Windows 2008 Active Directory Configuration – Week 3 of 6
Microsoft Test: 70-640
Mark McCoy, MCSE, CNE, CISSP

Mar 26, 2015

Page 1 (title slide)

Page 2: Week 3 Agenda

Review Week 2:
- Ch 3 - Planning and Installation of Active Directory
- Ch 4 - Installing and Managing Trees and Forests

Week 3 Discussion:
- Ch 5 - Configuring Sites and Replication
- Ch 6 - Configuring Active Directory Server Roles

Questions & Answers

Week 3 Homework Assignment

Page 3: Chapter 1 - Overview of Active Directory

- The Windows NT 4 Domain Construct (the “Roots” of the Active Directory Tree and Forest)
- The Benefits of Active Directory
- The Logical Structure of Active Directory
- Understanding Active Directory Objects
- Windows 2008 Server Roles
- Identity and Access (IDA) in Active Directory
- Exam Essentials

Page 4: Comparison of Domain Functional Level Capabilities

| Domain Functional Feature | Windows 2000 Native | Windows Server 2003 | Windows Server 2008 |
|---|---|---|---|
| Fine-grained password policies | Disabled | Disabled | Enabled |
| Read-only domain controller (RODC) | Disabled | Enabled | Enabled |
| Last interactive logon information | Disabled | Disabled | Enabled |
| Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol | Disabled | Disabled | Enabled |
| Distributed File System replication support for Sysvol | Disabled | Disabled | Enabled |
| Ability to redirect the Users and Computers containers | Disabled | Enabled | Enabled |
| Ability to rename domain controllers | Disabled | Enabled | Enabled |
| Logon timestamp updates | Disabled | Enabled | Enabled |
| Kerberos KDC key version numbers | Disabled | Enabled | Enabled |
| InetOrgPerson objects can have passwords | Disabled | Enabled | Enabled |
| Converts NT groups to domain local and global groups | Enabled | Enabled | Enabled |
| SID history | Enabled | Enabled | Enabled |
| Group nesting | Enabled | Enabled | Enabled |
| Universal groups | Enabled | Enabled | Enabled |

Page 5: NTDSUTIL Command Options

| ntdsutil Domain Management Command | Purpose |
|---|---|
| Help or ? | Displays information about the commands that are available within the Domain Management menu of the ntdsutil command. |
| Connection or Connections | Allows you to connect to a specific domain controller. This sets the context for further operations that are performed on specific domain controllers. |
| Create NC PartitionDistinguishedName DNSName | Creates a new application directory partition. |
| Delete NC PartitionDistinguishedName | Removes an application data partition. |
| List NC Information PartitionDistinguishedName | Shows information about the specified application data partition. |
| List NC Replicas PartitionDistinguishedName | Returns information about all replicas for the specified application data partition. |
| Precreate PartitionDistinguishedName ServerDNSName | Precreates cross-reference application data partition objects. This allows the specified DNS server to host a copy of the application data partition. |
| Remove NC Replica PartitionDistinguishedName DCDNSName | Removes a replica from the specified domain controller. |
| Select Operation Target | Selects the naming context that will be used for other operations. |
| Set NC Reference Domain PartitionDistinguishedName DomainDistinguishedName | Specifies the reference domain for an application data partition. |
| Set NC Replicate NotificationDelay PartitionDistinguishedName FirstDCNotificationDelay OtherDCNotificationDelay | Defines settings for how often replication will occur for the specified application data partition. |

Page 6: Chapter 3 - Exam Essentials

Know the prerequisites for promoting a server to a domain controller. You should understand the tasks that you must complete before you attempt to upgrade a server to a domain controller. Also, you should have a good idea of the information you need in order to complete the domain controller promotion process.

Understand the steps of the Active Directory Installation Wizard (DCPROMO). When you run the Active Directory Installation Wizard, you'll be presented with many different choices. You should understand the effects of the various options provided in each step of the wizard.

Be familiar with the tools that you will use to administer Active Directory. Three main administrative tools are installed when you promote a Windows Server 2008 to a domain controller. Be sure you know which tools to use for which types of tasks.

Understand the purpose of application data partitions. The idea behind application data partitions is that, since you already have a directory service that can replicate all kinds of security information, you can also use it to keep track of application data. The main benefit of storing application information in Active Directory is that you can take advantage of its storage mechanism and replication topology. Application-related information stored on domain controllers benefits from having fault-tolerance features and availability.

Page 7: Creating Domain Trees and Forests (cont.)

Page 8: Creating Domain Trees and Forests (cont.)

Page 9: Chapter 4 Exam Essentials

Understand the reasons for using multiple domains. There are seven primary reasons for using multiple domains: they provide additional scalability, they reduce replication traffic, they help with political and organizational issues, they provide many levels of hierarchy, they allow for decentralized administration, they address legal requirements, and they allow for multiple DNS or domain names.

Understand the drawbacks of using multiple domains. With multiple domains, maintaining administrative consistency is more difficult. The number of administrative units multiplies as well, which makes it difficult to keep track of network resources. Finally, it is much more difficult to rearrange the domain topology within an Active Directory environment than it is to simply reorganize OUs.

Know how to create a domain tree. To create a new domain tree, you need to promote a Windows Server 2008 computer to a domain controller, select the option that makes this domain controller the first machine in a new domain, and make that domain the first domain of a new tree. The result is a new domain tree.

Know how to join a domain tree to a forest. Creating a new tree to form or add to a forest is as simple as promoting a server to a domain controller for a new domain that does not share a namespace with an existing Active Directory domain. In order to add a domain to an existing forest, you must already have at least one other domain. This domain serves as the root domain for the entire forest.

Understand how to manage single-master operations. Single-master operations must be performed on specially designated machines within the Active Directory forest. There are five main single-master functions: two that apply to an entire Active Directory forest (Schema Master and Domain Naming Master) and three that apply to each domain (RID Master, PDC Emulator Master, and Infrastructure Master).

Understand how to manage trusts. When configuring trusts, you'll need to consider two main characteristics: transitivity and direction. The simplest way to understand transitive relationships is through an example like the following: If Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C. Trusts can be configured as intransitive so that this type of behavior does not occur. In one-way relationships, the trusting domain allows resources to be shared with the trusted domain. In two-way relationships, both domains trust each other equally. Special trusts include external trusts, realm trusts, cross-forest trusts, and shortcut trusts.
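The direction and transitivity rules above, worked as a small model (an added example, not part of the course slides): each one-way trust is recorded as (trusting, trusted, transitive), a two-way trust is two such records, and the domain names in the sample forest are constructed.

```python
# Added example (not from the slides): a model of trust direction and transitivity.
# A one-way trust is recorded as (trusting, trusted, transitive): the trusting domain
# accepts users from the trusted domain. A two-way trust is two one-way records.
# Domain names below are constructed.
from collections import deque


def build_trust_map(trusts):
    """trusts: iterable of (trusting, trusted, transitive).
    Returns {trusting: {trusted: transitive}}."""
    trust_map = {}
    for trusting, trusted, transitive in trusts:
        trust_map.setdefault(trusting, {})[trusted] = transitive
    return trust_map


def two_way(a, b, transitive=True):
    """A two-way trust is simply a pair of one-way trusts."""
    return [(a, b, transitive), (b, a, transitive)]


def can_access(trust_map, user_domain, resource_domain):
    """True if a user from user_domain can be authenticated by resource_domain.
    Rule from the slide: A trusts B and B trusts C implies A trusts C only while
    every hop is transitive; an intransitive (e.g. external) trust works only
    as a direct, single-hop trust. Direction matters: resource_domain must be
    the trusting side and user_domain the trusted side."""
    if user_domain == resource_domain:
        return True
    if user_domain in trust_map.get(resource_domain, {}):
        return True  # direct trust, transitive or not
    # Multi-hop: walk outward from the resource domain over transitive hops only.
    seen = {resource_domain}
    queue = deque([resource_domain])
    while queue:
        domain = queue.popleft()
        for trusted, transitive in trust_map.get(domain, {}).items():
            if not transitive:
                continue  # an intransitive hop ends the chain
            if trusted == user_domain:
                return True
            if trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
    return False


# Constructed forest: corp.example is the root and sales.corp.example its child
# (parent-child trusts are two-way and transitive); corp.example has a one-way
# intransitive external trust to partner.example, which in turn has a two-way
# transitive trust with supplier.example.
SAMPLE_TRUSTS = (
    two_way("corp.example", "sales.corp.example")
    + [("corp.example", "partner.example", False)]
    + two_way("partner.example", "supplier.example")
)

if __name__ == "__main__":
    tm = build_trust_map(SAMPLE_TRUSTS)
    for user, resource in [("sales.corp.example", "corp.example"),
                           ("partner.example", "corp.example"),
                           ("corp.example", "partner.example"),
                           ("supplier.example", "corp.example"),
                           ("partner.example", "sales.corp.example")]:
        print(f"{user} -> {resource}: {can_access(tm, user, resource)}")
```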

Understand how to manage UPN suffixes. By default, the name of the domain in which the user is created determines the UPN suffix. By adding additional UPN suffixes to the forest, you can easily choose more manageable suffixes when it comes time to create new users.

Understand how to manage Global Catalog (GC) servers. You can configure any number of domain controllers to host a copy of the GC. The GC contains all of the schema information and a subset of the attributes for all domains within the Active Directory environment. Servers that contain a copy of the GC are known as GC servers. Whenever a user executes a query that requires information from multiple domains, they need only contact the nearest GC server for this information. Similarly, when users must authenticate across domains, they will not have to wait for a response from a domain controller that may be located across the world. The end result is increased overall performance of Active Directory queries.

Understand Universal Group Membership Caching. You can enable a domain controller as a universal group membership caching server. The universal group membership caching machine will then send a request for the logon authentication of a user to the GC server. The GC will then send the information back to the universal group membership caching server to be cached locally for 8 hours (by default). The user can then authenticate without the need to contact the GC again.

Page 10: Chapter 5 - Configuring Sites and Replication

- Chapter 5 Exam Objectives
- Overview of Network Planning
- Overview of Active Directory Replication and Sites
- Implementing Sites and Subnets
- Configuring Replication
- Monitoring and Troubleshooting Active Directory Replication
- Exam Essentials

Page 11: Chapter 5 Exam Objectives

Configuring the Active Directory Infrastructure

Configure sites. May include but is not limited to: create Active Directory subnets; configure site links; configure site link costing; configure sites infrastructure

Configure Active Directory replication. May include but is not limited to: Distributed File System; one-way replication; Bridgehead server; replication scheduling; configure replication protocols; force intersite replication

Page 12: Overview of Network Planning

Three Types of “Networks”:
- LAN: well-connected/reliable, fast link speeds (10M – Gigabit)
- WAN: somewhat “unreliable”, slower link speeds (56K – 1.5M)
- Internet

Network Constraints:
- Bandwidth
- Cost

Page 13: Overview of AD Replication and Sites

Replication
- The Active Directory database is copied, in a “multi-master” fashion, from “one” to “all” domain controllers
- “Sites” represent the physical structure of the organization

Replication “Building Blocks”
- Site
- Subnet
- Site Links
- Bridgehead Server

Page 14: Replication Building Blocks

Site
- Physical location within the company
- Contains domain controller(s) that must replicate with each other, within a site and between sites
- Can contain a single domain or multiple domains

Subnet
- The IP subnet that defines the site from a routing perspective

Site Link
- The physical connectivity from one site to another within the company
- The site link is given a relative cost, which is assigned a lower value for faster links
- Link transport protocol can be RPC over IP or SMTP

Bridgehead Server
- Server within a site that “speaks for the site” when replicating AD information to another site
- DCs within a site replicate with their bridgehead server, and the bridgehead server replicates AD data to other sites, conserving bandwidth

Page 15: Implementing Sites and Subnets

A Site in Active Directory represents a physical location within a company. CBSHOME Real Estate sites may be as follows:
- Agent Services
- West Dodge Sales Office
- Northwest Sales Office
- Davenport Sales
- Etc.

Each site is associated with an IP subnet. CBSHOME subnets would be as follows:
- Agent Services: 192.168.2.0/24
- West Dodge Sales Office: 192.168.1.0/24
- Northwest Sales Office: 192.168.44.0/24
- Davenport Sales Office: 192.168.80.0/24
- Etc.

Each site can contain one or more domains. CBSHOME sites contain one domain; two or more domains can be co-located within a single site.

At least one Domain Controller/Global Catalog Server should be placed in each site to provide better authentication and resource location response times.

Let's create a few Sites and Subnets using the AD Sites and Services snap-in...
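How the subnet-to-site association above is actually used, as an added example that is not part of the slides: a client or DC address is matched against the configured subnet objects, the most specific matching subnet decides the site, and an address that matches no subnet is left unassigned. The subnets and site names are the CBSHOME values from the slide; the sample addresses and the extra overlapping /25 subnet are constructed.

```python
# Added example (not from the slides): map an IP address to its Active Directory
# site by matching it against the configured site subnets, as site-aware
# domain controller location does. Subnet/site pairs come from the slide;
# the client addresses used below are constructed test data.
import ipaddress

# Site subnet objects as listed on the slide (subnet -> site).
CBSHOME_SUBNETS = {
    "192.168.2.0/24": "Agent-Services",
    "192.168.1.0/24": "West-Dodge-Sales-Office",
    "192.168.44.0/24": "Northwest-Sales-Office",
    "192.168.80.0/24": "Davenport-Sales-Office",
}


def build_subnet_table(subnets):
    """Parse the subnet strings once and sort by prefix length, longest first,
    so the most specific subnet wins when subnets overlap (e.g. a /25 carved
    out of a branch's /24 for a separate site)."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_address(address, table):
    """Return the site whose subnet contains `address`, or None when no subnet
    matches; None is the case that shows up as clients with no site in
    practice, and such clients cannot be steered to a nearby DC."""
    ip = ipaddress.ip_address(address)
    for network, site in table:
        if ip in network:
            return site
    return None


def unassigned_addresses(addresses, table):
    """Addresses that map to no site: each needs a subnet object added before
    site-aware DC location works for that client."""
    return [a for a in addresses if site_for_address(a, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(CBSHOME_SUBNETS)
    # Constructed sample: DC and client addresses, one outside every subnet.
    samples = ["192.168.2.10", "192.168.44.200", "192.168.80.5", "10.0.0.7"]
    for a in samples:
        print(a, "->", site_for_address(a, table))
    print("unassigned:", unassigned_addresses(samples, table))

    # Constructed overlap: a /25 inside the Agent Services /24 assigned to its
    # own site; the longer prefix must win for addresses in that half.
    overlap = build_subnet_table({**CBSHOME_SUBNETS,
                                  "192.168.2.128/25": "Agent-Services-Annex"})
    print("192.168.2.200 ->", site_for_address("192.168.2.200", overlap))
```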

Page 16: Configuring Replication

Replication comes in two flavors:

Intra-Site (DCs within a site replicate AD data with one another)
- Normally uses RPC over IP, since the link is “well-connected and reliable”

Inter-Site (DCs from one site replicate AD data with DCs in another site)
- Normally uses SMTP, since the link is somewhat unreliable
- Can also use RPC over IP if the link is reliable

Site Link properties (which link sites and their IP subnets) are used to control replication time and frequency between sites (which are assumed to be WAN links that are “slow” and somewhat unreliable).

A Bridgehead Server can be defined in a site to handle the inter-site replication and cut down on some of the inter-site replication traffic.

Let's configure a few Site Links and maybe a bridgehead server...

Page 17: Monitoring and Troubleshooting AD Replication

Monitoring Replication
- System Monitor
- Event Viewer (available within Server Manager)

Troubleshooting Replication
- Verify network connectivity
- Verify firewall and router configuration
- Verify that information is synchronized
- Verify the replication topology

Page 18: Chapter 5 Exam Essentials

Understand the purpose of Active Directory replication. Replication is used to keep domain controllers synchronized and is important in Active Directory environments of all sizes. Replication is the process by which changes to the Active Directory database are transferred between domain controllers.

Understand the concept of sites, site boundaries, and subnets. Subnets define physical portions of your network environment. Sites are defined as collections of well-connected IP subnets. Site boundaries are defined by the subnet or subnets that you include in your site configuration.

Understand the differences between intrasite and intersite replication. Intrasite replication is designed to synchronize Active Directory information to machines that are located in the same site. Intersite replication is used to synchronize information for domain controllers that are located in different sites.

Understand the purpose of bridgehead servers. Bridgehead servers are designed to accept traffic between two remote sites and to then forward this information to the appropriate servers. One way to efficiently synchronize data between sites that are connected with slow connections is to use a bridgehead server.

Implement site links, site link bridges, and connection objects. You can use all three of these object types to finely control the behavior of Active Directory replication and to manage replication traffic. Site links are created to define the types of connections that are available between the components of a site. Site links can reflect a relative cost for a network connection and can reflect the bandwidth that is available for communications. You can use site link bridges to connect site links together so that the relationship can be transitive. Connection objects provide you with a way to set up special types of replication schedules such as immediate replication on demand or specifying a custom schedule for certain servers.

Configure replication schedules and site link costs. You can create multiple site links between sites and you can assign site links a cost value based on the type of connection. The systems administrator determines the cost value, and the relative costs of site links are then used to determine the optimal path for replication. The lower the cost, the more likely the link is to be used for replication. Once you've determined how and through which connections replication will take place, it's time to determine when information should be replicated. Replication requires network resources and occupies bandwidth. Therefore, you need to balance the need for consistent directory information with the need to conserve bandwidth.

Determine where to place domain controllers and Global Catalog servers based on a set of requirements. Where you place domain controllers and Global Catalog servers can positively affect the performance of Active Directory operations. However, to optimize performance, you need to know where the best places are to put these servers in a network environment that consists of multiple sites.

Monitor and troubleshoot replication. The Windows Server 2008 System Monitor administrative tool is designed so that you can monitor many performance statistics associated with using Active Directory. In addition to this monitoring, you should always verify basic network connectivity and router and firewall connections, as well as examine the event logs.
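The site link cost and site link bridge rules from the essentials above, worked as a small model (an added example, not part of the course slides): each site link joins sites at an administrator-assigned cost, the lowest total cost route wins, and a route may cross more than one site link only when links are bridged. The site names, link names and costs are constructed.

```python
# Added example (not from the slides): a model of how site link costs decide the
# intersite replication route. Each site link joins two or more sites at an
# administrator-assigned cost (lower is preferred); the lowest total cost route
# wins, and a route may span several site links only when links are bridged
# (transitive). Site names and costs below are constructed.
import heapq
from collections import defaultdict


def build_graph(site_links):
    """site_links: list of (link_name, cost, [sites]). Every pair of sites in a
    link gets an edge at that link's cost; the cheapest link wins for a pair."""
    graph = defaultdict(dict)
    for name, cost, sites in site_links:
        for a in sites:
            for b in sites:
                if a != b and (b not in graph[a] or cost < graph[a][b][0]):
                    graph[a][b] = (cost, name)
    return graph


def replication_path(graph, src, dst, bridged=True):
    """Lowest-cost route from src to dst as (total_cost, [sites], [links]),
    or None when dst is unreachable. With bridged=False only a direct site
    link counts, which is what unbridged site links mean for routing."""
    if not bridged:
        edge = graph.get(src, {}).get(dst)
        return (edge[0], [src, dst], [edge[1]]) if edge else None
    # Dijkstra over the bridged (transitive) site link graph.
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, site = heapq.heappop(heap)
        if site == dst:
            break
        if d > dist[site]:
            continue  # stale queue entry
        for nxt, (cost, link) in graph.get(site, {}).items():
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                prev[nxt] = (site, link)
                heapq.heappush(heap, (d + cost, nxt))
    if dst not in dist:
        return None
    sites, links = [dst], []
    while sites[-1] != src:
        parent, link = prev[sites[-1]]
        sites.append(parent)
        links.append(link)
    return dist[dst], sites[::-1], links[::-1]


# Constructed topology: a hub site with three branch links plus a cheap
# branch-to-branch link, so the lowest-cost route to Davenport is not the
# direct (expensive) link from the hub.
SAMPLE_SITE_LINKS = [
    ("AgentServices-WestDodge", 100, ["Agent-Services", "West-Dodge"]),
    ("AgentServices-Northwest", 100, ["Agent-Services", "Northwest"]),
    ("AgentServices-Davenport", 300, ["Agent-Services", "Davenport"]),
    ("Northwest-Davenport", 50, ["Northwest", "Davenport"]),
]

if __name__ == "__main__":
    g = build_graph(SAMPLE_SITE_LINKS)
    for bridged in (True, False):
        label = "bridged" if bridged else "not bridged"
        print(label, replication_path(g, "West-Dodge", "Davenport", bridged))
        print(label, replication_path(g, "Agent-Services", "Davenport", bridged))
```

With bridging on, West Dodge reaches Davenport through Agent Services and Northwest at a total cost of 250 rather than over the direct 300-cost hub link; with bridging off, West Dodge has no route to Davenport at all.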

Page 19: Chapter 6 - Configuring Active Directory Server Roles

- Understanding Server Manager
- Configuring Active Directory Certificate Services
- Understanding Active Directory Domain Services
- Active Directory Federation Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services
- Exam Essentials

Page 20: Chapter 6 Exam Objectives

Configuring Additional Active Directory Server Roles

Configure Active Directory Lightweight Directory Service (AD LDS). May include but is not limited to: migration to AD LDS; configure data within AD LDS; configure an authentication server; server core; Windows Server 2008 Hyper-V

Configure Active Directory Rights Management Service (AD RMS). May include but is not limited to: certificate request and installation; self-enrollments; delegation; Active Directory Metadirectory Services (AD MDS); Windows Server virtualization

Configure the read-only domain controller (RODC). May include but is not limited to: unidirectional replication; Administrator role separation; read-only DNS; BitLocker; credential caching; password replication; syskey; Windows Server virtualization

Configure Active Directory Federation Services (AD FS). May include but is not limited to: install AD FS server role; exchange certificate with AD FS agents; configure trust policies; configure user and group claim mapping; Windows Server virtualization

Creating and Maintaining Active Directory Objects

Configure account policies. May include but is not limited to: domain password policy; account lockout policy; fine-grain password policies

Configuring Active Directory Certificate Services

Install Active Directory Certificate Services. May include but is not limited to: standalone vs. enterprise; CA hierarchies—root vs. subordinate; certificate requests; certificate practice statement

Configure CA server settings. May include but is not limited to: key archival; certificate database backup and restore; assigning administration roles

Manage certificate templates. May include but is not limited to: certificate template types; securing template permissions; managing different certificate template versions; key recovery agent

Manage enrollments. May include but is not limited to: network device enrollment service (NDES); autoenrollment; Web enrollment; smart card enrollment; creating enrollment agents

Manage certificate revocations. May include but is not limited to: configure Online Responders; Certificate Revocation List (CRL); CRL Distribution Point (CDP); Authority Information Access (AIA)

Page 21: Understanding Server Manager (The “One Stop” Shop)

Add Server Roles
- AD Certificate Services
- AD Domain Services
- AD Federation Services
- AD Lightweight Directory Services
- AD Rights Management Services

Add “Services”
- DHCP
- DNS
- IIS
- Etc.

Monitor the Server
- Event Viewer
- Configuration
- Storage
- Etc.

Page 22: Configuring AD Certificate Services

AD Certificate Services enables you to implement:
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS) – HTTPS
- Two-factor authentication – smart card logon
- Email encryption
- Etc.

Implements what is referred to as “Public Key” Infrastructure (PKI):
- Data is encrypted/decrypted by a public key (which is “known”), a private key (which is highly secured), and an encryption algorithm that relates the two keys
- Security of PKI relies on the private key being highly secure

Page 23: Certificate Services Hierarchy

Certificate Authority
- Enterprise Root: the “Supreme Key Holder” in an AD PKI infrastructure; issues certificates to subordinate CAs or clients
- Stand-Alone: the “Supreme Key Holder” in a non-AD PKI infrastructure; issues certificates to subordinate CAs or clients
- Subordinate: receives its certificate from an Enterprise Root or Stand-Alone CA and issues certificates to clients

Page 24: AD CS Components

Cert Publishers group Certificates are used to increase security by allowing for strong authentication methods. User accounts are placed within the Cert Publishers group if they need to be able to publish security certificates. Generally, these accounts are used by Active Directory security services.

PKI-savvy applications These applications allow you and your users to do useful things with certificates, like encrypt email or network connections. Ideally, the user shouldn't have to know (or even necessarily be aware) of what the application is doing—everything should work seamlessly and automatically. The best-known examples of PKI-savvy applications are web browsers like Internet Explorer and Firefox and email applications like Outlook and Outlook Express.

Certificate templates Certificate templates act like rubber stamps: by specifying a particular template as the model you want to use for a newly issued certificate, you're actually telling the CA which optional attributes to add to the certificate, as well as implicitly telling it how to fill in some of the mandatory attributes. Templates greatly simplify the process of issuing certificates because they keep you from having to memorize the names of all the attributes you might potentially want to put in a certificate. In Windows Server 2008, multiple templates are available and you also have the ability to secure templates using template permissions.

Online Responder service Some applications—including S/MIME, SSL, EFS, and smart cards—need to validate the status of certificates. The Online Responder service authoritatively responds to such requests.

Certification practice statement A Certification practice statement (CPS) is a statement that is issued by a certificate creator. It represents the creator's practices for issuing and validating certificates. The CPS represents the technical, procedural, and personnel policies and practices of the issuing certification authority (CA) organization.

Enrollment agents Enrollment agents are administrators who have the ability to enroll users into the certificate services program. Enrollment agents can issue and manage certificate requests.

Network device enrollment service (NDES) Network devices such as routers do not have accounts in the Active Directory Domain. The NDES allows such network devices to obtain certificates.

Web enrollment With web enrollment, users can easily request certificates and retrieve certificate revocation lists (CRLs) through a web browser.

Page 25: Other PKI/AD CS Need to Knows

Certificate Templates: a template defines the content of the certificates used for various purposes

Auto-Enrollment: authorized clients automatically receive a valid certificate

Certificate Revocation List (CRL)/CRL Distribution Point (CDP): when a private key has been, or is believed to have been, compromised, all certificates issued based on that key must be revoked and re-issued

Page 26: Understanding AD Domain Services

Introducing the New Domain Services Features in Windows Server 2008

User interface improvements Domain services are easier to install using the updated Installation Wizard for AD DS.

Read-only domain controllers Windows Server 2008 supports a new type of domain controller, the read-only domain controller (RODC).

Auditing Previous versions of Microsoft Windows Server supported auditing of successful or unsuccessful changes to Active Directory objects; however, the nature of the change was not included in the Security Log. In Microsoft Windows Server 2008, you can view the new and old values of the object and its attributes.

Fine-grained password policies In Microsoft Windows Server 2000 and 2003, domain-based password policies and account lockout policies applied to all users in the domain. There was no inexpensive way to implement multiple such policies for individuals or groups. In Windows Server 2008, fine-grained password policies support multiple password and account lockout policies in the same domain.

Restartable Active Directory Domain Services With Microsoft Windows Server 2008, administrators can stop or restart AD DS while other services not dependent on Active Directory (DNS, DHCP, etc.) continue to operate.

Database mounting tool. In previous versions of Active Directory, if an object got deleted, an administrator had to load multiple online backups until they found the object to restore. Windows Server 2008 Active Directory includes a database mounting tool (Dsamain.exe) that makes it quicker and easier to find and restore specific data.

BitLocker Drive Encryption. Another way to add security in a non-secure location is through the use of BitLocker Drive Encryption. The BitLocker data-protection feature, new to Windows Server 2008, allows an IT administrator to encrypt both the operating system volume and additional data volumes within the same server.

Page 27: AD Federation Services

AD Federation Services Overview:

Active Directory Federation Services (AD FS) provides Internet-based clients a secure identity access solution that works on both Windows and non-Windows operating systems.

Normally when a user from one network tries to access an application in another network, they must have a secondary username and password.

AD FS allows organizations to set up trust relationships between networks and supports single sign-on (SSO), which allows users to access applications on other networks without needing secondary passwords. Security is improved and administrators spend less time resetting passwords when users don't have to remember multiple passwords.

AD FS requires an AD FS server on both ends of the connection. For example, if company A is going to set up a trust relationship with company B, an AD FS server needs to be configured at both company A and company B.

Page 28: AD Federation Services (cont.)

AD Federation Services Configuration

AD FS Web Agents Administrators have the ability to configure a Windows NT token-based Web Agent. To support this new feature, Windows Server 2008 AD FS includes a user interface for the AD FS Web Agent role service. The Web Agent account is a service account that calls upon other services.

Trust policies The AD FS trust policy is a file that outlines the set of rules that a Federation Service uses to recognize partners, certificates, account stores, claims, and the other numerous properties that are associated with the Federation Service.

User and group claim mapping In basic terms, claims mean that each partnered location agrees and appropriately maps the AD FS trust policy for sharing between federation partner locations. A claim contains user information and helps users connect to a partner's resources. Three types of claims are supported by AD FS:

Identity claim This claim type helps identify the user. The identity claim is included within a security token. A security token can contain up to three identity claims.

Group claim This claim type indicates membership in a group or role.

Custom claim This claim type provides any additional information that needs to be sent. An example might be DepartmentID. This is a custom field and would in turn be a custom claim. A custom claim can provide any attribute that is located in Active Directory.

Page 29: AD Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) Overview:
- Application protocol used for querying and modifying directory services
- Allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires

Configuring AD LDS

Configuring an authentication store Let's say that you have a web or data server and you want a way to save authorization information for it. It is in this type of situation that configuring an AD LDS authentication store can help you out. AD LDS works well as an authentication store because it can host user account objects even though they are not Windows security principals. You can authenticate non-Windows security principals by using LDAP simple binds.

Configuring the data within AD LDS Remember, earlier we said that AD LDS is like an address book and you can edit who is in that address book by configuring the data within AD LDS. To configure the data within AD LDS, you can use the ADSI edit snap-in tool.

Migrating to AD LDS What if your company was using an X.500-style directory service that was integrated into your company's legacy applications and you want to move to AD DS? You can use AD LDS to service the legacy applications while you use Active Directory for the shared security infrastructure.

Windows Server 2008 Hyper-V Windows Server 2008 has a role-based utility called Hyper-V. Hyper-V is a hypervisor-based virtualization feature. (A hypervisor is a virtual machine monitor.) It includes all the necessary features to support machine virtualization. By using machine virtualization, a company can reduce costs, improve server utilization, and create a more dynamic IT infrastructure.

Page 30: AD Rights Management Services

Active Directory Rights Management Services Overview

Active Directory Rights Management Services (AD RMS), included with Microsoft Windows Server 2008, allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization.

Access restrictions can improve security for email messages, internal websites, and documents.

These three new administrative roles allow for delegation of AD RMS responsibilities:

AD RMS Enterprise Administrators AD RMS Template Administrators AD RMS Auditors

Self enrollment AD RMS server enrollment allows for the creation and signing of a server licensor certificate (SLC). This SLC gives the AD RMS server the right to issue certificates and licenses whenever they are needed.

Active Directory Metadirectory Service (AD MDS) Microsoft uses an identity management product called Active Directory Metadirectory Service (AD MDS). AD MDS gives systems the tools they need to get identity data from directories and then expose that data through a directory service interface such as LDAP.

Page 31: Questions and Answers

Page 32: Week 3 Assignment/Homework

Week 4 Reading:
- Read Chapter 7: Administering Active Directory
- Read Chapter 8: Configuring Group Policy Objects