Reseaux III Win2k8
Transcript of Reseaux III Win2k8
-
7/28/2019 Reseaux III Win2k8
1/153
Reseaux III
Windows Server 2008
Presented by:
Willio St Preux
-
2/153
Windows Server 2008 Context
Versions: Full, Core
Minimum requirements: 512 MB of RAM, 10 GB of hard disk, 1 GHz (32-bit) or 1.4 GHz (64-bit) processor
http://www.microsoft.com/windowsserver2008
-
3/153
Active Directory Presentation
Active Directory, Identity and Access (IDA):
Stores information: users, groups, and other identities
Authenticates and identifies
Controls access
Provides an audit trail
-
4/153
Active Directory Presentation
Consolidation of previous components:
Active Directory Domain Services (Identities)
Active Directory Lightweight Directory Services (Application)
Active Directory Certificate Services (Trust)
Active Directory Rights Management Services (Integrity)
Active Directory Federation Services (Partnership)
-
5/153
Active Directory Presentation
Components of an Active Directory infrastructure: Active Directory data store, domain controllers, domain, forest, tree
-
6/153
Active Directory Presentation
Components of an Active Directory infrastructure: functional level, organizational units, sites
-
7/153
Active Directory Presentation
Preparing to create a new Windows Server 2008 forest:
Domain names
Whether or not to support previous DCs
Whether DNS will be integrated in Active Directory
IP configuration for DCs
User name and password of the administrator
Location of the data store (ntds.dit) and SYSVOL
-
8/153
Active Directory Presentation
Adding the AD DS role using the Windows interface
Creating a domain controller
-
9/153
Administration: Working with Active Directory Snap-ins
Understanding the Microsoft Management Console
Active Directory administrative tools: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, Active Directory Schema
-
10/153
Administration: Working with Active Directory Snap-ins
Finding the Active Directory administrative tools
Adding the administrative tools to your Start menu
Running administrative tools with alternate credentials
Creating, distributing and saving a custom console with Active Directory snap-ins
-
11/153
Administration: Creating Objects in Active Directory
Creating an organizational unit
Creating a user object
Creating a group object
Creating a computer object
Finding objects in Active Directory
Understanding DNs, RDNs, CNs
-
12/153
Administration: Delegation and Security of Active Directory Objects
Understanding delegation
Viewing the ACL of an Active Directory object
Object, property, and control access rights
Assigning a permission using the Advanced Security Settings dialog box
Understanding and managing inheritance
-
13/153
Administration: Delegation and Security of Active Directory Objects
Reporting and viewing permissions: dsacls.exe ou=people,dc=contoso,dc=com
Removing or resetting permissions on an object
Understanding effective permissions
Designing an OU structure to support delegation
-
14/153
Users: Automating the Creation of User Accounts
Creating users with templates: General, Address, Account, Profile, Organization, Member Of
-
15/153
Users: Automating the Creation of User Accounts
Using the Active Directory command-line tools:
Dsadd: creates an object in the directory. Ex: dsadd user "cn=Mike Fitzmaurice,ou=people,dc=contoso,dc=com"
Dsget: returns specified attributes of an object. Ex: dsget user "cn=Mike Fitzmaurice,ou=people,dc=contoso,dc=com" -hmdir
Dsmod: modifies specified attributes of an object. Ex: dsmod user "cn=Mike Fitzmaurice,ou=people,dc=contoso,dc=com" -office Amsterdam
Dsrm: removes an object from the directory. Ex: dsrm "cn=Mike Fitzmaurice,ou=people,dc=contoso,dc=com"
-
16/153
Users: Creating Users with Windows PowerShell and VBScript
PowerShell: a command line and a scripting language; an installed feature of Windows Server 2008; direct manipulation of Microsoft .NET
Understanding Windows PowerShell syntax: cmdlets and objects
Cmdlet: Verb-Noun, a verb and a noun separated by a hyphen. Ex: Get-Service and Start-Service
Object: an instance of a class
Using variables: $DNS = Get-Service DNS; $DNS.Status
-
17/153
Users: Creating Users with PowerShell and VBScript
PowerShell:
Connect to the container (OU) in which the object will be created: $objOU = [ADSI]"LDAP://OU=People,DC=contoso,DC=com"
Invoke the Create method of the container with the object class and the RDN: $objUser = $objOU.Create("user", "CN=Mary North")
Populate attributes of the object with the Put method: $objUser.Put("sAMAccountName", "mary.north")
Commit the changes to Active Directory with the object's SetInfo method: $objUser.SetInfo()
VBScript: Set objUser = GetObject("LDAP://UserDN") : objUser.Put "company", "Contoso, Ltd." : objUser.SetInfo
-
18/153
Users: Administering User Accounts
Purpose of a user object: to support the authentication of a human being or a service
User accounts are provisioned, administered, and deprovisioned
Administrative tasks relative to user accounts are: resetting passwords, unlocking an account, enabling, deleting, moving and renaming.
-
19/153
Users: Administering User Accounts
Resetting a user's password
Command line: dsmod user UserDN -pwd NewPassword -mustchpwd yes
PowerShell: $objUser = [ADSI]"LDAP://UserDN"; $objUser.SetPassword("NewPassword") (takes effect immediately, no commit needed)
To force a change at next logon: $objUser = [ADSI]"LDAP://UserDN"; $objUser.Put("pwdLastSet", 0); $objUser.SetInfo()
VBScript: Set objUser = GetObject("LDAP://UserDN") : objUser.SetPassword "NewPassword" : objUser.Put "pwdLastSet", 0 : objUser.SetInfo
-
20/153
Users: Administering User Accounts
Unlocking a user account: neither the command line nor PowerShell provides a tool for unlocking an account.
VBScript: Set objUser = GetObject("LDAP://UserDN") : objUser.IsAccountLocked = False : objUser.SetInfo
Disabling and enabling a user account
Command line: dsmod user UserDN -disabled yes
PowerShell: $objUser = [ADSI]"LDAP://UserDN"; $objUser.psbase.InvokeSet("AccountDisabled", $true); $objUser.SetInfo()
VBScript: Set objUser = GetObject("LDAP://UserDN") : objUser.AccountDisabled = True : objUser.SetInfo
-
21/153
Users: Administering User Accounts
Deleting a user account
Command line: dsrm UserDN
PowerShell: $objOU = [ADSI]"LDAP://OrganizationalUnitDN"; $objOU.Delete("user", "CN=UserCN")
VBScript: Set objOU = GetObject("LDAP://OrganizationalUnitDN") : objOU.Delete "user", "CN=UserCN"
Moving a user account
Command line: dsmove UserDN -newparent TargetOUDN
PowerShell: $objUser = [ADSI]"LDAP://UserDN"; $objUser.psbase.MoveTo([ADSI]"LDAP://TargetOUDN")
VBScript: Set objOU = GetObject("LDAP://TargetOUDN") : objOU.MoveHere "LDAP://UserDN", vbNullString
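The [ADSI] operations from slides 17 to 21 (create, reset password, disable, move) put together as a deprovisioning sequence; this is an added example, not code from the course, and the OU DNs, the user name and the temporary password are assumed.

```powershell
# Added example (not from the course slides): create, reset, disable and move a user
# through the same [ADSI] LDAP provider the slides use. DNs and names are assumed.
$peopleOU  = "OU=People,DC=contoso,DC=com"      # assumed OU for new users
$archiveOU = "OU=Disabled,DC=contoso,DC=com"    # assumed holding OU for deprovisioned users

function New-AdsiUser {
    param([string]$OuDN, [string]$Cn, [string]$SamAccountName)
    $ou   = [ADSI]("LDAP://" + $OuDN)
    $user = $ou.Create("user", "CN=" + $Cn)        # object class, then RDN
    $user.Put("sAMAccountName", $SamAccountName)
    $user.SetInfo()                                 # the object exists only after this commit
    # A user created this way is disabled by default (userAccountControl has ACCOUNTDISABLE
    # and PASSWD_NOTREQD set); enable it only after a password has been set.
    return $user
}

function Reset-AdsiPassword {
    param([string]$UserDN, [string]$NewPassword)
    $user = [ADSI]("LDAP://" + $UserDN)
    # SetPassword is an IADsUser method and takes effect immediately; no SetInfo() needed.
    $user.psbase.Invoke("SetPassword", $NewPassword)
    # pwdLastSet = 0 means "must change password at next logon"; Put() only caches the
    # value until SetInfo() writes it.
    $user.Put("pwdLastSet", 0)
    $user.SetInfo()
}

function Set-AdsiAccountDisabled {
    param([string]$UserDN, [bool]$Disabled)
    $user = [ADSI]("LDAP://" + $UserDN)
    $user.psbase.InvokeSet("AccountDisabled", $Disabled)   # IADsUser property
    $user.SetInfo()
}

function Move-AdsiObject {
    param([string]$ObjectDN, [string]$TargetOuDN)
    $obj = [ADSI]("LDAP://" + $ObjectDN)
    # MoveTo() wants a DirectoryEntry for the new parent, not a bare path string.
    $obj.psbase.MoveTo([ADSI]("LDAP://" + $TargetOuDN))
}

# Provision, then deprovision: disable first and move second, so the account is never
# enabled while it sits in the holding OU.
$userDN = "CN=Mary North," + $peopleOU
New-AdsiUser -OuDN $peopleOU -Cn "Mary North" -SamAccountName "mary.north" | Out-Null
Reset-AdsiPassword -UserDN $userDN -NewPassword "Temp-Passw0rd!"   # assumed temporary password
Set-AdsiAccountDisabled -UserDN $userDN -Disabled $true
Move-AdsiObject -ObjectDN $userDN -TargetOuDN $archiveOU
```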
-
22/153
Groups: Creating and Managing Groups
Defining group naming conventions: the name should reflect the type and the purpose of the group. Ex: ACL_Sales Folder_Read
Understanding group types: Security and Distribution
Understanding group scope: Local, Domain Local, Global, Universal
-
23/153
Groups: Understanding Scope
Local groups, characteristics:
Replication: the group is defined only in the local SAM of a member server; the group and its membership are not replicated to any other system
Membership: any security principal from the domain (users, computers, global groups, or domain local groups); users, computers, and global groups from any domain in the forest; users, computers, and global groups from any trusted domain; universal groups defined in any domain in the forest
Availability: computer-wide scope only; it cannot be used as a member of any other group
-
24/153
Groups: Understanding Scope
Domain local groups
Replication: to every domain controller in the domain
Membership: users, computers, global groups, or other domain local groups from the same domain; users, computers, and global groups from any domain in the forest; users, computers, and global groups from any trusted domain; universal groups defined in any domain in the forest
Availability: can be added to ACLs on any resource on any domain member; can be a member of other domain local groups or even of computer local groups
-
25/153
Groups: Understanding Scope
Global groups
Replication: to all domain controllers in the domain
Membership: users, computers, and other global groups from the same domain only
Availability: can be used by all domain members as well as by all other domains in the forest and all external trusting domains; can be added to any domain local or universal group in the domain or forest; can be added to ACLs in the domain, the forest, or trusting domains
-
26/153
Groups: Understanding Scope
Universal groups
Replication: defined in a single domain but replicated to the global catalog
Membership: users, global groups, and other universal groups from any domain in the forest
Availability: can be a member of a universal group or a domain local group anywhere in the forest; can also be used to manage resources as a domain local group does
-
27/153
Groups: Converting Group Scope and Type
A group type can be converted at any time. By converting a security group to a distribution group, any permissions assigned to the group are lost.
A group scope can be changed in the following ways:
Global to Universal
Domain Local to Universal
Universal to Global
Universal to Domain Local
-
28/153
Groups: Managing Group Membership
Members can be added to or removed from a group.
Group nesting: accounts are members of global groups, which are members of domain local groups that represent management rules, which are added to access control lists (ACLs), which provide the level of access required by the rule.
-
29/153
Groups: Automating the Creation and Management of Groups
Creating groups with dsadd: dsadd group GroupDN
Ex: dsadd group "cn=Marketing,ou=Groups,dc=contoso,dc=com" -samid Marketing -secgrp yes -scope g
Attributes of the group:
-secgrp {yes | no} specifies the group type (security or distribution)
-scope {l | g | u} determines the scope: domain local (l), global (g) or universal (u)
-samid Name specifies the sAMAccountName of the group
-desc Description configures the group description
-members MemberDN adds members to the group
-
30/153
Groups: Importing Groups with CSVDE
Introduced in chapter 3, csvde imports and exports data from comma-separated value files.
Ex:
objectClass,sAMAccountName,DN,member
group,Marketing,"CN=Marketing,ou=Groups,dc=contoso,dc=com","cn=linda mitchell,ou=people,dc=contoso,dc=com;cn=scott mitchell,ou=people,dc=contoso,dc=com"
The file can be imported into Active Directory with this command: csvde -i -f filename -k
Csvde can import new objects and export existing ones, but it cannot modify existing objects.
-
31/153
Groups: Retrieving Group Membership with Dsget
Active Directory Users and Computers contains no option to list all the members of a group.
Dsget allows you to retrieve all the members of a group, including nested members, or the groups of which a user is a member:
dsget group GroupDN -members [-expand]
dsget user UserDN -memberof [-expand]
-
32/153
Groups: Changing Group Membership with Dsmod
dsmod group GroupDN [options]
-addmbr MemberDN adds members to the group
-rmmbr MemberDN removes members from the group
Ex: dsmod group "cn=research,ou=Groups,dc=contoso,dc=com" -addmbr "cn=mike danseglio,ou=people,dc=contoso,dc=com"
Dsget combined with dsmod. Ex: dsget group "cn=sales,ou=groups,dc=contoso,dc=com" -members | dsmod group "cn=marketing,ou=Groups,dc=contoso,dc=com" -addmbr
-
33/153
Groups: Moving and Renaming Groups with Dsmove
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
To change the name of the Marketing group to Public Relations: dsmove "cn=marketing,ou=groups,dc=contoso,dc=com" -newname "Public Relations"
To move that group to the Marketing OU: dsmove "cn=Public Relations,ou=groups,dc=contoso,dc=com" -newparent "ou=Marketing,dc=contoso,dc=com"
-
34/153
Groups: Deleting Groups with Dsrm
Basic syntax: dsrm ObjectDN [-subtree [-exclude]] [-noprompt] [-c]
The object is specified by its DN. You are asked to confirm each object deletion unless -noprompt is specified. -c puts the command in continuous operation mode, in which errors are reported but the command continues; without it, the command stops at the first error.
Ex: dsrm "CN=Public Relations,ou=Marketing,dc=contoso,dc=com"
-
35/153
Groups: Managing Group Membership with Windows PowerShell and VBScript
Determine the ADsPath of the member, connect to the group, then use the Add or Remove method specifying the ADsPath.
PowerShell: $MemberADsPath = "LDAP://cn=Mike Danseglio,OU=people,dc=contoso,dc=com"; $objGroup = [ADSI]"LDAP://CN=Research,OU=Groups,DC=contoso,DC=com"; $objGroup.Add($MemberADsPath)
VBScript: MemberADsPath = "LDAP://cn=Mike Danseglio,OU=people,dc=contoso,dc=com" : Set objGroup = GetObject("LDAP://CN=Research,OU=Groups,DC=contoso,DC=com") : objGroup.Add MemberADsPath
To remove members, use the Remove method instead of Add.
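The Add/Remove calls above, plus a PowerShell equivalent of the "dsget group ... -members -expand" nested listing from slide 31, as an added example that is not part of the course; group and member DNs are assumed.

```powershell
# Added example (not from the slides): group membership via [ADSI], plus an expanded
# (nested) member listing equivalent to "dsget group GroupDN -members -expand".
# Group and member DNs are assumed.
$researchGroupDN = "CN=Research,OU=Groups,DC=contoso,DC=com"
$memberDN        = "CN=Mike Danseglio,OU=People,DC=contoso,DC=com"

function Add-AdsiGroupMember {
    param([string]$GroupDN, [string]$MemberDN)
    $group = [ADSI]("LDAP://" + $GroupDN)
    # IADsGroup::Add takes the member's ADsPath (provider prefix + DN), not a bare DN.
    $group.psbase.Invoke("Add", "LDAP://" + $MemberDN)
}

function Remove-AdsiGroupMember {
    param([string]$GroupDN, [string]$MemberDN)
    $group = [ADSI]("LDAP://" + $GroupDN)
    $group.psbase.Invoke("Remove", "LDAP://" + $MemberDN)
}

function Get-NestedGroupMembers {
    # Returns the DNs of all non-group members, following nested groups.
    # $Visited records DNs already seen, so a nesting cycle (A in B, B in A) terminates
    # and a principal reachable through two paths is emitted once.
    param([string]$GroupDN, [hashtable]$Visited = @{})
    $group = [ADSI]("LDAP://" + $GroupDN)
    # Note: for groups with more than 1500 members the "member" attribute is returned in
    # ranges; this simple read covers the common case only.
    foreach ($dn in @($group.psbase.Properties["member"])) {
        if (-not $dn) { continue }                       # empty group
        if ($Visited.ContainsKey($dn)) { continue }      # hashtable keys compare case-insensitively
        $Visited[$dn] = $true
        $member = [ADSI]("LDAP://" + $dn)
        if ($member.psbase.SchemaClassName -eq "group") {
            Get-NestedGroupMembers -GroupDN $dn -Visited $Visited
        } else {
            $dn
        }
    }
}

Add-AdsiGroupMember -GroupDN $researchGroupDN -MemberDN $memberDN
Get-NestedGroupMembers -GroupDN $researchGroupDN
Remove-AdsiGroupMember -GroupDN $researchGroupDN -MemberDN $memberDN
```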
-
36/153
Groups: Administering Groups in an Enterprise
Best practices for group attributes:
Establish and adhere to a strict naming convention
Summarize a group's purpose in its Description attribute
Detail a group's purpose in its Notes
-
37/153
Groups: Protecting Groups from Accidental Deletion
Groups are used to manage resources; deleting a group results in the loss of access by its members, or in giving access to those who had been assigned a deny.
Recreating the group will not restore access to the resources, because the new group has a different SID.
Instead, you should perform a recovery to reanimate the group before the tombstone interval (60 days) is reached and the object is removed from Active Directory.
To protect a group, follow these steps: in the Active Directory Users and Computers snap-in, click the View menu and make sure Advanced Features is selected; open the Properties dialog box of the group; on the Object tab, select the Protect Object From Accidental Deletion check box; click OK.
This is one of the few places in Windows where you actually have to click OK: clicking Apply does not modify the ACL based on your selection.
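What the check box writes to the ACL, reproduced and audited from PowerShell, as an added example that is not part of the course. It reproduces the object-level ACE only (Deny Everyone: Delete and Delete Subtree); the deny that ADUC also places on the parent container is not reproduced. The OU DN is assumed.

```powershell
# Added example (not from the slides): read and set the "Protect object from accidental
# deletion" state. ADUC implements the check box by adding an ACE that denies Everyone
# (SID S-1-1-0) the Delete and Delete Subtree rights on the object; this code checks for
# and adds that object-level ACE. The OU DN is assumed.
$groupsOU     = "OU=Groups,DC=contoso,DC=com"
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]"Delete, DeleteTree"

function Test-AdsiDeletionProtection {
    param([string]$ObjectDN)
    $entry  = [ADSI]("LDAP://" + $ObjectDN)
    $denied = [System.DirectoryServices.ActiveDirectoryRights]0
    # Explicit ACEs only ($true, $false): protection must be set on the object itself.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq "Deny" -and $rule.IdentityReference.Value -eq "S-1-1-0") {
            $denied = $denied -bor $rule.ActiveDirectoryRights
        }
    }
    # Protected only when both bits are denied, whether in one ACE or across several.
    return (($denied -band $deleteRights) -eq $deleteRights)
}

function Enable-AdsiDeletionProtection {
    param([string]$ObjectDN)
    $entry    = [ADSI]("LDAP://" + $ObjectDN)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($everyone, $deleteRights, [System.Security.AccessControl.AccessControlType]::Deny)
    $entry.psbase.ObjectSecurity.AddAccessRule($ace)
    $entry.psbase.CommitChanges()     # the "click OK" step: nothing is written before this
}

function Get-UnprotectedGroups {
    param([string]$SearchBaseDN)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $SearchBaseDN)
    $searcher.Filter     = "(objectCategory=group)"
    $searcher.PageSize   = 500
    foreach ($result in $searcher.FindAll()) {
        $dn = $result.Properties["distinguishedname"][0]
        if (-not (Test-AdsiDeletionProtection -ObjectDN $dn)) { $dn }
    }
}

# Audit the OU and protect every group that is still unprotected.
Get-UnprotectedGroups -SearchBaseDN $groupsOU | ForEach-Object {
    "Protecting " + $_
    Enable-AdsiDeletionProtection -ObjectDN $_
}
```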
-
38/153
Groups: Delegating the Management of Group Membership
Delegating membership management with the Managed By tab
-
39/153
Groups: Understanding Groups
A group that contains the same users as an OU
Default groups: Enterprise Admins, Schema Admins, Administrators, Domain Admins, Server Operators, Account Operators, Backup Operators, Print Operators
Be careful when adding members to these groups, because they are very powerful.
-
40/153
Special Identities
These groups are controlled by the OS and are not visible in Active Directory Users and Computers; they can be seen when permissions are assigned: Anonymous Logon, Authenticated Users, Everyone, Interactive, Network
-
41/153
Computers: Creating Computers and Joining the Domain
The default configuration of any version of Windows is workgroup.
Before you can log on to a computer with a domain account, that computer must belong to the domain. To join the domain, the computer must have an account which, like a user account, includes a logon name (sAMAccountName), a password, and a security identifier (SID).
Those credentials enable the computer to authenticate against the domain and to create a secure relationship that enables users to log on to the system with a domain account.
-
42/153
Computers: Creating Computers and Joining the Domain
Understanding workgroups, domains, and trust
In a workgroup, each system maintains an identity store of user and group accounts against which users can be authenticated and access can be granted.
The local identity store on each computer is called the Security Accounts Manager (SAM) database.
If a user connects to another system, to access a file for example, the user is re-authenticated against the identity store of the remote system.
From a security perspective, a workgroup member is, for all intents and purposes, a stand-alone system.
-
43/153
Computers: Creating Computers and Joining the Domain
Understanding workgroups, domains, and trust
When a computer joins a domain, it delegates the task of authenticating users to the domain.
The computer continues to maintain its SAM database to support local user and group accounts. When a user logs on to the computer with a domain account, the user is authenticated by a domain controller rather than by the computer's SAM.
Said another way, the computer trusts another authority to validate a user's identity.
Trust is generally discussed in the context of two domains, but there is also a trust between each domain member computer and its domain, established when the computer joins the domain.
-
44/153
Computers: Creating Computers and Joining the Domain
Identifying requirements for joining a computer to the domain
Three things are required to join a computer to an Active Directory domain:
A computer object must be created in the directory service
You must have the appropriate permissions on the computer object. The permissions allow you to join a computer with the same name as the object to the domain.
You must be a member of the local Administrators group on the computer to change its domain or workgroup membership.
-
45/153
Computers: Creating Computers and Joining the Domain
Computers container
When you create a domain, the Computers container (CN=Computers) is created by default. This container is not an OU; it is an object of class container.
There is a subtle but important difference between a container and an OU: you cannot create an OU within a container, so you cannot subdivide the Computers container, and you cannot link a GPO to a container.
Therefore, it is highly recommended to create custom OUs to host computer objects instead of using the Computers container.
-
46/153
Computers: Creating Computers and Joining the Domain
Creating OUs for computers
Most organizations create at least two OUs for computer objects: one to host computer accounts for clients and another for servers, in addition to the Domain Controllers OU created by default during the installation of Active Directory.
Your administrative model might require further dividing your client and server OUs for specific types of management. For instance, your server OU might contain other OUs for database, file, and print servers. By doing so, the team of administrators for each type of server can be delegated permission to manage the computer objects in the appropriate OU.
-
47/153
Computers: Creating Computers and Joining the Domain
Creating OUs for computers
Additionally, separate OUs enable you to create different baseline configurations, using different GPOs linked to the client and server OUs.
-
48/153
Computers: Creating Computers and Joining the Domain
Delegating permission to create computers
By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have permission to create computer objects in a new OU. However, it is recommended that you tightly restrict the membership of the first three, and that you do not add any member to the Account Operators group. Instead, delegate permission to create computer objects to appropriate members of the support personnel.
The permission required to create a computer object is Create Computer Objects. When this permission is assigned to a group on an OU, it allows members of the group to create computer objects in that OU.
-
49/153
Computers: Creating Computers and Joining the Domain
Prestaging a computer account
After obtaining the permission to create computer objects, you can do so by right-clicking the OU and choosing Computer from the New menu.
-
50/153
Computers: Creating Computers and Joining the Domain
Prestaging a computer account
Enter the name, following the naming convention of your enterprise. Select the user or the group that will be allowed to join the computer to the domain by clicking the Change button.
This process is called prestaging the account. It gives you the advantage of creating the object in the correct OU.
-
51/153
Computers: Creating Computers and Joining the Domain
Importance of prestaging computer objects
The best practice is to prestage a computer account prior to joining the computer to the domain. Unfortunately, Windows enables you to join a computer without following this best practice: you can log on to a workgroup computer as local administrator and change the computer's membership to the domain. There are three problems with this behavior:
First, the computer object created is placed in the default Computers container; you must move it to the correct OU.
Any user can join a computer to the domain; no domain-level administrative privilege is required.
This exposes a potential security vulnerability: because a computer object is a security principal, the creator is the owner of the object and can change its attributes.
-
52/153
Computers: Creating Computers and Joining the Domain
Importance of prestaging computer objects
When you join a computer to the domain without prestaging it, Windows creates the object in the default Computers container; the problems related to this have already been discussed.
Two steps are recommended to reduce the likelihood of this problem. First, always try to prestage computer accounts.
Second, to reduce the impact of joining a computer to the domain without prestaging it, change the default computer container so that it is no longer the Computers container itself but an OU that is subject to appropriate delegation and configuration. Here is the command: redircmp "DN of the OU for new computer objects"
-
53/153
Computers: Creating Computers and Joining the Domain
Importance of prestaging computer objects: restricting the ability of users to create computers
When a computer object is prestaged, the permissions on the account determine who is allowed to join the computer to the domain. When it is not prestaged, Windows allows any authenticated user to join the computer to the domain in the default Computers container.
By default, Windows allows any authenticated user to create up to ten computer objects in the default Computers container.
This ten-computer quota is configured by the ms-DS-MachineAccountQuota attribute of the domain. It allows any authenticated user to join a computer to the domain, no questions asked.
-
54/153
Computers: Creating Computers and Joining the Domain
Importance of prestaging computer objects
It is highly recommended that you close this loophole so that non-administrative users cannot join computers to the domain. To change the ms-DS-MachineAccountQuota attribute, follow these steps:
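The same change made from PowerShell instead of the GUI, together with an audit of what the quota has already let into the default container (slides 51 to 54); this is an added example, not part of the course, and the domain DN is assumed.

```powershell
# Added example (not from the slides): inspect and close the ms-DS-MachineAccountQuota
# loophole, and list computer objects that landed in the default CN=Computers container
# with who created each one. mS-DS-CreatorSID is stamped on computer objects created
# through the quota rather than through an explicit Create Computer Objects permission,
# so it identifies the non-administrative joiners. The domain DN is assumed.
$domainDN = "DC=contoso,DC=com"

function Get-MachineAccountQuota {
    param([string]$DomainDN)
    $domain = [ADSI]("LDAP://" + $DomainDN)     # the attribute lives on the domain NC head
    return [int]$domain.Get("ms-DS-MachineAccountQuota")
}

function Set-MachineAccountQuota {
    param([string]$DomainDN, [int]$Quota)
    $domain = [ADSI]("LDAP://" + $DomainDN)
    $domain.Put("ms-DS-MachineAccountQuota", $Quota)
    $domain.SetInfo()                            # commit; without it nothing changes
}

function Get-DefaultContainerComputers {
    param([string]$DomainDN)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # CN=Computers is the default; if redircmp has been run, point this at the new OU.
    $searcher.SearchRoot  = [ADSI]("LDAP://CN=Computers," + $DomainDN)
    $searcher.SearchScope = "OneLevel"
    $searcher.Filter      = "(objectCategory=computer)"
    $searcher.PageSize    = 500
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties                  # keys are lower-case in search results
        $creator = "(no creator SID: created with explicit permission)"
        if ($p.Contains("ms-ds-creatorsid")) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($p["ms-ds-creatorsid"][0], 0)
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }      # creator no longer resolvable: keep the raw SID
        }
        New-Object PSObject -Property @{
            Name      = $p["name"][0]
            Created   = $p["whencreated"][0]
            CreatedBy = $creator
        }
    }
}

"Current ms-DS-MachineAccountQuota: " + (Get-MachineAccountQuota -DomainDN $domainDN)
Get-DefaultContainerComputers -DomainDN $domainDN | Format-Table Name, Created, CreatedBy -AutoSize
# Close the loophole: with the quota at 0, only principals holding Create Computer Objects
# on an OU, or the principal named on a prestaged account, can join machines.
Set-MachineAccountQuota -DomainDN $domainDN -Quota 0
```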
-
55/153
Computers: Creating Computers and Joining the Domain
Importance of prestaging computer objects
-
56/153
Computers: Automating the Creation of Computer Objects
As with user objects, you can import computers with LDIFDE or CSVDE.
You can also create computer objects with Dsadd, Netdom, PowerShell or VBScript.
-
57/153
Computers: Supporting Computer Objects and Accounts
A computer account begins its life cycle when it is created and when the computer joins the domain.
Day-to-day administrative tasks include: configuring computer properties; moving computers between OUs; managing the computer itself; renaming, resetting, disabling, enabling and eventually deleting the computer object.
-
58/153
Computers: Supporting Computer Objects and Accounts
Understanding the computer secure channel
Every computer in an Active Directory domain maintains a computer account with a user name (sAMAccountName) and a password, just like a user account does. The computer stores its password in the form of a local security authority (LSA) secret and changes its password every 30 days or so.
The Netlogon service uses these credentials to log on to the domain, which establishes the secure channel with a domain controller.
-
59/153
Computers: Supporting Computer Objects and Accounts
Recognizing computer account problems
Computer accounts and the secure relationships between the computers and their domain are robust. However, certain scenarios might arise in which a computer is no longer able to authenticate with the domain. Examples of such scenarios include:
After reinstalling the operating system on a workstation, it will have a new SID and will not know the password to authenticate with the domain.
A computer is completely restored from an outdated backup that is older than 30 days. Since the computer's password changes every 30 days, the old password from the backup no longer exists.
A computer's LSA secret gets out of sync with the password known by the domain. It is as if the computer forgot its password.
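A detection that follows from the 30-day password rotation on slides 58 and 59: a computer whose pwdLastSet is far older than that has been offline, was restored from a stale backup, or has lost its secure channel. Added example, not part of the course; the domain DN and the 90-day threshold are assumed.

```powershell
# Added example (not from the slides): list computer accounts whose machine password has
# not rotated within the expected window. Every domain member changes its password about
# every 30 days, so a much older pwdLastSet marks a stale or broken account.
# The domain DN and the threshold are assumed.
function Get-StaleComputerAccounts {
    param([string]$DomainDN, [int]$OlderThanDays = 90)
    # pwdLastSet is a FILETIME stored as a 64-bit integer, so it can be compared in the
    # LDAP filter directly once the cutoff is converted to the same representation.
    $cutoff   = [DateTime]::UtcNow.AddDays(-$OlderThanDays).ToFileTimeUtc()
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $DomainDN)
    # pwdLastSet=0 (never set) also matches: a prestaged account that never joined.
    $searcher.Filter   = "(&(objectCategory=computer)(pwdLastSet<=" + $cutoff + "))"
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.AddRange(@("name", "pwdLastSet", "userAccountControl"))
    foreach ($result in $searcher.FindAll()) {
        $p       = $result.Properties
        $lastSet = [Int64]$p["pwdlastset"][0]
        New-Object PSObject -Property @{
            Name       = $p["name"][0]
            PwdLastSet = $(if ($lastSet -eq 0) { "never" } else { [DateTime]::FromFileTimeUtc($lastSet) })
            Disabled   = (([int]$p["useraccountcontrol"][0] -band 0x2) -ne 0)   # ACCOUNTDISABLE flag
        }
    }
}

# Accounts that are already disabled are expected to be stale; the enabled ones are the
# candidates for the secure-channel problems described above.
Get-StaleComputerAccounts -DomainDN "DC=contoso,DC=com" -OlderThanDays 90 |
    Sort-Object Disabled, PwdLastSet | Format-Table Name, PwdLastSet, Disabled -AutoSize
```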
-
60/153
Computers: Supporting Computer Objects and Accounts
The most common signs of computer account problems are:
Messages at logon indicating that a domain could not be contacted
The computer account might be missing
The password on the computer account is incorrect
The trust between the computer and the domain has been lost
An example is shown in the following figure:
-
61/153
Computers: Supporting Computer Objects and Accounts
Recognizing computer account problems
-
62/153
Group Policy Infrastructure: Implementing Group Policy
Group Policy is a feature of Windows that enables you to manage change and configuration for users and computers from a central point of administration.
Policy settings: the most granular component of Group Policy is an individual policy setting.
Group Policy Objects (GPOs): a GPO is an object that contains one or more policy settings and thereby applies one or more configuration settings to a user or computer.
-
63/153
Group Policy Infrastructure: Implementing Group Policy
Editing a GPO: a GPO is divided in two parts, User settings and Computer settings
Configuring a policy setting
Scope: the collection of users and computers that will apply the settings in the GPO
Resultant Set of Policy (RSoP)
Group Policy refresh
-
64/153
Group Policy Infrastructure: Implementing Group Policy
Group Policy refresh: every 90 to 120 minutes after startup
Group Policy client and client-side extensions (CSEs)
Slow links and disconnected systems: the connection speed is detected, and a link is considered slow if it is below 500 kbps. When working disconnected, previously applied GPOs remain in effect, except that startup, shutdown, logon and logoff scripts will not run while the user is disconnected.
Group Policy Objects: local GPOs
-
65/153
Group Policy Infrastructure: Domain-Based GPOs
Default Domain Policy; Default Domain Controllers Policy
Creating, linking, and editing GPOs; GPO storage; GPO replication
Policy settings: Computer Configuration and User Configuration
Software Settings node; Windows Settings; Administrative Templates node; Preferences node (new to Windows Server 2008, adds more than 20 CSEs)
-
66/153
Group Policy Infrastructure: Administrative Templates Node
Central store: new to Windows Server 2008. It resides in SYSVOL and holds all the ADMX and ADML files that are required; once it is set up, the GPME loads all the administrative templates from it instead of from the local computer.
Filtering administrative template policy settings
Commenting
Starter GPOs: contain administrative template settings; a GPO can be created from a starter GPO, in which case it contains the settings of the starter GPO.
Managed and unmanaged policy settings
-
67/153
Managing Group Policy Scope: GPO Links
Linking a GPO to multiple OUs
Deleting or disabling a GPO link
GPO inheritance and precedence
Precedence of multiple linked Group Policy Objects
Blocking policy inheritance
Enforcing a GPO link
-
68/153
Managing Group Policy Scope: Using Security Filtering to Modify GPO Scope
Filtering a GPO to apply to specific groups
Filtering a GPO to exclude specific groups
Enabling or disabling GPOs and GPO nodes:
Enabled: Computer and User Configuration settings are processed by the CSEs during the policy refresh
All Settings Disabled: the CSEs do not process the GPO during the policy refresh
Computer or User Configuration disabled: the disabled part of the GPO is not processed during the policy refresh
-
69/153
Managing Group Policy Scope: Targeting Preferences
Preferences, new to Windows Server 2008, have a built-in scoping mechanism called item-level targeting. A single GPO can have multiple preference items, and each preference item can be targeted or filtered.
Ex: you could have a single GPO with a preference item that specifies folder options for engineers, and another item that specifies folder options for sales people.
Items can be targeted by using a security group or an OU. There are over a dozen other criteria that can be used for various purposes.
Be aware that using item-level targeting may impact performance on your systems.
-
70/153
Managing Group Policy Scope: Loopback Policy Processing
Modes: Replace, Merge
-
71/153
Supporting Group Policy: Resultant Set of Policy
The following tools are provided by Windows Server 2008 for performing RSoP analysis: the Group Policy Results Wizard, the Group Policy Modeling Wizard, Gpresult.exe
Generating RSoP reports with the Group Policy Results Wizard
The Group Policy Results tool helps you understand which policy settings have applied to a user or computer, and why.
-
72/153
Supporting Group Policy
There are several requirements for running the Group Policy Results Wizard:
You must have administrative credentials on the target computer
The target computer must be running Windows XP or later; Group Policy Results cannot reach Windows 2000 systems
You must be able to access WMI on the target computer, meaning it must be running, connected to the network and accessible through ports 135 and 445
The WMI service must be started on the target computer
To analyze the RSoP for a user, that user must have logged on to the computer at least once
-
73/153
Supporting Group Policy
If the requirements are met, run Group Policy Results by right-clicking Group Policy Results in the GPMC and choosing Group Policy Results Wizard. You will be prompted to select a computer.
A report will be produced including: a summary, settings, policy events
Generating RSoP reports with Gpresult.exe
Gpresult.exe is the command-line version of Group Policy Results.
-
74/153
Supporting Group Policy: Troubleshooting Group Policy with Group Policy Results and Gpresult.exe
You will likely encounter scenarios that require GPO troubleshooting; you might need to diagnose and solve problems including:
GPOs are not applied at all
The resultant set of policy for a computer is not what was expected
-
75/153
Supporting Group Policy: Performing What-If Analyses with the Group Policy Modeling Wizard
Group Policy Modeling helps you foresee, through a simulation, what will happen in a given situation, such as moving a computer or user between sites, domains, or OUs, or changing its security group membership.
The GPOs scoped to that user or computer will change and, therefore, the RSoP will be different.
Examining policy event logs
-
76/153
Group Policy Settings: Delegating the Support of Computers
Tasks can be delegated to support users in order to perform troubleshooting on client computers.
These tasks most of the time require administrative privileges; however, support users do not need the high level of privilege given to the Domain Admins group, and it is not recommended to place them in that group.
Therefore, the credentials used by support personnel must be at the level of local administrator.
Instead, configure client systems so that a group representing support personnel is added to the local Administrators group.
This can be done with Restricted Groups.
Group Policy Settings
Delegating the Support of Computers
Understanding Restricted Groups Policies
Restricted Groups policy settings enable you to manage the memberships of groups. There are two types:
This Group Is A Member Of: specifies that the group is a member of another group.
Members Of This Group: means that the group contains the listed members.
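The two Restricted Groups forms above behave very differently, which matters for the support-delegation use case: "This Group Is A Member Of" is additive, while "Members Of This Group" replaces the target group's membership at every refresh. The following added example (not from the course slides) writes the security-template syntax for both forms, applies the additive one locally with secedit.exe so it can be tested on one machine before it goes into a GPO, and reads the local Administrators membership back. CONTOSO\Desktop Support is a hypothetical domain group; everything else uses well-known identifiers.

```powershell
# Added example (not from the course slides): a security template fragment for
# Restricted Groups, applied locally with secedit.exe so its effect can be verified
# on a test machine before it is put in a GPO. Assumption: CONTOSO\Desktop Support
# is a hypothetical domain group for support personnel.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
; "This Group Is A Member Of": additive. The support group is ADDED to the local
; Administrators group (well-known SID S-1-5-32-544); existing members stay.
; The Group Policy editor writes principals as *SID; names are also accepted.
CONTOSO\Desktop Support__Memberof = *S-1-5-32-544
CONTOSO\Desktop Support__Members =
"@

# The alternative form, "Members Of This Group", is authoritative: everyone not
# listed is REMOVED from Administrators at every policy refresh. Shown for
# contrast only; it is not applied below.
$authoritative = @"
[Group Membership]
*S-1-5-32-544__Members = Administrator,CONTOSO\Domain Admins,CONTOSO\Desktop Support
*S-1-5-32-544__Memberof =
"@

$inf = "$env:TEMP\restricted-groups.inf"
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the Restricted Groups area of the template (GROUP_MGMT).
secedit.exe /configure /db "$env:TEMP\restricted-groups.sdb" /cfg $inf /areas GROUP_MGMT /quiet

# Verify the resulting membership of the local Administrators group; the ADSI
# WinNT provider works on Windows Server 2008 without any extra module.
function Get-LocalGroupMember2008 {
    param([string]$Group = 'Administrators')
    $grp = [ADSI]"WinNT://./$Group,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
Get-LocalGroupMember2008 -Group 'Administrators'
```

The additive form is the one to use for support staff: it grants the delegation the slide describes without silently evicting the built-in Administrator account or any locally added members, and it keeps Domain Admins out of the picture entirely.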
Supporting Group Policy
Managing Software with Group Policy: Software Installation
Some tools are available to deploy software installations within an organization, including Microsoft System Center Configuration Manager and Microsoft Systems Management Server.
GPOs can be used to effectively deploy most software without these tools, using Group Policy Software Installation.
Supporting Group Policy
Managing Software with Group Policy: Software Installation
Understanding Group Policy Software Installation
Group Policy Software Installation (GPSI) is used to create a managed environment that has the following characteristics:
Users have access to the applications they need to do their job, no matter which computer they log on to.
Computers have the required applications, without intervention from a technical support representative.
Applications can be updated, maintained, or removed to meet the needs of the organization.
Windows Installer Packages
GPSI uses the Windows Installer service to install, maintain, or remove software. The Windows Installer service manages software using the information contained in the application's Windows Installer package.
Supporting Group Policy
Windows Installer Packages
The package (.msi) contains explicit instructions regarding the installation and removal of an application.
It can be customized by using one of the following types of files:
Transform (.mst) files: these files provide a means for customizing the installation.
Patch (.msp) files: these files are used to update an existing .msi for security updates, bug fixes, and service packs.
GPSI can make limited use of non-MSI files (.zap), also known as down-level application packages, which specify the location of the software distribution point and the setup command.
Supporting Group Policy
Managing Software with Group Policy: Software Installation
Software Deployment Options
Software can be deployed either by assignment to users or computers, or by publishing the application for users.
Assigning an application: when you assign an application to a user, the application's local registry settings, including filename extensions, are updated and its shortcuts are created on the Start menu or desktop to advertise the availability of the application.
Publishing an application: when you publish an application to users, the application does not appear as if it is installed on the user's computer, and no shortcuts are visible on the desktop or Start menu.
Supporting Group Policy
Preparing an SDP
An SDP (software distribution point) is a shared folder from which users and computers can install applications.
Create a shared folder.
Create a separate folder for each application.
Then copy the software, modifications, and all necessary files to the application folders.
Set the appropriate permissions that allow users or computers access; Read and Execute permission is the minimum required.
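The four SDP steps above, carried out end to end as an added PowerShell example that is not part of the course slides. It creates the root and one folder per application, replaces the inherited NTFS ACL with an explicit one (Read and Execute for computers and users, Modify only for the packaging team), and publishes the folder as a hidden share. D:\SDP, the application names and CONTOSO\Software Packagers are placeholders; the script assumes it runs as a local administrator of the file server.

```powershell
# Added example (not from the course slides): build a software distribution point
# on a file server. Assumptions: D:\SDP, the application names and the
# CONTOSO\Software Packagers group are placeholders; run as a member of the
# server's local Administrators group.
$Root  = 'D:\SDP'
$Apps  = 'Acme Reader 9.2', 'Contoso LOB Client 1.0'   # hypothetical packages
$Share = 'SDP$'                                         # hidden share name

New-Item -Path $Root -ItemType Directory -Force | Out-Null
foreach ($app in $Apps) {
    # One folder per application: the .msi, its .mst transforms and .msp patches go here.
    New-Item -Path (Join-Path $Root $app) -ItemType Directory -Force | Out-Null
}

# NTFS permissions: packages assigned to computers are installed in the computer
# context, so Domain Computers needs access as well as users. Read & Execute is
# the minimum GPSI needs; only the packaging team may write.
$acl = Get-Acl $Root
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
$rules = @(
    @('BUILTIN\Administrators',              'FullControl'),
    @('NT AUTHORITY\SYSTEM',                 'FullControl'),
    @('CONTOSO\Software Packagers',          'Modify'),          # hypothetical group
    @('CONTOSO\Domain Computers',            'ReadAndExecute'),
    @('NT AUTHORITY\Authenticated Users',    'ReadAndExecute')
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Root -AclObject $acl

# Share permissions: Everyone/Read is enough because the NTFS ACL does the real gating.
net share "$Share=$Root" "/GRANT:Everyone,READ" /REMARK:"Software distribution point"

# Show what a client will get: the explicit NTFS rights on the root folder.
(Get-Acl $Root).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Keeping write access limited to the packaging group is the security point of the SDP step: every domain computer will run whatever .msi sits in these folders with SYSTEM privileges, so the folder ACL is effectively part of the deployment's trust boundary.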
Supporting Group Policy
Creating a Software Deployment GPO
The Advanced option enables you to specify whether the application is published or assigned and also gives you the opportunity to configure advanced properties of the software package.
Deployment type: configure Published or Assigned.
Deployment options: based on the selected type, different choices appear in the deployment section.
Uninstall This Application When It Falls Out Of The Scope Of Management: if this option is selected, the application will be automatically removed when the GPO no longer applies to the user or computer.
Upgrades: you can specify
Categories: enables you to associate the package with one or more categories.
Modifications: if you have a transform (.mst) that customizes the package, click the Add button to associate the transform with the package.
Supporting Group Policy
Managing the Scope of a Software Deployment GPO
Maintaining Applications Deployed with Group Policy
You need to redeploy an application if you want to update it.
You can upgrade it with GPSI, for a new version of the application, in the Software Installation node of the GPO.
Supporting Group Policy
Two options are offered to remove an application:
Right-click the package, choose All Tasks, then select Remove to choose one of the following options:
Immediately Uninstall The Software From Users And Computers (forced removal).
Allow Users To Continue To Use The Software, But Prevent New Installations (optional removal).
GPSI and Slow Links
Supporting Group Policy
Auditing
Audit policy at the Default Domain Controllers Policy level
Define the policy: Success or Failure events can be enabled.
Auditing Access to Files and Folders
Specifying Auditing Settings on a File or Folder
A file or folder can be audited by adding auditing entries to its ACL.
This can be achieved through the Security tab of the Properties dialog box of the file or folder.
Supporting Group Policy
Evaluating Events in the Security Log
Events can be viewed in the security log of the server: open the Event Viewer console from Administrative Tools and expand Windows Logs\Security.
Auditing Directory Service Changes
The Audit Directory Service Access policy enables you to log attempts to access objects in Active Directory.
Difference between Audit Directory Service Access and Audit Directory Service Changes:
Directory Service Access enables you to monitor changes in directory objects.
Directory Service Changes lets you see the previous and the current value of a changed attribute.
Directory Service Changes needs to be enabled:
auditpol /set /subcategory:"Directory Service Changes" /success:enable
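The three pieces described on the last two slides, as one added PowerShell example that is not from the course: the auditpol subcategories (both directory-service ones plus File System, so the folder auditing below produces events), an auditing entry added to a folder's SACL (what the Security tab's Auditing page does), and a query that reads the resulting events back from Windows Logs\Security. It assumes an elevated session on a Windows Server 2008 R2 domain controller (Get-WinEvent needs PowerShell 2.0); D:\Finance and CONTOSO\Finance Users are placeholders.

```powershell
# Added example (not from the course slides): enable the directory-service audit
# subcategories from the slide, add an audit entry (SACL) to a folder, and read
# the resulting events back from the Security log. Assumptions: elevated
# PowerShell 2.0 on a Windows Server 2008 R2 DC; D:\Finance and
# CONTOSO\Finance Users are placeholders.

# 1. Per-subcategory audit policy. Failures on DS Access and File System are
#    worth logging too: they show who tried and was refused.
auditpol.exe /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable
auditpol.exe /set /subcategory:"File System"               /success:enable /failure:enable
auditpol.exe /get /category:"DS Access"
auditpol.exe /get /category:"Object Access"

# 2. SACL on a folder: audit successful and failed write/delete/permission
#    changes by the group, inherited by subfolders and files.
$Folder = 'D:\Finance'
$acl = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'CONTOSO\Finance Users',
    'Write,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership',
    'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read back the events. IDs: 4663 = access to a file-system object,
#    4662 = operation on an AD object (Directory Service Access),
#    5136 = AD object modified (Directory Service Changes; the event carries the
#    attribute's old and new value, which 4662 never does).
function Get-RecentAuditEvents {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4663, 4662, 5136
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}
Get-RecentAuditEvents -Hours 24 | Format-Table -AutoSize
```

The practical difference between the two directory-service subcategories shows up in step 3: a 4662 tells you an object was touched and by whom, a 5136 additionally tells you what the attribute was before and after, which is what you need when reconstructing an unwanted change such as a group membership or a userAccountControl flag.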
Authentication
Configuring Password and Lockout Policies
Understanding Password Policies
Understanding Account Lockout Policies
Configuring Domain Password and Lockout Policy
Fine-Grained Password and Lockout Policy
Domain password and lockout policy can be overridden with a new feature of Windows Server 2008 called fine-grained password policy.
The domain functional level must be Windows Server 2008.
Authentication
Understanding Password Settings Objects
The settings are identical to those in the Password Policy and Account Lockout Policy nodes of a GPO.
Fine-grained password policies are not part of a GPO, nor are they applied as part of a GPO.
They are a separate class of object in Active Directory: the password settings object (PSO).
Authentication
PSO Precedence and Resultant PSO
If multiple PSOs apply to groups to which the user belongs, the PSO with the highest precedence prevails.
If one or more PSOs are linked directly to a user, PSOs linked to groups are ignored; the user-linked PSO with the highest precedence prevails.
If two or more PSOs have the same precedence, Active Directory chooses the one with the lowest GUID.
PSOs and OUs
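The PSO concepts of the last three slides (separate object class, precedence, resultant PSO), as an added PowerShell example that is not part of the course slides. It creates two PSOs with different precedence values, links them to groups, and resolves which one a given user actually gets. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT; on a 2008 RTM DC the same msDS-PasswordSettings object is created with ADSI Edit or ldifde) and a domain at the Windows Server 2008 functional level; CONTOSO, the group names and svc-backup are placeholders.

```powershell
# Added example (not from the course slides): create fine-grained password
# policies, apply them to groups, and check the resultant PSO for a user.
# Assumptions: ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT),
# domain functional level Windows Server 2008; "Service Accounts", "Tier0 Admins"
# and svc-backup are hypothetical names.
Import-Module ActiveDirectory

# A LOWER Precedence number is a HIGHER precedence: it wins when several PSOs apply.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 200 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 60) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 60) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs can be applied only to users and global security groups, never to OUs;
# put the users in a group and link the PSO to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service Accounts'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0Admins'     -Subjects 'Tier0 Admins'

# Resultant PSO: a user in both groups gets PSO-Tier0Admins (10 beats 200);
# a PSO linked directly to the user would override both group links. When no
# PSO applies, the Default Domain Policy settings are in force.
function Get-EffectivePasswordPolicy {
    param([string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) {
        $pso | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
    } else {
        Get-ADDefaultDomainPasswordPolicy |
            Select-Object @{ n = 'Name'; e = { 'Default Domain Policy' } },
                          MinPasswordLength, MaxPasswordAge, LockoutThreshold
    }
}
Get-EffectivePasswordPolicy -User 'svc-backup'
```

Get-ADUserResultantPasswordPolicy applies exactly the rules of the precedence slide (user links before group links, then lowest precedence number, then lowest GUID), so it is the quickest way to confirm that a privileged account is really getting the stricter policy rather than an accidental group-based one.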
Authentication
Auditing Authentication
Account Logon and Logon Events
An account logon event occurs when a user logs on to any computer using a domain account and the domain controller authenticates the attempt to log on to the domain account.
A logon event occurs when a user connects to a folder on a server in the domain; that server authorizes the user for a type of logon called a network logon. Again, the server does not authenticate the user; it relies on a ticket given to the user by the domain controller.
Authentication
Scoping Audit Policies
Domain users logging on to a client computer or connecting to a server generate a logon event on that system.
Only domain controllers generate account logon events.
Viewing Logon Events
Account logon and logon events, if audited, appear in the security log of the system that generated the event.
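The scoping rule above (logon events on the system that was logged on to, account logon events only on domain controllers) determines where an investigator has to look. The following added PowerShell example, not part of the course slides, enables the relevant subcategories and then collects one user's trail from both places: 4624/4625 from the member server that was connected to, and 4768/4771/4776 from every DC in the domain. It assumes the ActiveDirectory module and PowerShell 2.0 (Windows Server 2008 R2), that the caller may read the remote Security logs, and uses CONTOSO\jdoe and FS01 as placeholders.

```powershell
# Added example (not from the course slides): where logon and account logon
# events land, and how to collect both for one user. Assumptions: ActiveDirectory
# module to enumerate DCs, PowerShell 2.0 for Get-WinEvent, the caller can read
# remote Security logs (e.g. member of Event Log Readers); jdoe and FS01 are
# placeholders.
Import-Module ActiveDirectory

# "Logon" (4624 success / 4625 failure) is written by the machine logged on to or
# connected to. "Kerberos Authentication Service" (4768 TGT issued / 4771 pre-auth
# failed) and "Credential Validation" (4776, NTLM) are written only by DCs, because
# only DCs authenticate domain accounts. Run these on each system concerned.
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Credential Validation" /success:enable /failure:enable

function Get-AuthTrail {
    param([string]$User, [string]$MemberServer, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Logon events: on the member server the user connected to (network logon = type 3).
    $logon = Get-WinEvent -ComputerName $MemberServer -FilterHashtable @{
                 LogName = 'Security'; Id = 4624, 4625; StartTime = $since
             } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Account Name:\s+$User\b" } |
        Select-Object @{ n = 'Host'; e = { $MemberServer } }, TimeCreated, Id,
                      @{ n = 'LogonType'; e = { if ($_.Message -match 'Logon Type:\s+(\d+)') { $Matches[1] } } }

    # Account logon events: any DC may have handled the request, so query all of them.
    $acct = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4768, 4771, 4776; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "\b$User\b" } |
        Select-Object @{ n = 'Host'; e = { $dc } }, TimeCreated, Id,
                      @{ n = 'LogonType'; e = { 'n/a' } }
    }
    @($logon) + @($acct) | Sort-Object TimeCreated
}
Get-AuthTrail -User 'jdoe' -MemberServer 'FS01' | Format-Table -AutoSize
```

Reading the two streams together is what makes the slide's distinction useful: a 4768 on a DC followed by a 4624 type 3 on FS01 is the normal Kerberos path, whereas 4624 events on FS01 with no matching DC event point at a local account or a cached logon and deserve a closer look.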
Authentication
Configuring Read-Only Domain Controllers
Authentication and domain controller placement in a branch office
Read-Only Domain Controllers
Deploying an RODC
Ensure that the forest functional level is Windows Server 2008.
If the forest has any DC running Microsoft Windows Server 2003, run adprep /rodcprep.
Ensure at least one writable DC is running Windows Server 2008.
Install the RODC.
Authentication
Placing a writable Windows Server 2008 Domain Controller
Installing an RODC
Password Replication Policy
Configure the Domain-Wide Password Replication Policy
The Allowed RODC Password Replication Group is added to the allowed list of each new RODC.
If needed, add users to the group. By default a new RODC will not cache any user credentials.
The Denied RODC Password Replication Group is added to the denied list of each new RODC.
Configure an RODC-Specific Password Replication Policy
Authentication
Administer RODC Credential Caching
Accounts Whose Passwords Are Stored On This Read-Only Domain Controller
Accounts That Have Been Authenticated To This Read-Only Domain Controller
Authentication
Administrative Role Separation
RODCs support local administration through a feature called Administrative Role Separation.
Each RODC maintains a local database of groups for specific administrative purposes.
It can be configured the following way: from a command prompt, type dsmgmt and press Enter; type local roles and press Enter; type add username administrators and press Enter, where username is the pre-Windows 2000 logon name of a domain user.
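The RODC tasks of the last four slides (password replication policy, the two credential-caching lists, and Administrative Role Separation), as an added PowerShell example that is not from the course. It adds an RODC-specific Allowed entry, reports which accounts the RODC has cached versus merely authenticated, and scripts the dsmgmt steps given above. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and uses RODC-BRANCH01, Branch01 Users, Tier0 Admins and CONTOSO\bsmith as placeholders.

```powershell
# Added example (not from the course slides): manage the Password Replication
# Policy of an RODC, review its credential caching, and delegate its local
# administration. Assumptions: ActiveDirectory module (Windows Server 2008 R2 /
# RSAT); RODC-BRANCH01, "Branch01 Users", "Tier0 Admins" and CONTOSO\bsmith are
# placeholders.
Import-Module ActiveDirectory
$Rodc = 'RODC-BRANCH01'

# RODC-specific policy: allow the branch's own users to be cached on THIS RODC.
# Denied entries always win over Allowed ones, so the domain-wide Denied group
# (Domain Admins, Enterprise Admins, ...) still keeps privileged secrets off the box.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch01 Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList  'Tier0 Admins'

# The two lists from the "Administer RODC Credential Caching" slide:
#   Cached        = accounts whose passwords are stored on this RODC
#   Authenticated = accounts this RODC has forwarded to a writable DC
function Get-RodcCachingReport {
    param([string]$Identity)
    New-Object PSObject -Property @{
        Policy        = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Identity
        Cached        = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Identity -RevealedAccounts |
                              Select-Object -ExpandProperty SamAccountName)
        Authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Identity -AuthenticatedAccounts |
                              Select-Object -ExpandProperty SamAccountName)
    }
}
$report = Get-RodcCachingReport -Identity $Rodc

# Accounts that authenticated at the branch but are not cached: candidates for
# the Allowed list (after review). Cached accounts are what is exposed if the
# RODC is stolen; those passwords would then be reset from a writable DC.
Compare-Object $report.Authenticated $report.Cached |
    Where-Object { $_.SideIndicator -eq '<=' } |
    Select-Object -ExpandProperty InputObject

# Administrative Role Separation: the dsmgmt steps from the slide, scripted.
# bsmith becomes a local administrator of the RODC without gaining any domain rights.
dsmgmt.exe 'local roles' 'add CONTOSO\bsmith administrators' 'quit' 'quit'
```

Reviewing the Authenticated-but-not-Cached list regularly is how the Allowed list grows in a controlled way: each addition is a deliberate decision that a particular user's secret may live on a physically less protected server.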
Integrating Domain Name System With AD DS
Understanding DNS
The first thing to understand when working with DNS is how it works to resolve a name. DNS relies on a hierarchy of servers, because a DNS server cannot hold all possible name records within itself. Because of this, the DNS service relies on name referrals to perform name resolution.
Integrating Domain Name System With AD DS
Here is how name resolution works:
1. You try to look up a web page on the Microsoft TechNet web site. To do so you type http://technet.microsoft.com in the address bar and press Enter.
2. Your computer sends a request for the name to its local DNS server, or to at least one of the servers listed in its IP configuration settings.
3. If the server does not have the name in its own database or cache, it sends a referral request to the .com name server (referral server).
4. The .com server is the authority for all names that end in the .com suffix.
5. The DNS server for microsoft.com sends the corresponding IP address for the requested page to the client computer.
6. The name resolver on the client uses the IP address to request the actual page through its Internet provider.
7. If the page is not already in the local cache of the Internet provider, it requests the actual page and sends it to the client.
This procedure occurs within seconds, depending on the Internet connection speed.
Integrating Domain Name System With AD DS
Understanding DNS
The Windows Server 2008 DNS service supports three types of DNS zones:
Primary: zones that can be integrated with AD DS or that can be of the former, standard (file-based) type. They are authoritative for the namespace.
Secondary: zones that are of the former, standard type and are only a replica of the data maintained by a primary or authoritative server for a namespace. A secondary zone needs the address of the primary server.
Stub: zones that are nothing but pointers to the other servers that are authoritative for the namespace they maintain. Once again, a stub zone needs a list of the server(s) that are authoritative for the namespace.
Integrating Domain Name System With AD DS
Understanding DNS
Types of DNS records in Windows Server 2008:
Alias (CNAME): used to create an alternate record or alias for a name that is already specified as another record type in a specific zone; it is also known as a canonical name.
Host record (A or AAAA): the most common record type in DNS. They represent computer objects in the namespace and are used to resolve a name to a specific IP address for a device.
Mail exchanger (MX): routes e-mail messages to a specific namespace.
Pointer (PTR): points to a specific location within the namespace. PTR records are usually used to provide reverse lookup capabilities within the namespace.
Service location (SRV): indicates the location of a specific TCP/IP service.
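One record of each type listed above, created with dnscmd.exe and verified with nslookup, as an added PowerShell example that is not from the course slides. It assumes a Windows Server 2008 DNS server named DC01 hosting the hypothetical AD-integrated zone contoso.com; the host names and addresses (10.0.0.5, 2001:db8::5) are placeholders. The PTR record needs a reverse lookup zone, so the example creates one first, which is also the manual step the later "Creating Reverse Lookup Zones" slide refers to.

```powershell
# Added example (not from the course slides): create one record of each type from
# the slide with dnscmd.exe, then query them back with nslookup. Assumptions: run
# on a Windows Server 2008 DNS server or a host with the DNS RSAT tools; DC01,
# contoso.com and all addresses are placeholders.
$Server = 'DC01'
$Zone   = 'contoso.com'

# Host (A / AAAA): name -> IPv4 / IPv6 address.
dnscmd $Server /RecordAdd $Zone web01      A     10.0.0.5
dnscmd $Server /RecordAdd $Zone web01      AAAA  2001:db8::5
# Alias (CNAME): the canonical name must already exist as another record type.
dnscmd $Server /RecordAdd $Zone intranet   CNAME web01.contoso.com.
# Mail exchanger (MX): preference, then mail host; '@' is the zone apex.
dnscmd $Server /RecordAdd $Zone '@'        MX    10 mail.contoso.com.
# Service location (SRV): priority, weight, port, target (the shape AD uses for LDAP).
dnscmd $Server /RecordAdd $Zone _ldap._tcp SRV   0 100 389 dc01.contoso.com.
# Pointer (PTR): lives in the reverse lookup zone (AD-integrated here); the
# network octets are reversed in the zone name, the host octet is the node name.
dnscmd $Server /ZoneAdd 0.0.10.in-addr.arpa /DsPrimary
dnscmd $Server /RecordAdd 0.0.10.in-addr.arpa 5 PTR web01.contoso.com.

# Verify each record type with nslookup; -type selects the record type and
# nslookup prints "can't find" when the name/type does not exist.
function Test-DnsRecord {
    param([string]$Name, [string]$Type, [string]$Server)
    $out = nslookup -type=$Type $Name $Server 2>&1 | Out-String
    return ($out -notmatch "can't find")
}
$checks = @(
    @('web01.contoso.com',      'A'),
    @('web01.contoso.com',      'AAAA'),
    @('intranet.contoso.com',   'CNAME'),
    @('contoso.com',            'MX'),
    @('_ldap._tcp.contoso.com', 'SRV'),
    @('10.0.0.5',               'PTR')     # nslookup builds the in-addr.arpa name itself
)
foreach ($q in $checks) {
    '{0,-28} {1,-6} {2}' -f $q[0], $q[1], (Test-DnsRecord -Name $q[0] -Type $q[1] -Server $Server)
}
```

The trailing dots on the CNAME, MX, SRV and PTR targets matter: without them dnscmd appends the zone name, producing targets such as web01.contoso.com.contoso.com, which is one of the most common causes of an alias that resolves in the console but not from clients.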
Integrating Domain Name System With AD DS
Windows Server DNS creates two application directory partitions to host data for each forest. These partitions are respectively:
ForestDnsZones: for the entire forest.
DomainDnsZones: for each child domain within the forest.
To provide security against spoofing, DNS now supports the addition of a global query block list for clients that use the Web Proxy Automatic Discovery Protocol (WPAD) and rely on DNS to resolve host names.
Integrating Domain Name System With AD DS
Integration with AD DS
Because of its special Windows features, always deploy the Windows DNS server when you deploy AD DS.
When you use the Windows DNS server with AD DS, all DNS content is configured by default. A third-party DNS server can be used to provide name resolution, but it is significantly more work to set up.
If AD DS is deployed for a forest root domain, a placeholder will be created for the forward lookup zones (FLZ), the reverse lookup zones, and the conditional forwarders (CF).
Two zones will then be generated for the FLZ: the first is a container for the entire forest, created during the installation of AD DS, and the second, within the FLZ, is for the root domain itself, as shown in the following figure.
(Figure: Integrating Domain Name System With AD DS)
Integrating Domain Name System With AD DS
When the AD DS process creates a domain tree in an existing forest, a manual delegation is required before the domain tree is created, because the name of the domain tree is different from the root domain name.
It must be different, because that is the definition of a tree within a forest.
When the AD DS process creates a child domain in an existing forest, it automatically creates a delegation within the top-level root domain and properly stores the DNS data for the child domain in the child domain partition.
Dcpromo.exe allows you to remove the DC role and the DNS data created for a domain if this DC is the last DC in the domain.
Integrating Domain Name System With AD DS
Configuring and Using Domain Name System
Configuring DNS
The DNS configuration involves several activities, including:
Considering the security of your DNS servers to reduce their attack surface.
Configuring scavenging settings for the servers as a whole.
Finalizing the configuration of your FLZs.
Creating RLZs.
Adding custom records to FLZs for specific services and resources.
Configuring and Using Domain Name System
Security considerations for the DNS Server role
DNS servers that are exposed to the Internet are notorious targets for malicious users.
The most common attack is a denial of service (DoS).
Another common form of attack occurs when an attacker tries to obtain all the data contained within a DNS server, intending to use it to identify the objects a network contains. This is called footprinting the network.
Two more attacks: attempts to modify data within the server, or to redirect users' queries from a valid DNS server to one under the attacker's control.
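The four attack classes on this slide each map to a server or zone setting. The following added PowerShell example, not from the course slides, applies the corresponding dnscmd.exe configuration (zone transfers restricted to a known secondary against footprinting, secure-only dynamic updates against data modification, the global query block list from the earlier slide and secure cache responses against redirection, recursion left as a commented choice for Internet-facing authoritative servers) and then reads the zone settings back. DC01, contoso.com and the secondary's address 10.0.0.6 are placeholders; the labels matched in /ZoneInfo output are taken from the tool's own printout and are an assumption stated in the code.

```powershell
# Added example (not from the course slides): dnscmd.exe settings that address
# the attacks listed on the slide, plus a read-back check. Assumptions: Windows
# Server 2008 DNS server DC01, AD-integrated zone contoso.com, a known secondary
# at 10.0.0.6 (all placeholders).
$Server = 'DC01'
$Zone   = 'contoso.com'

# Footprinting: a zone transfer (AXFR) hands out the whole zone in one query.
# Restrict transfers to the listed secondaries; use /NoXfr when every DNS server
# is a DC holding the AD-integrated zone and no secondary exists.
dnscmd $Server /ZoneResetSecondaries $Zone /SecureList 10.0.0.6

# Data modification through dynamic update: 2 = secure (Kerberos-authenticated)
# updates only, so a client can change only the records it registered itself.
dnscmd $Server /Config $Zone /AllowUpdate 2

# Redirection via WPAD/ISATAP registration: names on the global query block list
# are not answered even if someone manages to register them dynamically.
dnscmd $Server /Config /EnableGlobalQueryBlockList 1
dnscmd $Server /Config /GlobalQueryBlockList wpad isatap

# Redirection via cache poisoning: do not accept answers for names outside the
# authority of the server that responded.
dnscmd $Server /Config /SecureResponses 1

# Denial of service / open-resolver abuse: an Internet-facing authoritative server
# should not recurse for arbitrary clients; internal resolvers keep recursion and
# use forwarders instead. Uncomment only on the external authoritative server.
# dnscmd $Server /Config /NoRecursion 1

# Read the zone settings back and flag anything still open. Assumption: /ZoneInfo
# prints "update = <n>" and "secure secs = <n>" (2 = list only, 3 = no transfers).
function Test-ZoneHardening {
    param([string]$Server, [string]$Zone)
    $info = dnscmd $Server /ZoneInfo $Zone | Out-String
    New-Object PSObject -Property @{
        Zone             = $Zone
        SecureUpdateOnly = ($info -match 'update\s*=\s*2')
        TransfersLimited = ($info -match 'secure secs\s*=\s*(2|3)')
    }
}
Test-ZoneHardening -Server $Server -Zone $Zone | Format-List
```

Of these, the zone-transf
er restriction is the one most often found missing in practice: an AD-integrated zone that still allows transfers to any server exposes every host, DC and service record of the domain to anyone who can reach TCP 53.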
Integrating Domain Name System With AD DS
Working with DNS Server Settings
Finalize the FLZ configuration by configuring the following settings on each production DNS zone as a best practice:
Domain-based DNS zones should replicate to all DNS servers in the domain. Each DC that hosts the DNS role will then host the zone.
Forest DNS zones should replicate to all DNS servers in the forest.
If you maintain Windows 2000 Server DCs in your network, you must use the To All Domain Controllers In This Domain (For Windows 2000 Compatibility) option, because Windows 2000 Server does not support application directory partitions.
Integrating Domain Name System With AD DS
You can also set replication to custom application directory partitions, but you must create the partition first.
Creating Reverse Lookup Zones
Networks of fewer than 500 hosts do not require an RLZ. These zones are used to provide resolution from an IP address to a name instead of a name to an IP address. They are mostly used by applications.
However, clients that have the ability to update their own records dynamically will also create a PTR record, a reverse record that maps the IP address to the name.
Integrating Domain Name System With AD DS
Configuring and Using Domain Name System
Custom records
They are created manually and provide a variety of services in your network, for example an MX record pointing to your e-mail server, or an alias record such as intranet.contoso.
Forwarders vs. Root Hints
Name resolution is performed by using one of two methods: root hints or forwarders.
By default, the Windows DNS Server relies on root hints to perform lookups. This fits small networks.
Forwarders are preferred for highly secured networks.
Integrating Domain Name System With AD DS
Configuring and Using Domain Name System
Single-Label Name Management
To use single-label names, you need to manually create a GlobalNames zone (GNZ); a single GNZ is required for each forest.
If you are using AD DS-integrated DNS servers and each of your DCs is also running the DNS service, this operation must be performed on each DC; it is a five-step operation.
You can create the GNZ, but enabling its support on a DNS server requires a modification of the Windows registry with dnscmd.exe:
dnscmd /config /enableglobalnamessupport 1
Integrating Domain Name System With AD DS
Configuring and Using Domain Name System
Working with Application Directory Partitions
In certain circumstances, you will want to create an application directory partition to support data replication; an application directory partition controls the replication scope of the data it contains. DNS creates two application directory partitions by default, and these two partitions might not be appropriate in complex forests.
Integrating Domain Name System With AD DS
Consider this scenario: your forest includes three domains: the forest root, a global child (production) domain, and a development domain. You created the development domain because your developers have special access rights requirements and you do not want to grant these access rights in the production domain. All production domain users except system administrators have standard user rights. In the development domain, however, you can grant developers higher access rights, because this domain does not affect production operations.
Integrating Domain Name System With AD DS
In addition, you created only one single domain account for each developer. This account is located in the global child domain and has standard user rights, but through the transitive trusts inherent in each forest, developers can use their account from the production domain to access objects in the development domain, where their production domain account has higher access rights.
Integrating Domain Name System With AD DS
By default, name resolution between the two child domains passes through the forest root domain. Developers access this domain on a constant basis every day, so to provide them with faster name resolution, you create a custom application directory partition to share the DNS records between the development domain and the production domain; production DNS servers will then not need to pass through the forest root domain to resolve development domain names (see the scenario in the next figure).
(Figure: Integrating Domain Name System With AD DS)
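Two of the preceding procedures carried out with dnscmd.exe, as one added PowerShell example that is not from the course slides: the GlobalNames zone steps from the "Single-Label Name Management" slide, and the custom application directory partition of the production/development scenario just described. It assumes a forest root contoso.com with child domains prod.contoso.com and dev.contoso.com, DNS servers PRODDC01 and DEVDC01 that are domain controllers in those domains, and an Enterprise Admins session; all names are placeholders, and the partition name ProdDevDnsZones.contoso.com is hypothetical.

```powershell
# Added example (not from the course slides): the GlobalNames zone (GNZ) steps
# from the single-label-name slide, and the custom application directory
# partition of the prod/dev scenario, both with dnscmd.exe. Assumptions: forest
# root contoso.com, child domains prod.contoso.com and dev.contoso.com, DNS
# servers PRODDC01 and DEVDC01 (DCs in those domains), Enterprise Admins rights.
# All names are placeholders.

# --- GlobalNames zone: one per forest, replicated forest-wide. The registry
#     switch is per server and is not replicated, so set it on EVERY DNS server.
$dnsServers = 'PRODDC01', 'DEVDC01'
foreach ($s in $dnsServers) { dnscmd $s /Config /EnableGlobalNamesSupport 1 }
dnscmd PRODDC01 /ZoneAdd GlobalNames /DsPrimary /DP /forest
# Single-label names are CNAME records in the GNZ pointing at a FQDN host record.
dnscmd PRODDC01 /RecordAdd GlobalNames intranet CNAME web01.prod.contoso.com.
# No dynamic updates into the GNZ: only administrators add names there, which is
# what keeps a rogue client from registering a single-label name users trust.
dnscmd PRODDC01 /Config GlobalNames /AllowUpdate 0

# --- Custom application directory partition shared by prod and dev only, so
#     dev.contoso.com names resolve without a hop through the forest root.
$partition = 'ProdDevDnsZones.contoso.com'       # hypothetical partition name
dnscmd PRODDC01 /CreateDirectoryPartition $partition
# Enlist the DNS servers of both domains as replicas of the new partition.
foreach ($s in $dnsServers) { dnscmd $s /EnlistDirectoryPartition $partition }
# Move the dev zone's replication scope from DomainDnsZones into the custom
# partition; after replication PRODDC01 answers for dev.contoso.com itself.
dnscmd DEVDC01 /ZoneChangeDirectoryPartition dev.contoso.com $partition

# /EnumDirectoryPartitions lists every partition a server can see and whether it
# is enlisted; run it on both servers to confirm the scope is what you intended.
function Get-DnsPartitionReport {
    param([string]$Server)
    "== $Server =="
    dnscmd $Server /EnumDirectoryPartitions | Out-String
}
$dnsServers | ForEach-Object { Get-DnsPartitionReport -Server $_ }
```

Changing a zone's partition is a replication-scope decision, not just a performance one: after the move, every DNS server enlisted in ProdDevDnsZones holds a writable copy of the dev zone, so the partition's replica list should be kept to exactly the servers that need it.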
Domain Controllers
Installing a domain controller with the Windows interface
Domain Controllers
Unattended Installation Options and Answer Files
Installing Additional Domain Controllers in a Domain
Installing the first Windows Server 2008 Domain Controller in an Existing Forest or Domain:
Log on to the schema master as administrator.
Copy the contents of the \sources\adprep directory of the Windows Server 2008 media to a directory on the schema master.
Open a command prompt and change directory to adprep.
Type adprep /forestprep.
And/or adprep /rodcprep, depending on whether you are installing an RODC in a domain that has a 2003 DC.
Domain Controllers
Installing an Additional Domain Controller
Install From Media
Source Domain Controller: by specifying Use This Specific Domain Controller
Installing a Windows Server 2008 Child Domain
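The schema-master preparation steps and the unattended installation option mentioned above, as an added PowerShell example that is not from the course slides. The first half scripts the adprep steps exactly as listed; the second half writes a dcpromo.exe answer file for an additional (replica) domain controller, runs the unattended promotion and deletes the file afterwards because it contains the Directory Services Restore Mode password. D:\ as the media drive, contoso.com, C:\adprep and Default-First-Site-Name are placeholders; the [DCINSTALL] keys used are the documented ones for Windows Server 2008 dcpromo, and the RODC variant is only sketched in a comment.

```powershell
# Added example (not from the course slides): the schema-master preparation steps
# from the slide, then an unattended dcpromo answer file for an additional
# (replica) DC. Assumptions: D:\ is the Windows Server 2008 media, contoso.com /
# C:\adprep / Default-First-Site-Name are placeholders; adprep runs on the schema
# master (Schema Admins + Enterprise Admins), dcpromo on the new server.

# --- on the schema master
$src = 'D:\sources\adprep'
$dst = 'C:\adprep'
Copy-Item -Path $src -Destination $dst -Recurse -Force
Set-Location $dst
.\adprep.exe /forestprep        # extends the schema; run once per forest
.\adprep.exe /rodcprep          # only if RODCs will be installed while 2003 DCs exist
# On the infrastructure master of each domain that will get a 2008 DC:
# .\adprep.exe /domainprep /gpprep

# --- on the future DC: unattended replica promotion
$dsrm  = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))
$answer = @"
[DCINSTALL]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=contoso.com
UserName=administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$plain
RebootOnCompletion=Yes
"@
# For an RODC the same file uses ReplicaOrNewDomain=ReadOnlyReplica and adds
# PasswordReplicationAllowed= / PasswordReplicationDenied= / DelegatedAdmin= lines.

$file = "$env:TEMP\dcpromo-replica.txt"
Set-Content -Path $file -Value $answer
# Password=* makes dcpromo prompt for the domain credential instead of reading it
# from disk, so the only secret in the file is the DSRM password.
dcpromo.exe /unattend:$file
# The answer file contains the DSRM password: never leave it on the server.
Remove-Item $file -Force
```

Treat the answer file like a credential: writing the domain password into it (instead of Password=*) is convenient for mass deployment but leaves a Domain Admin password on every server that was ever promoted with it.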
Domain Controllers
Installing a New Domain Tree
Domain Controllers
Installing AD DS from Media
Removing a Domain Controller
To remove forcefully, use: dcpromo /forceremoval
Domain Controllers
Configuring Operations Masters
Understanding Single Master Operations
A number of operations are not permitted to occur at different places at the same time and must be the responsibility of only one domain controller in a domain or forest. These operations, and the domain controllers that perform them, are referred to by a variety of terms:
Operations masters
Operations master roles
Single master roles
Operations tokens
Flexible single master operations
Domain Controllers
Forest-Wide Operations Master Roles
Domain Naming Master role
Schema Master role
Domain-Wide Operations Master Roles
RID Master role
Infrastructure Master role
PDC Emulator role
Domain Controllers
Forest-Wide Operations Master Roles
Domain Naming Master role: it is used when adding or removing domains in the forest; it must be accessible when performing such operations.
Schema Master role: it is responsible for making any changes to the forest's schema; all other DCs hold a copy of the schema. If you want to modify the schema, or install an application that modifies the schema, it is recommended that you do so on the domain controller holding the Schema Master role.
Domain Controllers
Domain-Wide Operations Master Roles
RID Master role: it allocates a pool of unique RIDs to each domain controller in the domain; thus each domain controller can be confident that the SIDs it generates are unique.
Infrastructure Master role: in a multi-domain environment, it is common for an object to reference objects in other domains; for instance, a group can include members from another domain, and its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the Infrastructure Master of the group's domain updates the group's member attribute accordingly.
Domain Controllers
Domain-Wide Operations Master Roles
PDC Emulator: the PDC Emulator performs multiple functions for a domain:
Emulates a PDC for backward compatibility.
Participates in special update handling for the domain.
Manages Group Policy updates within the domain.
Provides a master time source for the domain.
Acts as the domain master browser.
Domain Controllers
Placing Operations Masters
When the forest root domain is created with its first domain controller, all five operations master roles are performed by the same domain controller. As domain controllers are added, operations master roles can be transferred to other domain controllers. The best practices for placement of operations master roles are as follows:
Domain Controllers
Placing Operations Masters
Co-locate the Schema Master and the Domain Naming Master.
Co-locate the RID Master and the PDC Emulator.
Place the Infrastructure Master on a DC that is not a GC. It can only be placed on a GC if all roles are placed on a single DC, for instance if you only have one DC for your entire forest.
Have a failover plan: determine in advance a plan for transferring the operations master roles to other DCs in the event that one role holder is offline.
Domain Controllers
Identifying Operations Masters
PDC Emulator, RID Master, Infrastructure Master: Active Directory Users And Computers snap-in. Right-click the domain and choose Operations Masters.
Domain Naming Master: Active Directory Domains And Trusts snap-in. Right-click the root node of the snap-in (Active Directory Domains And Trusts) and choose Operations Master.
Schema Master: the Active Directory Schema snap-in. Right-click the node of the snap-in (Active Directory Schema) and choose Operations Master.
Domain Controllers
Transferring Operations Master Roles
You can transfer a single master role easily. It can be transferred in the following scenarios:
When a forest is first established, all roles reside on the same domain controller. When you add a domain to the forest, all three domain-wide roles are performed by the first domain controller in that domain. As you add DCs, you can transfer the roles.
If you plan to take a domain controller offline that is currently holding an operations master role, transfer that role to another domain controller prior to taking it offline.
If you are decommissioning a domain controller that is currently holding an operations master role, transfer that role to another domain controller prior to decommissioning.
Domain Controllers
Recognizing Operations Master Failures
Several operations master roles can be unavailable for quite some time before their absence becomes a problem. Other master roles play a crucial role in the day-to-day operation of your enterprise. Problems can be identified by viewing the Directory Service event log. However, you will often discover that an operations master has failed when you attempt to perform a function managed by the master and the function fails. For instance, if the RID Master fails, eventually you will be prevented from creating new security principals.
Domain Controllers
Seizing and Returning Master Roles
In case of failure, roles can be seized. Some can be returned to their original holder, others cannot:
PDC Emulator and Infrastructure Master: the original holder can be brought back online.
Schema Master, RID Master, and Domain Naming Master: the original holders cannot be brought back online.
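The operations-master tasks of the last five slides (identify, place, transfer, seize) as one added PowerShell example that is not part of the course. It reports the five role holders, transfers the co-located pairs from the placement slide ahead of planned maintenance, checks the Infrastructure Master/GC rule, and shows the seize form only as a commented line because it is the unplanned-loss path. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT; on a 2008 RTM DC the same transfers and seizures are done with ntdsutil's roles menu); DC01 and DC02 are placeholders.

```powershell
# Added example (not from the course slides): identify, transfer and (only after
# a holder is permanently lost) seize operations master roles. Assumptions:
# ActiveDirectory module (Windows Server 2008 R2 / RSAT; on 2008 RTM use
# ntdsutil "roles"); DC01 (leaving) and DC02 (target) are placeholders.
Import-Module ActiveDirectory

function Get-OperationsMasters {
    # Forest-wide roles live on the forest object, domain-wide roles on the domain object.
    $f = Get-ADForest
    $d = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        RIDMaster            = $d.RIDMaster
        PDCEmulator          = $d.PDCEmulator
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
Get-OperationsMasters | Format-List
netdom.exe query fsmo          # the legacy tool gives the same answer

# Planned maintenance of DC01: TRANSFER (graceful, the old holder is told).
# The co-located pairs from the placement slide move together.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole RIDMaster, PDCEmulator -Confirm:$false

# Placement check: the Infrastructure Master must not sit on a GC unless every
# DC in the domain is a GC (then there is nothing for it to do anyway).
$im     = (Get-ADDomain).InfrastructureMaster
$imIsGc = (Get-ADDomainController -Identity $im).IsGlobalCatalog
$allGc  = -not (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
if ($imIsGc -and -not $allGc) {
    Write-Warning "$im holds Infrastructure Master and is a GC while some DCs are not"
}

# Unplanned loss of DC01: -Force SEIZES the role. After seizing Schema, Domain
# Naming or RID, the old holder must never be reconnected (rebuild it); PDC
# Emulator and Infrastructure Master may be returned to a repaired holder.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
#     -OperationMasterRole RIDMaster -Force -Confirm:$false
```

The reason the slide forbids bringing a seized Schema, Domain Naming or RID holder back is that two servers would then both believe they own a single-master role; for the RID Master in particular that can lead to duplicate RID pools and therefore duplicate SIDs, which is an integrity failure the directory cannot repair afterwards.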
Domain Controllers
Configuring DFS Replication of SYSVOL
The SYSVOL folder is located at %SystemRoot%\SYSVOL by default. It contains logon scripts, Group Policy templates (GPTs) and other critical resources for the health and management of the Active Directory domain; it should be consistent on each domain controller. However, changes to GPOs and logon scripts are made from time to time, so you must ensure that those changes are replicated effectively and efficiently to all domain controllers.
Domain Controllers
Configuring DFS Replication of SYSVOL
In previous versions of Windows, FRS was used to replicate the contents of SYSVOL between all domain controllers. FRS has limitations in both capacity and performance that cause it to break occasionally. Unfortunately, troubleshooting and configuring FRS is quite difficult. In Windows Server 2008 domains, you have the option to use DFS-R to replicate the contents of SYSVOL.
Domain Controllers
Raising the Domain Functional Level
Understanding Migration Stages
Because SYSVOL is critical to the health of your domain, Windows does not provide a mechanism with which to convert replication of SYSVOL from FRS to DFS-R instantly. In fact, migration to DFS-R involves creating a parallel SYSVOL structure; when the parallel structure is successfully in place, clients are redirected to the new structure as the domain's system volume; when the operation has proven successful, you can eliminate FRS.
Domain Controllers
Migration to DFS-R consists of four stages or states:
0 (start): the default state of a domain controller.
1 (prepared): a copy of SYSVOL is created in a folder called SYSVOL_DFSR on all domain controllers and is added to a replication set. DFS-R begins to replicate the contents of SYSVOL_DFSR to all domain controllers. However, FRS continues to replicate the original folders and clients continue to use SYSVOL.
2 (redirected): the SYSVOL share, which originally refers to SYSVOL\sysvol, is changed to refer to SYSVOL_DFSR\sysvol.
3 (eliminated): replication of the old SYSVOL is stopped.
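The four migration states above are set with dfsrmig.exe, and the important operational rule is not to request the next state until every DC reports having reached the current one. The following added PowerShell example, not from the course slides, wraps dfsrmig in a function that sets a global state, nudges AD replication so the state change propagates, and polls /getmigrationstate until all DCs have caught up. It assumes a Domain Admins session on the PDC Emulator, a domain at the Windows Server 2008 functional level and healthy replication; the output strings it matches are those printed by dfsrmig and are labelled as an assumption in the code.

```powershell
# Added example (not from the course slides): drive the FRS-to-DFS-R SYSVOL
# migration through the states on the slide with dfsrmig.exe, waiting for every
# DC to reach each state before moving on. Assumptions: Domain Admins session on
# the PDC Emulator (dfsrmig writes the global state there), domain functional
# level Windows Server 2008, all DCs healthy and replicating.
$stateNames = @{ 0 = 'start'; 1 = 'prepared'; 2 = 'redirected'; 3 = 'eliminated' }

function Get-SysvolMigrationState {
    # /getglobalstate prints the requested global state; /getmigrationstate says
    # whether all DCs have reached it and otherwise lists the lagging DCs.
    # Assumption: the text matched below is dfsrmig's own wording.
    $global = dfsrmig.exe /getglobalstate   | Out-String
    $local  = dfsrmig.exe /getmigrationstate | Out-String
    New-Object PSObject -Property @{
        GlobalState = if ($global -match "'(\w+)'") { $Matches[1] } else { $global.Trim() }
        AllDCsDone  = ($local -match 'All Domain Controllers have migrated successfully')
        Detail      = $local.Trim()
    }
}

function Set-SysvolMigrationState {
    param([ValidateRange(1, 3)][int]$State, [int]$PollSeconds = 60, [int]$MaxMinutes = 120)
    $before = Get-SysvolMigrationState
    Write-Host "Global state before: $($before.GlobalState); requesting $State ($($stateNames[$State]))"
    dfsrmig.exe /setglobalstate $State
    $deadline = (Get-Date).AddMinutes($MaxMinutes)
    do {
        # The new state travels by AD replication; push it to all partners now.
        repadmin.exe /syncall /AdeP | Out-Null
        Start-Sleep -Seconds $PollSeconds
        $now = Get-SysvolMigrationState
    } until ($now.AllDCsDone -or (Get-Date) -gt $deadline)
    if (-not $now.AllDCsDone) {
        throw "Timed out waiting for all DCs to reach state $State`n$($now.Detail)"
    }
    Write-Host "All domain controllers are at state $State ($($stateNames[$State]))"
}

# Run the stages in order and verify SYSVOL content between them. State 3 is
# one-way: after 'eliminated' there is no rollback to FRS, so it is left
# commented here as a deliberate final step.
Set-SysvolMigrationState -State 1
Set-SysvolMigrationState -State 2
# Set-SysvolMigrationState -State 3
```

Between states 1 and 2 it is worth comparing %SystemRoot%\SYSVOL and %SystemRoot%\SYSVOL_DFSR on a couple of DCs: the redirected state points every client's Group Policy processing at the DFS-R copy, so any file missing there becomes a missing policy for the whole domain.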
Managing Disks, Volumes, and Partitions
Understanding Basic and Dynamic Disks
On basic disks that use the GUID partition table (GPT) partition style, you can create up to 128 primary partitions.
Because of this, you do not need an extended partition.
GPT disks are recommended for disks larger than 2 terabytes and for disks on 64-bit systems.
Understanding Basic and Dynamic Disks
Dynamic disks provide advanced features that basic disks do not support, such as the ability to create an unlimited number of volumes. There are five types of volumes:
Simple, spanned, striped, mirrored, and RAID-5.
Managing Disks, Volumes, and Partitions
Creating volumes
Simple volumes: basic volumes that are not fault tolerant. A simple volume can consist of a single disk or of multiple regions on the same disk linked together.
Spanned volumes: a spanned volume is a dynamic volume consisting of disk space on more than one physical disk. If a volume is not a system volume or a boot volume, you can extend it across additional disks to create a spanned volume, or you can create a new spanned volume by using unallocated space on one or more disks.
Managing Disks, Volumes, and Partitions
Striped volumes: a striped volume, also known as RAID-0, is a dynamic volume that stores data in stripes across two or more physical disks. Striped volumes offer the best performance of all the volumes available in Windows. They do not provide fault tolerance.
Mirrored volumes: also known as RAID-1, a mirrored volume is a fault-tolerant volume that provides redundancy by using two copies, or mirrors, of the same volume. All data written is mirrored to both volumes, which are located on separate physical disks. If one of the physical disks fails, the data on the failed disk becomes unavailable, but the system continues to operate using the unaffected disk.
Managing Disks, Volumes, and Partitions
RAID-5 volumes: a RAID-5 volume is a fault-tolerant volume that combines areas of free space from at least three physical hard disks into one logical volume. RAID-5 volumes stripe data along with parity information across a set of disks. When a single disk fails, Windows Server 2008 uses this parity information to re-create the data on the failed disk. RAID-5 volumes can tolerate the loss of only one disk in the set.
Managing Disks, Volumes, and Partitions
Extending a volume: you can add more space to existing simple or spanned volumes by extending them into unallocated space on the same disk or on a different disk. To extend a volume, it must be either formatted with the NTFS file system or unformatted. Extending a volume can be done in Disk Management.
Shrinking a volume: you can decrease the space used by a simple or spanned volume, turning the reclaimed space into contiguous free space at the end of the volume.
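Every operation from the disk slides (GPT conversion, dynamic disks, the five volume types, extend and shrink) in one diskpart script driven from PowerShell, as an added example that is not part of the course. diskpart is the command-line counterpart of Disk Management and accepts a script file with /s. It assumes a lab server whose disks 1 to 3 are empty and will be wiped by the clean command; drive letters and sizes are placeholders.

```powershell
# Added example (not from the course slides): a diskpart script that builds the
# volume types from the slides, then extends and shrinks a simple volume.
# Assumptions: disks 1-3 are EMPTY lab disks (clean destroys their contents);
# drive letters and sizes (MB) are placeholders.
$script = @"
rem --- basic -> GPT (up to 128 primary partitions, needed above 2 TB) -> dynamic
select disk 1
clean
convert gpt
convert dynamic
select disk 2
clean
convert gpt
convert dynamic
select disk 3
clean
convert gpt
convert dynamic
rem --- simple volume: one disk, not fault tolerant
create volume simple size=10240 disk=1
format fs=ntfs quick label="Simple"
assign letter=S
rem --- spanned volume: a simple volume extended onto a second disk, still no fault tolerance
create volume simple size=5120 disk=2
extend size=5120 disk=3
format fs=ntfs quick label="Spanned"
assign letter=P
rem --- striped (RAID-0): best throughput, losing any one disk loses the volume
create volume stripe size=5120 disk=1,2
format fs=ntfs quick label="Striped"
assign letter=T
rem --- mirrored (RAID-1): two copies on separate physical disks
create volume mirror size=5120 disk=1,3
format fs=ntfs quick label="Mirror"
assign letter=M
rem --- RAID-5: striping with parity across three disks, survives one disk failure
create volume raid size=5120 disk=1,2,3
format fs=ntfs quick label="Raid5"
assign letter=R
rem --- extend the simple volume by 2 GB, then shrink it by 1 GB (NTFS only)
select volume S
extend size=2048
shrink desired=1024
list volume
"@

$path = "$env:TEMP\volumes.txt"
Set-Content -Path $path -Value $script -Encoding ASCII
diskpart.exe /s $path

# Cross-check through WMI: DriveType 3 = local fixed disk.
function Get-VolumeSummary {
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3' |
        Select-Object DeviceID, VolumeName, FileSystem,
                      @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
}
Get-VolumeSummary | Format-Table -AutoSize
```

The script mirrors the trade-offs the slides describe: the striped volume gives the best throughput but the least resilience, the mirror halves usable space for full redundancy, and RAID-5 sits between them but must rebuild from parity after a disk loss, during which a second failure is unrecoverable.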