Importing and Exporting Active Directory Objects Using CSV

Jun 08
2010

When you want to export or import objects (computers, groups, users) from your Active Directory, you use CSVDE, a command-line tool built into your Active Directory infrastructure.

Note!

CSVDE stands for “Comma Separated Variable Data Exchange”.

Exporting Objects from Active Directory

Here I will show you a few examples of using the CSVDE command with its most useful switches:

Example 1:

In the following example you learn how to export all Active Directory objects into a CSV file:

Csvde -f ADfull.csv

-f: this switch specifies the file you want to create; in our case we call it ADfull.csv.

Example 2:

In the following example you learn how to export AD objects with only specific attributes (columns):

Csvde -f adinfo.CSV -l "DN,objectClass,objectCategory,cn"

  1. DN: the object's distinguished name.
  2. objectClass: the class of the object (user, group, container...).
  3. objectCategory: the schema definition this object refers to.
  4. cn: common name, the friendly name used to refer to the object.

Note!

The resulting file will contain only the four columns you specified!

 

Example 3:

The -r switch is used to filter rows; in other words, it lets you select the type of records you want.

In our example, objectClass=user returns all user and computer objects (the computer class inherits from user):

Csvde -f adinfo.CSV -l "DN,objectClass,objectCategory,cn" -r "(objectClass=user)"

Note!

-l stands for "list" (the list of attributes to export).

 

Example 4:

With this command you receive a specific attribute using a wildcard; in our case we receive all users whose name starts with "J":

Csvde -f adinfo.CSV -l "DN,objectClass,objectCategory,cn" -r "(&(objectClass=user)(cn=j*))"

Every comparison in the filter needs its own closing parenthesis; an unbalanced filter is rejected by CSVDE.

 

Here are all the switches you have seen so far:

Switch   What is the final result?
-f       Specifies the file name
-i       Import mode (the default is export)
-l       List of attributes (columns) to export
-r       LDAP search filter (defaults to "(objectClass=*)")
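The -l and -r behaviour of Examples 2 to 4, as an added example that is not part of the original post: a small Python evaluator that applies an LDAP search filter to an existing csvde export, so a -r filter (including an unbalanced one, like the missing parenthesis in Example 4 before correction) can be checked before it is run against the directory. SAMPLE_EXPORT is constructed data in csvde's own column layout, not a real export.

```python
"""Evaluate csvde-style -r filters against a csvde export (added example)."""
import csv
import io
import re

# Constructed sample in the column layout of csvde -l "DN,objectClass,objectCategory,cn".
# csvde separates multi-valued attributes (objectClass) with ";" and quotes any value
# that contains commas (objectCategory is a DN into the schema partition).
SAMPLE_EXPORT = """\
DN,objectClass,objectCategory,cn
"CN=John Doe,OU=Sales,DC=example,DC=com",top;person;organizationalPerson;user,"CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",John Doe
"CN=Jane Roe,OU=Sales,DC=example,DC=com",top;person;organizationalPerson;user,"CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",Jane Roe
"CN=WS01,CN=Computers,DC=example,DC=com",top;person;organizationalPerson;user;computer,"CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com",WS01
"CN=Sales Staff,OU=Sales,DC=example,DC=com",top;group,"CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com",Sales Staff
"""


def parse_filter(text):
    """Parse an LDAP filter such as (&(objectClass=user)(cn=j*)) into a nested tuple tree."""
    # Supports =, &, | and !; raises ValueError on unbalanced parentheses, the easiest
    # mistake to make when typing a filter on the command line.
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at position %d" % i)
        i += 1
        if i < len(text) and text[i] in "&|!":
            op = text[i]
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if i >= len(text) or text[i] != ")" or not children:
                raise ValueError("unbalanced parentheses after '%s'" % op)
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, children), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("missing ')' for comparison at position %d" % i)
        attr, eq, value = text[i:end].partition("=")
        if not attr or not eq or "(" in value:
            raise ValueError("malformed comparison: %r" % text[i:end])
        return ("=", attr.strip(), value.strip()), end + 1

    node, pos = parse(0)
    if pos != len(text):
        raise ValueError("trailing characters after filter: %r" % text[pos:])
    return node


def _lookup(row, attr):
    """LDAP attribute names are case-insensitive; csvde headers keep schema casing."""
    for key, value in row.items():
        if key and key.lower() == attr.lower():
            return value or ""
    return ""


def _matches(pattern, cell):
    """Match a filter value (with * wildcards) against one ;-separated csvde cell."""
    if cell == "":            # an absent attribute never matches, not even (attr=*)
        return False
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    rx = re.compile("^" + ".*".join(parts) + "$")
    return any(rx.match(v.lower()) for v in cell.split(";"))


def evaluate(node, row):
    """Apply a parsed filter to one export row (a dict from csv.DictReader)."""
    op = node[0]
    if op == "=":
        return _matches(node[2], _lookup(row, node[1]))
    if op == "&":
        return all(evaluate(c, row) for c in node[1])
    if op == "|":
        return any(evaluate(c, row) for c in node[1])
    return not evaluate(node[1][0], row)      # "!"


def select(export_text, filter_text, attributes):
    """Rows matching filter_text, reduced to `attributes` in -l order, as csvde -r/-l would."""
    tree = parse_filter(filter_text)
    reader = csv.DictReader(io.StringIO(export_text))
    return [{a: _lookup(row, a) for a in attributes} for row in reader if evaluate(tree, row)]
```

Because objectClass is multi-valued, (objectClass=user) matches the computer row too, exactly as Example 3 says; use objectCategory or (!(objectClass=computer)) to separate them.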

Importing Objects into Active Directory

By default, CSVDE runs in export mode. If you want to import objects you must add the -i switch.

Unlike exporting attributes, which is easy and fun, importing objects is more complicated because you need to prepare your database first. Keep the following points in mind:

  1. Default Domain Policy: you must allow blank passwords while the new objects are being imported into your database (set the minimum password length to 0).
  2. Back up AD: importing improper objects can damage your directory database.
  3. Know what you are doing: LDAP is the language you use here, so pay attention to the exact spelling of the attribute names.
  4. Know how to use ADSI Edit; you can find this tool in the Support folder of your server kit. With ADSI Edit you can understand the AD attributes.

 

To import a file into your Active Directory database, type:

C:\> csvde -i -f Filename.CSV

Note!

By default, all imported users are created in Disabled mode.
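A pre-import check for the preparation points above, as an added example that is not part of the original post: csvde -i applies the file as-is, so the script flags misspelled attribute names, malformed DNs, duplicate DNs or sAMAccountNames and password columns before the directory is touched. KNOWN_ATTRIBUTES is an assumed short allow-list to extend from ADSI Edit, and SAMPLE_IMPORT is constructed data.

```python
"""Sanity-check a CSV before feeding it to csvde -i (added example)."""
import csv
import io
import re

# Assumed allow-list of attribute names; extend it from ADSI Edit for what you import.
KNOWN_ATTRIBUTES = {"dn", "objectclass", "cn", "samaccountname", "givenname", "sn",
                    "displayname", "userprincipalname", "description", "mail"}
PASSWORD_ATTRIBUTES = {"unicodepwd", "userpassword"}   # csvde does not import passwords
# Simplified RDN shape (no escaped commas or '=' inside values).
RDN_RE = re.compile(r"^(CN|OU|DC)=[^,=;]+$", re.IGNORECASE)

# Constructed sample: one duplicate DN and one DN typed with ';' instead of ','.
SAMPLE_IMPORT = """\
DN,objectClass,sAMAccountName,givenName,sn
"CN=Erik Forman,OU=Sales,DC=example,DC=com",user,eforman,Erik,Forman
"CN=Dana Lee,OU=Sales,DC=example,DC=com",user,dlee,Dana,Lee
"CN=Dana Lee,OU=Sales,DC=example,DC=com",user,dlee2,Dana,Lee
"OU=Sales;DC=example;DC=com",organizationalUnit,,,
"""


def check_dn(dn):
    """Return a problem description, or None if every RDN looks like type=value."""
    if not dn:
        return "empty DN"
    bad = [rdn for rdn in dn.split(",") if not RDN_RE.match(rdn.strip())]
    return "malformed RDN(s): %s" % ", ".join(bad) if bad else None


def check_import(text):
    """Return a list of (row number, message); an empty list means the file looks safe."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    headers = [h.strip() for h in reader.fieldnames or []]
    lower = [h.lower() for h in headers]
    if "dn" not in lower or "objectclass" not in lower:
        problems.append((1, "header must contain DN and objectClass"))
    for h in headers:
        if h.lower() in PASSWORD_ATTRIBUTES:
            problems.append((1, "%s column: csvde cannot import passwords" % h))
        elif h.lower() not in KNOWN_ATTRIBUTES:
            problems.append((1, "unknown attribute name %r (check the spelling in ADSI Edit)" % h))
    seen_dn, seen_sam = {}, {}
    for n, row in enumerate(reader, start=2):          # row 1 is the header
        row = {k.lower(): (v or "").strip() for k, v in row.items() if k}
        dn = row.get("dn", "")
        err = check_dn(dn)
        if err:
            problems.append((n, err))
        if dn.lower() in seen_dn:
            problems.append((n, "duplicate DN, first seen on row %d" % seen_dn[dn.lower()]))
        seen_dn.setdefault(dn.lower(), n)
        if not row.get("objectclass"):
            problems.append((n, "missing objectClass"))
        if row.get("objectclass", "").lower() == "user" and not row.get("samaccountname"):
            problems.append((n, "user without sAMAccountName"))
        sam = row.get("samaccountname", "").lower()
        if sam and sam in seen_sam:
            problems.append((n, "duplicate sAMAccountName %r" % sam))
        if sam:
            seen_sam.setdefault(sam, n)
    return problems
```

Run it on the real import file and only call csvde -i once the list comes back empty.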

RODC (Read-Only Domain Controller)

Nov 20
2009

The RODC is a new feature in Server 2008, or, to be precise, a new kind of domain controller. Its main purpose is to address security issues: we can now use an RODC in small sites where we cannot place a physical server because we cannot secure it. The RODC gives us a domain controller without the sensitive data of our organization, and lets us delegate the appropriate permissions to the local administrator.

Replication to the RODC works in one direction only: everything in the RODC's database comes from the root (writable) domain controller. The RODC holds all objects and their attributes.

 

So let's imagine the following scenario: you put an RODC in a small site, the worst case happens and there is a thief on the site. The RODC protects the organization's data as follows:

  • Unlike a regular domain controller, the RODC does not give access to the organization's writable Active Directory database, because it holds only a readable copy, so nobody can change objects from the small site.
  • If we disable password caching on the RODC, an attacker cannot use brute force to crack our passwords and gain access to our database, because the RODC does not contain the objects' credentials.
  • One of the most sensitive roles on a DC is the DNS database; with an RODC we protect our DNS database so an attacker cannot get at our DNS records. If the RODC holds the DNS role, dynamic updates cannot be enabled on it: a DNS record update does not happen on the RODC, the RODC forwards the request to the root DC (the writable database), and only then is the record updated and sent back to the RODC server.
  • When you give the local admin delegation, he can install software on the RODC; to receive that delegation the local admin needs to be included in the Domain Admins group.

Note!

If an attacker gets the local admin password, he cannot make changes on other domain controllers.

RODC Deployment

Before we deploy the RODC server our environment needs to meet a few prerequisites:

  1. To deploy an RODC we need at least one writable DC running Server 2008 or Server 2008 R2, and both servers need to be in the same domain. The reason is that the RODC needs to get a replica of our database because it does not have one of its own.
  2. Now we need to prepare our domain and schema; here there are two different possibilities:

-          The first option is a new forest with only 2008 domain controllers; in that case we do not need to run the adprep /rodcprep command.

-          The second option, and probably the most relevant, is a forest with both 2003 and 2008 servers. In that case we need to prepare both the forest and the domain with the following commands:

Adprep /forestprep (on the schema master).

Adprep /domainprep /gpprep (on the infrastructure master).

Adprep /rodcprep (you can run it on any domain controller).

  3. Make sure your forest functional level is Server 2003 or higher.
  4. Add yourself to the Domain Admins group.

 

Installing RODC (Full Installation): follow these easy steps:

  1. First connect to your server and join it to the domain (we do this when we are not using a delegated install).
  2. Run "Dcpromo".
  3. Choose "Existing Forest" and "Add a domain controller to an existing domain".
  4. On the Network Credentials page, type the name of a domain in the forest, and then click Next.
  5. Select the domain for the RODC, and then click Next.
  6. Choose the site you want to add the RODC to.
  7. In "Additional Domain Controller Options" choose:

-          DNS server.

-          Global Catalog.

-          RODC.

  8. Next -> Finish.

 

Installing RODC (Delegated Installation): follow these easy steps:

This is an optional possibility for us, the organization admins, to give the power to another user (of course we need to trust this person...).

The installation has 2 stages, and both people need to be involved in them in the following way:

  1. The "big" admin with the domain credentials needs to create the RODC account in AD DS; that account includes all the records and data we need to attach the RODC in the second stage. This stage must be done with the right credentials (Domain Admins group). During this stage we also specify the user account that will proceed with the second stage.
  2. The "small" admin needs to connect the RODC that sits in the other physical location to the account the "big" admin created in the first stage. The server we install the RODC on must be joined to the domain before we proceed with the RODC installation. During the RODC installation the wizard checks that our credentials match what was created in the first stage and that the name of the RODC matches the name of the account created in stage one.

Stage 1:

To create an RODC account using Active Directory Users and Computers:

  1. Open Run.
  2. Type DSA.msc (the Active Directory Users and Computers snap-in opens).
  3. Open "Domain Controllers".
  4. Click "Domain Controllers" -> Actions.
  5. Click "Pre-create Read-only Domain Controller account".
  6. A wizard opens.
  7. On the Network Credentials page, under "Specify the account credentials to use to perform the installation", click "My current logged on credentials".

Note!

We can specify the credentials of another account:

Alternate credentials -> Set. In the Windows Security dialog box, provide the user name and password of an account that can install the additional domain controller.

  8. Now you are asked to provide the name of the RODC server.
  9. On the site selection page, provide the site the RODC will belong to.
  10. In "Additional Domain Controller Options" follow Microsoft's recommendations, as follows:

    • DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this check box. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the WAN to the hub site is offline.
    • Global catalog: This option is selected by default. It adds the read-only directory partitions of the global catalog to the domain controller, and it enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN to the hub site is offline.
    • RODC: When you create an RODC account, this option is selected by default and you cannot clear it.

  11. In Select Users, Computers, and Groups, type the names of the accounts that you want to add to the policy -> OK.
  12. On the Delegation of RODC Installation and Administration page, type the name of the user or group who will attach the server to the RODC account that you are creating.
  13. Check the Summary page to review the entire configuration we created, then click Next.

That was the first stage of the RODC installation; after creating the account we need to install the RODC server and connect it to the account we just created.

 

Stage 2:

Attach the RODC server to the account we created:

  1. Connect to the RODC server (the server we want to install the RODC on) with local administrator credentials.
  2. Open Run and type: Dcpromo /UseExistingAccount:Attach
  3. On the welcome screen click Next.
  4. On the Network Credentials page, insert the domain name in the forest where you want to install your additional DC. Under "Specify the account", choose "Alternate credentials" -> Set -> in the Windows Security dialog provide the credentials that were delegated in the first stage.
  5. On the Select Domain Controller Account page -> Confirm -> Next.
  6. Location for Database, Log Files, and SYSVOL: here you specify the location of these databases.
  7. The Directory Services Restore Mode Administrator Password page: insert your recovery credentials.

Note!

Right now it seems unimportant, but when you have database corruption or a failed server, trust me, you will need this password, so keep it somewhere you can remember!!!!

!!!!!Good Luck You Have a New Read Only Domain Controller!!!!!

Group Policy Advanced

Nov 12
2009

Group Policy is a centralized management tool that helps us perform many tasks on many computers in an Active Directory environment: security settings, software deployment and much more.

What is it used for?

  • First, we can deploy scripts to all clients; for example, a script that maps network folders for users when they log on to their computers.
  • Control what users can and cannot do on the network: here we specify limits for users. Say we want to harden our network; with GPOs we can limit which network resources users can access, and many more useful things.
  • We can deploy software to client computers in a few simple steps. Say you need to deploy Office 2007 to 100 clients: all you need to do is create a policy that installs the software, which saves you going from computer to computer.

Note!

We can deploy policy in two different ways:

-          We can apply policy to computers.

-          We can apply policy to users.

How do we manage Group Policy deployment?

The easiest way to work with Group Policy is to download the GPMC ("Group Policy Management Console").

We can download it from the Microsoft site at the following link:

http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

After you download it, simply install it following Microsoft's directions.

What is the Loopback option?

Group Policy can be applied both to users and to computers, and a policy is normally applied according to the object's location in our Active Directory infrastructure. But sometimes we want to apply user settings based only on the computer's location in our environment; in other words, with loopback the policy is applied based on the physical computer the user logs on to, regardless of the policy the user would get from his own location in AD.

To create a loopback policy that is applied to users based on the physical computer, follow these steps:

Note!

After we enable loopback, we direct the system to apply the GPOs of the computer the user logs on to.

  1. Open the Group Policy Microsoft Management Console (MMC) snap-in.
  2. Open Computer Configuration.
  3. Expand Administrative Templates.
  4. Click System.
  5. Click Group Policy.
  6. Enable the loopback policy.

Note!

To use the loopback option, all the objects we want to apply the policy to need to be in Active Directory.

What are WMI filters?

WMI filters are a way to fine-tune the application of GPOs. They are evaluated at the time of a Group Policy refresh on the client. If any of the filter's queries returns a result (essentially meaning it evaluates to true), the WMI filter is considered true and the GPO it is linked to is applied. If the WQL queries return nothing in the result set, the GPO is not applied.

In other words, we can set criteria for applying policies. Let's give an example:

You want to deploy Office 2007, but some client computers already have Office 2007 installed. You can target the software deployment at all clients (including the ones with Office 2007) and create a filter that applies the policy only if the client computer does not have Office 2007.

What are ADM files?

Although Group Policy is a wonderful tool, it has limits; ADM files help us resolve that problem. For example, we can download an ADM file with restrictions that apply only to Office 2007.

So, to start working with ADM files, we first need to download them from the following address:

http://www.microsoft.com/downloads/details.aspx?familyid=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en

Now all you need to do is find the ADM file you want and use it to apply your policies to users.

Active Directory Sites and Services Including Partitions

Nov 06
2009

The main purpose of this snap-in is to configure the replication topology of your network environment. By default, after we install the first domain controller, the first site is created and called "Default-First-Site". Replication can occur in two ways:

  • The first option is replication between two domain controllers in the same site, over a LAN.
  • The second option is replication between two sites; here we replicate between two LANs connected over a WAN.

The secondary purposes of the Sites and Services snap-in:

  • First, we can check our replication topology and get all the information we need about our servers and domain controllers.
  • We can create subnets in two sites to specify the different address ranges of the sites and reduce network traffic, for example:

-          Site 1 = 192.168.101.1 – 192.168.101.253.

-          Site 2 = 192.168.103.1 – 192.168.103.253.

  • And of course here we specify which DC is a Global Catalog server.
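The subnet-to-site mapping described above, as an added example that is not part of the original post: it resolves a client address to its site the way the subnet objects in Sites and Services do (most specific subnet wins), lists clients that no subnet covers, and flags subnet entries typed with host bits set. The two ranges above are assumed to be the /24 networks 192.168.101.0/24 and 192.168.103.0/24; SITE_SUBNETS and the client addresses are constructed.

```python
"""Resolve client addresses to AD sites from a subnet table (added example)."""
import ipaddress

# Constructed subnet-to-site table. The /25 inside Site1's /24 shows that the most
# specific subnet wins, which is also how AD assigns a client to a site.
SITE_SUBNETS = {
    "192.168.101.0/24": "Site1",
    "192.168.103.0/24": "Site2",
    "192.168.101.128/25": "Site1-Lab",
}


def site_for_client(ip, subnets=SITE_SUBNETS):
    """Site of the client at `ip`: longest matching prefix, or None if no subnet covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)   # tolerate host bits during lookup
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def unsited_clients(ips, subnets=SITE_SUBNETS):
    """Clients no subnet covers: they are not tied to a site, so they may end up
    talking to a DC across the WAN, which defeats the traffic reduction the subnets
    are there to provide."""
    return [ip for ip in ips if site_for_client(ip, subnets) is None]


def invalid_subnets(subnets=SITE_SUBNETS):
    """Entries whose address has host bits set, e.g. 192.168.101.1/24 typed from the
    first usable address instead of the network address the subnet object expects."""
    bad = []
    for cidr in subnets:
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            bad.append(cidr)
    return bad
```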

So when we talk about replication, let's understand what is replicated; to do that we first need to understand the Active Directory partitions:

The Active Directory database is separated into 5 different partitions. Within a single forest, all domain controllers have at least two partitions in common, the Schema and Configuration partitions; these two are located at the forest level. So let's understand the partitions:

Schema Partition:

This partition is unique because we have only one schema per forest. The schema partition is stored on each DC in our forest. It contains the definitions of all the objects and attributes that have been created in our Active Directory. The schema information is replicated to each DC in the forest, and for that reason we need to follow the schema definitions.

Configuration Partition:

Like the schema, the configuration partition is also unique because it is at the forest level and there is only one in the entire forest; like the schema partition, it is replicated to all DCs in the forest. The configuration partition contains all the information about the Active Directory structure in our forest. For that reason we can see in this partition all the information about the domain controllers, services and sites that exist in the forest.

Domain Partition:

The domain partition can be found on each domain controller in our forest. This partition contains all the information we need about the specific objects created in the domain (users, groups, computers and more); the domain partition is replicated to all the domain controllers of that domain. All these objects are also located and stored in the Global Catalog.

Application Partition:

Application partitions store information about applications installed in Active Directory. An application partition cannot contain security principals (users and more), and unlike the domain partition, its objects are NOT stored in the Global Catalog.

Replication Topology:

The replication topology is the route over which replication data travels through your network environment. Replication occurs between two domain controllers at a time.

To create a replication topology, we need to specify in AD which replica goes to each domain controller.

If you remember, we said before that two partitions belong to the entire forest (Schema and Configuration); in other words, each DC in the forest holds a replica of them. If we have several domains in our forest, the DCs inside each domain also replicate that domain's partition.

Knowledge Consistency Checker (KCC):

This feature is a built-in process that runs on each DC and verifies that the replication of the partitions this DC holds happens as it should and in the right order. By default the KCC runs every 15 minutes.

Global Catalog and Replication of Partitions:

The Global Catalog lets us share objects from our Active Directory with the entire forest and all its domains. These resources are stored in the Global Catalog and can be searched by users (a nice example is searching for any object in Active Directory, such as users or computers). As you understand, without the Global Catalog every server would need to search every DC in the forest, and that is not good for us.

Microsoft recommends having at least one Global Catalog server, hosted on a domain controller. The Global Catalog is hosted on a domain controller and holds objects and attributes from the whole Active Directory.

Note!

By default, to work with the Global Catalog you need to be a member of the Schema Admins group.

The Global Catalog contains the following:

  1. The default attributes of each object type (users, computers...).
  2. All the attributes we need when we query AD, such as a user's first and last name and logon name.
  3. Information that helps determine the location of an object in AD.
  4. The permissions of every object type (this ensures that users receive only the results they have permissions on; objects without permissions are not displayed in the query response).

So let's sum up the GC:

  • A Global Catalog server is a domain controller that contains a full and writable replica of its own domain directory partition.
  • A Global Catalog server is a domain controller that also contains a read-only replica of all the other domain directory partitions in the forest (storing only the important attributes of each object).

Note!

Microsoft recommends having a Global Catalog server in every Active Directory site in an enterprise network.

More about sites and subnets:

Sites in AD help us define our physical network structure; we separate sites with TCP/IP subnets. A single site can contain more than one subnet.

 

What is Replication Monitor?

  • It displays replication information both directly and transitively; with this tool we can monitor our replication topology, see which objects have not replicated from a domain controller, and trigger the KCC to recalculate the replication topology.

Note!

We can run Replication Monitor from each domain controller, or from any computer that runs Server 2003.

How to configure Replication Monitor:

  1. Open Start -> Run, type Replmon and press OK.
  2. In the View menu, click Options.
  3. You will see the "Active Directory Replication Monitor Options" page; go to the Status Logging tab and check "Display Changed Attributes when Replication Occurs".
  4. Click "Monitored servers" and add the domain controller you want.

 

Repadmin.exe Tool:

This tool helps us with tasks related to our replication topology.

With this tool we can see our replication topology (on each DC); we can also use Repadmin to force replication and view the replication metadata.

Dcdiag Tool:

We can use this tool to analyze the state of domain controllers and check for any problems that occur; we can see problems related to connectivity, replication, topology integrity and intersite health.

At a command prompt, type Dcdiag followed by one of these switches:

Switch        Description
/v            Provides verbose results. When you use /v, the output from dcdiag provides a lot of information that can help you troubleshoot a problem.
/f:LogFile    Redirects output to the specified log file.

Windows Server 2008 R2 – Active Directory Recycle Bin

Nov 03
2009


Here I want to talk about the new feature that R2 gives us, which saves us administrators a lot of time and a lot of screaming from our bosses.

So what does this wonderful new feature do? Well, as you already understand, Microsoft developed this tool to restore deleted objects from our Active Directory without using any backup program.

But as you know, not everything is as good as it sounds: when you restore an object from backup, your Active Directory has to go into DSRM, which means your domain controller goes into offline mode, and as you may already understand, offline is the opposite of online... so a few services are stopped during the restore.

Now that we understand what happens when we restore, I want to explain what happens to the changes made between the last backup and the restore. As with every backup, all changes that were added or made to the object after you created the backup are not restored!

Let's give an example:

You created the backup on Sunday morning; this backup includes the new user for the sales department named "Erik Forman". On Monday your bosses decide to promote Erik into the "Retention" group; well, everybody is happy, but not for long: on Monday evening your employee accidentally deleted Erik's account. No need to be upset, because you have R2 and can recover it, but the object is recovered without the changes you made. Well, that is a stupid example, because you tell yourself you can simply create a new user and that's it, but imagine the next scenario, where your worker accidentally deleted the entire "Sales" organizational unit: well, you fucked up, and here you wish you had a tool that does what this feature allows you to do.

When you use the Active Directory Recycle Bin feature you also minimize directory service downtime, because you do not need to reboot the server as you do when restoring from a tombstone or with a backup program.

Now that you understand what the tool can do for you, let's understand the requirements for using it. By default this feature is disabled, so if you want to enable it and enjoy it, your network needs to meet the following requirements, in different areas:

  • THE SCHEMA: here we need to understand what we have in our environment and how we get there:

  1. If you install a new Server 2008 R2 on a clean machine (clean installation), you do not need to update your schema because it already has all the attributes necessary for the AD Recycle Bin.
  2. The second option, and of course the most relevant, is that you already have a forest that includes domain controllers running Server 2003 or Server 2008. You need to raise the functional level to use this feature, which means you need to upgrade all the servers in your forest to Active Directory 2008 R2. That is not enough, because you also need to update your schema; to do so you need to run a few commands on one of your AD servers. Follow these steps:

-          Go to the server that holds the Schema Master role and run:

           Adprep /forestprep (by running this command you update your entire forest)

-          Adprep /domainprep /gpprep.

Note!

If you have an RODC in your forest you also need to run:

Adprep /rodcprep

  • THE SERVERS: make sure all your servers are running Server 2008 R2.
  • THE FUNCTIONAL LEVEL: you need to make sure that the forest functional level is set to "Windows Server 2008 R2" (all your domain functional levels need to be raised to this level before you can raise the forest functional level).

 

 

Now that we understand all the benefits of this feature, let's be more specific and see how we meet all the requirements:

  1. Raise the domain functional level of each domain to "Windows Server 2008 R2":

Start -> All Programs -> Administrative Tools -> "Active Directory Users and Computers" -> right-click your domain name -> Raise Domain Functional Level -> "Windows Server 2008 R2".

Note!

After we finish raising all the domain functional levels, we need to raise the forest functional level.

  2. Raise the functional level of the entire forest:

Start -> All Programs -> Administrative Tools -> "Active Directory Domains and Trusts" -> right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

  3. Now we need to enable the Active Directory Recycle Bin:

To do this we have two options, but here I cover the method Microsoft recommends, using LDP.exe.

-          Start -> Run -> type LDP.exe.

-          Now we need to connect and bind to the DC that holds the forest root domain:

Connection -> Connect -> click Bind.

-          Click View -> Tree (in BaseDN), choose the Configuration partition (you also see the Schema partition) -> click OK.

-          Now that the console tree is open, go to the distinguished name of the configuration directory partition -> find the CN=Partitions container -> right-click it -> click Modify.

-          Verify that the DN box is empty and, in Edit Entry Attribute, type enableOptionalFeature.

-          In the Modify dialog box, in Values, type CN=Partitions,CN=Configuration,DC=mydomain,DC=com:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a. Replace mydomain and com with the appropriate forest root domain name of your AD DS environment.

-          In the Modify dialog box, under Operation click Add, click Enter, and then click Run.

 

 

Now that we have configured it, we need to understand how to use it.

So let's say the worst-case scenario happens and you deleted critical objects; how can we see what has been deleted?

  1. Start -> Run -> type LDP.exe -> Options menu -> Controls.
  2. When the Controls dialog opens -> click "Load Predefined" -> select "Return deleted objects" -> click OK.

Now for the punch line, the restore process:

  1. Start -> Run -> type LDP.exe.
  2. Now we need to connect and bind to the DC that holds the forest root domain:

Connection -> Connect -> click Bind.

  3. In the console tree, find "CN=Deleted Objects".
  4. Now all you need to do is locate the deleted objects:

-          Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.

In the Modify dialog that opens, do the following:

  1. In Edit Entry Attribute, type isDeleted.
  2. Leave the Values box empty.
  3. Under Operation, click Delete, and then click Enter.
  4. In Edit Entry Attribute, type distinguishedName.
  5. In Values, type the object's original Active Directory DN.
  6. Under Operation, click Replace.
  7. Click Enter -> Run.
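The two-attribute modify the LDP steps above perform, written out as an LDIF record, as an added example that is not part of the original post. It also orders a batch of restores parent-first, which matters in the "whole Sales OU deleted" case: a user cannot be restored into an OU that is itself still in the Deleted Objects container. The deleted-object DN form CN=<name>\0ADEL:<objectGUID> under CN=Deleted Objects is assumed (the post does not show it), and all DNs and GUIDs are constructed.

```python
"""Build Recycle Bin restore operations as LDIF modify records (added example)."""

DOMAIN_DN = "DC=mydomain,DC=com"   # constructed, matching the post's mydomain/com placeholder


def deleted_dn(original_dn, object_guid, domain_dn=DOMAIN_DN):
    """DN the object carries inside CN=Deleted Objects (assumed form; the RDN value
    must not contain escaped commas for the simple split used here)."""
    rdn, _, _ = original_dn.partition(",")
    return "%s\\0ADEL:%s,CN=Deleted Objects,%s" % (rdn, object_guid, domain_dn)


def restore_ldif(deleted, original_dn):
    """One LDIF 'modify' record: clear isDeleted, then move the object back to original_dn,
    exactly the Delete/Replace pair entered in the LDP Modify dialog above."""
    return "\n".join([
        "dn: " + deleted,
        "changetype: modify",
        "delete: isDeleted",
        "-",
        "replace: distinguishedName",
        "distinguishedName: " + original_dn,
        "-",
        "",
    ])


def restore_plan(deleted_objects):
    """Order (deleted DN, original DN) pairs so containers come before their children.

    Depth is taken as the number of RDNs in the original DN (commas, unescaped DNs
    assumed): an OU with 3 RDNs is restored before a user with 4."""
    return sorted(deleted_objects, key=lambda pair: pair[1].count(","))


def restore_batch_ldif(deleted_objects):
    """LDIF for a whole batch, in restore order."""
    return "\n".join(restore_ldif(d, o) for d, o in restore_plan(deleted_objects))


if __name__ == "__main__":
    ou = "OU=Sales,DC=mydomain,DC=com"
    erik = "CN=Erik Forman,OU=Sales,DC=mydomain,DC=com"
    # Constructed GUIDs; in practice read objectGUID from the deleted object itself.
    batch = [(deleted_dn(erik, "66666666-7777-8888-9999-000000000000"), erik),
             (deleted_dn(ou, "11111111-2222-3333-4444-555555555555"), ou)]
    print(restore_batch_ldif(batch))
```

The record can be reviewed before anything is applied, which is the main advantage over typing the values into the LDP dialog one object at a time.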
