2008 R2 ADS Vocabulary - Session 3 Flashcards
Group Policy Processing
You can apply Group Policy settings at the local, site, domain, and OU levels.
All group policies that can apply to a user or computer do so, blending their settings. However, settings from different policies may directly conflict with each other.
Group Policy Processing
To prevent conflicts, policy settings in GPOs at different levels are processed in a specific order. That order is as follows (LSDOUC):
- Local GPOs
- GPOs linked to the Site
- Domain-level GPOs
- GPOs linked to OUs
- GPOs linked to Child OUs
You can choose to alter the default processing order using a variety of methods, including the following:
Block Inheritance
Enforced
Block Inheritance
The Block Inheritance option prevents an OU or domain from inheriting GPOs from any of its parent containers. However, GPOs that are marked as Enforced are always inherited.
Enforced
The Enforced option is a GPO link option that ensures the settings in the policy are applied regardless of blocked inheritance or the order of processing of linked GPOs.
GPO Status
The GPO Status option can be used to troubleshoot a set of applied policies when the end result is not what it should be, by disabling the User portion, the Computer portion, or all of a GPO. Separately, a GPO Link can also be disabled.
Link Order
The Link Order option controls the precedence order of multiple GPOs that are linked to the same particular container. The lower the link order, the higher its precedence. The GPO link with the link order of 1 has the highest precedence in that container.
GPO Filtering
Each GPO is set to apply to members of the Authenticated Users group, which contains all domain Users and Computers. If this group is replaced with a smaller group, then the Group Policy will be filtered to apply to only those members of the container who also are members of the security group referenced.
WMI Filtering
In the GPMC console a WMI script can be created to test for the absence or presence of system properties or values, such as Operating System, Service Pack, free disk space, RAM capacity, etc. This WMI script can then be bound to a GPO. If the receiving client does not meet the criteria of the WMI filter it will not receive ANY of the GPO settings.
Loopback Processing (Merge or Replace)
There is a Computer GPO Administrative Template setting that overrides the normal GPO loading behavior at user logon. In “Replace” mode, when a user logs on to a Loopback Mode computer, the GPOs loaded are the policies in the LDAP path of the Computer, not the User. This can enforce a kiosk-like consistent configuration of settings. In “Merge” mode, the User’s settings are loaded, but the Computer’s path settings are also loaded, with the Computer’s path settings overriding the User’s.
Slow Link Detection
If the computer detects a slow connection (by default less than 500 kbps, but the threshold can be changed or disabled), then certain portions of Group Policy, such as software deployment, are skipped in Group Policy processing. Other portions of Group Policy, such as Security settings, cannot be skipped.
Credential Caching
Users’ credentials are automatically cached locally, based on previous logon attempts, to enable the user to log on if a DC fails and authentication on the domain is not possible. If a user logs on using locally cached credentials, Group Policy settings are not applied.
The configuration of Loopback Processing, Slow Link Detection, what will be loaded or skipped for a slow link, and Loopback Processing Mode are all configured in the following Administrative Template path:
“Computer Configuration\Administrative Templates\System\Group Policy”
Creating a GPO
The GPMC provides a user-friendly interface that an administrator can use to create, view, and manage GPOs in an organization.
Starter Group Policy objects derive from a Group Policy object (GPO), allowing administrators to store a collection of configured Administrative Template settings.
A new GPO built from a Starter GPO begins with all of the Administrative Template policy settings and values that were defined by the Starter GPO.
Starter GPOs can be exported to other environments as needed.
By default, only members of the Domain Admins, Enterprise Admins, or Group Policy Creator Owners (GPCO) groups can create new GPOs and edit existing ones.
A member of the Domain Admins group can choose to delegate the authority for creating and managing a GPO to other users or groups in that GPO’s domain.
THE GROUP POLICY MANAGEMENT CONSOLE
Installing and Customizing the GPMC
The GPMC is a Microsoft Management Console (MMC) snap-in that you use in Windows Server 2008 R2 to configure group policy settings throughout various forests in an organization.
GPMC
GROUP POLICY MANAGEMENT CONSOLE
You can use the GPMC to perform several operations on GPOs, including the following:
- Searching for GPOs in a forest
- Backing up and restoring a GPO
- Importing settings from a backed up GPO to an existing GPO in the same forest
The GPMC enables you to plan the deployment of a Group Policy using the Resultant Set of Policies (RSoP) data simulation, which is used to view the combined effect of a set of GPOs on systems and users.
You can also use the GPMC to obtain RSoP data and to troubleshoot Group Policy deployments.
(RSoP)
the Resultant Set of Policies
To launch the GPMC
use the Run dialog box, which you access by selecting Start - Run. Type gpmc.msc in the Open text box and click OK.
The Group Policy Editor Window allows
administrators to navigate the topology of Computer and User settings in order to modify values that will be set in the particular group policy being edited.
GROUP POLICY OBJECT TEMPLATES
Administrative Templates
Two types of Group Policy settings are stored in each GPO
- user configuration and computer configuration settings
In Windows Server 2008 R2, registry-based policy settings are stored as ADMX files, which are XML-based and contain language-specific settings.
In domain-based enterprises, ADMX files can be stored in a central location, accessible to anyone with permission to create or edit GPOs.
You can filter administrative templates using either of these two views:
- The local view for a template modifies the view only for that template
- The global view modifies the view for all administrative templates
You can filter administrative templates based on their type, using keywords, and, by using requirement filters, based on the platform or applications to which they apply.
You can use a starter GPO to create multiple GPOs with the same baseline configuration; each new GPO inherits the template settings from the starter GPO.
A security template is a
file that defines a security configuration that can be applied to a local computer, imported to a GPO, and used to analyze security.
Security templates do not
They do not introduce new security parameters, but organize the existing security attributes.
A security template is a text file
It is a text-based file with an .inf extension that enables you to copy, paste, import, and export some or all of the attributes of a template.
Security templates can be used with
the Security Configuration and Analysis snap-in to examine a system for security holes or policy violations.
You can use security templates to define the following:
- Account Policies
- Local Policies
- Event Log Settings
- Restricted Groups
- System Services Settings
- File and Registry Permissions
You can download and install the GPOAccelerator from
Microsoft to obtain the predefined templates.
The following are examples of the types of predefined security templates included with the GPOAccelerator:
- Default Security (Setup security.inf)
- Domain Controller Default Security (DC security.inf)
- Compatible (Compatws.inf)
- Secure (Secure*.inf)
- Highly Secure (hisec*.inf)
The secedit command-line tool is the command-line version of the
Security Configuration and Analysis snap-in.
Configuring the .admx Central Store
Administrative templates are XML-based files with the file extension .admx that contain Group Policy settings definitions for the Group Policy Editor in Windows Server 2008 R2.
The .admx files have replaced the original administrative template files, the .adm files.
To take advantage of the benefits of .admx files, you must create a
“Central Store” in the SYSVOL folder of your domain controller.
The Central Store is a location that is checked first by the Group Policy Editor to define the available settings for an administrator to configure.
The files that are in the Central Store are automatically
replicated to all domain controllers in the domain.
When new Administrative Templates are added for software such as Microsoft Office, or updated for new versions of the operating system, the templates only need to be updated once in the Central Store, and all domain controllers will replicate the new version of the editor template automatically.
The default location for .admx files is
the %SYSTEMROOT%\PolicyDefinitions folder
Domain Controllers can be configured to replicate their Administrative Template .admx files using a “Central Store” by creating a PolicyDefinitions folder (or copying the existing one) in the following location: %SYSTEMROOT%\SYSVOL\domain\Policies\
To copy the local Server 2008 R2’s existing policy definitions and create a Central Store (the /I switch treats the destination as a folder and creates it if it does not exist):
xcopy /E /I "%SYSTEMROOT%\PolicyDefinitions" "%SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions"
Deploying Software Using Group Policy
Together with AD DS and the Windows Installer, you can use Group Policy to install, maintain, publish, and remove software across an organization, site, or domain.
Windows Installer is an
extensible software management and installation service.
Using Group Policy, you can choose to advertise a software package by assigning it to particular users or computers, or by publishing it to users.
Using Group Policy,
- Assigning software to a computer installs it at next boot.
- Assigning software to a user only installs it at next logon if a special feature is enabled in the deployment settings. Normally this configuration will, at next logon, advertise shortcuts in the Start menu, enable document invocation of the file type, and make the software available in Add/Remove Programs (in Windows Vista and later, “Programs and Features” > “Install a program from the network”).
- Publishing software to a user will only, at next logon, enable document invocation and software availability in the Control Panel.
Configuring Software Packages
Using Group Policy, you can configure the properties of software before you deploy it. You can also use Group Policy to install patches or service packs (.msp), or to upgrade software you have already installed. Transform (.mst) files allow deployment of the same .msi file twice, with different .mst files, as two different installations (e.g., one French dictionary, one English).
PREVENTING SOFTWARE EXECUTION WITH GPOS
Software Restriction Policies:
AppLocker:
Configuring Security Settings
Restricted Groups
Software Restriction Policies:
Software Restriction Policies (SRP) are designed to control the installation and execution of executable programs. Like a firewall, SRP can block all software execution except what is allowed, or allow all software execution except what is blocked. Rules can be defined by Hash rule, Certificate rule, Path rule, or Network Zone rule.
AppLocker:
A more advanced software prevention technology; it allows for auditing before deployment, import/export of rules, PowerShell management, and flexible certificate value rules (e.g., product name, but not version specific). Only applies to Windows 7 Enterprise and Ultimate and Server 2008 R2.
Configuring Security Settings
Security templates in Windows Server 2008 R2 enable you to configure security-related policy settings. You can create custom security templates to suit your needs, or import and deploy an existing security template.
You use the Local Group Policy Editor to configure security for LGPOs. To configure security settings for AD GPOs, you use the Group Policy Management Editor.
Restricted Groups
Restricted groups enable you to control the security and access settings for users in local and domain user groups. Using restricted groups, you can set desired membership for a user group without changing the parent group to which the user belongs. You can apply restricted group settings to a GPO as a group policy, provided the GPO is linked to AD.
CONFIGURE ACCOUNT POLICY USING GROUP POLICY OBJECTS
You can protect your network from unauthorized users by
Implementing an Account Lockout Policy
Securing it with Strong Passwords
Password & Lockout Policies
Fine Grained & Lockout Policies
Implementing an Account Lockout Policy
An account lockout policy locks a user account after an incorrect password is entered a specific number of times over a specified time period. An account lockout policy reduces the possibility of an attack on your network by repeated logon attempts.
Securing it with Strong Passwords
A strong password uses alphanumeric characters as well as symbols, such as punctuation, to make it more complex. This minimizes the risk of guessing the password.
Password & Lockout Policies
Password Policies and Lockout Policies that are set at the Domain level affect all domain users. These include password length, complexity, the number of failed attempts before an account is locked out, and the duration of a locked-out account. Any of these account policies that are set at a non-domain level only affect the behavior of local accounts on the computers within the containers that receive these settings.
Fine Grained & Lockout Policies
If an administrator wishes to have a different set of password and lockout standards for some users, whether more or less stringent than the domain standard, Password Settings Objects (PSOs) must be configured separately from Group Policies. This must be done using the ADSI Edit utility by creating an msDS-PasswordSettings object in the “CN=System,CN=Password Settings Container” path. This launches a wizard that configures all of the standard settings except msDS-PSOAppliesTo, which must be configured manually to link the PSO to the user or group to which it should apply. User-linked PSOs supersede group-linked PSOs, and if more than one PSO applies to the same user via groups, the msDS-PasswordSettingsPrecedence attribute value of each PSO is compared; the PSO with the lowest value (highest precedence) wins, and that PSO in its entirety is applied to the user.
The AD DS Auditing Features
In Windows Server 2008 R2, AD DS provides auditing features that enable you to monitor the movement, deletion, and modification of AD objects. AD DS maintains a log that stores old values for AD objects and their attributes, as well as new values when alterations are made.
The controls used to incorporate auditing features in Windows Server 2008 R2 are:
- Global audit policy
- An SACL
- A control schema
Audit policies are security templates that must be enabled for particular auditing activities to be carried out. The following are audit policies that you can choose to configure:
- Audit Logon Events
- Audit Account Logon Events
- Audit System Events
- Audit Account Management
- Audit Privilege Use
- Audit Directory Service Access
- Audit Object Access
- Audit Policy Change
- Audit Process Tracking
Windows Server 2008 R2 introduces audit policy subcategories. This allows for auditing more specific events, which returns less data that is easier to analyze.
Configuring Audit Policies subcategories
You can use the auditpol command to display the current audit policy, display selectable policy elements, and set audit policy subcategories. Using this command you can disable auditing for the subcategories for which you do not want auditing set, or enable filtered auditing categories for only a user or group (e.g., only observe the logons of the helpdesk group). This command works locally, so the only way to deploy it with Group Policy is to create an auditpol script and deploy that with the GPO.
Steps to configure a domain
- Install Windows Server
- Install DNS if there is not already one on the network
- Install AD DS (dcpromo.exe) to add the AD DS role and promote the server
- Promote the server to a DC, which manages security authentication for requests from the domain
- Run dcpromo from the Run line
- Choose “Create a new domain in a forest”
- Enter the FQDN
- Choose the Windows Server functional level
An answer file that installs a new forest root domain consists of three parts:
- Set the InstallDNS parameter to yes to install the DNS Server role
- Set the NewDomain value to say the new domain is the first DC in a new forest; DomainNetBiosName is unique so that clients without AD DS can access the server
- Forest functional level 3 sets it to 2008
Example:
[DCINSTALL]
InstallDNS={yes|no}
NewDomain={forest|tree|child}
NewDomainDNSName=FQDN_of_the_DNS_Server
DomainNetBiosName=NetBios_name
ReplicaOrNewDomain={replica|readonlyreplica|domain}
ForestLevel={0|2|3}
DomainLevel={0|2|3}
DatabasePath=%systemroot%\NTDS
LogPath=%systemroot%\NTDS
RebootOnCompletion={yes|no}
SYSVOLPath=%systemroot%\SYSVOL
SafeModeAdminPassword={password|none}
To run the installation file on Windows Server 2008
Save it, then run it from a command prompt using the dcpromo utility with the /unattend option followed by the path.
dcpromo /unattend:"c:\documents\answerfile"
To add the DC to an existing non-2008 AD domain, prepare the forest with the adprep /forestprep utility; it is run only once, on the DC that holds the schema master operations master role, for every forest being upgraded to 2008.
Administrators belonging to the Schema Admins, Enterprise Admins, or Domain Admins groups can run the utility.
To raise functional level
Open Active Directory Domains and Trusts
Right-click your domain in the list and choose Raise Domain Functional Level
Choose the functional level from the drop-down list
and click the Raise button
(or choose Change Settings in the right-hand side of the window)
To add a computer to the domain
Computer, right-click and choose Properties,
WAIK from Microsoft Download Center
Windows Automated Installation Kit
SIM
System Image Manager in conjunction with WAIK
WDS to automate deployment
WAIK, then SIM, then WDS to deploy the client
two unattended files are needed:
WDS Client unattend file - permissions, etc
Image Unattend File - o/s options
dcpromo prompts
dcpromo /? [{Promotion|CreateDCAccount|UseExistingAccount|Demotion}]
returns all options during install of AD DS
CreateDCAccount - returns all parameters you can specify while creating a read-only domain controller (RODC) account
UseExistingAccount - returns all parameters you can specify while attaching a server to a read-only domain controller (RODC) account
Demotion - returns all parameters you can specify while removing AD DS from a domain controller
Create a client unattend install
Copy the client unattend file to the RemoteInstall\WdsClientUnattend folder
Then open the Windows Deployment Services Microsoft Management Console (MMC) snap-in from Start > Administrative Tools
Right-click the domain you want to add the file to and choose Properties
Choose the Client tab, check Enable unattended installation, and attach the file
To associate a client unattend file with a particular computer, open an administrator-level command prompt
and use the WDSUTIL command
WDSUTIL /Set-Device /Device:<Device name> [/ID:<ID>] [/ReferralServer:<Server name>] [/BootProgram:<Path>] [/WdsClientUnattend:<Path>] [/User:<User>] [/JoinRights:{JoinOnly|Full}] [/JoinDomain:{Yes|No}] [/BootImagePath:<Path>] [/Domain:<Domain>] [/ResetAccount]
WDSUTIL Example
C:\Users\administrator.easynomad>WDSUTIL /Set-Device /Device:"Computer12" /ID:"00-B0-57-58-2G-DV" /WdsClientUnattend:"C:\WDSUserUnattend\unattend.xml"
ADMT
Active Directory Migration tool
Restructuring domains with ADMT in the AD environment can involve two types of migration:
Interforest migration - move resources between AD domains in different forests
Intraforest migration - move resources between AD domains in the same forest. The process of merging domains is known as grafting, and the process of removing objects is known as pruning.
PES
Password Export Server service - use before migrating to other server levels
It allows you to migrate passwords and SID history information; you first need to export the password key from the target domain.
admtsetup.exe
program that loads ADMT
Before running ADMT you must
- Assign proper permissions
- Create the target organizational unit (OU) structure
- Create two-way trusts
ADMT Reports
Created in the windows\admt\logs folder on the DC where you installed ADMT in the target domain.
You can use the Retry Task wizard to troubleshoot migration failures.
Report types:
- Migrated User Accounts
- Migrated Computer Accounts
- Expired Accounts
- Account References
- Account Name Conflicts
To use adprep
Copy the contents of the \sources\adprep folder on the 2008 DVD to an adprep folder on the schema master
Run the utility from the command prompt in the adprep folder
c:\adprep>adprep /forestprep
adprep /domainprep to prepare the domain for a 2008 DC
Installing the infrastructure master role on the same server as the global catalog server, in a multiple-domain environment,
can cause conflicts
ldp tool (LDAP)
Start > Run, type ldp and click OK
By default replication is scheduled between sites every
3 hours or 180 minutes
Setup of DNS allows you to configure it by
- Creating a forward or reverse lookup zone
- Setting the types of updates it must allow
- Specifying whether queries must be forwarded, and to which servers
- Creating root hints
Multimaster Replication is
When schema objects like attributes, classes, and other objects are updated on a domain, these updates are replicated to all the other DCs in the directory schema.
It prevents separate DCs within a directory schema from holding inconsistent entries.
FSMO (Flexible Single Master Operations) role / operations master
To ensure consistency of the schema and to prevent conflicting updates to the AD database, AD employs this role. A DC holds roles that affect only the domain in which it is located, or only the forest in which that domain is contained.
AD assigns the following five operations master roles to a dc in each forest
- Domain Naming Master
- Schema Master
- Primary Domain Controller (PDC) Emulator - handles account lockouts and password changes
- Infrastructure Master - keeps GUIDs and SIDs updated across DCs
- Relative Identifier (RID) Master - a per-domain role, on a DC in each domain; it assigns a block of RIDs to each DC, and a RID uniquely identifies a group in a domain.
To configure FSMO roles, do the following:
- Leave the operations master roles on the first DC in the regional domain
- Ensure that the regional DC is not a global catalog server
- Deploy another domain controller to the domain on which the first domain controller is deployed. This additional DC will be the standby operations master
- Host the Primary Domain Controller (PDC) emulator operations master role on a powerful and reliable domain controller. This ensures that it has the availability and capacity to handle the workload.
You change the default installation of the operations master roles by:
- Transferring roles
- Seizing roles - used when the DC holding the role is permanently out of service. The preferred method is transferring, not seizing.
Recommended best practice for operation roles placement in a large domain
The domain naming master and the schema master roles should remain together on the same domain server.
The RID master and the PDC emulator should stay together as well. If you experience performance issues, the PDC emulator can be placed on a third DC.
The domain naming master is on the same server as a global catalog server because the global catalog contains the information on objects that the role needs.
The infrastructure Master role must not be assigned along with what type of server?
It updates object references outside of the domain it is installed in and replicates the data to other DCs.
Global Catalog Server - if installed on a global catalog server, it will not find the object references.
AD replication can be configured in two ways to ensure replication to the other DCs:
A persistent connection ensures that replication is automatically performed after a specified interval. Use the Active Directory Sites and Services snap-in to configure the interval.
You can also use an on-demand connection with reciprocal replication, a two-way process between a receiver and a sender. Use the AD Service Interfaces (ADSI) Edit tool on a DC to configure this.
In order to change roles assigned to a DC (operation roles) you must have the following rights
Change Domain Master right - Enterprise Admins group by default
Change Schema Master right - Schema Admins group by default
Change PDC right - Domain Admins
Change RID Master right - Domain Admins
Change Infrastructure Master right - Domain Admins
What service will stop the operations master from performing its job?
DNS
InetOrgPerson object is derived from the user class
It acts as a security principal in the same way as other user classes. This object enables an administrator to easily migrate user accounts from third-party directories into AD.
Create it by going into Active Directory Users and Computers, accessing the server folders, right-clicking Users and choosing New, then InetOrgPerson. When creating it, “User must change password at next logon” is the default, and you have to uncheck Account is disabled.
To easily remove a DC from a domain
Remove AD DS; if you remove the last DC, you have to remove the whole environment.
You can use:
- the windows interface
- unattended installation parameters
- an answer file
Remove a DC from a domain answer file
[DCINSTALL]
UserName=Administrator
UserDomain=easynomadtravel.com
Password=password123
AdministratorPassword=password123
RemoveApplicationPartitions=yes
RemoveDNSDelegation=yes
DNSDelegationUserName=Administrator
DNSDelegationPassword=password123
What is the default protocol for trusts in server 2003, 2008 and vista
Kerberos 5
Transitive Trust
Can be extended beyond the two domains in which it is formed; used to establish trust in multiple-domain environments. It flows from the bottom to the top in a domain hierarchy and has trusts between all domains; a child gets trust upward, which allows the trust path to expand. This trust is established by default in a 2008 forest when a new domain is created.
Nontransitive trust
Limited to the two domains it exists between; it cannot be extended to any other domains. One-way trusts by default; you can make it two-way by creating two one-way trusts.
NT by default has a nontransitive
one way trust
4 different types of trusts in 2008
External Trusts
Forest Trusts
Realm Trust
Shortcut Trust
External Trusts
nontransitive
one and two way
Enables users to access resources that are stored on external domains located in separate forests. Also provides access to resources present on an NT domain.
AD DS creates a foreign security principal object in the internal domain to represent a security principal from the trusted external domain. The foreign security principal becomes a member of the internal domain’s local groups and is allowed to access the domain’s resources.
Forest Trusts
Transitive
one way or two way
Created between two forest root domains to enable users to share resources across different forests
Good for merger or acquisition scenarios and for application service providers
Realm Trusts
transitive or non-transitive
one way and two way
A trust between a Windows Server 2008 domain and a non-Windows Kerberos realm.
This provides cross-platform interoperability with security services based on other versions of the Kerberos 5 protocol.
Shortcut trust
transitive
one way or two way in 2008
Used when users belonging to a domain regularly log on to other domains within a forest. Makes the authentication process between domains faster and more efficient, especially if the domains are separated by two domain trees. Normally an authentication request first travels a trust path between domains, which can take time, so a shortcut trust shortens the path.
Netdom command line tool
netdom trust
enables you to manage domain trusts relationships
RODC contains the following characteristics
- A limited number of users
- Low physical server security
- low bandwidth connections to a hub site
- Lack of information technology knowledge
- By default doesn’t contain account passwords or enable any user or admin to update the database directly
Benefits of RODC are
Improved Security
Improved Connectivity
Improved Efficiency
PRP
Password Replication Policy used in RODC
RODC Filtered attribute set
Any attribute in this set is not allowed to replicate to the RODC. It is a dynamic set of attributes in the schema for the domain.
Attributes can be labeled confidential; this removes the permissions that are necessary to read credential-like data.
KDC
Key Distribution Center (an RODC serves as one); it manages ticket requests from computer and user accounts at the remote site. Account storage does not happen by default, but you can enable it.
Multiple RODCs at same site
can have them if they belong to different domains
Before you deploy an RODC in a network you need to install Server 2008
You cannot create the “krbtgt” account needed to perform the RODC operations on anything but 2008; it has to be created on the PDC emulator.
- Global Catalog Server
- PRP (Password Replication Policy)
Has to have AD DS installed
Has to be on Server 2003 or higher
Run the adprep /rodcprep command
Requires membership in the Enterprise Admins group to run
Updates the permissions on all the DNS application directory partitions in the forest. This ensures the required directory partitions will be replicated to all RODCs that are also DNS servers.
DNS and Global Catalog on the RODC is installed or not installed by default
Installed
AD RMS new features in 2008
improved installation and administration - installed as a server role
integration with Active Directory Federation Services (AD FS)
Self-enrollment of AD RMS servers
New AD RMS administrative roles:
1. Administrator
2. Template Administrator
3. Auditors
AD RMS installation
Must have write rights to the AD DS container
RMS registers the service connection point (SCP) during install to ensure the cluster will be created in AD DS
Should have its own database for logging and configuration information
AD RMS Processes
licensing rights protected information
acquiring licenses to decrypt rights-protected content and applying usage policies
Creating rights-protected files and templates
AD Server Roles to include
AD LDS (ldap) AD FS AD CS (certificate Services)
AD LDS features
A directory Service Solution
Compatibility with AD DS
Multiple Independent Instances
Security Principals and Access Controls
AD FS new features that reduce admin support to key apps
Installation - new validation checks occur during the install to ensure required components are present
Application support - integrated with Office SharePoint 2007 and AD RMS for improved compatibility
Establishment of federated trusts - you don’t need to create a trust for external forests. You can export and import trust policy settings to an XML file, which includes everything needed to create a federated trust, reducing configuration.
AD CS
Binds a user’s identity to a public key for encryption
Responsible for issuing certificates to users, computers, and services
A certificate revocation list (CRL) is used to track and revoke certificates that have expired. An online responder decodes the revocation status;
after evaluation, the online responder sends back a signed response.
PKI
Public Key identifier
A system of digital certificates, CAs, and registration authorities that verify
Every Certificate has the following values
- Serial Number
- Version
- Signature Algorithm Identifier
- Issuer Name
- Validity Period
- Subject Name
Secure communication requires
Authentication
encryption
digital signatures
Certificate Chain
Certificates issued by subordinate CAs are considered trusted if those issued by the root CA are trusted.
Server 2008 can be configured as the following CA types
Enterprise CA - can be a root or subordinate; only one root enterprise CA is permissible in a root hierarchy. Enterprise CAs are advanced CAs with customizable certificate templates, and they publish their certificates and CRLs to AD.
Standalone CA - basic certificates that cannot be modified; may or may not be integrated with AD DS. Information is stored locally, and it does not respond to certificate enrollment automatically. Requests wait in a queue and the admin must approve or deny them manually. Can be a root and have subordinate CAs.
AD CS Configuration
Root CA Role is first ( by installing Active Directory Certificate Services)
Certificate Authority
AD CS Features include
support for Cryptography Next Generation (CNG)
use of Online certificate status protocol (OCSP)
The Network Device Enrollment Service (NDES)
Web Enrollment
Support for Policy Settings
A Restricted Enrollment Agent
Support for Enterprise PKI Management
Server Core 2008 does not support AD CS
AD RMS includes
enhanced admin and install features (server role, automatically configures the windows internal db as the ADRMS config and logging database)
Self Enrollment
Integration with AD FS
Improved Delegation
Licensing of rights protected information (RAC -Rights Account Certificates)
AD RMS and AD DS good practice
to create AD security groups for each of the RMS administrative roles and to add them to their respective local security groups
Good to use a separate database server for the AD RMS logging database, in which you store all configuration and logging information
To use AD FS you must have federated trusts and external partners before you install AD RMS
Need to log off windows after installation before you will be able to use it and access the Rights management console
AD FS (SSO -single sign on)
is a server role that allows users to access apps in another forest or network without providing a web server with secondary credentials
It establishes trust between two organizations and allows users to access using single sign on
B2B
Business to Business (AD FS)
Resource Org - provide resources to users
Account Org - manage users and rights using cookies
AD FS has 2 types of services
Federation and Web Agent Services using security tokens
Security Token usually has the following info
name, password, key, certificate, group and privileges
Claim Aware Agent
AD FS has this and enables you to query the AD DS security token
AD FS Configuration for servers
minimal - AD DS DC and one or more servers running AD FS role in each domain
After servers join domain you run AD FS role installation using the domain admin account
The following steps have to be completed when installing AD FS
- Install AD FS and AD FS Web Agents
- Configure IIS on the federation servers
- Create and export the required certificates to configure the web and federation servers
- Configure the federation services on servers in both the resource and account domain.
- After install you need to configure IIS to require SSL on the resource and account domains Federation servers.
a. admin tools, IIS Manager
b. click on AD FS Server in the connections panel
c. double click the default website
d. scroll to the SSL Settings icon
e. choose your SSL or 128-bit SSL and whether to accept client certificates - Now you need to create a self-signed server certificate in the IIS Manager
After configuring AD FS and the IIS security level you need to create and export the required certs to configure the web and federation servers.
- Create a self signed server authentication cert for the web server
a. select the server in the connections panel of the IIS Manager Console
b. Choose the Server Certificates Icon
c. Create Self Signed Certificate and input name and ok and it is created
d. Export the token signing certs from the FS of the account domain to a file and then import them into the resource domain's FS - admin tools, AD FS, right click on server and choose properties, view or select cert, choose details tab and copy to file and follow the export wizard.
- In order to allow trusted communications between the web server and Federation server of the resource domain you need to export the server authentication cert from the federation server to a file
a. go to IIS Manager Console
b. Server Certificates Icon
c. R. Click on web server and select Export from menu, follow the wizard - next import the server authentication cert for a FS to the Web Server
a. run mmc from the run box
b. File - Add/Remove Snap In
c. Choose Certificates and Add button - Export the account domain's federation server token signing cert to a file on the FS of the account domain; it needs to be imported to the resource domain's federation server to allow trusted communications.
After installing FS and IIS and setting up certificates and trust you need to configure the IIS server further to enable secure certs using data encryption
Https over a particular port and the appropriate SSL
- click on bindings on the right hand menu after clicking on the server name in the left.
Put info in and click ok. - Then configure Claims aware application
r. click on default website and choose add application
a. save the file in a folder under c:\inetpub\wwwroot folder and make a new folder - create the default.aspx, web.config and default.aspx.cs files and put them in the new folder in the IIS Management Console
To create an AD FS Server you need to :
- Configure the trust policy for the server
- Create group claims for the appropriate claims aware application
- Add and configure an AD DS account store.
What features of AD RMS are included in server 2008
- Integration with AD FS
The self enrollment of AD RMS servers
An improved installation and administration experience
AD RMS administrative roles
To use WSRM you need to
install it and enable the service
enables you to manage system performance by managing the allocation of resources, to ensure optimal performance it uses specific algorithms to allocate resources to the processes
install from Server manager, feature
to activate, services find in the list and start service
then go into server manager, diagnostic node and choose reliability and Performance node which collect data through 3 tools:
Resource overview
Performance Monitor
Reliability Monitor
RSop access
start, run rsop.msc
run in 2 modes
Logging - only monitor users and the computers they are logged onto
Planning - you can use simulations to view the RSoP for policy settings that you want to apply to users and computers. This enables you to test the effects of policies before you apply them.
active directory for users and computers,
users and pick user
Action, All tasks, Resultant Set of Policy(planning) option results display in the RSOP node console
AD DS maintenance task when AD DS is running is known as
online maintenance tasks
an offline when offline
can use AD restore mode as in other server versions (2008 still supports it): F8 during bootup. 2008 has a better way: go into Services and stop AD DS
AD DS and DNS will no longer function but DHCP will.
defragmentation
online - by default runs every 12 hours on the AD database, not on the file system ntds.dit file
Offline (aka compaction) removes white space from the AD DB and file system ntds.dit file; this process can free up space
to start it use the cmd ntdsutil.exe
next prompt type activate instance ntds enter
next prompt type files enter
next specify location of where the compact ntds.dit file drive:\path - if path has spaces double quote it and only need to specify a drive letter if you are using a shared folder on a remote computer
to compact type compact to drive:\path
exit utility by type quit at the file maintenance prompt and the ntdsutil prompt
then remove the old log files for ntds.dit, use the del command with the path location del drive:\pathtologfiles\*.log and then copy the defragmented ntds.dit file to the local windows\ntds folder
best practice is to rename the old file first before overwriting so you can revert back if needed. copy drive:\ntds.dit originaldrive:\path\ntds.dit
then ensure the integrity of file
ntdsutil, activate instance ntds
file maintenance prompt: by ntdsutil:files
and type integrity
process is complete and restart AD DS service
ntds.dit db file stores the directory data for AD DS; any changes made to the AD are saved to the transaction log files before they are saved to the directory data db and the ntds.dit file
ntds.dit files and transaction logs are stored on the same hard disk by default, in %systemroot%\ntds; it is preferable that you store these two types on different hard drives for performance
if on 2 hard drive partitions you will need 500 mb or 20% of total size of files
on same hdd partition you will need 1 GB or 20% of the combined file size of free space
once size is confirmed backup the system state data using windows server backup utility
to move the ntds.dit and simutaneously ensure that the registry is updated use the ntdsutil.exe
this utility will update the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS registry key.
If you don’t use the utility to move ntds.dit file you could corrupt the file without the registry changes to reflect the logs.
check sizes of files
cmd cd\ cd:\temp dir find files and sizes and add them together
to move the files ntds.dit and logs
stop AD DS
ntdsutil prompt and activate the ntds instance, then access the file maintenance prompt
type - move db to path
move logs to path
then perform a backup of the system state
setup permissions on the new folders holding the files Administrator group and system folder both need full control and don’t allow inherited permissions from the parent to overwrite your changes.
server 2008 backup
on all versions except Standard Core install - need to use the command utility
backups automatically include the sys volume
from mmc
wbadmin command line tool
on DC critical items (not including data volumes) - boot files, OS, registry, SYSVOL tree,
AD db and log files
can backup to:
shared folder
dvd or other removable or optical media - has to be 1 gig or more available or it won’t detect that it is available and you also cannot recover individual items
internal hdd - can do everything from these including system state
external hdd - can do everything from these including system state and move to another location for disaster recovery protection
VSS - Windows Server Backup uses Volume Shadow Copy Service
does snapshots.
Have to configure backup; once the first full backup completes, only data that has changed since the last backup is then saved
use copy and not full if you want to keep log files intact.
Allows for point in time or shadow copies of data
Shadow Copies of Shared Folders Feature - access and recover previously saved versions of files or folders on a file server. - NOT single files or folders, only volumes of data - access via the mmc
limitations of Windows Server Backup
Support only for NTFS
need to reconfigure settings when upgrading
use of a separate disk for scheduled backups
lack of support for tape as a storage medium
incompatibility with Ntbackup.exe
wbadmin
wbadmin start systemstatebackup -backupTarget:VolumeName [-quiet]
and has to be on local attached disk to backup system state
Simplified Restoration
can choose individual items to restore
manage data retrieval from full and incremental,
in 2008 you can select the backup to restore by date
Simplified OS recovery
RE - Windows Recovery Environment tools
RE and Windows Server backup allows for OS recovery
Shadow Copies of Shared Folders allows you to :
Recover a file that has been accidentally deleted.
Recover a file that has been overwritten
Compare versions of a file
3 windows RE tools
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Allows you to access the command prompt on a server that won’t boot normally
Before you can perform a full server recovery you need:
- full server backup on hdd, dvd or network share
- OS DVD or installed the Windows RE on a separate partition to the DCs critical partitions
- Ensure that new hardware has enough space to store all recovered data if restoring to a new machine
Unauthoritative restore
for a single DC, replication occurs and the restored DC is updated with the current AD data on other DCs
On DFSR - Distributed File System Replication is done by default
to use the command line utility, restart the DC and F8 to advance options
IN order to restore AD db you select Directory Services Restore Mode
When prompted to log into windows, choose locally rather than logging on to the domain
systemstaterecovery to choose unauthoritative
wbadmin get versions
Bcdedit.exe
can configure the server to automatically boot to Directory Services Recovery Mode
after restoring AD DS on a DC you need to do the following to verify the process was successful
when the DC is rebooted, both the AD DS and AD CS automatically detect the recovered data, perform an integrity check and re-index the AD database
- restored directory contains all the user objects and group objects that were present at the time the backup was created
- all the members of an FRS replica set and the certs issued by AD CS are present in the restored backup
- Synchronization of the Windows Time service (W32time) is correct
- the Netlogon and Sysvol folders are shared properly
- preferred DNS server address is configured properly
- host (A) and service (SRV) resource records are registered correctly in the DNS
wbadmin get versions
obtain info on backups available
systemstaterecovery
want to restore the system data for the DC named IW-DC7
Authoritative Restore
used with multiple DCs
Sysvol - use -authsysvol switch with the recovery command
Don’t want to use this with a full restore of a DC
can do items in the AD
version number of the OU is changed to identify the object as more recent. This info will then be propagated to other DCs in the domain and restored to AD DS
authoritative restore: restore object "OU=test,DC=easy,DC=com"
net stop ntds command
stops the AD Service from a command prompt
ntdsutil
manage and control master roles, schema , AD, has to be used from an elevated command line prompt
netdom
to manage domains and trusts in AD
dsdbutil
database maintenance in AD
dnscmd
manage dns
dsadd
used to add users, objects, OU, computers to AD DS
windows logs in event viewer
application, security, setup, system and forwarded events
security logs in event viewer
record events related to audit policies, file and folder access or user logon and network shares