Presentation is loading. Please wait.

Presentation is loading. Please wait.

70-411: Administering Windows Server 2012

Published byHenry McKenzie Modified over 10 years ago

Similar presentations

Presentation on theme: "70-411: Administering Windows Server 2012"— Presentation transcript:

1 70-411: Administering Windows Server 2012
Chapter 5 Configure and Manage Active Directory

2 Objective 5.1: Configuring Service Authentication

3 Authentication Authentication is the act of confirming the identity of a user or system and is an essential part used in authorization when the user or system tries to access a server or network resource. Two types of authentication that Windows supports are NT LAN Manager (NTLM) and Kerberos. Kerberos is the default authentication protocol for domain computers. NTLM is the default authentication protocol for Windows NT, standalone computers that are not part of a domain, and situations in which you authenticate to a server using an IP address. © 2013 John Wiley & Sons, Inc.

4 Understanding NTLM Authentication
NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is an integrated single sign-on mechanism. NTLM uses a challenge-response mechanism for authentication in which clients are able to prove their identities without sending a password to the server. © 2013 John Wiley & Sons, Inc.

5 Managing Kerberos Kerberos:
Is a computer network authentication protocol, which allows hosts to prove their identity over a non-secure network in a secure manner. Can provide mutual authentication so that both the user and server verify each other’s identity. Protocol messages are protected against eavesdropping and replay attacks. Supports ticketing authentication. © 2013 John Wiley & Sons, Inc.

6 Managing Service Principal Names
A service or application that is secured by Kerberos must have an identity within the realm that the system exists on: Identity: A user account or computer account Realm: The domain A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The client locates the service based on the SPN. © 2013 John Wiley & Sons, Inc.

7 Managing Service Principal Names
The SPN consists of three components: The service class, such as HTTP (which includes both the HTTP and HTTPS protocols) or SQLService The host name The port (if port 80 is not being used) © 2013 John Wiley & Sons, Inc.

8 Service Accounts A service account:
Is an account under which an operating system, process, or service runs. Allows the application or service specific rights and permissions to function properly while minimizing the permissions required for the users using the application server. Service accounts are used to run Microsoft Exchange Microsoft SQL Server, Internet Information Services (IIS), and SharePoint. © 2013 John Wiley & Sons, Inc.

9 Creating and Configuring Service Accounts
Service accounts do not use an interactive login. Therefore, configure the password not to expire. On an account that does not expire, the password is more vulnerable because more time is available for cracking the password. © 2013 John Wiley & Sons, Inc.

10 Creating and Configuring Service Accounts
Guidelines for reducing the risk of using service accounts: Require a unique account to run the service on each server. If possible, set up the account as a local account rather than a global domain account. Use a strong password for the service account. Make sure that the password changes often. Of course, when you change the password for the account, you will have to change the password for the services or applications that use the service account simultaneously. © 2013 John Wiley & Sons, Inc.

11 Creating and Configuring Service Accounts
Guidelines for reducing the risk of using service accounts (continued): Give the account the least amount of access (user rights, NTFS permissions, and share permissions) it needs to perform its necessary tasks. Do not share the password, and store the password in a safe location. © 2013 John Wiley & Sons, Inc.

12 Managed Service Accounts
Were introduced with Windows Server 2008 R2. Are used to improve the use of the traditional service account in Windows. Are an Active Directory msDS-ManagedServiceAccount object class that enables automatic password management and SPN management for service accounts. © 2013 John Wiley & Sons, Inc.

13 Creating/Configuring Managed Service Accounts
Rather than manually changing the account password and the password for the service or application, you use the MSA where the password will automatically change on a regular basis. MSAs are stored in Active Directory Directory Sevices (AD DS) as msDS-ManagedServiceAccount objects in Windows Server 2008 and MSDS-GroupManagedServiceAccount on Windows Server 2012. © 2013 John Wiley & Sons, Inc.

14 Creating/Configuring Managed Service Accounts
Similar to computer accounts, an MSA establishes a complex, cryptographically random, 240-character password. That password changes when the computer changes its password. By default, this occurs every 30 days. An MSA cannot be locked out and cannot perform interactive logons. © 2013 John Wiley & Sons, Inc.

15 MSA Benefits © 2013 John Wiley & Sons, Inc.
Automatic password management Simplified SPN management © 2013 John Wiley & Sons, Inc.

16 MSA Requirements © 2013 John Wiley & Sons, Inc.
Windows Server 2008 R2 or Windows Server 2012 domain controller .NET Framework 3.5.x Active Directory module for Windows PowerShell © 2013 John Wiley & Sons, Inc.

17 Creating/Configuring Group Managed Service Accounts
If you have a cluster or farm where you need to run the system or application service under the same service account, you cannot use Managed Service Accounts. Group Managed Service Accounts are similar to Managed Service Accounts, but they can be used on multiple servers at the same time. © 2013 John Wiley & Sons, Inc.

18 Objective 5.2: Configuring Domain Controllers

19 Active Directory Logical Components
Forests Trees Domains Organizational Units © 2013 John Wiley & Sons, Inc.

20 Active Directory Logical Components
© 2013 John Wiley & Sons, Inc.

21 Active Directory Physical Components
Domain Controllers Global Catalog Servers Operations Masters Read-Only Domain Controllers © 2013 John Wiley & Sons, Inc.

22 Global Catalogs As a domain controller, a global catalog stores a full copy of all objects in the domain. In addition, as a global catalog, it also has a partial copy of all objects for all other domains in the forest. The partial copy of all objects is used for logon, object searches, and universal group membership. A global catalog is created automatically on the first domain controller in the forest. Optionally, other domain controllers can be configured to serve as global catalogs. © 2013 John Wiley & Sons, Inc.

23 Global Catalogs and Universal Groups
One of the primary functions of a global catalog is to provide search capability of any object in the forest. Another function of global catalog is to resolve User Principal Names (UPNs). Membership of universal groups is stored only in the global catalog and is replicated across the forest. When a user logs on, the domain controller must be able to view the membership of the universal groups, so that it can be determined whether a user is allowed or denied logon based on the membership of the universal group. © 2013 John Wiley & Sons, Inc.

24 Universal Group Membership Caching
If the membership of the universal groups cannot be determined, a user’s logon request denies the request, and the user cannot log on. The only exception to this is that the Administrator account can always log on. Therefore, for all other users to log on, there must be at least one domain controller acting as a global catalog available or you need Universal Group Membership Caching enabled. © 2013 John Wiley & Sons, Inc.

25 Universal Group Membership Caching (UGMC)
Universal group membership caching (UGMC) allows the local domain controller to store the membership of the universal groups in its local cache indefinitely. The cache is refreshed by default every eight hours. As a result, domain controllers can process a logon or resource request without the presence of a global catalog server. UGMC provides better logon performance and minimizes WAN usage. UGMC is enabled on a per-site basis. © 2013 John Wiley & Sons, Inc.

26 Operations Master Roles
Primary Domain Controller (PDC) Emulator Infrastructure Master Relative Identifier (RID) Master Schema Master Domain Naming Master Operations Master sometimes referred to as Flexible Single Master Operations (FMSO). © 2013 John Wiley & Sons, Inc.

27 Transferring the Operations Masters Role
Reasons to transfer the Operations Master: Planned maintenance Retiring a domain controller that holds a role of Operations Master Moving a role of Operations Master to a domain controller with more resources Transferring a FSMO role requires that the source domain controller and the target domain controller be online. © 2013 John Wiley & Sons, Inc.

28 Seizing the Operations Masters Role
If a domain controller that holds an Operations Master role has an unrecoverable failure, you cannot transfer roles because the current domain controller is not online. Therefore, you need to seize the role. Seizing a FSMO role is a drastic measure that should be performed only in the event of a permanent role holder failure. To seize a role of an Operations Master, you use the ntdsutil.exe utility. © 2013 John Wiley & Sons, Inc.

29 Read-Only Domain Controller (RDOC)
The Read-Only Domain Controller (RODC): Contains a full replication of the domain database. Was created to be used in places where a domain controller is needed but the physical security of the domain controller could not be guaranteed. © 2013 John Wiley & Sons, Inc.

30 Domain Controller Clones
Starting with Windows Server 2012, you can safely virtualize a domain controller and rapidly deploy virtual domain controllers through cloning. It allows you to quickly restore domain controllers when a failure occurs and to rapidly provision a test environment when you need to deploy and test new features or capabilities before you apply the features or capabilities to production. © 2013 John Wiley & Sons, Inc.

31 Objective 5.3: Maintaining Active Directory

32 Tools for Importing and Exporting Objects
Regarding Active Directory, to import or export many objects at once, use: CSVDE.exe: Imports or exports Active Directory Domain Services (AD DS) objects to or from a comma-delimited text file. LDIFDE.exe: Imports or exports Active Directory objects, including users. © 2013 John Wiley & Sons, Inc.

33 CSVDE.exe To export all objects in your Active Directory domain:
csvde -f filename To list users or computers or only users with a certain attribute, use these parameters: -i: Turn on Import mode (The default is Export.) -f filename: Input or output filename. -s servername: The server to bind to. (The default is a DC of computer’s domain.) -t portnum: Port number. (The default is 389.) © 2013 John Wiley & Sons, Inc.

34 LDIFDE.exe The LDIFDE command implements batch operations by using LDIF files. The LDIF file format consists of a block of lines, which together constitute a single operation. Multiple operations in a single file are separated by a blank line. © 2013 John Wiley & Sons, Inc.

35 Understanding the Active Directory Database
The Active Directory database is stored in Active Directory database file (C:\Windows\NTDS\Ntds.dit) and its associated log and temporary files. It includes: Ntds.dit: The physical database file in which all directory data is stored. Consists of three internal tables: the data table, link table, and security descriptor (SD) table. Contains the schema information, configuration information, and domain information. Edb.log: The log file into which directory transactions are written before being committed to the database file. Transaction log files used by ESE are 10 MB in size. © 2013 John Wiley & Sons, Inc.

36 Understanding the Active Directory Database
The Active Directory database includes (continued): Edb.chk: The file used to track the point up to which transactions in the log file have been committed. Res1.log and Res2.log: Files used to reserve space for additional log files if edb.log becomes full. Temp.edb: A file used as a scratch pad to store information about in-progress large transactions and to hold pages pulled out of Ntds.dit during maintenance operations. © 2013 John Wiley & Sons, Inc.

37 Understanding the System State
The Windows system state is a collection of system components that are not contained in a simple file but can be backed up easily. The Windows system state includes: Boot files (such as bootmgr) DLL cache folder Registry (including COM settings) SYSVOL (Group Policy and logon scripts) © 2013 John Wiley & Sons, Inc.

38 Understanding the System State
The Windows system state includes (continued): Active Directory NTDS.DIT (domain controllers) Certificate Store (if the service is installed) User profiles COM+ and WMI information Cluster service information IIS metabase System files under Windows Resource Protection © 2013 John Wiley & Sons, Inc.

39 Understanding SYSVOL The SYSVOL is a shared directory that stores the server copy of the domain’s public files that must be shared for common access and replication throughout a domain. The SYSVOL folder on a domain controller contains: Login scripts: Stores the logon scripts administrated from Active Directory Users and Computers and group policies. Windows Group Policy: Configuration settings that control the working environment of user and computer accounts and that provide the centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment. © 2013 John Wiley & Sons, Inc.

40 Understanding SYSVOL The SYSVOL folder on a domain controller contains (continued): Distributed File System (DFS) staging folder and files: Used to synchronize data and files between domain controllers. File system junctions: A physical location on a hard disk that points to data that is located elsewhere on your disk or other storage device to manage a single instance stored. © 2013 John Wiley & Sons, Inc.

41 Backups A backup or the process of backing up refers to making copies of data so that these additional copies can be used to restore the original after a data-loss event. © 2013 John Wiley & Sons, Inc.

42 Backup Media © 2013 John Wiley & Sons, Inc. Magnetic Tape Hard Disks
CDs/DVDs Cloud © 2013 John Wiley & Sons, Inc.

43 Using Windows Backup Microsoft Windows Backup allows you to back up a system. To access the backup and recovery tools for Windows Server 2012 install the Windows Server Backup feature using the Add Roles and Features Wizard. To run the Windows Server Backup, you must be a member of the Backup Operators or Administrators group. Create a backup using the Backup Schedule Wizard or by using the Backup Once option. You can back up to any local drive or to a shared folder on another server. Perform a backup using wbadmin.exe, which is the Backup command-line tool. © 2013 John Wiley & Sons, Inc.

44 Performing an Active Directory Restore
There are two types of restores that you can perform with Active Directory: A nonauthoritative restore: Restores a backup of Active Directory as of the date of the backup. An authoritative restore: An override type restore where the information on the restored domain controller is replicated to the other domain controllers. © 2013 John Wiley & Sons, Inc.

45 Performing an Active Directory Restore
To perform an authoritative restore reboot the computer into the Directory Services Restore Mode (DSRM), which is a mode of Windows that takes the Active Directory offline. Access this mode from the Advanced Boot menu, which is accessed before Windows completes booting by pressing the F8 key. © 2013 John Wiley & Sons, Inc.

46 Snapshots Another tool used in recovery of Active Directory is the Active Directory database mounting tool to create and view Active Directory snapshots. An Active Directory snapshot is a shadow copy, created by the Volume Shadow Copy Service (VSS), of the volumes that contain the Active Directory database and log files. © 2013 John Wiley & Sons, Inc.

47 Active Directory Recycle Bin
Starting with Windows Server 2008 R2, Windows offers the Active Directory Recycle Bin. The Active Directory Recycle Bin holds deleted Active Directory containers and objects. You can undelete the items. When an object or OU in AD DS is deleted, it is moved to the Deleted Objects container. As long as the object has not been scavenged by the garbage collection process after reaching the end of the object tombstone lifetime, you can restore the deleted object. The LDP.exe tool, included with Windows Server 2012, allows users to perform operations against any LDAP-compatible directory, including Active Directory. © 2013 John Wiley & Sons, Inc.

48 Enabling the Recycle Bin
In Windows Server 2012, you can enable the Recycle Bin in two ways: From the Active Directory module for Windows PowerShell prompt, use the Enable-ADOptionalFeature cmdlet. From Active Directory Administrative Center, select the domain, and then click Enable Active Directory Recycle Bin in the Tasks pane. Only items deleted after the Active Directory Recycle Bin is turned on can be restored from the Active Directory Recycle Bin. © 2013 John Wiley & Sons, Inc.

49 Restartable Active Directory Domain Services
Starting with Windows Server 2012, Windows servers include Restartable Active Directory Domain Services, which allows you to stop and start AD DS without restarting the domain controller and stopping other services that might be on the server. To start or stop the AD DS, open the Services console to control the service. There are three domain controller states: AD DS Started AD DS Stopped DSRM © 2013 John Wiley & Sons, Inc.

50 Ntdsutil.exe The ntdsutil tool:
Defragments the Active Directory database to free up disk space. Lets you look for errors in Active Directory. Is similar to running the Optimize and defragment drive tool in Windows. © 2013 John Wiley & Sons, Inc.

51 Metadata To retire a domain controller, the proper method to demote a domain controller is to remove the Active Directory Domain Services. If the demotion fails or the server itself fails where you cannot recover the system, you need to clean up the metadata, which means you must manually remove the domain controller from Active Directory. Metadata is the data that identifies the domain controllers. Methods for cleaning up server metadata: Use Active Directory Users and Computers and ntdsutil. Use the Active Directory Sites and Services and ADSIEdit. © 2013 John Wiley & Sons, Inc.

52 Objective 5.4: Configuring Account Policies

53 Group Policies Group Policies provide centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment. Use Group Policy to specify how often a user has to change his or her password, background images on users’ computers, or whether spell check is required before sending . © 2013 John Wiley & Sons, Inc.

54 Group Policy Objects (GPOs)
Group Policy Objects (GPOs) are collections of user and computer settings including: System settings: Application settings, desktop appearance, and behavior of system services. Security settings: Local computer, domain, and network security settings. © 2013 John Wiley & Sons, Inc.

55 Group Policy Objects (GPOs)
Group Policy Objects (GPOs) are collections of user and computer settings including (continued): Software installation settings: Management of software installation, updates, and removal. Scripts settings: Scripts for when a computer starts or shuts down and for when a user logs on and off. Folder redirection settings: Storage for users’ folders on the network. © 2013 John Wiley & Sons, Inc.

56 Account Policies Account policies (Computer Configuration\Windows Settings\Security Settings\Account Policies) are domain level policies that define the security-related attributes assigned to user objects. Account policies contain three subsets: Password Policy: Settings for passwords, such as enforcement and lifetimes. Account Lockout Policy: The circumstances and length of time that an account is locked out of the system. Kerberos Policy: Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos Policy settings do not exist in local computer policies. © 2013 John Wiley & Sons, Inc.

57 Configuring Domain User Password Policy
A password policy defines the password parameters that a user uses. The strength of a password is determined by the password’s length, complexity, and randomness. © 2013 John Wiley & Sons, Inc.

58 Configuring Password Policy Settings
Password Policy settings include: Enforce password history: The number of unique, new passwords that must be associated with a user account before an old password can be reused. The default setting is 24 previous passwords. Maximum password age: The number of days that a password can be used before the user must change it. The default setting is 42 days. Minimum password age: The number of days that a password must be used before the user can change it. The default value is one day, which is appropriate if you also enforce password history. © 2013 John Wiley & Sons, Inc.

59 Configuring Password Policy Settings
Password Policy settings include (continued): Minimum password length: The minimum number of characters that a user’s password must contain. The default value is seven. Complexity requirements: A default password filter that is enabled by default. A complex password: Does not contain your name or your username. Contains at least six characters. Contains characters from three of the following four groups: uppercase letters [A…Z], lowercase letters [a…z], numerals [0…9], and special, non-alphanumeric characters (such as © 2013 John Wiley & Sons, Inc.

60 Configuring Account Lockout Settings
To help prevent hacking, Windows uses account lockout settings that specify when an account is locked when there are too many incorrect logon attempts. © 2013 John Wiley & Sons, Inc.

61 Configuring Account Lockout Settings
Group policies include the following account lockout settings: Account lockout duration: The length of time a lockout will remain in place before another logon attempt can be made. This can be set from 0 to 99,999 minutes. If set to 0, an administrator will need to manually unlock the account. © 2013 John Wiley & Sons, Inc.

62 Configuring Account Lockout Settings
Group policies include the following account lockout settings (continued): Account lockout threshold: The number of failed logons permitted before account lockout occurs. This can be set from 0 (no account lockouts) to 999 attempts before lockout. Reset account lockout counter after: The period of time, in minutes, that must elapse before the account lockout counter is reset to 0 bad logon attempts. © 2013 John Wiley & Sons, Inc.

63 Configuring/Applying Password Settings Objects
Fine-grained password policies allow you to specify multiple password policies within a single domain. To enable fine-grained password policies: Create a Password Settings Object (PSO). Configure the same settings that you configure for the password and account lockout policies. © 2013 John Wiley & Sons, Inc.

64 Configuring Local User Password Policy
Execute secpol.msc from a command prompt to open the Local Security Policy console. Local Security Policy console Security Settings Account Policies password-policy and account-policy settings © 2013 John Wiley & Sons, Inc.

65 Delegating Password Settings Management
By default, only members of the Domain Admins group can set fine-grained password policies. You can also delegate the ability to set these policies to other users. The Domain Admins group has Read and Write capabilities to the Default Domain Policy. To give access to others to manage the Default Domain Policy, add the user to the access list and assign permissions. © 2013 John Wiley & Sons, Inc.

Download ppt "70-411: Administering Windows Server 2012"

Similar presentations

Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Lesson 16: Configuring Domain Controllers

Lesson 16: Configuring Domain Controllers
Module 4: Implementing User, Group, and Computer Accounts

Module 4: Implementing User, Group, and Computer Accounts
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
7.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

7.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
Chapter 4 Introduction to Active Directory and Account Management

Chapter 4 Introduction to Active Directory and Account Management
5.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
Maintaining Windows Server 2008 File Services

Maintaining Windows Server 2008 File Services
Understanding Active Directory

Understanding Active Directory
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Module 8: Designing Active Directory Disaster Recovery in Windows Server 2008.

Module 8: Designing Active Directory Disaster Recovery in Windows Server 2008.
11 WORKING WITH USER ACCOUNTS Chapter 6. Chapter 6: WORKING WITH USER ACCOUNTS2 CHAPTER OVERVIEW Understand the differences between local user and domain.

11 WORKING WITH USER ACCOUNTS Chapter 6. Chapter 6: WORKING WITH USER ACCOUNTS2 CHAPTER OVERVIEW Understand the differences between local user and domain.

Similar presentations

Ads by Google