Delegation and Security Issues

You have two methods for transferring administrative permissions to selected users: you can use the Delegation of Control Wizard, or you can add access control entries (ACEs) to the discretionary access control lists (DACLs) of individual OUs. The Delegation of Control Wizard appears to be easier to use (although this is rather subjective). The wizard takes you step by step through the delegation process, whereas manual configuration is more susceptible to human error and may take more time. To delegate...

Group Policy User Security

You can find the associated security policies in the Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies section, which contains three main groups of settings: Password Policy, Account Lockout Policy, and Kerberos Policy. Let's reiterate once again that these settings cannot be modified on an organizational unit or site level; the settings defined in the domain policy will become effective. Password policy, account lockout policy, and Kerberos policy were reviewed...

Namespace Considerations

AD uses the DNS namespace as the basis for naming AD domains. Careful planning of the namespace will invariably make it easier to expand AD into new trees and domains, and will also make it easier to access resources using intuitive names. Ease of adding child domains as your network grows will prove critical in the Active Directory namespace life cycle. Choosing the naming structure most appropriate for your organization will undoubtedly be influenced by business factors. Obviously, domain...

Configuring DNS Zone Transfers

Zone transfers are configured in the properties of the primary zones, and during secondary zone setup. Zone transfers may be denied altogether, or allowed to any server, only to the servers that are listed on the Name Servers tab (other authoritative servers of the zone), or to other designated servers (which are not necessarily authoritative for the zone). Allowing transfers to any server is a pretty dangerous setting, and it is not recommended. Typically, DNS zones should be configured as...

Delegation of Zones

A DNS server configured with one zone and a domain can self-sufficiently serve all requests for records contained in a subdomain, provided that the subdomain has also been created. You can create resource records in the subdomain exactly as you would in the parent domain. However, if your domain name contains a large number of records, or you simply want to have someone else administer the subdomain, you could also delegate authority for the subdomain to a separate DNS server. Delegation was...

About the Technical Editor

Alex Khassanov has been working with Microsoft technologies for the last 15 years, lately with an emphasis on Directory Services and Microsoft Exchange activities. IT infrastructure assessments and project management take up most of his time in his work as a Senior Consultant for Toronto-based CMS Consulting Inc. Along with a Bachelor of Science degree in mathematics, he holds numerous certifications from different vendors, including MCITP Enterprise Administrator, MCSE (NT, 2000, 2003), CCSP, CCNA,...

Group Policy Scope in Active Directory

A key feature of group policies is that they can be configured to have different application scope within the infrastructure. Users or computers that fall into the scope of any given policy can be grouped according to several criteria, such as their location within an OU structure. Different types of users will usually require specific computing environment configurations, and hence, configurations implemented by one particular group policy will not suit all of the users. From the group policy...

Federation Service Proxy

A federation service proxy, as the name implies, is an independent participant in the AD FS system that facilitates communication between untrusted Internet applications that are requesting authentication services and an internal AD DS or AD LDS system. A proxy is deployed to DMZ parts of the network and becomes the only system that is exposed to connections from the partner network. Federation service proxies can and should be deployed on both ends of the federation, in resource partner and...

Impact of Domain Functional Levels on Group Management

As discussed previously, Windows Server 2008 has several domain functional levels and forest functional levels. Please refer to earlier chapters for more information on functional levels. In previous versions of the Windows Server operating system, namely Windows 2000 and Windows Server 2003, the following features were affected by the domain functional level of each domain in the infrastructure: Group nesting was restricted to distribution groups in mixed mode environments. Group conversion...

Troubleshooting Replication Failures

Replication problems can be caused by a multitude of situations. To determine whether there is a replication problem, check Event Viewer, or use repadmin /showreps to view the status of inbound connections and the most recent replication information. Table 7-2 lists some of the possible error messages and potential causes that result in disrupted replication, but this list is not exhaustive. This condition may be caused by outdated computer account passwords that correspond to domain controllers...

Forwarder Server

As the name implies, forwarder servers are used to designate where to forward queries that cannot be resolved by a DNS server from its locally stored zones or subordinate DNS servers. Windows Server 2003 introduced conditional forwarding, whereby administrators may choose different forwarder servers depending on the domain name. For example, you can configure all requests for the sales.flexecom.com domain to be forwarded to a specific DNS server, as shown in Figure 2-9. Windows Server...

DNS Query Functionality

As we have established, the DNS query process is a dialogue between clients requesting IP addresses of resources and servers that are in possession of this information. Questions and answers are formatted in a special way, and the dialogue is constructed in a special manner depending on the situation. The client asks its preferred DNS server for the IP address of resource ABC. The server then uses its knowledge of the DNS hierarchy to help the client resolve the name. It first checks its cache,...

Dnscmd

The Dnscmd command is useful for manipulating DNS server roles. It allows you to manage DNS server settings, create new zones, modify properties and view information of existing zones, and export zone content. The Dnscmd command...

-ldapPort number
-sslPort number
-gcPort number
-gcSslPort number
-allowUpgrade

(which could be on read-only media, e.g. a snapshot). The DIT must be in a consistent state, i.e. ESE logs must be replayed. (optional) The path should point to a writeable folder, where ESE...

Configuring Clients

For the DNS service to be used in the name resolution process, clients must be configured accordingly, and at the very minimum they must be configured with the DNS server's IP address. This may be achieved using a variety of methods. In order of increasing priority, these methods are as follows: DHCP-assigned settings, locally configured settings (Figure 3-2), local policy-assigned settings, and domain policy-assigned settings (Figure 3-3). These are discussed in more detail in the following...

Active Directory Domains and Trusts and Active Directory Schema Management

Schema Master Console

Administrators can look up and transfer forest-wide FSMO server roles, namely, the Domain Naming Master and the Schema Master, using the Active Directory Domains and Trusts and Active Directory Schema management consoles. The AD Domains and Trusts console allows transferring the Domain Naming Master role, and Active Directory Schema, the Schema Master role. Figure 5-1 illustrates the Schema Master properties and transfer page. To use the Active Directory Schema console, you need to register it...

Geographical Driver

If company operations are dispersed around the world, a logical choice is the geographical hierarchy, which forms the basis of the OU structure, or the top level. Each geographical location corresponds to one OU. It is wise to keep this geographical structure entirely flat, and not go into states or provinces, cities, etc. Instead, each physical office may simply be represented by its own top-level OU. An advantage of this structure is that both users and administrators can visualize the actual...

Infrastructure Master

There must be one Infrastructure Master in each domain in an AD DS forest. The Infrastructure Master is responsible for updating group memberships and SID-to-DN mapping between domains, where security groups in the local domain contain members from other domains. Objects stored on a given domain controller may reference other objects from other domains in the infrastructure. Such references are usually implemented as records that contain the GUID, SID, and DN of the referenced object. SIDs are...

Site Links

In order to expand your replication topology beyond a single site, you should first define site links between the sites. Only after site links have been created can connection objects for domain controllers in different sites be generated. In contrast to intra-site replication, inter-site replication needs more administrative intervention before things start working smoothly. When you define site links, you must assign link cost, or a relative number that takes into account actual bandwidth...

Schema Master

The Schema Master, as pointed out previously, is one of the two operation masters that can exist on only one domain controller per forest. This role manages access to the only read/write instance of the schema database. To make modifications to the Active Directory schema, you must connect to this server first. In general, schema modifications are not something you do on a daily basis, although schema changes may happen more often in the very early stages of AD and application rollout and break-in...

Dsquery

A standard OS tool set includes Dsquery, which allows querying Active Directory for specific information. It is an LDAP query and modification tool, a typical example of a command-line LDAP client application. To find a specific FSMO server, type dsquery server -hasfsmo <role>, where <role> is the operation master you are looking for (for example, dsquery server -hasfsmo schema). This has to be one of the following: schema, name, infr, pdc, or rid. To find out which server in the forest is responsible for...

Deploying Active Directory in Firewalled Networks Using Static RPC

Instead of opening up your firewall to incoming connections on thousands of ports, you may opt to hard-code the dynamic RPC port to a single value using the Registry and open up just one port. This solution makes Active Directory in firewalled networks more feasible in concept; however, it requires a bit of configuration work on the part of domain controller administrators. First, you need to decide which port should be used by your domain controller to replicate. Anything over 50,000 is a valid...

Creating an Organizational Unit

In this exercise, you create an organizational unit. Before you begin, make sure that you have Domain Admins- or Enterprise Admins-level privileges.

1. Launch the Active Directory Users and Computers snap-in. It is located in the Administrative Tools folder in the Control Panel.
2. In the console tree, select the domain you are about to manage. If you wish to create an OU within another OU, select the OU that will become the parent container.
3. Right-click the parent container and click New,...

Group Conversion

Group conversion is a process of modifying group type or scope without changing group object identifiers, or group membership for that matter. You can convert any distribution group to a security group of corresponding scope (that is, convert a domain local security group to a domain local distribution group, or vice versa), and you can convert domain local groups or global groups to universal groups, or convert universal groups to global or domain local groups. Note that you cannot convert a...

Caching Server

When you install a DNS server on a fresh Windows Server 2008 installation, it configures itself as a caching-only server by default, until you configure forward lookup zones. Caching is integral to the DNS server, and in the absence of local zones, caching and resolving of domains through root servers is all it does; in essence, caching-only servers are DNS servers that are non-authoritative for any of the zones. Caching servers are best used to decrease response times in local area networks...

DNS Management Tools

Administrators familiar with previous implementations of DNS in Windows Server 2003 and earlier will not be surprised to see very much the same tools in Windows Server 2008. There are two primary DNS management tools in Windows Server 2008: the DNS Manager MMC (dnsmgmt.msc, shown in Figure 3-1) and the dnscmd.exe command-line tool. DNS administration on a Core installation server can be performed using the dnscmd command locally, or remotely from another server. The Core installation server can...

Trust Relationships

When a trust relationship is configured between two domains, users from the trusted domain are able to authenticate to the trusting domain. Trusts make it possible to perform cross-domain authentication. Users from the trusted domain are then able to access resources located in the trusting domain, subject to ACL permissions defined on each resource. Trust management operations are available only to enterprise administrators. Trust relationships within each forest in Windows Server 2008 are...

Plan and Implement a Group Policy Strategy

The main objective of group policy implementation is lowered total cost of ownership (TCO) through streamlined management. Administrators benefit from this technology greatly by saving a lot of time and effort that they would otherwise expend in performing tedious tasks on a regular basis. However, you must still spend the time on careful planning and initial configuration of group policies. Before you proceed with group policy deployment, the following must take place:

1. Analyze the existing...

Delegating Permissions

You can create bulk permissions, delegating all the authority to administrative accounts, or you can delegate a very specific role to authorized people. A good example of using delegation is to assign user management rights to a team leader of a department, or to a help desk person responsible for user support in a decentralized administration model. The same effect can be achieved by assigning permissions to security principals manually; however, this would make delegation a tedious task that...

Implementing DNS Services

1. B is correct. The ocsetup.exe utility is used to install optional components on the Core installation Windows Server 2008 computer. A, C, and D are incorrect. A is incorrect because oclist.exe shows optional components that are already installed. C and D are both incorrect because dnscmd.exe is used to manage DNS services that are already installed on Windows Server 2008.
2. C is correct. The ipconfig /flushdns command flushes the resolver DNS cache on any computer running any Microsoft operating system, from Windows 2000...

Domain Functional Levels

By default, when you install Windows Server 2008, the vast majority of AD features become available at once. Some advanced features may require all domain controllers in the domain to be updated to Windows Server 2008. Beginning with Windows 2000, domains could be configured to operate in two modes: mixed mode and native mode. Mixed mode ensures that new features delivered with Windows 2000 will not cause compatibility issues with then-existing Windows NT 4.0 domain controllers. This concept was...

SmartCard Authentication

Smart cards store the private key and the corresponding public key in the form of a digital certificate. The private key always remains on the card and is highly sensitive: if it leaks, the security is compromised. The public key should be distributed to anyone wishing to conduct encrypted communications with the user in question. When the user inserts the smart card into the reader, this replaces the CTRL-ALT-DEL procedure and login information entry. The user is prompted for his or her PIN...

Configure Replication Schedules

There are two basic events that may trigger Active Directory replication: the replication schedule, or changes committed to a domain controller. The first mechanism is specific to inter-site replication and is more complicated, requiring administrators to configure replication intervals and schedules to suit the specific needs of each company. The second mechanism applies to intra-site replication, and as such, administrators need not worry about it. Active Directory replication occurs between all...

Domain Naming Master

There can be only one Domain Naming Master per Active Directory forest. This domain controller must be accessible during addition and removal of domains to and from the forest, and also when you create trusts between domains located in different forests. When you create a new domain, the wizard uses the Remote Procedure Call (RPC) protocol to connect to the Domain Naming Master controller. You must be a member of the Enterprise Admins group to add or remove domains from the forest, or have a...

Assigning Permissions

The mechanism described in the steps in the preceding section can be used to assign permissions using one of the categories described in Table 8-4. Note that the table lists only the standard permissions for generic objects such as containers. Overall, there are 15 permissions that you could assign to objects, and depending on how many attributes the object has, it may have in the neighborhood of 100 read and write permissions for each of its attributes. To manage ACLs on a daily basis, it is...

Reliability and Performance Monitor

This familiar performance monitor tool is greatly improved in Windows Server 2008. When you select the top-level node in the tool's left pane, you are presented with a consolidated snapshot of system health, including charts of key CPU, memory, disk, and network metrics. The Performance Monitor part of the tool features several hundred different counters, such as average disk queue length, CPU utilization, current queue length on a network interface, and memory paging, which you can use to...

Configure Site Boundaries

Before you commence configuring your replication objects, you have to plan and understand how many sites your infrastructure will need in order to implement the desired functionality. You also need to determine which of the networks or subnets will be added to which sites. Conceptual topics, such as what sites are needed for, were discussed earlier. Recall that sites are defined as common network areas that share fast and reliable connections, where plenty of inexpensive bandwidth is available...

Account Policies

With the introduction of Windows 2000, account and password policy settings are configured using group policy objects and Active Directory. In short, the Group Policy Management snap-in allows you to manage computer and user configurations according to their location in the Active Directory structure. The next chapter discusses this technology more thoroughly. But for the purposes of this discussion, we will review just one of the groups of settings configurable through group policies. Password...

Round-Robin Functionality

As mentioned earlier in the chapter, the DNS system has some load-balancing features, namely, round-robin functionality. It may be helpful to distribute incoming connections equally between a few network hosts, such as web servers. If one web server is getting hit with lots of requests, it may be serving pages slowly or may even be rejecting or timing out some of the requests. In this case, one solution may be to set up a twin web server box and load-balance incoming traffic using DNS; this is...

IT Container

Based on practical observations, it is often a good idea to create an internal IT OU at the top level of the structure, and nest all important objects, such as administrative security groups, administrative accounts, and servers, under it. This way it is easier to exclude it from the delegation structure and avoid granting help desk staff the ability to modify membership of administrative groups (they might be tempted to add their own accounts to Domain Admins and the like). It is also advisable...

Forest Trusts

A subtype of external trusts, forest trusts in Windows Server 2003 and 2008 allow setting up transitive trusts at the forest level. Administrators must ensure that forest functional levels are brought up to Windows Server 2003 or higher in all forests to be linked with a trust relationship. Cross-forest trust relationships (as they are sometimes called) effectively establish a trust between every domain in one forest and every domain in the other forest using just one link definition. If one or...

Creating a Forward Lookup Zone in Windows Server

This exercise uses the DNS Manager console to create a new forward lookup zone for a future Windows Server 2008 Active Directory Domain Services installation. We make the assumption that AD DS is not yet installed in your lab.

1. Click Start | Administrative Tools | DNS. The DNS Manager console will be launched.
2. Expand TORDC01 (or your server name), right-click the Forward Lookup Zones container, and click the New Zone menu option.
3. On the New Zone Wizard welcome screen, click Next.
4. On the...

Active Directory User Accounts

User accounts (we also refer to them as user objects, or instances of the user class) are unique security identifiers; they are needed to interact with Active Directory. User accounts do not necessarily represent just the users of the system; system processes also rely on user accounts, as this defines the process security context and bestows certain privileges in the system. The most significant benefits provided by Active Directory in respect to user accounts are: Single sign-on (SSO); Directory...

Other Automation Techniques

When you use either csvde or ldifde, other switches may be handy, depending on the situation (these switches apply to both tools), such as:

-v Enables verbose mode and shows diagnostic information.
-s <servername> Indicates which domain controller to use during the operation.
-j Provides a log file path.
-k Forces ldifde to ignore possible errors during the operation. Errors may be caused if you indicated attribute values that violate value types or constraints, if a nonexistent object class...

Ease of Administration

Group policy structure must remain manageable after implementation. Planning is needed to avoid situations in which everything works fine, but no one really has enough courage to make a change. When the system works but is complicated to the point that you don't want to touch it, it is safe to say that it is not manageable. Here are some recommendations that may help in avoiding this situation: Name your policies using full, intuitive names that reflect the purpose and maybe even the scope of...

Troubleshooting Active Directory Database Failures

When you perform a domain controller installation, the Dcpromo Wizard will ask you, among other things, where you wish to place the ntds.dit and edb.log data and transaction log files. By default, the %systemroot%\ntds directory is suggested, but this is far from ideal. You should always place your Active Directory files on a fault-tolerant set of hardware disks, and preferably on a drive that does not contain any system files or pagefile.sys. If your Active Directory domain controllers will be hit...

Dcdiag

When you have established that network connectivity is not an issue, next you have to verify domain controller functionality. Dcdiag.exe runs a set of tests against a domain controller, similar to Netdiag. These tests include NC Head Security Descriptors and Locator Get Domain Controller. Running dcdiag without switches will launch a series of tests. It starts with a mandatory connectivity test, which verifies name resolution and pings the resolved IP address:

Testing server: Default-First-Site-Name...

Restore Active Directory Services

You may run into a situation in which certain changes to Active Directory are found to be undesirable after the fact (for instance, if an object or two were deleted, or attribute values were overwritten, and these changes were replicated to other domain controllers). You may also experience hardware failures, such as the Active Directory database hard disk or set of disks going defunct as a result of an environmental event or bad hardware, which add to the reasons why you should back up Active Directory...

Authoritative Restore

An authoritative restore differs from a non-authoritative one in that the restored objects are assigned higher USNs than the respective USNs on other domain controllers, causing restored objects to be replicated to other domain controllers instead of being overwritten, as happens in non-authoritative restores. Obviously, in addition to restoring objects, an authoritative restore needs to adjust some of their properties in the Active Directory database. The following table summarizes these...

Installing DNS Services

DNS services are not installed as part of Windows Server 2008 out-of-the-box installations. DNS services have to be added; they may be installed either manually, by someone with administrative rights on the system, or as part of the domain controller installation process. If you install DNS services manually, at the end of the installation process you will have a caching server that does not have any forward lookup zones yet. DNS services can also be deployed automatically as part of the dcpromo...

RMS Requirements

AD RMS deployment requires AD DS installation. It also integrates, optionally, with AD FS where extranet content protection is desirable and AD CS for transport-layer security and encryption. If document distribution will extend outside the realms of a single corporate environment, then obtaining SSL certificates from a trusted third-party CA may be more desirable than using AD CS, which would be considered as a trusted CA only on the corporate network, by default. An RMS server must be a...