http://www.supinfo.com
Active Directory Operations Master
AD DS Management Tools
1. Course
1.1. Overview of Active Directory Domain Services
Windows Server 2008 Active Directory Domain Services (AD DS) is a Windows-based directory service that provides centralized management and authentication for a network. It:
Provides information about user objects, computers, and other network resources and services (such as an e-mail address).
Stores all this information in a secure database and provides the tools for managing and searching the directory.
Allows you to manage all network user accounts and resources in a single location and to apply policies to the directory objects so that all of them are managed consistently.
A directory service is both the directory information source and the service that makes the information available and usable. It can therefore describe objects (users, groups, computers or services) and also authenticate them and control their access to network resources.
2. Groups of these objects can then be created
3. A client can use the user account to authenticate against AD DS
4. The user can try to access network resources
5. The resources validate the authenticated user against AD DS again
CN is the Common Name of the object in its container. In this case, it is also the RDN (Relative Distinguished Name).
OU is the organizational unit that contains the object. You can find more than one organizational unit level.
DC means Domain Component. It is used to represent parts of the domain name. You have at least two domain components but possibly more if you have child domains.
Object classes define what kind of objects can be created in the directory. For example: user class or computer class.
Attributes are defined separately from object classes. They define what information can be stored for each object class. For example: display name, description, telephone number...
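As an added illustration (not part of the course material), the following Python script takes a distinguished name apart into its RDN, its OU path and the domain built from the DC components. The DN is a constructed sample; the escape handling follows RFC 4514 (a comma inside a value is written "\," or "\2C"), which is the detail that breaks naive "split on comma" code.

```python
# Added example (not from the course): parse an AD distinguished name into its
# RDN, OU path and domain. The DN is a constructed sample; "Smith\, John" shows
# an RFC 4514 escaped comma, which must stay inside one RDN value.
SAMPLE_DN = r"CN=Smith\, John,OU=Sales,OU=Users,DC=corp,DC=example,DC=com"

HEX = "0123456789abcdefABCDEF"


def split_dn(dn):
    """Split a DN on unescaped commas into (TYPE, raw_value) pairs, leftmost first."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape with its char
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    rdns = []
    for part in parts:
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def unescape(raw):
    """Decode RFC 4514 escapes: '\\,' -> ',' and '\\2C' -> ','."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            if i + 2 < len(raw) and raw[i + 1] in HEX and raw[i + 2] in HEX:
                out.append(chr(int(raw[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(raw[i + 1])
                i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def describe_dn(dn):
    """RDN, OU path (top-level OU first), domain name and parent container of a DN."""
    rdns = split_dn(dn)
    rdn_type, rdn_raw = rdns[0]
    ous = [unescape(v) for t, v in rdns if t == "OU"]
    dcs = [unescape(v) for t, v in rdns if t == "DC"]
    if len(dcs) < 2:
        raise ValueError("an AD DN carries at least two DC components")
    return {
        "rdn": f"{rdn_type}={unescape(rdn_raw)}",
        "ou_path": list(reversed(ous)),      # container directly under the domain first
        "domain": ".".join(dcs),
        "parent": ",".join(f"{t}={v}" for t, v in rdns[1:]),   # raw, still escaped
    }


if __name__ == "__main__":
    print(describe_dn(SAMPLE_DN))
```

The "parent" value is kept in escaped form on purpose: it is what you pass back to the directory when creating a sibling object, whereas the decoded RDN is what you display.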
1.2.2. Domains
As the most basic logical unit in the AD DS infrastructure, domains are used to group and manage the AD DS objects in an organization.
Domains provide:
An authentication and authorization boundary that provides a way to limit the scope of access to resources.
Each domain must have at least one domain controller installed. In fact, you create a domain by installing the first domain controller in the domain, and you remove a domain by removing the last domain controller in the domain. To install a domain controller on Windows Server 2008, you have to run the following command:
1.2.3. Trusts
Trusts provide a way for users to gain access to resources in another domain. Domains can grant secure access to shared resources to users from other domains through authenticated connections called trusts. Trusts enable users to:
Access resources in domains other than the domain where their user account is configured.
Log on to computers that are members of domains other than the domain where their user account is configured.
When you configure a trust you have two options:
Direction: a trust can be one-way or two-way. In a one-way trust, the trusting domain (the one holding the resources) trusts the trusted domain (the one holding the accounts), so access flows from the trusted domain to the trusting domain. A two-way trust is two one-way trusts, one in each direction.
Transitivity: a transitive trust extends beyond the two domains that define it to the other domains they trust. For example, if domain A trusts domain B, and domain B trusts domain C, then domain A trusts domain C. A non-transitive trust applies only to the two domains that define it.
By default, trust relationships are created between all domains in a forest: every domain in a forest trusts every other domain in that forest. You can also create trusts with domains outside the forest.
Child domains have a two-way transitive trust with their parent domain (called a parent/child trust)
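To make the direction and transitivity rules concrete, here is an added Python model (not code from the course) of a trust graph. Domain names are constructed: a forest with a root, two child domains and a second tree, plus a one-way non-transitive external trust to a partner domain. The check walks trusts from the resource domain towards the account's domain; a direct trust always works, but a path of more than one hop is only valid if every trust on it is transitive, which is why an external trust never reaches the child domains on either side.

```python
# Added example (not from the course): a small trust model to check whether an
# account from one domain can be authorised in another. Domain names are constructed.
from collections import deque


class TrustGraph:
    def __init__(self):
        # trusting domain -> list of (trusted domain, transitive?)
        self.trusts = {}

    def add_trust(self, trusting, trusted, transitive, two_way=False):
        """'trusting' accepts accounts from 'trusted' (access flows trusted -> trusting)."""
        self.trusts.setdefault(trusting, []).append((trusted, transitive))
        self.trusts.setdefault(trusted, [])
        if two_way:
            self.trusts[trusted].append((trusting, transitive))

    def add_forest_link(self, parent, child):
        """Parent/child and tree/root trusts are two-way and transitive."""
        self.add_trust(parent, child, transitive=True, two_way=True)

    def can_access(self, account_domain, resource_domain):
        """Can an account from account_domain be authorised by resource_domain?

        A direct trust works whatever its transitivity. A longer path only works
        if every trust on it is transitive, so a non-transitive external trust
        never extends to the children of either side.
        """
        if account_domain == resource_domain:
            return True
        if any(t == account_domain for t, _ in self.trusts.get(resource_domain, [])):
            return True
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            domain = queue.popleft()
            for trusted, transitive in self.trusts.get(domain, []):
                if not transitive or trusted in seen:
                    continue
                if trusted == account_domain:
                    return True
                seen.add(trusted)
                queue.append(trusted)
        return False


def build_sample_forest():
    """Constructed forest: root + two children + a second tree, plus an external trust."""
    g = TrustGraph()
    g.add_forest_link("corp.example.com", "eu.corp.example.com")    # parent/child
    g.add_forest_link("corp.example.com", "us.corp.example.com")    # parent/child
    g.add_forest_link("corp.example.com", "fabrikam.com")           # tree/root
    # one-way external trust: corp.example.com trusts partner.local, non-transitive
    g.add_trust("corp.example.com", "partner.local", transitive=False)
    return g


if __name__ == "__main__":
    g = build_sample_forest()
    for acct, res in [("eu.corp.example.com", "us.corp.example.com"),
                      ("partner.local", "corp.example.com"),
                      ("partner.local", "eu.corp.example.com"),
                      ("corp.example.com", "partner.local")]:
        print(f"{acct} -> {res}: {g.can_access(acct, res)}")
```

The model answers only "is there a trust path"; it does not represent selective authentication or SID filtering, which can further restrict what a trust path allows.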
1.2.5. Forests
A forest is a collection of one or more domain trees. All domains and domain trees exist within an Active Directory forest. A forest is created when you install the first domain in the forest; this first domain is called the forest root domain. By default, the information in Active Directory is shared only between domains in the forest, so the forest is the security boundary for the information stored in the Active Directory instance. Some forest specifications:
Share the Enterprise Admins and Schema Admins groups
By default, all domains in a forest trust each other: a two-way transitive trust is created between each domain tree and the forest root domain (called a tree/root trust).
Apply policies
1.2.7. AD DS Objects
AD DS objects are entities created on AD DS domain controllers. They represent resources (printers), services (shared folders) or users (both individuals and groups). Each object has its definition and attributes in the Active Directory schema. This makes creating and administering new instances of a particular type of object very efficient.
InetOrgPerson: Used for compatibility with other directory services
Contacts: Used primarily to assign e-mail addresses to external users; does not enable network access
Groups: Used to simplify the administration of access control
Computers: Enable authentication and auditing for computer access to resources
Printers: Used to simplify the process of locating and connecting to printers
Shared folders: Enable users to search for shared folders based on properties
Directory's use of network bandwidth, you need to understand the physical structure.
The global catalog is also required for user logon process on to a domain and access to domain resources.
1.3.5. AD DS Replication
AD DS replication is the process that copies every change made to the AD DS database to all other domain controllers in a domain or forest. It ensures that all domain controllers hold the same information, since changes can be made on any domain controller (except Read-Only Domain Controllers). When you modify information in the AD DS database on a domain controller (for example, you create a new user account), that domain controller automatically sends the modification to all other domain controllers concerned by it (the domain controllers of the same domain in this example). The replication topology is generated automatically as new domain controllers are added to the domain, and it is verified regularly. Summary of AD DS replication:
Uses a multi-master replication model (changes can be made on any domain controller, except RODCs)
1.3.6. AD DS Sites
AD DS sites are used to represent your physical network. Indeed, many organizations have offices in different cities or countries and their network is divided in different geographical locations. In general, these offices are connected by WAN connections to be able to connect the different local networks. So we will use AD DS sites to represent a network segment where all domain controllers are connected by a fast and reliable network connection. AD DS sites will be connected to each other using site links. Sites are:
Used by site aware applications such as Distributed File System (DFS) or Exchange Server 2007
Used to assign group policy objects to all users and computers in a company location
Active Directory Users and Computers: A Microsoft Management Console (MMC) that is used to manage and publish information in Active Directory. You can manage user, group, and computer accounts, organizational units, add computers to a domain, manage account policies, user rights, and audit policy.
Active Directory Sites and Services: An MMC that is used to manage the physical structure. You can create and manage sites, site links, subnets, and the replication process.
Active Directory Domains and Trusts: An MMC that is used to manage domain trusts and forest trusts, add user principal name suffixes, and change the domain and forest functional levels.
Active Directory Schema: An MMC that is used to manage the schema. It is not available by default in the Administrative Tools menu. You must register a DLL to be able to use it. You have to run "regsvr32 schmmgmt.dll" command.
Dsadd, dsmod, dsrm, dsget, dsquery, dsmove : With these command-line tools you can create, modify or delete objects such as computers, servers, users, groups, organizational units, and contacts.
Ldifde : Command-line tool used to create, modify, and delete AD DS objects. Can also extend the AD DS schema, export users and groups information to other applications or services, and populate AD DS with data from other directory services.
Csvde : Command-line tool used to import and export AD DS data by using comma-separated files.
WSH: Windows Script Host, a scripting environment that runs Visual Basic Scripts (VBS), for example.
1. Course
1.1. Installing Active Directory Domain Services
Active Directory Domain Services is a server role in Microsoft Windows Server 2008. When you decide to install AD DS, you have several choices. You can choose to create a new domain, for a new forest or an existing one, or add a domain controller to an existing domain. You can also install AD DS on Windows Server 2008 Server Core or install a read-only domain controller. This lesson will describe the different ways to install Active Directory.
Windows Server 2008, Datacenter Edition
Here are the different requirements for installing AD DS:
Minimum disk space of 250 MB on a partition formatted with NTFS: 200 MB for the AD DS database and 50 MB for the AD DS database log files. Actual sizes depend on the number and type of objects in the domain. Additional disk space may be required if the domain controller is also a global catalog server.
Created by XMLmind XSL-FO Converter.
DNS Server that supports dynamic updates must be available or will be configured on the domain controller
Domain functional level: Supported domain controller operating systems
Windows 2000 native: Windows 2000, Windows Server 2003, Windows Server 2008
Windows Server 2003: Windows Server 2003, Windows Server 2008
Windows Server 2008: Windows Server 2008
Domain functional levels enable features across the domain.
Windows 2000 native:
Group nesting.
Group conversion: you can convert a security group into a distribution group and vice versa.
Security Identifier (SID) history: a special attribute used to keep the old SID of an object when it is migrated between domains.
Windows Server 2003: all default Active Directory features, all Windows 2000 native features, and the following:
The domain management tool netdom.exe can rename domain controllers.
Update of the logon time stamp: the lastLogonTimestamp attribute is updated with the last logon time of the user or computer.
The userPassword attribute can be set as the effective password on inetOrgPerson and user objects.
The Users and Computers containers can be redirected. By default these two containers store user and computer accounts; this feature lets you define a new location for them.
Constrained delegation, so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol.
Selective authentication: you can specify which users and groups from a trusted forest are allowed to authenticate to resource servers in a trusting forest.
Windows Server 2008: all previous features and the following:
Distributed File System Replication (DFSR) support for SYSVOL, which provides more reliable replication of SYSVOL contents.
Advanced Encryption Standard (AES 128 and AES 256) for the Kerberos protocol.
Last interactive logon information: the time of the last successful interactive logon for a user, the computer it came from, and the number of failed logon attempts since the last logon.
Fine-grained password policies (FGPP): password and account lockout policies can be specified for users and global security groups in a domain. With this feature you can have multiple password policies in one domain, which was not possible before.
Forest functional levels enable features across all domains in the forest.
Windows Server 2003:
Domain renaming.
Linked-value attribute replication: when you modify the membership list of a group, only the values that changed are replicated instead of the entire membership list, which lowers bandwidth and processor usage during replication.
The ability to deploy a Read-Only Domain Controller (RODC) running Windows Server 2008.
The ability to convert an inetOrgPerson object instance into a User object instance, and vice versa.
Windows Server 2008: no additional features, but all domain controllers added to the forest operate at the Windows Server 2008 domain functional level by default.
Install the AD DS role by using the Server Manager console, and run the Active Directory Installation Wizard by running DCPromo or by using Server Manager too.
Run DCPromo from the Run dialog or a command prompt. This automatically installs the AD DS server role and then launches the Active Directory Domain Services Installation Wizard. The installation process contains the following steps:
Install the Active Directory Domain Services role using Server Manager
Choose the deployment configuration (new domain in new forest, new domain in existing forest, add a domain controller to an existing domain...)
Select the additional domain controllers features (DNS Server, Global Catalog Server, Read-Only Domain Controller)
Select the location for the database, log files, and SYSVOL folder
You can select the Use advanced mode installation check box in the Active Directory Domain Services Installation Wizard Welcome page.
You can run the DCPromo /adv command in the Run command or a Command Prompt. Here are the different options you can find in advanced mode:
Command: Description
Create Full %s: Creates installation media for a writable domain controller into folder %s
Create RODC %s: Creates installation media for an RODC into folder %s
To create installation media, you must be able to log on to a domain controller interactively and be allowed to make a backup. Here is an example of how to create installation media. First, launch a Command Prompt with administrator privileges.
If you install the first Windows Server 2008 domain controller in the forest, you have to extend the schema (add the new attributes and classes specific to Windows Server 2008). To extend the schema, run "adprep /forestprep" from the Windows Server 2008 installation media. You need to be a member of Schema Admins and Enterprise Admins to perform this operation, and it is recommended to run the command on the domain controller that holds the schema master role.
If you install the first Windows Server 2008 domain controller in a Windows 2000 Server domain, you have to prepare the domain by running "adprep /domainprep /gpprep".
If you install the first Windows Server 2008 domain controller in a Windows Server 2003 domain, you have to run "adprep /domainprep".
To install an RODC in a Windows Server 2003/2008 forest, a writeable domain controller must be already present. But before, you have to prepare the forest by running the "adprep /rodcprep" command. If you want the RODC to be also a global catalog server, you must run the "adprep /domainprep" command in all domains in the forest to allow the RODC to replicate global catalog data from all domains in the forest.
You can use answer files with the "dcpromo /answer [:filename]" where filename is the name of the answer file.
Or you can run the "dcpromo" command directly with the answers on the command line. Here, you can see two examples of installing AD DS on Server Core.
Verify that the SYSVOL folder structure was created, and then verify that the necessary shared folders were created. By default, the SYSVOL folder path is %SystemRoot%\SYSVOL (if you didn't change it during installation)
Verify that the Active Directory database and log files were created. By default, the AD DS database and log files are stored in %SystemRoot%\NTDS (if you did not change the location during installation).
Verify the creation of the default Active Directory structure. Launch the Active Directory Users and Computers and verify the domain structure.
Verify that the domain controllers records are created in the DNS zone for this domain. Check on the DNS Server.
An RODC only accepts replicated changes and never initiates replication, because no changes can be made on it. RODCs cannot hold operations master roles or be configured as replication bridgehead servers. To maximize security, you can deploy RODCs on servers running Windows Server 2008 Server Core.
Read-only AD DS database: except for account passwords, an RODC stores all the Active Directory objects and attributes that a writeable domain controller stores, but no changes can be made to the database held on the RODC. You perform changes on a writeable domain controller and then wait for them to replicate to the RODC.
Unidirectional replication: AD DS uses a one-way connection to replicate data from a writeable domain controller to the RODC. This way, the RODC only receives changes to the AD DS database and never initiates replication.
Credential caching: by default, no credential caching is done on RODCs but you can configure which credentials will be cached with password replication policies.
Administrative role separation: You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers.
Read-only DNS: You can install the DNS service on an RODC. An RODC can replicate all application partitions that DNS uses, including ForestDNSZones and DomainDNSZones. However, the DNS Server on an RODC is read-only and does not support client updates directly.
RODC filtered attribute set: Some applications that use AD DS as a data store can have some credential-like data (passwords, credentials, or encryption keys) that you do not want to be replicated on an RODC. You can configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set.
Configure the domain and forest functional level: the domain and forest must be at least at a Windows Server 2003 functional level.
A Windows Server 2008 writeable domain controller must be available to replicate the domain partition to the RODC.
Run "ADPrep /domainprep" in all domains if the RODC will be configured as a global catalog server.
You can find the ADprep tool on the Windows Server 2008 installation media. The RODC installation is almost the same as the installation of AD DS on a writeable domain controller. First, in the AD DS Installation Wizard, choose the option to install an additional domain controller in an existing domain. Next, choose to install an RODC. Then, if you used the advanced installation mode, you can configure the password replication policy. If you plan to install an RODC on Server Core, you can use an answer file with the value ReplicaOrNewDomain=ReadOnlyReplica. See part 1.1.7 for information on unattended installation.
Add users or groups to the Allowed RODC Password Replication Group so that the credentials of its members are cached on all RODCs in the domain. Accounts listed in the Denied RODC Password Replication Group are never cached, and the Denied list takes precedence over the Allowed list; the administrative groups (Domain Admins, Enterprise Admins, Schema Admins and others) are in the Denied group by default, so their passwords never reach a branch-office RODC even if they log on there.
It enables network logon by providing universal group membership information to a domain controller when a logon process is initiated. It is also used when a network resource access is initiated.
It finds directory information regardless of which domain in the forest actually contains the data.
Schema Master (one per forest): Performs all updates to the Active Directory schema.
Domain Naming Master (one per forest): Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.
RID Master (one per domain): When a new object is created, the domain controller creates a new security principal that represents the object and assigns it a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a relative identifier (RID), which is unique for each security principal created in the domain. The RID master allocates blocks of RIDs to each domain controller in the domain; the domain controller then assigns a RID from its allocated block to each object it creates.
PDC Emulator (one per domain): Minimizes replication latency for password changes. When a password is changed on a domain controller, that domain controller informs the PDC Emulator of the change immediately and only afterwards replicates it to the other domain controllers. If the affected user then tries to log on through another domain controller to which the change has not yet replicated, that domain controller can ask the PDC Emulator whether the password has changed. The PDC Emulator also synchronizes time on all domain controllers in the domain; accurate time is essential for the Kerberos protocol.
Infrastructure Master (one per domain): When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to objects in the other domain.
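The RID Master row above describes how a SID is assembled from the domain SID and a RID taken from a block the RID master handed out. The Python below is an added example (not from the course) that parses and builds SID strings, converts one to the binary form stored in the objectSid attribute, and models RID block allocation across two domain controllers. The domain SID and the starting RID of the toy pool are constructed values; the block size of 500 RIDs is the default.

```python
# Added example (not from the course): SID string handling plus a toy model of
# the RID master handing RID blocks to domain controllers. The domain SID and
# the first_rid value are constructed; 500 is the default RID block size.
import struct

WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}
RID_BLOCK_SIZE = 500


def parse_sid(sid):
    """'S-1-5-21-A-B-C-RID' -> (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def split_domain_sid(sid):
    """Return (domain SID, RID) for a domain account SID (authority 5, first sub-authority 21)."""
    _, authority, subs = parse_sid(sid)
    if authority != 5 or subs[0] != 21 or len(subs) != 5:
        raise ValueError(f"not a domain principal SID: {sid!r}")
    return "S-1-5-21-" + "-".join(map(str, subs[1:4])), subs[4]


def sid_to_bytes(sid):
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority,
    then each sub-authority as a little-endian uint32 (the objectSid layout)."""
    revision, authority, subs = parse_sid(sid)
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


class RidMaster:
    """One per domain: hands out disjoint RID blocks so SIDs never collide."""
    def __init__(self, domain_sid, first_rid=1000):   # first_rid is a model assumption
        self.domain_sid, self.next_rid = domain_sid, first_rid

    def allocate_block(self):
        start = self.next_rid
        self.next_rid += RID_BLOCK_SIZE
        return start, self.next_rid - 1


class DomainController:
    def __init__(self, name, rid_master):
        self.name, self.rid_master, self.pool = name, rid_master, iter(())

    def create_principal(self):
        """Take the next RID from the local block; fetch a new block when it is empty.
        If the RID master were unreachable at that moment, object creation would fail."""
        try:
            rid = next(self.pool)
        except StopIteration:
            start, end = self.rid_master.allocate_block()
            self.pool = iter(range(start, end + 1))
            rid = next(self.pool)
        return f"{self.rid_master.domain_sid}-{rid}"


if __name__ == "__main__":
    master = RidMaster("S-1-5-21-3623811015-3361044348-30300820")
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    print(dc1.create_principal(), dc2.create_principal())
    print(sid_to_bytes("S-1-5-32-544").hex())   # BUILTIN\Administrators
```

Because each domain controller works from its own block, two domain controllers can create objects at the same time without producing the same SID; the failure mode to watch for is a domain controller whose block is exhausted while the RID master is offline.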
Chapter 3. Configuring Domain Name Service for Active Directory Domain Services
In this lesson, we will see that Active Directory is completely linked to DNS (Domain Name System). We will see the relationship between these two applications to be able to provide the best service as possible to clients. Module Overview
1. Course
1.1. Overview of Active Directory Domain Services and DNS Integration
Active Directory Domain Services requires that a DNS infrastructure is in place before it is installed. Understanding how DNS and Active Directory are connected, and how client computers use DNS during logon, will help you resolve many DNS-related Active Directory issues, such as client logon problems.
Net Logon uses the information and queries DNS for SRV resource records
During Net Logon startup, the Net Logon service on each domain controller enumerates the site objects in the Configuration partition of Active Directory. Net Logon uses the site information to map IP addresses (coming from subnets configured in Active Directory) to site names. The domain controller uses the IP address of the client and this mapping to know in which site is the client computer.
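The two mechanisms just described, mapping a client IP address to a site through the subnet objects and then querying DNS for SRV records, are shown together in this added Python example (not code from the course). The domain, site names and subnets are constructed; the record names follow the _msdcs layout that Net Logon registers. The query order assumes the client already knows its site from an earlier locate, as the paragraph describes; a client whose address matches no subnet has no site and falls straight through to the domain-wide records.

```python
# Added example (not from the course): how a client's IP maps to a site through
# the subnet objects, and which SRV records the DC locator then asks DNS for.
# Domain, site and subnet values are constructed.
import ipaddress

DOMAIN = "corp.example.com"
FOREST = "corp.example.com"

# Subnet objects as defined under Sites and Services (constructed sample).
SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.1.0.0/16": "Paris",
    "10.2.0.0/16": "Lyon",
}


def site_for_ip(ip, subnets=SUBNETS):
    """Longest-prefix match of the client IP against the subnet objects; None when
    no subnet covers it (the DC then cannot give the client a site-specific answer)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def dc_locator_queries(client_ip, domain=DOMAIN, forest=FOREST, want_gc=False):
    """SRV names in the order a client tries them: site-specific first, then domain-wide."""
    site = site_for_ip(client_ip)
    names = []
    if site:
        names += [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
                  f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"]
        if want_gc:
            names.append(f"_gc._tcp.{site}._sites.{forest}")
    names += [f"_ldap._tcp.dc._msdcs.{domain}",
              f"_kerberos._tcp.dc._msdcs.{domain}"]
    if want_gc:
        names.append(f"_gc._tcp.{forest}")
    return names


def pick_targets(records):
    """Order SRV answers the way a resolver should: lowest priority first, then
    higher weight first. records: (priority, weight, port, target)."""
    return [r[3] for r in sorted(records, key=lambda r: (r[0], -r[1]))]


# Constructed SRV answers for _ldap._tcp.Paris._sites.dc._msdcs.corp.example.com
SAMPLE_ANSWERS = [
    (0, 100, 389, "dc1.corp.example.com"),
    (0, 50, 389, "dc2.corp.example.com"),
    (10, 100, 389, "dc3.corp.example.com"),   # lower-priority fallback
]


if __name__ == "__main__":
    for ip in ("10.1.4.7", "10.9.1.1", "192.168.1.1"):
        print(ip, site_for_ip(ip), dc_locator_queries(ip)[0])
    print(pick_targets(SAMPLE_ANSWERS))
```

A practical check that follows from this: if clients in a branch office keep authenticating against head-office domain controllers, the first thing to verify is whether their subnet exists as a subnet object and is assigned to the right site, because without that mapping the site-specific records are never consulted.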
Replication: Replicates DNS zone information using Active Directory replication instead of zone transfers.
Multimaster model: In a standard DNS infrastructure you have a primary DNS server, which stores the writeable copy of the zone, and secondary DNS servers, which store read-only copies of it. Changes can only be made on the primary zone and are transferred to the secondary zones with zone transfers, so if the primary server is unavailable, no changes can be made to the zone until it is back. By integrating zones into Active Directory, you take advantage of the multimaster replication model of AD DS: changes can be made on every domain controller that stores the zone, so even if one server becomes unavailable you can still make changes on another one. It is a fault-tolerance mechanism.
Secure Dynamic Updates: By default, DNS Servers accept both secure and non-secure dynamic updates. When you integrate DNS zones into Active Directory, you can choose to accept only secure dynamic updates for more security.
By default, there are three major partitions in the Active Directory database:
The schema partition, which contains and replicates schema information to the entire forest.
The configuration partition, which contains and replicates information about the AD DS structure to the entire forest.
The domain partition, which contains and replicates domain information (objects) to all domain controllers in a given domain.
You can choose to store a DNS zone in the domain partition or in an application partition. By default, two application partitions, named DomainDNSZones and ForestDNSZones, are created to store DNS-specific data. Administrators can create additional application partitions and define their replication scope, that is, the domain controllers to which the partition is replicated. You configure where a DNS zone is stored in the DNS console. There are four choices:
To all DNS servers in the forest: The DNS zone will be stored in the ForestDNSZones application partition.
To all DNS servers in this domain: The DNS zone will be stored in the DomainDNSZones application partition.
To all domain controllers in this domain (for Windows 2000 compatibility): The DNS zone will be stored in the domain partition.
To all domain controllers in the scope of this directory partition: The DNS zone will be stored in a custom application partition you configured.
You can see the content of directory partitions by using the ADSI Edit tool which is installed by default on each Windows Server 2008 domain controller.
6. The client sends a SOA query to get the name of the DNS server that hosts the primary zone
7. The DNS server replies with the zone name and the server IP address
8. The client checks for an existing registration
9. The DNS server responds that the registration does not exist
10. The client sends a dynamic update to the DNS server to register its name and IP address in an A record (and a PTR record if a reverse lookup zone exists)
Starts one or more threads to load the zones that are stored in AD DS
DNS information required for Active Directory name resolution is available for clients in the same site as the RODC, as RODCs are designed to provide a secure Directory service in branch offices where physical security cannot be ensured.
Changes are not allowed on the read-only DNS zone, which increases security.
Configuring AD DS Trusts
1. Course
After you have deployed Active Directory Domain Services on your network, you will have to create and manage AD DS objects. It is the most common task for an AD DS administrator. Generally, in organizations, each employee has a user account created in Active Directory and most of the computers have a computer account in AD DS. Then, these accounts can be grouped with AD DS groups which will be used to give permissions to access network resources. So we will see how to manage user, computer and group accounts to make the management of network access easier, depending on the organization.
1.1.1. AD DS Objects
In AD DS, you can create several types of objects that will represent your network resources. Here are the common objects you can use:
User accounts: They are used to represent a user on your network. It will provide single sign-on for this user and access to network resources. Single sign-on means that the user will be able to use the same credentials (username and password) to access all the different resources on the network.
Computer accounts: They provide authentication and auditing of computer access to network resources. They are used to represent the physical computers that are members of your AD DS domain.
Group account: Groups are used to group objects, such as user account, and to give permissions on network resources for example. Imagine you have 100 user accounts and you want to give them the permissions to access a shared folder on the network. Instead of giving one hundred times the same permission to each user account on the shared folder, you can use a group. You put all the user accounts in this group, and you give the permission on the shared folder to this group. Automatically, all the members of this group will inherit the permissions granted to the group they are member of.
InetOrgPerson: This object type is similar to a standard user account but is used for compatibility with other directory services.
Organizational Units: Container objects used to organize the other objects in your domain. Organizational units can be compared to folders on your hard drive: you create folders to organize your files and make them easier to manage. Likewise, in AD DS you create organizational units in a domain to organize its objects (user, computer and group accounts, for example), which makes them easier to manage, to target with group policies, and to delegate administrative permissions on.
Printers: They are used to represent the printers on your network, and simplify the process of locating and connecting to printers. Users don't need to know on which server the printer is connected and how to access it.
Shared folders: They are used to simplify the process of locating and connecting to shared folders on the network.
Active Directory Users and Computers: The main tool to create and manage AD DS objects. With this MMC you can create organizational units, users, computers, groups, printers, shared folders and so on. It is the tool AD DS administrators use most.
Directory Service command-line tools: A set of command-line tools to create and manage AD DS objects: dsadd, dsmod, dsrm, dsmove, dsget and dsquery. With these tools you can write scripts or batch files to perform tasks on AD DS objects.
LDIFDE: LDAP Data Interchange Format Directory Exchange is a command-line tool that you can use to create AD DS objects in batch, that is, many objects at once. LDIFDE reads an input file that describes the objects to add, modify, or delete. The file must follow the LDIF format: the information is stored as a series of records separated by blank lines.
CSVDE: Comma-Separated Value Directory Exchange is a command-line tool used to import or export Active Directory Domain Services data using CSV-formatted files.
WSH: Windows Script Host is a script executing environment. WSH can run scripts written in JScript or VBScript natively. So you will be able to manage AD DS using WSH.
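The LDIF record layout that LDIFDE expects (one attribute per line, records separated by a blank line, base64 for values LDIF cannot carry literally) is easy to get subtly wrong by hand. The Python below is an added example (not from the course) that converts a CSV of new users into an LDIF file and parses LDIF back. Names, OUs and the domain DN are constructed. Two details matter in practice: a value with non-ASCII characters or a leading space must be written as "attr:: base64", and because an import over plain LDAP cannot set a password, the accounts are created disabled (userAccountControl 514) rather than enabled with no password.

```python
# Added example (not from the course): turn a CSV of new users into an LDIF
# file that ldifde can import, and parse LDIF back. All names are constructed.
import base64
import csv
import io

SAMPLE_CSV = """sAMAccountName,givenName,sn,ou
jsmith,John,Smith,Sales
mdurand,Marie,Durand,Finance
erenard,Élodie,Renard,Finance
"""

UNSAFE_FIRST = set(" :<")  # a value starting with one of these must be base64-encoded


def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' when LDIF forbids the literal form
    (non-ASCII, NUL/CR/LF, or a leading space, colon or less-than sign)."""
    literal = (value.isascii() and "\r" not in value and "\n" not in value
               and "\0" not in value and value[:1] not in UNSAFE_FIRST)
    if literal:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def domain_from_dn(domain_dn):
    """'DC=corp,DC=example,DC=com' -> 'corp.example.com' (for the UPN suffix)."""
    return ".".join(p.split("=", 1)[1] for p in domain_dn.split(",")
                    if p.upper().startswith("DC="))


def user_record(row, domain_dn):
    display = f"{row['givenName']} {row['sn']}"
    lines = [
        ldif_line("dn", f"CN={display},OU={row['ou']},{domain_dn}"),
        "changetype: add",
        "objectClass: user",
        ldif_line("sAMAccountName", row["sAMAccountName"]),
        ldif_line("userPrincipalName", f"{row['sAMAccountName']}@{domain_from_dn(domain_dn)}"),
        ldif_line("givenName", row["givenName"]),
        ldif_line("sn", row["sn"]),
        ldif_line("displayName", display),
        # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): imported without a
        # password, so the account stays disabled until a password has been set.
        "userAccountControl: 514",
    ]
    return "\n".join(lines)


def csv_to_ldif(csv_text, domain_dn):
    rows = csv.DictReader(io.StringIO(csv_text))
    return "\n\n".join(user_record(r, domain_dn) for r in rows) + "\n"


def parse_ldif(text):
    """Records are separated by blank lines; returns one {attr: [values]} per record."""
    records, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                       # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


if __name__ == "__main__":
    print(csv_to_ldif(SAMPLE_CSV, "DC=corp,DC=example,DC=com"))
```

Running the output through parse_ldif before importing it is a cheap sanity check that every record has a dn and that base64 values round-trip to what the CSV contained.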
Security groups: They are used to assign rights or permissions to groups of users and computers. Rights determine which functions members of a security group can perform in a domain or forest. Permissions determine which resources a member of a group can access on the network. One way to use security groups effectively is nesting, that is, adding a group to another group. The nested group inherits the permissions of the group it is a member of, which simplifies assigning permissions to several groups at once and reduces the replication traffic caused by group membership changes.
Distribution groups: They are used only with e-mail applications, such as Microsoft Exchange, to send messages to collections of users. Distribution groups are not security-enabled, that is, they cannot be listed in discretionary access control lists (DACLs). To control access to shared resources, create a security group.
Group scope: Can contain / Can be granted permissions
Domain Local: accounts, global groups and universal groups from any trusted domain / in its own domain only
Global: users, groups and computers from its own domain / in any trusted domain
Universal: users, groups and computers from any trusted domain in the forest / in any trusted domain
Local: users, groups and computers from any trusted domain / on the local computer only, where the local group is created
The Builtin container of the domain contains, among others, the following built-in local groups:
Account Operators
Administrators
Backup Operators
Print Operators
Replicator
Server Operators
Users
You can use these groups to give specific roles to users. For example, you can put a user account in the Account Operators group to allow that user to create and manage user accounts and groups in the domain. Be careful, though: this user will be able to manage all user accounts in the domain (except the members of the Administrators and operator groups, which Account Operators cannot modify). We will see in a later part that it is more appropriate to delegate administrative control on AD DS objects, so that permissions are granted only on some AD DS objects and not on the entire domain.
Rather than assigning permissions to individual accounts, the recommended practice is to add user accounts to groups and then assign permissions to the group. This way, all the members of the group inherit the permissions assigned to the group. In this part, we will see how to use groups depending on your AD DS deployment.
Add user accounts directly to the ACL (Access Control List) on the resource. This is the worst solution because you have to do it for each user account; with hundreds of user accounts it quickly becomes unmanageable.
Add user accounts to groups, and add the groups to the ACL on the resource. This is the basic solution using groups. It is better than adding user accounts directly to the ACL, but in some cases it does not provide enough flexibility and scalability.
Add user accounts to account groups (groups used only to put user accounts together), add the account groups to resource groups (groups used only to assign access to a resource), and then add the resource group to the ACL on the resource. This is the most flexible solution and the one that scales best; in practice the account groups are global groups and the resource groups are domain local groups, which is why this model is often called AGDLP. In AD DS, we create users and groups to provide access to network resources, such as shared folders, printers, or applications. When you assign access to resources, you need to:
Plan for the lowest level of permissions. Always give a user only the permissions needed to perform their tasks, no more and no less.
Keep the plan as simple as possible. Keep in mind that the goal is to simplify access to resources.
Document what you have done. If you choose a particular structure for groups and access to resources, document your plan. That way it is easier to maintain and you can follow the same rules all the time.
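The third model above, as an added example that is not part of the original course: account group, resource group and resource ACL built from Windows PowerShell through ADSI, which works on Windows Server 2008 without the ActiveDirectory module (that module only arrived with Windows Server 2008 R2). The domain supinfo.lan and the user jvernal come from the course; the OU "OU=Groups,DC=supinfo,DC=lan", the user's DN under OU=Lab, the group names and the share D:\Shares\Projects are assumptions.

```powershell
# Added example, not from the course: the account group / resource group model (AGDLP)
# built with Windows PowerShell through ADSI. Assumed names: OU=Groups,DC=supinfo,DC=lan,
# the user jvernal under OU=Lab (from the LDIF sample in this course), the group names
# below and the share D:\Shares\Projects.

# groupType of a security group: scope flag OR 0x80000000 (security-enabled), stored in
# AD as a signed 32-bit integer, hence the negative values.
$GlobalSecurityGroup      = -2147483646   # 0x80000002
$DomainLocalSecurityGroup = -2147483644   # 0x80000004

$groupsDN = "OU=Groups,DC=supinfo,DC=lan"
$groupsOU = [ADSI]"LDAP://$groupsDN"

function New-SecurityGroup([string]$Name, [int]$GroupType) {
    # Creates a security group of the requested scope and returns a fresh binding to it.
    $g = $groupsOU.Create("group", "CN=$Name")
    $g.Put("sAMAccountName", $Name)
    $g.Put("groupType", $GroupType)
    $g.SetInfo()
    return [ADSI]"LDAP://CN=$Name,$groupsDN"
}

# A -> G: accounts go into global "account" groups, one per role.
$projectUsers = New-SecurityGroup "G-Project-Users" $GlobalSecurityGroup

# DL: domain local "resource" groups, one per resource and permission level.
$projectsRead   = New-SecurityGroup "DL-Projects-Read"   $DomainLocalSecurityGroup
$projectsModify = New-SecurityGroup "DL-Projects-Modify" $DomainLocalSecurityGroup

# Nesting: user -> global group -> domain local group (IADsGroup::Add takes an ADsPath).
$user = [ADSI]"LDAP://CN=Jenner VERNAL,OU=Lab,DC=supinfo,DC=lan"
$projectUsers.Add($user.Path)
$projectsModify.Add($projectUsers.Path)

# P: the permission is assigned on the resource to the domain local group only.
# (Read access would be assigned the same way to DL-Projects-Read.)
$share = "D:\Shares\Projects"
$acl = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "SUPINFO\DL-Projects-Modify", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: who ends up with Modify on the share? Walk the nesting down from the resource group.
function Get-NestedMembers([string]$GroupPath) {
    $g = [ADSI]$GroupPath
    foreach ($dn in $g.member) {
        $entry = [ADSI]"LDAP://$dn"
        if ($entry.SchemaClassName -eq "group") { Get-NestedMembers $entry.Path }
        else { $entry.sAMAccountName.Value }
    }
}
Get-NestedMembers $projectsModify.Path
```

Because the share's ACL names only the domain local group, revoking a role's access means removing one membership, and the ACL never has to be touched again when people join or leave. The final walk is the check to run before granting anything: it shows every account that effectively reaches the resource through the nesting.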
Active Directory Users and Computers: With this tool you cannot create multiple user accounts at once, but you can select multiple AD DS objects and modify the properties they have in common. For example, you can move several user accounts to another location, or change their group membership.
Directory Service tools: You can create a batch script to perform operations on multiple AD DS Objects at the same time.
Windows PowerShell
givenName: Jenner
sn: VERNAL
sAMAccountName: jvernal
displayName: Jenner VERNAL
userPrincipalName: jenner.vernal@supinfo.lan
description: SCT for Microsoft Lab
Then run the following command to apply the changes described in the file (-i selects import mode; without it, ldifde exports): ldifde -i -f filename.ldf
Then run the following command to import the data from the CSV file: csvde -i -f filename.csv
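The two import commands above, carried through in one script as an added example that is not part of the original course: it writes an LDIF file with an add, a modify and a delete record, runs ldifde, then builds a CSV file through the PowerShell pipeline and runs csvde. supinfo.lan and jvernal come from the course; the OU "OU=Lab,DC=supinfo,DC=lan", the object "CN=Old Test Account" that the delete record removes, and the two CSV users are assumptions.

```powershell
# Added example, not from the course: batch-creating, modifying and deleting objects with
# ldifde and csvde from a PowerShell script. Assumed: the OU "OU=Lab,DC=supinfo,DC=lan" and
# the object "CN=Old Test Account" in it exist, and the script runs on a DC as a user allowed
# to create objects there. supinfo.lan and jvernal come from this course.

$ou = "OU=Lab,DC=supinfo,DC=lan"

# 1. LDIF: one record per object, records separated by a blank line. changetype selects the
#    operation, so a single file can add, modify and delete. userAccountControl 514 means
#    NORMAL_ACCOUNT + ACCOUNTDISABLE; without it the user is created with 546, which also
#    sets PASSWD_NOTREQD. The account stays disabled until a password is set and it is enabled.
$ldif = @"
dn: CN=Jenner VERNAL,$ou
changetype: add
objectClass: user
givenName: Jenner
sn: VERNAL
sAMAccountName: jvernal
displayName: Jenner VERNAL
userPrincipalName: jenner.vernal@supinfo.lan
description: SCT for Microsoft Lab
userAccountControl: 514

dn: CN=Jenner VERNAL,$ou
changetype: modify
replace: description
description: Microsoft Lab Manager
-

dn: CN=Old Test Account,$ou
changetype: delete
"@
$ldif | Out-File -FilePath lab-users.ldf -Encoding ASCII

# -i: import (the default is export); -f: file; -k: continue past "object already exists"
# and constraint errors; -j: folder for the ldif.log and ldif.err files to read when a record fails.
ldifde -i -f lab-users.ldf -k -j .

# 2. CSV: the first line lists the attribute names, every following line is one object.
#    csvde can only add objects; modifications and deletions need ldifde. The rows are built
#    through the pipeline from a constructed list of people.
$people = @(
    @{ First = "Anna"; Last = "MARTIN"; Sam = "amartin" },
    @{ First = "Paul"; Last = "DURAND"; Sam = "pdurand" }
)
$header = "DN,objectClass,sAMAccountName,givenName,sn,displayName,userPrincipalName,userAccountControl"
$rows = $people | ForEach-Object {
    $cn = "$($_.First) $($_.Last)"
    "`"CN=$cn,$ou`",user,$($_.Sam),$($_.First),$($_.Last),$cn,$($_.Sam)@supinfo.lan,514"
}
@($header) + $rows | Out-File -FilePath lab-users.csv -Encoding ASCII
csvde -i -f lab-users.csv -k -j .

# Check: every imported account should be listed as disabled until someone sets a password.
dsquery user $ou | dsget user -samid -disabled
```

The point of the userAccountControl value is security rather than convenience: accounts imported without it carry the PASSWD_NOTREQD flag, which lets them be enabled later with an empty password that the domain password policy will not catch.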
Powerful single-line cmdlets: There are cmdlets for most tasks in a Windows environment, and PowerShell is extensible, so products can add cmdlets to the basic set. For example, when you install Exchange Server 2007, it provides the Exchange Management Shell, which is Windows PowerShell with additional cmdlets to manage Exchange Server objects.
Aliases
Variables
Pipelining: You can use pipelines (the character "|") to combine multiple cmdlets: the objects output by the cmdlet on the left side of the pipe are passed as input to the cmdlet on the right side.
Scripting support: You can write PowerShell scripts with the extension ".ps1" and execute them to perform multiple tasks at once.
Access to all cmd.exe commands
In Windows Server 2008, Windows PowerShell is a feature that you can install from Server Manager.
Get-Service | Sort-Object Name: lists all the services on the computer and then sorts the objects by name.
To list all available cmdlets: Get-Command
To get help on a specific cmdlet: Get-Help <cmdlet>
to be able to perform administration tasks on AD DS objects. In Windows Server 2008 AD DS, you can delegate some of those administrative tasks to other users; this is called decentralized management. By delegating administrative control, you allow other users to perform specific AD DS management tasks while granting only the permissions they need, and no more. For example, you want to give someone the permission to manage user accounts in a specific organizational unit. Rather than putting that user's account in the Account Operators group, which would give it permissions to manage accounts in the entire domain, you delegate control on that specific organizational unit and specify that this user can only manage user accounts there.
Standard permissions, which are the basic permissions and the most frequently used, because they are easier to maintain.
Special permissions, which provide a finer degree of control when assigning permissions on objects. Standard permissions are simply predefined sets of special permissions. To access special permissions, click Advanced in the Security tab of the organizational unit's Properties dialog box.
Deny: Explicitly denies the corresponding permission: the user or group affected by the Deny cannot perform this task even if an Allow grants it at the same level or through another group. Entries are evaluated in a fixed order: an explicit Deny set on the object wins over an explicit Allow on the object, and both win over inherited entries; among inherited entries, Deny wins over Allow. The one case where an Allow beats a Deny is an explicit Allow set directly on the object against a Deny inherited from a parent.
If nothing is checked, the result is an implicit deny: access is denied by default unless some permission grants it.
Permissions are cumulative: a user account can receive permissions from several groups or levels, and, subject to the Deny rules above, the effective permissions are the union of them.
You can set permissions at the object level or they can be inherited from the parent object. If you configure a specific permission on an organizational unit, you can specify to apply the permission to all child organizational units or only on this organizational unit.
You can also configure permissions directly in the Security tab of the organizational unit Properties dialog box as seen in part 1.4.1.
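The delegation described above (manage user accounts in one OU instead of joining Account Operators), done from Windows PowerShell through ADSI as an added example that is not part of the original course. It writes the same kind of object-type-scoped ACEs that the Delegation of Control Wizard produces and then reads the DACL back, which is the check to run after any delegation. The OU "OU=Sales,DC=supinfo,DC=lan" and the group SUPINFO\HelpDesk are assumptions; the GUID is the schemaIDGUID of the user class.

```powershell
# Added example, not from the course: delegating "create, delete and manage user objects"
# on one OU to a group, from PowerShell through ADSI. Assumed names: OU=Sales,DC=supinfo,DC=lan
# and the group SUPINFO\HelpDesk. Run it as a user allowed to change the OU's permissions.

$ou = [ADSI]"LDAP://OU=Sales,DC=supinfo,DC=lan"
$helpDesk = New-Object System.Security.Principal.NTAccount("SUPINFO", "HelpDesk")

# schemaIDGUID of the "user" object class. Scoping the ACEs to this class is what limits the
# delegation to user objects instead of every object type under the OU.
$userClass = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

# ACE 1: create and delete user objects in this OU and in all OUs below it.
$createDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpDesk,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: full control, but only on descendant objects of class user (not on the OU itself,
# not on groups or computers). GenericAll still includes password reset and every attribute;
# grant individual properties instead if that is more than the role needs.
$manageUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpDesk,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$ou.ObjectSecurity.AddAccessRule($createDeleteUsers)
$ou.ObjectSecurity.AddAccessRule($manageUsers)
$ou.CommitChanges()

# Check: read the OU's DACL back and show what HelpDesk holds, with inheritance and the
# class each ACE is scoped to. This is the same list as Advanced in the Security tab.
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq "SUPINFO\HelpDesk" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, ObjectType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize
```

Compared with Account Operators, these two ACEs give HelpDesk nothing outside OU=Sales and nothing on groups, computers or the OU object itself. An ACE whose ObjectType is the empty GUID would apply to every object class, which is the usual mistake to look for in the read-back list.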
resources in the other domain, provided it has been granted permissions to do so. In this part, we will see the different trusts that exist in AD DS, how they work, and how to configure them.
1.5.1. AD DS Trusts
Trusts have different characteristics:
Transitivity: If domain A trusts domain B, domain B trusts domain C and both trusts are transitive, then domain A trusts domain C implicitly.
Direction: The trust direction defines which domain is the trusted (account) domain and which is the trusting (resource) domain: users of the trusted domain can be granted access to resources of the trusting domain. There are three options when you create a trust: one-way incoming, one-way outgoing, or two-way.
One-way incoming: If, in domain A, you configure a one-way incoming trust from domain B, domain B trusts domain A, so users from domain A can be granted access to resources in domain B.
One-way outgoing: If, in domain A, you configure a one-way outgoing trust to domain B, domain A trusts domain B, so users from domain B can be granted access to resources in domain A.
Two-way: If you configure a two-way trust between domain A and domain B, users from domain A will be able to access resources in domain B and the reverse.
Here are the different trust types you can find in Active Directory Domain Services:
Tree/Root Trust: By default, two-way and transitive. The tree/root trust is created automatically when a new tree is added to the forest. A tree/root trust is created between each tree root domain and the forest root domain. A tree/root trust cannot be deleted.
Parent/Child Trust: By default, two-way and transitive. The parent/child trust is created automatically when you add a child domain to an existing domain. A parent/child trust cannot be deleted.
Shortcut Trust: You can create a shortcut trust to shorten the authentication path between two domains in different trees of the same forest. In the picture above, if a user from domain A wants to access a resource in domain E, the Kerberos referrals must walk the trust path through the forest root domain, then domain D, and finally domain E. A shortcut trust between A and E avoids these intermediate Kerberos referrals.
External Trust: External trusts are non-transitive and can be created between Active Directory domains in different forests or between an Active Directory domain and a Windows NT 4.0 domain.
Realm Trust: A realm trust can be established between any non-Windows-based operating system Kerberos version 5 realm and a Windows 2000 Server, Windows Server 2003, or Windows Server 2008 domain. This trust relationship allows cross-platform interoperability with security services based on other Kerberos version 5 implementations, such as that from the Massachusetts Institute of Technology (MIT).
Forest Trust: You can link two forests by creating a one-way or two-way transitive trust between their forest root domains. A two-way forest trust forms a trust relationship between every domain in both forests. Forest trusts require both forests to be at the Windows Server 2003 forest functional level or higher. You also need to configure DNS so that the domain controllers of each forest can locate the domain controllers of the other forest; generally, conditional forwarding is used for this, but stub zones are another option.
The UPN contains two different parts that are separated by the @sign, for example, romain.lacour@supinfo.lan:
The user principal name prefix, also called user logon name, which in this example is romain.lacour.
The user principal name suffix, which in this example is supinfo.lan. By default, the UPN suffix is the name of the domain where the user account was created. You can use other domain names of the forest, or create additional UPN suffixes for the forest, to give users a different suffix. A common choice is a UPN suffix that matches the users' e-mail addresses: users only have to remember their e-mail address and can log on with it. A UPN must be unique in the forest. Additional UPN suffixes are created in the Active Directory Domains and Trusts console.
A mechanism called UPN suffix routing routes authentication requests between trusted forests: a user from one forest can log on to the other forest with its UPN, and the authentication request is automatically routed to the forest that owns that suffix. Name suffix routing is automatically disabled for a suffix that exists in both forests, because the request would be ambiguous. You can manually enable or disable name suffix routing across a trust in the Properties of the forest trust in the Active Directory Domains and Trusts console.
Configure the forest or external trust to use selective authentication rather than domain-wide authentication. With selective authentication, users from the trusted domain are not automatically authenticated on every computer of the trusting domain: they can only access the computers on which they have been explicitly granted the Allowed to Authenticate permission, which is set on the computer object in Active Directory.
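The one-way outgoing external trust and the selective authentication setting from above, created with netdom and then scoped to one computer, as an added example that is not part of the original course. supinfo.lan is the course's domain and plays the trusting (resource) domain here; partner.lan as the trusted (account) domain, the file server FS01, the group "PARTNER\Project Users" and the administrator accounts are assumptions. The netdom and nltest syntax is that of the Windows Server 2008 tools, not something the course shows.

```powershell
# Added example, not from the course: a one-way external trust with netdom, scoped with
# selective authentication. Assumed names: partner.lan (trusted/account domain), FS01
# (computer object in OU=Servers) and PARTNER\Project Users. supinfo.lan is from the course.

$trusting = "supinfo.lan"   # holds the resources; seen from here this is a one-way outgoing trust
$trusted  = "partner.lan"   # holds the accounts; seen from there it is a one-way incoming trust

# First argument: trusting domain; /d: trusted domain. /passwordd:* and /passwordo:* prompt
# for the trusted-side and our-side credentials instead of leaving them in the script.
netdom trust $trusting /d:$trusted /add `
    /userd:"PARTNER\Administrator" /passwordd:* `
    /usero:"SUPINFO\Administrator" /passwordo:* `
    /SelectiveAUTH:yes

# Check the trust, and list direction and transitivity as our DCs see them
# (external trusts are non-transitive, so partner.lan's own trusts are not inherited).
netdom trust $trusting /d:$trusted /verify
nltest /domain_trusts /v

# With selective authentication, partner.lan users reach nothing until the "Allowed to
# Authenticate" control access right is granted on the computer objects they may use.
$allowedToAuthenticate = [Guid]"68b1d179-0d15-4d4f-ab71-46152e79a7bc"   # rightsGuid of Allowed-To-Authenticate
$fileServer = [ADSI]"LDAP://CN=FS01,OU=Servers,DC=supinfo,DC=lan"
$partnerGroup = New-Object System.Security.Principal.NTAccount("PARTNER", "Project Users")
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $partnerGroup,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate)
$fileServer.ObjectSecurity.AddAccessRule($ace)
$fileServer.CommitChanges()
```

Without the /SelectiveAUTH switch the trust is domain-wide: every partner.lan user is authenticated by every computer in supinfo.lan and immediately matches Authenticated Users in its ACLs. With it, access is an explicit list of computer objects, which is the property you want from a trust with an organization you do not administer.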
1. Course
1.1. Overview of Active Directory Domain Services Replication
In Active Directory Domain Services, you can deploy multiple domain controllers in the same domain and in other domains of the forest. When a change is made on one of those domain controllers, AD DS must ensure that all the other domain controllers holding that information update their copy, so that they all hold the same data. This process is called replication. By understanding how AD DS replication works, you will be able to manage replication network traffic and ensure the consistency of AD DS data across the domain controllers in your network.
Deletion of an object from the directory
Within a single site, the domain controller on which the change is made sends a change notification to its replication partners (the other domain controllers in the same site) to initiate replication. The notification only tells the partner that changes are available; the partner then pulls the changes from the domain controller where the update was made, over a remote procedure call (RPC) connection. When replication with the first partner is complete, the originating domain controller waits three seconds and then notifies the next partner, which also pulls the changes.
For normal updates, a domain controller waits 15 seconds after a change is made before sending the notification to the other domain controllers in the site. For some critical changes, such as an account lockout, the notification is sent immediately without the 15-second wait; this is called urgent replication. Password changes are in addition sent immediately to the PDC emulator of the domain.
Active Directory replication uses loose consistency with convergence: while a change is being replicated, the directory is temporarily inconsistent because the information is not identical on all domain controllers. After some time, called the replication latency, the change has reached all domain controllers and the system is said to have converged.
There are two types of write operations that Active Directory replication needs to track. The first type is originating writes, that is, a change performed directly on a particular domain controller. For instance, if you connect to DC1 and change a user's description, that change is an originating write on DC1.
The second type is replicated writes, that is, changes that were replicated in from another domain controller. The change that is an originating write on DC1 is a replicated write when it reaches DC2, DC3, and every other domain controller in the domain.
To manage the transmission of directory information, domain controllers use replication metadata. In addition to the data that changed (Romain Lacour's description was changed to "SCT for Microsoft Lab"), Active Directory transmits information about that change so that domain controllers can replicate efficiently: the domain controller the change originated from, the time at which it was made, and so on.
The first piece of metadata is the update sequence number (USN). Each domain controller maintains its own USN counter, incremented by 1 every time a change is written to its copy of the database. If a DC has a USN of 1000 at 2:00 p.m. and 1005 at 2:30 p.m., five changes were written to its database in between. USNs are local to one domain controller and cannot be compared between DCs. Furthermore, the USN is incremented by both originating and replicated writes. So each DC needs a way to track which changes it has already received from each partner; otherwise every replication cycle would have to send the entire database across the network. This is the role of the second piece of replication metadata, the high-watermark vector (HWMV). Each domain controller maintains it per partition and per replication partner: for the partner's GUID, it records the highest USN of that partner whose changes the local DC has already received, so that on the next cycle it only requests changes above that USN. With only USNs and high-watermark vectors, however, replication would never stop: because a replicated write increments the receiving DC's USN, DC1's change would appear as a new change on DC2, be pulled back by DC1 as another new change, and so on, consuming more and more bandwidth.
That is why there is a third piece of replication metadata, the up-to-dateness vector (UTD vector, or UTDV). For each domain controller that has ever originated a change in the partition, it records the highest originating USN from that DC that the local DC has already applied. The destination sends its UTDV along with its replication request, so the source can skip any change the destination already has, whatever path it arrived by; this is what prevents the same change from being replicated over and over between domain controllers (propagation dampening).
AD DS has mechanisms to resolve these conflicts automatically, based on two more pieces of replication metadata. The version number is assigned to each individual attribute of an object, starting at 1 when the object is created, and is incremented by 1 whenever that attribute is modified on any DC. For instance, if the description attribute of a user is updated from its initial value to "SCT for Microsoft Lab", the description attribute has a version of 2; if it is later modified to "Microsoft Lab Manager", the version becomes 3. The second piece of metadata used to resolve conflicts is a timestamp, the time at which the modification was made. There are three different conflict types:
Attribute value: This conflict occurs when the same attribute of an object is modified on two domain controllers before either change has replicated to the other. To resolve it, AD DS compares the version of each modification and keeps the one with the highest version. If both have the same version, the change with the later timestamp is kept. If both version and timestamp are identical, the change originated by the DC with the lower-numbered GUID is kept. The losing change is discarded entirely: there is no merge, so the administrator who made it sees the modification silently replaced.
Adding an object or modifying an object on one domain controller at the same time that the container for this object is deleted on another domain controller. In this case, AD DS will put the object in the LostAndFound container in the domain. To see this container, you have to enable the Advanced Features view in the Active Directory Users and Computers console.
RDN conflict: Adding objects with the same relative distinguished name in the same container on different domain controllers. AD DS will rename duplicated objects so that the different objects can exist in the same container. To determine which object will be renamed, AD DS uses the versionID, timestamp and originating DC GUID as for the attribute value conflict.
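The metadata and the attribute-value rule described in the two sections above, as an added example that is not part of the original course: a small PowerShell model in which each DC keeps its own USN, a high-watermark value per partner and an up-to-dateness vector, and conflicts are settled by version, then timestamp, then the lower originating GUID as this course states. Every DC, GUID, USN, timestamp and change is constructed for the example; this is an illustration of the rules, not AD DS code.

```powershell
# Added example, not from the course: a toy model of AD DS replication metadata.
# All DCs, GUIDs, timestamps and changes below are constructed for the illustration.

function New-DC([string]$Name, [string]$Guid) {
    # USN:  this DC's counter, incremented by originating AND replicated writes
    # Log:  its changes in local USN order (what a partner pulls from)
    # HWMV: per source DC GUID, the highest local USN of that source already received
    # UTDV: per originating DC GUID, the highest originating USN already applied here
    @{ Name = $Name; Guid = $Guid; USN = 0; Log = @(); Attrs = @{}; HWMV = @{}; UTDV = @{} }
}

function Write-Originating($DC, [string]$Attr, [string]$Value, [datetime]$Time) {
    # Originating write: new stamp with version + 1 and this DC as originating DC.
    $DC.USN = $DC.USN + 1
    $old = $DC.Attrs[$Attr]
    $version = 1
    if ($null -ne $old) { $version = $old.Version + 1 }
    $stamp = @{ Value = $Value; Version = $version; Time = $Time; OrigGuid = $DC.Guid; OrigUSN = $DC.USN }
    $DC.Attrs[$Attr] = $stamp
    $DC.Log += @(@{ LocalUSN = $DC.USN; Attr = $Attr; Stamp = $stamp })
    $DC.UTDV[$DC.Guid] = $DC.USN
}

function Test-IncomingWins($Current, $Incoming) {
    # Attribute value conflict resolution, in the order given in this course.
    if ($null -eq $Current) { return $true }
    if ($Incoming.Version -ne $Current.Version) { return ($Incoming.Version -gt $Current.Version) }
    if ($Incoming.Time -ne $Current.Time) { return ($Incoming.Time -gt $Current.Time) }
    return ($Incoming.OrigGuid -lt $Current.OrigGuid)   # same version and time: lower GUID is kept
}

function Sync-DC($Source, $Destination) {
    # Pull replication: the destination presents its HWMV for this source and its UTDV;
    # the source returns only what the destination has not seen yet.
    $hwm = 0
    if ($Destination.HWMV.ContainsKey($Source.Guid)) { $hwm = $Destination.HWMV[$Source.Guid] }
    $sent = 0
    $applied = 0
    foreach ($entry in $Source.Log) {
        if ($entry.LocalUSN -le $hwm) { continue }                    # filtered by the high-watermark value
        $stamp = $entry.Stamp
        $known = 0
        if ($Destination.UTDV.ContainsKey($stamp.OrigGuid)) { $known = $Destination.UTDV[$stamp.OrigGuid] }
        if ($stamp.OrigUSN -le $known) { continue }                    # filtered by the up-to-dateness vector
        $sent = $sent + 1
        if (Test-IncomingWins $Destination.Attrs[$entry.Attr] $stamp) {
            $Destination.USN = $Destination.USN + 1                    # a replicated write also bumps the USN
            $Destination.Attrs[$entry.Attr] = $stamp                   # the stamp travels unchanged
            $Destination.Log += @(@{ LocalUSN = $Destination.USN; Attr = $entry.Attr; Stamp = $stamp })
            $applied = $applied + 1
        }
        $Destination.UTDV[$stamp.OrigGuid] = $stamp.OrigUSN            # seen, whether applied or not
    }
    $Destination.HWMV[$Source.Guid] = $Source.USN
    return ("{0} pulls from {1}: {2} change(s) sent, {3} applied" -f $Destination.Name, $Source.Name, $sent, $applied)
}

# Scenario: three DCs of one domain, replicating in a ring.
$dc1 = New-DC "DC1" "11111111-0000-0000-0000-000000000001"
$dc2 = New-DC "DC2" "22222222-0000-0000-0000-000000000002"
$dc3 = New-DC "DC3" "33333333-0000-0000-0000-000000000003"

# 1. One originating write on DC1 travels DC1 -> DC2 -> DC3 -> DC1. On the last hop DC1's
#    UTDV already lists its own originating USN, so the UTDV filters the change out even
#    though DC3's log entry is above DC1's high-watermark value for DC3.
Write-Originating $dc1 "description" "SCT for Microsoft Lab" ([datetime]"2008-06-01 14:00")
Sync-DC $dc1 $dc2
Sync-DC $dc2 $dc3
Sync-DC $dc3 $dc1

# 2. Conflict: DC1 and DC2 both modify the attribute before replicating. Both writes carry
#    the same version, so the later timestamp (DC2's) wins on both sides once they sync.
Write-Originating $dc1 "description" "Microsoft Lab Manager" ([datetime]"2008-06-01 15:00")
Write-Originating $dc2 "description" "Lab Assistant"         ([datetime]"2008-06-01 15:05")
Sync-DC $dc1 $dc2
Sync-DC $dc2 $dc1
foreach ($dc in @($dc1, $dc2, $dc3)) {
    $s = $dc.Attrs["description"]
    "{0}: USN={1} description='{2}' version={3} origin={4}" -f $dc.Name, $dc.USN, $s.Value, $s.Version, $s.OrigGuid
}
```

Two things in the scenario are worth watching when you run it: after step 1, every DC has a different USN for the same single change, which is why USNs are never compared across DCs; and in step 2, DC1's own write is overwritten without any error on DC1, which is the "last writer wins" behaviour administrators sometimes mistake for a lost change.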
Schema partition: Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest. Therefore, all objects must use the schema object and attribute definitions.
Configuration partition: There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including which domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.
Domain partition: There are as many domain partitions in a forest as there are domains. A domain controller stores the full domain partition only for its own domain. A domain partition contains all domain-specific objects created in that domain, including users, groups, computers, and organizational units, and it is replicated to all domain controllers of that domain. In addition, every domain partition of the forest is stored in the global catalog as a partial, read-only replica that contains only a subset of each object's attributes.
Application partitions: Application partitions store application data in the Active Directory database. For example, DNS stores Active Directory-integrated zones in two application partitions: ForestDNSZones and DomainDNSZones. You can create additional application partitions and choose which domain controllers hold a replica of each.
Replication topology is the set of routes by which replication data travels through the network. Replication occurs between two domain controllers at a time; over time, it synchronizes the Active Directory information of all domain controllers in the forest. To build the topology, Active Directory must determine which domain controllers replicate with which others, using the information stored in Active Directory itself. The topology can differ for the schema, configuration, domain, and application partitions. Because all domain controllers in a forest share the same schema and configuration partitions, those two partitions are replicated to every domain controller in the forest and share one replication topology. Domain controllers of the same domain also replicate the domain partition; every domain partition in the forest has its own replication topology, because a domain partition is replicated only between the domain controllers of that domain. Likewise, the domain controllers that host an application partition replicate that partition among themselves. To optimize replication traffic, a domain controller may have several replication partners, one set per partition. Active Directory replicates each update to the domain controllers of the forest that hold the updated partition.
Configures replication connections (connection objects) between domain controllers. Each connection object defines incoming replication from a replication partner. Within a site, each KCC generates its own connections. For replication between sites, a single KCC per site generates all connections between sites.
Converts the connection objects that represent inbound replication to the local domain controller into the replication agreements that are actually used by the replication engine. By default, the KCC reviews and makes modifications to the Active Directory replication topology every 15 minutes to ensure propagation of data, either directly or transitively, by creating and deleting connection objects as needed. The KCC recognizes changes that occur in the environment and ensures that domain controllers are not orphaned in the replication topology. When the KCC builds the topology, it must determine which servers that are present in each site in order to construct an efficient topology. The following objects provide the information required by the KCC to create the topology:
Server object: All domain controllers are identified as server objects in the configuration directory partition, broken down by site.
The NTDS Settings object: Each server object that represents a domain controller has a child NTDS Settings object, which identifies the domain controller as having Active Directory installed. The NTDS Settings object must be present for the server to be considered as part of the replication topology. The presence of these objects also determines the site in which the domain controller is to be located. For example, the distinguished name of the NTDS Settings object contains the site to which that domain controller belongs. If the server is physically located in one site but is configured for another site in Active Directory, the KCC uses the information in Active Directory to construct the topology. Therefore, the improper configuration of servers in sites can affect network bandwidth. Within a site, all KCCs generate connection objects for replication within the site. When there is more than one site, a single KCC in each site generates all connection objects for replication between sites.
single site communicate frequently. This minimizes the latency within the site, that is, the time required for a change made on one domain controller to be replicated to the others. You create sites to optimize the use of bandwidth between domain controllers in different locations, and you use them to control replication traffic, logon traffic, and client requests to the global catalog server.
In Active Directory, sites define the physical structure of the network. A site is defined by a set of TCP/IP subnets and in turn defines a group of domain controllers connected by links of similar speed and cost. Sites contain server objects, which contain the connection objects that enable replication. Subnet objects identify the network addresses used to map computers to sites; a subnet is a segment of a TCP/IP network to which a set of logical IP addresses is assigned. Because subnet objects map to the physical network, so do sites. For example, if three subnets are located at three campuses in a city connected by high-speed, highly available links, you could associate those three subnets with one site. A site can consist of one or more subnets: on a network with three subnets in Redmond and two in Paris, you can create a site in Redmond, a site in Paris, and add the subnets to the respective sites.
Active Directory creates a default site, called Default-First-Site-Name, when you install the first domain controller of a forest. You can rename it to something more descriptive. The first domain controller of the forest is automatically placed in this default site.
Site links represent the wide area network connections between sites. AD DS uses them to decide when replication occurs between sites and which path to use to replicate directory partitions between sites.
You have several parameters to configure on a site link:
Cost: A value you configure on site links to represent the bandwidth (and price) of the connection between the sites. If there are multiple paths between two sites, AD DS selects the path with the lowest total cost.
Replication frequency: Determines how often, in minutes, replication occurs across this site link during the periods allowed by the schedule. With a value of 60, replication occurs every hour on this site link (the default is 180 minutes, the minimum 15).
Schedule: Determines when replication is allowed to occur. You can specify the time ranges during which replication is allowed on the site link.
To manage sites, site links and subnets, you have to use the Active Directory Sites and Services console.
Replication within a site:
The network connections within a site are assumed to be reliable and to have sufficient available bandwidth.
Replication traffic within a site is not compressed because a site assumes fast, highly reliable network links. Not compressing replication traffic helps reduce the processing load on the domain controllers. However, uncompressed traffic may increase the network bandwidth that replication messages require.
A change notification process initiates replication within a site.
Replication between sites:
The network links between sites have limited available bandwidth and may not be reliable.
Replication traffic between sites is designed to optimize bandwidth by compressing all replication traffic between sites. Replication traffic is compressed to 10 - 15 percent of its original size before it is transmitted. Although compression optimizes network bandwidth, it imposes an additional processing load on domain controllers, both when it compresses and decompresses replication data.
Replication between sites happens automatically after you define configurable values, such as a schedule or a replication interval. You can schedule replication for inexpensive or off-peak hours. By default, changes are replicated between sites according to a schedule that you define manually, not according to when changes occur. The schedule determines when replication can occur. The interval specifies how often domain controllers check for changes during the time that replication can occur.
If the intersite topology generator determines that its own site is the only site, it performs no further processing because no connections between sites are possible in the current configuration. The current owner of the intersite topology generator role is communicated through the normal Active Directory replication process. Initially, the first domain controller in the site becomes the ISTG for the site. The role does not change as additional domain controllers are added to the site until the current intersite topology generator becomes unavailable. To determine the ISTG role owner for a site, use the Active Directory Sites and Services console and open the NTDS Site Settings Properties of the site. The current role owner appears in the Server box under Inter-Site Topology Generator.
Remote Procedure Call (RPC) over IP. RPC is the default protocol. An industry standard protocol for client/server communications, RPC over IP provides reliable, high-speed connectivity within sites. Between sites, RPC over IP enables replication of all Active Directory partitions. RPC over IP is the best transport protocol for replication between sites.
Simple mail transfer protocol (SMTP). SMTP supports replication of the schema, configuration, and global catalog between sites and between domains. You cannot use this protocol for replication of the domain partition, because some domain operations -for example, Group Policy - require the support of the File Replication service (FRS), which does not support an asynchronous transport for replication. If you use SMTP, you must install and configure a certificate authority to sign the SMTP messages and ensure the authenticity of directory updates. Additionally, SMTP does not provide the same level of data compression as RPC over IP.
applied in Active Directory Domain Services. This feature is used by read-only domain controllers (RODCs). Because no changes are written directly to the RODC, no changes originate at the RODC, so the writable domain controllers that are its replication partners never pull changes from it. This means that any changes or corruption a malicious user might make at a branch location cannot replicate from the RODC to the rest of the forest. It also reduces the workload of bridgehead servers in the hub and the effort required to monitor replication. The RODC only has inbound connection objects from Windows Server 2008 writable domain controllers of the domain; there is no outbound connection. The RODC therefore cannot initiate replication and cannot notify other domain controllers of changes. This is an additional layer of security. RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of SYSVOL; the RODC performs normal inbound replication for AD DS and SYSVOL changes.
In this picture, only connections that are used to replicate Schema and Configuration partitions are shown.
Faster logon times since authenticating domain controllers no longer need to access a global catalog to obtain universal group membership information.
No need to upgrade hardware of existing domain controllers to handle the extra system requirements necessary for hosting a global catalog.
Minimized network bandwidth usage since a domain controller will not have to handle replication for all of the objects located in the forest.
Active Directory Sites and Services: MMC used to manage the physical structure (sites, site links, subnets) and replication in your forest. Most of the common tasks concerning replication can be performed from this console
Repadmin: Command-line tool used to administer and troubleshoot replication. All replication configuration and diagnosis can be performed with this tool.
DcDiag: Command line tool that you can use to monitor replication between domain controllers.
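As an added example (not part of the course material), the following PowerShell script combines the two command-line tools just described into a replication health check: repadmin lists inbound replication partners with failures, and dcdiag runs its Replications test against one domain controller. It assumes a privileged account on a DC or an admin workstation where repadmin.exe and dcdiag.exe are installed (AD DS role or RSAT), and relies on the column names repadmin emits in its /csv output.

```powershell
# Added example, not part of the course material: a replication health check
# built on the two command-line tools described above, repadmin and dcdiag.
# Assumptions: run with a privileged account on a DC or an admin workstation
# that has repadmin.exe and dcdiag.exe (AD DS role or RSAT) installed.

function Get-ReplicationFailures {
    # repadmin writes its /showrepl report as CSV when asked; '*' covers all DCs.
    # The column names used below are the ones repadmin emits in that CSV.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

function Test-InboundReplication {
    param([string]$DomainController = $env:COMPUTERNAME)
    # dcdiag's Replications test checks inbound replication of the named DC and
    # reports each result as "passed test" or "failed test".
    $lines  = dcdiag /test:replications "/s:$DomainController"
    $failed = @($lines | Select-String -Pattern 'failed test')
    [pscustomobject]@{
        DomainController = $DomainController
        Passed           = ($failed.Count -eq 0)
        Report           = ($lines -join [Environment]::NewLine)
    }
}

# Usage: list partners with failures (an RODC only ever appears as a destination,
# since it has no outbound connection object), then run dcdiag against this DC.
$failures = @(Get-ReplicationFailures)
if ($failures.Count -gt 0) { $failures | Format-Table -AutoSize }
else { 'repadmin reports no inbound replication failures.' }
Test-InboundReplication | Format-List DomainController, Passed
```

Running this on a schedule and alerting on a non-empty failure list or a failed dcdiag test gives the routine replication monitoring the course refers to without opening the MMC.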
1. Course
1.1. Overview of Group Policies
This lesson introduces how you can use Group Policy to simplify the management of users and computers in an Active Directory infrastructure. You will learn how Group Policies are structured and applied.
Deploy software
Enforce a consistent desktop environment. For example, you can configure the desktop wallpaper or prohibit access to some Windows components like the Control Panel... By default, in each domain, you have two Group Policy Objects created and configured.
Default Domain Controller Policy: This GPO enforces some settings for all domain controllers in the domain. It is linked on the Domain Controllers OU.
Default Domain Policy: This GPO enforces some settings for all computer and user accounts in the domain. For example, in this GPO, you have a default password policy that applies on all computers in the domain, like password complexity, password length, age, etc... Group Policy settings are contained in Group Policy objects (GPOs), which live in the domain and can be linked to the following Active Directory containers: sites, domains, or organizational units (OUs).
Startup scripts run.
For client computers and member servers, Group Policy is also refreshed every 90 minutes plus a random offset of between 0 and 30 minutes, so that not every computer refreshes Group Policy at the same time. You can configure this refresh interval.
When the user logs on:
Logon scripts run.
User settings are also refreshed every 90 minutes plus a random offset of between 0 and 30 minutes. For domain controllers, Group Policy is refreshed every 5 minutes to ensure that settings for domain controllers are applied as soon as possible.
Many GPO settings take two logons to take effect.
Additional exceptions:
The Group Policy Container (GPC) is stored in Active Directory under the CN=Policies,CN=System container within each domain. It contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers can access the GPC to locate Group Policy templates, and domain controllers can access the GPC to obtain version information. If the domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.
The Group Policy Template (GPT) is a folder hierarchy in the SYSVOL shared folder, under Policies folder, on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder using SMB (Server Message Block) to obtain the settings. The name of the GPT folder is the globally unique identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is %systemroot%\SYSVOL\sysvol.
processing order through enforcement, blocking inheritance, security filtering, and Windows Management Instrumentation (WMI) filters or using the loopback processing mode. In this part, you will learn about these possibilities.
Block inheritance: If you don't want an OU to inherit Group Policies applied on a higher level, you can block inheritance on this OU. To block inheritance, in the Group Policy Management console, right click on the concerned OU and then select Block inheritance.
Enforcement: You can enforce the application of a Group Policy to ensure that the settings configured on this Group Policy will be applied even if there are conflicts with Group Policy settings applied on a lower level, or even if inheritance is blocked somewhere. To enforce the application of a GPO, in the Group Policy Management console, select the link concerned, right click and select Enforce.
Filtering using security groups or WMI filters: By default, all Group Policies are applied to the Authenticated Users group on each container. By filtering using security groups, you can specify to which groups this GPO will be applied. WMI filters allow you to specify hardware or software characteristics to filter dynamically on which computers the GPO will apply. A common example is when you deploy software with Group Policy: you want to ensure that the software is deployed only if the target computer has at least 1 GB of free disk space. You can do this using a WMI filter.
Disabling GPOs: You can disable a GPO. When you do this, the GPO still exists and remains linked to the containers it was linked to before, but the settings from this GPO no longer apply until it is enabled again.
Merge mode: Merges the user settings configured on GPOs that apply to the user account with the user settings configured on GPOs that apply to the computer account. If there are conflicts, the user settings from GPOs applying to the computer account win.
Replace mode: Applies only the user settings coming from GPOs that apply on the computer account.
System administrators need to know how policy settings affect computers and users in a managed environment. This information is essential when planning policy for a network and when debugging existing policy. Obtaining the information can be a complex task when you consider the many combinations of sites, domains, and organizational units that are possible, and the many types of Group Policy settings that can exist. Further complicating the task are security group filtering and the inheritance, blocking, and enforcement of Group Policies. The GPResult command-line tool and the Group Policy Management Console (GPMC) provide reporting features to simplify these tasks.
Both tools are similar but they each provide different information.
To get help on the GPResult.exe command-line tool, you can run the gpresult /? command.
Use a migration table to map them to new values in the new GPO
Creating Group Policy objects: You can put user or group accounts in the Group Policy Creator Owners group, or you can explicitly assign permissions on the Group Policy Objects container in the GPMC.
Editing Group Policy objects: You can assign edit permissions on individual policies to specific users or groups.
Managing Group Policy links for a site, domain, or OU: You can assign the right to link GPOs on a site, domain, or OU using the GPMC.
Create WMI filters in a domain: You can assign the right to create WMI filters on the WMI Filters container using the GPMC.
Deploy software
1. Course
1.1. Configuring Group Policy Settings
We have seen in the previous lesson that there are a lot of different Group Policy settings. Some settings are very simple and you can only choose to enable or disable them, but some others are more complex and can require more configuration. In this part, we will see how to configure various settings.
Enabled: it means the setting will be applied. For example, if the setting is "Prohibit access to the Control Panel", users affected by this setting will not be able to access the Control Panel unless a lower-level Group Policy specifies the contrary.
Disabled: it means this setting will not be applied. In our example, if a domain-level policy prohibits access to the Control Panel and you want users in the Admin OU to have access to the Control Panel, you can configure a new Group Policy at the Admin OU level with the setting "Prohibit access to the Control Panel" set to Disabled.
Not configured: it means the setting is not configured, so clients ignore it. Be careful about the meaning of a setting when you configure it. If you want to remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands in the Start menu, you have to enable the "Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands" setting, not disable it.
But some settings require a more complex configuration with multiple values. If there is a conflict between two values in two different GPOs, all the values from the winning GPO are applied.
the pagefile to make the environment more secure. You can use Group Policy to assign different kinds of scripts. In Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown):
Startup scripts: scripts that are executed when the computer starts.
Shutdown scripts: scripts that are executed when the computer shuts down.
By default, startup scripts run synchronously: the system waits for each script to complete before it runs the next startup script. You can change this behaviour with Group Policy by enabling the setting found in Computer Configuration\Policies\Administrative Templates\System\Scripts\Run startup scripts asynchronously.
In User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff):
Logon scripts: scripts that are executed when the user logs on to a computer.
Logoff scripts: scripts that are executed when the user logs off.
By default, logon scripts run asynchronously: all configured scripts run at the same time when the user logs on. You can change this behaviour on computers with Group Policy by enabling the setting found in Computer Configuration\Policies\Administrative Templates\System\Scripts\Run logon scripts synchronously.
Here is an example of a logon script used to map a network drive automatically when users log on to a computer. In this example, we map the Accounting shared folder to the Z: drive on the computer. We configure this script in a Group Policy linked to the Accounting organizational unit. As a result, every time a user account from the Accounting OU is used to log on to a computer, the network drive is created on that computer.
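The course's own script is not reproduced on this page, so here is an added PowerShell version of the logon script described above (not the course's code). It maps the Accounting share to Z: and is meant to be assigned under User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff) in a GPO linked to the Accounting OU. The file server name FS01 and the share path are placeholders to replace with your own.

```powershell
# Added example, not the course's own script: a logon script that maps the
# Accounting shared folder to drive Z:, as described above. Deploy it with a
# GPO linked to the Accounting OU under User Configuration\Policies\
# Windows Settings\Scripts (Logon/Logoff).
# Assumed values: the file server name FS01 and the share name Accounting are
# placeholders to replace with your own.

function Connect-AccountingDrive {
    param(
        [string]$DriveLetter = 'Z:',
        [string]$SharePath   = '\\FS01\Accounting'   # placeholder UNC path
    )
    # WScript.Network works in every PowerShell version shipped with Windows
    # Server 2008 / Vista clients and creates a mapping visible in Explorer.
    $net = New-Object -ComObject WScript.Network

    # EnumNetworkDrives returns a flat list: letter, path, letter, path, ...
    # Remove an existing Z: mapping so the script is safe to run repeatedly.
    $existing = $net.EnumNetworkDrives()
    for ($i = 0; $i -lt $existing.Count; $i += 2) {
        if ($existing.Item($i) -eq $DriveLetter) {
            $net.RemoveNetworkDrive($DriveLetter, $true, $true)   # force, update profile
        }
    }

    # The logged-on user's own credentials are used; no password is stored here.
    # $false: not persistent, the GPO re-creates the mapping at each logon.
    try {
        $net.MapNetworkDrive($DriveLetter, $SharePath, $false)
        return $true
    }
    catch {
        # Logon scripts have no visible console; keep a trace the helpdesk can read.
        "$(Get-Date -Format s) failed to map $DriveLetter to $SharePath : $_" |
            Add-Content -Path (Join-Path $env:TEMP 'map-accounting-drive.log')
        return $false
    }
}

Connect-AccountingDrive | Out-Null
```

Because the script runs under the user's own account, access to the share is still governed by the share and NTFS permissions; the script only creates the drive letter.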
Desktop
Start Menu
In Windows Vista, you can redirect some extra folders:
Contacts
Downloads
Favorites
Searches
Links
It can be useful when you want users to share the same content for some of these folders, or when you want to give access to the content of these folders regardless of the computer the users log on to. For example, if you redirect the Documents folder to a file server, users can access their documents on every computer and not only on the computer where they created them. Folder redirection works with the Offline Files feature, so files on the server and files on the client computer are synchronized. The client computer also keeps a locally cached copy so that users can access their files even when they cannot connect to the server (mobile users, network problems, etc.).
Windows Components
System
Network
Windows Components
Desktop
Control panel
Shared folders
Network
System
defined setup rules during the installation process. Windows Installer contains two components:
Windows Installer service. This client-side service fully automates the software installation and configuration process. The Windows Installer service can also modify or repair an existing installed application. It installs an application either directly from the CD-ROM or by using Group Policy. To install an application, the Windows Installer service requires a Windows Installer package.
Windows Installer package. This package file contains all of the information that the Windows Installer service requires to install or uninstall software. A package file contains:
Any external source files that are required to install or uninstall the software.
The product files or a reference to an installation point where the product files reside.
wizard, and then choose the .msi file on which to base transforms. You must determine the order in which to apply transform files before assigning or publishing the application.
Mandatory upgrades: These upgrades automatically replace an old version of software with an upgraded version. For example, if users currently use software version 1.0, this version is removed, and software version 2.0 is installed the next time that the computer starts or the user logs on.
Optional upgrades: These upgrades allow users to decide when to upgrade to the new version. For example, users can determine if they want to upgrade to version 2.0 of the software or continue using version 1.0.
Selective upgrades: If some users require an upgrade but not others, you can create multiple GPOs that apply to the users who require the upgrade and create the appropriate software packages in them.
When you assign software to a user, the Start menu, desktop shortcuts, and registry settings that are relevant to the software are updated the next time the user logs on. The next time the user starts the software, the service pack or software update is automatically applied.
When you assign software to a computer, the service pack or software upgrade is automatically applied the next time the computer starts.
When you publish and install software, the Start menu, desktop shortcuts, and registry settings that are relevant to the software are updated the next time the user logs on. The next time the user starts the software, the service pack or software upgrade is automatically applied.
Forced removal: You can force the removal of the software, which automatically deletes it from a computer the next time the computer starts or the next time a user logs on.
Optional removal: You can remove the software from Software Installation without forcing the physical removal of the software. Software is not actually removed from computers. The software no longer appears in Add or Remove Programs, but users can still use it. If users manually delete the software, they cannot reinstall it.
1. Course
It is very important for an organization to have a well designed security policy; if the organization does not have an adequate policy, it is exposed to many risks. A well designed policy helps to protect investments in business information and internal resources, like hardware and software. For this you can use Group Policies, which provide a standardized way to control the security of the environment. In fact, having a security policy is not enough: to be effective, the policy has to be implemented.
If you want to secure your network environment, all users have to use strong passwords. Password policy settings allow you to control the complexity and lifetime of passwords. Password policy settings can be configured through Group Policy.
Store password using reversible encryption: disabled
Account lockout
Lockout duration: not defined
Reset account lockout after: not defined
Kerberos
Can only be applied at the domain level
User: read
This folder does not exist until you configure an LGPO. If read permission is withdrawn from the local Administrators group, Group Policy does not apply. In this way you can exempt local administrators from a Group Policy object even though they have the Apply Group Policy permission set to Allow.
New Microsoft Management Console (MMC) snap-in for graphical user interface (GUI) configuration
Firewall filtering and Internet Protocol security (IPsec) protection settings are integrated
Rules (exceptions) can be configured for Active Directory service accounts and groups, source and destination IP addresses, IP protocol number, source and destination TCP and UDP ports, all or multiple TCP or UDP ports, specific types of interfaces, ICMP and ICMPv6 traffic by Type and Code, and for services
In previous Active Directory domains, it was possible to apply only one password and account lockout policy to all users in the domain. With fine-grained password policies, you are now able to have different password requirements and account lockout policies for different Active Directory users or groups. This can be very useful when you want different users to have different password requirements but do not want separate domains. For example, the Domain Admins group may need strict password requirements that you do not want to apply to ordinary users. If you do not implement fine-grained password policies, the normal default domain account policies apply to all users.
Password Settings Object (PSO)
The System container in the domain is where the PSC object class is created by default, and the PSC is the container that contains the domain's PSOs. It is not possible to rename, move or delete this container. A PSO has attributes for all the settings that can be defined in the Default Domain Policy (except Kerberos settings). These settings include attributes for the following password settings:
These settings also include attributes for the following account lockout settings:
Reset account lockout counter after
In addition, a PSO has the following two new attributes:
PSO link: this is a multivalued attribute that is linked to user and group objects.
Precedence: this is an integer value that is used to resolve conflicts if multiple PSOs are applied to a user or group object.
All attributes except msDS-PSOAppliesTo are mustHave attributes. This means that you must define a value for each one. Settings from multiple PSOs cannot be merged.
Note: PSOs can be created through ADSI Edit or LDIFDE.
Note: PSOs can only be applied to users or global groups.
A PSO has an attribute named msDS-PSOAppliesTo that contains a forward link to only user or group objects. The msDS-PSOAppliesTo attribute is multivalued, which means that you can apply a PSO to multiple users or groups. You can create one password policy and apply it to different sets of users or groups.
A new attribute named msDS-PSOApplied has been added to the user and group objects in Windows Server 2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDS-PSOApplied attribute is a back-link, a user or group can have multiple PSOs applied to it. In this case, the Resultant Set of Policy (RSOP), represented by the new msDS-ResultantPSO attribute, must be calculated for that user. There are three major steps involved in implementing fine-grained password policies:
Apply PSOs to the appropriate users or global security groups
You can link a PSO to other types of groups in addition to global security groups, such as shadow groups, with which you can apply a PSO to all users that do not already share a global group membership. However, when the RSOP for a user object is being determined, only those PSOs that are directly linked to the user object or to the global security groups that the user is a member of are considered. PSOs that are linked to distribution groups or other types of security groups are ignored. Although a user or group object can have multiple PSOs linked to it, only one PSO can be applied as the effective password policy. Only the settings from that PSO can affect the user or group. The settings from other PSOs that are linked to the user or group cannot be merged in any way. RSOP can be calculated only for a user object. The PSO can be applied to a user object in either of the following two ways:
Indirectly: The PSO is linked to groups that the user is a member of. Each PSO has an additional attribute that assists in the calculation of RSOP: the precedence. A lower value for the precedence attribute indicates that the PSO has a higher rank, or a higher priority, than other PSOs. If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:
A PSO that is linked directly to the user object is the resultant PSO. If there is no PSO linked directly, it's the PSO with the lowest value for the precedence attribute that will be applied.
If no PSO is obtained from the preceding conditions, the Default Domain Policy is applied.
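As an added example (not from the course), the three steps above and the RSOP rules just listed, carried out with the ActiveDirectory PowerShell module. That module ships with Windows Server 2008 R2 and RSAT; on Windows Server 2008 itself the course's methods (ADSI Edit or LDIFDE) apply. The PSO name, the group and the user are illustrative, and the setting values are choices made for this example.

```powershell
# Added example, not part of the course: the three steps above carried out with
# the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT; on
# Windows Server 2008 itself PSOs are created with ADSI Edit or LDIFDE, as the
# text says). Assumed names: the PSO 'PSO-Admins', the global security group
# 'Domain Admins' and the user 'jdoe' are illustrative; the setting values are
# choices made for this example.
Import-Module ActiveDirectory

# Steps 1 and 2: create the PSO and give every mustHave attribute a value.
# Precedence 10: a lower number wins if several group-linked PSOs reach one user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00'

# Step 3: link it. Subjects can only be users or global security groups;
# this fills the multivalued msDS-PSOAppliesTo attribute of the PSO.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

function Get-EffectivePasswordPolicyName {
    param([Parameter(Mandatory = $true)][string]$User)
    # RSOP is computed for user objects only: a PSO linked directly to the user
    # wins, otherwise the lowest precedence among the user's global security
    # groups, otherwise the Default Domain Policy (the cmdlet returns nothing).
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) { $pso.Name } else { 'Default Domain Policy' }
}

# Verify: what the PSO applies to (AppliesTo mirrors msDS-PSOAppliesTo),
# and which policy the user actually gets (msDS-ResultantPSO).
Get-ADFineGrainedPasswordPolicy -Identity 'PSO-Admins' |
    Select-Object Name, Precedence, AppliesTo
Get-EffectivePasswordPolicyName -User 'jdoe'
```

Checking the resultant policy for a few representative accounts after each change is the practical way to confirm that precedence resolved the way you intended, since settings from several linked PSOs are never merged.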
For any group on a local computer by applying a GPO to the OU that holds the computer account
For any group in Active Directory by applying a GPO to the domain controller
Providing a way to define a list of which code is trusted and which is not.
Providing a flexible, policy-based approach for regulating scripts, executables and ActiveX controls.
Enforcing the policy automatically.
There are three steps to create and apply a Software Restriction policy:
1. You create the policy with the Group Policy MMC snap-in for a particular Active Directory container such as a site, domain or organizational unit.
2. After the policy is created, it is downloaded and applied to a machine. User policies apply the next time a user logs on. Machine policies apply when a machine starts up.
3. When a user starts a program or script, the operating system or scripting host checks the policy and enforces it.
Unrestricted or Disallowed
You can create a Software Restriction policy with the MMC Group Policy snap-in. A policy consists of a default rule, which determines whether programs are allowed to run, and exceptions to that rule. The default rule can be set to Unrestricted or Disallowed (run or don't run). When you set the default rule to Unrestricted, you can define exceptions, for example programs you do not want to allow to run. A more secure approach is to set the default rule to Disallowed and then specify only those programs that should be able to run, that is, the ones that are known and trusted.
Default Security level
There are two ways to use software restriction policies:
If you know all of the software that should run, you can apply a software restriction policy that lets only the software you trust run.
If all the applications that users might run are not known, you can step in and disallow undesired applications or file types as needed.
Path - the local or universal naming convention (UNC) path where the file is stored
Zone - Internet zone
Hash Rules
A hash rule is a cryptographic fingerprint that is used to identify a file regardless of where it is accessed from or what its name is. You may not want users to run a certain version of a program that has security or privacy bugs, or that compromises system stability. Because this kind of rule is based on a cryptographic calculation over the file contents, the file still matches the rule even when you move or rename the program. A hash rule consists of three pieces of data, separated by colons:
File length
Hash algorithm ID
Certificate Rules
A certificate rule specifies a code-signing (software publisher) certificate. Certificates used in a certificate rule can be issued by a commercial certificate authority (CA) such as VeriSign, by a Windows Server PKI, or be self-signed. This kind of rule is a strong way to identify software because it uses the signed hashes contained in the signature of the signed file to match files regardless of name or location. If you want to make an exception to a certificate rule, you can use a hash rule to identify the exception.
Path Rules
A path rule can specify a folder or a fully qualified path to a program. When a path rule specifies a folder, each program contained in this folder and its sub-folders is matched.
Note: both local and UNC paths are supported.
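To make the hash rule concrete, here is an added PowerShell example (not from the course) that computes the three pieces a hash rule is made of (the hash, the file length and the hash algorithm ID, separated by colons) and checks whether a file matches a stored rule whatever its name or location. The algorithm IDs used are the Windows CryptoAPI constants CALG_MD5 (0x8003) and CALG_SHA1 (0x8004); the sample file is constructed by the script itself.

```powershell
# Added example, not from the course: the data a hash rule is built from (the
# hash itself, the file length and the hash algorithm ID, separated by colons)
# computed for a file, plus a check that a file matches a stored rule whatever
# its name or location. The algorithm IDs are the CryptoAPI values CALG_MD5
# (0x8003) and CALG_SHA1 (0x8004); the sample file below is constructed here.

function Get-HashRuleData {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [ValidateSet('MD5', 'SHA1')][string]$Algorithm = 'SHA1'
    )
    $algId  = @{ MD5 = 0x8003; SHA1 = 0x8004 }[$Algorithm]
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        # Hash the contents, not the name or path: that is why moving or
        # renaming the program does not change the result.
        $hashHex = ($hasher.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        $length  = $stream.Length
    }
    finally { $stream.Close() }
    [pscustomobject]@{
        Hash        = $hashHex
        FileLength  = $length
        AlgorithmId = $algId
        Rule        = '{0}:{1}:{2}' -f $hashHex, $length, $algId
    }
}

function Test-HashRuleMatch {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Rule
    )
    $hashHex, $length, $algId = $Rule -split ':'
    $algorithm = if ([int]$algId -eq 0x8003) { 'MD5' } else { 'SHA1' }
    $actual = Get-HashRuleData -Path $Path -Algorithm $algorithm
    # Both the fingerprint and the length must agree for the rule to apply.
    ($actual.Hash -eq $hashHex) -and ($actual.FileLength -eq [long]$length)
}

# Constructed demonstration: a copy under a different name still matches the rule.
$original = Join-Path $env:TEMP 'sample-tool.bin'
[System.IO.File]::WriteAllText($original, 'constructed sample content, not a real program')
$rule = (Get-HashRuleData -Path $original -Algorithm 'MD5').Rule
$renamed = Join-Path $env:TEMP 'moved-and-renamed.dat'
Copy-Item -Path $original -Destination $renamed -Force
Test-HashRuleMatch -Path $renamed -Rule $rule
```

The same property that makes hash rules robust against renaming also means a rule stops matching as soon as a program is updated, so each new version of an allowed (or disallowed) program needs its own hash rule, which is why the text recommends certificate rules for signed software.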
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
File System
Blocking unused ports and securing ports that are left open using IPsec
Configuring audit settings
SCW helps you create the security policy you need correctly: it determines the functionality required by a server's role and disables all functionality that is not necessary.
With SCW you create your policy in five steps; in each step you configure security for one of these sections:
Network Security
Registry Settings
Audit Policy
Internet Information Services
Once a policy is created, it can be edited or applied to one or more similarly configured servers. Applied policies can be rolled back in order to undo changes that have caused problems. To edit, apply, or roll back a security policy, the policy must have been created with SCW. The security policies that you create with SCW are XML files, and when you apply them, they configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS).
Note: these security policies can be integrated in Active Directory.
Note: it is possible to configure a security policy on a remote server with SCW.
SCW also includes a command-line tool, Scwcmd.exe, which you can use for the following tasks:
1.4.3. Options for integrating the Security Configuration Wizard and Security Templates
When you create a security policy with SCW, you can include custom security templates. The settings available in SCW partially overlap the settings available in security templates; neither set of configuration changes totally includes the other. For example, SCW includes IIS settings that are not present in any security template. Conversely, security templates can include items such as Software Restriction policies, which cannot be configured through SCW.
Learn How to Monitor Active Directory Domain Servers Using Reliability and Performance Monitor
Learn How to Configure Active Directory Domain Services Auditing
Required knowledge:
Monitoring basics.
Auditing basics.
1. Course
To manage and administer an organization's systems, it is important to understand the tools that you can use to monitor system health. By using tools like Event Viewer, Reliability and Performance Monitor, and auditing policies, you will be better able to anticipate issues and manage everyday events.
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple remote computers. Event Viewer provides the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. You can use Event Viewer to create custom views. Custom views are filters that are named and saved. After creating and saving a custom view, you can reuse it without re-creating its underlying filter. To reuse a custom view, navigate to the Custom Views category in the console tree and select the custom view's name. By selecting the custom view, you apply the underlying filter and the results are displayed. You can import and export custom views, enabling you to share them between users and computers. The System and Application logs still provide general information and log events from many areas, but Event Viewer now provides granular information about Active Directory and other services, like Group Policy, Offline Files, the Windows Update client and many others.
1.2. Monitoring Active Directory Domain Servers using Reliability and Performance Monitor
1.2.1. Overview of Performance and Reliability monitoring
In general, performance is the measure of how quickly a computer completes application and system tasks. Use performance monitoring to track a range of processes and display the results. You can use performance monitoring to assist you with upgrade planning, tracking processes that need to be optimized, and understanding a workload and its effect on resource usage to identify bottlenecks. Overall system performance might be limited by the access speed of the physical hard disk, the amount of available memory, the processor speed or the throughput of the network interfaces.
Windows Reliability and Performance Monitor enables you to track the performance impact of applications and services, and to generate alerts or take action when user-defined thresholds for optimum performance are exceeded. Windows Reliability and Performance Monitor provides the features outlined below:
Resource View
Reliability Monitor
Generate Reports
degraded performance and jeopardized service levels. For example, you can use performance indicators to set a baseline and monitor for low disk space on the disk drives that contain the Active Directory database and log files, and you can monitor CPU usage of a domain controller. You can also monitor critical services running on a domain controller. Monitoring these indicators allows the administrator to ensure adequate performance. To determine an accurate baseline, monitor and collect data for a time period that is long enough to represent peak and low usage. For example, monitor during the time in the morning when the greatest number of users log on. Monitor for an interval that is long enough to span your password change policy and any month-end or other periodic processing that you perform. Also, collect data when network demands are low to determine this minimal level. Be sure to collect data when your environment is functioning properly. To accurately assess what is acceptable for your environment, remove data caused by network outages or other failures when you establish your baseline. The baseline that you establish for your environment can change over time as you add new applications, users, hardware, and domain infrastructure to the environment, and as the expectations of users change.
1.2.2.2. Monitoring Service Availability With the Reliability Monitor
A system's reliability is the measure of how often it deviates from configured, expected behavior. The Reliability Monitor calculates a system stability index that reflects whether unexpected problems reduced the system's reliability. A graph of the stability index over time quickly identifies dates when problems began to occur. The accompanying System Stability Report provides details to help troubleshoot the root cause of reduced reliability.
The Reliability Monitor begins to collect data at the time of system installation and must run for at least 24 hours before the data is displayed in the system stability chart. By viewing changes to the system (installation or removal of applications, updates to the operating system, or addition or modification of drivers) side by side with failures (application failures, operating system crashes, or hardware failures), you can develop a strategy for addressing the issues quickly. On your domain controller, the Reliability Monitor helps you find problems that can happen; by using this monitor, you will be able to identify the source of a problem, and it will be easier for you to find the remediation method in order to provide and maintain the high availability of your domain controller. With the Windows Server 2008 new features, Performance Monitor is now able to collect data using Data Collector Sets, which group data collectors into reusable elements for use with different performance monitoring scenarios.
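The indicators named in the baseline discussion above (free space on the volumes holding the AD DS database and log files, CPU usage, and critical services) can be sampled from a script as well as from the console. The following is an added PowerShell example, not from the course; it assumes it runs locally on the domain controller as an administrator, reads the database and log locations from the NTDS service parameters in the registry, and the thresholds and service list are choices made for this example.

```powershell
# Added example, not from the course: a baseline-style health check for a
# domain controller covering the indicators named above: free space on the
# volumes holding the AD DS database and log files, CPU usage, and the state
# of critical services. Assumptions: run locally on the DC as an administrator;
# the thresholds and the service list are choices made for this example.

function Get-NtdsPaths {
    # AD DS records where ntds.dit and its log files live under this key.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        Database = $p.'DSA Database file'
        LogPath  = $p.'Database log files path'
    }
}

function Get-FreeSpaceGB {
    param([Parameter(Mandatory = $true)][string]$Path)
    $deviceId = ([System.IO.Path]::GetPathRoot($Path)).TrimEnd('\')   # e.g. C:
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$deviceId'"
    [math]::Round($disk.FreeSpace / 1GB, 2)
}

function Get-AverageCpuPercent {
    param([int]$Samples = 5)
    $counter = Get-Counter -Counter '\Processor(_Total)\% Processor Time' `
                           -SampleInterval 1 -MaxSamples $Samples
    $avg = ($counter.CounterSamples | Measure-Object -Property CookedValue -Average).Average
    [math]::Round($avg, 1)
}

function Test-DomainControllerHealth {
    param(
        [double]$MinFreeGB     = 5,
        [double]$MaxCpuPercent = 80,
        # AD DS itself plus services it depends on or that depend on it.
        [string[]]$CriticalServices = @('NTDS', 'DNS', 'Kdc', 'Netlogon', 'W32Time', 'IsmServ')
    )
    $paths   = Get-NtdsPaths
    $dbFree  = Get-FreeSpaceGB -Path $paths.Database
    $logFree = Get-FreeSpaceGB -Path $paths.LogPath
    $cpu     = Get-AverageCpuPercent
    $stopped = @(Get-Service -Name $CriticalServices -ErrorAction SilentlyContinue |
                 Where-Object { $_.Status -ne 'Running' } |
                 ForEach-Object { $_.Name })
    [pscustomobject]@{
        DatabaseFile    = $paths.Database
        DbFreeSpaceGB   = $dbFree
        LogFreeSpaceGB  = $logFree
        AvgCpuPercent   = $cpu
        StoppedServices = $stopped
        Healthy         = ($dbFree -ge $MinFreeGB) -and ($logFree -ge $MinFreeGB) -and
                          ($cpu -le $MaxCpuPercent) -and ($stopped.Count -eq 0)
    }
}

Test-DomainControllerHealth | Format-List
```

Collecting this output over the peak and quiet periods the text describes (morning logon storms, password-change cycles, month-end processing) and discarding samples taken during outages is what turns the raw numbers into a usable baseline; the thresholds in the script are only the starting point to adjust against that baseline.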
1. Course
1.1. Maintaining the AD DS Domain Controllers
Maintaining the AD DS database is an important administrative task: it lets you repair the Active Directory database and recover lost or corrupted data when problems occur, so you should schedule it regularly. You should know that Active Directory has its own database engine, the Extensible Storage Engine (ESE). ESE is used to manage the storage of all Active Directory objects in the Active Directory database.
1.1.1. The Active Directory Domain Services Database and Log Files
Table 10.1. AD DS database and log files

File              Description
Ntds.dit          Active Directory database file
Edb.log           Default transaction log file
Edb.chk           Checkpoint file; tracks data not yet written to the Active Directory database file
Edbres00001.jrs   Reserved transaction log file (disk space held back so a transaction can still be committed when the volume fills)
The Active Directory database engine is called ESE (Extensible Storage Engine).
What is a transaction? A transaction is a set of changes made to the AD DS database and the corresponding metadata. The data is modified in six steps:
1. The write request initiates a transaction
2. Active Directory writes the transaction to the transaction buffer in memory
3. Active Directory writes the transaction to the transaction log, Edb.log
4. Active Directory writes the transaction from the memory buffer to the database file, Ntds.dit
5. Active Directory compares the database and log files to ensure that the transaction was committed to the database
6. Active Directory updates the checkpoint file, Edb.chk
Seizing operations master (also known as Flexible Single Master Operations or FSMO) roles
objects, but does not reduce the size of the database file. An online defragmentation is performed every 12 hours automatically by Active Directory.
Perform tasks such as offline defragmentation of the Active Directory database. Note: to restore the Active Directory database you must use Directory Services Restore Mode.
Minimize the number of server roles and applications installed on your domain controller
Use the Security Configuration Wizard to lock down the services on a domain controller. You must know which services AD DS needs in order to function correctly; six services are required by AD DS:
DNS Server
Intersite Messaging
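The two maintenance items above (checking the services AD DS depends on, then an offline defragmentation) as one added example that is not part of the course. It uses the restartable AD DS feature of Windows Server 2008, so the domain controller does not have to be rebooted into Directory Services Restore Mode. The service names, the database path and the working directory are assumptions (default installation locations).

```powershell
# Added example: a maintenance pass on a Windows Server 2008 domain controller.
# Service list and paths are assumptions (default locations).

# --- Part 1: services AD DS requires must be running and set to start automatically.
#     NtFrs or DFSR (whichever replicates SYSVOL in this domain) belongs on the list too.
$required = 'NTDS', 'DNS', 'IsmServ', 'Kdc', 'Netlogon', 'W32Time'
Get-WmiObject Win32_Service |
    Where-Object { $required -contains $_.Name } |
    Where-Object { $_.State -ne 'Running' -or $_.StartMode -ne 'Auto' } |
    Select-Object Name, State, StartMode           # anything printed here needs fixing first
# With the required services confirmed, apply the Security Configuration Wizard policy, e.g.:
#   scwcmd analyze   /m:DC1 /p:C:\Policies\dc-lockdown.xml /o:C:\Policies\Reports
#   scwcmd configure /m:DC1 /p:C:\Policies\dc-lockdown.xml

# --- Part 2: offline defragmentation (online defragmentation never shrinks ntds.dit).
$ntdsDir    = 'C:\Windows\NTDS'
$compactDir = 'C:\NTDSCompact'
$dependents = (Get-Service -Name NTDS).DependentServices |
    Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name }
Stop-Service -Name NTDS -Force                   # -Force also stops the dependents captured above
New-Item -ItemType Directory -Path $compactDir -Force | Out-Null

# "State: Clean Shutdown" means every committed transaction has been flushed from Edb.log
# into Ntds.dit and Edb.chk is current. "Dirty Shutdown" means the logs must be replayed
# first:  esentutl /r edb /l $ntdsDir /d $ntdsDir
esentutl /mh "$ntdsDir\ntds.dit" | Select-String 'State:'

ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit
if (-not (Test-Path "$compactDir\ntds.dit")) { throw 'Compaction failed; live database untouched' }

# Check the compacted copy before it replaces the live file, then do what ntdsutil printed:
# copy the compacted file over the original and delete the old log files.
esentutl /g "$compactDir\ntds.dit"
if ($LASTEXITCODE -ne 0) { throw 'Integrity check failed on the compacted copy' }
Copy-Item "$ntdsDir\ntds.dit" "$compactDir\ntds.dit.before-compact"   # keep until the DC is back
Copy-Item "$compactDir\ntds.dit" "$ntdsDir\ntds.dit" -Force
Remove-Item "$ntdsDir\*.log"

Start-Service -Name NTDS
$dependents | ForEach-Object { Start-Service -Name $_ }   # Start-Service does not restart dependents
```

Keep the pre-compaction copy until the domain controller has replicated normally; if the compacted database fails to start, stop NTDS again and copy it back.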
The system volume: the volume that hosts the boot files
The boot volume: this volume contains the Windows operating system and the Registry
The volume containing the Active Directory database and log files. These files can be stored on a single volume or spread across multiple volumes. To back up Active Directory you can use the Windows Server Backup feature, which is not installed by default: add it with Add Features in Server Manager before using the Wbadmin.exe command-line tool or the Backup tool in Administrative Tools.
Recover the server without using third-party backup and recovery tools
Use DVDs or CDs as backup media. Note: with Windows Server Backup you cannot back up individual files or directories, only entire volumes.
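Installing the feature and taking the system state backup described above, as an added example that is not part of the course. The backup target E: is an assumption; by default it must be a local volume that is not one of the critical volumes listed above.

```powershell
# Added example: install Windows Server Backup and back up the AD DS system state.
# Target volume E: is an assumption.
ServerManagerCmd.exe -install Backup-Features        # Windows Server 2008 (Server Manager > Add Features)
# On Windows Server 2008 R2 use instead:
#   Import-Module ServerManager; Add-WindowsFeature Backup-Features

# System state = registry, boot files, SYSVOL, ntds.dit and its log files.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Each completed backup is identified by its version (MM/DD/YYYY-HH:MM); this is the
# value a later "wbadmin start systemstaterecovery -version:..." needs.
wbadmin get versions -backupTarget:E:
```

Record the version identifier with the backup: the restore procedure in the next section has to name it explicitly.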
Normal Restore
Authoritative Restore
Press F8 when the server starts and choose Directory Services Restore Mode, or run the command "bcdedit /set safeboot dsrepair" and then restart the server (run "bcdedit /deletevalue safeboot" afterwards to return to normal boot).
Restore the desired backup, which is typically the most recent backup
Restart the domain controller in normal mode to replicate the changes. Note: to mark an object as authoritative, use a command like: restore subtree "OU=SCT, DC=Labo-Microsoft, DC=Supinfo, DC=com"
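The restore procedure above as it is actually typed, from entering Directory Services Restore Mode to returning to normal boot, as an added example that is not part of the course. The backup volume E:, the backup version identifier and the OU being restored authoritatively are assumptions.

```powershell
# Added example: non-authoritative system state restore followed by an authoritative
# restore of one OU. Backup volume, version and OU are assumptions.

# 1. Boot into Directory Services Restore Mode without using the F8 menu
bcdedit /set safeboot dsrepair
shutdown /r /t 0
# ... log on in DSRM with the DSRM administrator password (a local account; the domain is offline) ...

# 2. Restore the most recent system state backup (AD DS database, SYSVOL, registry)
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:01/15/2010-21:00 -backupTarget:E: -quiet
# Add -authsysvol when the SYSVOL content (GPOs, scripts) must also win over the other DCs.
# If the recovery offers to restart, decline until step 3 is done.

# 3. Authoritative restore of the subtree: ntdsutil raises the version numbers of the
#    restored objects (100,000 per day since the backup by default) so that the other
#    domain controllers accept them instead of overwriting them with the deletion.
ntdsutil "activate instance ntds" "authoritative restore" `
         "restore subtree OU=SCT,DC=Labo-Microsoft,DC=Supinfo,DC=com" quit quit
# A DN containing spaces must be quoted inside the command; run ntdsutil interactively for that.

# 4. Return to a normal boot; replication then pushes the authoritative objects out
bcdedit /deletevalue safeboot
shutdown /r /t 0
```

Everything outside the named subtree stays non-authoritative and is brought up to date by normal replication after the restart.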
Compare data in snapshots taken at different times, which improves the recovery process
Remove the need to restore multiple backups in order to compare the Active Directory data they contain
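Taking a snapshot, exposing it with the Database Mounting Tool (dsamain) and comparing one object between the snapshot and the live directory, as an added example that is not part of the course. The snapshot GUID, the mount path timestamp, the domain DN and the account jdoe are assumptions.

```powershell
# Added example: AD DS snapshot, mounted read-only on an alternate LDAP port.
# GUID, mount path, domain DN and account name are assumptions.
ntdsutil "activate instance ntds" snapshot create quit quit      # VSS snapshot of the NTDS volume
ntdsutil snapshot "list all" quit quit                           # prints index numbers and GUIDs
ntdsutil snapshot "mount {2c6f1a1e-0000-0000-0000-000000000000}" quit quit
# The snapshot appears under C:\$SNAP_<yyyymmddhhmm>_VOLUMEC$\ . Serve its ntds.dit on
# port 10389; dsamain stays in the foreground, so run the queries from a second window.
# Single quotes keep PowerShell from expanding $SNAP as a variable.
dsamain -dbpath 'C:\$SNAP_201001151200_VOLUMEC$\Windows\NTDS\ntds.dit' -ldapport 10389

# Second window: the same object from the snapshot and from the live directory, then the diff.
ldifde -f C:\Temp\jdoe.snapshot.ldf -s localhost -t 10389 -d "DC=Labo-Microsoft,DC=Supinfo,DC=com" -r "(sAMAccountName=jdoe)"
ldifde -f C:\Temp\jdoe.live.ldf     -s localhost -t 389   -d "DC=Labo-Microsoft,DC=Supinfo,DC=com" -r "(sAMAccountName=jdoe)"
Compare-Object (Get-Content C:\Temp\jdoe.snapshot.ldf) (Get-Content C:\Temp\jdoe.live.ldf)

# Clean up: stop dsamain (Ctrl+C in its window), then unmount the snapshot.
ntdsutil snapshot "unmount {2c6f1a1e-0000-0000-0000-000000000000}" quit quit
```

The snapshot is read-only; nothing found in it is written back automatically, which is what makes it safe to mount on a production domain controller.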
SID
ObjectGUID
LastKnownParent
SAMAccountName
All other attributes are deleted, so to reanimate the object you must supply all the information it once had: recreate the missing attribute values manually. Reanimate a deleted object in AD DS when:
Accounts or security groups were deleted and you do not have current AD DS backups for the corresponding domain
The deleted object has not yet been scavenged (garbage-collected) from the Active Directory database
The object was deleted in a domain with only Windows Server 2003 or later domain controllers
To reanimate tombstoned AD DS objects you can:
Enable the object and reconfigure the object attributes. Note: to view the attributes of the deleted object and so simplify its recovery, use the Database Mounting Tool to read them from a snapshot taken before the object was deleted.
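Reanimating a tombstone as described above, as an added example that is not part of the course. It uses the .NET System.DirectoryServices.Protocols classes, available from PowerShell 2.0, because they allow the LDAP "show deleted objects" control (OID 1.2.840.113556.1.4.417) to be attached to the search and to the modify request; the server name, domain DN and account name jdoe are assumptions.

```powershell
# Added example: reanimate a tombstoned user with one LDAP modify.
# Server, domain DN and sAMAccountName are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$server   = 'dc1.Labo-Microsoft.Supinfo.com'
$domainDn = 'DC=Labo-Microsoft,DC=Supinfo,DC=com'
$sam      = 'jdoe'

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()                                  # current credentials; need Reanimate Tombstones on the NC

# Without this control the DC hides everything under CN=Deleted Objects
$showDeleted = New-Object System.DirectoryServices.Protocols.DirectoryControl(
    '1.2.840.113556.1.4.417', $null, $false, $true)

# 1. Find the tombstone; only the attributes a tombstone keeps are requested
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$domainDn",
    "(&(isDeleted=TRUE)(sAMAccountName=$sam))",
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    @('lastKnownParent', 'objectSid', 'objectGUID', 'sAMAccountName'))
[void]$search.Controls.Add($showDeleted)
$result = $conn.SendRequest($search)
if ($result.Entries.Count -ne 1) { throw "Expected one tombstone for $sam, found $($result.Entries.Count)" }
$tomb = $result.Entries[0]

# 2. Rebuild the pre-deletion DN: the tombstone RDN is 'CN=jdoe\0ADEL:<guid>' and the
#    original container survives in lastKnownParent
$rdn    = $tomb.DistinguishedName.Split(',')[0] -replace '\\0ADEL:.*$', ''
$parent = $tomb.Attributes['lastKnownParent'].GetValues([string])[0]
$newDn  = "$rdn,$parent"

# 3. One modify that removes isDeleted and moves the object back. Both changes must be
#    in the same request, with the control attached, or the DC refuses the operation.
$mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
$mod.DistinguishedName = $tomb.DistinguishedName
$delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$delIsDeleted.Name      = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name      = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$setDn.Add($newDn)
[void]$mod.Modifications.Add($delIsDeleted)
[void]$mod.Modifications.Add($setDn)
[void]$mod.Controls.Add($showDeleted)
[void]$conn.SendRequest($mod)                 # fails with a constraint violation if a new
"Reanimated $newDn (objectSid and objectGUID preserved)"   # account already uses this sAMAccountName

# 4. Everything else was stripped with the tombstone: set a password, enable the account,
#    then restore group memberships and the remaining attributes from documentation or a snapshot.
dsmod user $newDn -pwd 'TempP@ssw0rd!' -mustchpwd yes -disabled no
```

Because the SID survives, ACLs that still reference the old account work again immediately; because the memberOf links were dropped, group-based access does not until the memberships are recreated.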
Troubleshooting AD DS Replication
1. Course
1.1. Troubleshooting Active Directory Domain Services
1.1.1. Introduction to AD DS Troubleshooting
Active Directory Domain Services is a distributed system composed of many different services, and it depends on all of them functioning properly. The methodology presented here eases the difficulty of identifying the computers and services involved in a problem and helps you isolate it to the core component. In most cases, troubleshooting begins when you detect one of the following:
Authentication errors
Network connectivity
Time synchronization
Group memberships
Active Directory installation fails
In particular, begin DNS troubleshooting when you see the issues listed above:
Use ipconfig to make sure all computers, including clients, member servers, domain controllers and DNS servers, use a DNS server that is authoritative for the Active Directory domain. Computers are sometimes manually misconfigured to use the wrong DNS server, such as an Internet caching server or an ISP's DNS server.
Use netdiag to test DNS connectivity (Netdiag is a Windows Server 2003 support tool and is not included in Windows Server 2008; use dcdiag /test:dns there). Ensure that the DNS server is working correctly: perform the Simple self-test on the Monitoring tab of the DNS server's properties to verify that the server responds. Also clear the DNS server's cache to ensure it is not polluted and holds the latest zone information, and use ipconfig /flushdns to clear the client's DNS resolver cache.
If the zone seems to be corrupt, restore from backup. If necessary, clear any dynamic registrations from the DNS zone and rebuild the database.
Use nslookup to see what results are returned by the DNS server. The following DNS records are required for proper Active Directory functionality.
Register the SRV records by restarting the Netlogon service. All servers must have at least A (host) and possibly PTR (reverse lookup) records in DNS. In addition, all domain controllers must have their SRV (service locator) records registered in DNS. The service responsible for dynamically updating each record type:
A records are updated by the computer's DNS Client service.
PTR records are configured manually (the DNS Client service registers them too, but only when a matching reverse lookup zone exists).
SRV records are updated by the domain controller's Netlogon service.
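The DNS checks above as an added example that is not part of the course: it queries the SRV records a client needs to locate a domain controller, shows which DNS server the machine really uses, and re-registers the records without restarting Netlogon. The domain and site names are assumptions.

```powershell
# Added example: verify and re-register the DNS records AD DS depends on.
# Domain and site names are assumptions.
$domain = 'Labo-Microsoft.Supinfo.com'
$site   = 'Default-First-Site-Name'
$records = @(
    "_ldap._tcp.dc._msdcs.$domain",                  # any domain controller (LDAP)
    "_kerberos._tcp.dc._msdcs.$domain",              # any KDC
    "_ldap._tcp.$site._sites.dc._msdcs.$domain",     # domain controllers in the client's own site
    "_gc._tcp.$domain",                              # global catalog servers
    "_ldap._tcp.pdc._msdcs.$domain"                  # the PDC emulator
)
foreach ($r in $records) {
    $out = nslookup -type=SRV $r 2>&1 | Out-String
    if ($out -match 'svr hostname\s*=\s*(\S+)') { "OK       $r -> $($matches[1])" }
    else                                        { "MISSING  $r" }
}

# The resolver this machine uses must be authoritative for the domain (not an ISP server)
ipconfig /all | Select-String 'DNS Servers'

# Fix-ups: re-register this DC's SRV records (same effect as restarting Netlogon)
# and its A record, then run the DNS tests that replaced netdiag on Windows Server 2008.
nltest /dsregdns
ipconfig /registerdns
dcdiag /test:dns /v
```

A MISSING line for the site-specific record with the generic record present usually means the site or subnet definition is wrong rather than DNS itself.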
Name registration or DNS replication issues
To troubleshoot standard zone transfer issues:
Routable IP infrastructure
Kerberos v5 authentication
Common replication symptoms, their usual causes and the tool that confirms each:

Symptom                                         Possible cause                                Tool
Replication is slow                             No bridgehead server in the site              Repadmin /latency
                                                Inefficient site topology and schedule        Dcdiag /test:Intersite
Client computers receive a slow response        No domain controller online in client site    Dcdiag /test:Connectivity
                                                Not enough domain controllers                 System Monitor NTDS counters
Replication greatly increases network traffic   Insufficient bandwidth                        Active Directory Sites and Services
                                                Incorrect site topology                       Active Directory Sites and Services

You use the Repadmin.exe command-line tool to view the replication topology from the perspective of each domain controller. You can also use Repadmin.exe to create the replication topology manually, force replication events between domain controllers, and view the replication metadata (information about the data) and up-to-dateness vectors. You use the Dcdiag.exe command-line tool to analyze the state of a domain controller and report any problems. Dcdiag.exe performs a series of tests to verify different aspects of the system, including connectivity, replication, topology integrity and intersite health.
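A replication health pass with the two tools just described, as an added example that is not part of the course. The domain controller names are assumptions.

```powershell
# Added example: replication health from one domain controller. DC names are assumptions.
repadmin /replsummary                      # per-DC failure counts and the largest replication delta
repadmin /showrepl DC1 /verbose            # inbound partners and last success/failure per naming context

# Every inbound connection in the forest that has failed at least once, as objects:
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize

# Connectivity, replication and intersite tests together, verbose
dcdiag /test:Connectivity /test:Replications /test:Intersite /v

# Once the cause is fixed, do not wait for the schedule: all partitions, enterprise-wide, push
repadmin /syncall DC1 /AdeP
```

"Last Failure Status" is a Win32 error code; 1722 (RPC server unavailable) and 8524 (DNS lookup failure) point back at the network and DNS checks earlier in this chapter rather than at AD DS itself.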
Windows Server 2008 uses FRS or DFSR to replicate the SYSVOL directory between domain controllers
Both FRS and DFSR require LDAP and RPC connectivity between domain controllers
Use DFSRAdmin to troubleshoot DFSR replication. The contents of the SYSVOL folder are replicated to every domain controller in a domain. If the domain is at the Windows Server 2003 or lower functional level, the File Replication Service (FRS) replicates the contents of SYSVOL between domain controllers. A domain created at the Windows Server 2008 functional level uses Distributed File System Replication (DFSR) for SYSVOL; a domain raised to that level keeps FRS until you migrate SYSVOL to DFSR with the dfsrmig tool. In both cases, the connection object topology and schedule that the Knowledge Consistency Checker (KCC) creates for Active Directory replication is also used to manage SYSVOL replication between domain controllers.
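Finding out which engine replicates SYSVOL and whether it is keeping up, as an added example that is not part of the course. The domain controller names are assumptions.

```powershell
# Added example: SYSVOL replication state. DC names are assumptions.
dfsrmig /getglobalstate      # 0 = Start (FRS), 1 = Prepared, 2 = Redirected, 3 = Eliminated (DFSR only)
dfsrmig /getmigrationstate   # whether every DC has reached the global state

# FRS (global state 0): replica sets and their members
ntfrsutl sets

# DFSR (global state 3): SYSVOL changes made on DC1 that DC2 has not yet received
dfsrdiag backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:DC1 /rmem:DC2

# Both engines need LDAP and RPC to the partner; the RPC endpoint mapper is 135,
# the actual FRS/DFSR RPC ports are dynamic unless pinned in the registry.
foreach ($port in 389, 135) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect('DC2', $port); "DC2:$port open" }
    catch { "DC2:$port blocked" }
    finally { $tcp.Close() }
}
```

A backlog that never drains while both ports are open is a DFSR or FRS problem (journal wrap, staging quota, service stopped); a blocked port is a firewall problem and no amount of replication tuning fixes it.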
1. Course
1.1. Introduction to Group Policy Troubleshooting
1.1.1. Scenarios for Group Policy Troubleshooting
Common scenarios that require troubleshooting:
Policies are applied but settings are inconsistent

Core Group Policy processing. When a client begins to process Group Policy, it must determine whether it can reach a domain controller, whether any GPOs have changed, and which policy settings (by client-side extension) must be processed. The core Group Policy engine performs this initial phase.

Client-side extension (CSE) processing. Policy settings are grouped into categories such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota and Software Installation. The settings in each category require a specific CSE to process them, and each CSE has its own rules for processing settings. The core Group Policy engine calls the CSEs required to process the settings that apply to the client.

Perform basic checks to test network connectivity, using diagnostic tools such as netdiag and ping
Check that the domain controller is functioning and reachable, using diagnostic tools such as dcdiag, the set command (set l shows LOGONSERVER, the domain controller that authenticated the session) and Kerbtray
GPResult. This tool runs on the target computer (or against a remote one with the /s switch) and reports the Resultant Set of Policy (RSoP), blocked GPOs, permissions on GPOs, and much more. Running it with the /v switch shows a great deal of information about the GPOs affecting the computer and the user account associated with the current logon session.
Gpotool Since GPOs are replicated from the domain controller where the GPO changes initially occur to all other domain controllers, there is a chance of replication failing or not converging efficiently. The result of this is inconsistency or failure of the changes to be properly applied to the target computers. Tools such as Gpresult and RSOP can help determine what GPOs have applied, but this tool, Gpotool, can help you determine if the GPOs on each domain controller are consistent
Gpupdate. If you are implementing new GPO settings or want to ensure that all GPO processing has occurred, use the Gpupdate tool, a command-line tool that ships with the operating system. When you run it, it triggers a background refresh that applies all GPO settings that honour this type of refresh. With the /force switch it reapplies all GPO settings, even if there have been no changes to the GPO since the last refresh. Running this command before Gpresult is a very effective way of tracking GPO issues.
Dcgpofix. There may come a time when you have an issue with one of the two default GPOs, Default Domain Policy and Default Domain Controllers Policy. If one or both become corrupted, so misconfigured that you cannot repair them, or broken for some other unknown reason, use the dcgpofix tool to revert them to their default state.
GPOLogView. The Event Viewer holds a wealth of information about Group Policy. Unfortunately, it requires you to look through the different logs to find the Group Policy entries. There you will find entries related to policy application, policy replication and policy refresh, all of which are useful when tracking down a problem. The event logs do not always say much about specific Group Policy errors, but remember that you can always search TechNet for errors you cannot identify.
Group Policy log files If other tools do not provide the information you need to identify the problems affecting Group Policy application, you can enable verbose logging and examine the resulting log files. Verbose logging can reduce performance and consume significant disk space, so as a best practice enable verbose logging only when necessary.
Group Policy Management Scripts. Scripts for Group Policy related tasks (managing GPOs themselves, not scripting the settings within a GPO); the current release fixes customer-reported bugs found in the GPMC sample scripts.
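The tools above chained into one troubleshooting sequence for a GPO that does not take effect, as an added example that is not part of the course. The user name is an assumption; Get-WinEvent needs PowerShell 2.0 or later, and the verbose logging switch writes gpsvc.log, the Windows Server 2008 equivalent of the older userenv.log.

```powershell
# Added example: chasing a GPO that does not apply. User name is an assumption.
gpupdate /force                                     # reapply every setting, changed or not
gpresult /scope:computer /v                         # RSoP: applied and filtered GPOs, groups, settings
gpresult /user Labo-Microsoft\jdoe /scope:user /r   # summary for a user who has logged on here

# Windows Server 2008 / Vista clients write Group Policy processing to its own operational log.
# Errors and warnings first; event 7016 / 7017 name the CSE that failed.
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 200 |
    Where-Object { $_.Level -le 3 } |               # 2 = Error, 3 = Warning
    Select-Object TimeCreated, Id, Message | Format-List

# Verbose logging: enable only while troubleshooting, then remove the value again.
$diag = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
if (-not (Test-Path $diag)) { New-Item $diag | Out-Null }
Set-ItemProperty $diag -Name GPSvcDebugLevel -Type DWord -Value 0x30002   # -> %windir%\debug\usermode\gpsvc.log
gpupdate /force
Get-Content "$env:windir\debug\usermode\gpsvc.log" | Select-Object -Last 40
Remove-ItemProperty $diag -Name GPSvcDebugLevel

# Last resort for the two default GPOs: discards every customization in them,
# so back them up in GPMC before running this.
dcgpofix /target:Domain
dcgpofix /target:DC
```

Work top-down: if gpresult already lists the GPO as applied, the problem is in a client-side extension or in the setting itself, and the operational log is where the CSE reports it.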
change increments the version number of the GPT and the GPC.
Verify that the user has logged off and on, or that the computer has been restarted
Check if there are cached credentials because they may delay the effect of Group Policy
Settings that are true policies are reversed when the policy no longer applies
Settings that are preferences will tattoo the registry and remain in effect until they are specifically reversed
The operating system and service pack level determine if the computer can accept a policy setting
The domain controller receives account policies from a domain level policy
Security settings come from the GPO that has the highest priority
Characteristics of Security Policies:
Security policies are refreshed every 16 hours even if they have not changed.
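Checking the GPC and GPT version numbers mentioned above, as an added example that is not part of the course. Every edit increments the versionNumber attribute of the Group Policy Container in Active Directory and the Version= line of GPT.INI in SYSVOL; when the two disagree on a domain controller, AD replication and SYSVOL replication have not converged, which is one cause of a policy that applies but with inconsistent settings. The script reads the domain from RootDSE, so it assumes only that it runs on a domain-joined machine.

```powershell
# Added example: GPC (AD) versus GPT (SYSVOL) version for every GPO in the domain.
function Get-GpoVersionReport {
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
    $searcher.Filter   = '(objectClass=groupPolicyContainer)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@('displayName', 'versionNumber', 'gPCFileSysPath'))

    foreach ($gpo in $searcher.FindAll()) {
        # versionNumber packs two 16-bit counters: user version in the high word, computer in the low word
        $gpc = [int64]$gpo.Properties['versionnumber'][0]
        if ($gpc -lt 0) { $gpc += 4294967296 }          # ADSI returns the value as signed 32-bit

        $gpt = -1                                       # -1 = GPT.INI missing from SYSVOL
        $ini = Join-Path $gpo.Properties['gpcfilesyspath'][0] 'GPT.INI'
        if (Test-Path $ini) {
            $line = @(Get-Content $ini) -match '^Version=' | Select-Object -First 1
            if ($line) { $gpt = [int64]$line.Substring(8) }
        }

        New-Object PSObject -Property @{
            Name            = $gpo.Properties['displayname'][0]
            UserVersion     = [math]::Floor($gpc / 65536)
            ComputerVersion = $gpc % 65536
            GpcVersion      = $gpc
            GptVersion      = $gpt
            InSync          = ($gpc -eq $gpt)
        }
    }
}

Get-GpoVersionReport | Sort-Object InSync |
    Format-Table Name, UserVersion, ComputerVersion, GpcVersion, GptVersion, InSync -AutoSize
```

Run it against each domain controller in turn (point the LDAP path and the SYSVOL share at a specific DC) to find the one that is behind; Gpotool performs the same comparison across all domain controllers at once.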
values during its normal processing. When a CSE reports success, it may mean only that the script's location has been placed in the registry. Even though the setting is in the registry, problems may still prevent it from being applied on the client: for example, if a script specified in a Script setting contains an error that prevents it from completing, the CSE does not detect the error. When troubleshooting script policy settings, consider the following:
Use the Group Policy tools to ensure that Group Policy is applied correctly Group Policy processes a GPO and stores the script information in the registry, in these locations: