
STUDY NOTES 70-640

DC Install
dcpromo /forceremoval to remove
To include a 2008 server in a 2003 environment - first step is adprep /forestprep
Removing AD: uninstall the role, use dcpromo with an answer file
RODC: forest and domain functional level must be 2003 or later
If demoting a DC that has a replica of an application data partition, you must remove the replica before demoting the DC

Sites & Trusts
Trusted (Outgoing) - I am trusting someone else to access my resources
Trusting (Incoming) - someone else is trusting my users
Realm Trust - for Unix-based domains
If Domain A trusts Domain B, Domain B is the trusted domain. Its users and global groups can be members of domain local groups in Domain A. Domain B's users and groups can be assigned permissions to resources in Domain A
Trust Relationships: can only establish a forest trust when both forests are running 2003 FFL or higher
One way - Incoming: users in your (trusted) domain can be authenticated in the other (trusting) domain
Shortcut Trust - exists within a single forest
Authentication scope: Domain-wide - unrestricted access by users in the trusted domain to all shared resources in the trusting domain, depending on permissions. Forest-wide - the same. Selective Authentication - no default authentication; you specify the users and groups from the trusted forest that are permitted to authenticate to servers in the trusting forest. Do this on the Trusts tab in AD Domains & Trusts
Trusted domain can use the resources of the trusting domain
Kerberos AES - must be Windows 2008
Site Links: by default, two sites created in AD aren't linked - a site link must be created manually

Bridging - by default, all site links are bridged - all DCs in each site can communicate
You might turn off bridging if there are some DCs you never want communicating with each other
Turning off bridging makes replication dependent on the explicit links you created
Preferred Bridgehead: a DC acts as bridgehead for a particular transport
Problem - can reduce redundancy of AD DS by preventing the KCC from failing over to other DCs in the same site if the bridgehead is offline
You should have multiple bridgeheads
Bridgehead server - set in CN=IP, CN=Inter-Site Transports ... bridgeheadServerListBL attribute
Universal group membership caching - set on NTDS Site Settings properties

Site Links:
Must be created manually
Transitive in nature
Site link bridge - builds a transitive and logical link between sites that do not have an explicit site link. It is created only when transitivity of site links is disabled
To ensure SYSVOL replication using DFS, Domain Functional Level must be 2008
AD Sites and Services - where you set GC
UGMC caching - set at site level

Sites
Site link bridge - grouping of one or more site links that enables any two DCs to communicate, whether or not they are directly linked by a site link. AD bridges all site links by default
Site link - replicates info between sites. Each site link bridge is a chain of site links that enables any DC to communicate directly, whether or not they are directly connected by a site link
We might need to disable automatic bridging or create our own site link bridge if:
Network not fully routed
You don't want direct communications between all DCs
Sites not well connected
Intersite replication crossing a slow link - create a site link bridge that encompasses the faster links
Ports used for replication:
TCP/UDP 135 - Intersite Topology Generator
TCP/UDP 636 - Secure LDAP
TCP/UDP 88 - Kerberos
TCP/UDP 445 - SMB
TCP/UDP 53 - DNS
TCP 3268/3269 - Global Catalog

Don't set intersite replication to less than the 15 minute minimum replication interval

Replication
Troubleshoot replication - use Eventvwr, Replmon (for 2003) and Repadmin
Repadmin options:
repadmin /options - is it a GC
repadmin /bridgeheads - info about replication topology
repadmin /showrepl - shows replication partners, attempts etc
repadmin /add - create replication links
repadmin /replsummary - displays summary

To force replication - AD Sites & Services, NTDS Settings > Replicate Now
DCDIAG - analyses connectivity, replication, topology generation

AD LDS
Don't use 389 or 636 for LDS if you have AD DS on the same server
Create an instance (unique, or a replica of an existing one)
Replicate LDS using Sites & Services
Work with LDS using ADSIEdit, ntdsutil, or dsdbutil
dsdbutil allows you to back up a specific instance to external media
To remove: remove the instances first from Programs & Features, then remove the role from Server Manager
To configure data in AD LDS - use ADSIEdit, LDP, AD Schema, AD Sites & Services
Can import legacy X.500 - use ldifde to import data from legacy applications
Authentication - users requesting directory data from an AD LDS instance must be authenticated prior to access (binding)
Can use dsadd to add accounts to LDS
To install on Server Core - start /w ocsetup DirectoryServices-ADAM-ServerCore, then install the instance from an answer file
You can also use ldifde to import data into your AD LDS instance
Can back up specific AD LDS instances using DSDBUTIL

Use ADSIEdit to create new OUs in an LDS application directory partition
If you install a replica of AD LDS you can then replicate the LDS instance on another computer
ADUC and Domains and Trusts are not supported in an LDS implementation - Sites & Services is

AD RMS
DFL/FFL of 2000 will do (double check), although you can only install RMS on a server running 2008 or R2
Need RMS service account (domain user)
Reserve URL for RMS cluster
Database - SQL 2005 plus
Use SSL cert from a certification authority
Install client software on clients - 2000 SP4, XP SP2; Vista must have SP2 (the client is installed by default)
Need domain admin to install. Need IIS, Windows Process Activation Service, Message Queuing Services
To install, you need to be a member of the local AD RMS Enterprise Admins, and a member of Enterprise Admins
RMS cluster auto enrolled - using server self-enrollment certificate

Need RMS server - add role through Server Manager
AD RMS Root Cluster - doesn't mean more than one server. This will be on IIS
Need a DC - will have a directory partition that stores the SCP (Service Connection Point), which allows servers etc to find the RMS server
Need user groups/accounts
Need service account
Need a database - SQL 2005 or later. This will store the configuration information

AD RMS Licensing-Only cluster - if you have a division within the company that has unique rights management needs, you might set this up. Still points to your root cluster, but can work with some independence
XP and earlier - need to download the RMS client
Installing RMS:
Service account for installing
Need Enterprise Admin for SCP configuration
Don't install on a Domain Controller
SQL: write right to create DB
Web cert for SSL
Use CNAME for URL
Create certificate template & make available in AD
In certificate properties, in Subject, need to select URL under Alternative Name and use the CNAME

If you want RMS available for a forest in a federation, you need to set up RMS before setting up a federation trust.

AD Federation Services
IIS and Windows Process Activation Service required for AD FS
IIS, ASP.NET 2.0 and .NET 2.0 required
Web.config file - where the claims-aware application will have the return URL typed
AD FS can operate properly if the functional level is 2003
Federation Service servers sharing a trust policy - resource and account federation servers
Federation Service Proxy - one in each resource and account partner. Shouldn't be on the Federation Server
Claims-aware agent - enables the querying of AD FS security token claims (default.aspx, web.config, default.aspx.cs)
Claims-aware app must have the return URL typed correctly in the web.config file and it must match the URL specified in the Federation Service
FS Web Agent manages tokens and cookies (claims-aware, Windows token-based agent). It's the mechanism a web app would use for authenticating external users
Federation Server Farm with SQL backend allows for some redundancy
Installing FS Server Role: need 2008 Enterprise/Datacenter. Install through Add Roles. Prerequisites - IIS, Windows Process Activation. Need certificate also
Claim Mapping: UPN, Email, Group, Common Name
Setup Trust: need to create claims (New Organization Claim); create account stores - using LDS or DS; enable applications; create Federation Trusts
Objects & Trusts
Bulk import tools: CSVDE (adding stuff), LDIFDE (adding and modifying stuff)

DSADD
Scripts
DSRM (Remove)

AD Recycle Bin
Use ldp.exe or Get-ADObject and Restore-ADObject to restore
AD Recycle Bin - 2008 R2 on all DCs, FFL 2008 R2
Get-ADForest (to see what FFL)
If not, can change - Set-ADForestMode -Identity ... -ForestMode ...
Enable-ADOptionalFeature "Recycle Bin Feature"
AD Recycle Bin - forest FFL 2008 R2

Database & AD Maintenance & Monitoring
Compact database - use NTDSUTIL
DSAMAIN - data mining tool for LDAP, compare snapshots, decide what to restore etc
WinRM allows event collection - set to Automatic on the target machine. Also the Windows Event Collector on the machine where you want to collect the logs
Windows Remote Management - remote management service that has a server component, WinRM, and a client component, WinRS
Run WinRS on the computer that will be remotely managing the server. You should use HTTPS when using WinRS from a host not in the same domain
Xcopy copies ADML files. ADML files need Windows 2008, R2, Vista, Windows 7. They are stored in the SYSVOL folder
AppLocker - to enforce, must be running 2008 R2, Win 7 Ultimate, or Win 7 Enterprise. If you upgrade a computer that uses Software Restriction Policies to Windows 7 and then implement AppLocker rules, only the AppLocker rules are enforced
YOU CANNOT USE NTDSUTIL TO FORCE REPLICATION
Critical volume includes SYSVOL, ntds.dit etc
Windows Server Backup - install prior to use
NTDSUTIL IFM (Install From Media)
NTDSUTIL PARTITION MANAGEMENT CREATE NC - creates an AD partition
Wbadmin backup system state - wbadmin start systemstatebackup

Restore AD: boot into DSRM. To do a nonauthoritative restore using wbadmin: wbadmin start systemstaterecovery, then do an authoritative restore by using the -authsysvol parameter

Restore: wbadmin start systemstaterecovery - then do an authoritative restore
NTDSUTIL: authoritative restore
Then replicate
You can recover back links using LDIF files
Scripts for Group Policy backup/restore:
ImportGPOs.wsf
CreateGPO.wsf
CopyGPO.wsf / CopyAllGPO.wsf
RestoreGPO.wsf / RestoreAllGPO.wsf
BackupGPO.wsf
Offline Defragmentation:
net stop ntds
ntdsutil: activate instance ntds, compact to <folder>
delete log files
copy old ntds.dit to archive location
copy new ntds.dit over old
verify integrity
net start ntds
Windows Backup: wbadmin get versions - list backup history
To run in PS - Add-PSSnapin Windows.ServerBackup; Get-Command *wb*; to get history list - Get-WBBackupSet
Back up AD in System State and Bare Metal (full backup of volume)
NTDSUTIL after an authoritative restore will list the name of a file containing backlink info. This can be copied over to the DC using LDIFDE
Use NTDSUTIL to change the DSRM password

Offline defrag enhances performance
Windows 2008 allows restartable AD DS
Use NTDSUTIL to move NTDS.DIT or defrag it
Should have 1 GB or 20% more free space when moving the DB and log files
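The offline defragmentation sequence above, scripted end to end, as an added example that is not part of the original notes. It relies on the 2008 restartable AD DS service instead of booting into DSRM, reads the database and log locations from the documented NTDS Parameters registry values, and applies the 1 GB / 20% free-space rule before touching anything. The scratch and archive folder paths are assumptions; the script is meant to run from an elevated PowerShell on the DC after a system state backup.

```powershell
# Added example (not from the original notes): offline defrag of ntds.dit on a 2008 DC.
# Assumptions: run elevated on the DC; $compactDir and $archiveDir are made-up paths.
$ErrorActionPreference = 'Stop'

$compactDir = 'C:\NTDSCompact'   # assumption: scratch folder for the compacted copy
$archiveDir = 'C:\NTDSArchive'   # assumption: where the pre-defrag ntds.dit is kept

# Locate the live database and the log folder from the NTDS service parameters.
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $params.'DSA Database file'
$logPath = $params.'Database log files path'

# Free-space check: at least the database size plus max(1 GB, 20% of the database).
$ditSize = (Get-Item $ditPath).Length
$needed  = [math]::Max(1GB, [long]($ditSize * 0.2))
$drive   = Get-PSDrive -Name $compactDir.Substring(0, 1)
if ($drive.Free -lt ($ditSize + $needed)) {
    throw "Not enough free space on $($drive.Name): for a compacted copy of $ditPath"
}
New-Item -ItemType Directory -Path $compactDir, $archiveDir -Force | Out-Null

# Remember which services were stopped along with NTDS so they can be restarted afterwards.
$deps = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }

# 1. Stop AD DS (restartable on 2008, so no reboot into DSRM).
Stop-Service NTDS -Force

try {
    # 2. Compact into the scratch folder; each quoted string is one ntdsutil command.
    & ntdsutil.exe "activate instance ntds" files "compact to $compactDir" quit quit
    if ($LASTEXITCODE -ne 0) { throw 'ntdsutil compact failed; live database left untouched' }

    # 3. Archive the old database, copy the compacted one over it, delete the old logs.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Copy-Item $ditPath (Join-Path $archiveDir "ntds.dit.$stamp")
    Copy-Item (Join-Path $compactDir 'ntds.dit') $ditPath -Force
    Remove-Item (Join-Path $logPath '*.log') -Force

    # 4. Verify the new database before the directory comes back online.
    & ntdsutil.exe "activate instance ntds" files integrity quit quit
    if ($LASTEXITCODE -ne 0) {
        throw "Integrity check failed; copy $archiveDir\ntds.dit.$stamp back before starting NTDS"
    }
}
finally {
    # 5. Start AD DS and whatever was stopped with it (KDC, DNS, DFSR/FRS ...).
    Start-Service NTDS
    $deps | ForEach-Object { Start-Service -Name $_.Name }
}
```

The live ntds.dit is only overwritten after ntdsutil exits cleanly, and the integrity check runs while NTDS is still stopped, so a failed compact leaves the original database in place and a failed integrity check tells you which archived copy to put back.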

Fine-Grained Password Policies
Need Windows 2008 DFL
They only apply to user objects and global security groups
To do it: upgrade all DCs to 2008; raise DFL to 2008; create a PSO and edit its attributes under the Password Settings Container; apply the PSO to the Accounting Users and set the priority rank of the PSO higher than any other PSO
Need Domain Admins
DFL must be 2008
Policies are applied to the users or global groups that need them
To configure: ADSIEdit, locate CN=Password Settings Container, select msDS-PasswordSettings
To apply to a group - msDS-PSOAppliesTo
Fine-Grained Passwords: need DFL 2008. Can only be assigned to users/groups. Can be created through ADSIEdit or scripted using LDIFDE
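A scripted version of the LDIFDE route to a PSO, as an added example that is not part of the original notes. The domain DN, the PSO name and the target group are constructed values. Two points the notes leave implicit: a lower msDS-PasswordSettingsPrecedence value wins when several PSOs apply (that is the "higher priority rank"), and AD stores the age and lockout durations as negative 100-nanosecond intervals, which the helper converts from a TimeSpan.

```powershell
# Added example (not from the original notes): create a PSO with LDIFDE and apply it to a group.
# Assumptions: DC=contoso,DC=com, "Accounting PSO" and "Accounting Users" are made-up values.
$domainDN = 'DC=contoso,DC=com'
$psoName  = 'Accounting PSO'
$groupDN  = "CN=Accounting Users,CN=Users,$domainDN"

# AD durations are Int64 counts of 100 ns, negated; a .NET tick is also 100 ns.
function ConvertTo-ADInterval([timespan]$ts) { -1 * $ts.Ticks }

# All ten msDS-* settings below are mandatory on the msDS-PasswordSettings class.
$ldif = @"
dn: CN=$psoName,CN=Password Settings Container,CN=System,$domainDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 14
msDS-MinimumPasswordAge: $(ConvertTo-ADInterval (New-TimeSpan -Days 1))
msDS-MaximumPasswordAge: $(ConvertTo-ADInterval (New-TimeSpan -Days 42))
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-ADInterval (New-TimeSpan -Minutes 30))
msDS-LockoutDuration: $(ConvertTo-ADInterval (New-TimeSpan -Minutes 30))
msDS-PSOAppliesTo: $groupDN
"@

# Write the LDIF and import it; -k keeps going if the PSO already exists.
$file = Join-Path $env:TEMP 'accounting-pso.ldf'
Set-Content -Path $file -Value $ldif -Encoding ASCII
& ldifde.exe -i -f $file -k
```

Run this as a Domain Admin on a DC (or with -s <dc> added to the ldifde call). On 2008 R2, Get-ADUserResultantPasswordPolicy against a member of the group confirms that the PSO, and not the Default Domain Policy, is what applies.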

Reason for Access auditing: need 2008 R2 and Windows 7 for this, and set "Audit: Force audit policy subcategory settings" under Security Options

Read Only Domain Controllers

Need FFL 2003
PDC Emulator must be on 2008
Run ADPREP /RODCPREP on the Schema Master (if all DCs are 2008, you don't need to run this)

Writeable DC must be 2008 and have connectivity with the RODC
Recommend installing DNS on the RODC in case of link failure
To check what accounts are cached on the RODC - repadmin /prp view <servername> reveal

Admin Role Separation
You can assign administrator to one user/group on the RODC
DSMGMT - Local Roles - add domain\user administrator
Read-only DNS doesn't dynamically update - if you need this, rebuild as a writeable DC
Password Replication Policy - each RODC has the Allowed and Denied lists
Go into ADUC, Domain Controllers OU, right-click the RODC, choose Properties
Select the Password Replication Policy tab
Add people to the allow/deny list
Can cache credentials - prepopulate the password cache in the properties of the RODC. Click Advanced - Prepopulate
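A check that turns the "repadmin /prp view ... reveal" information into something you can act on, as an added example that is not part of the original notes. It uses the 2008 R2 Active Directory module to list the accounts whose secrets are currently cached on an RODC and flags any that sit in a privileged group, noting whether the account is explicitly on the RODC's Denied list. The RODC name and the list of privileged groups are assumptions.

```powershell
# Added example (not from the original notes): find privileged accounts cached on an RODC.
# Assumptions: Active Directory module available (2008 R2); "RODC01" is a made-up DC name.
Import-Module ActiveDirectory

function Get-RodcPrivilegedCache {
    param(
        [Parameter(Mandatory = $true)][string]$Rodc,
        # Groups whose members should never be cached on an RODC (assumption: adjust to your forest).
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    # Resolve privileged membership once; -Recursive so nested group members count too.
    $privileged = @{}
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $privileged[$_.distinguishedName] = $g }
    }

    # Accounts whose secrets are stored on the RODC (same data as "repadmin /prp view <rodc> reveal").
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

    # Principals explicitly listed on the Denied side of this RODC's PRP tab.
    $denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
        ForEach-Object { $_.distinguishedName }

    foreach ($acct in $revealed) {
        if ($privileged.ContainsKey($acct.distinguishedName)) {
            New-Object PSObject -Property @{
                Account  = $acct.SamAccountName
                Group    = $privileged[$acct.distinguishedName]
                # True when the account itself (not just its group) is on the Denied list
                InDenied = ($denied -contains $acct.distinguishedName)
            }
        }
    }
}

Get-RodcPrivilegedCache -Rodc 'RODC01' | Format-Table Account, Group, InDenied -AutoSize
```

Any row in the output means a compromise of that branch-office RODC exposes a privileged account's secrets. The fix is the one the notes give: put the account (or its group) in the Denied RODC Password Replication Group, then clear the cached secret with repadmin /prp delete on that RODC.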

GPOs & Groups etc
AGUDLP - Accounts into Global groups into Universal groups into Domain Local groups; assign permissions to the DL groups
WMI filters - can query the destination computer for hardware and other attributes. Windows 2000 doesn't support WMI filters
Block Inheritance can only apply to a container. Cannot apply to users or groups
ADMX files - stored in SYSVOL (central location). ADMX files work with Vista & 2008 and can be managed from them
PolicyDefinitions folder must exist at \\domain\SYSVOL\<domain>\Policies\PolicyDefinitions

Starter GPOs - you can create another GPO using a starter GPO, but you can't link a starter GPO directly to a DS object
Can contain settings defined in Administrative Templates in Computer Config or in User Config
Cannot use a starter GPO to define settings in the Windows Settings area or the Software Settings area

GPOs with a higher link order (lower number) take precedence over ones with a higher number
If Link Enabled is turned off, settings from the GPO are not applied at all

Deploying software using GPO
Assign to user - software follows them around, will appear in the Start menu, installed when they click on it
Assign to computer - available to all users who log on, installed when the machine restarts
Publish to users - put in Control Panel, or installed when people click on certain file extensions
You cannot publish to computers - users must manually commence installation of published software
Do you assign or publish? If it is mandatory to install the app, assign
Assign to computers if all computers in the scope of the GPO require it regardless of user
Remove software - you can uninstall, or allow them to continue using it, or prevent new installs

Auditing
Auditing - configure in GPO
Account Logon - logon/off by user account at the DC
Account Management - resetting passwords etc
Directory Service Access - DS objects
Logon Events - authentication of local users
Object Access
Privilege Use - user rights such as changing the system time
System Events - shutdown etc
auditpol [<sub-command> <options>]
/get - displays current policy
/set - sets audit policy
/list - displays policy categories/subcategories
/backup
/restore
/clear - clears the policy
/remove
Sub-command options: /category:<name> /subcategory:<name>

NTDSUTIL - can seize operations master roles
AD RMS - users' email accounts must be registered
RODC - to enable dynamic updates, uninstall AD DS and reinstall as a writeable DC
Netdom - change server name

BitLocker:
TPM chip and/or USB device
2 NTFS partitions (1.5 GB)
BIOS compatible
UPN suffix - add to forest
CSVDE - import and export
WMI Filters - filter the effect of a GPO on the basis of characteristics like RAM, processor speed, disk capacity, installed apps
WMI Filter - value for Windows 7 is 6.1 (Version attribute)
Windows System Resource Manager - resource allocation policy only kicks in when processor utilisation is over 70%

NTDSUTIL - maintenance of the AD DB, operations master roles
Assigning an app to users - advertised on the Start menu
Assigning an app to computers - installation performed on startup
Publish to user - in Add/Remove Programs
CANNOT PUBLISH TO COMPUTER
Terminal Server cannot accept published programs
Remove using the removal option in the GPO, forced or optional

Auditpol
Successful logon: auditpol /set /subcategory:"Logon" /success:enable
Account Logon - user account authenticated on a domain controller, logged in the Security log
DSDBUTIL - performs DB maintenance of AD DS, configures AD LDS
WBADMIN - need to add using Server Manager

Certificate revocation:
On the root CA, configure the CRL distribution point (CDP) to point to the store folder
Copy the CRL file from the root CA to the shared folder
Enroll permission required for a user requesting certificates
Clients can request certs through autoenrollment, web enrollment or manually
Online Responder - conveys info about the validity of a certificate. Receives and responds to individual requests about the certificate

AD-integrated DNS zone replication - traffic is automatically encrypted
Need DFL 2008 for Kerberos AES
To query LDS, need to run ldp.exe on the server locally
DNSCMD /ZoneExport - lists RRs for a specified zone
Trusts can be: created explicitly (manual) or implicitly (auto); transitive or nontransitive; one way or two way
AD RMS - install the latest SP on XP, install the RMS client

RAID 5 and DB files - place NTDS.DIT on the RAID 5 array. Log files on another disk (not the RAID 5, or the OS)
Fine Grained: DFL must be 2008. All DCs must be 2008
Global Catalog
Built automatically by AD replication, no need to replicate manually
Global Catalog can add to the replication traffic
Attributes whose partialAttributeSet property is set to true are replicated by the Global Catalog
Global Catalog recommended with more than 100 users in a branch
Clients can request certs through autoenroll, web enroll, manual enroll

Secondary DNS zones can provide a means to offload DNS query traffic in areas where zones are heavily queried. Incremental zone transfer can also provide name resolution
Members of Backup Operators cannot schedule backups
SYSVOL folder needs to be on an NTFS partition
Windows 2000 native is the lowest you can use for DCs
Transitive two-way trusts are automatically created between domains in a tree

Site link bridges are built with the intent to permit site links to be transitive
Connection objects are created automatically
UGMC - enable at site level
Licensing service - can run on AD Sites & Services
Enterprise Admins has full permission to administer all domains in the AD forest
Add admin accounts to the Denied RODC Password Replication Group if you don't want them caching
Filtered attribute set needs FFL 2008
Reason for Access - allows you to see the reason why an operation was a success or a failure
DFS replication - DFL 2008
DFS-R - is managed by DFSRADMIN
DFSRMIG.EXE can determine the replication method being used - dfsrmig /GetGlobalState - a state of Redirected or Eliminated indicates DFSR is being used. A state of Start or Prepared means FRS replication is still being used
DCs must be 2008, 2008 R2. Minimum DFL 2008. After you raise the DFL, use dfsrmig.exe to switch replication mode
You don't need to raise the forest functional level to use DFS-R

Subscriptions - prepare source computers - winrm quickconfig
Add the collector computer to the local Administrators group on the source computer
If you want to minimise latency, run winrm quickconfig on the source, or wecutil qc
Create the subscription on the collector computer

CSVDE can create objects but not modify them
Can create groups with DSADD, CSVDE and LDIFDE
DSGET - full memberships of a group
Shadow group - need to manually add new users
Default mode of CSVDE/LDIFDE is export - change switch to -i to import
Reset a computer account with ADUC, Netdom, DSMOD
PolicyDefinitions folder - %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions
PSOs - use ADSIEdit to create

Exporting AD with PS
Get-ADObject
Set-ADObject (set attribute)
Remove-ADObject
New-ADObject
Restore-ADObject

UPN Suffix - create in AD Domains & Trusts
Certification Authorities
Version 1 templates - Win2000
Version 2 templates - XP, Server 2003 or later
Version 3 templates - only Vista, 7, 2008
Request Handling tab options: Purpose (Signature, Encryption, Signature & Encryption)
Add Read permissions to Network Service on the private key
For Version 3 only
Certificates - to recover a key: certutil -getkey (to store the key to a blob); certutil -recoverkey to create a .pfx file the user can import
Do the following when the subject is enrolled and when the private key associated with this cert is used: Enroll subject without requiring user input / Prompt user during enrollment / Prompt user during enrollment and require user input when the private key is used
A certificate based on the Enrollment Agent certificate template enables a user to request certs on behalf of other users. They are generally not authorised to approve cert requests, revoke certs or perform other tasks associated with the Certificate Manager role
Certificate Manager role can issue, approve, deny, renew and revoke certificates
Available permissions for a CA: Read, Issue and Manage Certificates, Manage CA, and Request Certificates
To automatically issue user or computer certificates, edit the GPO: User Config > Security Settings > Public Key Policies; highlight and edit Certificate Services Client - Auto-Enrollment. Computer Config > Security Settings etc
Cross-forest certificates need 2008 R2

You can designate administrators to the Certificate Manager role
Enterprise CA and Online Responder are only on 2008 Enterprise and Datacenter
Certificate revocation can come from a CA on 2008, 2003 or non-MS

IIS must be installed before the Online Responder. A virtual directory called OCSP is created and the web proxy is registered as an ISAPI extension
Online Responder setup requires configuring certificate templates and issuance properties for OCSP Response Signing, and additional steps on the CA to support certificate issuing and the Online Responder

To configure templates for the Online Responder:
Duplicate the OCSP Response Signing template
Go to the Security tab, click Add to select the computer hosting the Online Responder service
Give the computer the Read and Autoenroll permission
To configure the CA to support the Online Responder: need to use the CA snap-in to add the location of the OR to the AIA extension of issued certs, and enable the template you configured:
Open the Certification Authority snap-in
Click the name of the CA, Action, Properties, click the Extensions tab
In Select Extension click AIA
Select Include in the AIA extension of issued certificates, and Include in the OCSP extension
Specify the location where you obtain Certificate Revocation Data
In Enable Certificate Templates, select the OCSP Response Signing template
Revocation Configuration
Before you do it, ensure cert enrolment has taken place, so a signing cert exists on the computer, and adjust permissions to allow the Online Responder to use it:
Log on to the Certificates snap-in. Open the Personal cert store and ensure it contains the OCSP Response Signing certificate
Right-click, Manage Private Keys, Security tab. Enter Network Service, tick the Full Control check box
Create Revocation Configuration:
1. Identify the CA cert for the CA that supports the Online Responder
2. Identify the CRL Distribution Point
3. Select the signing cert to sign revocation status responses
4. Select the Revocation Provider
Revocation Config:
1. Open the Online Responder snap-in
2. Add Revocation Configuration
3. Select Certificate from Existing Enterprise CA
4. If it appears, select it; if it doesn't, browse to the computer
View the cert and copy the CRL Distribution Point: open Certificate Services and select the cert, click Details, select CRL Distribution Points
Put in the URL for the CDP you wish to use
On Select Signing Certificate accept the default, auto select signing cert
On Revocation Provider, add the CDP URL

Setting up NDES
It operates as an ISAPI filter on IIS
Add in Server Roles > CA > NDES
Holds the MSCEP_ADMIN website. Max password cache by default is 5
You can change the settings for this and others by editing HKLM\Software\Microsoft\Cryptography\MSCEP\PasswordMax
Other options: PasswordLength, PasswordValidity, CacheRequest, HashAlgorithm

Online Responder
The config info can be found in HKLM\System\CurrentControlSet\Services\OCSPSVC\Responder
Three steps to do it: install the Online Responder service; prepare the environment; configure the Online Responder
Install OCSP through Roles. You need IIS installed, and it also installs Windows Process Activation Service
Can manually register the web proxy - certutil -vocsproot
Then configure CAs so the Online Responder's URL is included in the AIA extension of issued certs. Do this in the properties of the CA, Extensions tab, in the Select Extension list click AIA and add. The location should be the full URI of the Online Responder
You then configure the templates - use Read & Enroll on the OCSP template. Autoenroll is not used by the Online Responder. Then issue the template
Restart the Online Responder service by running net stop OCSPSVC etc
To audit the Online Responder, go to its properties. The following is available on the tab:
1. Start/Stop OR service
2. Changes to OR config
3. Changes to OR security
4. Requests submitted to OR
They'll be logged only if Audit Object Access is enabled in the local GPO

You can have an array of Online Responders. For each array, one member is defined as the array controller. This helps to resolve synchronisation conflicts
To back up the Online Responder on the array controller, export the following key: HKLM\System\CurrentControlSet\Services\OCSPSVC\Responder
Service log is found in %SystemDrive%\Windows\ServiceProfiles\NetworkService\OCSPSVC.LOG

Cross-Forest Cert Enrollment:
Need 2008 R2
Resource forest holds the PKI objects. Account forest: domain members who enroll from enterprise CAs in the resource forest
Forest CAs allowed with 2008 R2 for CertEnroll
Cert Enroll web server, schema, enterprise CA must be 2008 R2 and the clients must be Win 7 or 2008 R2
You need the Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service
Before people can use the Cert Enrollment Policy Web Service, you must provide the location of the web service in Group Policy to the members of the forest. Go to the web server that hosts the Cert Enrollment Policy and copy the URL of the ADPolicyProvider_CEP_AuthenticationType

certutil -crl publishes new CRLs. Or you can publish the CRL through the CS snap-in. You can publish the new CRL or the delta CRL
You can limit who has permissions for autoenrollment to a particular cert by limiting the permissions on the cert template (Security tab). You can do Read, Enroll, Autoenroll, Enroll without requiring user input
Users must have appropriate permissions to request a cert from a CA (Request Certificates)
Subject Alternative Name (SAN) cert - X.509 allows a cert to identify more than one entity or device
certutil -dump dumps config info of the CA
Smartcards:
Smartcard User template - can be used for smart card logon and secure mail
Smartcard Logon - can be used for authentication but not email

DNS
DNS - configure an address for round robin by creating two or more A records, each pointing to a unique IP address

DNS - to submit unresolved queries to another server, set up a forwarder: dnscmd /ResetForwarders *.*.*.*
DNSCMD /ZoneUpdateFromDs - forces sync with AD
DNSCMD /ZoneRefresh - forces a non-AD secondary zone to refresh its data from the master server
DNSCMD /ZoneResetMasters - change config of secondary zones from the secondary server
DNSCMD /EnlistDirectoryPartition - makes partitions available
DNSCMD /ZoneAdd - creates a zone
DNSCMD /ZoneChangeDirectoryPartition - moves a zone to a different partition
DNSCMD /Config /NoRecursion 0 - turns on recursion
DNSCMD /Config /NoRecursion 1 - turns off recursion
DNSCMD /Config <ZoneName> /Aging 1 - enables aging and scavenging
DNSCMD /ZoneResetSecondaries contoso.pvt /SecureList - configures the zone for transfers, specifies the list of DNS servers allowed to perform transfers
Configure DNS Notify to speed replication of changes from the primary zone to the secondary zone: on the Name Servers tab of zone properties, click Notify. DNSCMD /ZoneResetSecondaries domain.com /Notify
Amount of time before a DNS record is removed is equal to the refresh interval plus the no-refresh interval (default 7 days)
