Figure
Specifying the application directory partition name. After specifying what you will use for an application directory partition, you have the option to specify where the data files for AD LDS will be stored. This is the same data-file technology used by Exchange Server, SQL Server, and Active Directory databases. As you can see in Figure 10.19, the Data Files text box lets you specify where the database data file will be located, and the Data Recovery Files text box is used to specify where the...
List Group Members
This script lists the immediate members of a group. Start by binding to the group, then set a variable equal to the Members property. This property returns a Dictionary object containing the list of group members in the Key field; the Value field will contain 0.

    <script language="VBScript" src="includes/GroupClass.vbs">
    Dim GroupObject, GroupMembers, Member
    Set GroupObject = New GroupClass
    ' The group's ADsPath argument is not shown in this excerpt; placeholder below
    GroupObject.BindToGroup "<ADsPath of the group>"
    ' Members returns a Dictionary; the member names are the keys
    Set GroupMembers = GroupObject.Members
    For Each Member In GroupMembers.Keys
        WScript.Echo Member
    Next
    </script>
Delegating a Subdomain
Another naming scheme is to create a subdomain beneath the company's Internet presence. While this method does not protect the internal resources as efficiently as a private namespace, you can effectively use the security-by-obscurity method. In other words, if a company uses an external namespace of zygort.com and an internal namespace of internal.zygort.com, the internal namespace should not be available within the external DNS servers. Even if you never add any delegation records to the...
Delegation of Control
One feature in AD DS that enhances our ability to administer networks is delegation of control. This means Windows 2003 and 2008 administrators can now delegate administrative tasks to specific non-administrator users or groups, as well as limit the functionality of other administrators. We can delegate control at practically all levels in our network: sites, domains, or OUs. Because we have this granularity of delegation capability, we can assign or delegate what are normally considered...
PowerShell Cmdlets
It's time to introduce you to cmdlets. That isn't a typo; it's actually pronounced "command-lets," and this is the name by which PowerShell commands are called. Technically these represent the smallest unit of functionality in the PowerShell environment, so they were given their own special name. In our alias list, you might have noticed that the PowerShell cmdlets follow a similar naming format. Specifically, each starts with a verb (such as Get, Write, or Start), followed by a dash, and finishes...
Create a Computer Account
Creating a computer account is a common administrative function. After creating a new instance of the ComputerClass class, call the Create method. The Create method takes three arguments: the ADsPath of the computer account's container, the CN, and the SAM account name of the new computer account. After you create the new computer account, you can continue to set any additional properties with the SetProperty method. This method takes two arguments: the property name and the new value. After you...
Figure
[Screenshot: Group Policy Management console tree for forest zygort.com. Domains: Default Domain Policy, Domain Folder Redirection; Boston: Boston Admins Settings, Boston Folder Redirection; Chicago: Chicago Admins Settings; Domain Controllers; Toronto: Toronto Admins Settings, Toronto Firewall Settings, Toronto Folder Redirection. Group Policy Objects: Boston Admins Settings, Boston Folder Redirection, Chicago Admins Settings, Default Domain Controllers Policy, Default Domain Policy, Domain Folder Redirection...]
Verify Server Health
To verify server health, start by following the same troubleshooting pattern as with the client health check. More often than not, the client has received its settings from a Dynamic Host Configuration Protocol (DHCP) server, while the server is often assigned static information. When a server has static settings, the chance for human error always exists. As I was typing that last sentence, I hit the Backspace key at least three times. Human error can cause any number of problems with static...
Designing OUs for Group Policy
Group Policy has proved to be one of the most widely used Active Directory technologies and, at the same time, one of the most misunderstood and misused. Many administrators who have taken advantage of Group Policy Objects (GPOs) to control the security of systems and to distribute software to users and computers do not fully understand the options available when using GPOs. Understanding the settings that can control security, restrict user sessions and desktops, deploy software, and configure...
Understanding the Current DNS Infrastructure
DNS has been around for many years, and chances are you already have DNS within your infrastructure. You'll have to determine whether your current DNS implementation will support your needs. After all, what works for the Unix or Novell side of your network may not work best for Active Directory. Case in point: DNS is normally a single-master database. This means that updates and entries into the database can be made on only one server, the server holding the primary zone. Every other DNS server...
UserClass
The UserClass class obviously represents a User object in Active Directory. To use this object, it must be instantiated like the other classes and then either bound to an existing User object in AD or used to create a new user. User properties can then be modified, the password reset, or the account unlocked. The group membership of the user can be returned, a group can be joined, or the group membership can be copied from another user. Finally, the object can be saved to AD. The Create method...
Password Policy
Password restrictions can be set to control exactly how passwords are used within the domain. If you open the Password Policy node, you will see the following options:

Enforce Password History: This option specifies how many passwords the system will keep track of, and therefore how many unique passwords a user must go through before they are allowed to reuse a password.

Maximum Password Age: This option specifies how long a password will remain valid before the user is forced to change the password.

Minimum...
Editing Group Policies
Group Policy templates are the parts of the GPO that are stored within the SYSVOL container of domain controllers, and the parts of the GPO that the GPME can manipulate. When you are editing group policies, make sure you plan how and when you will make the changes. Any change that you make to a GPO goes into effect immediately. Of course, chances are that you will not see the change affect a system as soon as you make it, but the change will be available the next time the periodic processing...
Auxiliary Classes
To answer the question in the previous section, we must look at what kind of class we are talking about. Active Directory has four different types of classes, shown in Table 18.2. Some classes can be used to create objects and some cannot. Of the four types of classes, only structural classes can be instantiated. These classes were defined before there was a specification to classify categories of classes. They behave like structural classes but should be treated as abstract. Active...
Designing OUs for Administrative Control
To have complete control over an OU, you must first be delegated full-control permission. This delegation is provided by the domain owner and can be granted to users or groups. For efficiency's sake, create a group that will manage the OU, and delegate permissions to this group. You can then add user accounts that need to manage the objects, otherwise known as the OU owners, to the group with full-control permissions. OU owners control all aspects of the OU over which they have been given...
What Makes Up a Group Policy Object
Two parts make up a Group Policy Object (GPO): the Group Policy container and the Group Policy template. Even though the two parts of the GPO are stored in different locations, both must be available for group policy processing to work. The Group Policy container is a construct of Active Directory. The container is used to control permissions for the GPO and to store attributes that allow us to identify the GPO. The permissions that we can set control who can manage the GPO, as well as the systems and...
Replication Boundary 1
Domain controllers within a domain will share their domain partition, or domain naming context, with one another, but will be selfish with domain controllers from other domains. There is a perfectly good reason for this. The domain partition will usually be the largest of the Active Directory partitions and is the one that changes most frequently. To reduce the amount of replication traffic sent to each domain controller within your forest, the domain boundary was defined. If you have...
OUs Based on Location
If an organization has resources that are centralized but the administrative staff is based at different geographic locations, the OU design should take on a location-based strategy. Using this strategy, the OU structure is very resistant to reorganizations, mergers, and acquisitions. Because all the objects are located beneath the top-level OU, which is based on company location, as seen in Figure 4.9, the lower-level OUs can be modified and the objects moved within the OUs to accommodate the...
Move a User Object
Because a good Active Directory hierarchy uses containers and/or organizational units to organize objects, eventually you will have to deal with user accounts moving from one container object to another. Calling the Move method and passing the ADsPath of the destination container will move the bound User object to its new home.

    <script language="VBScript" src="includes/UserClass.vbs">
    Dim UserObject
    Set UserObject = New UserClass
    ' Arguments are not shown in this excerpt; placeholders below
    UserObject.BindToUser "<ADsPath of the user>"
    ' Move takes the ADsPath of the destination container
    UserObject.Move "<ADsPath of the destination container>"
    </script>
Verify Service Health
To verify the health of the service, follow these steps:

1. Verify that the service is installed properly on the server.
2. Verify that the service is running.
3. Verify that the user has permissions to make the request.
4. Regularly review the application event log. The log is where services usually record their events and indicate whether they are error, warning, or informational events.

If you find a warning or error event in the event log, determine the source and search knowledge-base information...
Global Catalog Placement
Global catalog (GC) servers are domain controllers that take on the additional load of hosting objects from every domain within the forest. You should be familiar with the placement of GC servers within your network. The same basic rule applies to a GC server as to a domain controller: one should be placed within every site. Of course, this could be easier said than done. Budget limitations and security practices may prohibit you from placing GC servers everywhere you want. Follow these...
Kerberos Logging
You can have the system present more detailed information concerning authentication by turning on Kerberos logging. To do so, you can either edit the registry manually or run a script provided within the Account Lockout and Management Tools (see the "Account-Lockout Problems" section for more information). If you plan to edit the registry on a domain controller to enable Kerberos logging, you will need to open regedt32 and navigate to the following registry key. You must add the REG_DWORD entry...
AD Database and Log File Free Space
Every Active Directory database needs free disk space to grow. The AD transaction log files also need free space. This script monitors the amount of available disk space on the drives holding the AD database and log files and raises an alert if the available disk space drops below a given amount. The script begins by retrieving a list of domain controllers from a DomainClass object. The location of the AD database and log files may be different on each domain controller. An advantage of the...
Effective Permissions
As you can see, permissions can be assigned to a user directly (although you usually want to avoid this option) or to a group, or they can be inherited from parent containers. Trying to ascertain what permissions a user or group has applied or inherited can be daunting. Recall John Doe, our user from our earlier example. He has permissions assigned to him directly; he is also a member of a group that has permissions applied to it, and he inherits permissions from another container. What are John Doe's...
Command-Line Utilities
In case you like typing your commands, or if you would like to script the administrative control of accounts, you can use command-line utilities to manipulate Active Directory-based accounts. There are limitations to the Active Directory Users and Computers interface. If you want to create several accounts, you have to right-click on the container or OU where you wish to create the account (as shown in the "Active Directory Users and Computers" section of this chapter), and you can only enter the user's...
Step 4: Review the Considerations for Installing AD RMS
The fourth step in the process is to review the following considerations before installing AD RMS in your environment. These considerations are presented by Microsoft in its online documentation, but they are reworded here for clarity. Use a dedicated database server to host the AD RMS database. Avoid using the Windows Internal Database in a production deployment: Windows Internal Database is intended for use only in a test environment and does not support remote connections, which means that...
User Properties and Methods
The IADsUser interface manages user accounts in the directory. This interface inherits from the IADs interface described earlier, so it also contains the properties and methods described with that interface. Because we will work extensively with the user object in our scripts, you should familiarize yourself with this object's properties and methods. Two more important reminders: not all properties listed here will be available through the Active Directory Users and Computers console; the only way to...
Use Secure DDNS
As mentioned before, if you want to make sure the records entered within your DNS zones are valid, you can implement the Secure Only option from the General tab of the zone properties, as seen in Figure 2.13. Once enabled, only clients that are members of your AD DS domain can enter records within the zone.

[Figure 2.13: zone properties, General tab. Replication: All DNS servers in this forest. Dynamic updates: Secure only; allowing nonsecure dynamic updates is a vulnerability.]

To set aging/scavenging...
PDC Emulator
1. Open Active Directory Users and Computers.
2. Right-click on Active Directory Users and Computers and select Change Domain Controller (make this the domain controller that you want to be the PDC Emulator).
3. Right-click on the domain controller and select Operations Masters.
4. Click the Change button, and transfer the role to the domain controller you want to use as the PDC Emulator.

Seize FSMO roles: If a domain controller that holds a FSMO role is down or unresponsive, you may need to seize a FSMO...
Installing and Configuring AD RMS
Now that you've got a basic understanding of AD RMS, it's time to begin installing and configuring it in your organization. The following is a step-by-step guide to building an RMS solution in your environment.

1. Ensure that the server meets the hardware and software requirements and recommendations.
2. Create an AD RMS service account.
3. Create an AD RMS installation account.
4. Review the considerations for installing AD RMS.
5. Assign an email address to AD RMS users and groups.
6. Raise the...
Figure
Is Not: This is pretty much the opposite of the Is Exactly option. When using the Is Not option, you enter the exact word or phrase that you do not want results returned for. For this option, if you want to find all the accounts that are not part of the Marketing department, you choose User > Department, pull down the option for Is Not, and then type Marketing. The query returns all the user accounts that are not members of the Marketing department.

Present: When you use the Present option, you...
Chapter Managing Group Policy
Identify the different group policy types. Microsoft has changed the format of group policy templates so that they are easier to manage. Instead of using a proprietary format, the new group policy templates that are used with Vista and Windows Server 2008 are based on XML.

Master It: Administrative templates are formatted using two different markup languages. What formats are they created in, and which operating systems support the group policies that are configured with each?

Master It Solution...
Design FSMO placement according to AD DS best practices and business
Proper FSMO design and server placement are important to your AD DS design for service availability and performance.

Master It: You are designing the FSMO role placement in your AD DS environment. You have one forest and two domains. DomainA is a root domain that is used to protect certain resources from the main domain (DomainB). DomainA consists of two domain controllers: ServerA-1 and ServerA-2. DomainB consists of three domain controllers: ServerB-1, ServerB-2, and ServerB-3. ServerB-1 and...
Figure
If you have a network infrastructure that is fully routed and all the locations can communicate directly with one another, you can leave this default setting turned on. However, if you have locations where not all the domain controllers are able to communicate directly with one another (for instance, if they are separated by firewalls), you may want to turn off site-link bridging. You may also want to turn it off if you want to manually control where it is allowed. If you have a large, complex...
Switched-Off NETLOGON Synchronization
Don't worry about this; it isn't as bad as it seems. It just means that you will not be able to add additional Windows NT 4 BDCs to your domain. Once you have made the commitment to move to Active Directory, you should not need to install additional Windows NT 4 domain controllers on your network. There are cases in which this may not be true, but if you have eliminated all of the Windows NT 4 BDCs from your domain, you can safely make the move to native mode. Windows NT 4 member servers can...
Chapter Troubleshooting Problems Related to the Active Directory Database
Problems with the AD DS database can cause a multitude of issues in your environment. Determining what is causing a problem with the database can be difficult. Being prepared with a wide array of tools will help you narrow down the issues and come to a quick resolution.

Troubleshoot database replication. Keeping information current and in sync is very important to the health of your AD DS database. Replication is the technology that keeps all domain controllers up-to-date with changes from other...
Stand-Alone Certificate Authority
Stand-alone CAs do not require AD Domain Services (AD DS), are less automated, and will require more input from the users than an enterprise CA does. However, they are able to use Active Directory, if it is accessible, for publishing user certificates and the CRL. Generally, stand-alone CAs are used as a trusted offline root CA in a large CA hierarchy, or where organizations are using an extranet and the Internet. Stand-alone CAs issue certificates for digital signatures, to secure email using S...
Maintaining the Infrastructure Master
If you are working in a multiple-domain environment, the Infrastructure Master can be your best friend or your worst enemy. It is the Infrastructure Master's job to make sure that accounts from other domains that are members of a group are kept up-to-date. You do not want an account to have access to resources that it is not supposed to, and if changes are made to users and groups in other domains, you need to make sure that the same changes are reflected in your domain. For instance, let's say...
Using the Delegation of Control Wizard
To delegate control of an OU, go through Active Directory Users and Computers, right-click the OU you want to delegate, and then click Delegate Control. There are four steps in the delegation process:

1. Choosing which users or groups are going to receive delegated permissions
2. Designating the actual tasks to delegate, and whether you're
3. Specifying the Active Directory object type
   Creation or deletion of specific child objects

In the first step, you choose the users or groups that are going...
Moving Objects in Active Directory
Certain assumptions were made about the growth and structure of the network in the initial design of an Active Directory network. A network is rarely static; it will grow and contract. You may add child domains or create new trees or even add forests. Within the domains, you may add or remove OUs to facilitate administration, and you will definitely move users, computers, printers, and other objects. This is especially true if you are taking over a network from someone else and need to...
Active Directory Schema
This is the one snap-in that is not available to administrators unless they choose to register the dynamic link library (DLL) necessary for it to be displayed and used. The designers of Active Directory did this intentionally because they did not believe the tool should be available to every administrator within the forest. Instead, Microsoft forces anyone who wants to use this tool to research how to get to the schema. Because the schema should not be altered unless there is a valid business...
Set Quotas
In Windows Server 2003- and 2008-based Active Directory domains, you have the ability to set quotas on the number of objects a user is allowed to create within the Active Directory partitions. You can set quotas differently on each Active Directory partition because each partition is evaluated separately. By using quotas you are able to effectively control the number of objects that can be created by an account, thereby quelling any attempt to flood an Active Directory-integrated zone with too...
Unlocking a User
To unlock a user object, we can use the Quest Active Directory cmdlet Unlock-QADUser. This cmdlet is also simple; all we have to do is pass the identity of the user object to unlock, as shown here:

    Find-ADUserDN tempUser01 | Unlock-QADUser
    Find-ADUserDN Temp | Unlock-QADUser

To unlock all currently locked users, we can pipe the results of the Get-QADUser cmdlet, with the -Locked parameter, into the Unlock-QADUser cmdlet, as shown here:

    Get-QADUser -Locked | Unlock-QADUser

Keep in mind that this is a...
Native-Mode Logon Problems
Once you have switched your domain out of Windows 2000 mixed mode, you will be required to have global catalog servers available. Windows 2000 native, Windows Server 2003, and Windows Server 2008 functional levels require that a global catalog server be available so that a user's universal group membership is checked prior to authentication. Universal security groups do not exist within a Windows 2000 mixed-mode domain. However, once you have changed your domain to support them, each user's...
Auditing for Logon Problems
As with any troubleshooting, you should start by checking the event logs on the client system and the domain controllers within its site. Although many administrators criticize the event logs, you can find some interesting and useful information in them. If you have enabled auditing of account logon and logon events, you will receive events in the security log that pertain to accounts as they authenticate or fail to authenticate. To watch for failures, you must audit the failure...
Account Lockout Policy
The Account Lockout node contains the options that control when a user's account will be locked out, or disabled from use, if too many password attempts fail. This is used to make sure that a user's account is not easily compromised if an attacker is trying to determine the user's password. Following are the options contained within this node:

Account Lockout Duration: This option specifies how long an account remains in a locked-out state. If it's set to 0, the administrator will have to unlock...
Domain Controller Placement
Domain controllers host the database that is Active Directory. In order for users to log on to the domain, they need to be able to connect to a domain controller. The rule of thumb is to locate a domain controller near any user so the user can log on even if WAN connections fail. There are instances when you will not want to place a domain controller at a specific location. In the following sections, we look at the options for placing domain controllers within your infrastructure and, in some...
Creating a Baseline
Just as when you are preparing for performance monitoring, you should create an Active Directory baseline that includes all of the settings you have made during the configuration of your domain controller. You should document all your settings so that you can pull out the documentation whenever you want to review the settings. Make sure you double-check the auditing settings as well as all directory service permissions and service-account administrator-group memberships. Documenting these items...
Active Directory Users and Computers 1
You can use the Active Directory Users and Computers utility to find the domain controllers that hold domain-specific roles. As discussed in Chapter 5, each domain has an Infrastructure Master, a RID Master, and a PDC Emulator. So it only makes sense that to find the role holders of these FSMO roles, you consult a utility that helps you maintain aspects of your domain. When you open Active Directory Users and Computers, it is not immediately obvious that the FSMO role holders can be found...
acctinfo.dll
The acctinfo.dll file is actually part of the Account Lockout and Management Tools that you can download from Microsoft, which we discuss later in the "Account-Lockout Problems" section. Once added to your system, acctinfo.dll includes an additional property page for the user-account properties. As Figure 17.14 shows, this additional property page will allow you to determine when the account's password was set, when the password expires, when the user last logged on or off the domain, as well as...