
Active Directory Windows 2008 R2
Best Practice | Step by Step
Install & Configuring for IT Professionals

Step By Step

Suttipan Passorn | Microsoft Most Valuable Professional | Management Infrastructure
http://www.mvpskill.com | Change The World By Contributions
10 September 2012 | Version 1.00

Active Directory Windows 2008R2 Step by Step

1. E-Book Active Directory Windows 2008R2 Step By Step
   70-640 TS: Windows Server 2008 Active Directory, Configuring
   LAB
   Microsoft Certify Skill
2. E-Book
3. E-Book
   Microsoft Press MCTS Self-Paced Training Kit Exam 70-640.
   Sams Windows Server 2008 R2 Unleashed.
   Pearson MCTS 70-640 Cert Guide.

Suttipan Passorn
Founder, mvpskill.com | Change the World by Contributions

Tip

Version http://www.mvpskill.com

Page 1 of 237


Requirement LAB

LAB Active Directory
Enterprise Infrastructure
LAB: VMware Workstation, PC RAM 8 GB, Harddisk 100 G
LAB VM Guest / VM Guest
Harddisk RAID 10, Disk SSD

Windows Server 2008R2 Download Evaluation:
http://technet.microsoft.com/en-us/evalcenter/dd459137.aspx
Step by Step Windows Server 2008 Feature:
http://www.microsoft.com/en-us/download/details.aspx?id=17157 (Keyword: Windows Server 2008 Step-by-Step Guides)


Server (Virtual Machine) LAB

No.  Server Name  Domain Name    Type of Domain                             IP Address    Prefer DNS1/2
1    dc01         demo.local     Root First DC in forest                    192.168.1.10  Self
2    dc02         demo.local     Root Additional Domain Controller          192.168.1.20  Self
3    dc03         cm.demo.local  Child Domain                               192.168.1.30  Self
4    dc04         cm.demo.local  Child Additional Domain Controller         192.168.1.40  Self
5    dc05         abc.com        Domain Tree                                192.168.1.50  Self
6    dc06         abc.com        Domain Tree Additional Domain Controller   192.168.1.60  Self

Client

Domain Name    Type of Domain    IP Address    Prefer DNS1/2

Server (Virtual Machine) LAB Advance

No.  Server Name  Domain Name  Type of Domain           IP Address    Prefer DNS1/2
1    core01       demo.local   Root First DC in forest  192.168.1.10  Self


Table of Contents

Requirement LAB .... 2
Module 1: Introducing Active Directory Domain Services (AD DS) .... 12
Module 1 .... 13
Pre Install Active Directory: Active Directory Server Role .... 13
Lab1: Active Directory Domain Service Domain Controller .... 14
Checklist Domain Controller .... 20
Active Directory Schema .... 21
Domain Controller .... 23
Domain Controller .... 24
Active Directory Domain .... 27
Active Directory Data Store .... 29
Raise Domain & Forest Functional Level .... 30
Lab1.1 Advance: ADDS Role Server Core .... 32
1 Introducing Active Directory Domain Services (AD DS) .... 37
Module 2: Administering Active Directory Securely and Efficiently .... 38
Lab2: Administering Active Directory by Using Administrative Tools .... 39
MMC .... 42
Object Active Directory .... 51
Lab3: Find Objects in Active Directory .... 52
Object ds commandline .... 54



dsquery: Displays objects matching search criteria .... 54
dsget: Properties Object .... 55
Dsquery dsget .... 56
dsrm: Removes objects .... 57
User Active .... 57
dsmove: Moves objects to another container within the domain .... 58
dsmod: Modifies objects .... 58
Saved Queries .... 58
dsadd Create User .... 63
Script OU / USER .... 64
OU (Organizational Unit) .... 66
Lab4: Active Directory PowerShell .... 69
PowerShell: Users .... 71
PowerShell ISE .... 74
PowerShell: Computers .... 76
PowerShell Password Users .... 77
PowerShell List User Account .... 78
Delegation Control Wizard .... 84
Delegate Reset Password / Unlock User Account .... 85
Security Permission Active Directory Object .... 86
Module 3: Managing Users and Service Accounts .... 89
RSAT .... 89

Server Core Remote Sconfig.cmd .... 91
Active Directory Administrative Center .... 93
Lab5: Create and Administer User Accounts .... 94
Lab6: Configure User Object Attributes .... 94
Lab7: Automate User Account Creation .... 95
CSVDE .... 95
LDIFDE = LDAP Data Interchange Format (LDIF) .... 96
Lab7-4: Create and Administer Managed Service Accounts .... 96
Module 4: Managing Groups .... 98
Group Membership .... 98
Group (2) .... 100
Scope Group (3 Scope) .... 101
Concept AGUDLP .... 101
Lab8: Administer Groups .... 102
Group Members Active Directory .... 104
Lab9: Best Practices for Group Management .... 108
Module 5: Managing Computer Accounts .... 109
Lab10: Create Computers and Join the Domain .... 109
Offline Domain Join .... 110
Lab11: Administer Computer Objects and Accounts .... 111
Module 6: Implementing a Group Policy Infrastructure .... 113
Group Policy ? .... 113
Group Policy .... 113
Local Group Policy .... 114

Option Group Policy Windows Server 2008 .... 115
Group Policy .... 115
Group Policy .... 116
Group Policy Windows 2008 .... 117
Group Policy .... 118
GPO .... 119
GPO Active Directory .... 119
GPO Link .... 120
Group Policy Processing .... 122
GPO Link Order .... 122
GPO Inheritance .... 122
GPO (Enforcing Inheritance) .... 123
Refresh Time .... 124
Refresh Interval .... 124
Slow-Link Detection .... 125
GPO Loopback Processing .... 126
GPO Modeling GPO Result .... 126
Group Policy .... 127
Delegating Control GPOs .... 128
Starter GPOs .... 129
Enable / Disable GPO .... 129
Advance Group Policy Management (AGPM) .... 130


Search And Filtering GPO .... 130
WMI Filter WMI Query .... 132
Default Policies .... 133
Default Domain Policy .... 133
Default Domain Policy .... 134
Default Domain Controller Policy .... 134
Top 10 GPO Settings .... 135
Group Policy .... 135
GPO Storage .... 135
Protocol Process GPO .... 137
Import, Migration GPO .... 138
Backup / Restore GPO .... 138
SYSVOL .... 139
Replication Sysvol .... 139
Lab12: Implement Group Policy Create, Edit and Link GPOs .... 140
Lab13: Manage Group Policy Scope .... 140
Lab15: Troubleshoot Policy Application .... 140
Module 7: Managing User Desktop with Group Policy .... 147
Lab16: Manage Administrative Templates .... 147
Lab17: Manage Group Policy Preferences .... 149
GPO Preferences .... 149
Group Policy Preferences Shortcut Notepad Desktop .... 150


GPO-Preferences Folder .... 154
GPO-Preferences MAP Network Drive .... 154
LAB18: Manage Software With GPSI .... 156
Software Group Policy (GPSI) .... 156
Lab: Manage Security Settings With Security Template .... 160
Lab: Audit Active Directory Changes .... 161
Lab: Link VS Unlink .... 163
Module 8: Managing Enterprise Security and Configuration with Group Policy Settings .... 165
Lab19: Use Group Policy to Manage Group Membership .... 165
Lab20: Manage Security Settings .... 167
Security Template .... 168
Security Configuration Wizard .... 169
Lab21: Audit File System Access .... 172
Lab: Audit Active Directory Changes .... 173
Lab: Audit Authentication .... 175
Lab22: Configure Application Control Policies .... 176
Module 9: Securing Administration .... 180
Lab23: Delegate Administration .... 180
Lab24: Audit Active Directory Changes .... 182
Module 10: Improving the Security of Authentication in an AD DS Domain .... 183
Lab25: Configure Password and Account Lockout Policies .... 183
Fine Grained Password Objects .... 183
Lab26: Audit Authentication .... 193
Lab27: Configure Read-Only Domain Controller .... 193
Read Only Domain Controller (RODC) .... 193



Module 11: Configuring Domain Name System .... 196
DNS Namespace Option .... 197
DNS Zone .... 197
DNS Zone Transfer Replication .... 198
DNS Caching .... 199
TIP: DNS / WINS .... 200
Lab28: Install DNS Service .... 200
Lab29: Advance Configuration DNS .... 201
DNS Stub Zone .... 203
Module 12: Administering AD DS Domain Controllers .... 204
Lab30: Install Domain Controller .... 204
Lab31: Install Server Core Domain Controller .... 208
Lab32: Transfer Operation Master Roles .... 210
Operation Master Roles Active Directory .... 212
Seize Operations Master .... 214
Lab33: Configure Global Catalog and Universal Group Membership Caching .... 216
Global Catalog, Universal Group Membership .... 216
Lab34: Configure DFS-R Replication of SYSVOL .... 217
Module 13: Managing Sites and Active Directory Replication .... 220
Lab35: Configure Site and Subnet .... 220
Lab36: Configure Replication .... 220
Module 14: Directory Service Continuity .... 222
Lab36: Monitor Active Directory Events and Performance .... 222
Lab37: Manage Active Directory Database .... 224
Lab38: Using Active Directory Recycle Bin .... 225

Lab39: Backup and Restore Active Directory .... 230
Module 15: Managing Multiple Domains and Forests .... 235
Lab40: Configure Name Resolution Between Forest .... 235
Lab37: Configure a Forest Trust .... 235


Module 1: Introducing Active Directory Domain Services (AD DS)


ADDS
Active Directory Windows Server Operating System
Server Domain Controller User Active Directory
User Environment
( Windows )
Windows 2000 Windows 2003 AD Active Directory Windows 2008 Active
Directory Domain Services (ADDS)
ADDS IT Pro Microsoft
Microsoft Server Platform Microsoft Platform
Active Directory Domain Services (ADDS) Roles Windows Server (
Authentication & Authorization & Audit) Active Directory Windows Server 2008
(identity and access) IDA
Active Directory
Active Directory Microsoft Directory Service Client / Server
! ( License Windows OS)
Username / Password
Client Environment ( Group Policy)
Software Deployment ( Group Policy)
Security Parameter ( Group Policy)
, User Data Active Directory
Active Directory Exchange / Sharepoint / SQL


Module 1

Active Directory

Active Directory Domain Services (ADDS) =
Roles Windows Server 2008 (Windows Server 2003: Active Directory) ADDS
Authentication, Authorization, Auditing
Clients Environment Group Policy

Domain Controller (DC) =
Server Roles Active Directory Domain Services (ADDS)

Active Directory Database =
Roles Active Directory Domain Services (ADDS) Windows Server
Database Object Users, Computer Accounts, Printer, Shared Folder,
Identities AD database Folder %Systemroot%\ntds\ntds.dit

Pre Install Active Directory: Active Directory Server Role
1. Windows 2008 R2 CPU x64 Itanium
2. Server OS Active Directory Server SID Clone (SID)
3. (Namespace & DNS) (Server domain)
4. DNS Server ADDS Best Practice DNS Server Microsoft Windows
5. IP Address Server Domain Controller Static IP Address
6. Password Restore Mode (Password Restore Mode recovery)
7. Network Firewall Active Directory Clients / Servers Allow Port Firewall Link
   Keyword: Active Directory and Active Directory Domain Services Port Requirements
   http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
8. Configuration Time-Zone OS client / server Time Zone
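The pre-install items above can be verified before running dcpromo. The following script is an added example, not part of the e-book; it assumes the Lab1 values on this page (dc01, demo.local, 192.168.1.10, preferred DNS = self), uses only WMI and built-in tools so it runs on a plain 2008 R2 server, and generalizes to the additional-DC case (dc02, dc04, dc06) through the assumed `$ExistingDc` variable, where it also tests the TCP ports from the port-requirements article linked above.

```powershell
# Added example (not from the e-book): pre-dcpromo checks for items 1-8 of the list above.
# Assumed lab values from this page; $ExistingDc is an assumption for additional DCs.
$ExpectedName = 'dc01'
$ExpectedIP   = '192.168.1.10'
$ExpectedDns  = '192.168.1.10'
$ExistingDc   = $null   # e.g. '192.168.1.10' when promoting dc02; $null for the first DC

$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. 64-bit only: Windows Server 2008 R2 ships for x64 and Itanium, never 32-bit
$os = Get-WmiObject Win32_OperatingSystem
Add-Check '64-bit OS' ($os.OSArchitecture -ne '32-bit') "$($os.Caption) $($os.OSArchitecture)"

# 2. Machine SID: a VM cloned without sysprep shares the SID of its source image.
#    The local Administrator is always <machine SID>-500, so strip the RID and compare
#    the printed value across the lab servers; equal values mean a cloned SID.
$admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-21-%-500'"
$machineSid = ([string]$admin.SID) -replace '-500$', ''
Add-Check 'Machine SID recorded (compare across servers)' ($machineSid -ne '') $machineSid

# 3. Namespace: the server already carries the name planned in the LAB table
Add-Check "Hostname is $ExpectedName" ($env:COMPUTERNAME -eq $ExpectedName.ToUpper()) $env:COMPUTERNAME

# 4./5. Static IP (no DHCP) and preferred DNS pointing at the expected server on the lab NIC
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
       Where-Object { $_.IPAddress -contains $ExpectedIP }
if ($nic) {
    $dns = @($nic.DNSServerSearchOrder)
    Add-Check 'Static IP (DHCP disabled)' (-not $nic.DHCPEnabled) ($nic.IPAddress -join ',')
    Add-Check "Preferred DNS is $ExpectedDns" ($dns.Count -gt 0 -and $dns[0] -eq $ExpectedDns) ($dns -join ',')
} else {
    Add-Check "NIC with $ExpectedIP present" $false 'no IP-enabled adapter has the expected address'
}

# 6. The Directory Services Restore Mode password is set inside the wizard (step 11);
#    there is nothing to verify before promotion.

# 7. Firewall: an additional DC must reach the AD ports on an existing DC. This is a
#    subset of the ports in the linked article; the RPC dynamic range is not tested here.
if ($ExistingDc) {
    foreach ($port in 53, 88, 135, 389, 445, 464, 636, 3268) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ok = $false
        try { $client.Connect($ExistingDc, $port); $ok = $client.Connected } catch { } finally { $client.Close() }
        Add-Check "TCP $port to $ExistingDc" $ok ''
    }
}

# 8. Time zone and time source: recorded so they can be compared with the other lab servers
$tz = Get-WmiObject Win32_TimeZone
Add-Check 'Time zone recorded (compare across servers)' $true $tz.Caption
$source = (w32tm /query /source 2>&1 | Out-String).Trim()
Add-Check 'Time source recorded' $true $source

$results | Format-Table Check, Pass, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed"
exit $failed
```

A non-zero exit code means at least one hard check failed; the "recorded" rows never fail on their own and exist only to be compared between servers.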


Lab1: Active Directory Domain Service Domain Controller

VDO Step By Step
http://www.mvpskill.com/kb/%E0%B8%A7%E0%B8%B4%E0%B8%98%E0%B8%B5%E0%B8%95%E0%B8%B4%E0%B8%94%E0%B8%95%E0%B8%B1%E0%B9%89%E0%B8%87-active-directory-windows-2008r2.html
Domain Controller
Objective:
ADDS Roles (Domain Controller)
LAB
Server Name = dc01
Domain Name = demo.local
IP Address = 192.168.1.10
Primary DNS = 192.168.1.10
Domain Controller Forest
1. Add Roles Active Directory Domain Service Server Manager
2. dcpromo.exe Active Directory Wizard
Step By Step: Domain Controller dc01.demo.local
Step: 1 Server dc01 IP Address / Primary DNS Server Manager Add Roles

Step: 2 Next Active Directory Domain Services


Step: 3 Next (Next Help Microsoft KB)

Step: 4 AD DS Role Dcpromo.exe Wizard Active Directory
Run > Dcpromo.exe Wizard Server Roles


Step: 5 Next

Step: 6 Next Domain / Forest Domain Controller
Create a new domain in a new forest


Step: 7 Domain namespace .local domain

Step: 8 Forest Functional Level Domain Controller Windows Server 2008R2
Forest Functional Level = Windows 2008 R2


Functional Level http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx


Step: 9 DNS Server

Step: 10 Database / Log / SYSVOL


Step: 11 Active Directory Restore Mode

Step: 11 Reboot Server dc01


Domain Controller
Checklist

Domain Controller
Best Practice Domain Controller
1. Event Viewer Error ( Error )
eventvwr
2. AD Database
?
3. SYSVOL / Netlogon
Share
?
4. DNS Record ( Domain Controller) ?
5. Default Administrative Tools AD Users & Computers / AD Sites & Services?
6. Review Default Configuration Built-in Container / Computers Container / Domain Controllers Container.


Active Directory Schema


Active Directory Schema Administrative Tools

Register .dll Domain Controller Register .dll
Advance ()
Active Directory Schema Object Advance
Class Attributes

Active Directory Schema


RUN
regsvr32 schmmgmt.dll

Register .dll mmc.exe Add Snap-in


Start > Run > MMC > Add / Remove Snap-in


Active Directory Schema

Advance Active Directory Schema


http://support.microsoft.com/kb/300427/en-us
http://support.microsoft.com/kb/250455
http://serverfault.com/questions/354275/default-full-name-format-in-active-directory

Domain Controller

Domain Controller Windows Server


Domain Controller Windows Server run ADDS Roles
Domain Controller ?
? ? ?


Domain Controller
http://technet.microsoft.com/en-us/library/cc772829(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc754663(WS.10).aspx
1. SYSVOL / NETLOGON
Domain Controller Default Share Sysvol Netlogon Script
Logon Join Domain Group Policy Deploy Group Policy Object
net share Domain Controller Share

/ Default Configuration ADDS SYSVOL NETLOGON
Share Folder Path Server

2. DNS Server
Active Directory

DNS DNS Server Active Directory
Port Service Active Directory


_gc Service Global Catalog Port 3268


dc01.demo.local ( )
3. AD Database Active Directory Data store

EDB.LOG Transaction Primary Transaction Log File
EDB.CHK Checkpoint Transaction EDB.LOG
Edbres0001.jrs / Edbres0002.jrs 20 MB Hard disk

4. Flexible Single Master Operations (FSMO)

FSMO = netdom query FSMO


5. Global Catalog (GC)


Object Active Directory Attribute
Domain
Global Catalog Client Log On Domain Global
Catalog Membership User
Global Catalog Active Directory Sites and Service
Server Name > NTDS Settings > Properties >
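The six-point post-promotion checklist above (event log, database, SYSVOL/NETLOGON shares, DNS records, FSMO, global catalog) as one PowerShell script; this is an added example, not from the e-book. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed on the DC, and the helper name `New-Check` and the `$Domain` value are the example's own.

```powershell
# Added example (not from the e-book): post-promotion checklist for a new DC,
# run in an elevated PowerShell on dc01.demo.local. Assumes RSAT-AD-PowerShell
# (the ActiveDirectory module) is installed, as it is in the lab.
Import-Module ActiveDirectory

$Domain  = 'demo.local'          # lab forest root from the e-book
$Results = @()

# Helper (hypothetical name): one row per checklist item
function New-Check($Name, $Ok, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; OK = [bool]$Ok; Detail = "$Detail" }
}

# 1. Event Viewer: errors in the Directory Service log (eventvwr in the checklist)
$dsErrors = @(Get-EventLog -LogName 'Directory Service' -EntryType Error -Newest 50 -ErrorAction SilentlyContinue)
$Results += New-Check 'No Directory Service errors' ($dsErrors.Count -eq 0) "$($dsErrors.Count) error event(s)"

# 2. AD database present (ntds.dit lives in the Database folder chosen at Step 10)
$ntds = Join-Path $env:SystemRoot 'NTDS\ntds.dit'
$Results += New-Check 'ntds.dit present' (Test-Path $ntds) $ntds

# 3. SYSVOL and NETLOGON shares, read from the same 'net share' output the e-book uses
$shares = net share | Out-String
foreach ($s in 'SYSVOL', 'NETLOGON') {
    $Results += New-Check "$s share" ($shares -match "(?m)^$s\s") ''
}

# 4. DNS: the SRV records clients and other DCs use to find this DC and the global catalog
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain", "_gc._tcp.$Domain") {
    $answer = nslookup -type=SRV $srv 2>&1 | Out-String
    $Results += New-Check "SRV $srv" ($answer -match 'svr hostname') ''
}

# 5. FSMO roles answer (netdom query fsmo) and the global catalog flag on this DC
$fsmo     = netdom query fsmo 2>&1 | Out-String
$fsmoText = ($fsmo -replace '\s+', ' ').Trim()
$Results += New-Check 'netdom query fsmo' ($LASTEXITCODE -eq 0) $fsmoText
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME
$Results += New-Check 'Global catalog' $dc.IsGlobalCatalog $dc.HostName

$Results | Format-Table Check, OK, Detail -AutoSize
```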


Active Directory Domain

( )
Additional Domain Controller
Domain Controller Domain Domain Controller

(
Domain Controller
Multi Master)
dc01.demo.local Domain Controller LAB dc02.demo.local
Additional Domain Controller Domain demo.local
Child Domain
Domain ..

Child Domain cm.demo.local


Server 2 Domain cm.demo.local dc03 dc04
demo.local cm.demo.local cm.demo.local


demo.local demo.local Administrator Account Enterprise Admin Groups


Child Domain Domain Tree

Domain Tree
Domain Domain
Root Domain demo.local
Domain abc.com Domain Tree

demo.local Administrator Account Enterprise Admin Groups Child Domain
Domain Tree
Enterprise Admins Group Groups Domain
Forest


Active Directory Data Store

http://technet.microsoft.com/en-us/library/cc772829(WS.10).aspx

Directory Partition :
http://technet.microsoft.com/en-us/library/cc961591.aspx
http://www.tech-faq.com/directory-partitions.html
1. Domain Partition
Partition users, computers, groups, Domain Forest replicate Domain Controller Domain

2. Configuration Partition
Forest Forest Domains, Sites Domain Controller
Domain Controller Forest
replicate Domain Controller Forest
3. Schema Partition
Forest
Schema replicate Domain Controller

Forest
4. Application Partition
Partition replicate Domain Controller Application Service
Replicate
Active Directory Active Directory (redundancy, availability, fault tolerance)

Raise Domain & Forest Functional Level


http://technet.microsoft.com/en-us/library/cc787290(v=ws.10).aspx
Domain / Forest Functional Level Active Directory Domain Forest

Domain Functional Level 6 ( )


Domain functional level.
1. Windows 2000 mixed (the default in Windows Server 2003)
2. Windows 2000 native
3. Windows Server 2003 interim
4. Windows Server 2003
5. Windows Server 2008
6. Windows Server 2008 R2
Forest Functional Level
1. Windows 2000 (the default in Windows Server 2003 and Windows Server 2008)
2. Windows Server 2003 interim
3. Windows Server 2003 (the default in Windows Server 2008 R2)
4. Windows Server 2008
5. Windows Server 2008 R2
Feature Level Link
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
Raise Domain Functional Level
Logon Domain Administrator

Active Directory Domains and Trusts


Domain Raise Domain Functional Level Windows Server 2008 R2

Raise Forest Functional Level


Logon Domain Administrator
Active Directory Domains and Trusts


Lab1.1 Advance: ADDS Role Server Core


Objective:
LAB Advance LAB Virtual Machine
LAB
Windows Server Core Windows Server 2008
Server Core
Windows Server Core Component, Binary, Services
Manual Windows Server Core Attack Surface Graphic Mode
Patch

Windows Server 2008 R2 Server Core Roles Windows GUI


Mode List Roles / Feature Server Core
Roles Windows Server Core
1. Active Directory Certificate Services
2. Active Directory Domain Services
3. Active Directory Lightweight Directory Services (AD LDS)
4. BranchCache Hosted Cache
5. DNS Server
6. Dynamic Host Configuration Protocol (DHCP) Server
7. File Services
8. Hyper-V
9. Print and Media Services
10. Streaming Media Services
11. Web Server (IIS) (including a subset of ASP.NET)
Feature Windows Server Core
1. Failover Clustering
2. Multipath I/O
3. Network Load Balancing
4. Quality of Service (QoS)
5. Removable Storage Management
6. Simple Network Management Protocol (SNMP)
7. Subsystem for UNIX-based applications
8. Telnet client
9. Windows Bitlocker Drive Encryption
10. Windows Internet Name Service (WINS)
11. Windows-on-Windows 64-bit (WoW64)
12. Windows PowerShell
13. Windows Server Backup
: http://technet.microsoft.com/en-us/library/cc753802(v=ws.10).aspx


Windows Server 2012 Roles / Feature


http://technet.microsoft.com/en-us/library/jj574158.aspx
LAB Advance
Windows Server Core
Server Name = dc01
Domain Name = demo.local
Step By Step: Domain Controller dc01.demo.local Windows Server Core
Step: 1 Server Core sconfig.cmd
Command line

sconfig.cmd

Computer Name 2 Enter


Computer Name core01 Restart Server
Server


Server reboot IP Address 8 Enter Network


Interface Option 1: Set Network Adapter IP Address Static IP
IP Address 192.168.1.10 DNS Server = 192.168.1.10

IP Address DNS Server 2 IP Address 192.168.1.10 ()


4 Sconfig.cmd 13
Command line menu DNS Server roles ocsetup DNS-Server-Core-Role

DNS-Server-Core-Role Case Sensitive


oclist Role

role
oclist >oclist.txt oclist.txt role

dcpromo Domain Controller

Unattended file

Save .txt
[DCINSTALL]
AutoConfigDNS=Yes
DomainNetBiosName=demo
NewDomainDNSName=demo.local
ReplicaOrNewDomain=Domain
NewDomain=Forest
ForestLevel=4
DomainLevel=4
SafeModeAdminPassword=password@1
RebootOnSuccess=Yes


dcpromo /unattend:c:\unattend.txt

1 Introducing Active Directory Domain Services (AD DS)


LAB
1.
2.
3.
4.
5.

ADDS
ADDS Domain Controller
Server Core

Server Core Domain Controller
Domain Controller


Module 2: Administering Active Directory Securely and Efficiently


Module
1. Active Directory Administration Tools
2. Least Privilege
3. Object Active Directory
4. PowerShell Active Directory
Domain Controller User

Module
Active Directory


Active Directory Users and Computers


Active Directory Function Domain
User, Groups, Computers, Printers, Share Folder
Active Directory Sites and Services
Replication, Network Topology, Domain , Forest
Module
Active Directory Domains And Trusts
Trust Relationship Tree
Domain / Forest Functional Level Module
Active Directory Schema
Advance Object Schema Attributes Object
class ( Format )

Lab2: Administering Active Directory by Using Administrative Tools


LAB User / Groups / Computer Object
Windows Server Default
Administrative Console
User Account Control

: LAB Module 2 Script Add User


module2-add-user.bat pdf Server
User
Run module2-add-user.bat Server dc01.demo.local
module2-add-user.bat Copy Server Run


Copy Server Command Line Run > Cmd.exe Run Script


Run Double Click ( Script Run )

RUN Error Error Domain

Run Script User OU


LAB Administrative Console



Start > Administrative Tools ()



Custom Administrative Console
Custom MMC
MMC Alternate Credentials

MMC
MMC Microsoft Management Console Tools Microsoft Shortcut
MMC
menu Run


Shortcut mmc


Custom Administrative Console Save Desktop Suttipan-AdministrativeConsole.msc


mmc shortcut


Active Directory Users & Computers (ADUC)

Active Directory Users and Computers ADUC


Object Active Directory Default
1. Menu View Customize View


2. Add / Remove Columns View > Add / Remove Columns


Active Directory Users and Computers Object Active Directory


( Object )

Object Wizard User GUI Base


Active Directory Administrative Center
http://technet.microsoft.com/en-us/library/dd560651(v=ws.10).aspx


Command Line = dsac.exe


Windows 2008 R2

PowerShell
Active Directory

User ADUC
Template Query ADUC


Query Object GUI


Administrative Center
User Review Properties Administrative Center Properties

Object Active Directory


Users / Computers Object Active Directory

1. Disable Deleted User Account
2. Assign Network Map Drive
3. OU
4.
5.


6. Group Member
User Active Directory ADUC
User 20000 GUI Object
Active Directory ( Refresh Object)


Object
1. Active Directory users and computers (ADUC)
2. Active Directory Administrative Center
3. dsquery.exe Command Line
4. Saved Query Object
Lab3: Find Objects in Active Directory
Object Active Directory
View Object Object

Object Active Directory Find


Save Query Object


- User Locked
- User Password Expired
Save Query Query String Google


Object ds commandline
DS GUI ( Object GUI
Load refresh ) user 20000 Domain
Command

dsquery: Displays objects matching search criteria


dsquery
Object Active Directory Object
AD Users and Computers Refresh User User
Dsquery ( OU GUI Base)

User Suttipan Assign Drive Logon Network


user OU Find AD Users & Computers Command
Line
Dsquery List User Active Directory
= dsquery user
User Database 100 User


dsquery user -limit 20000 ( list User 20000 Users)
List Export File
dsquery user -limit 20000 > user.txt & user.txt


list .txt

User
dsquery user -name "*suttipan"

User = Suttipan OU = Management GUI Assign


Drive Logon User
( User 20000 dsquery )

dsget: Properties Object


dsget User User = Suttipan Active Directory
(Office)

dsget user cn=suttipan,ou=Management,dc=demo,dc=local -office


User dsget user /?

Dsquery dsget

| ( = | )

User DN

user = Engineer02 Disable
= dsquery user -name engineer02 | dsget user -disabled


dsrm: Removes objects


Object
User itsupport
Dsquery user -name "*itsupport*"

Object ( Query)
dsrm "CN=itsupport01,OU=IT,DC=demo,DC=local"

User Active

User
dsquery user -inactive 10 -limit 0
10
User Computer Object OU
Batch Script user 12
for /f "Tokens=*" %%s in ('dsquery user -inactive 12 -limit 0') do (
DSMOVE %%s -newparent "OU=Quarantine,DC=demo,DC=local"
)
Batch Script computer 12
for /f "Tokens=*" %%s in ('dsquery computer -inactive 12 -limit 0') do (
DSMOVE %%s -newparent "OU=Quarantine,DC=demo,DC=local"
)
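The same quarantine procedure (find accounts inactive for N weeks, move them to OU=Quarantine) written with the AD PowerShell module, as an added example that is not part of the e-book. It runs as a dry run by default and keeps a review list; the `$LogFile` path and the `$DryRun` switch are the example's own assumptions.

```powershell
# Added example (not from the e-book): PowerShell version of the two quarantine
# batch files above. Runs as a dry run first (-WhatIf) and writes a CSV of what
# would move, so the result can be reviewed before anything changes.
Import-Module ActiveDirectory

$QuarantineOU  = 'OU=Quarantine,DC=demo,DC=local'   # same target OU as the batch files
$InactiveWeeks = 12                                  # dsquery -inactive counts in weeks
$LogFile       = 'C:\quarantine-candidates.csv'      # assumed path for the review list
$DryRun        = $true                               # set to $false to move for real

$cutoff = (Get-Date).AddDays(-7 * $InactiveWeeks)

# Search-ADAccount evaluates lastLogonTimestamp (replicated, ~14-day granularity),
# which is also what dsquery -inactive uses; users and computers are queried separately.
$stale = @(Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly) +
         @(Search-ADAccount -AccountInactive -DateTime $cutoff -ComputersOnly)

$report = foreach ($acct in $stale) {
    # Already quarantined: nothing to do
    if ($acct.DistinguishedName -like "*,$QuarantineOU") { continue }
    # Objects protected from accidental deletion cannot be moved; list them, do not touch them
    $obj   = Get-ADObject -Identity $acct.DistinguishedName -Properties ProtectedFromAccidentalDeletion
    $moved = $false
    if (-not $obj.ProtectedFromAccidentalDeletion) {
        Move-ADObject -Identity $acct.DistinguishedName -TargetPath $QuarantineOU -WhatIf:$DryRun
        $moved = -not $DryRun
    }
    New-Object PSObject -Property @{
        Name       = $acct.Name
        Class      = $acct.ObjectClass
        LastLogon  = $acct.LastLogonDate
        Protected  = $obj.ProtectedFromAccidentalDeletion
        OriginalDN = $acct.DistinguishedName
        Moved      = $moved
    }
}

if ($report) {
    $report | Export-Csv -Path $LogFile -NoTypeInformation
    $report | Format-Table Name, Class, LastLogon, Protected, Moved -AutoSize
} else {
    "No accounts inactive for $InactiveWeeks weeks."
}
```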


dsmove: Moves objects to another container within the domain

Object

dsmove UserDN -newparent TargetOUDN


dsmove "CN=itsupport02,OU=IT,DC=demo,DC=local" -newparent "OU=Management,DC=demo,DC=local"

dsmod: Modifies objects

Properties Object Batch

dsquery user -name "*suttipan" | dsmod user -office "Bangkok"

Tip: username DS commands $username$ %username%.

Saved Queries
http://technet.microsoft.com/en-us/library/cc771131(WS.10).aspx
Object Query
Object Save Queries
Function Save Query
5 User Lock Worm / Virus Network
Authentication Server User
Save Query User Account Lock Worm / Virus
Lock User

Step 1 AD Users and Computers Saved Queries > New > Query

Step 2 Define Query

Step 3 Custom Search TAB Advanced Copy LDAP Query


Step 4 Query F5 Refresh Query

Google
Query Google
Find Groups that contains the word admin
(objectcategory=group)(samaccountname=*admin*)
Find users who have admin in description field
(objectcategory=person)(description=*admin*)
Find all Universal Groups
(groupType:1.2.840.113556.1.4.803:=8)
Empty Groups with No Members
(objectCategory=group)(!member=*)
Finds all groups defined as a Global Group, a Domain Local Group, or a Universal Group

(groupType:1.2.840.113556.1.4.804:=14)
Find all User with the name Bob
(objectcategory=person)(samaccountname=*Bob*)
Find user accounts with passwords set to never expire
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)
Find all users that never log in to domain
(&(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*))))
Find user accounts with no log on script
(objectcategory=person)(!scriptPath=*)
Find user accounts with no profile path
(objectcategory=person)(!profilepath=*)
Finds non disabled accounts that must change their password at next logon
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
Finds all disabled accounts in active directory
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)
Finds all locked out accounts
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)
Finds Domain Local Groups
(groupType:1.2.840.113556.1.4.803:=4)
Finds all Users with Email Address set
(objectcategory=person)(mail=*)
Finds all Users with no Email Address
(objectcategory=person)(!mail=*)

Find all Users, Groups or Contacts where Company or Description is Contractors


(|(objectcategory=user)(objectcategory=group)(objectcategory=contact))(|(description=North*)(company=Contractors*))
Find all Users with Mobile numbers 712 or 155
(objectcategory=user)(|(mobile=712*)(mobile=155*))
Find all Users with Dial-In permissions
(objectCategory=user)(msNPAllowDialin=TRUE)
Find All printers with Color printing capability
Note: server name must be changed
(&(&(&(uncName=*Servername*)(objectCategory=printQueue)(printColor=TRUE))))
Find Users Mailboxes Overriding Exchange Size Limit Policies
(&(objectCategory=user)(mDBUseDefaults=FALSE))
Find all Users that need to change password on next login.
(&(objectCategory=user)(pwdLastSet=0))
Find all Users that are almost Locked-Out
Notice the >= that means Greater than or equal to.
(objectCategory=user)(badPwdCount>=2)
Find all Computers that do not have a Description
(objectCategory=computer)(!description=*)
Find all users with Hidden Mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))
Find all Windows 2000 SP4 computers
(&(&(&(objectCategory=Computer)(operatingSystem=Windows 2000 Professional)(operatingSystemServicePack=Service Pack 4))))
Find all Windows XP SP2 computers

(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))))))))
Find all Windows XP SP3 computers
(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))))))))
Find all Vista SP1 computers
(&(&(&(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1)))))
Find All Workstations
(sAMAccountType=805306369)
Find all 2003 Servers Non-DCs
(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2003*)))
Find all 2003 Servers DCs
(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))))
Find all Server 2008
(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2008*))))
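The Saved Query filters above can be run from the AD PowerShell module instead of the ADUC Saved Queries folder; this is an added example, not from the e-book. It wraps the list's bare filter pairs in a proper `(&...)` so `-LDAPFilter` accepts them, names the two bitwise matching-rule OIDs the `groupType` and `userAccountControl` queries rely on, and shows the reliable way to find locked-out accounts; the variable names are the example's own.

```powershell
# Added example (not from the e-book): the Saved Query filters above, run from the
# AD PowerShell module. Get-ADObject -LDAPFilter needs one well-formed filter, so
# the bare "(a=x)(b=y)" pairs from the list are wrapped in (&...) first.
Import-Module ActiveDirectory

# Bitwise matching-rule OIDs used by the groupType / userAccountControl queries above
$LDAP_BIT_AND = '1.2.840.113556.1.4.803'   # every bit in the mask must be set
$LDAP_BIT_OR  = '1.2.840.113556.1.4.804'   # any bit in the mask may be set

$queries = @{
    'Groups with admin in the name'     = '(&(objectCategory=group)(sAMAccountName=*admin*))'
    'Empty groups'                      = '(&(objectCategory=group)(!(member=*)))'
    'Universal groups'                  = "(groupType:${LDAP_BIT_AND}:=8)"
    'Global, domain local or universal' = "(groupType:${LDAP_BIT_OR}:=14)"
    'Password never expires'            = "(&(objectCategory=person)(objectClass=user)(userAccountControl:${LDAP_BIT_AND}:=65536))"
    'Disabled accounts'                 = "(&(objectCategory=person)(objectClass=user)(userAccountControl:${LDAP_BIT_AND}:=2))"
    'Never logged on (this DC only)'    = '(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))'
    'Computers without a description'   = '(&(objectCategory=computer)(!(description=*)))'
}

foreach ($name in ($queries.Keys | Sort-Object)) {
    # lastLogon is not replicated, so the 'never logged on' query is answered per domain controller
    $hits = @(Get-ADObject -LDAPFilter $queries[$name])
    '{0,-36} {1,5} object(s)' -f $name, $hits.Count
}

# The list's 'locked out' filter tests userAccountControl bit 16, but AD does not keep
# the lockout state in that attribute; Search-ADAccount reads lockoutTime instead.
Search-ADAccount -LockedOut | Format-Table Name, LockedOut, LastLogonDate -AutoSize
```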

dsadd Create User


Object Active Directory
Active Directory Object
User / Computer / Groups GUI ( Active Directory users and computers)
Command Line User dsadd.exe


Dsadd command-line User

dsadd user "cn=suttipan,ou=Management,dc=demo,dc=local" -upn suttipan@demo.local -fn suttipan -ln passorn -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no

DSADD
- upn = UPN Logon Account username@domain.local
- fn = First Name
- ln = Last Name
- pwd =
- mustchpwd = Login
- pwdneverexpires =

- disabled = Enable / Disable Users
User Batch Files

Script
OU / USER
module2-add-user.bat
User / OU Command Save Notepad .bat .cmd
( Excel Notepad Excel

dsadd ou ou=IT,dc=demo,dc=local
dsadd ou ou=Management,dc=demo,dc=local
dsadd ou ou=Sale,dc=demo,dc=local
dsadd user "cn=suttipan,ou=Management,dc=demo,dc=local" -upn suttipan@demo.local -fn suttipan -ln passorn -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=itsupport01,ou=IT,dc=demo,dc=local" -upn itsupport01@demo.local -fn itsupport01 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no


dsadd user "cn=itsupport02,ou=IT,dc=demo,dc=local" -upn itsupport02@demo.local -fn itsupport02 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=itsupport03,ou=IT,dc=demo,dc=local" -upn itsupport03@demo.local -fn itsupport03 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=itsupport04,ou=IT,dc=demo,dc=local" -upn itsupport04@demo.local -fn itsupport04 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=itsupport05,ou=IT,dc=demo,dc=local" -upn itsupport05@demo.local -fn itsupport05 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=sale01,ou=Sale,dc=demo,dc=local" -upn sale01@demo.local -fn sale01 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=sale02,ou=Sale,dc=demo,dc=local" -upn sale02@demo.local -fn sale02 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=sale03,ou=Sale,dc=demo,dc=local" -upn sale03@demo.local -fn sale03 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=sale04,ou=Sale,dc=demo,dc=local" -upn sale04@demo.local -fn sale04 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=sale05,ou=Sale,dc=demo,dc=local" -upn sale05@demo.local -fn sale05 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no


OU (Organizational Unit )
OU Active Directory Object

Object Logical OU
Users / Groups / Computers / Printer OU OU
OU Resource OU Delegation Task
Group Policy OU
OU Resource
OU IT Delegate User = IT manager 01 User Reset Password User
OU
OU HR Assigned Group Policy User OU
OU Resource
1. OU = Bangkok OU = Lampang User Site
2. Function OU = IT OU = Engineer
3. Resource OU = UsersOffice OU = Computer Clients


4.


> Function > OU

OU
Create New Organizational Unit Protect Container from accidental deletion
OU OU ( windows 2003
Deleted Windows 2008 )

OU Menu = View > Advanced Features


Check Box OU


OU Command Line
OU
DSADD
Domain DN
Domain Demo.local DN
Dc=demo,dc=local

OU
OU IT Management Command Line
dsadd ou ou=IT,dc=demo,dc=local
dsadd ou ou=Management,dc=demo,dc=local
Note Description

dsadd ou ou=Sale,dc=demo,dc=local -desc "Sale Department"
Lab4: Active Directory PowerShell
PowerShell Windows 2008 R2 ( )

Active Directory Module (
)
()
1. PowerShell

2. PowerShell Module Active Directory PowerShell ()


PowerShell Mode ()

PowerShell Import Module Active Directory




= Import-module ActiveDirectory

PowerShell Administrative Tools

1.
PowerShell Active Directory
= Get-Command -Module ActiveDirectory

PowerShell : Users
Get-Help Get-ADUser -Full (
)
Get-ADUser (
User Active Directory)
!? (
)
department -eq "IT Department" (
User Department = IT Department)

Get-ADUser -Filter 'department -eq "IT Department"'


Get-ADUser -Filter '(department -eq "IT Department") -and (office -eq "BKK")'

PowerShell
Error
Error


Copy Command RUN Error

Get-ADUser List Properties User



Get-ADUser suttipan -Properties * (
List Properties User Suttipan)


Search User Active Directory


Search-ADAccount -PasswordNeverExpires | FT Name, DistinguishedName

Object
Search-ADAccount -PasswordNeverExpires | FT Name, DistinguishedName
Search-ADAccount -AccountDisabled | FT Name, DistinguishedName
Search-ADAccount -AccountExpiring | FT Name, DistinguishedName
Search-ADAccount -LockedOut | FT Name, DistinguishedName
Search-ADAccount -PasswordExpired | FT Name, DistinguishedName
List user Active Directory PowerShell
Get-ADUser -Filter * | FT Name, DistinguishedName, Enabled

PowerShell ISE
Windows PowerShell 2.0 Windows7 Windows2008R2 Sub Feature PowerShell ISE
PowerShell (Integrated Scripting Environment) ISE TAB

PowerShell Command

PowerShell
1. Import-Module ServerManager
2. Get-WindowsFeature -Name *PowerShell*
3. Add-WindowsFeature PowerShell-ISE


PowerShell-ISE Command

GUI Server Manager
Server Manager > Features > Add Features > Windows PowerShell (Integrated Scripting Environment)


PowerShell-ISE
Command Line Powershell_ise.exe

PowerShell ISE

PowerShell : Computers

List Computer Object Computer Object OU OS


Version ( Report)

get-Adcomputer -Filter * -Properties * | FT Name, OperatingSystem, DistinguishedName


( Last Logon) Object
Cleanup List Pro-Active
get-Adcomputer -Filter * -Properties * | FT Name, OperatingSystem, LastLogonDate, DistinguishedName


PowerShell Password Users


Password
Get-ADUser -Filter 'office -eq "BKK"' | FT name (
User Office BKK)

Get-Help Read-Host -Full (


Read-Host)


Get-Help Set-ADAccountPassword -Full (


Set-ADAccountPassword)
Get-ADUser -Filter 'office -eq "BKK"' | Set-ADAccountPassword -Reset -NewPassword (Read-Host -AsSecureString 'New password')
password@1 (
Password Office BKK = password@1)

PowerShell List User Account


Get-Help Get-ADUser -Parameter Properties (
Parameter Get-ADUser)
Get-ADUser -Filter 'office -eq "BKK"' -Properties Office,StreetAddress,City,State,Country,PostalCode | Format-Table SamAccountName,Office,StreetAddress,City,State,Country,PostalCode (
PowerShell List
Office BKK )
PowerShell List
Office BKK )


4.
Groups
Get-Help Get-ADGroup -Full (
)
Get-ADGroup -Filter *
Get-ADGroup -Identity Sales (
Group G-Finance)

Get-Help Get-ADGroupMember -Full (


)
Get-Help Disable-ADAccount -Full (
)
Get-ADGroup -Identity G-Finance | Get-ADGroupMember | Disable-ADAccount -WhatIf


Disable User Group / Enable User Group Powershell


Get-ADGroup -Identity G-Finance | Get-ADGroupMember | Disable-ADAccount
Get-ADGroup -Identity G-Finance | Get-ADGroupMember | Enable-ADAccount

Enable User Group Finance


5. Powershell OU
Get-Help Get-ADOrganizationalUnit -Full (
)
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion (
OU
)


6. Powershell Computer Windows2008R2


Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -Properties OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion

Get-Help ConvertTo-Html -Full (


html)
Get-Help Out-File -Full (
)

Report .html
Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -Properties OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion | ConvertTo-Html -Property Name,SID,OperatingSystem* | Out-File C:\OSList.htm

C:\OSlist.htm
PowerShell OU

( PowerShell ISE RUN TAB )
new-adorganizationalunit Test1
new-adorganizationalunit Test2


PowerShell User
New-ADUser -SamAccountName test02 -Name "test02" -UserPrincipalName test02@demo.local -AccountPassword (ConvertTo-SecureString -AsPlainText "password@1" -Force) -Enabled $true -PasswordNeverExpires $true -Path "OU=Engineer,DC=demo,DC=local"
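A bulk version of the New-ADUser line above, serving the same purpose as the dsadd batch file in the previous lab: users come from a CSV whose columns follow the CSVDE attribute names used later in the e-book (givenName, sn, physicalDeliveryOfficeName). This is an added example, not the e-book's script; the CSV rows are constructed, and each account gets its own random initial password with a forced change at first logon rather than a shared password that never expires.

```powershell
# Added example (not from the e-book): PowerShell counterpart to the dsadd batch file
# and the single New-ADUser line above. Users come from a CSV (here a constructed
# here-string; in Lab7 it would be the exported/edited file), each gets its own
# random initial password and must change it at first logon instead of sharing
# password@1 with -PasswordNeverExpires.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for [System.Web.Security.Membership]::GeneratePassword

$DomainDN  = 'DC=demo,DC=local'
$UpnSuffix = 'demo.local'

# Constructed sample input; column names follow the CSVDE mapping used later in the e-book
$csv = @'
sAMAccountName,givenName,sn,physicalDeliveryOfficeName,destinationOU
sale06,Sale,Six,BKK,OU=Sale
sale07,Sale,Seven,BKK,OU=Sale
itsupport06,ITSupport,Six,Lampang,OU=IT
'@

$created = foreach ($row in ($csv | ConvertFrom-Csv)) {
    $ouPath = "$($row.destinationOU),$DomainDN"
    # Skip rows whose target OU is missing or whose account already exists, rather than erroring mid-batch
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouPath'")) {
        Write-Warning "OU $ouPath does not exist; skipping $($row.sAMAccountName)"
        continue
    }
    if (Get-ADUser -Filter "sAMAccountName -eq '$($row.sAMAccountName)'") {
        Write-Warning "$($row.sAMAccountName) already exists; skipping"
        continue
    }

    # 14 characters, at least 3 non-alphanumeric, so the domain complexity policy is met
    $initial = [System.Web.Security.Membership]::GeneratePassword(14, 3)
    New-ADUser -SamAccountName $row.sAMAccountName `
        -Name "$($row.givenName) $($row.sn)" `
        -GivenName $row.givenName -Surname $row.sn `
        -UserPrincipalName "$($row.sAMAccountName)@$UpnSuffix" `
        -Office $row.physicalDeliveryOfficeName `
        -Path $ouPath `
        -AccountPassword (ConvertTo-SecureString -AsPlainText $initial -Force) `
        -ChangePasswordAtLogon $true `
        -Enabled $true

    # The initial password is shown once for hand-over and is not written to disk here
    New-Object PSObject -Property @{ User = $row.sAMAccountName; OU = $ouPath; InitialPassword = $initial }
}

$created | Format-Table User, OU, InitialPassword -AutoSize
```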

RUN PowerShell User = Test02 OU = Engineer


Delegation Control Wizard


Active Directory Delegation
User / Computer
Delegation Control Wizard Object Active Directory

Reset Password / Lock User Service Desk


Active Directory Lock Reset Password User
Delegate Control Wizard Object Domain , OU Active Directory
Users and Computers


Delegate Reset Password / Unlock User Account


Active Directory User
- User locked Login
- User Reset Password

Delegate 24x7 Delegate HR
delegate User = itsupport01 Unlock User / Reset Users Password
LAB User = itsupport01 User Service Desk Call User
Lock Reset Password User 24x7
http://support.microsoft.com/kb/294952
http://support.microsoft.com/default.aspx?scid=kb;EN-US;279723


Security Permission Active Directory Object


Delegate Control Wizard Special Security Permission
Object Active Directory Permission Mode Advanced Features
Active Directory Users and Computers View Enable Advanced Features

Permission Object Domain


Demo.local demo.local Properties


TAB Security user demo.local


Advance Delegation


Module 3: Managing Users and Service Accounts


RSAT
Remote Server Administration Tools for Windows 7 Server Client
RSAT Notebook , PC RSAT Config
Server Remote Desktop Server
Admin Active Directory Remote
Server Core Server Core
RSAT Connect Config
RSAT Download Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
http://www.microsoft.com/download/en/details.aspx?id=7887 Copy Folder
Step 1 Client Join Domain Windows6.1-KB958830-x64-RefreshPkg

Step 2 Control Panel Turn Windows Feature On


Step 3 Remote Server Administration Tools Client

Step 4

Tools


Server Core Remote Sconfig.cmd


http://technet.microsoft.com/en-us/library/ee441254(WS.10).aspx
Step 1 Client Windows6.1-KB958830-x64-RefreshPkg


Step 2 Set IP Address Option 8

Step 3 Enable Remote Management Option 4 Allow

Restart
Server Core Join Domain

Step 4 Enable client Server Manager Windows Feature

Remark: Connect Server Core Hostname

Active Directory Administrative Center


ADAC Active Directory Windows Server 2008 R2


ADAC "Global Search Active Directory"


Object ( Template )
Step 1 User Locked Disable

Lab5: Create and Administer User Accounts


User Account
LAB User GUI, Command Line, Powershell
Best Practice Life Cycle of a User Account
- User, Temporary Users,
Lab6: Configure User Object Attributes
LAB User Properties GUI, Command Line, Powershell
User Template


Lab7: Automate User Account Creation


User Batch, PowerShell, LDIFDE, CSVDE
!

CSVDE

Export = csvde -f c:\dc01.csv


Step 1 Export c:\dc01.csv

Step 2 Excel Filter user


Step 3 TAB
http://www.computerperformance.co.uk/Logon/Logon_CSVDE_Bulk.htm
First Name = givenName
Last Name = sn
Office = physicalDeliveryOfficeName
Destination OU = destinationOU
Common Name = CN
User Logon Name = userPrincipalName
User Must Change Password at next logon = mustChangPassword
Account is Disabled = accountDisabled
Profile Path = profilePath
Login Script = scriptPath
Home Folder = homeFolder
Step 4 Import

Csvde -i -f c:\import.csv

LDIFDE = LDAP Data Interchange Format (LDIF)

Export = ldifde -f c:\export.ldf

Import = ldifde -i -f c:\import.ldf
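The page lists Batch, PowerShell, LDIFDE and CSVDE as the bulk-creation options. The block below is an added example written for this page, not code from the e-book: it takes rows with the same column names as the CSVDE mapping above and creates the accounts with New-ADUser, which, unlike csvde -i, can set an initial password and enable the account in one step (accounts imported by csvde have no password and stay disabled). The sample rows are constructed for the lab domain demo.local; OU=ACC, the office name and the user names are assumptions. PowerShell 3.0 or later with the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original e-book.
Import-Module ActiveDirectory

# Constructed sample input; in practice use Import-Csv on the Excel export.
$rows = @"
givenName,sn,sAMAccountName,userPrincipalName,destinationOU,physicalDeliveryOfficeName
acc01,Accounting,acc01,acc01@demo.local,"OU=ACC,DC=demo,DC=local",Head Office
acc02,Accounting,acc02,acc02@demo.local,"OU=ACC,DC=demo,DC=local",Head Office
"@ | ConvertFrom-Csv

function New-InitialPassword {
    # 16 random characters from a CSPRNG; the account is flagged to change it at first logon.
    $alphabet = [char[]] 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*'
    $bytes = New-Object byte[] 16
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Import-LabUsers {
    param([Parameter(Mandatory)] [object[]] $Rows, [switch] $WhatIf)
    foreach ($r in $Rows) {
        # Validate before touching the directory: target OU must exist, logon name must be unique.
        $ou = Get-ADObject -LDAPFilter "(&(objectClass=organizationalUnit)(distinguishedName=$($r.destinationOU)))"
        if (-not $ou) { Write-Warning "$($r.sAMAccountName): OU $($r.destinationOU) not found, skipped"; continue }
        if (Get-ADUser -Filter "sAMAccountName -eq '$($r.sAMAccountName)'") {
            Write-Warning "$($r.sAMAccountName): already exists, skipped"; continue
        }
        $password = New-InitialPassword
        New-ADUser -Name $r.sAMAccountName -SamAccountName $r.sAMAccountName `
            -UserPrincipalName $r.userPrincipalName -GivenName $r.givenName -Surname $r.sn `
            -Office $r.physicalDeliveryOfficeName -Path $r.destinationOU `
            -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
            -ChangePasswordAtLogon $true -Enabled $true -WhatIf:$WhatIf
        # The initial password is returned here for the lab only; hand it to the user out of band.
        [pscustomobject]@{ User = $r.sAMAccountName; OU = $r.destinationOU; InitialPassword = $password }
    }
}

Import-LabUsers -Rows $rows -WhatIf   # remove -WhatIf to create the accounts
```

Running with -WhatIf first shows every New-ADUser call without creating anything, which is the equivalent of checking the CSV in Excel before csvde -i.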


Lab7-4: Create and Administer Managed Service Accounts
http://technet.microsoft.com/en-us/library/ff641729(v=ws.10).aspx
New-ADServiceAccount -Name App1_SVR1

Add-ADComputerServiceAccount -identity core01 -ServiceAccount App1_SVR1


Get-ADServiceAccount -Filter 'Name -like "*"' | FT Name,HostComputers

Core01 Add AD-Powershell Module


Install-ADServiceAccount -Identity App1_SVR1


Module 4: Managing Groups


Module
Group and AGUDLP
Starter Policies Group Policy Preferences
Fine Grained Password Objects

Group Membership
OU = Group Policy
Group =
Groups
A domain local group
is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own
domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on
resources that reside only in the same domain where the domain local group is located.
A global group
is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains.
In all those locations, you can give a global group rights and permissions and the global group can become a member of local
groups. However, a global group can contain user accounts that are only from its own domain.
A universal group
is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You
can give universal security groups rights and permissions on resources in any domain in the forest. Universal groups are not
supported.
Group


Group ( 2 )
1. Distribution Group
Group Assign Permission / Right
2. Security Group
Group Right / Permission
Distribution Group


Scope Group ( 3 Scope)


Group Group
TIP: Group Nesting = Group Member Group
1. Domain Local Group
= Forest
= User, Global Group, (Universal Group - Domain Functional Level )
2. Global Group
= Forest
= User, Global Group, Universal Group ( Group )
3. Universal Group
= Forest
= User, Global Group, Universal Group

Concept AGUDLP
Assign Permission Forest Trust

Concept: Account -> Global Groups -> Universal Groups -> Domain Local Groups -> Permission
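AGUDLP is a convention, and nothing in AD enforces it. The block below is an added example written for this page, not code from the e-book: it walks every security group in the domain and reports memberships that break the convention (accounts placed directly in a domain local group, a global group holding a member from another domain or a nested group that is not global, a domain local group nested in a universal group). PowerShell 3.0 or later with the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original e-book: report group nesting that violates AGUDLP.
Import-Module ActiveDirectory

function Test-AgudlpNesting {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)
    $domainDn = (Get-ADDomain).DistinguishedName.ToLower()
    $groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase $SearchBase -Properties member
    foreach ($g in $groups) {
        foreach ($memberDn in @($g.member)) {
            # Members from trusted domains may not resolve; report them as unresolved rather than fail.
            $m = Get-ADObject -Identity $memberDn -Properties objectClass -ErrorAction SilentlyContinue
            if (-not $m) {
                [pscustomobject]@{ Group = $g.Name; Scope = $g.GroupScope; Member = $memberDn; MemberClass = '?'; Issue = 'member could not be resolved' }
                continue
            }
            $memberScope = $null
            if ($m.ObjectClass -eq 'group') {
                $memberScope = (Get-ADGroup -Identity $memberDn -ErrorAction SilentlyContinue).GroupScope
            }
            $sameDomain = $memberDn.ToLower().EndsWith($domainDn)
            $issue = $null
            switch ($g.GroupScope) {
                'DomainLocal' {
                    # Permissions go on DL groups; accounts should arrive through global/universal groups.
                    if (@('user', 'computer') -contains $m.ObjectClass) { $issue = 'account placed directly in a domain local group' }
                }
                'Global' {
                    if (-not $sameDomain) { $issue = 'member from another domain in a global group' }
                    elseif ($m.ObjectClass -eq 'group' -and $memberScope -ne 'Global') { $issue = "nested $memberScope group in a global group" }
                }
                'Universal' {
                    if ($memberScope -eq 'DomainLocal') { $issue = 'domain local group nested in a universal group' }
                }
            }
            if ($issue) {
                [pscustomobject]@{ Group = $g.Name; Scope = $g.GroupScope; Member = $m.Name; MemberClass = $m.ObjectClass; Issue = $issue }
            }
        }
    }
}

Test-AgudlpNesting | Format-Table -AutoSize
```

Built-in groups such as Domain Users and Administrators will show up in the report; decide per group whether the exception is intended before cleaning up.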

Lab8: Administer Groups


Shadow Group = Group that all user in OU as members
Groups User Template
LAB Shadow Group Concept
1. OU IT
2. User OU IT ( it01, it02, it03, it04 )
3. Global Group ITs

4. Users OU = IT Group ITs
5. dsquery group -name ITs
6. Group Member: dsquery group -name ITs | dsget group -members and hit Enter

C:\>dsquery group -name ITs


"CN=ITs,OU=IT,DC=demo,DC=local"
C:\>dsquery ou -name IT
"OU=IT,DC=demo,DC=local"
C:\>dsquery group -name ITs | dsget group -members
C:\>dsquery user ou=IT,dc=demo,DC=local | dsmod group "CN=ITs,OU=IT,DC=demo,DC=local" -chmbr
dsmod succeeded:CN=ITs,OU=IT,DC=demo,DC=local

Schedule Task
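The dsmod -chmbr one-liner above replaces the whole membership on every run, which is what you want from a scheduled task but gives no record of what changed and includes disabled accounts. The block below is an added example written for this page, not code from the e-book: it computes the difference between the users in the OU and the group, adds and removes only that difference, and returns the counts so the scheduled task can log them. Unlike the page's command it skips disabled accounts, which is a design choice, not a requirement. OU=IT and the group name ITs are the lab values from the page; PowerShell 3.0 or later with the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original e-book: keep a shadow group equal to the users of an OU.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)] [string] $OU,     # e.g. 'OU=IT,DC=demo,DC=local'
        [Parameter(Mandatory)] [string] $Group,  # e.g. 'ITs'
        [switch] $WhatIf
    )
    # Desired membership: enabled users anywhere under the OU (same scope as dsquery's default).
    $wanted = @(Get-ADUser -SearchBase $OU -Filter 'Enabled -eq $true' |
        Select-Object -ExpandProperty DistinguishedName)
    # Current membership as DNs, straight from the member attribute.
    $current = @((Get-ADGroup -Identity $Group -Properties member).member)

    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

    if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $Group -Members $toAdd    -WhatIf:$WhatIf }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false -WhatIf:$WhatIf }

    [pscustomobject]@{
        Group   = $Group
        Added   = $toAdd.Count
        Removed = $toRemove.Count
        Members = $wanted.Count
    }
}

Sync-ShadowGroup -OU 'OU=IT,DC=demo,DC=local' -Group 'ITs' -WhatIf   # drop -WhatIf in the scheduled task
```

Because only the delta is written, a run that changes nothing touches neither the group object nor replication, and the Added/Removed counts make an unexpected mass removal (for example after the OU was moved) visible in the task's log.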

Group Role Base



Audit_Role
Read_ACL

Group Members Active Directory


Active Directory Groups Members

Report
Export Group member Active Directory
1. DumpSec.exe
DumpSec.exe Free Download Export Data

Dump user as column


Focus

Export Save .csv


2. DSQUERY
Group
Batch Run
Group = G-Finance

dsquery group -name G-Finance | dsget group -members

Batch RUN output Text Files

3. Dos
net group Group
net group G-engineer (List member)

4. PowerShell

User / Group

get-aduser -filter * -Properties * | FT name, memberof

5. csvde
csvde -f adusers.csv -r objectClass=user

.csv Excel Field memberof
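The five methods above all list direct members only; a user who gets rights through a nested group does not appear. The block below is an added example written for this page, not code from the e-book: it exports every group with its flattened membership to a CSV and marks whether each member is direct or nested. The output path C:\groups.csv is an assumption; PowerShell 3.0 or later with the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original e-book: export groups with nested membership to CSV.
Import-Module ActiveDirectory

function Export-GroupMembership {
    param(
        [Parameter(Mandatory)] [string] $Path,                       # e.g. C:\groups.csv
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )
    $rows = foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member) {
        $direct = @($g.member)
        # -Recursive flattens nested groups; without it indirect members are missing from the report.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $g.Name
                GroupScope  = $g.GroupScope
                Member      = $m.SamAccountName
                MemberClass = $m.objectClass
                Direct      = ($direct -contains $m.DistinguishedName)
            }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    $rows
}

# Largest groups first: a quick view of where nested membership accumulates.
Export-GroupMembership -Path 'C:\groups.csv' |
    Group-Object Group | Sort-Object Count -Descending | Select-Object -First 10 Name, Count
```

Get-ADGroupMember goes through Active Directory Web Services, whose default MaxGroupOrMemberEntries limit is 5000; for groups larger than that read the member attribute directly, as the Direct column here does.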


Lab9: Best Practices for Group Management


ACL_Sales_Folder_Read
Practice Assign Permission


Module 5: Managing Computer Accounts


Module Join Domain Computer Account
Port Active Directory
LDAP TCP-in - 389
LDAP UDP in - 389
LDAP for Global Catalog TCP in - 3268
NetBIOS name Resolution UDP in - 138
SAM/LSA TCP in - 445
SAM/LSA UDP in - 445
Secure LDAP TCP in - 636
Secure LDAP for Global Catalog TCP in - 3269
W32Time NTP UDP in - 123
RPC - RPC Dynamic
RPC Endpoint Mapper
DNS - TCP and UDP 53
Kerberos V5 UDP in - 88
Netbios Datagram UDP in 137
Lab10: Create Computers and Join the Domain
Remote Join Domain ( Firewall )

Remote Join Domain


netdom join W7-01 /domain:demo.local /UserO:Administrator /PasswordO:* /UserD:demo\Administrator /PasswordD:* /REBoot:5
Remote Join Domain Netdom Command Windows 7
1. Port 135, 139 Function Network Discovery (NB-Name-In)
2. Windows 7 Enable User Administrator
3. Domain Server MAP C$ Windows 7 Network
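A failed (remote) join is usually a firewall problem on one of the ports listed above. The block below is an added example written for this page, not code from the e-book: run on the client, it attempts a TCP connection to each listed port on the domain controller and reports which are reachable. UDP ports (88, 123, 137, 138, 389) cannot be confirmed by a connect test, and the RPC dynamic range can only be reached once the Endpoint Mapper (135) answers. dc01.demo.local is the lab DC from the page; the timeout is an assumption.

```powershell
# Added example, not part of the original e-book: TCP reachability of the AD ports listed on the page.
function Test-DomainControllerPorts {
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # e.g. dc01.demo.local
        [int] $TimeoutMs = 2000
    )
    $ports = @(
        @{ Port = 53;   Service = 'DNS' },
        @{ Port = 88;   Service = 'Kerberos' },
        @{ Port = 135;  Service = 'RPC Endpoint Mapper' },
        @{ Port = 139;  Service = 'NetBIOS session (remote netdom join)' },
        @{ Port = 389;  Service = 'LDAP' },
        @{ Port = 445;  Service = 'SMB / SAM-LSA' },
        @{ Port = 636;  Service = 'Secure LDAP' },
        @{ Port = 3268; Service = 'LDAP Global Catalog' },
        @{ Port = 3269; Service = 'Secure LDAP Global Catalog' }
    )
    foreach ($p in $ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Asynchronous connect so a filtered port fails after $TimeoutMs instead of the OS default.
            $async = $client.BeginConnect($DomainController, [int] $p.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $open = $true
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Port = $p.Port; Service = $p.Service; Open = $open }
    }
}

Test-DomainControllerPorts -DomainController 'dc01.demo.local' | Format-Table -AutoSize
```

Open = False with a fast return means the port was refused (the service is not listening); Open = False after the full timeout means a firewall is dropping the packets.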


Prestage Computer Account


Remote Control Computer Account
Offline Domain Join
Sysprep

Offline Domain Join =

Offline Join Domain ( Domain Controller)


djoin /provision /domain demo.local /machine W7-03 /savefile C:\W7-03.txt

W7-03 Folder c:\DJOIN\ Copy W7-03.txt Folder



djoin /requestodj /loadfile C:\DJOIN\W7-03.txt /windowspath %SystemRoot% /localos

Restart
Computer Object Domain Controller


Lab11: Administer Computer Objects and Accounts


User

Join Domain 10
= ADSIEDIT
Join Domain ms-DS-MachineAccountQuota = xx
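Before lowering the quota it helps to know which existing computer accounts were created under it. The block below is an added example written for this page, not code from the e-book: it reads ms-DS-MachineAccountQuota from the domain object and groups the computer accounts by their mS-DS-CreatorSID, which AD populates only when the creator relied on the quota rather than on an explicit create-child permission, so those are the machines joined by ordinary users. PowerShell 3.0 or later with the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original e-book.
Import-Module ActiveDirectory

function ConvertTo-SidString($value) {
    # The AD module may return the attribute as a SecurityIdentifier or as raw bytes.
    if ($value -is [System.Security.Principal.SecurityIdentifier]) { return $value.Value }
    (New-Object System.Security.Principal.SecurityIdentifier($value, 0)).Value
}

function Resolve-SidName([string] $sid) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }   # deleted or foreign account: keep the SID
}

function Get-MachineAccountQuota {
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-QuotaJoinedComputers {
    Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        Group-Object { ConvertTo-SidString $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            [pscustomobject]@{
                Creator   = Resolve-SidName $_.Name
                Computers = $_.Count
                Names     = (($_.Group | ForEach-Object { $_.Name }) -join ', ')
            }
        }
}

"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
Get-QuotaJoinedComputers | Sort-Object Computers -Descending | Format-Table -AutoSize
```

Once the pre-staging process from the previous page is in place, the quota can be set to 0 with Set-ADDomain -Identity demo.local -Replace @{'ms-DS-MachineAccountQuota'=0}, after which only accounts with explicit rights on the container can add computers.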


Module 6: Implementing a Group Policy Infrastructure


: Module Client 2

Group Policy ?
Group Policy = Set of rules that you can apply throughout the enterprise. (Group Policy Pocket Administrator)
Group Policy Object GPO (feature) Microsoft
(User)
-
Services
(Centralized Management)

Group Policy
Group Policy Object ( GPO)
1500
Game Server Group Policy Management Console (
GPO GPMC)

GPO 1500
Game
GPO
GPO Support User
Desktop Environment

Apply security settings
Manage desktop and application settings
Deploy software
Manage folder redirection


Configure network settings

Local Group Policy


Group Policy Windows 2000 Local Environment
Local Group Policy
Local Group Policy %Systemroot%\System32\GroupPolicy\ Option
Windows Vista Multiple Local Group Policy User
LGPO User %Systemroot%\System32\GroupPolicyUsers\

LGPO
GPO Domain-based
Proof Of Concept: Local Group Policy

Tip: Local GPO Remote Command


gpedit.msc /gpcomputer:"%ComputerName%"

Option Group Policy Windows Server 2008


Group Policy Policy Settings Windows Vista
Microsoft Group Policy Preferences
Policy Setting Policy Preferences
Policy Settings
(Enforcement)
Disable User Interface User

Policy Preferences

User Map Network Drive , Map
Network Printer, Shortcut
Refresh Refresh
User Log In
Log In
(Applied Once)
Policy Settings Policy Preferences

Group Policy
IT Active Directory Policy Settings Policy
Preferences Group Policy Domain-based Group Policy
Domain-base Group Policy SYSVOL Group Policy ( GPO)

Group Policy Container (GPC)
GPC Active Directory Database Replicate Domain Controller GPC
Properties GPO Globally Unique Identifier GPO (GUID)
Group Policy Template (GPT)
GPT SYSVOL Replicate Domain Controller GPT
GUID GPC


Domain Controller

Implement Active Directory

GPO 2
GPO
OS

Default Domain Policy

GPO Domain
Default Domain Controller Policy
GPO Domain Controller
[ ] Group Policy

Group Policy Computer / Users =

Run Level of Group Policy =
Policy Refresh Time =
GPO
GPOTool.exe is used to troubleshoot GPO status, including problems caused by the replication of GPOs, leading to inconsistent versions of a GPC and GPT.

Group Policy
GPO

GUI Command-line
GUI-Based
1. Group Policy Management Console (GPMC)

Windows Server 2008
GPMC
GPO
- GPO
- Copy, Import, Export
- Backup, Restore
- Modeling

GPO
2. Group Policy Management Editor (GPME)
GPMC GPO Edit GPME
3. Remote Server Administration Tools (RSAT)
Client Server Console
RSAT GPMC
4. Advance Group Policy Management (AGPM)
AGPM component Microsoft Desktop Optimization Pack (MDOP)



Command-line Based
1. GPRESULT
2. GPUPDATE
3. RSOP.MSC
4. GPOTOOL.EXE

1. Group Policy Client-side Extension Windows XP, Windows 2003 Windows Vista
CSE Engine Client Feature GPO Windows 2008
Preferences Settings

Group Policy Windows 2008


1. GPO Windows 2000, Windows XP Windows Server 2003 Policy Change
Windows Logon Process GPO Windows Vista Policy Change
Group Policy Client Service
2. Error GPO Process Windows 2000, Windows XP Windows Server 2003 Error Log
%Systemroot%\Debug\Usermode\Userenv.log GPO Error Log Windows Vista Event Viewer
Applications And Services Log\Microsoft\Windows\GroupPolicy
3. Client Windows 2000, Windows XP Windows Server 2003 ICMP Windows Server 2008
Network Location Awareness GPO Bandwidth Client-Server ICMP
4. GPOs ADMX ADM GPO ADM
ADMX GPO GPO
GPO ADM 4 MB. ADMX 4 Kilobytes (KB)
5. ADMX Windows Vista
%SystemRoot%\PolicyDefinitions\<LanguageCulture> ( Default 146 Object)
6. Replicate SYSVOL Domain Controller Domain Functional Level Domain
Function Level Windows 2000 Native Windows Server 2003 Replicate SYSVOL File
Replication Service (FRS) Domain Functional Level Windows 2008 Replicate SYSVOL
Distributed File System (DFS)


FRS DFS
Replicate
-

Sysvol Active Directory System Volume Domain GPO, Script Log on, Log off, Shutdown, Startup
Sysvol Replicate Domain Controller Replicate Domain Functional Level
Sysvol Replicate
FRS DFS
FRS uses a "last writer wins" algorithm
FRS Domain Functional Level = Windows 2000 Native, Windows Server 2003
DFS Domain Functional Level = Windows Server 2008
FRS Ntfrs.exe Topology Replicate Schedule Remote Server RPC Protocol
FRS Configuration Registry NTFS File System
FRS Store Transactions

FRS Jet database (Ntfrs.jdb)

FRS USN (Update Sequence Number) NTFS Flag Added, Deleted, Modified.
Schedule Update Sysvol

DFS (Dfssvc.exe) PDC emulator Master

DFS Metadata Namespace Client-Server Lookup

Domain Controller

DFS Common Internet File System (CIFS) Client-Server

CIFS Extension Server Message Block (SMB) File Sharing Protocol
DFS Enhancement Replicate File Level
FRS Rsync Technology DFS Remote Differential Compression (RDC)
FRS DFS
DFS Replicate FRS 300 %
DFS Compression 200-300 % Bandwidth

Replicate
Database

Group Policy
Understand Group Policy
Implement a Group Policy
Explore Group Policy Settings and Features
Manage Group Policy Scope
Group Policy Processing


Troubleshoot Policy Application

GPO
2 Object Active Directory Computer Configuration User Configuration
- GPO Computer Object Computer
- GPO User Object User
Log On
[ ] Group Policy Refresh Interval

GPO Refreshment Time

GPO Domain Controller Refresh 5
GPO Workstation Refresh 90 120
GPO
Security Settings Refresh 16

!

Refresh GPO Refresh Time Slow-Link Detection
Mode GPO

GPO Active Directory 3
GPO
1. Site GPOs
2. Domain GPOs
3. Organizational Unit (OU) GPOs
GPO Active Directory
Domain-Based Client

GPO
1. Local GPOs
2. Site GPOs
3. Domain GPOs
4. OU GPOs
Turn Off LGPO = Computer Configuration\Policies\Administrative Templates\System\Group Policy > Turn Off Local Group Policy Objects Processing.
Proof Of Concept: GPO ?
LAB OU Users LAB
dsadd ou ou=ACC,dc=demo,dc=local
dsadd user "cn=acc01,ou=ACC,dc=demo,dc=local" -upn acc01@demo.local -fn acc01 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=acc02,ou=ACC,dc=demo,dc=local" -upn acc02@demo.local -fn acc02 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=acc03,ou=ACC,dc=demo,dc=local" -upn acc03@demo.local -fn acc03 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=acc04,ou=ACC,dc=demo,dc=local" -upn acc04@demo.local -fn acc04 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no
dsadd user "cn=acc05,ou=ACC,dc=demo,dc=local" -upn acc05@demo.local -fn acc05 -pwd password@1 -mustchpwd no -pwdneverexpires no -disabled no

GPO Link
Group Policy Item Link (Site, Domain, OU) Item
GPO
1 GPO Link !
GPO-Disable Notepad Link


Group Policy Link Policy


Computer User?

GPMC Domain Controller PDC Emulator



Group Policy Processing


GPO client GPO Server
GPO
GPO Link Order
GPO 1-3 GPO 1

GPO Inheritance
GPO Inheritance GPO Object GPO
Link Order
Inheritance OU
Inherited Option Block Inheritance
OU GPO


OU GPO

GPO (Enforcing Inheritance)


Policy Settings
GPO Object
Option Enforce


Option Enforce

Refresh Time
GPO User 2
1. Server OS Synchronous foreground processing
GPO Apply Computer User Configuration User
2. Client OS Asynchronous foreground processing
GPO Apply User
Background
Option
GPO Refresh
gpupdate /force = GPO Refresh
gpupdate /wait:<seconds> = GPO Refresh
gpupdate /logoff = GPO Refresh Logoff
gpupdate /boot = GPO Refresh Reboot
gpupdate /sync = GPO Refresh Synchronously
Refresh Interval
Tip Refresh Interval Link OU Domain Controller


Slow-Link Detection
Function Slow-Link Detect

GPO Link Speed


500 Kbps Client-Server
Bandwidth Client-Server Windows 2008 NLA
(Network Location Awareness Service) Link Speed Link Speed 500 Kbps
Slow-Link Active Directory Client GPO Security Settings
Administrative Template


GPO Loopback Processing

GPO User User Logon Loopback Processing


Computer Computer
GPO User

Hardening User environment MD GPO

GPO MD

Loop back Processing Modes


Replace = GPO User GPO Computer
Merge = GPO User GPO GPO Computer GPO
GPO Computer

GPO Modeling GPO Result


Deploy GPO Group Policy Modeling Group Policy Results


Group Policy Modeling Sites Option Loopback


Processing
Group Policy Results

Proof Of Concept: Group Policy Modeling Group Policy Results

Group Policy
GPO User & Computer GPME
Policy Settings
1. Software Settings
Deploy Software GPO
2. Windows Settings
Windows Settings Folder Redirection, Internet Explorer
3. Administrative Templates
Registry-Based
Policy Preferences
1. Windows Settings
Script
2. Control Panel Settings
Environment Control Panel
Proof Of Concept: Review GPMC
- DC
- Sites Link
- Delegating Privileges
- GPO Permission
- Permission Sites Domain


Permission
1. Link GPOs
User Group Link GPO
2. Perform Group Policy Modeling Analyses
User Group RSoP Planning
3. Read Group Policy Results Data
User Group RSoP Mode Logging
Delegating Control GPOs
NonAdministrative User Group GPO Permission
1. Read
2. Edit Settings

3. Edit Settings, Delete, Modify Security


Allow GPOs

Starter GPOs
Starter GPO Template GPO GPO GPO

Starter GPO Sysvol
Starter GPO Starter GPO GPO Starter GPO

Enable / Disable GPO
GPO GPO

GPO User / Computer Microsoft


Disable GPO


Advance Group Policy Management (AGPM)


AGPM Extension GPMC Technical Term
GPMC AGPM Version 4.0 Microsoft Desktop
Optimization Pack
Change Control
GPO
GPO Version History

http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/agpm.aspx

Search And Filtering GPO


GPO Deploy Option
GPMC
1. Security Group Filters
Security Group GPO
2. Windows Management Instrumentation (WMI) Filters
Deploy GPO
Policy Settings GPMC Version Filter
Deploy GPO Deploy GPO Internet Explorer 6.0
Filter Policy Settings Compatible


Filter GPO

GPO


WMI Filter WMI Query


Windows XP WMI Attribute
WMI Deploy GPO

WMI Namespace Root\CimV2 WMI Query GPO

WMI GPO
- RAM Apply GPO
- Harddisk Apply GPO
- Version
- System Services
Query

Command Query

Operating system: Only target computers running Windows XP Professional.
Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

Resources: Target only machines that have at least 600 megabytes (MB) available.
Root\CimV2; Select * from Win32_LogicalDisk where FreeSpace > 629145600 AND Description <> "Network Connection"

Resources: Target only machines that have at least 256 megabytes (MB) Memory.
Root\CimV2; Select * from Win32_PhysicalMemory where Capacity > 262000000

http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx
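A GPO with a WMI filter applies only when the query returns at least one row on the client, so the quickest way to find out why a filtered GPO did or did not apply is to run the same query on that machine. The block below is an added example written for this page, not code from the e-book: it evaluates each query from the table above (in the Root\CimV2 namespace the page uses) on the local or a remote computer and reports whether the filter would pass. It uses Get-WmiObject, which is available on Windows 7 / 2008 R2.

```powershell
# Added example, not part of the original e-book: evaluate WMI filter queries before linking them.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace    = 'Root\CimV2',
        [string] $ComputerName = $env:COMPUTERNAME
    )
    try {
        $rows = @(Get-WmiObject -Namespace $Namespace -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
        [pscustomobject]@{
            Computer = $ComputerName; Applies = ($rows.Count -gt 0); Rows = $rows.Count
            Error = $null; Query = $Query
        }
    } catch {
        # A bad WQL query or a WMI repository problem means the filter evaluates to false, GPO skipped.
        [pscustomobject]@{
            Computer = $ComputerName; Applies = $false; Rows = 0
            Error = $_.Exception.Message; Query = $Query
        }
    }
}

# The three queries from the table on this page.
$filters = @(
    'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"',
    'Select * from Win32_LogicalDisk where FreeSpace > 629145600 AND Description <> "Network Connection"',
    'Select * from Win32_PhysicalMemory where Capacity > 262000000'
)

$filters | ForEach-Object { Test-WmiFilter -Query $_ } | Format-Table Computer, Applies, Rows, Error, Query -AutoSize
```

Two things this test exposes that the table does not: the Win32_OperatingSystem Caption must match exactly (a WQL like with a % wildcard is more robust across editions), and Win32_PhysicalMemory reports the capacity of each memory module, so the memory query matches a machine with one module above 256 MB rather than a machine with 256 MB in total.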
Default Policies
Active Directory 2 GPO Default
1. Default Domain Policy GPO
2. Default Domain Controller Policy GPO

Default Domain Policy


Default Domain Policy Best Practice 3 Area GPO


1. Password Policy
2. Account Lockout Policy
3. Kerberos Policy (Maximum Time Clock Synchronization)
Proof Of Concept: Default Domain Policy

Default Domain Policy
3 GPO
1. Accounts: Rename Administrator Account
2. Accounts: Administrator Account Status
3. Accounts: Guest Account Status
4. Accounts: Rename Guest Account
5. Network Security: Force Logoff When Logon Hours Expire
6. Network Security: Do Not Store LAN Manager Hash Value On Next Password Change
7. Network Access: Allow Anonymous SID/Name Translation
Default Domain Policy
GPO Default Domain Policy
dcgpofix.exe restore Default Domain Policy GPO

Default Domain Controller Policy
Default Domain Controller Policy Domain Controller

GPO Link OU Domain Controller
GPO Domain Controller

Default Domain Controller Policy

1. Audit Policy
2. User Right Assignment
3. Security Options
[ ] Move Domain Controller OU


Top 10 GPO Settings

1. Log on Banner
2. Desktop Wallpaper
3. Screen Saver
4. Control Devices
5. Control Internet Explorer
6. Event Log Settings
7. Audit Policy
8. Files Permission
9. Audit System Access
10. Password & Lockout Policy

Group Policy
GPO Storage: GPC and GPT
GPC = Group Policy Container
- Stored in the AD database
- Replicated by AD replication
- Stores properties related to the GPO
- Identified with a globally unique identifier (GUID)
GPT = Group Policy Template
- Stored in Sysvol
- Replicated by Sysvol replication
- Used to store files related to the GPO on disk
- Identified with the same globally unique identifier (GUID)
Group Policy Container

Properties GPC


Domain Default GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}


Domain Controller Default GPO GUID {31B2F210-016D-11D2-945F-00C04FB981F1}

Security TAB Manual GPO


Group Policy Template

Version GPT File GPT.ini
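A GPO is healthy only when the GPC version in AD and the Version= line in GPT.ini agree on every domain controller; a mismatch is the GPC/GPT inconsistency that GPOTool.exe (mentioned earlier on this page) reported and usually means SYSVOL replication is behind. The block below is an added example written for this page, not code from the e-book: it reads versionNumber from each groupPolicyContainer, then GPT.ini from each DC's SYSVOL share, and lists the pairs that differ. It also splits the version into its computer (low 16 bits) and user (high 16 bits) parts. PowerShell 3.0 or later with the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original e-book: GPC vs GPT version check per DC.
Import-Module ActiveDirectory

function Get-GptVersion {
    param([Parameter(Mandatory)] [string] $GptIniPath)
    if (-not (Test-Path -LiteralPath $GptIniPath)) { return $null }
    foreach ($line in Get-Content -LiteralPath $GptIniPath) {
        if ($line -match '^\s*Version\s*=\s*(\d+)') { return [int64] $Matches[1] }
    }
    return $null
}

function Compare-GpoVersions {
    param([string] $Domain = (Get-ADDomain).DNSRoot)
    $dcs  = Get-ADDomainController -Filter * -Server $Domain
    $gpcs = Get-ADObject -Server $Domain -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, versionNumber
    foreach ($gpc in $gpcs) {
        # versionNumber is a 32-bit value; treat it as unsigned before splitting it.
        $adVersion = [int64]([uint32]([int64] $gpc.versionNumber -band 0xFFFFFFFF))
        foreach ($dc in $dcs) {
            # $gpc.Name is the {GUID} folder name under Policies.
            $ini = "\\$($dc.HostName)\SYSVOL\$Domain\Policies\$($gpc.Name)\GPT.ini"
            $sysvolVersion = Get-GptVersion -GptIniPath $ini
            [pscustomobject]@{
                GPO             = $gpc.displayName
                DC              = $dc.HostName
                ADVersion       = $adVersion
                SysvolVersion   = $sysvolVersion
                ComputerVersion = ($adVersion -band 0xFFFF)
                UserVersion     = [int64][math]::Floor($adVersion / 65536)
                InSync          = ($sysvolVersion -ne $null) -and ($sysvolVersion -eq $adVersion)
            }
        }
    }
}

# Only the problems: missing GPT.ini (SysvolVersion empty) or version mismatch.
Compare-GpoVersions | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

If a GPO is out of sync on one DC only, check that DC's FRS or DFS-R replication (repadmin and dcdiag, as on the SYSVOL page); if the AD value is ahead on all DCs, the GPT on the PDC emulator itself was not updated.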

Protocol Process GPO


1. ICMP
2. NLA
3. RPC tcp135

4. LDAP tcp/udp 389


5. DNS udp/53
6. Query GPT in Sysvol by SMB udp/tcp 445
Import, Migration GPO
GPO Copy Import GPMC
Copy Copy GPO Forest (Online Transfer GPO)
Import Offline Files Permission Administrator Forest Copy - Paste

Migrate mtedit.exe

Backup / Restore GPO


Backup / Restore GPO Starter GPO WMI Filter Object Backup
Backup GPO GPO WMI Filter

Default Default Domain Policy Default Domain Controller Policy


dcgpofix.exe Windows 2008
= dcgpofix.exe /target:{domain | dc | both}

SYSVOL
Sysvol GPO File System Policy Script Log On Group Policy
Template Replicate Sysvol

Active Directory Sysvol Tasks

Move Sysvol Storage


Default Storage Quota ( 4GB)
Rebuild Sysvol

Sysvol
1. Migrate Sysvol Technology Replicate FRS DFS
2. Migrate Raise Domain Functional Level
3. Sysvol Replication FRS DFS net share

Replication Sysvol

Active Directory Sysvol



Key Sysvol Services Start


1. Netlogon
2. FRS ( FRS Replicate)
3. DFS ( DFS Replicate)


1. Net share
Sysvol Share
2. Dcdiag.exe
dcdiag /s:servername /test:replication
dcdiag /s:servername /test:netlogons
3. Repadmin.exe
repadmin /showrepl
repadmin /syncall

Lab12: Implement Group Policy Create, Edit and Link GPOs


Create, Link
Filtering and Commenting

Lab13: Manage Group Policy Scope


Link GPO
GPO Scope Filtering
Configure Loopback Processing
Lab15: Troubleshoot Policy Application
LAB
GPO



The Group Policy Results Wizard
Rsop.msc Gpresult.exe Remote Management
Allow Firewall ports 135 and 445. Allow WMI Firewall Rule
The Group Policy Modeling Wizard

GPResult.exe


Rsop + GPresult


GPRESULT.EXE Command Line


gpresult /r
gpresult /v
gpresult /z
gpresult /h:"%userprofile%\Desktop\RSOP.html"
GPO Modeling Wizard


Policy Event


Module 7: Managing User Desktop with Group Policy


Lab16: Manage Administrative Templates
Policy Definitions
%Systemroot%\PolicyDefinitions

ControlPanelDisplay.adml ControlPanelDisplay.admx
ScreenSaverIsSecure


Administrative Template .ADM File


http://www.microsoft.com/en-us/download/details.aspx?id=22666
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=18968
GPO Windows XP Windows Server 2003 GPO Template
Domain Controller Windows 2008R2 Feature Group Policy Central Store
Central Store
Create Folder PolicyDefinitions
%SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions

Copy .ADMX Files %SystemRoot%\PolicyDefinitions


%SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions


Lab17: Manage Group Policy Preferences


GPO Preferences
GPO Preferences Actions
1. Create
GPO Preference
2. Replace
Deletes Preference Preference Preference
3. Update
Modifies Preference
4. Delete
GPO Preference


GPO Policy Settings Policy Preferences Preference Log On


Script Environment Script
Preference
Policy Settings Policy Preference Policy
Registry
Group Policy Preferences Shortcut Notepad Desktop
Domain Controller Group Policy GPO Preferences


GPO-Preferences


GPO-Preferences Folder
GPO-Preference Folder C:\Apps W7-01

Option Item-Level Targeting


GPO-Preferences MAP Network Drive
MAP Drive GPO Preferences

LAB18: Manage Software With GPSI

Software Group Policy (GPSI)

[ ] Deploy Software GPO

Software GPSI Install Uninstall

1. Share Installation Folder
2. Mode Publish, Assigned, Advance
3. Publish Computer Configuration

Publish to User
- Advertised in Programs and Features
- Install on request
- .msi, .zap
- Rebuild by user choose install

Assigned to User
- Start Menu
- File Association Made
- Option Install at Logon
- .msi Support
- Available for installation again

Assigned to Computer
- Install at startup

4.
Group Policy Software Installation (GPSI)
Software Group Policy
Step:

\\


Code Deploy Office 2007


setlocal

REM *********************************************************************
REM Environment customization begins here. Modify variables below.
REM *********************************************************************

REM Get ProductName from the Office product's core Setup.xml file.
set ProductName=Enterprise

REM Set DeployServer to a network-accessible location containing the Office source files.
set DeployServer=\\server\share\Office12

REM Set ConfigFile to the configuration file to be used for deployment (required)
set ConfigFile=\\server\share\Office12\Enterprise.WW\config.xml

REM Set LogLocation to a central directory to collect log files.
set LogLocation=\\server\share\Office12Logs

REM *********************************************************************
REM Deployment code begins here. Do not modify anything below this line.
REM *********************************************************************

IF NOT "%ProgramFiles(x86)%"=="" SET WOW6432NODE=WOW6432NODE\

reg query HKEY_LOCAL_MACHINE\SOFTWARE\%WOW6432NODE%Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%
if %errorlevel%==1 (goto DeployOffice) else (goto End)

REM If 1 returned, the product was not found. Run setup here.
:DeployOffice
start /wait %DeployServer%\setup.exe /config %ConfigFile%
echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt

REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
:End

Endlocal


Lab: Manage Security Settings With Security Template

mmc.exe
Security Template
Security Configuration and Analysis
Step:


Lab: Audit Active Directory Changes


Remark
Type 2 : Console logon - interactive from the computer console
Type 3 : Network logon - network mapping (net use/net view)
Type 4 : Batch logon - scheduler
Type 5 : Service logon - service uses an account
Type 7 : Unlock Workstation
Monitor OU
Step:
1. Enable Auditing Policy
2. Enable Auditing at OU Target


Clear Security Log Monitoring Event Viewer


-Create User
-Deleted User
Log ID 4726 or 4738 or 4720
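Once auditing is enabled on the OU, the events the lab is looking for end up in the Security log of the DC that processed the change. The block below is an added example written for this page, not code from the e-book: it reads the Security log for account creation, deletion and change (4720, 4726, 4738 as listed above), for the security log being cleared (event 1102) and for logons (4624), and labels each logon with the type from the Remark table earlier on this page. dc01 is the lab DC from the page; the 24-hour window and event cap are assumptions. PowerShell 3.0 or later is assumed, and the caller needs read access to the remote Security log.

```powershell
# Added example, not part of the original e-book: account-management and logon events from a DC.
$LogonTypeNames = @{
    2 = 'Console (interactive)'; 3 = 'Network'; 4 = 'Batch (scheduler)'
    5 = 'Service'; 7 = 'Unlock workstation'
}
$EventNames = @{
    1102 = 'Security log cleared'; 4624 = 'Logon'
    4720 = 'User account created'; 4726 = 'User account deleted'; 4738 = 'User account changed'
}

function Get-AccountAuditEvents {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,   # a domain controller, e.g. dc01
        [int]    $Hours = 24,
        [int]    $MaxEvents = 1000
    )
    $filter = @{ LogName = 'Security'; Id = @($EventNames.Keys); StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Named fields are easiest to read from the XML form of the record.
        $xml  = [xml] $e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 1102 carries its fields under UserData/LogFileCleared instead of EventData.
        if ($xml.Event.UserData) {
            foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) { $data[$n.Name] = $n.InnerText }
        }
        $logonType = ''
        if ($e.Id -eq 4624) {
            $t = [int] $data['LogonType']
            $name = $LogonTypeNames[$t]
            if (-not $name) { $name = 'other' }
            $logonType = "$t - $name"
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Event     = $EventNames[$e.Id]
            Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"   # who did it
            Target    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"     # which account
            LogonType = $logonType
            Source    = $data['IpAddress']
        }
    }
}

Get-AccountAuditEvents -ComputerName 'dc01' -Hours 24 |
    Where-Object { $_.Id -ne 4624 -or $_.LogonType -notlike '3 -*' } |   # drop the noisy network logons
    Format-Table -AutoSize
```

For the lab, create and delete a test user and run the function: the 4720 and 4726 rows name the administrator who made the change in Subject and the test account in Target, and a 1102 row is the signal that someone cleared the log between two runs.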
Lab: Link VS Unlink
Objective:
GPO
Step: Disable / Remove / Unlink


Module 8: Managing Enterprise Security and Configuration with Group Policy


Settings
Lab19: Use Group Policy to Manage Group Membership
Objective:
Restricted Groups Policies
Groups Help-Desk ITSUPPORT02-04


Link GPO OU Computer Object Logon User ITsupport02


Local Administrators


Restricted Groups: Merge or Replace?

Lab20: Manage Security Settings


Objective:
Local Security Domain Controller Remote Server


Security Template

mmc.exe Add Remove Snap-in


Security Template > Security Configuration and Analysis
Step:


Security configuration Wizard


Objective


Transform Security Policy GPO


Run Path C:\Windows\security\msscw\Policies\
scwcmd transform /p:"DC01-Sec.xml" /g:"DC01-Sec"


Lab21: Audit File System Access


Objective
Object
Security Template Audit Share Folder

Lab: Audit Authentication


http://www.vmaxx.net/techinfo/Windows/NTLoginInfo.htm
Step:
Type 2 : Console logon - interactive from the computer console
Type 3 : Network logon - network mapping (net use/net view)
Type 4 : Batch logon - scheduler
Type 5 : Service logon - service uses an account
Type 7 : Unlock Workstation
Log

::: Windows 2008


::: 4624 - An account was successfully logged on.
::: 4625 - An account failed to log on.
::: 4649 - A replay attack was detected.
::: 4720 - A user account was created.
::: 4740 - A user account was locked out.
::: 4723 - An attempt was made to change an account's password.
::: 4724 - An attempt was made to reset an account's password.
::: 4698 - A scheduled task was created.
::: 1102 - The specified user cleared the Security Log.
Logparser.exe "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO c:\Logs\4624_SuccessToLogOn.csv FROM Security WHERE EventID = 4624"
Logparser.exe "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO c:\Logs\4625_FailedToLogOn.csv FROM Security WHERE EventID = 4625"
Logparser.exe "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO c:\Logs\4649_ReplayAttackDetected.csv FROM Security WHERE EventID = 4649"
Logparser.exe "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO c:\Logs\4720_UserCreated.csv FROM Security WHERE EventID = 4720"
Logparser.exe "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO c:\Logs\4740_AccountLocked.csv FROM Security WHERE EventID = 4740"
Logparser.exe "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO c:\Logs\4723_ChangePassword.csv FROM Security WHERE EventID = 4723"
Logparser.exe "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO c:\Logs\4724_ResetPassword.csv FROM Security WHERE EventID = 4724"
Logparser.exe "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO c:\Logs\4698_TaskCreated.csv FROM Security WHERE EventID = 4698"
Logparser.exe "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO c:\Logs\1102_ClearSecurityLog.csv FROM Security WHERE EventID = 1102"
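Added example, not from the ebook: a small Python triage over constructed Security-log rows in the shape of the LogParser CSV exports above, using the logon-type table from this lab's Step list and flagging the events a monitor cares about (repeated 4625 per account, 4740 lockouts, 1102 log clearing). The extra LogonType and Account columns, the sample rows and the failure threshold are assumptions.

```python
"""Triage of Windows Security-log exports by EventID.
Added example; the rows below are constructed, not from a real DC."""
import csv
import io
from collections import Counter

# Logon types as listed in the lab's Step section.
LOGON_TYPES = {
    2: "Console logon (interactive)",
    3: "Network logon (net use/net view)",
    4: "Batch logon (scheduler)",
    5: "Service logon",
    7: "Unlock workstation",
}

# Event IDs from the list above.
EVENT_NAMES = {
    4624: "An account was successfully logged on.",
    4625: "An account failed to log on.",
    4649: "A replay attack was detected.",
    4720: "A user account was created.",
    4740: "A user account was locked out.",
    4723: "An attempt was made to change an account's password.",
    4724: "An attempt was made to reset an account's password.",
    4698: "A scheduled task was created.",
    1102: "The specified user cleared the Security Log.",
}

# Constructed rows in the shape of the LogParser CSV exports above, plus two
# assumed columns (LogonType, Account) that the checks below rely on.
SAMPLE_CSV = """\
TimeGenerated,EventID,LogonType,Account
2012-09-10 08:00:01,4624,2,DEMO\\itsupport02
2012-09-10 08:05:10,4625,3,DEMO\\sale02
2012-09-10 08:05:12,4625,3,DEMO\\sale02
2012-09-10 08:05:15,4625,3,DEMO\\sale02
2012-09-10 08:05:20,4740,,DEMO\\sale02
2012-09-10 08:30:00,4624,5,DEMO\\svc_backup
2012-09-10 09:00:00,4720,,DEMO\\newuser01
2012-09-10 09:15:00,1102,,DEMO\\itsupport02
"""

def parse_events(text):
    """Parse CSV rows; EventID becomes int, LogonType int or None when blank."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["EventID"] = int(row["EventID"])
        row["LogonType"] = int(row["LogonType"]) if row["LogonType"] else None
        rows.append(row)
    return rows

def triage(events, failed_threshold=3):
    """Findings a monitor raises: sensitive events plus repeated 4625 per account."""
    failed = Counter()
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 4625:
            failed[e["Account"]] += 1
        elif eid in (4740, 1102, 4649, 4720, 4724, 4698):
            findings.append((e["TimeGenerated"], eid, e["Account"], EVENT_NAMES[eid]))
    for account, n in failed.items():
        if n >= failed_threshold:
            findings.append(("", 4625, account, f"{n} failed logons (threshold {failed_threshold})"))
    return findings

def describe_logon(e):
    """Label a 4624/4625 row with the lab's logon-type name."""
    return f"{e['Account']}: {LOGON_TYPES.get(e['LogonType'], 'other/unknown')}"
```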

Lab22: Configure Application Control Policies


Objective:
Application
1. Software Restriction Policy
2. AppLocker


Module 9: Securing Administration


Lab23: Delegate Administration
Objective:


Review Advanced Features

Generate Report
dsacls "dc=demo,dc=local"
Remove Reset Permissions


Lab24: Audit Active Directory Changes


Objective:
LAB


Module 10: Improving the Security of Authentication in an AD DS Domain


Lab25: Configure Password and Account Lockout Policies
Objective:

Hardening Template
Best Practice

Fine Grained Password Objects


Fine Grained Password Option Windows Server 2008 Password Policy
Password Policy OU
: Fine Grained Password Domain Functional Level = Windows Server 2008


( 1 )


(Day:Hours:Minutes:Second)


=0

Lock 15


Lab26: Audit Authentication


Objective:

Lab27: Configure Read-Only Domain Controller


Objective:

Read Only Domain Controller (RODC)


Branch Office Read Only Domain Controller
1. Authentication
2. RODC Password AD Database Caching
3. Replication One Way
4. Login RODC

5.
6.
7.
8.

RODC User (15 30 User )


RODC Server
Network Main Link Branch Offices
Branch Office RODC Exchange Server Site (
Writeable Domain Controller)
9. Upgrade WS2003 adprep / rodcprep RODC
10. RODC Operations Masters


Module 11: Configuring Domain Name System


DNS = Domain Name Service () IP Address Host Name - (Query)
Resolve IP Host Name Host Name IP !
New Feature DNS Windows Server 2008
RODC Authoritative
Pull Writeable DNS Server from same site
Global Names Zone (GNZ)
Provide single-label name resolution instead of using WINS
IPv6 Support
(AAAA Records and Reverse look-ups)
Solution 3rd Party DNS (Unix/Linux Based DNS)
DNS
GNZ Create GlobalNames Zone
GNZ WINS
Dynamic Update WINS

DNS Update repadmin /syncall


DNS AD Integrated
WINS
IPv6 Basic configuration
DNS Component
- DNS Service (Server)
- DNS Database
- DNS Client
DNS Query
DNS Query IP IP client DNS Server
DNS Query 2 Mode
Iterative ( DNS Server )
Recursive ()


Forwarder
DNS Query DNS Server
Forwarders
Standard: Query Forward DNS Server
Conditional: Query Forward DNS Server ( Root Hint)

DNS Namespace Option


DNS Namespace
1. Same Namespace
2. Sub Domain
3. Unique Namespace
DNS
Namespace Subdomain Public Namespace
Subdomain Public Domain (
Public Internal )

DNS Zone
DNS Zone


Active Directory Integrated Zones

A
Directory
Replication Multi-Master Function Active
Streamline Data Replication
Secure Dynamic Update
Backwards Compatible To Secondary Zones
Stub Zone Domain DNS
Forwarder Stub Zone
Forest
Forwarder
Forward Query

DNS Zone Transfer Replication


DNS Zone Transfer Replication


DNS Caching
DNS Caching Query Query Caching Record Client Server
Clear cache: ipconfig /flushdns or dnscmd /clearcache
Cache Server Ipconfig /DisplayDNS

Clear Cache GUI


TIP: DNS / WINS


DNS Domain Controller Remove Root Hint DNS Console Iterative Query

Allow Transfer DNS TCP Port 53 Firewall Zone Transfer


DHCP / DNS Cache Proxy = DNSUpdateProxy Groups

TTL = Time to Live Cache Record (Default = 1 Hr)


Aging and Scavenging? Record DNS Database Aging Record
Scavenging
1. Client Register Record DNS Database
2. 7 Update Aging 7
3. 7+7+1 Record
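Added example, not from the ebook: a Python model of the aging timeline the three steps above describe (client registers, no-refresh interval, refresh interval, then scavenging), using the 7-day defaults. The registration date, refresh attempts and scavenging run times are constructed; a static record (no timestamp) is modelled as never aged.

```python
"""DNS aging and scavenging timeline for one dynamically registered record.
Added example, not from the ebook; intervals are the 7-day defaults named above."""
from datetime import datetime, timedelta

NO_REFRESH = timedelta(days=7)  # refresh attempts are ignored in this window
REFRESH = timedelta(days=7)     # refreshes accepted, record not yet scavengable

# Constructed registration time for the worked case below.
REGISTERED = datetime(2012, 9, 10)

def days(n):
    """Helper so callers can express offsets from REGISTERED in days."""
    return timedelta(days=n)

def refresh_record(timestamp, now, no_refresh=NO_REFRESH):
    """Client re-registration: inside the no-refresh interval the server keeps
    the old timestamp (cuts replication traffic); afterwards it is updated."""
    if timestamp is None or now < timestamp + no_refresh:
        return timestamp
    return now

def scavenge_eligible_at(timestamp, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Earliest time a scavenging run may delete the record (None = never)."""
    if timestamp is None:  # static record, timestamp 0: never aged
        return None
    return timestamp + no_refresh + refresh

def would_scavenge(timestamp, run_time, no_refresh=NO_REFRESH, refresh=REFRESH):
    """True if a scavenging run at run_time removes a record with this timestamp."""
    eligible = scavenge_eligible_at(timestamp, no_refresh, refresh)
    return eligible is not None and run_time >= eligible

def simulate(registered, refresh_attempts, scavenge_runs):
    """Replay refresh attempts and scavenging runs in time order.
    Returns (deleted_at or None, final timestamp)."""
    ts = registered
    events = sorted([(t, "refresh") for t in refresh_attempts]
                    + [(t, "scavenge") for t in scavenge_runs])
    for when, kind in events:
        if kind == "refresh":
            ts = refresh_record(ts, when)
        elif would_scavenge(ts, when):
            return when, ts
    return None, ts
```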

Lab28: Install DNS Service


Objective:
LAB DNS Server Role
1. Domain Controller server dc01.demo.com User / Group TS


LAB IIS FTP

Lab29: Advance Configuration DNS


LAB DNS Server Role
1. server dc01
Create New Zone
Primary Zone > AD Integrated > Zone Name "GlobalNames"
command > dnscmd /?
command > dnscmd dc01 /config /enableglobalnamessupport 1
DNS Console GlobalNames Create Host Record


LAB DNScmd.exe DNS Global Name Zone


DNS Stub Zone


Module 12: Administering AD DS Domain Controllers


Lab30: Install Domain Controller
Objective: Install Domain Tree, Additional Domain, Child Domain


Backup IFM
C:\Users\Administrator>ntdsutil
ntdsutil: activate instance NTDS
Active instance set to "NTDS".
ntdsutil: ifm
ifm: create sysvol full c:\ifm
Creating snapshot...


Lab31: Install Server Core Domain Controller


Objective:
LAB Sconfig.cmd Domain / IP /
DNS Role ocsetup
ocsetup DNS-Server-Core-Role
oclist |more DNS
dcpromo /unattend /ReplicaOrNewDomain:replica /ReplicaDomainDNSName:demo.local /ConfirmGC:Yes /UserName:demo\Administrator /Password:* /safeModeAdminPassword:Pa$$w0rd


Lab32: Transfer Operation Master Roles


Objective: FSMO
http://mvpskill.com/blogs/kb/archive/2011/11/18/fsmo-flexible-single-master-operation-fsmo-role-owner.aspx

Active Directory Domain Service (AD DS) multimaster


Domain Controller master
Microsoft
AD DS 5 FSMO (Flexible Single-Master Operation)
Forest wide FSMO FSMO Role 1 Domain Controller 1 Forest
Schema master (SM)
(Schema) Active Directory
FSMO Active
Directory Schema Naming context LDAP://cn=schema,cn=configuration,dc=<domain>


Domain Naming Master (DNM)


(Name Space) Domain Forest child
domain, Domain Tree Name Space Domain Naming Master Naming context
LDAP://CN=Partitions, CN=Configuration, DC=<domain>
Domain wide FSMO FSMO Role 1 Domain Controller 1 Domain ( Forest
Domain FSMO Domain 1 )
PDC Emulator
PDC Emulator domain (Authority)

domain controller member Active Directory Domain


Windows Time Service
Active Directory
password PDC (
replicate Domain Controller
Domain Controller (Forward) Authentication PDC

Lock Account (Account Lockout)


PDC Server Windows NT Windows NT
RID Master
(Object) Active Directory SID (Security ID)
2 1. SID Domain Domain SID Domain
2. RID RID RID Master (
RID Master)
Infrastructure master
Object Active Directory Domain
Domain SID, GUID DN
Domain Controller FSMO Role FSMO Role Owner Domain
Controller FSMO Role Owner Domain Controller


FSMO Role Owner

Transfer
Seize
Deleted (Metadata Cleanup)
Refer Step http://support.microsoft.com/kb/255504
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx#bkmk_graphical
Script Remove Metadata http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3
Step: ntdsutil
Roles
Connections
Connect to server dc01.demo.com
Q
Seize XX
Step:
Ntdsutil
Metadata cleanup
Remove selected server

Operation Master Roles Active Directory


Three operations master roles (also known as flexible single master operations or FSMO) exist in each domain:

The primary domain controller (PDC) emulator


Operations master processes all password updates. Group Policy Update / Time Server Update
The relative ID (RID) operations master
Maintains the global RID pool for the domain and allocates local RIDs pools to all domain controllers to ensure that all security
principals created in the domain have a unique identifier.

The infrastructure operations master for a given domain maintains a list of the security principals from other domains that
are members of groups within its domain. It tracks who is in which group, and should not be placed on a global catalog server (if possible).
In addition to the three domain-level operations master roles, two operations master roles exist in each forest:
The schema operations master governs changes to the schema. regsvr32 schmmgmt.dll

The domain naming operations master adds and removes domains and other directory partitions (for example, Domain
Name System (DNS) application partitions) to and from the forest.


Netdom query fsmo

Seize Operations Master


Ntdsutil
Activate instance NTDS
Roles
Connections
Connect to server dc02.demo.com
quit
Help
Seize or Transfer Yeh !


Lab33: Configure Global Catalog and Universal Group Membership Caching


Objective: Enable GC, UGMC

Global Catalog, Universal Group Membership


GC Replicate Forest Attribute 200/1000 BW 128k
Universal Group Membership Caching
Domain User BW 128 k Enable GC Site
Roaming user Enable GC


Lab34: Configure DFS-R Replication of SYSVOL


Objective:

dfsrmig /getglobalstate

dfsrmig /setglobalstate 0
dfsrmig /getglobalstate
dfsrmig /getmigrationstate
dfsrmig /setglobalstate 1

dfsrmig /getmigrationstate

Event ID 8014 Application and Services Logs


Step
dfsrmig /setglobalstate 2
dfsrmig /getmigrationstate


Module 13: Managing Sites and Active Directory Replication


Lab35: Configure Site and Subnet
Objective: Site & Subnet

Lab36: Configure Replication


Objective: Replication


Module 14: Directory Service Continuity


Lab36: Monitor Active Directory Events and Performance
Objective: Monitor ADDS
- Task Manager
- Event Viewer
- Reliability Monitor
- Performance Monitor (Perfmon)
- Data Collector Set
Step:


Lab37: Manage Active Directory Database


Objective:
Defragment AD Database
Step:
ntdsutil
activate instance ntds
- Stop AD Services
files
compact to c:\


Exit To Command Line


copy "c:\ntds.dit" c:\windows\NTDS\ntds.dit
del c:\windows\NTDS\*.log

ntdsutil
activate instance ntds
files
integrity

Lab38: Using Active Directory Recycle Bin


Objective: Feature Active Directory Recycle Bin


http://mvpskill.com/blogs/kb/archive/2011/11/24/windows-server-backup-folder.aspx
http://mvpskill.com/blogs/kb/archive/2011/11/21/domain-controller-restoring-system-state-data-windows-server-backupfeature.aspx
http://mvpskill.com/blogs/kb/archive/2011/11/11/domain-controller-backing-up-system-state-data-windows-server-backupfeature.aspx
Step:


Get-ADObject -Filter {cn -like 'Userdeleted*'} -IncludeDeletedObjects | Restore-ADObject
# trailing * needed: a deleted object's CN is renamed to "<name>\0ADEL:<objectGUID>"

or
Get-ADObject -Filter {displayname -eq 'Sale02'} -IncludeDeletedObjects | Restore-ADObject

Lab39: Backup and Restore Active Directory

Domain Controller (Backing Up System State Data) Windows Server Backup Feature
http://mvpskill.com/blogs/kb/archive/2011/11/11/domain-controller-backing-up-system-state-data-windows-server-backupfeature.aspx
Domain Controller (Restoring System State Data) Windows Server Backup Feature
http://mvpskill.com/blogs/kb/archive/2011/11/21/domain-controller-restoring-system-state-data-windows-server-backupfeature.aspx
Reset DSRM Password
http://technet.microsoft.com/en-us/library/cc754363(WS.10).aspx
1. Harddisk dc01
2.
3.
4.
5.


Password Reset
Install Windows Server Backup Feature
Create a Scheduled Backup
Interactive Backup

Step:


Backup Deleted OU Restore


Boot DSRM Mode ( F8)


bcdedit /set safeboot dsrepair


Authoritative Restore
Ntdsutil
Activate instance ntds
Authoritative restore
Restore subtree ou=05_HR,dc=demo,DC=local

Bcdedit /deletevalue safeboot
2 DC1 DC 2


Module 15: Managing Multiple Domains and Forests


Lab40: Configure Name Resolution Between Forest
Objective:

Lab37: Configure a Forest Trust


Objective:

Trust User Forest Domain


Trust
1. 2 Forest
Printer Object

2. Partner Partner User


Partner


Trust Nontransitive Transitive


Trust Trust
Two-Way
Trusted (Outgoing) =
Trusting (Incoming)
Manual Trust
External Trust
Realm Trust
Forest Trust
Shortcut Trust = Authentication Forest Child domain
