AD DS 2008 R2 Flashcards
2008 R2 licensing changes
- CAL for R2 without Hyper-V editions
- CAL requirement initiation when used to host virtual machines
- license suites for virtual desktop infrastructure
- Foundation
- Remote Desktop Services
new install options
improved command line and server manager
updated System Center Manager 2007 management pack
AD Forest Functional Level
Creation of an answer file
integrated Best Practices Analyzer
when installing you can choose the Use Advanced Mode Installation option - you no longer need to run dcpromo with the /adv switch
Advanced mode install options:
create a new domain tree
define the PRP (short for Password Replication Policy) for an RODC
choose which source DC to use for the AD DS install
decrease initial replication network traffic
modify the default generated NetBIOS name
can’t use this wizard to configure DNS or RODC roles
the AD DS Installation Wizard has some new pages:
- set functional levels
- select domain
- select a site
- configure additional DC options
- create DNS delegation
- specify the Password Replication Policy
- delegate RODC installation and administration
2008 R2 supports several upgrade paths
- 2003 SP2
- 2003 R2
- 2008 RTM-SP1 (release to manufacturing version with SP1)
- 2008 SP2
- 2008 RC (release candidate)
- 2008 IDS (internal developer server)
- 2008 RTM
adprep options
found in \support\adprep on the 2008 R2 install disc
you need to prep all existing DCs to work with the first 2008 R2 DC in a forest
/forestprep
/domainprep - has to be run on the infrastructure master or on any server that will be a DC
/domainprep /gpprep - same as above; it brings inheritable access control entries (ACEs) to the GPOs located in the Sysvol shared resource and also allows RSoP functionality to be enabled
/rodcprep
in order to use the AD Recycle Bin
server functional level has to be set to 2008 R2
can't add a DC lower than the highest functional level, so if you need to have a DC running 2008 or earlier, don't raise it to 2008 R2
to raise forest level
AD Domains and Trusts
right click on the same node and choose Raise Forest Functional Level
for a domain, right click the domain node and do the same thing
WSM - Windows Migration Tool
needs to be installed on both servers
servers have to be members of the network, each with a unique server name and IP address
migration assumes that after the migration the destination server will take over the source server's functions and that the source server will be removed, retired, retained as an additional DC, or changed into a member server
migration steps for 2008 R2
- planning
- preparing the source server
- gathering DNS and AD settings from the source server
- Preparing the destination server for migration by adding the server to the network and making this Windows Server 2008 R2 64-bit server a DC
- Migrating the mandatory settings of AD and DNS
- Validating that the migration process was successful by verifying the destination server config
- Carrying out all post-migration tasks
- Migrating DNS Server Role
Active Directory Administrative Center
an AD data management tool for management of AD objects, admin and object tasks
can't use it to manage LDAP instances or configuration sets
use it for:
creating new or managing existing groups and user accounts, OUs and containers, and computer accounts
using the query-building search feature to filter AD data
connecting to one or more DCs or domains
managing or viewing the directory info of the DC or domains
new functions in this are:
the breadcrumb bar
object property page
query building search
You install this feature by:
installing the AD DS server role
specifying a server as a DC
Manually using a wizard - do it via the Add Features Wizard in the Remote Server Administration Tools; needs .NET Framework 3.5.1 and PowerShell's AD module
install via the Server Manager Features node: install Remote Server Administration Tools
AD DS and AD LDS Tools
global searches -
Normal Mode if you want to use keywords and build a global search query
ADWS
Active Directory Web Services
new 2008 R2
provides a web service interface to AD Database Mounting Tool instances, AD Lightweight Directory Services (AD LDS) instances, and AD domains
can adjust parameters in the ADWS config file. Adjustments do not affect other DCs because they apply only to the ADWS instance running on the DC whose parameters you adjusted. Use the Microsoft.ActiveDirectory.WebServices.exe.config file.
on these versions:
Datacenter
Enterprise
Standard
AD Management Gateway Service provides the same thing and is needed to run the ADWS service; it can be installed on 2003 SP2, 2003 R2, 2008 and 2008 SP2 - it doesn't support the AD Database Mounting Tool
2003 and 2008 (not R2)
you could restore deleted AD objects via:
backups of AD DS through ntdsutil
has to be offline (in DSRM) for an authoritative restore, and changes between backup and restore will be lost for that object
Tombstone reanimation - restoring the object before it is actually deleted, which happens after 180 days by default. Drawbacks: link-valued attributes (e.g. group membership) are removed during the process of being tombstoned, and the same applies to non-linked values
AD Recycle Bin
online
objects maintain their original state
logical deletion: put in the Deleted Objects container for a period of time (deleted object lifetime) in its original state - logically deleted
once the time frame as a logically deleted object expires, it is changed and stripped of its links; it is then called a recycled object and can only be restored through an authoritative restore
when the lifetime completely expires they are completely removed from the DB through the garbage collection process
disabled by default; need to consider:
forest functional level - has to be 2008 R2
Irreversibility -
once enabled you cannot turn it off or disable it
make changes by using the DN of the object:
CN=Partitions,CN=Configuration,DC=mydomain,DC=com: Active Directory Recycle Bin GUID
Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>
steps to do before enabling AD Recycle Bin
Prepare forest - run adprep /forestprep
Schema Master
Infrastructure Master - adprep /domainprep /gpprep
update all DCs to 2008 R2
raise the forest level - run the Set-ADForestMode cmdlet or use ldp.exe
identify two of the steps to prepare your environment for the recycle bin
update the AD forest by raising it to 2008 R2
update the AD schema by running adprep
isDeleted
is the attribute you want to remove from a deleted object in ldp.exe
PowerShell recovery of deleted objects
PowerShell - recommended that you use Get-ADObject to retrieve the deleted object and pass it through the pipeline to Restore-ADObject, which recovers it
Get-ADObject -Filter <string> -IncludeDeletedObjects
e.g. string = displayName -eq "AbuJones"
Restore-ADObject -Identity -NewName -TargetPath
simplest way to recover: get the object first using:
Get-ADObject -Filter <string> -IncludeDeletedObjects | Restore-ADObject
offline domain join benefits
Streamlines the process - useful in VM data center environments
Reduces network traffic -
AD state changes without creating traffic
computer state changes without traffic to a DC
make each set of changes at a different time
Reduces cost of ownership - reduces startup time for servers, increases reliability of domain join operations in test and production environments
Performing domain joins using an RODC -
- create the computer account
- adjust the password replication policy of the RODC to allow password caching for the computer you want to join to the domain
- force replication of secrets for the computer you want to join
- communicate the password offline to the computer you want to join to the domain
- run a custom script that targets the RODC to complete the join
Offline domain join
Create the account beforehand in AD DS
Specify that the domain-joining computer must consume a previously created text file
Once the computer consumes the data in the text file and starts up, it is automatically joined to the domain
Rapid Deployment
offline domain join may be of particular interest to network architects as well as security and datacenter admins because it reduces bottlenecks when many users access the network simultaneously
unattended Windows setup answer files with deployment tools, such as
Windows System Image Manager, which provides the relevant data to join a domain
2008 R2 and Windows 7 support these options
Prerequisite user rights to perform an offline join
- Member of the Domain Admins group
- Edit the ACL
- Create an OU, i.e. grant yourself the Create Child - Allow permission; pass the /machineOU parameter to the djoin /provision command
to create a join file:
ldp.exe - go to Connect, Tree, etc.
then right click on the DN in the list for the domain controller
choose Advanced, Security Descriptor
in the ACE window type in the name for the permission to join, check Create Child and Inherit, choose the Computer class in the Object Type drop-down, click OK, then Update
then use djoin.exe
djoin.exe commands
/provision -
/requestODJ - inserts the provisioned metadata into the Windows directory of the domain-joining computer
it targets a DC running 2008 R2 by default, but this can be modified by using the /downlevel parameter
djoin /provision /domain domain_name /machine destination_computer_name /savefile filename.txt
doing the join offline
can be used in several situations
Hyper-V machines (use 3 VMs - the DC, the provisioning server and the computer to join)
the provisioning cmd and the request cmd have to be run on Windows 7 or 2008 R2 computers
set up an account with the proper user rights
use the djoin.exe /provision cmd to create the computer account metadata. Must be done on a machine that is already joined and running 2008 R2 or Windows 7 - this becomes the provisioning server
use the blob file you created to join the computer, with 2 options:
djoin /requestODJ to call the metadata and copy it to the Windows directory of the computer you want to join
djoin /requestodj /loadfile filename.txt /windowspath windows_directory_path_to_offline_image /localos - run at the command prompt on the machine to join after you have copied the file, then reboot and the computer will have been joined
or use an unattended XML file
create an unattend.xml file that contains sections for the ComputerAccountMetadata
enable recycle bin (forest level already completed)
- Run ldp.exe, connect and bind to AD DS
- Access the options to modify the Partitions container in the configuration directory partition
- Specify the attribute to add to the Partitions container (it is an optional feature) - specify the distinguished name of the AD Recycle Bin, which includes the GUID
activate the display of the Deleted Objects container
- ldp.exe
- Options tab
- Access the Controls dialog box
- Select the option to display the Deleted Objects container