Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) allows administrators to create small versions of Active Directory that run as non-operating system services. Because AD LDS does not run as an operating system service, it does not require deployment on a domain controller. Any workstation or server can host an instance, or multiple instances, of AD LDS. Instead of building a domain controller so that developers have an Active Directory database to work with, you could create an instance...

Table: Commonly Used Win32 WMI Classes and Their Properties (Class / Description and properties)

Represents the computer operating system. Useful properties include Name, Domain, DomainRole, PartOfDomain, Roles, and UserName.
Represents the physical disk drives in the system. Useful properties include Name, Model, Size, and Status.
Represents both physical and mapped drives. Useful properties include Name, DriveType, FileSystem, and Size.
Win32_NetworkAdapterConfiguration: Represents the network adapters in a system. Useful properties include Caption, DHCPEnabled, DNSDomain, IPAddress,...

Command Line Options

Some command-line utilities allow you to identify the role holders. Although these utilities may not be as intuitive as the snap-ins we have been discussing, they can come in very handy when you are already at a command prompt. The first, ReplMon, allows you to view role holders and query against them. Netdom shows you all the role holders at the same time, while dsquery allows you to find individual roles when you ask for them. The DCDiag utility shows you all the roles. The final utility,...

Primary Zones

Primary zones have traditionally been held on a single system and are known in the Microsoft world as standard primary zones. Primary zones are the update points within DNS. The limitation to these zones is their inherent single point of failure. Although the zone data can be transferred to another server that acts as the secondary zone, if the server that holds the primary zone is unavailable, you cannot make changes to the zone. In this case, you must promote a secondary zone to primary if...

AD RMS Role Prerequisites

The AD RMS server role requires Internet Information Services (IIS) 7.0, Message Queuing, and Windows Internal Database. Installing the AD RMS role will automatically select and install the prerequisite components.
1. Log on to the server on which you want to install AD RMS.
2. Click Start > All Programs > Administrative Tools > Server Manager.
3. In the Roles Summary box, click Add Roles. The Add Roles Wizard opens.
4. Read the Before You Begin section, and then click Next.
5. On the...

Domain Functional Levels

As the engineers behind Active Directory build new and better features, administrators are given more efficient and easier tools with which to work. At the same time, the new features in one operating system are not always supported in legacy operating systems. Windows NT 4 had some serious limitations when it came to secure and efficient administration. Windows 2000 addressed many of the limitations and presented Active Directory as the next generation of directory services. Moving from the...

The Active Directory Schema

The Active Directory database is made up of attributes and object classes that form the Active Directory schema. Some of the object classes are users, groups, computers, domains, organizational units, and security policies. You can modify the schema by defining new object types and attributes associated with them or by adding new attributes to existing objects. This is accomplished by using the ADSI Edit MMC snap-in. This may sound very confusing. Here is a brief description of each schema...

Listing Users

To list all users we can use the Quest Active Directory cmdlet Get-QADUser without any parameters. We can also use the Select-Object and Sort-Object cmdlets to make the output easier to read, as shown here (the pipe characters were lost in the copy of this text and are restored):

    (Get-QADUser | Measure-Object).Count
    Get-QADUser | Select Name, DN | Sort DN

The Get-QADUser cmdlet gives us an easy way to produce a list of user objects that are either disabled or locked. This cmdlet has two parameters designed expressly for this purpose. To find currently disabled user objects...

Common Global Catalog

A forest also provides for a common global catalog (GC) within the forest. A global catalog is a domain controller that hosts objects from every domain naming context within the forest. At first you might think that could be a lot of data for a domain controller to host. If the GC server were to hold all of the attributes from every domain within the forest, you'd be correct. However, to keep network traffic at a minimum, only about 200 of the 1,700+ available attributes for each object are...

Configuration Options for AD LDS

The nice thing about using AD LDS to store information for applications and services is that it can be managed using the same tools as for AD DS. In Server Manager, you will find Active Directory Lightweight Directory Services within the Roles node. When you select this option, the details pane will appear with sections that you can use to determine how well AD LDS is functioning, and with tools that you can use to manage AD LDS. Figure 10.23 shows these sections: Summary, Advanced Tools, and...

Domain Local Groups

All of the servers within a Windows NT 4 domain and member servers within Active Directory have local groups to access local resources. Using local groups became cumbersome because we had to re-create the group on every server where we wanted it so that users could access similar resources. Now you can share local groups across the entire domain in Windows 2000 native mode. Domain local group membership can include universal groups, global groups, user accounts, and computer accounts from any...

The Importance of Microsoft Server DNS in Active Directory Domain Services

While other DNS servers, such as BIND, may allow you to run Active Directory, certain Active Directory features are available only with Microsoft Windows Server-based DNS servers.

Master It: You are designing your Active Directory domain infrastructure that consists of multiple physical locations. Your domain will consist of Windows 2008 servers only. You want to implement a DNS infrastructure that provides you with a simple and easy way to manage DNS...

Multiple Forest Pros and Cons

More secure. More administration. May have different schema in each forest (e.g., one business unit uses Exchange and another doesn't want its schema extended with the Exchange attributes). Trusts between forests in W2003 and W2008 are transitive and Kerberos-secured.

Most small- and medium-sized companies will opt for a single forest. Following are situations that might call for exceptions: Extranet application(s) use Active Directory. Acquisitions and/or businesses break off into their own...

Add Additional Token Signing Certificates

If you are configuring only one federation server, you can move on to creating claims. If, however, you have additional federation servers within the server farm, you should add the token-signing certificate from each one to the Verification Certificates tab on the account partner's properties sheet. To do so, right-click the account partner within the account partner's node and select Properties. Once the properties sheet appears, select Verification Certificates, as shown in Figure 10.14....

Step 5: Assign an Email Address to AD RMS Users and Groups

The fifth step in the process is to ensure that you have an email address defined in the properties for each user and group account that you want to configure with AD RMS. Do the following to add an email address to a user account:
1. Log on to the domain controller.
2. Click Start > All Programs > Administrative Tools > Active Directory Users and Computers. In the console tree, expand domainname.
3. In the Active Directory Users and Computers console, select Users, right-click the user...

Create groups and OUs that will have delegation applied to them. This facilitates security as well as administration.

Avoid assigning permissions directly to a user. Create a group (see our earlier discussion) and place the user in that group. Creating a group to house one user is not as burdensome as it might seem initially; in fact, it will make your administrative life much easier than trying to track down why this one individual can still perform actions that she or he shouldn't. Least is most: assign the least amount of permissions to users and groups. This will help make your network most secure. Users...

Computer Properties and Methods

The IADsComputer interface manages computer objects in Active Directory, including servers and workstations on the network. Because this interface inherits from the IADs interface, it already has the properties and methods described in that interface. If you browse through the properties in more detail, you will notice it also shares many properties with the user object. Table 18.13 shows the properties of the computer object: Computer's common name for the computer; Comment field; Computer's...

The Bottom Line

Connect to Active Directory using VBScript: Writing Active Directory scripts for your users will increase your productivity and lighten your workload. The first step is to connect to the current domain. A portable script does not reference a particular domain, but rather uses Active Directory itself to connect to the current domain.

Master It: Develop a script that connects to the current domain using the RootDSE object. Display the default naming context and current time of the domain. Read and...

Implicit and Explicit Permissions

Assigning permissions is one of the first steps in granting or denying someone access to resources. You can grant someone permissions, deny them access, or not grant them permissions at all. If you grant someone access, they get the access level granted, plus any that they might inherit (more on that later). If you do not grant someone access, you have implicitly denied them access. If you select the Deny box for a permission, then you have explicitly denied access, as shown in Figure 7.7. The...

AD DS Domain Design

So far we have looked at what goes into a forest design. The criteria I introduced for forests will flow over into domain design. You are still going to base your design decisions on one major design criterion: administrative control. Keep this in mind as you work through the rest of this chapter. All of your decisions will have administrative control as the primary concern, and then group policies and security policies will help you refine your design. As many administrators will tell you,...

Replication Boundary

AD DS forests provide for a complete replication boundary. Every domain controller within the forest will participate in the replication topology, sharing information among them so that each domain controller can respond correctly when a client requests it. Two AD partitions (or naming contexts), the configuration partition and the schema partition, replicate on a forestwide basis. Every domain controller within the forest will share identical data for these two partitions. The schema...

ADSI Providers

One of ADSI's most endearing qualities is its ability to play well with others. This refers not only to its language independence, but also to the number of directory services with which it can interact. Active Directory was not the first directory service on the block, and the Active Directory we know today definitely will not be its last version. In the ever-expanding corporate world, where companies routinely take over other companies and have to integrate information systems, there's a good...

Group Class

Many of the functions of the GroupClass class mirror those found in UserClass. When developing scripts with this class, using a common design helps by not making you learn an entirely new set of properties and functions for every class your scripts utilize. A few additional aspects must be noted when dealing with groups. Groups can be one of two types: security or distribution. They can also have one of three scopes: universal, global, or domain local. You must specify each of these when creating...

AD RMS Cluster

Every AD RMS deployment, whether it is a single or multiple server deployment, is referred to as an RMS cluster. In a typical RMS deployment scenario, the RMS cluster consists of multiple RMS servers, which could be load-balanced by using either Microsoft Network Load Balancing or a hardware-based load balancer. All servers in an RMS cluster share a common back-end SQL database. The first server in an RMS cluster is referred to as the Primary Root server. All additional RMS servers in the RMS...

Excel Scripts

Beyond administrative use, scripting is used to gather data from Active Directory. Query results (see the discussion of QueryClass earlier in this chapter) can be displayed as command-line output that can be redirected to a text file. The text file can then be loaded into Excel. If the data was formatted correctly in the output file (for example, with commas separating the fields), the data can be imported into separate columns, which might then need to be reformatted, with column headers added...

Account Types

You will need to create accounts to differentiate each of your users on the network and to grant the appropriate permissions so those users can access the resources they need to perform their jobs. You will also need to create accounts for the computers that are going to act as members of your domain. Finally, you'll need to create accounts for users and computers within your domain that require the same rights and permissions. Of course, you will also have accounts that will not need any...

Modifying Data

You have seen how to bind to objects, how to read the object's attribute values, and how to save changes to those attributes. Now we can dive into the depths of actually modifying data in Active Directory. One last-minute reminder: always check that the object you've bound a variable to actually exists, that is to say, it does not have a value of Nothing. If you missed the target, it is a lot easier to stop and adjust your aim than to keep firing errant shots into the hillside. In this section, we...

Protecting Systems during Installation

Most administrators dread the thought of installing the operating system on a new system and will instead take measures to automate the installation. The most popular methods of automating the installation include creating an image, using an automated installation file, or using Microsoft's Windows Deployment Services (WDS). There are pros and cons to each of the installation types, but all of them are far more efficient than installing manually. A domain controller's base operating system...

Become Comfortable with Active Directory Tools

The following list of tools will help you in your troubleshooting methodology. Become familiar with the tools to make your troubleshooting efforts easier.
Tool: Active Directory Domains and Trusts. Function: Administer domain trusts, add user principal name suffixes, and change the domain mode. Covered in Chapter: 16, 17.
Tool: Active Directory Users and Computers. Function: Administer the replication of directory data. Administer and publish information in the directory. View, modify, and set access control lists...

Best Practices for Logon and Account Lockout Troubleshooting

Nothing frustrates administrators and users alike more than logon issues. The calls that flood in right after a mandatory password change can be frustrating, but if you follow the information in this chapter, and especially the following tips, you may be able to reduce the resulting headache. Only enable universal group membership caching if you want to reduce the replication across a WAN link and you have a small number of users who will be affected. Only turn off universal group membership...

Active Directory Essential Services

For Active Directory to function correctly, several services must be operational. Those services include the File Replication Service (FRS), the Intersite Messaging Service (IsmServ), the Kerberos Key Distribution Center (KDC), the NetLogon service (NetLogon), and the Windows Time (W32Time) service. These services are almost always running on each domain controller. The script covered in this section alerts the user when one or more of these services is not running. The script begins by...

ldapDisplayName Schema

Some of the tools we talk about in this section are designed for modifying the schema itself. Rest assured, we won't perform any updates in this book. You should not need special permissions to view the schema, and you definitely do not need membership in the Schema Admins group. Let's start with the most basic tool, the dsquery utility, which is available after you install the adminpack.msi from the Windows Server 2008 CD. This utility lets us view the schema and properties of objects in Active...

Monitoring on a Budget

A school district moved over to an Active Directory system for managing student and personnel account information, and the district IT manager was very concerned about the uptime of the servers running the Active Directory services. He looked at different solution providers, researching product after product, when he noticed that most projects depend, in one form or another, on the WMI services. Given that it was late in the school's budget year and his unused budget money had already been...

Domain Class

The domain object can be used to access the default domain and its properties. When the object initializes it creates a temporary object referencing the RootDSE of the domain. After using the object to get the default naming context of the domain it de-references the object. One of the most frustrating things about VBScript classes is their lack of support for constants as class members. In other words, a constant can't be declared and used throughout the class definition. To work around this,...

Figure (number not captured): Add Roles Wizard pages for the AD RMS role: Before You Begin, Select Server Roles, AD RMS, Set Up Configuration Data..., Specify Service Account, Set Up Key Management, Specify Password, Select Website, Specify Cluster Address, Server Authentication Certi..., Specify Friendly Name For..., Set Up Revocation, Register in AD, Web Server (IIS), Role Services, Confirm Installation Selections, Installation Progress, Installation Results. The wizard text shown reads: "The Active Directory Rights Management Services (AD RMS) role requires that an AD RMS cluster be set up. An AD RMS cluster can..."

WINS Troubleshooting Tools

The WINS server itself is fairly robust, but as with all servers, some problems might arise. We will go through some troublesome areas and discuss a few of the tools to use when troubleshooting. (Before performing too much work on the WINS database, you should back up the database by right-clicking the server, clicking the Backup Database option, and specifying the backup location.) One of the most basic problems is a WINS server not giving out addresses. If this happens, ensure the WINS server...

Coming Up Next

Now that we have configured the interoperability options and methods of access to resources using the new Active Directory services, we need to make sure that all of the resources are accessible to the appropriate clients. In the next chapter, we will look at how to control access to objects when they are within our organization and when they leave our network. Controlling the rights others have to our resources allows us to make sure the content is not manipulated in ways we do not intend.

Resolving the IP Address

The most basic of all DNS services provide the ability for a client system to send a query to the DNS server, asking it to return the IP address of a host system. This type of resolution is referred to as forward name resolution. DNS provides this functionality by hosting resource records that specify the IP address for each of the host systems within the DNS namespace. The namespace is referred to within the DNS server as the zone. For instance, if your DNS namespace is zygort.lcl, and you have...

Physical Security for Domain Controllers

Probably the most overlooked area in security is physical access to the domain controllers. I have worked on teams that engage in social engineering to try to find weaknesses in clients' networks. Social engineering is the act of manipulating people to get information about a computer system or network instead of trying to breach the computer systems themselves. We were hired by the company's executives to try to gain access to the network. Of all the processes that we tried, I was very...

Chapter: Maintaining the Active Directory Database

Keeping the AD DS database in good health is essential to keeping your environment running its best. You may have to manage the AD DS database manually to perform certain tasks.

Defragment the AD DS database: The AD DS database performs certain maintenance tasks automatically on a regular basis. One thing it cannot do is rid itself of the white space that occurs as you delete items from the database.

Master It: Chris is the administrator of a large AD environment that contains user accounts for...

Reading Data

At some point after binding to an object, most scripts read the attributes of that object. Remember that ADSI always sets up a cached copy of our Active Directory objects in a region of memory called the local property cache. Even though we have a cache location, we have no data in that cache yet. Binding to the object doesn't download any of its attributes into the local property cache; that task is left to us. ADSI provides three methods for populating the local property cache: GetInfo, Get,...

Active Directory Federation Services

As just mentioned, there are traditional methods of allowing access to resources between forests. Servers based on Windows 2000 and later will let you create a trust relationship, known as an external trust, with domains that are outside your Active Directory forest. These domains can be in another Active Directory forest, a Windows NT 4.0 domain, or a Unix Kerberos realm. The drawback to using an external trust is that the trust relationship is restricted to the two domains that are linked...

Chapter: Managing Active Directory Rights Management Services

Understanding rights-management servers: The AD RMS Server is a server component that will issue RMS certificates and licenses, enroll servers and users, perform administrative functions, and manage licensing of rights-protected information.

Master It: Shannon is the administrator of a large nationwide distribution company. She is implementing AD RMS servers for different departments in different geographical regions. She has installed the Root Certification server, but the consultant, Jami, said...

Guarding against Remote Access Attacks

You can take many steps to prevent remote-access attacks. You can secure and/or delete certain built-in accounts, secure your password information with the Syskey utility, relocate the AD DS database files, and even block ports with Internet Protocol Security (IPSec) so that communication between domain controllers is encrypted. We will look at each one of these settings individually.

Domain Controller Audit-Policy Settings

Figure 9.2 shows the recommended settings for the audit policy for a...

Handling Errors

Rarely does a script get written perfectly the first time. When a script uses an outside resource, such as a database or a directory service, the chances that something could go wrong only increase. Now not only do you have to account for the usual scripting errors, but you also have to be prepared for errors that might occur on that resource. You might encounter the following error types when developing a script: Syntax errors result when your script breaks the rules of the language. This is...

Managing Access with Active Directory Services

Creating an Active Directory-based infrastructure is a good first step in controlling user access to resources within your organization. Having Active Directory in place, however, doesn't mean that gaining access to those resources will be easy for all of your users. Once you have planned out how you are going to implement Active Directory for your organization's users, you may need to enable other user accounts to access your resources. A good case in point is when you are working with another...

Security Principal Accounts

In this section we will discuss three security principal accounts. A security principal is an account that has a SID associated with it; it can be assigned access to resources and can also be granted the ability to perform special functions within the forest. Two account types can represent a person who needs access to resources within your network infrastructure: the User account and the InetOrgPerson account. Both of these account types will grant users access to resources, but the...

Multiple Forests Pros and Cons

Multi Forest Design

Seeing multiple forests in a medium-sized business is not uncommon. One of my AD DS clients had about 2,000 people and six forests. They used one for production, one for development, two for extranet applications, and two for development that mimicked the extranet production forests. This was a good, secure design for them. Although not every organization will need to go to this extreme, I often recommend that you have a separate forest in which to test changes to AD DS and software...

Creating a Simple Design

The underlying group policy design goal, aside from supporting the organization's objectives, should be simplicity. A simple design will allow more-efficient troubleshooting and processing of group policy settings. The fewer group policy settings that need to be applied to a computer or user, the faster the computer will start up and the quicker the users will be able to log on to their systems. Because even a small GPO can be 1.5 MB in size, network traffic will also be reduced. If problems arise...

Understanding Company Objectives

Before designing the OUs that you will use for implementing GPOs, you need to understand the organization's needs. Although every AD DS rollout will have password requirements, lockout restrictions, and Kerberos policies applied, that is usually where similarities between organizations end. The first thing you should do is document your organization's administrative structure. This will give you a better understanding of how resources are administered within the organization. Base your group...

Figure: Specifying the application directory partition name

After specifying what you will use for an application directory partition, you have the option to specify where the data files for AD LDS will be stored. This is the same data-file technology as in Exchange Server, SQL Server, and Active Directory databases. As you can see in Figure 10.19, the Data Files text box lets you specify where the database data file will be located, and the Data Recovery Files text box is used to specify where the...

List Group Members

This script lists the immediate members of a group. Start by binding to the group, then set a variable equal to the Members property. This property returns a Dictionary object containing a list of group members in the Key field. The value field will contain 0. The script below is restored from a garbled copy (digits substituted for letters, missing "=" signs and angle brackets); the argument to BindToGroup and the body of the loop were not captured in this excerpt, so the group's ADsPath is left for you to supply and the loop simply echoes each member name, which matches the script's stated purpose. The include is split into its own script element because WSH ignores inline code in a script element that carries a src attribute; the path separator is assumed.

    <script language="VBScript" src="includes\GroupClass.vbs"></script>
    <script language="VBScript">
    Dim GroupObject, GroupMembers, Member
    Set GroupObject = New GroupClass
    ' Bind to the group; the ADsPath argument is not shown in this excerpt
    GroupObject.BindToGroup
    ' Members returns a Dictionary whose keys are the member names
    Set GroupMembers = GroupObject.Members
    For Each Member In GroupMembers.Keys
        WScript.Echo Member
    Next
    </script>

Delegating a Subdomain

Another naming scheme is to create a subdomain beneath the company's Internet presence. While this method does not protect the internal resources as efficiently as a private namespace, you can effectively use the security by obscurity method. In other words, if a company uses an external namespace of zygort.com and an internal namespace of internal.zygort.com, the internal namespace should not be available within the external DNS servers. Even if you never add any delegation records to the...

Delegation of Control

One feature in AD DS that enhances our ability to administer networks is delegation of control. This means Windows 2003 and 2008 administrators can now delegate administrative tasks to specific non-administrator users or groups, as well as limit the functionality of other administrators. We can delegate control to practically all levels in our network: sites, domains, or OUs. Because we have this granularity of delegation capability, we can assign or delegate what are normally considered...

PowerShell Cmdlets

It's time to introduce you to cmdlets. That isn't a typo; it's actually pronounced command-lets, and this is the name by which PowerShell commands are called. Technically these represent the smallest unit of functionality in the PowerShell environment, so they were given their own special name. In our alias list, you might have noticed that the PowerShell cmdlets follow a similar naming format. Specifically, each starts with a verb such as Get, Write, or Start, followed by a dash, and finishes...

Create a Computer Account

Creating a computer account is a common administrative function. After creating a new instance of the ComputerClass class, call the Create method. The Create method takes three arguments: the ADsPath of the computer account's container, the CN, and the SAM account name of the new computer account. After you create the new computer account you can continue to set any additional properties with the SetProperty method. This method takes two arguments: the property name and the new value. After you...

Verify Server Health

To verify server health, start by following the same troubleshooting pattern as with the client health check. More often than not, the client has received its settings from a Dynamic Host Configuration Protocol (DHCP) server, while the server is often assigned static information. When a server has static settings, the chance for human error always exists. As I was typing that last sentence I hit the Backspace key at least three times. Human error can cause any number of problems with static...

Designing OUs for Group Policy

Active Directory Design

Group Policy has proved to be one of the most widely used Active Directory technologies and, at the same time, one of the most misunderstood and misused. Many administrators who have taken advantage of Group Policy Objects (GPOs) to control the security of systems and to distribute software to users and computers do not fully understand the options available when using GPOs. Understanding the settings that can control security, restrict user sessions and desktops, deploy software, and configure...

Understanding the Current DNS Infrastructure

DNS has been around for many years, and chances are you already have DNS within your infrastructure. You'll have to determine if your current DNS implementation will support your needs. After all, what works for the Unix or Novell side of your network may not work the best for Active Directory. Case in point: DNS is normally a single-master database. This means that updates and entries into the database can be made on only one server: the server holding the primary zone. Every other DNS server...

User Class

The UserClass class obviously represents a User object in Active Directory. To use this object it must be instantiated like the other classes and then either bound to an existing User object in AD or used to create a new user. User properties can then be modified, the password reset, or the account unlocked. The group membership of the user can be returned, a group can be joined, or the group membership can be copied from another user. Finally, the object can be saved to AD. The Create method...

Password Policy

Password restrictions can be set to control exactly how passwords are used within the domain. If you open the Password Policy node, you will see the following options:
Enforce Password History: This option specifies how many passwords the system will keep track of and how many unique passwords a user will go through before they are allowed to reuse a password.
Maximum Password Age: This option specifies how long a password will remain valid before the user is forced to change the password.
Minimum...

Editing Group Policies

Group Policy templates are the parts of the GPO that are stored within the SYSVOL container of domain controllers, and the parts of the GPO that the GPME can manipulate. When you are editing group policies, make sure you plan how and when you will make the changes. Any change that you make to a GPO goes into effect immediately. Of course, chances are that you will not see the change affect a system as soon as you make it, but the change will be available the next time the periodic processing...

Designing OUs for Administrative Control

To have complete control over an OU, you must first be delegated full-control permission. This delegation is provided by the domain owner and can be granted to users or groups. For efficiency's sake, create a group that will manage the OU, and delegate permissions to this group. You can then add user accounts that need to manage the objects, otherwise known as the OU owners, to the group with full-control permissions. OU owners control all aspects of the OU over which they have been given...

What Makes Up a Group Policy Object

Two parts make up a Group Policy Object (GPO): the Group Policy container and the Group Policy template. Even though the two parts of the GPO are stored in different locations, both must be available for group policy processing to work. The Group Policy container is a construct of Active Directory. The container is used to control permissions for the GPO and to store attributes that allow us to identify the GPO. The permissions that we can set control who can manage the GPO, as well as the systems and...

OUs Based on Location

If an organization has resources that are centralized but the administrative staff is based at different geographic locations, the OU design should take on a location-based strategy. Using this strategy, the OU structure is very resistant to reorganizations, mergers, and acquisitions. Because all the objects are located beneath the top-level OU, which is based on company location, as seen in Figure 4.9, the lower-level OUs can be modified and the objects moved within the OUs to accommodate the...

Move a User Object

Because a good Active Directory hierarchy uses containers and/or organizational units to organize objects, eventually you will have to deal with user accounts moving from one container object to another. Calling the Move method and passing the ADsPath of the destination container will move the bound User object to its new home.

<script language="VBScript" src="includes\UserClass.vbs"/>
' Instantiate the class, bind to the existing user, then move it.
' The two ADsPath arguments are placeholders; supply your own values.
Set UserObject = New UserClass
UserObject.BindToUser "<ADsPath of the user to move>"
UserObject.Move "<ADsPath of the destination container>"

Verify Service Health

To verify the health of the service, follow these steps:

1. Verify that the service is installed properly on the server.
2. Verify that the service is running.
3. Verify that the user has permissions to make the request.
4. Regularly review the application event log.

The log is where services usually record their events and indicate whether they are error, warning, or informational events. If you find a warning or error event in the event log, determine the source and search knowledge-base information...

Global Catalog Placement

Global catalog (GC) servers are domain controllers that take on the additional load of hosting objects from every domain within the forest. You should be familiar with the placement of GC servers within your network. The same basic rule applies to a GC server as it does to a domain controller: one should be placed within every site. Of course, this could be easier said than done. Budget limitations and security practices may prohibit you from placing GC servers everywhere you want. Follow these...

Kerberos Logging

You can have the system present more-detailed information concerning authentication by turning on Kerberos logging. To do so, you can either edit the registry manually or run a script provided within the Account Lockout and Management Tools (see the Account-Lockout Problems section for more information). If you plan to edit the registry on a domain controller to enable Kerberos logging, you will need to open regedt32 and navigate to the following registry key. You must add the REG_DWORD entry...

AD Database and Log File Free Space

Every Active Directory database needs free disk space to grow. The AD transaction log files also need free space. This script monitors the amount of available disk space on the drives holding the AD database and log files and raises an alert if the available disk space drops below a given amount. The script begins by retrieving a list of domain controllers from a DomainClass object. The location of the AD database and log files may be different on each domain controller. An advantage of the...

Effective Permissions

As you can see, permissions can be assigned to a user directly (although you usually want to avoid this option) or to a group, or they can be inherited from parent containers. Trying to ascertain what permissions a user or group has applied or inherited can be daunting. Recall John Doe, our user from our earlier example. He has permissions assigned to him directly; he is also a member of a group that has permissions applied to it, and he inherits permissions from another container. What are John Doe's...

Command Line Utilities

If you prefer typing your commands, or if you would like to script the administrative control of accounts, you can use command-line utilities to manipulate Active Directory-based accounts. There are limitations to the Active Directory Users and Computers interface. If you want to create several accounts, you have to right-click on the container or OU where you wish to create each account (as shown in the Active Directory Users and Computers section of this chapter); you can only enter the user's...

Step 4: Review the Considerations for Installing AD RMS

The fourth step in the process is to review the following considerations before installing AD RMS in your environment. These considerations are presented by Microsoft in its online documentation, but they are reworded here for clarity. Use a dedicated database server to host the AD RMS database. Avoid using the Windows Internal Database in a production deployment. Windows Internal Database is intended for use only in a test environment, and it does not support remote connections, which means that...

User Properties and Methods

The IADsUser interface manages user accounts in the directory. This interface inherits from the IADs interface described earlier, so it also contains the properties and methods described with that interface. Because we will work extensively with the user object in our scripts, you should familiarize yourself with this object's properties and methods. Two more important reminders: not all properties listed here will be available through the Active Directory Users and Computers console; the only way to...

Use Secure DDNS

As mentioned before, if you want to make sure the records entered within your DNS zones are valid, you can implement the Secure Only option from the General tab of the zone properties, as seen in Figure 2.13. Once enabled, only clients that are members of your AD DS domain can enter records within the zone.

[Figure 2.13: the zone properties General tab (Start of Authority (SOA); Replication: All DNS servers in this forest; Dynamic updates: Secure only), with the dialog's note that allowing nonsecure dynamic updates is a vulnerability because updates can be accepted from untrusted sources]

To set aging/scavenging...

PDC Emulator

1. Open Active Directory Users and Computers.
2. Right-click on Active Directory Users and Computers and select Change Domain Controller (make this the domain controller that you want to be the PDC Emulator).
3. Right-click on the domain controller and select Operations Masters.
4. Click the Change button, and transfer the role to the domain controller you want to use as the PDC Emulator.

Seize FSMO roles: If a domain controller that holds a FSMO role is down or unresponsive, you may need to seize a FSMO...

Installing and Configuring AD RMS

Now that you've got a basic understanding of AD RMS, it's time to begin installing and configuring it in your organization. The following is a step-by-step guide to building an RMS solution in your environment.

1. Ensure that the server meets the hardware and software requirements and recommendations.
2. Create an AD RMS service account.
3. Create an AD RMS installation account.
4. Review the considerations for installing AD RMS.
5. Assign an email address to AD RMS users and groups.
6. Raise the...

Chapter Managing Group Policy

Identify the different group policy types. Microsoft has changed the format of group policy templates so that they are easier to manage. Instead of using a proprietary format, the new group policy templates that are used with Vista and Windows Server 2008 are based on XML.

Master It: Administrative templates are formatted using two different markup languages. What formats are they created in, and which operating systems support the group policies that are configured with each?

Master It Solution...

Design FSMO placement according to AD DS best practices and business requirements

Proper FSMO design and server placement are important to your AD DS design for service availability and performance.

Master It: You are designing the FSMO role placement in your AD DS environment. You have one forest and two domains. DomainA is a root domain that is used to protect certain resources from the main domain (DomainB). DomainA consists of two domain controllers: ServerA-1 and ServerA-2. DomainB consists of three domain controllers: ServerB-1, ServerB-2, and ServerB-3. ServerB-1 and...

Switched Off Netlogon Synchronization

Don't worry about this; it isn't as bad as it seems. It just means that you will not be able to add additional Windows NT 4 BDCs to your domain. Once you have made the commitment to move to Active Directory, you should not need to install additional Windows NT 4 domain controllers on your network. There are cases in which this may not be true, but if you have eliminated all of the Windows NT 4 BDCs from your domain, you can safely make the move to native mode. Windows NT 4 member servers can...

Chapter Troubleshooting Problems Related to the Active Directory Database

Problems with the AD DS database can cause a multitude of issues in your environment. Determining what is causing a problem with the database can be difficult. Being prepared with a wide array of tools will help you narrow down the issues and come to a quick resolution.

Troubleshoot database replication. Keeping information current and in sync is very important to the health of your AD DS database. Replication is the technology that keeps all domain controllers up-to-date with changes from other...

Stand-Alone Certificate Authority

Stand-alone CAs do not require AD Domain Services (AD DS), are less automated, and will require more input from the users than will an enterprise CA. However, they are able to use Active Directory, if it is accessible, for publishing user certificates and the CRL. Generally, stand-alone CAs are used as a trusted offline root CA in a large CA hierarchy or where organizations are using an extranet and the Internet. Stand-alone CAs issue certificates for digital signatures, to secure email using S...

Maintaining the Infrastructure Master

If you are working in a multiple-domain environment, the Infrastructure Master can be your best friend or your worst enemy. It is the Infrastructure Master's job to make sure that accounts from other domains that are members of a group are kept up-to-date. You do not want an account to have access to resources that it is not supposed to, and if changes are made to users and groups in other domains, you need to make sure that the same changes are reflected in your domain. For instance, let's say...

Using the Delegation of Control Wizard

To delegate control of an OU, go through Active Directory Users and Computers, right-click the OU you want to delegate, and then click Delegate Control. There are four steps in the delegation process:

1. Choosing which users or groups are going to receive delegated permissions
2. Designating the actual tasks to delegate, and whether you're
3. Specifying the Active Directory object type (creation or deletion of specific child objects)

In the first step, you choose the users or groups that are going...

Moving Objects in Active Directory

Certain assumptions were made about the growth and structure of the network in the initial design of an Active Directory network. A network is rarely static; it will grow and contract. You may add child domains or create new trees or even add forests. Within the domains, you may add or remove OUs to facilitate administration, and you will definitely move users, computers, printers, and other objects. This is especially true if you are taking over a network from someone else and need to...

Active Directory Schema

This is the one snap-in that is not available to administrators unless they choose to register the dynamic link library (DLL) necessary for it to be displayed and used. The designers of Active Directory did this intentionally because they did not believe the tool should be available to every administrator within the forest. Instead, Microsoft forces anyone who wants to use this tool to research how to get to the schema. Because the schema should not be altered unless there is a valid business...

Set Quotas

In Windows Server 2003- and 2008-based Active Directory domains, you have the ability to set quotas on the number of objects a user is allowed to create within the Active Directory partitions. You can set quotas differently on each Active Directory partition because each partition is evaluated separately. By using quotas you are able to effectively control the number of objects that can be created by an account, thereby quelling any attempt to flood an Active Directory-integrated zone with too...

Unlocking a User

To unlock a user object we can use the Quest Active Directory cmdlet Unlock-QADUser. This cmdlet is also simple: all we have to do is pass the identity of the user object to unlock, as shown here:

Find-ADUserDN tempUser01 | Unlock-QADUser
Find-ADUserDN Temp | Unlock-QADUser

To unlock all currently locked users, we can pipe the results of the Get-QADUser cmdlet, with the -Locked parameter, into the Unlock-QADUser cmdlet, as shown here:

Get-QADUser -Locked | Unlock-QADUser

Keep in mind that this is a...

Native Mode Logon Problems

Once you have switched your domain out of Windows 2000 mixed mode, you will be required to have global catalog servers available. Windows 2000 native, Windows Server 2003, and Windows Server 2008 functional levels require that a global catalog server be available so that a user's universal group membership is checked prior to authentication. Universal security groups do not exist within a Windows 2000 mixed-mode domain. However, once you have changed your domain to support them, each user's...

Auditing for Logon Problems

Domain Servers 2008 Disable Audit Policy

As with any troubleshooting, you should start with checking out the event logs on the client system and the domain controllers within their sites. Although many administrators criticize the event logs, you can find out some interesting and useful information from them. If you have enabled auditing of account logon and logon events, you will receive events in the security log that pertain to accounts as they authenticate or fail to authenticate. To watch for failures, you must audit the failure...

Account Lockout Policy

The Account Lockout node contains the options that control when a user's account will be locked out, or disabled from use, if too many password attempts fail. This is used to make sure that a user's account is not easily compromised if an attacker is trying to determine the user's password. Following are the options contained within this node:

Account Lockout Duration: This option specifies how long an account remains in a locked-out state. If it's set to 0, the administrator will have to unlock...

Domain Controller Placement

Domain controllers host the database that is Active Directory. In order for users to log on to the domain, they need to be able to connect to a domain controller. The rule of thumb is to locate a domain controller near any user so the user can log on even if WAN connections fail. There are instances when you will not want to place a domain controller at a specific location. In the following sections, we look at the options for placing domain controllers within your infrastructure and, in some...

Creating a Baseline

Just as when you are preparing for performance monitoring, you should create an Active Directory baseline that includes all of the settings you have made during the configuration of your domain controller. You should document all your settings so that you can pull out the documentation whenever you want to review the settings. Make sure you double-check the auditing settings as well as all directory service permissions and service-account administrator-group memberships. Documenting these items...

Active Directory Users and Computers

You can use the Active Directory Users and Computers utility to find the domain controllers that hold domain-specific roles. As discussed in Chapter 5, each domain has an Infrastructure Master, a RID Master, and a PDC Emulator. So it only makes sense that to find the role holders of these FSMO roles, you consult a utility that helps you maintain aspects of your domain. When you open Active Directory Users and Computers, it is not immediately obvious that the FSMO role holders can be found...

Acctinfo.dll

The acctinfo.dll file is actually part of the Account Lockout and Management Tools you can download from Microsoft, which we discuss later in the Account-Lockout Problems section. Once added into your system, acctinfo.dll includes an additional property page for the user-account properties. As Figure 17.14 shows, this additional property page will allow you to determine when the account's password was set, when the password expires, when the user last logged on or off the domain, as well as...

Discretionary Access Control List

As mentioned earlier in the chapter, the security descriptor is the basis for access to objects within Active Directory. Part of the security descriptor is the access control list (ACL). Access to objects is determined by the access token of the security principal accessing the object, and the object's ACL. The ACL comprises four parts: an ACL size, an ACL revision number, an access control entry (ACE) count, and the ACEs themselves. The ACL size is the amount of memory, in bytes, that the ACL will...

Authorization

After the user has been authenticated to the network, he or she must gain access to network resources. This is known as authorization. Think of authentication as showing your identification at the door of a club. Your identification shows that you are allowed to be there because you are of age. You get in to the club, but your hand is stamped with a red stamp instead of a green stamp. The red stamp means that you can be in the club, but cannot drink alcohol. Authorization comes into play when...

Server Licensor Certificate

A server licensor certificate (SLC) grants permission to an RMS server to issue certificates and licenses to users, computers, and other RMS servers. In earlier versions of RMS, the RMS server needed to have an Internet connection to receive the SLC from the Microsoft Enrollment Service. This requirement has been removed from AD RMS. The AD RMS included with Windows Server 2008 installs a server self-enrollment certificate and a private key on the AD RMS server. The server self-enrollment...

Table: Commonly Used Win32 WMI Classes and Their Properties (continued)

Class: Description and properties

Win32_Service: Represents the running services on a system. Useful properties include Caption, Name, PathName, Started, StartMode, StartName, and State.

Win32_Share: Represents the shared resources on a system. Useful properties include Name, Path, Type, and Status.

To get a better idea of what is available in WMI, let's look at a few tools. The first is a built-in utility named WbemTest.exe. This tool allows you to browse the wealth of WMI information on a system. It is installed with Windows...

Step: Verify AD RMS Functionality

The last step in the process is to verify AD RMS functionality. Do the following to accomplish this:

1. Log on to the Windows Vista workstation as DOMAIN\User1.
3. Click Tools > Internet Options and then click the Security tab.
4. Select Local Intranet > Sites (Figure 11.13) and then click the Advanced button.
5. Type https://adrmsserver and then click Add (Figure 11.14).