DNS (Domain Name System) for Active Directory
- Zone Types
- Primary: hosts a writable master copy of the zone data and is authoritative for the zone. Can be integrated with Active Directory.
- Secondary: is a read-only copy of a zone from the master DNS server and is a secondary source of information for the zone.
- The secondary zone must have network access to the remote DNS server that hosts the zone in order to get the updated zone information from the master (this is called a zone transfer and requires permissions from the master server where the zone is being copied).
- Secondary zones provide redundancy and load balancing.
- Secondary zones cannot be integrated with Active Directory because the secondary zone is a read-only copy and does not support local updates.
- Active Directory Integrated: hosted in one or more application directory partitions in domain controllers.
- Provides name resolution even if a WAN link is temporarily unavailable between the domains (if there is an authoritative DNS server in each domain on the domain controller).
- Same efficient multimaster replication used by the Active Directory topology, only the records that are changed are replicated.
- Stub: hosts NS records and is used to resolve host names between separate DNS namespaces.
- Contains resource records of authoritative zone servers, enabling the DNS server hosting the parent zone to be aware of the authoritative servers for child zones.
- Updated automatically in the parent zone, but requires TCP port 53 to be open.
- Can be integrated with Active Directory.
See my blog: DNS Tools and Settings
- Subdomains
- You can create one or more subdomains within the DNS namespace if you have authority.
- A zone starts at a domain and can contain one or more subdomains along with the records to support resolution of the subdomain.
- Delegation
- A delegation is a "link" to a subdomain.
- The delegation is created by the NS record(s) that point to the authoritative name server(s) that are authoritative for the subdomain.
- The NS record(s) points to the name or IP address of the subdomain's name server.
- Delegate DNS zones for management and to distribute traffic.
- When zone delegations are correctly configured, normal referral can sometimes be circumvented.
- GlobalNames zone
- Provides single-name resolution for networks not containing a WINS server.
- Single-name resolution means the name is resolved using the host name instead of the FQDN.
- The GNZ is a specialized zone with CNAME RRs.
- All authoritative DNS servers must be running Windows Server 2008 or later and the GNZ should be integrated with Active Directory.
- To enable the GNZ, run dnscmd /config /enableglobalnamessupport 1 on the DNS server.
- DDNS (Dynamic DNS)
- Secure DNS
- Support secure DDNS to eliminate the possibility of spoofing and cache pollution. Without it, clients can be misdirected to unauthorized addresses without their knowledge, enabling attackers to gain access to client data.
- Denial-of-Service attack. Secure DDNS also helps to prevent Denial-of-Service attacks, which attempt to make the DNS server unavailable. Clients make a DNS query and receive invalid IP addresses, causing a denial of service. The attacker can register dummy records, causing the server's disk space to fill up and slowing replication. Disabling recursion when it is not needed also helps prevent a denial-of-service attack.
- Use Secure DNS to ensure only authorized users in the forest access DNS.
- Resource Records
- Each zone contains resource records (RR)
- SOA (Start of Authority) indicates the primary name server. The Expiry field of the SOA record determines the length of time the secondary zone server can service records without contacting the primary zone server for an update.
- A or AAAA records, also known as 'host' records, resolve a name to an IP address and are used in a 'standard' query to DNS. A records map to an IPv4 address; AAAA records map to an IPv6 address.
- Canonical Name (CNAME or 'Alias') records. A CNAME record maps an alias to another FQDN, allowing you to associate multiple names with a single server. If the server's IP address changes, you change only the server's A record and all CNAME records continue to function.
- PTR records specify IP address to name mapping to support reverse lookups. Add a PTR record to the IP6.ARPA domain.
- NS (Name Server) point to the authoritative Name Servers for a domain.
- Mail Exchange (MX) records. The name of an email server in a domain.
- SRV record is used to locate computers running specific services.
- WKS record (Well Known Service) is used to identify a server that hosts a well-known service, such as the FTP service. The WKS record includes the host, the host IP address, the TCP or UDP protocol, and a list of services the host provides.
- HINFO record (host information) is used to enter information about a host's CPU type and operating system.
- ipconfig /flushdns
- When DNS tries to resolve a name that is not in the cache and the DNS server returns a negative response, that negative response is cached. If you then create a host record on the DNS server and retry the query, a negative response is still returned because it is still in the cache. To remove the negative response from the cache, use the ipconfig /flushdns command.
- ipconfig /registerdns
- Initiates manual dynamic registration of the DNS names and IP addresses configured on a computer. You can use this command to help resolve dynamic update issues between a DNS server and a client without restarting the client. For example, an application server is moved from one branch office to a different branch office. Users in the new branch office can access the application server by name or IP address. Users in other branch offices cannot access the application server by name, but can ping the server by its IP address. You need to make the application server available to all network users as quickly as possible without interrupting service to users already connected to the application server.
- route delete destination mask netmask value
- For example, run the route delete 192.168.22.0 mask 255.255.255.0 command to delete an incorrect entry from the routing table and restore connectivity between networks. To delete an entry from the routing table, use the route delete command and include the subnet mask, preceded by the word "mask". After deleting the entry, use the route add command to add the correct entry back to the routing table. Use the route change command to modify an existing route and the route print command to view the routing tables.
- netsh interface delete is used to delete an interface
- netsh interface reset is used to reset an interface configuration
- route -p
- For example, run route -p add 131.107.3.0 mask 255.255.255.0 137.107.3.1 to make a persistent entry in the routing table; the -p switch adds the static route directly to the registry.
- nslookup.exe
- Use the nslookup.exe command to query the DNS server directly and bypass the resolver cache.
- Name Resolution
- Configure the physically nearest domain controller as the primary DNS server for a client.
- The DNS server addresses list box contains the IP addresses of DNS servers to provide name resolution services to client computers.
- LLMNR (Link-local multicast name resolution) provides host name resolution on the local subnet for IPv4 and IPv6 addresses.
- GNZ (GlobalNames zone) provides single-name resolution, including across forest boundaries. DNS records in a GNZ must be entered manually.
- HOSTS file is stored on the local computer. It contains a list of host names and IP addresses. The client first checks the local DNS cache, into which the HOSTS file is loaded, before it queries a DNS server.
- Recursive query: the most common type of query; it asks the DNS server to return a definitive response.
- Iterative query: the DNS server returns a "best guess" answer to the client without contacting other DNS servers, i.e., the most useful information it can provide (such as a referral), so the requester can continue to try to resolve the name.
- When a negative response is returned, the secondary DNS server is not queried. The secondary server is only queried when the primary server is not available because it is only a copy.
- Conditional forwarder: can be configured to forward name requests directly to the authoritative DNS server for a specific DNS domain name. This helps to keep down the traffic generated by name requests.
- Forward lookup zone: Resolve a computer's FQDN to its IP address.
- Reverse lookup zone: Resolve an IP address to a FQDN.
- Root hints
- Used to locate other authoritative DNS servers. If a DNS server cannot resolve name resolution requests and is not configured with a forwarder or the forwarder cannot resolve the name, it will use root hints. The root hints are used as a last resort for name resolution.
- A computer cannot be configured as a forwarder if it hosts a root zone. A root zone is considered to be at the top of the DNS namespace.
- Scavenging
- Stale resource records are left behind when a domain name is deleted and its resource records remain. This can cause poor DNS server performance as well as DNS errors. Zone scavenging is used to remove those old and unused records.
- Scavenging is disabled by default and must be enabled for a zone.
- An interval can be configured to indicate how often to scavenge the zone. Immediate scavenging is done by:
- DNS Manager - right-click the server and select Scavenge Stale Resource Records options.
- Dnscmd - use the /startscavenging parameter.
- Important for dynamic systems and SRV RRs.
- Manage cache: View menu/Advanced Features/Clear server cache by right-clicking server or cached Lookups node.
- TTL (Time to Live)
- Used to indicate how long clients can access cached zone information for DNS.
- Decrease the value if you want to avoid any outdated data.
- Nslookup
- Used to query a DNS server with a computer name to get the computer's IP address to determine if a reverse lookup zone is configured incorrectly.
- set server=ip address [Default: Primary DNS Server]
- set type=record type [Default: A]
- record
- ipconfig /all
- Displays the IP config of the client, including its DNS servers.
- /displaydns: display client DNS resolver cache.
- /flushdns: purge client DNS resolver cache.
- /registerdns: register client DNS records.
- Dnscmd and DNS Manager snap-in
- Use them to display and change DNS server properties, zones, and resource records. You can use dnscmd to change a zone's type.
- Use Dnscmd to configure forwarders. Use /resetforwarders to configure default forwarders.
- ResetListenAddresses command of dnscmd is used to configure the IP addresses to listen for and service DNS requests. Example: dnscmd DNS1 resetlistenaddresses 192.168.10.1
- dnscmd ServerName [Command Parameters]
- /zoneinfo display zone config for a DNS server.
- /zonerefresh causes a secondary zone to request an immediate update from the master.
- /config modify zone's configuration.
- /zoneadd create a new zone.
- /zonedelete delete a zone (add /dsdel to delete zone from AD DS).
- /recordadd add record to a DNS zone.
- /zoneresetmasters change IP address for a zone.
- /dsprimary add an Active Directory-integrated zone.
- /zoneupdatefromds causes zone information to be updated from Active Directory.
- Server Core
See my blog: About Windows Server Core 2008
- Must be managed from the command line.
- Windows Server 2008, use ocsetup to add roles to the server.
- Install DNS server role: start /w ocsetup DNS-Server-Core-Role (note: the component name is case sensitive)
- Verify server core role: oclist
- Windows Server 2008 R2, use Dism with the /online /enable-feature and /featurename options to add roles to the server.
- Debug Logging
- Enable debug logging on a DNS Server to capture detailed info about DNS traffic in the server's properties dialog box. You can also perform test recursive and iterative queries, to make sure stub zones, conditional forwarders, forwarders, and root hints are working correctly.
- dcdiag.exe /test:DNS command does an exhaustive series of tests. Type dcdiag.exe /? for additional options.
- Logged info is stored in a text file named DNS.log. Logging can be customized.
- Collect events by using subscriptions to centralize trouble spots.
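The DNS.log debug output mentioned above can be mined for troubleshooting and detection. As an added PowerShell example (not from the original notes), this function parses PACKET lines, decodes the length-prefixed names, and summarizes queries per client and NXDOMAIN answers; the four log lines are constructed samples, and the path in the last comment is the server's default log location.

```powershell
# Added example (not from the original notes): parse DNS debug log PACKET
# lines and summarize queries and NXDOMAIN answers per client.
# The lines below are constructed samples in the Windows DNS.log format.
$SampleLog = @'
3/17/2010 9:15:22 AM 0B2C PACKET  0000000002A3F9E0 UDP Rcv 192.168.10.25   0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/17/2010 9:15:22 AM 0B2C PACKET  0000000002A3F9E0 UDP Snd 192.168.10.25   0003 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/17/2010 9:15:23 AM 0B2C PACKET  0000000002A4C1A0 UDP Rcv 192.168.10.77   0004   Q [0001   D   NOERROR] A      (8)printsrv(4)corp(7)example(3)com(0)
3/17/2010 9:15:23 AM 0B2C PACKET  0000000002A4C1A0 UDP Snd 192.168.10.77   0004 R Q [8385 A DR  NXDOMAIN] A      (8)printsrv(4)corp(7)example(3)com(0)
'@

# One PACKET line: date time threadId PACKET packetId proto Rcv/Snd remoteIP xid [R] opcode [flags ... rcode] qtype name
# The "R" column is present only on responses; the last token inside the brackets is the response code.
$PacketRegex = '^(?<ts>\S+ \S+ [AP]M)\s+[0-9A-F]+\s+PACKET\s+[0-9A-F]+\s+(?<proto>UDP|TCP)\s+(?<dir>Rcv|Snd)\s+(?<ip>\S+)\s+(?<xid>[0-9a-fA-F]{4})\s+(?<resp>R?)\s*(?<op>\S)\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<name>\S+)'

function ConvertFrom-DnsLogName {
    param([string]$Encoded)
    # "(3)www(7)example(3)com(0)" -> "www.example.com"; a bare "(0)" is the root zone
    $plain = ($Encoded -replace '\(\d+\)', '.').Trim('.')
    if ($plain -eq '') { '.' } else { $plain }
}

function Get-DnsLogSummary {
    param([string[]]$Lines)
    $events = foreach ($line in $Lines) {
        if ($line -match $PacketRegex) {
            [pscustomobject]@{
                Time    = $Matches['ts']
                Client  = $Matches['ip']
                IsReply = ($Matches['resp'] -eq 'R')
                Rcode   = ($Matches['flags'].Trim() -split '\s+')[-1]
                QType   = $Matches['qtype']
                Name    = ConvertFrom-DnsLogName $Matches['name']
            }
        }
    }
    [pscustomobject]@{
        # How many queries each client sent: a sudden spike from one host is worth a look
        QueriesPerClient = $events | Where-Object { -not $_.IsReply } | Group-Object Client |
                           Select-Object Name, Count
        # Negative answers: stale clients, typos, or names that should have a record (see ipconfig /flushdns above)
        NxDomainAnswers  = $events | Where-Object { $_.IsReply -and $_.Rcode -eq 'NXDOMAIN' } |
                           Select-Object Time, Client, QType, Name
    }
}

$summary = Get-DnsLogSummary -Lines ($SampleLog -split "`r?`n")
$summary.QueriesPerClient | Format-Table -AutoSize
$summary.NxDomainAnswers  | Format-Table -AutoSize
# Against a real server (default log path): Get-DnsLogSummary -Lines (Get-Content "$env:windir\System32\dns\DNS.log")
```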
See my blog: About DNS and Windows Active Directory
- Zone transfer is used to transfer zone information to a secondary zone, only. A secondary server copies the zone data from the master server.
- The master server allows the secondary server to connect to initiate a zone transfer, configured on the Zone Transfers tab of the zone properties of the master server.
- Enable BIND secondaries to support zone transfers for BIND versions prior to 4.9.4.
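The zone transfer settings described here and the secure dynamic update and recursion points under Secure DNS above, expressed as dnscmd commands. This is an added PowerShell example, not from the original notes; DNS1, corp.example.com and the secondary server address are placeholders, and the zone is assumed to be Active Directory integrated (secure-only updates require that).

```powershell
# Added example (not from the original notes): tighten a zone's dynamic-update,
# zone-transfer and recursion settings with dnscmd, weak setting beside the fix.
# Placeholders: substitute your own server, zone and secondary addresses.
$DnsServer   = 'DNS1'              # placeholder DNS server name
$Zone        = 'corp.example.com'  # placeholder AD-integrated zone
$Secondaries = @('192.0.2.10')     # placeholder: the only hosts allowed to pull the zone

# Weak settings, shown for contrast only (not run):
#   dnscmd $DnsServer /Config $Zone /AllowUpdate 1           # nonsecure and secure updates: any host can overwrite records
#   dnscmd $DnsServer /ZoneResetSecondaries $Zone /NonSecure  # zone transfer to any requester
#   dnscmd $DnsServer /Config /NoRecursion 0                  # server resolves anything for anyone

# 1. Secure dynamic updates only (AllowUpdate 2): a client must authenticate
#    before it can register or overwrite a record, which blocks the spoofing
#    and cache-pollution case the notes describe.
dnscmd $DnsServer /Config $Zone /AllowUpdate 2

# 2. Zone transfers only to the listed secondaries; an AD-integrated zone with
#    no secondaries at all should use /NoXfr instead.
if ($Secondaries.Count -gt 0) {
    dnscmd $DnsServer /ZoneResetSecondaries $Zone /SecureList $Secondaries
} else {
    dnscmd $DnsServer /ZoneResetSecondaries $Zone /NoXfr
}

# 3. Disable recursion when this server only needs to answer for zones it
#    hosts (the notes' mitigation for the denial-of-service case).
dnscmd $DnsServer /Config /NoRecursion 1

# 4. Verify: /ZoneInfo lists the zone's update and secondary settings,
#    /Info NoRecursion shows the server-wide flag.
dnscmd $DnsServer /ZoneInfo $Zone
dnscmd $DnsServer /Info NoRecursion
```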
- Background loading
- Available on DNS Windows Server 2008 or later, the DNS server loads zone data in the background while the DNS server restarts.
- Service Locator (SRV) records. Modify zone transfer settings to ensure you can use nslookup to list all SRV resource records; in nslookup, use set type=SRV. Service Locator records allow DNS clients to locate TCP/IP network-based services.
- Replication
- Replication is the transfer of changes between domain controllers in Active Directory. Replication in Active Directory is done almost immediately. However, you might want to reduce replication traffic in a WAN over a slower link to another site, in order to optimize performance.
- Increase replication interval - to reduce replication traffic by configuring replication to occur less frequently.
- Limit replication to times outside of high-traffic periods to improve available bandwidth.
- Force replication using Active Directory Sites and Services or use the repadmin /replicate or /syncall command line parameter.
- Replicate the SYSVOL folder by using DFS Replication between domain controllers (Windows Server 2008 servers and Windows Server 2008 domain functional level).
- A preferred bridgehead server can be used in a site to replicate changes from other sites.
- RODC
- A new type of zone called a primary read-only-zone/branch office zone is supported.
- An RODC receives a full read-only copy of all the application directory partitions that DNS uses.
- Replication is unidirectional because no data is written to the RODC.
- Password Replication Policy
- Should be on a writable domain controller.
- Determines whether the RODC should cache a password or not.
- Defines a list of user accounts that should not be cached on the RODC.
- You can repopulate the cache of an RODC with the passwords of user and computer accounts that will authenticate to the RODC.
- If you want to ensure a user can log on to the network in a branch office when the WAN link is unavailable
- Windows Server 2008 R2 provides capability of offline domain joins.
- Improve bandwidth by limiting replication to outside of business hours.
- Force replication. Use the repadmin command with the /replicate or /syncall parameter.
- Application Directory Partition
- You can limit the scope of replication by creating an application directory partition and select All domain controllers in a specified application directory partition as the replication scope.
- Application directory partitions can be used to restrict DNS replication traffic so the zone is only replicated to the enlisted domain controllers.
- Enlist a domain controller by using Dnscmd. Change the replication scope in the zone properties by clicking the Change button next to Replication.
- Create an application partition
- dnscmd ServerName /CreateDirectoryPartition FQDN
- DomainDnsZones partition
- The partition is replicated to all domain controllers that are DNS servers in the domain.
- Default partition created when DNS is installed.
- ForestDnsZones partition
- The partition is replicated to all domain controllers that are DNS servers in the forest.
- Default partition created when DNS is installed.
- The Domain
- Contains records for objects, including users and computers, and is replicated to all domain controllers.
- Custom application partition
- You can create a custom application partition to specify the servers that will replicate the partition.
- Sites
- A site is used to control replication and service localization.
- A site link bridge is used to connect two or more sites.
- Create subnets to associate each site with specific IP address ranges.
- To disable a site link bridge, select Disable site link bridging from the IP Properties.
- Bridgehead servers are servers in each site designated to replicate changes from other sites.
- Assign cost to control which link becomes the preferred link when there are multiple links between sites. The lowest cost is given preference.
- Domain controllers provide services to the site in which they reside. In the registry, autositecoverage specifies whether the system can add sites to the coverage area of the domain controller.
- Set to 0 means no coverage for that site by the domain controller.
Domain and Forest Functional Levels
- dcpromo /forceremoval. Removes a domain controller. Afterwards, you should perform a metadata cleanup.
- To add a domain controller running Windows Server 2008 R2 to a forest with domain controllers running Windows 2000 Server or Windows Server 2003:
- You must first update the Active Directory schema by running adprep /forestprep from the schema master.
- Second, you must run adprep /domainprep from the infrastructure master to prepare the new domain.
- An RODC domain and forest functional level must be set to Windows 2003 or higher.
- PowerShell cmdlets can be used to configure forests and domains: Set-ADForestMode, Set-ADForest, Set-ADDomainMode, Set-ADDomain.
- ADMT. To restructure domains within a single forest or between multiple forests.
- Migrates objects between domains.
- Provides wizards to automate migration by using the ADMT console, the command line, or interfaces for using scripts such as Visual Basic.
See my blog: Identity and Access Solutions with Windows Server 2008: Useful Links
- Trust relationships between domains enable one domain to trust the other domain's authentication service to secure resources.
- You must be a member of Domain Admins or Enterprise Admins to create a trust.
- Two domains in every trust relationship: trusted domain and trusting domain.
- Trusted domain holds the identity store and provides the authentication for the users contained in that identity store.
- Trusting domain uses the trusted domain's identities to grant access to resources.
- One-way forest trust: allows all users in one forest to trust all domains in another forest.
- Two-way forest trust: establishes a transitive trust relationship among all domains in both forests. For example, if domain A trusts B, and B trusts C, then domain A automatically trusts domain C.
- Shortcut trusts: created when the authentication path needs to be shortened.
- Incoming trust: means your domain wants to access resources in another domain and routes authentication requests successfully.
- Outgoing trust: means users in the other domain want to access resources in your domain and routes authentication requests successfully.
- Realm trust: used to create a trust with a non-Active Directory domain.
- External trust: used when you cannot create a forest trust because you want to work on a domain that is not in your forest or when you want to allow access to or from a Windows NT 4.0 domain.
- Selective authentication: only supported on forest and external trusts, you can control the scope of authentication of trusted security principals, domain-wide or forest-wide.
- The Global catalog is a distributed data repository that contains a partial representation (PAS -partial attribute set) of every object in every domain in a multi-domain AD DS forest.
- Searches directed to Global catalogs are faster because global catalogs do not have the referrals to other domain controllers.
- Global catalog servers are used to support logons locally if the WAN link is not available.
- Global catalogs are stored on domain controllers designated as Global catalog servers.
- The first Windows Server 2008 domain controller is always configured as the global catalog server.
- When installing a global catalog on the first domain controller in a new child domain, you should make sure at least one additional domain controller is also configured as a global catalog server.
- Microsoft recommends making all domain controllers global catalog servers in a single-domain network.
- Microsoft recommends placing a global catalog server in any location that
- supports 100 or more users
- supports several remote users
- supports apps that require the global catalog
- Use the Active Directory Sites and Services console to add/remove a Global catalog from a domain controller.
- Right-click NTDS of the server and click Properties.
- Check or uncheck the Global Catalog box to add or remove the Global catalog from the server.
- Select the global catalog server check box on the Additional Domain Controller Options page in the Active Directory Domain Services Installation Wizard to configure the domain controller as a global catalog server when installing a domain controller in a domain.
- If you modify an attribute in the Active Directory schema, you need to ensure the attribute is replicated to the Global catalog.
- From the Active Directory Schema snap-in, modify the properties of the schema attribute and set isMemberOfPartialAttributeSet to True.
- UGMC (Universal Group Membership Caching) eliminates the need for a global catalog server at a location.
- UGMC locally caches a user's membership in universal groups on the domain controller where they are authenticating.
- UGMC is on a per site basis and is useful in branch office situations where you don't want to have a global catalog server because of the extra WAN traffic caused by Active Directory replication. The UGMC is refreshed every eight hours.
See my blog: Active Directory Domain Services Documentation
- Forest
- Schema Master
- Only one in the forest, forest-wide role that must be on a domain controller in the root domain.
- The first domain controller installed in the forest assumes this role.
- To edit the schema, you must log on to the schema master.
- Domain Naming Master
- Only one in forest, forest-wide role.
- Manage adding and deleting of domains in the forest.
- The first domain controller installed in the forest assumes this role.
- Microsoft recommends co-locating the schema master and domain naming master on a single domain controller that is a GC server.
- Domain
- Infrastructure Master Role
- Domain-wide role
- The first domain controller installed in new domain assumes this role.
- Can only be assigned to one domain controller in the domain.
- Keeps track of group members from other domains. When the members are renamed or moved, the infrastructure master identifies the change and modifies group memberships accordingly.
- Cannot hold a Global Catalog because the infrastructure role will not function, but must be physically well connected to a GC server.
- If all domain controllers are GCs, which is what Microsoft recommends, then the Infrastructure role is not needed because every DC's objects are current and up-to-date.
- Can be placed on the same domain controller as the RID master and PDC emulator.
- PDC Emulator
- Domain-wide role
- The first domain controller installed in a new domain assumes this role.
- Can be seized from a failed domain controller using either the Active Directory Users and Computers MMC snap-in or the NTDSUTIL command-line utility.
- Performs multiple functions:
- Emulates a PDC for backward compatibility.
- Required to process password changes from clients of older versions of Windows. Even if there are no clients with older versions of Windows, all password changes are first replicated to the PDC.
- Manages Group Policy updates within a domain
- Provides a master time source for the domain.
- The PDC emulator in the forest root domain is the time master for the entire forest.
- Acts as the domain master browser.
- The browse list you see when you open Network in Windows (the list of workgroups and domains, and the list of computers when you open a workgroup or domain) is created by the Browser service.
- The domain master browser merges the list of each master browser so browse clients can retrieve a comprehensive list.
- RID Master
- The first domain controller installed in a new domain assumes this role.
- Every security principal SID in the domain is assigned a unique relative identifier (RID).
- The RID Master issues blocks of RIDs to every domain in the forest.
- Even if the RID Master is offline, other domain controllers can issue new security principals. However, if the domain controller uses the entire block of RIDs, the RID master must come back online to issue another block of RIDs.
- If the RID Master fails, user accounts can no longer be created.
- Microsoft recommends co-locating the RID master and PDC emulator roles on a single domain controller.
- If a server has failed and cannot be brought back online, any FSMO roles the failed server was assigned can be seized.
- Don't seize a role unless the current operations master will not be available again.
Active Directory Lightweight Directory Services (AD LDS)
- Provides data storage and support for directory-enabled applications.
- The main components are databases, instances, schema, and partitions.
- To install and configure AD LDS server role, use Server Manager.
- Built-in tools to manage AD LDS instances:
- ADSI Edit (Connect)
- manage AD LDS instances
- Active Directory Sites and Services (Connect)
- Administers the replication of directory data among all sites in an AD LDS set
- Ldp.exe (Connect)
- provides administration of any LDAP service
- Ldifde
- Import legacy data into AD LDS
- Imports and exports data to and from AD LDS
- Dsdbutil.exe
- Back up and perform authoritative restores of AD LDS data
- Move AD LDS data files
- Change the AD LDS service account and port numbers
- List the AD LDS instances running on a server
- Active Directory Lightweight Directory Services Setup Wizard
- Create an instance of AD LDS after installing the server role
- Create a new replica of an AD LDS instance
- Set up SSL connections to AD LDS
- Both server and clients require certificates
- Windows Server 2008 R2 provides a new Web service (ADWS) to manage AD data for an AD LDS instance. The ADWS role is automatically installed when you install either the AD DS or the AD LDS role.
- To replicate instances, create a service user account on each LDS server (required).
Active Directory Rights Management Service (AD RMS)
- Helps to protect digital assets and sensitive information such as email messages, financial info, applications, and other user data. Protects content stored in AD RMS-aware intranet service.
- AD RMS uses policy rules to manage access to the information that needs to be protected.
- AD RMS ensures users are granted permissions to view, copy, or print a file.
- AD RMS protects data across AD FS trusts.
- AD RMS servers must be installed as a member server in the same AD DS domain containing the user accounts accessing protected content.
- To use AD RMS:
- Install the AD RMS server role
- Configure the AD RMS cluster
- Configure the AD RMS-enabled client computers
- The WPAS (Windows Process Activation Service) and Web Server (IIS) roles are required to install AD RMS on computers running Windows Server 2008 or Windows Server 2008 R2.
- WPAS manages the activation and lifetime of apps invoked remotely.
- The AD RMS client is included by default in Windows Vista and later. The AD RMS client must be downloaded and installed for previous Windows versions.
- You can delegate these roles to users to administer AD RMS:
- AD RMS Enterprise Administrators -manage all AD RMS policies and settings
- AD RMS Template Administrators - manage rights policy templates
- AD RMS Auditors - view and manage audit logs and reports
- Use AD RMS rights policy templates to enforce specific permissions to AD RMS protected content for different users and groups.
- Use AD RMS trust policies for content protected in different AD RMS clusters.
- Use AD RMS exclusion policies to prevent entities from making AD RMS requests, such as:
- users
- apps
- lockbox versions
- OS versions
- Windows Server 2008 R2 has PowerShell cmdlets for AD RMS admins.
- To update password of user account used in AD RMS, update AD RMS.
- To update schedule for updated custom policy RMS templates, modify registry on user's computer.
Active Directory Federation Services (AD FSv2)
- AD FS is used to share user identity securely over federation trusts.
- Federation trust is a business agreement between two organizations and is created when the two organizations deploy at least one AD FS server to access resources across organizations.
- AD FS can authenticate a user to multiple web apps using a single user account.
- SSO Single sign-on is the process of authenticating on one network while accessing resources in another network without having to perform repeated logons.
- AD FS is integrated with AD DS, enabling AD FS to authenticate users against AD DS.
- Federation Service server(s) in the account partner organization are required and function as a security token service.
- The service routes authentication requests from external user accounts in partner organizations or from clients on the Internet.
- Federation Service Proxy is normally deployed in a perimeter network and collects and forwards user credentials to the federation service, thus helping the federation servers to avoid direct exposure to the Internet.
- Account partner stores and manages user accounts in AD FS or AD LDS that will access Web-based apps in the resource partner.
- Claims provider provides claims to its users.
- Resource partner hosts the Web servers with the Web-based apps and that trusts the account partner to authenticate users securely.
- Relying party is the organization that wants to verify the end user's identity, i.e., it receives and processes claims.
- Relying party trusts are trust objects created in the AD FS 2.0 Management snap-in for account partner and resource partner organizations. The relying party trust object is a collection of identifiers, names, and rules identifying the partner or web-based app to the Federation Service.
- In the account partner organization, the trust represents the organization whose accounts will access the resource partner organization.
- In the resource partner organization, the trust is between the Federation Service and a single web-based app.
- AD FS Configuration database stores configuration data in an SQL Server 2005 or SQL Server 2008 database.
- Fsconfig.exe command-line or AD FS 2.0 Federation Server Configuration Wizard to configure a new federation server and a new Federation Service.
- AD FS Web agent is used to allow or deny access to a Web app by a user. A Web agent is a component of AD FS and is used for two different types of Web apps:
- Claims-aware apps are Microsoft ASP.NET apps that are written using the AD FS library to make authorization decisions based on AD FS security tokens. Claims are statements made about users in AD FS, such as a name, identity, privilege, or capability, and are used for authorization.
- Windows-based token-enabled apps are legacy applications not coded to support claims, but authorized based on security identifiers (SIDs) and access control lists (ACLs).
- Automate creation of Active Directory Accounts
- netdom join command used to join a workstation or member server to a domain. When you join the computer to the domain, the computer account is created on the domain, if it does not exist.
- csvde command used to import user accounts from a CSV file. No password information can be imported. Built into Windows Server 2008. Available if you have AD DS or AD LDS server role.
- example: csvde -i -f d:\TestLab\Lab01\NewEmps.csv -k
- -i option is for import
- -f option is for filename
- -k option tells it not to quit on an error. If you try to import an account that already exists in Active Directory, you will receive an error that stops the process.
- Windows PowerShell is supported by Windows Server 2008 R2 to create new user, computer, and group accounts. PowerShell performs other AD tasks by using cmdlets.
- The ldifde command is used to export and import AD account information using LDIF format files.
- example: ldifde -i -f d:\TestLab\Lab01\NewEmps.ldf -k
- -i option is for import
- -k option means to continue past errors, such as when the object already exists
- ADSI (Active Directory Service Interfaces) can be used with VBScript or JScript to create accounts programmatically. ADSI enables common administrative tasks.
- ADMT (Active Directory Migration Tool) is used to migrate accounts from one domain to another.
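As an added example (not from the original notes), the PowerShell route mentioned above done as a bulk import from the same kind of CSV that csvde reads; unlike csvde it can set an initial password. The CSV columns, the destination OU and the contoso.com UPN suffix are assumptions.

```powershell
# Added example: bulk-create user accounts from a CSV with the Windows Server 2008 R2
# Active Directory module. csvde cannot import passwords, so each account is given a
# random initial password here and must change it at first logon.
# Assumed (hypothetical) CSV layout, one user per row:
#   GivenName,Surname,SamAccountName,Department
#   Tina,Thorsen,tthorsen,Information Technology
Import-Module ActiveDirectory

$csvPath   = 'D:\TestLab\Lab01\NewEmps.csv'                     # same path as the csvde example
$targetOU  = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'   # assumed destination OU
$upnSuffix = 'contoso.com'                                       # assumed UPN suffix

function New-InitialPassword {
    # 16 random printable ASCII characters; the user replaces it at first logon.
    $chars = [char[]](33..126)
    $plain = -join (Get-Random -InputObject $chars -Count 16)
    return ConvertTo-SecureString -String $plain -AsPlainText -Force
}

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $sam = $row.SamAccountName
    # Continue past duplicates instead of aborting the run (the csvde/ldifde -k behaviour).
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        "SKIP    $sam (already exists)"
        continue
    }
    try {
        New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
            -GivenName $row.GivenName `
            -Surname $row.Surname `
            -SamAccountName $sam `
            -UserPrincipalName "$sam@$upnSuffix" `
            -Department $row.Department `
            -Path $targetOU `
            -AccountPassword (New-InitialPassword) `
            -ChangePasswordAtLogon $true `
            -Enabled $true
        "CREATED $sam"
    } catch {
        "ERROR   $sam : $($_.Exception.Message)"
    }
}
$results
```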
- Maintain Active Directory Accounts
- Assign permissions to group accounts
- Recommendation: add global groups to domain local groups and assign permission to the domain local groups.
- Delegate permission to manage user accounts on the OU that contains the accounts.
- Manually remove the delegated permissions if the user account is moved to another OU.
- Restricted Groups policy
- Allows you to limit the membership of a group.
- Universal Group
- Can contain members from any domain and can be added to a domain local group in any domain in the forest that has a trust relationship.
- Useful in multi domain forests.
- Global Group
- Can be seen by every domain in the forest that trusts its domain.
- Membership is restricted to users within its own domain.
- A global group has local membership, but a global scope.
- Domain Local Group
- Can contain universal groups and users and groups from any trusted domain in the forest.
- Can only be used to grant permission to resources in its own domain (domain-wide scope).
- Distribution Group
- Used to create email distribution lists.
- Not security enabled. Has its own security ID you can give permissions to.
- Security Group
- Used to provide shared resource access to a group of users.
- Used to filter group policy settings.
- Group Scope
- Local
- Global
- Domain Local
- Universal
- Active Directory Administrative Center
- Available in Windows Server 2008 R2 to graphically manage Active Directory
- Active Directory PowerShell
- Cmdlets to manage AD:
- Set-ADUser, Set-ADGroup, Set-ADComputer
- Modifies the properties of a user, group, or computer.
- Remove-ADUser, Remove-ADGroup, Remove-ADComputer
- Deletes a user, group, or computer.
- Rename-ADObject
- Renames an object.
- Set-ADAccountExpiration, Set-ADAccountPassword
- Modifies the password expiration or password for an account.
- Command-line utilities:
- dsquery (retrieve objects)
- dsquery user -name "Tina Thorsen" (this returns the full DN)
- dsquery objectType -limit
- objectType: user, computer, group, ou
- ex: dsquery user -limit 50
- by default, search scope is the entire domain
- -limit switch to specify number of results
- 100 is default
- 0 means "return all results"
- dsquery objectType -attribute "criteria"
- attribute is objectType specific: dsquery objectType /?
- user attributes: -name, -samid, -office, -desc
- ex: dsquery user -name Thor* (this pulls all user names beginning with Thor)
- put the criteria in quotes if there is a space, wildcards are allowed (*)
- dsquery objectType BaseDN -scope {subtree|onelevel|base}
- specify search scope
- ex: dsquery user -desc "New York*" (this retrieves all users in the New York office)
- if you receive a warning that your dsquery has reached the limit:
- ex: dsquery user -desc "*New York*" -limit 0
- dsget (retrieve object attributes)
- dsget user -email
- dsget user "cn=Tina Thorsen,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -email
- dsadd: add an object with dsadd
- dsadd ou "OU=Testlab,DC=contoso,DC=com"
- dsadd group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" -samid Sales -secgrp yes -scope g
- dsrm: delete an account (give the full path)
- dsrm UserDN
- dsmove: move an object with dsmove
- dsmove objectDN -newparent targetOUDN
- objectDN: object to be moved
- targetOUDN: destination OU
- dsmove objectDN -newname newName
- objectDN: object to be moved
- newName: new name for object (used in the Relative Domain Name)
- dsmod: change the account characteristics
- dsmod objectType "objectDN" -attribute "new value"
- ex: dsmod user "cn=Tina Thorsen,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -dept "Information Technology" (this updates Tina's department; dsmod takes the object's full DN, not its display name)
- Pipe DNs from DSQuery to other DS commands
- Pipe (send) the DNs from dsquery to dsget with | (the | is the sign of pipe, a straight up and down line)
- example: dsquery user -name "Tina Thorsen" | dsget user -email
- Or multiple results: dsquery user -name "Tina*" | dsget user -email
- ex: dsquery user -name "*Thorsen" | dsmod group "cn=Tech Support,ou=Role,ou=Groups,dc=contoso,dc=com" -addmbr (This adds the Thorsens to the Tech Support group)
- dsquery user "ou=Admins,dc=contoso,dc=com" | dsmod user -department "Information Technology" (this command takes the list and feeds it onto the pipe command to change everyone in that OU to Information Technology)
- dsget group groupDN -members | dsget user -samid
- dsquery group -name "Tech Support" | dsget group -members
- dsquery user -desc "Tech Support" | dsget user -email
- dsquery user -desc "Tech Support" | dsmod user -hmdir "X:" (this command configures the home folder for the users in Tech Support)
- Prevent AD objects from being accidentally deleted:
- Active Directory Users and Computers and RSAT (Windows Server 2008 Remote Server Administration Tools)
- Protect object from accidental deletion option.
- If you disable an account instead of deleting the account, then you can re-enable it later with a different name and retain the same characteristics. This way you will not have to recreate the account:
- dsmod: use with the -disabled parameter.
- Active Directory Administrative Center (with Windows Server 2008 R2).
- Set-ADUser cmdlet: use with the -Enabled parameter.
- Group Policy preferences
- Enables you to deploy settings to clients and computers and enables you to decide which settings to enforce.
- You can create a GPO for each site with GPO preferences that are site-specific.
- You cannot define preference settings for sites in a local GPO.
- Software Restrictions and AppLocker policies
- Must be in separate GPOs.
- XP and Vista computers ignore AppLocker rules.
- If you apply Software Restrictions and AppLocker rules in a Windows 7 computer, only the AppLocker rule will be applied.
- Default policies applied in the following order:
- Local GPOs
- Site GPOs
- Domain GPOs
- Top-level OU GPOs
- Child OU GPOs
- Enforced option
- Prevents policies applied at lower levels in the hierarchy from overriding settings in the policy.
- Block Inheritance option
- Prevents settings from being inherited from policies applied higher in the hierarchy.
- Loopback Processing mode
- If the Loopback Processing mode is enabled and the Replace option set, the GPO policies that apply to the user account are ignored.
- WMI filtering
- Use to only apply policies to specific computers (for example, running a particular OS).
- Security filtering
- Use to only apply policies to specific security groups.
- Delegation of Control Wizard or Delegation tab in the GPMC
- Use to control permissions allowed for GPO management tasks.
- Tip: Limit containers processed to reduce the amount of time to apply GPOs
GPO Templates
- ADMX
- Used by Windows Server 2008 and later and Windows Vista.
- Displays registry-based policy settings.
- ADMX files are stored on the administrative workstation or in a central store.
- The central store (%systemroot%\sysvol\domain\policies\PolicyDefinitions) folder contains the language-neutral ADMX files and subfolders for each supported language (ADML files).
- To deploy a set of administrative templates to a partner:
- Copy ADMX files from your PDC emulator to the PolicyDefinitions folder on the partner's PDC emulator.
- Security Templates
- Computer Configuration | Security Settings node
- Use Security Templates to create a security policy that contains settings for any policy.
- Administrators can apply a security policy to a computer or deploy it by importing it to a GPO.
- Starter GPO
- A special type of GPO you can import when creating a new GPO.
- Helps minimize the number of GPOs you need to link to a container.
- Saves time when creating similar GPOs.
- Can be saved as cabinet files that can be imported by others and used as a baseline for creating custom GPOs.
- PowerShell cmdlets
- Use to manage GPOs, such as:
- Backup-GPO
- Copy-GPO
- Import-GPO
- New-GPO
- New-GPLink
- Remove-GPO
- Remove-GPLink
- Rename-GPO
- Restore-GPO
- Set-GPInheritance
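An added example (not from the original notes) that ties the Enforced and Block Inheritance options above to the GPO cmdlets just listed: create a GPO from a Starter GPO, link it enforced, block inheritance on a child OU, and take a backup that Restore-GPO can roll back to. The Starter GPO name, the OUs and the backup folder are assumptions.

```powershell
# Added example: create, link, protect and back up a GPO with the Group Policy module.
# Assumed (hypothetical) names: the Starter GPO 'Corp Baseline', the OU
# OU=Workstations,DC=contoso,DC=com and its child OU=Kiosks, and the backup folder.
Import-Module GroupPolicy

$gpoName   = 'Workstation Security Baseline'
$targetOU  = 'OU=Workstations,DC=contoso,DC=com'
$kioskOU   = "OU=Kiosks,$targetOU"
$backupDir = 'D:\GPOBackups'

# 1. Create the GPO from a Starter GPO so it begins from the agreed baseline settings.
$gpo = New-GPO -Name $gpoName -StarterGpoName 'Corp Baseline' -Comment 'Baseline for workstations'

# 2. Link it to the OU. Enforced = Yes means GPOs linked lower in the hierarchy
#    (child OUs) cannot override its settings, even where inheritance is blocked.
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -Enforced Yes | Out-Null

# 3. Block inheritance on the kiosk OU so it receives only GPOs linked to it directly
#    (plus any Enforced links from above, such as the one just created).
Set-GPInheritance -Target $kioskOU -IsBlocked Yes | Out-Null

# 4. Back up every GPO in the domain before further changes. Each backup gets an ID that
#    Restore-GPO and Import-GPO accept, so an unwanted change can be rolled back.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -All -Path $backupDir -Comment ("Pre-change snapshot " + (Get-Date -Format s)) |
    Select-Object DisplayName, Id, CreationTime

# 5. Show what the kiosk OU will actually process: its own links plus inherited Enforced links.
$inh = Get-GPInheritance -Target $kioskOU
"Inheritance blocked on {0}: {1}" -f $kioskOU, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Enabled, Order

# Rolling back: restore the most recent backup of this GPO from the folder.
# Restore-GPO -Name $gpoName -Path $backupDir
```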
- New Group Policy settings in Windows Server 2008 R2 provide settings you can use to specify whether PowerShell scripts or non-PowerShell scripts run first at startup, shutdown, logon, or logoff.
- By default, non-PowerShell scripts run first.
Software Deployment GPOs
- To deploy software using a GPO:
- Create a distribution point, i.e., a shared folder, and copy the installation files into it.
- Use GPME (Group Policy Management Editor) to configure a GPO with the deployment characteristics.
- When you create a software installation package for an app:
- Reference the .msi file. If no .msi file exists for the app, use the .zap file.
- A .mst (transform) file can be used with a .msi file to customize an application deployment to install only selected components or to change the language for the app's UI.
- Use .msp (patch) files to install patches and hotfixes, automatically.
- To perform an upgrade of existing software, add the package for the existing software to the Upgrades tab of the new package.
- Deploy software by publishing or assigning:
- Assigning software to user accounts - installation occurs when the app is first accessed via the Start menu or an app shortcut.
- Assigning software to computer accounts - installation occurs when computer is rebooted.
- Publishing software to user accounts - installation is performed manually by the user.
- Remove an installed application
- Go to Computer or User Configuration
- Right-click the app and select All Tasks | Remove and one of these options:
- Immediately uninstall the software for all users and computers.
- Allow users to continue using the software, but disallow any new installations.
See my blog about the new security feature along with more detail in Windows Server 2008:
- Windows Server 2008 and later lets you create multiple password policies in a domain
- The password policy is linked to users or global groups.
- Fine-grained password policies let you assign different password strength, expiration, and account lockout policies to a user or global group.
- Fine-grained passwords are not implemented as part of Group Policy.
- A separate object class called Password Settings Object (PSO) is used to maintain the fine-grained password settings.
- Stored in the Password Settings container created by default under the domain's System container in Active Directory Users and Computers. If you don't see the System container, turn on Advanced Features by going to the View menu.
- Maintained by a low-level tool called ADSIEdit (Active Directory Service Interface Editor).
- Must be a member of the Domain Admins group to maintain PSOs.
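Added example (not from the original notes): the same PSO that ADSIEdit would build by hand, created with the Windows Server 2008 R2 AD module, bound to a global group, and checked against a member. The PSO name, the group and the user are hypothetical.

```powershell
# Added example: define a fine-grained password policy with the AD module and bind it to
# a global group. Names (PSO-Admins, the group 'Tier0 Admins', user tthorsen) are hypothetical.
Import-Module ActiveDirectory

$psoName = 'PSO-Admins'
$group   = 'Tier0 Admins'   # must be a user or a global security group; other scopes are rejected

# 1. Create the Password Settings Object. Lower Precedence wins if several PSOs apply to one user.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# 2. Apply it to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 3. It lives in the Password Settings Container under System, where ADSIEdit would show it.
$psc = "CN=Password Settings Container,CN=System," + (Get-ADDomain).DistinguishedName
Get-ADObject -SearchBase $psc -Filter 'objectClass -eq "msDS-PasswordSettings"' |
    Select-Object Name, DistinguishedName

# 4. Check the policy a member will actually get (null means the Default Domain Policy applies).
$user = 'tthorsen'
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($effective) {
    "{0}: {1} (min length {2}, lockout after {3} attempts)" -f $user, $effective.Name,
        $effective.MinPasswordLength, $effective.LockoutThreshold
} else {
    "$user is governed by the Default Domain Policy"
}
```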
- You receive a message: "The user account has expired. Ask your domain administrator to reactivate the account."
- Modify the properties of the user account to set the account to never expire.
- Windows Server 2008 lets you set up an audit policy subcategory to log both old and new values when you make a change to objects and attributes.
- There are four subcategories:
- Directory Service Access
- Controls whether auditing for directory service events is enabled and logged in the security log.
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
- In Windows Server 2008, implement the new audit policy by utilizing these controls:
- Global Audit Policy
- Set the Global Audit Policy in the Default Domain Controllers Group Policy under Security Settings\Local Policies\Audit Policy.
- You can only use auditpol.exe to view or set Audit Policy subcategories.
- SACL
- Control the operations to audit by modifying the SACL on an object.
- Set a SACL on an object on the Security tab of the object properties dialog box.
- Schema
- Additional control in the schema lets you set what objects are not audited.
- Audit registry changes at the domain level:
- Modify Default Domain Policy GPO
- Changes to domain security policy settings should always be made in the Default Domain Policy GPO.
- Audit logon events policy
- Determines whether to log each instance of a user logging onto or off of a computer, or making a network connection.
- Enhancements in Windows Server 2008 R2 for auditing:
- Global Object Access Auditing
- Admins can define computer-wide SACLs for the file system or registry.
- "Reason for Access Reporting"
- Provides info about the permissions to allow or deny access to an object.
- Advanced Audit Policy Settings
- 53 new settings to target the type of activities to audit to make audit logs more manageable.
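Added example (not from the original notes) putting the three controls above together: auditpol.exe for the Directory Service Changes subcategory, a SACL on an OU, and a look at the resulting Security log events. The OU is hypothetical.

```powershell
# Added example: turn on change auditing for AD DS and put a SACL on an OU so that writes
# to objects in it are recorded with old and new values (event 5136 in the Security log).
# The OU OU=Admins,DC=contoso,DC=com is hypothetical.

# 1. Subcategories can only be set with auditpol.exe, not through the legacy policy UI.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:disable
auditpol /get /category:"DS Access"

# 2. Add an audit entry (SACL) on the OU. Without a SACL the subcategory alone records nothing.
Import-Module ActiveDirectory
$ouPath   = 'AD:\OU=Admins,DC=contoso,DC=com'
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known Everyone SID

$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, Delete, DeleteChild, CreateChild',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path $ouPath -Audit      # -Audit is required to read (and later write) the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 3. Confirm the SACL now carries the entry.
(Get-Acl -Path $ouPath -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType

# 4. Review resulting changes: 5136 = object modified (carries the attribute's old and new
#    value), 5137 = created, 5139 = moved, 5141 = deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```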
- Backup and Restore
- Wbadmin:
- Replaced the Ntbackup command used in earlier versions of Windows
- Run from command prompt
- Windows Server 2008 or later
- Create or modify a backup schedule
- Display current backup settings:
- Run Wbadmin without parameters
- In Windows Server 2008 R2, you can exclude specific files from backup
- Recover a folder:
- Wbadmin start recovery -itemtype:File
- Recover system state data from backups
- wbadmin start systemstaterecovery
- In Windows Server 2008, you cannot back up only system state data:
- You must back up all critical volumes
- Critical volumes include:
- System volume (boot files)
- Boot volume (Windows OS and registry)
- Then, back up system state data
- Non-authoritative restore:
- Restores from the backup and then allows normal replication to overwrite the state with any changes that occurred after the backup was taken.
- Non-authoritative restore of a domain controller by using an existing backup:
- Restart domain controller in DSRM (Directory Services Restore Mode) to take the domain controller offline.
- Use one of these backups for your restore source:
- System state backup
- This type of backup is used to restore AD DS. Use the wbadmin start systemstaterecovery command.
- Critical-volumes backup
- OS and registry, boot files, SYSVOL files, or Active Directory files. Use Wbadmin start sysrecovery.
- Full server backup
- Use this only if you cannot start the server, or if you do not have a system state or critical-volumes backup.
- Active Directory Recycle Bin:
- Windows Server 2008 R2
- Recover accidentally deleted Active Directory objects
- Domain and Forest functional levels must be set to Windows Server 2008 R2
- Set functional levels using PowerShell:
- Set-ADForestMode (forest functional level)
- Set-ADDomainMode (domain functional level)
- Enable the Active Directory Recycle Bin:
- Enable-ADOptionalFeature cmdlet (Microsoft recommended method)
- Ldp.exe
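Added example (not from the original notes): the functional-level checks, the Enable-ADOptionalFeature call and a recovery of a deleted user, as one script. The forest name and the user are hypothetical.

```powershell
# Added example: enable the Windows Server 2008 R2 Recycle Bin and recover a deleted user.
# Forest name contoso.com and the user 'Tina Thorsen' are hypothetical. Raising functional
# levels and enabling the feature are both irreversible.
Import-Module ActiveDirectory
$forest = 'contoso.com'

# 1. Both levels must be Windows Server 2008 R2 before the feature can be enabled.
if ((Get-ADDomain -Identity $forest).DomainMode -ne 'Windows2008R2Domain') {
    Set-ADDomainMode -Identity $forest -DomainMode Windows2008R2Domain -Confirm:$false
}
if ((Get-ADForest -Identity $forest).ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false
}

# 2. Enable the optional feature for the whole forest (the Microsoft-recommended route).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest -Confirm:$false
}

# 3. Find the deleted object. Deleted objects keep their name with a "\0ADEL:<guid>" suffix,
#    so match on the leading part, and ask for lastKnownParent to see where it lived.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like "Tina Thorsen*" } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# 4. Restore it to its original container with SID, group memberships and attributes intact.
#    If the whole OU was deleted, restore the parent OU first or Restore-ADObject fails.
$deleted | Where-Object { $_.ObjectClass -eq 'user' } | Restore-ADObject

# 5. Only objects still inside the deleted-object lifetime can be restored this way.
#    An empty value means the tombstone lifetime is used instead.
$dsCfg = "CN=Directory Service,CN=Windows NT,CN=Services," + (Get-ADRootDSE).configurationNamingContext
(Get-ADObject -Identity $dsCfg -Properties 'msDS-DeletedObjectLifetime').'msDS-DeletedObjectLifetime'
```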
- In Windows 2008 and later, you can compact the Active Directory database offline.
- The AD DS server role can be stopped and restarted. While the AD DS is stopped, other domain controllers can service new domain logon requests.
- Use Server Manager or Net stop ntds to stop AD DS.
- Use the ntdsutil command with appropriate parameters to create a new compacted version of the database in a different location that can be copied back to the original location.
- After the database is compacted, copy the ntds.dit file back to its original location.
- Windows Reliability and Performance Monitor is an MMC snap-in that combines several stand-alone tools available in previous Windows versions: Performance Logs and Alerts, Server Performance Advisor, and System Monitor. It also includes the Reliability Monitor.
- New Features:
- Data Collector Sets (includes default Data Collector Set templates to collect performance data).
- Wizards and templates for creating logs (add counters to log files and stop and start their duration).
- Resource view (real-time graphical overview of CPU, disk, memory, and network usage).
- Reliability Monitor (calculates a System Stability Index)
- Unified property config for all data collection, including scheduling (if you find that a data collector set is useful, you can save it as a template, for future use).
- User friendly diagnosis reports (report generation is improved and reports can be generated from data collector sets).
- Active Directory Best Practices Analyzer
- New tool in Windows Server 2008 R2 to ensure your Active Directory environment meets Microsoft best practices.
- You can perform BPA tasks using PowerShell cmdlets.
- Event Viewer
- Event subscriptions to capture events on a remote computer and forward to a central computer for review.
- Custom views may be created.
- Modify the registry to customize detail logged.
- Dcdiag
- Active Directory domain controller diagnostic tool used to analyze whether a domain controller is working in a domain or forest properly and identify problems to help in troubleshooting.
- Network Monitor
- netmon is used to monitor and capture network traffic.
- Repadmin
- Used to monitor Active Directory replication between domain controllers.
- View replication topology.
- AD CS provides services you can customize for public key certificates in software security systems that use public key technologies (PKI).
- Use the Add Roles Wizard to set up the Active Directory Certificate Services option and choose to install any of the following components of AD CS:
- Certification Authorities (CAs) - used to issue, revoke, and manage certificates for users, computers, and services, and manage their validity. Enterprise CAs are integrated with Active Directory. Enterprise CAs publish certificates and CRLs to Active Directory.
- CA Web Enrollment - allows Web-based enrollment of certificates.
- Online Responder Service - Implements the OCSP (Online Certificate Status Protocol) that retrieves the revocation status for certificates issued by a CA and responds to client requests for the status of the certificate.
- NDES (Network Device Enrollment Service) - allows routers and other network services to receive certificates.
- A root CA issues certificates to subordinate issuing CAs.
- OCSPs and Enterprise CAs
- Can be installed on Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
- Stand-alone CA
- AD DS not required and stand-alone CAs do not use certificate templates.
- PKI (Public Key Infrastructure)
- The PKI service of authentication employs a digital signature using cryptographic mechanisms and is associated with three primary services:
- Authentication - assurance the entity is who she or he claims to be
- Integrity - assurance to the entity the data has not been altered
- Confidentiality - assurance no one can read the data except the intended receiver
- CRL (Certificate Revocation List):
- File that contains a list of revoked certificates, along with their serial numbers, revocation dates, the issuer of the CRL, the effective date, and the next update date.
- The default CRL retrieval time is 15 seconds.
- Increase the CRL retrieval time through Group Policy settings.
- When CRLs become too large to download, applications will report errors during the download.
- CDP (CRL distribution point):
- Network location where the CRL is downloaded. The CDP is in the details tab of the certificate. It is common to list multiple CDPs with different access methods to accommodate different Web browsers and servers when retrieving CRLs. By default, the CDP is published to the %Systemroot%\System32\CertSrv\CertEnroll folder on the CA.
- If the security policy prevents port 443 and port 80 from being open on domain controllers, install the Certificate Enrollment Service on a member server.
- Delta CRLs:
- Only replicate new revocations to each CRL distribution point.
- Benefit: smaller file and less network traffic.
- Backup Operators group members or the Certification Authority Administrator can use the following to back up the CA:
- Back Up CA command in the Certification Authority.
- certutil -backup BackupDirectory.
- Implement key archival on a CA:
- Configure a key recovery agent certificate template.
- Add key recovery agent certificate template to an enterprise CA.
- Enroll key recovery agents.
- Issue a key recovery agent certificate.
- Configure a CA for key archival and recovery.
- Restart the CA.
- Certificate templates format the content of certificates to define which users and computers can enroll for what type of certificates and the type of enrollment process such as:
- Autoenrollment
- Manual Enrollment
- Enrollment with only authorized signatures
- Use the Certificate Templates snap-in (within the Certificate Authority snap-in) to create and modify the templates.
- Security Principals
- User, computer, or security group that can be assigned permissions in a DACL.
- Each certificate template has a DACL (Discretionary Access Control List) with the security principals permissions to read and configure the template and to enroll and autoenroll for certificates as defined in the template.
- Permissions for the templates
- Full Control
- Read
- Write
- Enroll
- Autoenroll
- You can modify certificate templates with Standard Edition of Windows Server 2008, but you cannot deploy them unless you have an Enterprise edition of Windows Server 2008 because they depend on Active Directory.
- Common default certificate templates that can be customized:
- Smartcard User - users can log on and protect email with a smart card.
- Smartcard Logon - users can logon using a smart card.
- User Signature Only - users can add digital signatures.
- A certificate template definition must be available to all CAs in the forest, so it is stored in the Configuration naming context (CN=Configuration,DC=ForestRootName). This happens automatically through replication; the template might not be available to all CAs in the forest until the replication schedule has completed.
- Autoenrollment
- You can use Group Policy to automatically enroll for user certificates.
- Enable autoenrollment to allow users to obtain the certificate automatically.
- Requires the Autoenroll, Enroll, and Read permissions.
- Enrollment Agent
- Issued enrollment agent certificate.
- Enables the enrollment agent to issue smart card certificates on behalf of other users.
- Restricted Enrollment Agents
- Windows Server 2008 Enterprise-based CAs and later.
- Allows an enrollment agent to be used for one or more certificate templates. For each template, you can choose the users or security groups the agent can enroll for.
- Windows Server 2008 R2 supports cross-forest enrollments
- At least one CA server must be running Windows Server 2008 R2.
- A two-way forest trust must exist between the resource and the account forest.
- Domain member computers in the forests must be running:
- XP
- Windows Server 2003
- Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
- Certificate Revocations
- All certificates are issued with a validity period.
- Reasons a certificate might become invalid before the validity period expiration:
- Certificate key is compromised.
- CA that issued the certificate has been compromised.
- Certificate is no longer valid and has been superseded by another certificate.
- Fraudulent certificate.
- Certificate subject no longer a trusted entity.
- Certificate subject name change.
- To revoke a certificate:
- Go to the Certificate Authority snap-in.
- After the certificate is revoked, the CRL should be published.
- When the enterprise root certificate is revoked, no other certificates issued by the CA are valid.
- Certificate "Hold"
- You want to revoke the certificate at a future time. These are the only certificates that can be un-revoked.