Planning and Implementing an Active Directory Infrastructure
- With an L2TP connection, you have to use the IPSec protocol for data encryption.
- Sharing a printer on the member server, which is part of the domain, automatically publishes the printer in Active Directory.
- In order to provide permissions to a user to monitor performance counters on the file server locally and from remote computers, add the user’s account to the Performance Monitor Users group.
- PTR records resolve IP addresses to host names.
- Multicast boundaries are configurable administrative barriers that limit the extent of the IP Internetwork over which multicast traffic can be forwarded.
- IP packet filters allow or block packets from passing through specified ports. They can filter packets based on service type, port number, source computer name, or destination computer name.
- The global catalog is built automatically by the Active Directory replication system. All directory partitions on a Global Catalog server, whether full or partial partitions, are stored in a single directory database (NTDS.DIT) on the same server.
- A global catalog is created automatically on the first domain controller in the forest.
- The relative ID (RID) master, PDC emulator master, and infrastructure master roles are necessary within each domain. At least one domain controller must fulfill each of these roles.
- You cannot rename a domain controller unless the functional level of the domain is Windows Server 2003 and the domain controller is running the Windows Server 2003 operating system.
- Universal group membership caching is a feature of Windows 2003 that reduces the need to place Global Catalog servers at all remote locations for user authentication.
- Enabling universal group membership caching on one of the domain controllers in each site will minimize the logon traffic on the WAN link.
- The universal group membership caching feature can be enabled on any domain controller in a site. The domain controller, with universal group membership caching enabled, contacts a Global Catalog server whenever a user attempts to log on for the first time. The server then caches the user information locally and uses this information to authenticate the user the next time he attempts to log on.
- Universal group membership caching can handle only the logon authentication part of a Global Catalog server. It is not capable of handling directory-wide queries.
- When a user logs on to a network containing multiple domains, the domain controller that is authenticating the user’s logon request needs to locate a global catalog in order to construct the universal groups that the user belongs to. If the domain controller fails to locate a global catalog server, or the cached credentials for the user do not exist, the user is denied logon.
- Global catalog is a central location of information about the objects in a tree or forest of the Active Directory integrated network.
- In order to provide fault tolerance for the DNS zone so that the DNS queries from the network computers can be resolved even if the DNS server is unavailable, configure a new DNS server as a secondary server.
- Schema master and domain naming master are operations master roles that are applied to the entire forest within an Active Directory network.
- Schema master is a forest-wide operations master role. It is responsible for propagating the changes to all the domain controllers within a forest.
- Domain naming master is a forest-wide operations master role. It is required to keep track of all the domains within an Active Directory forest. The domain controller with the domain naming master role is accessed whenever domains are added to or removed from a tree or forest.
- The RID master and infrastructure operations master have domain-wide roles and these roles must be unique in each domain.
- Primary domain controller (PDC) emulator master is a domain-wide operations master role. The PDC emulator master is responsible for maintaining backward compatibility with Windows NT domain controllers within a domain. There can be only one PDC emulator in a domain.
- In order to transfer and seize the operations master roles, the NTDSUTIL utility is used.
- The infrastructure master role should not be assigned to a domain controller that also hosts the global catalog, because the infrastructure master would stop functioning: it would never find any data that is out of date, and so would never replicate any changes to the other domains.
- PDC emulator master is required to provide backward compatibility with Windows NT 4.0 domain controllers.
- The RENDOM command-line utility is used to rename the domain.
- A PTR record in the appropriate zone provides address-to-name mapping.
- DNS resolves host name or domain name to IP address. For this, client computers on the network must be configured with the address of a DNS server.
- In order to perform recursive queries on behalf of the DNS clients to resolve FQDNs on the Internet, configure the DNS server to forward queries for external names to an external DNS server, such as the ISP’s DNS server.
- NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems. It performs its function by sending queries to the DNS server and obtaining detailed responses at the command prompt.
- An exclusion range is a range of IP addresses within a scope that are not being assigned by the DHCP server to the DHCP clients on the network. On the other hand, client reservation is used to ensure that a particular DHCP client computer always receives the lease of the same IP address at its startup.
- When a new child domain is created within a tree, the child domain automatically trusts the parent domain and vice-versa.
- The following two conditions must be met before raising the forest level to Windows Server 2003: all the domain controllers in the forest must run Windows Server 2003, and all domain functional levels in the forest must be raised to Windows Server 2003.
- The Windows Server 2003 functional level supports only the Windows Server 2003 operating system for domain controllers.
- The external trust is a nontransitive trust created between Windows Server 2003 domains in different forests, or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4.0 or earlier. This trust can be configured as one-way or two-way. The external trust provides backward compatibility with the Windows NT environment. This trust is useful for managing communication between domains located in different forests that are not joined by forest trusts.
- In a Windows 2003 trust environment, the Kerberos version 5 and NTLM protocols are used to authenticate users and applications.
- The ADPREP tool is used to prepare Windows 2000 domains and forests for an upgrade to Windows Server 2003.
- To run ADPREP /forestprep, the administrator must be a member of the Enterprise Admins group and the Schema Admins group in Active Directory. The ADPREP /forestprep command must be run on the schema master.
- Windows 2003 allows you to rename and restructure domains in a forest. The RENDOM utility is used for renaming and restructuring the domains.
- Renaming a domain is a thorough multi-step process that requires a detailed understanding of the operation. It affects every domain controller in the forest.
- In trust relationships, the domains involved allow pass-through authentication where the trusting domain honors the logon authentication of the trusted domain.
- In order to rename a domain controller in the domain, the following criteria must be met: The domain controller must be running Windows Server 2003 and the functional level of the domain to which the domain controller is joined should be set to Windows Server 2003.
- By using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can enable selective authentication to let administrators make flexible forest-wide access control decisions. If you use forest-wide authentication on an incoming forest trust, users from the remote forest will have the same level of access to the resources in the forest as the users who belong to the local forest.
- A DHCP relay agent is required for subnets that do not have a DHCP server to forward DHCP requests.
- SRV resource record is a DNS record that enables users to specify the location of servers for a specific service, protocol, and DNS domain.
- Creating a separate site for each location minimizes replication traffic on the WAN. This can be made more effective by configuring the replication frequency of the site links between the sites.
- If a firewall is used to protect a site, you must specify a preferred bridgehead server in the company’s network. You should establish your firewall proxy server as the preferred bridgehead server, making it the contact point for exchanging information with the servers outside the firewall. If this is not done, the directory information may not be successfully exchanged.
- All domain controllers are used to exchange information between sites. You can control the replication behavior by specifying a preferred bridgehead server for inter-site replicated information.
- Configure the computer with the highest bandwidth as a preferred bridgehead server.
- The lower the site link cost, the more preferred is the link.
- Sites are created to physically group the computers and resources for optimizing the network traffic. Administrators can configure Active Directory access and replication technology to take advantage of the physical network by configuring sites.
- If a site is configured with a preferred bridgehead server, the Active Directory replication takes place only through this server. In case of a failure of this server, the replication is also stopped. In case a preferred bridgehead server is not configured on the site, the knowledge consistency checker (KCC) selects a domain controller to act as a bridgehead server automatically.
- All the domains within a forest share a common schema and Global Catalog.
- Creating different organizational units (OUs) and delegating the authority for the resource administration will allow local Administrators of the branch offices to have control of their own resources, whereas only members of the Domain Admins group will be able to administer the user accounts of the domain.
- Enable Block Policy Inheritance on an OU whose members you do not want to be affected by GPOs applied at a higher level.
- The Delegation of Control wizard enables administrators to grant other administrators the necessary permissions on specific Active Directory objects.
- Security groups are used to provide access to resources on a network. Security groups are also used to assign user rights in Active Directory and to assign permissions on shared resources on the network.
- Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to a collection of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs).
Managing and Maintaining an Active Directory Infrastructure
- GPRESULT is a command-line tool that is used to obtain the Resultant Set of Policy (RSoP). RSoP is the sum of the group policies that are applied to a user or computer.
- A forest trust is a two-way transitive trust. It is created explicitly (manually) by system administrators between the two forest root domains. It allows all authentication requests made from one forest to reach the other forest.
- The external trust provides backward compatibility with the Windows NT environment. This trust is useful for managing communication between the domains located in different forests that are not joined by forest trusts.
- Conditional forwarding is a new feature of Windows 2003 DNS. It provides administrators the ability to configure a DNS server to forward queries conditionally, based on the domain specified in the name resolution request.
- Trust is a logical relationship between two domains, which allows the sharing of resources between them.
- The ADPREP tool is used to prepare Windows 2000 domains and forests for an upgrade to Windows Server 2003. It extends the schema, updates default security descriptors of selected objects, and adds new directory objects as required by some applications.
- DCPROMO is the Active Directory Installation wizard. It is used to promote member servers to domain controllers. It can also be used to demote a domain controller back to a member server.
- Schema is a centralized data store that can contain information of different types of objects such as users, groups, computers, network devices, applications, etc.
- A preferred bridgehead server is a domain controller in a site, specified by an administrator, to act as a bridgehead server. Administrators can specify more than one preferred bridgehead server, but only one server is active at a time in a site.
- Replication traffic prefers the site link that has the lower cost for the replication. By default, a site link cost is set to 100.
- A site is a collection of one or more well-connected (usually a local area network) TCP/IP subnets. The network between the subnets must be highly reliable and fast (512 Kbps and higher). Although sites are defined on the basis of location, a site can span more than one location.
- Subnets are subdivisions of an IP address network, used for creating smaller broadcast domains and for better utilization of the bits in the host ID.
- The Security log contains events related to logon events by users. It also logs events such as opening, creating or deleting of files, folders, and other resources.
- % Network utilization counter indicates how close the network is to full capacity.
- Replication is a process through which the changes made to a replica on one domain controller are synchronized to replicas on all other domain controllers in the network.
- Microsoft Windows 2000 Server uses the File Replication Service (FRS) to replicate system policies and logon scripts stored in the system volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for the network clients to access the resources.
- In a nonauthoritative restore operation, the objects in the restored directory are not treated as authoritative. The restored objects are updated with changes held on other domain controllers in the domain.
- In order to authorize the DHCP servers on the network, a user must be a member of the Enterprise Admins group.
- A DHCP server configures DHCP-enabled client computers on the network. It runs on servers only. It also provides integration with the Active Directory directory service.
- The DHCP messages cannot pass through the routers that are non-BOOTP relay enabled. To overcome this, either the router should be configured to route BOOTP broadcast frames or a DHCP Relay Agent should be installed in the segment lacking a DHCP server.
- The Windows Server 2003 Backup application supports the following three types of restoration methods: Primary restore, Non-authoritative restore, and Authoritative restore.
- Run the NTDSUTIL utility to authoritatively restore the Active Directory component.
- If the restored backup of the Active Directory database is non-authoritative and has an older timestamp, it is replaced through replication by the existing copy of the database held on the other domain controllers.
- Windows 2003 provides the facility to install the system state data from a backup media and over the network.
- When an object is deleted from Active Directory, the original object is removed from it, and an object is created that contains a small subset of the object’s original attributes. This object is called tombstone. This tombstone object remains in Active Directory for the duration of the tombstone lifetime (by default, it is configured as 60 days) before it gets completely removed.
- NTDSUTIL.EXE is a command-line tool that is used to manage Active Directory.
- If the RID master fails, no new objects can be created in the domain.
- If a domain controller is removed from the network without being properly uninstalled, it leaves behind the metadata in Active Directory. This prevents other servers from using the name of the previous server.
- Site links are transitive in nature. For example, if Site 1 is linked with Site 2 and Site 2 is linked with Site 3, then Site 1 and Site 3 are linked transitively. Administrators can control transitivity of the site links. By default, transitivity is enabled for each transport. Site link transitivity can be enabled or disabled through a bridge.
- Global Catalog server is a domain controller that stores information about all objects in a forest. Global Catalog is required for the logon process.
- Ingress filters can be used in a router to minimize attacks from the Internet.
- Network administrators use ADSIEdit for performing common administrative tasks such as adding, deleting, and moving objects with a directory service.
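An added example (not from the page) showing how forwarder selection with conditional forwarders works in a small Python model: the most specific matching domain wins, matching is on whole labels, and otherwise the query goes to the default forwarders such as the ISP’s DNS server, as in the notes above on forwarding. The domain names and the RFC 5737 addresses in `CONDITIONAL` and `ISP_DNS` are constructed, and the function names are this example’s own.

```python
"""Model of how a DNS server picks a forwarder: conditional forwarders by
domain, falling back to the default forwarders (e.g. the ISP's DNS server).
Added illustration; not code from the page or from Windows DNS itself."""


def _labels(name):
    """'www.Partner.example.' -> ['www', 'partner', 'example'] (case-folded, root dot dropped)."""
    return [label.lower() for label in name.strip().rstrip(".").split(".") if label]


def select_forwarder(query_name, conditional_forwarders, default_forwarders=None):
    """Return (matched_domain, forwarder_list) for a query name.

    Matching is on whole labels, so 'notpartner.example' does NOT match the
    'partner.example' entry, and the most specific (longest) domain wins.
    With no match, (None, default_forwarders) is returned; a default of None
    means the server would resolve the name itself using root hints.
    """
    query = _labels(query_name)
    best_domain, best_servers, best_len = None, None, -1
    for domain, servers in conditional_forwarders.items():
        suffix = _labels(domain)
        if not suffix:                      # an empty domain would match everything; ignore it
            continue
        is_suffix = len(suffix) <= len(query) and query[-len(suffix):] == suffix
        if is_suffix and len(suffix) > best_len:
            best_domain, best_servers, best_len = domain, servers, len(suffix)
    if best_domain is not None:
        return best_domain, best_servers
    return None, default_forwarders


# Constructed configuration (RFC 5737 documentation addresses, not real servers)
CONDITIONAL = {
    "partner.example": ["192.0.2.53"],        # partner forest's DNS
    "hr.partner.example": ["198.51.100.53"],  # a more specific zone, different servers
}
ISP_DNS = ["203.0.113.53"]                    # default forwarder for everything else

if __name__ == "__main__":
    for name in ("www.hr.partner.example", "MAIL.partner.example.", "notpartner.example"):
        print(name, "->", select_forwarder(name, CONDITIONAL, ISP_DNS))
```

The label-boundary check is the detail worth noticing: a naive `endswith("partner.example")` would send `notpartner.example` queries to the partner’s DNS servers.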
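An added example, not part of the notes, that models how the cheapest replication route between sites is chosen from site link costs (lower cost is preferred, default cost 100) and what changes when site link transitivity is disabled. The site names, link names and costs in `SAMPLE_LINKS` are constructed, and the route search is an ordinary shortest-path (Dijkstra) walk, which is an assumption of this model rather than a description of how the KCC is implemented.

```python
"""Model of inter-site replication route selection by site link cost, with and
without site link transitivity (bridging). Added illustration; not from the page."""
import heapq

DEFAULT_SITE_LINK_COST = 100   # default site link cost noted above


def _adjacency(site_links):
    """site_links: iterable of (link_name, cost, sites). A site link may join more than two sites."""
    adj = {}
    for name, cost, sites in site_links:
        for a in sites:
            for b in sites:
                if a != b:
                    adj.setdefault(a, []).append((b, cost, name))
    return adj


def replication_route(site_links, src, dst, transitive=True):
    """Cheapest replication route from src to dst.

    Returns (total_cost, [site link names]) or None when no route exists.
    transitive=True models site link bridging (the default): replication may
    transit intermediate sites, and the route with the lowest summed cost wins.
    transitive=False models bridging turned off with no site link bridge defined:
    only sites that share a site link can replicate with each other.
    """
    adj = _adjacency(site_links)
    if src == dst:
        return 0, []
    if not transitive:
        direct = [(cost, [name]) for nbr, cost, name in adj.get(src, []) if nbr == dst]
        return min(direct) if direct else None
    settled = set()
    frontier = [(0, src, [])]               # (cost so far, site, links taken)
    while frontier:
        cost, site, path = heapq.heappop(frontier)
        if site in settled:
            continue
        settled.add(site)
        if site == dst:
            return cost, path
        for nbr, link_cost, name in adj.get(site, []):
            if nbr not in settled:
                heapq.heappush(frontier, (cost + link_cost, nbr, path + [name]))
    return None


SAMPLE_LINKS = [   # constructed topology: a cheap two-hop path and an expensive direct link
    ("HQ-Branch1", DEFAULT_SITE_LINK_COST, {"HQ", "Branch1"}),
    ("Branch1-Branch2", 200, {"Branch1", "Branch2"}),
    ("HQ-Branch2-Slow", 500, {"HQ", "Branch2"}),
    ("Branch2-Branch3", 100, {"Branch2", "Branch3"}),
]

if __name__ == "__main__":
    for transitive in (True, False):
        print("transitive" if transitive else "non-transitive",
              replication_route(SAMPLE_LINKS, "HQ", "Branch3", transitive))
```

With transitivity on, HQ reaches Branch2 over the two cheaper links (total 300) rather than the direct 500-cost link; with transitivity off, only the direct link is usable and Branch3, which shares no link with HQ, is unreachable until a site link bridge is defined.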
Planning and Implementing User, Computer, and Group Strategies
- Universal security groups cannot be created in a Windows 2000 mixed-mode domain.
- The Enforce Password History setting sets how frequently old passwords can be reused. Setting the Enforce Password History to a higher value will track a larger number of old passwords by using a password history that is unique for each user. This will prevent the users from reusing their old passwords frequently. The recommended value for the Enforce Password History setting is 20 passwords.
- Microsoft recommends the following structure of groups and rights for planning a security group strategy:
- Create universal groups for groups that contain members from multiple domains in more than one forest. Make global groups members of the universal groups. Use the universal groups when providing access to resources across multiple forests.
- Create domain global groups for groups that contain members from a single domain, but that will be granted access to resources within other domains. Make universal groups members of domain global groups as applicable. Make users members of domain global groups.
- Create domain local groups for groups that contain members from a single domain, whether or not they will be granted access to resources within other domains. Make domain global groups members of the appropriate domain local groups. Grant domain-wide rights to domain local groups.
- Create local groups on member servers and computers. Make domain local groups members of local groups. Grant local rights to local groups.
- Windows Server 2003 supports the following two types of groups: Security groups and Distribution groups.
- The following group scopes can be used for groups to assign permissions: Domain local, Global, and Universal.
- The scope of a group defines two characteristics: it determines the level of security applying to the group and which users can be added to the group.
- Print Operators built-in group has permissions to manage, create, share, and delete the printers connected to domain controllers in the domain. It also has the permissions to manage Active Directory printer objects in the domain.
- The Account Lockout Threshold policy determines the number of failed logon attempts after which a user account will be locked out. A locked out account cannot be used until the account lockout duration expires or an administrator resets it.
- Security templates are used to apply consistent security to multiple computers. Security templates work as a security policy, but they can be applied to any computer and provide an easy way to apply a customized set of default security settings.
- Internet Authentication Service (IAS) performs centralized connection authentication, authorization, and accounting for dial-up and virtual private network (VPN), remote access, and router-to-router connections.
- The use of smart cards for user authentication is a strong form of authentication.
- Enabling the Extensible Authentication Protocol check box and requiring smart card authentication on the Routing and Remote Access server forces remote users to use smart cards for authentication when they connect to the network.
- A roaming user profile is stored in a centralized place and can be accessed from the network. When users log on to their workstations, they receive the desktop setting as it existed when they logged off. Also, when several users log on to the same computer, each receives a customized desktop.
- A mandatory user profile is a roaming user profile that cannot be modified and saved by a user. It is created by changing the name of the NTUSER.DAT file in the directory to NTUSER.MAN and entering the profile UNC path into the User Profile Path located in the User Environment Profile dialog box for each user.
- GPOs are supported and applied only on the computers running the following operating systems: Windows 2000 Professional/Server, Windows XP Professional, Windows Server 2003 and later.
- The Advanced System Information-Policy tool is used to create an RSoP query and view the result in HTML format.
- Organizational units (OUs) are defined to delegate administration, to administer group policy, or to hide objects. Delegating administration is the prime reason for defining OUs.
- Deploying the GPOs at the domain ensures that any computer included in the network later automatically receives the settings of the GPOs.
- In order for the policies in a GPO to be applied, users must have the Read and Apply Group Policy permissions on the GPO.
- The Block Policy Inheritance option deflects all the group policy settings that reach a site, domain, or OU from an object higher in the hierarchy. It can be applied to the site, domain, or OU.
- When an account is created, even if the same account name is used, a new SID is generated for the account. This SID is used to differentiate user accounts.
- In order to define an audit policy to check whether the user is actually changing rights to his account, choose the success audit of policy change events.
- In order to configure the Automatic Updates settings using a group policy, the ADM template file must be loaded. The Automatic Updates settings will not be available within a group policy object without loading the ADM template file.
- If an object in Active Directory has been created in or moved to a location that is missing after replication, the object is considered as “lost” and is moved to the LostAndFound container.
- The LostAndFound container includes objects that lost their parent container due to a replication conflict.
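As an added example (not from the page), the group strategy in the notes above modelled in Python: `can_nest` encodes the nesting rules this model assumes for a domain at Windows 2000 native or Windows Server 2003 functional level, `add_member` rejects invalid nesting, and `effective_members` flattens nested membership, which is the check needed when verifying who actually ends up in a domain local group. Names such as `G-Sales` and `corp.example` are constructed.

```python
"""Toy model of Windows Server 2003 group scopes and the accounts -> global ->
domain local -> permissions (AGDLP) strategy. Added illustration, not from the
page; the nesting rules below are this model's assumptions."""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str        # for a machine-local group: the domain of the computer that hosts it
    scope: str         # "universal", "global", "domain_local" or "local"
    members: list = field(default_factory=list)


def can_nest(member, group):
    """True if `member` may be added to `group` under the modelled nesting rules."""
    same_domain = member.domain == group.domain
    kind = "account" if isinstance(member, Account) else member.scope
    rules = {
        # container scope -> what it may contain
        "universal":    {"account": True, "global": True, "universal": True,
                         "domain_local": False, "local": False},
        "global":       {"account": same_domain, "global": same_domain, "universal": False,
                         "domain_local": False, "local": False},
        "domain_local": {"account": True, "global": True, "universal": True,
                         "domain_local": same_domain, "local": False},
        "local":        {"account": True, "global": True, "universal": True,
                         "domain_local": same_domain, "local": False},
    }
    return rules[group.scope][kind]


def add_member(group, member):
    """Add a member, refusing combinations the directory would reject."""
    if not can_nest(member, group):
        kind = "account" if isinstance(member, Account) else member.scope
        raise ValueError(f"{member.name} ({kind}, {member.domain}) cannot be nested in "
                         f"{group.name} ({group.scope}, {group.domain})")
    group.members.append(member)


def effective_members(group, _seen=None):
    """Flatten nested membership to the set of account names; tolerates membership cycles."""
    if _seen is None:
        _seen = set()
    if group.name in _seen:
        return set()
    _seen.add(group.name)
    names = set()
    for m in group.members:
        if isinstance(m, Account):
            names.add(m.name)
        else:
            names |= effective_members(m, _seen)
    return names


def build_agdlp():
    """Constructed example of the strategy: accounts -> global group -> domain local group."""
    alice = Account("alice", "corp.example")
    bob = Account("bob", "corp.example")
    g_sales = Group("G-Sales", "corp.example", "global")
    dl_sales_read = Group("DL-SalesShare-Read", "corp.example", "domain_local")
    for account in (alice, bob):
        add_member(g_sales, account)
    add_member(dl_sales_read, g_sales)       # the domain local group is what gets the permission
    return dl_sales_read

if __name__ == "__main__":
    print(sorted(effective_members(build_agdlp())))
```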
Planning and Implementing Group Policy
- Security Configuration and Analysis Tool is used to import and export templates. It is also used to compare a template with the security settings of the local computer.
- The two modes available with the RSoP Wizard to collect data for RSoP queries are Logging mode and Planning mode.
- The GPUPDATE command is used to refresh the local and Active Directory-based group policy settings.
- By default, group policies are inherited from the site, then from the domain, and then finally from the organizational unit level. The order and the level in which group policy objects are applied (by linking them to their targets) determine the group policy settings that a user or a computer actually receives.
- The Block Policy Inheritance option can be applied to the site, domain, or OU. It deflects all group policy settings that reach the site, domain, or OU from the object higher in the hierarchy.
- When multiple group policy objects are assigned, group policies are applied in the following order: The local group policy object is applied first. Then, the group policy objects linked to sites are applied. If multiple GPOs exist for a site, they are applied in the order specified by an administrator. GPOs linked to domains are applied in the specified order. Finally, GPOs linked to OUs are applied.
- Forest trusts make multiple-forest deployments easier in Windows Server 2003.
- By configuring the loopback setting, administrators can reverse the order in which policies are applied. When the Loopback option is configured, the computer settings take precedence over the user settings.
- Windows Management Instrumentation (WMI) filters are used to filter the effect of a group policy object (GPO).
- If the GPO containing the restriction policy is set at the OU level and is applied first, and then another GPO with a different policy is configured and applied at the domain level, the domain policy will overwrite the OU policy. However, if you set the No Override attribute on the OU policy, it prevents the OU policy from being overwritten even though the domain GPO would otherwise take precedence.
- An application cannot be published to computers.
- When an application is published to a user, the published application stores the advertisement attributes in the Active Directory. Users can then install the application either by using Add/Remove Programs in the Control Panel or by clicking any file associated with the application.
- In order to prevent users from using the recently expired passwords, you should configure the Default Domain Policy group policy object (GPO) to set the Interactive Logon: Number of previous logons to cache setting to 0.
- Software restriction policies protect the computer environment from unknown code by identifying and specifying the applications allowed to run.
- The /force switch used with the GPUPDATE command reapplies all settings ignoring all processing optimizations.
- GPMC is used to back up, restore, import, and copy group policy objects. It also provides a reporting interface on how group policy objects (GPOs) have been deployed.
- By using the group policy object, the task of software installation will be automated and the administrative burden will be reduced.
- Software restriction policies are supported by the Windows XP and Windows Server 2003 and later operating systems.
- When IIS Server is installed on a member server, the service is installed in a highly secure and locked mode. By default, features such as ASP, ASP.NET, WebDAV publishing, and FrontPage Server Extensions do not work. When a user tries to access such pages, the IIS server returns a 404 error.
- If at any point of time, an application is no longer required, you should remove it by using the removal option in the GPO through which the application is installed. There are two types of removal that you can choose from: Forced and Optional. The Forced removal option immediately uninstalls the software from users and computers. The Optional removal option allows users to continue to use the software but prevents new installations. After software removal is processed, you should delete the GPO so that the application is no longer available.
- Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller’s security log.
- The Shadow Copy Client is also known as the Previous Versions Client. It is the software required to be installed on Windows XP clients in order to use the Shadow Copies feature of Windows 2003. It is located in the %Systemroot%\System32\Clients\Twclient folder of a Windows Server 2003 computer.
- In order to install the Firewall Client software on all the client computers with minimum administrative effort, you will have to use a GPO to assign the MS_FWC.MSI file to all computers.
- MS_FWC.MSI is a software package file that enables Windows Installer to install the Firewall Client software on Windows 2000 and Windows XP computers.
- If the No Override configuration is set to a GPO, no policy configured in the GPO can be overridden.
- By enabling the Required upgrade for existing packages check box in the Upgrades tab of the software deployment properties of a GPO you can make the upgrade mandatory.
- Terminal Services is a multisession environment that provides remote computers access to Windows-based programs running on a server.
- Predefined security templates are used for creating security policies for a network or computer. These security templates can be used to configure an individual computer or a group of computers. By default, the predefined security templates are stored in the %SYSTEMROOT%\Security\Templates folder.
- After successfully testing the policies required for the domain controllers, you should export those policies into a template and import that template into the required GPOs, implementing them with the least administrative effort.
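The processing order and the No Override and Block Policy Inheritance rules described in the notes above can be turned into a small model that computes the winning value for each setting. This is an added example, not code from the page or from Microsoft: the GPO names, container names and settings are constructed, the local GPO is left out of the model, and the precedence rules encoded in `resultant_settings` are this model’s reading of the notes.

```python
"""Toy model of Group Policy processing order (site, domain, OU) with Block
Policy Inheritance and No Override. Added illustration; not from the page."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                # setting name -> value; only configured settings appear
    no_override: bool = False     # "No Override" set on the link


@dataclass
class Container:
    name: str
    level: str                    # "site", "domain" or "ou"
    gpos: list = field(default_factory=list)   # link order: index 0 = highest precedence
    block_inheritance: bool = False


def resultant_settings(chain):
    """Compute the winning value for every setting (a minimal RSoP).

    chain: containers ordered outermost -> innermost, e.g. [site, domain, ou, child_ou].
    Returns {setting: (value, winning GPO name)}.
    Rules modelled: containers are processed site, domain, OU, and a GPO applied
    later overwrites one applied earlier; within one container, link order 1 is
    applied last so it wins; Block Policy Inheritance drops everything inherited
    from containers above except No Override GPOs; No Override GPOs always win,
    and when several are set, the one highest in the hierarchy takes precedence.
    """
    effective = {}
    # Pass 1: ordinary GPOs, outermost container first, honouring Block Policy Inheritance.
    for container in chain:
        if container.block_inheritance:
            effective = {}                            # discard everything inherited so far
        for gpo in reversed(container.gpos):          # link 1 is applied last
            if not gpo.no_override:
                for key, value in gpo.settings.items():
                    effective[key] = (value, gpo.name)
    # Pass 2: No Override GPOs beat everything; walk innermost -> outermost so the
    # outermost No Override GPO is applied last and therefore wins.
    for container in reversed(chain):
        for gpo in reversed(container.gpos):
            if gpo.no_override:
                for key, value in gpo.settings.items():
                    effective[key] = (value, gpo.name)
    return effective


def demo():
    """Constructed scenario: an OU GPO overrides the domain GPO, until No Override is set."""
    domain = Container("contoso.com", "domain", [
        GPO("Default Domain Policy", {"ScreenSaverTimeout": 900, "MinPasswordLength": 8}),
    ])
    sales = Container("Sales", "ou", [
        GPO("Sales Lockdown", {"ScreenSaverTimeout": 600}),
    ])
    normal = resultant_settings([domain, sales])
    domain.gpos[0].no_override = True                  # flip the domain link to No Override
    enforced = resultant_settings([domain, sales])
    return normal, enforced

if __name__ == "__main__":
    for label, result in zip(("normal", "no override on domain"), demo()):
        print(label, result)
```

The value of writing it out is the interaction that catches people: Block Policy Inheritance on an OU silences site and domain GPOs, but a domain GPO marked No Override still lands, and its settings beat the OU’s own GPOs.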
Managing and Maintaining Group Policy
- Resultant Set of Policy (RSoP) is the sum of the group policies applied to a user or computer.
- Any GPO can be set to No Override. If the No Override configuration is set to a GPO, no policy configured in the GPO can be overridden. If more than one GPO has been set to No Override, then the one that is the highest in the Active Directory hierarchy takes precedence.
- RSoP includes the application of filters and exceptions.
- When an application is assigned to a user, it is advertised to the user the next time he or she logs on to a client computer. The application assigned appears on the Start menu and the registry is updated accordingly. This process is known as “advertisement”.
- RSoP is a tool provided by Windows 2003; it runs only on a Windows 2003 domain controller.
- Software restriction policies are settings in a GPO, which are used for identifying software and controlling its ability to run on a local computer, site, domain, or organizational unit (OU).
- Instructing users to run the GPUPDATE command will ensure that the policy is effective immediately.
- The GPUPDATE command is used to refresh the local and Active Directory-based group policy settings. It also refreshes security settings.
- Group Policy Management Console (GPMC) is a tool for managing group policies in Windows Server 2003. It provides administrators a single consolidated environment for working on group policy-related tasks.
- When an application is assigned to a user, it is installed when the user selects the application from the Start menu for the first time or when a document associated with the application is activated.
- To remove an application deployed through a GPO, you may choose whether to uninstall the application from all the users and computers or just prevent new installations.
- You can configure a GPO to execute an optional removal of an application. An optional removal is used in case you want to allow users to continue using the application but prevent new installations.
- The deployment of an application through a GPO reduces a lot of administrative burden of deploying the application manually to a group of users. Enabling the Uninstall This Application When It Falls Out Of The Scope Of Management option removes the application when the GPO is no longer applied.
- If the GPO that deploys an application is deleted and you have to remove the software, the application can no longer be uninstalled through a group policy object (GPO). In such a case, you will have to manually uninstall the application from each client computer.
- SUS consists of three components: Software Update Services (SUS) that runs on the server; Automatic Updates (AU) that runs on client computers; Group Policy settings that control AU clients from Active Directory.
- An administrative template can be used to specify the options available for setting the group policy. By creating the administrative template, you can control the options that are available to the other administrators. They can use this template to create group policies for their respective areas.
- The Apply to All Users Except Administrators option is available to prevent restrictions from affecting the administrators’ accounts in the domain. This option allows administrators to bypass the restrictions applied by the policy.
Hi Guys,
Thanks for sharing your insightful thoughts and suggestions – very helpful, and appreciated indeed.
On a related note, we needed a quick and efficient way to enumerate nested security groups for security audits (i.e. find out which groups were nested in other groups.) So we asked our on-site MS consultant and he recommended using the Gold Finger from Paramount Defenses Inc.
Gold Finger pleasantly surprised us because not only was it endorsed by Microsoft but also 100% FREE and loaded with almost 250 useful Active Directory security, Exchange and ACL management reports. BTW, you can download it for free from http://goldfinger.paramountdefenses.com
Thought I’d share this with you in case it could help you too, especially if you’re into AD security reporting.
Thanks again, and looking forward to your next post.
Best wishes,
Jonathan