-based management is just another way to talk about IGDLA, but there are subtle and important distinctions. The use of practical, real-world terminology rather than focusing on technicalities such as group scope provides significant value to students. You can read more about role-based management in the Windows® Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).
124
Module 4: Managing Groups
Course 6425C Module Overview Module 4: Managing Groups Overview of Groups Administer Groups Best Practices for Group Management Discuss the importance of using groups, and point out that in this course (depending on the modules you are delivering), groups will be used to: Manage access to network resources (this module). Identify administrative and user roles (throughout). Assign unique password policies. Assign user logon rights and privileges. Filter Group Policy. Delegate administrative permissions in Active Directory. And more. Groups are the management backbone of identity and access (IDA) because it simply is not manageable to assign permissions and other resources to each user, individually, in a good-sized organization.
125
Lesson 1: Overview of Groups
Course 6425C Lesson 1: Overview of Groups Module 4: Managing Groups Role-Based Management: Role Groups and Rule Groups Define Group Naming Conventions Group Type Group Scope Local Groups Domain Local Groups Global Groups Universal Groups Summary of Group Scope Possibilities Develop a Group Management Strategy Default Groups Special Identities -blank-
126
Role-Based Management: Role Groups and Rule Groups
Course 6425C Module 4: Managing Groups Objective: Explain and emphasize the importance of role-based management. To solve manageability and scalability problems in a real-world, dynamic environment, two types of groups are necessary: groups that define roles, and groups that define business rules, such as a resource access management rule about who can read the sales folders. Role groups are easily understood: They identify users based on characteristics such as job function or location. Rule groups represent a management task, in this case, the task of managing who can read the sales folders. As you can see with this example of resource access management, the rule group is assigned the appropriate permission to all resources (in this case, three separate shared folders). The ACL is clean and understandable. After the assignment of the ACL, all future management takes place in the membership of the rule group. If another group of users (role) requires the same access to the same resources, add the role group to the rule group. If an “exception” user, for example the CEO’s assistant, requires the same access to the same resources, add the user to the rule group. The focus of access management is once again on a single point of management: the rule group. After establishing the appropriate permission on the ACLs, you can manage access by managing the membership of the rule group. This reduces your management burden significantly. You can now: Add and remove users or groups to the rule group without touching ACLs and therefore without triggering folder-wide backup. Easily answer “Who can read the Sales folders?” by enumerating the membership of one group, ACL_Sales Folders_Read. Easily answer “What can Scott Bishop get to?” by enumerating the membership of the user. No need to examine every ACL on every server to audit what a user can get to. 
Points to consider and possibly to discuss: Point out the RBM “Three Rs”: Role, Rule, and Resource. What other types of “Resources” are there? Examples: Applications. You can use RBM to manage the deployment of an application to users. A rule group would control who receives the application. Roles and “exception” users would be nested into the rule group. Your application management technology (for example, Group Policy Software Installation or Microsoft System Center Configuration Manager) would use the group as a scope or collection for targeting deployment. Configuration. Perhaps you lock down desktops, but have a group (of administrators, for example) for whom the desktop is not locked down. A rule group would be used to filter the lockdown policy so that members of the rule group are allowed access. E-mail distribution lists. <<Continued>> (Slide diagram: Identity, Role Group, Rule Group, Resources; Access Management)
127
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Course 6425C Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane. Module 4: Managing Groups Point out that there will often be individual identities in a rule group. These identities are the “exception”—the rule applies to them even though they are not members of specified roles. If you start seeing too many users in a rule group, it indicates that those users might share a characteristic that should be used to define a new role. For this collection of resources (the “Sales Folders”) you would probably have at least two access management rule groups: ACL_Sales Folders_Read and ACL_Sales Folders_Edit, for example, or some other group that provides a higher level of write-enabled access. Do not digress into the “correct” permissions for Contribute, Edit, or Modify access levels. This course is not meant to teach NTFS permissions. The point is simply that, for each level of access that you do choose to implement on an ACL of a resource collection, you’ll create a rule group that allows you to manage access without having to touch the ACLs. Role-based management is not new or specific to Windows or Active Directory. It’s an industry-wide approach to managing, securing, and scaling a dynamic environment. Other Microsoft products emphasize role-based management directly. Active Directory and NTFS permissions are examples of technologies that are late to the game of role-based management, and that can benefit greatly from role-based management. The use of groups to achieve role-based management is the primary component of role-based management, but is not the only component of role-based management. An enterprise must also consider: Tools or processes that ensure the correct implementation of the rule. For example, you must ensure that the only group that has Read permission to the three sales folders is ACL_Sales Folders_Read. This can be done, first, by auditing the folders for any change to permissions. 
Second, a process can be implemented that provisions folders and prevents non-compliant changes to permissions. Auditing and reporting. Automated role management. For example, you might use a script or product to synchronize your human resources database with the role groups in Active Directory, so that when a user’s job is changed, the role groups are automatically updated. There are additional requirements. There are issues related to how many groups a user can belong to. These issues are detailed in the Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008). The issues relate to the token size (managed by the MaxTokenSize registry value), the way that SIDs are passed to web applications, and the maximum size of the Kerberos PAC. In the end, the Kerberos PAC is often the first “hard limit” that is reached: a user can belong to a maximum of 1,024 groups. See the Windows Administration Resource Kit for more details. You can assure students that many enterprises, including very large Fortune 100 organizations, are implementing role-based management successfully. So while there are issues that must be addressed, they can be resolved. Reference For more information about role-based management, see Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).
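The two audit questions in the slide notes (“Who can read the Sales folders?” and “What can Scott Bishop get to?”) and the overflow note's first control (ensuring that only ACL_Sales Folders_Read holds Read on the folders) can all be answered from the rule group model. The following script is an added example, not course material; the rule group name is from the slide, while the share paths on NYC-SVR1, the user's logon name and the NetBIOS domain name are constructed for the example.

```powershell
# Added example, not part of Course 6425C. Answers the two audit questions from
# the notes for a role/rule group model, and checks that the rule group is the
# only non-administrative principal granted access on the folders.
Import-Module ActiveDirectory

# Constructed sample values: the rule group name is from the slide, the
# folder paths and the user's logon name are invented for this example.
$RuleGroup    = 'ACL_Sales Folders_Read'
$SalesFolders = @('\\NYC-SVR1\Sales', '\\NYC-SVR1\SalesReports', '\\NYC-SVR1\SalesArchive')
$UserName     = 'Scott.Bishop'

# "Who can read the Sales folders?" -> flatten the rule group, nested role groups included
function Get-RuleGroupUsers {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}

# "What can Scott Bishop get to?" -> the user's effective group set comes from
# tokenGroups (transitive), so nested role memberships are included; keep only
# the groups whose names carry the rule-group prefix.
function Get-UserRuleGroups {
    param([string]$SamAccountName, [string]$Prefix = 'ACL_')
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    foreach ($sid in $user.tokenGroups) {
        $group = Get-ADGroup -Identity $sid.Value -ErrorAction SilentlyContinue
        if ($group -and $group.SamAccountName -like "$Prefix*") { $group.SamAccountName }
    }
}

# Detect drift: any Allow ACE that is not the rule group (or the platform's own
# administrative principals) means access is no longer managed through
# group membership alone and should be investigated.
function Test-RuleGroupIsSoleGrantee {
    param([string[]]$Paths, [string]$Group, [string]$NetBiosDomain = 'CONTOSO')
    $allowed = @("$NetBiosDomain\$Group", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    foreach ($path in $Paths) {
        $acl   = Get-Acl -Path $path
        $extra = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $allowed -notcontains $_.IdentityReference.Value
        })
        New-Object PSObject -Property @{
            Path       = $path
            Compliant  = ($extra.Count -eq 0)
            Unexpected = (($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
        }
    }
}

Get-RuleGroupUsers -Group $RuleGroup
Get-UserRuleGroups -SamAccountName $UserName
Test-RuleGroupIsSoleGrantee -Paths $SalesFolders -Group $RuleGroup | Format-Table Path, Compliant, Unexpected -AutoSize
```

Using tokenGroups rather than the direct memberOf list matters for the second question: a user who is in the Sales role group only appears in ACL_Sales Folders_Read transitively, and a direct-membership query would miss it.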
128
Define Group Naming Conventions
Course 6425C Define Group Naming Conventions Module 4: Managing Groups Name properties Group name: cn and name of group must be unique within OU Group name (pre-Windows 2000 Server): sAMAccountName of group must be unique in domain Use the same name (unique in the domain) for both properties Naming conventions Role groups: Simple, unique name, such as Sales or Consultants Management groups: For example, ACL_Sales Folders_Read Prefix: Management purpose of group, such as ACL Resource identifier: What is managed, such as Sales Folders Suffix: Access level, such as Read Delimiter: Separates name components, such as underscore (_) Objective: Enforce the value of naming conventions, set out the design guidelines for a solid naming convention, and provide examples of what a naming convention might look like. Consistent naming conventions are a tremendous step towards manageability. It doesn’t matter what specific naming convention is used, as long as one is used. However, the recommendations on the slide and in the Student handbook have been developed by working with numerous large clients and have proven to be very useful. After discussing naming conventions, you can optionally show students the Groups OU on NYC-DC1. Point out that groups are also organized into OUs that align with each group type. This makes groups easier to find, but more importantly, supports delegation. For example, the contoso.com domain might not allow administrators to modify the membership of Role groups. Instead, the membership of role groups might be driven automatically from definitions of user roles in the human resources database. Also point out the saved queries in D:\AdminTools\ADConsole.msc that give easy administrative access to different types of groups. You can also discuss how an organization might migrate to a more strategic naming convention. It is not necessary to start “from scratch.” Instead, an organization can define standards that will apply to all new groups moving forward. 
Over time, old groups can be renamed. An intermediate step can also include creating a new group with the correct naming standard, and then nesting old groups into the new group. Over time, the old groups can be removed, and their members can be added directly to the new groups. The bottom line is that a naming convention is very important, and that you don’t have to change your entire Active Directory overnight. Reference For more information about managing groups effectively, see Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).
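To make the convention enforceable rather than advisory, the checks below validate existing groups against the Prefix_ResourceIdentifier_Suffix pattern and against the rule that the name and the pre-Windows 2000 name (sAMAccountName) stay identical. This is an added example, not part of the course: ACL and Read are the values from the slide, while the additional prefixes and suffixes and the Rule OU path are assumed extensions of the same convention.

```powershell
# Added example, not part of Course 6425C. Validates group names against the
# Prefix_Resource_Suffix convention on the slide and flags groups whose
# pre-Windows 2000 name (sAMAccountName) differs from their name.
Import-Module ActiveDirectory

# 'ACL' and 'Read' come from the slide; the other prefixes and suffixes here are
# assumed extensions of the same convention, as is the OU path.
$RuleGroupPattern = '^(?<Prefix>ACL|APP|GPO)_(?<Resource>[^_]+)_(?<Suffix>Read|Edit|Modify|Full)$'
$RuleGroupOU      = 'OU=Rule,OU=Groups,DC=contoso,DC=com'

# Build a rule-group name from its components and refuse anything off-convention
function New-RuleGroupName {
    param([string]$Prefix, [string]$Resource, [string]$Suffix)
    $name = '{0}_{1}_{2}' -f $Prefix, $Resource, $Suffix
    if ($name -notmatch $RuleGroupPattern) {
        throw "'$name' does not follow the rule-group naming convention"
    }
    $name
}

# Audit every group under the rule-group OU and report the ones that need attention
function Test-RuleGroupNames {
    param([string]$SearchBase)
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties Description | ForEach-Object {
        $issues = @()
        if ($_.Name -notmatch $RuleGroupPattern) { $issues += 'name does not match Prefix_Resource_Suffix' }
        if ($_.Name -ne $_.SamAccountName)        { $issues += 'pre-Windows 2000 name differs from name' }
        if (-not $_.Description)                  { $issues += 'no description' }
        if ($issues.Count -gt 0) {
            New-Object PSObject -Property @{
                Name           = $_.Name
                SamAccountName = $_.SamAccountName
                Issues         = ($issues -join '; ')
            }
        }
    }
}

# The slide's own example name passes the convention check
New-RuleGroupName -Prefix ACL -Resource 'Sales Folders' -Suffix Read
Test-RuleGroupNames -SearchBase $RuleGroupOU | Format-Table Name, SamAccountName, Issues -AutoSize
```

The resource component deliberately allows spaces (the slide's example is ACL_Sales Folders_Read), so the delimiter alone carries the structure; the regex only forbids an extra underscore inside the resource identifier.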
129
Module 4: Managing Groups
Course 6425C Group Type Module 4: Managing Groups Distribution groups Used only with e-mail applications Not security-enabled (no SID); cannot be given permissions Objective: Understand distribution and security groups. You can use distribution groups to send e-mail messages to collections of users, but only with applications such as Microsoft® Exchange. Stress that distribution lists are not assigned a security identifier (SID), so they cannot be listed in discretionary access control lists (DACLs). You use security groups to assign rights and permissions to groups of users and computers. A security group is assigned a SID, which is used in the access check whenever a user who is a member of the security group tries to access a network resource. Note: You no longer need to discuss domain functional level and its impact on groups. Windows Server® does not support Windows 2000 Mixed domain functional level. In practice Many organizations use only security groups, because they can also be used for e-mail. Best practice, however, is to use a distribution group if the group does not require access to resources, to avoid bloat of the security token. Type can be changed. Security groups Security principal with a SID; can be given permissions Can also be e-mail enabled
130
Module 4: Managing Groups
Course 6425C Group Scope Module 4: Managing Groups Four group scopes Local Global Domain Local Universal Characteristics that distinguish each scope Replication: Where are the group and its membership stored? Membership: What types of objects, and from which domains, can be members of the group? Availability (Scope): Where can the group be used? In what scopes of groups can the group be a member? Can the group be added to an ACL? Objective: Present the list of group scopes and the characteristics that distinguish the scopes. This is a setup slide. Details for each scope are on the following slides. This slide sets up the list of four group scopes and the three defining characteristics of each scope. The next slides lay out the replication, membership, and availability (scope) of each group scope. The last slide in the sequence summarizes membership nesting possibilities. Depending on your audience and time constraints, you might want to move quickly through the individual group scope slides that follow, allowing them to be more of a reference for students than actively discussed slides. Even in this scenario, you should spend time on this slide, helping students understand what makes scopes different: replication, membership, and availability.
131
Module 4: Managing Groups
Course 6425C Local Groups Module 4: Managing Groups Replication Defined in the SAM database of a domain member or workgroup computer Membership not replicated to any other system Membership: Local group can include as members Any security principals from the domain: users (U), computers (C), global groups (GG), or domain local groups (DLG) U, C, GG from any domain in the forest U, C, GG from any trusted domain Universal groups (UG) defined in any domain in the forest Availability/scope Limited to the machine on which the group is defined; can be used for ACLs on the local machine only Cannot be a member of any other group Objective: Describe the purpose of Local Groups. Students may ask, “Why?,” to the statement, "We do not recommend creating custom local groups on domain members." In addition to local groups being unwieldy to create and manage (because you must connect to the server), there is no redundancy with local groups, unlike domain local groups, which are replicated to all domain controllers. If a machine must be rebuilt and the resources can be retrieved from disk, permissions granted to domain local groups will continue to function. Permissions granted to local groups will be lost. Local groups are a single point of failure. There are limited scenarios in which local groups make sense, but they are truly limited. If you want to discuss such scenarios, draw from your own experience and the experience of your students.
132
Module 4: Managing Groups
Course 6425C Domain Local Groups Module 4: Managing Groups Replication Defined in the domain naming context Group and membership replicated to every DC in domain Membership: Domain local group can include as members Any security principals from the domain: U, C, GG, DLG U, C, GG from any domain in the forest U, C, GG from any trusted domain UG defined in any domain in the forest Availability/scope Can be on ACLs on any resource on any domain member Can be a member of other domain local groups or of machine local groups Well-suited for defining business management rules Objective: Describe the purpose of domain local groups. Note: You no longer need to discuss domain functional level and its impact on group nesting. Windows Server 2008 does not support Windows 2000 Mixed domain functional level.
133
Module 4: Managing Groups
Course 6425C Global Groups Module 4: Managing Groups Replication Defined in the domain naming context Group and membership is replicated to every DC in domain Membership: Global group can include as members Only security principals from the same domain: U, C, GG, DLG Availability/scope Available for use by all domain members, all other domains in the forest, and all trusting external domains Can be on ACLs on any resource on any computer in any of those domains Can be a member of any DLG or UG in the forest, and of any DLG in a trusting external domain Well-suited for defining roles Objective: Describe the purpose of global groups. Note: You no longer need to discuss domain functional level and its impact on groups. Windows Server does not support Windows 2000 Mixed domain functional level.
134
Module 4: Managing Groups
Course 6425C Universal Groups Module 4: Managing Groups Replication Defined in a single domain in the forest Replicated to the global catalog (forest-wide) Membership: Universal group can include as members U, C, GG, and UG from any domain in the forest Availability/scope Available to every domain and domain member in the forest Can be on ACLs on any resource on any system in the forest Can be a member of other UGs or DLGs anywhere in the forest Useful in multidomain forests Defining roles that include members from multiple domains Defining business management rules that manage resources in multiple domains in the forest Objective: Describe the purpose of universal groups. Note: You no longer need to discuss domain functional level and its impact on the availability of universal groups. Windows Server 2008 does not support Windows 2000 Mixed domain functional level. A later module covers global catalog in detail. Try to avoid extensive discussion of global catalog and focus on the fact that the definition of the universal group is forest-wide.
135
Summary of Group Scope Possibilities
Course 6425C Summary of Group Scope Possibilities Module 4: Managing Groups Group Scope Members from Same Domain Members from Domain in Same Forest Members from Trusted External Domain Can be Assigned Permissions to Resources Local U, C, GG, DLG, UG and local users GG, UG GG On the local computer only Domain Local GG, DLG, UG Anywhere in the domain Universal N/A Anywhere in the forest Global Anywhere in the domain or a trusted domain Objective: Enforce the replication scope and membership characteristics of each group scope. Use the table to describe group scopes. Consider drawing a diagram with several domains that shows where groups can be created and the implications of each group scope. Question: What types of objects can be members of a global group in a domain? Answer: Global groups can contain only users and other global groups from the same domain. U User C Computer GG Global Group DLG Domain Local Group UG Universal Group
136
Develop a Group Management Strategy
Course 6425C Develop a Group Management Strategy Module 4: Managing Groups Identities (users or computers) are members of Global groups that collect members based on those members' roles, which are members of Domain Local groups that provide management of some kind, such as management of resource access which are Assigned Access to a resource (for example, on an ACL) Multidomain forest: IGUDLA Objective: The module began with role-based management (business requirements), then looked at the technical characteristics of Active Directory groups. Now you bring the two together and summarize how group management in Active Directory (IGDLA) provides role-based management. Note: The course uses IGDLA instead of AGDLP to further emphasize and align with industry-standard terminology. Identity is a key concept across Microsoft technologies. Access is an important concept in these technologies. Not all access is implemented with permissions. For example, user logon rights and privileges are types of access that are not implemented as permissions. This topic wraps up the discussion of role-based management, group scope, group membership, and nesting possibilities. Share the IGDLA acronym with students and draw the close relationship between IGDLA and role-based management. IGDLA is how Windows implements the “Three Rs” of role-based management. The slide also illustrates how role-based management, implemented with IGDLA, scales well to incorporate roles defined in trusted domains. The scenario shown on the slide is described in the Student Handbook. Emphasize to the students that certification exams tend to include questions that address both the possible membership strategies and best practice membership strategies (IGDLA). The last bullet point, IGUDLA, allows you to take the discussion to options for group management strategy in a multidomain forest. 
From a nesting perspective, global groups from any domain in the forest can be members of universal groups, and universal groups can be members of any domain local groups in the forest. This is important to remember for the certification exams. However, as mentioned on the earlier slide about universal groups, universal groups can serve as both forestwide role definitions and forestwide management groups, so in many cases the universal group will replace the global group, the domain local group, or both, leading to IUA, IGUA, or IUDLA.
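The IGDLA chain summarized on this slide, and the role/rule model it implements, can be provisioned end to end from the Active Directory module. The script below is an added example, not part of the course: the Groups\Role OU and the rule group name ACL_Sales Folders_Read appear in the course, while the Rule OU, the folder path, the role members and the exception user are constructed for the example.

```powershell
# Added example, not part of Course 6425C. Builds the slide's IGDLA chain:
# Identities -> Global role groups -> Domain Local rule group -> Access on an ACL.
Import-Module ActiveDirectory

# The Groups\Role OU is used in the course demo; the Rule OU, the folder path,
# the role members and the exception user are constructed for this example.
$RoleOU      = 'OU=Role,OU=Groups,DC=contoso,DC=com'
$RuleOU      = 'OU=Rule,OU=Groups,DC=contoso,DC=com'
$Folder      = 'D:\Data\Sales'
$NetBios     = 'CONTOSO'
$RuleGroup   = 'ACL_Sales Folders_Read'
$RoleMembers = @{ 'Sales' = @('Scott.Bishop'); 'Consultants' = @() }   # role -> constructed user logons
$Exceptions  = @('CEO.Assistant')                                        # individual identities in the rule group

# Create a security group once; Name and sAMAccountName are kept identical
function New-ADGroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Path, [string]$Description)
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope -GroupCategory Security `
                -Path $Path -Description $Description -PassThru
}

# I -> G: roles are Global security groups that collect user identities
foreach ($role in @($RoleMembers.Keys)) {
    $roleGroup = New-ADGroupIfMissing -Name $role -Scope Global -Path $RoleOU -Description "Role: $role"
    if ($RoleMembers[$role].Count -gt 0) {
        Add-ADGroupMember -Identity $roleGroup -Members $RoleMembers[$role]
    }
}

# G -> DL: the rule group is Domain Local and holds the roles plus exception users
$ruleGroupObj = New-ADGroupIfMissing -Name $RuleGroup -Scope DomainLocal -Path $RuleOU `
                                     -Description 'Read access to the Sales folders'
Add-ADGroupMember -Identity $ruleGroupObj -Members (@($RoleMembers.Keys) + $Exceptions)

# DL -> A: only the rule group is placed on the resource ACL. From here on,
# access changes are membership changes, so the ACL (and the folder backup) stays untouched.
$acl = Get-Acl -Path $Folder
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
           "$NetBios\$RuleGroup", 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($ace)
Set-Acl -Path $Folder -AclObject $acl
```

Run it on the file server (or against a UNC path) with an account that can both create groups in the two OUs and modify the folder's ACL. In a multidomain forest the same script implements IGUDLA by inserting a Universal group between the role groups and the rule group, which the last bullet on the slide describes.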
137
Module 4: Managing Groups
Course 6425C Default Groups Module 4: Managing Groups Default local groups in the BUILTIN and Users containers Enterprise Admins, Schema Admins, Administrators, Domain Admins, Server Operators, Account Operators, Backup Operators, Print Operators Reference to their rights and privileges in Student Handbook Issues with these groups Highly overdelegated Account Operators, for example, can log on to a domain controller Protected Users who are members of these groups become protected and are not unprotected when removed Best practice: Keep these groups empty and create custom groups with the rights and privileges you require Objective: Describe the purpose of default groups. Keep the default (Builtin) groups empty, except for Administrators and Domain Admins, which should be tightly controlled. Discuss protection and AdminSDHolder. Many built-in groups are assigned a set of user rights automatically. These rights determine what each group and their members can do within a domain’s or forest’s scope. User rights authorize members of a group to perform specific actions, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all of the domain’s controllers. The best practice is to create custom groups with the specific rights and permissions you require, and not to use the overdelegated built-in groups. This also helps you avoid AdminSDHolder problems. Discuss AdminSDHolder to an extent that is appropriate for your audience. References For more information about protected accounts, see: Knowledge Base article at Knowledge Base article at If you want to search the Internet for resources, use the keyword, adminSDHolder. Microsoft TechNet provides an exhaustive reference to the default groups in a domain and to the default local groups. 
For reference information about local and domain groups, go to For reference information about default local groups, go to Default groups Windows Server 2008 Future Resources
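The protection behaviour on the slide (accounts placed in these groups are protected by AdminSDHolder and stay protected after removal) leaves a detectable trace: the adminCount attribute remains 1 and ACL inheritance remains disabled. The following script is an added example, not part of the course, that reports current membership of the protected groups named on the slide, finds accounts with orphaned protection, and offers a remediation step. The group list is the one on the slide; the Administrator and krbtgt exclusions are accounts that AdminSDHolder protects directly.

```powershell
# Added example, not part of Course 6425C. Reports who sits in the protected
# default groups and finds accounts that are still "protected" (adminCount=1)
# after being removed from them, which is the behaviour the slide warns about.
Import-Module ActiveDirectory

# Groups named on the slide as protected by AdminSDHolder
$ProtectedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                     'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators')

function Get-ProtectedGroupMembers {
    foreach ($name in $ProtectedGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            New-Object PSObject -Property @{ Group = $name; Member = $_.SamAccountName; Class = $_.objectClass }
        }
    }
}

function Get-OrphanedProtectedAccounts {
    # Users still carrying adminCount=1 although no protected group contains them.
    # Administrator and krbtgt are protected directly by AdminSDHolder, so they are excluded.
    $stillProtected = @(Get-ProtectedGroupMembers | ForEach-Object { $_.Member })
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object {
            $stillProtected -notcontains $_.SamAccountName -and
            @('Administrator', 'krbtgt') -notcontains $_.SamAccountName
        }
}

function Repair-OrphanedProtectedAccount {
    # Clear the flag and re-enable ACL inheritance so delegated permissions apply again
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$User)
    process {
        Set-ADUser -Identity $User.DistinguishedName -Clear adminCount
        $path = 'AD:\' + $User.DistinguishedName
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)   # $false = inherit from the parent container again
        Set-Acl -Path $path -AclObject $acl
    }
}

Get-ProtectedGroupMembers      | Format-Table Group, Member, Class -AutoSize
Get-OrphanedProtectedAccounts  | Format-Table SamAccountName, DistinguishedName -AutoSize
# After reviewing the report: Get-OrphanedProtectedAccounts | Repair-OrphanedProtectedAccount
```

The membership report is the practical test of the slide's best practice (the default groups should be nearly empty), and the orphan report explains the "not unprotected when removed" bullet: until adminCount is cleared and inheritance restored, delegated administrators cannot manage those accounts even though they no longer hold any privileged membership.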
138
Module 4: Managing Groups
Course 6425C Special Identities Module 4: Managing Groups Membership is controlled by Windows: Cannot be viewed, edited, or added to other groups Can be used on ACLs Examples Anonymous Logon: Represents connections to a computer without a user name and password Authenticated Users: Represents identities that have been authenticated, but does not include the Guest identity Everyone: Includes Authenticated Users and Guest (but not Anonymous Logon by default in Windows Server 2003/2008) Interactive: Users logged on locally or with Remote Desktop Network: Users accessing a resource over the network Objective: Describe the purpose of special Identities. Users become members of special identities simply by interacting with the operating system. For example, when users log on locally to a computer, they become members of the Interactive group. Because these groups are created by default, you can grant user rights and permissions to these special groups, but you cannot modify or view their memberships. Additionally, group scopes do not apply to special groups. Reference Special identities
139
Lesson 2: Administer Groups
Course 6425C Lesson 2: Administer Groups Module 4: Managing Groups Tools for Group Management Demonstration: Create a Group Object Manage Group Membership Convert Group Type and Scope Copy Group Membership Delete Groups -blank-
140
Tools for Group Management
Course 6425C Tools for Group Management Module 4: Managing Groups To create and manage groups in AD DS, you can use: Active Directory Users and Computers GUI-based console for management of Active Directory objects Active Directory Administrative Center (R2 only) New GUI-based console built on PowerShell Windows PowerShell with Active Directory Module (R2 only) New command-line based tool DS commands Old command-line based tools
141
Demonstration: Create a Group Object
Course 6425C Demonstration: Create a Group Object Module 4: Managing Groups In this demonstration, you will learn: How to create a group by using Active Directory Users and Computers How to configure group properties How to change group scope by using Windows PowerShell with Active Directory Module Objective: Keep this very basic. Familiarize students with the user interfaces that are used to create and modify groups so that, as you continue with this module and its demos, students don’t have to pay attention to the UI and can focus on more important information. The focus of this slide is: 1. To teach basic object creation steps. 2. To emphasize the importance of configuring properties after creating the object. Do not get caught up in any details about group objects, including group type and group scope. These will be covered in depth later in this module. The detailed procedure and information in the Student Handbook related to group type and scope is intended to provide simple answers to any questions that might arise as students see those options in the interface. The guidance is high-level and generalized, though generally accurate. However, we recommend that you encourage students to wait until the appropriate topics later in this module for detailed answers to their questions. Note: You require the 6425C-NYC-DC1 virtual machine to complete this demonstration. Log on to the virtual machine as Contoso\Administrator with the password of Pa$$w0rd. Create a group by using Active Directory Users and Computers 1. Open the Active Directory Users and Computers snap-in. 2. In the console tree, expand the node that represents your domain, such as contoso.com, and navigate to the OU or container (such as Users) in which you want to create the group. For the purpose of this demo, use the Groups\Role OU. 3. Right-click the Role OU, point to New, and then click Group. The New Object - Group dialog box appears. 4. Type the name of the new group in the Group name box.
For the purpose of this demonstration, type ITConsultants for the name of the group. Most organizations have naming conventions that specify how group names should be created. Be sure to follow the guidelines of your organization. By default, the name you type is also entered as the Group name (pre-Windows® 2000). It is highly recommended that you keep the two names the same. 5. Do not change the name in the Group name (pre-Windows 2000) box.
6. Choose the Group type. A Security group is a group that can be given permissions to resources; it can also be used as an e-mail distribution list. A Distribution group is an e-mail-enabled group that cannot be given permissions to resources, so it is used only when the group is a distribution list that will never need access to resources. For this demo, click Security.
7. Select the Group scope. A Global group is typically used to identify users based on criteria such as job function or location. A Domain local group is used to collect users and groups who share similar resource access needs, such as all users who need to be able to modify a project report. A Universal group is typically used to collect users and groups from multiple domains. For this demo, click Global.
8. Click OK.

Group objects have a number of properties that are useful to configure. These can be specified after the object has been created.

Configure group properties
1. Right-click the ITConsultants group, and then click Properties.
2. Enter the properties for the group. Be sure to follow the naming conventions and other standards of your organization. The group's Members and Member Of tabs specify who belongs to the group and what groups the group itself belongs to. The group's Description field, because it is easily visible in the details pane of the Active Directory Users and Computers snap-in, is a good place to summarize the purpose of the group and the contact information for the individual(s) responsible for deciding who is and is not a member of the group. The group's Notes field can be used to provide more detail about the group. The Managed By tab can be used to link to the user or group that is responsible for the group. The contact information on the Managed By tab is populated from the account specified in the Name box.
The Managed By tab is typically used for contact information so that, if a user wants to join the group, you can see who in the business should be contacted to authorize the new member. However, if you select the Manager can update membership list option, the account specified in the Name box is given permission to add and remove members of the group. This is one method to delegate administrative control over the group. To change the user or group that is referred to on the Managed By tab, click the Change button underneath the Name box. By default, the Select User, Contact, or Group dialog box that appears does not, despite its name, search for groups. To search for groups, you must first click the Object Types button and select Groups.
3. Click OK.
Change group scope by using Windows PowerShell with the Active Directory Module
Open Windows PowerShell with Active Directory Module from Administrative Tools on the Start menu. Be sure to run it as administrator. At the prompt, type the following command, and then press Enter:
Set-ADGroup -Identity ITConsultants -GroupScope Universal
Open the Active Directory Users and Computers console and check that the group scope has changed from Global to Universal.
Reference: Create a New Group
Manage Group Membership
Methods:
The group's Members tab (Add/Remove)
The member's Member Of tab (Add/Remove)
The member's Add to a group command (Add)
Whichever method you use, you are always changing the group's member attribute; memberOf on the member is a back link attribute that Active Directory updates for you.
Changes to membership do not take effect immediately:
They require a logon (for a user) or a startup (for a computer), because the access token is built with the SIDs of the member groups at those times.
Account for replication of the membership change to the domain controller that authenticates the user or computer.
Tip: Change group membership on a DC in the user's site.

Objective: Expose students to all of the ways that group membership can be managed. The slide discusses skills and concepts related to managing group membership.

User interface methods for managing group membership: It is likely that many of your students will have already used most or all of the methods described on the slide, so you can simply remind students that there are at least three ways to manage group membership in the Active Directory Users and Computers snap-in. Information in the Student Handbook details the behavior of the Select dialog boxes. The Select dialog boxes were covered in another module in this course. If you did not deliver that module, it is worth demonstrating the behavior of the Select dialog box to point out some of the useful tips, tricks, and nuances of the interface. Other methods for changing group membership, including DSMod and LDIFDE, are covered in the next lesson.

The member and memberOf attributes: It is useful for students to understand the internal workings of the forward link and back link attributes, member and memberOf. First, it is a deep, "internal" bit of information that will be interesting to more advanced students who are probably already familiar with the methods for managing group membership. Second, it may help students understand that although they may have full control over a user object, they won't be able to change the user's Member Of tab if they don't have permission to the group object, because the write always goes to the group's member attribute.

Helping membership take effect quickly: It is critical that new students know that users must log off and log on again for a group membership change to take effect. For more experienced students, you can share the tip of making group membership changes on a domain controller in the user's site, so that the change does not have to replicate before the user's next logon picks it up. Demonstrate how to change the domain controller to which the Active Directory Users and Computers snap-in is connected.
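The following is an added example, not part of the course notes or the Student Handbook, showing the tip above in script form with the Active Directory module: it locates a writable domain controller in the site the user logs on in, makes the membership change on that DC, and then reads both sides of the link back from the same DC to show that only the group's member attribute was written while memberOf on the user was filled in by the directory. The site name, group and user names are assumptions for the lab domain.

```powershell
# Added example (not from the course). Assumes the ActiveDirectory module (RSAT)
# and the contoso.com lab domain; site, group and user names are assumptions.
Import-Module ActiveDirectory

function Add-GroupMemberNearUser {
    param(
        [Parameter(Mandatory)][string]$Group,     # sAMAccountName or DN of the group
        [Parameter(Mandatory)][string]$User,      # sAMAccountName of the member
        [Parameter(Mandatory)][string]$SiteName   # AD site the user logs on in (known to the admin)
    )
    # Find a writable DC in the user's site that also runs ADWS (required by the AD module).
    $dc     = Get-ADDomainController -Discover -SiteName $SiteName -Service ADWS -Writable
    $server = [string]($dc.HostName | Select-Object -First 1)

    # Only the group's member attribute is written. memberOf on the user is a back
    # link that the DC maintains; we never touch the user object.
    Add-ADGroupMember -Identity $Group -Members $User -Server $server

    # Read both ends of the link from the same DC so replication is not a factor.
    $g = Get-ADGroup -Identity $Group -Properties member   -Server $server
    $u = Get-ADUser  -Identity $User  -Properties memberOf -Server $server
    [pscustomobject]@{
        DomainController = $server
        InGroupMember    = $g.member   -contains $u.DistinguishedName   # forward link
        InUserMemberOf   = $u.memberOf -contains $g.DistinguishedName   # back link
    }
}

# The user's access token only picks up the new group SID at the next logon;
# until then 'whoami /groups' on the user's computer will not list it.
Add-GroupMemberNearUser -Group 'ITConsultants' -User 'Pat.Coleman' -SiteName 'Default-First-Site-Name'
```

Both flags come back true on the DC that was written to; a DC in another site reports them only after replication, which is exactly why targeting the user's site shortens the wait before the next logon.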
Convert Group Type and Scope
In Active Directory Users and Computers, you can change group type:
Security to distribution (permissions assigned to the group stop applying)
Distribution to security
In Active Directory Users and Computers, you can change the group scope:
Global to universal
Domain local to universal
Universal to global
Universal to domain local
You cannot change DL -> G or G -> DL directly, but you can change DL -> U -> G or G -> U -> DL.
The change is prevented if current memberships would be invalid for the new scope: fix them, then retry.
dsmod group GroupDN -secgrp { yes | no } -scope { l | g | u }

Objective: Group scope can be changed in any direction at any time, as long as the group's membership doesn't break the nesting rules. Explain to the students that both the group type and the group scope can be changed. The Active Directory Users and Computers snap-in or the DSMod command can be used. Highlight the requirements and restrictions of changing group type or scope. If a group is changed from a security group to a distribution group, it loses its SID. Therefore, any permissions assigned to the group are no longer valid. Even if you change the group back to a security group, at which point the group is assigned a new SID, the permissions previously assigned to the old SID will not apply. Furthermore, you will not be able to change group scope if membership rules would be violated. For example, if a global group is a member of another global group, you cannot change the first group to either universal or domain local scope, because neither universal nor domain local groups can be members of a global group. Likewise, a domain local group that contains other domain local groups cannot be changed to universal, and a universal group that contains universal groups cannot be changed to global. Membership rule violations must be identified and rectified before the scope can be changed.
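As an added example that is not part of the course material, the function below performs the two-hop conversion described above (Global to Domain local via Universal, or the reverse) with Set-ADGroup, and when the directory rejects a hop because of a nesting violation it lists the group's parents and nested groups with their scopes so the offending membership can be fixed before retrying. The group name in the usage line is the one from the demonstration; everything else is an assumption.

```powershell
# Added example (not from the course). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Convert-GroupScope {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global','DomainLocal','Universal')][string]$TargetScope
    )
    $group = Get-ADGroup -Identity $Identity -Properties memberOf, member
    if ($group.GroupScope -eq $TargetScope) { return $group.GroupScope }

    # Global <-> DomainLocal is not a supported direct change; detour through Universal.
    $path = if ($TargetScope -ne 'Universal' -and $group.GroupScope -ne 'Universal') {
        @('Universal', $TargetScope)
    } else {
        @($TargetScope)
    }

    foreach ($hop in $path) {
        try {
            Set-ADGroup -Identity $group.DistinguishedName -GroupScope $hop -ErrorAction Stop
        } catch {
            $err = $_
            # The directory refuses a scope that the current memberships would violate.
            # Report the memberships in both directions, with scopes, so they can be fixed.
            $parents = @($group.memberOf | ForEach-Object { Get-ADGroup -Identity $_ } |
                         ForEach-Object { "$($_.Name) [$($_.GroupScope)]" })
            $nested  = @($group.member | ForEach-Object { Get-ADObject -Identity $_ } |
                         Where-Object { $_.ObjectClass -eq 'group' } |
                         ForEach-Object { $x = Get-ADGroup -Identity $_; "$($x.Name) [$($x.GroupScope)]" })
            throw ("Cannot change $($group.Name) to ${hop}: $($err.Exception.Message)`n" +
                   "Member of: $($parents -join ', ')`n" +
                   "Nested groups: $($nested -join ', ')")
        }
    }
    (Get-ADGroup -Identity $group.DistinguishedName).GroupScope
}

# Global -> DomainLocal is carried out as Global -> Universal -> DomainLocal.
Convert-GroupScope -Identity 'ITConsultants' -TargetScope 'DomainLocal'
```

If the first hop succeeds and the second is rejected, the group is left with Universal scope; read the thrown message, fix the listed membership, and run the function again to finish the conversion.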
Copy Group Membership
Copy members from one group to another:
dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" -members | dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -addmbr
Copy memberships of one user to another:
dsget user "SourceUserDN" -memberof | dsmod group -addmbr "TargetUserDN"

Objective: DSGet and DSMod can copy group membership. Point out the creative use of piping to copy members (retrieved by DSGet) to another group (using DSMod). In the first example, the list of DNs produced by DSGet is substituting for the "missing" member DNs after the -addmbr switch. In the second example, the group DNs produced by DSGet are substituting for the GroupDN missing after dsmod group, so the target user is added to each group the source user belongs to.
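The same two copies with the Active Directory module, as an added example that is not part of the course: direct members only in both directions (the equivalent of dsget -members and dsget -memberof without expansion), skipping memberships the target already has so the script can be re-run safely. The group and user names are the ones used in the lab scenario.

```powershell
# Added example (not from the course). Assumes the ActiveDirectory module;
# 'Sales', 'Marketing', 'Pat.Coleman' and 'Bobby.Moore' are the lab's names.
Import-Module ActiveDirectory

# Copy the direct members of one group into another. Returns how many were added.
function Copy-ADGroupMembers {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Target)
    $have = (Get-ADGroup -Identity $Target -Properties member).member
    $new  = @((Get-ADGroup -Identity $Source -Properties member).member |
              Where-Object { $have -notcontains $_ })
    if ($new.Count) { Add-ADGroupMember -Identity $Target -Members $new }
    $new.Count
}

# Give one user the direct group memberships of another. Returns how many groups were added.
function Copy-ADUserMemberships {
    param([Parameter(Mandatory)][string]$SourceUser, [Parameter(Mandatory)][string]$TargetUser)
    $src = Get-ADUser -Identity $SourceUser -Properties memberOf
    $dst = Get-ADUser -Identity $TargetUser -Properties memberOf
    # memberOf never lists the primary group (Domain Users), so it is not copied here.
    $groups = @($src.memberOf | Where-Object { $dst.memberOf -notcontains $_ })
    foreach ($g in $groups) {
        Add-ADGroupMember -Identity $g -Members $dst.DistinguishedName
    }
    $groups.Count
}

Copy-ADGroupMembers    -Source 'Sales'          -Target 'Marketing'
Copy-ADUserMemberships -SourceUser 'Pat.Coleman' -TargetUser 'Bobby.Moore'
```

Copying a user's memberships is a quick way to onboard a colleague, but it also copies every permission the source user has accumulated over time; review the list the function adds against the target user's actual role rather than cloning blindly.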
Delete Groups
Active Directory Users and Computers: Right-click, Delete
DSRm command: dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]
-noprompt prevents prompting to confirm each deletion
-c continues if an error occurs (such as access denied)
-subtree deletes the object and all child objects
-subtree -exclude deletes all child objects but not the object itself
Deleting a security group has significant impact: its SID is lost and cannot be re-established by re-creating the group, so ACEs that referred to the group remain in ACLs as unresolvable "Account Unknown" entries.
Tip: First, record all members and then remove all members for a test period, to evaluate any unintended side effects before you delete the group.

Objective: Delete groups. Emphasize the significance of deleting a group.
Example: dsrm "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com"
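The tip above as a three-step script, added here as an example that is not part of the course: record the group's SID (the one thing you cannot get back), its direct members and its description to a file, empty the group and mark it as suspended for the test period, and then either restore the members from the record or delete the group, clearing accidental-deletion protection first if it was set. The record path and the way the suspension is marked in the Description are assumptions.

```powershell
# Added example (not from the course). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Step 1: record SID, scope, category, description and direct members, then empty the group.
function Suspend-ADGroupForDeletion {
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$RecordPath)
    $g = Get-ADGroup -Identity $Identity -Properties member, Description
    $record = [pscustomobject]@{
        Name        = $g.Name
        DN          = $g.DistinguishedName
        SID         = $g.SID.Value          # lost on deletion; re-creating the group gives a new one
        Scope       = $g.GroupScope
        Category    = $g.GroupCategory
        Description = $g.Description
        Members     = @($g.member)          # direct members only, like the Members tab
    }
    $record | ConvertTo-Json -Depth 3 | Set-Content -Path $RecordPath
    if ($g.member) { Remove-ADGroupMember -Identity $g -Members $g.member -Confirm:$false }
    # Marker (assumed convention) so other admins can see why the group is empty.
    Set-ADGroup -Identity $g -Description "SUSPENDED $(Get-Date -Format s) pending deletion; record: $RecordPath"
    $record
}

# Step 2a: something broke during the test period, put the members back.
function Restore-ADGroupMembers {
    param([Parameter(Mandatory)][string]$RecordPath)
    $r = Get-Content -Path $RecordPath -Raw | ConvertFrom-Json
    if ($r.Members) { Add-ADGroupMember -Identity $r.DN -Members $r.Members }
    Set-ADGroup -Identity $r.DN -Description $r.Description
}

# Step 2b: nothing broke, delete the group (lifting accidental-deletion protection if present).
function Remove-SuspendedADGroup {
    param([Parameter(Mandatory)][string]$RecordPath)
    $dn = (Get-Content -Path $RecordPath -Raw | ConvertFrom-Json).DN
    $g  = Get-ADGroup -Identity $dn -Properties ProtectedFromAccidentalDeletion
    if ($g.ProtectedFromAccidentalDeletion) {
        Set-ADObject -Identity $g -ProtectedFromAccidentalDeletion $false
    }
    Remove-ADGroup -Identity $g -Confirm:$false
}

Suspend-ADGroupForDeletion -Identity 'Public Relations' -RecordPath 'C:\Temp\PublicRelations.json'
# ... test period ...
# Restore-ADGroupMembers  -RecordPath 'C:\Temp\PublicRelations.json'
# Remove-SuspendedADGroup -RecordPath 'C:\Temp\PublicRelations.json'
```

Keep the JSON record after the deletion as well: the SID in it is what you will need to recognise the "Account Unknown" ACEs that the group leaves behind in resource ACLs.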
Lab A: Administer Groups
Course 6425C Lab A: Administer Groups Module 4: Managing Groups Exercise 1: Implement Role-Based Management by Using Groups Exercise 2 (Advanced Optional): Explore Group Membership Reporting Tools Exercise 3 (Advanced Optional): Understand "Account Unknown" Permissions This lab is designed to provide a comprehensive experience with both user-interface and command-line tools for managing Active Directory groups. Share best practice guidance related to the business use of groups for enterprise management. Scenario To improve the manageability of resource access at Contoso, Ltd., you have decided to implement role-based management. The first application of role-based management will be to manage who can access the folders containing sales information. You must create groups that manage access to that sensitive information. Business rules are that Sales and Marketing employees, and a team of Consultants, should be able to read the Sales folders. Additionally, Bobby Moore requires Read access. Finally, you have been asked to discover a way to produce a list of group members, including those who are in nested groups; and a list of a user's group membership, including indirect or nested membership. Exercise 1 In this exercise, students will implement role-based management by using groups. Exercise 2 In this exercise, students will explore group membership reporting tools. Exercise 3 In this exercise, students will explore the usage of “Account Unknown” permissions. Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise. Logon information Virtual machine 6425C-NYC-DC1 Logon user name Pat.Coleman Administrative user name Pat.Coleman_Admin Password Pa$$w0rd Estimated time: 25 minutes
Lab Review
Describe the purpose of global groups in terms of role-based management. What types of objects can be members of global groups?
Describe the purpose of domain local groups in terms of role-based management of resource access. What types of objects can be members of domain local groups?
If you have implemented role-based management and are asked to report who can read the Sales folders, what command would you use to do so?

Lab Review: Use the questions on the slide to guide the debriefing after students have completed the lab exercises.
Question: Describe the purpose of global groups in terms of role-based management.
Answer: Global groups are generally used to define roles.
Question: What types of objects can be members of global groups?
Answer: Global groups can include as members users and other roles (global groups) from the same domain.
Question: Describe the purpose of domain local groups in terms of role-based management of resource access.
Answer: Domain local groups are generally used to define a scope of management, such as managing a level of access to a resource.
Question: What types of objects can be members of domain local groups?
Answer: Domain local groups can contain roles (global groups) and individual users from any trusted domain in the same forest or an external forest, and other domain local groups from the same domain. Finally, domain local groups can contain universal groups from anywhere in the forest.
Question: If you have implemented role-based management and are asked to report who can read the Sales folders, what command would you use to do so?
Answer: You would use the DSGet command on the group that grants Read access, expanding nested membership so that users who belong through role groups are included.
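Both reports the lab scenario asks for, as an added example that is not part of the course or its lab answer key, using the Active Directory module instead of DSGet: every principal that ends up in a group through any depth of nesting (the same result as dsget group -members -expand), and every group a user belongs to directly or indirectly, read from the tokenGroups attribute, which is the DC-computed list of group SIDs that will be in the user's token and therefore also covers domain local groups. The group name ACL_Sales_Read is an assumption following the course's prefix convention.

```powershell
# Added example (not from the course). Assumes the ActiveDirectory module;
# 'ACL_Sales_Read' is an assumed group name, 'Bobby.Moore' is the lab's user.
Import-Module ActiveDirectory

# Who can read the Sales folders: expand nesting to any depth.
function Get-EffectiveGroupMembers {
    param([Parameter(Mandatory)][string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object Name, SamAccountName, objectClass, distinguishedName
}

# Every group whose SID the user's logon token will carry, including groups
# reached only through nesting and domain local groups of this domain.
function Get-EffectiveUserGroups {
    param([Parameter(Mandatory)][string]$User)
    $u = Get-ADUser -Identity $User -Properties tokenGroups
    foreach ($sid in $u.tokenGroups) {
        $g = Get-ADGroup -Identity $sid.Value -ErrorAction SilentlyContinue
        if ($g) {
            [pscustomobject]@{ Name = $g.Name; Scope = $g.GroupScope; SID = $sid.Value }
        } else {
            # A SID that no longer resolves: a deleted group, or one from another domain.
            [pscustomobject]@{ Name = '(unresolved)'; Scope = $null; SID = $sid.Value }
        }
    }
}

Get-EffectiveGroupMembers -Group 'ACL_Sales_Read' | Format-Table -AutoSize
Get-EffectiveUserGroups   -User  'Bobby.Moore'    | Format-Table -AutoSize
```

The second function is the one to prefer when the question is "what will the server see": it reports what the directory will actually put in the token rather than walking memberOf links yourself, and it surfaces unresolved SIDs that a membership walk would silently skip.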
Lesson 3: Best Practices for Group Management
Best Practices for Documenting Groups
Protect Groups from Accidental Deletion
Delegate Membership Management with the Managed By Tab
Best Practices for Documenting Groups
Course 6425C Best Practices for Documenting Groups Module 4: Managing Groups Why document groups? Easier to find them when you need them Easier to understand how and when to use a group Establish and adhere to a strict naming convention Prefix, for example, helps distinguish APP_Budget from ACL_Budget_Edit Prefix helps you find the group in the Select dialog box Summarize a group's purpose with its description Appears in Active Directory Users and Computers details pane Detail a group's purpose in its Notes field Objective: Ensure that the purpose of a group is well documented. Point students to screen shots in the Student Handbook, which shows examples of using a prefix to help find the right group in a Select dialog box and of a Notes property and a Description property.
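Putting the demonstration's group creation steps and the documentation practices above into one script, as an added example that is not part of the course: a function that enforces a prefix naming convention, keeps the pre-Windows 2000 name identical to the group name, writes the purpose and owner into the Description (visible in the details pane), puts longer detail into the Notes field (the info attribute) and links the business owner on the Managed By tab. The prefixes APP_ and ACL_ come from the slide; ROLE_ and the sample values are assumptions.

```powershell
# Added example (not from the course). Assumes the ActiveDirectory module and the
# Groups\Role OU of the lab domain; the ROLE_ prefix and sample text are assumptions.
Import-Module ActiveDirectory

function New-DocumentedGroup {
    param(
        # Naming convention assumed here: a purpose prefix followed by a descriptive name.
        [Parameter(Mandatory)][ValidatePattern('^(APP|ACL|ROLE)_[A-Za-z0-9_]+$')]
        [string]$Name,
        [Parameter(Mandatory)][string]$Path,        # DN of the OU the group is created in
        [Parameter(Mandatory)][string]$Purpose,     # one line, goes into Description
        [Parameter(Mandatory)][string]$Owner,       # sAMAccountName of the business owner
        [string]$Notes = '',                        # longer detail, goes into the Notes field
        [ValidateSet('Global','DomainLocal','Universal')][string]$Scope = 'Global'
    )
    $ownerObj = Get-ADUser -Identity $Owner
    $params = @{
        Name           = $Name
        SamAccountName = $Name              # keep the pre-Windows 2000 name identical
        GroupCategory  = 'Security'
        GroupScope     = $Scope
        Path           = $Path
        Description    = "$Purpose. Owner: $($ownerObj.Name)"
        ManagedBy      = $ownerObj.DistinguishedName   # populates the Managed By tab
        PassThru       = $true
    }
    # 'info' is the LDAP name of the Notes field shown in Active Directory Users and Computers.
    if ($Notes) { $params['OtherAttributes'] = @{ info = $Notes } }
    New-ADGroup @params
}

New-DocumentedGroup -Name 'ROLE_ITConsultants' `
    -Path 'OU=Role,OU=Groups,DC=contoso,DC=com' `
    -Purpose 'Role: external IT consultants working on Contoso projects' `
    -Owner 'Pat.Coleman' `
    -Notes 'Membership requests are approved by the IT consulting coordinator; review quarterly.'
```

The ValidatePattern on the name is where the naming convention is enforced: a group that does not match is rejected before anything is written to the directory, which is a cheaper control than cleaning up badly named groups later.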
Protect Groups from Accidental Deletion
Course 6425C Protect Groups from Accidental Deletion Module 4: Managing Groups In the Active Directory Users and Computers snap-in, click the View menu and make sure that Advanced Features is selected. Open the Properties dialog box for a group. On the Object tab, select the Protect Object From Accidental Deletion check box. Click OK. Objective: Protect groups from accidental deletion.
Delegate Membership Management with the Managed By Tab
Course 6425C Delegate Membership Management with the Managed By Tab Module 4: Managing Groups The Managed By tab serves two purposes: Provide contact information for who manages the group Allow specified user (or group) to modify group membership if Manager Can Update Membership List is selected Tips Must click OK (not just Apply) to change the ACL on the group To set a group in the Name box, click Change, click Object Types, and then click Groups Objective: Delegate group membership management with the Managed By tab.
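The two Lab B tasks on this and the preceding slide, as an added example that is not part of the course: protect every group under an OU from accidental deletion, and set the Managed By account while granting it the same permission the Manager Can Update Membership List check box grants, which is an allow ACE for writing the group's member attribute. The schemaIDGUID of the member attribute used below is the well-known value bf9679c0-0de6-11d0-a285-00aa003049e2; the OU and account names are assumptions.

```powershell
# Added example (not from the course). Assumes the ActiveDirectory module, whose AD:
# drive Get-Acl/Set-Acl use below; OU and account names are assumptions.
Import-Module ActiveDirectory

# Protect every group under an OU that is not yet protected; returns the groups changed.
function Protect-ADGroupsInOU {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        ForEach-Object { Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $true -PassThru }
}

# Set Managed By and grant "write member" on the group, i.e. what the check box does.
function Set-ADGroupManager {
    param([Parameter(Mandatory)][string]$Group, [Parameter(Mandatory)][string]$Manager)
    $g = Get-ADGroup -Identity $Group
    $m = Get-ADObject -Filter "SamAccountName -eq '$Manager'" -Properties objectSid   # user or group
    Set-ADGroup -Identity $g -ManagedBy $m.DistinguishedName

    $memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'
    $path = "AD:\$($g.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        [System.Security.Principal.SecurityIdentifier]$m.objectSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberAttrGuid
    )
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl    # written immediately; no OK-versus-Apply quirk here

    # Return the ACE as stored, to confirm the delegation is scoped to 'member' only.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -like "*\$Manager" -and $_.ObjectType -eq $memberAttrGuid }
}

Protect-ADGroupsInOU -SearchBase 'OU=Groups,DC=contoso,DC=com'
Set-ADGroupManager   -Group 'ACL_Sales_Read' -Manager 'Pat.Coleman'
```

The returned ACE should show WriteProperty with the member attribute's GUID as ObjectType and nothing broader; a delegation that shows GenericAll or an empty ObjectType gives the manager far more than membership control and is worth catching in a periodic review.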
Lab B: Best Practices for Group Management
Exercise 1: Implement Best Practices for Group Management
In this lab, students will:
Create well-documented groups with Active Directory Users and Computers.
Delegate group membership management by using the Managed By tab.
Protect groups from accidental deletion.

Scenario: Your implementation of role-based management at Contoso has been highly successful. As the number of groups in the domain has increased, you've come to realize that it is important to document groups thoroughly and to prevent administrators from accidentally deleting a group. Finally, you want to allow the business owners of resources to manage access to those resources by delegating to those owners the right to modify the membership of the appropriate groups.

Exercise 1: In this exercise, students will document, delegate, and protect groups.
Before the students begin the lab, read the scenario associated with the exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the lab exercise.
Logon information: Virtual machine 6425C-NYC-DC1-A; Logon user name Pat.Coleman; Administrative user name Pat.Coleman_Admin; Password Pa$$w0rd
Estimated time: 10 minutes
Lab Review
What are some benefits of using the Description and Notes fields of a group?
What are the advantages and disadvantages of delegating group membership?

Lab Review: Use the questions on the slide to guide the debriefing after students have completed the lab exercises.
Question: What are some benefits of using the Description and Notes fields of a group?
Answer: Better documented groups are easier to find and understand, and are less likely to be misused for purposes other than their intended purpose.
Question: What are the advantages and disadvantages of delegating group membership?
Answer: Delegating group membership allows IT to get "out of the middle." In most organizations, when a user needs access to a resource, he or she contacts IT, IT contacts the business owner to get approval, and then IT adds the user to the group. Delegating allows the request to go straight to the business owner, who can then make the change to the group. A useful point to elicit during discussion is that delegation is not right in every scenario for every organization. Its usefulness depends on your information security policies, your processes, and the tools you make available to users; a delegated owner can also add members that IT never reviews, so the delegation itself needs periodic review.
Module Review and Takeaways
Review Questions; Common Issues Related to Group Management; Real-World Issues and Scenarios; Best Practices Related to Group Management; Tools; Windows Server 2008 R2 Features Introduced in this Module

Review Questions
Question: Members of the Sales department in a company, which has branches in multiple cities, travel frequently between domains. How will you provide these members with access to printers in various domains that are managed by using domain local groups?
Answer: In this situation, you can create a group with domain local scope and assign it permission to access the printer. Put the Sales user accounts in a group with global scope, and then add this group to the group having domain local scope. When you want to give the Sales users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope automatically receive access to the new printer.
Question: You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the user's account?
Answer: Although your company may have an HR representative with AD DS permissions to move user accounts, the best solution involves having the user account moved into the appropriate OU of the new department. In this manner, the Group Policies associated with the new department will be enforced. If applying the correct Group Policies is important, the user's account should be disabled until somebody with appropriate security permissions can move it into the new OU.
Question: Which group scope can be assigned permissions in any domain or forest?
Answer: Universal groups can be assigned permissions in any domain in the forest or in any trusting forest.

Common Issues Related to Group Management
Issue: Cannot convert group scope. Troubleshooting tip: Check whether the conversion scenario is supported and whether the group's current memberships violate the nesting rules of the target scope.
Issue: Cannot add a group to another group. Troubleshooting tip: Check whether the desired nesting scenario is supported.
Issue: Cannot create a group in AD DS. Troubleshooting tip: Check whether you have the necessary permissions to create group objects in the target OU or container.
Real-World Issues and Scenarios
1. A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS. However, you do not want to give the project manager permission to manage anything else in AD DS. What is the best way to do this?
Answer: Create a new global security group. Add the project members to the group. Create a new OU outside your department's OU. Assign full control of the OU to the project manager. Move the global group into the new OU. Add resources to the OU, such as shared folders and printers. Keep track of the project, and delete the global group when the work finishes. You can keep the OU if another project requires it; otherwise, delete it if there is no immediate need for it.

Best Practices Related to Group Management
When managing access to resources, use both role groups (global groups that define who someone is) and rule groups (domain local groups that define a level of access to a resource).
Use universal groups only when necessary, because their membership is replicated to every global catalog and adds to replication traffic.
Use Windows PowerShell with the Active Directory Module for batch jobs on groups.
Avoid adding users to built-in and default groups.

Tools
Tool: Active Directory Users and Computers. Use: Manage groups. Where to find it: Administrative Tools.
Tool: Windows PowerShell with Active Directory Module. Use: Manage groups from the command line and in scripts. Where to find it: Installed as a Windows feature.
Tool: DS utilities (DSAdd, DSMod, DSGet, DSRm). Use: Manage groups. Where to find it: Command line.

Windows Server 2008 R2 Features Introduced in this Module
Feature: Windows PowerShell with Active Directory Module. Description: New administration utility for Active Directory, based on Windows PowerShell.
Module 5: Managing Computer Accounts
Course 6425C Module 5: Managing Computer Accounts Module 5 Managing Computer Accounts Presentation: 45 minutes Lab: 45 minutes Module Goal Provide deep coverage of administrative tasks and best practices related to the creation and management of computer objects and their account attributes. Objectives After completing this lesson, you will be able to: Create computer accounts and join them to a domain. Administer computer objects and accounts by using the Windows® Interface and command-line tools. Describe and perform the Offline Domain Join process.
The goal of this module is to introduce students to best practices related to the administration of computer objects in Active Directory. But chances are very good that all of your students have, at one point or another, joined a computer to the domain, and most likely they have used the quick-and-easy method of opening the System Properties dialog box on the computer, changing its membership to join the domain, and thereby creating a computer account "on the fly" in the default Computers container. Most of your students have probably performed this task many times, so it is well ingrained. Unfortunately, it is not a best practice, because the computer account ends up in a container that is neither delegated nor configured (with GPOs) correctly according to company standards. Often, this gap is addressed by moving the computer object into the correct OU as a second step, which leaves the computer unsecured for a period of time and is a step that is often forgotten. You should help students understand why this process that they have performed so many times is suboptimal, and why it is beneficial, when possible, to pre-stage computer accounts or in some other way to tightly manage the creation and joining of computers. At the end of this module, students will be introduced to a new feature of Windows Server 2008 R2 Active Directory: Offline Domain Join. Be sure to keep the focus on scenarios where this feature should be used, and how to use it.

Preparation for Demos
To prepare for the demos in this module:
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman, with the password Pa$$w0rd.
3. Run the Active Directory Users and Computers snap-in with administrative credentials (Pat.Coleman_Admin, with the password Pa$$w0rd).
Module Overview
Course 6425C Module Overview Module 5: Managing Computer Accounts Create Computers and Join the Domain Administer Computer Objects and Accounts Perform an Offline Domain Join
Lesson 1: Create Computers and Join the Domain
Course 6425C Lesson 1: Create Computers and Join the Domain Module 5: Managing Computer Accounts Workgroups, Domains, and Trusts Requirements for Joining a Computer to the Domain The Computer’s Container and Organizational Units Prestage a Computer Account Join a Computer to the Domain Secure Computer Creation and Joins Automate Computer Account Creation Import Computers with CSVDE Import Computers with LDIFDE Create Computer Accounts with DSAdd and PowerShell Create and Join Computers with NetDom and PowerShell
Workgroups, Domains, and Trusts
In a workgroup, the SAM is the authority for authentication; identity is local to each computer.
In a domain, Active Directory is the authority for authentication; computers have a "trust relationship" with the domain.

Objective: Review the concepts of workgroups and domains. This will set the stage for a discussion of joining computers to a domain. This slide has a build.

START: The slide shows a two-computer workgroup. Start by discussing the key points about a workgroup. In a workgroup, the authority of identity is the local Security Accounts Manager (SAM) database. Each computer maintains its own unique identity store, and there is no shared identity. Provide a scenario-based example that is supported by the graphics on the slide. A user can log on to a desktop, which will authenticate the user against its local SAM database. But that user's authentication is valid only for that desktop. If the user wants to connect to a server in the workgroup, the server must have a local account for the user in its SAM database. If the user name and password on the server just happen to be identical to the user name and password on the desktop, the user will not notice the authentication: Windows authenticates automatically, behind the scenes. But if the server does not have an account with the exact same user name and password, the user will be prompted for credentials when he or she tries to connect. Make sure students understand the problem: maintaining duplicate user accounts in a workgroup environment may not be a problem if there are only two computers, but the model does not scale, because there is no way to keep the user names and passwords synchronized between the individual SAM databases of workgroup computers.
Course 6425C Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane. Module 5: Managing Computer Accounts BUILD Active Directory appears, providing a centralized authority for identity and authentication. An AD DS domain provides a centralized identity store and authority for authentication. When computers join a domain, they establish a "trust relationship" with the domain. Because they trust the domain, and its ability to authenticate users, it is no longer necessary to maintain user accounts in the local SAM database. Logon is handled by the domain. Now, when a user logs on, the computer authenticates the user with the domain and builds a security token on the computer that contains the SIDs of the user and the user's groups. Depending on the sophistication of your students, you might choose to use terminology such as "ticket" as you describe domain authentication and logon. The art on the slide looks like a ticket, and of course what is happening involves Kerberos tickets. Authentication by the domain is sent to the server when the user needs to access the server. When the user needs access to the server, the domain provides an authentication that the server trusts. Again, you may choose to discuss this process as the domain "issuing a ticket" for the server. Don't go into too much detail about Kerberos authentication, as that is not the point of this module, but if you use correct Kerberos terminology, you will begin to familiarize students with it. It will be helpful if you emphasize that this process involves the domain members trusting the domain for authentication. Using the word trust achieves two things. First, it helps students understand why, when a computer's secure channel is broken, the error that appears indicates that "the computer has lost its trust relationship with the domain.” Second, you are setting the stage for a discussion of multidomain environments, in which trust is extended yet one more step to another domain. 
When a computer belongs to a domain that trusts another domain, identity can be authenticated either against the local SAM database, the domain's Active Directory database, or that of the trusted domain. Explain this to students only if questions suggest that they are ready to hear it. Module 14 goes into more detail about trust relationships between domains.
Requirements for Joining a Computer to the Domain
You must have permissions in Active Directory Domain Services that allow you to join a computer to the domain.
You must be a member of the local Administrators group on the computer to change its domain or workgroup membership.
A computer object should exist in the directory service; if it does not already exist, you must also have permission to create a computer account in the domain.

Objective: Focus students' attention on the very high-level requirements for joining a computer to the domain. Some or all of these requirements will be understood by students already, and all will be detailed in subsequent slides. Do not go into depth now. Treat this as a high-level list of requirements that frame a discussion of security and manageability as the lesson progresses.
Flow: The flow of this lesson is to first describe the correct, best practices, and along the way to teach some important concepts. Later in the lesson, you will discuss the types of practices that may currently be in place, and determine why those practices might be less than ideal.
Requirements for joining a computer to the domain: A computer object should exist. You must have permissions to the computer object to join a computer to it. You must be an administrator of the computer.
It is possible that students might point out that you can join a computer to the domain without a computer object already existing. In fact, this is the way most administrators join a computer to the domain: they simply go into the System Properties of the computer, join it to the domain, and it creates an account in the default Computers container "on the fly." All of this is true, but what is happening is that Windows attempts to join the domain to an existing object, doesn't find the object, so it falls back and creates a computer object in the default Computers container.
The step of creating a computer object, either by an administrator before the join or by Windows during the join, is necessary before the computer can join the domain. It uses a different set of permissions in Active Directory (your permission to create a computer object) than the join itself, and if you do not happen to have permissions to create computer objects in the default computer container, the join will fail. The bottom line is that it is a requirement for the computer object to exist prior to the join, but Windows helps meet that requirement automatically.
167
The Computer’s Container and Organizational Units
Course 6425C The Computer’s Container and Organizational Units Module 5: Managing Computer Accounts

The default Computers container is a container, not an organizationalUnit object
  Cannot link GPOs to a container
  Cannot create sub-OUs in a container
Best practice is to create OUs for computer objects
  Servers: typically subdivided by server role
  Client computers: typically subdivided by region
Divide OUs based first on administration, then to facilitate configuration with Group Policy

Objective: Emphasize the best practice of creating custom OUs for computer objects, rather than relying on the default Computers container. Help students understand just enough about delegation (assigning permissions to OUs) and about configuration (linking Group Policy objects (GPOs) to OUs) to understand how they might choose to design OU branches for clients and for servers. Later modules go into detail about Group Policy and delegation, and their impact on OU design. So don't go into too much detail here, but rather use the opportunity to gently introduce students to these concepts.
It might be helpful here to show the OU structure of the sample contoso.com domain. The design driver for the OU structure in the sample domain is administrative delegation. In the Servers OU, there are sub-OUs for each server role, because there are discrete administrative teams for each class of server. In the Client Computers OU, there are sub-OUs for each location, because there is a desktop support function at each location that requires delegations to create computer objects and join computers to the domain at that specific location. So the OU design was completely driven by delegation. It just so happens that the design also makes it easy to scope configuration by using GPO links to location-specific OUs for computers. Delegation is discussed in detail in Module 8. A later topic, “Secure Computer Creation and Joins,” provides details about delegating specific computer management tasks.
168
Prestage a Computer Account
Course 6425C Prestage a Computer Account Module 5: Managing Computer Accounts

Prestage (pre-create) a computer in the correct OU
  Right-click the OU and choose New Computer
  Computer Name and Computer Name (Pre-Windows 2000) should be the same
  User or group box delegates permissions to the specified account to join the computer to the domain

Objective: Describe the basics of creating a computer account. Details are not necessary at this point as they are covered in later topics. Define prestaging as pre-creating. Both terms are used in documentation and in exams. Point out that by prestaging the account, you fulfill the first two requirements for joining a computer to a domain: the computer object exists, and you have specified who has permissions to join a computer with the same name to the domain.
169
Join a Computer to the Domain
Course 6425C Join a Computer to the Domain Module 5: Managing Computer Accounts

The System Properties dialog box or window
  Prompts for domain credentials
  Requires restart

Objective: Describe the basics of joining a computer to the domain. Ideally, you should demonstrate the interface used to join a computer to the domain. You don't need to actually join the computer to the domain; you can stop just short.
170
Secure Computer Creation and Joins
Course 6425C Secure Computer Creation and Joins Module 5: Managing Computer Accounts

Prestage computer objects in the correct OUs
  Computer is in the correct OU and does not require moving
  Group Policy applies to the computer immediately after joining the domain
Tighter security of computer OU and Computers container
Configure the default computer container
  redircmp "DN of OU for new computer objects"
Restrict the ability of users to create computers
  By default, any user can join 10 machines to the domain
  Requires no prestaging
  Change the ms-DS-MachineAccountQuota value to 0
Delegate to appropriate groups the permission to create computer objects in the appropriate OUs

Objective: Discuss the four major tasks required to secure computer account management in Active Directory. You are now moving beyond the mechanics of creating a computer account and joining it to the domain and into the more advanced topics related to securing and managing computer accounts. The student manual lists the permissions required to delegate common computer management tasks. Delegation is discussed in Module 8, so just explain to students that the information in the student manual is for reference, and that you’ll discuss delegation in Module 8.
Question: What two things determine whether you can join a computer account to the domain?
Answer: To join a computer to a prestaged account, you must be given permission on the account to join it to the domain. If the account is not prestaged, the ms-DS-MachineAccountQuota attribute will determine the number of computers you can join to the domain in the default computer container without explicit permission.
Tip: The redircmp.exe command redirects the default computer container to a specified OU. Redirusr.exe does the same for the default user container.
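The following script is an added example (not part of the course materials) that applies the two domain-wide settings from this slide, ms-DS-MachineAccountQuota set to 0 and a redirected default computer container, and then audits the old Computers container for objects that were joined "on the fly", as in the lab scenario. It assumes the Active Directory module, Domain Admins membership, and an OU that already exists; the OU distinguished name is a constructed value.

```powershell
# Added example, not from the course materials. Assumptions: AD module installed,
# Domain Admins rights, the target OU already exists. redircmp.exe requires the
# Windows Server 2003 domain functional level or higher.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$newComputerOU = 'OU=New Computers,DC=contoso,DC=com'   # constructed value; replace with your OU

function Get-MachineAccountQuota {
    # The attribute lives on the domain naming context object itself
    (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

# 1. Quota: the default of 10 lets any authenticated user create ten computer objects
#    with no delegation at all. Setting it to 0 means only delegated accounts can create them.
Write-Host "ms-DS-MachineAccountQuota before: $(Get-MachineAccountQuota)"
Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
Write-Host "ms-DS-MachineAccountQuota after:  $(Get-MachineAccountQuota)"

# 2. Default container: point unstaged joins at an OU, which (unlike the Computers
#    container) can have GPOs linked and permissions delegated.
Get-ADOrganizationalUnit -Identity $newComputerOU -ErrorAction Stop | Out-Null   # fail early if missing
& redircmp.exe $newComputerOU
if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }
Write-Host "Default computer container is now: $((Get-ADDomain).ComputersContainer)"

# 3. Audit: computers still sitting in the old default container were joined without
#    prestaging and have never received the OU-linked Group Policy.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel -Properties Created |
    Select-Object Name, Created, DistinguishedName
```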
171
Automate Computer Account Creation
Course 6425C Automate Computer Account Creation Module 5: Managing Computer Accounts

CSVDE: Import (create) or export computer accounts
LDIFDE: Import (create), modify, or export computer accounts
DSAdd: Create computer accounts and set initial properties
NetDom: Create computer accounts; join machines to domain
Windows PowerShell with Active Directory Module: Create and manage computer accounts

Objective: This is an overview that sets up the following slides that detail each command.
172
Import Computers with CSVDE
Course 6425C Import Computers with CSVDE Module 5: Managing Computer Accounts

[Slide diagram: CSVDE.exe exporting from, or importing to, Active Directory]

Objective: CSVDE. CSVDE is also discussed in the modules that cover users and groups. If you have already delivered one or both of those modules, you can focus on the last bullet point on the slide, which is unique to computers. Point out that the default mode for CSVDE is export, and that you must specify -i to perform an import.
Reference
CSVDE: Import
  csvde -i -f filename [-k]
  -i: Import (default mode is export)
  -k: Continue past errors (such as Object Already Exists)
  Include a userAccountControl column (set to 4096) and a sAMAccountName column (set to computername$)
173
Import Computers with LDIFDE
Course 6425C Import Computers with LDIFDE Module 5: Managing Computer Accounts

[Slide diagram: LDIFDE.exe exporting from, or importing to, Active Directory using filename.ldf]

Objective: LDIFDE. Mention that one of the best ways to view and to learn about the format for the LDIFDE file is to export data from AD DS by using LDIFDE. Consider showing students a sample LDF file in Notepad, and stepping students through the syntax. There is a sample in the student handbook.
TIP: Both CSVDE and LDIFDE are able to import and export objects by using their respective file formats. Both commands are in the export mode by default and require the -i option to specify import mode. Only LDIFDE is capable of modifying existing objects or removing objects.
Reference
LDIFDE: Import
  Lightweight Directory Access Protocol Data Interchange Format (LDIF)
  ldifde [-i] [-f filename] [-k]
  -i: Import (default mode is export)
  -k: Continue past errors (such as Object Already Exists)
Sample LDF file:
  dn: CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com
  changetype: add
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  objectClass: computer
  cn: FILE25
  userAccountControl: 4096
  sAMAccountName: FILE25$
174
Create Computer Accounts with DSAdd and PowerShell
Course 6425C Create Computer Accounts with DSAdd and PowerShell Module 5: Managing Computer Accounts

DSAdd creates objects in Active Directory
  dsadd computer ComputerDN
  ComputerDN: The distinguished name (DN) of the computer
In Active Directory Module for PowerShell, use:
  New-ADComputer -Name DESKTOP123 -SamAccountName DESKTOP123 -Path 'OU=Client Computers,DC=contoso,DC=com'

Objective: DSAdd. Discuss the use of DSAdd to create computers and the use of New-ADComputer in PowerShell to perform the same task.
175
Create and Join Computers with NetDom
Course 6425C Create and Join Computers with NetDom Module 5: Managing Computer Accounts

Create an account
  netdom add ComputerName /domain:DomainName [/ou:"OUDN"] [/UserD:DomainUsername /PasswordD:DomainPassword]
Join the domain (and, if necessary, create an account)
  netdom join MachineName /Domain:DomainName [/OU:"OUDN"] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
In Active Directory Module for PowerShell: use the Add-Computer cmdlet

Objective: NETDOM. The NetDom join command on the slide is complex. Discuss the command in the following steps:
  Where the account will be created
  With which domain credentials the account is created and joined in AD DS
  With which local credentials (member of the local Administrators group on the computer) the computer's Workgroup/Domain membership is changed
  That the /SecurePasswordPrompt option applies to both the O (local) and the D (domain) credentials: if * is supplied for either the O or D password, a secure prompt will appear for entry of the password
  Time until reboot
Point out that NetDom.exe is a particularly powerful command because you can use it in a script that performs other actions, and because the command can be used remotely to join a computer to the domain. The command takes two sets of credentials: the O user name/password must be a local administrator on the computer; the D user name/password is for the domain and must have permissions to join the computer to its object. At the end of this topic, you should also discuss joining computers to a domain by using PowerShell.
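As an added example (not from the course materials), the following function joins a remote computer with Add-Computer using the same two credential sets NetDom takes: /UserO maps to -LocalCredential and /UserD to -Credential. Add-Computer ships with Windows PowerShell itself; the prestage check uses Get-ADComputer and therefore assumes the Active Directory module (RSAT) on the workstation running the script. Computer name, OU and domain are constructed values.

```powershell
# Added example, not from the course materials. Assumes RSAT AD module on the admin
# workstation and network reachability of the target computer.
function Join-PrestagedComputer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Target,           # computer to join (constructed: DESKTOP123)
        [Parameter(Mandatory)][pscredential]$LocalCred,  # member of Administrators on $Target (NetDom /UserO)
        [Parameter(Mandatory)][pscredential]$DomainCred, # may join the prestaged object (NetDom /UserD)
        [string]$Domain = 'contoso.com',
        [string]$OUPath = 'OU=Client Computers,DC=contoso,DC=com'   # constructed value
    )
    $joinArgs = @{
        ComputerName    = $Target
        LocalCredential = $LocalCred
        DomainName      = $Domain
        Credential      = $DomainCred
        Restart         = $true
        Force           = $true
    }
    # Prefer a prestaged object: the join then needs only the join permission on that object.
    # Without one, Windows creates the account, which needs create-computer permission in $OUPath
    # (or a non-zero ms-DS-MachineAccountQuota in the default container if -OUPath is omitted).
    $prestaged = Get-ADComputer -Filter "Name -eq '$Target'" -SearchBase $OUPath -ErrorAction SilentlyContinue
    if ($prestaged) {
        Write-Verbose "Joining to prestaged object $($prestaged.DistinguishedName)"
    } else {
        Write-Warning "No prestaged object for $Target in $OUPath; the join will try to create one there"
        $joinArgs.OUPath = $OUPath
    }
    Add-Computer @joinArgs -Verbose
}

# Constructed usage: both prompts correspond to the O and D credential pairs on the slide
$local  = Get-Credential -Message 'Local administrator on the target computer (NetDom /UserO)'
$domain = Get-Credential -Message 'Domain account permitted to join the computer (NetDom /UserD)'
Join-PrestagedComputer -Target 'DESKTOP123' -LocalCred $local -DomainCred $domain -Verbose
```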
176
Lab A: Create Computers and Join the Domain
Course 6425C Lab A: Create Computers and Join the Domain Module 5: Managing Computer Accounts

Exercise 1: Join a Computer to the Domain with the Windows Interface
Exercise 2: Secure Computer Joins
Exercise 3: Manage Computer Account Creation

The goals of this lab are to provide a comprehensive experience with both user interface and command-line tools for managing Active Directory computers, and to prepare students to recognize and troubleshoot computer account problems.
Scenario: You are an administrator for Contoso, Ltd. During a security audit, it was identified that there is no control over the creation of new computer accounts: both clients and servers are being added to the domain with no assurance that process is being followed. In fact, a number of computer accounts were discovered in the Computers container. These computer objects were for active computer accounts, but the computers had not been created in or moved to the correct OUs within the Client Computers or Servers OUs according to standard procedures. You’ve been tasked with improving the procedures.
Exercise 1: In this exercise, students will join a computer to the domain by using the Windows interface, and then remove the machine from the domain.
Exercise 2: In this exercise, students will implement best practices to secure the joining of machines to the domain.
Exercise 3: In this exercise, students will implement several best practices for creating computer accounts and joining machines to the domain.
NOTE: Do not shut down the virtual machines after you finish this lab as the settings you have configured here will be used in Lab B.
Logon information
  Virtual machines: 6425C-NYC-DC1, 6425C-NYC-SVR2
  Logon user name: Pat.Coleman_Admin
  Administrative user name: Administrator
  Password: Pa$$w0rd
Estimated time: 20 minutes
177
Module 5: Managing Computer Accounts
Course 6425C Lab Review Module 5: Managing Computer Accounts What did you learn about the pros and cons of various approaches to creating computer accounts in an AD DS domain? What are the two credentials that are necessary for any computer to join a domain? Use the questions on the slide to guide the discussion after students have completed the lab exercises. Question: What did you learn about the pros and cons of various approaches to creating computer accounts in an AD DS domain? Answer: Answers may vary depending on your own experience and situation. Question: What are the two credentials that are necessary for any computer to join a domain? Answer: The necessary credentials are the local credentials that are in the local Administrators group of the computer, and domain credentials that have permissions to join a computer to the computer account.
179
Lesson 2: Administer Computer Objects and Accounts
Course 6425C Lesson 2: Administer Computer Objects and Accounts Module 5: Managing Computer Accounts Configure Computer Attributes Move a Computer Computer Accounts and Secure Channel Recognize Computer Account Problems Reset a Computer Account Rename a Computer Disable and Enable a Computer Delete and Recycle Computer Accounts
180
Configure Computer Attributes
Course 6425C Configure Computer Attributes Module 5: Managing Computer Accounts

Useful attributes
  Description
  Location
    Used by location-aware applications such as Search For Printers
    Example: US\WA\SEA\HQ\Building33\Floor3\Q04\1531
  Managed By
    Link to user who is the primary user of the computer
    Link to group that is responsible for the computer (servers)
  Member Of
    Groups: Group Policy filtering, software deployment
dsmod computer "ComputerDN" [-desc "Description"] [-loc "Location"]
In PowerShell, use: Set-ADComputer cmdlet

Objective: Use computer attributes to provide documentation and to improve manageability of computer objects.
Location Attribute: Optional Detail. Discuss the location attribute and how it can be used by location-aware applications such as Search For Printers. The client understands its location from the location attribute of its object in Active Directory. A Group Policy setting can configure computers so that when the Search For Printers window appears, the Search In box is pre-populated with the computer's location, which will then limit search results to printers in the same location. Printers have a location attribute that must be configured for this functionality to work. Location should be a hierarchy, as shown on the slide, with locations separated by a backslash. Although the computer object’s location attribute is one way to inform the client of its location, it is typically more manageable to configure the computer's location by using Group Policy, or by associating locations with Active Directory sites or subnets. The latter option, associating locations with IP subnets, is the most powerful approach and is therefore the best practice. A computer will change its location attribute as it moves between subnets.
Managed By: Inform students that the Managed By tab is a link for contact information purposes only.
The object (user or group) in the managedBy attribute is not granted any rights over the object in Active Directory or administrative rights to the computer. Questions for Students Does your organization use the location attribute, and if so, for what purposes? Does your organization use the Managed By attribute, and if so, for what purposes? Does your organization put computers in groups, and if so, for what purposes?
181
Module 5: Managing Computer Accounts
Course 6425C Move a Computer Module 5: Managing Computer Accounts

Using Active Directory Users and Computers
  Drag and drop
  Right-click the computer, and then click Move
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
  -newname NewName: Used to rename a computer
  -newparent ParentDN: Used to move a computer to the OU specified by ParentDN
Using Windows PowerShell with pipelining:
  Get-ADComputer ComputerName | Move-ADObject -TargetPath "ParentDN"

Objective: Move a computer.
Advanced information about the delegation of the ability to move computers: Delegation is covered in another module, but if you receive a question such as "Who can move computers?" or if you want to discuss delegation at a very high level, you may do so here. You must have appropriate permissions to move an object in Active Directory. Default permissions allow Account Operators to move computer objects between containers, including the Computers container and any OUs, except into or out of the Domain Controllers OU. Members of the built-in Administrators group, which includes Domain Admins and Enterprise Admins, can move computer objects between any containers, including the Computers container, the Domain Controllers OU, and any other OUs. There is no way to delegate the specific task of moving an object in Active Directory. Instead, your ability to move a computer is derived from your ability to delete an object in the source container and create an object in the destination container. When you move the object, you are not actually deleting and re-creating it; those are just the permissions that are evaluated to allow you to perform a move.
Note of caution about moving objects: Again, neither delegation nor Group Policy is covered in this module, but as much as possible, help students understand: Before you move a computer, consider the implications for delegation and configuration.
The target OU may have different permissions than the originating OU, in which case the object will inherit new permissions affecting who is able to further manage the object. The target OU may also be within the scope of different Group Policy objects (GPOs), which would change the configuration of settings on the system itself. Great tip to share with students: Manage Before moving into troubleshooting topics, take a moment to expose the students to the Manage command that appears when you right-click a computer object in Active Directory Users and Computers. Point out that it opens the Computer Management console, focused on the selected computer. Explain that this is a great way to begin troubleshooting a client computer. The tip is intentionally not shown on the slide, so you can share the tip and invite students to write it down.
182
Computer Account and Secure Channel
Course 6425C Computer Account and Secure Channel Module 5: Managing Computer Accounts Computers have accounts sAMAccountName and password Used to create a secure channel between the computer and a domain controller Scenarios where a secure channel can be broken Reinstalling computer, even with same name, generates a new SID and password Restoring a computer from an old backup, or rolling back a computer to an old snapshot Computer and domain disagree about what the password is Objective: Explain the secure channel and how it can be broken. Explain to students that the secure channel between a computer and a domain controller is used for all communication with the domain, including authentication of a user logon to the computer. The secure channel is established when the computer authenticates to the domain by using its user name and password. Like users, computers have logon names and passwords. If the computer is unable to log on successfully, the secure channel is not established. The effect is very similar to when a user enters the wrong user name or password–the user is not able to authenticate to the domain either. There are several scenarios in which the secure channel can be broken. Three of them are listed on the slide. What is not listed on the slide is “Administrator errors in Active Directory.” These can include dangerous Active Directory actions like rolling back a domain controller running to a snapshot. You should mention that there are several ways for an administrator to damage Active Directory (manually, automatically, intentionally, or accidentally), and damage might surface with broken secure channels. Ask students: What scenarios have you encountered in which you identified that the secure channel was broken? How did you know the secure channel was broken? After students have shared their experiences, ask the question a slightly different way: What scenarios have caused you to remove a computer from the domain and then rejoin it to the domain? 
This is a very common technique used by administrators to reset a secure channel–they often don't realize what they are actually doing by removing the computer and rejoining the domain. If students have not already mentioned the logon message that states “The trust relationship between the workstation and the primary domain failed,” ask the students: Have you ever tried to log on to the domain and had the computer tell you that it could not talk to the domain? What messages did you receive? Help students delineate messages such as "A domain controller is not available," which is typically the result of networking connectivity problems, from messages that mention trust with the domain or otherwise indicate problems with the secure channel. With these setups, move on to the next slide.
183
Recognize Computer Account Problems
Course 6425C Recognize Computer Account Problems Module 5: Managing Computer Accounts Logon messages Event log errors, including key words such as Password Trust Secure channel Relationships with the domain or domain controllers Missing computer account in Active Directory Objective: Recognize computer account problems. A "broken" computer account manifests itself with a variety of symptoms, error messages, and event log entries. One of the most common problems that appears to end users, and generates help desk calls, is shown on the slide. Mention that a user may be able to log on to a machine with a broken secure channel (using cached credentials) but will experience other strange behavior because authentication will not be able to use Kerberos without a functioning secure channel.
184
Reset a Computer Account
Course 6425C Reset a Computer Account Module 5: Managing Computer Accounts

Do not simply remove a computer from the domain and rejoin
  Creates a new account: new SID, lost group memberships
Options for resetting the secure channel
  Active Directory Users and Computers
    Right-click the computer, and then click Reset Account
    Requires the computer to rejoin the domain and restart
  DSMod
    dsmod computer "ComputerDN" -reset
  NetDom
    netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password|*}
  NLTest
    nltest /server:ServerName /sc_reset:DOMAIN\DomainController
  Windows PowerShell
    Test-ComputerSecureChannel -Repair

Objective: Reset a computer account (secure channel). Because NLTest and NetDom reset the secure channel without requiring a reboot, you should try those commands first. Only if not successful should you use the Reset Account command or DSMod to reset the computer account. Resetting the secure channel requires the permission to Reset Password on the computer object.
Question: A user complains that when she attempts to log on, she receives an error message indicating the trust with the domain has been lost. You want to attempt to reset the secure channel without rebooting her system. What two commands can you use?
Answer: The NetDom and NLTest commands reset the secure channel without requiring you to rejoin the machine to the domain, and therefore they require no reboot.
Note: NLTest and NetDom are native tools for Windows Server® 2008 and therefore are important to understand and do appear on the certification exams. The two commands are not available on Windows Vista® by default; however, some admins have used the versions that are in the Windows Server 2003 Support Tools with reasonable levels of success, but this is not supported.
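The following script is an added example (not part of the course materials) covering the three preceding slides: it surfaces the event log symptoms of a broken secure channel (messages mentioning trust, secure channel or password), tests the channel, and repairs it in place without a rejoin or reboot, falling back to nltest /sc_reset. It assumes it runs on the affected workstation (a cached-credential logon is enough) under Windows PowerShell 3.0 or later; the domain name and credential prompt are constructed values.

```powershell
# Added example, not from the course materials. Run on the affected computer itself.
function Get-SecureChannelSymptoms {
    # Recent NETLOGON warnings/errors whose text contains the key words from the slide
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2, 3 } `
                 -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'trust|secure channel|password' } |
        Select-Object TimeCreated, Id, Message
}

function Repair-SecureChannelInPlace {
    param(
        [Parameter(Mandatory)][string]$Domain,   # domain whose DC the channel is tested against
        [pscredential]$Credential                # domain account with Reset Password on the computer object
    )
    if (Test-ComputerSecureChannel -Verbose) {
        return [pscustomobject]@{ Healthy = $true; Repaired = $false }
    }
    # Broken: reset the machine account password on both the client and the DC.
    # Unlike remove/rejoin this keeps the SID and group memberships and needs no reboot.
    $repairArgs = @{ Repair = $true; Verbose = $true }
    if ($Credential) { $repairArgs.Credential = $Credential }
    $ok = Test-ComputerSecureChannel @repairArgs
    if (-not $ok) {
        # Fall back to Netlogon's own reset, equivalent to the NLTest line on the slide
        & nltest.exe /sc_reset:$Domain
        $ok = ($LASTEXITCODE -eq 0)
    }
    return [pscustomobject]@{ Healthy = $ok; Repaired = $ok }
}

# Constructed usage
Get-SecureChannelSymptoms | Format-Table -AutoSize
$cred = Get-Credential -Message 'Domain account with Reset Password on this computer object'
Repair-SecureChannelInPlace -Domain 'contoso.com' -Credential $cred
```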
185
Module 5: Managing Computer Accounts
Course 6425C Rename a Computer Module 5: Managing Computer Accounts

Use System Properties of the computer to rename the computer and its account correctly
NetDom
  netdom renamecomputer MachineName /NewName:NewName [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
Windows PowerShell: Rename-Computer
Be cautious of the impact that renaming can have on services and on certificates associated with the computer's name

Objective: Rename a computer.
186
Disable and Enable a Computer
Course 6425C Disable and Enable a Computer Module 5: Managing Computer Accounts

Disable a computer if it will be offline for an extended time
  Similar to disabling a user who is on a leave of absence
  Prevents the secure channel from being established, so users who do not have cached credentials on the computer cannot log on
Active Directory Users and Computers
  Right-click the computer, and then click Enable Account or Disable Account
DSMod
  dsmod computer ComputerDN -disabled yes
  dsmod computer ComputerDN -disabled no

Objective: Disable and enable a computer.
187
Delete and Recycle Computer Accounts
Course 6425C Delete and Recycle Computer Accounts Module 5: Managing Computer Accounts

Delete a computer with Active Directory Users and Computers
  Right-click the computer, and then click Delete
Delete a computer with DSRm
  dsrm ObjectDN
Delete destroys SID and group memberships
When replacing or reinstalling a computer, if the computer will play the same role, reset the computer account instead of deleting it
  Preserves all attributes of the computer, including SID and group memberships
  You can rename the object if the computer is being renamed during reinstallation/upgrade
  This recycles the computer account

Objective: Properly dispose of and “recycle” computer accounts. As more organizations use groups with computers as members to filter Group Policy, to manage configuration and deployment of applications, and to manage permissions and rights, it becomes more important than ever to think about computer accounts just like user accounts, and to be careful of destroying SIDs and group memberships of computers. The concept of "recycling" a computer account is a practical option that should be considered when upgrading or reinstalling a computer, so that group memberships and other attributes of the computer are preserved. The value of recycling a computer account is not well documented, but can be leveraged in the real world. It also helps tremendously when systems management tools, such as Microsoft® System Center Configuration Manager, are used, because it keeps the relationship between the asset and its configuration.
188
Lab B: Administer Computer Objects and Accounts
Course 6425C Lab B: Administer Computer Objects and Accounts Module 5: Managing Computer Accounts

Exercise 1: Administer Computer Objects Through Their Life Cycle
Exercise 2: Administer and Troubleshoot Computer Accounts

The goals of this lab are to provide a comprehensive experience with both user interface and command-line tools for managing Active Directory computers, and to prepare students to recognize and troubleshoot computer account problems.
Scenario: You are an administrator for Contoso, Ltd. During a security audit, a number of computer accounts were discovered. Those computers no longer exist in the domain. You’ve been tasked with improving the management of computer accounts, and identifying the best practices for administering the entire life cycle of a computer account.
Exercise 1: In this exercise, students will configure common attributes of computer objects, including description and ManagedBy. Students will also manage the group membership of computers and move computers between OUs.
Exercise 2: In this exercise, students will administer and troubleshoot computer accounts and the secure channel.
Logon information
  Virtual machines: 6425C-NYC-DC1, 6425C-NYC-SVR2
  Logon user names: Pat.Coleman_Admin, Pat.Coleman
  Administrative user name: Administrator
  Password: Pa$$w0rd
Estimated time: 15 minutes
189
Module 5: Managing Computer Accounts
Course 6425C Lab Review Module 5: Managing Computer Accounts What insights did you gain into the issues and procedures regarding computer accounts and administering computer accounts through their life cycle? Lab Review Use the questions on the slide to guide the discussion after students have completed the lab exercises. Question: What insights did you gain into the issues and procedures regarding computer accounts and administering computer accounts through their life cycle? Answer: Answers will vary based on your own experience and situation.
191
Lesson 3: Offline Domain Join
Course 6425C Lesson 3: Offline Domain Join Module 5: Managing Computer Accounts

What Is an Offline Domain Join?
Process for Performing an Offline Domain Join
Demonstration: Perform an Offline Domain Join

This lesson should present a new feature of Windows Server 2008 R2 and Windows 7, named Offline Domain Join. Because it is pretty simple to use this feature, you should focus on teaching about scenarios where this functionality can be beneficial.
192
What Is an Offline Domain Join?
Course 6425C What Is an Offline Domain Join? Module 5: Managing Computer Accounts An Offline Domain Join allows a client to fully achieve a domain-joined state without ever having communicated with a domain controller A trust relationship between a computer and a domain is established as soon as the network connection with a domain controller is established Requirements No forest or domain functional level requirement No Windows Server 2008 R2 domain controllers required The computer being joined must be a Windows 7 client or a Windows Server 2008 R2 member Objective: Define the Offline Domain Join functionality and explain how it works. You should also discuss some scenarios of usage for this technology, and requirements and limitations for usage.
193
Process for Performing an Offline Domain Join
Course 6425C Process for Performing an Offline Domain Join Module 5: Managing Computer Accounts

If a nonadministrator is performing the offline domain join, appropriate rights must be delegated
Run the following command to provision the computer account object and create the blob file:
  djoin /provision /domain contoso.com /machine DESKTOP123 /savefile C:\desktop123.txt
Transfer the blob file with domain information to the client computer's system hard disk drive
Run the following command to load the blob file on the destination computer:
  djoin /requestODJ /loadfile desktop123.txt /windowspath %SystemRoot% [/localos]
Restart the client computer

Objective: Describe the Offline Domain Join process. This topic describes the process of offline domain join. You should describe each step provided here, and explain when to use the /localos switch.
Question: What is the content of the text file that is created during a djoin provisioning process?
Answer: This file contains sensitive data that is needed to establish a relationship between a computer and a domain. The data includes the machine account password and other information about the domain, including the domain name, the name of a domain controller, and the SID of the domain.
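As an added example (not from the course materials), the following script wraps the two djoin steps from this slide and handles the blob as the secret the answer above says it is: it restricts the file's ACL to the provisioning user before transfer, verifies the provisioned object landed in the intended OU, and deletes the blob after it has been applied. Computer name, OU and paths are constructed values; /machineou is a documented djoin /provision switch that places the object in a specific OU instead of the default container.

```powershell
# Added example, not from the course materials. Assumptions: AD module on the provisioning
# workstation, create-computer rights in the target OU, djoin.exe on both machines.
function New-OdjBlob {
    param(
        [Parameter(Mandatory)][string]$Machine,
        [string]$Domain    = 'contoso.com',
        [string]$MachineOU = 'OU=New Computers,DC=contoso,DC=com',   # constructed value
        [string]$OutDir    = $env:TEMP
    )
    $blob = Join-Path $OutDir "$Machine.txt"

    # Step 1: provision the account and write the blob
    & djoin.exe /provision /domain $Domain /machine $Machine /machineou $MachineOU /savefile $blob
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed for $Machine (exit code $LASTEXITCODE)" }

    # The blob carries the machine account password: lock it to the provisioning user
    # before it leaves this machine.
    $acl = Get-Acl -Path $blob
    $acl.SetAccessRuleProtection($true, $false)          # drop inherited ACEs
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $blob -AclObject $acl

    # Confirm the object landed in the intended OU, not the default Computers container
    $obj = Get-ADComputer -Identity $Machine
    if ($obj.DistinguishedName -notlike "*,$MachineOU") {
        Write-Warning "$Machine was created at $($obj.DistinguishedName), not under $MachineOU"
    }
    return $blob
}

function Complete-OdjJoin {
    # Step 2: run on the offline client from an elevated prompt; /localos targets the running OS
    param([Parameter(Mandatory)][string]$BlobPath)
    & djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit code $LASTEXITCODE)" }
    Remove-Item -Path $BlobPath -Force     # single-use secret; do not leave it on disk
    Restart-Computer -Force
}

# Provisioning side (constructed usage)
$blob = New-OdjBlob -Machine 'DESKTOP123'
# Transfer $blob to the new computer, then on that computer run:
#   Complete-OdjJoin -BlobPath 'C:\DESKTOP123.txt'
```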
Demonstration: Perform an Offline Domain Join
In this demonstration, you will see how to perform an Offline Domain Join.

In this demonstration, you should show students how to perform a Domain Join on virtual machines.

Detailed Demonstration Steps
Note: You require the 6425C-NYC-DC1 virtual machine to complete this demonstration.
1. Log on to NYC-DC1 as Contoso\Administrator, with the password Pa$$w0rd.
2. Open a Command Prompt with administrative privileges.
3. Type the following command and press Enter: djoin /provision /domain contoso.com /machine NYC-CL2 /savefile NYC-CL2.txt
4. Ensure that the command completed successfully.
5. Open the Active Directory Users and Computers console, navigate to the New Computers OU, and ensure that the NYC-CL2 account has been created there.
6. Explain that the next step would be to perform the djoin /requestodj /loadfile command on the workstation or drive that is being provisioned. Students will perform this step in the lab.
Lab C: Perform an Offline Domain Join
Exercise: Perform an Offline Domain Join

The goals of this lab are to provide a comprehensive experience with both user interface and command-line tools for managing Active Directory computers, and to prepare students to recognize and troubleshoot computer account problems.

Scenario
You are an administrator for Contoso, Ltd. You must provision a large number of new computers in a short period of time. Not all computers can have network connectivity, so you have decided to leverage the Offline Domain Join functionality. In this lab, you will test this functionality on one virtual machine.

Exercise
In this exercise, students will perform the Offline Domain Join procedure.

Logon information
Virtual machine 6425C-NYC-DC1: logon user name Pat.Coleman_Admin
Virtual machine 6425C-NYC-CL2: logon user name Pat.Coleman
Administrative user name: Admin
Password: Pa$$w0rd

Estimated time: 10 minutes
Lab Review

Instead of copying the file to a functional workstation, what approach can you use to perform an offline domain join?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: Instead of copying the file to a functional workstation, what approach can you use to perform an offline domain join?
Answer: You can mount the hard drive and run the djoin /requestODJ command with /windowspath pointing to the drive letter of the attached drive.
Module Review and Takeaways
Review Questions
Common Issues Related to Computer Account Management
Real-World Issues and Scenarios
Best Practices Related to Computer Account Management
Tools
Windows Server 2008 R2 Features Introduced in this Module

Review Questions

1. What is the main difference between the Computers container and an OU?
Answer: You cannot create an OU within the Computers container, so you cannot subdivide it. Also, you cannot link a Group Policy object to a container. Because of this, we recommend that you move newly created computer accounts from the Computers container to an OU.

2. When should you reset a computer account? Why is it better to reset the computer account than to disjoin and rejoin it to the domain?
Answer: You should reset a computer account when the computer is no longer able to authenticate to the domain. That can happen if the operating system is reinstalled, the computer is restored from backup, or the machine account password has fallen out of sync. If you just disjoin the computer from the domain and rejoin it instead of resetting the computer account, you risk losing the computer account altogether, which means losing the computer's SID and, more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be re-created.

3. When performing an offline domain join, what should you do after you provision a new computer account to the domain by using the djoin.exe utility?
Answer: After a new computer account is provisioned, you should transfer the blob text file, with the domain and computer account information, to the destination computer that should be joined to the domain. Then, you should run djoin.exe with the /requestODJ switch.
Common Issues Related to Computer Account Management

Issue: The computer cannot be joined to a domain.
Troubleshooting tip: Check if the domain controller is available. Check the IP address and DNS settings on the client computer. Check if the account that is being used to join the computer to the domain has appropriate privileges to join a computer to the domain.

Issue: Group Policy is not applied to a computer after it is joined to a domain.
Troubleshooting tip: Check if the computer account is still in the Computers container. You cannot link GPOs to this container.

Issue: Offline Domain Join is not working as expected.
Troubleshooting tip: Check if the name of the provisioned computer account is the same as the name of the computer being joined to the domain. Make sure that you do not use the /localos switch if you are mounting a drive from the destination computer.
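The second review answer argues for resetting a computer account rather than disjoining and rejoining, because the rejoin creates a new object with a new SID and empty group memberships. The following added example (not from the course) makes that visible: it records the object's SID and memberOf on the domain controller, repairs the broken secure channel from the client with Test-ComputerSecureChannel -Repair (a client-side reset of the machine account password that leaves the AD object in place), and lets you confirm afterwards that the SID is unchanged. NYC-CL2, NYC-DC1 and the credential name are assumed values from the lab setup.

```powershell
# Added example, not part of Course 6425C. Assumed names: NYC-CL2 is the client whose
# secure channel is broken, NYC-DC1 a domain controller in contoso.com.

function Get-ComputerAccountIdentity {
    # Run on a management host: capture exactly what a disjoin/rejoin would destroy.
    param([string]$Name)
    Import-Module ActiveDirectory -ErrorAction Stop
    $c = Get-ADComputer -Identity $Name -Properties MemberOf, PasswordLastSet
    New-Object PSObject -Property @{
        Name            = $c.Name
        SID             = $c.SID.Value
        MemberOf        = @($c.MemberOf)
        PasswordLastSet = $c.PasswordLastSet
    }
}

function Repair-ComputerSecureChannel {
    # Run on the affected client as a local administrator. Resets the machine account
    # password on both sides without deleting or recreating the AD object, so the SID
    # and group memberships survive.
    param([string]$Server, [System.Management.Automation.PSCredential]$Credential)

    if (Test-ComputerSecureChannel -Server $Server) {
        Write-Verbose 'Secure channel is healthy; no reset needed.'
        return $true
    }
    # Returns $true when the repair succeeded.
    Test-ComputerSecureChannel -Repair -Server $Server -Credential $Credential
}

# Usage:
#   $before = Get-ComputerAccountIdentity -Name 'NYC-CL2'                      # on NYC-DC1
#   Repair-ComputerSecureChannel -Server 'NYC-DC1' `
#       -Credential (Get-Credential 'CONTOSO\Pat.Coleman_Admin')               # on NYC-CL2
#   $after  = Get-ComputerAccountIdentity -Name 'NYC-CL2'                      # on NYC-DC1
#   $before.SID -eq $after.SID     # True: same object, memberships intact
#   $after.PasswordLastSet -gt $before.PasswordLastSet   # True: password was reset
```

Compare the two snapshots rather than trusting the return value alone: a successful repair changes PasswordLastSet but nothing else, which is the property that makes the reset preferable to a rejoin.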
Real-World Issues and Scenarios

You are working as an IT technician in Contoso, Ltd. You are managing the Windows Server based infrastructure. You have to find a method for joining new Windows 7 based computers to a domain during the installation process without intervention of a user or an administrator.
Answer: The best way to do this will be to first provision the computer accounts to AD DS by using the djoin utility with the /provision switch and then use an unattended setup to perform the installation. Using a utility such as Windows System Image Manager, you can perform an unattended domain join during an operating system installation by providing information that is relevant to the domain join in an Unattend.xml file.

Best Practices Related to Computer Account Management
Always provision a computer account before joining computers to a domain, and place the accounts in appropriate OUs.
Redirect the default Computers container to another location.
Reset the computer account instead of just doing a disjoin and rejoin.
Integrate the offline domain join functionality with unattended installations.

Tools
Tool: Windows PowerShell with Active Directory Module. Use for: computer account management. Where to find it: Administrative Tools.
Tool: CSVDE, LDIFDE. Use for: importing computer accounts in AD DS. Where to find it: Windows Server command prompt.
Tool: Djoin.exe. Use for: offline domain join.

Windows Server 2008 R2 Features Introduced in this Module
Lessons 1 and 2, topics where Windows PowerShell is used: Windows PowerShell with Active Directory Module.
Lesson 3, all topics: Offline Domain Join.
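The real-world scenario above combines djoin /provision with an unattended installation. As an added example that is not part of the course, the following PowerShell function takes a blob file that djoin has already written and builds the Microsoft-Windows-UnattendedJoin component for the specialize pass of an Unattend.xml, which is where the provisioning data goes. The assumptions are that the blob was produced with /savefile (djoin writes it as base64 text), that the image is 64-bit Windows 7 (the processorArchitecture value), and that the component attributes are the standard ones Windows System Image Manager would generate.

```powershell
# Added example, not part of Course 6425C. Assumes a blob already written by
# "djoin /provision ... /savefile". The component attributes are the standard
# unattend component attributes for a 64-bit image (assumption).

function New-OdjUnattendFragment {
    param(
        [string]$BlobPath,
        [string]$Architecture = 'amd64',
        [string]$OutPath
    )
    # djoin writes the base64 blob as Unicode text; join lines and trim whitespace.
    $blob = ((Get-Content -LiteralPath $BlobPath) -join '').Trim()
    if ($blob -notmatch '^[A-Za-z0-9+/=]+$') { throw "$BlobPath does not look like a djoin blob" }

    $ns  = 'urn:schemas-microsoft-com:unattend'
    $xml = New-Object System.Xml.XmlDocument
    $settings = $xml.AppendChild($xml.CreateElement('settings', $ns))
    $settings.SetAttribute('pass', 'specialize')

    $component = $settings.AppendChild($xml.CreateElement('component', $ns))
    $component.SetAttribute('name', 'Microsoft-Windows-UnattendedJoin')
    $component.SetAttribute('processorArchitecture', $Architecture)
    $component.SetAttribute('publicKeyToken', '31bf3856ad364e35')
    $component.SetAttribute('language', 'neutral')
    $component.SetAttribute('versionScope', 'nonSxS')

    $ident = $component.AppendChild($xml.CreateElement('Identification', $ns))
    $prov  = $ident.AppendChild($xml.CreateElement('Provisioning', $ns))
    $acct  = $prov.AppendChild($xml.CreateElement('AccountData', $ns))
    $acct.InnerText = $blob    # the DOM escapes text; base64 needs no escaping anyway

    if ($OutPath) {
        $xml.Save($OutPath)
        # The fragment now carries the machine account password: protect it like the blob.
        & icacls.exe $OutPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null
    }
    return $xml.OuterXml
}

# Usage: New-OdjUnattendFragment -BlobPath 'C:\desktop123.txt' -OutPath 'C:\odj-specialize.xml'
# Merge the resulting <settings pass="specialize"> block into the answer file produced
# with Windows System Image Manager.
```

Treat the generated answer file as a credential for the lifetime of the deployment media; it is as sensitive as the blob it embeds.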
Module 6: Implementing a Group Policy Infrastructure
Presentation: 120 minutes
Lab: 90 minutes

Module Goal
Introduce the core components and functionality of the Windows® Group Policy infrastructure. Prepare students for managing Group Policy objects (GPOs), GPO links, and GPO processing.

Objectives
After completing this lesson, you will be able to:
Describe the components and technologies that comprise the Group Policy framework.
Implement GPOs.
Configure and understand a variety of policy setting types.
Understand and configure Group Policy preferences.
Scope GPOs using links, security groups, WMI filters, loopback processing, and Preference targeting.
Describe how GPOs are processed.
Locate the event logs containing Group Policy-related events and troubleshoot Group Policy application.

Module Exam Objectives
Creating and Maintaining Active Directory® Objects: Create and apply GPOs. May include, but is not limited to: enforce, OU hierarchy, block inheritance, and enabling user objects, Group Policy processing priority, WMI, Group Policy filtering, Group Policy Preferences, Group Policy loopback.
Creating and Maintaining Active Directory Objects: Configure GPO templates. May include, but is not limited to: user rights, ADMX Central Store, administrative templates, security templates, restricted groups, security options, starter GPOs, and shell access policies.
Maintaining the Active Directory Environment: Monitor Active Directory. May include, but is not limited to: Network Monitor, Task Manager, Event Viewer, ReplMon, RepAdmin, Windows System Resource Manager, Reliability and Performance Monitor, Server Performance Advisor, and RSoP.
Preparation for this module
Be certain that you have read the student handbook for this module and are thoroughly comfortable with the three-tiered approach to presenting Group Policy. In the first lesson, students are introduced to concepts, terminology, and the core components of Group Policy so that they understand the big picture. In the second lesson, students are given enough detail to implement a simple Group Policy framework. Then, in the remaining lessons in this module, each component of Group Policy is explored in detail. You must be comfortable with the high level of detail provided in later lessons so that you are not tempted to go into too much detail in Lesson 1.

Preparation for Demos
To prepare for demos in this module:
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.
3. Run the Active Directory Users and Computers snap-in with administrative credentials (Pat.Coleman_Admin with the password Pa$$w0rd).

Preparation for Labs
There are 5 labs, which occur during the course of the module. There are dependencies between the labs, so the virtual machines should not be shut down after each lab.
Module Overview
Understand Group Policy
Implement GPOs
Manage Group Policy Scope
Group Policy Processing
Troubleshoot Policy Application
Lesson 1: Understand Group Policy
What Is Configuration Management?
Overview of Policies
Benefits of Using Group Policy
Group Policy Objects
GPO Scope
Group Policy Client and Client-Side Extensions
Group Policy Refresh
Review the Components of Group Policy
Demonstration: Exploring Group Policy Settings

In this lesson, you will provide an overview of Group Policy. The goal of this lesson is to introduce the core concepts, terms, and components of Group Policy, so that students have a big-picture understanding of what Group Policy is. They must see the overview, and have a feeling for the pieces and how they fit together. Do not go into too much detail about any one concept, term, or component. Remaining lessons in this module return to each concept, term, and component in great detail.

It is highly recommended that you read the text in the student handbook for this lesson, and use that text as a guide or even as a script for delivering this module, as the text provides just enough detail to get students on to the same page, regardless of previous experience levels. It is also highly recommended that, rather than stepping through slides, you demonstrate as much as possible live in the user interface as you discuss policy settings, GPOs, and GPO links. Again, the text in the student handbook provides a guide for this demonstration, using the policy setting that restricts access to the registry tools, following that through a GPO, linking the GPO to an organizational unit (OU), and then perhaps even showing the results of the GPO on a client.
What Is Configuration Management?
A centralized approach to applying one or more changes to one or more users or computers.

Group Policy: The framework for configuration management in an AD DS domain.
Setting: Definition of a change or configuration.
Scope: Definition of the users or computers to which the change applies.
Application: A mechanism that applies the setting to users and computers within the scope.
Tools for management, configuration, and troubleshooting.

Because there are so many moving parts to Group Policy, it is helpful to start by taking a step back from the technology and making sure that students understand the broad concept and business value of configuration management. By presenting configuration management as three elements (setting, scope, and application), you create a framework in students' minds for understanding the role of each component of Group Policy. Explain that configuration management, Group Policy in particular, enables information technology (IT) administrators to automate the management of users and computers, which simplifies administrative tasks and reduces IT costs. Administrators can implement security settings, enforce IT policies, and distribute software consistently for the local computer or across a given site, domain, or range of organizational units.

The Information Assurance topic that builds the case for GPO usage is Configuration Management. This is an industry best practice that requires emphasis. RSoP is also good documentation for the standardization of computers and user accounts. This is also a good place to mention the improvements in the security posture of the organization that can be accomplished with effective Group Policies. GPOs are also a method for mitigating the risk associated with specific security threats facing an organization.
Overview of Policies

The granular definition of a change or configuration, for example:
Prevent access to registry-editing tools
Rename the Administrator account

Divided between:
User Configuration ("user policies")
Computer Configuration ("computer policies")

Define a setting as:
Not configured (default)
Enabled
Disabled

If you choose to demonstrate this slide: Edit the 6425C GPO, but do not take time to explain to students exactly what you are doing, because you will return to the GPO in the next topic. Instead, begin your discussion with the Group Policy Management Editor (GPME) open. Drill down to the two settings shown on the slide, along the way pointing out that there are thousands of settings divided between User Configuration and Computer Configuration. Open the policy setting, Prevent access to registry editing tools, and discuss the three available settings. Point out the double negative: if you disable the policy that prevents access, you in effect ensure that users can access registry-editing tools. You can also point out that a setting is the granular definition of a change, but the setting itself may contain several changes or variations. For example, this policy setting, if enabled, allows you to go a step further and prevent or allow regedit /s.

It is recommended that you demonstrate only this one policy setting, in order to stay focused on the big picture that is the point of this lesson. Lesson 3 provides the opportunity to tour and discuss other policy settings. Policy settings are discussed in detail in Lesson 3.
Benefits of Using Group Policy
Apply security settings
Manage desktop and application settings
Deploy software
Manage folder redirection
Configure network settings

If you choose to demonstrate the slide: Close the GPME that you used to edit the GPO in the previous slide. Point out that the setting you just configured is contained in the 6425C GPO. Remind students that a GPO can contain multiple settings, but by default all settings are set to Not Configured. Point out that the tool you use to manage GPOs is the Group Policy Management console. Mention that you have opened the 6425C GPO for editing by right-clicking the GPO and choosing Edit, which opens the Group Policy Management Editor. The management of GPOs is discussed in detail in Lesson 2.
Group Policy Objects

Container for one or more policy settings
Managed with the GPMC
Stored in the Group Policy Objects container
Edited with the GPME
Applied to a specific level in the AD DS hierarchy

If you choose to demonstrate the slide: Close the GPME that you used to edit the GPO in the previous slide. Point out that the setting you just configured is contained in the 6425C GPO. Remind students that a GPO can contain multiple settings, but by default all settings are set to Not Configured. Point out that the tool you use to manage GPOs is the Group Policy Management console. Mention that you have opened the 6425C GPO for editing by right-clicking the GPO and choosing Edit, which opens the Group Policy Management Editor. The management of GPOs is discussed in detail in Lesson 2.
GPO Scope

Scope: Definition of the objects (users or computers) to which a GPO applies.
GPO Links: A GPO can be linked to multiple sites, domains, or organizational units (OUs) (SDOU). The GPO link(s) define the maximum scope of the GPO.
Security Group Filtering: Apply or deny application of the GPO to members of a global security group. Filters the application of the GPO within its link scope.
WMI Filtering: Refine the scope of the GPO within the link based on a WMI query.
Preference Targeting

Mention that a GPO, and all of the settings that it contains, does not take effect until you have defined the scope of that GPO. The first step to scoping a GPO is linking it to a site, domain, or OU. Introduce students to the mnemonic SDOU. Point out that GPOs apply to users and computers, not to groups, despite the term "Group Policy." If you choose to demonstrate the slide, link the CONTOSO Standards GPO to the domain. Enforce the idea that the link or links define the maximum scope of the GPO.

Pose a question: What if we don't want the GPO settings to apply to all objects within the scope? Use the question to transition to the concept of security group filtering, emphasizing that such filtering creates a subset of objects within the broader scope of the GPO link.

Important Note: The reason this is important to mention, and will be reiterated throughout this module, is that many experienced students rely too heavily on GPO links to manage the scope of GPOs, which often leads them to less-than-ideal Active Directory organizational unit design, at the expense of efficiently applied and managed security (access control lists [ACLs]/delegation).

Continue with a very brief discussion of WMI filtering, keeping the discussion very high level. Use the example of a policy setting that you want to apply to only a certain operating system. Define WMI filtering as a way of querying the system and then determining whether to apply a GPO.

Wrap up with a mention of Preferences targeting. The goal is simply to introduce the term, and to prepare students for the idea that it is possible, now, to apply only part of a GPO to clients as long as that "part" is part of Preferences. It can't be emphasized enough: Keep it a "big picture" discussion! Scoping GPOs is discussed in Lesson 5.
Group Policy Client and Client-Side Extensions
How GPOs and their settings are applied:
The Group Policy Client retrieves an ordered list of GPOs.
GPOs are downloaded, and then cached.
Components called CSEs process the settings to apply the changes. There is one for each major category of policy settings: security, registry, script, software installation, mapped drive preferences, and so on.
Most CSEs apply settings only if the GPO as a whole has changed, which improves performance. The Security CSE applies changes every 16 hours.
GPO application is client driven ("pull").

The second half of application is how the policies are actually applied. Use this slide to introduce the concept that Group Policy is applied using client-side ("pull") processes. Introduce students to the idea that there are two major phases to application. First, the Group Policy Client asks Active Directory what GPOs to apply. Then, the GPOs are handed to the client-side extensions, which actually apply the settings. Present the fact that most CSEs apply settings only if the GPO has changed, in order to improve performance by not needlessly reapplying the same settings over and over. You don't need to go into much more detail than that, as Group Policy application is detailed in Lesson 5.

You may optionally choose to discuss the Always Wait For Network At Startup And Logon policy setting as you discuss Group Policy refresh and application. Information about this setting is presented in the student handbook. However, this setting is also presented later in this module in the lesson that details Group Policy application.
Group Policy Refresh

When GPOs and their settings are applied:
Computer Configuration: at startup
User Configuration: at logon
Both: every 90 to 120 minutes thereafter, and when triggered by the GPUpdate command

You have now presented the setting and scope elements of configuration management with Group Policy. Remind students of that fact to bring them back to the original three elements of configuration management. Then, continue with this slide, which is the first half of application. All you need to do is answer this basic question: When do these policies get applied? More detail about Group Policy refresh is provided in Lesson 5.
Review the Components of Group Policy
Setting
Scope
Application
Tools

Use this slide as necessary to ensure that students are on the same page and have a clear understanding of the fundamental components of Group Policy. This is the opportunity to check that the students can see the overview before you dive into the details in the following lessons.

Setting: A setting defines the change or configuration to be made. Settings can be enabled or disabled, but by default are Not Configured. The effect of enabling or disabling a setting can sometimes be complex to evaluate, so be sure to read the explanatory text and to test all settings before deploying them in production. Settings are "bundled" in a GPO.

Scope: Scope determines what user(s) or computer(s) will apply a setting. A GPO can be linked to a site, domain, or OU. Within the link scope, a GPO can be filtered with security groups or WMI filters. Within a GPO, Preferences can be targeted.

Application: Computer settings are applied at startup and every 90 to 120 minutes thereafter. User settings are applied at logon and every 90 to 120 minutes thereafter. At refresh time, the Group Policy client retrieves an ordered list of GPOs, and then CSEs apply the settings within those GPOs.

Tools: GPOs are managed with the Group Policy Management console. Policy settings within a GPO are configured using the GPME. GPUpdate allows you to manually trigger Group Policy refresh. RSoP tools allow you to evaluate and model the settings that were applied by Group Policy. Event logs allow you to audit Group Policy activities on a client.

References
Windows Server Group Policy
How Core Group Policy Works
Deploying Group Policy Using Windows Vista
Summary of New or Expanded Group Policy Settings
What's New in Group Policy in Windows Vista
Demonstration: Exploring Group Policy Settings
In this demonstration, you will explore some of the thousands of settings in a Group Policy object.

Demonstration Steps
1. Switch to NYC-DC1.
2. In the GPMC, right-click the CONTOSO Standards GPO, and then click Edit.
3. Spend time exploring the settings that are available in a GPO. Do not make any changes.
4. Review the division between Computer Configuration and User Configuration.
5. You might remind students of the timing with which computer and user settings are applied.
6. Give students a tour of policy categories and policy settings. Pick out a few settings that you feel are particularly valuable for many organizations. Highlight some settings that are new in Windows Server 2008. Point out that some settings apply to specific versions of the Windows operating system. In the Administrative Templates node, you do not need to go into detail about ADM and ADMX files, as they are discussed in the next module.

Throughout the tour, stay focused on the functionality provided by the settings, rather than technical issues related to how those settings are applied or managed. The goal of this topic is to expose new students to the quantity and diversity of settings that can be managed with Group Policy, and to inspire students to explore policy settings to identify the value that Group Policy can offer to their organizations.

Question: Which of the new features will you find most useful in your environment?
Answer: Answers will vary.
Lesson 2: Implement GPOs
Local GPOs
Domain-Based GPOs
Demonstration: Create, Link, and Edit GPOs
GPO Storage
Manage GPOs and Their Settings

In this lesson, you will teach students the fundamentals of actually implementing Group Policy. Stay focused on the fundamentals. The next module will take you one more step further.
Local GPOs

Apply before domain-based GPOs. Any setting specified by a domain-based GPO will override the setting specified by the local GPOs.

Local GPO:
One local GPO in Windows 2000 Server, Windows XP, and Windows Server 2003.
Multiple local GPOs in Windows Vista and later:
Local GPO: Computer settings and settings for all users
Administrators GPO: Settings for users in Administrators
Non-administrators GPO: Settings for users not in Administrators
Per-user GPO: Settings for a specific user

If domain members can be centrally managed using domain-linked GPOs, in which scenarios might local GPOs be used?

Discuss local GPOs. Start with the understanding that local GPOs contain settings that affect only the local machine, and that any settings specified by a domain GPO scoped to that computer will override conflicting settings in local GPOs. Therefore, local GPOs have limited usage scenarios. Mention to students that while, in the real world, local GPOs have limited usage, they do tend to appear on certification exams, so it is worth understanding local GPOs. However, this will be the only point in the course in which local GPOs are addressed, and after this only domain-based GPOs will be used.

Things to mention:
You cannot apply local Group Policy objects to groups (except Administrators versus non-administrators).
User settings exist in all local GPOs.
Computer settings exist only in the main local GPO.

After discussing the details of local GPOs, return to the original understanding that, in a domain environment, local GPOs have limited usage scenarios. Ask students to think about what scenarios those might be.

Question: If domain members can be centrally managed using domain-linked GPOs, in what scenarios might local GPOs be used?
Answer: Keep in mind that local GPOs are designed for non-domain environments. Configure them for your computer at home, for example, to manage the settings for your spouse or children. In a domain environment, settings in domain-based GPOs override conflicting settings in local GPOs, and it is a best practice to manage configuration by using domain-based GPOs. However, if you want to apply policies to local accounts, rather than domain accounts, the local GPOs can be used. Also, you might use local GPOs to configure baseline security settings in your deployment image: settings that will take effect while a new computer is still in a workgroup, prior to joining the domain.

References
Multiple Local Group Policy objects
Step-by-Step Guide to Managing Multiple Local Group Policy Objects
Domain-Based GPOs

Created in Active Directory, stored on domain controllers.

Two default GPOs:
Default Domain Policy: Defines account policies for the domain: password, account lockout, and Kerberos policies.
Default Domain Controllers Policy: Defines auditing policies for domain controllers and Active Directory.

Explain the purpose of the two default domain-based GPOs. Also, tell students that it is not recommended to change settings in these GPOs; instead, they should create new ones. Emphasize that the Default Domain Controllers Policy is used only on domain controllers.
Demonstration: Create, Link, and Edit GPOs
In this demonstration, you will see how to:
Create a GPO.
Open a GPO for editing.
Link a GPO.
Delegate the management of GPOs.
Delete the GPO.
Discuss the default connection to the PDC emulator.

Demonstration Steps

Create a GPO
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.
3. Run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
4. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
5. In the console tree, right-click the Group Policy Objects container, and then click New.
6. In Name, type CONTOSO Standards, and then click OK.

Open a GPO for editing
1. In the details pane of the Group Policy Management console (GPMC), right-click the CONTOSO Standards GPO, and then click Edit. The Group Policy Management Editor (GPME) appears.
2. Close the GPME.

Link a GPO
1. In the GPMC console tree, right-click the contoso.com domain, and then click Link an Existing GPO.
2. Select CONTOSO Standards and click OK.

Delegate the management of GPOs
1. In the GPMC console tree, click the contoso.com domain.
2. In the details pane, click the Delegation tab. Review the default delegation.
3. In the GPMC console tree, expand the Group Policy Objects container, and then click the CONTOSO Standards GPO.
4. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
5. In the console tree, click the Users container.
6. In the details pane, double-click the Group Policy Creator Owners group, and then click the Members tab. Review the default membership.

Delete a GPO
1. In the GPMC console tree, in the Group Policy Objects container, right-click the CONTOSO Standards GPO, and then click Delete.
2. Click No.

Discuss the default connection to the PDC Emulator
1. In the GPMC console tree, right-click the contoso.com domain, and then click Change Domain Controller.
2. Review the default settings.

Optionally, discuss a common approach for delegating to lower-level admins the ability to manage configuration in their site, division, etc. In this model, higher-level admins create a GPO and link it to the appropriate OU, and perform other configuration to ensure that the scope of the GPO is correct. Then, they delegate to the lower-level admins the ability to edit the settings of the GPO. Discuss the pros and cons of this and other models for delegating the management of Group Policy.

Finally, discuss the fact that the GPM consoles connect, by default, to a single domain controller: the PDC Emulator. Single master roles, including the PDC Emulator, are discussed in a later lesson, so do not go into detail about how to identify or configure master roles. Instead, focus on the reason why the tools were designed to focus on a single domain controller, and why it is perfectly acceptable in many situations to change the focus of the console to a domain controller local to you.
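The delegation model discussed above (a higher-level admin creates and links the GPO and hands only edit rights to a local team) maps directly onto the GroupPolicy module cmdlets. The following added example, which is not part of the course, scripts that model and targets the PDC Emulator by default for the reason given in the notes. The GPO name, OU and group are assumed values.

```powershell
# Added example, not part of Course 6425C. Assumed names: the contoso.com domain,
# an OU "Sales" and a group "Sales Admins" to which settings editing is delegated.
Import-Module GroupPolicy -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

function New-DelegatedGpo {
    # Higher-level admin creates the GPO, links it and delegates only GpoEdit:
    # the link (and therefore the scope) stays under central control, the settings
    # go to the local team.
    param(
        [string]$Name,
        [string]$LinkTarget,      # DN of the site, domain or OU to link to
        [string]$EditorGroup,     # group allowed to edit settings
        [string]$Server           # DC to target; defaults to the PDC Emulator, as GPMC does
    )
    if (-not $Server) { $Server = (Get-ADDomain).PDCEmulator }

    $gpo = Get-GPO -Name $Name -Server $Server -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Server $Server -Comment "Created by $env:USERNAME"
    }

    # The link defines the maximum scope of the GPO. New-GPLink fails if the link
    # already exists, which is harmless here.
    New-GPLink -Name $Name -Target $LinkTarget -LinkEnabled Yes -Server $Server `
               -ErrorAction SilentlyContinue | Out-Null

    # GpoEdit lets the group change settings but not the GPO's ACL or its links.
    Set-GPPermission -Name $Name -TargetName $EditorGroup -TargetType Group `
                     -PermissionLevel GpoEdit -Server $Server | Out-Null

    # Return the resulting ACL for review (what the Delegation tab in GPMC shows).
    Get-GPPermission -Name $Name -All -Server $Server |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# Usage:
#   New-DelegatedGpo -Name 'Sales Desktop Settings' `
#                    -LinkTarget 'OU=Sales,DC=contoso,DC=com' -EditorGroup 'Sales Admins'
```

Reviewing the returned permission list is the scripted equivalent of the Delegation tab step in the demonstration; Group Policy Creator Owners and Domain Admins appear there by default alongside the group you delegated.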
218
Module 6: Implementing a Group Policy Infrastructure
Course 6425C  GPO Storage  Module 6: Implementing a Group Policy Infrastructure

What we call a GPO is actually two things, stored in two places, with separate replication mechanisms:
- Group Policy Container (GPC): stored in AD DS; holds the friendly name, the globally unique identifier (GUID), and the version.
- Group Policy Template (GPT): stored in SYSVOL on domain controllers (DCs); contains all files required to define and apply settings; its .ini file contains the version.

Instructor notes: Describe the function and location of the Group Policy Container (GPC). Optionally, show a GPC using ADSI Edit. Optionally, show a Group Policy Template (GPT) in SYSVOL. Show students how to identify the GUID of a GPO in the GPM console. Also give them a tip: sort the GPOs in SYSVOL by date, so you can quickly identify the GPO that you have just been working with.
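An added example, not from the course, that makes the two halves of a GPO visible: it locates the GPC through Get-GPO, locates the GPT folder in SYSVOL by the same GUID, decodes the Version line of gpt.ini, and reports whether the two versions agree on the DC being queried. The domain and GPO name are the course's lab values; the function and parameter names are the example's own.

```powershell
# Added example: show where a GPO's GPC and GPT live and whether their versions agree.
Import-Module GroupPolicy

function ConvertFrom-GptVersion {
    # gpt.ini stores one DWORD: computer version in the low 16 bits, user version in the high 16 bits.
    param([Parameter(Mandatory)][uint32]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Get-GpoStorageInfo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Domain = 'contoso.com',   # course lab domain
        [string]$Server                    # pin both reads to one DC; otherwise Get-GPO uses the PDC
    )                                      # emulator and \\<domain>\SYSVOL resolves via DFS to any DC
    $gpoArgs = @{ Name = $Name; Domain = $Domain }
    if ($Server) { $gpoArgs.Server = $Server }
    $gpo = Get-GPO @gpoArgs

    # GPT folder: \\<dc or domain>\SYSVOL\<domain>\Policies\{GUID}; the GUID is the GPO's Unique ID.
    $sysvolHost = if ($Server) { $Server } else { $Domain }
    $guid       = '{' + $gpo.Id.ToString().ToUpper() + '}'
    $gptFolder  = "\\$sysvolHost\SYSVOL\$Domain\Policies\$guid"

    # Read the Version line of gpt.ini (Get-GPO's SysvolVersion fields come from the same number).
    $iniLine = (@(Get-Content -Path (Join-Path $gptFolder 'gpt.ini')) -match '^Version=') |
               Select-Object -First 1
    if (-not ($iniLine -match '^Version=(\d+)')) { throw "No Version line in $gptFolder\gpt.ini" }
    $gptVer = ConvertFrom-GptVersion -Version ([uint32]$Matches[1])

    [pscustomobject]@{
        GPO            = $gpo.DisplayName
        Guid           = $guid
        GpcPath        = $gpo.Path                           # DN under CN=Policies,CN=System in AD DS
        GptPath        = $gptFolder
        GptModified    = (Get-Item -Path $gptFolder).LastWriteTime   # sort SYSVOL by date to find recent edits
        ComputerDsVer  = $gpo.Computer.DSVersion
        ComputerGptVer = $gptVer.Computer
        UserDsVer      = $gpo.User.DSVersion
        UserGptVer     = $gptVer.User
        # A mismatch on a DC means AD replication and SYSVOL replication have not both caught up yet.
        InSync         = ($gpo.Computer.DSVersion -eq $gptVer.Computer) -and
                         ($gpo.User.DSVersion -eq $gptVer.User)
    }
}

Get-GpoStorageInfo -Name 'CONTOSO Standards' | Format-List
```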
219
Manage GPOs and Their Settings
Course 6425C  Manage GPOs and Their Settings  Module 6: Implementing a Group Policy Infrastructure

- Copy and Paste into a Group Policy Objects container: create a new "copy" GPO and modify it, or transfer a GPO to a trusted domain, such as test-to-production.
- Back Up: all settings, objects, links, permissions (access control lists [ACLs]).
- Restore: into the same domain as the backup.
- Import Settings: into a new GPO in the same or any domain. A migration table provides source-to-destination mapping of UNC paths and security group names. Import replaces all settings in the GPO; it is not a "merge".
- Save Report
- Delete
- Rename

Discussion Questions
What options might you use to transfer into production a GPO that was used in a test environment? What variables constrained which option you chose?
Answers should include copy-and-paste, backing up settings and importing them into a new GPO, and simply manually re-creating a GPO. The most important variable is whether the test environment is in a trusted domain (in which case you can use copy-and-paste) or in a separate environment (in which case you must use the Import Settings command).

References
GPO Operations: Backing up, Restoring, Migrating, and Copying GPOs:
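The operations on the slide as GroupPolicy cmdlets, an added example that is not from the course. The backup folder, the migration table file name, the test domain name, and the target GPO names are assumed; the source GPO and production domain are the course's.

```powershell
# Added example: back up, restore, import (with a migration table), copy, report, rename, delete.
Import-Module GroupPolicy

$backupRoot = 'C:\GPOBackups'            # assumed folder the admin account can write to
$source     = 'CONTOSO Standards'
$prodDomain = 'contoso.com'
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# 1. Back up: writes the settings and the GPO's ACL (and a report) into a GUID-named subfolder.
$backup = Backup-GPO -Name $source -Domain $prodDomain -Path $backupRoot -Comment 'Before change 2024-xx'
"Backup $($backup.Id) of '$($backup.DisplayName)' at $($backup.BackupDirectory)"

# 2. Restore: same domain only; puts settings and ACL back into the ORIGINAL GPO (same GUID).
# Restore-GPO -Name $source -Path $backupRoot

# 3. Import settings: into a new or existing GPO in the same or any other domain, including an
#    untrusted test forest. This REPLACES every setting in the target; nothing is merged.
#    The migration table (built in the GPMC Migration Table Editor) remaps UNC paths and
#    group names that only exist in the source environment.
$migTable = Join-Path $backupRoot 'test-to-prod.migtable'   # assumed file name
Import-GPO -BackupGpoName $source -Path $backupRoot `
           -TargetName 'CONTOSO Standards (imported)' -CreateIfNeeded `
           -MigrationTable $migTable | Out-Null

# 4. Copy and paste between TRUSTED domains: creates a new GPO in the target domain directly.
#    -CopyAcl keeps the source permissions; a migration table can be supplied here as well.
Copy-GPO -SourceName $source -SourceDomain 'test.contoso.com' `
         -TargetName $source -TargetDomain $prodDomain -CopyAcl | Out-Null

# 5. Save a report, then rename. Keep the report with the change record: a rename is not a
#    settings change, but the GPO's name is how most people identify it.
Get-GPOReport -Name $source -ReportType Html -Path (Join-Path $backupRoot "$source.html")
Rename-GPO -Name $source -TargetName 'CONTOSO Standards v2' | Out-Null

# 6. Delete: also removes the GPO's links in this domain (use -KeepLinks to leave them).
# Remove-GPO -Name 'CONTOSO Standards (imported)'
```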
220
Lab A: Implement Group Policy
Course 6425C  Lab A: Implement Group Policy  Module 6: Implementing a Group Policy Infrastructure

Exercise 1: Create, Edit, and Link Group Policy Objects
Exercise 2: Use Filtering and Commenting

Scenario: You are responsible for managing change and configuration at Contoso, Ltd. Contoso corporate IT security policies specify that computers cannot be left unattended and logged on to for more than 10 minutes. You will therefore configure the screen-saver timeout and password-protected screen-saver policy settings. Additionally, you will lock down access to registry editing tools.

Exercise 1: Create, Edit, and Link Group Policy Objects. In this exercise, students will create a GPO that implements a setting mandated by the corporate security policy of Contoso, Ltd. and scope the setting to all users and computers in the domain. They will then experience the effect of the GPO. Any remaining time can be used for exploring settings that are made available within a Group Policy object.

Exercise 2: Use Filtering and Commenting. In this exercise, students will use the new commenting and filtering features of Group Policy to locate and document policy settings.

Note: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in subsequent labs.

Logon information
Virtual machines: 6425C-NYC-DC1, 6425C-NYC-CL1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 30 minutes
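An added example, not the lab's own steps, that implements the lab's three settings in the CONTOSO Standards GPO with Set-GPRegistryValue. The registry keys are the policy locations behind the Administrative Template settings named in the comments; the GPO name is the course's.

```powershell
# Added example: the Lab A settings written directly as policy registry values.
Import-Module GroupPolicy
$gpo = 'CONTOSO Standards'

# User Configuration\Policies\Administrative Templates\Control Panel\Personalization.
# The policy values live under the HKCU policies key; timeout is a string holding seconds.
$ssKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$screenSaver = @{
    ScreenSaveActive    = '1'    # Enable screen saver
    ScreenSaveTimeOut   = '600'  # Screen saver timeout: 10 minutes, per the corporate policy
    ScreenSaverIsSecure = '1'    # Password protect the screen saver
}
foreach ($name in $screenSaver.Keys) {
    Set-GPRegistryValue -Name $gpo -Key $ssKey -ValueName $name `
                        -Type String -Value $screenSaver[$name] | Out-Null
}

# User Configuration\Policies\Administrative Templates\System:
# "Prevent access to registry editing tools" = Enabled.
$sysKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpo -Key $sysKey -ValueName 'DisableRegistryTools' `
                    -Type DWord -Value 1 | Out-Null

function Get-LabAPolicyValues {
    # Reads back what the GPO now carries, which is what the GPME would show under those paths.
    param([string]$GpoName)
    $desktop = Get-GPRegistryValue -Name $GpoName -Key $ssKey
    $system  = Get-GPRegistryValue -Name $GpoName -Key $sysKey -ValueName 'DisableRegistryTools'
    [pscustomobject]@{
        TimeoutSeconds       = ($desktop | Where-Object ValueName -eq 'ScreenSaveTimeOut').Value
        PasswordProtected    = ($desktop | Where-Object ValueName -eq 'ScreenSaverIsSecure').Value -eq '1'
        RegistryToolsBlocked = $system.Value -eq 1
    }
}
Get-LabAPolicyValues -GpoName $gpo

# On NYC-CL1, logged on as Pat.Coleman:  gpupdate /force  then  gpresult /r  shows the GPO applied.
```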
221
Module 6: Implementing a Group Policy Infrastructure
Course 6425C Lab Scenario Module 6: Implementing a Group Policy Infrastructure You are responsible for managing change and configuration at Contoso, Ltd. Contoso corporate IT security policies specify that computers cannot be left unattended and logged on to for more than 10 minutes. You will therefore configure the screen-saver timeout and password-protected screen-saver policy settings. Additionally, you will lock down access to registry editing tools. -blank-
222
Module 6: Implementing a Group Policy Infrastructure
Course 6425C Lab Review Module 6: Implementing a Group Policy Infrastructure Which policy settings are already being deployed by using Group Policy in your organization? Which policy settings did you discover that you might want to implement in your organization? Use the questions on the slide to guide the debriefing after students have completed the lab exercises. Question: Which policy settings are already being deployed using Group Policy in your organization? Answer: Answers will vary. Question: Which policy settings did you discover that you might want to implement in your organization?
223
Lesson 3: Manage Group Policy Scope
Course 6425C Lesson 3: Manage Group Policy Scope Module 6: Implementing a Group Policy Infrastructure GPO Links Group Policy Processing Order GPO Inheritance and Precedence Use Security Filtering to Modify GPO Scope WMI Filters Enable or Disable GPOs and GPO Nodes Target Preferences Loopback Policy Processing -blank-
224
Module 6: Implementing a Group Policy Infrastructure
Course 6425C  GPO Links  Module 6: Implementing a Group Policy Infrastructure

GPO link
- Causes policy settings in the GPO to apply to users or computers within that container
- Links a GPO to a site, domain, or OU (SDOU); sites must be enabled in the GPM console
- A GPO can be linked to multiple sites or OUs
- A link can exist but be disabled
- A link can be deleted, but the GPO remains

Instructor notes: The key point of this topic is to explain what you can do with a GPO link. It is very important to emphasize that a GPO link actually connects Group Policy settings to a container in Active Directory. Also, you should explain the states a link can be in, and what the differences between these states are.
225
Group Policy Processing Order
Course 6425C  Group Policy Processing Order  Module 6: Implementing a Group Policy Infrastructure

[Figure: the generic Group Policy application order, Local, Site, Domain, OU (with nested OUs), illustrated with GPO1 through GPO5]

Instructor notes: This slide illustrates the generic Group Policy application order. You can use it to enforce the L-S-D-OU acronym. Then proceed to the next slide, which illustrates a more complex example.
226
GPO Inheritance and Precedence
Course 6425C  GPO Inheritance and Precedence  Module 6: Implementing a Group Policy Infrastructure

- The application of GPOs linked to each container results in a cumulative effect called inheritance
- Default precedence: Local, Site, Domain, OU, OU... (LSDOU); seen on the Group Policy Inheritance tab
- Link order (attribute of the GPO link): a lower number is higher on the list and takes precedence
- Block Inheritance (attribute of the OU): blocks the processing of GPOs from above
- Enforced (attribute of the GPO link): enforced GPOs "blast through" Block Inheritance, and enforced GPO settings win over conflicting settings in lower GPOs

Instructor notes: As you discuss Group Policy inheritance and precedence, ensure that students understand that what is called "inheritance" is really just the effect of repeated, layered application of settings in GPOs in a specific order. You can approach this important discussion of GPO inheritance and precedence in one of three ways: Talk to the points on this slide only. Talk to the first bullet on this slide, then use the visuals on the following three slides to discuss link order, blocked inheritance, and enforced links. Create a demonstration in the composer.com domain and, after setting up the first bullet on the slide, demonstrate the remainder in the sample domain, returning to the Group Policy Inheritance tab to show resultant precedence and processing.
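The rules from the last three slides (LSDOU order, link order, Block Inheritance, Enforced, disabled links) as a stand-alone simulation, an added example that is not course material. It needs no domain: the container chain and GPO names are constructed for the example, and the function and property names are the example's own. It goes beyond the slide's single picture in that it handles any chain of containers and any mix of links.

```powershell
# Added example: compute the order in which the Group Policy Client applies GPOs for a user or
# computer that sits under the given chain of containers, and the resulting precedence.
function New-GpLink {
    param([string]$Gpo, [int]$Order = 1, [switch]$Enforced, [switch]$Disabled)
    [pscustomobject]@{ Gpo = $Gpo; Order = $Order; Enforced = [bool]$Enforced; Disabled = [bool]$Disabled }
}

function Get-GpoApplicationOrder {
    # $Chain is ordered Local, Site, Domain, OU, child OU, ... Element 0 represents the local GPO,
    # which is not a link and is treated here as unaffected by Block Inheritance.
    # Returns GPOs in application order: first applied first; the last one applied wins a conflict.
    param([Parameter(Mandatory)][object[]]$Chain)

    # Only the deepest container with Block Inheritance matters: non-enforced links ABOVE it are
    # dropped, while its own links and those of containers below it still apply.
    $blockAt = -1
    for ($i = 0; $i -lt $Chain.Count; $i++) { if ($Chain[$i].BlockInheritance) { $blockAt = $i } }

    $applied = [System.Collections.Generic.List[string]]::new()

    # Pass 1: ordinary (non-enforced) links, container by container in LSDOU order. Within one
    # container the highest link-order number is processed first, so link order 1 is applied last.
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        $c = $Chain[$i]
        if ($i -gt 0 -and $i -lt $blockAt) { continue }     # blocked by a lower OU
        $links = @($c.Links | Where-Object { -not $_.Disabled -and -not $_.Enforced } |
                  Sort-Object Order -Descending)
        foreach ($l in $links) { $applied.Add("$($l.Gpo) [$($c.Name)]") }
    }

    # Pass 2: Enforced links ignore Block Inheritance and are applied after all the others. Among
    # enforced links, the one linked HIGHER in the hierarchy wins, so walk from the deepest
    # container upward so that the highest container's enforced GPO is applied last.
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        $c = $Chain[$i]
        $links = @($c.Links | Where-Object { -not $_.Disabled -and $_.Enforced } |
                  Sort-Object Order -Descending)
        foreach ($l in $links) { $applied.Add("$($l.Gpo) [$($c.Name)] (Enforced)") }
    }
    return ,$applied.ToArray()
}

# Constructed sample: an enforced domain link, an OU that blocks inheritance, and a disabled link.
$chain = @(
    [pscustomobject]@{ Name = 'Local';      BlockInheritance = $false; Links = @((New-GpLink -Gpo 'Local GPO')) }
    [pscustomobject]@{ Name = 'Site NYC';   BlockInheritance = $false; Links = @((New-GpLink -Gpo 'GPO2')) }
    [pscustomobject]@{ Name = 'Domain';     BlockInheritance = $false; Links = @((New-GpLink -Gpo 'GPO3' -Order 1 -Enforced), (New-GpLink -Gpo 'GPO4' -Order 2)) }
    [pscustomobject]@{ Name = 'OU Eng';     BlockInheritance = $true;  Links = @((New-GpLink -Gpo 'GPO5' -Order 2), (New-GpLink -Gpo 'GPO6' -Order 1)) }
    [pscustomobject]@{ Name = 'OU Eng\Lab'; BlockInheritance = $false; Links = @((New-GpLink -Gpo 'GPO7' -Disabled)) }
)

$order = Get-GpoApplicationOrder -Chain $chain
'Application order (first applied -> last applied):'
$order | ForEach-Object { "  $_" }
'Precedence as listed on the Group Policy Inheritance tab (1 = highest):'
for ($k = $order.Count - 1; $k -ge 0; $k--) { "  $($order.Count - $k). $($order[$k])" }
# Expected for the sample: Local GPO, GPO5, GPO6, GPO3 (Enforced); GPO2 and GPO4 are blocked, GPO7 is disabled.
```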
227
Use Security Filtering to Modify GPO Scope
Course 6425C  Use Security Filtering to Modify GPO Scope  Module 6: Implementing a Group Policy Infrastructure

Apply Group Policy permission
- A GPO has an ACL (Delegation tab > Advanced)
- Default: Authenticated Users have Allow Apply Group Policy

Scope only to users in selected global groups
- Remove Authenticated Users
- Add the appropriate global groups; they must be global groups (GPOs don't scope to domain local groups)

Scope to users except for those in selected groups
- On the Delegation tab, click Advanced
- Deny the Apply Group Policy permission; a Deny does not appear on the Delegation tab or in the filtering section

Instructor notes: Many organizations struggle with how to maintain governance over Group Policy, and specifically how to effectively test a GPO before rolling it into production. Talk through a simple but completely effective best practice: Use security group filtering to manage the scope of a Group Policy object during testing. Instead of creating a sub-OU to manage the scope of a GPO for testing, link the GPO to the location it belongs in production. But instead of allowing the GPO to apply to Authenticated Users, or to the production security group, configure a security group specifically designed to limit the scope of the GPO to appropriate users and computers. The benefit of this practice is that it gives a much more realistic picture of how the GPO will perform in production, because you are not artificially limiting its scope or precedence by linking it to a separate "test" OU. In other words, you get a better picture of how the GPO interacts with other GPOs that are already in production. And yet, you still maintain full control over the specific users and computers that are within the scope of the test.

Advanced Tip: If you remove Authenticated Users and scope a GPO to a specific group, support personnel will not be able to read the policy in order to perform Group Policy management tasks. Be sure to assign appropriate support personnel Read permission to the GPO.
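The pilot-group practice from the notes, including the Advanced Tip, as an added example that is not course material. The GPO is the course's; the pilot and help-desk group names are assumed. The Domain Computers step is a later-era addition (the MS16-072 update of June 2016) that the course predates.

```powershell
# Added example: scope a production-linked GPO to a pilot group with security filtering, and
# keep Read for the accounts that must still see the GPO.
Import-Module GroupPolicy
$gpo = 'CONTOSO Standards'

function Show-GpoFilter {
    # Lists every ACE on the GPO the way the Delegation tab does (Denied shows Deny entries).
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
}

'Before:'; Show-GpoFilter -Name $gpo     # default: Authenticated Users = GpoApply (Apply + Read)

# 1. Stop the GPO from applying to everyone: remove Authenticated Users from the ACL entirely.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None | Out-Null

# 2. Scope it to the pilot group. Use a GLOBAL group; GPOs do not filter on domain local groups.
#    GpoApply grants both Apply Group Policy and Read.
Set-GPPermission -Name $gpo -TargetName 'GPO_Standards_Pilot' -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 3. Advanced Tip: whoever runs RSoP reports or manages the GPO still needs Read, which step 1
#    took away along with Apply.
Set-GPPermission -Name $gpo -TargetName 'Help Desk' -TargetType Group `
                 -PermissionLevel GpoRead | Out-Null

# 4. Since MS16-072 (June 2016) clients retrieve user-side GPOs in the computer's security
#    context, so computer accounts need Read too or the GPO silently stops applying to users.
Set-GPPermission -Name $gpo -TargetName 'Domain Computers' -TargetType Group `
                 -PermissionLevel GpoRead | Out-Null

'After:'; Show-GpoFilter -Name $gpo

# The exclusion model (Deny Apply Group Policy for an exemption group) is not something
# Set-GPPermission can express; set it on the Delegation tab > Advanced, and remember that the
# Deny entry does not show in the Security Filtering section of GPMC.
```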
228
Module 6: Implementing a Group Policy Infrastructure
Course 6425C  WMI Filters  Module 6: Implementing a Group Policy Infrastructure

Create a WMI filter
- Written in WQL, which is similar to T-SQL, for example:
  Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"
- Use the filter for one or more GPOs

Instructor notes: You should be familiar with the basic functionality of WMI queries as discussed in this section. Be certain to remember that Windows 2000 systems will apply settings in GPOs with WMI filters, because Windows 2000 ignores WMI filters during policy processing. Also remember that WMI filters can query based on services and processes on a system, not just hardware.

References: For more information on WMI and for examples of WMI filters, go to:
WMI filtering using GPMC:
Windows Management Instrumentation (WMI) software development kit (SDK):
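An added example, not from the course, for trying a filter's WQL on a computer before attaching it to a GPO. A WMI filter can hold several queries and the GPO applies only when every query returns at least one object; the function reproduces that rule. The Windows 7 and Spooler queries are constructed for the example; the function name is the example's own.

```powershell
# Added example: evaluate WMI filter queries locally (or against a remote computer over WinRM)
# and report whether a GPO carrying that filter would apply there.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string[]]$Query,   # all queries in one filter are ANDed
        [string]$Namespace = 'root\CIMv2',        # the namespace the GPMC filter editor defaults to
        [string]$ComputerName                     # omit for the local computer
    )
    $cim = @{ Namespace = $Namespace; ErrorAction = 'Stop' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    $perQuery = foreach ($q in $Query) {
        $hits = @(Get-CimInstance @cim -Query $q)
        [pscustomobject]@{ Query = $q; Instances = $hits.Count; Passed = ($hits.Count -gt 0) }
    }
    [pscustomobject]@{
        Target     = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        WouldApply = -not ($perQuery | Where-Object { -not $_.Passed })   # every query must pass
        Detail     = $perQuery
    }
}

# The slide's query, and its equivalent for a Windows 7 workstation
# (Version 6.1.x; ProductType 1 = workstation, 2 = domain controller, 3 = server).
$xpSp3 = 'SELECT * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"'
$win7  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 1'
# Filters are not limited to hardware or OS facts: a service's state works as well.
$spooler = 'SELECT * FROM Win32_Service WHERE Name = "Spooler" AND State = "Running"'

Test-GpoWmiFilter -Query $win7, $spooler | Select-Object Target, WouldApply
(Test-GpoWmiFilter -Query $xpSp3).Detail        # 0 instances on anything newer than XP SP3

# Remember the slide's caveat: a Windows 2000 client ignores the filter and applies the GPO anyway.
```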
229
Enable or Disable GPOs and GPO Nodes
Course 6425C  Enable or Disable GPOs and GPO Nodes  Module 6: Implementing a Group Policy Infrastructure

GPO Details tab, GPO Status drop-down list:
- Enabled: both Computer Configuration and User Configuration settings will be applied by CSEs
- All settings disabled: CSEs will not process the GPO
- Computer Configuration settings disabled: CSEs will not process settings in Computer Configuration
- User Configuration settings disabled: CSEs will not process settings in User Configuration

Instructor notes: In addition to explaining the settings in the GPO Status drop-down list, mention the performance benefits gained by specifically disabling nodes of GPOs that have no settings anyway. Ask students to consider what scenarios might lend themselves to disabling a GPO that has settings. Answers might include GPOs that configure strict lockdown in the case of a security incident or that configure disaster recovery settings; in other words, those that are disabled until needed.
230
Module 6: Implementing a Group Policy Infrastructure
Course 6425C  Target Preferences  Module 6: Implementing a Group Policy Infrastructure

Targeting within a GPO
- Scope = scope of the GPO intersected with the scope of the targeting
- Only possible with preferences
- Multiple options
- Test the effect
- Test the performance impact

Instructor notes: Ideally, you should demonstrate the technique of preferences targeting, because preferences themselves are probably new to many students. Additionally, preferences provide several options for targeting settings within a GPO. We recommend that you use a preference that is understandable. For example, create a Drive Maps preference to a departmental shared drive. Such a scenario will allow students to focus not on the effect of the preference itself, but on the targeting. You can suggest filtering this drive mapping based on a security group, and then suggest that the same GPO could map the same drive letter to different departmental shared drives based on a user's membership in a departmental group. Alternatively, the preference could use a Lightweight Directory Access Protocol (LDAP) query against user attributes such as Department or Division. The scope of a targeted preference is the intersection of the scope of the GPO and the scope of the targeting. A user (or computer) must be within both scopes in order to apply the preference setting.
231
Loopback Policy Processing
Course 6425C  Loopback Policy Processing  Module 6: Implementing a Group Policy Infrastructure

- At user logon, user settings from GPOs scoped to the computer object are applied
- Creates a consistent user experience on a computer: conference rooms, kiosks, computer labs, VDI, RDS, and so on
- Setting: Computer Configuration\Policies\Administrative Templates\System\Group Policy, User Group Policy loopback processing mode
  - Replace mode: the user gets none of the User settings that are scoped to the user and gets only the User settings that are scoped to the computer
  - Merge mode: the user gets the User settings scoped to the user, but those settings are overlaid with User settings scoped to the computer. The computer settings prevail.

Instructor notes: Talk about scoping GPOs to appropriate systems.
232
Lab B: Manage Group Policy Scope
Course 6425C  Lab B: Manage Group Policy Scope  Module 6: Implementing a Group Policy Infrastructure

Exercise 1: Configure GPO Scope with Links
Exercise 2: Configure GPO Scope with Filtering
Exercise 3: Configure Loopback Processing

Scenario: You are an administrator of the contoso.com domain. The Contoso Standards GPO, linked to the domain, configures a policy setting that requires a ten-minute screen saver timeout. An engineer reports that a critical application that performs lengthy calculations crashes when the screen saver starts, and the engineer has asked you to prevent the setting from applying to the team of engineers that uses the application every day. You have also been asked to configure conference room computers to use a 45-minute timeout so that the screen saver does not launch during a meeting.

Exercise 1: In this exercise, students will modify the scope of GPOs using GPO links, and they will explore inheritance, precedence, and the effects of Enforced links and Block Inheritance.
Exercise 2: In this exercise, students will modify the scope of GPOs using filtering.
Exercise 3: In this exercise, students will configure loopback GPO processing.

Note: Do not shut down the virtual machines after you finish this lab, as the settings you have configured here will be used in subsequent labs.

Logon information
Virtual machines: 6425C-NYC-DC1, 6425C-NYC-CL1
Logon user name: Pat.Coleman on 6425C-NYC-DC1; do not log on to 6425C-NYC-CL1
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 30 minutes
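The conference-room part of the Lab B scenario done with the loopback setting from the previous topic, as an added example that is not the lab's own solution. The GPO name and OU are assumed; the domain and the ten-minute domain-level setting are the course's. The engineers' exemption belongs to security filtering (a Deny on Apply Group Policy, set on the Delegation tab > Advanced) and is not covered here.

```powershell
# Added example: a computer-scoped GPO with loopback so that meeting-room PCs get a 45-minute
# screen saver timeout no matter who logs on.
Import-Module GroupPolicy
$gpoName = 'Conference Room Computers'                    # assumed
$ou      = 'OU=Conference Rooms,DC=contoso,DC=com'        # assumed
$mode    = 1    # UserPolicyMode: 1 = Merge, 2 = Replace

New-GPO -Name $gpoName -Comment 'Loopback (merge): 45-minute screen saver on shared meeting-room PCs' | Out-Null
New-GPLink -Name $gpoName -Target $ou | Out-Null

# Loopback is a COMPUTER setting: Computer Configuration\Policies\Administrative Templates\
# System\Group Policy, "User Group Policy loopback processing mode". Because it is a computer
# setting, the GPO must be scoped to the computer objects, hence the link to the computers' OU.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                    -ValueName 'UserPolicyMode' -Type DWord -Value $mode | Out-Null

# The USER settings in this same GPO are what loopback delivers to whoever logs on here.
# 45 minutes = 2700 seconds. CONTOSO Standards (linked at the domain) sets 600 and is also
# scoped to these computers, but this OU-linked GPO is applied after it and therefore wins.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
                    -ValueName 'ScreenSaveTimeOut' -Type String -Value '2700' | Out-Null

# Mode choice for this scenario:
#   Merge (1): the user's own GPO list applies first, then the computer-scoped list on top, so
#              only the timeout changes and every other user setting the person normally gets survives.
#   Replace (2): the user's own list is discarded; only user settings from GPOs scoped to the
#              computer apply. Right for kiosks and labs, more than this scenario asks for.

function Get-LoopbackConfig {
    # Reports the loopback mode and the user-side timeout the GPO carries, plus the OU's links.
    param([string]$Name, [string]$OuDn)
    $modeValue = Get-GPRegistryValue -Name $Name -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
    $timeout   = Get-GPRegistryValue -Name $Name -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ValueName 'ScreenSaveTimeOut'
    [pscustomobject]@{
        LoopbackMode   = @{ 1 = 'Merge'; 2 = 'Replace' }[[int]$modeValue.Value]
        TimeoutMinutes = [int]$timeout.Value / 60
        OuLinks        = (Get-GPInheritance -Target $OuDn).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
    }
}
Get-LoopbackConfig -Name $gpoName -OuDn $ou | Format-List
```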
233
Module 6: Implementing a Group Policy Infrastructure
Course 6425C  Lab Scenario  Module 6: Implementing a Group Policy Infrastructure

You are an administrator of the contoso.com domain. The Contoso Standards GPO, linked to the domain, configures a policy setting that requires a ten-minute screen saver timeout. An engineer reports that a critical application that performs lengthy calculations crashes when the screen saver starts, and the engineer has asked you to prevent the setting from applying to the team of engineers that uses the application every day. You have also been asked to configure conference room computers to use a 45-minute timeout so that the screen saver does not launch during a meeting.
234
Module 6: Implementing a Group Policy Infrastructure
Course 6425C  Lab Review  Module 6: Implementing a Group Policy Infrastructure

Many organizations rely heavily on security group filtering to scope GPOs, rather than linking GPOs to specific OUs. In these organizations, GPOs are typically linked very high in the Active Directory logical structure: to the domain itself or to a first-level OU. What advantages are gained by using security group filtering rather than GPO links to manage the scope of the GPO? Why might it be useful to create an exemption group—a group that is denied the Apply Group Policy permission—for every GPO that you create? Do you use loopback policy processing in your organization? In what scenarios and for what policy settings can loopback policy processing add value?

Instructor notes: Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: Many organizations rely heavily on security group filtering to scope GPOs, rather than linking GPOs to specific OUs. In these organizations, GPOs are typically linked very high in the Active Directory logical structure: to the domain itself or to a first-level OU. What advantages are gained by using security group filtering rather than GPO links to manage the scope of the GPO?
Answer: The fundamental problem of relying on OUs to scope the application of GPOs is that an OU is a fixed, inflexible structure within Active Directory, and that a single user or computer can only exist within one OU. As organizations get larger and more complex, configuration requirements are difficult to match in a one-to-one relationship with any container structure. With security groups, a user or computer can exist in as many groups as necessary, and can be added and removed easily without impacting the security or management of the user or computer account.

Question: Why might it be useful to create an exemption group—a group that is denied the Apply Group Policy permission—for every GPO that you create?
Answer: There are very few scenarios in which you can be guaranteed that all of the settings in a GPO will always need to apply to all users and computers within its scope. By having an exemption group, you will always be able to respond to situations in which a user or computer must be excluded. This can also help in troubleshooting compatibility and functionality problems. Sometimes, specific GPO settings can interfere with the functionality of an application. In order to test whether the application works on a "pure" installation of Windows, you might need to exclude the user or computer from the scope of GPOs, at least temporarily for testing. Question: Do you use loopback policy processing in your organization? In what scenarios and for what policy settings can loopback policy processing add value? Answer: Answers will vary. Scenarios including conference rooms, kiosks, virtual desktop infrastructures, and other "standard" environments should certainly be mentioned.
235
Lesson 4: Group Policy Processing
Course 6425C Lesson 4: Group Policy Processing Module 6: Implementing a Group Policy Infrastructure Detailed Review of Group Policy Processing Slow Links and Disconnected Systems Identify When Settings Take Effect -blank-
236
Detailed Review of Group Policy Processing
Course 6425C  Detailed Review of Group Policy Processing  Module 6: Implementing a Group Policy Infrastructure

1. Computer starts; RPCSS and MUP are started
2. Group Policy Client starts and obtains an ordered list of GPOs that are scoped to the computer: Local, Site, Domain, OU, Enforced GPOs
3. The Group Policy Client processes each GPO in order
   - Should it be applied? (enabled/disabled/permission/WMI filter)
   - CSEs are triggered to process settings in the GPO
   - Settings configured as Enabled or Disabled are processed
4. User logs on; the process repeats for user settings
5. Every minutes after startup, computer refresh; every minutes after logon, user refresh

Instructor notes: Use this slide to reinforce the fundamentals of Group Policy processing, and to ensure that all students are on the same page.
237
Slow Links and Disconnected Systems
Course 6425C  Slow Links and Disconnected Systems  Module 6: Implementing a Group Policy Infrastructure

- The Group Policy Client determines whether the link to the domain should be considered a slow link; by default, less than 500 kilobits per second (kbps)
- Each CSE can use the slow-link determination to decide whether it should process; the Software CSE, for example, does not process over a slow link
- Disconnected: settings previously applied will continue to take effect; exceptions include startup, logon, logoff, and shutdown scripts
- Connected: Windows Vista and newer operating systems detect the new connection and perform a Group Policy refresh if the refresh window was missed while the system was disconnected

Instructor notes: Discuss the issues associated with slow links and disconnected systems. Make sure that students understand that, when a computer is disconnected, the settings that were previously applied will continue to take effect. There are several exceptions to this rule, most notably that startup, logon, logoff, and shutdown scripts do not run when the system is disconnected.

Reference: How Core Group Policy Works:
238
Identify When Settings Take Effect
Course 6425C  Identify When Settings Take Effect  Module 6: Implementing a Group Policy Infrastructure

- GPO replication must happen: the GPC and GPT must replicate
- Group changes must be incorporated: logoff/logon for the user; restart for the computer
- Group Policy refresh must occur
- Windows XP, Windows Vista, and Windows 7 clients
  - Always wait for network at startup and logon
  - The user must log off or log on, or the computer must restart, for the settings to take effect
- Manually refresh: GPUpdate [/force] [/logoff] [/boot]
- Most CSEs do not reapply settings if the GPO has not changed; configure in Computer\Admin Templates\System\Group Policy

Instructor notes: Use this slide to wrap up all of the detail regarding when Windows settings actually take effect. This should answer the question, "When I change a policy setting, when will that setting actually be applied to a user or computer?" The student handbook contains a lot of good information that will allow you to step through the slide and to answer questions from students. Replication technologies, including the Directory Replication Agent, FRS, and DFS-R, are discussed in a later module. Don't go into detail about the replication technologies themselves, but rather point out that both the GPC and GPT must replicate to the domain controller from which a client is obtaining its policies, and that the GPC and GPT use different replication technologies that are not always in sync.

Other points to make: It is highly recommended that organizations implement the Always Wait For Network At Startup And Logon policy setting. Without that, a change to a policy setting may take several logoff/logon or restart cycles before it takes effect, and there's no good way to predict the exact timing. In order to truly manage the application of new policy settings, enable Always Wait For Network At Startup And Logon. Make sure that students understand that this does not significantly slow down either the startup or logon process. It's not as if users will complain that it is noticeably slower. Also make sure that students understand that when a system is not connected to the network, it ignores this setting, so this setting is not a problem for disconnected laptop users.

Most policy settings, particularly managed policy settings, cannot be changed by the user. However, if users are administrators of their machines, it is possible for them to change some settings. Those changes will never be reverted to match the settings specified by the GPOs, because most CSEs will only reapply policy settings when a GPO has changed. The exceptions to this rule are security settings, which are reapplied every 16 hours whether or not the GPO has changed. If an enterprise is concerned about enforcing its policy settings, and if it is possible for users to change those settings, then you should configure the CSEs to reapply policy settings even if the GPO has not changed. The policy processing behavior of each CSE can be configured with Group Policy in the path shown at the bottom of the slide.
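The two recommendations in the notes (Always Wait For Network At Startup And Logon, and making the registry CSE reapply settings even when the GPO has not changed) as policy registry values, plus the client-side checks, as an added example that is not course material. The registry locations are those behind the named Administrative Template settings; the GPO name is the course's, and the check function is the example's own.

```powershell
# Added example: configure "always wait for network" and "process even if GPOs have not changed",
# then verify on a client that the values and the GPO versions have arrived.
Import-Module GroupPolicy
$gpo = 'CONTOSO Standards'    # both are computer settings: link the GPO where the computers are

# Computer Configuration\Policies\Administrative Templates\System\Logon:
# "Always wait for the network at computer startup and logon" = Enabled  ->  SyncForegroundPolicy = 1
Set-GPRegistryValue -Name $gpo -Key 'HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                    -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1 | Out-Null

# Computer Configuration\Policies\Administrative Templates\System\Group Policy:
# "Configure registry policy processing" = Enabled with "Process even if the Group Policy objects
# have not changed" checked -> NoGPOListChanges = 0 under the registry CSE's GUID. NoBackgroundPolicy = 0
# leaves periodic background refresh on. Each CSE has its own GUID key next to this one.
$registryCse = 'HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
Set-GPRegistryValue -Name $gpo -Key $registryCse -ValueName 'NoGPOListChanges'   -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpo -Key $registryCse -ValueName 'NoBackgroundPolicy' -Type DWord -Value 0 | Out-Null

# On the client (RSAT GroupPolicy module installed), once replication reached its logon DC:
#   gpupdate /target:computer /force     (add /boot or /logoff for settings that need a restart or logon)
function Test-ClientPolicyState {
    # Reads the policy hive on this computer and compares GPC and GPT versions on the DC it logged on to.
    param([string]$GpoName)
    $wl  = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    $cse = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' -ErrorAction SilentlyContinue
    $dc  = $env:LOGONSERVER.TrimStart('\')
    $g   = Get-GPO -Name $GpoName -Server $dc
    [pscustomobject]@{
        LogonDc               = $dc
        AlwaysWaitForNetwork  = ($wl.SyncForegroundPolicy -eq 1)
        ReapplyUnchangedGpos  = ($cse.NoGPOListChanges -eq 0)
        # Until both halves have replicated to this DC, the client cannot see the new version.
        GpoVersionsInSyncOnDc = ($g.Computer.DSVersion -eq $g.Computer.SysvolVersion) -and
                                ($g.User.DSVersion -eq $g.User.SysvolVersion)
    }
}
Test-ClientPolicyState -GpoName $gpo
```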
239
Lesson 5: Troubleshoot Policy Application
Course 6425C Lesson 5: Troubleshoot Policy Application Module 6: Implementing a Group Policy Infrastructure Resultant Set of Policy Generate RSoP Reports Perform What-If Analyses with the Group Policy Modeling Wizard Examine Policy Event Logs -blank-
240
Resultant Set of Policy
Course 6425C  Resultant Set of Policy  Module 6: Implementing a Group Policy Infrastructure

- Inheritance, filters, loopback, and other policy scope and precedence factors are complex
- RSoP: the "end result" of policy application, and tools to help evaluate, model, and troubleshoot the application of Group Policy settings
- RSoP analysis: the Group Policy Results Wizard, the Group Policy Modeling Wizard, GPResult.exe

Instructor notes: Use this slide to introduce the term and the concepts and tools of RSoP. Remind students how complex it can become to evaluate a resultant set of policy, with factors including inheritance, filters, loopback, the interaction between GPOs in CSEs, and the mind-boggling number of policy settings. Help students understand that resultant set of policy is both a descriptor, meaning "the end result" of policy application, and the name of a collection of tools and processes.
241
Module 6: Implementing a Group Policy Infrastructure
Course 6425C  Generate RSoP Reports  Module 6: Implementing a Group Policy Infrastructure

Group Policy Results Wizard
- Queries WMI to report actual Group Policy application
- Requirements: administrative credentials on the target computer; access to WMI (firewall); the user must have logged on at least once
RSoP report
- Can be saved
- View in Advanced mode: shows some settings that do not show in the HTML report
- View Group Policy processing events
Command line: GPResult.exe /s ComputerName /h filename

Instructor notes: Talk in detail about RSoP reports, preferably with demonstrations. Ensure that students understand how to generate, interpret, and save RSoP reports created by the Group Policy Results Wizard in the GPMC console or by the GPResult command. Emphasize the critical importance of RSoP reports in analyzing and troubleshooting Group Policy application in an enterprise.
242
Perform What-If Analyses with the Group Policy Modeling Wizard
Course 6425C Perform What-If Analyses with the Group Policy Modeling Wizard Module 6: Implementing a Group Policy Infrastructure Group Policy Modeling Wizard Emulates Group Policy application to report anticipated RSoP Can be used prior to GPO application Recommended in Group Policy design phase Emphasize that the Group Policy Modeling Wizard is not reporting actual Group Policy application, but is rather analyzing and reporting anticipated Group Policy application. Ask students what types of scenarios would lend themselves to using Group Policy Modeling. Among the answers should be scenarios in which users or computers will be moved, or in which group memberships will be changed, in order to evaluate the potential changes to their configuration from Group Policy. Also, modeling can be used to evaluate the impact of a new GPO prior to rolling it into production.
243
Examine Policy Event Logs
Course 6425C  Examine Policy Event Logs  Module 6: Implementing a Group Policy Infrastructure

- System log: high-level information about Group Policy; errors elsewhere in the system that could impact Group Policy
- Application log: events recorded by CSEs
- Group Policy Operational log: detailed trace of Group Policy application

Instructor notes: Discuss or, better yet, demonstrate the three major logs in which Group Policy events can be found. Also point out that RSoP reports expose Group Policy events too, particularly in the Advanced view. Mention that the Group Policy Operational log is a great way to learn about exactly how Group Policy is applied in Windows. You can trace every step of Group Policy application that was described in the previous lesson.
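An added example, not course material, that gathers what the Generate RSoP Reports topic and this topic describe for one client: an RSoP report via the Group Policy Results machinery and GPResult, and the Operational log trace summarised per processing run. The computer, user and report folder are the course's lab values or assumed; the function name is the example's own. Remote event log access and WMI must be allowed through the client's firewall.

```powershell
# Added example: RSoP report plus a per-run summary of the Group Policy Operational log.
Import-Module GroupPolicy
$computer  = 'NYC-CL1'
$user      = 'CONTOSO\Pat.Coleman'
$reportDir = 'C:\GPReports'        # assumed
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Logging-mode RSoP (what actually applied). Needs admin rights on the target, WMI through the
# firewall, and a user who has logged on there at least once.
Get-GPResultantSetOfPolicy -Computer $computer -User $user -ReportType Html `
                           -Path (Join-Path $reportDir "rsop-$computer.html") | Out-Null
# Command-line equivalent from the slide:
gpresult /s $computer /h (Join-Path $reportDir "gpresult-$computer.html")

function Get-GpProcessingRuns {
    # One object per processing run. All events of a run share an ActivityId; 5312 carries the
    # list of applied GPOs and 5317 the list of GPOs that were filtered out, with the reason.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Hours = 24)
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events | Group-Object ActivityId | ForEach-Object {
        $run = @($_.Group | Sort-Object TimeCreated)
        [pscustomobject]@{
            Started  = $run[0].TimeCreated
            Events   = $run.Count
            Errors   = @($run | Where-Object Level -le 2).Count   # Level 1 = Critical, 2 = Error
            Warnings = @($run | Where-Object Level -eq 3).Count
            Applied  = ($run | Where-Object Id -eq 5312 | Select-Object -Last 1).Message
            Filtered = ($run | Where-Object Id -eq 5317 | Select-Object -Last 1).Message
        }
    }
}
Get-GpProcessingRuns -ComputerName $computer | Sort-Object Started -Descending | Format-List

# The System log keeps the high-level view: the Group Policy provider's own events, next to
# anything else (DNS, time, network) that may have broken processing. CSE events go to Application.
Get-WinEvent -ComputerName $computer -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message
```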
244
Lab C: Troubleshoot Policy Application
Course 6425C  Lab C: Troubleshoot Policy Application  Module 6: Implementing a Group Policy Infrastructure

Exercise 1: Perform RSoP Analysis
Exercise 2: Use the Group Policy Modeling Wizard
Exercise 3: View Policy Events

Scenario: You are responsible for administering and troubleshooting the Group Policy infrastructure at Contoso, Ltd. You want to evaluate the resultant set of policies for users in your environment in order to ensure that the Group Policy infrastructure is healthy, and that all policies are applied for the purposes for which they were designed.

Exercise 1: In this exercise, students will evaluate the resultant set of policy using both the Group Policy Results Wizard and the GPResult command.
Exercise 2: In this exercise, students will use the Group Policy Modeling Wizard to model the resultant set of policies applied to a user, Mike Danseglio, if he were to log on to a conference room computer, NYC-CL1.
Exercise 3: In this exercise, students will locate and examine Group Policy-related events.
Note: Exercise 2, Task 1 requires a greater level of detail in the high-level steps compared to other tasks in the module.

Logon information
Virtual machines: 6425C-NYC-DC1, 6425C-NYC-CL1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 30 minutes
245
Module 6: Implementing a Group Policy Infrastructure
Course 6425C Lab Scenario Module 6: Implementing a Group Policy Infrastructure You are responsible for administering and troubleshooting the Group Policy infrastructure at Contoso, Ltd. You want to evaluate the resultant set of policies for users in your environment in order to ensure that the Group Policy infrastructure is healthy, and that all policies are applied as they were intended. -blank-
246
Module 6: Implementing a Group Policy Infrastructure
Course 6425C Lab Review Module 6: Implementing a Group Policy Infrastructure In which situations have you used RSoP reports to troubleshoot Group Policy application in your organization? In which situations have you used, or could you anticipate using, Group Policy modeling? Have you ever diagnosed a Group Policy application problem based on events in one of the event logs? Use the questions on the slide to guide the discussion after students have completed the lab exercises. Answers to each of the questions for this lab will vary. Use the experience of your students to elicit interesting stories related to Group Policy troubleshooting. If your students do not have direct experience, share the experiences you have had, or experiences you have heard from other students or clients. Question: In which situations have you used RSoP reports to troubleshoot Group Policy application in your organization? Answer: The correct answer will be based on your own experience and situation. Question: In which situations have you used, or could you anticipate using, Group Policy modeling? Question: Have you ever diagnosed a Group Policy application problem based on events in one of the event logs?
247
Module Review and Takeaways
Course 6425C  Module Review and Takeaways  Module 6: Implementing a Group Policy Infrastructure

Review Questions; Common Issues Related to Group Policy Management; Best Practices Related to Group Policy Management; Tools

Review Questions
Question: You have assigned a logon script to an OU via Group Policy. The script is located in a shared network folder named Scripts. Some users in the OU receive the script, while others do not. What might be some causes?
Answer: Security permissions might be a problem. If some users do not have read access to the shared network folder where scripts are stored, they will not be able to apply the policy. Also, security filtering on the Group Policy Object might be the cause of this problem.
Question: Which GPO settings are applied across slow links by default?
Answer: Registry policy and security policy are always applied even when a slow link is detected. These settings cannot be changed.
Question: You need to ensure that a domain level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish this?
Answer: Set the link to be enforced at the domain level, and use security group filtering to deny Apply Group Policy permission to the Administrators group.

Common Issues Related to Group Policy Management
Issue: Group Policy settings are not applied to all users or computers in the OU where the GPO is applied
Troubleshooting tip: Check security filtering on the GPO; check WMI filters on the GPO
Issue: Group Policy settings sometimes need two restarts to apply
Troubleshooting tip: Enable the wait for network before logon option
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Module 6: Implementing a Group Policy Infrastructure

Best Practices Related to Group Policy Management
Name Group Policy objects so you can easily identify them by name.
Apply Group Policy Objects as high as possible in the AD DS hierarchy.
Use the Block Inheritance and Enforced options only when really necessary.
Make comments on GPO settings.

Tools (Tool: Use for; Where to find it)
Group Policy reporting
RSoP: Reporting information about the current policies being delivered to clients; Group Policy Management Console.
GPResult: A command-line utility that displays RSoP information; Command-line utility.
GPUpdate: Refreshing local and AD DS-based Group Policy settings.
Dcgpofix: Restoring the default Group Policy objects to their original state after initial installation.
GPOLogView: Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions.
Group Policy Management scripts: Sample scripts that perform a number of different troubleshooting and maintenance tasks.
Module 07: Managing User Desktop with Group Policy
Module 7: Managing User Desktop with Group Policy
Presentation: 30 minutes
Lab: 45 minutes
Module Goal: Explain common business scenarios in which change and configuration management can be implemented by using specific Group Policy settings.

Objectives
After completing this lesson, you will be able to:
Describe Administrative templates.
Understand and configure Group Policy preferences.
Deploy software by using Group Policy.

Preparation for Demonstrations
To prepare for demos in this module:
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.
3. Run the Active Directory Users and Computers snap-in with administrative credentials (Pat.Coleman_Admin with the password Pa$$w0rd).
Module Lab Goal: Provide solid, hands-on experience with the scenarios presented in this module.

Module Lab Scenario: Contoso’s enterprise IT project portfolio for this year includes improving the security, compliance, and manageability of the Windows® environment. Due to budget cuts, you must deliver the requirements of those projects without third-party tools. Your manager has asked you, instead, to capitalize on the company’s existing investment in Active Directory®.

Preparation for Labs
The labs have dependencies between each other, so students should not shut down the virtual machines after each lab. If you wish to prepare for them now and save the time taken for startup, ask students to start the virtual machines now. The virtual machines used in Lab A are 6425C-NYC-DC1, 6425C-NYC-SVR1, and 6425C-NYC-CL1.
Module 07: Managing User Desktop with Group Policy
Module Overview
Implement Administrative Templates
Configure Group Policy Preferences
Manage Software with GPSI
Lesson 1: Implement Administrative Templates
Lesson 1: Implement Administrative Templates
What Are Administrative Templates?
How Administrative Templates Work
Managed Settings, Unmanaged Settings, and Preferences
Central Store
Demonstration: Work with Settings and the GPOs
What Are Administrative Templates?
What Are Administrative Templates?

Discuss or demonstrate the following: The settings that appear in the Administrative Templates node are driven by text files called administrative templates. Administrative templates not only determine what settings appear in the list of settings, but also the groupings of settings within Administrative Templates, and the contents of the dialog boxes that appear when you configure a policy setting. Finally, when you do configure a policy setting, the administrative template responsible for that policy setting specifies the registry change to be made.

Prior to Windows Vista, administrative templates were single files with the .ADM extension. Starting with Windows Vista and Windows Server 2008, administrative templates are pairs of files (.ADMX and .ADML): the .ADMX file defines the location of the setting, the elements of the Properties dialog box, and the registry change to be made, and the .ADML file provides the text of the user interface in a specific language.

Show students how to add and remove templates. Optionally, add an .ADM file to demonstrate how Classic Templates appear in the user interface. Mention the ADMX Migrator utility, which enables you to convert .ADM files to the .ADMX format.

References: ADMX Migrator; ADMX Migrator download (Blog)

If the group of students is particularly advanced, and if time allows, you can show students how the example policy setting is driven by the administrative templates. Open the Shell-CommandPrompt-RegEditTools .ADMX and .ADML files and search for DisableRegedit. That will get you to the right section.

(Slide diagram: .ADMX, .ADML, Registry)
How Administrative Templates Work
How Administrative Templates Work
Policy settings in the Administrative Templates node make changes to the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegedit
Mode 1 – Regedit UI tool only
Mode 2 – Also disable regedit /s

In the next topics, you will be diving into detail about managed and unmanaged policy settings, administrative templates, and the central store. Use this slide to set the stage for the discussion. Remind students of the setting that has been used throughout this module as an example: Prevent Access To Registry Editing Tools. Take students one step further by explaining that this, and all other policy settings in the Administrative Templates node, make a change to a registry value. In the case of this setting, the registry value modified is the one shown on the slide. That's about all you need to say at this point; you can move on to the next topic.
Managed Settings, Unmanaged Settings, and Preferences
Managed Settings, Unmanaged Settings, and Preferences

Administrative templates
Managed policy setting
User interface (UI) is locked; the user cannot make a change to the setting
Changes are made in one of four reserved registry keys
Change and UI lock are "released" when the user/computer falls out of scope
Unmanaged policy setting
UI not locked
Makes a change that is persistent; "tattoos" the registry
Only managed settings are shown by default
Set Filter Options to view unmanaged settings
Preferences
Effects vary

Clarify the distinction between managed and unmanaged policy settings. Ensure that students understand the potential problem posed by tattooing the registry. As you discuss the effect of Group Policy preferences, explain that the changes made by preferences are typically permanent "tattoo" changes. However, some preferences include an option to remove the preference when the user or computer falls out of scope of the GPO. In these situations, the preference is generally completely deleted. The setting is not restored to the state it had prior to the application of the preference.
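To make the "four reserved registry keys" concrete, here is an added PowerShell audit (not part of the course materials) that lists every value currently present under those four policy roots on the machine it runs on. Anything reported here is a managed setting that the Group Policy client will remove when the GPO falls out of scope; the same setting stored anywhere else in the registry is a preference or an unmanaged setting that has tattooed the registry. The four paths are the policy roots used by the Administrative Templates client-side extension; the function name and the `DisableReg*` filter in the usage lines are my choices, not text from the slide.

```powershell
# Added example (not part of the course materials): audit the four reserved
# policy registry roots that managed Administrative Template settings write to.
# Values under these roots are policy-backed ("managed"); values elsewhere are
# preferences or unmanaged settings that persist ("tattoo") after the GPO is gone.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-ManagedPolicyValue {
    # Returns one object per registry value found under the reserved policy roots.
    # -NameFilter is a wildcard pattern matched against the value name (default: all).
    param(
        [string]$NameFilter = '*'
    )
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        # Include the root key itself as well as every subkey beneath it.
        $keys = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                if ($valueName -notlike $NameFilter) { continue }
                [pscustomobject]@{
                    Root  = $root
                    Key   = $key.Name
                    Value = $valueName
                    Kind  = $key.GetValueKind($valueName)
                    Data  = $key.GetValue($valueName)
                }
            }
        }
    }
}

# Usage: everything currently enforced on this user and computer.
Get-ManagedPolicyValue | Sort-Object Key, Value | Format-Table -AutoSize

# Usage: only the registry-editing restriction used as the slide example, i.e.
# values under ...\CurrentVersion\Policies\System whose name starts with DisableReg.
Get-ManagedPolicyValue -NameFilter 'DisableReg*' |
    Where-Object { $_.Key -like '*\CurrentVersion\Policies\System' }
```

Run it once on a machine in scope of the GPO and once after moving it out of scope: a managed setting disappears from the output, whereas a tattooed preference is never listed here in the first place because it lives outside the policy roots.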
Module 07: Managing User Desktop with Group Policy
Central Store

.ADM files
Stored in the GPT
Leads to version control and GPO bloat problems
.ADMX/.ADML files
Retrieved from the client
Problematic if the client doesn't have the appropriate files
Central Store
Create a folder called PolicyDefinitions on a DC
Remotely: \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions
Locally: %SystemRoot%\SYSVOL\contoso.com\Policies\PolicyDefinitions
Copy .ADMX files from your %SystemRoot%\PolicyDefinitions
Copy .ADML files from the language-specific subfolders (such as en-us)

Discuss the management challenges of both classic .ADM files and of the new .ADMX/.ADML files. Discuss or demonstrate the creation of a central store. Students will perform this procedure in a lab as well.
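The central store procedure on the slide, as an added PowerShell example (not part of the course materials). It copies the .ADMX files and the .ADML files for one language from the local %SystemRoot%\PolicyDefinitions into the SYSVOL path named on the slide, then checks that every template has its language file. Assumptions: the domain is contoso.com (from the slide), the language is en-US, and the script runs with rights to write to SYSVOL; the function name is mine.

```powershell
# Added example (not part of the course materials): build the central store
# described on the slide. SYSVOL replication then carries the folder to every
# domain controller, so the GPME on any management machine reads one copy.
function New-CentralStore {
    param(
        [string]$Domain   = 'contoso.com',                                   # from the slide
        [string]$Language = 'en-US',                                         # assumed language
        [string]$Source   = (Join-Path $env:SystemRoot 'PolicyDefinitions')  # local templates
    )
    # Remote path from the slide.
    $target  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $langSrc = Join-Path $Source $Language
    $langDst = Join-Path $target $Language

    foreach ($dir in $target, $langDst) {
        if (-not (Test-Path -Path $dir)) {
            New-Item -ItemType Directory -Path $dir | Out-Null
        }
    }

    # .ADMX: setting location, dialog elements and the registry change to make.
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $target -Force
    # .ADML: language-specific UI text, kept in the language subfolder.
    Copy-Item -Path (Join-Path $langSrc '*.adml') -Destination $langDst -Force

    # Check: every .ADMX in the store needs a matching .ADML, otherwise the
    # GPME cannot display that template's strings.
    $missing = Get-ChildItem -Path $target -Filter '*.admx' |
        Where-Object { -not (Test-Path (Join-Path $langDst "$($_.BaseName).adml")) } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        CentralStore = $target
        AdmxCount    = @(Get-ChildItem -Path $target  -Filter '*.admx').Count
        AdmlCount    = @(Get-ChildItem -Path $langDst -Filter '*.adml').Count
        MissingAdml  = $missing
    }
}

New-CentralStore
```

Run it from the machine whose templates you want as the enterprise baseline; re-running it after an OS or application update refreshes the store in place.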
Demonstration: Work with Settings and GPOs
Demonstration: Work with Settings and GPOs

In this demonstration, you will see how to:
Use filter options to locate policies in administrative templates
Add comments to a policy setting
Add comments to a GPO
Create a new GPO from a starter GPO
Create a new GPO by copying an existing GPO
Create a new GPO by importing settings that were exported from another GPO

Demonstration Steps
Use Filter Options to locate policies in Administrative Templates
1. Switch to NYC-DC1.
2. Run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
4. In the details pane, right-click the 6425C GPO, and then click Edit. The Group Policy Management Editor appears.
5. In the console tree, expand User Configuration, expand Policies, and then click Administrative Templates.
6. Right-click Administrative Templates, and then click Filter Options.
7. Select the Enable Keyword Filters check box.
8. In the Filter for word(s) text box, type screen saver.
9. In the drop-down list next to the text box, select Exact, and click OK. Administrative Templates policy settings are filtered to show only those that contain the words screen saver.
10. Spend a few moments examining the settings that you have found.
11. In the console tree, right-click Administrative Templates under User Configuration, and then click Filter Options.
12. Clear the Enable Keyword Filters check box.
13. In the Configured drop-down list, select Yes, and then click OK. Administrative Templates policy settings are filtered to show only those that have been configured (enabled or disabled).
14. Spend a few moments examining those settings.
15. In the console tree, right-click Administrative Templates under User Configuration and clear the Filter On option.
Add comments to a policy setting
1. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.
2. Double-click the Enable screen saver policy setting.
3. In the Comment section, type Corporate IT Security Policy implemented with this policy in combination with Password Protect the Screen Saver, and click OK.
4. Double-click the Password protect the screen saver policy setting.
5. In the Comment section, type Corporate IT Security Policy implemented with this policy in combination with Enable screen saver, and click OK.

Add comments to a GPO
1. In the console tree of the Group Policy Management Editor, right-click the root node, 6425C [NYC-DC1.CONTOSO.COM], and then click Properties.
2. Click the Comment tab.
3. Type Contoso corporate standard policies. Settings are scoped to all users and computers in the domain. Person responsible for this GPO: your name. This comment appears on the Details tab of the GPO in the GPMC.
4. Click OK and then close the Group Policy Management Editor.

Create a new GPO from a starter GPO
1. In the console tree of the GPMC, click the Starter GPOs container.
2. In the details pane, click the Create Starter GPOs Folder button.
3. In the console tree, right-click the Starter GPOs container, and then click New.
4. In Name: type CONTOSO Starter GPO, and then click OK.
5. In the details pane, right-click CONTOSO Starter GPO, and then click Edit. The Group Policy Management Editor appears. Review and edit the settings as desired.
6. Close the Group Policy Starter GPO Editor.
7. In the details pane, right-click CONTOSO Starter GPO, and then click New GPO From Starter GPO.
8. In Name: type CONTOSO Desktop, and then click OK.
Create a new GPO by copying an existing GPO
1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO Desktop GPO, and then click Copy.
2. Right-click the Group Policy Objects container, click Paste, and then click OK.
3. Click OK.

Create a new GPO by importing settings that were exported from another GPO
1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO Desktop GPO, and then click Back Up.
2. In Location: type D:\Labfiles\Lab07c, and then click Back Up.
3. When the backup finishes, click OK.
4. In the GPMC console tree, right-click the Group Policy Objects container, and then click New.
5. In Name: type CONTOSO Import, and then click OK.
6. In the GPMC console tree, right-click the CONTOSO Import GPO, and then click Import Settings. The Import Settings Wizard appears.
7. Click Next three times.
8. Select CONTOSO Desktop, and then click Next two times.
9. Click Finish, and then click OK.
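The GPO-level parts of this demonstration (comment, starter GPO, copy, backup and import), carried out with the GroupPolicy module cmdlets instead of the GPMC, as an added example that is not part of the course materials. GPO names and the backup path are taken from the demonstration steps; the name of the pasted copy and the starter GPO comment are my choices. Setting-level comments (the Enable screen saver comments above) have no cmdlet equivalent and stay in the GPME.

```powershell
# Added example (not part of the course materials): the demonstration's GPO
# operations with the GroupPolicy module (available on a DC or any machine
# with the GPMC feature installed).
Import-Module GroupPolicy

# Add a comment to a GPO: the Description property is what the GPMC shows
# on the Details tab and on the Comment tab of the GPO properties.
$gpo = Get-GPO -Name '6425C'
$gpo.Description = 'Contoso corporate standard policies. Settings are scoped to all users and computers in the domain. Person responsible for this GPO: your name.'

# Create a new GPO from a starter GPO. The starter GPO carries the baseline
# Administrative Template settings every new GPO should begin with.
New-StarterGPO -Name 'CONTOSO Starter GPO' -Comment 'Baseline for new Contoso GPOs (assumed comment)' | Out-Null
New-GPO -Name 'CONTOSO Desktop' -StarterGpoName 'CONTOSO Starter GPO' | Out-Null

# Create a new GPO by copying an existing GPO. Settings are copied; the
# security filtering of the source is copied only when -CopyAcl is added.
Copy-GPO -SourceName 'CONTOSO Desktop' -TargetName 'Copy of CONTOSO Desktop' | Out-Null

# Create a new GPO by importing settings that were backed up from another GPO.
$backupPath = 'D:\Labfiles\Lab07c'
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
Backup-GPO -Name 'CONTOSO Desktop' -Path $backupPath | Out-Null
New-GPO -Name 'CONTOSO Import' | Out-Null
Import-GPO -BackupGpoName 'CONTOSO Desktop' -TargetName 'CONTOSO Import' -Path $backupPath | Out-Null

# Check: produce an HTML settings report for the source, the copy and the
# import so the three can be compared side by side.
foreach ($name in 'CONTOSO Desktop', 'Copy of CONTOSO Desktop', 'CONTOSO Import') {
    Get-GPOReport -Name $name -ReportType Html -Path (Join-Path $backupPath "$name.html")
}
```

None of the new GPOs are linked, so, exactly as in the GPMC demonstration, nothing is applied to users or computers until a link is created.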
Lab A: Manage Settings and GPOs
Lab A: Manage Settings and GPOs
Exercise 1: Manage Administrative Templates

Scenario
You were recently hired as the domain administrator for Contoso, Ltd., replacing the previous administrator, who retired. You are not certain what policy settings have been configured, so you decide to locate and document GPOs and policy settings. You also discover that the company has not leveraged either the functionality or the manageability of administrative templates.

Exercise 1
In this exercise, students will examine and manage administrative templates. They will also create a central store of administrative templates to centralize the management of templates.

NOTE: Do not shut down the virtual machines after you finish this lab, as the settings you have configured here will be used in subsequent labs.

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 30 minutes
Module 07: Managing User Desktop with Group Policy
Lab Scenario
You were recently hired as the domain administrator for Contoso, Ltd., replacing the previous administrator, who retired. You are not certain what policy settings have been configured, so you decide to locate and document GPOs and policy settings. You also discover that the company has not leveraged either the functionality or the manageability of administrative templates.
Module 07: Managing User Desktop with Group Policy
Lab Review
Describe the relationship between administrative template files (both .ADMX and .ADML files) and the GPME.
When does an enterprise get a central store? What benefits does it provide?
What are the advantages of managing Group Policy from a client running the latest version of Windows? Do settings you manage apply to previous versions of Windows?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: Describe the relationship between administrative template files (both .ADMX and .ADML files) and the GPME.
Answer: .ADMX files create the user interface for the GPME and determine the registry values that are applied when a policy setting is defined. .ADML files provide the language-specific elements (the text) in the user interface.
Question: When does an enterprise get a central store? What benefits does it provide?
Answer: A central store is manually created by adding a PolicyDefinitions folder to \\domain\sysvol\domain\Policies. A central store provides a single point of management for administrative templates and reduces the size of Group Policy templates (GPTs).
Question: What are the advantages of managing Group Policy from a client running the latest version of Windows? Do settings you manage apply to previous versions of Windows?
Answer: If you manage Group Policy with a client running the latest version of Windows, you will be able to use the latest administrative templates, and you will be able to view settings that apply to this and all previous versions of Windows. The policy settings you configure will apply not based on the version of Windows from which you manage Group Policy, but rather based on the versions of Windows to which the policy setting can apply.
Lesson 2: Configure Group Policy Preferences
Lesson 2: Configure Group Policy Preferences
What Are Group Policy Preferences?
Differences Between Group Policy Preferences and Settings
Demonstration: Configure Group Policy Preferences
What Are Group Policy Preferences?
What Are Group Policy Preferences?

Group Policy preferences expand the range of configurable settings within a GPO.
Features of Group Policy Preferences:
Are not enforced
Enable IT pros to configure, deploy, and manage operating system and application settings that were not manageable by using Group Policy

The key point here is to define Group Policy Preferences. The easiest way to do so is to describe them as recommended but not enforced settings applied through a GPO. Also, Group Policy Preferences provide additional settings that are not available in standard Group Policy settings.

Create: Create a new item on the targeted computer
Delete: Remove an existing item from the targeted computer
Replace: Delete and re-create an item on the targeted computer
Update: Modify an existing item on the targeted computer
Differences Between Group Policy Preferences and Settings
Differences Between Group Policy Preferences and Settings

Group Policy Preferences: Are written to the normal locations in the registry that the application or operating system feature uses to store the setting
Group Policy Settings: Strictly enforce policy settings by writing the settings to areas of the registry that standard users cannot modify

Group Policy Preferences: Do not cause the application or operating system feature to disable the user interface for the settings they configure
Group Policy Settings: Typically disable the user interface for settings that Group Policy is managing

Group Policy Preferences: Refresh preferences by using the same interval as Group Policy settings by default
Group Policy Settings: Refresh policy settings at a regular interval

Group Policy Preferences: Are not available on local computers
Group Policy Settings: Are available through local Group Policy

Explain that where preferences conflict with policies, the Group Policy setting will have precedence.

Reference: For an overview of Group Policy preferences, see
Demonstration: Configure Group Policy Preferences
Demonstration: Configure Group Policy Preferences

In this demonstration, you will see how to configure some Group Policy Preferences.

Detailed Demonstration Steps:
1. On 6425C-NYC-DC1, in GPMC, click the Group Policy Objects folder; in the details pane, right-click the Default Domain Policy, and then click Edit.
2. Expand Computer Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts, point to New, and then click Shortcut.
3. In the New Shortcut Properties dialog box, select Create from the Action list.
4. In the Name box, type Notepad.
5. In the Location box, click the arrow, and then select All Users Desktop.
6. In the Target path box, type C:\Windows\System32\Notepad.exe.
7. On the Common tab, select the Item-level targeting check box, and then click Targeting.
8. In the Targeting Editor dialog box, click New Item, and then click Computer Name.
9. In the Computer name box, type NYC-CL1, and then click OK twice.
10. Under Windows Settings, right-click Folders, point to New, and then click Folder.
11. In the New Folder dialog box, select Create from the Action list.
12. In the Path field, type C:\Reports.
13. In the Targeting Editor dialog box, click New Item, and then click Operating System.
14. In the Product list, click Windows Server 2008 R2, and then click OK twice.
Lab B: Manage Group Policy Preferences
Lab B: Manage Group Policy Preferences
Exercise 1: Configure Group Policy Preferences
Exercise 2: Verify Group Policy Preferences Application

Scenario
You were recently hired as the domain administrator for Contoso, Ltd. In an effort to simplify Group Policy management, including eliminating the need for logon scripts to map drives, you have been asked to deploy several Group Policy Preferences settings that will allow for more flexibility for corporate users.

Exercise 1
In this exercise, students will configure Group Policy Preferences.
Exercise 2
In this exercise, students will test application of Group Policy Preferences.

NOTE: Do not shut down the virtual machines after you finish this lab, as the settings you have configured here will be used in subsequent labs.

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 20 minutes
Module 07: Managing User Desktop with Group Policy
Lab Scenario
You were recently hired as the domain administrator for Contoso, Ltd. To simplify Group Policy management, which includes eliminating the need for logon scripts to map drives, you need to deploy several Group Policy Preferences settings that will allow for more flexibility for corporate users.
Module 07: Managing User Desktop with Group Policy
Lab Review
What is the alternate way to provide drive mapping to users, instead of using Preferences?
If you apply a Group Policy preferences setting, can you change this setting on the client side?

Use the questions on the slide to guide the debriefing after students have completed the lab exercises.

Question: What is the alternate way to provide drive mapping to users, instead of using Preferences?
Answer: You can use a logon script configured in ordinary Group Policy settings.
Question: If you apply a Group Policy preferences setting, can you change this setting on the client side?
Answer: Yes, because Group Policy preferences do not enforce settings and do not block the user interface.
Lesson 3: Manage Software with GPSI
Lesson 3: Manage Software with GPSI
Understand GPSI
Software Deployment Options
Demonstration: Create a Software Distribution Point
Create and Scope a Software Deployment GPO
Maintain Software Deployed with GPSI
GPSI and Slow Links
Module 07: Managing User Desktop with Group Policy
Understand GPSI

Client-side extension (CSE)
Installs supported packages
Windows Installer packages (.msi)
Optionally modified by Transform (.mst) or patches (.msp)
GPSI automatically installs with elevated privileges
Downlevel application package (.zap)
Supported by “publish” option only
Requires user to have admin privileges
System Center Configuration Manager and other deployment tools can support a wider variety of installation and configuration packages
No “feedback”
No centralized indication of success or failure
No built-in metering, auditing, license management

Ensure that students understand that Group Policy Software Installation (GPSI) can install only Windows Installer packages. However, since many applications are available as Windows Installer packages, and since there are tools that allow one to create Windows Installer packages, this is enough to allow GPSI to serve as a valuable software deployment mechanism for many organizations.

Touch on the point that GPSI can, technically, deploy any application that supports an unattended installation command using a downlevel application package (“.zap file”). This file is basically an .ini file that specifies the unattended installation command. However, .zap files can only be deployed using the “publish” option (assign versus publish will be discussed on the next slide), so applications deployed with .zap files can only appear in the Programs And Features applet in Control Panel. Furthermore, installing applications from .zap files requires that users are local administrators on their computers. Therefore .zap files are very rarely used in the real world.

Point out that System Center Configuration Manager and other deployment tools can deploy applications and configuration using a much wider variety of package types.
Commercial software deployment tools also provide reporting and feedback mechanisms that support software metering, auditing, and license management. However, even organizations with tools like System Center Configuration Manager might use GPSI for certain scenarios—they can each serve a role in a software deployment infrastructure.
Software Deployment Options
Software Deployment Options

Assign application to users
Start menu shortcuts appear
Install-on-demand
File associations made (optional “Auto Install”)
Install-on-document invocation
Optionally, configure to install at logon
Publish application to users
Advertised in Programs And Features (Control Panel)
Install-on-request
Assign to computers
Install at startup

Talk through the differences between assigning an application to users, publishing an application to users, or assigning an application to computers. After presenting the “facts”, ask students to discuss different scenarios that would be best supported by each option. Be sure in the discussion that the following points are raised:

Assigning applications to users can be a bit dangerous, because the applications will follow users to every computer to which they log on. For example, if you were to assign Microsoft Visio® to users, and users were to log on to conference room computers, Visio would end up installed on the conference room computers, which may not be desirable.

Most software is licensed per computer, not per user. For this, and the previous reason, it is generally a best practice to deploy software using the assigned-to-computer option.

Organizations often want to limit the applications that users install. And often, it is challenging to help users find an application that meets a need that they have. One great feature of the “publish” option is the fact that applications can be categorized. When you go to install applications from Programs And Features in Control Panel, those categories are used to group the available applications.
So, for example, if you needed a photo editor, you could go to Programs And Features and, when you choose to install an application from the network, the published applications in the Photo Editor category would display each of the applications that the enterprise has approved for you to install to meet that need.

Reference: Group Policy Software Installation overview:
Demonstration: Create a Software Distribution Point
Demonstration: Create a Software Distribution Point

In this demonstration, you will see how to:
Create a software distribution point

Demonstration Steps
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
2. Start 6425C-NYC-SVR1, but do not log on.
3. Switch to NYC-DC1.
4. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
5. In the console tree, expand the contoso.com domain and the Groups OU, and then click the Application OU.
6. Right-click the Application OU, point to New, and then click Group.
7. Type APP_XML Notepad, and then press Enter.
8. In the console tree, expand the contoso.com domain and the Servers OU, and then click the File OU.
9. In the details pane, right-click NYC-SVR1, and then click Manage. The Computer Management console opens, focused on NYC-SVR1.
10. In the console tree, expand System Tools and Shared Folders, and then click Shares.
11. Right-click Shares, and then click New Share. The Create a Shared Folder Wizard appears.
12. Click Next.
13. In the Folder Path box, type C:\Software, and then click Next. A message appears asking if you want to create the folder.
14. Click Yes.
15. Accept the default Share name, Software, and then click Next.
16. Click Customize permissions, and then click Custom.
17. Click Security.
18. Click Advanced. The Advanced Security Settings dialog box appears.
19. Click Change Permissions.
20. Clear the Include inheritable permissions from this object's parent option. A dialog box appears asking if you want to Add or Remove inherited permissions.
21. Click Add.
22. Select the first permission assigned to the Users group, and then click Remove.
23. Select the remaining permission assigned to the Users group, and then click Remove.
24. Select the permission assigned to Creator Owner, and then click Remove.
25. Click OK two times to close the Advanced Security Settings dialog boxes.
26. In the Customize Permissions dialog box, click the Share Permissions tab.
27. Select the Full Control check box. Security management best practice is to configure least-privilege permissions in the ACL of the resource, which apply to users regardless of how they connect to the resource; you can then use the Full Control permission on the SMB shared folder. The resultant access level is the more restrictive permission, the one defined in the ACL of the folder.
28. Click OK.
29. Click Finish.
30. Click Finish to close the wizard.
31. Click Start, click Run, type \\NYC-SVR1\c$, and then press Enter. The Connect to NYC-SVR1 dialog box appears.
32. In the User name box, type CONTOSO\Pat.Coleman_Admin.
33. In the Password box, type Pa$$w0rd, and then press Enter. A Windows Explorer window opens, focused on the root of the C drive on NYC-SVR1.
34. Open the Software folder.
35. Click New folder. A new folder is created and is in "rename mode."
36. Type XML Notepad, and then press Enter.
37. Right-click the XML Notepad folder, and then click Properties.
38. Click Security.
39. Click Edit.
40. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog box appears.
41. Type APP_XML Notepad, and then press Enter. The group is given the default Read & Execute permission.
42. Click OK twice to close all open dialog boxes.
43. Open the XML Notepad folder.
44. Open the D:\Labfiles\Lab07c folder in a new window.
45. Right-click XMLNotepad.msi, and then click Copy.
46. Switch to the Windows Explorer window displaying \\NYC-SVR1\c$\Software\XML Notepad.
47. Right-click in the empty details pane, and then click Paste. XML Notepad is copied into the folder on NYC-SVR1.
48. Close all open Windows Explorer windows.
49. Close the Computer Management console.
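The share and NTFS permission model from steps 13 through 42 (Full Control on the share, least privilege in the folder ACL, Read & Execute for the application group on the package folder), as an added PowerShell example that is not part of the course materials. It runs on the file server (NYC-SVR1) as an administrator and uses the built-in net share and icacls tools so it works on Windows Server 2008 R2; folder, share and group names come from the demonstration. If the package will be assigned to computers, the computer accounts also need to be members of APP_XML Notepad, because the software installation CSE reads the share as the computer account.

```powershell
# Added example (not part of the course materials): create the software
# distribution point with the permission model the demonstration walks through.
$root      = 'C:\Software'                    # folder and share from step 13/15
$shareName = 'Software'
$appFolder = Join-Path $root 'XML Notepad'    # package folder from step 36
$group     = 'CONTOSO\APP_XML Notepad'        # application group from step 7

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Share permission: Full Control for Everyone (step 27). Effective access is the
# more restrictive of share and NTFS permissions, so the NTFS ACL below is what
# actually limits who can read the packages.
& net share "$shareName=$root" '/GRANT:Everyone,FULL' | Out-Null

# NTFS on the root (steps 20-25): stop inheriting from C:\ while keeping the
# current entries as explicit ones, then drop Users and CREATOR OWNER so that
# only SYSTEM and Administrators remain. /remove:g removes every grant for the
# named principal, which covers both Users entries in one call.
& icacls $root /inheritance:d | Out-Null
& icacls $root /remove:g 'BUILTIN\Users' 'CREATOR OWNER' | Out-Null

# Package folder (steps 36-42): created after the root ACL is fixed so it
# inherits the restricted entries, then Read & Execute for the application
# group, inherited by the .msi and any .mst/.msp placed beside it.
New-Item -ItemType Directory -Path $appFolder -Force | Out-Null
& icacls $appFolder /grant "${group}:(OI)(CI)RX" | Out-Null

# Review the result: the root should list only SYSTEM and Administrators; the
# package folder adds the application group with RX.
& icacls $root
& icacls $appFolder
```

Copy the .msi into the package folder afterwards (step 45-47); because the grant is inheritable, no further ACL work is needed when packages or transforms are added later.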
276
Create and Scope a Software Deployment GPO

Computer [or User] Configuration\Policies\Software Settings\Software Installation
- Right-click, New, Package
- Browse to the .msi file through a network path (\\server\share)
- Choose the deployment option (recommended: Advanced)
Managing the scope of a software deployment GPO
- Typically easiest to manage with security group filtering
- Create an app group such as APP_XML Notepad
- Put users into the group: allows users to access the software share in the event that repairs or reinstalls are necessary
- Put computers into the group if assigning to computers

Notes: This slide presents the main points about creating and scoping a software deployment GPO. However, this topic is much more easily understood with a demonstration. If time permits, do the following:
1. Create a GPO in the Group Policy Objects container named XML Notepad.
2. Edit the GPO and create a computer-assigned package for XML Notepad. Point out that you are using a UNC path to the software. Whatever path is used in the package is the path that the software installation CSE will use. If you use a local path (for example E:\Software…), that won't work for clients when they try to access the installation files.
3. Choose the ADVANCED deployment method.
4. Step through the tabs in the package properties dialog box. Point out the following:
   - Deployment Type
   - Deployment Options, including "Uninstall this application when it falls out of the scope…"
   - Upgrades: students will experience this in the lab.
   - Categories: if publishing, these create "groups" of applications in the Programs And Features "install from network" dialog box.
   - Modifications: mention that transforms might be used to automate or customize installation.
5. Link the GPO to the domain. Point out that it would now, theoretically, deploy XML Notepad to all computers.
6. Create a group in Groups\Application called APP_XML Notepad if you did not do so already.
7. Back on the GPO scope, remove Authenticated Users and add APP_XML Notepad.
8. Open ADUC and add a computer (for example, NYC-CL1) to the APP_XML Notepad group.
9. Make sure students understand the results, and the value of the management approach.
Note: The demo described above is identical to Tasks 3 & 4 in Lab 07c. If you need more detailed instructions, refer to the Lab 07c Answer Key.
Maintain Software Deployed with GPSI

Redeploy application
- After a successful install, the client will not attempt to reinstall the app
- You might make a change to the package
- Package, All Tasks, Redeploy Application
Upgrade application
- Create a new package in the same or a different GPO
- Advanced, Upgrades, select the package to upgrade
- Uninstall the old version first, or install over the old version
Remove application
- Package, All Tasks, Remove
- Uninstall immediately (forced removal) or Prevent new installations (optional removal)
- Don't delete or unlink the GPO until all clients have applied the setting

Notes: Talk through, or demonstrate, the tasks related to maintaining software that was originally deployed with GPSI. Point out that you can redeploy an application simply by right-clicking its package. Ensure that students understand why you might want to redeploy an application, for example because you have changed the Windows Installer package.
Discuss or demonstrate the process of creating an upgrade package. You can simulate upgrading XML Notepad by creating a new package that points to the same Windows Installer package. Just name the package something like XML Notepad 2010 to suggest it is new.
Spend a few moments talking about how to remove an application. Start off by reminding students that there is the option to "uninstall the application when it falls out of the scope of management." If that option is chosen, the application will be uninstalled when the GPO is unlinked, deleted, or scoped in such a way as to exclude a computer or user that had previously installed the application. In other words, if you choose that option when creating the original software package, it's easy! If you don't choose that option, you must use Group Policy to remove the application. Be sure to leave the GPO active until all clients have applied this setting. If you unlink, delete, or descope the GPO too early, some clients will never remove the application.
GPSI and Slow Links

- The Group Policy Client determines whether the domain controller providing GPOs is on the other side of a slow link (less than 500 kbps by default)
- Each CSE uses the "slow link" determination to decide whether to process
- By default, GPSI does not process over a slow link
- You can change the slow link processing behavior of each CSE: Computer Configuration\Policies\Administrative Templates\System\Group Policy
- You can change the slow link threshold: Computer [or User] Configuration\Policies\Administrative Templates\System\Group Policy

Notes: There are a lot of details on the slide, but the concept is simple: the Group Policy Client makes a determination as to whether policies refresh over a slow link, and then each CSE decides whether to process based on that slow link determination.
Lab C: Manage Software with GPSI

Exercise 1: Deploy Software with GPSI
Exercise 2: Upgrade Applications with GPSI

Scenario
You are an administrator at Contoso, Ltd. Your developers require XML Notepad to edit XML files, and you want to automate the deployment and life cycle management of the application. You decide to use Group Policy Software Installation. Most applications are licensed per computer, so you will deploy XML Notepad to the developers' computers, rather than associating the application with their user accounts.

Exercise 1: In this exercise, students will use GPSI to deploy XML Notepad to computers including NYC-CL1.
Exercise 2: In this exercise, students will simulate deploying an upgraded version of XML Notepad.
Note: The deployment of XML Notepad may take two startups to succeed, i.e. instruct the students to restart NYC-CL1 if the package does not appear. Also, "Wait for network" (fast logon optimization turned off) is set for the domain.

Logon information
Virtual machines: 6425C-NYC-DC1, 6425C-NYC-CL1, 6425C-NYC-SVR1
Logon user name: Pat.Coleman; Do not Logon
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 15 minutes
Lab Review

- Consider the NTFS permissions you applied to the Software and XML Notepad folders on NYC-SVR1. Explain why these least privilege permissions are preferred to the default permissions.
- Consider the methods used to scope the deployment of XML Notepad: assigning the application to computers, filtering the GPO to apply to the APP_XML Notepad group that contains only computers, and linking the GPO to the Client Computers OU. Why is this approach advantageous for deploying most software? What would be the disadvantage of scoping software deployment to users rather than to computers?

Notes: Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: Consider the NTFS permissions you applied to the Software and XML Notepad folders on NYC-SVR1. Explain why these least privilege permissions are preferred to the default permissions.
Answer: The default permissions on a new NTFS folder include inherited permissions that are not least privilege. First, the USERS group is given the ability to add files and folders. In a software distribution folder, only administrators who need to add new applications should have the ability to add files and folders. Second, the CREATOR OWNER special identity is given full control. This means that whoever adds a file or folder gets an explicit permission that allows full control, which may or may not be appropriate for each file and folder added to a software deployment point. Third, the USERS group is also given the ability to read all files and folders, which will allow them to install any software in the software distribution folder. Because most software is licensed per computer or per user, you can improve your compliance by allowing only a specified group to read the installation files for each application. The SOFTWARE folder (the root) gives access (full control) only to Administrators and System. The application subfolder, for example XML Notepad, gives read access to a group that is allowed to install the application, such as APP_XML Notepad. Those users can get to the subfolder even though they do not have access to the SOFTWARE folder. Windows allows all authenticated users the "traverse folders" privilege by default, which allows users to navigate to a specific subfolder to which they have access even if they do not have permission to a parent folder. The least privilege ACLs used in this lab are a perfect example of the value of this user right.

Question: Consider the methods used to scope the deployment of XML Notepad: assigning the application to computers, filtering the GPO to apply to the APP_XML Notepad group that contains only computers, and linking the GPO to the Client Computers OU. Why is this approach advantageous for deploying most software? What would be the disadvantage of scoping software deployment to users rather than to computers?
Answer: Most software is licensed per computer, so it is important to deploy such applications scoped to computers, rather than to users. The result is the same: the application is deployed to the computers of the users who require the application. If you were to deploy an application to users, it would "follow" the users to whichever computers they logged on to. For example, if a user is logged on to a conference room computer or to a colleague's computer, the application would be installed on those computers as well. By scoping to a group of computers, and linking the GPO to a high-level OU (or even to the domain), you get maximum flexibility to deploy the application to whichever computers require it.
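The least-privilege layout these two answers describe (root restricted to Administrators and SYSTEM, per-application subfolder readable by its APP_ group, reached through the default traverse right), as an added PowerShell example that is not part of the lab's own steps; it applies the layout and then audits the tree for ACEs that break the model. The path C:\Software and the group CONTOSO\APP_XML Notepad follow the lab; the function names and the write-rights mask used by the audit are assumptions.

```powershell
# Added example, not part of the course materials: apply the least-privilege ACL layout
# from the lab with PowerShell instead of the Explorer dialogs, then audit the tree for
# ACEs that break the model. Assumptions: the share root is C:\Software on NYC-SVR1,
# application groups follow the lab's APP_<name> naming, the domain is CONTOSO, and the
# script runs elevated as an administrator (Set-Acl needs it).

function New-InheritableRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    # Equivalent to "This folder, subfolders and files" in Advanced Security Settings.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-SoftwareRootAcl {
    param([string]$Root = 'C:\Software')
    $acl = Get-Acl -Path $Root
    # Disable inheritance and drop the inherited ACEs. This removes the default
    # Users (create files/folders, read) and CREATOR OWNER (full control) entries
    # that the lab steps remove one by one in the dialog.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    # Only administrators (who add packages) and the OS itself keep access to the root.
    $acl.AddAccessRule((New-InheritableRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-InheritableRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    Set-Acl -Path $Root -AclObject $acl
}

function Add-ApplicationFolder {
    param(
        [string]$Root = 'C:\Software',
        [Parameter(Mandatory)][string]$AppName,
        [Parameter(Mandatory)][string]$AppGroup   # e.g. 'CONTOSO\APP_XML Notepad'
    )
    $folder = Join-Path $Root $AppName
    if (-not (Test-Path $folder)) { $null = New-Item -Path $folder -ItemType Directory }
    $acl = Get-Acl -Path $folder
    # The subfolder inherits Administrators/SYSTEM Full Control from the root and adds
    # Read & Execute for the one group allowed to install this application. Its members
    # still reach the subfolder through the default "Bypass traverse checking" right,
    # even though they have no permission on C:\Software itself.
    $acl.AddAccessRule((New-InheritableRule $AppGroup 'ReadAndExecute'))
    Set-Acl -Path $folder -AclObject $acl
    $folder
}

function Test-SoftwareShareAcl {
    param([string]$Root = 'C:\Software')
    # Detection: report any Allow ACE on the tree that does not fit the model, i.e. a
    # broad identity of any kind, or write-class rights granted to a non-administrator.
    $broad  = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'CREATOR OWNER'
    $admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $items = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $grantsWrite = ([int]($ace.FileSystemRights -band $writeBits)) -ne 0
            if (($broad -contains $id) -or (($admins -notcontains $id) -and $grantsWrite)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (on the server, elevated), mirroring the lab:
#   Set-SoftwareRootAcl
#   Add-ApplicationFolder -AppName 'XML Notepad' -AppGroup 'CONTOSO\APP_XML Notepad'
#   Test-SoftwareShareAcl      # no output means the tree matches the model
```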
Module Review and Takeaways

- Review Questions
- Common Issues Related to Group Policy Management
- Real-World Issues and Scenarios
- Best Practices Related to Group Policy Management
- Tools

Review Questions
1. What is the benefit of having a Central Store?
Answer: The Central Store is a single folder in SYSVOL that holds all the .ADMX and .ADML files that are required. After you have set up the Central Store, the GPME recognizes it and loads all administrative templates from the Central Store instead of from the local machine.
2. What is the main difference between Group Policy settings and Group Policy preferences?
Answer: A GPO setting enforces a setting on the client side and disables the client interface for modifying it, whereas a Group Policy preference provides the setting but still allows the client to modify it.
3. What is the difference between publishing and assigning software through GPSI?
Answer: If you assign software to a user or computer, it is installed without asking the user whether they want to install it. Publishing software allows the user to decide whether the software is installed.

Common Issues Related to Group Policy Management
Real-World Issues and Scenarios
You have a number of logon scripts that map network drives for users. Not all users need these drive mappings, so you must ensure that only the right users get the mappings. You want to move away from using these scripts.
Answer: You can achieve this by using Group Policy preferences. There is an option to configure drive mapping, and you can use Preferences Targeting to distribute the right mappings to the appropriate users.

Best Practices Related to Group Policy Management
- Make comments on GPO settings
- Use the Central Store for administrative templates when you have clients with Windows Vista and Windows 7
- Use Group Policy preferences to configure settings not available in the Group Policy set of settings
- Use Group Policy Software Installation to deploy packages in .msi format to a large number of users or computers

Issue: Group Policy preferences are not being applied.
Troubleshooting tip: Check the preference settings for item targeting or incorrect configuration.
Issue: Group Policy Software Installation does not work for some users.
Troubleshooting tip: Check the security settings on the network share where the software installation package resides, and check the scoping of the Group Policy Object.
Module 6: Implementing a Group Policy Infrastructure (notes page overflow)

Tools
Tool       | Use for                                                                                                 | Where to find it
RSoP       | Group Policy reporting: reporting information about the current policies being delivered to clients     | Group Policy Management Console
GPResult   | A command-line utility that displays RSoP information                                                   | Command-line utility
GPUpdate   | Refreshing local and AD DS-based Group Policy settings                                                  |
Dcgpofix   | Restoring the default Group Policy objects to their original state after initial installation           |
GPOLogView | Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions. |
Course 6425C, Module 08: Managing Enterprise Security and Configuration with Group Policy Settings

Presentation: 60 minutes
Lab: 90 minutes
Module Goal: Explain common business scenarios in which change and configuration management can be implemented by using specific Group Policy settings.

Objectives
After completing this lesson, you will be able to:
- Delegate the support of computers.
- Manage security settings.
- Describe the purpose and functionality of auditing.
- Describe the purpose of Software Restriction Policy and AppLocker.

Preparation for Demonstrations
To prepare for demos in this module:
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.
3. Run the Active Directory Users and Computers snap-in with administrative credentials (Pat.Coleman_Admin with the password Pa$$w0rd).
Module 08 (notes page overflow)

Module Lab Goal: Provide solid, hands-on experience with the scenarios presented in this module.
Module Lab Scenario: Contoso's enterprise IT project portfolio for this year includes improving the security, compliance, and manageability of the Windows® environment. Due to budget cuts, you must deliver the requirements of those projects without third-party tools. Your manager has asked you, instead, to capitalize on the company's existing investment in Active Directory®.
Preparation for Labs: The labs have dependencies on each other, so students should not shut down the virtual machines after each lab. If you wish to prepare for them now and save the time taken for startup, ask students to start the virtual machines now. The virtual machines used in Lab A are 6425C-NYC-DC1, 6425C-NYC-SVR1, and 6425C-NYC-CL1.
Module Overview

- Manage Group Membership by Using Group Policy Settings
- Manage Security Settings
- Auditing
- Software Restriction Policy and AppLocker
Lesson 1: Manage Group Membership by Using Group Policy Settings

- What Are Restricted Groups?
- Demonstration: Delegate Administration by Using Restricted Groups Policies
- Define Group Membership with Group Policy Preferences
What Are Restricted Groups?

Restricted Groups policies enable you to manage the membership of groups
- Member Of policy: for a domain group, specify its membership in a local group. Cumulative.
- Members policy: for a local group, specify its members (groups and users). Authoritative.

Notes: First, ensure that students understand the scenarios in which restricted Group Policy objects (GPOs) provide value. Then, explain the two policy settings. Emphasize that the Member Of policy setting is cumulative and the Members policy setting is authoritative. Interestingly, if you use both Members and Member Of policy settings, the resultant set of policy is that the precedent Members policy defines the authoritative baseline membership of the group, and then any members added to the group using Member Of policy settings are still added. Also mention that you can configure the membership of domain groups by simply configuring a Restricted Groups setting in the Default Domain Controllers Policy.
Demonstration: Delegate Administration by Using Restricted Groups Policies

In this demonstration, you will see how to:
- Add a domain support group to the local Administrators group of client computers
- Define the authoritative membership of the local Administrators group of client computers

Demonstrate the MEMBER OF version
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
2. On NYC-DC1, click Start, point to Administrative Tools, and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
4. Right-click the Group Policy Objects container, and then click New.
5. In the Name box, type Corporate Help Desk, and then click OK.
6. In the details pane, right-click Corporate Help Desk, and then click Edit. The Group Policy Management Editor appears.
7. In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
8. Right-click Restricted Groups and click Add Group.
9. Click Browse and, in the Select Groups dialog box, type the name of the group you want to add to the Administrators group, for example CONTOSO\Help Desk, and click OK.
10. Click OK to close the Add Group dialog box. A Properties dialog box appears.
11. Click Add next to the This group is a member of section.
12. Type Administrators, and click OK. The Properties group policy setting should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
13. Click OK again to close the Properties dialog box.
Reinforce that this policy setting does not remove any existing members of the group, and that if multiple GPOs configure different security principals as members of the local Administrators group, all of them will be members.
<continued>
Demonstrate the MEMBERS version
1. In Group Policy Management Editor, go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
2. Right-click Restricted Groups, and click Add Group.
3. Type Administrators, and click OK. A Properties dialog box appears.
4. Click Add next to the Members Of This Group section.
5. Click Browse and enter the name of the group you want to make the sole member of the Administrators group, for example CONTOSO\Help Desk, and click OK.
6. Click OK again to close the Add Member dialog box. The group policy setting Properties should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
7. Click OK again to close the Properties dialog box.
Reinforce that this policy setting defines the final membership of the specified local group. If multiple GPOs configure this setting, only the setting from the GPO with the highest precedence wins. All other members not defined by that GPO's Members setting are removed, except for the local Administrator account.
Define Group Membership with Group Policy Preferences

- Create, delete, or replace a local group
- Rename a local group
- Change the description
- Modify group membership
- Local Group preferences are available in both Computer Configuration and User Configuration

Discussion Questions
Question: Why might you want to add the currently logged on user?
Answer: While it is not best practice for a user to be logged on as a member of the local Administrators group, there are still applications and functions that require administrative privileges to function properly. In these situations, you might want to allow a user to be a member of the local Administrators group on computers to which the user logs on. As a tip, you can implement the Delete All Member Users option and the At The Current User option. When the preference is processed, all existing user accounts are removed from the group first, and then the current user is added. The user must then log off and log on, at which point the user becomes a member of Administrators. During the next logon policy refresh, the Delete All Member Users setting removes the user's account, and then re-adds it. So, the user remains a member of Administrators as long as the user is within the management scope of the GPO.
Question: In what scenario might you want to modify the membership of the local Administrators group of a computer by using a Local Group preference in the User Configuration node of a GPO that scopes the preference not to specific computers, but to specific users?
Answer: Answers will vary. This is a fairly advanced question, but here's the scenario: There is a support organization dedicated to helping specific users, such as an Executive Support team that is on call to support executives of an organization. In this administrative model, when an executive has a problem, the Executive Support team should be a member of the Administrators group on whichever machine the executive is logged on. So, the definition of who should be in the Administrators group (Executive Support) should "follow" the executive users rather than be locked (scoped) to a specific set of computers.

Reference: Group Policy Management Console Help, "Local Users and Groups Extension"
Lab A: Use Group Policy to Manage Group Membership

Exercise 1: Configure the Membership of Administrators by Using Restricted Groups Policies

Scenario
You have been asked by the corporate security team to lock down the membership of the Administrators group on client computers. However, you need to provide the centralized help desk with the ability to perform support tasks for users throughout the organization. Additionally, you must empower the local site desktop support team to perform administrative tasks for client computers in that site.

Exercise: In this exercise, students will use Group Policy to delegate the membership of the Administrators group. They will first create a GPO with a restricted groups policy setting that ensures that the Help Desk group is a member of the Administrators group on all client systems. They will then create a GPO that adds the SEA Support group to Administrators on clients in the SEA OU. Finally, they will confirm that in the SEA OU, both the Help Desk and SEA Support groups are administrators.
NOTE: Do not shut down the virtual machines after you finish this lab, as the settings you have configured here will be used in subsequent labs.

Logon information
Virtual machine 6425C-NYC-DC1: logon user name Pat.Coleman
Virtual machine 6425C-NYC-CL1: Do not Logon
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 15 minutes
Lab Review

Using only restricted groups policies, what should you do to ensure that the only members of the local Administrators group on a client computer are the Help Desk and the site-specific Support group, and to remove any other members from the local Administrators group?

Notes: Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: Using only restricted groups policies, what should you do to ensure that the only members of the local Administrators group on a client computer are the Help Desk and the site-specific Support group, and to remove any other members from the local Administrators group?
Answer: This is a bit of a tricky question and requires some creative thinking. You can configure a Members policy setting for the Administrators group that adds the Administrator account. This would have the effect of cleaning out all other group members, and of course the Administrator account is already a member of the Administrator forest and cannot be removed. Then, you can configure restricted group policy settings for the Help Desk and the site-specific Support groups, as you did in the lab. Alternately, you could use a Local Group preference configured to delete all member users and groups.
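The Members/Member Of resolution rule from the demonstration and this review answer, as an added PowerShell example that is not part of the course materials: it models the resultant membership for an ordered list of GPOs and then compares the model with a client's actual Administrators group through the ADSI WinNT provider. The GPO names, the sample starting membership and the NYC-CL1\Administrator account name are assumptions; Help Desk and SEA Support are the lab's groups.

```powershell
# Added example, not part of the course materials: model how Restricted Groups settings
# resolve for a local group (the highest-precedence Members setting is authoritative,
# every Member Of setting is cumulative, the local Administrator account is never
# removed), then compare the model with the real membership of a client's
# Administrators group. Assumptions: GPO names, the sample starting membership and the
# NYC-CL1\Administrator account name are made up; Help Desk and SEA Support are the
# lab's groups.

function Resolve-RestrictedGroup {
    param(
        [string[]] $CurrentMembers,        # membership before Group Policy applies
        [object[]] $Policies,              # hashtables, ordered highest precedence first
        [string]   $LocalAdminAccount = 'NYC-CL1\Administrator'
    )
    # Each policy looks like @{ Gpo = 'name'; Members = @(...) or $null; MemberOf = @(...) }
    $authoritative = $Policies | Where-Object { $null -ne $_.Members } | Select-Object -First 1
    if ($null -ne $authoritative) {
        # Only the winning Members setting defines the baseline; everything else is
        # removed, including Domain Admins if it is not listed.
        $result = @($authoritative.Members) + $LocalAdminAccount
    } else {
        $result = @($CurrentMembers)
    }
    # Member Of additions from every GPO survive, even when a Members setting emptied the group.
    foreach ($p in $Policies) {
        if ($p.MemberOf) { $result += @($p.MemberOf) }
    }
    $result | Sort-Object -Unique    # membership is a set; Sort-Object compares case-insensitively
}

function Get-LocalGroupMembership {
    param([string]$ComputerName = $env:COMPUTERNAME, [string]$Group = 'Administrators')
    # The ADSI WinNT provider needs no extra module and works on older clients too.
    $g = [ADSI]"WinNT://$ComputerName/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://CONTOSO/Help Desk for domain principals and
        # WinNT://CONTOSO/NYC-CL1/Administrator for local ones; keep the last two segments.
        $parts = ($path -replace '^WinNT://', '').Split('/')
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Compare-AdminMembership {
    param([Parameter(Mandatory)][string[]]$Expected, [string]$ComputerName = $env:COMPUTERNAME)
    $actual = @(Get-LocalGroupMembership -ComputerName $ComputerName)
    [pscustomobject]@{
        Computer   = $ComputerName
        Unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })  # drift to investigate
        Missing    = @($Expected | Where-Object { $actual   -notcontains $_ })  # policy not applied yet?
    }
}

# Worked example mirroring the review answer: an authoritative Members setting that keeps
# only the Administrator account, plus the lab's two cumulative Member Of settings.
$policies = @(
    @{ Gpo = 'Corporate Help Desk'; Members = @('NYC-CL1\Administrator'); MemberOf = @('CONTOSO\Help Desk') }
    @{ Gpo = 'SEA Support';         Members = $null;                       MemberOf = @('CONTOSO\SEA Support') }
)
$before   = @('NYC-CL1\Administrator', 'CONTOSO\Domain Admins', 'NYC-CL1\LocalTech')
$expected = Resolve-RestrictedGroup -CurrentMembers $before -Policies $policies
$expected
Compare-AdminMembership -Expected $expected -ComputerName 'NYC-CL1'
```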
Lesson 2: Manage Security Settings

- What Is Security Policy Management?
- Configure the Local Security Policy
- Manage Security Configuration with Security Templates
- Demonstration: Create and Deploy Security Templates
- Security Configuration Wizard
- Settings, Templates, Policies, and GPOs
What Is Security Policy Management?

Enterprise IT Security Policy: security configuration settings
Manage security configuration
- Create the security policy
- Apply the security policy to one or more systems
- Analyze security settings against the policy
- Update the policy, or correct the discrepancies in the system
Tools
- Local Group Policy and Domain Group Policy
- Security Templates snap-in
- Security Configuration Wizard

Notes: Use this slide to set up the broad concept of this lesson: The goal of an IT pro is to ensure that systems are secure, and in the end that means configuring a security policy that is made up of a number of security settings. Help students understand that security for security's sake provides no value. All security configuration should arise out of a set of business-level security requirements, defined in an IT security policy and information management policy. Just implementing someone else's security checklist does not produce security that's right for your enterprise. In fact, the defaults on Windows Server 2008 are quite secure. You must understand your security requirements before designing the security configuration.
Inform students that the goal of this lesson is to understand the mechanisms with which you can manage security settings more effectively. We're not going to worry too much in this lesson about specific settings, their functionality, or their value. Later lessons and modules will address how to secure various aspects of a Windows environment, including administration, authentication, and file system access. This lesson is about the variety of tools you can use to define and deploy security settings—whatever those settings are to you and your enterprise.
Configure the Local Security Policy

Local Security Policy ... Domain Group Policy (the slide shows these as the two ends of a spectrum)

Notes: Don't spend too much time on this slide. You're simply pointing out that local Group Policy is an option for configuring security policy, but it's not manageable. The visual on this slide, and the text in the Student Manual, start with the Local Security Policy. Discuss the fact that the Local Security Policy allows you to configure many, but not all, security settings. Local Security Policy does not, for example, do anything to file system or registry access control lists (ACLs). You need to "lock down" ACLs using the Security Settings dialog box (the "Security tab" of a file, folder, or registry key properties dialog box).
Module 6 discussed local group policy, and posed the question, "Why would you use it?" If you are working with workgroup (not domain) computers, or if you want to ensure that a computer meets a certain level of compliance before it joins the domain, then the Local Security Policy is valuable. But as soon as a system is a member of a domain, local security policy is as far from "manageable" as possible: there's no central configuration capability for local security policy.
On the other end of the spectrum is domain Group Policy, which of course is centralized and, as seen in the figure, exposes a number of additional settings including file system and registry ACLs.
The rest of this lesson fills in the "middle" of this spectrum. You will be showing students how to create Group Policies that are based on the configuration of a server, and how to analyze a server to see whether it remains in compliance with domain policy. It's very important that students understand that this is where they will be "working" in this lesson. That way, they have some perspective as they learn more about security templates and the Security Configuration Wizard. Each of these options produces ways of managing security settings that fall between local and domain policy, and each option allows you to promote a collection of settings to a domain-level configuration policy managed with Group Policy.

Reference: Server Security Policy Settings:
Manage Security Configuration with Security Templates
Course 6425C Manage Security Configuration with Security Templates Module 08: Managing Enterprise Security and Configuration with Group Policy Settings Settings are a subset of domain GPO settings but different than local GPO Security Templates Plain text files Can be applied directly to a computer Security Configuration and Analysis Secedit.exe Can be deployed with Group Policy Can be used to analyze a computer's current security settings against the security template's Although local Group Policy allows you to configure security settings, Security Templates are the first option we discuss that help you manage security policy. Explain that security templates have been around since Windows 2000 Server and really haven't changed at all. So some students might be familiar with them. However, many IT pros never learned about security templates even in Windows 2000 days, so for most students, this will be new information. Explain that security templates are a plain text file that defines security settings. That file—the "template"— can be used to configure the security of one or more computers by manually applying the template; or the template can be used to specify the security settings of a GPO, in which case the settings are applied to any system within the scope of the GPO. Finally, explain the fact that security templates can be used to compare a computer's actual configuration to the desired configuration defined in the template.
Demonstration: Create and Deploy Security Templates
In this demonstration, you will see how to:
Build a custom MMC with the Security Templates snap-in
Create a security template
Import the template into the Security Settings node of a GPO

Demonstrate the creation and deployment of a security template. Explain to students that it's important they understand that this is an option, because there may be scenarios they encounter in production or on the exam that lend themselves to Security Templates. However, the Windows Server 2008 Security Configuration Wizard is generally a better way to create and deploy a security policy.

Demonstration Steps
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.
3. Click Start and in the search box, type mmc.exe and press Enter. When prompted, supply administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
4. Click File, and then click Add/Remove Snap-in.
5. In the Available snap-ins list, select Security Templates, then click Add.
6. Click OK.
7. Click File, and then click Save. The Save As dialog box appears.
8. Type C:\Security Management, and then press Enter.
9. In the console tree, expand Security Templates.
10. Right-click C:\Users\Pat.Coleman_Admin\Documents\Security\Templates, and then click New Template.
11. Type DC Remote Desktop, and then click OK.
12. Click Start, point to Administrative Tools and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
13. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
14. In the details pane, right-click the Corporate Help Desk, and then click Edit. The Group Policy Management Editor appears.
15. In the console tree, expand Computer Configuration, Policies, Windows Settings, and then click Security Settings.
16. Right-click Security Settings, and then click Import Policy.
17. Select the DC Remote Desktop template, and then click Open.
Security Configuration Wizard
Security policy: An .xml file that configures
Role-based service configuration
Network security, including firewall rules
Registry values
Audit policy
Can incorporate a security template (.inf)

Create the policy
Edit the policy
Apply the policy
Roll back the policy
Transform the policy into a GPO: scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"

Discuss or, better yet, demonstrate the Security Configuration Wizard (SCW). Points to make:
The SCW is the "next generation" security management tool, the successor to the Security Configuration And Analysis tool. As such, Microsoft has enhanced the functionality but some of the concepts remain the same. Draw parallels between the security template/database and the security policy. Point out that a security template is an .inf file whereas the newer security policy is an XML file.
The SCW is role-based and makes recommendations by using a set of defined rules for various server roles. The SCW scans a server and produces a set of baseline settings based on that server's role. You can then modify the settings and save the result as a security policy.
The settings scanned and baselined by the SCW include services, registry settings, audit policy, and firewall rules.
An SCW policy can incorporate a security template. Ask students why this would be helpful. The answer is that security templates can define settings not considered by the SCW, including file system ACLs, restricted groups, and local policies. Any settings that conflict between the SCW's settings and those defined in an imported template are resolved in favor of the SCW's settings.
The SCW allows you to roll back an applied policy.
You can transform a security policy into a GPO using the scwcmd command. This requires that you are logged on as a domain administrator.

Reference Security Configuration Wizard:
Settings, Templates, Policies, and GPOs
Direct configuration of security-related settings: Local Security Policy
Security templates: .inf files that define a wide variety of security settings. Tools: Security Templates, Security Configuration and Analysis. Import into a GPO.
Security policies: .xml files that define role-based service startup, firewall rules, audit policies, and registry settings. Can include security templates. Tools: Security Configuration Wizard or scwcmd.exe. Transform into a GPO by using scwcmd.
Modify GPO

Wrap up the discussion of security policy management by reviewing the tools and options available to administrators. Point out that in the rapidly evolving area of security policy management, there's no one tool that addresses all scenarios.
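The following script is an added example, not part of Course 6425C, that walks the whole spectrum described above from PowerShell: it writes the "DC Remote Desktop" template as a plain-text .inf file, analyzes a server against it with secedit.exe before changing anything, applies only the user-rights area, and finally hands off to scwcmd transform so the same settings end up in a GPO. It assumes the group CONTOSO\SYS_DC Remote Desktop from Lab B exists, that the script runs elevated on the server being checked, and that the SCW policy path and GPO name (placeholders here) match what you produced in the wizard. The "Mismatch" wording searched for in the secedit log is an assumption about the log format; check it against your own build.

```powershell
# Added example (not Course 6425C material): template -> analyze -> configure -> GPO.
# Assumptions: CONTOSO\SYS_DC Remote Desktop exists; running elevated on the server.
$work     = 'C:\Security Management'            # folder created in the demonstration
$template = Join-Path $work 'DC Remote Desktop.inf'
$db       = Join-Path $work 'DC Remote Desktop.sdb'
$log      = Join-Path $work 'secedit.log'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Resolve the delegated group to a SID so the template does not depend on name
# resolution at apply time. [Privilege Rights] entries take "*<SID>" or an account name.
$group = New-Object System.Security.Principal.NTAccount('CONTOSO', 'SYS_DC Remote Desktop')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value

# A template is plain text, so it can be generated, diffed and version-controlled.
# Keeping BUILTIN\Administrators (S-1-5-32-544) in the list avoids locking admins out;
# every principal not listed loses the right, which is the point of the lock-down.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*$sid
"@
Set-Content -Path $template -Value $inf -Encoding Unicode

# 1. Analyze: compare the live configuration with the template. Nothing is changed.
#    secedit reports differences in the log; lines containing "Mismatch" are the
#    drift report (assumption about the log wording; verify once on your own build).
secedit.exe /analyze /db $db /cfg $template /log $log
$drift = Select-String -Path $log -Pattern 'Mismatch'
if ($drift) {
    Write-Host 'Server differs from the template:'
    $drift | ForEach-Object { Write-Host "  $($_.Line.Trim())" }
}

# 2. Configure: apply only the user-rights area of the template to this computer.
#    /overwrite discards whatever the database held from earlier runs.
secedit.exe /configure /db $db /cfg $template /areas USER_RIGHTS /overwrite /log $log

# 3. Promote to Group Policy. The SCW policy (built in the wizard with this .inf
#    included) is transformed into a GPO; path and GPO name are placeholders.
#    scwcmd transform must run as a domain administrator (see the slide above).
$policy = Join-Path $work 'DC Security Policy.xml'
if (Test-Path $policy) {
    scwcmd.exe transform /p:"$policy" /g:"Domain Controller Security Policy"
}
```

Run the analyze step on its own first: a clean "Mismatch" list is the evidence that a server is still in compliance, and a non-empty one tells you exactly which setting drifted before you decide whether to re-apply or to investigate who changed it.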
Lab B: Manage Security Settings
Exercise 1: Manage Local Security Settings
Exercise 2: Create a Security Template
Exercise 3: Use the Security Configuration Wizard

Scenario
You are an administrator of the contoso.com domain. To secure the directory service, you want to establish a security configuration to apply to domain controllers that, among other things, specifies who can log on to domain controllers by using Remote Desktop to perform administrative tasks.

Exercise 1
In this exercise, students will create a group that allows the contoso.com domain to manage who is allowed to log on to NYC-DC1, a domain controller, using Remote Desktop. They will do so by configuring security settings directly on NYC-DC1.

Exercise 2
In this exercise, students will create a security template that gives the SYS_DC Remote Desktop group the right to log on using Remote Desktop.

Exercise 3
In this exercise, students will use the Security Configuration Wizard to create a security policy for domain controllers in the contoso.com domain based on the configuration of NYC-DC1. They will then convert the security policy into a GPO, which could then be deployed to all domain controllers by using Group Policy.

NOTE: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in subsequent labs.

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 30 minutes
Lab Scenario
You are an administrator of the contoso.com domain. To secure the directory service, you want to establish a security configuration to apply to domain controllers that, among other things, specifies who can log on to domain controllers by using Remote Desktop to perform administrative tasks.
Lab Review
Describe the relationship between security settings on a server, Local Group Policy, security templates, the database used in Security Configuration and Analysis, the security policy created by the Security Configuration Wizard, and domain-based Group Policy.

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: Describe a situation where you would use both security templates and the Security Configuration Wizard to secure a server.
Answer: Security templates contain some settings that are not available to the Security Configuration Wizard, such as restricted groups, for example. If you need to incorporate these additional settings, you can import a configured security template into the Security Configuration Wizard, and convert it to a GPO.
Lesson 3: Auditing
Overview of Audit Policies
Specify Auditing Settings on a File or a Folder
Enable Audit Policy
Evaluate Events in the Security Log

Inform students that they will learn two things in this lesson:
1. How to configure audit policy and view audit events in the security logs.
2. How to audit access to files and folders.
The concepts and procedures (#1) apply to auditing access to files and folders (#2), and to other types of auditing as well. In later modules, the same concepts and procedures will be used to audit authentication and directory service changes. This is just the students' first foray into auditing.
Overview of Audit Policies
Audit events in a category of activities
Access to NTFS files/folders
Account or object changes in Active Directory
Logon
Assignment or use of user rights
By default, domain controllers audit success events for most categories
Goal: Align audit policies with corporate security policies and reality
Over-auditing: Logs are too big to find the events that matter
Under-auditing: Important events are not logged
Tools that help you consolidate and crunch logs can be helpful

Spend some time talking about the concepts and procedures related to auditing. At a bare minimum, you should configure audit policies (according to your business/security requirements) and then monitor the security event logs. However, some types of auditing require an additional step: configuring the system ACL (SACL) to specify exactly what activities should be audited. For example, file and folder access requires configuring the Object Access audit policy and specifying, on the Auditing tab of the Advanced Security Settings dialog box, exactly which success and failure events should be audited.

Be certain that students understand the dangers of both under- and over-auditing, and that they see the value in aligning audit policy with the (preferably written) IT security and usage policies of their organization. If students start discussing compliance and regulations such as Sarbanes-Oxley (SOX), it's important to remind them that few if any regulations actually specify what needs to be audited. They simply require an organization to have controls in place. They don't dictate exactly what those controls should be. For obvious reasons, organizations err on the "over auditing" side when they are subject to oversight and regulation, but it is important not to go overboard!
Specify Auditing Settings on a File or a Folder
Modify the system access control list (SACL): Properties, Advanced, Auditing, Edit

Explain that there are three steps to auditing file and folder access in Windows Server 2008:
1. Specify auditing settings on the files and folders (this slide)
2. Enable audit policy for object access (next slide)
3. View audit events in the security log (following slide)
Obviously you can't view events in the security log until the first two steps are complete, but there is no "correct order" to the first two steps. Both have to be completed, in any order, before audit events are logged.
Enable Audit Policy
Enable auditing for Object Access: Success and/or Failure
GPO must be scoped to the server
Success/Failure policy setting must match auditing settings (success/failure)

The second step is enabling audit policy. Ensure that students understand that audit policy and auditing settings (SACL) are completely independent, and that they must "agree" (for example on success/failure) in order for audit events to be generated.
Note: AuditPol.exe can also be used to manage audit policy.
Evaluate Events in the Security Log
Security Log Summary
Audit Object Access policy must be enabled to audit Success or Failure
GPO must be scoped to the server
SACL must be configured to audit successful or failed access
Security Log must be examined

Auditing access to objects such as files and folders requires three components. First, the Audit Object Access policy must be enabled and configured to audit Success or Failure events as appropriate for the scenario. Second, the SACL of the object must be configured to audit successful or failed access. Third, you must examine the Security log. The audit policy is often managed using a GPO, so the GPO must be scoped to apply to the server with the file or folder, which is usually a file server rather than a domain controller.
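As an added example (not part of Course 6425C), the script below performs the three components of the procedure on a single file server from PowerShell, using the Lab C scenario: a Confidential Data folder that the Consultants group must not reach. It sets a failure-only SACL on the folder, enables the matching Failure setting for the File System subcategory with auditpol.exe (standing in for the GPO setting; in production the policy comes from a GPO scoped to the file servers), and then reads back Object Access failure events from the Security log. The folder path D:\Confidential Data and the group CONTOSO\Consultants are assumptions; the event IDs 4656 (handle requested) and 4663 (object accessed) are the standard Object Access events.

```powershell
# Added example (not Course 6425C material). Assumptions: run elevated on the file
# server, D:\Confidential Data exists, and CONTOSO\Consultants is a domain group.
$folder      = 'D:\Confidential Data'
$consultants = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Consultants')

# Component 1: the SACL on the object. Audit failed read/execute attempts by
# Consultants on the folder and everything below it. The DACL already denies them,
# so every attempt they make produces a failure event rather than a success.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $consultants, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Component 2: the audit policy. Failure here must match the Failure flag in the
# SACL; with Success only, or with auditing left unconfigured, nothing is logged.
auditpol.exe /set /subcategory:"File System" /failure:enable

# Component 3: the Security log. Keyword 0x10000000000000 is "Audit Failure", so the
# filter returns only failed attempts; the ObjectName field narrows them to the folder.
function Get-FailedFolderAccess {
    param(
        [string]$Path,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656, 4663
        Keywords  = 0x10000000000000      # Audit Failure
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object  = $data['ObjectName']
                Process = $data['ProcessName']
            }
        }
    }
}

Get-FailedFolderAccess -Path $folder | Format-Table -AutoSize
```

Parsing the EventData fields rather than matching on the rendered message text keeps the query stable across locales, and filtering on ObjectName is what turns the raw Object Access firehose into the handful of events the lab scenario actually cares about.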
Lab C: Audit File System Access
Exercise 1: Configure Permissions and Audit Settings
Exercise 2: Configure Audit Policy
Exercise 3: Examine Audit Events

Scenario
In this lab, you will configure auditing settings, enable audit policies for object access, and filter for specific events in the Security log. The business objective is to monitor a folder containing confidential data that should not be accessed by users in the Consultants group.

Exercise 1
In this exercise, students will configure permissions on the Confidential Data folder to deny access to consultants. You will then enable auditing of attempts by consultants to access the folder.

Exercise 2
In this exercise, students will enable auditing of file system access on file servers using Group Policy.

Exercise 3
In this exercise, students will generate audit failure events, then examine the resulting security event log messages.

Logon information
Virtual machine: 6425C-NYC-DC1, 6425C-NYC-CL1, 6425C-NYC-SVR1
Logon user name: Pat.Coleman, Pat.Coleman and Mike.Danseglio
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 30 minutes
Lab Scenario
In this lab, you will configure auditing settings, enable audit policies for object access, and filter for specific events in the Security log. The business objective is to monitor a folder containing confidential data that should not be accessed by users in the Consultants group.
Lab Review
What are the three major steps required to configure auditing of file system and other object access?
What systems should have auditing configured? Is there a reason not to audit all systems in your enterprise?
What types of access should be audited, and by whom should they be audited? Is there a reason not to audit all access by all users?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: What are the three major steps required to configure auditing of file system and other object access?
Answer: The three major steps are:
1. Configure auditing settings on the file/folder SACL.
2. Enable audit policy for object access in a GPO scoped to the server.
3. Examine event log audit entries.

Question: What systems should have auditing configured? Is there a reason not to audit all systems in your enterprise? What types of access should be audited, and by whom should they be audited? Is there a reason not to audit all access by all users?
Answer: Auditing should reflect IT security and usage policies. Auditing not only puts a (small) burden on performance of a system, but also generates excessive "noise" that can make finding the "important" events even harder. What, who, and when auditing is performed should be aligned with why auditing is being performed, as driven by your business requirements.
Lesson 4: Software Restriction Policy and AppLocker
What Is a Software Restriction Policy?
Overview of Application Control Policies
Compare AppLocker and Software Restriction Policies
Demonstration: How to Configure Application Control Policies
What Is a Software Restriction Policy?
SRPs allow administrators to identify which applications are allowed to run on client computers
SRPs can be based on the following:
Hash
Certificate
Path
Zone
SRPs are applied through Group Policy

Introduce Software Restriction Policies (SRPs) as the legacy solution for managing application execution. Introduce its basic functionality and key components. This slide is intended only to define and explain SRPs. Do not go into much detail about SRP vs. AppLocker, as this will be covered in a later slide.

Ensure that students understand the concept of applying security levels both at the default security level and to individual SRP rules. Explain how these two areas combine to provide two different environments:
No applications can run unless allowed by SRP.
All applications can run unless restricted by SRP.

Reference Using Software Restriction Policies to Protect Against Unauthorized Software
Overview of Application Control Policies
Application Control Policies are applied in Windows Server 2008 R2 and Windows 7 by using AppLocker
AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs
Benefits of AppLocker:
Controls how users can access and run all types of applications
Allows the definition of rules based on a wide variety of variables
Provides for importing and exporting entire AppLocker policies

Introduce AppLocker as the replacement for SRP in Windows Server 2008 R2 and Windows 7. List the benefits that AppLocker provides and how it is generally applied in a Windows Server 2008 and Windows 7 environment. Highlight its capability to define specific sets of rules based on user account or security group membership. Also explain that it allows for a very fine definition of application variables when creating rules.

References
AppLocker Overview
AppLocker Walkthrough
Compare AppLocker and Software Restriction Policies
Feature | SRP | AppLocker
Rule scope | Specific user or group (per GPO) | Specific users or groups (per rule)
Rule conditions provided | File hash, path, certificate, registry path, Internet zone | File hash, path, publisher
Rule types provided | Allow and Deny | Allow and Deny
Default rule action | | Implicit Deny
Audit only mode | No | Yes
Wizard to create multiple rules at one time | |
Policy import or export | |
Rule collection | |
Windows PowerShell support | |
Custom error messages | |
(Cells left empty did not survive extraction of the slide.)
Demonstration: How to Configure Application Control Policies
In this demonstration, you will see how to:
Create a GPO to enforce the default AppLocker Executable rules
Apply the GPO to the domain
Test the AppLocker rule

Demonstration Steps:
Note: You require the 6425C-NYC-DC1 and 6425C-NYC-CL1 virtual machines to complete this demonstration. Log on to the 6425C-NYC-DC1 as Contoso\Administrator, with the password Pa$$w0rd. Do not start NYC-CL1 until directed to do so.

Create a GPO to enforce the default AppLocker Executable rules.
On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.

Apply the GPO to the Contoso.com domain.
In the Group Policy Management window, expand Forest: Contoso.com.
Expand Domains.
Expand Contoso.com.
Expand Group Policy Objects.
Drag the WordPad Restriction Policy GPO on top of the Contoso.com domain container.
Click OK to link the GPO to the domain.
Close the Group Policy Management console.
Click Start, in the Search programs and files box, type cmd, and then press Enter.
In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated.

Test the AppLocker rule.
Start and then log on to the NYC-CL1 as Contoso\Alan.Brewer, with the password Pa$$w0rd.
In the Command Prompt window, type gpupdate /force, and press Enter. Wait for the policy to be updated.
Click Start, click All programs, click Accessories, and then click WordPad.
Click OK when prompted with a message.
21. Click AppLocker, and then right-click and select Properties.
22. On the Enforcement tab, under Executable rules, select the Configured check box and select Enforce rules.
23. Click OK.
24. In the Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
25. Click System Services and then double-click Application Identity.
26. In the Application Identity Properties dialog box, select the Define this policy setting check box.
27. Select Automatic under Select service startup mode, and then click OK.
28. Close Group Policy Management Editor.

Apply the GPO to the Contoso.com domain.
1. In the Group Policy Management window, expand Forest: Contoso.com.
2. Expand Domains.
3. Expand Contoso.com.
4. Expand Group Policy Objects.
5. Drag the WordPad Restriction Policy GPO on top of the Contoso.com domain container.
6. Click OK to link the GPO to the domain.
7. Close the Group Policy Management console.
8. Click Start, in the Search programs and files box, type cmd, and then press Enter.
9. In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated.

Test the AppLocker rule.
1. Start and then log on to the NYC-CL1 as Contoso\Alan.Brewer, with the password Pa$$w0rd.
2. Click Start, in the Search programs and files box, type cmd, and then press Enter.
3. In the Command Prompt window, type gpupdate /force, and press Enter. Wait for the policy to be updated.
4. Click Start, click All programs, click Accessories, and then click WordPad.
5. Click OK when prompted with a message.
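The demonstration builds the WordPad Restriction Policy through the Group Policy editor. As an added example that is not part of Course 6425C, the script below produces the equivalent policy with the AppLocker cmdlets: it reads the publisher information from wordpad.exe's signature, writes an AppLocker policy XML containing the three default Allow rules plus a publisher-based Deny rule, deploys it to the GPO in audit-only mode first, shows how to test the decision offline for Alan.Brewer, and reads the AppLocker event log (8003 = would have been blocked in audit mode, 8004 = blocked) before switching to enforcement. It assumes Windows Server 2008 R2 or later with the AppLocker and GroupPolicy modules, an elevated session on NYC-DC1, and an existing GPO named WordPad Restriction Policy; the rule names and descriptions are made up for this example.

```powershell
# Added example (not Course 6425C material). Assumptions: elevated session on
# NYC-DC1, AppLocker and GroupPolicy modules present, the GPO already exists.
Import-Module AppLocker
Import-Module GroupPolicy

$exe  = "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe"
$info = Get-AppLockerFileInformation -Path $exe
$pub  = $info.Publisher
if (-not $pub) { throw "$exe is not signed; a hash rule would be needed instead." }

# Rules keyed on the signer, not the path, so copying or renaming wordpad.exe does
# not evade them. The three default Allow rules mirror what the GUI generates;
# without them AppLocker's implicit deny would block every other executable.
$everyone = 'S-1-1-0'
$admins   = 'S-1-5-32-544'

function New-PathRule([string]$Name, [string]$Path, [string]$Sid) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Mode is "AuditOnly" or "Enabled" (the Enforcement tab in the GPO editor).
function New-WordPadPolicy([string]$Mode) {
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$(New-PathRule '(Default Rule) All files in Program Files' '%PROGRAMFILES%\*' $everyone)
$(New-PathRule '(Default Rule) All files in the Windows folder' '%WINDIR%\*' $everyone)
$(New-PathRule '(Default Rule) All files, for Administrators' '*' $admins)
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Block WordPad" Description="Replaced by the new suite" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$($pub.PublisherName)" ProductName="$($pub.ProductName)" BinaryName="$($pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$xml = Join-Path $env:TEMP 'WordPadRestriction.xml'
New-WordPadPolicy 'AuditOnly' | Set-Content -Path $xml -Encoding UTF8

# Offline check before anyone is affected: what would the policy decide for
# Alan.Brewer? Expect Denied for wordpad.exe and Allowed (default rule) for notepad.
Test-AppLockerPolicy -XmlPolicy $xml -Path $exe, "$env:WINDIR\System32\notepad.exe" -User 'contoso\Alan.Brewer' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Deploy to the GPO in audit-only mode. Clients still need the Application Identity
# service running, which the demonstration configures in the same GPO.
$gpo = Get-GPO -Name 'WordPad Restriction Policy'
Set-AppLockerPolicy -XmlPolicy $xml -Ldap "LDAP://$($gpo.Path)"

# On a client after gpupdate: 8003 = would have been blocked (audit), 8004 = blocked.
function Get-AppLockerHits([datetime]$Since = (Get-Date).AddDays(-1)) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

# Once the audit log shows only the expected 8003 hits, switch the same rules to enforcement.
New-WordPadPolicy 'Enabled' | Set-Content -Path $xml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $xml -Ldap "LDAP://$($gpo.Path)"
```

Starting in AuditOnly is the practical answer to the table's "Audit only mode" row: the 8003 events tell you which other executables the policy would have blocked before a single user is locked out, which is the check SRP cannot give you.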
Lab D: Configure Application Control Policies
Exercise 1: Configure Application Control Policies

Lab objectives: Configure Application Control Policies.

Scenario: You have been asked to ensure that a widely used application in the environment that has been recently replaced by a new software suite is no longer used at Contoso, Ltd.

Exercise 1: Configuring Application Control Policies

Logon information
Virtual machine: 6425C-NYC-DC1, 6425C-NYC-CL1
Logon user name: Pat.Coleman, Alan.Brewer
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 30 minutes
Lab Scenario
You have been asked to ensure that a widely used application in the environment that has been recently replaced by a new software suite is no longer used at Contoso, Ltd.
Lab Review
How can you permit access to only a specific set of applications for a set of computers in your environment?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: How can you permit access to only a specific set of applications for a set of computers in your environment?
Answer: Place the computers in an OU, create a GPO and link it to the OU. In the GPO, configure the default AppLocker rules to block applications. Then allow the applications you want the computers to have access to.
Module Review and Takeaways
Review Questions
Windows Server 2008 R2 Features Introduced in this Module

Review Questions
1. In what scenarios, or for what reasons, might you want to delete all members, users, or groups?
Answer: Answers will vary, but one obvious scenario would be to clean up the membership of the local Administrators group of users who have been added to the group over time, as part of an effort to implement least privilege.
2. Describe the procedure used to apply a security template to a computer.
Answer: Use the Security Configuration And Analysis snap-in to create a database. Import the template into the database, and then apply the database settings to the computer by using the Configure Computer Now command.
3. Why must AppLocker rules be defined in a GPO separate from SRP rules?
Answer: AppLocker rules are completely separate from SRP rules and cannot be used to manage pre-Windows 7 computers. The two policies are also separate. If AppLocker rules have been defined in a GPO, only those rules are applied. Therefore, define AppLocker rules in a separate GPO to ensure interoperability between SRP and AppLocker policies.

Windows Server 2008 R2 Features Introduced in this Module
Windows Server 2008 R2 feature | Description
AppLocker | Used to control how users can access and use applications
Module 09: Securing Administration
Course 6425C Module 09: Securing Administration
Presentation: 55 minutes
Lab: 60 minutes

Module Goal
Discuss advanced Active Directory® security and administration topics that help an enterprise lock down its administrative model. Experience both the well-documented and under-documented skills and best practices for securing Active Directory administration, with a focus on delegation and change auditing.

Objectives
After completing this lesson, you will be able to:
Delegate administrative permissions.
Audit Active Directory administration.

Module Exam Objectives
Creating and Maintaining Active Directory Objects: Create and apply Group Policy objects (GPOs)
Creating and Maintaining Active Directory Objects: Configure audit policy by using GPOs
Preparation for Demos
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.

Preparation for Labs
There are two labs that occur during the course of the module. Both use the same single virtual machine and the second lab has dependencies on the first, so you should ask students not to shut down the virtual machine after they complete Lab A. If you wish to save time, you can ask students to start the virtual machine at the start of the module. The virtual machines used in both labs are 6425C-NYC-DC1 and 6425C-NYC-DC2.
Module Overview
Delegate Administrative Permissions
Audit Active Directory Administration
Lesson 1: Delegate Administrative Permissions
Understand Delegation
View the ACL of an Active Directory Object
Property Permissions, Property Sets, Control Access Rights, and Object Permissions
Demonstration: Assign a Permission by Using the Advanced Security Settings Dialog Box
Understand and Manage Permissions with Inheritance
Demonstration: Delegate Administrative Tasks with the Delegation of Control Wizard
Report and View Permissions
Remove or Reset Permissions on an Object
Understand Effective Permissions
Design an OU Structure to Support Delegation
Understand Delegation
Scenario
The help desk needs to reset passwords for users and force users to change the temporary password at next logon
The help desk cannot create or delete users: Delegation is specific or granular
The help desk can reset passwords of normal user accounts, not administrative or service accounts: Delegation has a scope

Every Active Directory object has permissions.
Permissions are called Access Control Entries (ACEs)
ACEs are on the Discretionary Access Control List (DACL)
The DACL is part of the object's Access Control List (ACL)
The ACL also contains the System Access Control List (SACL)
The SACL specifies (among other things) auditing settings

This introductory slide provides students an understanding of what they are trying to accomplish with delegation, and of terminology that will be used throughout this lesson.

First, set out the example shown on the slide. Make sure students understand the business and administrative scenario that is being addressed by delegation: the need to manage and secure changes to Active Directory objects. Along the way, introduce students to the concept that delegation can be quite granular and to the term and concept of scope. Later, this understanding will help students understand the relationship between delegation and OU design.

Then, make the transition from the concept of delegation to the technical implementation: permissions on Active Directory objects. Draw the parallel to permissions on files or folders, pointing out that the concepts and terminology are identical.
View the ACL of an Active Directory Object
Ensure Advanced Features are enabled on the View menu in Active Directory Users and Computers
Properties, Security, Advanced, Edit

Demonstrate the steps shown on the slide while elaborating the following points (optional but recommended).

Continue drawing a comparison to ACLs on files and folders. Viewing the ACL on an Active Directory object is the same as viewing it on a file or folder. Right-click the object, click Properties, and then click the Security tab. Just like with a file or folder, the Security tab shows only a high-level overview of permissions. Inform students that in most cases with Active Directory permissions, the Security tab does not offer the granularity of information or functionality to make it useful. In almost every case, you should click Advanced. The Advanced Security Settings dialog box provides the information and functionality you most often require. However, even at this level, you are not seeing all of the details of each permission entry. To see the details of the permission entry, select it, and then click Edit.
Property Permissions, Property Sets, Control Access Rights, and Object Permissions
Permissions can allow (or deny) changes to a specific property
Example: Allow Write Mobile Number
Permissions can allow (or deny) changes to a property set
Example: Allow Write Phone and Mail Options
Bundle of properties: Phone and mail properties
One-click management of permissions for related properties
Permissions can allow (or deny) control access rights
Allow Change Password: Must enter old password, then new
Allow Reset Password: Enter new password (do not need old)
Permissions can allow (or deny) changes to the object
Allow Modify Permissions
Allow Create Computer Objects

Help students understand the nuances of properties, property sets, control access rights, and object permissions. Once again, it may be helpful to demonstrate the points on the slide in the Active Directory Users and Computers interface.
Demonstration: Assign a Permission by Using the Advanced Security Settings Dialog Box

In this demonstration, you will see how to delegate the help desk permission to change the password for Jeff Ford.

In this demonstration, you will show students how to delegate to the help desk group the permission to reset the password for Jeff Ford. As you set up this demonstration for students, explain that the example you are showing them is quite extreme: setting permissions on one and only one user object, and using the most complicated user interface to do so. Explain to students that in the next demonstration, you will show them how to use a simple wizard to assign permissions for all users in an OU. However, since you have just spent time exploring the Access Control List Editor interfaces, it makes sense to use those interfaces to actually assign permissions. Students will later appreciate how much complexity is masked by the Delegation Of Control Wizard.

Demonstration Steps
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
2. Click Start, point to Administrative Tools, and run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. Click the View menu and select Advanced Features.
4. Right-click an object such as a user account, and then choose Properties. For this example, use Jeff Ford, located in the User Accounts\Employees OU.
5. Click the Security tab.
6. Click the Advanced button.
7. Click the Add button. If you have User Account Control enabled, you may need to click Edit, and perhaps enter the administrative credentials, before the Add button appears.
8. In the Select dialog box, select the security principal to which permissions will be assigned. It is an important best practice to assign permissions to groups, not to individual users. In this example, select your Help Desk group, and then press ENTER. The Permission Entry dialog box appears.
9. Configure the permissions you want to assign. For this example, on the Object tab, scroll down the list of Permissions, and then click Allow: Reset password.
10. Click OK to close each dialog box.
Understand and Manage Permissions with Inheritance
Child objects inherit the permissions of the parent organizational unit or container
- Top-level OUs inherit permissions from the domain
- By default, each new object is created with the option Include Inheritable Permissions From This Object's Parent
- Not every permission is inheritable: inheritance of a permission is scoped
There are three ways to modify the effects of inheritance:
- Turn off inheritance on the child object (deselect Include Inheritable Permissions...)
- Assign an explicit permission (explicit permissions override inherited permissions)
- Change the scope of inheritance on the parent (Apply To)

Transition from the previous demonstration: assigning the help desk permission to reset passwords on each individual user object is tedious, and in Active Directory it is not a good practice to assign permissions to individual objects. Instead, you should assign permissions at the level of organizational units.

First, be sure that students understand the general concepts of inheritance: permissions on a child object can be inherited from its parent container. Inheritance is the default. Inheritance is generally a good thing, allowing you to define a security policy (an ACL) on a high-level container that is then shared by all objects within that container.

Next, show students that inheritance is the result of two things: the child object is set to include inheritable permissions from this object's parent, and the permission on the parent is set to apply to descendant objects of the same class as the child object. Most students will be familiar with the first setting. Fewer students completely understand the impact of the parent permission's scope.

Third, explain to students that if an inherited permission is not appropriate for an object, there are three ways to change inheritance: turn off inheritance on the child object; assign an explicit permission that overrides the inherited permission; or change the scope (Apply To) of the parent permission. Students will probably be very familiar with the first option, less familiar with the second, and even less familiar with the third. However, the third option is the best practice in most situations, because what you are doing in effect is defining the security policy (ACL) more accurately at its source, rather than trying to override it further down the tree.
Demonstration: Delegate Administrative Tasks with the Delegation Of Control Wizard

In this demonstration, you will use the Delegation Of Control Wizard to assign permissions.

TRANSITION: In Active Directory, it is not a good practice to use the security interfaces to assign permissions to one object at a time. Rather, the best practice is to use the Delegation Of Control Wizard to assign permissions at the OU level, which are then inherited by objects in the OU.

Detailed Demonstration Steps
1. On NYC-DC1, click Start, point to Administrative Tools, and run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. Right-click the node (domain or OU) for which you want to delegate administrative tasks or control, and choose Delegate Control. In this example, select the Employees OU. The Delegation of Control Wizard appears, to guide you through the required steps.
3. Click Next. You will first select the administrative group to which you are granting privileges.
4. On the Users or Groups page, click the Add button.
5. Use the Select dialog box to select the group, and then click OK. For this example, use the Help Desk group.
6. Click Next. You will next specify the task you wish to assign to that group.
7. On the Tasks to Delegate page, select the task. In this example, select Reset User Passwords and Force Password Change at Next Logon.
8. Click Next.
9. Review the summary of the actions that have been performed, and click Finish. The Delegation of Control Wizard applies the ACEs that are required to enable the selected group to perform the specified task.

Optionally: open the Advanced Security Settings for the User Accounts OU and show students the permissions that were assigned. Add the Help Desk group to the AD_User Accounts_Support group and discuss the advantages of role-based management when delegating Active Directory administration.
Report and View Permissions
Use the Advanced Security Settings dialog box
Use DSACLs (dsacls.exe): dsacls ObjectDN
Example: dsacls "ou=User Accounts,dc=contoso,dc=com"

Tell students that besides using graphical interface tools to view and edit permissions, there is also a command-line utility to perform these tasks. Emphasize that the DSACLs utility can be useful when performing batch jobs of permissions editing or when integrating this process into applications.
Remove or Reset Permissions on an Object
No undelegate command: remove permissions manually in the Advanced Security Settings and Permission Entry dialog boxes
Reset permissions to default with Active Directory Users and Computers: Advanced Security Settings dialog box > Restore Defaults. This applies the default ACL defined in the schema for the object class
Reset permissions to default with DSACLs: dsacls ObjectDN /s /t
Example: dsacls "ou=User Accounts,dc=contoso,dc=com" /s /t
Understand Effective Permissions
Permissions assigned to you and your groups cumulate
Best practice is to assign permissions to groups, not to individual users
In the event of conflicts:
- Deny permissions override Allow permissions
- Explicit permissions override inherited permissions
- Explicit Allow overrides inherited Deny
Evaluating effective permissions:
- The Effective Permissions tab: helpful but not very granular
- Manual analysis
- Third-party tools
- Role-based management

Use the slide to communicate two important points: how effective permissions are calculated by Windows®, and that it is very difficult to evaluate and report effective permissions, or a "resultant set of permissions". Unfortunately, the Effective Permissions tab does not expose enough permissions to provide the kind of detailed information most administrators require. That means that to report resulting permissions, you must either perform manual analysis, acquire third-party tools, or implement a disciplined, role-based management implementation of delegation. The latter option, which is robust, manageable, and free of charge, is discussed in more detail in the Lab Review answers for Lab A.

References
The best way to manage delegation in Active Directory is through role-based access control, and it is well worth understanding for real-world implementation of delegation. See the Windows® Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft® Press, 2008) for more information.
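The inheritance rules from the previous topic (inheritance on or off per object, the parent permission's Apply To scope) and the precedence rules on this slide (cumulative permissions, explicit over inherited, Deny over Allow) are easier to reason about when written out as one algorithm. The following Python model is an added example and is not part of the course material: the objects, ACEs, and group membership it builds are constructed to mirror the Contoso lab, and the evaluation order it uses (an object's explicit ACEs first, then inherited ACEs from the nearest ancestor outward, with Deny checked before Allow at each level) is the canonical DACL order Windows applies during an access check.

```python
"""Model of how Windows evaluates effective permissions on an AD DS object.

Added example, not course material. Rules encoded, as stated on the slides:
- permissions assigned to the user and to all of the user's groups cumulate;
- an inherited ACE reaches a child only if inheritance is on for the child and
  the ACE's Apply To scope covers the child's object class;
- explicit ACEs outrank inherited ones; nearer ancestors outrank farther ones;
- within one precedence level, Deny outranks Allow;
- if no ACE matches, access is implicitly denied.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set

THIS = "this"  # Apply To scope meaning "this object only" (the ACE is not inherited)


@dataclass(frozen=True)
class Ace:
    trustee: str                 # user or group the entry is assigned to
    right: str                   # e.g. "Reset Password"
    allow: bool                  # True = Allow, False = Deny
    applies_to: FrozenSet[str]   # THIS and/or descendant object classes ("user", ...)


@dataclass
class AdObject:
    dn: str
    obj_class: str
    aces: List[Ace] = field(default_factory=list)  # explicit ACEs on this object
    inherit: bool = True         # "Include inheritable permissions from this object's parent"
    parent: Optional["AdObject"] = None


def ace_levels(obj: AdObject):
    """Yield the ACEs that can reach obj, one list per precedence level:
    the object's own explicit ACEs first, then each ancestor's inheritable
    ACEs, nearest ancestor first, stopping where inheritance is turned off."""
    yield [a for a in obj.aces if THIS in a.applies_to]
    node = obj
    while node.inherit and node.parent is not None:
        node = node.parent
        yield [a for a in node.aces if obj.obj_class in a.applies_to]  # Apply To scope


def effective(obj: AdObject, user: str, groups: Set[str], right: str) -> bool:
    """True if user (a member of groups) effectively holds right on obj."""
    principals = {user, *groups}   # the user's own ACEs and group ACEs cumulate
    for level in ace_levels(obj):
        hits = [a for a in level if a.trustee in principals and a.right == right]
        if any(not a.allow for a in hits):
            return False           # a Deny at this level wins over Allow at this level
        if hits:
            return True            # only Allow entries matched at the decisive level
    return False                   # no matching ACE anywhere: implicit deny


def build_sample():
    """Constructed forest fragment modelled on the course's Contoso lab."""
    domain = AdObject("DC=contoso,DC=com", "domainDNS")
    user_accounts = AdObject("OU=User Accounts,DC=contoso,DC=com",
                             "organizationalUnit", parent=domain)
    # What the Delegation Of Control Wizard produces for "Reset User Passwords":
    # an Allow for the Help Desk group on the OU, scoped to descendant user objects.
    user_accounts.aces.append(Ace("Help Desk", "Reset Password", True, frozenset({"user"})))
    employees = AdObject("OU=Employees,OU=User Accounts,DC=contoso,DC=com",
                         "organizationalUnit", parent=user_accounts)
    admins = AdObject("OU=Admins,OU=User Accounts,DC=contoso,DC=com",
                      "organizationalUnit", parent=user_accounts)
    # Keep the help desk away from administrative accounts: an inheritable Deny
    # on the Admins OU, also scoped to user objects.
    admins.aces.append(Ace("Help Desk", "Reset Password", False, frozenset({"user"})))
    jeff = AdObject("CN=Jeff Ford,OU=Employees,OU=User Accounts,DC=contoso,DC=com",
                    "user", parent=employees)
    pat_admin = AdObject("CN=Pat.Coleman_Admin,OU=Admins,OU=User Accounts,DC=contoso,DC=com",
                         "user", parent=admins)
    # An explicit Allow on one object in the Admins OU overrides the inherited Deny.
    test_admin = AdObject("CN=Test Admin,OU=Admins,OU=User Accounts,DC=contoso,DC=com",
                          "user", parent=admins,
                          aces=[Ace("Help Desk", "Reset Password", True, frozenset({THIS}))])
    # A user object with inheritance turned off receives nothing from its parents.
    isolated = AdObject("CN=Isolated,OU=Employees,OU=User Accounts,DC=contoso,DC=com",
                        "user", parent=employees, inherit=False)
    return {"ou": user_accounts, "jeff": jeff, "pat_admin": pat_admin,
            "test_admin": test_admin, "isolated": isolated}


if __name__ == "__main__":
    for name, obj in build_sample().items():
        print(f"{name:10} Help Desk can reset password: "
              f"{effective(obj, 'Aaron.Painter', {'Help Desk'}, 'Reset Password')}")
```

Note what the "ou" case shows: the Allow on the User Accounts OU is scoped to descendant user objects, so evaluating the Help Desk's rights on the OU itself yields nothing, which is exactly why the Effective Permissions tab on an OU does not list Reset Password while the same tab on a user object in that OU does.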
Design an OU Structure to Support Delegation
Functions of OUs
- Delegation: scope permissions for administrative tasks in Active Directory
- Configuration: scope the application of GPOs
- Presentation: organize and present objects in a logical manner
Best Practices for Active Directory OU Design
- Create OUs to scope delegation: top/higher-level OUs reflect the administrative model
- Then divide those OUs to provide scopes for GPOs. If there is no way to scope a GPO by linking it to an OU in your design, link the GPO higher and use security group filtering to manage its scope
- Then, if necessary, create sub-OUs to organize and present. Better yet, use Saved Queries to organize and present

The main point of this slide is to emphasize that OUs are used to scope the delegation of administration by assigning permissions to higher-level OUs that are then inherited by the objects they contain. Therefore, there is a direct relationship between the structure of your OUs and your administrative model. Because this course is not meant as an architecture course, there is not much detail regarding the process of evaluating an organization's requirements for delegation, configuration, and presentation to derive the correct OU design for that organization. However, this slide summarizes the process, and if students' interest and time allow, you can use this slide to set up a whiteboard discussion about OU design.

References
See the Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008) for much more detail regarding OU design.
Optional whiteboard discussion about OU design

The most common misconception about OU design is that an organization can choose between a model based on object class and a model based on division/location. This simplistic view leads many organizations to make the wrong choice.

An OU model based on object class would look something like this (very simplistically):
  Users
    Division/Location A
    Division/Location B
    Division/Location C
  Computers
  Groups

An OU model based on division (business unit, for example) or location (geography or site) would look something like this (again, very simplistically):

The design that is right for one organization is not right for another!
SCENARIO A
Requirements: The organization has a centralized help desk that, for example, can reset passwords for all user accounts, and a centralized deployment team that can add computers to the domain. Administrators at each division determine the configuration (Group Policy) settings they need to apply within their division. People like to think about the organization in terms of divisions or locations (sites) and to see the organization that way.
A highly paid consultant recommended the division/location model. The model achieves the second and third requirements quite nicely. Unfortunately, in order to delegate the administrative capabilities, you have to assign permissions at six separate OUs. That obviously does not scale well, and any change to the administrative model will have to be replicated on each OU. This organization would be better served with the object class model.

SCENARIO B
The organization has three business units. Each business unit (BU) has a dedicated administrative team that has high levels of autonomy. Each administrative team has full control over objects in its BU. There are common standards of configuration (Group Policy) settings that must be applied to all users and all computers due to customer and compliance requirements.
When Windows 2000 was released, the administrator at the time opted for an object class model. The model achieves the second requirement, but now you have to give full control to each BU administrative team at three different OUs. Again, this does not scale well, nor is it easy to manage change over time. This organization would be better served with the division/location model.

The Bottom Line
In each scenario, OU design was not aligned first with the administrative model, but rather was driven by either configuration or presentation requirements. The only way to effectively manage delegation is to scope ACLs for delegation to a minimum number of high-level OUs. Therefore, delegation requirements should always drive OU design. After an OU design supports delegation, it can be further subdivided to facilitate configuration or even presentation. However, it's important to realize that linking a GPO to an OU is not the only way to effectively manage the scope of Group Policy. GPOs can be easily linked to multiple OUs, and GPO scope is often better managed by linking the GPO to a high-level OU, or even to the domain, and using security groups as filters. The presentation of your Active Directory can be provided by Saved Queries; you shouldn't have to look at the complexity of your OU design very often! Because both configuration and presentation requirements can be managed in ways other than the OU structure, but delegation requirements can be managed only with the OU structure, the three design drivers (delegation, configuration, and presentation) should be evaluated in that order.
Lab A: Delegate Administration
Exercise 1: Delegate Permission to Create and Support User Accounts
Exercise 2: View Delegated Permissions
Exercise 3: Remove and Reset Permissions

The goal of this lab is to give students hands-on experience with both the Delegation Of Control Wizard and the security interfaces that support delegation of administration.

Scenario
The enterprise security team at Contoso, Ltd has asked you to lock down the administrative permissions delegated to support personnel.

Exercise 1
In this exercise, students will delegate to the help desk permission to unlock user accounts, reset passwords, and force users to change passwords at the next logon. This permission will scope only to standard user accounts and will not allow the help desk to change passwords of administrative accounts. Students will also delegate to the User Account Admins group permission to create and delete user accounts, as well as full control over user accounts.

Exercise 2
In this exercise, students will view, report, and evaluate the permissions that have been assigned to Active Directory objects.

Exercise 3
In this exercise, students will remove delegated permissions and will reset an OU to its schema-defined default ACL.

NOTE: Do not shut down the virtual machine after you finish this lab, because the settings you have configured here will be used in the subsequent lab.

Logon information
  Virtual machines: 6425C-NYC-DC1, 6425C-NYC-DC2
  Logon user name: Pat.Coleman
  Administrative user name: Pat.Coleman_Admin
  Password: Pa$$w0rd
Estimated time: 30 minutes
Lab Scenario

The enterprise security team at Contoso, Ltd has asked you to lock down the administrative permissions delegated to support personnel.
Lab Review

- When you evaluated the effective permissions for April Meyer on the User Accounts OU, why didn't you see permissions such as Reset Password in this list? Why did the permission appear when you evaluated effective permissions for Aaron Painter on Aaron Lee's user account?
- Does Windows make it easy to answer the following questions: Who can reset user passwords? What can XXX do as an administrator?
- What is the impact of resetting the ACL of an OU back to its schema-defined default?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: When you evaluated the effective permissions for April Meyer on the User Accounts OU, why didn't you see permissions such as Reset Password in this list? Why did the permission appear when you evaluated effective permissions for Aaron Painter on Aaron Lee's user account?
Answer: The Effective Permissions list shows the permissions that apply to the selected object, which in the first case is an organizational unit. One cannot reset the password of an organizational unit, so that permission is not available to be evaluated. When you assign permissions to reset passwords on the OU, the permission does not actually apply to the OU itself; rather, it applies to descendant user objects within the OU. The OU is a container, so permissions are available that specify what types of objects can be created in the OU. When you examined permissions on Aaron Lee's user account, the Reset permission appeared because it is available for user accounts.

Question: Does Windows make it easy to answer the following questions: Who can reset user passwords? What can XXX do as an administrator?
Lead a discussion that addresses the difficulty of reporting delegation. The user interfaces and command-line tools are neither detailed nor "administrator-friendly" enough to be useful reporting tools.

Question: What is the impact of resetting the ACL of an OU back to its schema-defined default?
Answer: You don't necessarily know what permissions are applied to the OU unless you find some way to do detailed reporting. Moreover, you don't necessarily know why those permissions were assigned to the OU or by whom. There may be good reasons for some custom, explicit permissions, and removing them may cause something in your environment to break. For example, when you install Microsoft Exchange Server, explicit permissions are applied to certain Active Directory objects.
Lesson 2: Audit Active Directory Administration
Lesson 2: Audit Active Directory Administration

Enable Audit Policy
Specify Auditing Settings for Directory Service Changes
View Audited Events in the Security Log
Advanced Audit Policies
Global Object Access Auditing
Reason for Access Reporting
Demonstration: Advanced Audit Policies
Enable Audit Policy

Directory Service Access
- Same policy as in Windows Server 2003
- By default, configured to audit success events
- The event log entry says "a change was made to this object": it is difficult to identify what attribute was changed and impossible to know the old/new value of the attribute
Directory Service Changes
- Identifies the object, the attribute, and the old/new values
- Not enabled by default
- Enable from the Command Prompt:
  auditpol /set /subcategory:"directory service changes" /success:enable

The auditpol command is used to enable auditing of directory service changes.

References
AD DS Auditing Step-by-Step Guide
Specify Auditing Settings for Directory Service Changes
Right-click the object > Properties > Security > Advanced
Click the Auditing tab
Click Add to add an audit entry
Specify the group you want to audit (often, Everyone)
Select to audit Success or Failure events for one or more specific permissions
By default, Domain Admins is configured to audit successful changes to any property by any user (Everyone)
View Audited Events in the Security Log
Event Viewer > Windows Logs > Security
Each event shows:
- Success/Failure
- Time
- Object accessed
- Identity of the user who generated the event
- Task category
Advanced Audit Policies
Windows XP and Windows Server 2003: 9 categories for auditing, configured through Group Policy
Windows Vista and Windows Server 2008: 53 auditable events, configured with Group Policy and Auditpol.exe
Windows 7 and Windows Server 2008 R2: new category in Group Policy for advanced audit policy
- All audit settings are configured through Group Policy
- Much more granular control
- Located in: Security Settings\Advanced Audit Policy Configuration\Audit Policies

The purpose of this topic is to explain the new auditing policies in Windows Server® 2008 R2 and Windows 7. Start by comparing audit policies in Windows Server 2003 and Windows Server 2008, and continue by explaining that the new auditing policies now provide full and very granular control over auditing settings, and that they are completely configurable through Group Policy.

References
Advanced Security Audit Policy Settings
Global Object Access Auditing
New way to track object access on a per-server instead of a per-object level
- Much easier to verify that the object access policy is enforced
- Much easier to comply with company audit policy
Can be configured in two categories: File System, Registry
Located at: Security Settings\Advanced Audit Policy Configuration\Audit Policies\Global Object Access Auditing

Before defining what Global Object Access Auditing is, remind students how Object Access auditing is configured. Explain that the old approach is to enable Object Access auditing in a GPO and then activate it on a specific resource in that resource's SACL. A global object access audit policy can be used to enforce an object access audit policy for a computer, file share, or registry without having to configure and propagate conventional SACLs on each object; the auditing is applied on a per-server basis instead.
Reason for Access Reporting
Provides additional information in Object Access Auditing:
- Who accessed a resource?
- What action did the user perform?
- Why was that type of access possible? (Reason for Access)
Works only on Windows 7 and Windows Server 2008 R2
Enable the Audit Handle Manipulation setting in the Object Access sub-category
Information about the reason for access is provided in the open handle event (Event ID: 4656)

In this topic, you should focus on the additional information that "Reason for Access" auditing provides. Emphasize that all other types of auditing provide various information, but not the information about why someone was able to access a resource. This feature provides that exact thing.
Demonstration: Advanced Audit Policies
In this demonstration, you will see how to locate and configure Advanced Audit policies.

Detailed Demonstration Steps

To configure an advanced domain logon audit policy setting:
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, double-click Forest: contoso.com, double-click Domains, and then double-click contoso.com.
4. Right-click Default Domain Policy, and then click Edit.
5. Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings.
6. Double-click Security Settings, double-click Advanced Audit Policy Configuration, and then double-click Audit Policies.
7. Browse through the sub-categories and show how to configure them. For example, open the Account Logon sub-node and show how you can configure four different types of auditing for the Account Logon event. Open each setting and show the Explain tab with the setting description.
8. Click Global Object Access Auditing.
9. Double-click File System, and then select the Define this policy setting check box. Click the Configure button.
10. Click the Add button and add a user account of your choice here. Click OK.
11. In Auditing Entry for Global File SACL, place a check mark in the Successful and Failed columns for the List folder/read data and Create files/write data options.
12. Click OK three times.

Note: When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings.

To ensure that Advanced Audit Policy Configuration settings are not overwritten:
1. Double-click Security Settings, open Local Policies, and then click Security Options.
2. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then click Define this policy setting.
3. Click Enabled, and then click OK.
Lab B: Audit Active Directory Changes
Exercise 1: Audit Changes to Active Directory by Using Default Audit Policy
Exercise 2: Audit Changes to Active Directory by Using Directory Service Changes Auditing

Scenario
The administrators at Contoso, Ltd have reported a few times that the membership lists of certain highly privileged groups are not consistent. The lists included people who should not be members of these groups. One possible reason for the inconsistency could be that the membership list of these groups is being changed without following the correct procedure. The enterprise security team at Contoso, Ltd has asked you to provide detailed reports regarding changes to the membership of security-sensitive groups, including Domain Admins. The reports must show the change that was made, who made the change, and when.

Exercise 1
In this exercise, students will see the Directory Service Access auditing that is enabled by default in Windows Server 2008 and Windows Server 2003.

Exercise 2
In this exercise, students will implement the new Directory Service Changes auditing of Windows Server to reveal the details about changes to the Domain Admins group.

Logon information
  Virtual machines: 6425C-NYC-DC1, 6425C-NYC-DC2
  Logon user name: Pat.Coleman
  Administrative user name: Pat.Coleman_Admin
  Password: Pa$$w0rd
Estimated time: 30 minutes
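The report the scenario asks for (what changed, who changed it, when) is exactly what Directory Service Changes auditing records and Directory Service Access auditing does not, as the Enable Audit Policy topic and this lab both point out. The following Python script is an added example and is not part of the course material: it reads events in the XML shape that Event Viewer exports from the Security log and reduces event 5136 ("A directory service object was modified") entries to membership-change rows for one group. The events embedded in it are constructed; the EventData field names (SubjectUserName, SubjectDomainName, ObjectDN, ObjectClass, AttributeLDAPDisplayName, AttributeValue, OperationType) and the OperationType codes for added and deleted values are those carried by event 5136.

```python
"""Report group-membership changes from exported Directory Service Changes events.

Added example, not course material. Parses Event Viewer-style XML and keeps
only the 5136 events that add or remove a value of the group's 'member'
attribute, producing the who/what/when rows the Lab B scenario asks for.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# OperationType codes written by event 5136 for attribute value changes.
OPERATIONS = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

DOMAIN_ADMINS_DN = "CN=Domain Admins,CN=Users,DC=contoso,DC=com"

# Constructed export: three changes, only two of which touch Domain Admins membership.
SAMPLE_EXPORT = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5136</EventID><TimeCreated SystemTime="2011-03-01T10:15:00.000Z"/>
  <Computer>NYC-DC1.contoso.com</Computer></System>
 <EventData><Data Name="SubjectUserName">Pat.Coleman_Admin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
  <Data Name="ObjectDN">CN=Domain Admins,CN=Users,DC=contoso,DC=com</Data><Data Name="ObjectClass">group</Data>
  <Data Name="AttributeLDAPDisplayName">member</Data>
  <Data Name="AttributeValue">CN=Aaron Painter,OU=Employees,OU=User Accounts,DC=contoso,DC=com</Data>
  <Data Name="OperationType">%%14674</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5136</EventID><TimeCreated SystemTime="2011-03-01T10:16:30.000Z"/>
  <Computer>NYC-DC1.contoso.com</Computer></System>
 <EventData><Data Name="SubjectUserName">Pat.Coleman_Admin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
  <Data Name="ObjectDN">CN=Domain Admins,CN=Users,DC=contoso,DC=com</Data><Data Name="ObjectClass">group</Data>
  <Data Name="AttributeLDAPDisplayName">description</Data>
  <Data Name="AttributeValue">Designated administrators of the domain</Data>
  <Data Name="OperationType">%%14674</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5136</EventID><TimeCreated SystemTime="2011-03-01T10:20:00.000Z"/>
  <Computer>NYC-DC1.contoso.com</Computer></System>
 <EventData><Data Name="SubjectUserName">Pat.Coleman_Admin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
  <Data Name="ObjectDN">CN=Domain Admins,CN=Users,DC=contoso,DC=com</Data><Data Name="ObjectClass">group</Data>
  <Data Name="AttributeLDAPDisplayName">member</Data>
  <Data Name="AttributeValue">CN=Aaron Painter,OU=Employees,OU=User Accounts,DC=contoso,DC=com</Data>
  <Data Name="OperationType">%%14675</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text: str):
    """Return one dict per <Event>: EventID, Time, Computer plus every EventData field."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        rec = {
            "EventID": ev.findtext("e:System/e:EventID", namespaces=NS),
            "Time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "Computer": ev.findtext("e:System/e:Computer", namespaces=NS),
        }
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = data.text
        events.append(rec)
    return events


def membership_changes(events, group_dn: str):
    """Keep 5136 events that add or delete a 'member' value on group_dn, in log order."""
    rows = []
    for rec in events:
        if rec["EventID"] != "5136" or rec.get("ObjectClass") != "group":
            continue
        if rec.get("ObjectDN", "").lower() != group_dn.lower():
            continue
        if rec.get("AttributeLDAPDisplayName") != "member":
            continue   # other attribute changes (description, etc.) are not membership changes
        rows.append({
            "time": rec["Time"],
            "who": f"{rec.get('SubjectDomainName')}\\{rec.get('SubjectUserName')}",
            "operation": OPERATIONS.get(rec.get("OperationType"), rec.get("OperationType")),
            "member": rec.get("AttributeValue"),
            "logged_on": rec["Computer"],
        })
    return rows


def report(xml_text: str = SAMPLE_EXPORT, group_dn: str = DOMAIN_ADMINS_DN):
    return membership_changes(parse_events(xml_text), group_dn)


if __name__ == "__main__":
    for row in report():
        print(f"{row['time']}  {row['who']:28} {row['operation']:14} {row['member']}")
```

In a real environment the input would be an export of the Security log from each domain controller that recorded the change (5136 is logged on the DC that processed the write, not replicated to the others), and the group filter would cover every security-sensitive group the Contoso security team named, not only Domain Admins.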
Lab Scenario

The administrators at Contoso, Ltd have reported a few times that the membership lists of certain highly privileged groups are inconsistent. The lists included people who should not be members of these groups. One possible reason for the inconsistency could be that the membership list of these groups is changed by following incorrect procedures. The enterprise security team at Contoso, Ltd has asked you to provide detailed reports regarding changes to the membership of security-sensitive groups, including Domain Admins. The reports must show the change that was made, who made the change, and when.
Lab Review

- What details are captured by Directory Service Changes auditing that are not captured by Directory Service Access auditing?
- Which type of administrative activities would you want to audit by using Directory Service Changes auditing?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Question: What details are captured by Directory Service Changes auditing that are not captured by Directory Service Access auditing?
Answer: Directory Service Changes auditing captures important details, including the specific attribute that is changed and the change that was made.

Question: Which type of administrative activities would you want to audit using Directory Service Changes auditing?
Lead a discussion to elicit suggestions from students. Pose the question: Why not audit all changes in Active Directory? Answer: the volume of event log entries would make finding particularly important changes difficult. Guide students to an understanding that the configuration of Directory Service auditing should be driven by the requirements of an organization's IT security policies and procedures.
Module Review and Takeaways
Review Questions
Common Issues Related to Secure Administration
Best Practices
Tools
Windows Server 2008 R2 Features Introduced in this Module

Review Questions

Question: How does the Active Directory Users and Computers console indicate to you that you do not have permissions to perform a particular administrative task?
Answer: The console has different ways of indicating that you do not have permissions to perform a certain task. In some cases, the command that you cannot perform is trimmed (hidden) by the Active Directory Users and Computers snap-in. For example, when you tested whether Aaron Painter could create a new user in the Employees OU, the New menu was not available. In other cases, the command appears but you receive an error message if you attempt to perform it. For example, when Aaron Painter tried to disable Jeff Ford's account or reset Pat Coleman's administrative account password, the command was executed but returned an error message because Aaron's access was denied.

Question: What is the benefit of a two-tiered, role-based management group structure when assigning permissions in Active Directory?
Answer: There are several benefits. First, it allows you to change "who can do what" without changing a single ACL in Active Directory. If another group or user needs to be able to reset Employee passwords, simply add that group (or user) to the AD_User Accounts_Support group. Second, it makes it easier to report delegation. If you list the members (including nested users) of AD_User Accounts_Support, you instantly know who has permission to reset passwords for users in the User Accounts OU. In other words, role-based management helps overcome some of the difficulties that were identified with reporting. Note: Role-based management is a detailed topic. There are other aspects of role-based management, such as discipline and auditing, that are required to ensure that the members of a group such as AD_User Accounts_Support have the permissions they are supposed to have. You also need to ensure that the members of this group have no other permissions, and that no other users or groups have been delegated the same permissions.

Question: What is the main benefit of using the new Advanced Audit Policies?
Answer: The new audit policies provide much more detailed control over auditing and reporting, which enables administrators to better narrow their search for specific information in Security logs. The new policies also provide additional auditing capabilities such as Global Object Access Auditing, and additional information such as that in Reason for Access auditing.

Common Issues Related to Secure Administration
Issue: There is no un-delegate command or wizard after you finish delegation of control.
Troubleshooting tip: Use the DACL of the OU where you delegated administrative control to remove the identities you want to un-delegate.
Issue: Reason for Access auditing is not working.
Troubleshooting tip: Check that you have enabled the Audit Handle Manipulation setting and that you are running Windows 7 or Windows Server 2008 R2.
Best Practices Related to Secure Administration
Use the Delegation of Control Wizard to delegate administrative control instead of placing users in built-in administrative groups.
Use Advanced Audit Policies for better and more granular audit control.
Avoid using the Block Inheritance option when configuring permissions.

Tools
Tool: Group Policy Management Console. Used for: editing security policy. Where to find it: Administrative Tools.
Tool: Delegation of Control Wizard. Used for: delegating administrative control over an OU. Where to find it: Active Directory Users and Computers.
Tool: Auditpol. Used for: configuring auditing. Where to find it: command-line utility.

Windows Server 2008 R2 Features Introduced in this Module
Advanced Audit Policies: new settings in a Group Policy object for more detailed auditing of various system events.
Global Object Access Auditing: a way to define a computer-wide SACL for the file system or the registry, instead of setting a SACL on each object.
Reason for Access reporting: a new feature that lets administrators see which permission allowed someone to access a resource that is being audited.
Module 10: Improving the Security of Authentication in an AD DS Domain
Presentation: 85 minutes
Lab: 65 minutes
Module Goal
Prepare students to improve and enforce security around authentication in their enterprises. Equip students to configure tiered password policies, taking advantage of the fine-grained password policies introduced in Windows Server® 2008, to audit logon events, and to implement read-only domain controllers in branch offices.
Objectives
After completing this module, you will be able to:
Configure password and account lockout policies.
Configure auditing of authentication-related activity.
Configure RODCs.
Module Exam Objectives
Creating and maintaining Active Directory objects: Configure account policies
Creating and maintaining Active Directory objects: Configure audit policy by using GPOs
Configuring the Active Directory infrastructure: Configure Active Directory replication
Configuring additional Active Directory server roles: Configure the read-only domain controller (RODC)
Preparation for Demos
To prepare for the demos in this module, start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
Preparation for Labs
There are three labs in this module, and each depends on the previous one, so instruct students not to shut down the virtual machines when they finish a lab. Before the first lab, ask students to start 6425C-NYC-DC1. The other virtual machines are started as needed during the labs and should not be started now; refer to the student handbook or the Lab Answer Keys for when each is required.
Module Overview
Configure Password and Lockout Policies
Audit Authentication
Configure Read-Only Domain Controllers
Lesson 1: Configure Password and Lockout Policies
Understand Password Policies
Understand Account Lockout Policies
Configure the Domain Password and Lockout Policy
Demonstration: Configure Domain Account Policies
Fine-Grained Password and Lockout Policy
Understand Password Settings Objects
Demonstration: Configure Fine-Grained Password Policy
PSO Precedence and Resultant PSO
Understand Password Policies
Implemented via the Default Domain Policy GPO
Determine password requirements for the whole domain
Password policy settings (Windows Server 2008 defaults):
Enforce password history: 24 passwords remembered
Maximum password age: 42 days
Minimum password age: 1 day
Minimum password length: 7 characters
Password must meet complexity requirements: Enabled
Store passwords using reversible encryption: Disabled
Explain that these settings apply to all domain users unless fine-grained password policies are implemented. Discuss the advantages of using pass phrases instead of single-word passwords. Discuss the impact of the complexity requirement, which demands characters from three of five categories (uppercase, lowercase, digits, non-alphanumeric symbols, and other Unicode alphabetic characters) and rejects passwords that contain the user's account name or display name. Mention that if you configure password history, you should also configure a minimum password age, and ask students whether they understand why. Without a minimum age, a user can simply change their password History+1 times in a row and return to their original password.
Understand Account Lockout Policies
Helps mitigate the threat of brute force attacks on user accounts
Account lockout policy settings (Windows Server 2008 defaults):
Account lockout duration: Not defined
Account lockout threshold: 0 invalid logon attempts (lockout disabled)
Reset account lockout counter after: Not defined
Unlock
A user who is locked out can be unlocked by an administrator
The Account lockout duration setting can specify a "timeout" period after which the account is automatically unlocked; a duration of 0 means the account stays locked until an administrator unlocks it. Reset account lockout counter after controls how long invalid attempts keep accumulating toward the threshold before the counter returns to zero.
Discuss why some organizations choose not to define an account lockout policy: it can create a denial of service scenario. If an attacker performs a brute force attack against an account used by a service (your Microsoft® SQL Server® instances, for example) and the account is locked, eventually the service will fail. Many organizations choose auditing, intrusion detection, and other monitoring approaches to mitigate brute force attacks instead.
Configure the Domain Password and Lockout Policy
Domain password policies are defined by the highest-precedence GPO linked to the domain, as applied by the domain controllers; by default that is the Default Domain Policy GPO
Best practices
Modify the settings in the Default Domain Policy GPO for password, lockout, and Kerberos policies
Do not use the Default Domain Policy GPO to deploy any other policy settings
Do not define password, lockout, or Kerberos settings for the domain in any other GPO
Policy settings are overridden by options on the user account:
Password never expires
Store password using reversible encryption
Explain that "account policies" refers to the collection of settings that includes password settings, account lockout settings, and Kerberos version 5 authentication protocol policy settings. Explain the purpose of the account lockout threshold and its associated settings. Briefly discuss the Kerberos settings. Stress that these settings take effect for domain accounts only when applied at the domain level. If you configure them in a GPO linked to an organizational unit (OU), they affect only the local (SAM) accounts of the computers in that OU, not domain accounts.
Reference: Windows Server 2003 Security Guide, Chapter 3: The Domain Policy
Demonstration: Configure Domain Account Policies
In this demonstration, you will see how to configure the domain account policies for Contoso, Ltd, according to their password requirements.
Scenario
Configure the domain account policies to meet the following requirements for passwords:
A minimum of 8 characters long.
Comply with Windows default complexity requirements.
Users must change their password every 90 days.
Users cannot change their own password more than once a week.
A user cannot reuse their past 20 passwords.
Solution
Length: 8 characters
Complexity: Enforced
Max password age: 90 days
Min password age: 7 days
Enforce password history: 20
Detailed Demonstration Steps
Start 6425C-NYC-DC1 and log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.
Run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
In the console tree, expand Forest: contoso.com, Domains, and contoso.com.
Right-click Default Domain Policy underneath the domain contoso.com, and then click Edit. You may be prompted with a reminder that you are changing the settings of a GPO. If so, click OK. Group Policy Management Editor opens.
In the console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies, and then click Password Policy.
Double-click the following policy settings in the details pane and configure them as indicated:
Enforce password history: 20 passwords remembered
Maximum password age: 90 days
Minimum password age: 7 days
Minimum password length: 8 characters
Password must meet complexity requirements: Enabled
Close the Group Policy Management Editor window.
Close the Group Policy Management window.
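Added example (not part of the course material): after the demonstration, it is worth showing students how to verify what the domain controllers actually enforce rather than trusting the GPO editor. The following Windows PowerShell script, using the Active Directory module of Windows Server 2008 R2, reads the effective domain account policy and compares it with the Contoso requirements above, flagging the history-without-minimum-age mistake and the reversible encryption setting. The domain name contoso.com is assumed from the labs.

```powershell
# Added example, not from the course: verify the effective domain account policy
# against the Contoso requirements from the demonstration.
# Requires the ActiveDirectory module (Windows Server 2008 R2 / RSAT).
# Get-ADDefaultDomainPasswordPolicy returns the values the domain controllers
# enforce (the domain-head attributes written when the domain-linked GPO is
# applied), so it shows the result after Group Policy has processed, whichever
# GPO won. Assumed domain: contoso.com.
Import-Module ActiveDirectory

$domain = "contoso.com"
$p = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Requirements from the demonstration scenario
$required = @{
    MinPasswordLength           = 8
    ComplexityEnabled           = $true
    MaxPasswordAge              = New-TimeSpan -Days 90
    MinPasswordAge              = New-TimeSpan -Days 7
    PasswordHistoryCount        = 20
    ReversibleEncryptionEnabled = $false   # never on unless a protocol needs it
}

$findings = @()
foreach ($name in $required.Keys) {
    $actual = $p.$name
    if ($actual -ne $required[$name]) {
        $findings += "{0}: expected {1}, found {2}" -f $name, $required[$name], $actual
    }
}

# History is pointless without a minimum age: a user can cycle History+1
# passwords in a minute and land back on the original one.
if ($p.PasswordHistoryCount -gt 0 -and $p.MinPasswordAge -eq [TimeSpan]::Zero) {
    $findings += "PasswordHistoryCount is set but MinPasswordAge is 0"
}

# Lockout: threshold 0 means disabled. Report it rather than fail, because some
# organizations leave it off deliberately (service account denial of service).
if ($p.LockoutThreshold -eq 0) {
    $findings += "Note: account lockout is disabled (LockoutThreshold = 0)"
} else {
    $findings += "Note: lockout after $($p.LockoutThreshold) failures in " +
                 "$($p.LockoutObservationWindow), duration $($p.LockoutDuration)"
}

if ($findings.Count -eq 0) { "Domain account policy for $domain is compliant." }
else { $findings }
```

A companion Set-ADDefaultDomainPasswordPolicy cmdlet exists, but it writes the domain-head attributes directly and the domain-linked GPO re-applies its own values at the next security policy refresh on the PDC emulator, so treat the GPO as the source of truth, as the demonstration does, and use the cmdlet for reading and checking.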
Fine-Grained Password and Lockout Policy
Fine-grained password and lockout policies allow multiple password and lockout policies to exist in the same domain
Slide diagram (example policies in one domain):
Domain policy (all other users): Length: 10; Max age: 90; Lockout: 5 in 30 min; Reset: 30 min
Administrative accounts: Length: 15; Max age: 45; Lockout: 5 in 60 min; Reset: 1 day
Finance users: Length: 15; Max age: 60; Lockout: 5 in 30 min; Reset: 30 min
Service accounts: Length: 64; Password never expires; Lockout: None
Make the security case for why one might want different password and lockout policies in a domain. Explain that, prior to Windows Server 2008, the only way to have different account policies was to split your directory service into multiple domains, or to invest in third-party tools. Explain that, starting with Windows Server 2008, fine-grained password policies allow you to have different password requirements for different AD DS users or groups. Mention that fine-grained password and lockout policies override the domain account policies presented earlier in this lesson. The best practice, therefore, is to use the domain account policy to configure password and lockout settings for the broad user population, and then use fine-grained policies to configure settings for special cases.
Additional points you might choose to make while on this slide: As students will see, the policy that determines password and lockout settings for a user must define all password and lockout settings. Policies do not "merge" in any way. That is why, on the slide, the policy that applies to Finance users defines the lockout settings even though they are identical to the settings in the domain policy. The domain policy applies to all users except the finance, administrative, and service accounts.
Note: There can be one, and only one, authoritative set of password and lockout policy settings that applies to all users in a domain. Those settings are configured in the Default Domain Policy GPO. Fine-grained password policies, which apply to individual groups or users in the domain, are implemented using password settings objects (PSOs).
Service accounts are a special case for any organization. The challenge is that if you change the password of a domain account used by a service, you must configure the service with the new password on every machine where the service runs. This can be difficult to manage, which is why many organizations have chosen to use service account passwords that never expire. That is, of course, a serious security weakness. Alternatively, organizations can invest in third-party tools that reset and synchronize service account passwords. In either case, you can improve the security of service accounts with a fine-grained password policy that sets a very long minimum length, which is particularly important if you configure the password to never expire. Additionally, most organizations prefer that service accounts cannot be locked out, even by a brute force attack, because the lockout of a service account will eventually create a denial of service. Windows Server 2008 R2 introduces a new solution to this problem: managed service accounts, whose passwords are maintained automatically by the domain.
Discussion Question and Answer
Question: How would you use fine-grained passwords in your environment?
Answer: Answers will vary.
Reference: AD DS: Fine-Grained Password Policies
Understand Password Settings Objects
A PSO has the following settings available:
Password policy settings
Account lockout policy settings
PSO link (msDS-PSOAppliesTo)
Precedence
Considerations when implementing PSOs:
The Password Settings Container (PSC) and PSOs are object classes defined by the AD DS schema
Windows Server 2008 domain functional level is required
PSOs can be created through ADSI Edit or LDIFDE
PSOs can only be applied to users or global security groups
Use this slide to equip students with an understanding of the concepts and terminology related to PSOs. You will be demonstrating the creation of a PSO, and at that time you can go into more detail. Mention that a PSO has all the password policy and account lockout policy settings that you can normally configure through the Default Domain Policy. A PSO does not contain Kerberos settings. Also mention that a PSO has new attributes: for example, the PSO link (a multivalued attribute that links the PSO to user and/or group objects) and Precedence (an integer value that is used to resolve conflicts if multiple PSOs apply to a user or group object). Explain that two object classes were added to the Active Directory schema for this purpose: the Password Settings Container and the Password Settings Object (PSO). Explain that you implement fine-grained passwords by creating PSOs, which are stored in the Password Settings Container, and then applying them to users or global security groups, not to OUs.
Reference: AD DS: Fine-Grained Password Policies
Demonstration: Configure Fine-Grained Password Policy
In this demonstration, you will see how to configure a fine-grained password policy to enhance the security of accounts in the Domain Admins group.
Demonstration Steps
1. Run Active Directory Users and Computers with administrative credentials (user name Pat.Coleman_Admin and password Pa$$w0rd) and verify that the current domain functional level is at least Windows Server 2008.
2. Run ADSI Edit with administrative credentials, user name Pat.Coleman_Admin and password Pa$$w0rd.
3. Right-click ADSI Edit, and then click Connect To.
4. Accept all defaults. Click OK.
5. In the console tree, click Default Naming Context.
6. In the console tree, expand Default Naming Context, expand DC=contoso,DC=com, and then click CN=System.
7. In the console tree, expand CN=System, and then click CN=Password Settings Container. All PSOs are created and stored in the Password Settings Container (PSC).
8. Right-click CN=Password Settings Container, point to New, and then click Object. The Create Object dialog box appears. It prompts you to select the type of object to create. There is only one choice: msDS-PasswordSettings, the schema class name for the object referred to as a PSO.
9. Click Next. You are then prompted for the value of each attribute of a PSO. The attributes are similar to those found in the domain account policies.
10. Configure each attribute as indicated below. Click Next after each attribute.
cn: My Domain Admins PSO. This is the common name of the PSO.
msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible precedence.
msDS-PasswordReversibleEncryptionEnabled: False. The password is not stored using reversible encryption.
msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last 30 passwords.
msDS-PasswordComplexityEnabled: True. Password complexity rules are enforced.
msDS-MinimumPasswordLength: 15. Passwords must be at least 15 characters long.
msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change his or her password within one day of a previous change. The format is d:hh:mm:ss (days, hours, minutes, seconds).
msDS-MaximumPasswordAge: 45:00:00:00. The password must be changed every 45 days.
msDS-LockoutThreshold: 5. Five invalid logons within the time frame specified by msDS-LockoutObservationWindow (the next attribute) will result in account lockout.
msDS-LockoutObservationWindow: 0:01:00:00. Five invalid logons (the number specified by the previous attribute) within one hour will result in account lockout.
msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day, or until it is unlocked manually. A value of zero results in the account remaining locked out until an administrator unlocks it.
11. Click Finish and close ADSI Edit.
Next, link the PSO to the group.
12. Run Active Directory Users and Computers as before and, in the console tree, expand the System container. If you do not see the System container, click the View menu of the MMC console and ensure that Advanced Features is selected.
13. In the console tree, click the Password Settings Container.
14. Right-click My Domain Admins PSO, click Properties, and then click the Attribute Editor tab.
15. In the Attributes list, select msDS-PSOAppliesTo, and then click Edit. The Multi-valued Distinguished Name With Security Principal Editor dialog box appears.
16. Click Add Windows Account. The Select Users, Computers, or Groups dialog box appears.
17. Type Domain Admins, and then press Enter.
18. Click OK twice to close the open dialog boxes.
19. In the console tree, expand the contoso.com domain and the Admins OU, and then click the Admin Identities OU.
20. Right-click Pat Coleman (Administrator) and click Properties.
21. Click the Attribute Editor tab.
22. Click the Filter button, and then click the Constructed option so that it is selected.
23. Open the value of the msDS-ResultantPSO attribute.
Explain to students that msDS-ResultantPSO is a constructed attribute: the resultant PSO is not a stored attribute of the user but is calculated when the attribute is read, by examining the PSOs linked to the user and to the global groups the user belongs to.
Question: How could you view the Password Settings Container in Active Directory Users and Computers?
Answer: You need to enable the Advanced Features view in Active Directory Users and Computers.
Mention that PSOs can also be created by importing an LDIF file with LDIFDE.
Question: What utilities can be used to manage PSOs? Choose all that apply:
a. ADSI Edit
b. GPMC
c. CSVDE
d. LDIFDE
e. NTDSUtil
f. Active Directory Users and Computers
Answer: a, d, and f are correct. (In Windows Server 2008 R2, the Active Directory module for Windows PowerShell can also create, link, and query PSOs.)
Reference: AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
PSO Precedence and Resultant PSO
A PSO can be linked to more than one group or user
A group or user can have more than one PSO linked to it
Only one PSO prevails: the Resultant PSO
Precedence: a lower value (closer to 1) means higher precedence
The global group PSO with the highest precedence prevails
Any PSO linked directly to the user overrides all global group PSOs; the user-linked PSO with the highest precedence prevails
View the msDS-ResultantPSO attribute of the user in Attribute Editor (click the Filter button and ensure Constructed is selected)
If no PSO applies, the domain account policies apply
Best Practices
Use only group-linked PSOs. Do not link PSOs to user objects.
Avoid having two PSOs with the same precedence value.
PSOs cannot be linked to an OU: create a shadow group that contains all users in the OU and link the PSO to the group.
Explain how PSO conflicts are resolved. A user or group object can have multiple PSOs linked to it. However, only one PSO applies as the effective password policy; the settings of the other PSOs linked to the user or group are never merged in. The precedence value resolves conflicts. Explain that the precedence attribute is an integer value of 1 or greater, and that a lower value indicates a higher precedence than other PSOs. All PSOs that apply to the user through global group memberships are compared, and the PSO with the lowest precedence value is the resultant PSO. If a PSO is linked directly to the user object, that PSO is the resultant PSO and PSOs linked to groups are ignored. If more than one PSO is linked directly to the user object, a warning message is logged in the event log, and the user-linked PSO with the lowest precedence value is the resultant PSO (again, ignoring global group PSOs). If two PSOs have the same precedence, Active Directory applies the one with the lowest GUID, which is in effect an arbitrary choice.
Discuss or show the Resultant PSO attribute of a user in Domain Admins. Don't forget to turn on Advanced Features. If no PSO is linked at all, the password and lockout settings of the Default Domain Policy apply. Best practice is to assign PSOs only to global groups (avoiding user-linked PSOs), and to ensure that no two PSOs have the same precedence. Discuss using "shadow groups" to apply PSOs to the users in an OU. Explain that in this context, a shadow group is simply a global security group whose only purpose is to group together users that do not already share a global group membership, so that a PSO can be applied to them; its membership must be maintained as accounts move into and out of the OU.
Reference: Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
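Added example (not part of the course material): the demonstration builds the PSO attribute by attribute in ADSI Edit, and this slide and the lab review describe precedence conflicts and shadow groups in prose. The following Windows PowerShell script, using the Active Directory module of Windows Server 2008 R2, creates the same My Domain Admins PSO, links it to Domain Admins, reads the resultant PSO for Pat.Coleman_Admin, checks the directory for duplicate precedence values, and builds a shadow group for a Service Accounts OU. The PSO name, the Domain Admins group and Pat.Coleman_Admin come from the course; the Service Accounts OU and the shadow group name PSO_Service Accounts are assumptions.

```powershell
# Added example, not from the course: the demonstration PSO via the Windows
# Server 2008 R2 Active Directory module, plus the checks a practitioner wants.
# Assumed: contoso.com at Windows Server 2008 domain functional level, a
# "Service Accounts" OU, and the shadow group name "PSO_Service Accounts".
Import-Module ActiveDirectory

# 1. Create the PSO. Parameter names map to the msDS-* attributes seen in ADSI
#    Edit (Precedence = msDS-PasswordSettingsPrecedence, and so on). Durations
#    are .NET TimeSpans in "d.hh:mm:ss" form, not the "d:hh:mm:ss" ADSI Edit uses.
New-ADFineGrainedPasswordPolicy -Name "My Domain Admins PSO" -Precedence 1 `
    -ReversibleEncryptionEnabled $false -PasswordHistoryCount 30 `
    -ComplexityEnabled $true -MinPasswordLength 15 `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "45.00:00:00" `
    -LockoutThreshold 5 -LockoutObservationWindow "0.01:00:00" `
    -LockoutDuration "1.00:00:00"

# 2. Link it to a global group, never to individual users (msDS-PSOAppliesTo).
Add-ADFineGrainedPasswordPolicySubject -Identity "My Domain Admins PSO" `
    -Subjects "Domain Admins"

# 3. Resultant PSO for a member. This reads the constructed msDS-ResultantPSO
#    attribute, so it reflects group membership and precedence as evaluated now.
Get-ADUserResultantPasswordPolicy -Identity Pat.Coleman_Admin |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
                  LockoutThreshold, LockoutObservationWindow, LockoutDuration

# 4. Check for the tie-break you never want: two PSOs with the same precedence
#    are resolved by lowest GUID, which is effectively arbitrary.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Group-Object -Property Precedence |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        "Duplicate precedence $($_.Name): $names"
    }

# 5. PSOs cannot target an OU: build a shadow group from the OU's user accounts
#    and link a PSO to the group instead. Re-run as accounts move in or out.
$ou     = "OU=Service Accounts,DC=contoso,DC=com"
$shadow = "PSO_Service Accounts"
if (-not (Get-ADGroup -Filter "Name -eq '$shadow'")) {
    New-ADGroup -Name $shadow -GroupScope Global -GroupCategory Security `
        -Path $ou -Description "Shadow group for the Service Accounts OU PSO"
}
$members = Get-ADUser -SearchBase $ou -SearchScope OneLevel -Filter *
if ($members) { Add-ADGroupMember -Identity $shadow -Members $members }
```

Step 5 only adds accounts; a scheduled version of it should also remove members that no longer live in the OU, otherwise a moved account silently keeps the service account policy (for example, no lockout).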
Lab A: Configure Password and Account Lockout Policies
Exercise 1: Configure the Domain's Password and Lockout Policies
Exercise 2: Configure a Fine-Grained Password Policy
The goal of this lab is to give students practical, hands-on experience with the tasks required to secure authentication in an AD DS domain, in this lab through the implementation of lockout, password, and fine-grained password policies.
Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise's AD DS domain. Specifically, you are to enforce a specified password policy for all user accounts, and a more stringent password policy for security-sensitive administrative accounts.
Exercise 1
In this exercise, students will modify the Default Domain Policy GPO to implement a password and lockout policy for users in the contoso.com domain.
Exercise 2
In this exercise, students will create a PSO that applies a restrictive, fine-grained password policy to user accounts in the Domain Admins group. Students will identify the PSO that controls the password and lockout policies for an individual user. Finally, students will delete the PSO that they created.
NOTE: Do not shut down the virtual machine after you finish this lab, because the settings you have configured here will be used in subsequent labs in this module.
Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 25 minutes
Lab Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise's AD DS domain. Specifically, you must enforce a specified password policy for all user accounts, and a more stringent password policy for security-sensitive administrative accounts.
Lab Review
What are the best practices for managing PSOs in a domain?
How can you define a unique password policy for all of the service accounts in the Service Accounts OU?
Use the questions on the slide to guide the discussion after students have completed the lab exercises.
Question: What are the best practices for managing PSOs in a domain?
Answer: Each PSO must fully define the appropriate password and account lockout policy settings, because PSOs do not "merge." Link PSOs to global groups, not to individual user accounts. Ensure that each PSO has a unique precedence value.
Question: How can you define a unique password policy for all of the service accounts in the Service Accounts OU?
Answer: PSOs cannot be linked to an OU. You must create a global security group (a shadow group) that contains the accounts in the Service Accounts OU, and then link a PSO to that group.
Lesson 2: Audit Authentication
Account Logon and Logon Events
Configure Authentication-Related Audit Policies
Scope Audit Policies
View Logon Events
In this lesson, talk about auditing techniques for logon events. Besides the basic audit policies, be sure to also discuss (and remind students of) the advanced audit policies that Group Policy exposes in Windows Server 2008 R2.
Account Logon and Logon Events
Account logon events
Registered by the system that authenticates the account
For domain accounts: domain controllers
For local accounts: the local computer
Logon events
Registered by the machine at which (or to which) a user logged on
Interactive logon: the user's system
Network logon: the server
Be sure that students can distinguish between account logon events, registered only by the authenticating authority (in the case of domain accounts, a domain controller), and logon events, registered by the system to which a user logs on (interactive logon) or connects (network logon). A single domain user connecting to a file server therefore produces an account logon event on the domain controller that validated the credentials and a logon event on the file server.
Configure Authentication-Related Audit Policies
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
The Windows Server 2008 default for domain controllers is to audit Success events for both account logon and logon events
Windows Server 2008 R2 adds new, more detailed policies for account logon and logon events: Advanced Audit Policy Configuration, under Security Settings
We recommend that you demonstrate the configuration of audit policies by opening the Default Domain Controllers Policy. Explain to students the possible configurations of an audit policy setting. In particular, make sure they understand the difference between Not Defined (the GPO says nothing, so the computer's existing setting stands) and Defined with neither Success nor Failure selected (auditing of that category is explicitly turned off). Point out that, by default, Active Directory is configured to audit successful account logon events. Select to audit Failure events as well, and click OK. This will lead to a more interesting demo of Security log entries.
Scoping Audit Policies
Default Domain Controllers Policy: Account Logon Events (scoped to Domain Controllers)
Custom GPO: Logon Events (scoped to Remote Desktop Servers and HR Clients)
Use this slide to describe the best practices for scoping audit policies for logon and account logon events. First, the best practice for configuring account logon events is to modify the Default Domain Controllers Policy. For manageability, there should be only one GPO that specifies auditing settings for domain controllers, and the Default Domain Controllers Policy already exists and contains policy setting definitions for the Windows defaults. Modify the settings in this GPO to reflect the requirements of your organization. If you need to monitor logon events (or even account logon events for local accounts) on servers or clients in your environment, the key is to scope the GPO so that it affects only those computers, so that you do not place the performance burden or the log bloat on systems that do not require such auditing. This slide, and the student handbook, reflect a scenario in which a business requirement drives the need to configure auditing for logon events on remote desktop servers and on computers in the human resources department.
View Logon Events
Security log of the system that generated the event
The domain controller that authenticated the user: account logon events. Note: the Security log is not replicated to other domain controllers, so each domain controller holds only the events it generated.
The system to which the user logged on or connected: logon events
We recommend that you open the Security log on NYC-DC1 and show examples of account logon events. You can point out the event that was logged when you logged on to the system at the beginning of this module. After you have demonstrated the successful events, you can demonstrate failures if you showed students how to turn on auditing of failed account logon events earlier in this lesson. Run gpupdate /force as an administrator, then use the Switch User command to generate a failed logon (try to log on with a user name such as Aaron.Painter and an incorrect password). Return to the Security log, refresh the view, and you should see the failure entries at the top of the log. Discuss the challenge of reviewing logs of authentication activity: the logs are distributed across all domain controllers and across any domain members that perform logon auditing. Mention to students that in a later module they will learn to configure event forwarding, a feature of the Windows Server 2008 event log that enables administrators to centrally collect events for audit and analysis.
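Added example (not part of the course material): scrolling the Security log in Event Viewer, as the demonstration does, is fine for a handful of events but not for the brute force pattern that lockout policy exists to stop. The following Windows PowerShell script, runnable on NYC-DC1 (account logon failures) or on a member server such as NYC-SVR1 (logon failures), first confirms with auditpol that the failure subcategories are enabled and then extracts the account and source from recent failure events and groups them. The event IDs are the standard Windows Server 2008 Security log IDs; the script assumes it is run as an administrator with read access to the Security log.

```powershell
# Added example, not from the course: summarise authentication failures from the
# Security log per account and source. Because a domain controller's Security
# log is not replicated, run it against every DC (or a forwarding collector).
# Standard Windows Server 2008 Security log event IDs used here:
#   4771 Kerberos pre-authentication failed (account logon, recorded on the DC)
#   4776 NTLM credential validation        (account logon, DC or local machine)
#   4625 an account failed to log on       (logon, the machine logged on to)
# Assumed: run elevated; auditing of Failure for these categories is enabled.

# 1. Confirm the failure subcategories are actually on. The basic policy
#    "Audit account logon events: Failure" maps onto the Account Logon
#    subcategories; R2 advanced audit policy can be checked the same way.
auditpol /get /category:"Account Logon"
auditpol /get /category:"Logon/Logoff"

# 2. Read recent events and pull fields out of the XML payload. Field names
#    differ per event, hence the lookup per ID.
$ids    = 4625, 4771, 4776
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue

function Get-EventField([xml]$x, [string]$name) {
    $x.Event.EventData.Data |
        Where-Object { $_.Name -eq $name } |
        ForEach-Object { $_.'#text' }
}

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $acct = $null; $src = $null
    switch ($e.Id) {
        4771 { $acct = Get-EventField $x 'TargetUserName'; $src = Get-EventField $x 'IpAddress' }
        4776 { $acct = Get-EventField $x 'TargetUserName'; $src = Get-EventField $x 'Workstation' }
        4625 { $acct = Get-EventField $x 'TargetUserName'; $src = Get-EventField $x 'IpAddress' }
    }
    # 4776 uses one ID for success and failure; Status 0x0 is success, skip it.
    if ($e.Id -eq 4776 -and (Get-EventField $x 'Status') -eq '0x0') { continue }
    New-Object PSObject -Property @{
        Time = $e.TimeCreated; Id = $e.Id; Account = $acct; Source = $src }
}

# 3. Many failures for one account from one source in a short window is the
#    brute force pattern lockout policy is meant to stop, and also the pattern
#    of a deliberate lockout of a service account (denial of service).
$rows | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Running it on NYC-DC1 right after the failed Aaron.Painter logon in the demonstration shows that attempt as a 4771 (Kerberos) or 4776 (NTLM) row, depending on how the logon was attempted; running it on the workstation or server where the logon was tried shows the matching 4625 instead.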
Lab B: Audit Authentication
Exercise: Audit Authentication
The goal of this lab is to give students practical, hands-on experience with the tasks required to secure authentication in an AD DS domain, in this lab through auditing of authentication.
Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise's AD DS domain. Specifically, you are to create an audit trail of logons.
Exercise 1
In this exercise, students will use Group Policy to enable auditing of both successful and unsuccessful logon activity by users in the contoso.com domain. They will then generate logon events and view the resulting entries in the event logs.
NOTE: Do not shut down the virtual machines after you are finished with this lab, because the settings you have configured here will be used in subsequent labs in this module.
Logon information
Virtual machines: 6425C-NYC-DC1, 6425C-NYC-SVR1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 20 minutes
379
Module 10: Improving the Security of Authentication in an AD DS Domain
Course 6425C Lab Scenario Module 10: Improving the Security of Authentication in an AD DS Domain The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise’s AD DS domain. Specifically, you need to create an audit trail of logons. -blank-
380
Module 10: Improving the Security of Authentication in an AD DS Domain
Course 6425C Lab Review Module 10: Improving the Security of Authentication in an AD DS Domain You have been asked to audit attempts to log on to desktops and laptops in the Finance division using local accounts such as Administrator. What type of audit policy do you set, and in what GPO(s)? Lab Review Use the questions on the slide to guide the discussion after students have completed the lab exercises. Question: You have been asked to audit attempts to log on to desktops and laptops in the Finance division using local accounts such as Administrator. What type of audit policy do you set, and in what GPO(s)? Answer: You will need to enable auditing for successful and failed account logon events. But because the accounts you are interested in are local accounts, which are authenticated by the local security authority on each desktop and laptop, you will need to do so in a GPO that is scoped to apply to the desktops and laptops in the Finance division. The settings do not need to be scoped to domain controllers.
381
Lesson 3: Configure Read-Only Domain Controllers
Course 6425C Lesson 3: Configure Read-Only Domain Controllers Module 10: Improving the Security of Authentication in an AD DS Domain Authentication and Domain Controller Placement in a Branch Office What Are Read-Only Domain Controllers? Prerequisites for Deploying an RODC Installing an RODC Demonstration: Configure a Password Replication Policy Demonstration: Administer RODC Credentials Caching Administrative Role Separation -blank-
382
Authentication and Domain Controller Placement in a Branch Office
Course 6425C Authentication and Domain Controller Placement in a Branch Office Module 10: Improving the Security of Authentication in an AD DS Domain
Data Center: Personnel; Secure facilities; Authentication of branch users subject to availability and performance of WAN.
Branch Office: Few, if any, personnel; Less secure facilities; Improved authentication. Security: Exposure of AD database. Directory Service Integrity: Corruption at branch replicating to other DCs. Administration: Administration requires Domain Admins membership.
Introduce the concept of a branch office and the typical characteristics of a branch office, which include few, if any, IT personnel (rarely any who should be performing domain service–level administration) and server facilities that are less secure, often a closet or even under someone's desk. Discuss the pros and cons of placing a "traditional" domain controller in a centralized data center versus in a branch office.
383
What Are Read-Only Domain Controllers?
Course 6425C What Are Read-Only Domain Controllers? Module 10: Improving the Security of Authentication in an AD DS Domain Data Center Writeable Windows Server 2008 domain controller Password Replication Policy Specifies which user (and computer) passwords can be cached by the RODC Branch Office RODC All objects Subset of attributes No "secrets" Not writeable Users log on RODC forwards authentication Password is cached If password replication policy allows Has a local Administrators group Give students an overview of the concepts of RODCs. The RODC maintains a copy of all objects in the domain and all attributes except for secrets such as password-related properties. When a user logs on in the branch, the RODC forwards the authentication to a domain controller in the hub site. If the Password Replication Policy allows that user's credentials to be cached on that RODC, the RODC caches the credentials and the next logon is authenticated by the RODC. The RODC slowly builds its cache of credentials based on logons and the password replication policy. Because the RODC maintains only a subset of user credentials, if it is lost or compromised, the impact is somewhat lower. Replication is one-way, from the hub site. Corruption that is introduced to the branch office domain controller will not be replicated to any other domain controller. RODCs have the equivalent of a local Administrators group. One or more local support personnel can fully maintain the RODC without granting them the equivalence of Domain Admins.
384
Prerequisites for Deploying an RODC
Course 6425C Prerequisites for Deploying an RODC Module 10: Improving the Security of Authentication in an AD DS Domain Ensure the forest functional level is Windows Server 2003 or higher: All domain controllers running Windows Server 2003 or later; All domains at a functional level of Windows Server 2003 or higher; Forest functional level set to Windows Server 2003 or higher. If the forest has any domain controllers running Windows Server 2003, run adprep /rodcprep (Windows Server 2008 CD:\sources\adprep folder). Ensure that there is at least one writeable domain controller running Windows Server 2008. Talk students through the four broad steps required to deploy an RODC. Domain and forest functional levels were introduced in the first module and will be covered in detail in a later module. If you are delivering those modules, try to avoid going into great depth about functional levels at this time. Rather, stick to the basic points shown on the slide. Mention that the RODC will replicate its contents of Active Directory from a writable Windows Server domain controller. Make sure that students understand that you only need one Windows Server 2008 domain controller to run adprep /rodcprep in order to introduce an RODC into an otherwise Windows Server 2003 forest. Reference For details regarding other options for installing an RODC, including delegated installation see
385
Module 10: Improving the Security of Authentication in an AD DS Domain
Course 6425C Installing an RODC Module 10: Improving the Security of Authentication in an AD DS Domain Install the RODC: Active Directory Domain Services Installation Wizard (dcpromo). Stage delegated installation of an RODC: Domain Controllers OU. Talk students through the scenario of helping a nonprivileged IT staff member to create and join an RODC in a remote branch office. The staff member can install Windows Server 2008, and can even run the Active Directory Domain Services Installation Wizard, but does not have administrative credentials that allow him or her to create a domain controller. Use this scenario to position the value of staging the delegated installation of an RODC. Optionally, demonstrate the creation of an RODC account in the Domain Controllers OU, or simply tell students that they will experience staging an RODC in the lab.
386
Demonstration: Configure a Password Replication Policy
Course 6425C Demonstration: Configure a Password Replication Policy Module 10: Improving the Security of Authentication in an AD DS Domain In this demonstration, you will see how to: View an RODC's password replication policy; Configure domain-wide password replication policy using the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group (the groups are added to all new RODCs' password replication policies by default); Configure RODC-specific password replication policy; Provision a Read-Only Domain Controller Account and delegate permissions.
Note: Before performing this demonstration, if the Domain Controller object for BRANCHDC01 does not yet exist, pre-create it on NYC-DC1 using these steps:
1. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. In the console tree, expand the contoso.com domain, and then click the Domain Controllers OU.
3. Right-click Domain Controllers and click Pre-create Read-only Domain Controller Account. The Active Directory Domain Services Installation Wizard appears.
4. Click Next.
5. On the Operating System Compatibility page, click Next.
6. On the Network Credentials page, click Next.
7. On the Specify the Computer Name page, type BRANCHDC01, and then click Next.
8. On the Select a Site page, click Next.
9. On the Additional Domain Controller Options page, click Next. Note that the Read-only domain controller option is selected and cannot be cleared. That is because, of course, you launched the wizard by choosing to pre-create a read-only domain controller account.
10. On the Delegation of RODC Installation and Administration page, click the Set button. The Select User or Computer dialog box appears.
11. Type Aaron.Painter_Admin, and then press Enter.
12. Click Next.
13. Review your selections on the Summary page, and then click Next.
14. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
Configure a password replication policy
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
2. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, click the Domain Controllers OU.
4. Right-click BRANCHDC01 and click Properties.
387
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Course 6425C Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane. Module 10: Improving the Security of Authentication in an AD DS Domain
5. Click the Password Replication Policy tab and view the default policy.
6. Click Cancel to close the BRANCHDC01 properties.
7. In the Active Directory Users and Computers console tree, click the Users container.
8. Double-click Allowed RODC Password Replication Group.
9. Click the Members tab.
10. Examine the default membership of Allowed RODC Password Replication Group.
11. Click OK.
12. Double-click Denied RODC Password Replication Group.
13. Click the Members tab.
14. Click Cancel to close the Denied RODC Password Replication Group properties.
Point out that BRANCHDC01 has two groups that were added to the list by default: Allowed RODC Password Replication Group and Denied RODC Password Replication Group. Mention that these groups are added to each RODC and given Allow and Deny settings by default. Emphasize that although it is called Password Replication Policy, it is not actually a policy in the sense of Group Policy. In fact, password replication policy is not really a centralized policy at all. Instead, each RODC maintains an individual password replication policy; it's just that the two domain global groups are added to each RODC's password replication policy by default, creating an effect of centralization. But in the end, it is just the allow and deny lists on each RODC that determine what passwords are and are not cached on the RODC. The most manageable way to ensure that users in a branch have their credentials cached on the RODC is to have a group, for example Branch Office Users, that is in the Allow list of the RODC. Then, you can simply add users to the Branch Office Users group, and their credentials will automatically be cached by the branch office RODC at the users' next logon.
Point out that in the password replication policy for BRANCHDC01, there are in fact custom groups for Branch Office Users and Branch Office Computers. Ask students why it might be important to have computers' credentials cached. Question: What would be the most manageable way to ensure that users in a branch have their credentials cached on an RODC?
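The per-RODC allow/deny evaluation and the slow build-up of the credential cache described above, as an added model (not Microsoft's implementation and not course code). The two default group names are the ones on the slide; the memberships, branch groups and logon sequence are constructed, and nested groups are flattened for brevity.

```python
"""Model of an RODC password replication policy (PRP) and credential cache.

Added example for the PRP discussion above; it is a simplified model, not
Microsoft's implementation. The two default group names are those on the
slide; the group memberships, the branch groups and the logon sequence are
constructed sample data (nested groups are flattened for brevity).
"""

# Entries present in every new RODC's PRP. An account matched by a Deny
# entry is never cached, even if an Allow entry also matches it.
DEFAULT_PRP = [
    ("Allowed RODC Password Replication Group", "Allow"),
    ("Denied RODC Password Replication Group", "Deny"),
]


class Rodc:
    def __init__(self, name, group_members, extra_policy=()):
        self.name = name
        self.policy = list(DEFAULT_PRP) + list(extra_policy)  # this RODC's own allow/deny list
        self.group_members = group_members                    # group name -> set of accounts
        self.cache = set()                                    # accounts whose secrets are stored here

    def resultant_policy(self, account):
        """Allow only if some Allow entry matches the account and no Deny entry does."""
        allowed = denied = False
        for principal, setting in self.policy:
            members = self.group_members.get(principal, {principal})  # a bare account matches itself
            if account in members:
                if setting == "Deny":
                    denied = True
                else:
                    allowed = True
        return "Deny" if denied or not allowed else "Allow"

    def logon(self, account):
        """First logon is forwarded to a writable DC; the secret is cached only if allowed."""
        if account in self.cache:
            return "authenticated by RODC"
        if self.resultant_policy(account) == "Allow":
            self.cache.add(account)
            return "forwarded to hub DC; credentials now cached"
        return "forwarded to hub DC; not cached"

    def prepopulate(self, accounts):
        """Prepopulate the cache; returns the accounts the resultant policy rejected."""
        rejected = [a for a in accounts if self.resultant_policy(a) != "Allow"]
        self.cache.update(a for a in accounts if a not in rejected)
        return rejected

    def exposure_if_compromised(self):
        """Secrets that a physical compromise of this RODC would expose."""
        return sorted(self.cache)


def build_sample_rodc():
    """Constructed BRANCHDC01 with the branch groups discussed on the slide."""
    groups = {
        "Denied RODC Password Replication Group": {"Pat.Coleman_Admin", "krbtgt"},
        "Allowed RODC Password Replication Group": set(),
        "Branch Office Users": {"Chris.Gallagher", "Aaron.Painter", "Pat.Coleman_Admin"},
        "Branch Office Computers": {"BRANCHCLIENT01$"},
    }
    branch_policy = [("Branch Office Users", "Allow"), ("Branch Office Computers", "Allow")]
    return Rodc("BRANCHDC01", groups, branch_policy)


if __name__ == "__main__":
    rodc = build_sample_rodc()
    for who in ("Chris.Gallagher", "Chris.Gallagher", "Pat.Coleman_Admin", "Bob.Visitor"):
        print(who, "->", rodc.logon(who))
    print("rejected by prepopulate:", rodc.prepopulate(["Aaron.Painter", "BRANCHCLIENT01$", "krbtgt"]))
    print("exposed if stolen:", rodc.exposure_if_compromised())
```

Note that Pat.Coleman_Admin is in Branch Office Users yet is never cached, because the Denied group entry wins.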
388
Demonstration: Administer RODC Credentials Caching
Course 6425C Demonstration: Administer RODC Credentials Caching Module 10: Improving the Security of Authentication in an AD DS Domain In this demonstration, you will review: Policy Usage Reports (Accounts Whose Passwords Are Stored On This Read-Only Domain Controller; Accounts That Have Been Authenticated To This Read-Only Domain Controller); Resultant Policy; Prepopulating credentials in the RODC cache. For this demonstration, use the virtual machine BRANCHDC01, and open Policy Usage.
Demonstration Steps
1. In the Active Directory Users and Computers console tree, click the Domain Controllers OU.
2. In the details pane, right-click BRANCHDC01, and then click Properties.
3. Click the Password Replication Policy tab.
4. Click Advanced. The Advanced Password Replication Policy for BRANCHDC01 dialog box appears. The Policy Usage tab displays Accounts whose passwords are stored on this Read-Only Domain Controller.
5. From the drop-down list, select Accounts Whose Passwords Are Stored On This Read-Only Domain Controller.
6. From the drop-down list, select Accounts That Have Been Authenticated To This Read-Only Domain Controller.
7. Click the Resultant Policy tab, and then click Add. The Select Users or Computers dialog box appears.
8. Type Chris.Gallagher, and then press Enter.
9. Click the Policy Usage tab.
10. Click Prepopulate Passwords. The Select Users or Computers dialog box appears.
11. Type the name of the account you want to prepopulate (for example, type Chris.Gallagher), and then click OK.
12. Click Yes to confirm that you want to send the credentials to the RODC. The following message typically appears: Passwords for all accounts were successfully prepopulated. Note that in this demonstration BRANCHDC01 is not running, so an error is observed instead.
13. Click OK.
14. Click Close.
389
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Course 6425C Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane. Module 10: Improving the Security of Authentication in an AD DS Domain Ask students what information they would glean by reviewing the two reports. What changes might they make to their environment for a user that appears on the first report, who doesn't typically work in that branch office? What changes might they make for a user that appears on the second report who does work in the branch office? Why would computers appear on the second report, and what would you do if you started to see every computer in the branch office listed? The answers to these questions should help students understand that the goal of the reports is to make sure that the RODC is caching the credentials it needs to best perform its job of authenticating users and computers in the branch office, and is not unnecessarily caching credentials for users that don't require authentication in the branch. Ask students: Why would you want to prepopulate credentials in the RODC cache? Help students understand that credential caching on an RODC is not the same as BranchCache on Windows Server 2008 R2.
390
Administrative Role Separation
Course 6425C Administrative Role Separation Module 10: Improving the Security of Authentication in an AD DS Domain Allows performing local administrative tasks on the RODC. Each RODC maintains a local Security Account Manager (SAM) database of groups for specific administrative purposes. The dsmgmt command allows you to manage the local roles:
dsmgmt [enter]
local roles [enter]
? [enter] for a list of commands
list roles [enter] for a list of roles
add username administrators [enter]
Ask students to consider what types of administrative tasks might be necessary to perform on a domain controller in a branch office. Answers such as applying updates or troubleshooting hardware or driver problems are good examples. Find out if any students have branch offices with only one server. Does that server act as a domain controller? Is it a dedicated domain controller or does it share roles, acting perhaps as a file server as well? Mention that if a server plays multiple roles, including that of a domain controller, the need for administrative support increases. What administrative tasks might be necessary to perform on a server that acts both as an RODC and as a file server? Backup would be a good example. Reference RODCs are a valuable new feature for improving authentication and security in branch offices. Be sure to read the detailed documentation on the Microsoft Web site at:
391
Lab C: Configure Read-Only Domain Controllers
Course 6425C Lab C: Configure Read-Only Domain Controllers Module 10: Improving the Security of Authentication in an AD DS Domain Exercise 1: Install an RODC Exercise 2: Configure Password Replication Policy Exercise 3: Manage Credential Caching The goals of this lab are to give students a practical, hands-on experience with the tasks required to secure authentication in an AD DS domain—in this lab, through the implementation of read-only domain controllers. Scenario The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise’s AD DS domain. Specifically, you are to improve the security of domain controllers in branch offices. Exercise 1 In this exercise, students will stage a delegated installation of BRANCHDC01 as an RODC, delegated so that Aaron Painter can complete the installation. They will then promote BRANCHDC01 (currently, a workgroup server) using Aaron Painter's credentials. Exercise 2 In this exercise, students will configure domain-wide password replication policy and the password replication policy specific to BRANCHDC01. Logon information Virtual machine 6425C-NYC-DC1 6425C-BRANCHDC01 Logon user name Pat.Coleman Administrative user name Pat.Coleman_Admin Administrator Password Pa$$w0rd Estimated time: 20 minutes
392
Module 10: Improving the Security of Authentication in an AD DS Domain
Course 6425C Lab Scenario Module 10: Improving the Security of Authentication in an AD DS Domain The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise’s AD DS domain. Specifically, you are to improve the security of domain controllers in branch offices. -blank-
393
Module 10: Improving the Security of Authentication in an AD DS Domain
Course 6425C Lab Review Module 10: Improving the Security of Authentication in an AD DS Domain Why should you ensure that the password replication policy for a branch office RODC has, in its Allow list, the accounts for the computers in the branch office as well as the users? What would be the most manageable way to ensure that computers in a branch are in the Allow list of the RODC's password replication policy? Lab Review Use the questions on the slide to guide the discussion after students have completed the lab exercises. Question: Why should you ensure that the password replication policy for a branch office RODC has, in its Allow list, the accounts for the computers in the branch office as well as the users? Answer: Computers must authenticate to the domain as well as users, so the logic is the same as with users: you want to improve authentication performance over the WAN and ensure that authentication can continue even if the WAN link is unavailable. Question: What would be the most manageable way to ensure that computers in a branch are in the Allow list of the RODC's password replication policy? Answer: Create a group for computers, for example Branch Office Computers.
394
Module Review and Takeaways
Course 6425C Module Review and Takeaways Module 10: Improving the Security of Authentication in an AD DS Domain Review Questions; Common Issues Related to Authentication in an AD DS Domain; Real-World Issues and Scenarios; Best Practices Related to Authentication in an AD DS Domain; Tools; Windows Server 2008 R2 Features Introduced in this Module.
Review Questions
Question: In your organization, a number of users deal with confidential files on a regular basis. You need to ensure that all these users have strict account policies enforced. The user accounts are scattered across multiple OUs. How would you accomplish this with the least administrative effort? Answer: Create a shadow global group and place all the appropriate users into that group. Then create and assign a PSO to the group.
Question: Where should you define the default password and account lockout policies for user accounts in the domain? Answer: Configure the baseline password and account lockout policies in the Default Domain Policy GPO.
Question: What would be the disadvantage of auditing all successful and failed logons on all machines in your domain? Answer: Such an audit policy would generate a tremendous number of audit entries across every machine in your domain. Managing the security event logs and locating the events that indicate potential problems would be very difficult. It is best to align your audit policy with the specific, narrowly targeted auditing goals and requirements of your organization.
Question: What are the advantages and disadvantages of prepopulating the credentials for all users and computers in a branch office to that branch's RODC? Answer: There is no clear-cut answer to this question. Use it to review the strategic role of an RODC.
By prepopulating the credentials of users and computers in the branch RODC cache, you ensure that authentication performance is maximized (on the first logon—after that, the credential would have been cached because the users are on the Allow list anyway); and you ensure that, if the WAN link is unavailable on the first logon, users can authenticate. The disadvantage is that, should there be a breach of physical security on the RODC, those credentials are exposed even if the users have not yet logged on in the branch.
Common Issues Related to Authentication in Active Directory
Issue: User is not forced to change the password even if that setting is configured in Default Domain Policy. Troubleshooting tip: Check the user account properties in Active Directory Users and Computers. The Password never expires option might be enabled for that specific user.
Issue: User or group does not have the right PSO applied. Troubleshooting tip: Check if you have created multiple PSOs and linked them to the same user or group. If so, check the Precedence value.
Issue: You cannot deploy an RODC. Troubleshooting tip: Check if you have at least one Windows Server 2008 or Windows Server 2008 R2 domain controller. Check if the domain functional level is Windows Server 2003.
395
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Course 6425C Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane. Module 10: Improving the Security of Authentication in an AD DS Domain
Real World Issues and Scenarios
You must ensure that all users change their password every 30 days. Company procedures specify that if a user's password will expire while the user is out of the office, the user may change his or her password prior to departure. You must account for a user that is out of the office for up to two weeks. Additionally, you must ensure that a user cannot reuse a password within a one-year time period. How would you configure account policies to accomplish this?
Answer: Some answers may vary slightly depending upon how students do the math. Focus on whether students accounted for the requirements correctly, not on whether everyone agrees on exactly the same outcome.
Max password age: 30 days
Min password age: 16 days (answers between 14 and 17 are acceptable), to account for a user who leaves the office exactly two weeks before the password expires and wants to change the password
Enforce password history: 22 (answers between 21 and 27 are acceptable), to account for the possibility that a user might change the password every Min password age (14–17 days) for the entire year. Password history must be 365 days per year / Min password age.
Best Practices Related to Authentication in an AD DS Domain
Use the Default Domain Policy GPO to specify general password and account lockout policies that will apply to most users.
Use fine-grained password policy to specify password and account lockout policies for specific users and groups with administrative privileges.
Do not enable all options for auditing, as you will produce many security log entries that will be hard to search. Use advanced audit policy to have more granular control.
Deploy RODCs in sites where physical security is an issue.
Tools
Tool: Group Policy Management console. Used for: Editing and managing Group Policy objects. Where to find it: Administrative Tools.
Tool: ADSI Edit. Used for: Creating Password Settings Objects.
Tool: Dcpromo. Used for: Creating and managing domain controllers. Where to find it: Command-line utility.
Windows Server 2008 R2 Features Introduced in this Module
Feature: Advanced Audit Policies. Description: New settings in Group Policy objects for more detailed auditing of various system events.
396
Module 11: Configuring Domain Name System
Course 6425C Module 11: Configuring Domain Name System Presentation: 105 minutes, Lab: 65 minutes Objectives After completing this lesson, you will be able to: Describe the concepts, components, and processes of DNS. Install and configure DNS. Describe how AD DS, DNS, and Windows are integrated. Describe the advanced configuration and administration tasks of DNS. Module Exam Objectives Understand the role, structure, and functionality of DNS. Describe client and server name resolution processes. Install DNS. Manage DNS records. Configure DNS server settings. Understand the integration between AD DS and DNS. Choose a DNS domain for an Active Directory domain. Create a zone delegation for a new Active Directory domain. Configure replication for Active Directory–integrated zones. Describe the purpose of Service Locator (SRV) records in the domain controller location process. Understand read-only DNS servers. Understand and configure single-label name resolution. Configure advanced DNS server settings. Audit, maintain, and troubleshoot the DNS server role.
397
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Course 6425C Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane. Module 11: Configuring Domain Name System Preparation for Demos There is one demonstration in Lesson 3, but it requires three virtual machines to carry it out. To prepare for the demos in this module, carry out the steps below. Boot times may be 5–10 minutes for 6425C-NYC-DC1, so it is advisable to start at least that virtual machine now. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd. Open D:\Labfiles\Lab11b. Run Lab11b_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd. The lab setup script runs. When it is complete, press any key to continue. Close the Windows Explorer window, Lab11b. Start 6425C-NYC-DC2. Log on to NYC-DC2 as Pat.Coleman with the password Pa$$w0rd. Preparation for Labs There are two labs during the course of the module. To prepare for them, launch the virtual machines for Lab A now and, when Lab A is finished, launch the virtual machines for Lab B. The virtual machines used in Lab A are 6425C-NYC-DC1 and 6425C-NYC-DC2.
398
Module 11: Configuring Domain Name System
Course 6425C Module Overview Module 11: Configuring Domain Name System Install and Configure DNS in an AD DS Domain Integration of AD DS, DNS, and Windows Advanced DNS Configuration and Administration -blank-
399
Lesson 1: Install and Configure DNS in an AD DS Domain
Course 6425C Lesson 1: Install and Configure DNS in an AD DS Domain Module 11: Configuring Domain Name System Install and Manage the DNS Server Role Create a Zone Create Resource Records Configure Redundant DNS Servers Configure Forwarders Client Configuration In this lesson, you will guide students through the most fundamental processes related to installing and configuring DNS in a domain. The focus of this lesson is an intranet environment. Avoid discussing anything related to external domains until the next lesson. You do not need to spend too much time teaching this lesson and you can cover it very briefly if the students are already familiar with this content.
400
Install and Manage the DNS Server Role
Course 6425C Install and Manage the DNS Server Role Module 11: Configuring Domain Name System Installation Methods Server Manager Roles Add Role Active Directory Domain Services Installation Wizard DNS Manager Snap-In Server Manager DNS Manager console (dnsmgmt.msc) dnscmd.exe
401
Module 11: Configuring Domain Name System
Course 6425C Create a Zone Module 11: Configuring Domain Name System Right-click Forward Lookup Zones Select zone type Specify replication (Active Directory integrated zones only) All DNS servers in forest All DNS servers in domain All domain controllers in domain (for compatibility with Windows® 2000 domain controllers) Enter zone name (DNS domain name) Manage updates Discuss or demonstrate the creation of a DNS zone. Mention the three zone types. Remind students that a primary zone can be updated only on one server, a secondary zone is a read-only copy of a zone hosted on another server, and a stub zone is a dynamically updated set of pointers to name servers in another domain. The check box at the bottom of the Zone Type page allows you to store a zone in Active Directory. This check box is available only if the DNS server on which you are creating the zone is a domain controller. If the zone is Active Directory-integrated, you can then specify where you want the zone replicated. Explain to students that all domain controllers that participate in the replication are able to resolve names in the zone and also write records to the zone. Explain that the zone name will be a DNS domain name. Updates are explained on the next slide.
402
Create Resource Records
Course 6425C Create Resource Records Module 11: Configuring Domain Name System Right-click the zone Dialog box appears specific to the record type you choose This discussion of resource records completes the discussion of the creation of a zone on a DNS server. The next slides take the infrastructure to the next level, with redundant DNS servers and forwarders.
403
Configure Redundant DNS Servers
Course 6425C Configure Redundant DNS Servers Module 11: Configuring Domain Name System Active Directory–integrated zone: Add the DNS server role to another domain controller. Standard primary zone: Add NS records for secondary servers; Master server: the server from which the zone will be copied (need not be the primary server; must allow zone transfers); Secondary server: create a new forward lookup zone, choose a secondary zone, and configure the master server. The first bullet point simply points out that redundancy for Active Directory–integrated zones is simply a matter of adding the DNS server role to another domain controller in the same domain. Active Directory–integrated zones and replication are detailed in the next lesson, so do not go into that detail yet. Instead, focus on the steps that are necessary for non-Active Directory–integrated zones.
404
Module 11: Configuring Domain Name System
Course 6425C Configure Forwarders Module 11: Configuring Domain Name System Right-click DNS server, Properties, Forwarders. For all names not in your domain, resolve using your Internet service provider's DNS servers. If forwarders are not available, use root servers based on root hints. Use this slide to tell students how to resolve external names by using the DNS servers of their Internet service provider. Mention to students that you are explaining only the simplest model at this point, and that more complex models will be described in the next lesson. Explain that forwarders allow a DNS server to perform recursive queries against a "parent" DNS server. Point out the check box at the bottom of the dialog box. The result of selecting this option is that if this DNS server cannot forward a recursive query to one of the listed forwarders, it will then attempt iterative queries beginning with the root name servers specified in this server's root hints.
405
Module 11: Configuring Domain Name System
Course 6425C Client Configuration Module 11: Configuring Domain Name System IP configuration of client netsh interface ipv4 set dns "Local Area Connection" static primary netsh interface ipv4 add dns "Local Area Connection" Dynamic Host Configuration Protocol scope option 6 Explain to students that clients must be pointed to a DNS server. Because the DNS Client service is distinct from all Active Directory–related components, a client does not assume that its domain controller is a DNS server. Clients should have at least two DNS servers configured. The configuration can be fixed in the client’s IP configuration, as shown on the slide. Or if the client is using DHCP to obtain its IP configuration, the DHCP server can be configured to provide the address of DNS servers using DHCP scope option 6: DNS Server. Reinforce the fact that clients do not query their secondary DNS servers unless the primary DNS server is offline. The secondary DNS server is not queried if the primary server returns a negative response (that is, it cannot resolve a record).
406
Lab A: Install the DNS Service
Course 6425C Lab A: Install the DNS Service Module 11: Configuring Domain Name System
Exercise 1: Add the DNS Server Role
Exercise 2: Configure Forward Lookup Zones and Resource Records
Scenario
You are an administrator at Contoso, Ltd. You recently added a second domain controller to your enterprise, and you want to add redundancy to the DNS server hosting the domain's zone. Currently, the only DNS server for the contoso.com zone is NYC-DC1. You need to ensure that clients that resolve against the new DNS server, NYC-DC2, can access Internet websites. Additionally, you need to configure a subdomain to support name resolution that the development team requires to test an application.
Exercise 1: In this exercise, students add the DNS server role to NYC-DC2, examine the domain zone that is automatically populated on the DNS server, and then configure NYC-DC2 to use itself as its primary DNS server.
Exercise 2: In this exercise, students add a forward lookup zone for the development domain at Contoso. They then add a host (A) record and a CNAME record to the zone, and confirm that name resolution for the new zone is functioning.
Logon information
Virtual machine 6425C-NYC-DC1: do not log on
Virtual machine 6425C-NYC-DC2: logon user name Pat.Coleman; administrative user name Pat.Coleman_Admin; password Pa$$w0rd
Estimated time: 30 minutes
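The following is an added example, not part of the 6425C courseware: it performs the same steps as Lab A (add the role, configure forwarders with root-hint fallback, point the server at itself and at NYC-DC1, create the development zone with an A and a CNAME record, then verify) in PowerShell. It assumes the DnsServer, DnsClient, DhcpServer and ServerManager modules, which ship with Windows Server 2012 and later (the course's 2008 R2 machines would use dnscmd.exe and netsh instead), and these constructed addresses: NYC-DC1 = 10.0.0.10, NYC-DC2 = 10.0.0.11, ISP resolvers = 203.0.113.53 and 198.51.100.53, application host = 10.0.0.50, DHCP scope 10.0.0.0.

```powershell
# Added example (not courseware code). Run on NYC-DC2 as an administrator.
# Addresses are constructed; see the lead-in for the module assumptions.

$self    = '10.0.0.11'                        # NYC-DC2 (assumed)
$partner = '10.0.0.10'                        # NYC-DC1 (assumed)
$ispDns  = '203.0.113.53', '198.51.100.53'    # ISP resolvers (assumed)
$devZone = 'development.contoso.com'

# Exercise 1: add the DNS Server role. Because contoso.com is AD-integrated,
# the zone appears on this DC by replication once the role is installed.
Install-WindowsFeature -Name DNS -IncludeManagementTools | Out-Null

# Forward every name this server is not authoritative for to the ISP, and fall
# back to root hints only if no forwarder responds (the slide's check box).
Add-DnsServerForwarder -IPAddress $ispDns
Set-DnsServerForwarder -UseRootHint $true

# Point NYC-DC2 at itself first and NYC-DC1 second: two servers minimum, and
# both must be able to resolve the same names, since the secondary is only
# used when the primary does not answer at all.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $self, $partner

# If clients get their IP configuration from DHCP, publish the same servers
# through scope option 6 (scope ID is assumed).
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -DnsServer $self, $partner

# Exercise 2: a separate AD-integrated zone for the development team that
# accepts only secure dynamic updates and replicates to every DNS-server DC
# in the domain.
Add-DnsServerPrimaryZone -Name $devZone -ReplicationScope Domain -DynamicUpdate Secure
Add-DnsServerResourceRecordA     -ZoneName $devZone -Name 'app01' -IPv4Address '10.0.0.50'
Add-DnsServerResourceRecordCName -ZoneName $devZone -Name 'www'   -HostNameAlias "app01.$devZone"

# Verification: the alias must resolve through the new server (CNAME then A),
# and an Internet name must resolve through the forwarders.
Resolve-DnsName -Name "www.$devZone" -Server $self -DnsOnly |
    Format-Table Name, Type, IPAddress, NameHost -AutoSize
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server $self -DnsOnly |
    Select-Object -First 1 Name, IPAddress
```

If the last query fails while the first succeeds, the forwarders (or the firewall path to them) are the problem, which is exactly the situation the Lab Review question about missing forwarders describes.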
407
Course 6425C Lab Scenario Module 11: Configuring Domain Name System
You are an administrator at Contoso, Ltd. You recently added a second domain controller to your enterprise, and you want to add redundancy to the DNS server hosting the domain's zone. Currently, the only DNS server for the contoso.com zone is NYC-DC1. You need to ensure that clients that resolve against the new DNS server, NYC-DC2, can access Internet websites. Additionally, you need to configure a subdomain to support name resolution that the development team requires to test an application.
408
Course 6425C Lab Review Module 11: Configuring Domain Name System
If you did not configure forwarders on NYC-DC2, what would be the result for clients that use NYC-DC2 as their primary DNS server?
What would happen to clients' ability to resolve names in the development.contoso.com domain if you had chosen a stand-alone DNS zone, rather than an Active Directory–integrated zone? Why would this happen? What should you do to solve this problem?
Use the questions on the slide to guide the discussion after students have completed the lab exercises.
Question: If you did not configure forwarders on NYC-DC2, what would be the result for clients that use NYC-DC2 as their primary DNS server?
Answer: They cannot resolve names other than those in the contoso.com domain (zone), unless the server can still reach the root servers through its root hints.
Question: What would happen to clients' ability to resolve names in the development.contoso.com domain if you had chosen a stand-alone DNS zone, rather than an Active Directory–integrated zone? Why would this happen? What would you have to do to solve this problem?
Answer: Clients that query the other DNS server would be unable to resolve names in the zone, because that server would not receive a replica of the zone. This could be solved by making the zone Active Directory–integrated, by hosting a secondary zone on the other DNS server, or by creating a stub zone that refers queries to the server hosting the development.contoso.com zone.
Preparation for Lab B: To prepare for the next lab in this module, ask students to launch 6425C-NYC-DC1, 6425C-NYC-DC2 and 6425C-TST-DC1.
409
Lesson 2: Integration of AD DS, DNS, and Windows
Course 6425C Lesson 2: Integration of AD DS, DNS, and Windows Module 11: Configuring Domain Name System Integrate AD DS and the DNS Namespace Split-Brain DNS Create a Delegation for an Active Directory Domain Active Directory–Integrated Zones Application Partitions for DNS Zones DNS Application Partitions Dynamic Updates Background Zone Loading Service Locator Records Demonstration: SRV Resource Records Registered by AD DS Domain Controllers Domain Controller Location Read-Only DNS Zones
410
Integrate AD DS and the DNS Namespace
Course 6425C Integrate AD DS and the DNS Namespace Module 11: Configuring Domain Name System
An Active Directory domain must have a DNS name
Active Directory domain name vs. external DNS namespace (slide examples):
Active Directory uses the same domain name as the public namespace: contoso.com / contoso.com
Active Directory uses a subdomain of the public domain: ad.contoso.com
Active Directory uses a separate domain name: contoso.net
Use the build slide to compare options for integrating the internal DNS namespace with external namespaces. Emphasize the importance of maintaining separate DNS servers for internal and external name resolution. The internal DNS zones must never be exposed to the Internet, because they contain all of the domain controller records (and, with dynamic updates, a record for every domain member), which is exactly the reconnaissance an attacker wants. Mention that Active Directory requires DNS, but that it does not require any particular type of DNS server; the internal and external DNS servers can be different products. Discuss the pros and cons and details of each option. If you use the same namespace for Active Directory as for your external domain namespace, you have to implement "split-brain DNS", which is detailed on the next slide. If you use a separate domain name, such as contoso.net, and that name lies within a valid top-level domain, register it so that it is not usurped by another organization; otherwise someone else can register it, and any of your hosts that roam outside the internal network will send queries for your internal names to a server you do not control. Real-world experience has started to reveal the disadvantages of domain names that are deep in the DNS namespace. Administrators and end users alike need to type fully qualified domain names (FQDNs) far more often than you would expect, and the longer your Active Directory domain name, the more you (and everyone in your enterprise) will have to type, over and over. Additionally, URLs and UNCs have length limits, which are easier to hit if you have a lengthy Active Directory domain name to start with.
For these reasons, using the same namespace as your external namespace (with split-brain DNS) or a first-level registered domain name is highly recommended. The reality is that today, systems, partners, customers, and applications are increasingly connected. There is less and less opportunity for namespace separation, and less value provided by it. Therefore, it is often best to use a domain name that is most memorable, most closely associated with your organization, and easiest to type.
Reference: How DNS Support for Active Directory Works
411
Course 6425C Split-Brain DNS Module 11: Configuring Domain Name System
The zone that supports AD DS: secured from Internet exposure; dynamic; fully populated with AD DS client, server, and service records
The zone that supports the external namespace: secure; static; populated only with the records related to external resources
Some (manually maintained) duplication of records, such as www
If you use the same namespace for Active Directory as for your external domain namespace, you must be careful to segregate the name servers for that namespace. External queries should only be able to resolve names such as www or ftp. They should not be able to resolve names such as HQDC01 or FILESERVER10, nor the _ldap and _kerberos service locator records, which together hand an outsider a map of your domain controllers. This requires that publicly accessible DNS servers host a zone for your domain that is manually maintained and contains only the records that are appropriate for external resolution. All systems within the domain should be pointed to separate, internal DNS servers that provide full resolution for all names in the domain. Some records may need to be duplicated. For example, if you want your internal users to be able to get to your external website, you may need to add the www record to the internally hosted zone. Similarly, if you want partners to get to portal.contoso.com, that record needs to be in both the public and internal zones, and whenever the public address changes the internal copy must be updated by hand. This configuration is quite common, and is called "split-brain DNS."
Slide example zone: contoso.com
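The check a practitioner wants after setting up split-brain DNS is that the public copy really does not answer for internal names. The following is an added example, not part of the courseware: it asks the public name servers for every domain controller host name known to AD and for the DC locator records, and reports anything that resolves. It assumes the DnsClient and ActiveDirectory PowerShell modules (Windows Server 2012 and later, or RSAT); the public name-server addresses are constructed from the documentation range.

```powershell
# Added example (not courseware code). Detects internal records that leaked
# into the Internet-facing copy of a split-brain zone. Assumes the DnsClient
# and ActiveDirectory modules; public name-server addresses are constructed.

function Test-SplitBrainLeak {
    param(
        [Parameter(Mandatory)][string]   $Zone,              # e.g. contoso.com
        [Parameter(Mandatory)][string[]] $PublicNameServer   # external authoritative servers
    )
    # Names that must never resolve from outside: every DC host name from AD
    # plus the locator records that domain members use to find DCs.
    $dcHosts = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $internalOnly = @($dcHosts) + @(
        "_ldap._tcp.dc._msdcs.$Zone",
        "_kerberos._tcp.dc._msdcs.$Zone",
        "_ldap._tcp.$Zone"
    )
    foreach ($ns in $PublicNameServer) {
        foreach ($name in $internalOnly) {
            $type = if ($name.StartsWith('_')) { 'SRV' } else { 'A_AAAA' }
            # -DnsOnly and -NoHostsFile: ask the named server directly, with no
            # cache, hosts file or LLMNR/NetBIOS fallback that could mask the result.
            $answer = Resolve-DnsName -Name $name -Type $type -Server $ns `
                          -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
            [pscustomobject]@{
                NameServer = $ns
                Name       = $name
                Leaked     = [bool]$answer
                Answer     = ($answer | ForEach-Object {
                                 if ($_.Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress }
                             }) -join ', '
            }
        }
    }
}

# Expect no rows. Each row printed is a record to remove from the public zone,
# and a hint that the internal zone data may be what is being published.
Test-SplitBrainLeak -Zone 'contoso.com' -PublicNameServer '203.0.113.2', '203.0.113.3' |
    Where-Object Leaked | Format-Table -AutoSize
```

Run it from a host that can reach the public name servers directly; run from inside the network it would also catch an internal resolver that has been mistakenly exposed on the Internet-facing address.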
412
Create a Delegation for an Active Directory Domain
Course 6425C Create a Delegation for an Active Directory Domain Module 11: Configuring Domain Name System
Necessary if the child domain zone is hosted on different DNS servers
Create the delegation in the parent DNS domain (zone): right-click the zone, New Delegation; refer to the server that is (or will be) the child domain DNS server
Configure the DNS client on the child domain server: the primary DNS server should be the parent DNS server
Install the DNS role and zone: Server Manager, add the role, then create the primary zone; or DCPromo can install DNS while promoting the server to a domain controller
Optional but typical configuration: reconfigure the child's DNS client to refer to itself as primary DNS server; add the parent DNS server as a forwarder on the child server; configure the new zone to be Active Directory–integrated with secure dynamic update
Review the concept of delegation, with the example that the Internet's .com name servers don't maintain records for your domain (such as contoso.com), but rather have "pointers" (NS records, plus glue A records for the name servers) that direct DNS clients to the authoritative name servers for your domain. This is a delegation.
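The procedure above, as an added PowerShell example that is not part of the courseware: the parent side creates the NS and glue records, the child side is pointed at the parent while its zone is built, then switched to itself with the parent as forwarder, and both sides are checked. It assumes the DnsServer and DnsClient modules (Windows Server 2012 and later); the zone names and addresses (NYC-DC1 = 10.0.0.10 hosting contoso.com, NYC-DC2 = 10.0.0.11 hosting the child) are constructed.

```powershell
# Added example (not courseware code). Delegates development.contoso.com to
# NYC-DC2. Names and addresses are constructed; modules: DnsServer, DnsClient.

$parentZone = 'contoso.com'
$child      = 'development'
$childZone  = "$child.$parentZone"
$parentDns  = '10.0.0.10'   # NYC-DC1, hosts contoso.com (assumed)
$childDns   = '10.0.0.11'   # NYC-DC2, will host the child zone (assumed)

# --- On the parent DNS server (NYC-DC1): NS record for the child plus the
#     glue A record that lets resolvers reach the child name server.
Add-DnsServerZoneDelegation -Name $parentZone -ChildZoneName $child `
    -NameServer "nyc-dc2.$parentZone" -IPAddress $childDns

# --- On the child DNS server (NYC-DC2) ---
# 1. Resolve through the parent while the child zone is being built.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $parentDns

# 2. Create the child zone: AD-integrated, secure dynamic updates only.
Add-DnsServerPrimaryZone -Name $childZone -ReplicationScope Domain -DynamicUpdate Secure

# 3. Typical follow-up: the child server uses itself first (parent second) and
#    forwards names it is not authoritative for to the parent rather than
#    straight to the Internet, so the parent's policy applies to both.
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $childDns, $parentDns
Add-DnsServerForwarder -IPAddress $parentDns

# Checks: the parent must know the child's name servers, and the child server
# must answer for its own SOA. If the first works and the second does not, the
# delegation points at a server that has not been given the zone yet.
Resolve-DnsName -Name $childZone -Type NS  -Server $parentDns -DnsOnly
Resolve-DnsName -Name $childZone -Type SOA -Server $childDns  -DnsOnly
```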
413
Active Directory–Integrated Zones
Course 6425C Active Directory–Integrated Zones Module 11: Configuring Domain Name System DNS zone data is stored in AD DS Allows multimaster writes to zone Replicates DNS zone information by using AD DS replication Leverages efficient replication topology Uses efficient Active Directory replication processes: Incremental updates Enables secure dynamic updates Security: Can delegate zones, domains, RRs You touched on Active Directory–integrated zones both in Lesson 1 and Lesson 2. This slide is meant to set up a detailed discussion of Active Directory zones, including application partitions (see next slide). Use this slide to remind students of what you’ve already told them. Ask the students if they can think of any disadvantages to storing DNS information in AD DS. One possible answer might be that if dynamic updates are enabled for all computers in an enterprise, the Active Directory database can be very large. References DNS Help: Understanding Active Directory Domain Services Integration How DNS Support for Active Directory Works
414
Application Partitions for DNS Zones
Course 6425C Application Partitions for DNS Zones Module 11: Configuring Domain Name System Store DNS zones in one of the default application partitions Replication scope is the difference Create a custom partition and define its scope Partitions were introduced in Module 1. If students are not familiar with the concept of the AD DS partitions, briefly describe the three “main” partitions: domain, configuration, and schema. Next describe how those partitions can store DNS information. Highlight that, by default, DNS information is stored in different partitions from the other AD DS information. Mention that the default application partitions for storing DNS information in AD DS are automatically created when DNS is installed and configured during AD DS installation. To create the partitions after AD DS is installed, you can use the DNS management tool or the DNSCMD command-line tool. List the different partitions that are available for storing DNS information in AD DS. Mention that the primary reason for choosing each of the different zones is because each partition has a different replication scope. Consider using a diagram to describe the replication scopes for each partition. Include domain controllers that are not DNS servers and domain controllers that are in a different domain, and then show the effects of storing the Active Directory DNS information in each zone. Provide scenarios for when organizations might choose each option to store the DNS information in each partition. Summarize how to create a custom application partition for storing DNS information. 
References
How DNS Support for Active Directory Works
DNS Help: Create a DNS application directory partition
DNS Help: To enlist a DNS server in a DNS application directory partition
Replication scope by storage location (slide diagram):
Domain partition: to all domain controllers in the AD DS domain, whether or not they run DNS (the Windows 2000 behaviour)
DomainDnsZones application partition: to all domain controllers that are DNS servers in the AD DS domain
ForestDnsZones application partition: to all domain controllers that are DNS servers in the AD DS forest
Custom application partition: to all domain controllers enlisted in the replication scope of that partition
(The configuration and schema partitions appear in the diagram for completeness; DNS zones are not stored in them.)
415
DNS Application Partitions
Course 6425C DNS Application Partitions Module 11: Configuring Domain Name System
Create an application partition: dnscmd ServerName /CreateDirectoryPartition FQDN
Change zone replication scope: Properties of zone, General, Change replication
In this topic, discuss how to create additional DNS application partitions by using dnscmd, and how to manage these partitions and their replication scope by using DNS Manager. Remind students that a DNS server that is not enlisted in a partition never receives the zones stored in it (dnscmd ServerName /EnlistDirectoryPartition FQDN enlists it).
Reference: Managing Server Integration with AD DS
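The partition workflow from the two slides above (create a custom partition, enlist a second server, move a zone into it, audit where every zone lives), as an added example that is not part of the courseware. It uses the DnsServer module (Windows Server 2012 and later) with the 2008 R2 dnscmd.exe equivalents shown as comments; the partition, zone and server names are constructed.

```powershell
# Added example (not courseware code). Custom DNS application partition with a
# limited replication scope. Names are constructed; module: DnsServer.

$partition = 'EastCoastDnsZones.contoso.com'   # assumed partition FQDN
$zone      = 'development.contoso.com'
$second    = 'NYC-DC2'                          # second DNS server to enlist (assumed)

# dnscmd NYC-DC1 /CreateDirectoryPartition EastCoastDnsZones.contoso.com
# Creates the partition and enlists the server the command runs on.
Add-DnsServerDirectoryPartition -Name $partition

# dnscmd NYC-DC2 /EnlistDirectoryPartition EastCoastDnsZones.contoso.com
# A domain controller that is not enlisted never receives the zones stored here.
Register-DnsServerDirectoryPartition -Name $partition -ComputerName $second

# dnscmd NYC-DC1 /ZoneChangeDirectoryPartition development.contoso.com EastCoastDnsZones.contoso.com
# Moving the zone changes who replicates it: only the enlisted DCs from now on.
Set-DnsServerPrimaryZone -Name $zone -ReplicationScope Custom -DirectoryPartitionName $partition

# dnscmd NYC-DC1 /EnumDirectoryPartitions
Get-DnsServerDirectoryPartition | Select-Object DirectoryPartitionName, State, ZoneCount

# Audit: where each AD-integrated zone is stored, and therefore which DCs hold
# a copy. A zone in the legacy domain partition replicates to every DC in the
# domain, including DCs that do not run DNS.
Get-DnsServerZone | Where-Object IsDsIntegrated |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName |
    Format-Table -AutoSize
```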
416
Course 6425C Dynamic Updates Module 11: Configuring Domain Name System
The DHCP Client service registers records for the client:
During client startup
If a new or changed IP address (fixed or DHCP) appears on any network connection
If ipconfig /registerdns is run
Dynamic update exchange shown on the slide:
1. Client sends a Start of Authority (SOA) query to identify the primary DNS server for the name it wants to update
2. DNS server returns the SOA resource record
3. Client sends dynamic update request(s) to the primary DNS server named in the SOA, and that server responds that it can perform the update
4. Client sends an unsecured update to the DNS server
5. If the zone permits only secure updates, the unsecured update is refused
6. Client sends a secured update (GSS-TSIG, authenticated with the client's Kerberos credentials) to the DNS server
7. DNS server writes the resource records
Describe how dynamic updates work. It is actually the DHCP Client service (not to be confused with the DHCP server) that registers a client's host records when an IP address is configured (by DHCP or "fixed"). This is triggered when an IP address is added or changed on any network connection. Registration also happens during computer startup, and you can manually trigger registration using the ipconfig /registerdns command. Mention that SOA RR stands for Start of Authority resource record. Ask students what would happen if dynamic updates were not enabled. The biggest problem would be that domain controllers would not be able to register their records in DNS, so the domain controller records would have to be manually added. Mention that client computer resource records can also be updated dynamically in DNS by DHCP servers. (Refer to Course 6421 for more information.) By default, Windows clients register their own A record, and DHCP registers the Pointer (PTR) record. (PTR records are described later in this module.) Mention that, by default, Windows Server 2008 DNS servers are configured to support secure-only updates for Active Directory–integrated zones. Remind students of the rationale behind secure dynamic updates (an unauthenticated host could otherwise overwrite another host's record and redirect its traffic) and that secure-only is the default for new zones on Windows Server 2008 DNS Server.
Reference: How DNS Support For Active Directory Works
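An added example, not part of the courseware, covering the security point of this slide: it finds AD-integrated zones that still accept unsecured updates and fixes them, triggers a registration from a client, and then shows who owns the resulting record in the DomainDnsZones partition. With secure updates, only that owner (the computer account that registered the name) can change the record, which is what prevents one host from spoofing another's name. It assumes the DnsServer, DnsClient and ActiveDirectory modules (Windows Server 2012 and later); the client host name is constructed.

```powershell
# Added example (not courseware code). Enforce and verify secure dynamic
# updates. Modules: DnsServer, DnsClient, ActiveDirectory. Host name constructed.

Import-Module ActiveDirectory

# 1. Any AD-integrated primary zone set to NonsecureAndSecure lets an
#    unauthenticated host on the network overwrite records in it. Fix them.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -ne 'Secure' } |
    ForEach-Object {
        Write-Warning "$($_.ZoneName): DynamicUpdate=$($_.DynamicUpdate); setting Secure"
        Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure
    }

# 2. On a domain member, trigger the registration that the DHCP Client service
#    normally performs at startup (cmdlet form of ipconfig /registerdns).
Register-DnsClient

# 3. Read the record back with its aging timestamp, then the owner of the
#    dnsNode object that secure update created for it.
$zone     = 'contoso.com'
$hostName = 'nyc-svr1'   # constructed client name

Get-DnsServerResourceRecord -ZoneName $zone -Name $hostName -RRType A |
    Select-Object HostName, Timestamp, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }

$domainDn = (Get-ADDomain).DistinguishedName
$nodeDn   = "DC=$hostName,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
(Get-Acl -Path "AD:\$nodeDn").Owner     # expect CONTOSO\NYC-SVR1$, the computer account
```

If the owner is a DHCP server's account instead, the record was registered on the client's behalf by DHCP; that is the case where a stale record can block a re-registration and where DHCP should be configured to use a dedicated account and the DnsUpdateProxy group.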
417
Background Zone Loading
Course 6425C Background Zone Loading Module 11: Configuring Domain Name System
When a domain controller with Active Directory–integrated DNS zones starts, it:
Enumerates all zones to be loaded
Loads root hints from files or AD DS
Loads all zones that are stored in files rather than in AD DS
Begins responding to queries and remote procedure calls (RPCs)
Starts one or more threads to load the zones that are stored in AD DS
Refer back to the earlier question about one of the disadvantages of using dynamic updates: large zones. One of the ways in which Windows Server 2008 addresses the issue of very large Active Directory databases containing DNS records is background zone loading, which allows a domain controller to begin responding to queries before all zones are fully loaded. If a DNS client requests data for a host in a zone that has already been loaded, the DNS server responds with the data (or, if appropriate, a negative response) as expected. If the request is for a node that has not yet been loaded into memory, the DNS server reads the node's data from AD DS, and then updates the node's record list accordingly. Let the students know that RPC stands for Remote Procedure Call.
Reference: DNS Server Role
418
Service Locator Records
Course 6425C Service Locator Records Module 11: Configuring Domain Name System
SRV resource records allow DNS clients to locate TCP/IP-based services.
SRV resource records are used when:
A domain controller needs to locate replication partners
A client computer authenticates to AD DS
A user changes his or her password
A Microsoft Exchange server performs a directory lookup
An administrator opens Active Directory Users and Computers
SRV record syntax: _service._protocol.name TTL class SRV priority weight port target
Example of an SRV record (the numeric fields did not survive extraction): _ldap._tcp.contoso.com IN SRV <priority> <weight> <port> hqdc01.contoso.com
Stress the importance of SRV resource records in a Windows Server 2008 environment. Since the release of Windows 2000, all client computers have used DNS as the primary process for locating domain controllers. Without SRV resource records in DNS, logon from clients will be extremely slow or will fail. Describe the components of an SRV resource record (service, protocol, priority, weight, port, target host), then use the example on the slide to describe how the record provides all of the information that a client computer needs to locate a domain controller. On the next slide, you will show SRV records. The slides that follow give you the opportunity to detail the domain controller location process.
419
Course 6425C Demonstration: SRV Resource Records Registered by AD DS Domain Controllers Module 11: Configuring Domain Name System
In this demonstration, you will:
Look at the service locator (SRV) records registered in _tcp.contoso.com (all domain controllers in the domain) and in _tcp.siteName._sites.contoso.com (all domain controllers in site siteName)
Simulate a client's query to DNS for domain controllers
Learn how to register SRV records dynamically or statically
View %systemroot%\system32\config\netlogon.dns
Demonstration Steps
If the virtual machines are not already started, perform these steps. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd. Open D:\Labfiles\Lab11b. Run Lab11b_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd. The lab setup script runs. When it is complete, press any key to continue. Close the Windows Explorer window, Lab11b. Start 6425C-NYC-DC2. Log on to NYC-DC2 as Pat.Coleman with the password Pa$$w0rd. Start 6425C-BRANCHDC02. Do not log on. Wait for BRANCHDC02 to complete startup before continuing.
When all the virtual machines are ready, perform the following steps:
1. On 6425C-NYC-DC1, run DNS Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click the _tcp node. Examine the SRV records.
3. In the console tree, expand NYC-DC1, Forward Lookup Zones, contoso.com, _sites, Default-First-Site-Name, and then click the _tcp node. Examine the SRV records.
4. Run Command Prompt with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
5. Type nslookup, and then press Enter.
6. Type set type=srv, and then press Enter.
7. Type _ldap._tcp.contoso.com, and then press Enter. Type exit, and then press Enter.
8. Switch to DNS Manager.
<<continued>>
420
Course 6425C Demonstration: SRV Resource Records Registered by AD DS Domain Controllers (continued) Module 11: Configuring Domain Name System
9. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click the _tcp node.
10. Right-click the SRV records for NYC-DC1.contoso.com, and then click Delete.
11. Switch to Command Prompt.
12. Type net stop netlogon, and then press Enter.
13. Type net start netlogon, and then press Enter.
14. Switch to DNS Manager.
15. In the console tree, right-click the _tcp node, and then click Refresh. Examine the SRV records for NYC-DC1.contoso.com; restarting Netlogon re-registered them.
16. Click Start, and in the Start Search box, type notepad.exe. Note: run Notepad with administrative credentials so that it can open the netlogon file in the next step.
17. Click File, click Open, type %systemroot%\system32\config\netlogon.dns in the File Name box, and then press Enter.
18. Examine the default SRV records. This file is the list Netlogon registers, and it is also what you import if the records must be added statically on a DNS server that does not accept dynamic updates.
Note: Similar information is discussed in Module 13, to support modular customization of the course. If you are teaching both modules, it is recommended that you fully describe SRV records in Module 11, and then you can simply remind students about SRV records in Module 13 and focus on the fact that they are registered both in _tcp (for the entire domain) and in _tcp.sitename (to create a localized service).
Reference: How DNS Support for Active Directory Works
421
Domain Controller Location
Course 6425C Domain Controller Location Module 11: Configuring Domain Name System
Slide diagram (client in the NYC site; sites NYC and Miami; domain controllers NYC-DC1 and MIA-DC1; local DNS server):
1. Client queries DNS for a DC
2. DNS responds with multiple records
3. Client contacts MIA-DC1 by using LDAP
4. MIA-DC1 returns site info (NYC)
5. Client queries DNS for a DC in the NYC site
6. DNS responds with a DC in the NYC site (NYC-DC1)
This topic has TWO SLIDES. You can choose to use one, the other, or both, depending on the type of detail you want to present to students. Use the build slide to describe how a client computer locates a domain controller in the same site as the client computer. Mention that the site configuration for client computers is dynamic, and is based on the computer's IP address and the site configuration in Active Directory. The client computer is not aware of its site location until it starts and receives the site information from DNS and Active Directory. On the other hand, domain controllers are configured with a static site configuration. On the build slide, steps 1 and 2 show the client computer starting up and requesting a domain controller from the DNS server. Steps 3 and 4 show the client connecting to a domain controller in a different site; remember, the client is not yet site-aware. You can explain that the step actually entails the client attempting an LDAP bind with multiple domain controllers. The first one to respond is then contacted. In this case, it just happened that the first domain controller to respond was in Miami; perhaps the local (NYC) domain controller was busy. The Miami domain controller checks the client's IP address against the subnet definitions, and then redirects the client to communicate with a domain controller in its local site. This is shown in steps 5 and 6.
Reference: Finding a Domain Controller in the Closest Site
422
Domain Controller Location
Course 6425C Domain Controller Location Module 11: Configuring Domain Name System
New client queries for all DCs in the domain: retrieves SRVs from _tcp.domain; attempts LDAP bind to all
First domain controller to respond: examines client IP and subnet definitions; refers client to a site
Client stores site in registry
Client queries for all DCs in the site: retrieves SRVs from _tcp.site._sites.domain; attempts LDAP bind to all
First DC to respond authenticates the client; client forms affinity
Subsequently: client binds to the affinity DC; if that DC is offline, client queries for DCs in the registry-stored site; if the client has moved to another site, the DC refers the client to the other site
The domain controller location process is described in Module 13 (sites and replication). You can optionally choose to describe it here, or even use the slide from Module 13 as a visual aid. The same slide exists in Module 13 (to support modular customization of the course). You can determine how much detail you want to go into in this module versus in Module 13. Cover the basics in this module: in Module 11, focus on the role of the SRV record in helping a client locate a domain controller. Then, in Module 13, return to the process and emphasize how clients find the local (in-site) domain controller through referrals. The major lesson in Module 13 is that authentication is a "localized" service, because the service can be site-specific.
Reference: Finding a Domain Controller in the Closest Site
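The SRV slides, the demonstration and the two domain controller location slides above describe how a client turns `_ldap._tcp.<domain>` and `_ldap._tcp.<site>._sites.<domain>` records into a choice of domain controller. The following is an added example, not part of the courseware: it queries those records, orders the targets the way RFC 2782 tells a client to (lowest priority first, weighted random choice within a priority), and compares the result with what the DC locator actually picks for a site. It assumes the DnsClient and ActiveDirectory modules (Windows Server 2012 and later, or RSAT); the domain, site and server names are constructed.

```powershell
# Added example (not courseware code). SRV-based DC candidate ordering versus
# the locator's answer. Modules: DnsClient, ActiveDirectory. Names constructed.

function Get-DcCandidate {
    param(
        [string] $Domain = 'contoso.com',
        [string] $Site,          # omit for the domain-wide _tcp.<domain> set
        [string] $Server         # DNS server to ask; default resolver if omitted
    )
    # _tcp.<domain> lists every DC; _tcp.<site>._sites.<domain> only that
    # site's DCs, which is the set a client uses once it knows its site.
    $name  = if ($Site) { "_ldap._tcp.$Site._sites.$Domain" } else { "_ldap._tcp.$Domain" }
    $query = @{ Name = $name; Type = 'SRV'; DnsOnly = $true }
    if ($Server) { $query.Server = $Server }
    $srv = Resolve-DnsName @query -ErrorAction Stop | Where-Object Type -eq 'SRV'

    # RFC 2782: priority groups in ascending order; inside a group, each draw
    # picks a target with probability proportional to its weight.
    foreach ($group in ($srv | Group-Object Priority | Sort-Object { [int]$_.Name })) {
        $pool = New-Object 'System.Collections.Generic.List[object]'
        foreach ($r in $group.Group) { $pool.Add($r) }
        while ($pool.Count -gt 0) {
            $total = 0
            foreach ($r in $pool) { $total += [int]$r.Weight }
            $pick = if ($total -gt 0) { Get-Random -Minimum 0 -Maximum $total } else { 0 }
            $acc = 0
            for ($i = 0; $i -lt $pool.Count; $i++) {
                $acc += [int]$pool[$i].Weight
                if ($acc -gt $pick) { break }
            }
            if ($i -ge $pool.Count) { $i = 0 }   # only weight-0 targets left
            $pool[$i] | Select-Object Name, Priority, Weight, Port, NameTarget
            $pool.RemoveAt($i)
        }
    }
}

# Domain-wide order, then the order a client that knows it is in NYC would use.
Get-DcCandidate -Domain 'contoso.com'
Get-DcCandidate -Domain 'contoso.com' -Site 'NYC'

# What the locator itself returns for that site. A DC that exists in AD but is
# missing from the SRV list has stale or failed registrations: re-register with
# 'nltest /dsregdns' on that DC, or restart its Netlogon service.
Get-ADDomainController -Discover -DomainName 'contoso.com' -SiteName 'NYC' |
    Select-Object HostName, Site, IPv4Address
```

Netlogon registers every DC with priority 0 and weight 100 by default, so the ordering is a uniform random choice until you tune the LdapSrvPriority / LdapSrvWeight registry values on a DC; the function shows what such tuning changes before you apply it.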
423
Course 6425C Read-Only DNS Zones Module 11: Configuring Domain Name System
DNS server on an RODC with Active Directory–integrated zones:
RODC can resolve client queries
Changes are not allowed on the read-only DNS zone: records cannot be added manually; dynamic updates cannot be made
Dynamic updates are "referred" to a writeable domain controller: the client attempts an update; the RODC returns the SOA of a writeable Windows Server domain controller; the RODC then performs "replicate single object" (RSO), replicating the updated DNS record for the client it referred from the domain controller it referred the client to
Describe DNS zones that reside on read-only domain controllers. You can compare them with secondary zones in DNS, but you must emphasize that these zones are in Active Directory. After that, discuss the limitations of using RODC DNS zones.
Reference: RODC Technical Reference
424
Lesson 3: Advanced DNS Configuration and Administration
Course 6425C Lesson 3: Advanced DNS Configuration and Administration Module 11: Configuring Domain Name System Resolving Single-Label Names Resolve Names Outside Your Domain DNS Server and Zone Maintenance Test and Troubleshoot DNS Server and Client DNS Enhancements in Windows Server 2008 R2
425
Resolving Single-Label Names
Course 6425C Resolving Single-Label Names Module 11: Configuring Domain Name System
Client-side resolution process:
Query DNS with a fully qualified domain name (FQDN) created by adding the DNS suffix of the client: ad.contoso.com
Domain name "devolution": ad.contoso.com, then contoso.com; or the DNS suffix search order, managed with Group Policy
Then WINS (NetBIOS name resolution); the whole sequence is subject to a 12-second timeout
Server-side resolution:
GlobalNames Zone: specialized zone with single-label CNAME RRs
WINS forward lookup: if the zone lookup fails, DNS queries WINS
Explain the problem: sometimes users or applications refer to a name that is not fully qualified. The DNS Client service attempts to solve this problem by adding suffixes to the single-label name and then querying the DNS server with the result. The suffix that is added can either be related to the suffix of the primary network connection or come from a preconfigured list of DNS suffixes. Group Policy can be used to configure the DNS suffix search order. If, after querying DNS for each of the possible FQDNs derived in this manner, a resolution has still not been found, the client falls back to NetBIOS name resolution, which starts with a query to a WINS server and then broadcasts on the local segment. There are several problems with relying on client-side resolution for single-label names. First, the process can be quite lengthy, as successive queries are submitted with different suffixes. Each query is submitted and the client waits for a response from the DNS server before submitting the next query. Second, the process can become so long that it times out. There is a 12-second timeout, after which a failure is returned, and what happens next is based on the behavior of the client application that submitted the single-label query in the first place. Third, the process may not be accurate. There may be computers with the same host name in several domains, and the first query that succeeds is accepted, even if it is not the host the user meant. The broadcast fallback is worse still: any host on the local segment can answer a broadcast for a name that DNS could not resolve, so single-label names are the ones most easily hijacked.
Alternatively, single-label name resolution can be facilitated on the server. Traditionally, this was done with a WINS forward lookup. The DNS zone is configured with a WINS server address. If a host is not found in a zone, DNS strips off the zone name (in other words, the domain name) and sends the resulting flat name to WINS as a query. WINS returns a resolution to DNS, and DNS returns it to the client. In Windows Server 2008, NetBIOS name resolution and WINS are legacy technology. Avoid single-label names, but where they are necessary to support legacy processes and applications, you can use a feature new in Windows Server 2008 called the GlobalNames zone. The GlobalNames zone is a specialized zone that contains single-label CNAME records that resolve to a fully qualified name. The GlobalNames zone is covered in courses that focus on Windows Server 2008 network infrastructure. When a DNS server receives a query for a zone for which it is authoritative, and the resource record does not exist in the forward lookup zone, the server looks in its GlobalNames zone.
Reference: Providing Single-Label DNS Name Resolution: Deploying the GlobalNames Zone
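An added example, not part of the courseware, for the two halves of this slide. The function reproduces the candidate list a Windows resolver builds for a single-label name (primary suffix with devolution, or an explicit search list) so you can see how many queries a short name costs and which suffix wins; the rest of the block reads the client's real suffix settings and sets up the server-side alternative, a GlobalNames zone. It assumes the DnsClient and DnsServer modules (Windows Server 2012 and later); the suffixes, host names and the devolution level of 2 (forest root contoso.com) are constructed.

```powershell
# Added example (not courseware code). Single-label name candidates and the
# GlobalNames zone. Modules: DnsClient, DnsServer. Names are constructed.

function Get-SingleLabelCandidate {
    param(
        [Parameter(Mandatory)][string] $Name,          # e.g. 'fileserver10'
        [string]   $PrimarySuffix   = 'ad.contoso.com',
        [string[]] $SearchList,                         # if set, devolution is not used
        [int]      $DevolutionLevel = 2                 # never devolve below this many labels
    )
    if ($Name.Contains('.')) { return ,$Name }          # not single-label: queried as is
    if ($SearchList) { return $SearchList | ForEach-Object { "$Name.$_" } }
    $labels = $PrimarySuffix.Split('.')
    $out = @()
    # Devolution strips one leading label per attempt, stopping at the
    # devolution level (by default the forest root on a domain member).
    for ($i = 0; $labels.Count - $i -ge $DevolutionLevel; $i++) {
        $out += "$Name." + ($labels[$i..($labels.Count - 1)] -join '.')
    }
    $out
}

Get-SingleLabelCandidate -Name 'fileserver10'
# fileserver10.ad.contoso.com, then fileserver10.contoso.com; each is a
# separate DNS round trip, and the first positive answer wins.
Get-SingleLabelCandidate -Name 'fileserver10' -SearchList 'contoso.com', 'tailspintoys.com'

# What this client actually does: the values the DNS Client Group Policy
# settings control (suffix search list, devolution on/off and level).
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList, UseDevolution, DevolutionLevel

# Server side: a forest-wide GlobalNames zone with static single-label CNAMEs.
# Dynamic updates are off so only administrators can add names to it.
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest -DynamicUpdate None
Set-DnsServerGlobalNameZone -Enable $true
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'intranet' `
    -HostNameAlias 'web01.ad.contoso.com'

# Resolves from the GlobalNames zone whatever suffix the client appended.
Resolve-DnsName -Name 'intranet' -DnsOnly
```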
426
Resolve Names Outside Your Domain
Course 6425C Resolve Names Outside Your Domain Module 11: Configuring Domain Name System
Secondary zone: create a copy of a zone from another DNS server; requires zone-transfer permission on the master DNS server
Forwarders: send unresolved queries as recursive queries to other DNS server(s)
Root hints: begin iterative queries against the root (".") name servers; the DNS server's list of root servers is updated with Windows Update
Conditional forwarders: send unresolved queries for a specific domain to other server(s)
Stub zone: can be for any domain; dynamically updates the name server (NS) records; requires TCP port 53 to be open to all name servers in the domain
Most of these options (with the exception of conditional forwarders) have been discussed in the context of initial configuration of DNS or of child domains. This slide pulls the concepts back to the forefront as options for resolving names in domains outside your enterprise. Review the way each is implemented, and the pluses and minuses of each.
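The partner-domain scenario of Lab B Exercise 3, as an added example that is not part of the courseware: Contoso resolves tailspintoys.com with a conditional forwarder while Tailspin Toys resolves contoso.com with a stub zone, both stored in AD so every DNS-server DC in the forest gets the configuration, followed by the checks for each. It assumes the DnsServer and DnsClient modules (Windows Server 2012 and later); the server names and addresses (NYC-DC1 = 10.0.0.10, TST-DC1 = 10.0.1.10) are constructed.

```powershell
# Added example (not courseware code). Conditional forwarder on one side, stub
# zone on the other. Modules: DnsServer, DnsClient. Addresses constructed.

$contosoDns  = '10.0.0.10'     # NYC-DC1, authoritative for contoso.com (assumed)
$tailspinDns = '10.0.1.10'     # TST-DC1, authoritative for tailspintoys.com (assumed)

# --- On a contoso.com DNS server: only queries for *.tailspintoys.com go to
#     the partner; everything else still follows the normal forwarders and
#     root hints. Replicated to every DNS-server DC in the forest.
Add-DnsServerConditionalForwarderZone -Name 'tailspintoys.com' `
    -MasterServers $tailspinDns -ReplicationScope Forest

# --- On a tailspintoys.com DNS server: a stub zone holds only the SOA, NS and
#     glue A records for contoso.com, refreshed from the master, so it tracks
#     changes to Contoso's name-server set without a full zone copy.
Add-DnsServerStubZone -Name 'contoso.com' -MasterServers $contosoDns -ReplicationScope Forest

# Checks. The forwarder works only if the partner server accepts recursive
# queries from us; the stub zone needs its master to answer SOA/NS queries.
Resolve-DnsName -Name 'www.tailspintoys.com' -Server $contosoDns  -DnsOnly
Resolve-DnsName -Name 'contoso.com' -Type NS  -Server $tailspinDns -DnsOnly
Get-DnsServerZone -Name 'contoso.com' -ComputerName 'TST-DC1' |
    Select-Object ZoneName, ZoneType, MasterServers

# The secondary-zone alternative would additionally need TCP 53 open to the
# master and the requesting server listed on the master's Zone Transfers tab.
Test-NetConnection -ComputerName $contosoDns -Port 53
```

Neither option gives the partner a copy of your zone: a conditional forwarder only exposes the partner to your queries, and a stub zone only hands them your NS set, which is why both are preferred over a secondary zone between organizations.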
427
DNS Server and Zone Maintenance
Course 6425C DNS Server and Zone Maintenance Module 11: Configuring Domain Name System
Scavenge stale resource records: important in dynamic environments, particularly for SRV RRs
Server aging and scavenging properties: defaults for Active Directory–integrated zones
Zone aging and scavenging properties: an Active Directory–integrated zone inherits the server property or is set per zone; a file-backed primary zone ignores the server property and must be set per zone
Scavenging: configure automatic scavenging in Server properties, Advanced tab; launch scavenging manually by right-clicking the server
Manage the cache: view the cache with View menu, Advanced Features; clear the server cache by right-clicking the server or the Cached Lookups node
Emphasize that it is highly recommended to enable aging and scavenging. Add the caveat that scavenging deletes every aged record whose timestamp is older than the no-refresh plus refresh intervals, so enable aging on the zones first, let timestamps accumulate, and review which records would be removed before the first scavenging run; statically created records have no timestamp and are never scavenged.
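An added example, not part of the courseware, for the scavenging procedure above and Lab B Exercise 1: it enables aging on the AD-integrated zones, turns on scavenging on this server, and lists the dynamic records whose timestamps are already outside the no-refresh plus refresh window (the ones the next scavenging run would delete) so you can confirm nothing important is stale before the first run. It assumes the DnsServer module (Windows Server 2012 and later) and uses the usual 7-day defaults for the intervals.

```powershell
# Added example (not courseware code). Aging, scavenging and a "what would be
# deleted" preview. Module: DnsServer. Intervals are the 7-day defaults.

$noRefresh = New-TimeSpan -Days 7
$refresh   = New-TimeSpan -Days 7

# Zone side: aging must be on per zone. AD-integrated zones can take the server
# defaults; file-backed primary zones must be set explicitly (same cmdlet).
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.ZoneType -eq 'Primary' -and
                   -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' } |
    ForEach-Object {
        Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true `
            -NoRefreshInterval $noRefresh -RefreshInterval $refresh
    }

# Server side: scavenging only needs to run on one server per AD-integrated
# zone; the deletions replicate to the others.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7) `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh

function Get-StaleDnsRecord {
    param(
        [Parameter(Mandatory)][string] $ZoneName,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now - ($noRefresh + $refresh)
    # Static records have no timestamp and are never scavenged. Netlogon
    # refreshes a DC's SRV records hourly, so a stale SRV usually means a DC
    # that is gone, or one that can no longer write to the zone.
    Get-DnsServerResourceRecord -ZoneName $ZoneName |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, RecordType, Timestamp
}

# Review this list before the first run; anything here disappears next time.
Get-StaleDnsRecord -ZoneName 'contoso.com' | Format-Table -AutoSize

# Run scavenging now instead of waiting for the interval to elapse.
Start-DnsServerScavenging -Force
```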
428
Test and Troubleshoot DNS Server and Client
Course 6425C Test and Troubleshoot DNS Server and Client Module 11: Configuring Domain Name System
Server troubleshooting:
Event logs: visible in DNS Manager, Server Manager, and Event Viewer
Debug logging: Server Properties dialog box
Recursive and iterative query tests: Server Properties dialog box, Monitoring tab
dcdiag.exe /test:DNS: performs a wide variety of tests to ensure that AD DS and DNS are working well together
Network Monitor
Client troubleshooting:
ipconfig /all
NSLookup: set server=IP address [default: primary DNS server]; set type=record type [default: A]; then type the record name
ipconfig /displaydns: display the client DNS resolver cache
ipconfig /flushdns: purge the client DNS resolver cache
ipconfig /registerdns: register the client's DNS records
429
DNS Enhancements in Windows Server 2008 R2
Course 6425C DNS Enhancements in Windows Server 2008 R2 Module 11: Configuring Domain Name System
DNS Security Extensions (DNSSEC): the DNS zone and all the records in the zone are cryptographically signed, so a validating resolver can detect forged or tampered answers
DNS Devolution: allows client computers that are members of a child namespace to access resources in the parent namespace
DNS Cache Locking: cached records will not be overwritten for the configured percentage of the time-to-live (TTL) value, which blunts cache-poisoning attempts
DNS Socket Pool: enables a DNS server to use source port randomization when issuing DNS queries, so a forged reply must also guess the port
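An added example, not part of the courseware, that applies and verifies the three server-side enhancements on this slide (devolution is a client setting, covered on the single-label slide). Cache locking and the socket pool are the two cache-poisoning defences; DNSSEC signing lets validating resolvers detect forged answers. It assumes the DnsServer and DnsClient modules (Windows Server 2012 and later); on 2008 R2 the equivalents are dnscmd /Config /CacheLockingPercent, dnscmd /Config /SocketPoolSize and dnscmd /OfflineSign.

```powershell
# Added example (not courseware code). Cache locking, socket pool and DNSSEC
# signing, each followed by a read-back. Modules: DnsServer, DnsClient.

# Cache locking: a cached record cannot be replaced by an unsolicited answer
# until this percentage of its TTL has elapsed. 100 = never before expiry.
Set-DnsServerCache -LockingPercent 100
(Get-DnsServerCache).LockingPercent

# Socket pool: queries are sent from a pool of randomly chosen UDP source
# ports, so a spoofed reply has to guess the port as well as the transaction
# ID. The size is a server setting; set it with dnscmd, read it back here.
dnscmd /Config /SocketPoolSize 2500 | Out-Null
(Get-DnsServerSetting -All).SocketPoolSize

# DNSSEC: sign the zone with the default key settings and check that DNSKEY
# and RRSIG records now exist. The DS record the parent zone needs is exported
# with Export-DnsServerDnsSecPublicKey.
Invoke-DnsServerZoneSign -ZoneName 'contoso.com' -SignWithDefault -Force
Resolve-DnsName -Name 'contoso.com' -Type DNSKEY -Server localhost -DnsOnly
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -RRType RRSig |
    Select-Object -First 3 HostName, RecordType

# Summary view of the hardening state for this server.
[pscustomobject]@{
    CacheLockingPercent = (Get-DnsServerCache).LockingPercent
    SocketPoolSize      = (Get-DnsServerSetting -All).SocketPoolSize
    SignedZones         = (Get-DnsServerZone | Where-Object IsSigned).ZoneName -join ', '
}
```

Signing a zone only helps resolvers that validate; the clients on this page do not, so the immediate benefit is for the enterprise resolvers you point at this server (and for any partner that validates your public zone).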
430
Lab B: Advanced Configuration of DNS
Course 6425C Lab B: Advanced Configuration of DNS Module 11: Configuring Domain Name System
Exercise 1: Enable Scavenging of DNS Zones
Exercise 2: Explore Domain Controller Location
Exercise 3: Configure Name Resolution for External Domains
Scenario
You are the DNS administrator at Contoso, Ltd. You want to improve the health and efficiency of your DNS infrastructure by enabling scavenging and by creating a reverse lookup zone for the domain. You also want to examine the records that enable clients to locate domain controllers. Finally, you are asked to configure name res
olution between contoso.com and the domain of a partner company, tailspintoys.com.
Exercise 1: In this exercise, students enable scavenging of DNS zones in order to remove stale resource records.
Exercise 2: In this exercise, students examine the resource records that allow clients to locate domain controllers.
Exercise 3: In this exercise, students configure name resolution between two completely separate domains.
Logon information
Virtual machines: 6425C-NYC-DC1, 6425C-NYC-DC2, 6425C-TST-DC1, 6425C-BRANCHDC02
Logon user name: Pat.Coleman / Sara.Davis / Do not log on (varies by virtual machine)
Administrative user name: Administrator / Pat.Coleman_Admin / Sara.Davis_Admin (varies by virtual machine)
Password: Pa$$w0rd
Estimated time: 35 minutes
431
Lab Review
In this lab, you used a stub zone and a conditional forwarder to provide name resolution between two distinct domains. What other options could you have used?

Use the question on the slide to guide the discussion after students have completed the lab exercises.
Answer: You could create a secondary zone in each domain that hosts a copy of the other domain's zone; this requires each side to permit zone transfers to the partner's servers and hands the partner a full copy of the zone, which is more than most organizations want to share. If the domains have delegations in the top-level .com domain, you could instead rely on root hints and standard recursive resolution to resolve names in each other's domains.
Module Review and Takeaways
Review Questions
Common Issues Related to DNS
Real-World Issues and Scenarios
Best Practices Related to DNS
Tools

Review Questions
Question: You are conducting a presentation for a potential client about the advantages of using Windows Server 2008 R2. What are the new features that you would point out when discussing the Windows Server 2008 R2 DNS server role?
Answer: DNS Security Extensions (DNSSEC), DNS devolution, DNS cache locking, and the DNS socket pool.
Question: You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure is resistant to single points of failure. What must you consider while planning the DNS configuration?
Answer: Deploy more than one DNS server for every zone (with Active Directory-integrated zones, more than one domain controller running the DNS Server role), and configure every client and server with at least two DNS servers.
Question: What is the difference between recursive and iterative queries?
Answer: A client issues a recursive query to a DNS server, asking the server to do all the work: the reply is either the complete answer (the requested records, or an authoritative statement that the name or record does not exist) or an error. A DNS server resolving on the client's behalf issues iterative queries as it walks down the DNS hierarchy; each iterative reply is either an authoritative answer or a referral to the name servers one level closer to the zone that holds the name.
Question: You must automate a DNS server configuration process so that you can automate the deployment of Windows Server 2008 R2. What DNS tool can you use to do this?
Answer: You can use dnscmd.exe.

Common Issues Related to DNS
Issue: a client sometimes caches invalid DNS records.
  Troubleshooting tip: clear the client resolver cache (ipconfig /flushdns).
Issue: zone transfer is not working.
  Troubleshooting tip: ensure that the server trying to transfer the zone is permitted in the primary zone's Zone Transfers settings, and ensure that no firewall or other port-management device between the two DNS servers is blocking TCP port 53. Zone transfers (AXFR/IXFR) run over TCP; allowing UDP 53 alone is not enough.
Issue: the DNS server performs slowly.
  Troubleshooting tip: use Performance Monitor to identify the load that DNS requests generate on the server. It may be necessary to split the load or create additional subzones.
Real-World Issues and Scenarios
Reverse DNS zones
Typically, administrators do not create reverse DNS zones in their DNS infrastructure. This will not cause any obvious issues at first. However, many applications use reverse DNS to look up name information about the hosts they are talking to, and some require that a reverse zone and pointer (PTR) resource records exist. Many security devices and mail systems routinely check for a reverse DNS record for the IP address that is communicating with them, and treat its absence as a reason to reject or flag the traffic.
DNS and Active Directory trusts
When you create trusts between two Active Directory domains, the ability of domain A to look up records in domain B (and vice versa) depends on the DNS infrastructure. Active Directory domain namespaces are rarely resolvable from the Internet, so you need conditional forwarders, stub zones, or secondary zones to provide name resolution across domains and forests.
Secure zones against zone dumping
By default, zone transfers are disabled for new zones in Windows Server 2008. When you do enable them, it is a best practice to specify the IP addresses of the servers to which you want to transfer zone data. Do not select Allow zone transfers: To any server, especially if the server is reachable from the Internet. With that option enabled, anyone can dump the entire zone with a single AXFR request, which hands a possible attacker a complete inventory of host names and addresses on the network.
Best Practices Related to DNS
If you are using Active Directory, use directory-integrated storage for your DNS zones. This offers increased security (secure dynamic updates and replication over the directory's authenticated channel), fault tolerance, and simplified deployment and management.
Disable recursion on servers that do not answer client queries and do not use forwarders. DNS servers communicate among themselves by using iterative queries, so this ensures that the server responds only to queries for the zones it hosts. A server that recurses for anyone who asks is an open resolver: it can be used for cache-poisoning attempts and as an amplifier in reflection attacks.
Consider the use of secondary zones to off-load DNS query traffic wherever appropriate.
Enter the correct address of the responsible person for each zone you add to, or manage on, a DNS server. Applications and other administrators use this field to notify DNS administrators about query errors, incorrect data returned in a query, and security problems. Although e-mail addresses contain the @ symbol to represent the word "at", this symbol must be replaced with a period (.) in this field. For example, instead of administrator@microsoft.com you would use administrator.microsoft.com.
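The two findings above (zone dumping and open recursion) and the two anti-poisoning controls from the DNS Enhancements slide (socket pool and cache locking) are all things you can audit from a script rather than clicking through DNS Manager. The block below is an added example for this page, not course code. Zone settings are read from the DNS WMI provider (root\MicrosoftDNS, present on Windows Server 2008 R2); the R2-only settings are read with dnscmd /Info because the WMI class predates them. The remediation strings include a placeholder (<secondary-IPs>) you must replace, and the thresholds (2,500 and 100) are the R2 defaults; which servers "should not recurse" is your decision, passed as a switch.

```powershell
# Added example (not course code): audit zone-transfer scope, recursion, socket
# pool size and cache locking on a Windows Server 2008 R2 DNS server and print
# the dnscmd.exe command that fixes each finding.
function Get-DnsZoneTransferExposure {
    param([string]$ComputerName = '.')
    $zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Zone' -ComputerName $ComputerName
    foreach ($z in $zones) {
        # SecureSecondaries: 0 = any server, 1 = servers in NS records only,
        # 2 = explicit SecondaryServers list only, 3 = transfers disabled
        $mode = switch ([int]$z.SecureSecondaries) {
            0 { 'ANY SERVER - zone can be dumped' }
            1 { 'NS-listed servers only' }
            2 { 'explicit IP list only' }
            3 { 'transfers disabled' }
            default { "unknown ($($z.SecureSecondaries))" }
        }
        $fix = $null
        if ([int]$z.SecureSecondaries -eq 0) {
            $fix = "dnscmd $ComputerName /ZoneResetSecondaries $($z.Name) /SecureList <secondary-IPs>"
        }
        New-Object PSObject -Property @{
            Zone        = $z.Name
            Mode        = $mode
            Secondaries = ($z.SecondaryServers -join ', ')
            Fix         = $fix
        }
    }
}

function Get-DnscmdDword {
    # Parses "Dword:  2500  (000009c4)" from the output of dnscmd /Info <setting>.
    param([string]$ComputerName, [string]$Setting)
    $text = (& dnscmd.exe $ComputerName /Info $Setting 2>&1 | ForEach-Object { "$_" }) -join "`n"
    if ($text -match 'Dword:\s*(\d+)') { return [int]$matches[1] }
    return $null   # setting not present on this server build
}

function Get-DnsServerHardening {
    param([string]$ComputerName = '.', [switch]$ShouldNotRecurse)
    $srv = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Server' -ComputerName $ComputerName
    $findings = @()
    if ($ShouldNotRecurse -and -not $srv.NoRecursion) {
        $findings += "Recursion is enabled on a server that should only answer for its own zones; fix: dnscmd $ComputerName /Config /NoRecursion 1"
    }
    $pool = Get-DnscmdDword $ComputerName 'SocketPoolSize'
    if ($pool -ne $null -and $pool -lt 2500) {
        $findings += "SocketPoolSize is $pool (R2 default 2500); fix: dnscmd $ComputerName /Config /SocketPoolSize 2500"
    }
    $lock = Get-DnscmdDword $ComputerName 'CacheLockingPercent'
    if ($lock -ne $null -and $lock -lt 100) {
        $findings += "CacheLockingPercent is $lock (R2 default 100); fix: dnscmd $ComputerName /Config /CacheLockingPercent 100"
    }
    if ($findings.Count -eq 0) { 'No findings' } else { $findings }
}

# Usage on the DNS server (remote use needs WMI and RPC access to it):
# Get-DnsZoneTransferExposure | Format-Table Zone, Mode, Secondaries, Fix -AutoSize
# Get-DnsServerHardening -ShouldNotRecurse
```

The audit only reports; run the printed dnscmd commands yourself after checking that the listed secondaries really are yours, and remember that changing SocketPoolSize or CacheLockingPercent takes effect after the DNS Server service restarts.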
Tools
  DNS Manager console: DNS administration and management. Found in Administrative Tools.
  Nslookup: query testing of the DNS domain namespace. Command-line utility.
  Dnscmd: command-line interface for managing DNS servers. Useful in scripts and batch files to automate routine DNS management tasks or to perform simple unattended setup and configuration of new DNS servers on your network.
  Ipconfig: view and modify the IP configuration details that the computer uses; includes additional command-line options for troubleshooting and supporting DNS clients.
  DNSLint: several automated tests that verify that DNS servers and resource records are configured properly and point to valid services. Available as a separate download from Microsoft.
Windows Server 2008 R2 features introduced in this module
  DNS enhancements in Windows Server 2008 R2: digital signing of DNS zones (DNSSEC), cache locking, devolution, and the socket pool.
Module 12: Administering AD DS Domain Controllers
Course 6425C Module 12: Administering AD DS Domain Controllers
Presentation: 60 minutes
Lab: 80 minutes

Module Goal
Present options for installing domain controllers in a variety of scenarios. Present concepts and skills related to configuration and ongoing maintenance of domain controllers. Module 1 was intentionally simplistic, and until this point in the course we have been dealing with one (or two) domain controllers in a single domain. We are starting to head toward more complex environments.

Objectives
After completing this module, you will be able to:
  Describe the various options for installing domain controllers.
  Install and configure a domain controller on Server Core.
  Manage the placement, transfer, and seizure of operations master roles.
  Migrate SYSVOL replication from FRS to DFS-R.

Module Exam Objectives
  Configuring the Active Directory infrastructure: Configure a forest or domain
  Configuring the Active Directory infrastructure: Configure Active Directory replication
  Configuring the Active Directory infrastructure: Configure operations masters

Preparation for Demonstrations
There are no demonstrations in this module.

Preparation for Labs
There are four labs during the course of the module. To prepare for them, start the virtual machines for Lab A now; after Lab A, start the virtual machines for Lab B; when Lab B finishes, start the virtual machines for Lab C; and so on. The virtual machines used in Lab A are 6425C-NYC-DC1, 6425C-NYC-DC2, and 6425C-NYC-SVR1.
Module Overview
  Domain Controller Installation Options
  Install a Server Core Domain Controller
  Manage Operations Masters
  Configure Global Catalog
  Configure DFS-R Replication of SYSVOL
Lesson 1: Domain Controller Installation Options
  Install a Domain Controller by Using the Windows Interface
  Unattended Installation Options and Answer Files
  Install a New Windows Server 2008 Forest
  Prepare an Existing Domain for Windows Server 2008 Domain Controllers
  Options for Installing Domain Controllers in a Domain
  Stage the Installation of an RODC
  Attach a Server to a Prestaged RODC Account
  Install AD DS from Media
  Remove a Domain Controller
Install a Domain Controller by Using the Windows Interface
To install a domain controller:
  Add the AD DS role by using Server Manager.
  Install and configure AD DS with the Active Directory Domain Services Installation Wizard (dcpromo.exe).
  dcpromo.exe installs the AD DS role binaries if they are not already installed.

Remind students of what they already know and have learned in this course. To install a domain controller, you must install the role and then you must install and configure Active Directory Domain Services (AD DS) with the Active Directory Domain Services Installation Wizard, which is invoked by running dcpromo.exe. Dcpromo installs the role if it is not already installed, so you can complete both tasks at once just by running dcpromo. Running dcpromo (with no /unattend switch) starts the GUI wizard, which supports all domain controller installation scenarios and prompts for every parameter that the selected scenario requires.
Unattended Installation Options and Answer Files
Options can be specified at the command line
  /option:value, for example /NewDomainDNSName:contoso.com
  dcpromo.exe /?[:operation] for help
Options can be specified in an answer file
  The answer file is passed with dcpromo.exe /unattend:"path to answer file"
  Options on the command line override the answer file
  Options that are not specified are prompted for by the wizard, except on Server Core, where there is no wizard: an unattended run that lacks a required option fails rather than prompting
Recommendation: run dcpromo.exe on a full installation, export the answer file from the wizard's summary page, and reuse it for command-line and Server Core installations

The remainder of this module focuses on using command-line switches and answer files for dcpromo so that domain controller installation can be automated and so that the same procedures can be used for both full and Server Core installations. Talk through the points on this slide, which describe dcpromo.exe switches and answer files at a very high level. The following slides go into detail about which switches and options to use for each scenario.

A minimal answer file looks like this:
  [DCINSTALL]
  NewDomainDNSName=contoso.com
Install a New Windows Server 2008 Forest
dcpromo.exe /unattend:"path"

  [DCINSTALL]
  ReplicaOrNewDomain=domain
  NewDomain=forest
  NewDomainDNSName=fqdn
  DomainNetBiosName=name
  ForestLevel={0, 2, 3, 4}
  DomainLevel={0, 2, 3, 4}
  InstallDNS=yes
  DatabasePath="path"
  LogPath="path"
  SYSVOLPath="path"
  SafeModeAdminPassword=pwd
  RebootOnCompletion=yes

Remind students not to stop after installing just one domain controller. Create additional domain controllers to distribute authentication, to provide fault tolerance in the event that any one domain controller fails, and to provide authentication in remote sites.
We do not recommend that you talk through each switch and option; that would be too much for students to absorb. Instead, remind them that each scenario is well documented in the student handbook, and focus on unusual switches and tips. Tell students that they do not need to memorize every option. What is most important in the real world is that they use the Active Directory Domain Services Installation Wizard (dcpromo) to create an answer file that has all of the options for the specific domain controller installation scenario. These slides simply highlight a few key points; with the right setup you should be able to move through them quickly.
On this slide:
  fqdn means the fully qualified DNS name of the domain, for example contoso.com, whereas name means the flat (NetBIOS) name of the domain, for example contoso.
  ForestLevel and DomainLevel: 0 means Windows 2000 (for DomainLevel, Windows 2000 native; mixed mode is not available for a new Windows Server 2008 domain), 2 means Windows Server 2003, 3 means Windows Server 2008, and 4 means Windows Server 2008 R2. The domain level cannot be lower than the forest level.
  Any parameter that is not in the answer file or on the command line is prompted for, so you can leave sensitive options such as SafeModeAdminPassword out of the file entirely and supply them as a command-line switch when you run it, for example:
    dcpromo.exe /unattend:"path to answer file" /SafeModeAdminPassword:Pa$$w0rd
  Bear in mind that a password given on the command line is visible in the process list while dcpromo runs and in any script or shell history that records the command, so treat the script the way you would treat the answer file: restrict access to it and delete it when done.
The same installation expressed entirely as command-line switches:
  dcpromo.exe /unattend /InstallDNS:yes /DNSOnNetwork:yes /ReplicaOrNewDomain:domain /NewDomain:forest /NewDomainDNSName:contoso.com /DomainNetBiosName:contoso /DatabasePath:"e:\ntds" /LogPath:"f:\ntdslogs" /SYSVOLPath:"g:\sysvol" /SafeModeAdminPassword:password /ForestLevel:3 /DomainLevel:3 /RebootOnCompletion:yes
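The procedure on this slide (build the [DCINSTALL] file, keep the DSRM password out of it, pass the password at run time) is easy to get slightly wrong by hand, so here it is as a script. This is an added example for the page, not code from the course: it generates the answer file from parameters, validates the functional levels and the NetBIOS name before dcpromo ever sees them, runs dcpromo.exe with the password read from the console, and removes the file afterwards. Paths, names and the default functional levels are example values; the two function names are this example's own.

```powershell
# Added example (not course code): answer-file generator plus a dcpromo wrapper
# that keeps SafeModeAdminPassword off disk.
function New-ForestAnswerFile {
    param(
        [Parameter(Mandatory = $true)][string]$DnsName,
        [Parameter(Mandatory = $true)][string]$NetBiosName,
        [ValidateSet(0, 2, 3, 4)][int]$ForestLevel = 3,   # 0 = 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2
        [ValidateSet(0, 2, 3, 4)][int]$DomainLevel = 3,
        [string]$DatabasePath = 'C:\Windows\NTDS',        # example defaults
        [string]$LogPath      = 'C:\Windows\NTDS',
        [string]$SysvolPath   = 'C:\Windows\SYSVOL',
        [Parameter(Mandatory = $true)][string]$Path
    )
    if ($DomainLevel -lt $ForestLevel) {
        throw 'The domain functional level cannot be lower than the forest functional level.'
    }
    if ($NetBiosName.Length -gt 15 -or $NetBiosName -match '[\\/:*?"<>|.]') {
        throw 'The NetBIOS name must be at most 15 characters and contain no dots or reserved characters.'
    }
    $lines = @(
        '[DCINSTALL]',
        'ReplicaOrNewDomain=domain',
        'NewDomain=forest',
        "NewDomainDNSName=$DnsName",
        "DomainNetBiosName=$NetBiosName",
        "ForestLevel=$ForestLevel",
        "DomainLevel=$DomainLevel",
        'InstallDNS=yes',
        "DatabasePath=`"$DatabasePath`"",
        "LogPath=`"$LogPath`"",
        "SYSVOLPath=`"$SysvolPath`"",
        'RebootOnCompletion=yes'
        # SafeModeAdminPassword is intentionally absent: it is supplied on the command line.
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    $Path
}

function Install-NewForest {
    param([Parameter(Mandatory = $true)][string]$AnswerFile)
    $secure = Read-Host -Prompt 'Directory Services Restore Mode administrator password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    try {
        # dcpromo needs the clear-text value. It travels as a process argument
        # (readable by local administrators for the life of the process), but
        # this script never writes it to disk.
        & dcpromo.exe "/unattend:$AnswerFile" "/SafeModeAdminPassword:$plain"
        $rc = $LASTEXITCODE
    } finally {
        $plain = $null
        Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    }
    # dcpromo return codes 1 to 4 report success (2 and 4 mean a reboot is pending);
    # anything else is a failure explained in %windir%\debug\dcpromo.log.
    if ($rc -lt 1 -or $rc -gt 4) { throw "dcpromo.exe failed with return code $rc; see %windir%\debug\dcpromo.log" }
    "dcpromo.exe returned $rc"
}

# Usage (elevated, on the server that becomes the first DC of the new forest):
# $file = New-ForestAnswerFile -DnsName contoso.com -NetBiosName CONTOSO -ForestLevel 4 -DomainLevel 4 -Path C:\dcinstall.txt
# Install-NewForest -AnswerFile $file
```

Because the answer file never contains the password, it can be kept in version control as the record of how the forest was built, which is the "documentation" benefit the Lab A review below points out.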
Prepare an Existing Domain for Windows Server 2008 Domain Controllers
ADPrep (adprep.exe) prepares AD DS for the first domain controller that runs a version of Windows newer than the current domain controllers. It is on the installation media: DVD:\sources\adprep for Windows Server 2008 and DVD:\support\adprep for Windows Server 2008 R2 (which also ships a 32-bit adprep32.exe for running on 32-bit domain controllers).
  adprep /forestprep: log on to the schema master as a member of Enterprise Admins, Schema Admins, and Domain Admins. Run once per forest. Wait for the change to replicate.
  adprep /domainprep /gpprep: log on to the infrastructure master as a member of Domain Admins. Run once per domain. Wait for the change to replicate.
  adprep /rodcprep: log on to any computer as a member of Enterprise Admins. Run once per forest. Wait for the change to replicate.

Transition: You just reviewed how to create a new Windows Server 2008 forest, but most of the time in the real world you are adding domain controllers to existing environments.
Set up the scenario: an existing domain in which domain controllers run an older version of Windows. The newer version has features that require updates to AD DS: new schema object classes and attributes, new security descriptors (permissions) on existing objects and files (in SYSVOL, for example), and new objects or containers in existing partitions.
Explain ADPrep: a command that performs all necessary updates. Emphasize that ADPrep has modes that are run once per domain or once per forest, and that some modes require being logged on to specific computers with specific credentials. Describe the three modes shown on the slide. Because /forestprep changes the schema, take a system state backup of the schema master first: schema changes cannot be rolled back.
Tip: adprep /rodcprep is required before installing an RODC into any domain of an existing forest that has Windows Server 2003 or Windows 2000 Server domain controllers. It is not necessary in a new forest that consists only of Windows Server 2008 domain controllers. The for­est functional level must be at least Windows Server 2003 (RODCs depend on linked-value replication), but neither the domain nor the forest functional level needs to be raised to Windows Server 2008. You just need to run adprep /rodcprep and have one writable Windows Server 2008 domain controller in the domain, and then you can add RODCs.
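"Wait for the change to replicate" is the step people skip, and a dcpromo that starts before the schema update has reached its replication source fails with an unhelpful error. The function below is an added example for this page (not course code) that reads the markers adprep leaves behind, optionally from a specific domain controller, so you can confirm each mode has run and has replicated to the DC you are about to promote against. It uses ADSI only, so it works from any domain member. The schema objectVersion values and the expected revision values of the ForestUpdates/DomainUpdates marker objects are the ones Microsoft documents for verifying adprep; the domain controller names in the usage are examples.

```powershell
# Added example (not course code): has adprep run, and has it replicated to
# the DC I am about to use as a replication source?
function Get-AdPrepState {
    param([string]$DomainController)   # bind to this DC to see what has replicated there
    $prefix = $(if ($DomainController) { "LDAP://$DomainController/" } else { 'LDAP://' })
    $root   = [ADSI]"${prefix}RootDSE"
    $cfgDN  = $root.Properties['configurationNamingContext'].Value
    $schDN  = $root.Properties['schemaNamingContext'].Value
    $domDN  = $root.Properties['defaultNamingContext'].Value

    # /forestprep raises the schema version; these are the documented values.
    $schemaVersion = [int]([ADSI]"$prefix$schDN").Properties['objectVersion'].Value
    $schemaNames = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2';
                      44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }

    # Revision attribute of an adprep marker object, or $null if it was never created.
    function Get-Revision([string]$dn) {
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists("$prefix$dn")) { return $null }
        [int]([ADSI]"$prefix$dn").Properties['revision'].Value
    }
    $forestRev = Get-Revision "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$cfgDN"
    $rodcRev   = Get-Revision "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$cfgDN"
    $domainRev = Get-Revision "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domDN"

    New-Object PSObject -Property @{
        QueriedDC      = $(if ($DomainController) { $DomainController } else { '(nearest)' })
        SchemaVersion  = "$schemaVersion ($($schemaNames[$schemaVersion]))"
        ForestPrepDone = ($forestRev -eq 5)      # Windows Server 2008 R2 /forestprep
        DomainPrepDone = ($domainRev -eq 5)      # Windows Server 2008 R2 /domainprep
        RodcPrepDone   = ($rodcRev -eq 2)        # /rodcprep
        ForestRevision = $forestRev
        DomainRevision = $domainRev
        RodcRevision   = $rodcRev
    }
}

# Usage: compare the schema master with the DC that will supply initial replication.
# Get-AdPrepState -DomainController NYC-DC1.contoso.com
# Get-AdPrepState -DomainController BRANCHDC02.contoso.com
```

If the two calls disagree, the update has not replicated yet; if the schema version is 47 but ForestPrepDone is false, /forestprep was interrupted after the schema extension and should be run again.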
Options for Installing Domain Controllers in a Domain
Installing additional domain controllers
  Install from media
  Specify the source domain controller for initial replication
Install a new Windows Server 2008 child domain
  The new domain is added as a subdomain of an existing domain
Install a new domain tree in a forest
  A new namespace is created within the existing forest

In this topic, discuss the various scenarios for adding new domain controllers to an existing Active Directory infrastructure. Explain the differences between the three scenarios listed on the slide. Point out that each scenario can be implemented by using the dcpromo GUI or by using an unattended installation from the command line. Refer to the student handbook for examples of unattended installation for each case.
Stage the Installation of an RODC
Create the account for the RODC
  Right-click the Domain Controllers OU and choose Pre-create Read-only Domain Controller account
  Delegation of RODC installation and administration: delegate to a group
    Members of the group can join the RODC to the domain
    Members of the group are local Administrators on the RODC after the join
Attach the server to the RODC account
  The server must be a member of a workgroup (not yet joined to the domain)
  dcpromo /UseExistingAccount:Attach

This slide covers two points: there are two steps to adding an RODC using a staged account (prestaging the account, then joining the server to the account), and the details of the staging process, which are also covered in Module 10. If you delivered Module 10, you can just review the prestaging process. If you did not deliver Module 10, spend more time and perhaps demonstrate prestaging an RODC account, and discuss the delegation of RODC installation and administration in more depth; the delegated group gets local administrator rights on the RODC, so it should be a dedicated, tightly controlled group rather than a broad branch-office group. The next slide goes into more detail about the second step, attaching the server to the RODC account.
Attach a Server to a Prestaged RODC Account
  [DCINSTALL]
  ReplicaDomainDNSName=fqdn
  UserDomain=fqdn
  UserName=DOMAIN\username*
  Password=password*
  InstallDNS=yes
  ConfirmGC=yes
  DatabasePath="path"
  LogPath="path"
  SYSVOLPath="path"
  SafeModeAdminPassword=pwd
  RebootOnCompletion=yes

dcpromo.exe /UseExistingAccount:Attach /unattend:"path"

Emphasize that whether you use the GUI dcpromo, command-line switches, or an answer file, you always use the dcpromo.exe switch /UseExistingAccount:Attach. The credentials can be those of the delegated account (a member of the group named when the account was prestaged); no Domain Admin rights are needed for the attach.
Command line:
  dcpromo.exe /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:contoso.com /UserDomain:contoso.com /UserName:contoso\dan /Password:* /DatabasePath:"e:\ntds" /LogPath:"f:\ntdslogs" /SYSVOLPath:"g:\sysvol" /SafeModeAdminPassword:password /RebootOnCompletion:yes
  (/Password:* prompts for the password instead of placing it on the command line)
GUI Active Directory Domain Services Installation Wizard:
  dcpromo.exe /UseExistingAccount:Attach
Install AD DS from Media
Install from media (IFM)
  Create installation media: a specialized backup of AD DS
  Use the installation media when creating the domain controller
  Significantly reduces over-the-network replication
  The new DC still replicates the changes made since the media was created
ntdsutil
  activate instance ntds
  ifm
    create sysvol full <path>   Media with SYSVOL for a writable DC
    create full <path>          Media without SYSVOL for a writable DC
    create sysvol rodc <path>   Media with SYSVOL for a read-only DC
    create rodc <path>          Media without SYSVOL for a read-only DC
In the Active Directory Domain Services Installation Wizard, select Use advanced mode installation; from the command line or an answer file, use the ReplicationSourcePath option.

Emphasize the scenario that IFM addresses: DC promotion where replication of Active Directory to the new domain controller over the network would be problematic. The IFM media still needs to reach the server that will be promoted, but it can travel on physical media (DVD, disk, tape) or be copied over the network during off-hours. Two cautions for the real world: "full" media contains the complete directory database, including every password hash and the krbtgt secret, so it must be protected and transported like a domain controller backup (the "rodc" variants have those secrets removed); and media must be used within the forest's tombstone lifetime, otherwise promoting from it would introduce lingering objects.
Remove a Domain Controller
  [DCINSTALL]
  UserName=DOMAIN\username*
  UserDomain=fqdn
  Password=password*
  AdministratorPassword=password*
  RemoveApplicationPartitions=yes
  RemoveDNSDelegation=yes
  DNSDelegationUserName=DOMAIN\username
  DNSDelegationPassword=password*

dcpromo.exe /uninstallbinaries /unattend:"path"

Explain that if you run dcpromo on an existing domain controller, it automatically goes into removal mode. Highlight the /uninstallbinaries switch, which also removes the AD DS role binaries after demotion, for command-line and answer file-based removals.
Command line:
  dcpromo.exe /unattend /uninstallbinaries /UserName:contoso\dan /Password:* /AdministratorPassword:Pa$$w0rd
GUI Active Directory Domain Services Installation Wizard: dcpromo.exe
Command line: dcpromo.exe /uninstallbinaries
If the domain controller cannot contact the domain: dcpromo /forceremoval. A forced removal demotes only the local server; the rest of the forest still believes the DC exists, so you must then clean up its metadata (see the Microsoft Knowledge Base article on metadata cleanup): either with ntdsutil metadata cleanup, or, with the Windows Server 2008 tools, by deleting the server's computer object in Active Directory Users and Computers or its NTDS Settings object in Active Directory Sites and Services, which now performs the cleanup for you. Until that is done, replication partners keep attempting to replicate with the missing server, and any operations master roles it held must be seized.
Lab A: Install Domain Controllers
Exercise 1: Create an Additional Domain Controller with the Active Directory Domain Services Installation Wizard
Exercise 2: Add a Domain Controller from the Command Line
Exercise 3: Create a Domain Controller from Installation Media

Scenario
You decide to add a new domain controller to provide fault tolerance for the directory service. You have already installed new servers named NYC-SVR1 and NYC-SVR2.

Exercise 1: students use the Active Directory Domain Services Installation Wizard (dcpromo.exe) to create an additional domain controller in the contoso.com domain. They do not complete the installation; instead, they save the settings as an answer file, which is used in the next exercise.
Exercise 2: students examine the answer file they created in Exercise 1 and use the installation options in it to build a dcpromo.exe command line that installs the additional domain controller.
Exercise 3: students create a domain controller from installation media.

Logon information
  Virtual machines: 6425C-NYC-DC1, 6425C-NYC-SVR1, 6425C-NYC-SVR2
  Logon user names: Pat.Coleman, Contoso\Administrator, Administrator
  Administrative user name: Pat.Coleman_Admin
  Password: Pa$$w0rd
Estimated time: 50 minutes
Lab Scenario
You decide to add a new domain controller to provide fault tolerance for the directory service. You have already installed a new server named NYC-SVR1. You will also decommission NYC-DC2 by removing AD DS.
Lab Review
Why would you choose to use an answer file or a dcpromo.exe command line to install a domain controller rather than the Active Directory Domain Services Installation Wizard?
In which situations does it make sense to create a domain controller using installation media?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.
Question: Why would you choose to use an answer file or a dcpromo.exe command line to install a domain controller rather than the Active Directory Domain Services Installation Wizard?
Answer: Automation of installation. Consistency (a script always uses the same options, rather than hoping that an administrator picks the correct ones). Documentation (the script records how the domain controller was installed). And, of course, on a Server Core installation, where there is no wizard.
Question: In which situations does it make sense to create a domain controller using installation media?
Answer: When replicating Active Directory to the new domain controller over the network would be problematic from a performance or network-impact perspective, for example a branch office on a slow or metered link.
Preparation for Lab B: ask students to shut down the existing virtual machines and start the 6425C-NYC-DC1 and 6425B-HQDC03-A virtual machines.
Lesson 2: Install a Server Core Domain Controller
  Understand Server Core
  Install Server Core
  Server Core Configuration Commands
Understand Server Core
Minimal installation: 3 GB of disk space, 256 MB of RAM
No GUI: command-line local UI. GUI tools can be used remotely.
Roles available on Server Core (Windows Server 2008 R2)
  Active Directory Domain Services
  Active Directory Certificate Services
  Active Directory Lightweight Directory Services (AD LDS)
  DHCP Server
  DNS Server
  File Services (with File Server Resource Manager)
  Print Server
  Streaming Media Services
  Web Server (IIS): static content; R2 adds a subset of ASP.NET
  Hyper-V
Features available on Server Core (Windows Server 2008 R2)
  .NET Framework
  Microsoft Failover Clustering
  Network Load Balancing
  Subsystem for UNIX-based Applications
  Windows Server Backup
  Multipath I/O
  Windows BitLocker Drive Encryption
  SNMP
  WINS
  Telnet client
  Windows PowerShell
  Quality of Service (QoS)

Discuss the following questions: What is Server Core? Why Server Core? From a manageability and security perspective, Server Core is very important. Help reduce student anxiety about a server without a GUI. Because server administration can be performed remotely with GUI tools, and because (particularly in today's security environment) there are rarely reasons to log on locally to a server, it makes very good sense to use Server Core for most or all servers, and certainly for all domain controllers: fewer installed binaries means fewer components to patch and a smaller attack surface on the machines that hold the domain's secrets.
Windows Server 2008 R2: talk about some of the changes to Server Core in Windows Server 2008 R2, including Microsoft .NET Framework support and Windows PowerShell. Server Manager can now be used remotely against a Server Core installation.
In addition to the server roles available in Server Core installations of Windows Server 2008, the following are available in R2:
  The Active Directory Certificate Services (AD CS) role
  The File Server Resource Manager component of the File Services role
  A subset of ASP.NET in the Web Server role
In addition to the Windows features available in Server Core installations of Windows Server 2008, the following features are available in R2:
  The .NET Framework: a subset of version 2.0; a subset of version 3.0, including Windows Communication Foundation (WCF) and Windows Workflow Foundation (WF); and a subset of version 3.5, including the WF additions from 3.5 and .NET Language-Integrated Query (LINQ)
  Windows PowerShell, including cmdlets for Server Manager and the Best Practices Analyzer
  Windows-on-Windows 64-bit (WoW64)
The Removable Storage feature has been removed. You can remotely configure a server running a Server Core installation of Windows Server 2008 R2 by using Server Manager.
Install Server Core
Select the Server Core Installation option in Windows Setup.
Mention that installing Server Core is very easy: just select the option when installing Windows Server 2008. The choice is made at installation time; on Windows Server 2008 and 2008 R2 you cannot convert a full installation to Server Core, or back, afterwards.
Server Core Configuration Commands
Task: Command
  Change the Administrator password: when you log on with Ctrl+Alt+Delete you are prompted to change the password; you can also type net user administrator *
  Set a static IPv4 configuration: netsh interface ipv4
  Activate Windows Server: cscript c:\windows\system32\slmgr.vbs -ato
  Join a domain: netdom
  Add Server Core roles, components, or features: ocsetup.exe <package or feature> (package and feature names are case-sensitive)
  Display installed roles, components, and features: oclist.exe
  Enable Remote Desktop: cscript c:\windows\system32\scregedit.wsf /AR 0 (keep the default that requires Network Level Authentication; scregedit.wsf /CS 0 relaxes it for older clients and should be avoided)
  Promote a domain controller: dcpromo.exe
  Configure DNS: dnscmd.exe (or remotely from the DNS console)
  Configure DFS: dfscmd.exe (or remotely from the DFS console)
  Configure the server interactively: sconfig.cmd

Performing the initial configuration of Server Core requires command-line tools that some students will not be familiar with. Inform students that they will actually perform these commands to configure a Server Core installation as part of the lab for this lesson. Remind students that they learned how to use dcpromo with command-line options and with an answer file in Lesson 1. Remind students that some commands, such as dnscmd and dfscmd, are not really necessary, as you can more easily manage DNS and DFS remotely with the GUI MMC consoles. Also, be sure to mention sconfig.cmd as a new configuration utility in Windows Server 2008 R2 Server Core. If time permits, perform a short demo of this utility and show students how they can easily configure Server Core without typing long commands in the cmd window.
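Typed one at a time, the commands in the table are easy to get wrong, and a typo in netsh or netdom is silently ignored by the next command. The following PowerShell is an added example for this page, not course code: it runs the post-installation sequence of Lab B as two functions (one before the rename reboot, one after), fails loudly on the first non-zero exit code, and adds a DNS preflight that checks the box can locate a domain controller before it tries to join. It assumes PowerShell has already been enabled on the Server Core installation (ocsetup NetFx2-ServerCore, then ocsetup MicrosoftWindowsPowerShell) and that the interface is named "Local Area Connection"; the addresses, computer name, domain and account in the usage are example values.

```powershell
# Added example (not course code): Server Core post-installation configuration
# with exit-code checking, in the order Lab B performs it.
function Invoke-Step {
    # Runs one native command and fails loudly on a non-zero exit code.
    param([string]$What, [string]$Exe, [string[]]$Arguments)
    Write-Host "==> $What"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$What failed: $Exe exited with $LASTEXITCODE" }
}

function Initialize-CoreNetwork {
    # Exercise 1: addressing, DNS, Remote Desktop, name. Restart afterwards.
    param(
        [Parameter(Mandatory = $true)][string]$NewName,
        [Parameter(Mandatory = $true)][string]$Address,
        [Parameter(Mandatory = $true)][string]$Gateway,
        [Parameter(Mandatory = $true)][string[]]$DnsServers,   # first entry becomes primary
        [Parameter(Mandatory = $true)][string]$Domain,         # used only for the DNS preflight
        [string]$Interface = 'Local Area Connection',
        [string]$Mask = '255.255.255.0'
    )
    Invoke-Step 'Static IPv4 address' 'netsh.exe' @('interface','ipv4','set','address',"name=$Interface",'source=static',"address=$Address","mask=$Mask","gateway=$Gateway")
    Invoke-Step 'Primary DNS server'  'netsh.exe' @('interface','ipv4','set','dnsservers',"name=$Interface",'source=static',"address=$($DnsServers[0])",'register=primary','validate=no')
    $index = 2
    foreach ($dns in ($DnsServers | Select-Object -Skip 1)) {
        Invoke-Step "Additional DNS server $dns" 'netsh.exe' @('interface','ipv4','add','dnsservers',"name=$Interface","address=$dns","index=$index",'validate=no')
        $index++
    }
    # Preflight: a future DC must be able to locate an existing DC of the domain.
    $srv = (& nslookup.exe '-type=SRV' "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | ForEach-Object { "$_" }) -join "`n"
    if ($srv -notmatch 'svr hostname') { throw "No DC SRV records for $Domain through $($DnsServers -join ', '); fix DNS before continuing." }

    # /AR 0 allows Remote Desktop; Network Level Authentication stays required (no /CS 0).
    Invoke-Step 'Enable Remote Desktop' 'cscript.exe' @("$env:windir\system32\scregedit.wsf", '/AR', '0')
    Invoke-Step 'Rename computer' 'netdom.exe' @('renamecomputer', $env:COMPUTERNAME, "/NewName:$NewName", '/Force')
    "Renamed to $NewName; restart (shutdown /r /t 0), then run Add-CoreDomainControllerBinaries."
}

function Add-CoreDomainControllerBinaries {
    # Exercise 2 prerequisites: join the domain and stage the DNS and AD DS binaries.
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$JoinAccount   # DOMAIN\user; the password is prompted for (*)
    )
    Invoke-Step "Join $Domain" 'netdom.exe' @('join', $env:COMPUTERNAME, "/Domain:$Domain", "/UserD:$JoinAccount", '/PasswordD:*')
    # ocsetup returns before the install finishes and its names are case-sensitive,
    # so wait on it explicitly; 3010 means success with a reboot pending.
    foreach ($pkg in 'DNS-Server-Core-Role', 'DirectoryServices-DomainController') {
        Write-Host "==> Installing $pkg"
        $proc = Start-Process -FilePath 'ocsetup.exe' -ArgumentList $pkg -Wait -PassThru
        if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) { throw "ocsetup $pkg exited with $($proc.ExitCode)" }
    }
    'Restart, then run dcpromo.exe /unattend with a replica answer file and verify with oclist.exe and dcdiag /test:DNS.'
}

# Usage on the Server Core box, elevated:
# Initialize-CoreNetwork -NewName NYC-DC3 -Address 10.0.0.13 -Gateway 10.0.0.1 -DnsServers 10.0.0.11,10.0.0.12 -Domain contoso.com
# (restart)
# Add-CoreDomainControllerBinaries -Domain contoso.com -JoinAccount 'CONTOSO\Pat.Coleman_Admin'
```

The split across the restart is deliberate: netdom renamecomputer does not take effect until the machine restarts, and joining under the old, auto-generated computer name would create the wrong computer account in the domain.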
Lab B: Install a Server Core Domain Controller
Exercise 1: Perform Post-Installation Configuration on Server Core
Exercise 2: Create a Domain Controller with Server Core

Scenario
You are a domain administrator for Contoso, Ltd., and you want to add a domain controller to the AD DS environment. In order to enhance the security of the new domain controller, you plan to use Server Core. You have already installed Server Core on a new computer, and you are ready to configure the server as a domain controller.

Exercise 1: students perform post-installation configuration of the server to prepare it with the name and TCP/IP settings required for the remaining exercises in this lab.
Exercise 2: students add the DNS and AD DS roles to the Server Core installation.

Logon information
  Virtual machines: 6425C-NYC-DC1, 6425C-NYC-DC3
  Logon user names: Pat.Coleman, Administrator
  Administrative user name: Pat.Coleman_Admin
  Password: Pa$$w0rd
Estimated time: 15 minutes
Lab Review
Did you find the configuration of Server Core to be particularly difficult?
What are the advantages of using Server Core for domain controllers?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.
Question: Did you find the configuration of Server Core to be particularly difficult?
Answer: Answers will vary; some administrators may find it difficult to perform the initial configuration by using command-line tools.
Question: What are the advantages of using Server Core for domain controllers?
Answer: Reduced system requirements, a reduced attack surface (fewer installed components to be vulnerable and to patch), and therefore increased security.
Lesson 3: Manage Operations Masters
Course 6425C Lesson 3: Manage Operations Masters Module 12: Administering AD DS Domain Controllers Understand Single Master Operations Operations Master Roles Optimize the Placement of Operations Masters Identify Operations Masters Transfer Operations Master Roles Seize Operations Master Roles -blank-
459
Understand Single Master Operations
Course 6425C Understand Single Master Operations Module 12: Administering AD DS Domain Controllers In any multimaster replication topology, some operations must be “single master” Many terms used for single master operations in AD DS Operations master (or operations master roles) Single master roles Operations tokens Flexible single master operations (FSMOs) Roles Use this slide to: Introduce the concept of what a “single master operation” is, and why it must be done in a multimaster database. Introduce the many terms used in documentation and in the industry for Flexible Single master Operations (FSMOs). Introduce “the list” of FSMOs. Do not go into detail about specific roles yet. The following slides will allow you to do that. It might be helpful to pick one FSMO and use it as an example as you introduce the concepts. An RID master is a good one to use. Students are familiar with SIDs and that SIDs must be unique. SIDs can be assigned by any domain controller to a new account. So how do domain controllers ensure they are giving out unique SIDs? They are given a “pool” of SIDs (effectively) by the RID master. Compare it to DHCP, which has a “pool” of IP addresses to assign. You do not (yet) need to go into detail about how an SID is the domain SID plus an RID. Just set up the concept. The RID master is responsible for handing out “pools” of unique RIDs. It must be done by one and only one machine, or domain controllers might get identical or overlapping pools of RIDs, which would lead to duplicate SIDs, which can cause issues. Forest-wide roles: Domain naming, Schema. Domain-wide roles: Relative identifier (RID), Infrastructure, PDC Emulator.
460
Operations Master Roles
Course 6425C Operations Master Roles Module 12: Administering AD DS Domain Controllers Forest-wide Domain naming: Adds/removes domains to/from the forest Schema: Makes changes to the schema Domain-wide RID: Provides “pools” of RIDs to domain controllers, which use them for SIDs Infrastructure: Tracks changes to objects in other domains that are members of groups in this domain PDC: Plays several very important roles Emulates a Primary Domain Controller (PDC): compatibility Special password update handling Default target for Group Policy updates Master time source for domain Domain master browser Discuss each of the roles in as much depth as you feel is appropriate for the students. Be sure to point out that most master roles are so “specific” that the master could be offline for days, weeks, months or years without problem. For example, you don’t need the schema master until you make changes to the schema; and you don’t need the domain naming master until you add or remove a domain in the forest. Domain FSMOs are needed on a more regular basis, particularly the PDC. The RID master provides a pool of RIDs to each domain controller. If it is not available, eventually a domain controller will attempt to create an account and will be unable to do so. Talk through the five PDC functions to the level of detail that is provided in the student handbook. Enforce that if the PDC is not available or is slow to respond, you are more likely to have issues in the domain.
461
Optimize the Placement of Operations Masters
Course 6425C Optimize the Placement of Operations Masters Module 12: Administering AD DS Domain Controllers Forest root DC (first DC in forest) has all roles by default Best practice guidance Co-locate the schema master and domain naming master on a GC Co-locate the RID master and PDC emulator roles Place the infrastructure master on a DC that is not a global catalog Have a failover plan Real-world enhancements to best-practice guidance Consider configuring all domain controllers as global catalogs In a single domain forest, it doesn’t increase replication traffic If all domain controllers are global catalogs, infrastructure master role is not “necessary” Still exists, but does not start on a global catalog and isn’t needed Best practice guidance bullets are “traditional” guidance since Windows 2000 Server. Real-world organizations have found that making every domain controller a global catalog is beneficial, particularly if they use Microsoft® Exchange Server. If every domain controller is a global catalog, the infrastructure master role is not important. In a single domain forest, making every domain controller a global catalog does not increase replication traffic because there is no partial attribute set from any other domain to replicate. If the infrastructure master is on a global catalog, the role doesn’t start. That’s why when you add a domain controller that is not a global catalog, the Active Directory Domain Services Installation Wizard prompts you to transfer the Infrastructure role. But if every domain controller is going to be a global catalog, you can ignore these prompts.
462
Identify Operations Masters
Course 6425C Identify Operations Masters Module 12: Administering AD DS Domain Controllers User interface tools PDC Emulator: Active Directory Users And Computers RID: Active Directory Users And Computers Infrastructure: Active Directory Users And Computers Schema: Active Directory Schema Domain Naming: Active Directory Domains and Trusts Command-line tools NTDSUtil DCDiag netdom query fsmo Talk through or demonstrate the user interface tools with which operations masters can be identified. List the command-line tools. Students can refer to the student handbook for more details. Emphasize netdom query fsmo. Not only is this most likely to appear on certification exams, it’s also the most immediate and friendly way to list all five FSMOs.
463
Transfer Operations Master Roles
Course 6425C Transfer Operations Master Roles Module 12: Administering AD DS Domain Controllers Scenarios for transferring roles To distribute roles away from the forest root domain controller Prior to taking a role-holding domain controller offline for maintenance Prior to demoting a role-holding domain controller Procedure for transferring roles Ensure that the new role holder is up to date with replication from the current role holder Open the appropriate administrative snap-in Connect to the target domain controller Open the Operations Master dialog box and click Change Or use NTDSUtil to transfer the role Use this slide to talk through the graceful transfer of FSMO roles. A later slide will discuss seizing a role. Inform students that they will practice exactly these procedures in the lab for this lesson. Optionally, demonstrate the transfer of a token (for example RID or PDC) using HQDC01 and HQDC02.
464
Seize Operations Master Roles
Course 6425C Seize Operations Master Roles Module 12: Administering AD DS Domain Controllers Recognize operations master failures Typically you notice when you attempt to perform an action for which the master is responsible, and receive an error Respond to an operations master failure Determine whether the domain controller can be brought online, and when Evaluate whether the enterprise can continue to function temporarily without the domain controller Seize the role by using NTDSUtil Return a role to its original holder? Only for PDC and Infrastructure tokens If Schema, RID, or domain naming have been seized, you must decommission the failed domain controller offline, then promote it again Begin the discussion of this slide by mentioning the fact that seizing operations master roles is far from a day-to-day activity of Windows administrators. In fact, it’s likely that few if any students in your classroom will ever need to seize an operations master role. Therefore, the specifics and procedures related to seizing roles are not critical for students to memorize. Recommend, instead, that if students encounter an operations master failure, they should simply open to this location in the student manual and read the information at that time. However, some high level understanding of the issues is useful not only for the real world, but also for the certification exams. First, discuss how students will recognize that an operations master role has failed. Several of the operations masters can be offline for a significant period of time without you even knowing. However, if the PDC emulator or RID masters fail, you are more likely to notice the impact. After you know that an operations master has failed, the first thought in your head should be that seizing an operations master is a high impact activity that should only be performed if absolutely necessary. 
Therefore, you should evaluate whether the failed domain controller can be brought back online, and in what timeframe. Then, determine whether the enterprise can continue to function temporarily without the operations master role, until the domain controller is back online. If an operations master role holder cannot be brought back online in sufficient time, then you are forced to seize the operations master role to a functioning domain controller. You use NTDSUtil to perform this task. Specific steps are in the student manual for reference. Again, it’s not important to memorize the steps. A very important point to emphasize is that most failed operations master role holders should never be brought back online after the token has been seized. Only the PDC and infrastructure master roles can be brought back online, after which you can gracefully transfer the token back to the original domain controller. Other operations masters must be demoted offline, brought back online as a member server, and then re-promoted to a domain controller. Only at that time can you transfer the token back to the newly created domain controller.
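The three procedures above (identify the role holders, transfer a role gracefully, seize a role only when the holder cannot be brought back) as one added PowerShell example. This is not the course's own code: it uses the ActiveDirectory module in place of the snap-ins and NTDSUtil, and assumes RSAT-AD-PowerShell is installed, the caller is a Domain Admin (Schema Admins / Enterprise Admins for the two forest-wide roles), and that NYC-DC1 and NYC-DC2 are the Lab C domain controllers.

```powershell
# Added example (not the course's own code): identify, transfer and, as a last
# resort, seize operations master roles with the ActiveDirectory module.
# Assumptions: RSAT-AD-PowerShell is installed; the account is a Domain Admin
# (Schema Admins / Enterprise Admins are needed for the two forest-wide roles);
# NYC-DC1 / NYC-DC2 are the Lab C domain controllers.
Import-Module ActiveDirectory

# Same answer as "netdom query fsmo", returned as one object so the holders can
# be compared before and after a move.
function Get-FsmoRoleHolder {
    $domain = Get-ADDomain
    $forest = Get-ADForest -Identity $domain.Forest
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# The "new role holder is up to date" check from the transfer procedure:
# every inbound replication link on $Target from $Source must have succeeded
# on its last attempt.
function Test-InboundReplicationFrom {
    param([Parameter(Mandatory)][string]$Target,
          [Parameter(Mandatory)][string]$Source)
    $short = $Source.Split('.')[0]
    $links = Get-ADReplicationPartnerMetadata -Target $Target -PartnerType Inbound |
             Where-Object { $_.Partner -like "*,CN=$short,CN=Servers,*" }
    if (-not $links) { return $false }
    return -not ($links | Where-Object { $_.LastReplicationResult -ne 0 })
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
                     'RIDMaster', 'InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize      # only when the current holder cannot be brought back
    )
    $before = Get-FsmoRoleHolder
    foreach ($r in $Role) {
        $current = [string]$before.$r
        if ($current -like "$Target*") { Write-Verbose "$r already on $Target"; continue }
        # A simple reachability guard: it cannot prove the DC is healthy, but it
        # stops an accidental seize of a role whose holder is still on the network.
        $holderUp = Test-Connection -ComputerName $current -Count 1 -Quiet
        if ($Seize) {
            if ($holderUp) {
                throw "$current still answers on the network; transfer $r gracefully instead of seizing it."
            }
            if ($r -in @('SchemaMaster', 'DomainNamingMaster', 'RIDMaster')) {
                Write-Warning "$r will be seized: $current must never be brought back online as a DC. Demote it offline, then promote it again."
            }
            Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $r -Force -Confirm:$false
        }
        else {
            if (-not $holderUp) { throw "$current is unreachable; a graceful transfer of $r is not possible." }
            if (-not (Test-InboundReplicationFrom -Target $Target -Source $current)) {
                throw "$Target has no successful inbound replication from $current; let replication complete first."
            }
            Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $r -Confirm:$false
        }
    }
    Get-FsmoRoleHolder   # re-read, so the caller sees the holders that AD now reports
}

# Lab C scenario: move the domain-wide roles off NYC-DC1 before its repair.
Move-FsmoRole -Target 'NYC-DC2' -Role PDCEmulator, RIDMaster, InfrastructureMaster
```

Run it on a domain controller or a management workstation with the RSAT tools. The -Seize switch maps to the -Force parameter of Move-ADDirectoryServerOperationMasterRole, which is the cmdlet equivalent of the NTDSUtil seize operation; the ping guard and the warning for the schema, domain naming and RID roles encode the rule on the slide that those three holders must not return online after a seize.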
465
Lab C: Transfer Operations Master Roles
Course 6425C Lab C: Transfer Operations Master Roles Module 12: Administering AD DS Domain Controllers Exercise 1: Identify Operations Masters Exercise 2: Transfer Operations Master Roles Scenario You are a domain administrator at Contoso, Ltd. One of the redundant power supplies has failed on NYC-DC1, and you must take the server offline for servicing. You want to ensure that AD DS operations are not interrupted while the server is offline. Exercise 1 In this exercise, students will use both user interface and command-line tools to identify operations masters in the contoso.com domain. Exercise 2 In this exercise, students will prepare to take the operations master offline by transferring its role to another domain controller. They will then simulate taking it offline, bringing it back online, and returning the operations master role. Logon information Virtual machine 6425C-NYC-DC1 6425C-NYC-DC2 Logon user name Pat.Coleman Do not log on Administrative user name Pat.Coleman_Admin Password Pa$$w0rd Estimated time: 15 minutes
466
Module 12: Administering AD DS Domain Controllers
Course 6425C Lab Scenario Module 12: Administering AD DS Domain Controllers You are a domain administrator at Contoso, Ltd. One of the redundant power supplies has failed on NYC-DC1, and you must take the server offline for servicing. You want to ensure that AD DS operations are not interrupted while the server is offline. -blank-
467
Module 12: Administering AD DS Domain Controllers
Course 6425C Lab Review Module 12: Administering AD DS Domain Controllers If you transfer all roles before taking a domain controller offline, is it okay to bring the domain controller back online? Use the questions on the slide to guide the discussion after students have completed the lab exercises. Question: If you transfer all roles before taking a domain controller offline, is it okay to bring the domain controller back online? Answer: Yes.
468
Lesson 4: Configure Global Catalog
Course 6425C Lesson 4: Configure Global Catalog Module 12: Administering AD DS Domain Controllers Understand the Global Catalog Global Catalog Servers Placement Configure a Global Catalog Server Universal Group Membership Caching In Lesson 1, you learned how to create site and subnet objects that enable Active Directory and its clients to localize authentication and directory access; you decided where domain controllers should be placed. In this lesson, you configure global catalog servers and application directory partitions; you manage what will replicate between domain controllers.
469
Understand the Global Catalog
Course 6425C Understand the Global Catalog Module 12: Administering AD DS Domain Controllers Global catalog hosts a partial attribute set for other domains in the forest Supports queries for objects throughout the forest Describe the role of the global catalog server in searching for objects across domains in a forest. Define a global catalog as a domain controller that replicates the partial attribute set for each domain in the forest. But the domain controller won’t need the partial attribute set for its own domain (it already has the full copy of the domain NC), it simply needs the changes made to other domains. That’s why in a single domain environment, making every domain controller a global catalog adds no significant replication. [Slide diagram: domain controllers in Domain A and Domain B, each holding its Domain, Configuration and Schema partitions; the Domain B global catalog server additionally holds the partial attribute set of Domain A.]
470
Global Catalog Servers Placement
Course 6425C Global Catalog Servers Placement Module 12: Administering AD DS Domain Controllers Recommendation: Make every domain controller a global catalog In particular If an application in a site queries the global catalog (port 3268) If a site contains an Exchange Server If a connection to a GC in another site is slow or unreliable Should a domain controller be a global catalog? Recommendation: Every domain controller should be a global catalog. Certainly in some extreme situations there would be reason not to do so, but most large, distributed organizations are doing just that, so it also makes sense for less complex, smaller organizations as well. [Slide diagram: domain controllers for Domain A and Domain B in the HEADQUARTERS and BRANCHA sites, with the question “Make a GC?” against a branch domain controller.]
471
Configure a Global Catalog Server
Course 6425C Configure a Global Catalog Server Module 12: Administering AD DS Domain Controllers Right-click the NTDS Settings node underneath the domain controller Preferably demonstrate how to enable a global catalog.
472
Universal Group Membership Caching
Course 6425C Universal Group Membership Caching Module 12: Administering AD DS Domain Controllers Universal group membership replicated in the global catalog Normal logon: User’s token built with universal groups from global catalog Global catalog not available at logon: Domain controller denies authentication If every Domain controller is a global catalog, this is never a problem If connectivity to a global catalog is not reliable Domain controllers can cache universal group membership for a user when user logs on Global catalog later not available: User authenticated with cached Universal groups In sites with unreliable connectivity to global catalog, enable universal group membership caching Right-click NTDS Settings for site Properties Enables universal group membership caching for all domain controllers on the site Ensure that students realize that universal group membership caching is only necessary in sites that don’t have reliable connectivity to a global catalog. If every domain controller is a global catalog, this is not an issue. This option is not very common in enterprises, but it is useful to know.
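The two configuration steps of this lesson, enabling the global catalog on a domain controller and enabling universal group membership caching on a site, as one added PowerShell example. It is not the course's own code: instead of the right-click dialogs in Active Directory Sites and Services it writes the same "options" bits on the NTDS Settings object of the domain controller (bit 0x1) and the NTDS Site Settings object of the site (bit 0x20), and assumes the ActiveDirectory module, Domain Admins rights, the site names HEADQUARTERS and BRANCHA from the slide and NYC-DC2 from Lab D.

```powershell
# Added example (not the course's own code): set the global catalog flag on a
# domain controller and universal group membership caching on a site by writing
# the "options" bits that the Active Directory Sites and Services dialogs set.
# Assumptions: ActiveDirectory module, Domain Admins rights; the site names
# HEADQUARTERS and BRANCHA come from the slide, NYC-DC2 from Lab D.
Import-Module ActiveDirectory

$NTDSDSA_OPT_IS_GC                         = 0x01   # options bit on CN=NTDS Settings (per DC)
$NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 0x20   # options bit on CN=NTDS Site Settings (per site)

function Set-OptionsBit {
    # Sets or clears one bit in the "options" attribute of an AD object, leaving
    # the other bits (for example "disable automatic topology") untouched.
    param([string]$DistinguishedName, [int]$Bit, [bool]$Enabled, [hashtable]$Extra = @{})
    $obj = Get-ADObject -Identity $DistinguishedName -Properties options
    $old = [int]$obj.options
    $new = if ($Enabled) { $old -bor $Bit } else { $old -band (-bnot $Bit) }
    $set = @{ options = $new } + $Extra
    Set-ADObject -Identity $obj -Replace $set
    return $new
}

function Set-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DomainController, [bool]$Enabled = $true)
    $dc = Get-ADDomainController -Identity $DomainController
    Set-OptionsBit -DistinguishedName $dc.NTDSSettingsObjectDN -Bit $NTDSDSA_OPT_IS_GC -Enabled $Enabled | Out-Null
    # Setting the flag is only the request: the DC advertises as a GC (and answers
    # on port 3268) once the partial attribute set of every other domain has
    # replicated in, which rootDSE reports as isGlobalCatalogReady.
    (Get-ADRootDSE -Server $dc.HostName -Properties isGlobalCatalogReady).isGlobalCatalogReady
}

function Set-UniversalGroupMembershipCaching {
    param([Parameter(Mandatory)][string]$Site, [bool]$Enabled = $true, [string]$RefreshFromSite)
    $config = (Get-ADRootDSE).configurationNamingContext
    $extra  = @{}
    if ($Enabled -and $RefreshFromSite) {
        # "Refresh cache from" in the dialog: the site whose GC refreshes the cached memberships.
        $extra['msDS-Preferred-GC-Site'] = "CN=$RefreshFromSite,CN=Sites,$config"
    }
    Set-OptionsBit -DistinguishedName "CN=NTDS Site Settings,CN=$Site,CN=Sites,$config" `
                   -Bit $NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED -Enabled $Enabled -Extra $extra
}

# Which domain controllers are global catalogs right now, per site: the view
# behind the "make every domain controller a global catalog" recommendation.
function Get-GlobalCatalogReport {
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles
}

Set-GlobalCatalog -DomainController 'NYC-DC2'
Set-UniversalGroupMembershipCaching -Site 'BRANCHA' -RefreshFromSite 'HEADQUARTERS'
Get-GlobalCatalogReport
```

Because the cache is a site-level setting, Set-UniversalGroupMembershipCaching affects every domain controller in the site, exactly as the slide describes; it is only worth enabling in sites that are not themselves served by a global catalog, since a domain controller that is a GC never needs the cache.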
473
Module 12: Administering AD DS Domain Controllers
Course 6425C Lab D: Configure the Global Catalog and Universal Group Membership Caching Module 12: Administering AD DS Domain Controllers Exercise 1: Configure a Global Catalog Exercise 2: Configure Universal Group Membership Caching Scenario You are an administrator at Contoso, Ltd. To improve the availability and resilience of the directory service, you decide to configure additional global catalog servers and universal group membership caching. You are also curious about the relationship between Active Directory–integrated DNS zones and the DNS application partitions. Exercise 1 In this exercise, students will configure a global catalog. Exercise 2 In this exercise, students will create a site to reflect a branch office and configure the site to cache universal group membership. Exercise 3 In this exercise, students will explore the DNS records related to replication and the DomainDnsZone application directory partition, using ADSI Edit. NOTE: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in subsequent labs. Logon information Virtual machine 6425C-NYC-DC1 Logon user name Pat.Coleman Administrative user name Pat.Coleman_Admin Password Pa$$w0rd Estimated time: 30 minutes
474
Module 12: Administering AD DS Domain Controllers
Course 6425C Lab Scenario Module 12: Administering AD DS Domain Controllers You are an administrator at Contoso, Ltd. In your continued effort to improve the availability and resiliency of the directory service, you decide to configure additional global catalog servers and universal group membership caching. -blank-
475
Module 12: Administering AD DS Domain Controllers
Course 6425C Lab Review Module 12: Administering AD DS Domain Controllers When you enable Global Catalog, what actually happens on that domain controller? On which level would you enable Universal Group Membership Caching? Use the questions on the slide to guide the discussion after students have completed the lab exercises. Question: When you enable Global Catalog, what actually happens on that domain controller? Answer: A domain controller that is designated as a global catalog, in addition to its full, writable replica of its own domain directory partition, also starts to store a partial, read-only replica of every other domain directory partition in the forest. Question: On which level would you enable Universal Group Membership Caching? Answer: It is enabled at the site level.
476
Lesson 5: Configure DFS-R Replication of SYSVOL
Course 6425C Lesson 5: Configure DFS-R Replication of SYSVOL Module 12: Administering AD DS Domain Controllers Raise the Domain Functional Level Understand Migration Stages Migrate to DFS-R Replication of Sysvol -blank-
477
Raise the Domain Functional Level
Course 6425C Raise the Domain Functional Level Module 12: Administering AD DS Domain Controllers All domain controllers in the domain must be Windows Server 2008 or newer Domain controllers in other domains and member server operating systems do not matter Active Directory Domains And Trusts Right-click domain Raise Domain Functional Level In Module 1, students were introduced to the general concept of domain and forest functional levels. Module 15 goes into detail about domain and forest functional levels. Therefore, on the slide, focus on the fundamentals: all domain controllers in the domain must be Windows Server 2008 or newer, and the procedure for raising the domain functional level.
478
Understand Migration Stages
Course 6425C Understand Migration Stages Module 12: Administering AD DS Domain Controllers Four states (stages) 0 (start): Default state. FRS replicates SYSVOL 1 (prepared): Copy of SYSVOL called SYSVOL_DFSR, replicated by DFS-R; SYSVOL replicated by FRS and used by clients 2 (redirected): SYSVOL share redirected to SYSVOL_DFSR for client use; SYSVOL replicated by FRS (for failback) 3 (eliminated): FRS replication of SYSVOL stopped. Folder remains. DFSRMig (dfsrmig.exe): setglobalstate <state>, where state is 0-3, sets the global (desired) state; getglobalstate reports the current global DFSR migration state; getmigrationstate reports the migration state of each domain controller toward that state. Mention that SYSVOL is critical to the health and functionality of a domain. Therefore, there is no “instant” migration to DFS-R replication of SYSVOL. Discuss each state of migration, pointing out which replication mechanisms are used and which folder clients are actually redirected to use as the domain's SYSVOL. Explain that the DFSRMig command is used to manage migration. You use the setglobalstate option to set the desired state: where you want the domain to be. That information is then replicated and domain controllers begin migrating to that state. While they are migrating, you can use the getmigrationstate option to report the migration state of each domain controller, or the getglobalstate option to determine whether the domain has reached the state that you specified with the setglobalstate option. Explain that you can revert to an earlier state, until you have reached state 3. After that point, there’s no going back. Finally, inform students that they will be performing the steps in a lab for this lesson.
479
Migrate to DFS-R Replication of SYSVOL
Course 6425C Migrate to DFS-R Replication of SYSVOL Module 12: Administering AD DS Domain Controllers
Raise the domain functional level to at least Windows Server 2008.
dfsrmig /setglobalstate 1. Wait for migration to the Prepared state; this can take 15 minutes to an hour or longer. Use dfsrmig /getmigrationstate to monitor progress.
dfsrmig /setglobalstate 2. Wait; use dfsrmig /getmigrationstate to monitor progress.
dfsrmig /setglobalstate 3. Wait; this can take 15 minutes to an hour or longer.
During migration to state 3 (eliminated), any changes to SYSVOL must be manually made to SYSVOL_DFSR as well.
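The migration procedure above, together with the four states from the previous slide, as one added PowerShell example that drives dfsrmig.exe one state at a time and waits for every domain controller before moving on. This is not the course's own code. It assumes it runs on a domain controller as a Domain Admin with the ActiveDirectory module available; it also assumes that dfsrmig records the global state as msDFSR-Flags = state × 16 on CN=DFSR-GlobalSettings,CN=System of the domain, and that dfsrmig /getmigrationstate prints the phrase "has reached a consistent state" once all domain controllers are consistent (the loop echoes the raw output, so the match can be checked against what your build prints).

```powershell
# Added example (not the course's own code): run the SYSVOL migration from FRS to
# DFS-R one state at a time with dfsrmig.exe, waiting until every domain
# controller reports the new state before setting the next one. Run it on a
# domain controller as a Domain Admin. Assumptions: the ActiveDirectory module is
# present; dfsrmig stores the global state as msDFSR-Flags = state * 16 on
# CN=DFSR-GlobalSettings,CN=System; and "/getmigrationstate" prints the phrase
# "has reached a consistent state" once all DCs are consistent (the loop echoes
# the output so the match can be verified).
Import-Module ActiveDirectory

$StateName = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Test-DfsrMigrationPrerequisite {
    # DFS-R replication of SYSVOL requires the Windows Server 2008 domain level or higher.
    $mode = [string](Get-ADDomain).DomainMode
    return ($mode -notin @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'))
}

function Get-DfsrGlobalState {
    $dn    = "CN=DFSR-GlobalSettings,CN=System,$((Get-ADDomain).DistinguishedName)"
    $flags = [int](Get-ADObject -Identity $dn -Properties 'msDFSR-Flags').'msDFSR-Flags'
    return [int][math]::Floor($flags / 16)     # 0, 16, 32, 48 -> states 0..3 (assumed encoding)
}

function Wait-DfsrMigrationState {
    param([int]$State, [int]$TimeoutMinutes = 120, [int]$PollSeconds = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $out = (& dfsrmig.exe /getmigrationstate) -join "`n"
        Write-Host ("{0:HH:mm:ss} waiting for '{1}'`n{2}" -f (Get-Date), $StateName[$State], $out)
        if ($out -match 'has reached a consistent state') { return $true }   # assumed wording
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-SysvolDfsrMigration {
    param([ValidateRange(1, 3)][int]$TargetState = 3)
    if (-not (Test-DfsrMigrationPrerequisite)) {
        throw 'Raise the domain functional level to Windows Server 2008 before migrating SYSVOL.'
    }
    # Resume from the current global state rather than stepping backwards; once
    # state 3 has been reached there is no way back anyway.
    for ($s = (Get-DfsrGlobalState) + 1; $s -le $TargetState; $s++) {
        Write-Host "dfsrmig /setglobalstate $s ($($StateName[$s]))"
        & dfsrmig.exe /setglobalstate $s | Write-Host
        if (-not (Wait-DfsrMigrationState -State $s)) {
            throw "Timed out waiting for all DCs to reach '$($StateName[$s])'; inspect dfsrmig /getmigrationstate and the DFS Replication event log before continuing."
        }
    }
    Get-DfsrGlobalState
}

# After migration the SYSVOL share should point into SYSVOL_DFSR and the FRS
# service (NtFrs) should no longer be the one replicating it.
function Get-SysvolReplicationStatus {
    [pscustomobject]@{
        GlobalState = $StateName[(Get-DfsrGlobalState)]
        SysvolPath  = (Get-CimInstance -ClassName Win32_Share -Filter "Name='SYSVOL'").Path
        DfsrService = (Get-Service -Name DFSR -ErrorAction SilentlyContinue).Status
        FrsService  = (Get-Service -Name NtFrs -ErrorAction SilentlyContinue).Status
    }
}

Invoke-SysvolDfsrMigration -TargetState 3
Get-SysvolReplicationStatus
```

The state loop never sets a state lower than the one the domain has already reached, so re-running the script after an interruption resumes instead of rolling back; the final status object is the check behind the lab review question, since the SYSVOL share path ending in SYSVOL_DFSR is what distinguishes a migrated domain from one created on Windows Server 2008 from the start.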
480
Lab E: Configure DFS Replication of SYSVOL
Course 6425C Lab E: Configure DFS Replication of SYSVOL Module 12: Administering AD DS Domain Controllers Exercise 1: Observe the Replication of SYSVOL Exercise 2: Prepare to Migrate to DFS-R Exercise 3: Migrate SYSVOL Replication to DFS-R Exercise 4: Verify DFS-R Replication of SYSVOL Scenario You are an administrator at Contoso, Ltd. You have recently upgraded the last remaining Windows Server domain controller to Windows Server 2008, and you want to take advantage of the improved replication of SYSVOL by using DFS-R. Exercise 1 In this exercise, students will observe SYSVOL replication with File Replication Service (FRS) by adding a logon script to the NETLOGON share and observing its replication to another domain controller. Exercise 2 In this exercise, students will confirm the fact that DFS-R migration is not supported in other domain functional levels. Then, they will raise the domain functional level to Windows Server 2008. Exercise 3 In this exercise, students will migrate the replication mechanism from FRS to DFS-R. Exercise 4 In this exercise, students will verify that SYSVOL is being replicated by DFS-R. Logon information Virtual machine 6425C-NYC-DC1 6425C-NYC-DC2 6425C-BRANCHDC02 Logon user name Pat.Coleman Do not log on Administrative user name Pat.Coleman_Admin Password Pa$$w0rd Estimated time: 45 minutes
481
Module 12: Administering AD DS Domain Controllers
Course 6425C Lab Scenario Module 12: Administering AD DS Domain Controllers You are an administrator at Contoso, Ltd. You have recently upgraded the last remaining Windows Server domain controller to Windows Server 2008, and you want to take advantage of the improved replication of SYSVOL by using DFS-R. -blank-
482
Module 12: Administering AD DS Domain Controllers
Course 6425C Lab Review Module 12: Administering AD DS Domain Controllers What would you expect to be different between two enterprises, one which created its domain initially with Windows 2008 domain controllers, and one that migrated to Windows Server 2008 from Windows Server 2003? What must you be aware of while migrating from the Prepared to the Redirected state? Use the questions on the slide to guide the discussion after students have completed the lab exercises. Question: What would you expect to be different between two enterprises, one which created its domain initially with Windows 2008 domain controllers, and one that migrated to Windows Server 2008 from Windows Server 2003? Answer: In a domain that was created with Windows 2008 in the first place, the SYSVOL share will refer to a folder named SYSVOL that is replicated with DFS-R. In a domain that was created with domain controllers prior to Windows 2008, SYSVOL will be replicated with FRS, until it has been migrated. After that point, the SYSVOL share will refer to a folder named SYSVOL_DFSR. Question: What must you be aware of while migrating from the Prepared to the Redirected state? Answer: While migrating from the Prepared to the Redirected state, any changes made to SYSVOL must be manually duplicated in SYSVOL_DFSR.
483
Module Review and Takeaways
Course 6425C Module Review and Takeaways Module 12: Administering AD DS Domain Controllers Review Questions Common Issues Related to Administering AD DS Domain Controllers Best Practices Related to Administering AD DS Domain Controllers Tools Windows Server 2008 R2 Features Introduced in this Module Review Questions Question: In which scenario will you have the option to choose the domain and forest functional level during the dcpromo wizard? Answer: This option is available only during installation of the first domain controller in a domain or forest. Question: How can you easily prepare an unattended file for domain controller installation? Answer: Run dcpromo.exe on a full installation of Windows Server 2008 or 2008 R2 and export the configured settings at the end of the wizard. Question: How can you tell that the RID master is not working? Answer: If the RID master fails, eventually you will be prevented from creating new security principals; for example, you will not be able to create new user objects. However, this might not happen immediately: domain controllers contact the RID master only after they have used up the RIDs in their last allocation. Question: If you seize the operations master role, can you bring the original operations master back online? Answer: Only if the failed domain controller was the PDC emulator or infrastructure master. Schema, domain naming, and RID master role holders cannot be brought back online if the role was seized while the domain controller was offline. Instead, the failed domain controller must be demoted or, preferably, reinstalled entirely while offline. After the server is back online, it can be re-promoted to a domain controller and, at that time, the operations master role can be transferred gracefully to it.
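The unattended domain controller installation from the review question, applied to the Lab B scenario (promoting a Server Core installation to an additional domain controller of contoso.com), as an added PowerShell example that is not the course's own code. The [DCInstall] keys are the ones the Windows Server 2008 R2 wizard exports; Pat.Coleman_Admin and contoso.com come from the lab text, while the answer-file path, the site name and the DSRM password prompt are assumptions.

```powershell
# Added example (not the course's own code): write the unattended answer file for
# promoting a Server Core installation to an additional domain controller of
# contoso.com, then run dcpromo with it (the Lab B scenario). The [DCInstall]
# keys are those exported by the Windows Server 2008 R2 wizard; the file path,
# the site name and the DSRM password prompt are assumptions.
function New-ReplicaDcAnswerFile {
    param(
        [string]$DomainDnsName = 'contoso.com',
        [string]$SiteName      = 'Default-First-Site-Name',
        [string]$AdminUser     = 'Pat.Coleman_Admin',
        [string]$Path          = 'C:\dcpromo-unattend.txt'
    )
    # Password=* makes dcpromo prompt for the domain credentials rather than
    # storing them. The Directory Services Restore Mode password has to be in
    # the file, so it is read without echo and the file is removed afterwards.
    $secure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDnsName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$DomainDnsName
UserName=$AdminUser
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=Yes
"@ | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

function Invoke-ReplicaDcPromotion {
    param([Parameter(Mandatory)][string]$AnswerFile)
    try {
        & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$AnswerFile" | Write-Host
    }
    finally {
        # The answer file holds the DSRM password in clear text; do not leave it on disk.
        Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    }
}

$file = New-ReplicaDcAnswerFile
Invoke-ReplicaDcPromotion -AnswerFile $file
```

On a Windows Server 2008 R2 Server Core installation PowerShell is an optional feature that has to be enabled first; the same answer file can also be passed to dcpromo /unattend from a plain command prompt, which is how the lab performs the promotion. ConfirmGc=Yes and InstallDNS=Yes correspond to the DNS and global catalog choices of the wizard, so the new domain controller comes up as a DNS server and a global catalog without further interaction.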
Common Issues Related to Administering AD DS Domain Controllers
Issue: Cannot raise the domain or forest functional level. Troubleshooting tip: Check that all domain controllers are running an operating system version at least equal to the desired domain functional level. For a forest, check that all domains are at a functional level at least equal to the desired forest functional level.
Issue: You cannot transfer one or more operations master roles. Troubleshooting tip: Check whether the current role holder is online. If it is not, you must seize the role instead of transferring it.
Issue: You cannot install a role or feature on Server Core. Troubleshooting tip: Check whether the role you want to install is supported on Server Core, because this installation option supports only a limited number of roles and features.
Issue: You cannot add an additional domain controller to the current AD DS infrastructure. Troubleshooting tip: Check that at least one domain controller is available; check DNS functionality; check IP settings.
484
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Course 6425C Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane. Module 12: Administering AD DS Domain Controllers
Best Practices Related to Administering AD DS Domain Controllers
Always install at least two domain controllers per domain to achieve high availability.
Use Server Core domain controllers when using role-centric servers, and to maintain higher security and easier management.
Distribute operations master roles across several servers. Be sure to co-locate compatible roles.
Use DFS-R for SYSVOL replication.
Tools
Tool: Active Directory Users and Computers. Used for: Managing operations masters; managing domain functional level; creating and managing AD objects. Where to find it: Administrative Tools.
Tool: Active Directory Domains and Trusts. Used for: Managing domain and forest functional level; trust management.
Tool: Dcpromo.exe. Used for: Installation and configuration of Active Directory Domain Services. Where to find it: You can run it manually.
Tool: Server Manager. Used for: AD DS role installation.
Tool: Active Directory Schema Management. Used for: Managing the schema master role. Where to find it: Must be added as a separate snap-in.
Windows Server 2008 R2 Features Introduced in this Module
Feature: New Server Core roles and features. Description: In Windows Server 2008 R2, new roles and features are provided for the Server Core installation.
485
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Module 13: Managing Sites and Active Directory® Replication Presentation: 45 minutes, Lab: 40 minutes Objectives After completing this module, you will be able to: Configure sites and subnets. Configure global catalog servers and application directory partitions. Configure replication topology with connection objects, bridgehead servers, site links, and site link bridges. Module Exam Objectives Configuring the Active Directory infrastructure: Configure the global catalog Configuring the Active Directory infrastructure: Configure sites Configuring the Active Directory infrastructure: Configure Active Directory® replication Maintaining the Active Directory environment: Monitor Active Directory Preparation for Demos There are no demos in this module Preparation for Lab There are 3 labs which occur during the course of the module. The same virtual machines are used in each lab and each lab is dependent on the previous one. Therefore you should instruct students not to shut down the virtual machines when they have finished a lab. To prepare for the labs, you should ask the students to start the following virtual machine: 6425B-NYC-DC1. Notes This module builds a detailed story of Active Directory replication. If you are at all uncertain about how to present the story, read the information in the Student Manual and use it as a guide for how and when to introduce and detail each concept, process, or recommendation. In the interest of time, propagation dampening (USNs), up-to-dateness vectors, and replication conflict (collision) remediation are not covered. You can add value by discussing these concepts. The best place to do so is after the final lab—as an “appendix” to this module. Module 13 Managing Sites and Active Directory® Replication
486
Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Course 6425C Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane. Module 13: Managing Sites and Active Directory® Replication Module Goal Continuing movement to more complex environments and infrastructures. In most enterprises, there is an overemphasis on sites for replication and an underemphasis on sites for service localization, so we first discuss service localization, and then discuss replication. In Lesson 1, you learn how to create site and subnet objects that enable Active Directory and its clients to localize authentication and directory access; you decide where domain controllers should be placed. In Lesson 2, you will learn how and when replication occurs. You’ll discover why the default configuration of Active Directory supports effective replication and why you might modify that configuration so that replication is equally effective but more efficient, based on your network topology. There has been a lot of misinformation about replication and sites in the “real world” that you should work to dispel while delivering this module. Experience has shown that replication traffic is simply not that significant in most networks, and network connectivity between sites has gotten better and better each year with improvements in hardware and drops in connectivity costs. Replication traffic is minimal when compared with the traffic generated by one user receiving one message with one attachment. On the other hand, organizations underestimate the need for sites for service localization—not just for authentication (domain controllers) but also for Distributed File System (DFS) and other Active Directory (site) aware applications. Many organizations do not have enough sites to effectively localize services.
The recommendations that students should understand (and be able to evaluate for their enterprises) are: Configure sites to localize services (and to segment replication if necessary, but typically it is not) Reduce intersite replication polling to the minimum (15 minutes) Configure each domain controller as a global catalog, at which point infrastructure master role and universal group membership caching are no longer a concern If trying to manage replication flow, disable site link bridging and create site links manually Do not throttle site link replication schedules If necessary (for firewall or performance), designate bridgeheads but always pick more than one (or else replication will stop)
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Module Overview (Module 13: Managing Sites and Active Directory® Replication)
- Configure Sites and Subnets
- Configure Replication
Lesson 1: Configure Sites and Subnets
Course 6425C Lesson 1: Configure Sites and Subnets (Module 13: Managing Sites and Active Directory® Replication)
- Understand Sites
- Plan Sites
- Create Sites
- Manage Domain Controllers in Sites
- SRV Records for Domain Controller
- How Client Locates Domain Controller

In Lesson 1, you learn how to create site and subnet objects that enable Active Directory and its clients to localize authentication and directory access, and you decide where domain controllers should be placed.
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Understand Sites (Module 13: Managing Sites and Active Directory® Replication)
- Loosely related to network "sites": a highly connected portion of your enterprise
- Active Directory objects that support:
  - Replication
    - Active Directory changes must be replicated to all domain controllers
    - Some domain controllers might be separated by slow, expensive links
    - Balance between replication "cost" and convergence
  - Service localization
    - Domain controller (LDAP and Kerberos)
    - DFS
    - Active Directory–aware (site-aware) apps
    - Location property searching, for example, printer location

Set out the highest-level definition of a site: an object that supports replication and service localization. Mention that the incorrect implementation of sites can cause problems later. For example, Microsoft® Exchange Server 2007 uses Active Directory sites to route (whereas earlier versions used Routing Groups).
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Plan Sites (Module 13: Managing Sites and Active Directory® Replication)
- Active Directory sites may not map one-to-one with network sites
  - Two locations, well connected, may be one Active Directory site
  - A large enterprise on a highly connected campus (one "site") may be broken into multiple Active Directory sites for service localization
- Criteria
  - Connection speed: a 512 kbps link is a guideline, but links as low as 28 kbps are used
  - Service placement: if there are no domain controllers or Active Directory–aware services, you might not need to create a site
  - User population: if the number of users warrants a domain controller, consider a site
  - Directory query traffic by users or applications
  - Desire to control replication traffic between domain controllers

Ensure that students understand that an Active Directory site is not a one-to-one mapping with a network "site." This course tends to use the word "location" to refer to a network site, because the word location can refer to a more "physical" construct. A location can contain more than one Active Directory site, or an Active Directory site may span more than one location. Make sure that, with the information on this slide, students can answer the question, "Would I want a separate site for this location?"
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Create Sites (Module 13: Managing Sites and Active Directory® Replication)
- Active Directory Sites and Services
- Default-First-Site-Name should be renamed
- Create a site, then assign it to a site link
- Create a subnet, then assign it to a site
  - A site can have more than one subnet
  - A subnet can be associated with only one site

Demonstrate or discuss the most basic procedures for creating a site and assigning a subnet to the site. Mention that many of these tasks require Enterprise Admin credentials by default, but can be delegated.
Manage Domain Controllers in Sites
Course 6425C Manage Domain Controllers in Sites (Module 13: Managing Sites and Active Directory® Replication)
- Domain controllers should be in the correct site
- The Servers container shows only domain controllers, not all servers
- Add a domain controller to a site
  - The first domain controller will be in Default-First-Site-Name
  - Additional domain controllers will be added to sites based on their subnet address
  - DCPromo prompts you for the site
  - You can right-click the Servers container of a site and precreate the server object before promoting the domain controller
- Move a domain controller to a new site: right-click the domain controller and click Move

As you discuss sites and subnets, do not talk about replication yet. Stay focused on service localization, such as creating a site to make it more efficient to log on. Replication is covered in Lesson 2.
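The site, subnet and domain controller tasks from the last two slides, scripted as an added example (this is not course material or Microsoft sample code). It assumes the ActiveDirectory PowerShell module from Windows Server 2012 or later, which added the New-ADReplicationSite, New-ADReplicationSubnet, Set-ADReplicationSiteLink and Move-ADDirectoryServer cmdlets; on the Windows Server 2008 R2 build the course targets, the same steps are done in Active Directory Sites and Services. The site names HQ and Branch, the server name BRANCH-DC1 and the subnet prefixes are placeholders. It also shows the Lab A review answer: one 10.0.0.0/16 subnet object covers all fifty 10.0.x.0/24 networks, and it finishes with two checks a practitioner wants, for subnets with no site and sites with no domain controller.

```powershell
# Added example, not course code. Requires the ActiveDirectory module (Windows Server 2012+ cmdlets).
Import-Module ActiveDirectory

$HqSite     = 'HQ'          # placeholder: new name for Default-First-Site-Name
$BranchSite = 'Branch'      # placeholder: second site
$BranchDc   = 'BRANCH-DC1'  # placeholder: DC whose server object sits in the wrong site

# 1. Rename Default-First-Site-Name (only if nobody has renamed it yet).
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) {
    Rename-ADObject -Identity $default.DistinguishedName -NewName $HqSite
}

# 2. Create the branch site and put it on a site link; a site that is on no
#    site link cannot replicate with anything.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$BranchSite'")) {
    New-ADReplicationSite -Name $BranchSite -Description 'Branch office (placeholder)'
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $BranchSite }
}

# 3. Subnets. One 10.0.0.0/16 covers every 10.0.x.0/24 network at HQ (the Lab A
#    review answer); the branch gets its own /24. Each subnet maps to exactly one site.
$subnets = @{
    '10.0.0.0/16' = $HqSite
    '10.1.0.0/24' = $BranchSite
}
foreach ($prefix in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $subnets[$prefix]
    }
}

# 4. Move a DC whose server object landed in the wrong site (the GUI's right-click, Move).
if (Get-ADDomainController -Filter "Name -eq '$BranchDc'") {
    Move-ADDirectoryServer -Identity $BranchDc -Site $BranchSite
}

# 5. Checks. A subnet with no site cannot refer clients anywhere, and a site with no DC
#    sends every logon from that site to the first DC in the domain that answers.
Get-ADReplicationSubnet -Filter * |
    Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not associated with any site" }

Get-ADReplicationSite -Filter * | ForEach-Object {
    $dcs = @(Get-ADDomainController -Filter "Site -eq '$($_.Name)'")
    if ($dcs.Count -eq 0) { Write-Warning "Site $($_.Name) has no domain controller" }
}
```

Run it with Enterprise Admin rights (or a delegated account), because site, subnet and site link objects live in the Configuration partition; the slide's point that these tasks need Enterprise Admin by default applies equally to the scripted form.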
SRV Records for Domain Controller
Course 6425C SRV Records for Domain Controller (Module 13: Managing Sites and Active Directory® Replication)
- Domain controllers register service locator (SRV) records in DNS in the following locations:
  - _tcp.contoso.com: all domain controllers in the domain
  - _tcp.siteName._sites.contoso.com: all domain controllers in site siteName
- Clients query DNS for domain controllers

Discuss, or demonstrate, SRV records.
How Client Locates Domain Controller
Course 6425C How Client Locates Domain Controller (Module 13: Managing Sites and Active Directory® Replication)
1. New client queries for all domain controllers in the domain
   - Retrieves SRVs from _tcp.domain
   - Attempts LDAP bind to all
2. First domain controller to respond
   - Examines client IP and subnet definitions
   - Refers client to a site
3. Client stores site in registry
4. Client queries for all domain controllers in the site
   - Retrieves SRVs from _tcp.site._sites.domain
   - Attempts LDAP bind to all
5. First domain controller to respond
   - Authenticates client
   - Client forms affinity
Subsequently:
- Client binds to affinity domain controller
- Domain controller offline? Client queries for domain controllers in registry-stored site
- Client moved to another site? Domain controller refers client to another site

Talk through the process that clients use to locate a domain controller.
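The locator process above, and the SRV records from the previous slide, can be checked from a domain member with the following PowerShell. It is an added example, not course material. It assumes the DnsClient module (Resolve-DnsName, Windows 8 / Windows Server 2012 and later) and nltest.exe are available, and it uses the LDAP service records _ldap._tcp.<domain> and _ldap._tcp.<site>._sites.<domain> that correspond to the _tcp locations the slide lists; contoso.com and the site name HQ are placeholders. The registry value DynamicSiteName is where Netlogon caches the site a domain controller referred the client to (step 3 above).

```powershell
# Added example, not course code. Placeholders: contoso.com and HQ.
param(
    [string]$Domain = 'contoso.com',
    [string]$Site   = 'HQ'
)

function Get-DcSrvRecords {
    # Returns the domain controllers advertised under one SRV name
    # (NameTarget = DC host name, Port = LDAP port). An empty result means no DC
    # registers there, so clients will fall back to the domain-wide records.
    param([string]$Name)
    $records = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $records) {
        [pscustomobject]@{
            Record   = $Name
            DC       = $r.NameTarget
            Port     = $r.Port
            Priority = $r.Priority
            Weight   = $r.Weight
        }
    }
}

function Test-DcLocator {
    param([string]$Domain, [string]$Site)

    # Step 1 of the locator: every DC in the domain registers under _ldap._tcp.<domain>.
    $domainWide = @(Get-DcSrvRecords "_ldap._tcp.$Domain")
    # Step 4: only DCs that cover the site register under _ldap._tcp.<site>._sites.<domain>.
    $siteLocal  = @(Get-DcSrvRecords "_ldap._tcp.$Site._sites.$Domain")

    # Step 3: the site a DC referred this client to is cached in the Netlogon parameters.
    $regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $cachedSite = (Get-ItemProperty -Path $regPath -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName

    # Netlogon's current answer for the client's site (first output line of nltest /dsgetsite).
    $netlogonSite = (& nltest /dsgetsite 2>$null | Select-Object -First 1)
    if ($netlogonSite) { $netlogonSite = $netlogonSite.Trim() }

    [pscustomobject]@{
        Domain              = $Domain
        ExpectedSite        = $Site
        CachedSite          = $cachedSite
        NetlogonSite        = $netlogonSite
        DomainWideDcCount   = $domainWide.Count
        SiteLocalDcCount    = $siteLocal.Count
        SiteLocalDcs        = ($siteLocal.DC -join ', ')
        # No site-local records: every logon from this site goes to whichever DC answers first.
        SiteHasCoverage     = ($siteLocal.Count -gt 0)
        # Cached site differs from the expected one: usually a missing or wrong subnet object.
        SiteMatchesExpected = ($cachedSite -eq $Site)
    }
}

Test-DcLocator -Domain $Domain -Site $Site | Format-List
```

SiteHasCoverage false together with a non-zero DomainWideDcCount is the symptom the module review describes: clients in that site are served by domain-wide records and may bind to domain controllers in several sites. SiteMatchesExpected false with a populated CachedSite points at the subnet definitions rather than at DNS.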
Lab A: Configure Sites and Subnets
Course 6425C Lab A: Configure Sites and Subnets (Module 13: Managing Sites and Active Directory® Replication)
- Exercise 1: Configure the Default Site
- Exercise 2: Create Additional Sites
- Exercise 3: Move Domain Controllers into Sites

The goals of this lab are to familiarize students with the two most fundamental objects related to physical topology: sites and subnets.

Scenario
You are an administrator for Contoso, Ltd. You are preparing to improve the service localization and Active Directory replication of your enterprise. The previous administrator made no changes to the out-of-box configuration of sites and subnets. You want to begin the process of defining your physical topology in Active Directory.

Exercise 1: In this exercise, students will rename the Default-First-Site-Name site and associate two subnets with the site.
Exercise 2: In this exercise, students will create a second site and associate a subnet with it.
Exercise 3: In this exercise, students move domain controllers into sites.

NOTE: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in subsequent labs.

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 20 minutes
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Lab Scenario (Module 13: Managing Sites and Active Directory® Replication)
You are an administrator at Contoso, Ltd. You are preparing to improve the service localization and Active Directory replication of your enterprise. The previous administrator made no changes to the out-of-box configuration of sites and subnets. You want to begin the process of defining your physical topology in Active Directory.
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Lab Review (Module 13: Managing Sites and Active Directory® Replication)
Question: If you have a site with 50 subnets, each with a subnet address of 10.0.x.0/24, and you have no other 10.0.x.0 subnets, what could you do to make it easier to identify the 50 subnets and associate them with a site?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Answer: Define a single subnet, /16.
Lesson 2: Configure Replication
Course 6425C Lesson 2: Configure Replication (Module 13: Managing Sites and Active Directory® Replication)
- Understand Active Directory Replication
- Intrasite Replication
- Site Links
- Replication Transport Protocols
- Bridgehead Servers
- Site Link Transitivity and Bridges
- Control Intersite Replication
- Monitor and Manage Replication

In Lesson 1, you learned how to create site and subnet objects that enable Active Directory and its clients to localize authentication and directory access, and you decided where domain controllers should be placed. In Lesson 2, you will learn how and when replication occurs. You'll discover why the default configuration of Active Directory supports effective replication and why you might modify that configuration so that replication is equally effective but more efficient, based on your network topology.
Understand Active Directory Replication
Course 6425C Understand Active Directory Replication (Module 13: Managing Sites and Active Directory® Replication)
- Multimaster replication's balancing act
  - Accuracy (integrity)
  - Consistency (convergence)
  - Performance (keeping replication traffic to a reasonable level)
- Key characteristics of Active Directory replication
  - Multimaster replication
  - Pull replication
  - Store-and-forward
  - Partitions
  - Automatic generation of an efficient and robust replication topology
  - Attribute-level replication
  - Distinct control of intrasite and intersite replication
  - Collision detection and remediation

Discuss the replication model. It is important that students understand that changes can be made on any domain controller in the domain except for RODCs, and that the changes are then replicated to all other domain controllers. Compare this with a single-master replication model, where changes can be made on one domain controller only. Ask students what benefits and disadvantages result from using a multimaster replication model. Stress that this model does result in a much more complicated replication process than a single-master model, but provides more flexibility and resilience. Use that as a transition to introduce the concepts of integrity, convergence, and performance. In a multimaster database, these must be balanced. Go on to define the key design characteristics of AD DS replication as shown on the slide.

References
- Active Directory Replication Technologies
- How the Active Directory Replication Model Works
Intrasite Replication
Course 6425C Intrasite Replication (Module 13: Managing Sites and Active Directory® Replication)
- Connection object: inbound replication to a domain controller
  - Knowledge Consistency Checker (KCC) creates topology
  - Efficient (maximum three hops) and robust (two-way) topology
  - Runs automatically, but you can "Check Replication Topology"
  - Few reasons to manually create connection objects
  - Standby operations masters should have connections to masters
- Replication
  - Notification: Domain controller tells its downstream partners a change is available (15 seconds)
  - Polling: Domain controller checks with its upstream partners (1 hour) for changes
  - Downstream domain controller directory replication agent (DRA) replicates changes
  - Changes to all partitions held by both domain controllers are replicated

Use this slide to fully explain intrasite replication. Discuss, demonstrate, or illustrate the role of the KCC in creating connection objects to create an efficient (three-hop maximum) and robust (two-way) topology. Emphasize that there are only rare situations in which an administrator would want to modify intrasite replication. One such situation is that you should have a "standby operations master," particularly for important and active roles such as primary domain controller (PDC) and RID. These should have direct connection objects with the active master, so that if the master fails, the standby is as up to date as possible. Otherwise, there are few reasons to manually create connection objects within a site. In fact, administrators have very few options by which they can modify the replication topology within a site.

Move on to the replication itself. Mention that in a single site, the replication goal is to update all domain controllers as quickly as possible. However, when a change is made on a domain controller, the domain controller waits up to 15 seconds to notify its partners of the change. This increases the efficiency of replication if additional changes are made to the partition. Point out that with a maximum of 15 seconds, that means "on average," changes replicate every 7.5 seconds. With a maximum of three hops, that means within 45 seconds (22.5 seconds on average) the entire site is updated with a change.

Introduce the DRA. Point out that all partitions replicated between two DCs on a connection object are replicated at the same time; there is no way to time the partitions differently. Point out that replication traffic is not compressed, because it is assumed that all domain controllers in the same site will be connected with a fast network connection with abundant available bandwidth.

(Slide diagram: three domain controllers, DC1, DC2, and DC3, joined by connection objects.)
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Site Links (Module 13: Managing Sites and Active Directory® Replication)
- Intersite topology generator (ISTG) builds the replication topology between sites
- Site links contain sites
- Within a site link, a connection object can be created between any two DCs
  - Not always appropriate given your network topology!

Point out that even with multiple sites that have a distinct hub-and-spoke network topology (that is, all routes go through the headquarters), if Active Directory has the sites on one site link, it may well create connection objects between DCs in the "spokes." Click to build slide. To align your network topology with Active Directory replication, you must remove the DefaultIPSiteLink and create specific site links. Additionally, you must turn off site link transitivity (covered later). This is not a design class, so cover the theory at a level that allows students to understand why the tasks are done, but do not delve deeply into design concepts.
Replication Transport Protocols
Course 6425C Replication Transport Protocols (Module 13: Managing Sites and Active Directory® Replication)
- Directory Service Remote Procedure Call (DS-RPC)
  - Appears as IP in Active Directory Sites and Services
  - The default and preferred protocol for intersite replication
- Inter-Site Messaging—Simple Mail Transport Protocol (ISM-SMTP)
  - Appears as SMTP in Active Directory Sites and Services
  - Rarely used in the real world
  - Requires a certificate authority
  - Cannot replicate the domain naming context; only schema and configuration
  - Any site that uses SMTP to replicate must be in a separate domain within the forest

Ensure that students know that it will be highly unlikely for them to use Simple Mail Transport Protocol (SMTP) for replication in production, but on the exams they need to know the information under the Exam Tip below.

Tip: The most important thing to remember is that if two sites can replicate only with SMTP (if IP is not an option), then those two sites must be separate domains in the forest. SMTP cannot be used to replicate the domain naming context.
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Bridgehead Servers (Module 13: Managing Sites and Active Directory® Replication)
- Replicate changes from bridgeheads in all other sites
- Are polled for changes by bridgeheads in all other sites
- Are selected automatically by the ISTG (new method in Windows Server 2008 R2)
- Or you can configure preferred bridgehead servers
  - Firewall considerations
  - Performance considerations

Discuss bridgeheads. After students are comfortable with what bridgeheads are, point out that bridgeheads are chosen per partition. If you select a preferred bridgehead, you should select more than one, because if the preferred bridgehead(s) are unavailable, replication into and out of a site stops cold. Discuss the best practices that are described in the last paragraph of the student manual.
Site Link Transitivity and Bridges
Course 6425C Site Link Transitivity and Bridges (Module 13: Managing Sites and Active Directory® Replication)
- Site link transitivity (default)
  - ISTG can create connection objects between site links
  - Disable transitivity in the properties of the IP transport
- Site link bridges
  - Manually transitive site links
  - Useful only when transitivity is disabled

It is useful to know that site links are transitive by default, that transitivity can be disabled, and that when transitivity is disabled, you might want to build site link bridges.
Control Intersite Replication
Course 6425C Control Intersite Replication (Module 13: Managing Sites and Active Directory® Replication)
- Site link costs: replication uses the connections with the lowest cost
- Replication
  - Notifications off by default: bridgeheads do not notify partners
  - Polling: downstream bridgehead polls upstream partners
    - Default: 3 hours
    - Minimum: 15 minutes
    - Recommended: 15 minutes
- Replication schedules
  - 24 hours a day
  - Can be scheduled

The scenario that the slide builds is described in the student handbook. Use the information in the manual as a guide for presenting this slide.

(Slide diagram: site links with costs 100, 100, 100, and 300.)
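The intersite recommendations from the Site Links, Bridgehead Servers, Site Link Transitivity and Control Intersite Replication slides, and the Lab B review answer (disable "Bridge all site links"), as one added PowerShell example that is not course material or Microsoft sample code. It assumes the ActiveDirectory module cmdlets from Windows Server 2012 or later (New-ADReplicationSiteLink, Set-ADReplicationSiteLink, Remove-ADReplicationSiteLink); the site names HQ, BranchA and BranchB and the server names HQ-DC1 and HQ-DC2 are placeholders. Two settings have no dedicated cmdlet and are written directly to the Configuration partition: "Bridge all site links" is bit 0x2 of the options attribute on the IP transport object (CN=IP,CN=Inter-Site Transports), and a preferred bridgehead is a server object whose bridgeheadTransportList names that transport.

```powershell
# Added example, not course code. Placeholder site and server names throughout.
Import-Module ActiveDirectory

$Hub            = 'HQ'
$Branches       = @('BranchA', 'BranchB')
$HubBridgeheads = @('HQ-DC1', 'HQ-DC2')   # always designate more than one

$configNc    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"

# 1. One site link per spoke, containing only the hub and that branch, so the ISTG
#    can only build hub <-> branch connections. Cost 100; poll every 15 minutes,
#    which is both the minimum and the course's recommended value.
foreach ($branch in $Branches) {
    $linkName = "$Hub-$branch"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded @($Hub, $branch) `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# 2. Raise the cost of the link over the slower circuit so lower-cost paths are preferred.
Set-ADReplicationSiteLink -Identity "$Hub-BranchB" -Cost 300

# 3. Retire DEFAULTIPSITELINK once every site is on an explicit link; while it exists
#    with all sites in it, the ISTG may still connect any two DCs across those sites.
if (Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'") {
    Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false
}

# 4. Turn off "Bridge all site links" (site link transitivity) on the IP transport.
#    The GUI check box maps to bit 0x2 of the transport's options attribute; setting the
#    bit means site link bridges are required, that is, links are no longer transitive.
$opts = (Get-ADObject -Identity $ipTransport -Properties options).options
if (-not $opts) { $opts = 0 }
if (($opts -band 2) -eq 0) {
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 2) }
}

# 5. Preferred bridgeheads for the hub. If every preferred bridgehead for a partition is
#    down, the ISTG does not fall back to another DC and replication in and out of the
#    site stops, which is why at least two are designated here.
foreach ($dc in $HubBridgeheads) {
    $server = Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq '$dc'" -SearchBase "CN=Sites,$configNc"
    if ($server) {
        Set-ADObject -Identity $server -Replace @{ bridgeheadTransportList = $ipTransport }
    }
}

# 6. Verify the result and ask the KCC/ISTG to rebuild the topology now instead of
#    waiting for its next scheduled run.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Format-Table -AutoSize
repadmin /kcc
```

After step 6, repadmin /showconn on a branch DC should list inbound connections only from hub bridgeheads; a connection from another branch means a site link still contains both branches or the transitivity bit did not take.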
Whiteboard: Replication
Course 6425C Whiteboard: Replication (Module 13: Managing Sites and Active Directory® Replication)

(Slide diagram: Site A, Site B, Site C, and Site D with their IP subnets, bridgehead servers (BH) in Site A and Site B, a site link bridge, and an RODC in a branch IP subnet.)

Use this optional slide to set out intrasite replication, site links and bridges, and bridgehead servers. Ask students to anticipate what intersite replication connection objects will be built. Then click to build the slide.
Monitor and Manage Replication
Course 6425C Monitor and Manage Replication (Module 13: Managing Sites and Active Directory® Replication)
- RepAdmin
  - repadmin /showrepl hqdc01.contoso.com
  - repadmin /showconn hqdc01.contoso.com
  - repadmin /showobjmeta hqdc01 "cn=Linda Miller,ou=…"
  - repadmin /kcc
  - repadmin /replicate hqdc02 hqdc01 dc=contoso,dc=com
  - repadmin /syncall hqdc01.contoso.com /A /e
- DCDiag /test:testName
  - FrsEvent or DFSREvent
  - Intersite
  - KccEvent
  - Replications
  - Topology

Discuss RepAdmin and DCDiag.
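Reading repadmin /showrepl output by eye does not scale past a handful of domain controllers. The following added example (not course material) parses the CSV form, repadmin /showrepl * /csv, and reports every partner/partition pair that has recorded failures or has not replicated successfully within the expected interval. The sample rows are constructed, not captured from a real forest; the DC names, site names and timestamps in them are placeholders. The last-failure status values are ordinary Win32 error codes, 1722 being "The RPC server is unavailable".

```powershell
# Added example, not course code. Parses the CSV output of repadmin /showrepl.
function Get-ReplicationProblems {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,   # lines from: repadmin /showrepl * /csv
        [int]$MaxAgeHours = 3,                        # default intersite polling interval
        [datetime]$Now = (Get-Date)
    )
    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)

        # Last Success Time is "yyyy-MM-dd HH:mm:ss", or 0 when the pair has never replicated.
        $lastSuccess = $null
        $parsed = [datetime]::MinValue
        $raw = $row.'Last Success Time'
        if ($raw -and [datetime]::TryParseExact($raw, 'yyyy-MM-dd HH:mm:ss',
                [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
            $lastSuccess = $parsed
        }
        $hoursSinceSuccess = if ($lastSuccess) { [math]::Round(($Now - $lastSuccess).TotalHours, 1) } else { $null }

        # A pair is a problem if it has failures, has never replicated, or is older than the interval.
        $stale = (-not $lastSuccess) -or ($hoursSinceSuccess -gt $MaxAgeHours)
        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination       = $row.'Destination DSA'
                Source            = $row.'Source DSA'
                SourceSite        = $row.'Source DSA Site'
                NamingContext     = $row.'Naming Context'
                Failures          = $failures
                HoursSinceSuccess = $hoursSinceSuccess
                LastStatus        = $row.'Last Failure Status'
            }
        }
    }
}

# Constructed sample in the shape repadmin /showrepl * /csv prints (header row, then one row
# per inbound partner and partition). Not captured from a real forest.
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,HQ,HQDC01,"DC=contoso,DC=com",Branch,BRDC01,RPC,0,0,2024-01-15 10:02:11,0',
    'showrepl_INFO,HQ,HQDC01,"CN=Configuration,DC=contoso,DC=com",Branch,BRDC01,RPC,0,0,2024-01-15 10:02:11,0',
    'showrepl_INFO,HQ,HQDC01,"DC=contoso,DC=com",Branch,BRDC02,RPC,12,2024-01-15 09:47:30,2024-01-14 18:00:03,1722'
)

# Fixed "now" so the sample is reproducible; drop -Now against live data.
$problems = Get-ReplicationProblems -CsvLines $sample -Now ([datetime]'2024-01-15 10:05:00')
$problems | Format-Table -AutoSize
# Only the BRDC02 -> HQDC01 domain partition row is reported: 12 failures, about 16 hours
# since the last success, last status 1722.

# Against a live forest, feed the real output instead:
#   Get-ReplicationProblems -CsvLines (repadmin /showrepl * /csv)
```

Running the same function with -MaxAgeHours 1 inside a site (where polling is hourly) and 15 minutes after an intersite change (where the course recommends 15-minute polling) turns the slide's timing figures into a concrete check rather than a guideline.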
Lab B: Configure Replication
Course 6425C Lab B: Configure Replication (Module 13: Managing Sites and Active Directory® Replication)
- Exercise 1: Create a Connection Object
- Exercise 2: Create Site Links
- Exercise 3: Designate a Preferred Bridgehead Server
- Exercise 4: Configure Intersite Replication

Scenario
You are an administrator at Contoso, Ltd. You want to optimize replication of AD DS by aligning replication with your network topology and domain controller roles and placement.

Exercise 1: In this exercise, students will create a connection object between NYC-DC1 and NYC-DC2, where NYC-DC2, the standby operations master, replicates from NYC-DC1, the current operations master.
Exercise 2: In this exercise, students will create site links between the headquarters and the other sites, creating a hub-and-spoke replication topology.
Exercise 3: In this exercise, students will designate a preferred bridgehead server for the site.
Exercise 4: In this exercise, students will reduce the intersite replication polling frequency, and will increase the cost of a site link.

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 20 minutes
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Lab Scenario (Module 13: Managing Sites and Active Directory® Replication)
You are an administrator at Contoso, Ltd. You want to optimize replication of AD DS by aligning replication with your network topology and domain controller roles and placement.
Module 13: Managing Sites and Active Directory® Replication
Course 6425C Lab Review (Module 13: Managing Sites and Active Directory® Replication)
Question: Is the procedure you performed in Exercise 2 enough to create a hub-and-spoke replication topology, which ensures that all changes from branches are replicated to the headquarters before being replicated to other branches? If not, what must still be done?

Use the questions on the slide to guide the discussion after students have completed the lab exercises.

Answer: You must disable "Bridge all site links." Optionally, demonstrate this: clear "Bridge all site links" and show the resulting replication topology.
Module Review and Takeaways
Course 6425C Module Review and Takeaways (Module 13: Managing Sites and Active Directory® Replication)
- Review Questions
- Common Issues Related to Managing Sites and Replication
- Best Practices Related to Managing Active Directory Sites and Replication
- Tools

Review Questions

Question: Why is it important that all subnets are identified and associated with a site in a multisite enterprise?
Answer: The process of locating DCs and other services can be made more efficient by referring clients to the correct site, based on the client's IP address and the definition of subnets. If a client has an IP address that does not belong to a site, the client will query for all DCs in the domain, and that is not at all efficient. In fact, a single client can be performing actions against domain controllers in different sites, which (if those changes have not replicated yet) can lead to very strange results. It is very important that each client knows what site it is in, and that's achieved by ensuring that DCs can identify what site a client is in.

Question: What are the advantages of reducing the intersite replication interval? What are the disadvantages?
Answer: Convergence is improved. Changes made in one site are replicated more quickly to other sites. There are actually few, if any, disadvantages. If you consider that the same changes must replicate whether they wait 15 minutes or 3 hours to replicate, it's really a matter of timing of replication rather than quantity of replication. However, in some extreme situations, it's possible that allowing a smaller number of changes to happen more frequently might be less preferable than allowing a large number of changes to replicate less frequently.

Question: What is the purpose of a bridgehead server?
Answer: The bridgehead server is responsible for all replication into and out of the site for a partition. Instead of replicating all domain controllers from one site with all domain controllers in another site, bridgehead servers are used to handle intersite replication.

Question: Which protocol can be used as an alternative for Active Directory replication? What is the disadvantage of using it?
Answer: SMTP can be used. The disadvantage is the inability to replicate the domain partition.
Course 6425C Module 13: Managing Sites and Active Directory® Replication

Common Issues Related to Managing Sites and Replication

Best Practices Related to Managing Active Directory Sites and Replication
You should implement the following best practices when you manage Active Directory sites and replication in your environment:
- Always provide at least one global catalog per site
- Be sure that all sites have appropriate subnets associated
- Do not set up long intervals without replication
- Avoid using SMTP as a protocol for replication
- Do not use universal groups unless necessary, as they create additional replication traffic

Issue: Client cannot locate a domain controller in its site.
Troubleshooting tip: Check whether all SRV records for the domain controller are present in DNS. Check whether the domain controller has an IP address from a subnet that is associated with that site.

Issue: Replication between sites does not work.
Troubleshooting tip: Check whether site links are configured correctly. Check the replication schedule. Check whether the firewall between sites permits traffic for AD replication.

Issue: User cannot log on or cannot access network resources.
Troubleshooting tip: Check whether the global catalog is enabled on at least one domain controller.

Issue: Replication between two domain controllers in the same site does not work.
Troubleshooting tip: Check whether both DCs appear in the same site. Check whether Active Directory on the domain controllers is operational.
Course 6425C Module 13: Managing Sites and Active Directory® Replication

Tools
Tool | Used for | Where to find it
Active Directory Sites and Services | Manage site objects; manage site links; manage replication | Administrative Tools
ADSI Edit | View and manage Active Directory partitions | Administrative Tools
Repadmin | Monitoring and managing replication | Command-line utility
Dcdiag | Reports on the overall health of replication and security for Active Directory Domain Services | Command-line utility
Module 14: Directory Service Continuity
Course 6425C Module 14: Directory Service Continuity
Presentation: 65 minutes, Lab: 80 minutes

Module Goal
Present tools and best practices for ensuring continuity of Active Directory® Domain Services (AD DS) in a Windows® domain.

Objectives
After completing this module, you will be able to:
- Monitor Active Directory.
- Manage the Active Directory database.
- Describe the purpose of the Active Directory Recycle Bin.
- Back up and restore AD DS and domain controllers.

Module Exam Objectives
- Maintaining the Active Directory Environment: Perform offline maintenance
- Maintaining the Active Directory Environment: Configure backup and recovery
- Maintaining the Active Directory Environment: Monitor Active Directory

Preparation for Demos
To prepare for the demos in this module, launch the virtual machines 6425C-NYC-DC1 and 6425C-NYC-DC2.

Preparation for Lab
There are four labs in this module. The same virtual machines are used in each lab, and although the labs are not dependent on each other, to reduce the amount of time required to restart the virtual machines it is recommended that they are not shut down after each lab. Therefore, instruct students not to shut down the virtual machines when they are finished with a lab. To prepare, ask students to launch the virtual machines 6425C-NYC-DC1 and 6425C-NYC-DC2.
Module 14: Directory Service Continuity
Course 6425C Module Overview (Module 14: Directory Service Continuity)
- Monitor Active Directory
- Manage the Active Directory Database
- Active Directory Recycle Bin
- Back Up and Restore AD DS and Domain Controllers

Introduce the module content. Emphasize that the key point of this module is to present tools for monitoring AD DS and for keeping continuity of AD DS.
Lesson 1: Monitor Active Directory
Course 6425C Lesson 1: Monitor Active Directory (Module 14: Directory Service Continuity)
- Understand Performance and Bottlenecks
- Monitoring Tools Overview
- Performance Monitor
- Data Collector Sets
- Demonstration: Monitor AD DS
- Monitoring Best Practices
- Active Directory Best Practices Analyzer
- Demonstration: Using Active Directory Best Practices Analyzer
Understand Performance and Bottlenecks
Course 6425C Understand Performance and Bottlenecks (Module 14: Directory Service Continuity)
- Key system resources
  - CPU
  - Disk
  - Memory
  - Network
- Bottleneck: a resource that is currently at peak utilization

Explain the four key system resources. Define a bottleneck, emphasizing that removing one bottleneck (for example, adding more memory to a server) may then set the stage for the next bottleneck (for example, disk utilization). List some of the tools that are available to help admins.
Monitoring Tools Overview
Course 6425C Monitoring Tools Overview (Module 14: Directory Service Continuity)
- Task Manager: real-time monitoring of key system components
- Event Viewer: logged monitoring for various system services
- Resource Monitor: detailed real-time monitoring of resource usage
- Reliability Monitor: tracks system reliability over time
- Performance Monitor: real-time and historical monitoring of system performance

Provide a brief overview of monitoring tools. Students will probably be familiar with most of these tools, so don't spend too much time on this. If necessary, you can demonstrate some of these tools while teaching this topic.
Module 14: Directory Service Continuity
Course 6425C Performance Monitor (Module 14: Directory Service Continuity)
- Useful counters in any server baseline
  - Memory\Pages/sec
  - PhysicalDisk\Avg. Disk Queue Length
  - Processor\% Processor Time
- Useful counters for monitoring Active Directory
  - NTDS\DRA Inbound Bytes Total/sec
  - NTDS\DRA Inbound Object
  - NTDS\DRA Outbound Bytes Total/sec
  - NTDS\DRA Pending Replication Synchronizations
  - NTDS\Kerberos Authentications/sec
  - NTDS\NTLM Authentications

Describe the basic counter set that should be included in any server baseline: Pages/sec, Avg. Disk Queue Length, %Processor Time. Each of these counters provides high-level insight into performance problems. If a counter has a high value, you will want to look at more detailed counters. For example, if Avg. Disk Queue Length has a high value, examine the average disk read and write queue length counters.

Explain that in addition to the normal baseline counters that you monitor for all servers, there are objects and counters that are specific to AD DS. The Directory Services object provides access to the NT Directory Service (NTDS) counters. Briefly describe the most important counters. Mention that there are also several database counters that allow you to monitor the Active Directory database at an advanced level. These counters provide information regarding the performance of the database cache, database files, and database tables. You can use some of these counters to determine whether you need more hard disks to store additional Active Directory data. Also mention that there is a predefined Data Collector Set for Active Directory Diagnostics that collects data from many different objects.

Reference
Deploying Active Directory for Branch Office Environments, Chapter 9: Post Deployment Monitoring of Domain Controllers
Module 14: Directory Service Continuity
Course 6425C Data Collector Sets (Module 14: Directory Service Continuity)
- Collections of data points:
  - Performance counters
  - Event trace data
  - System configuration information (registry keys)
- Usage scenarios:
  - View real-time performance with Performance Monitor
  - Create a log (manually invoked or scheduled) and then view reports
  - Generate alerts based on thresholds
  - Used by other applications
- To create a Data Collector Set:
  - Start from a template; role templates added by Windows
  - Save an existing set of counters in a Performance Monitor view
  - Manually specify and configure data collectors in a set
  - Export/import a Data Collector Set as XML

Transition to this topic by pointing out that repeatedly loading the same counters would get tiresome. Data Collector Sets allow you to move from one-off, on-the-spot performance monitoring to managed performance monitoring. Describe Data Collector Sets, including how and when you would use them.

Explain that a Data Collector Set is the building block of performance monitoring and reporting in Windows Reliability and Performance Monitor. It organizes multiple data collection points into a single component that you can use to review or log performance. You can create a Data Collector Set and then record it individually, group it with other Data Collector Sets and incorporate it into logs, view it in Performance Monitor, configure it to generate alerts when thresholds are reached, or configure it for use by other non-Microsoft applications. You also can associate it with scheduling rules for data collection at specific times.

Explain that you can create a Data Collector Set from a template, from an existing set of data collectors in a Performance Monitor view, or by selecting individual data collectors and setting each individual option in the Data Collector Set properties. Discuss the built-in reporting features.

Reference
Creating Data Collector Sets
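The counter list from the Performance Monitor slide and the Data Collector Set idea from this one, as an added PowerShell example that is not course material. It samples the baseline and NTDS counters with Get-Counter, compares the averages against recorded baseline values, and then registers the same counter list as a user-defined Data Collector Set with logman.exe so the data keeps accumulating without a console open. The baseline numbers in $Baseline are constructed placeholders; record your own from a quiet, known-good period as the Monitoring Best Practices slide advises. It assumes the NTDS performance object is present, that is, the script runs on a domain controller.

```powershell
# Added example, not course code. Baseline values below are constructed placeholders.
$Counters = @(
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\NTDS\Kerberos Authentications',
    '\NTDS\NTLM Authentications'
)

function Get-DcCounterSummary {
    # Takes a short sample of every counter and returns its average and maximum.
    param([int]$Samples = 12, [int]$IntervalSeconds = 5)
    $data = Get-Counter -Counter $Counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $data.CounterSamples | Group-Object -Property Path | ForEach-Object {
        $values = $_.Group | ForEach-Object { $_.CookedValue }
        [pscustomobject]@{
            # Strip the leading \\machine so the path matches the keys in the baseline table.
            Counter = ($_.Name -replace '^\\\\[^\\]+', '')
            Average = [math]::Round(($values | Measure-Object -Average).Average, 2)
            Maximum = [math]::Round(($values | Measure-Object -Maximum).Maximum, 2)
        }
    }
}

function Compare-ToBaseline {
    # Flags counters whose sampled average exceeds the baseline by more than the tolerance;
    # counters with no recorded baseline are skipped rather than guessed at.
    param(
        [Parameter(Mandatory)]$Summary,
        [Parameter(Mandatory)][hashtable]$Baseline,
        [double]$Tolerance = 0.5     # 50 percent above baseline counts as a deviation
    )
    foreach ($item in $Summary) {
        $key = $Baseline.Keys | Where-Object { $_ -eq $item.Counter } | Select-Object -First 1
        if ($null -eq $key) { continue }
        $limit = $Baseline[$key] * (1 + $Tolerance)
        [pscustomobject]@{
            Counter   = $item.Counter
            Baseline  = $Baseline[$key]
            Current   = $item.Average
            Deviation = ($item.Average -gt $limit)
        }
    }
}

# Constructed baseline (placeholder values; replace with your own recorded averages).
$Baseline = @{
    '\Memory\Pages/sec'                              = 20
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'   = 1
    '\Processor(_Total)\% Processor Time'            = 25
    '\NTDS\DRA Pending Replication Synchronizations' = 0
}

$summary = Get-DcCounterSummary -Samples 6 -IntervalSeconds 5
Compare-ToBaseline -Summary $summary -Baseline $Baseline | Format-Table -AutoSize

# Persist the same counters as a Data Collector Set: binary circular log, 15-second
# interval, capped at 512 MB, so over-capture does not fill the disk.
logman create counter 'AD-Baseline' -c $Counters -si 00:00:15 -f bincirc -max 512 -o "$env:SystemDrive\PerfLogs\AD-Baseline"
logman start 'AD-Baseline'
```

The Data Collector Set created by logman appears under User Defined in Performance Monitor like one built in the console, and logman export can write it to XML for import on the other domain controllers.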
521
Demonstration: Monitor AD DS
Course 6425C Demonstration: Monitor AD DS Module 14: Directory Service Continuity
In this demonstration, you will see how to:
Configure AD DS monitoring by using Data Collector Sets
Demonstration steps:
Create a new Data Collector Set named Custom Active Directory.
If it is not already started, launch the virtual machine 6425C-NYC-DC1 and log on as Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.
Open Performance Monitor and then add the server baseline counters.
Add some of the Active Directory counters, and then start the Data Collector Set.
Perform some activity to generate statistics.
Stop the Data Collector Set, and then look at the user-defined report.
In the System container, start the Active Directory Diagnostics Data Collector Set.
Stop the Data Collector Set, and then look at the system-defined report.
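The Data Collector Set topic and the demonstration above build the set in the Performance Monitor console. The following is an added example, not part of the course material, showing the same work done from the command line with logman.exe so that it can be scripted and copied to other domain controllers. The set name, output path and 15-second sample interval are choices made for this example.

```powershell
# Added example (not from the course): create, run and export a Data Collector Set with
# logman.exe. Name, output path, interval and size cap are assumptions for this example.
$name = 'Custom Active Directory'
$out  = 'C:\PerfLogs\CustomAD'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Counter-based collector: the server baseline counters plus every NTDS counter.
# Binary circular format capped at 256 MB so an unattended run cannot fill the volume
# (the "do not overcapture" guidance in the best-practices topic).
logman create counter "$name" `
    -c '\Memory\Pages/sec' '\PhysicalDisk(_Total)\Avg. Disk Queue Length' '\Processor(_Total)\% Processor Time' '\NTDS\*' `
    -si 00:00:15 -f bincirc -max 256 -o "$out\CustomAD"

# Collect for five minutes of representative activity, then stop.
logman start "$name"
Start-Sleep -Seconds 300
logman stop "$name"

# Show the set's status and the log file it wrote; open the .blg in Performance Monitor
# (or the report under Reports > User Defined) to review it.
logman query "$name"
Get-ChildItem -Path $out

# Export the definition as XML so the identical set can be imported on another DC:
#   logman import -n "Custom Active Directory" -xml C:\PerfLogs\CustomAD\CustomAD.xml
logman export -n "$name" -xml "$out\CustomAD.xml"
```

The `-max 256` cap together with `-f bincirc` makes the log overwrite itself once it reaches 256 MB, which is the practical way to leave a baseline collector running on a domain controller without risking the volume that also hosts the database.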
522
Monitoring Best Practices
Course 6425C Monitoring Best Practices Module 14: Directory Service Continuity
Monitor early to establish baselines:
Document performance when things are working well
Include server and role-related counters during idle and busy times
Monitor often to identify potential problems:
Compare to baseline and watch for troublesome deviation
Know how to monitor and interpret performance before a meltdown:
Establish Data Collector Sets
Build the skills to interpret performance counters
Capture appropriately; do not overcapture:
Degrades performance
Creates "noise," making it difficult to identify real problems
Explain that a baseline needs to be established prior to troubleshooting. You need to know what the counters look like under normal conditions before you can understand the cause of a problem. Data needs to be collected for a period of time, over weeks or months, to establish a baseline. During that period, collect data at different times of the day. For example, collect it during the morning when users are authenticating, or during idle times and periods of replication. When AD DS problems arise, compare the baseline findings to the current statistics to help identify the problem's source.
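The Performance Monitor topic lists the counters to watch and this topic says to compare current values against a baseline. As an added example (not part of the course), the script below samples those counters with Get-Counter on a domain controller and flags any whose one-minute mean exceeds a multiple of the baseline value. The baseline numbers are constructed placeholders, not measurements from the course environment; replace them with the values captured on your own domain controllers during a known-good period. The counter names assume an English-language counter set, and the NTDS authentication counters are named as they appear in the NTDS object (without the "/sec" suffix shown on the slide).

```powershell
# Added example (not from the course): compare live counter means with a recorded baseline.
# Written for Windows PowerShell 2.0 as shipped with Windows Server 2008 R2.
$counters = @(
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\NTDS\Kerberos Authentications',
    '\NTDS\NTLM Authentications'
)

# Baseline means from a known-good period. CONSTRUCTED placeholder values for this example.
$baseline = @{
    '\Memory\Pages/sec'                              = 20
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'   = 1
    '\Processor(_Total)\% Processor Time'            = 25
    '\NTDS\DRA Inbound Bytes Total/sec'              = 50000
    '\NTDS\DRA Outbound Bytes Total/sec'             = 50000
    '\NTDS\DRA Pending Replication Synchronizations' = 0
    '\NTDS\Kerberos Authentications'                 = 30
    '\NTDS\NTLM Authentications'                     = 5
}

function Get-AdDsBaselineDeviation {
    param(
        [int]$Samples = 12,          # 12 samples x 5 s = one minute of data
        [int]$IntervalSeconds = 5,
        [double]$Tolerance = 2.0     # report when the mean exceeds Tolerance x baseline
    )
    $data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $data.CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            # Sample paths carry a machine prefix (\\nyc-dc1\memory\pages/sec); strip it so the
            # key matches $baseline. Hashtable keys compare case-insensitively.
            $key  = $_.Name -replace '^\\\\[^\\]+', ''
            $mean = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            $ref  = $baseline[$key]
            if ($null -eq $ref)  { $deviates = $false }
            elseif ($ref -eq 0)  { $deviates = $mean -gt 0 }          # e.g. pending syncs: any backlog counts
            else                 { $deviates = $mean -gt ($Tolerance * $ref) }
            New-Object -TypeName PSObject -Property @{
                Counter  = $key
                Mean     = [math]::Round($mean, 2)
                Baseline = $ref
                Deviates = $deviates
            }
        }
}

Get-AdDsBaselineDeviation |
    Sort-Object -Property Deviates -Descending |
    Format-Table -Property Counter, Mean, Baseline, Deviates -AutoSize
```

Run it at the same times of day the baseline was collected (morning logon peak, idle periods, replication windows), because a value that is normal at 09:00 can be a deviation at 03:00.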
523
Active Directory Best Practices Analyzer
Course 6425C Active Directory Best Practices Analyzer Module 14: Directory Service Continuity
New tool in Windows Server 2008 R2 that helps administrators detect best-practice violations and implement best practices for:
AD DS
AD CS
DNS Server
Terminal Services
In this topic, you should introduce the new tool, Active Directory Best Practices Analyzer, which is specific to Windows Server 2008 R2. First define best practices. In Windows management, best practices are guidelines that are considered the ideal way, under normal circumstances and as defined by experts, to configure a server. While best-practice violations, even critical ones, do not necessarily lead to problems, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential issues. Continue by defining what AD BPA is, which roles it covers, and how it works, by using the diagram on the slide.
524
Demonstration: Using Active Directory Best Practices Analyzer
Course 6425C Demonstration: Using Active Directory Best Practices Analyzer Module 14: Directory Service Continuity
In this demonstration, you will see how to use Active Directory Best Practices Analyzer.
Detailed demonstration steps:
Log on to 6425C-NYC-DC1 as Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.
Open the Server Manager console.
In the left console pane, expand Roles and click the Active Directory Domain Services role.
In the central pane, scroll down to the Best Practices Analyzer section.
Click Scan This Role and wait until scanning is completed.
Review the events that appear on the Noncompliant tab. Emphasize that some events have severity Error and some are Warning.
Right-click any event and select Properties. Show the detailed description of the event. Click Close.
Right-click any event and select Exclude Result. Show that the event now appears on the Excluded tab.
Click the Compliant tab and show the events that appear there.
Close Server Manager.
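The demonstration runs the scan through Server Manager. As an added example (not part of the course), the same scan, the Noncompliant view and the Exclude Result action can be driven from Windows PowerShell with the BestPractices module that ships with Windows Server 2008 R2, which is how you would run it on every domain controller on a schedule. The model identifier for the AD DS role is the one Microsoft ships; the result title used in the exclusion step is a placeholder you replace with a title returned by the query.

```powershell
# Added example (not from the course): scan the AD DS role with the Best Practices Analyzer
# cmdlets and list the same results the Noncompliant tab shows.
Import-Module BestPractices
$model = 'Microsoft/Windows/DirectoryServices'   # BPA model for the AD DS role

# Equivalent of "Scan This Role". The scan writes its results to the local BPA store.
Invoke-BpaModel -ModelId $model | Out-Null

# Equivalent of the Noncompliant tab: Error and Warning results with the text that the
# Properties dialog shows (Problem, Impact, Resolution). -in is PowerShell 3.0, so use -or here.
Get-BpaResult -ModelId $model |
    Where-Object { $_.Severity -eq 'Error' -or $_.Severity -eq 'Warning' } |
    Sort-Object -Property Severity |
    Select-Object -Property Severity, Category, Title, Problem, Impact, Resolution |
    Format-List

# Equivalent of "Exclude Result": the result moves to the Excluded tab and stays excluded
# on later scans until you set -Exclude $false. Replace the placeholder title first.
Get-BpaResult -ModelId $model |
    Where-Object { $_.Title -eq 'PLACEHOLDER: title of the result to exclude' } |
    Set-BpaResult -Exclude $true

# Equivalent of the Compliant tab.
Get-BpaResult -ModelId $model |
    Where-Object { $_.Severity -eq 'Information' } |
    Select-Object -Property Title
```

Excluding a result hides it rather than fixing it, so treat the Excluded tab as a list that needs its own periodic review: a Warning excluded to quiet the view today is the same configuration risk the analyzer flagged.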
525
Lab A: Monitor Active Directory Events and Performance
Course 6425C Lab A: Monitor Active Directory Events and Performance Module 14: Directory Service Continuity
Exercise 1: Monitor AD DS with Performance Monitor
Exercise 2: Work with Data Collector Sets
Scenario
Last month, the only domain controller in the branch office failed, causing the call center of Contoso to be offline for an entire day. Because redundant authentication or monitoring had not been configured, this failure cost the company a significant amount of money in lost revenue. You were asked to configure monitoring to ensure that performance and reliability can be watched regularly for any signs of trouble.
Exercise 1
In this exercise, students will use Performance Monitor to monitor the real-time performance of AD DS, to save performance counters, and to view a log of saved performance counters.
Exercise 2
In this exercise, students will examine and run a Data Collector Set that is predefined when you add the AD DS role to a server. They will then create a custom Data Collector Set, configure its schedule and data management policies, run it, and examine its data.
NOTE: Do not shut down the virtual machines once you are finished with this lab, as they will be used again in the next lab in this module.
Logon information
Virtual machines: 6425C-NYC-DC1, 6425C-NYC-DC2
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 30 minutes
526
Module 14: Directory Service Continuity
Course 6425C Lab Scenario Module 14: Directory Service Continuity
Last month, the only domain controller in the branch office failed, causing the call center of Contoso to be offline for an entire day. Because redundant authentication or monitoring had not been configured, this failure cost the company a significant amount of money in lost revenue. You were asked to configure monitoring to ensure that performance and reliability can be watched regularly for any signs of trouble.
527
Module 14: Directory Service Continuity
Course 6425C Lab Review Module 14: Directory Service Continuity
In which situations do you currently use, or plan to use, event subscriptions as a monitoring tool?
To which events or performance counters would you consider attaching notifications or actions? Do you use notifications or actions currently in your enterprise monitoring?
Use the questions on the slide to guide the discussion after students have completed the lab exercises.
Question: In which situations do you currently use, or plan to use, event subscriptions as a monitoring tool?
Answer: Answers will vary.
Question: To which events or performance counters would you consider attaching notifications or actions? Do you use notifications or actions currently in your enterprise monitoring?
528
Lesson 2: Manage the Active Directory Database
Course 6425C Lesson 2: Manage the Active Directory Database Module 14: Directory Service Continuity Active Directory Database Files NTDSUtil Restartable Active Directory Domain Services Perform Database Maintenance Demonstration: AD DS Database Maintenance Active Directory Snapshots Restore Deleted Objects -blank-
529
Active Directory Database Files
Course 6425C Active Directory Database Files Module 14: Directory Service Continuity
File: NTDS.dit
Description: The AD DS database file. All AD DS partitions and objects on the domain controller. Default location: systemroot\NTDS
File: EDB*.log
Description: Transaction log. Default transaction log: EDB.log. Overflow logs: Edb000x.log
File: EDB.chk
Description: Checkpoint file. Pointer into the transaction log: which transactions have or have not been committed
File: edbres00001.jrs, edbres00002.jrs
Description: Reserved transaction log files. Used if the disk runs out of space so that transaction logging does not crash
Open Windows Explorer and browse to the C:\Windows\NTDS folder. Point out the files in the folder as you discuss each of the files. Stress that log files will always be exactly 10 megabytes (MB) in size. Discuss the role of the reserve log files. If students are familiar with previous AD DS versions, mention that the edbres00001.jrs and edbres00002.jrs files were called res1.log and res2.log in previous versions.
Reference: How the Data Store Works
530
How the Database Is Modified
Course 6425C How the Database Is Modified Module 14: Directory Service Continuity
[Slide diagram: Write Request -> Transaction is initiated -> Write to the transaction buffer -> Write to the transaction log file (EDB.log) -> Write to the database on disk (NTDS.dit on disk) -> Commit the transaction -> Update the checkpoint (EDB.chk)]
This slide is meant to be used in conjunction with the previous slide, to help illustrate the roles of the transaction logs and the checkpoint file. It is recommended that you switch to this slide as you discuss the roles of these two files, then switch back to the previous slide to discuss the role of the reserve logs.
Describe how the files that the slide lists are used when data is committed to the database. The basic data modification process consists of six steps:
1. The write request initiates a transaction.
2. AD DS writes the transaction to the memory transaction buffer.
3. AD DS secures the transaction in the transaction log.
4. AD DS writes the transaction from the buffer to the database.
5. AD DS compares the database and log files to ensure that the transaction was committed to the database.
6. AD DS updates the checkpoint file.
Question: What other Microsoft services use a transactional model for making database changes? How does the AD DS model compare to these other services?
Answer: Both Microsoft Exchange Server and Microsoft SQL Server® use the transaction model. The AD DS model is very similar in all cases, although some details, such as the size of the transaction logs, vary. For example, in Exchange Server 2007, the transaction logs are only 1 MB in size.
Reference: How the Data Store Works
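The six steps above describe write-ahead logging with a checkpoint. To make the reason for that ordering concrete, here is an added illustration (not AD DS code and not part of the course): a minimal log, database and checkpoint held in three text files, a write routine that follows the same log-first, database-second, checkpoint-last sequence, and a recovery routine that replays only the records the checkpoint has not yet covered. The directory path and the sample changes are assumptions for this example.

```powershell
# Added illustration, not AD DS code: write-ahead log + checkpoint in three files.
$Dir = 'C:\Temp\WalDemo'       # assumed scratch directory
$Log = "$Dir\edb.log"          # plays the role of EDB.log: one change per line, in commit order
$Db  = "$Dir\ntds.txt"         # plays the role of NTDS.dit: the same lines once applied
$Chk = "$Dir\edb.chk"          # plays the role of EDB.chk: how many log records are known to be in the database
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
foreach ($f in $Log, $Db) { if (-not (Test-Path $f)) { New-Item -ItemType File -Path $f | Out-Null } }
if (-not (Test-Path $Chk)) { Set-Content -Path $Chk -Value '0' }

function Write-Transaction {
    param([string]$Change, [switch]$CrashBeforeDatabaseWrite)
    # Steps 1-3: the request becomes a transaction that is secured in the log before anything else.
    Add-Content -Path $Log -Value $Change
    if ($CrashBeforeDatabaseWrite) { return }      # simulate losing power right here
    # Steps 4-5: write the change to the database and confirm it is really there.
    Add-Content -Path $Db -Value $Change
    if (-not (Select-String -Path $Db -Pattern $Change -SimpleMatch -Quiet)) { throw 'commit not confirmed' }
    # Step 6: move the checkpoint past this record.
    Set-Content -Path $Chk -Value ([int](Get-Content -Path $Chk) + 1)
}

function Invoke-Recovery {
    # After a restart, records beyond the checkpoint are in the log but may be missing from the
    # database. Replay them idempotently (a record already present is skipped), then advance
    # the checkpoint. Records before the checkpoint are never touched, which is why the
    # checkpoint keeps recovery fast even when the log is large.
    $done     = [int](Get-Content -Path $Chk)
    $records  = @(Get-Content -Path $Log)
    $replayed = 0
    for ($i = $done; $i -lt $records.Count; $i++) {
        if (-not (Select-String -Path $Db -Pattern $records[$i] -SimpleMatch -Quiet)) {
            Add-Content -Path $Db -Value $records[$i]
            $replayed++
        }
    }
    Set-Content -Path $Chk -Value $records.Count
    return $replayed
}

Write-Transaction 'cn=Adriana Giorgi;department=Sales'                            # fully committed
Write-Transaction 'cn=Adriana Giorgi;title=Manager' -CrashBeforeDatabaseWrite      # logged, never applied
"Replayed $(Invoke-Recovery) record(s) from the log"   # 1: only the record the crash left uncommitted
Get-Content -Path $Db                                  # both changes are now in the database
```

If the log were written after the database instead of before, the second change would have been lost entirely in the simulated crash, with nothing left to replay; that is the property the order of steps 3 and 4 buys, and it is also why the reserve .jrs files on the previous slide exist: the log must always be writable.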
531
Module 14: Directory Service Continuity
Course 6425C NTDSUtil Module 14: Directory Service Continuity
Manage and control single master operations
Perform AD DS database maintenance:
Perform offline defragmentation
Create and mount snapshots
Move database files
Clean domain controller metadata: domain controller removal or demotion while not connected to the domain
Reset the Directory Services Restore Mode password: set dsrm password
Describe what NTDSUtil is, and then describe some of the scenarios in which you can use it. Mention that Module 12 covers how to use NTDSUtil to manage and control single master operations, while Module 14 covers using the tool to perform AD DS database maintenance.
Consider opening a command prompt and starting the NTDSUtil tool. Show how to access help and how to move between different contexts within NTDSUtil. Review the NTDSUtil commands.
Question: You have forgotten the Directory Services Restore Mode password for your domain controller. How can you recover the password?
Answer: You cannot recover the password, but by using the Set DSRM password command in NTDSUtil, you can configure a new password for this account.
References: NTDSUtil Help; Data Store Tools and Settings
532
Restartable Active Directory Domain Services
Course 6425C Restartable Active Directory Domain Services Module 14: Directory Service Continuity
New feature in Windows Server 2008
AD DS can be started or stopped by using the Services console
AD DS can be in three states:
AD DS Started
AD DS Stopped
Directory Services Restore Mode (DSRM)
It is not possible to perform a system state restore while AD DS is in the Stopped state
Restartable AD DS
There are three possible states for a domain controller running Windows Server 2008:
AD DS Started. In this state, AD DS is started. For clients and other services running on the server, a Windows Server 2008 domain controller running in this state is the same as a domain controller running Windows 2000 Server or Windows Server 2003.
AD DS Stopped. In this state, AD DS is stopped. Although this mode is unique, the server has some characteristics of both a domain controller in DSRM and a domain-joined member server. As with DSRM, the AD DS database (NTDS.dit) is offline. Also, you can use the DSRM password to log on locally if another domain controller cannot be contacted. As with a member server, the server is joined to the domain. Also, users can log on interactively or over the network by using another domain controller for domain logon. However, a domain controller should not remain in this state for an extended time, because in this state it cannot service logon requests or replicate with other domain controllers.
Directory Services Restore Mode (DSRM). This mode (or state) is unchanged from Windows Server 2003.
533
Perform Database Maintenance
Course 6425C Perform Database Maintenance Module 14: Directory Service Continuity
Garbage collection
Scavenging: removing deleted items that have reached their tombstone lifetime
Defragmentation
Online defragmentation (part of garbage collection): reclaims unused space
Offline defragmentation (manual): releases unused space and reduces file size; use NTDSUtil; must be done in DSRM or by stopping AD DS
Garbage Collection
Mention that this happens every 12 hours by default, and it is done per domain controller.
Defragmentation
Describe the difference between online and offline defragmentation. Emphasize that online defragmentation happens automatically and does not disrupt normal access to AD DS. Offline defragmentation requires the administrator to take the database offline and run the NTDSUtil tool. Mention that offline defragmentation does not normally need to be performed. The scenarios in which students may choose to run an offline defragmentation include the following:
After removing the global catalog from a server
After removing a large number of objects from the domain
After converting from AD DS-integrated Domain Name System (DNS) to standard DNS
Question: How often will you need to perform an offline defragmentation of your AD DS databases in your environment?
Answer: Most organizations will have to perform an offline defragmentation only when they need to optimize database usage. In general, you will do this only when the amount of data that you are storing in the AD DS database on a domain controller decreases significantly. Give the example of a university, in which every semester thousands of objects are deleted. It is good to perform offline defragmentation after each mass deletion.
References: Windows Server 2008 Technical Library; Data Store Tools and Settings
534
Demonstration: AD DS Database Maintenance
Course 6425C Demonstration: AD DS Database Maintenance Module 14: Directory Service Continuity
In this demonstration, you will see how to:
Stop the AD DS service
Simulate compacting the database
Simulate moving the database to a new volume
Restart the AD DS service
Demonstration
To stop or start the AD DS service:
If it is not already started, start the virtual machine 6425C-NYC-DC1 and log on as Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.
Click Start, click Administrative Tools, and then click Services.
Right-click Active Directory Domain Services, and then select Stop from the context menu.
In the Stop Other Services dialog box, click Yes.
To perform an offline defrag of the Active Directory database while in the AD DS Stopped state:
Click Start, click Run, type CMD, and then press Enter.
In the command window, type ntdsutil, and then press Enter. Click Yes.
At the ntdsutil: prompt, type Activate Instance NTDS, and then press Enter.
At the ntdsutil: prompt, type files, and then press Enter.
At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a location on the local computer), and then press Ctrl+C to break the process. It takes too long to demonstrate.
Next, you would copy NTDS.dit to a "backup" location, along with the logs (*.log), and then you would delete the logs (*.log).
Next, check the integrity of the newly compacted database. Type integrity to check the integrity of the newly compacted database, but press Ctrl+C to break the process!
To move the AD DS database:
In the file maintenance command window, type move db to pathname, and then press Ctrl+C to break the process! Explain that the NTDS.dit file would be moved to the new location and permissions would be set accordingly.
To restart AD DS:
In the Services MMC, right-click Active Directory Domain Services, and then click Start.
Question: Why is it necessary to stop AD DS before defragmenting?
Answer: The database needs to be closed completely before it can be overwritten. An online database may have locked records that are being written to, thus preventing file modification.
Question: Why is it necessary to compact the database to a temporary directory first?
Answer: Compacting the database actually creates a contiguous copy, which will be used to overwrite the fragmented original.
Reference: Compact the Directory Database File (Offline Defragmentation):
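The demonstration breaks out of each ntdsutil step with Ctrl+C. As an added example (not part of the course), the script below carries the offline defragmentation through end to end using Restartable AD DS, in the order the demonstration describes: stop AD DS, compact to a separate directory, keep a copy of the old database and logs, swap in the compacted file, delete the old logs, check integrity, restart. The compaction and backup paths are assumptions; pick a local volume whose free space is at least the size of the current NTDS.dit, because the compacted copy is a full second copy of the database.

```powershell
# Added example (not from the course): offline defragmentation with Restartable AD DS.
# Paths are assumptions for this example. Run in an elevated PowerShell on the domain controller.
$ntdsDir   = 'C:\Windows\NTDS'   # default location of NTDS.dit and the EDB logs
$compactTo = 'D:\NtdsCompact'    # local directory with free space >= size of NTDS.dit
$backupDir = 'D:\NtdsBackup'     # keeps the fragmented database and its logs until you are satisfied

# 1. Stop AD DS. -Force also stops the services that depend on it (KDC, DNS Server, DFS
#    Replication, Intersite Messaging), which is what the "Stop Other Services" prompt asks.
Stop-Service -Name NTDS -Force
Start-Sleep -Seconds 5

# 2. Compact to the separate directory. ntdsutil runs the commands given on its command line,
#    so this is the same sequence as the interactive demonstration.
New-Item -ItemType Directory -Path $compactTo, $backupDir -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $compactTo" quit quit
if (-not (Test-Path "$compactTo\ntds.dit")) {
    Start-Service -Name NTDS
    throw "Compaction did not produce $compactTo\ntds.dit; original database left untouched"
}

# 3. Keep the fragmented database and logs, then swap in the compacted file. The old logs
#    belong to the old file and must be deleted so AD DS does not try to replay them.
Copy-Item -Path "$ntdsDir\ntds.dit" -Destination $backupDir
Copy-Item -Path "$ntdsDir\*.log"    -Destination $backupDir
Copy-Item -Path "$compactTo\ntds.dit" -Destination "$ntdsDir\ntds.dit" -Force
Remove-Item -Path "$ntdsDir\*.log"

# 4. Integrity check on the database now in place; ntdsutil reports "Integrity check successful".
$check = ntdsutil "activate instance ntds" files integrity quit quit 2>&1
if (-not ($check -match 'Integrity check successful')) {
    throw "Integrity check failed; restore ntds.dit and the logs from $backupDir before starting AD DS"
}

# 5. Bring the directory back online, including the services that stopped with it.
Start-Service -Name NTDS
foreach ($svc in 'KDC', 'DNS', 'DFSR', 'IsmServ') { Start-Service -Name $svc -ErrorAction SilentlyContinue }
Get-Service -Name NTDS, KDC, DNS | Format-Table -Property Name, Status -AutoSize
```

Do not delete the copies in the backup directory until the domain controller has started cleanly, replicated, and passed the checks you normally run after maintenance; until then they are the only way back if the compacted file turns out to be bad.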
535
Active Directory Snapshots
Course 6425C Active Directory Snapshots Module 14: Directory Service Continuity
Create a snapshot of Active Directory: NTDSUtil
Mount the snapshot to a unique port
Expose the snapshot: right-click the root node of Active Directory Users and Computers, choose Connect to Domain Controller, and enter serverFQDN:port
View the (read-only) snapshot; you cannot directly restore data from the snapshot
Recover data: manually re-enter data, or restore a backup from the same date as the snapshot
Describe a scenario in which the Database Mounting Tool may be useful. For example, if a user account was deleted several weeks ago, but you are not sure which backup of AD DS has the most recent information about it, you can view the snapshots of AD DS to see when the account was last available in AD DS. Then you can restore the backup of AD DS from that date. In another example, if a Group Policy object is modified accidentally, you can use the Database Mounting Tool to examine the changes and help you better decide how to correct them, if necessary.
The Database Mounting Tool does not actually recover the deleted objects and containers. The administrator must perform data recovery as a subsequent step. You can use Active Directory Users and Computers or a Lightweight Directory Access Protocol (LDAP) tool such as Ldp.exe, which is a tool that is built into Windows Server 2008, to view the data that the snapshot exposes. This data is read-only, and by default, only members of the Domain Admins and Enterprise Admins groups are allowed to view the snapshots because they contain sensitive AD DS data. To create a snapshot, you must be a member of the Enterprise Admins group or the Domain Admins group, or you must have been delegated the appropriate permissions.
Mention that, as a best practice, administrators should schedule a task that runs NTDSUtil.exe to take snapshots of the volume that contains the AD DS or AD LDS database.
Reference: AD DS: Database Mounting Tool
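The slide names the steps (create, mount, expose on a port, connect) and the notes recommend a scheduled snapshot task. As an added example (not part of the course), the following carries those steps out from the command line: a scheduled nightly snapshot like the one in Lab B, mounting a snapshot, exposing it read-only with dsamain.exe, and querying it from the AD module. The LDAP port, script path and the mount path returned by ntdsutil are assumptions; the real mount path is printed by the mount command.

```powershell
# Added example (not from the course): create, schedule, mount, expose and query AD DS snapshots.
# 1. Create a snapshot now. ntdsutil accepts its commands as command-line arguments.
ntdsutil snapshot "activate instance ntds" create quit quit

# 2. Schedule the same command for 01:00 daily (the lab's nightly snapshot). The quoting inside
#    the ntdsutil command line is easier to keep intact in a small .cmd file than in /tr.
$script = 'C:\Scripts\AdSnapshot.cmd'                       # assumed path
New-Item -ItemType Directory -Path (Split-Path $script) -Force | Out-Null
Set-Content -Path $script -Value 'ntdsutil snapshot "activate instance ntds" create quit quit'
schtasks /create /tn "AD DS nightly snapshot" /sc daily /st 01:00 /ru SYSTEM /tr $script

# 3. List snapshots (each gets an index) and mount one. The output names the mount point,
#    e.g. C:\$SNAP_201104010100_VOLUMEC$.
ntdsutil snapshot "list all" "mount 1" quit quit

# 4. Expose the mounted copy on an unused LDAP port. dsamain stays in the foreground, so start it
#    in its own window; the path below is a placeholder for the one printed in step 3.
$dit = 'C:\$SNAP_201104010100_VOLUMEC$\Windows\NTDS\ntds.dit'
Start-Process -FilePath dsamain -ArgumentList "-dbpath `"$dit`" -ldapport 51389"

# 5. Query the snapshot exactly as the slide describes for ADUC (Connect to Domain Controller,
#    enter serverFQDN:port), here through the AD module's -Server parameter. Read-only: the
#    memberOf and other attributes you see are what you re-enter or use to choose a backup date.
Import-Module ActiveDirectory
Get-ADUser -Filter { Surname -eq 'Giorgi' } -Server 'NYC-DC1.contoso.com:51389' -Properties memberOf, whenChanged |
    Select-Object -Property Name, DistinguishedName, whenChanged, memberOf

# 6. When finished: stop dsamain (Ctrl+C in its window), then unmount.
ntdsutil snapshot "list all" "unmount 1" quit quit
```

A mounted snapshot is a complete copy of the directory, password hashes included, readable by anyone who can reach that port with Domain Admins or Enterprise Admins credentials; keep it mounted only as long as the comparison takes, and treat the snapshot volume with the same protection as the live NTDS.dit.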
536
Restore Deleted Objects
Course 6425C Restore Deleted Objects Module 14: Directory Service Continuity
When an object is deleted:
It is stripped of almost every attribute except SID, objectGUID, lastKnownParent, sAMAccountName
It is moved to the Deleted Objects container and marked isDeleted
You can restore ("reanimate") deleted ("tombstoned") objects when:
The domain functional level is Windows Server 2003 or newer
The deleted object has not yet been scavenged
To restore deleted objects with LDP.exe:
Modify isDeleted
Provide the distinguished name (DN)
Repopulate all other attributes
Describe the scenario in which reanimating tombstoned objects will work. By default, AD DS objects are retained in the AD DS database in a deactivated state for 60 days after the object has been deleted. When an object is deactivated, most of the object's attributes are deleted, and only a few critical attributes (SID, ObjectGUID, LastKnownParent, and SAMAccountName) are retained. When you reanimate the object, you are activating it, but you still must reconfigure all of the user settings.
You may want to show the students how to reanimate the object that was deleted in a previous topic. The resource listed below provides the procedure.
Reference: How to Restore Deleted User Accounts and their Group Memberships in Active Directory
537
Lab B: Manage the Active Directory Database
Course 6425C Lab B: Manage the Active Directory Database Module 14: Directory Service Continuity
Exercise 1: Perform Database Maintenance
Exercise 2: Work with Snapshots and Recover a Deleted User
Scenario
You are an administrator at Contoso, Ltd, which is an online university. At the end of the semester, 65 days ago, you deleted 835 user accounts for students who graduated or will no longer return to the program. You now want to compact your Active Directory database to reclaim the space released by that many deleted objects. In addition, you were notified that yesterday, one user account, Adriana Giorgi, was deleted by accident. You want to recover that account with a snapshot you have scheduled to run each night at 1:00 A.M.
Exercise 1
In this exercise, students will perform maintenance on the Active Directory database. To do so, they will need to stop the AD DS service and restart it when the maintenance is complete.
Exercise 2
In this exercise, students will create and mount an Active Directory snapshot, and they will use the information to help repopulate attributes of a deleted user object.
NOTE: Do not shut down the virtual machines once you are finished with this lab, as they will be used again in the next lab in this module.
Logon information
Virtual machines: 6425C-NYC-DC1, 6425C-NYC-DC2
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 15 minutes
538
Module 14: Directory Service Continuity
Course 6425C Lab Scenario Module 14: Directory Service Continuity
You are an administrator at Contoso, Ltd, which is an online university. At the end of the semester, 65 days ago, you deleted 835 user accounts for students who graduated or will no longer return to the program. You now want to compact your Active Directory database to reclaim the space released by that many deleted objects. In addition, you were notified that yesterday, one user account, Adriana Giorgi, was deleted by accident. You want to recover that account with a snapshot you have scheduled to run each night at 1:00 A.M.
539
Module 14: Directory Service Continuity
Course 6425C Lab Review Module 14: Directory Service Continuity In which other situations should you mount a snapshot of Active Directory? What are the disadvantages of restoring a deleted object with a tool such as LDP? Use the questions on the slide to guide the discussion after students have completed the lab exercises. Question: In which other situations should you mount a snapshot of Active Directory? Answer: If you discover a problem with Active Directory that will require restoring a backup, you might want to look at snapshots to determine just how far back you need to go to restore. Once you’ve found the snapshot in which the correct data resides, you can then restore the backup taken on the same date. Question: What are the disadvantages of restoring a deleted object with a tool such as LDP? Answer: You must repopulate all attributes.
540
Lesson 3: Active Directory Recycle Bin
Course 6425C Lesson 3: Active Directory Recycle Bin Module 14: Directory Service Continuity Delete and Restore Objects from Active Directory What Is Active Directory Recycle Bin? Active Directory Recycle Bin Requirements Demonstration: Restore Deleted Objects with Active Directory Recycle Bin -blank-
541
Delete and Restore objects from Active Directory
Course 6425C Delete and Restore Objects from Active Directory Module 14: Directory Service Continuity
Deleted objects are recovered through tombstone reanimation
When an object is deleted, most of its attributes are cleared
Authoritative restore requires AD DS downtime
542
What Is Active Directory Recycle Bin?
Course 6425C What Is Active Directory Recycle Bin? Module 14: Directory Service Continuity
New feature of Windows Server 2008 R2 Active Directory
Provides a way to restore deleted objects without AD DS downtime
Uses the LDP.exe utility or Windows PowerShell with the Active Directory module
543
Active Directory Recycle Bin Requirements
Course 6425C Active Directory Recycle Bin Requirements Module 14: Directory Service Continuity
The feature is disabled by default; it must be manually enabled
The forest functional level must be Windows Server 2008 R2
Adprep /forestprep and /domainprep might be necessary
Enabled by executing:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
544
Module 14: Directory Service Continuity
Course 6425C Demonstration: Restore Deleted Objects with Active Directory Recycle Bin Module 14: Directory Service Continuity
In this demonstration, you will see how to restore deleted objects from Active Directory by using Active Directory Recycle Bin and the ldp.exe utility.
Before performing this demonstration, run the script located at D:\Labfiles\Lab14a\Lab14a_Setup.bat.
Raise the forest functional level
On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts and click Raise Forest Functional Level.
Check the value of Current forest functional level. If it is not set to Windows Server 2008 R2, proceed to the next step. If it is, click OK and close the Active Directory Domains and Trusts console.
In the Select an available forest functional level drop-down list, select Windows Server 2008 R2. Click Raise.
In the Warning window, click OK. In the confirmation window, click OK.
Close the Active Directory Domains and Trusts console.
Enable the Active Directory Recycle Bin feature
Click Start, click Administrative Tools, and then right-click Active Directory Module for Windows PowerShell. Click Run as administrator and then click Yes.
Type the following command, and then press Enter:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
Type y and press Enter. After the command prompt is returned to you, close the PowerShell window.
Delete an object
Open the Active Directory Users and Computers console from Administrative Tools.
Expand Contoso.com, expand User Accounts, and then click the Employees organizational unit.
In the central pane, right-click Aaron Lee and select Delete. In the confirmation window, click Yes.
Close Active Directory Users and Computers.
545
Course 6425C Demonstration: Restore Deleted Objects with Active Directory Recycle Bin (notes continued) Module 14: Directory Service Continuity
Restore the deleted object by using LDP.exe
To open Ldp.exe, click Start, and in the search box type ldp.exe. Under Programs, right-click ldp.exe and then click Run as administrator. Click Yes.
On the Options menu, click Controls. In the Controls dialog box, expand the Load Predefined menu, click Return deleted objects, and then click OK.
To verify that the Deleted Objects container is displayed:
To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connection, click Connect, click OK, and then under Connection, click Bind, and then click OK.
Click View, click Tree, and in BaseDN, type DC=contoso,DC=com, and then click OK.
In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects,DC=contoso,DC=com container. Expand that object and ensure that the Aaron Lee object appears below it.
Right-click the CN=Aaron Lee,... object, and click Modify.
In the Edit Entry Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.
In the Edit Entry Attribute box, type distinguishedName. In the Values box, type the original distinguished name, which is CN=Aaron Lee,OU=Employees,OU=User Accounts,DC=contoso,DC=com. Under Operation, click Replace.
Ensure that the Extended check box is selected, click Enter, and then click Run. Click Close.
From Administrative Tools, open the Active Directory Users and Computers console.
Expand Contoso.com, expand User Accounts, and then click the Employees organizational unit.
Ensure that the Aaron Lee user object exists and that all attributes, such as group membership, are retained.
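The requirements slide gives the Enable-ADOptionalFeature command and the demonstration restores one object with LDP.exe. As an added example (not part of the course), the script below does the same with the Active Directory module: it checks the forest functional level first, enables the feature only if it is not already enabled, then finds and restores the two accounts from Lab C in a single pipeline, which is the point the lab review makes about PowerShell for bulk restores. The names Aaron Lee, Terri Chudzik and contoso.com come from the labs; the sAMAccountNames are not stated on the page, so the final check looks the users up by name.

```powershell
# Added example (not from the course): enable Active Directory Recycle Bin and restore deleted
# objects with the Active Directory module instead of LDP.exe.
Import-Module ActiveDirectory

# 1. Prerequisite: the forest functional level must be Windows Server 2008 R2.
$forest = Get-ADForest
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows Server 2008 R2 first"
}

# 2. Enable the optional feature if it is not already enabled. Enabling is one-way: the feature
#    cannot be disabled afterwards, so check EnabledScopes rather than enabling blindly.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# 3. Only objects deleted after the feature was enabled keep their attributes; earlier deletions are
#    ordinary tombstones (see the lab review). Find the two accounts in Deleted Objects. A deleted
#    object's name becomes "<name>\0ADEL:<guid>", hence the wildcard.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and (Name -like 'Aaron Lee*' -or Name -like 'Terri Chudzik*') } `
    -IncludeDeletedObjects -Properties lastKnownParent, memberOf, whenChanged
$deleted | Format-Table -Property Name, lastKnownParent, whenChanged -AutoSize

# 4. Restore both in one pipeline. Restore-ADObject puts each object back under lastKnownParent,
#    the same place the LDP procedure reaches by replacing distinguishedName by hand.
$deleted | Restore-ADObject

# 5. Verify that group membership survived, as the LDP demonstration does in ADUC.
Get-ADUser -Filter { Name -eq 'Aaron Lee' -or Name -eq 'Terri Chudzik' } -Properties memberOf |
    Select-Object -Property Name, DistinguishedName, memberOf
```

If lastKnownParent itself was deleted (an OU removed along with its contents), restore the parent first or pass `-TargetPath` to Restore-ADObject; the container must exist before the child can be placed back in it.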
546
Lab C: Using Active Directory Recycle Bin
Course 6425C Lab C: Using Active Directory Recycle Bin Module 14: Directory Service Continuity
Exercise 1: Enable the Active Directory Recycle Bin Feature
Exercise 2: Restore Deleted Objects with Active Directory Recycle Bin
Scenario
You are an administrator at Contoso, Ltd, which is an online university. At the end of the semester, a few days ago, you deleted 835 user accounts for students who graduated or will no longer return to the program. However, two user accounts, Aaron Lee and Terri Chudzik, were deleted by mistake and must be restored as soon as possible with minimum downtime.
Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Administrator
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd
Estimated time: 20 minutes
547
Module 14: Directory Service Continuity
Course 6425C Lab Scenario Module 14: Directory Service Continuity
You are an administrator at Contoso, Ltd, which is an online university. At the end of the semester, a few days ago, you deleted 835 user accounts for students who graduated or will no longer return to the program. However, two user accounts, Aaron Lee and Terri Chudzik, were deleted by mistake and must be restored as soon as possible with minimum downtime.
548
Module 14: Directory Service Continuity
Course 6425C Lab Review Module 14: Directory Service Continuity
Will it be possible to restore these deleted objects if they were deleted before Active Directory Recycle Bin was enabled?
In which scenarios is Windows PowerShell a more appropriate method for object restoration?
Question: Will it be possible to restore these deleted objects if they were deleted before Active Directory Recycle Bin was enabled?
Answer: Yes, but only as tombstone objects, without most of their attributes, or by using an authoritative restore of AD DS.
Question: In which scenarios is Windows PowerShell a more appropriate method for object restoration?
Answer: If we were restoring multiple objects, Windows PowerShell is a much more convenient method because commands can be pipelined, so we can restore multiple objects with just one command.
549
Lesson 4: Back Up and Restore AD DS and Domain Controllers
Course 6425C Lesson 4: Back Up and Restore AD DS and Domain Controllers Module 14: Directory Service Continuity Backup and Recovery Tools Overview of AD DS and Domain Controller Backup Demonstration: Backing Up AD DS Additional Backup and Recovery Tools Active Directory Restore Options Nonauthoritative Restore Authoritative Restore -blank-
550
Backup and Recovery Tools
Course 6425C Backup and Recovery Tools Module 14: Directory Service Continuity
Windows Server Backup snap-in (use locally or remotely):
Back up a full server (all volumes)
Back up selected volumes
Back up individual files (Windows Server 2008 R2 only)
Back up system state (includes all critical volumes)
Recover volumes, folders, files, or system state
wbadmin.exe:
Perform manual or automated backup
Back up to CD/DVD/HDD; no tape
Use a dedicated HDD for backup: recommended or required
Additionally, if you are backing up to disk, you should back up to a dedicated disk to improve performance and to facilitate bare-metal recovery (full system restore). In some backup configurations, you are required to use a dedicated disk, so it is best to do so every time. When the disk fills, Windows Server Backup will remove older backups to make room for new backups.
References: Backup and Recovery Overview for Windows Server 2008; Windows Server Backup; Windows Server Backup Step-by-Step Guide for Windows Server 2008; Backing Up Your Server
551
Overview of AD DS and Domain Controller Backup
You must back up all critical volumes:
- System volume: the volume that contains the boot files
- Boot volume: the volume that contains the Windows operating system and the registry
- Volumes hosting SYSVOL, the AD DS database (NTDS.dit), and the logs
Do not store other data on these volumes, as it will increase backup and restore times.
Windows Server Backup (wbadmin.exe)

Notes: Mention that backing up AD DS in Windows Server 2008 is different than in previous AD DS versions, in which you could back up just the System State information, which was just the registry, the Active Directory database, and a few other files. In Windows Server 2008, the System State is much more than that: it is a subset of (or in some configurations, equivalent to) the full server backup.

In Windows Server 2008, the system components that make up System State data depend on the server roles that are installed on the computer, and on which volumes host the critical files that the operating system and the installed roles use. System State data includes at least the following, plus additional data depending on the installed server roles:
- Registry
- COM+ Class Registration database
- Boot files, as described earlier in this topic
- Active Directory Certificate Services database
- Active Directory Domain Services database
- SYSVOL directory
- Cluster service information
- Microsoft Internet Information Services (IIS) metadirectory
- System files that are under Windows Resource Protection

Mention that because you have to back up entire volumes to back up AD DS, it is a best practice to dedicate disk volumes to the critical volumes. For example, data should not be stored on the system volume, as this increases the backup's size and the time it takes to restore the server.

Question: What other process could you use to back up the system state data on a domain controller?
Answer: You could do a full server backup.

References:
- AD DS Backup and Recovery Step-by-Step Guide
Demonstration: Backing Up AD DS
In this demonstration, you will see how to:
- Back up a domain controller

Demonstration Steps
Before performing this demonstration, you will need to open Server Manager and install the Windows Server Backup Features on NYC-DC1.
1. On NYC-DC1, open the Windows Server Backup snap-in.
2. Click the Backup Once link. The Backup Once Wizard appears.
3. On the Backup Options page, ensure that Different options is selected, and then click Next.
4. On the Select Backup Configuration page, click Custom, and then click Next.
5. On the Select Items for Backup page, click Add Items.
6. In the Select Items dialog box, click System state, and then click OK. Click Next.
7. On the Specify Destination Type page, click Next.
8. On the Select Backup Destination page, click Next.
9. On the Confirmation page, click Backup.

Notes: The Backup Once option in the Actions pane offers manual backup capabilities. You can deselect the system volume from the Backup Items, or specify that you want to be able to perform a system recovery using this backup. The location type screen shows that you can select local disks, DVD, or a remote shared folder (network backup). Select the location for the backup, view the summary, and proceed with the backup. Cancel so as not to begin the lengthy backup process.
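The same backup from the command line, as an added example rather than course material. It uses wbadmin.exe, which the slides name as the command-line face of Windows Server Backup, and assumes a dedicated backup disk mounted as E: (an assumption; the demonstration leaves the destination at its default).

```powershell
# Added example, not from the course: the Backup Once demonstration done with wbadmin.exe.
# Assumption: a dedicated backup disk is mounted as E:.
Import-Module ServerManager

# Windows Server Backup is a feature and is not installed on a domain controller by default.
if (-not (Get-WindowsFeature Backup-Features).Installed) {
    Add-WindowsFeature Backup-Features | Out-Null
}

$target = "E:"

# System state covers the critical volumes: the boot and system volumes, SYSVOL, NTDS.dit
# and its logs. -quiet suppresses the confirmation prompt, which matters once this is scheduled.
wbadmin start systemstatebackup "-backupTarget:$target" -quiet
if ($LASTEXITCODE -ne 0) { throw "System state backup failed (wbadmin exit code $LASTEXITCODE)" }

# Confirm the backup landed, and note the version identifier: a later
# "wbadmin start systemstaterecovery -version:<id>" needs it.
wbadmin get versions "-backupTarget:$target"
```

Checking the exit code and listing the versions afterwards is what turns a one-off command into something you can trust from a scheduled task: a backup job that silently fails is the failure mode the lab scenario on this page is built around.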
Additional Backup and Recovery Tools
- Active Directory Snapshots
- Windows PowerShell cmdlets
- Windows Recovery Environment
  - Boot to the Windows Server 2008 DVD and choose System Recovery Options
  - Install locally as a boot option
  - Useful for full system recovery
Active Directory Restore Options
Nonauthoritative (normal) restore:
- Restore the domain controller to a previously known good state of Active Directory
- The domain controller is then updated by standard replication from up-to-date partners
Authoritative restore:
- "Mark" the objects that you want to be authoritative
- Windows sets their version numbers very high
- The domain controller is updated from its up-to-date partners
- The domain controller sends the authoritative updates to its partners
Full Server Restore:
- Typically performed in the Windows Recovery Environment
Alternate Location Restore

Notes: The goal of this slide is to help students understand the options for restoring Active Directory or an entire domain controller. The following slides go into detail on normal restore and authoritative restore, so focus on the reason why you would use one option or another. Focus on the scenarios. Discuss the following options for restoring AD DS:

Normal restore. Use this method to reinstate the AD DS data to the state before the backup, and then update the data through the normal replication process. Perform a normal restore only when you want to restore a single domain controller to a previously known good state.

Authoritative restore. Use this method in conjunction with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated throughout the domain. Perform an authoritative restore to restore individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup.

Full Server Restore. Use this method to restore a failed domain controller. A full server restore performs a bare-metal restoration of the system and data volumes, back to a point in time prior to the failure. A full server recovery recovers every server volume; it reformats and repartitions all disks that are attached to the server. Use this scenario if you want to recover onto new hardware, or if all other attempts to recover the server on the existing hardware have failed.

Alternate Location Restore. Use this method to install new domain controllers by using the Install From Media option.
Nonauthoritative Restore
Restart the domain controller in DSRM:
- Locally: press F8 on restart
- Remotely, using Remote Desktop:
  - Configure restart in DSRM: bcdedit /set safeboot dsrepair
  - Restart: shutdown -t 0 -r
Log on with the Administrator account and the DSRM password
Perform the nonauthoritative restore:
- Use Windows Server Backup (wbadmin.exe) to restore AD DS
Restart:
- Set normal restart: bcdedit /deletevalue safeboot
The domain controller replicates all changes since the date of the backup from its partners

Notes: Stress that the nonauthoritative restore does not restore deleted AD DS information (unless the domain controller is the only one in the domain). When performing a nonauthoritative restore, AD DS replication replicates changes (including the deletion) to the domain controller when it reboots after the restore is complete.

To restart the domain controller in disaster-recovery mode, you can:
- After the boot option menu appears, press F8, and then select the option for Directory Services Restore Mode (DSRM).
OR
- Open a command prompt, type the following command, and then press ENTER:
  bcdedit /set safeboot dsrepair
  Type the following command, and then press ENTER:
  shutdown -t 0 -r

To restart the server normally after you perform the restore operation, type the following commands, pressing ENTER after each:
  bcdedit /deletevalue safeboot
  shutdown -t 0 -r

Administrative credentials: You can log on to the domain controller that you are restoring by using the DSRM password, either locally or remotely. You specify the DSRM password when you install AD DS.

Optionally, talk students through the remote restore of Active Directory. Scenario: The domain controller is in a remote datacenter. You must use Remote Desktop to connect to the domain controller, configure the DSRM boot using BCDEdit, restart the machine, and then, after it has had time to restart, reconnect with Remote Desktop. This time, you log on with the Administrator account and the DSRM password. Perform the restore, use BCDEdit to allow the machine to boot normally, and then restart it.
Authoritative Restore
Restart the domain controller in DSRM
Log on with the Administrator account and the DSRM password
Perform the nonauthoritative restore:
- Use Windows Server Backup (wbadmin.exe) to restore AD DS
Mark selected objects as authoritative:
- restore [object|subtree] "objectDN"
- Authoritative changes have a higher version number than on partners
Restart:
- The restored domain controller replicates changes since the date of the backup
- Partners see the authoritative changes with high version numbers
- Partners pull the authoritative changes from the restored domain controller

Notes: To perform an authoritative restore of AD DS objects, you must first perform a nonauthoritative restore. However, you must not restart the domain controller normally following the nonauthoritative restore procedure.

When an object is marked for authoritative restore, its version number is changed so that it is higher than the (deleted) object's existing version number in the AD DS replication system. This change ensures that any data that you restore authoritatively is replicated from the restored domain controller to the other domain controllers in the forest.

To mark a subtree or individual object authoritative:
1. In DSRM, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER:
   To restore a subtree (for example, an organizational unit (OU) and all child objects), type: restore subtree DistinguishedName
   To restore a single object, type: restore object DistinguishedName
4. Click Yes in the message box to confirm the command.

For example, if you wanted to restore a deleted OU named Marketing NorthAm in the corp.contoso.com domain, you would type:
restore subtree "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"
(Always enclose the distinguished name in quotes when there is a space or other special character within the distinguished name.)

Reference:
- Performing an Authoritative Restore of Active Directory Objects
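The nonauthoritative and authoritative restore steps from these two topics as one command sequence, an added example and not course material. It assumes the system state backup sits on E: and uses the lab's Contractors OU in the Contoso domain as the subtree to mark authoritative (both assumptions); <version-id> stands for the identifier that wbadmin get versions prints. Reboots separate the phases, so this is three short sessions rather than one script.

```powershell
# Added example, not from the course: nonauthoritative restore followed by an authoritative
# restore of one OU. Assumptions: backup on E:, the Contoso lab domain and its Contractors OU.

# --- Phase 1: from a normal session (locally or over Remote Desktop), boot into DSRM ---
bcdedit /set safeboot dsrepair
shutdown -t 0 -r

# --- Phase 2: logged on in DSRM as .\Administrator with the DSRM password ---
# Nonauthoritative restore of the system state (this includes the AD DS database).
# Pick the version from "wbadmin get versions -backupTarget:E:".
$version = "<version-id>"   # placeholder for the identifier wbadmin printed
wbadmin start systemstaterecovery "-version:$version" -backupTarget:E:
# Answer Y to start. When wbadmin asks whether to restart, answer N: the authoritative
# marking has to happen before the domain controller boots normally, otherwise
# replication simply re-applies the deletion it receives from the partners.

# Mark the OU and everything under it authoritative. ntdsutil raises the version numbers
# so partners accept these objects from this DC instead of the deletion they hold.
# Each quoted argument is one ntdsutil command; "quit" twice leaves the tool.
ntdsutil "authoritative restore" "restore subtree OU=Contractors,DC=contoso,DC=com" quit quit

# --- Phase 3: clear the DSRM boot setting and restart normally ---
# After the restart, the DC replicates in everything else it missed since the backup and
# partners pull the authoritative objects because of their high version numbers.
bcdedit /deletevalue safeboot
shutdown -t 0 -r
```

If the OU name contained a space, the distinguished name inside the ntdsutil argument would need its own embedded quotes, exactly as the parenthetical note above says; the Contractors DN has none, so a single pair around the whole command suffices.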
Lab D: Back Up and Restore Active Directory
Exercises:
- Exercise 1: Back Up Active Directory
- Exercise 2: Restore Active Directory and a Deleted OU

Scenario: As an administrator in Contoso, Ltd, it is your responsibility to ensure that the directory service is backed up. Today, you noticed that last night's backup did not run as scheduled. You therefore decided to perform an interactive backup. Shortly after the backup, a domain administrator accidentally deletes the Contractors OU. Luckily, you are able to restore the OU with the backup you just made.

Exercise 1: In this exercise, students will install the Windows Server Backup feature, and then use it to schedule a backup of Active Directory. They also will perform an interactive backup of the system volume.

Exercise 2: In this exercise, students will perform an authoritative restore of the AD DS database. They will then verify that the data is restored successfully.

Logon information:
- Virtual machines: 6425C-NYC-DC1, 6425C-NYC-DC2
- Logon user name: Pat.Coleman
- Administrative user name: Pat.Coleman_Admin
- Password: Pa$$w0rd
Estimated time: 15 minutes
Lab Scenario
As an administrator in Contoso, Ltd, it is your responsibility to ensure that the directory service is backed up. Today, you noticed that last night's backup did not run as scheduled. You therefore decided to perform an interactive backup. Shortly after the backup, a domain administrator accidentally deletes the Contractors OU. Luckily, you are able to restore the OU with the backup you just made.
Lab Review
Use the questions on the slide to guide the debriefing after students have completed the lab exercises.

Question: What type of domain controller and directory service backup plan do you have in place? What do you expect to put in place after having completed this lesson and this lab?
Answer: Answers will vary.

Question: When you restore a deleted user (or an OU with user objects) by using authoritative restore, will the objects be exactly the same as before? Which attributes might not be the same?
Answer: Answers may vary somewhat, but the question is designed to frame a discussion of group membership. A user's group membership is not an attribute of the user object but rather of the group object. When you authoritatively restore a user, you are not restoring the user's membership in groups. The user was removed from the member attribute of groups when it was deleted, so the restored user will not be a member of any groups other than its primary group. In order to restore group memberships, you would have to consider authoritatively restoring the groups as well. This may or may not always be desirable, because when you authoritatively restore the groups you return their membership to the day on which the backup was made.
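A check for exactly the gap the answer describes, as an added example (not course material): because membership is held in each group's member attribute, a user that comes back through an authoritative restore is in its primary group only. The two functions below assume the Active Directory module and a CSV location of your choosing; the first records memberships when you take the backup, the second reports, and on request re-creates, what the restored accounts have lost, without touching the groups' other members the way a group restore would.

```powershell
# Added example, not from the course. Group membership is an attribute of the group, not
# the user, so an authoritatively restored user returns with only its primary group.
# Keeping a membership baseline beside the backup makes the loss visible and repairable.
# Assumptions: ActiveDirectory module; the OU and CSV path are yours to choose.
Import-Module ActiveDirectory

function Export-MembershipBaseline {
    # Run when the backup is taken: one row per (user, group) for every user in the OU.
    param([string]$SearchBase, [string]$Path)
    Get-ADUser -SearchBase $SearchBase -Filter * | ForEach-Object {
        $user = $_
        Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object {
            New-Object PSObject -Property @{
                SamAccountName = $user.SamAccountName
                GroupDN        = $_.DistinguishedName
            }
        }
    } | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-RestoredMembership {
    # Run after the restore: lists baseline memberships the restored users no longer have.
    # -Fix re-adds them. The primary group is skipped: it is recorded on the user object
    # (primaryGroupID), so it survives the restore and never appears in memberOf anyway.
    param([string]$Path, [switch]$Fix)
    foreach ($entry in Import-Csv -Path $Path) {
        try {
            $user = Get-ADUser -Identity $entry.SamAccountName -Properties memberOf, PrimaryGroup
        } catch {
            $user = $null
        }
        if (-not $user) {
            Write-Warning "$($entry.SamAccountName) was not restored"
            continue
        }
        if ($entry.GroupDN -eq $user.PrimaryGroup) { continue }
        if ($user.memberOf -notcontains $entry.GroupDN) {
            Write-Output "$($entry.SamAccountName) is no longer a member of $($entry.GroupDN)"
            if ($Fix) { Add-ADGroupMember -Identity $entry.GroupDN -Members $user }
        }
    }
}

# Before: Export-MembershipBaseline -SearchBase "OU=Contractors,DC=contoso,DC=com" -Path E:\contractors-groups.csv
# After:  Compare-RestoredMembership -Path E:\contractors-groups.csv -Fix
```

Re-adding only the restored users' memberships is the narrower alternative to the group restore the answer weighs: it leaves every other change to those groups since the backup intact.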
Module Review and Takeaways
Topics:
- Review Questions
- Common Issues Related to Directory Service Continuity
- Best Practices Related to Directory Service Continuity
- Tools
- Windows Server 2008 R2 Features Introduced in this Module

Review Questions
Question: Why is it necessary to stop AD DS before defragmenting?
Answer: The database needs to be closed completely before it can be overwritten. An online database may have locked records that are being written to, thus preventing file modification.

Question: Why is it necessary to compact the database to a temporary directory first?
Answer: Compacting the database actually creates a contiguous copy, which will be used to overwrite the fragmented original.

Question: Which tool should be used to clean up metadata from an offline domain controller?
Answer: You should use ntdsutil for this purpose.

Question: What should you do before starting to use Active Directory Recycle Bin?
Answer: You should check that your forest functional level is Windows Server 2008 R2, and you must enable the Active Directory Recycle Bin feature by using Windows PowerShell or by using ldp.exe.

Question: What kinds of restore can you perform with Active Directory?
Answer: You can perform an authoritative restore, a nonauthoritative restore, and a restore of single objects with Active Directory Recycle Bin.
Common Issues Related to Directory Service Continuity

Issue | Troubleshooting tip
Active Directory is responding slowly to client requests | Enable performance monitoring on AD DS-related counters
You suspect that Active Directory is not configured according to best practices | Run the Active Directory Best Practices Analyzer
You want to be able to quickly restore accidentally deleted objects | Enable the Active Directory Recycle Bin feature

Best Practices Related to Directory Service Continuity
- Use performance monitoring tools to monitor Active Directory counters.
- Always establish a baseline before starting to make decisions based on monitoring results.
- Use the ability to stop and start AD DS while the domain controller is online instead of restarting into Directory Services Restore Mode.
- Perform a backup of the Active Directory database as often as possible.

Tools

Tool | Used for | Where to find it
Performance Monitor | Monitoring of system objects from a performance aspect | Administrative Tools
Reliability Monitor | Monitoring events that affect system stability and reliability |
Event Viewer | Reviewing logged events on a server or workstation |
Active Directory module for Windows PowerShell | Active Directory administration |
Ldp.exe | Management of Active Directory objects | Can be started from the Run window
Ntdsutil | Management of the Active Directory database | Command-line utility
Active Directory Domains and Trusts | Management of forest and domain functional levels and trusts |
Windows Server Backup | Backup and restore of files and Active Directory |
Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature | Description
Active Directory Best Practices Analyzer | Windows Server 2008 R2 provides a new tool to analyze the Active Directory configuration
Active Directory Recycle Bin | Windows Server 2008 R2 Active Directory provides a feature that enables object restoration after accidental deletion
Module 15: Managing Multiple Domains and Forests
Presentation: 30 minutes
Lab: 30 minutes

Module Goal
This module covers the concepts and skills required to support the most complex Active Directory® Domain Services (AD DS) environments: multi-domain forests and multi-forest scenarios. It will enable students to evaluate domain and forest models that are appropriate for their enterprises. It will also equip students with skills to migrate objects between domains and forests and to enable authentication and resource access across multiple domains and forests.

Objectives
After completing this lesson, you will be able to:
- Configure domain and forest functional levels.
- Manage multiple domains and trust relationships.
- Move objects between domains and forests.

Preparation for Demos
There is one demo in this module. To prepare for it, you should launch the 6425C-NYC-DC1 virtual machine.

Preparation for Lab
To prepare for the labs, ask students to launch the following virtual machines: 6425C-NYC-DC1 and 6425C-TST-DC1.
Module Overview
- Configure Domain and Forest Functional Levels
- Manage Multiple Domains and Trust Relationships
- Move Objects Between Domains and Forests
Lesson 1: Configure Domain and Forest Functional Levels
Lesson topics:
- Understand Functional Levels
- Domain Functional Levels
- Forest Functional Levels
Understand Functional Levels
Domain functional levels
Forest functional levels
New functionality requires that domain controllers are running a particular Windows version:
- Windows 2000
- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
Active Directory Domains and Trusts
Cannot raise the functional level while domain controllers are running previous Windows versions
Cannot add domain controllers running previous Windows versions after raising the functional level

Notes: Present the terms domain functional level and forest functional level and describe them as switches that enable new functionality introduced by newer versions of Windows. Be certain that students understand that it is only the domain controllers that must be running at least a certain version of Windows in order to raise the functional level to that version. It does not matter what version of Windows is being run on domain member workstations or servers.

As you discuss functional levels, mention one or two features whose benefits are easy for students to understand. For example, at the Windows Server® 2008 domain functional level, you can implement fine-grained password policies so that you can require users who are members of administrative groups to maintain longer passwords and to change them more frequently than nonadministrative users. Students will understand the business value of such a feature. You can then take advantage of that understanding to encourage students to upgrade domain controllers as quickly as reasonably possible to the newest version of Windows, and then to raise the functional level of the domain.

Also ensure that students understand that one domain can be at a higher functional level while another domain in the forest is at a lower functional level. However, the forest functional level cannot be raised until all domains are at the appropriate domain functional level.

Mention that the Active Directory Domains and Trusts tool is used to raise the domain and forest functional levels.
Domain Functional Levels
Windows 2000 Native
Windows Server 2003:
- Domain controller rename
- Default user and computer container redirection
- lastLogonTimestamp attribute
- Selective authentication on external trust relationships
Windows Server 2008:
- Distributed File System Replication (DFS-R) of SYSVOL
- Last interactive logon information
- Fine-grained password policy
- Advanced Encryption Services (AES 128 and AES 256) for Kerberos
Windows Server 2008 R2:
- Authentication mechanism assurance

Notes: Discuss the features that become available at each domain functional level. Most of these features have already been discussed in prior modules, but selective authentication and AES (Advanced Encryption Services) apply to trust relationships, which are covered in the next lesson.
Forest Functional Levels
Windows 2000
Windows Server 2003:
- Forest trusts
- Domain rename
- Linked-value replication
- Support for RODCs (requires adprep /rodcprep and one writable Windows Server 2008 domain controller)
- Improved KCC
- Conversion of inetOrgPerson objects to user objects
- Support for the dynamicObject auxiliary class
- Support for application basic groups and Lightweight Directory Access Protocol (LDAP) query groups
- Deactivation and redefinition of attributes and object classes
Windows Server 2008:
- No new features; sets the minimum level for all new domains
Windows Server 2008 R2:
- Active Directory Recycle Bin

Notes: Reemphasize that read-only domain controllers (RODCs) can be introduced at the Windows Server 2003 domain functional level. You must simply run adprep /rodcprep, and you must have at least one writable domain controller running Windows Server 2008. This is important for several reasons. First, it is important for real-world planning: an organization does not need to upgrade all of its domain controllers in order to benefit from RODCs. Second, this feature is missing from the list of domain functional level features in some documentation, because it is a new feature available to an already existing domain functional level. Most documentation about the Windows Server 2003 functional levels was written when Windows Server 2003 was introduced, at which point the domain functional level did not yet offer RODCs.

Real World: The new features added by each version of Windows can be quite valuable. Windows Server 2008 R2 adds a significant new feature, the Active Directory Recycle Bin, that is available only at the Windows Server 2008 R2 forest functional level. Therefore, it is common for an organization to see great business value in moving its domain controllers to the newest version of Windows as quickly as possible. This can be facilitated by keeping domain controllers dedicated to the job of being domain controllers. Don't "pollute" a domain controller with other roles, such as Web services or Structured Query Language (SQL) services. It is common, and a best practice, to include core infrastructure roles such as DNS Server and DHCP Server on a domain controller. If you keep a domain controller dedicated and "clean," it will be easier for you to upgrade because there will be fewer potential conflicts.
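The two constraints these slides state (domain controllers on an older Windows block the raise, and the forest cannot move until every domain has) turned into a pre-flight check, as an added example and not course material. It assumes the Active Directory module for Windows PowerShell, a command-line alternative to the Active Directory Domains and Trusts console the notes mention.

```powershell
# Added example, not from the course: inventory functional levels and domain controller
# versions, and raise the levels only when the prerequisites on the slides are met.
# Assumption: the ActiveDirectory module (Windows Server 2008 R2 RSAT) is available.
Import-Module ActiveDirectory

function Get-FunctionalLevelReport {
    $forest = Get-ADForest
    $domains = foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name
        New-Object PSObject -Property @{
            Name              = $name
            DomainMode        = $domain.DomainMode
            DomainControllers = @(Get-ADDomainController -Filter * -Server $name |
                                  Select-Object HostName, OperatingSystem, IsReadOnly)
        }
    }
    New-Object PSObject -Property @{
        ForestName = $forest.Name
        ForestMode = $forest.ForestMode
        Domains    = @($domains)
    }
}

function Test-CanRaiseTo2008R2 {
    # Raising fails while any domain controller runs an earlier Windows, and it is one-way:
    # older domain controllers cannot be added afterwards. Member servers and workstations
    # do not matter here, only domain controllers.
    param($Report)
    $older = $Report.Domains | ForEach-Object { $_.DomainControllers } |
        Where-Object { $_.OperatingSystem -notlike "*Windows Server 2008 R2*" }
    if ($older) {
        Write-Warning "Upgrade or demote these domain controllers first:"
        $older | ForEach-Object { Write-Warning "  $($_.HostName): $($_.OperatingSystem)" }
        return $false
    }
    return $true
}

$report = Get-FunctionalLevelReport
"Forest $($report.ForestName) is at $($report.ForestMode)"
$report.Domains | Format-Table Name, DomainMode -AutoSize

if (Test-CanRaiseTo2008R2 $report) {
    # Domains first; the forest level cannot be raised until every domain is already there.
    # -Confirm prompts before each change because there is no way back down.
    foreach ($d in $report.Domains) {
        if ($d.DomainMode -ne "Windows2008R2Domain") {
            Set-ADDomainMode -Identity $d.Name -DomainMode Windows2008R2Domain -Confirm
        }
    }
    if ($report.ForestMode -ne "Windows2008R2Forest") {
        Set-ADForestMode -Identity $report.ForestName -ForestMode Windows2008R2Forest -Confirm
    }
}
```

The report is worth running on its own before any change: a single forgotten domain controller in a branch office is what usually makes the raise fail, and the list of operating systems shows it immediately.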
Lesson 2: Manage Multiple Domains and Trust Relationships
Lesson topics:
- Define Your Forest and Domain Structure
- Understand Trust Relationships
- Characteristics of Trust Relationships
- How Trusts Work Within a Forest
- Demonstration: Create a Trust
- Shortcut Trusts
- External Trusts and Realm Trusts
- Forest Trusts
- Administer Trust Relationships
- Domain Quarantine
- Resource Access for Users from Trusted Domains
Define Your Forest and Domain Structure
Dedicated forest root domain
Single-domain forest:
- Single domain partition, replicated to all domain controllers
- Single Kerberos policy
- Single DNS namespace
Multiple-domain forest:
- Increased hardware and administrative cost
- Increased security risk
Multiple trees
Multiple forests

Notes: Use this slide to address domain and forest design and architectural issues. Spend some time determining what questions your students have regarding domain and forest design.
Understand Trust Relationships
- Trust relationships extend the concept of a trusted identity store to another domain
- The trusting domain (with the resource) trusts the identity store and authentication services of the trusted domain
- A trusted user can authenticate to, and be given access to resources in, the trusting domain
- Within a forest, each domain trusts all other domains
- Trust relationships can be established with external domains
[Figure: Domain A (trusting domain) trusts Domain B (trusted domain)]

Notes: Use this slide to introduce the concept of trusts. Explain a trust relationship by returning to the concept of a workgroup. In its default, stand-alone configuration (workgroup), a Windows system trusts only its own identity store: its Security Accounts Manager (SAM) database. When a computer joins a domain, it extends its realm of trust to include the shared identity store and authentication service provided by the domain controllers of the domain. Now the server will authenticate, and can assign permissions to, a user that is not in its SAM but rather in the trusted identity store in the domain.

With that introduction, it is a small step to the concept of trust relationships, in which a domain extends its realm of trust to include an identity store and authentication service provided by another domain. Users in the trusted domain/identity store can now be authenticated by, and given access to resources in, the trusting domain.

Discuss the scenario shown on the slide in which Domain A trusts Domain B. Discuss the terminology, trusted and trusting, and give users a way to remember which domain is which. Ideally, because of the way you have introduced the story of trust starting with a workgroup machine and extending to a single domain, students should be comfortable with the idea of extending trust between domains, and it will be natural that the trusting domain trusts the identity store and authentication services of the trusted domain. However, a mnemonic device can be helpful: the trustTED domain has "Ted," the user. The trusTING domain has the "tings" (things, or resources) that Ted wants.
Characteristics of Trust Relationships
- Direction
- Transitivity
- Automatic or Manual
[Figure: trusted and trusting domains A, B, and C]

Notes: Discuss the characteristics of trust using the figure shown on the slide or a whiteboard.
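An inventory of the trusts a domain actually has, reported against the three characteristics on the slide, as an added example and not course material. It uses the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008 rather than the console. The transitivity and origin columns are derived from the trust type using the rules taught in this lesson (parent-child, tree-root and shortcut trusts inside the forest and forest trusts are transitive; external trusts are not; a realm trust's transitivity is chosen when it is created), because the API exposes direction and type but not that flag.

```powershell
# Added example, not from the course: list the current domain's trusts with their
# direction, type, and the transitivity and origin implied by the type.
# Uses .NET classes present on Windows Server 2008; no extra module needed.
# Forest trusts are defined on the forest root domain, so run this there to see them.
Add-Type -AssemblyName System.DirectoryServices

function Get-TrustCharacteristics {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($t in $domain.GetAllTrustRelationships()) {
        $type = $t.TrustType.ToString()
        switch ($type) {
            "ParentChild" { $origin = "Automatic";         $transitive = "Transitive" }
            "TreeRoot"    { $origin = "Automatic";         $transitive = "Transitive" }
            "CrossLink"   { $origin = "Manual (shortcut)"; $transitive = "Transitive" }
            "Forest"      { $origin = "Manual (forest)";   $transitive = "Transitive" }
            "External"    { $origin = "Manual (external)"; $transitive = "Non-transitive" }
            "Kerberos"    { $origin = "Manual (realm)";    $transitive = "Set at creation" }
            default       { $origin = "Unknown";           $transitive = "Unknown" }
        }
        # Direction is from this domain's point of view: Outbound means this domain is the
        # trusting side (it has the "tings"), Inbound means it is the trusted side (it has "Ted"),
        # Bidirectional means both.
        New-Object PSObject -Property @{
            ThisDomain  = $t.SourceName
            OtherDomain = $t.TargetName
            Direction   = $t.TrustDirection.ToString()
            Type        = $type
            Transitive  = $transitive
            Origin      = $origin
        }
    }
}

Get-TrustCharacteristics | Format-Table ThisDomain, OtherDomain, Direction, Type, Transitive, Origin -AutoSize
```

Anything in the output whose Origin is not Automatic was created by an administrator and is therefore worth reviewing periodically: the manual trusts are the ones that widen who can authenticate into the domain.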
How Trusts Work Within a Forest
[Figure: a forest with two trees. Forest root domain: tailspintoys.com, with child domain europe.tailspintoys.com. Tree root domain: wingtiptoys.com, with child domains asia.wingtiptoys.com and usa.wingtiptoys.com]

Notes: Inform students that, within a forest, all domains trust each other, and therefore any user can be authenticated by any domain in the forest and can be given access to resources anywhere in the forest. That is the net result accomplished through a series of automatically created, two-way, transitive trusts.

You have the option with this slide of going into significantly more detail about authentication protocols and trust relationships within a forest. The two-way, transitive trusts between domains in a forest are a result of the fact that the trust relationships are Kerberos trusts. You can choose to explain the fundamentals of Kerberos authentication, including ticket-granting tickets (TGTs) and service tickets. The Student Manual has supporting information for such a discussion. You can then go on to explain how the trust relationships and the trust path work within an Active Directory forest.

Explain that each child domain in a forest trusts its parent domain with an automatic, two-way, transitive trust called a parent-child trust. The root domain of each tree in a forest trusts the forest root domain with an automatic, two-way, transitive trust called a tree-root trust. These trust relationships create what is referred to as the trust path or trust flow in a forest. Ensure that students understand that the diagram of a forest from a DNS perspective and from a Kerberos perspective is slightly different. From a DNS perspective, every tree root is at the same level. From a Kerberos (trust path) perspective, the forest root domain is really at the "root". Stress that within a forest, the Kerberos version 5 authentication protocol is used to maintain all trusts, and all authentication and resource access between domains.

Describe what happens when a user tries to access a resource in a different domain in the forest. In this case, the Kerberos version 5 protocol travels the trust path to obtain a referral to the target domain's domain controller. The target domain controller issues a service ticket for the requested service. The trust path is the shortest path in the trust hierarchy. When the user in the trusted domain attempts to access the resource in the other domain, the user's computer first contacts its domain controller to get authentication to the resource. If the resource is not in the user's domain, the domain controller uses the trust relationship with its parent, and refers the user's computer to a domain controller in its parent domain. This attempt to locate a resource continues up the trust hierarchy, possibly to the forest root domain, and down the trust hierarchy, until contact occurs with a domain controller in the domain where the resource exists.
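A model of the trust path just described, as an added example that is not part of the course material and touches no real directory. The forest is the one on the slide: tailspintoys.com is the forest root with europe as its child; wingtiptoys.com is a second tree whose root trusts the forest root, with asia and usa as children. Every edge is a two-way, transitive trust, so the referral chain is a shortest-path search over an undirected graph, and adding a shortcut trust (the next topic in this lesson) shortens it.

```powershell
# Added example, not from the course: the trust path between two domains in a forest,
# modelled as a shortest-path search. Domains and edges are those on the slide.
$trusts = @{
    "tailspintoys.com"        = @("europe.tailspintoys.com", "wingtiptoys.com")   # forest root
    "europe.tailspintoys.com" = @("tailspintoys.com")                               # parent-child
    "wingtiptoys.com"         = @("tailspintoys.com", "asia.wingtiptoys.com", "usa.wingtiptoys.com")  # tree root
    "asia.wingtiptoys.com"    = @("wingtiptoys.com")
    "usa.wingtiptoys.com"     = @("wingtiptoys.com")
}

function Get-TrustPath {
    # Breadth-first search from the user's domain to the resource domain: the sequence of
    # domain controllers the Kerberos referral walks (up toward the forest root, then down).
    param([hashtable]$Graph, [string]$From, [string]$To)
    $previous = @{}
    $previous[$From] = $null
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($From)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        if ($current -eq $To) { break }
        foreach ($next in $Graph[$current]) {
            if (-not $previous.ContainsKey($next)) {
                $previous[$next] = $current
                $queue.Enqueue($next)
            }
        }
    }
    if (-not $previous.ContainsKey($To)) { return $null }   # no trust path: access is impossible
    $path = @()
    $node = $To
    while ($node -ne $null) {
        $path = @($node) + $path
        $node = $previous[$node]
    }
    return $path
}

function Add-ShortcutTrust {
    # A shortcut trust is a manually created, two-way, transitive trust between two domains
    # in the same forest; in the graph it is simply one more edge.
    param([hashtable]$Graph, [string]$A, [string]$B)
    $Graph[$A] = @($Graph[$A]) + $B
    $Graph[$B] = @($Graph[$B]) + $A
}

# A user in europe.tailspintoys.com accessing a resource in usa.wingtiptoys.com crosses
# four domains: europe -> tailspintoys.com -> wingtiptoys.com -> usa.
(Get-TrustPath $trusts "europe.tailspintoys.com" "usa.wingtiptoys.com") -join " -> "

# With a shortcut trust between those two domains the referral goes straight across.
Add-ShortcutTrust $trusts "europe.tailspintoys.com" "usa.wingtiptoys.com"
(Get-TrustPath $trusts "europe.tailspintoys.com" "usa.wingtiptoys.com") -join " -> "
```

The first call returns the four-domain path through both tree roots; after the shortcut trust the second call returns just the two endpoints, which is the latency argument for shortcut trusts in a deep forest.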
Demonstration: Create a Trust
Course 6425C Demonstration: Create a Trust Module 15: Managing Multiple Domains and Forests In this demonstration, you will see how to: Create a trust by using Active Directory Domains and Trusts and the New Trust Wizard If it is not already started, launch the virtual machine 6425C-NYC-DC1 and log on as Contoso\Pat.Coleman_Admin with Password Pa$$w0rd. Open the New Trust Wizard from Active Directory Domains and Trusts You do not need to complete the entire wizard. Explain that this wizard prompts you through the entire process of creating either side of any one of a number of different types of trusts. The main point is that this wizard is what you use in every trust creation scenario. The following slides then detail the different types of trusts you can create. Students will create a trust relationship in the lab for this lesson. To create a trust relationship: 1. Open the Active Directory Domains and Trusts snap-in. 2. Right-click the domain that will participate in one side of the trust relationship, and choose Properties. You must be running Active Directory Domains and Trusts that have permissions to create trusts in this domain. 3. Click the Trusts tab. 4. Click the New Trust button. The New Trust Wizard guides you through the creation of the trust. 5. On the Trust Name page, type the DNS name of the other domain in the trust relationship, and then click Next. 6. If the domain you entered is not within the same forest, you will be prompted to select the type of trust, which will be one of the following: Forest External Realm If the domain is in the same forest, the wizard knows it is a shortcut trust. 7. If you are creating a realm trust, you will be prompted to indicate whether the trust is transitive or non- transitive. (Realm trusts are discussed later in this lesson.)
8. On the Direction Of Trust page, select one of the following:
   - Two-Way. This establishes a two-way trust between the domains.
   - One-Way: Incoming. This establishes a one-way trust in which the domain you selected in step 2 is the trusted domain, and the domain you entered in step 5 is the trusting domain.
   - One-Way: Outgoing. This establishes a one-way trust in which the domain you selected in step 2 is the trusting domain, and the domain you entered in step 5 is the trusted domain.
9. Click Next.
10. On the Sides Of Trust page, select one of the following:
   - Both this domain and the specified domain. This establishes both sides of the trust. This requires that you have permission to create trusts in both domains.
   - This domain only. This creates the trust relationship in the domain you selected in step 2. An administrator with permission to create trusts in the other domain must repeat this process to complete the trust relationship.
   The next steps depend on the options you selected in steps 8 and 10, and will involve one of the following:
   - If you selected Both this domain and the specified domain, you must enter a user name and password with permissions to create the trust in the domain specified in step 5.
   - If you selected This domain only, you must enter a trust password. A trust password is entered by administrators on each side of a trust to establish the trust. The passwords should not be the administrators’ user account passwords. Instead, each should be a unique password used only for the purpose of creating this trust. The passwords are used to establish the trust, and then the domains change them immediately.
11. If the trust is an outgoing trust, you are prompted to choose one of the following:
   - Selective Authentication
   - Domain-Wide Authentication or Forest-Wide Authentication, depending on whether the trust type is an external trust or a forest trust, respectively.
12. The New Trust Wizard summarizes your selections on the Trust Selections Complete page. Click Next. The wizard creates the trust.
13. The Trust Creation Complete page appears. Verify the settings, and then click Next. You will then have the opportunity to confirm the trust. This option is useful if you have created both sides of the trust or if you are completing the second side of a trust.

If you selected Both this domain and the specified domain in step 10, the process is complete. If you selected This domain only in step 10, the trust relationship will not be complete until an administrator in the other domain completes the process:
- If the trust relationship you established is a one-way outgoing trust, an administrator in the other domain must create a one-way incoming trust.
- If the trust relationship you established is a one-way incoming trust, an administrator in the other domain must create a one-way outgoing trust.
- If the trust relationship you established is a two-way trust, an administrator in the other domain must create a two-way trust.

Reference
Detailed procedures for creating each type of trust are available at:
Shortcut Trusts

[Slide diagram: tailspintoys.com with child domain europe.tailspintoys.com, and wingtiptoys.com with child domains asia.wingtiptoys.com and usa.wingtiptoys.com; labels on the slide: Forest Root Domain, Tree Root Domain]

Explain that shortcut trusts are used to shorten the trust path for authentication within a multidomain forest. If a manually created trust relationship is established, authentication can “jump” between domains that are further away from the forest root domain. This improves performance, removes points of failure (inaccessible domains in the trust path), and reduces the need to put domain controllers from parent domains in sites containing only users from child domains solely to support authentication across trusts in the forest.

Talk about the scenario shown on the slide. Point out that there is a one-way shortcut trust in which wingtiptoys.com trusts europe.tailspintoys.com. Discuss the trust path used in authentication scenarios to point out that the default trust path is still used if a user from wingtiptoys.com needs to be authenticated in europe.tailspintoys.com, because the shortcut only runs the other way. It would be unusual, within a single forest, not to create a reciprocal one-way shortcut trust, but it is possible to have a one-way shortcut trust. Point out the two-way shortcut trust between europe.tailspintoys.com and usa.wingtiptoys.com.
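The referral rule described in the trust-path notes above and the shortcut-trust scenario on this slide can be modelled together. The following Python is an added example written for this page, not course material or Microsoft code: the forest layout and the shortcut trusts are constructed to match the slide, and it is an assumption of the model that tailspintoys.com is the forest root and wingtiptoys.com a tree root. A real domain controller derives the path from its trusted-domain objects; the model only reproduces the routing rule in the notes, which is enough to show why the one-way shortcut helps europe.tailspintoys.com users reach wingtiptoys.com but leaves the reverse direction on the default path.

```python
"""Model of how a Kerberos referral travels the trust path in a forest.

Added illustration, not course or Microsoft code. The forest layout and the
shortcut trusts are constructed to match the slide's example; it is assumed
that tailspintoys.com is the forest root and wingtiptoys.com a tree root.
Routing rule modelled: referrals go up the parent-child chain toward the
forest root and down into the target's tree, unless a shortcut trust lets
them jump directly.
"""
from collections import deque

# Constructed hierarchy: child domain -> parent domain. The tree root
# wingtiptoys.com hangs off the forest root through the tree-root trust.
PARENT = {
    "europe.tailspintoys.com": "tailspintoys.com",
    "wingtiptoys.com": "tailspintoys.com",
    "asia.wingtiptoys.com": "wingtiptoys.com",
    "usa.wingtiptoys.com": "wingtiptoys.com",
}

# Shortcut trusts shown on the slide, written as (trusting, trusted):
# one-way wingtiptoys.com trusts europe.tailspintoys.com, plus a
# reciprocal pair between europe.tailspintoys.com and usa.wingtiptoys.com.
SLIDE_SHORTCUTS = [
    ("wingtiptoys.com", "europe.tailspintoys.com"),
    ("europe.tailspintoys.com", "usa.wingtiptoys.com"),
    ("usa.wingtiptoys.com", "europe.tailspintoys.com"),
]


def referral_edges(shortcuts=()):
    """Directed graph of domains a KDC can refer a client to.

    Parent-child and tree-root trusts are two-way and transitive, so both
    directions are added. A shortcut trust only helps users of the trusted
    domain reach the trusting domain, so it adds the edge trusted -> trusting.
    """
    edges = {}
    for child, parent in PARENT.items():
        edges.setdefault(child, set()).add(parent)
        edges.setdefault(parent, set()).add(child)
    for trusting, trusted in shortcuts:
        edges.setdefault(trusted, set()).add(trusting)
        edges.setdefault(trusting, set())
    return edges


def trust_path(user_domain, resource_domain, shortcuts=()):
    """Shortest chain of domains a referral traverses, or None if no trust
    path exists (the client cannot obtain a service ticket at all)."""
    edges = referral_edges(shortcuts)
    came_from = {user_domain: None}
    queue = deque([user_domain])
    while queue:
        domain = queue.popleft()
        if domain == resource_domain:
            path = []
            while domain is not None:
                path.append(domain)
                domain = came_from[domain]
            return path[::-1]
        for nxt in sorted(edges.get(domain, ())):  # sorted: deterministic paths
            if nxt not in came_from:
                came_from[nxt] = domain
                queue.append(nxt)
    return None


def hops(path):
    """Number of referrals, i.e. domain controllers contacted beyond the first."""
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    cases = [
        ("asia.wingtiptoys.com", "europe.tailspintoys.com"),
        ("europe.tailspintoys.com", "wingtiptoys.com"),
        ("wingtiptoys.com", "europe.tailspintoys.com"),
    ]
    for user, resource in cases:
        print(f"{user} -> {resource}")
        print("  default :", " > ".join(trust_path(user, resource)))
        print("  shortcut:", " > ".join(trust_path(user, resource, SLIDE_SHORTCUTS)))
```

Running the script shows the asymmetry the slide makes: with the shortcuts in place, europe.tailspintoys.com reaches wingtiptoys.com in one referral, while wingtiptoys.com still climbs to tailspintoys.com to reach europe.tailspintoys.com. Every domain on a path is a domain controller that must be reachable, which is the availability argument for shortcut trusts in the notes.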
External Trusts and Realm Trusts
[Slide diagram: a separate forest, worldwideimporters.com with child domain sales.worldwideimporters.com, alongside tailspintoys.com with child domains europe.tailspintoys.com and asia.tailspintoys.com]

Explain that an external trust is a trust relationship between a domain and a Windows domain that is not in your forest. Talk through the examples shown on the slide. Explain that external trusts are always one-way and nontransitive, although you can create a reciprocal one-way trust to create the effect of a two-way trust.

Briefly mention that a realm trust is an external trust between a Windows domain and a UNIX Kerberos version 5 realm. Realm trusts are one-way (but a second, reciprocal trust can create the effect of a two-way trust) and nontransitive, but they can be made transitive. Few, if any, of your students are likely to need to influence or support a realm trust, so you do not need to spend too much time discussing them. If, however, someone needs a bit more detail, you can point out that realm trusts are implemented using an account mapping system, in which a user that has been authenticated in a trusted non-Windows Kerberos realm is represented by a security principal in the Windows domain. The Windows security principal and the Kerberos account are mapped to each other.
Forest Trusts

[Slide diagram: worldwideimporters.com with child domain sales.worldwideimporters.com, and tailspintoys.com with child domains europe.tailspintoys.com and asia.tailspintoys.com]

Explain that forest trusts are one-way but that a reciprocal second trust can create a two-way trust relationship. Unlike trusts to external domains, a forest trust is transitive. Therefore, when Forest A trusts Forest B, all domains in Forest A trust the authentication and identity store of all domains in Forest B. This makes forest trusts significantly easier to establish and maintain than individual trusts between each domain in both forests. Point out, however, that this transitivity applies only between the two forests the trust joins; it does not extend across a chain of forest trusts. If Forest B trusts Forest C, that does not mean that Forest A trusts Forest C.

Point out that forest trust relationships require the forest functional level of Windows Server 2003 or later, and that specific DNS configuration is required. The Student Manual has a reference to the technical details about the required DNS configuration.
Administer Trust Relationships
Validate a trust relationship:
- Active Directory Domains and Trusts
- netdom trust TrustingDomainName /domain:TrustedDomainName /verify

Remove a manually created trust relationship:
- netdom trust TrustingDomainName /domain:TrustedDomainName /remove [/force] /UserD:User /PasswordD:*
  UserD is a user in the Enterprise Admins or Domain Admins group of the trusted domain

Remind students that trust relationships, regardless of the type, are created using Active Directory Domains and Trusts, as you show them in the demonstration. The same tool can be used to validate a trust relationship or to remove it. Explain that the netdom.exe command can also be used to validate and remove trusts.
Domain Quarantine

Filters out trusted user SIDs that come from a domain other than the trusted domain:
- If a user was migrated into the trusted domain, the user account may have SIDs from the user’s previous domain in the sIDHistory attribute.
- Those SIDs are included in the user’s privilege attribute certificate (PAC) that is part of the Kerberos ticket the user presents to the trusting domain.
- These SIDs are discarded.

Enabled by default on all new outgoing trusts to external domains/forests.

Disable if necessary:
  netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:[Yes|No]

Ensure that students understand the scenario that domain quarantine addresses, and why it is useful that domain quarantine is enabled by default. You should be familiar with both terms: domain quarantine and SID filtering. Remember that this procedure is used so that users from a trusted domain are authorized using only the SIDs that originate in the trusted domain. An effect of domain quarantine is that the trusting domain ignores SIDs in the sIDHistory attribute, which typically contains the SIDs of accounts from a domain migration.
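To make the quarantine scenario concrete, the following Python is an added example written for this page, not the Windows implementation or course code. Every SID, the PAC contents and the share ACL are constructed values; the rule modelled is the one on the slide, namely that the trusting domain keeps only SIDs whose domain part is the trusted domain’s SID and discards the rest. It also shows why the default matters: a leftover ACE that names a group from the migrated user’s old domain would otherwise be satisfied by a sIDHistory entry.

```python
"""Model of domain quarantine (SID filtering) on a trust.

Added illustration, not the Windows implementation: every SID, the PAC
contents and the share ACL are constructed values. The trusting domain
keeps only the SIDs in the presented PAC whose domain part is the trusted
domain's SID and discards the rest, which removes SIDs carried over in
sIDHistory from an earlier domain. Well-known SIDs such as S-1-5-11 are
outside this model.
"""

# Constructed domain SIDs (the S-1-5-21-<three subauthorities> form).
TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# Constructed PAC for a user migrated into the trusted domain: the user's
# current SID and groups, plus sIDHistory entries from the old domain.
USER_PAC = [
    TRUSTED_DOMAIN_SID + "-1105",  # user account
    TRUSTED_DOMAIN_SID + "-513",   # Domain Users
    TRUSTED_DOMAIN_SID + "-2001",  # a global group
    OLD_DOMAIN_SID + "-1042",      # sIDHistory: old user SID
    OLD_DOMAIN_SID + "-512",       # sIDHistory: old domain's Domain Admins
]


def domain_of(sid):
    """Strip the relative identifier: everything before the last hyphen."""
    return sid.rsplit("-", 1)[0]


def quarantine_filter(pac_sids, trusted_domain_sid, enabled=True):
    """Apply SID filtering as the trusting domain would.

    Returns (accepted, discarded). With quarantine disabled nothing is
    discarded, which is what makes sIDHistory SIDs usable across the trust.
    """
    if not enabled:
        return list(pac_sids), []
    accepted, discarded = [], []
    for sid in pac_sids:
        if domain_of(sid) == trusted_domain_sid:
            accepted.append(sid)
        else:
            discarded.append(sid)
    return accepted, discarded


def is_authorized(token_sids, acl_allow_sids):
    """True if any SID in the token is granted by the resource's ACL."""
    return any(sid in acl_allow_sids for sid in token_sids)


# Constructed ACL on a share in the trusting domain that still names the
# old domain's Domain Admins group (a typical leftover after a migration).
SHARE_ACL = {OLD_DOMAIN_SID + "-512"}


def access_with_quarantine(enabled):
    """Would the migrated user get to the share with quarantine on/off?"""
    accepted, _ = quarantine_filter(USER_PAC, TRUSTED_DOMAIN_SID, enabled)
    return is_authorized(accepted, SHARE_ACL)


if __name__ == "__main__":
    kept, dropped = quarantine_filter(USER_PAC, TRUSTED_DOMAIN_SID)
    print("accepted :", kept)
    print("discarded:", dropped)
    print("share access, quarantine on :", access_with_quarantine(True))
    print("share access, quarantine off:", access_with_quarantine(False))
```

The two sIDHistory entries are the ones the filter drops; the constructed ACE for the old Domain Admins group is therefore only satisfied when quarantine is turned off with /quarantine:No, which is the exposure the slide's default is there to prevent.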
Resource Access for Users from Trusted Domains
Giving trusted users access to resources:
- Authenticated Users
- Add trusted identities to the trusting domain’s domain local groups
- Add trusted identities to ACLs

First, explain to students that simply establishing a trust relationship does not, on its own, give trusted users access to any resources in the trusting domain. Draw a parallel to the fact that simply creating a user account in a domain does not give the user access to resources in the domain. These actions simply allow the user to be authenticated, not authorized. However, trusted users are considered to be Authenticated Users in the trusting domain. Of course, many resources may have permissions assigned to Authenticated Users, and many user rights may be assigned to Authenticated Users, so the practical reality is that when you establish a trust, trusted users are likely to get some immediate access to the trusting domain.

The second way to give trusted users access to resources is to add user or global group accounts from a trusted domain into domain local groups in the trusting domain that have been assigned permissions to resources. This is the most manageable and recommended way to give trusted users access to resources in a trusting domain.

Optionally, you can add trusted identities directly to access control lists (ACLs) in the trusting domain. This does not follow role-based management principles, is less manageable, and therefore is not recommended.

Selective authentication is an important concept that you will want to make sure students fully understand. It addresses, among other things, the Authenticated Users issue mentioned earlier. If you enable selective authentication, then even though a trust relationship is in place, systems in the trusting domain will not automatically allow users from the trusted domain to authenticate. Instead, the default configuration is to disallow authentication. Then, an administrator can specify which users from the trusted domain are allowed to authenticate to which computers in the trusting domain. This is done by opening the security properties of a computer’s object in the trusting domain and adding to the ACL a permission that grants a trusted user or group the Allowed To Authenticate permission. It is then the combination of the trust relationship and the Allowed To Authenticate permission that actually enables a user to authenticate on a system in the trusting domain.

Mention that the way selective authentication is managed is not necessarily the most granular: it is done on a computer-by-computer basis. You cannot open up access on a folder-by-folder basis (other than with ACLs). Selective authentication has the potential to be somewhat unmanageable, again because it must be done on a computer-by-computer basis. If you want to enable authentication on 50 servers, you must ensure that the Allowed To Authenticate permission has been assigned to each of those servers. Ask students how that might be done in a manageable way. The answer is to put those servers in an organizational unit (OU), and to apply the permission at the OU level.

Tip: Re-emphasize that the Allowed To Authenticate permission is assigned to the trusted identity on the computer object in the trusting domain’s Active Directory directory service.

Selective authentication:
- Reduces the risk of exposure, for example to Authenticated Users
- You specify which trusted users are allowed to authenticate on a server-by-server (computer-by-computer) basis
- Enable selective authentication in the properties of the trust
- Give users the Allowed To Authenticate permission on the computer object in Active Directory
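The selective-authentication decision above, including the OU-level answer to the 50-server question, can be modelled in a few lines. The following Python is an added example written for this page, not the Windows implementation or course code: the trust, directory tree, SIDs and ACEs are constructed (contoso.com as the trusting domain, tailspintoys.com as the trusted domain, a hypothetical "Partner Servers" OU), and the Allowed To Authenticate permission is reduced to a set of trustee SIDs on each object. What it shows is that with selective authentication on, the trust alone admits nobody; a trusted user gets in only where the computer object, or an OU above it, grants the permission to the user or one of the user’s groups.

```python
"""Model of selective authentication and the Allowed To Authenticate permission.

Added illustration, not the Windows implementation: the trust, directory
objects, SIDs and ACEs are constructed. With selective authentication
enabled, a trusted user can authenticate to a computer only if the computer
object, or a container above it (permissions inherit down the tree), grants
Allowed To Authenticate to the user or one of the user's groups. With
domain-wide authentication every trusted user can authenticate anywhere.
"""
from dataclasses import dataclass, field


@dataclass
class Trust:
    trusted_domain: str
    selective_authentication: bool  # False means domain-wide / forest-wide


@dataclass
class DirectoryObject:
    dn: str
    # Trustee SIDs granted Allowed To Authenticate on this object.
    allowed_to_authenticate: set = field(default_factory=set)


def parent_dn(dn):
    """'CN=X,OU=Y,DC=contoso,DC=com' -> 'OU=Y,DC=contoso,DC=com'."""
    return dn.split(",", 1)[1] if "," in dn else None


def effective_allowed(directory, computer_dn):
    """Union of Allowed To Authenticate trustees on the computer object and
    on every ancestor container, modelling inherited permissions."""
    trustees = set()
    dn = computer_dn
    while dn is not None:
        obj = directory.get(dn)
        if obj is not None:
            trustees |= obj.allowed_to_authenticate
        dn = parent_dn(dn)
    return trustees


def can_authenticate(trust, user_sids, directory, computer_dn):
    """Decide whether a user from the trusted domain (user SID plus group
    SIDs) may authenticate to the given computer in the trusting domain."""
    if not trust.selective_authentication:
        return True  # domain-wide: the trust relationship alone is enough
    return bool(effective_allowed(directory, computer_dn) & set(user_sids))


# Constructed trusting-domain tree (contoso.com) and tailspintoys.com SIDs.
TST_DOMAIN = "S-1-5-21-7777777777-8888888888-9999999999"
TST_PROJECT_GROUP = TST_DOMAIN + "-2101"  # group that should reach partner servers
TST_USER_ALICE = TST_DOMAIN + "-1201"     # member of the project group
TST_USER_BOB = TST_DOMAIN + "-1202"       # not a member

PARTNER_OU = "OU=Partner Servers,DC=contoso,DC=com"   # hypothetical OU
SVR1 = "CN=NYC-SVR1," + PARTNER_OU
SVR2 = "CN=NYC-SVR2," + PARTNER_OU
DC1 = "CN=NYC-DC1,OU=Domain Controllers,DC=contoso,DC=com"

DIRECTORY = {
    # One ACE on the OU covers every server placed in it.
    PARTNER_OU: DirectoryObject(PARTNER_OU, {TST_PROJECT_GROUP}),
    SVR1: DirectoryObject(SVR1),
    SVR2: DirectoryObject(SVR2),
    DC1: DirectoryObject(DC1),
}

SELECTIVE = Trust("tailspintoys.com", selective_authentication=True)
DOMAIN_WIDE = Trust("tailspintoys.com", selective_authentication=False)

ALICE = [TST_USER_ALICE, TST_PROJECT_GROUP]  # token SIDs: user plus groups
BOB = [TST_USER_BOB]


if __name__ == "__main__":
    for name, sids in (("alice", ALICE), ("bob", BOB)):
        for computer in (SVR1, SVR2, DC1):
            print(name, computer.split(",")[0],
                  "selective:", can_authenticate(SELECTIVE, sids, DIRECTORY, computer),
                  "domain-wide:", can_authenticate(DOMAIN_WIDE, sids, DIRECTORY, computer))
```

The single ACE on the OU is what makes the approach manageable: adding a fifty-first server means moving its computer object into the OU, not editing its ACL. The domain controller, which sits in a different OU, stays closed to both trusted users while the trust is selective.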
Lab: Administer Trust Relationships
Exercise 1: Configure Name Resolution Between Contoso.com and Tailspintoys.com
Exercise 2: Configure a Forest Trust

Logon information
  Virtual machine                     6425C-NYC-DC1           6425C-TST-DC1
  Logon user name (administrative)    Contoso\Administrator   Tailspintoys\Administrator
  Password                            Pa$$w0rd                Pa$$w0rd

Estimated time: 30 minutes
Lab Scenario

Contoso, Ltd has initiated a strategic partnership with Tailspin Toys. Users from the two organizations will need to access files when collaborating on joint projects. You need to perform the following tasks:
- Configure name resolution between the two forests
- Configure a forest trust relationship between Contoso.com and Tailspintoys.com
- Configure Selective Authentication to only allow Tailspintoys.com domain users to access NYC-SVR1
Lab Review

Question: How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?
Answer: You would be able to configure and verify one side of the trust only. Administrators in the other organization must configure the trust in their domain.

Question: What is the main benefit of Selective Authentication?
Answer: The ability to restrict which resources are available over the trust.
Lesson 3: Move Objects Between Domains and Forests
- Considerations for Moving Objects Between Domains and Forests
- What Is the Active Directory Migration Tool?
- Best Practices for Using ADMT
Considerations for Moving Objects Between Domains and Forests
- Inter-forest migration: copy objects
- Intra-forest migration: move objects
- Security identifiers, security descriptors, and migration
  - sIDHistory
  - Security translation: NTFS, printers, SMB shares, registry, rights, profiles, group memberships
- Group membership

Address object migration within and between Active Directory forests. The slide is intentionally high level, giving you the option of touching lightly on the topic or diving into more depth, based on the experience and interest level of your students, as well as remaining time in the workshop. Be certain that students understand the two major concerns related to object migration.

The first is the issue of security identifiers (SIDs). When an object is moved to a new domain, the object is re-created and is given a new security identifier. The object therefore loses access permissions and rights based on the original object SID. There are two basic approaches to solving this problem.

The first is to copy the SID of the original object into the sIDHistory attribute of the new object. sIDHistory is a multivalued attribute that can contain one or more SIDs. When a user’s security token is created, it will include the SIDs from the sIDHistory attribute of the user object, as well as the sIDHistory attribute of all groups to which the user belongs. You can explain to students that the token now represents “who you are in the new domain as well as who you were in the old domain.” Therefore, when the user attempts to access a resource or use a privilege based on the old SID, the token actually contains that SID, and there is no problem.

The second solution to the problem of SIDs is to modify all references to the old SID so that they refer to the new SID. This is called security translation. The Active Directory Migration Tool can assist in this effort.

Obviously, it seems easier to load the object’s old SID into the new object’s sIDHistory, as opposed to the scanning and translating of NTFS ACLs, user rights, and so on. However, sIDHistory presents a moderate security vulnerability, plus it contributes to the bloat of the user access token and of the Kerberos PAC, both of which do have fixed maximum sizes. Therefore, what most organizations end up doing is using sIDHistory as the easy solution during migration, then coming back and performing security translation, and then cleaning up (erasing) sIDHistory.

Another major concern with migration is group membership. In an intra-forest migration, if you move a user to a new domain, the user can no longer belong to global groups in the original domain. The solution to this problem involves migrating global groups first, so that identical global groups exist in both the source and target domains. The SIDs of the source global groups are added to the sIDHistory of the corresponding global groups in the target domain. Then, as a user is migrated, the ADMT evaluates the user’s group memberships in the source domain, and adds the user to the corresponding global group in the target domain. In other words, a parallel structure is created.
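The two approaches the notes contrast, carrying the old SID in sIDHistory versus rewriting ACEs through security translation, can be seen side by side. The following Python is an added example written for this page, not ADMT code: every SID, object and ACL is constructed, and the migrated global group with its own sIDHistory stands in for the parallel group structure described above. It shows that the token built from sIDHistory still satisfies an ACE that names the old group, that clearing sIDHistory before translation loses that access, and that after translation the clean token works again with fewer SIDs.

```python
"""Model of sIDHistory versus security translation during a migration.

Added illustration, not ADMT code: every SID, object and ACL is constructed.
Approach 1 keeps the old SIDs in sIDHistory, so the logon token carries both
identities. Approach 2 (security translation) rewrites every ACE that names
an old SID to name the new one, after which sIDHistory can be cleared
without losing access.
"""
from dataclasses import dataclass, field


@dataclass
class Principal:
    sid: str
    sid_history: list = field(default_factory=list)


OLD = "S-1-5-21-4444444444-5555555555-6666666666"   # source domain SID
NEW = "S-1-5-21-1111111111-2222222222-3333333333"   # target domain SID

# Objects after migration into the target domain, with sIDHistory loaded.
# The group was migrated first, so a parallel group exists in both domains.
USER = Principal(NEW + "-1105", sid_history=[OLD + "-1042"])
FINANCE = Principal(NEW + "-2010", sid_history=[OLD + "-2001"])
USER_GROUPS = [FINANCE]  # the user's group memberships in the target domain

# Constructed ACL on a file server still naming source-domain SIDs:
# (trustee SID, rights granted).
SHARE_ACL = [
    (OLD + "-2001", {"read", "write"}),   # old Finance group
    (OLD + "-512", {"full"}),             # old Domain Admins
]


def build_token(user, groups):
    """SIDs placed in the access token (and Kerberos PAC) at logon: the
    user's SID, each group's SID, and every sIDHistory entry of each."""
    token = [user.sid, *user.sid_history]
    for group in groups:
        token += [group.sid, *group.sid_history]
    return token


def has_right(token, acl, right):
    """True if some ACE grants the right to a SID present in the token."""
    return any(sid in token and right in rights for sid, rights in acl)


def sid_map(principals):
    """old SID -> new SID: the mapping security translation applies."""
    return {old: p.sid for p in principals for old in p.sid_history}


def translate_acl(acl, mapping):
    """Rewrite each ACE whose trustee was migrated; unknown SIDs stay."""
    return [(mapping.get(sid, sid), rights) for sid, rights in acl]


def clear_sid_history(principal):
    """Copy of the principal with sIDHistory erased (the clean-up step)."""
    return Principal(principal.sid, [])


if __name__ == "__main__":
    with_history = build_token(USER, USER_GROUPS)
    clean = build_token(clear_sid_history(USER), [clear_sid_history(FINANCE)])
    translated = translate_acl(SHARE_ACL, sid_map([USER, FINANCE]))
    print("token with sIDHistory:", with_history)
    print("  read on untranslated ACL:", has_right(with_history, SHARE_ACL, "read"))
    print("token after clean-up :", clean)
    print("  read on untranslated ACL:", has_right(clean, SHARE_ACL, "read"))
    print("  read on translated ACL  :", has_right(clean, translated, "read"))
```

The ordering the notes recommend falls out of the three results: sIDHistory first, translation second, clean-up last. The token size difference (four SIDs versus two) is the PAC and token bloat argument for eventually doing the clean-up.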
Domain migration is a large, complex topic about which you can talk for several hours or days. As long as students understand that objects can be moved between domains in the same forest or in different forests using the ADMT, and as long as they have an understanding of the two major issues with migration, then they are equipped to begin an informed review of the ADMT and other migration documentation.
What Is the Active Directory Migration Tool?
Active Directory Migration Tool (ADMT):
- Console, command line, scriptable APIs
- “Simulation” mode: test the migration settings and migrate later
- The latest version is ADMT 3.2, which supports Windows Server 2008 R2
Best Practices for Using ADMT
- Perform regular backups
- Perform a test migration
- Test migration scenarios in a test environment
- Have a recovery plan, and ensure that your recovery plan works
- Decrypt files that have been encrypted with EFS
- Ensure that the system time is synchronized in each domain from which objects are migrated

Provide a high-level summary of best practices for using ADMT.
Module Review and Takeaways
Review Questions

Question: If there is a trust within a forest, and the resource is not in the user’s domain, how does the domain controller use the trust relationship to access the resource?
Answer: The domain controller uses the trust relationship with its parent, and refers the user’s computer to a domain controller in its parent domain. This attempt to locate a resource continues up the trust hierarchy, possibly to the forest root domain, and down the trust hierarchy, until contact occurs with a domain controller in the domain where the resource exists.

Question: Your organization has a Windows Server 2008 forest environment, but it has just acquired another organization with a Windows 2000 forest environment that contains a single domain. Users in both organizations must be able to access resources in each other’s forest. What type of trust do you create between the forest root domain of each forest?
Answer: You will need to implement an external trust, because Windows 2000 does not support forest trusts. Only Windows Server 2003 or later supports forest trusts.

Question: A user from Contoso attempts to access a shared folder in the Tailspin Toys domain and receives an Access Denied error. What must be done to provide access to the user?
Answer: A trust relationship must be established in which Tailspin Toys trusts Contoso, then the user (or a group to which the user belongs) must be given permission to the shared folder in the Tailspin Toys domain.

Question: Can you raise the domain functional level of a domain to Windows Server 2008 when other domains contain domain controllers running Windows Server 2003?
Answer: Yes. Domain functional levels within a forest can be different.

Windows Server 2008 R2 Features Introduced in this Module
  Feature:     Windows Server 2008 R2 domain and forest functional levels
  Description: Used to enable Windows Server 2008 R2-specific features
Course Evaluation

Remind students to complete the course evaluation.