Active Directory Windows 2008 R2 Best Practice | Step by Step
Install & Configuring for IT Professionals
Step By Step
Suttipan Passorn | Microsoft Most Valuable Professional | Management Infrastructure
http://www.mvpskill.com | Change The World By Contributions
10 September 2012 | Version 1.0
1. E-Book Active Directory Windows 2008 R2
2. E-Book
3. E-Book references:
Microsoft Press MCTS Self-Paced Training Kit Exam 70-640.
Sams Windows Server 2008 R2 Unleashed.
Pearson MCTS 70-640 Cert Guide.
Suttipan Passorn, Founder, mvpskill.com | Change the World by Contributions
Tip
Version http://www.mvpskill.com
Page 1 of 2337
Requirement LAB
Lab requirements (table): IP Address; Preferred DNS 1/2: Self
Table of Contents
Requirement LAB ................................................................................................................ 2
Module 1: Introducing Active Directory Domain Services (AD DS) ................................................................................................ 12
Module 1 .............................................................................................................................................................. 13
Pre-Install Active Directory: Active Directory Server Role........................................................ 13
Lab1: Active Directory Domain Service Domain Controller .................................... 14
Checklist Domain Controller ........................................................................................... 20
Active Directory Schema ....................................................................................................................................................... 21
MMC .................................................................................................................................................................. 42
Object Active Directory ................................................................................................................................ 51
Lab3: Find Objects in Active Directory ............................................................................................................................ 52
RSAT .................................................................................................................................................... 89
CSVDE .............................................................................................................................................................. 95
LDIFDE = LDAP Data Interchange Format (LDIF)............................................................................................................... 96
Lab7-4: Create and Administer Managed Service Accounts.......................................................................................... 96
Module 4: Managing Groups ............................................................................................................................................................ 98
Group Membership............................................................................................................................. 98
Group ( 2 ) ................................................................................................................................ 100
Scope Group ( 3 Scope) ......................................................................................................................................... 101
Concept AGUDLP ............................................................................................................................... 101
Lab8: Administer Groups ............................................................................................................................................... 102
Module 1
Active Directory
Active Directory Domain Services (AD DS) = a Role in Windows Server 2008 (in Windows Server 2003: Active Directory); AD DS provides Authentication, Authorization, Auditing
Roles: Active Directory Domain Services (AD DS)
Active Directory Database = recovery
7. Network Firewall: Active Directory Clients / Servers; allow the required ports on the Firewall. Link:
Keyword: Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
8. Configuration: Time Zone of the OS on client / server
Time Zone
Step 5: Next
Domain Controller Checklist
Best Practice: Domain Controller
1. Event Viewer: any errors? (eventvwr)
2. AD Database?
3. SYSVOL / Netlogon shares?
4. DNS records (for the Domain Controller)?
5. Default Administrative Tools: AD Users & Computers / AD Sites & Services?
6. Review the default configuration: Built-in container / Computers container / Domain Controllers container.
Domain Controller
http://technet.microsoft.com/en-us/library/cc772829(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc754663(WS.10).aspx
1. SYSVOL / NETLOGON
Domain Controller default shares: Sysvol and Netlogon (logon scripts, join domain, Group Policy deployment, Group Policy Objects)
net share on a Domain Controller lists the shares of the default AD DS configuration: SYSVOL and NETLOGON, with the share folder path on the server
2. DNS Server
Active Directory and DNS: the DNS Server for Active Directory; ports and services used by Active Directory
( )
Additional Domain Controller
Domain Controller Domain Domain Controller
(Domain Controller: Multi-Master)
dc01.demo.local Domain Controller LAB dc02.demo.local
Additional Domain Controller Domain demo.local
Child Domain
Domain ..
Domain Tree
Domain Domain
Root Domain demo.local
Domain abc.com Domain Tree
demo.local Administrator Account Enterprise Admin Groups Child Domain
Domain Tree
Enterprise Admins Group Groups Domain
Forest
Directory Partitions:
http://technet.microsoft.com/en-us/library/cc961591.aspx
http://www.tech-faq.com/directory-partitions.html
1. Domain Partition
Partition holding the users, computers and groups of the Domain; within the Forest it is replicated only to the Domain Controllers of that Domain
2. Configuration Partition
Forest-wide: Forest, Domains, Sites, Domain Controllers
Forest
4. Application Partition
Partition replicate Domain Controller Application Service
Replicate
Active Directory Active Directory (redundancy, availability, fault tolerance)
sconfig.cmd
4. Sconfig.cmd (13)
Command-line menu; add the DNS Server role: ocsetup DNS-Server-Core-Role
List the installed roles: oclist > oclist.txt, then open oclist.txt
dcpromo makes the server a Domain Controller using an unattended file
Save the file as .txt
[DCINSTALL]
AutoConfigDNS=Yes
DomainNetBiosName=demo
NewDomainDNSName=demo.local
ReplicaOrNewDomain=Domain
NewDomain=Forest
ForestLevel=4
DomainLevel=4
SafeModeAdminPassword=password@1
RebootOnSuccess=Yes
dcpromo /unattend:c:\unattend.txt
ADDS
ADDS Domain Controller
Server Core
Server Core Domain Controller
Domain Controller
Module
Active Directory
Custom Administrative Console
Custom MMC
MMC with Alternate Credentials
MMC = Microsoft Management Console: Microsoft tools and shortcuts
Open MMC from the Run menu
Shortcut: mmc
mmc shortcut
PowerShell
Active Directory
User ADUC
Template Query ADUC
Administrative Center
User Review Properties Administrative Center Properties
6. Group Member
User Active Directory ADUC
User 20000 GUI Object
Active Directory ( Refresh Object)
Object
1. Active Directory users and computers (ADUC)
2. Active Directory Administrative Center
3. dsquery.exe Command Line
4. Saved Query Object
Lab3: Find Objects in Active Directory
Object Active Directory
View Object Object
Finding objects with the ds command-line tools
DS tools vs GUI (the GUI has to load / refresh the objects; with 20000 users in the domain, use the command line)
Command:
dsquery user -limit 20000 (lists users, up to 20000)
List and export to a file:
dsquery user -limit 20000 > user.txt & user.txt
list .txt
User
dsquery user -name "*suttipan"
Piping dsquery into dsget
| (the pipe passes the DN of each object found by dsquery to dsget)
User DN
Example: is user Engineer02 disabled?
dsquery user -name engineer02 | dsget user -disabled
Deleting an object (found by query):
dsrm "CN=itsupport01,OU=IT,DC=demo,DC=local"
Inactive users:
dsquery user -inactive 10 -limit 0
(users inactive for 10 weeks)
Move inactive User / Computer objects to a quarantine OU
Batch script: users inactive for 12 weeks
for /f "Tokens=*" %%s in ('dsquery user -inactive 12 -limit 0') do (
DSMOVE %%s -newparent "OU=Quarantine,DC=demo,DC=local"
)
Batch script: computers inactive for 12 weeks
for /f "Tokens=*" %%s in ('dsquery computer -inactive 12 -limit 0') do (
DSMOVE %%s -newparent "OU=Quarantine,DC=demo,DC=local"
)
Finding objects with Saved Queries
http://technet.microsoft.com/en-us/library/cc771131(WS.10).aspx
An object query can be saved (Saved Queries function) and re-run
5. User accounts locked out by a worm / virus on the network authenticating against the server: a Saved Query "User Account Lock (Worm / Virus)" lists the locked users
Step 1: AD Users and Computers > Saved Queries > New > Query
Example queries (found via Google):
Find groups whose name contains the word admin
(&(objectCategory=group)(sAMAccountName=*admin*))
Find users who have admin in the description field
(&(objectCategory=person)(description=*admin*))
Find all Universal Groups
(groupType:1.2.840.113556.1.4.803:=8)
Empty groups with no members
(&(objectCategory=group)(!(member=*)))
Find all groups defined as a Global Group, a Domain Local Group, or a Universal Group
(groupType:1.2.840.113556.1.4.804:=14)
Find all users with the name Bob
(&(objectCategory=person)(sAMAccountName=*Bob*))
Find user accounts with passwords set to never expire
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
Find all users that never logged on to the domain
(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))
Find user accounts with no logon script
(&(objectCategory=person)(!(scriptPath=*)))
Find user accounts with no profile path
(&(objectCategory=person)(!(profilePath=*)))
Find non-disabled accounts that must change their password at next logon
(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Find all disabled accounts in Active Directory (bit 2 of userAccountControl set; note the query is not negated, unlike the previous one)
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
Find all locked-out accounts
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=16))
Find Domain Local Groups
(groupType:1.2.840.113556.1.4.803:=4)
Find all users with an e-mail address set
(&(objectCategory=person)(mail=*))
Find all users with no e-mail address
(&(objectCategory=person)(!(mail=*)))
Find all Windows XP SP2 computers
(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))
Find all Windows XP SP3 computers
(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))
Find all Vista SP1 computers
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))
Find all workstations (sAMAccountType 805306369 = machine account)
(sAMAccountType=805306369)
Find all 2003 servers that are not DCs (primaryGroupID 516 = Domain Controllers)
(&(sAMAccountType=805306369)(!(primaryGroupID=516))(objectCategory=computer)(operatingSystem=Windows Server 2003*))
Find all 2003 servers that are DCs
(&(sAMAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))
Find all Server 2008 (not DCs)
(&(sAMAccountType=805306369)(!(primaryGroupID=516))(objectCategory=computer)(operatingSystem=Windows Server 2008*))
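The saved-query filters above, run by a small LDAP filter interpreter. This is an added example, not code from the e-book: it implements the two Active Directory bitwise matching rules (OID 1.2.840.113556.1.4.803 = bit AND, 1.2.840.113556.1.4.804 = bit OR) so you can see why the userAccountControl and groupType queries match what they match. The directory entries and the query names are constructed for the example.

```python
# Added example, not from the e-book: interpreter for the saved-query LDAP filters above.
import fnmatch
import re

# Active Directory extensible matching rules used by the saved queries
BIT_AND = "1.2.840.113556.1.4.803"  # match when every bit of the mask is set
BIT_OR = "1.2.840.113556.1.4.804"   # match when any bit of the mask is set

SAVED_QUERIES = {  # the filters from the list above, as complete filters
    "admin_groups": "(&(objectCategory=group)(sAMAccountName=*admin*))",
    "universal_groups": "(groupType:1.2.840.113556.1.4.803:=8)",
    "empty_groups": "(&(objectCategory=group)(!(member=*)))",
    "any_group_scope": "(groupType:1.2.840.113556.1.4.804:=14)",
    "never_expire": "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))",
    "never_logged_on": "(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))",
    "disabled": "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))",
    # AD does not keep bit 16 current in the stored userAccountControl; a real
    # lockout report queries lockoutTime. Kept here to show the bit test itself.
    "locked_out": "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=16))",
}

# Constructed sample entries, not a real directory. Keys are lowercased because
# LDAP attribute names are case-insensitive. groupType holds the signed 32-bit
# values AD stores: 0x80000002 = global security, 0x80000008 = universal security.
USER = {"objectcategory": "person", "objectclass": ["top", "user"]}
DIRECTORY = [
    dict(USER, samaccountname="alice", useraccountcontrol=512, lastlogon=132500000000000000),
    dict(USER, samaccountname="bob", useraccountcontrol=512 | 2, lastlogon=132500000000000001),
    dict(USER, samaccountname="svc-backup", useraccountcontrol=512 | 65536),  # no lastLogon
    dict(USER, samaccountname="carol", useraccountcontrol=512 | 16, lastlogon=0),
    {"samaccountname": "Domain Admins", "objectcategory": "group", "grouptype": -2147483646,
     "member": ["CN=alice,CN=Users,DC=demo,DC=local"]},
    {"samaccountname": "AllStaff", "objectcategory": "group", "grouptype": -2147483640},
]


def parse(text):
    """Parse an RFC 4515 filter (subset: & | ! = * and attr:OID:=value) into a tree."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("unbalanced filter: trailing text at offset %d" % end)
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    op, pos = text[pos + 1], pos + 2
    if op in "&|":
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":
        node, pos = _parse(text, pos)
        node = ("!", node)
    else:  # simple item; the value runs up to the closing parenthesis
        end = text.index(")", pos - 1)
        item = text[pos - 1:end]
        ext = re.fullmatch(r"([\w-]+):([\d.]+):=(\d+)", item)
        if ext:  # extensible match, e.g. userAccountControl:<OID>:=2
            node = ("ext", ext.group(1).lower(), ext.group(2), int(ext.group(3)))
        else:
            attr, _, value = item.partition("=")
            node = ("eq", attr.lower(), value)
        pos = end
    if text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def _values(entry, attr):
    value = entry.get(attr, [])
    return value if isinstance(value, list) else [value]


def evaluate(node, entry):
    """Return True when the directory entry matches the parsed filter."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    if kind == "ext":  # only the two bitwise rules are supported here
        _, attr, rule, mask = node
        hits = [int(v) & mask for v in _values(entry, attr)]
        return any(h == mask if rule == BIT_AND else h != 0 for h in hits)
    _, attr, pattern = node
    values = _values(entry, attr)
    if pattern == "*":  # presence test, e.g. (member=*)
        return bool(values)
    return any(fnmatch.fnmatchcase(str(v).lower(), pattern.lower()) for v in values)


def run_query(name, directory=DIRECTORY):
    """Run one saved query and return the matching sAMAccountNames, sorted."""
    tree = parse(SAVED_QUERIES[name])
    return sorted(e["samaccountname"] for e in directory if evaluate(tree, e))
```

Call run_query("disabled") and run_query("never_expire") to see that the bit-AND rule picks out only the entries whose mask bit is set; bob (512 | 2) is the one disabled account.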
Dsadd command-line: add a User
dsadd user "cn=suttipan,ou=Management,dc=demo,dc=local" -upn suttipan@demo.local -fn suttipan -ln passorn -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
DSADD parameters
- upn = UPN logon account, username@domain.local
- fn = First Name
- ln = Last Name
- pwd = password
- mustchpwd = must change password at next login
- pwdneverexpires = password never expires
- disabled = Enable / Disable the user
Adding users with a batch file
Script to create the OUs / users:
module2-add-user.bat
Put the User / OU commands in Notepad and save as .bat or .cmd (build the lines in Excel, then paste them into Notepad)
dsadd ou ou=IT,dc=demo,dc=local
dsadd ou ou=Management,dc=demo,dc=local
dsadd ou ou=Sale,dc=demo,dc=local
dsadd user "cn=suttipan,ou=Management,dc=demo,dc=local" -upn suttipan@demo.local -fn suttipan -ln passorn -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=itsupport01,ou=IT,dc=demo,dc=local" -upn itsupport01@demo.local -fn itsupport01 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=itsupport02,ou=IT,dc=demo,dc=local" -upn itsupport02@demo.local -fn itsupport02 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=itsupport03,ou=IT,dc=demo,dc=local" -upn itsupport03@demo.local -fn itsupport03 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=itsupport04,ou=IT,dc=demo,dc=local" -upn itsupport04@demo.local -fn itsupport04 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=itsupport05,ou=IT,dc=demo,dc=local" -upn itsupport05@demo.local -fn itsupport05 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=sale01,ou=Sale,dc=demo,dc=local" -upn sale01@demo.local -fn sale01 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=sale02,ou=Sale,dc=demo,dc=local" -upn sale02@demo.local -fn sale02 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=sale03,ou=Sale,dc=demo,dc=local" -upn sale03@demo.local -fn sale03 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=sale04,ou=Sale,dc=demo,dc=local" -upn sale04@demo.local -fn sale04 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=sale05,ou=Sale,dc=demo,dc=local" -upn sale05@demo.local -fn sale05 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
OU (Organizational Unit)
An OU is an Active Directory object that groups objects logically: Users / Groups / Computers / Printers are placed in OUs.
OUs are used to organize resources, to delegate tasks, and to link Group Policy.
Example: OU IT, delegate to the user IT manager 01 the right to reset passwords of the users in the OU.
Example: OU HR, assign a Group Policy to the users in the OU.
OU design by resource:
1. Location: OU = Bangkok, OU = Lampang (users per site)
2. Function: OU = IT, OU = Engineer
3. Resource: OU = UsersOffice, OU = Computer Clients
4.
Creating an OU
Create New Organizational Unit: Protect container from accidental deletion (in Windows 2003 an OU could be deleted by accident; Windows 2008 adds this protection)
Check box on the OU
Creating OUs from the command line
DSADD
Domain DN: the domain demo.local has the DN
dc=demo,dc=local
Create the OUs IT and Management from the command line:
dsadd ou ou=IT,dc=demo,dc=local
dsadd ou ou=Management,dc=demo,dc=local
Note: add a description with -desc
dsadd ou ou=Sale,dc=demo,dc=local -desc "Sale Department"
Lab4: Active Directory PowerShell
PowerShell in Windows 2008 R2 includes the Active Directory Module
1. Open PowerShell
PowerShell Mode ()
Load the module: Import-Module ActiveDirectory
1. List the PowerShell Active Directory cmdlets: Get-Command -Module ActiveDirectory
PowerShell: Users
Get-Help Get-ADUser -Full (full help for the cmdlet)
Get-ADUser (gets users from Active Directory)
Filter example: department -eq "IT Department" (users whose Department = IT Department)
PowerShell
Error
Error
Copy Command RUN Error
Finding objects with Search-ADAccount
Search-ADAccount -PasswordNeverExpires | FT Name, DistinguishedName
Search-ADAccount -AccountDisabled | FT Name, DistinguishedName
Search-ADAccount -AccountExpiring | FT Name, DistinguishedName
Search-ADAccount -LockedOut | FT Name, DistinguishedName
Search-ADAccount -PasswordExpired | FT Name, DistinguishedName
List users in Active Directory with PowerShell:
Get-ADUser -Filter * | FT Name, DistinguishedName, Enabled
PowerShell ISE
Windows PowerShell 2.0 on Windows 7 / Windows 2008 R2; PowerShell ISE is a sub-feature
PowerShell ISE (Integrated Scripting Environment) has tabs for PowerShell commands
Install PowerShell ISE from PowerShell:
1. Import-Module ServerManager
2. Get-WindowsFeature -Name *PowerShell*
3. Add-WindowsFeature PowerShell-ISE
PowerShell-ISE install command
Or use the Server Manager GUI:
Server Manager > Features > Add Features > Windows PowerShell (Integrated Scripting Environment)
Start PowerShell ISE
Command line: powershell_ise.exe
PowerShell ISE
PowerShell: Computers
List computer objects (with Last Logon) to clean up the domain pro-actively:
Get-ADComputer -Filter * -Properties * | FT Name, OperatingSystem, LastLogonDate, DistinguishedName
4. Groups
Get-Help Get-ADGroup -Full (full help for the cmdlet)
Get-ADGroup -Filter *
Get-ADGroup -Identity Sales (gets one group by name, e.g. the group G-Finance)
5. PowerShell: OU
Get-Help Get-ADOrganizationalUnit -Full (full help for the cmdlet)
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion (lists the OUs with their accidental-deletion protection)
Report as .html
Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -Properties OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion | ConvertTo-Html -Property Name,SID,OperatingSystem* | Out-File C:\OSList.htm
Open C:\OSList.htm
Create OUs with PowerShell (run in a PowerShell ISE tab):
New-ADOrganizationalUnit Test1
New-ADOrganizationalUnit Test2
Create a user with PowerShell
New-ADUser -SamAccountName test02 -Name "test02" -UserPrincipalName test02@demo.local -AccountPassword (ConvertTo-SecureString -AsPlainText "password@1" -Force) -Enabled $true -PasswordNeverExpires $true -Path "OU=Engineer,DC=demo,DC=local"
Advanced Delegation
Step 4
Tools
Restart
Server Core Join Domain
CSVDE
Step 3: CSV column headers (mapping ADUC fields to CSVDE attributes)
http://www.computerperformance.co.uk/Logon/Logon_CSVDE_Bulk.htm
First Name = givenName
Last Name = sn
Office = physicalDeliveryOfficeName
Destination OU = destinationOU
Common Name = CN
User Logon Name = userPrincipalName
User Must Change Password at next logon = mustChangePassword
Account is Disabled = accountDisabled
Profile Path = profilePath
Login Script = scriptPath
Home Folder = homeFolder
Step 4: Import
csvde -i -f c:\import.csv
Group Membership
OU = Group Policy
Group =
Groups
A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.
A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.
A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest. Universal groups are not supported.
Group types (2)
1. Distribution Group
Not used to assign permissions / rights
2. Security Group
Used to assign rights / permissions
Distribution Group
Concept AGUDLP
Assigning permissions across a Forest Trust
Concept:
Accounts
Global Groups
Universal Groups
Domain Local Groups
Permissions
4. The users in OU = IT are members of the group ITs
5. dsquery group -name ITs
6. List the group members: dsquery group -name ITs | dsget group members and hit Enter
Schedule Task
Audit_Role
Read_ACL
2. DSQUERY
List group members in a batch run
Group = G-Finance
dsquery group -name G-Finance | dsget group members
4. PowerShell
User / Group
5. csvde
csvde -f adusers.csv -r objectClass=user
Restart
Computer Object on the Domain Controller
By default a user can join 10 computers to the domain
Change the limit with ADSIEDIT
Join Domain: ms-DS-MachineAccountQuota = xx
What is Group Policy?
Group Policy = Set of rules that you can apply throughout the enterprise. (Group Policy Pocket Administrator)
Group Policy Object (GPO) is a Microsoft feature for managing computers and users (User)
- Services
(Centralized Management)
Group Policy
Group Policy Object (GPO)
Example: 1500 machines, a Game Server environment, managed through the Group Policy Management Console (GPMC): GPO for the 1500 machines (Game)
GPO
GPOs support the user desktop environment:
Apply security settings
Manage desktop and application settings
Deploy software
Manage folder redirection
LGPO (Local GPO) vs Domain-based GPO
Proof Of Concept: Local Group Policy
Policy Preferences
Used for user settings such as Map Network Drive, Map Network Printer, Shortcuts
Refresh: preferences refresh when the user logs in, and can be applied only once (Applied Once)
Policy Settings and Policy Preferences in Group Policy
IT admins in Active Directory use Policy Settings and Policy Preferences from Domain-based Group Policy
Domain-based Group Policy is stored in SYSVOL; a Group Policy Object (GPO) consists of:
Group Policy Container (GPC)
The GPC is stored in the Active Directory database and replicated by Domain Controller replication; the GPC holds the properties of the GPO and its Globally Unique Identifier (GUID)
Group Policy Template (GPT)
The GPT is stored in SYSVOL and replicated between Domain Controllers; the GPT uses the same GUID as the GPC
Implementing Active Directory Group Policy on a Domain Controller
GPO: 2 ways to manage GPOs, GUI and command-line
GUI-based
1. Group Policy Management Console (GPMC), Windows Server 2008
GPMC manages GPOs:
- Create GPO
- Copy, Import, Export
- Backup, Restore
- Modeling
2. Group Policy Management Editor (GPME)
Opened from GPMC to edit a GPO (GPME)
3. Remote Server Administration Tools (RSAT)
Console for managing the server from a client; RSAT includes GPMC
4. Advanced Group Policy Management (AGPM)
AGPM is a component of the Microsoft Desktop Optimization Pack (MDOP)
Command-line based
1. GPRESULT
2. GPUPDATE
3. RSOP.MSC
4. GPOTOOL.EXE
1. Group Policy Client-side Extensions (CSE) for Windows XP, Windows 2003 and Windows Vista: the CSE engine is the client feature that applies GPO settings; Windows 2008 includes the CSEs for Preferences settings
FRS and DFS replication
- Sysvol (Active Directory System Volume) holds the domain's GPOs and the logon, logoff, shutdown and startup scripts
Sysvol is replicated between Domain Controllers; the replication technology depends on the Domain Functional Level
Sysvol replication: FRS or DFS
FRS uses a "last writer wins" algorithm
FRS: Domain Functional Level = Windows 2000 Native, Windows Server 2003
DFS: Domain Functional Level = Windows Server 2008
FRS (Ntfrs.exe): replication topology and schedule to remote servers over the RPC protocol
FRS configuration is stored in the Registry and on the NTFS file system; FRS stores its transactions on the Domain Controller
Group Policy
Understand Group Policy
Implement a Group Policy
Explore Group Policy Settings and Features
Manage Group Policy Scope
Group Policy Processing
GPO
A GPO has 2 parts, matching the Active Directory object types: Computer Configuration and User Configuration
- GPO Computer Configuration: applies to Computer objects
- GPO User Configuration: applies to User objects
Log On
[ Group Policy Refresh Interval ]
GPO refresh: Refresh Time and Slow-Link Detection
Mode GPO
GPOs in Active Directory: 3 levels
1. Site GPOs
2. Domain GPOs
3. Organizational Unit (OU) GPOs
GPO processing order for a Domain-based client:
1. Local GPOs
2. Site GPOs
3. Domain GPOs
4. OU GPOs
Turn Off LGPO = Computer Configuration\Policies\Administrative Templates\System\Group Policy > Turn Off Local Group Policy Objects Processing.
Proof Of Concept: GPO
Create the LAB OU and users:
dsadd ou ou=ACC,dc=demo,dc=local
dsadd user "cn=acc01,ou=ACC,dc=demo,dc=local" -upn acc01@demo.local -fn acc01 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=acc02,ou=ACC,dc=demo,dc=local" -upn acc02@demo.local -fn acc02 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=acc03,ou=ACC,dc=demo,dc=local" -upn acc03@demo.local -fn acc03 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=acc04,ou=ACC,dc=demo,dc=local" -upn acc04@demo.local -fn acc04 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=acc05,ou=ACC,dc=demo,dc=local" -upn acc05@demo.local -fn acc05 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
GPO Link
Group Policy is linked to an item (Site, Domain, OU); a GPO can be linked to more than one item
GPO
1 GPO, 1 link!
Link the GPO-Disable Notepad GPO
GPO Inheritance
GPO Inheritance: GPOs linked to a parent object are inherited by the objects below it
Link Order
Inheritance on an OU
Inherited option: Block Inheritance
OU GPO
OU GPO
Option Enforce
Refresh Time
GPO User: 2 cases
1. Server OS: Synchronous foreground processing; the GPO applies the Computer and User Configuration before the user gets the desktop
2. Client OS: Asynchronous foreground processing; the GPO User Configuration is applied in the background
Option
GPO refresh commands
gpupdate /force = force a GPO refresh
gpupdate /Wait:<WaitTime> = GPO refresh with a wait time
gpupdate /Logoff = GPO refresh, then logoff
gpupdate /Boot = GPO refresh, then reboot
gpupdate /Sync = GPO refresh synchronously
Refresh Interval
Tip: the Refresh Interval is set by a GPO linked to the OU Domain Controllers
Slow-Link Detection
Function Slow-Link Detect
Group Policy settings
GPO User & Computer settings in GPME
Policy Settings
1. Software Settings: deploy software with a GPO
2. Windows Settings: Folder Redirection, Internet Explorer
3. Administrative Templates: registry-based settings
Policy Preferences
1. Windows Settings: Script
2. Control Panel Settings: Environment, Control Panel
Proof Of Concept: Review GPMC
- DC
- Sites Link
- Delegating Privileges
- GPO Permission
- Permissions on Sites and Domain
Permissions
1. Link GPOs: the user or group may link GPOs
2. Perform Group Policy Modeling Analyses: the user or group may run RSoP Planning
3. Read Group Policy Results Data: the user or group may run RSoP Logging mode
Delegating control of GPOs
Non-administrative users or groups can be given GPO permissions:
1. Read
2. Edit Settings
Starter GPOs
A Starter GPO is a template from which new GPOs are created
Starter GPOs are stored in Sysvol
Create a GPO from a Starter GPO
Enable / Disable GPO
GPO
Filter GPO
WMI filters for GPOs
- RAM: apply the GPO only if the machine meets the RAM condition
- Hard disk: apply the GPO only if the machine meets the disk condition
- Version
- System Services
Query
Command Query
Operating system
Resources
http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx
Default Policies
Active Directory has 2 default GPOs:
1. Default Domain Policy GPO
2. Default Domain Controller Policy GPO
1. Password Policy
2. Account Lockout Policy
3. Kerberos Policy (Maximum Tolerance for Computer Clock Synchronization)
Proof Of Concept: Default Domain Policy
Default Domain Policy GPO settings (3):
1. Accounts: Rename Administrator Account
2. Accounts: Administrator Account Status
3. Accounts: Guest Account Status
4. Accounts: Rename Guest Account
5. Network Security: Force Logoff When Logon Hours Expire
6. Network Security: Do Not Store LAN Manager Hash Value On Next Password Change
7. Network Access: Allow Anonymous SID/Name Translation
Default Domain Policy
GPO Default Domain Policy: dcgpofix.exe restores the Default Domain Policy GPO
Default Domain Controller Policy
The Default Domain Controller Policy applies to Domain Controllers:
1. Audit Policy
2. User Right Assignment
3. Security Options
[ Move Domain Controller OU ]
Group Policy
GPO Storage: GPC and GPT
GPC = Group Policy Container | GPT = Group Policy Template
Stored in the AD Database | Stored in Sysvol
Replicated by AD Replication | Replicated by Sysvol Replication
Stores the properties related to the GPO | Used to store the files related to the GPO on disk
Identified with a globally unique identifier (GUID) | Identified with the same globally unique identifier (GUID)
Group Policy Container
Properties of the GPC
Migrate: mtedit.exe
SYSVOL
Sysvol holds the GPO file system: Policies, logon scripts and Group Policy Templates; it is replicated through Sysvol replication
Sysvol
1. Migrate the Sysvol replication technology from FRS to DFS
2. Migration requires raising the Domain Functional Level
3. Check Sysvol replication (FRS or DFS) with net share
Checking Sysvol replication
1. Netlogon
2. FRS (FRS replication)
3. DFS (DFS replication)
Tools:
1. net share (shows the Sysvol share)
2. dcdiag.exe
dcdiag /s:servername /test:replication
dcdiag /s:servername /test:netlogons
3. repadmin.exe
repadmin /showrepl
repadmin /syncall
The Group Policy Results Wizard
Rsop.msc and Gpresult.exe (Remote Management): allow firewall ports 135 and 445 and the WMI firewall rule
The Group Policy Modeling Wizard
GPResult.exe
Rsop + GPresult
Policy Event
ControlPanelDisplay.adml ControlPanelDisplay.admx
ScreenSaverIsSecure
GPO-Preferences
GPO Preferences: Folder
GPO Preference Folder C:\Apps on W7-01
Group Policy Software Installation (GPSI)
Assigned to User: Start Menu, File Association Made, Option Install at Logon, .msi support, Available for installation again
Assigned to Computer: Install at startup
Step:
\\
setlocal
REM *********************************************************************
REM Environment customization begins here. Modify variables below.
REM *********************************************************************
REM Get ProductName from the Office product's core Setup.xml file.
set ProductName=Enterprise
REM Set DeployServer to a network-accessible location containing the Office source files.
set DeployServer=\\server\share\Office12
REM Set ConfigFile to the configuration file to be used for deployment (required).
set ConfigFile=\\server\share\Office12\Enterprise.WW\config.xml
REM Set LogLocation to a central directory to collect log files.
set LogLocation=\\server\share\Office12Logs
REM *********************************************************************
REM Deployment code begins here. Do not modify anything below this line.
REM *********************************************************************
REM On 64-bit Windows the 32-bit uninstall keys live under WOW6432NODE.
IF NOT "%ProgramFiles(x86)%"=="" SET WOW6432NODE=WOW6432NODE\
reg query HKEY_LOCAL_MACHINE\SOFTWARE\%WOW6432NODE%Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%
if %errorlevel%==1 (goto DeployOffice) else (goto End)
REM If 1 returned, the product was not found. Run setup here.
:DeployOffice
start /wait %DeployServer%\setup.exe /config %ConfigFile%
echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt
REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
:End
Endlocal
Security Template
Generate Report
dsacls "dc=demo,dc=local"
Remove Reset Permissions
(Day:Hours:Minutes:Second)
=0
Lock 15
Forwarders
Forwarder: a DNS server to which this DNS server forwards the queries it cannot answer itself
Standard: forwards queries to the configured DNS server
Conditional: forwards queries for a specific domain to the configured DNS server (otherwise Root Hints are used)
DNS Zones
Active Directory Integrated Zone
1. Multi-master replication (Active Directory)
2. Streamlined data replication
3. Secure dynamic update
4. Backwards compatible to secondary zones
Stub Zone: domain DNS (name server records only)
Forwarder vs Stub Zone (Forest): the forwarder forwards the query
DNS Caching
DNS query results are cached as records on both the client and the server.
Client: clear the cache with ipconfig /flushdns, display it with ipconfig /displaydns
Server: clear the cache with DNSCmd.exe /clearcache
Backup IFM (Install From Media)
C:\Users\Administrator>ntdsutil
ntdsutil: activate instance NTDS
Active instance set to "NTDS".
ntdsutil: ifm
ifm: create sysvol full c:\ifm
Creating snapshot...
Transfer
Seize
Deleted (Metadata Cleanup)
Refer to the steps at http://support.microsoft.com/kb/255504
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx#bkmk_graphical
Script Remove Metadata: http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3
Step (seize): ntdsutil
roles
connections
connect to server dc01.demo.com
q
seize XX
Step (metadata cleanup): ntdsutil
metadata cleanup
remove selected server
The PDC emulator operations master processes all password updates, Group Policy updates and time server updates.
The relative ID (RID) operations master maintains the global RID pool for the domain and allocates local RID pools to all domain controllers, to ensure that all security principals created in the domain have a unique identifier.
The infrastructure operations master for a given domain maintains a list of the security principals from other domains that are members of groups within its domain. It tracks who is in which group and should not be placed on a Global Catalog server (if possible).
In addition to the three domain-level operations master roles, two operations master roles exist in each forest:
The schema operations master governs changes to the schema (register the Schema snap-in with regsvr32 schmmgmt.dll).
The domain naming operations master adds and removes domains and other directory partitions (for example, Domain Name System (DNS) application partitions) to and from the forest.
dfsrmig /getglobalstate
dfsrmig /setglobalstate 0
dfsrmig /getglobalstate
dfsrmig /getmigrationstate
dfsrmig /setglobalstate 1
dfsrmig /getmigrationstate
Step:
dfsrmig /setglobalstate 2
dfsrmig /getmigrationstate
ntdsutil
activate instance ntds
files
integrity
http://mvpskill.com/blogs/kb/archive/2011/11/24/windows-server-backup-folder.aspx
http://mvpskill.com/blogs/kb/archive/2011/11/21/domain-controller-restoring-system-state-data-windows-server-backupfeature.aspx
http://mvpskill.com/blogs/kb/archive/2011/11/11/domain-controller-backing-up-system-state-data-windows-server-backupfeature.aspx
Step:
Domain Controller (Backing Up System State Data) Windows Server Backup Feature
http://mvpskill.com/blogs/kb/archive/2011/11/11/domain-controller-backing-up-system-state-data-windows-server-backupfeature.aspx
Domain Controller (Restoring System State Data) Windows Server Backup Feature
http://mvpskill.com/blogs/kb/archive/2011/11/21/domain-controller-restoring-system-state-data-windows-server-backupfeature.aspx
Reset DSRM Password
http://technet.microsoft.com/en-us/library/cc754363(WS.10).aspx
1. Harddisk dc01
Password Reset
Install Windows Server Backup Feature
Create a Scheduled Backup
Interactive Backup
Step:
Authoritative Restore
Ntdsutil
Activate instance ntds
Authoritative restore
Restore subtree ou=05_HR,dc=demo,DC=local
Bcdedit /deletevalue safeboot
(Lab with 2 DCs: DC1 and DC2)
Trusts
Two-Way trust: Trusted (Outgoing) = Trusting (Incoming)
Manual trusts:
External Trust
Realm Trust
Forest Trust
Shortcut Trust = authentication between child domains in a forest