Active Directory is a database that keeps track of all the user accounts and passwords
in your organization. It allows you to store your user accounts and passwords in one
protected location, improving your organization's security. Active Directory is
subdivided into one or more domains.
What is a User Principal Name (UPN)?
In the Windows operating system's Active Directory, a User Principal Name (UPN) is
the name of a system user in an e-mail address format: the user name (or
"username"), followed by the "at" sign (@), followed by the name of the Internet domain
with which the user is associated.
Schema Master
The schema is shared between every Tree and Domain in a forest and must be consistent between all
objects. The schema master controls all updates and modifications to the schema.
Domain Naming Master
When a new domain is added to a forest, its name must be unique within the forest. The domain
naming master must be available when adding or removing a domain in a forest.
RID Master
The RID master allocates RIDs to DCs within a domain. When an object such as a user, group or computer is created
in AD it is given a SID. The SID consists of a domain SID (which is the same for all SIDs created in
the domain) and a RID which is unique within the domain.
When moving objects between domains you must start the move on the DC which is the RID master of
the domain that currently holds the object.
PDC Emulator
The PDC emulator acts as a Windows NT PDC for backwards compatibility; it can process updates to a
BDC.
It is also responsible for time synchronisation within a domain.
It is also the password master (for want of a better term) for a domain. Any password change is
replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password,
the request is passed to the PDC emulator to check the password before the logon is
rejected.
Infrastructure Master
The infrastructure master is responsible for updating references from objects in its domain to objects
in other domains. The global catalogue is used to compare data as it receives regular updates for all
objects in all domains.
Any change to a user-group reference is updated by the infrastructure master. For example, if you
rename or move a group member and the member is in a different domain from the group, the group
will temporarily appear not to contain that member.
Server Manager also eliminates the requirement that administrators run the
Security Configuration Wizard before deploying servers; server roles are
configured with recommended security settings by default, and are ready to
deploy as soon as they are installed and properly configured.
2.
3. Click the Computer Name tab, and then click Change. Alternatively, click Network
ID to use the Join a Domain or Workgroup wizard to automate the process of
connecting to a domain and creating a domain user account on your computer.
4. Type the name of the domain that you want to join, and then click OK.
You will be asked to type your user name and password for the domain.
Once you are successfully joined to the domain, you will be prompted to restart your
computer. You must restart your computer before the changes take effect.
To accomplish the above offline, use Djoin.exe on the domain controller. Run
Djoin.exe /? to see the syntax.
An example is given below:
Djoin.exe /provision /domain Name_Of_the_Domain_To_Be_Joined /machine Client_Computer_Name /savefile File_Name.txt
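The following is an added example, not part of the original page: a PowerShell wrapper around the two halves of an offline domain join with Djoin.exe. The /provision call is the one shown above; the /requestODJ call is the matching step on the computer being joined. The domain name, computer name and file path are placeholders, and the account running it is assumed to be allowed to create computer objects in the domain.

```powershell
# Added example (not from the original page): an offline domain join with Djoin.exe.
# Assumptions: domain name, computer name and blob path below are placeholders, and the
# provisioning side runs under an account allowed to create computer objects in AD.

$Domain      = 'corp.example.local'   # placeholder domain name
$NewComputer = 'CLIENT01'             # placeholder name of the computer being joined
$BlobFile    = 'C:\ODJ\CLIENT01.txt'  # placeholder path for the provisioning blob

# --- Provisioning side (a domain-joined machine, e.g. the DC) ---
# /provision creates the computer account in AD and writes a base64 blob to the file.
New-Item -ItemType Directory -Path (Split-Path $BlobFile) -Force | Out-Null
djoin.exe /provision /domain $Domain /machine $NewComputer /savefile $BlobFile
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob carries the new machine account's secret, so it is treated like a password file:
# inheritance is removed and only Administrators and SYSTEM keep access until it is consumed.
icacls.exe $BlobFile /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null

# --- Joining side (the target computer, after the blob has been copied to it) ---
# /requestODJ injects the blob into the local OS; the join takes effect on the next reboot.
function Complete-OfflineJoin {
    param([string]$LoadFile = 'C:\ODJ\CLIENT01.txt')   # placeholder path on the target
    djoin.exe /requestODJ /loadfile $LoadFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    Remove-Item -Path $LoadFile -Force      # the blob is single-use; do not leave it on disk
    Restart-Computer
}
```

Run the first part on the provisioning machine and Complete-OfflineJoin on the target; the blob file is deleted once it has been consumed so that the machine account secret does not linger on disk.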
Servicing requirements
Management requirements
Attack surface
To accomplish its core, critical roles, the Server Core installation option only installs the
binaries required by its supported roles. For example, the Explorer shell is not installed with
Server Core. Instead, the Server Core user interface is the command prompt.
When configured, Server Core can be managed locally and remotely using Windows
PowerShell, by using a terminal server connection from a command line, as well as remotely,
by using the Microsoft Management Console (MMC) or command line tools that support
remote usage.
Simply type sconfig at the command prompt and follow the on-screen
instructions:
The error message says it cannot find the source files to perform the installation.
I was building a new lab environment and didn't have the ability to stage the installation files on the
network, but that is an option. My environment was inside a Hyper-V environment on my Windows 8
system, so I needed to pull the files from the disk. As you know, the installation files are located inside
the /sources/install.wim file. To get the full GUI running, I performed the following steps:
1.
2.
3. mkdir c:\mount
4.
5.
6.
When Server Core originally shipped, a lot of Windows admins avoided it because you could
only use the command line, but this changed with Windows Server 2012, which enables a
hybrid mode.
Turning the GUI Off
In Windows Server 8 the GUI has kept with the modular nature of recent Windows Server
Operating Systems and in turn has become a Feature. This makes removing the GUI very
easy. To get started launch Server Manager.
Click on Manage, and then select Remove Roles or Features from the menu.
Click Next to skip past the Before You Begin page, then select your server from the server pool
and click Next.
Since the GUI is not a role, we can just click Next again to skip past the Roles section.
When you reach the Features page, you need to uncheck the box next to the User Interfaces
and Infrastructure option, and then click Next.
Now tick the Restart Destination Server box, then click Remove.
After the binaries are removed your server will automatically reboot.
Once it comes back up and you log in, you will only be able to use the command line.
You can see near the bottom of the screen that we can use option 12 to restore the GUI, so type 12
and hit Enter.
You will be warned that enabling the GUI requires a reboot; click the Yes button.
That will kick off DISM, which will start to add the binaries for the GUI shell.
When it's finished you will be asked if you would like to restart the computer now; type y and hit
Enter to reboot.
GUI Off with PowerShell
You can do the same thing as we did in the GUI much quicker with a PowerShell cmdlet. To do
so, open Server Manager, click on Tools and launch PowerShell.
Not long after you have hit the Enter key, the removal will begin.
When it's done, you will be notified that you need to restart your server to complete the process,
which can easily be done from the current PowerShell window by running:
Shutdown -r -t 0
When your machine restarts you will only have the command line to work with.
When it's done, we will need to restart our server by using the Shutdown command:
Shutdown -r -t 0
When your server reboots you will have the GUI back.
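The following is an added example, not the post's own commands: the ServerManager cmdlets behind "GUI Off with PowerShell" and the reverse operation, plus the install.wim mount described in the Server Core section for the case where the feature binaries are no longer on disk and the installer reports that it cannot find the source files. The media drive letter (D:), the image index of the GUI edition (2) and the mount point (C:\mount) are assumptions and should be checked against the output of the Get-WimInfo step.

```powershell
# Added example (not the original post's code): removing and restoring the Windows Server 2012
# graphical shell with PowerShell, including restoring it from install.wim when the payload
# is missing from disk. Assumptions: media mounted as D:, GUI edition is image index 2,
# mount point C:\mount. Run in an elevated PowerShell session.

Import-Module ServerManager

# Turn the GUI off: the PowerShell equivalent of unticking "User Interfaces and Infrastructure".
function Disable-ServerGui {
    Uninstall-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra -Restart
}

# Turn the GUI back on while the feature payload is still present on disk.
function Enable-ServerGui {
    Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart
}

# Turn the GUI back on when the payload is gone: mount install.wim read-only and use its
# component store as the -Source, which is what the six manual steps above amount to.
function Restore-ServerGuiFromWim {
    param(
        [string]$WimFile  = 'D:\sources\install.wim',   # assumed media path
        [int]   $Index    = 2,                          # assumed index of the "Server with a GUI" image
        [string]$MountDir = 'C:\mount'
    )
    # Step 1: list the images in the WIM so the right index can be chosen.
    dism.exe /Get-WimInfo /WimFile:$WimFile
    # Step 2: create the mount point (the post's "mkdir c:\mount").
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    # Step 3: mount the image read-only so nothing is written back to the media.
    dism.exe /Mount-Wim /WimFile:$WimFile /Index:$Index /MountDir:$MountDir /ReadOnly
    if ($LASTEXITCODE -ne 0) { throw "DISM mount failed with exit code $LASTEXITCODE" }
    try {
        # Step 4: install the shell features, pulling the payload from the mounted image.
        Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell `
            -Source "$MountDir\Windows\WinSxS"
    }
    finally {
        # Step 5: always unmount, discarding changes (there are none on a read-only mount).
        dism.exe /Unmount-Wim /MountDir:$MountDir /Discard
    }
    # Step 6: reboot to finish. Done here rather than with -Restart so the unmount cannot be skipped.
    Restart-Computer
}
```

Disable-ServerGui reproduces the removal described above, Enable-ServerGui is the reverse when the binaries are still present, and Restore-ServerGuiFromWim is for the "cannot find the source files" case; the unmount sits in a finally block so a failed feature install does not leave the WIM mounted.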
Earlier this week I saw a situation in which someone with a small, single-domain controller
network performed a restoration of their domain controller. This restoration effectively
reverted the Active Directory to a previous version. In doing so, they accomplished basically
the same thing that they would have if they had performed an authoritative restoration on a
domain controller in a larger organization.
Although the restore operation succeeded, it had some unforeseen consequences. After the
restoration, all of the other servers in the domain displayed an error message at log in. This
error message stated that the trust relationship between the workstation and the primary
domain failed. You can see the actual error message in Figure 1.
Figure 1. An authoritative domain controller restoration can trigger this error on
workstations and member servers.
This problem happens because of a "password mismatch." Passwords
are typically thought of as something that is assigned to a user account. However, in Active
Directory environments each computer account also has an internal password. If the copy
of the computer account password that is stored on the member server gets out of sync
with the copy that is stored on the domain controller, the trust relationship is
broken as a result.
So how can you fix this error? Unfortunately, the simplest fix isn't always the best option.
The easy fix is to blow away the computer account within the Active Directory Users and
Computers console and then rejoin the computer to the domain. Doing so re-establishes the
broken trust relationship. This approach works really well for workstations, but it can do
more harm than good if you try it on a member server.
The reason for this has to do with the way that some applications use the Active Directory.
Take Exchange Server, for example. Exchange Server stores messages in a mailbox
database residing on a mailbox server. However, this is the only significant data that is
stored locally on Exchange Server. All of the Exchange Server configuration data is stored
within the Active Directory. In fact, it is possible to completely rebuild a failed Exchange
Server from scratch (aside from the mailbox database) simply by making use of the
configuration data that is stored in the Active Directory. The reason why I mention this
particular example is that the Exchange Server configuration data is stored within the
computer object for that server. So with that in mind, imagine that a trust relationship was
accidentally broken and you decided to fix the problem by deleting the Exchange Server's
computer account and rejoining the computer to the domain. By doing so, you would lose all
of the configuration information for that server. Worse yet, there would still be orphaned
references to the computer account scattered elsewhere in the Active Directory (you can
see these references by using the ADSIEdit tool). In other words, getting rid of a computer
account can cause some pretty serious problems for your applications.
A better approach is to simply reset the computer account. To do so, open the Active
Directory Users and Computers console and select the Computers container. Right click on
the computer that you are having trouble with. Select the Reset Account command from the
shortcut menu, as shown in Figure 2. When you do, you will see a prompt asking you if you
are sure that you want to reset the computer account. Click Yes and the computer account
will be reset.
In case you are wondering, computer accounts can also be reset through PowerShell
(version 2 or higher). The cmdlet used for doing so is Reset-ComputerMachinePassword.
In my experience, broken trust relationships probably aren't something that you will have to
worry about on a day-to-day basis, but they can happen as a result of using backup
software or imaging software to revert a server to a previous state. When this happens, the
best course of action is to reset the computer account.
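The following is an added example, not code from the article: a small PowerShell script that diagnoses the broken secure channel and repairs it in place, keeping the existing computer object, which is the outcome the article argues for. It uses Test-ComputerSecureChannel alongside the Reset-ComputerMachinePassword cmdlet the article names. It is assumed to run in an elevated session on the affected member server, logged on with a local account (the domain logon is what fails); DC01.contoso.local is a placeholder domain controller name.

```powershell
# Added example (not from the article): check and repair a member server's secure channel
# without deleting its computer account. Assumptions: elevated local-admin session on the
# affected server; the DC name is a placeholder; the prompted credential is a domain account
# allowed to reset this computer's account.

# 1. Diagnose. Returns $true when the machine password held locally still matches the copy
#    in AD, and $false for the "trust relationship ... failed" condition.
function Get-SecureChannelState {
    [bool](Test-ComputerSecureChannel -Verbose)
}

# 2. Repair in place. -Repair sets a new machine password on both sides and re-establishes
#    the secure channel; the computer object (and everything stored on it) is kept.
function Repair-SecureChannel {
    param([pscredential]$Credential = (Get-Credential -Message 'Domain account allowed to reset this computer account'))
    $ok = Test-ComputerSecureChannel -Repair -Credential $Credential
    if (-not $ok) { throw 'Secure channel repair failed; check DC reachability and the supplied credential.' }
    $ok
}

# 3. The cmdlet named in the article. It changes the machine password and writes it to AD;
#    -Server pins the DC, and -Credential (PowerShell 3.0 or later) supplies the domain account.
function Reset-MachinePassword {
    param(
        [string]$DomainController = 'DC01.contoso.local',   # placeholder DC name
        [pscredential]$Credential = (Get-Credential -Message 'Domain account for the reset')
    )
    Reset-ComputerMachinePassword -Server $DomainController -Credential $Credential
}

# Typical run: repair only when the channel is actually broken, then re-check.
if (-not (Get-SecureChannelState)) {
    Write-Warning 'Secure channel is broken; repairing without deleting the computer account.'
    Repair-SecureChannel | Out-Null
    Write-Host "Secure channel OK after repair: $(Get-SecureChannelState)"
}
```

The Reset Account command in the console and Reset-ComputerMachinePassword both change the stored secret; the difference from the delete-and-rejoin approach is that the object's attributes and the references other objects hold to it survive, which is the point the Exchange example above makes.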
2 Next, open CMD. The syntax is: netdom computername <currentDC FQDN>
/add:<newDCName FQDN>
So in your CMD, type: netdom computername LON-DC1.adatum.com /add:MIZI01.cpx.local
3 After you get "The command completed successfully", the next syntax is: netdom
computername <currentDC FQDN> /makeprimary:<newDCName FQDN>
So in your CMD, type: netdom computername LON-DC1.adatum.com /makeprimary:MIZI01.cpx.local
After you get "The command completed successfully", restart your server.
4 After your Windows Server 2012 domain server reboots, go to System Properties and confirm that
the new server hostname is listed.
5 Next, open CMD. The next syntax is: netdom computername <newDCName FQDN>
/remove:<oldDCName FQDN>
This command removes the old server hostname, which is LON-DC1.
So in your CMD, type: netdom computername MIZI01.cpx.local /remove:LON-DC1.adatum.com and press Enter.
6 Your last step: confirm that your domain server is running without any issue by running this
command in CMD: dcdiag
proceed. I always advise, especially my students, to do these exercises in a lab environment
(Hyper-V). Don't take any risk by doing this in a production environment unless you have to!
For these exercises, I'm using the MCT courseware from 20410B (Installing and Configuring Windows
Server 2012).
The existing domain is ADATUM.COM and I will rename it to CPX.LOCAL.
** For those who want to build your own AD and try these exercises, please refer to my previous
post https://mizitechinfo.wordpress.com/2013/06/09/simple-guide-how-to-built-active-directory-inwindows-server-2012/.
So, let's get started.
1 Open your System Properties and check your existing domain name. If you look at my Windows
Server 2012 System Properties, my existing domain name is Adatum.com. This will be changed
to cpx.local shortly.
2 Next, open your Server Dashboard, go to Tools and click DNS to open DNS Manager.
3 In DNS Manager, you must create the new DNS zone (cpx.local). This is to make sure that after the
whole process completes successfully, your member servers and Windows clients can join the new domain name.
** To create a new DNS zone, right-click Forward Lookup Zones and click New Zone.
4 On the Welcome to the New Zone Wizard page, just click the Next button.
6 On the Active Directory Zone Replication Scope page, select To all DNS servers running on
domain controllers in this domain: Adatum.com and click Next.
7 In Zone Name, key in your new domain name; my new domain name is cpx.local.
8 On the Dynamic Update page, click Allow only secure dynamic updates (recommended for Active
Directory), and click Next.
9 On the Completing the New Zone Wizard page, click Finish to complete the process.
10 In DNS Manager, you can see my new domain name is listed (cpx.local).
12 In CMD, type rendom /list and press Enter. This command generates a state file
named Domainlist.xml, which contains the current forest configuration.
13 Next, open Computer and browse to the C:\Users\Administrator folder to get your Domainlist.xml.
14 Once you see Domainlist.xml, right-click the file name and choose Edit. I am going to change the
DNSname and NetBiosName in this Domainlist.xml file.
15 Once Domainlist.xml is open, you can see there are a few existing domain names; change the
existing domain name to the new domain name. Refer to the picture:
16 Once you have changed to the new domain name, make sure you save the Domainlist.xml file.
17 After you save the Domainlist.xml file, close it and return to CMD. In CMD, type rendom
/showforest. This shows the potential changes; this step does not make any changes.
18 Next, type rendom /upload. This uploads the rename instructions (Domainlist.xml) to the
configuration directory partition on the domain controller holding the domain naming operations master
role.
19 Next, type rendom /prepare. This verifies the readiness of each DC in the forest to carry out
the rename instructions. It should contact all DCs successfully and return no errors before you proceed to
the next step.
20 Next, type rendom /execute. This verifies the readiness of all DCs and then performs the rename
action on each one.
** Remember also that there will be a service interruption during this process. Once the process
is successful, your DC server will be restarted.
21 Once your DC server has restarted, log in using the new domain name as administrator.
22 Next, after you successfully log in, open System Properties and check that your old domain name is
now gone, replaced by the new domain name.
25 Next, type rendom /clean. This removes references to the old domain name from AD.
26 Next, type rendom /end. This unfreezes the forest configuration and allows further changes. It
was frozen during the rendom /upload step.
27 Next, open DNS Manager and click your newly created domain (cpx.local). Here you can see your own IP
listed, but we still have a long way to go to make sure this DNS zone is working.
28 Next, turn on your client PC; for this exercise I'm using Windows 8 as a client. Open System
Properties and join the new domain (cpx.local). In case you get an error, don't get scared! Just
click OK and the Windows Security box will show up; now key in administrator and the domain
password and click OK (Welcome to the cpx.local domain). Refer to the pictures.
30 Once you log in, double-check the Windows 8 System Properties. Now your Windows 8 has
successfully joined the new domain (cpx.local).
31 Now, go to Server 2012 and open DNS Manager; you can see that your Windows 8 client is now
listed in DNS.
32 You can also check in Active Directory Users & Computers that your Windows 8 client is now also
listed.
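The following is an added example, not the post's own commands: a PowerShell version of steps 12 to 20 and 25 to 26 of the procedure above. It rewrites Domainlist.xml programmatically instead of by hand and runs each rendom step only if the previous one returned a zero exit code, since /upload, /prepare and /execute each assume the step before completed cleanly. The Domainlist.xml layout (Forest/Domain elements with DNSname and NetBiosName children) is assumed from the element names the post mentions, the GUID in the sample is a placeholder, the new NetBIOS name CPX is an assumption (the post does not state it), and rendom.exe is assumed to be on the PATH and to write Domainlist.xml into the current directory.

```powershell
# Added example (not from the original post): scripted Domainlist.xml edit plus the rendom
# sequence with exit-code checks. Assumptions: Domainlist.xml layout as in the constructed
# sample below; GUID is a placeholder; new NetBIOS name 'CPX' is assumed; rendom.exe on PATH.

# Constructed sample of a Domainlist.xml as rendom /list writes it (used for the offline check).
$sampleXml = @'
<?xml version="1.0"?>
<Forest>
  <Domain>
    <Guid>00000000-0000-0000-0000-000000000000</Guid>
    <DNSname>adatum.com</DNSname>
    <NetBiosName>ADATUM</NetBiosName>
    <DcName></DcName>
  </Domain>
</Forest>
'@

# Rewrites each DNSname equal to, or ending in, the old DNS name (so child domains follow the
# parent) and the matching NetBiosName. Any other domain in the forest is left untouched.
function Update-DomainList {
    param(
        [string]$Path,
        [string]$OldDns,     [string]$NewDns,
        [string]$OldNetBios, [string]$NewNetBios
    )
    [xml]$doc = Get-Content -Path $Path -Raw
    $changed = 0
    foreach ($d in $doc.Forest.Domain) {
        if ($d.DNSname -ieq $OldDns -or $d.DNSname -ilike "*.$OldDns") {
            $d.DNSname = $d.DNSname -ireplace "$([regex]::Escape($OldDns))$", $NewDns
            if ($d.NetBiosName -ieq $OldNetBios) { $d.NetBiosName = $NewNetBios }
            $changed++
        }
    }
    $doc.Save($Path)      # $Path must be absolute: XmlDocument.Save does not use the PS location
    return $changed
}

# Runs one rendom step and aborts the procedure if it reports an error.
function Invoke-RendomStep {
    param([string]$Switch)
    & rendom.exe $Switch
    if ($LASTEXITCODE -ne 0) { throw "rendom $Switch failed with exit code $LASTEXITCODE" }
}

# Pre-reboot half of the procedure (the post's steps 12 to 20).
function Start-DomainRename {
    $listFile = Join-Path (Get-Location).Path 'Domainlist.xml'   # assumed: written to the current directory
    Invoke-RendomStep '/list'                                    # generates Domainlist.xml
    $n = Update-DomainList -Path $listFile -OldDns 'adatum.com' -NewDns 'cpx.local' `
                           -OldNetBios 'ADATUM' -NewNetBios 'CPX'
    if ($n -eq 0) { throw 'No domain entry matched adatum.com; nothing was changed.' }
    Invoke-RendomStep '/showforest'   # preview only; makes no changes
    Invoke-RendomStep '/upload'       # uploads instructions and freezes the forest configuration
    Invoke-RendomStep '/prepare'      # every DC must answer without error before /execute
    Invoke-RendomStep '/execute'      # performs the rename; DCs restart afterwards
}

# Post-reboot half (the post's steps 25 and 26), run after logging on with the new domain name.
function Complete-DomainRename {
    Invoke-RendomStep '/clean'        # removes references to the old name
    Invoke-RendomStep '/end'          # unfreezes the forest configuration
}

# Offline check of the XML rewrite on the constructed sample; no rendom or domain needed.
$tmp = Join-Path $env:TEMP 'Domainlist.sample.xml'
Set-Content -Path $tmp -Value $sampleXml
Update-DomainList -Path $tmp -OldDns 'adatum.com' -NewDns 'cpx.local' -OldNetBios 'ADATUM' -NewNetBios 'CPX'
([xml](Get-Content -Path $tmp -Raw)).Forest.Domain.DNSname
```

The offline check at the end can be run on any machine to confirm the rewrite does what the manual edit in step 15 does; Start-DomainRename and Complete-DomainRename are only meaningful on the domain controller, in the lab the post recommends.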
Create e-mail distribution lists. For more information, see Group types.
Groups are characterized by their scope and their type. The scope of a group determines the
extent to which the group is applied within a domain or forest. For information about group
scope, see Group scope. The group type determines whether a group can be used to assign
permissions from a shared resource (for security groups) or if a group can be used for e-mail
distribution lists only (for distribution groups). For information about security groups and
distribution groups, see Group types.
There are also groups for which you cannot modify or view the memberships. These groups
are referred to as special identities and are used to represent different users at different
times, depending on the circumstances. For example, the Everyone group represents all
current network users, including guests and users from other domains. For more information,
see Special identities.
Distribution groups
Distribution groups can be used only with e-mail applications (such as Exchange) to send email to collections of users. Distribution groups are not security-enabled, which means that
they cannot be listed in discretionary access control lists (DACLs). If you need a group for
controlling access to shared resources, create a security group.
Security groups
Used with care, security groups provide an efficient way to assign access to resources on
your network. Using security groups, you can:
This is possible because by default, the user rights Back up files and
directories and Restore files and directories are automatically assigned to the Backup
Operators group. Therefore, members of this group inherit the user rights assigned to
that group. For more information about user rights, see User rights. For more
information about the user rights assigned to security groups, see Default groups.
You can assign user rights to security groups, using Group Policy, to help delegate
specific tasks. You should always use discretion when assigning delegated tasks
because an untrained user assigned too many rights on a security group can
potentially cause significant harm to your network. For more information,
see Delegating administration. For more information about assigning user rights to
groups, see Assign user rights to a group in Active Directory.
Group scope
Any group, whether it is a security group or a distribution group, is characterized by a scope
that identifies the extent to which the group is applied in the domain tree or forest. The
boundary, or reach, of a group scope is also determined by the domain functional level
setting of the domain in which it resides. There are three group scopes: universal, global,
and domain local.
The following table describes the differences between the scopes of each group.
Group scope | Group can be assigned permissions in | Group scope can be converted to
Universal | Any domain or forest | Global (as long as no other universal groups exist as members); Domain local
Global | Member permissions can be assigned in any domain | Universal (as long as it is not a member of any other global groups)
Domain local | Member permissions can be assigned only within the same domain as the parent domain local group | Universal (as long as no other domain local groups exist as members)
Note
When the domain functional level is set to Windows 2000 mixed, members of global groups can i
entire group. If the forest functional level is lower than Windows Server 2003, you should not
change the membership of a group with universal scope frequently because any changes to
these group memberships cause the entire membership of the group to be replicated to
every global catalog in the forest. For more information about universal groups and
replication, see Global catalogs and sites. For more information about linked value
replication, see How the Active Directory Replication Model Works.
Note
When the domain functional level is set to Windows 2000 mixed, you cannot create security grou
Global to universal. This conversion is allowed only if the group that you want to
change is not a member of another global scope group.
Domain local to universal. This conversion is allowed only if the group that you
want to change does not have another domain local group as a member.
Universal to global. This conversion is allowed only if the group that you want to
change does not have another universal group as a member.
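The following is an added example, not part of the documentation page: a PowerShell function that evaluates the three conversion rules above against a group's actual nesting before calling Set-ADGroup -GroupScope, so that a refused conversion comes with the reason. It assumes the ActiveDirectory module (RSAT) is installed; the group name Sales-Global in the usage line is a placeholder. It goes slightly beyond the page's three rules in also reporting the case the page implies but does not list: global and domain local cannot be converted into each other directly, only via universal.

```powershell
# Added example (not from the documentation page): check the scope-conversion rules before
# changing a group's scope. Assumes the ActiveDirectory module; 'Sales-Global' is a placeholder.
Import-Module ActiveDirectory

function Test-GroupScopeConversion {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global','Universal','DomainLocal')][string]$TargetScope
    )
    $group = Get-ADGroup -Identity $Identity -Properties MemberOf
    $from  = $group.GroupScope.ToString()
    if ($from -eq $TargetScope) {
        return [pscustomobject]@{ Group = $group.Name; From = $from; To = $TargetScope; Allowed = $true; Reason = 'already that scope' }
    }

    # Scopes of the groups this group is nested in (needed for the Global -> Universal rule).
    $parentScopes = @($group.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).GroupScope.ToString() })
    # Scopes of the groups nested directly inside this group (needed for the two rules on members).
    $memberScopes = @(Get-ADGroupMember -Identity $group |
                      Where-Object { $_.objectClass -eq 'group' } |
                      ForEach-Object { (Get-ADGroup -Identity $_).GroupScope.ToString() })

    # $blocking stays $null when the conversion is allowed.
    $blocking = switch ("$from->$TargetScope") {
        'Global->Universal'      { if ($parentScopes -contains 'Global')      { 'it is a member of another global group' } }
        'DomainLocal->Universal' { if ($memberScopes -contains 'DomainLocal') { 'it has another domain local group as a member' } }
        'Universal->Global'      { if ($memberScopes -contains 'Universal')   { 'it has another universal group as a member' } }
        'Universal->DomainLocal' { $null }   # always permitted
        default                  { "direct $from to $TargetScope conversion is not supported; convert to Universal first" }
    }
    [pscustomobject]@{ Group = $group.Name; From = $from; To = $TargetScope
                       Allowed = (-not $blocking); Reason = $blocking }
}

# Performs the conversion only when the check passes, surfacing the rule that blocks it otherwise.
function Convert-GroupScope {
    param([string]$Identity, [string]$TargetScope)
    $check = Test-GroupScopeConversion -Identity $Identity -TargetScope $TargetScope
    if (-not $check.Allowed) { throw "Cannot convert $($check.Group) ($($check.From) -> $TargetScope): $($check.Reason)" }
    Set-ADGroup -Identity $Identity -GroupScope $TargetScope
}

# Usage (placeholder group name):
# Test-GroupScopeConversion -Identity 'Sales-Global' -TargetScope Universal
# Convert-GroupScope -Identity 'Sales-Global' -TargetScope Universal
```

Only direct nesting is inspected, which is all the three rules require; Set-ADGroup would refuse the conversion anyway, but the check tells you which group to un-nest first.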
A local group that is created on one of these computers can be assigned permissions
only on that one computer.
Groups with universal scope can have the following members: accounts,
computer accounts, other groups with universal scope, and groups with
global scope from any domain.
Groups with global scope can have the following members: accounts from the
same domain and other groups with global scope from the same domain.
Groups with domain local scope can have the following members: accounts,
groups with universal scope, and groups with global scope, all from any
domain. This group can also have as members other groups with domain
local scope from within the same domain.
Security groups in domains set to the Windows 2000 mixed functional level are restricted to the
following types of membership:
Groups with global scope can have as their members only accounts.
Groups with domain local scope can have as their members other groups with
global scope and accounts.
Security groups with universal scope cannot be created in domains with the domain functional
level set to Windows 2000 mixed because universal scope is supported only in domains where
the domain functional level is set to Windows 2000 native or Windows Server 2003.
Note
You cannot add the default groups that are located in the Builtin container as members to other groups. Ho
located in the Builtin container.