AD RMS
- MSMQ - MS Message Queuing - page 787 - transaction coordination in a distributed environment.
- IIS 7 page 787
- SQL Server - pg 787 SQL for production (Windows Internal DB for lab)
These services must be started (or restarted) if there are issues with RMS.
Also, users need to be configured with an email address to use RMS.
http://blogs.technet.com/rmssupp/archive/2006/11/30/helping-customers-help-themselves-w-irmcheck-pt-1.aspx
CA - pg 790
Self enrollments - page 800 - for test env - use CA certs for production
Delegation
page 803
RODC
page 377 - typo on the PPT slide: forest and domain FL at 2003
there must be a 2008 RW DC, and the RODC runs on 2008
run adprep /rodcprep
DNS zones on a RODC are read-only. If you want DNS to accept dynamic registrations you would have to uninstall the RODC and install the DC as a R/W DC with AD-integrated zones.
Also, if you have a 2003 AD and you are updating to 2008, you need to run:
adprep /forest and adprep /domain (same as adprep /forestprep and adprep /domainprep)
credential caching
page 381-382
oclist, ocsetup - mentioned here because RODC's are typically put on Server Core - pg 28
AD FS
pg 825
certs
pg 827
trust policies
pg 835
user and group claim mapping
pg 833
account store, AD or LDS
pg 855
With Federated Services, one organization defines the account store and the other organization defines the resource store.
dsadd, etc pg 88
csvde, ldifde
page 90
ntdsutil - using IFM options to create backup media to do installs from
pg 472
bulk import for group objects
pg 159
UPN suffix
pg 868
Powershell to create users
pg 103
template accounts
pg 87
Maintain AD accounts
pg 33
Domain Local Groups
pg 146
Groups
pg 145
Distribution groups do not have SIDs and can't be assigned permissions; security groups do have SIDs and can be assigned permissions.
Delegation of Control
pg 74
Add users to the "Group Policy Creator Owners" group to allow them to create GPO's.
Use the "Delegation of Control" wizard to give permissions to link GPO's to an OU.
Group Policy Inheritance
pg 255
Block Inheritance is applied to an OU and blocks GPO's that are being inherited from above.
Enforce - can be applied to a GPO to enforce its settings; an enforced GPO goes "through" a block.
ADMX Central Store
pg 246, 252
copy the Windows\Policy Definitions folder to the sysvol folder
add additional .admx files to the central store
Use Vista and above clients to edit GPO's that use .admx templates
Restricted Groups
pg 291
Security Options
pg 303
Starter GPO's
pg 247
Shell Access Policies - used GPMC to configure filters to locate certain policies
Admin Templates in Group Policy
Deny Apply Group Policy
pg 263
used if you want a certain group of users in an OU to not apply the GPO linked to that OU, or if you want a certain group of users in a domain not to apply a GPO linked to that domain.
Software Deployment
pg 322
Assign to computers, Assign or Publish to users
WSUS - not in book
Fine-grained Passwords
pg 360
Allowed List, Denied List
Password Repl Policy - for RODC's
page 380
Revealed list: msDS-RevealedUsers
Authenticated-to list: msDS-AuthenticatedToAccountlist
Repl Policies - see users who have cached passwords on the RODC and those that authenticated with the RODC
RODC's by default don't store user passwords unless you use Password Replication Policies (Allow or Deny groups).
You can configure a unique Password Replication Policy for each RODC.
ADUC - can be used to see users whose passwords were cached on a stolen RODC (so you can reset those passwords)
http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx
This website talks about configuring the RODC "Filtered Attribute Set" to limit the attributes that are replicated to a RODC. Defined on the Schema Master (recommended SM be 2008) - also recommended that the Forest Functional Level be 2008 for optimal security.
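The stolen-RODC response described above (and practiced in the lab task "Remove a RODC, reset the passwords for users/computers, and export that list") can be scripted instead of clicked through in ADUC. This is an added example, not from the notes or the book; it assumes the ActiveDirectory PowerShell module (Server 2008 R2 / RSAT) on a writable DC, and RODC01 and the output path are placeholders.

```powershell
# Added example: list the accounts whose passwords a lost RODC had cached,
# export that list, then reset those passwords. RODC01 and C:\IR\... are
# placeholders; requires the ActiveDirectory module on a writable DC.
Import-Module ActiveDirectory

$Rodc    = 'RODC01'                      # placeholder: name of the stolen RODC
$OutFile = 'C:\IR\RODC01-revealed.txt'   # placeholder: exported list of exposed accounts

# The RODC's msDS-RevealedUsers attribute records every account whose secret
# was replicated to it; -RevealedAccounts reads that list from the RODC object.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Export first, so the record of what was exposed survives the cleanup.
$revealed |
    Select-Object Name, SamAccountName, ObjectClass, DistinguishedName |
    Format-Table -AutoSize |
    Out-File -FilePath $OutFile -Width 300

function New-RandomPassword {
    # 24 distinct printable ASCII characters; meets the default complexity policy.
    param([int]$Length = 24)
    -join ((33..126) | Get-Random -Count $Length | ForEach-Object { [char]$_ })
}

foreach ($acct in $revealed) {
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    # Works for both user and computer accounts. A computer whose account
    # password is reset loses its secure channel and must be rejoined (or run
    # Reset-ComputerMachinePassword) once it is reachable again.
    Set-ADAccountPassword -Identity $acct -Reset -NewPassword $pw
    if ($acct.ObjectClass -eq 'user') {
        # Users never learn the random value; force them to pick a new one.
        Set-ADUser -Identity $acct -ChangePasswordAtLogon $true
    }
    Write-Output "Reset password for $($acct.ObjectClass) $($acct.SamAccountName)"
}

# After every exposed account is reset, delete the RODC's computer object from
# the Domain Controllers OU (ADUC) so the stolen box can no longer authenticate.
```

Run it once per stolen RODC; the Denied List and Allowed List of the remaining RODCs are unaffected, since only the accounts actually revealed to that RODC are touched.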
Denied List
page 381
Auditing
page 335
"Audit Account Logon Events" Success/Failure on the Default Domain Controllers Policy to log auth attempts on the DC's to the Security Log in Event Viewer.
"Audit Logon Events" Success/Failure is typically used on an OU to audit any failed authentication attempts (local or from the network) on the computers in that OU.
"Audit System Events" Success/Failure on a Default Domain policy would audit shutdowns on every computer in the domain.
"Audit Object Access" Success/Failure, then audit the specific NTFS folders/files and user groups that need to be audited.
auditpol.exe - allows for auditing old and new values in the Security Log in Event Viewer
page 342
http://support.microsoft.com/kb/921469
auditpol /list /subcategory:*
auditpol /set /subcategory:"user account management" /success:enable /failure:enable
auditpol /set /subcategory:"directory service changes" /success:enable /failure:enable
adsiedit.msc - needed for PSO's
page 361
wbadmin.exe - cannot back up individual files, but can restore individual files
page 630
If you back up the System State, that will include the entire System Volume.
Authoritative Restore
page 642-644
1) Reboot, F8, Directory Services Restore Mode
2) Restore System State
3) Use NTDSUTIL to mark the OU as authoritative
4) Then reboot the DC
Offline Defrag - with the restartable AD DS service
page 623
Moving the AD db - again with the restartable AD DS service and ntdsutil
Task Manager, Event Viewer etc - page 660
Server Performance Advisor (download from MS) - pg 360 - replaced by Windows Reliability and Performance Monitor
Windows System Resource Monitor
pg 672
Performance Monitor and data Collectors
pg 667
Use the System Data Collector Set called "Active Directory Diagnostics" to collect performance/diagnostic data
AD diagnostics
pg 667
Event Viewer subscriptions - not in book
wecutil qc -- quick config for the collecting computer
winrm quickconfig - on the forwarding computer
Configure the collecting computer to collect events from the forwarding computer into the Forwarded Events log on the collecting computer.
Standalone vs Enterprise CA's
pg 732
Use Enterprise CA's if you want all systems in the forest to trust the certs issued by the CA.
Then, use Group Policies to automatically deploy the certs.
CA hierarchy - root, subordinates
pg 734
Cert requests - web - standalone and ent
Cert requests - rpc - ent
page 733
Cert Practice Statement - who you are, policies, procedures, how you protect your CA's
page 739
Key Archival - supported with Ent and Datacenter versions
page 741, 756 - private key stored on CA in case user loses it
CA backup and restore
page 766
CA Administrative Role Assignment - not in book
CA Admin, Cert Manager, Backup Op, Auditor, Enrollees
CA Properties - Security tab
Cert Templates
Key Recovery Agent
CA properties, Recovery agents tab,
NDES - network device enrollment service
uses SCEP - Simple Cert Enrollment Protocol
page 732
Autoenrollment
page 773 - Cert Templates
Web enrollment
page 731
smart card enrollment
pg 757
creating enrollment agents
certificates snap-in - request All Tasks, Advanced, Enroll on behalf of
CA properties, 2008 supports restricted enrollment agents
online responders - OCSP - online cert status protocol
page 731, 759
On a web server in the DMZ - can be made fault tolerant using an NLB cluster.
NLB Clusters can be configured with Port Rules to only accept traffic on certain ports - like HTTP.
CDP - CRL Dist Point
page 754
AIA - Auth Info Access
page 760
Misc:
http://www.microsoft.com/windows/products/winfamily/cardspace/default.mspx
or
http://windows.microsoft.com/en-US/windows-vista/Windows-CardSpace
Windows CardSpace - client software that makes it possible for users to provide their digital identity to online services in a simpler and more secure way. It is an online virtual information card, an ID card for the Internet, that helps prove a user's identity and is very difficult to fake or steal. The feature comes with Vista. The CardSpace app has the ability to back up the digital ID (to a USB drive, for example).
R2 New Features:
Authentication mechanism assurance in Windows Server 2008 R2
http://blogs.technet.com/b/activedirectoryua/archive/2008/11/21/authentication-mechanism-assurance-in-windows-server-2008-r2.aspx
Service Accounts Step-by-Step Guide
http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx
"Managed service accounts in Windows Server 2008 R2 and Windows 7 are managed domain accounts that provide the following features to simplify service administration:
Automatic password management.
Simplified SPN (service principal names (SPNs), which are required for Kerberos authentication) management, including delegation of management to other administrators. Additional automatic SPN management is available at the Windows Server 2008 R2 domain functional level."
DNS Devolution:
http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx
83-640 Labs:
Help works for ntdsutil!
change group type (2-3 of these), i.e. security to distribution, universal to domain local, etc.
(refer to Transcender screenshot Lab 5 Task 3)
Assign a delegation to another DC (DNS)
(refer to Transcender screenshot Lab 6 Task 1)
Raise domain AND forest functional level
(refer to Transcender screenshot Lab 4 Task 2)
(refer to Transcender screenshot Lab 5 Task 4)
Set postalCode attribute to replicate with global Catalog
(refer to Transcender screenshot Lab 7 Task 6)
Disable round-robin and recursive lookup
(refer to Transcender screenshot Lab 6 Task 2)
Remove a RODC, reset the passwords for users/computers, and export that list of users/computers to a txt
(refer to Transcender screenshot Lab 3 Task 8)
(refer to Transcender screenshot Lab 7 Task 5)
Also - practice removing and exporting.
Use pre-existing GPOs to not show last user login name on your DC, and password history of 12 on domain
(refer to Transcender screenshot Lab 8 Task 2)
Also - practice GPO setting - to not display last login name
Set replication to ignore schedules
Practice - AD Sites & Services - IP properties - ignore schedules. Not in Transcender!
Set DEFAULTSITEIPLINK to not replicate on Sundays
(refer to Transcender screenshot Lab 5 Task 9)
Set Branch location to enable universal name caching
(refer to Transcender screenshot Lab 5 Task 8)
Change DEFAULTIPLINK cost
Practice - AD Sites & Services - DefaultIPSiteLink Properties - change cost. Not in Transcender!
Change a user's description in AD Users and Computers
Practice - AD Users & Computers - user properties - change description. Not in Transcender!
Create dns conditional forwarder
(refer to Transcender screenshot Lab 1 Task 1)
Replicate company attribute to Global catalog
(refer to Transcender screenshot Lab 7 Task 6)
Change DSRM password
(refer to Transcender screenshot Lab 7 Task 8)
Disable DNS load bad data
Practice - DNS - Server properties - Advanced
Block inheritance in GPO
(refer to Transcender screenshot Lab 6 Task 3)
Disable user configuration in GPO
Practice - Group Policy Management Console - Group Policy Objects container - right click on GPO - GPO status
Assign permission on a certificate template
Practice - MMC - Add Certificate Templates snap-in - right click on template - Properties - Security
Change DEFAULTIPLINK replication interval
(refer to Transcender screenshot Lab 5 Task 9)
Create a new forward lookup zone in dns
(refer to Transcender screenshot Lab 4 Task 1)
Change gpo security filter
(refer to Transcender screenshot Lab 3 Task 3)
Enforce Password History
=============================================
Computer Configuration\Windows Settings\Security Settings\Password Policy
(refer to Transcender screenshot Lab 8 Task 2)
============================================
Interactive logon: Do not display last user name
============================================
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
practice GPO setting - to not display last login name
============================================
Enable "postalCode" attribute to replicate to all GC servers
============================================
(refer to Transcender screenshot Lab 7 Task 6)
Run regsvr32 schmmgmt.dll
Run MMC
File - add/remove snap-in
Add Active Directory Schema
Right click Active Directory Schema, select Connect to Schema Operations Master
Select Attributes
Find postalCode, right click, Properties
Select Replicate this attribute to the Global Catalog
============================================
Raise Domain Functional Level to 2008
============================================
(refer to Transcender screenshot Lab 4 Task 2)
(refer to Transcender screenshot Lab 5 Task 4)
From Active Directory Users and Computers, right click on the domain
Select Raise domain functional level
============================================
Enable GC on Domain Controller
============================================
(refer to Transcender screenshot Lab 2 Task 4)
From Active Directory Sites and Services, right click NTDS Settings under the applicable DC server
Select properties, check Global Catalog box
=============================================
Add a task to Event Viewer for Services with ID 7036
=============================================
(refer to Transcender screenshot Lab 6 Task 4)
From Diagnostics\Event Viewer\Windows Logs\System, right click on log ID 7036
Select Attach Task to This Event
=============================================
Configure DNS Delegation
=============================================
(refer to Transcender screenshot Lab 6 Task 1)
From DNS manager, right click on dns for domain, select New Delegation
Enter delegated domain name (eg west.contoso.com)
Click Next then Add
Enter server FQDN (eg server.west.contoso.com) and server IP address
===========================================
Configure DNS Debugging
===========================================
(refer to Transcender screenshot Lab 6 Task 8)
Right click on DNS Server, Properties, Debug Logging
===========================================
DNS - Configure Conditional Forwarding
===========================================
(refer to Transcender screenshot Lab 1 Task 1)
Right click on conditional forwarders, configure FQDN and IP address
===========================================
DNS - Zone Transfer settings
===========================================
(refer to Transcender screenshot Lab 7 Task 2)
Right click on zone, Properties, Zone Transfers
===========================================
Change Cost - ADDS
===========================================
Practice - AD Sites & Services - DefaultIPSiteLink Properties - change cost. Not in Transcender!
From Active Directory Sites and Services, select Inter-Site Transports\IP\Site Link
Right click, Properties
Modify Cost
=============================================
Reset DSRM Password from Command Prompt
=============================================
(refer to Transcender screenshot Lab 7 Task 8)
Run ntdsutil
set dsrm password
reset password on server null