Maintaining AD DS Flashcards
What are the two ways to enable the Active Directory Recycle Bin?
- ADAC (Active Directory Administrative Center)
- Select the Domain
- Click Enable Recycle Bin
- Click Okay
- PowerShell
- Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target <domain>
Where do Password Setting Objects Live?
System -> Password Settings Container
- Can you view PSO (Password Setting Objects) in Active Directory Users and Computers?
- Where can you create a PSO?
- Yes
- ADSI Edit and ADAC (Active Directory Administrative Center)
How do PSOs apply?
What happens if there are no PSOs?
- A PSO that is linked directly to the user object takes precedence
- If no PSO is linked directly to the user object, then PSOs linked via global group membership are evaluated. The PSO with the lowest precedence value is applied.
- If no PSO is obtained from conditions (1) and (2), the Default Domain Policy is applied.
What two PowerShell cmdlets do you need to run to create a PSO and apply it to a group?
(Note: You do not need to give the parameters just the cmdlets)
- New-ADFineGrainedPasswordPolicy
- Add-ADFineGrainedPasswordPolicySubject
Example:
- New-ADFineGrainedPasswordPolicy TestPswd -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"7" -PasswordHistoryCount:"24" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true
- Add-ADFineGrainedPasswordPolicySubject TestPswd -Subjects group1
How do you set up a RODC?
- Open ADUC (AD Users and Computers) or ADAC (Active Directory Administrative Center)
- Select the Domain Controller OU
- Right-Click, Select Pre-create Read-only Domain Controller Account...
- Enter the Computer Name
- Select Additional Options
- DNS Server
- Global catalog
- Select a Group or user for administration (if desired)
- How would you change which user or group administers an RODC server?
- How do you set up a password to be replicated to an RODC?
- How do you block a password from being replicated to an RODC?
- Right-Click the computer policy, Select Properties
- On the Managed By tab
- Click Change and select a new user or group
- Right-Click the computer policy, Select Properties
- On the Password Replication Policy tab
- Click Add, Select to allow passwords for the account to replicate to this RODC, click ok
- Select a user or group
- Right-Click the computer policy, Select Properties
- On the Password Replication Policy tab
- Click Add, Select to deny passwords for the account to replicate to this RODC, click ok
- Select a user or group
How do users' passwords get replicated/cached to the RODC?
They are part of a group that is allowed to replicate their password to the RODC and are not in a Deny group.
The groups that allow and deny password replication are on the Read-Only DC Computer Object, on the Password Replication Policy tab.
What are the requirements for Cloning a DC?
- PDC emulator FSMO role hosted on a Windows Server 2012 DC
- PDC emulator available during cloning operations
- Virtualization host platform supports VM-Generation ID (VMGID)
- At least Windows Server 2012 on the DC to clone from
How do you create a Clone of a DC?
- Add the Server 2012 DC to the Cloneable Domain Controllers group
- Run: Get-ADDCCloningExcludedApplicationList
- Any programs or services previously returned by Get-ADDCCloningExcludedApplicationList - and not added to the CustomDCCloneAllowList.xml - must be removed prior to cloning. Uninstalling the application or service is the recommended method.
- Warning: Any incompatible program or service not uninstalled or added to the CustomDCCloneAllowList.xml prevents cloning.
- Run Get-ADDCCloningExcludedApplicationList -GenerateXml -Path C:\Windows\NTDS -Force
- Generates the excluded application list as a file named CustomDCCloneAllowList.xml at the specified folder path (C:\Windows\NTDS) and forces overwrite if a file by that name is found to already exist at that path location.
- Run New-ADDCCloneConfigFile
- Shut down the DC
- Run Export-VM -Name <name> -Path <path> (on the host)
- Run: $<somevariable> = Import-VM -Path <path> -VhdDestinationPath <path> -Copy -GenerateNewId
- Rename-VM $<somevariable> -NewName <new>
How can you Transfer FSMO Roles?
- PowerShell
- CMD
- PowerShell
- Move-ADDirectoryServerOperationMasterRole -Identity <Name of DC/Server> -OperationMasterRole <FSMO Roles separated by comma>
- CMD
- ntdsutil
- roles
- connections
- connect to server
- q
- Transfer <FSMO Roles separated by comma>
How do you seize an FSMO Role via
- PowerShell
- CMD
- PowerShell
- Move-ADDirectoryServerOperationMasterRole -Identity <Name of DC/Server> -OperationMasterRole <FSMO Roles separated by comma> -Force
- CMD
- ntdsutil
- roles
- connections
- connect to server
- q
- seize <FSMO Roles separated by comma>
How would you restore a user that has been deleted? Active Directory Recycle Bin is Enabled.
2 ways
- By finding the user in the AD recycle bin and restoring the object
- PowerShell
- Restore-ADObject -Identity
How do you create an Active Directory SnapShot?
- ntdsutil
- activate instance ntds
- snapshot
- create
- (q or quit) x2
How do you mount an Active Directory Snapshot?
- ntdsutil
- activate instance ntds
- snapshot
- mount <guid>
- dsamain -dbpath <path> -ldapport 50000
What are the three states AD DS can be in?
- Started
- Stopped
- DSRM
How do you recover data from a snapshot?
(What is the downside to this?)
You can use LDIFDE
Downside: it does not keep everything in the object
How do you do an offline defrag of the Active Directory Database?
- Stop the Service: Active Directory Domain Services
- ntdsutil
- activate instance ntds
- files
- compact to C:\
- Copy the files to C:\Windows\NTDS\ntds.dit
- And delete the old log files from C:\Windows\NTDS\*.log
- Once completed: run integrity
- then (q or quit) x2
How do you do a metadata clean up on Active Directory?
- ntdsutil
- metadata cleanup
- remove selected server <servername> or remove selected server <servername1> on <servername2>
- quit or q twice
How would you optimize an Active Directory database?
perform an Offline defrag
What are the different Server backup types?
- Normal
- Copy
- Incremental
- Differential
- Daily
What is the difference between incremental and differential backups?
Incremental backups: copy all changed or new files and mark them as backed up
Differential backups: copy all changed or new files but do not mark the files as backed up
How would you do a system state backup of a server using the following tools:
- GUI
- wbadmin
- PowerShell
- GUI:
- Open the Windows Server Backup
- Select local backup
- Select backup once or backup schedule
- In Select Items for Backup: click Add Items
- Select System State
- Select the location
- Click Backup
- wbadmin:
- wbadmin start systemstatebackup -backupTarget:
- PowerShell
- $Policy = New-WBPolicy
- Add-WBSystemState -Policy $Policy
- $BackupLocation = New-WBBackupTarget -VolumePath "D:"
- Add-WBBackupTarget -Policy $Policy -Target $BackupLocation
- Start-WBBackup -Policy $Policy
How would you restore a user object using Tombstone?
You would use LDP
- Connect to the Domain
- Bind with the User Account
- Click View, Select Tree View
- Select the Base of the Domain
- Select Deleted Objects
- Select the object you want to restore
- Right-Click, Select Modify
- Delete the Attribute "isDeleted"
- Replace the DN (DistinguishedName) with where you would like the object to live
- Click Run