PREPARATION FOR COURSE 20742B

Author: Siniša Lale, dipl. Inž.

Računarski fakultet, Beograd

Computer Equipment and Trade - CET

Contents:
Module 1: Installing and configuring domain controllers
Module 2: Managing objects in AD DS
Module 3: Advanced AD DS infrastructure management
Module 4: Implementing and administering AD DS sites and replication
Module 5: Implementing Group Policy
Module 6: Managing user settings with Group Policy
Module 7: Securing Active Directory Domain Services
Module 8: Deploying and managing AD CS
Module 9: Deploying and managing certificates
Module 10: Implementing and administering AD FS
Module 11: Implementing and administering AD RMS
Module 12: Implementing AD DS synchronization with Microsoft Azure AD
Module 13: Monitoring, managing, and recovering AD DS
Module 1: Installing and configuring domain controllers
Lesson 1: Overview of AD DS
Lesson 2: Overview of AD DS domain controllers
Presentation of Active Directory basics:
- Domain Controllers
- Domains
- Forests
- FSMO
Lesson 3: Deploying a domain controller
Installation DEMO
Domain upgrade
- Windows PDC Upgrade
- ADMT Migration
- ADPREP

Command                    | Run on DC             | User                                            | Where
Adprep /Forestprep         | Schema Master         | Enterprise Admins, Schema Admins, Domain Admins | Once per forest
Adprep /Domainprep /Gpprep | Infrastructure Master | Domain Admins                                   | Once in each domain
Adprep /Rodcprep           | Any                   | Enterprise Admins                               | Once per forest

Cloning a virtual DC (VDC)
1. Add the existing DC object that is being cloned to the group "Cloneable Domain Controllers"
2. Confirm the cloning prerequisites with the command

Get-ADDCCloningExcludedApplicationList

- Incompatible software must be removed
- Update the list of compatible software with the command
Get-ADDCCloningExcludedApplicationList -GenerateXml

3. Define the instructions for the new DC

New-ADDCCloneConfigFile `
    -CloneComputerName "VirtualDC2" `
    -SiteName "ADSite01" `
    -Static -IPv4Address "10.0.1.2" `
    -IPv4SubnetMask "255.255.255.0" `
    -IPv4DefaultGateway "10.0.1.1" `
    -IPv4DNSResolver "10.0.0.2" `
    -PreferredWINSServer "10.0.0.3"

The file is written to C:\Windows\NTDS\DCCloneConfig.xml
Sample: C:\Windows\System32\SampleDCCloneConfig.xml

4. Shut down the source DC

Stop-VM -Name "VirtualDC1" -ComputerName "HyperV1"

5. Export the VM

Export-VM -Name "VirtualDC1" -ComputerName "HyperV1" -Path "D:\VMExport"

6. Copy the exported virtual machine to the destination host
7. Import the VM

$vm = Import-VM -Path "D:\VMExport\VirtualDC1\Virtual Machines" -Copy -GenerateNewId

8. Rename the cloned copy

Rename-VM -VM $vm -NewName "VirtualDC2"

9. Delete the snapshots

Get-VMSnapshot -VMName "VirtualDC2" | Remove-VMSnapshot -IncludeAllChildSnapshots

10. Start the cloned VM
Lab: Deploying and administering AD DS
Virtual machines: 20742B-LON-DC1 and 20742B-LON-SVR1

User name: Adatum\Administrator

Password: Pa55w.rd
Module 2: Managing objects in AD DS
Lesson 1: Managing user accounts
Classification of accounts:
- Local (SAM)
- Domain (AD)
By origin:
- Built-in: Administrator, Guest
- User created: those we create
Other:
- Administrative tools: AD Users and Computers or Active Directory Administrative Center
- RSAT Tools
- Windows PowerShell
- dsadd, dsget, dsmod, dsmove, dsquery, dsrm
- User account properties: User Principal Name (UPN) and pre-Windows 2000 user logon name
- SID
- User profile
  - Local
  - Roaming
- Modifying attributes of several accounts at once
- Account templates (attributes copied when a new account is created from the template)
  - Address tab: everything except Street address
  - Account tab: logon hours, logon workstations, account options, account expiration
  - Profile tab: everything
  - Organization tab: department, company, manager
  - Member Of tab: everything
- Demo: creating accounts, renaming, resetting passwords, unlocking, moving, enabling/disabling, working with templates
Lesson 2: Managing groups in AD DS
Classification of groups:
- Local (SAM)
- Domain (AD)
By origin:
- Built-in: Administrators, Domain Admins, Users, Domain Users... there are many of them
- User created: those we create

Domain groups
Scope:
- Global
- Domain Local
- Universal
Type:
- Security
- Distribution
Principle
IGDLA
I -> G -> DL <- A
(identities are placed in global groups, global groups in domain local groups, and the domain local groups are granted access)

Default groups
Universal
- Enterprise Admins
- Schema Admins
Global
- Domain Admins
- Domain Users
Domain Local
- Administrators
- Users
- Server Operators
- Remote Desktop Users
- Backup Operators
- Print Operators
Special identities
- Anonymous Logon
- System
- Authenticated Users
- Everyone
- Interactive
- Network
- Creator Owner
Lesson 3: Managing computer objects in AD DS
Prestaged / non-prestaged
- Computers container, redircmp
- Permission to create objects of the Computer class (Delegation of Control Wizard)
- Secure channel:
  - Lost because of reinstallation
  - Lost because of long non-use, due to loss of password synchronization (the computer password changes every 30 days)
- Re-establishing the secure channel:
  - Resetting the computer account and rejoining the domain
  - netdom reset <MachineName> /domain:<DomainName> /UserO:<UserName> /PasswordO:{Password | *}
  - NLTEST /SERVER:<SERVERNAME> /SC_RESET:DOMAIN\<DOMAINCONTROLLER>
  - PowerShell: Test-ComputerSecureChannel -Repair
- redircmp
- Offline domain join
djoin /provision /domain adatum.com /machine canberra /savefile C:\canberra-join.txt
djoin /requestodj /loadfile canberra-join.txt /windowspath %systemroot% /localos

Lab A: Managing AD DS objects


Virtual machines: 20742B-LON-DC1 and 20742B-LON-CL1
User name: Adatum\Administrator

Password: Pa55w.rd
Lesson 4: Using Windows PowerShell for AD DS administration
User accounts

Cmdlet                   Description
New-ADUser               Creates user accounts
Set-ADUser               Modifies properties of user accounts
Remove-ADUser            Deletes user accounts
Get-ADUser               Gets user information
Set-ADAccountPassword    Resets the password of a user account
Set-ADAccountExpiration  Modifies the expiration date of a user account
Unlock-ADAccount         Unlocks a user account after it has become locked after too many incorrect sign-in attempts
Enable-ADAccount         Enables a user account
Disable-ADAccount        Disables a user account

$SecurePassword = ConvertTo-SecureString "P@ssword" -AsPlainText -Force
New-ADUser -Name "Susan Fine" -Path "OU=IT,DC=adatum,DC=com" -SamAccountName sfine `
    -UserPrincipalName sfine@adatum.com -AccountPassword $SecurePassword -Enabled $true

or

New-ADUser "Sten Faerch" -AccountPassword (Read-Host -AsSecureString "Enter password") -Department IT

Groups

Cmdlet                              Description
New-ADGroup                         Creates new groups
Set-ADGroup                         Modifies properties of groups
Get-ADGroup                         Displays properties of groups
Remove-ADGroup                      Deletes groups
Add-ADGroupMember                   Adds members to groups
Get-ADGroupMember                   Displays membership of groups
Remove-ADGroupMember                Removes members from groups
Add-ADPrincipalGroupMembership      Adds group membership to objects
Get-ADPrincipalGroupMembership      Displays group membership of objects
Remove-ADPrincipalGroupMembership   Removes group membership from an object

New-ADGroup -Name "CustomerManagement" -Path "ou=managers,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security

Add-ADGroupMember -Identity "CustomerManagement" -Members "Joe"

Computers

Cmdlet                         Description
New-ADComputer                 Creates new computer accounts
Set-ADComputer                 Modifies properties of computer accounts
Get-ADComputer                 Displays properties of computer accounts
Remove-ADComputer              Deletes computer accounts
Test-ComputerSecureChannel     Verifies or repairs the trust relationship between a computer and the domain
Reset-ComputerMachinePassword  Resets the password for a computer account

New-ADComputer -Name "LON-SVR8" -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true

Test-ComputerSecureChannel -Repair
Queries related to objects (bulk creation of users from a CSV file)
CreateUsers.csv

Firstname,lastname,username,password
Marko,Markovic,mmarko,Pa$$w0rd
Petar,Petrovic,ppetar,Pa$$w0rd

CreateUsers.ps1
$csvfile = "CreateUsers.csv"
$domain = "adatum.com"
$OU = "OU=IT,DC=adatum,DC=com"
$users = Import-Csv $csvfile
foreach ($i in $users) {
    # Property access inside a double-quoted string needs the $( ) subexpression syntax
    $FullName = "$($i.FirstName) $($i.LastName)"
    $Username = $i.username
    $UPN = $i.username + "@" + $domain
    $securePassword = ConvertTo-SecureString $i.password -AsPlainText -Force
    New-ADUser -Name $FullName -Path $OU -SamAccountName $Username `
        -UserPrincipalName $UPN -AccountPassword $securePassword -Enabled $true
}
Lesson 5: Implementing and managing OUs
OU design models:
- Location
- Organization
- Hybrid
Organizational units
Cmdlet                       Description
New-ADOrganizationalUnit     Creates OUs
Set-ADOrganizationalUnit     Modifies properties of OUs
Get-ADOrganizationalUnit     Views properties of OUs
Remove-ADOrganizationalUnit  Deletes OUs

New-ADOrganizationalUnit -Name "Sales" -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true

Lab B: Administering AD DS
Virtual machines: 20742B-LON-DC1, 20742B-LON-SVR1, and 20742B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd
Module 3: Advanced AD DS infrastructure management
Lesson 1: Overview of advanced AD DS deployments
Multiple domains? Reasons for an additional domain or an additional forest:
- Distributed administration - domain
- DNS requirements - domain
- Replication requirements - domain
- Merger - forest
- Incompatible schema - forest
- Security isolation - forest
Lesson 2: Deploying a distributed AD DS environment
Domain functional levels and forest functional levels
- Windows 2000: nothing new
- Windows 2003
- Windows 2008: nothing new
- Windows 2008 R2: AD Recycle Bin
- Windows 2012, 2012 R2, 2016: nothing new
Lesson 3: Configuring AD DS trusts
Characteristics of trust relationships
- Direction
- Transitivity
- How they are established
Types of trust relationships and details
- Automatic trusts (parent-child, tree-root)
- Shortcut trusts
- External trusts
- Realm trusts
- Forest trusts
Tools for managing trust relationships
- AD Domains and Trusts
- Netdom trust:
  - NETDOM TRUST TRUSTINGDOMAINNAME /DOMAIN:TRUSTEDDOMAINNAME /VERIFY
  - NETDOM TRUST TRUSTINGDOMAINNAME /DOMAIN:TRUSTEDDOMAINNAME /REMOVE [/FORCE] /USERD:USER /PASSWORDD:*
Domain quarantine (SID filtering)
Enabled by default for external and forest trust relationships.

The trusting domain relies only on the SIDs of the accounts of the trusted domain. The "SID History" attribute of the trusted domain's accounts is ignored, to prevent manipulation of the SID history attribute in which an administrator of the trusted domain modifies "SID History" and inserts a SID that could have access to resources in the remote domain.

- NETDOM TRUST TRUSTINGDOMAINNAME /DOMAIN:TRUSTEDDOMAINNAME /QUARANTINE:NO
- NETDOM TRUST TRUSTINGDOMAINNAME /DOMAIN:TRUSTEDDOMAINNAME /QUARANTINE:YES

Authentication models
- Selective authentication
- Domain-wide authentication (for an external trust) or forest-wide authentication (for a forest trust)
If domain-wide or forest-wide authentication is chosen, all users of the trusted domain can be used to access any service on any computer of the trusting domain.

With selective authentication, a user whose account is in the trusted domain must have the Allowed to Authenticate permission on the Computer object of the trusting domain that they access.
Name suffix routing
The mechanism for routing authentication requests between forests connected by forest trust relationships. AD routes all unique name suffixes. Suffix filtering is supported, which prevents authentication for a suffix.
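The following is an added example, not part of the course notes: it audits the trusts of the current domain for the two settings this lesson covers, SID filtering (quarantine) and selective authentication, by decoding the trustAttributes bit flags defined in MS-ADTS. The cmdlet is the real Get-ADTrust; the function names and the constructed demonstration values are mine.

```powershell
# Added example: audit AD trusts for SID filtering and selective authentication.
# Requires the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS, trustAttributes)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering enabled on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # this is a forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # parent-child / tree-root trust (same forest)
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # SID history accepted across a forest trust (filtering relaxed)

function Test-TrustAttributes {
    # Pure evaluation of one trustAttributes value; returns a list of findings (empty = fine).
    param([Parameter(Mandatory)][int]$TrustAttributes)

    $findings = New-Object System.Collections.Generic.List[string]
    $inForest = ($TrustAttributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0
    $isForest = ($TrustAttributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0

    if (-not $inForest) {
        if ($isForest) {
            # Forest trust: quarantine is on by default and relaxed only via TREAT_AS_EXTERNAL
            if ($TrustAttributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
                $findings.Add('Forest trust: SID history accepted (quarantine relaxed)')
            }
        } elseif (-not ($TrustAttributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
            # External trust without QUARANTINED_DOMAIN = netdom ... /QUARANTINE:NO
            $findings.Add('External trust: SID filtering (quarantine) disabled')
        }
        if (-not ($TrustAttributes -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION)) {
            $findings.Add('Domain-wide/forest-wide authentication (selective authentication off)')
        }
    }
    return $findings
}

function Get-TrustAudit {
    # Enumerate the trusts of the caller's domain (or of -Server) and report findings per trust.
    param([string]$Server)
    $params = @{ Filter = '*' }
    if ($Server) { $params.Server = $Server }

    Get-ADTrust @params | ForEach-Object {
        $attrs = [int]($_.TrustAttributes)
        [pscustomobject]@{
            Target          = $_.Target
            Direction       = $_.Direction
            TrustType       = $_.TrustType
            IntraForest     = $_.IntraForest
            TrustAttributes = ('0x{0:X}' -f $attrs)
            Findings        = ((Test-TrustAttributes -TrustAttributes $attrs) -join '; ')
        }
    }
}

# Constructed demonstration values (no AD needed):
# 0x04 = external trust, quarantined, domain-wide authentication -> one finding
# 0x48 = forest trust with SID history accepted, forest-wide authentication -> two findings
Test-TrustAttributes -TrustAttributes 0x04
Test-TrustAttributes -TrustAttributes 0x48

# Live audit on a domain-joined administrative workstation:
# Get-TrustAudit | Format-Table -AutoSize -Wrap
```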

Lab: Domain and trust management in AD DS


Virtual machines: 20742B-LON-DC1, 20742B-TOR-DC1, 20742B-LON-SVR2, and 20742B-TREY-DC1

User name: Adatum\Administrator

Password: Pa55w.rd
Module 4: Implementing and administering AD DS sites and replication
Definition of a site and a subnet

An Active Directory site represents a unit of the network that is characterized by fast, reliable, inexpensive connectivity. Much documentation suggests that the slowest link speed within a site should be no less than 512 kilobits per second (kbps). However, this guidance is not immutable. Some organizations have links as slow as 56 or even 28 kbps within a site.

Reasons for using sites
- Compression of intersite replication
- Fast location of the optimal domain controller
Multimaster replication model

Update types
- Originating update: add, change, delete, move
- Replicated update
Replication conflicts:
- attribute level,
- move to the Deleted Objects container,
- moving two objects with the same RDN into the same container.
Update convergence and replication latency

Urgent replication:
- change of the account lockout policy
- password policy,
- change of the RID master,
- account lockout...
Intrasite replication
- Primary goal: reduce replication latency
- Replication latency from 15 to approximately 45 s
- RPC
- Change notification
- Polling interval 1 h
- The Knowledge Consistency Checker (KCC)
- Connection object: logical, one-way connection between domain controllers for replication
- Notification delay = 15 s for the first partner, subsequent delay 3 s for each following partner
- USN
- Propagation dampening
- Ring topology, 3 hops maximum
Intersite replication
- Primary goal: reduce network bandwidth
- Schedule only; change notification is not used
- Intersite Topology Generator (ISTG): one KCC per site
- IP site link
  - Protocol: RPC, SMTP (does not replicate the domain partition)
  - Schedule
  - Frequency
- Bridgehead servers
- Preferred bridgehead
- The ISTG can generate connection objects towards several bridgeheads in different sites
- Site link transitivity
Site link bridge
- Connects two or more site links so that the connection between the sites is transitive. They are needed only if the Bridge all site links option (configured through the properties of the IP or SMTP container) is turned off.
- A site link bridge connects two or more site links in a way that creates a transitive link
Global catalog
- Fast search
- Storage of universal group membership
- Configuring the global catalog
- NTDS Settings of the server
Universal group membership caching
1. Caching of universal group membership
2. NTDS Site Settings
Monitoring replication

Command-line diagnostic tools: repadmin (replication status) and dcdiag (testing the correctness and security of replication)
PowerShell cmdlets
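As an added example (not from the course notes), the replication status that repadmin /showrepl reports can be collected for every DC with the ActiveDirectory module's replication cmdlets; the function names and the one-hour staleness threshold are mine, the cmdlets and their properties are the real ones.

```powershell
# Added example: replication health report for all DCs in the current domain.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param(
        # Hostnames of the DCs to inspect; defaults to every DC in the current domain
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        # A partner link is reported STALE when its last success is older than this (assumed threshold)
        [timespan]$MaxAge = [timespan]::FromHours(1)
    )
    $cutoff = (Get-Date) - $MaxAge

    foreach ($dc in $DomainController) {
        try {
            # One row per inbound partner and naming context (domain, configuration, schema, DNS partitions)
            $partners = Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -Partition * -ErrorAction Stop
        } catch {
            [pscustomobject]@{
                Server = $dc; Partner = $null; Partition = $null; LastSuccess = $null
                Failures = $null; LastResult = $null; Status = "UNREACHABLE: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($p in $partners) {
            $status = 'OK'
            if ($p.ConsecutiveReplicationFailures -gt 0) { $status = 'FAILING' }
            elseif ($p.LastReplicationSuccess -lt $cutoff) { $status = 'STALE' }
            [pscustomobject]@{
                Server      = $dc
                # Partner is the NTDS Settings DN; the second RDN is the partner server name
                Partner     = (($p.Partner -split ',')[1] -replace '^CN=')
                Partition   = $p.Partition
                LastSuccess = $p.LastReplicationSuccess
                Failures    = $p.ConsecutiveReplicationFailures
                LastResult  = $p.LastReplicationResult   # 0 = success, otherwise a Win32 error code
                Status      = $status
            }
        }
    }
}

function Get-ReplicationFailureSummary {
    # Failures recorded on every DC of the domain (the counterpart of repadmin /replsummary)
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    Get-ADReplicationFailure -Target $Domain -Scope Domain |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

# Usage on a domain-joined administrative workstation:
Get-ReplicationHealth | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
Get-ReplicationFailureSummary | Format-Table -AutoSize
```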

Lab: Implementing AD DS sites and replication


Virtual machines: 20742B-LON-DC1 and 20742B-TOR-DC1
User name: Adatum\Administrator
Password: Pa55w.rd
Module 5: Implementing Group Policy
Terms:
Group Policy Object (GPO) (tool: GPMC, Group Policy Management Console)
Policy (tool: GPME, Group Policy Management Editor)

Elements of a Group Policy object

GP Template (GPT)
The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings.
GP Container (GPC)
The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO.
The name of the GPT folder is the globally unique identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is %systemroot%\SYSVOL\sysvol.

Group Policy Management

GPO link
Creating a GPO
Creating and linking
Linking
Link enabled/disabled
Default Domain Policy, Default Domain Controllers Policy
GPO inheritance
Local GPO objects: up to Windows 2003 there is only one object, which applies to all users.
Since Vista there are several local GPOs: one that applies to the computer and all users, one for each individual user, as well as one for administrators and one for non-administrators.
Order of application:
- Local
- Site
- Domain
- OU
Basic rule of policy processing (when settings conflict, the one applied last wins)
Central Store
- The GPME automatically reads the policies of the Administrative Templates category from the ADMX files stored in the Central Store and ignores the local ones, unless a DC is not available, in which case the local store is used.
Starter GPO
- Behaves as a template for creating GPOs
Special options
Block inheritance
Enforced
Security filtering
WMI filtering

Filter           | Purpose                                                                 | Query
Time zone        | Apply policy on all servers located on the East Coast of the United States. | Root\cimv2; Select * from win32_timezone where bias = -300
Hotfix           | Apply a policy on computers that have a specific hotfix.               | Root\cimv2; Select * from Win32_QuickFixEngineering where HotFixID = 'q147222'
Operating system | Only target computers running Windows XP Professional.                 | Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
Resources        | Target only machines that have at least 600 megabytes (MB) available.  | Root\CimV2; Select * from Win32_LogicalDisk where FreeSpace > 629145600 AND Description <> "Network Connection"
Make or model    | Target Toshiba Tecra models 800 and 810.                               | Root\CimV2; Select * from Win32_ComputerSystem where manufacturer = "Toshiba" and Model = "Tecra 800" OR Model = "Tecra 810"

GPME nodes: Computer Configuration and User Configuration

GPO parameters (GPO status)
- Enabled
- All settings disabled
- Computer configuration settings disabled
- User configuration settings disabled
User Group Policy loopback processing
- Replace
- Merge
Backup and restore of GPOs
Slow GPO processing
Generating RSoP: GUI and GPResult.exe
PowerShell cmdlets: New-GPO, New-GPLink, Backup-GPO, Restore-GPO, Copy-GPO, Get-GPO, Import-GPO, Set-GPInheritance
Managed vs. unmanaged settings
- Managed:
  i. Administrative Templates are managed
  ii. The user interface is blocked and the user cannot change the configuration
  iii. If the GPO is deleted, the configuration reverts to the local one.
- Unmanaged:
  i. Persistent change in the registry
  ii. If the GPO no longer applies to the user, the configuration remains
  iii. The GPME hides such policies by default
Preferences
Unmanaged policies

Lab A: Implementing a Group Policy infrastructure


Virtual machines: 20742B-LON-DC1, 20742B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd

Lab B: Troubleshooting Group Policy infrastructure


Virtual machines: 20742B-LON-DC1, 20742B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd
Module 6: Managing user settings with Group Policy
Administrative Templates
Configuring Folder Redirection
Scripts
Software Installation
Group Policy Preferences

Lab: Managing user settings with Group Policy


Virtual machines: 20742B-LON-DC1 and 20742B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd
Module 7: Securing Active Directory Domain Services
Lesson 1: Securing domain controllers
Policy categories
- Account Policies (show in detail)
- Audit Policy (show in detail)
- User Rights Assignment
- Security Options
- Event Log
- Restricted Groups (show in detail)
- Windows Firewall with Advanced Security
- Public Key Policies
- Advanced Audit Policy Configuration

Securing physical access to domain controllers
- Only deploy domain controllers where physical security is ensured
- Use RODCs
- Use BitLocker on domain controller disk volumes
- Monitor hot-swap disk systems because they can lead to domain controller theft
- Protect virtual disks; virtual machine admins must be highly trusted
- Store backups in a secure location

Read-only domain controllers (RODC)
- Usage scenario:
  - Network with several locations
  - Placing a domain controller at a remote location helps an efficient logon process
  - Replication of unwanted modifications
  - Locations have inadequate physical security
  - The RODC is designed specifically for the branch office scenario

Characteristics of an RODC
- Holds a replica of all attributes except passwords
- When an authentication request arrives, the RODC receives it and forwards it to a domain controller in the hub site
- A Password Replication Policy (PRP) can be configured, which defines the accounts whose passwords the RODC may cache
- Removing a read-only DC comes down to deleting its computer account
- Replication is one-way, towards the RODCs, which eliminates the possibility of corrupting AD from the RODC
- RODCs have a local Administrators group that can be used to grant local administrative privileges
- If the RODC is a DNS server with AD-integrated zones, those zones are also read-only; dynamic update requests are resolved by referrals to a writeable DC

Configuring password caching
1. Configuring the accounts whose passwords may be cached on RODCs
   - Allowed RODC Password Replication Group
   - Denied RODC Password Replication Group (the members of this group are the most security-sensitive accounts)
   - The Denied... group takes precedence
   - Groups can also be members
2. Configuring the password replication policy
   - Properties of the RODC account, Password Replication Policy tab

Notes:
- To delete a cached password, the password must be reset at the hub site
- Prepopulation can be performed
- Prepopulation cannot be performed without an adequately configured password replication policy (the same password replication algorithm applies).

Default configuration of the password replication policy
- Allowed RODC Password Replication Group - Allow
- Denied RODC Password Replication Group - Deny
- Account Operators - Deny
- Server Operators - Deny
- Backup Operators - Deny
- Administrators - Deny

Default members of the Denied RODC Password Replication Group
- Enterprise Domain Controllers
- Enterprise Read-Only Domain Controllers
- Group Policy Creator Owners
- Domain Admins
- Cert Publishers
- Enterprise Admins
- Schema Admins
- Domain-wide krbtgt account

Default members of the Allowed RODC Password Replication Group:
- None
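An added example (not from the course notes) that checks an RODC against the policy described above: it lists the passwords actually cached on the RODC, flags any that belong to privileged groups, and lists branch accounts that authenticated through the RODC without being cacheable (prepopulation candidates). The cmdlets are the real ActiveDirectory module ones; the function names, the privileged-group list and the RODC name LON-RODC1 are mine.

```powershell
# Added example: audit the password cache of an RODC against its Password Replication Policy.
Import-Module ActiveDirectory

# Groups whose members should never be cached on a branch RODC (assumed list, extend as needed)
$HighValueGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                     'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators')

function Get-RodcPasswordCacheAudit {
    param([Parameter(Mandatory)][string]$Rodc)   # RODC computer name, e.g. LON-RODC1

    # 1. The policy as configured: explicit Allow and Deny entries on the RODC computer object
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    Write-Host ("PRP on {0}: {1} Allow entries, {2} Deny entries" -f $Rodc, $allowed.Count, $denied.Count)

    # 2. What is really cached right now (msDS-RevealedUsers). This is the set exposed if the RODC
    #    is stolen, so no privileged account should appear here.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

    foreach ($acct in $revealed) {
        $groups = @(Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Name)
        $hits = @($groups | Where-Object { $HighValueGroups -contains $_ })
        $action = ''
        if ($hits.Count -gt 0) {
            # Cached secrets are only purged by a password reset at the hub site (see notes above)
            $action = 'Reset password at hub site; add account to Denied RODC Password Replication Group'
        }
        [pscustomobject]@{
            Rodc         = $Rodc
            Account      = $acct.SamAccountName
            ObjectClass  = $acct.ObjectClass
            PrivilegedIn = ($hits -join ', ')
            Action       = $action
        }
    }
}

function Get-RodcPrepopulateCandidates {
    # Accounts that authenticated through the RODC but are not cacheable: if they belong at the
    # branch, add them to the Allow list and prepopulate; otherwise leave them forwarded to the hub.
    param([Parameter(Mandatory)][string]$Rodc)
    $cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
                Select-Object -ExpandProperty DistinguishedName)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
        Where-Object { $cached -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, ObjectClass, DistinguishedName
}

# Usage (constructed RODC name):
Get-RodcPasswordCacheAudit -Rodc 'LON-RODC1' | Format-Table -AutoSize -Wrap
Get-RodcPrepopulateCandidates -Rodc 'LON-RODC1' | Format-Table -AutoSize
```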
Administering an RODC with Administrative Role Separation:
- Open a command prompt on the RODC.
- Type dsmgmt and press Enter.
- Type local roles and press Enter.
- At the local roles prompt, you can type ? and press Enter for a list of commands. You can also type list roles and press Enter for a list of local roles.
- Type add username administrators, where username is the pre-Windows 2000 logon name of a domain user, and press Enter

Protected Users security group
- Available since Windows Server 2012 R2; requires the Windows Server 2012 R2 domain functional level
- Cannot authenticate using the NTLM, Digest or CredSSP methods
- No password caching for these accounts
- Kerberos cannot use DES or RC4
- Kerberos TGT lifetime is 4 h
- No default members
Fine-grained password and lockout policies
- Administrative Center
- PSO (Password Settings Object)
- Creation
- Can also be done with PowerShell
New-ADFineGrainedPasswordPolicy -Name TestPswd -ComplexityEnabled:$true `
    -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" `
    -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" `
    -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"7" `
    -PasswordHistoryCount:"24" -Precedence:"1" `
    -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true
Add-ADFineGrainedPasswordPolicySubject -Identity TestPswd -Subjects Marketing

PSO precedence
1. User PSO
2. Group PSO with the lowest precedence value
3. Group PSO with the smaller GUID (in case of equal precedence values)

PSO1 GUID: d1742912-87cd-4172-ac6e-ad1e94965e6b (WINNER)

PSO2 GUID: 7b41e54e-a075-4a4d-869d-0b0e1433de89

4. GPO
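An added example (not from the course notes) that shows the resolution order above in practice: it lists all PSOs sorted the way AD ranks them, reports the policy that actually applies to given users (winning PSO or the Default Domain Policy), and reproduces the GUID tie-break on the two GUIDs from the notes. The cmdlets are the real ActiveDirectory module ones; the function names are mine. The GUID comparison uses the stored byte order of the GUID, which is why d1742912-... ranks below 7b41e54e-... even though it looks larger when printed.

```powershell
# Added example: which password/lockout policy applies, and in what order PSOs are ranked.
Import-Module ActiveDirectory

function Get-GuidSortKey {
    # AD compares objectGUID on its stored bytes, not on the printed string form.
    param([Parameter(Mandatory)][guid]$Guid)
    return (-join ($Guid.ToByteArray() | ForEach-Object { $_.ToString('x2') }))
}

function Get-WinningGuid {
    # Of several PSOs with equal Precedence, the one with the smallest GUID wins.
    param([Parameter(Mandatory)][guid[]]$Guid)
    return ($Guid | Sort-Object { Get-GuidSortKey $_ } | Select-Object -First 1)
}

function Get-PsoResolutionOrder {
    # Lower Precedence wins; ties are broken by the smaller GUID, so sort by both.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Sort-Object Precedence, { Get-GuidSortKey $_.ObjectGUID } |
        Select-Object Name, Precedence, ObjectGUID, MinPasswordLength, PasswordHistoryCount,
                      LockoutThreshold, LockoutDuration,
                      @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Identity)
    begin { $default = Get-ADDefaultDomainPasswordPolicy }   # step 4 of the list: the GPO settings
    process {
        foreach ($id in $Identity) {
            $user = Get-ADUser -Identity $id
            # Returns the winning PSO (linked to the user directly or via a group),
            # or nothing when only the domain policy applies.
            $pso = Get-ADUserResultantPasswordPolicy -Identity $user
            if ($pso) {
                $policy = $pso
                $source = "PSO $($pso.Name) (precedence $($pso.Precedence))"
            } else {
                $policy = $default
                $source = 'Default Domain Policy'
            }
            [pscustomobject]@{
                User                 = $user.SamAccountName
                Source               = $source
                MinPasswordLength    = $policy.MinPasswordLength
                ComplexityEnabled    = $policy.ComplexityEnabled
                MaxPasswordAge       = $policy.MaxPasswordAge
                LockoutThreshold     = $policy.LockoutThreshold
                LockoutDuration      = $policy.LockoutDuration
                ReversibleEncryption = $policy.ReversibleEncryptionEnabled
            }
        }
    }
}

# Tie-break check on the two GUIDs from the notes (no AD needed): prints d1742912-...
Get-WinningGuid -Guid 'd1742912-87cd-4172-ac6e-ad1e94965e6b', '7b41e54e-a075-4a4d-869d-0b0e1433de89'

# Live queries on a domain-joined administrative workstation:
# Get-PsoResolutionOrder | Format-Table -AutoSize
# 'sfine', 'Administrator' | Get-EffectivePasswordPolicy | Format-Table -AutoSize
```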
Security improvements

- Windows Hello:
  - For biometric-based sign-in to Windows
- Microsoft Passport:
  - To leverage Windows Hello and TPM
- Azure Multi-Factor Authentication:
  - To enhance account security by adding a second factor of verification
  - Can be used in the cloud or for on-premises applications

Managed Service Accounts (MSA)

What is a service account?

A service account may be an account that is local to the computer, such as the built-in Local Service, Network Service, or Local System accounts.

What is a Managed Service Account?

- An MSA is an AD DS object class that enables simplified password and SPN management for service accounts.
- Class msDS-ManagedServiceAccount
- Uses the password update mechanism that is used for Computer objects, without the need for user intervention
- SPN: "Service Principal Name"
- Stored in the CN=Managed Service Accounts,DC=<domain>,DC=<com> container
- Supported on Windows Server 2012 and 2008 R2
- Is the KDS root key a prerequisite for Managed Service Accounts? Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Configuration procedure

1. On the DC. Add-KDSRootKey creates the KDS root key to support group Managed Service Accounts, a requirement on Windows Server 2012 DCs:
Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))

2. On the DC. New-ADServiceAccount creates the Managed Service Account within AD DS:

New-ADServiceAccount -Name <MSA Name> -DNSHostName <DC DNS Name> -PrincipalsAllowedToRetrieveManagedPassword <ComputerName>$

3. On the DC. Add-ADComputerServiceAccount associates the Managed Service Account with a computer account in the AD DS domain:

Add-ADComputerServiceAccount -Identity <Host Computer Name> -ServiceAccount <MSA Name>

4. On the remote computer. Install-ADServiceAccount installs the Managed Service Account on a host computer in the domain, and makes the Managed Service Account available for use by services on the host computer:

Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity <MSA Name>
What are group Managed Service Accounts?

Valid for several computers that run a service under the same account.

Prerequisites

1. At least one domain controller must be running Windows Server 2012 to store managed password information.

2. A KDS root key must be created on a domain controller in the domain.

Add-KdsRootKey -EffectiveImmediately

Example
New-ADServiceAccount -Name LondonSQLFarm -DNSHostName LondonSQLFarm.adatum.com `
    -PrincipalsAllowedToRetrieveManagedPassword LON-SQL1$, LON-SQL2$, LON-SQL3$
Module 8: Deploying and managing AD CS
Lesson 1: Deploying CAs
PKI - Public Key Infrastructure
is a combination of software, encryption technologies, processes and services that make it possible to secure communications and business transactions. It relies on the exchange of digital certificates between authenticated users and verified resources.

It provides the services:
- confidentiality,
- integrity,
- authenticity,
- nonrepudiation
What is a digital certificate
- An identity card or a driving licence for cyberspace.
- A digital certificate enables the legitimate transfer of confidential information, money and other sensitive material by means of public-key cryptographic technologies. The owner of a digital certificate has two keys: a private key, held only by the user, which enables digital signing of outgoing messages and decryption of incoming messages, and a public key, which anyone can use to send encrypted messages to that specific user.
Reasons for using digital certificates
- L2TP, SSTP, IKEv2 VPN
- EFS
- Digital certificates for web servers, SMTP servers and the like
- Protection of electronic message exchange
Role services
- Certification Authority
  - Issues digital certificates
- Certification Authority Web Enrollment
  - Web application that provides an interface for issuing digital certificates and other functions
- Online Responder
  - Service that provides validation of digital certificates over the Online Certificate Status Protocol
- Network Device Enrollment Service (NDES)
  - Enables the participation of network devices, e.g. routers and switches, which use the Simple Certificate Enrollment Protocol, in the Microsoft PKI infrastructure (the protocol was developed by Cisco)
- Certificate Enrollment Web Service (CES)
  - Proxy between clients and the CA. Functions:
    - Request, renew, and install issued certificates.
    - Retrieve CRLs.
    - Download a root certificate.
    - Enroll over the internet or across forests (new to Windows Server 2008 R2).
- Certificate Enrollment Policy Web Service
  - Combined with the Certificate Enrollment Web Service, it enables policy-based certificate enrollment when the client computer is not a member of a domain, or when a domain member is not connected to the domain.
CA typology by area of responsibility
- Internal (private)
  - greater control over certificate management,
  - use of templates,
  - external clients do not trust it
- External (public)
  - minimal administration,
  - trusted by more external clients,
  - higher costs
CA typology by Microsoft implementation
- Standalone
  - Typically used in offline mode
  - Does not depend on AD
  - Certificate requests are submitted manually
  - Approval of issuance is done manually
- Enterprise
  - Typically used in online mode
  - Depends on AD
  - Certificate requests can be submitted manually or automatically
  - Approval of issuance is done manually or automatically
Implementing a CA hierarchy
Two-tier hierarchy

Three-tier hierarchy
Connecting separate hierarchies

CAPolicy.inf
The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA. If you want to deploy a root or subordinate CA, and you want to predefine some values for use during installation and define some additional parameters, you can use the CAPolicy.inf file.
[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Days
CRLPeriodUnits=2
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=4
ClockSkewMinutes=20
LoadDefaultTemplates=True
AlternateSignatureAlgorithm=0
ForceUTF8=0
EnableKeyCounting=0

Lesson 2: Administering CAs

CA administration
Certification Authority MMC or certutil

Get-Command -Module ADCS*

CA administrative roles
Role/group          | Purpose                                   | Information
CA administrator    | Manage the CA                             | Assigned by using the CA console
Certificate manager | Issue and manage certificates             | Assigned by using the CA console
Backup operator     | Back up and restore files and directories | Operating system role
Auditor             | Manage auditing and the Security event log | Operating system role
Enrollees           | Read and enroll                           | Can request certificates

Policy and exit modules
- A policy module determines the action that is performed after the CA receives the certificate request.
- The exit module determines what happens with a certificate after it is issued.
Certutil
certutil -dump
  Dump configuration information or files
certutil -getreg
  Display a registry value
certutil -getreg CA
  ca: use the CA's registry key

Management with GPO
- Credential roaming
- Autoenrollment of certificates
- Certificate distribution
CDP/AIA
Certificate revocation?

The CRL contains a time-stamped list of revoked certificates, signed by the CA and available to PKI users through a public repository. A delta CRL is a relatively small CRL that contains only the changes since the last base CRL.

CDP?

CDP = CRL Distribution Point

The CDP is a certificate extension that indicates from where the CRL for a CA can be retrieved. It can contain none, one, or many HTTP, FTP, FILE, or LDAP addresses.

AIA?

AIA addresses are the URLs in the certificates that a CA issues. These addresses tell the verifier of a certificate where to retrieve the CA's certificate.

Online Responder?

The Online Responder provides clients with an efficient way to determine the revocation status of a certificate by using the Online Certificate Status Protocol (OCSP).
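As an added example (not from the course notes), the CDP and AIA extensions described above can be read from any certificate with the .NET X509 classes, and the revocation status then checked through the Windows chain engine, which downloads the CRL or queries the OCSP responder from exactly those URLs. The function name is mine; the extension OIDs and .NET types are the standard ones.

```powershell
# Added example: inspect CDP/AIA URLs and check revocation for certificates in a store.
function Get-CertificateRevocationInfo {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $cert = $Certificate
        # Extension OIDs: 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
        # (AIA carries both the issuer certificate URL and, if configured, the OCSP responder URL)
        $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $aiaExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }

        # Format($true) renders the extension as text with "URL=" entries; pull the URLs out of it
        $urlPattern = '(?i)\b(?:https?|ldap|file|ftp)://[^\s"]+'
        $cdpUrls = @(); $aiaUrls = @()
        if ($cdpExt) { $cdpUrls = @([regex]::Matches($cdpExt.Format($true), $urlPattern) | ForEach-Object { $_.Value }) }
        if ($aiaExt) { $aiaUrls = @([regex]::Matches($aiaExt.Format($true), $urlPattern) | ForEach-Object { $_.Value }) }

        # Build the chain with online revocation checking for every certificate in the chain
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.UrlRetrievalTimeout = [timespan]::FromSeconds(15)
        $valid  = $chain.Build($cert)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            CdpUrls     = ($cdpUrls -join ' ')
            AiaUrls     = ($aiaUrls -join ' ')
            # A self-signed root legitimately has no CDP; an issued certificate should publish an
            # HTTP CDP so that non-domain clients (which cannot use LDAP) can fetch the CRL.
            HttpCdp     = [bool]($cdpUrls | Where-Object { $_ -match '^http' })
            ChainValid  = $valid
            # e.g. RevocationStatusUnknown / OfflineRevocation (CDP unreachable), Revoked, NotTimeValid
            ChainStatus = ($status -join ', ')
        }
    }
}

# Usage: every certificate in the local machine's Personal store
Get-ChildItem Cert:\LocalMachine\My | Get-CertificateRevocationInfo | Format-List
```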

Lesson 3: Troubleshooting and maintaining CAs

CA backup
1. Back up the list of published certificate templates (Enterprise CA only)
2. <CAName>\All Tasks\Backup CA
3. Export the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.
4. The location of the Windows folder on the server to which the restore is done must be the same as on the original server.
5. The CA database folders must also be in the same locations on the source and destination servers.
CA Restore
1. U toku instalacije odabrati korektnu opciju Stand-alone ili enterprise kao na izvornom serveru
2. Na Setup Private Key stranici instalacije, odabrati Use existing private key i locirati privatni ključ
u backup folderu.
3. Na stranici Select Existing Certificate, odabrati Import i uneti putanju do .p12 dateteke u backup
folderu, otkucati lozinku definisanu u procesu backup-a. Na prompt Public and Private Key Pair,
verifikovati da je selektovana opcija Use existing keys.
4. Na Certificate Database stranici definisati lokaciju baze podataka i log fajlova istu kao na izvor-
nom serveru.
5. Sačekati da se završi instalacija
6. Stopirati CA servis
7. Importovati Reg File
8. <CAName >\All Tasks\Restore CA . Kroz wizard izabrati
 Private key and CA certificate i
 Certificate database log
 Na prompt za Backup folder odabrati lokaciju foldera
9. Nakon završetka importa startovati CA servis
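The backup half of the procedure above as a script, so that the three pieces the restore needs (template list, key and database, registry key) are always captured together. This is an added example, not code from the course; the target folder is hypothetical.

```powershell
# Added example: scripted CA backup. Assumptions: runs on the CA as a CA administrator who is also
# a Backup Operator; D:\CABackup is a hypothetical path.
Import-Module ADCSAdministration

$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$target = "D:\CABackup\$stamp"
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. The published template list (enterprise CA only); the restore re-adds them with Add-CATemplate.
Get-CATemplate | Select-Object Name, Oid |
    Export-Csv -Path (Join-Path $target 'published-templates.csv') -NoTypeInformation

# 2. CA certificate + private key (.p12) and the database with its logs. The password protects the
#    .p12; the restore wizard cannot import the key without it, so keep it in a vault, not next to the backup.
$p12Password = Read-Host -AsSecureString -Prompt 'Password for the CA key backup (.p12)'
Backup-CARoleService -Path $target -Password $p12Password -Force

# 3. The CertSvc\Configuration key (CDP/AIA URLs, validity settings, policy and exit module configuration).
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $target 'CertSvc-Configuration.reg') /y | Out-Null

# 4. Record the paths the restore server must reproduce (Windows folder, database and log folders).
$cfg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
[pscustomobject]@{
    WindowsDir     = $env:SystemRoot
    DBDirectory    = $cfg.DBDirectory
    DBLogDirectory = $cfg.DBLogDirectory
} | Export-Csv -Path (Join-Path $target 'paths.csv') -NoTypeInformation

# 5. Do not trust the backup until both the key file and the database file are present.
$files = Get-ChildItem -Path $target -Recurse -Include '*.p12', '*.edb'
if (@($files | Where-Object Extension -eq '.p12').Count -ne 1 -or @($files | Where-Object Extension -eq '.edb').Count -lt 1) {
    throw "Backup in $target is incomplete (expected one .p12 and at least one .edb)"
}

# The .p12 holds the CA's private key: restrict the folder to administrators and keep the copy encrypted.
icacls.exe $target /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
"CA backup written to $target"
```

Restore-CARoleService -Path <folder> -Password <SecureString> is the cmdlet counterpart of step 8 of the restore procedure; it still has to be run with the CA service stopped and after the .reg file has been imported.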
Various administrative tools
 Certificates snap-in
 PKIView.msc
  o All CAs:
   CA health state
   CA health state being evaluated (question mark)
   CA has no problems (no indicator)
   CA has a noncritical problem (yellow indicator)
   CA has a critical problem (red indicator)
   CA is offline (red cross over the CA indicator)
 Certification Authority console
 Certutil.exe
 Certificate Templates snap-in
Lab: Deploying and configuring a two-tier CA hierarchy 8-28
Estimated Time: 60 minutes

Virtual machines: 20742B-LON-DC1, 20742B-LON-SVR1, and 20742B-CA-SVR1

User name: Adatum\Administrator

Password: Pa55w.rd

For this lab, you will use


Module 9: Deploying and managing certificates
Lesson 1: Deploying and managing certificate templates
Structure of an X.509 v3 digital certificate:
 Certificate
o Version Number
o Serial Number
o Signature Algorithm ID
o Issuer Name
 Validity period
o Not Before
o Not After
 Subject name
 Subject Public Key Info
o Public Key Algorithm
o Subject Public Key
 Issuer Unique Identifier (optional)
 Subject Unique Identifier (optional)
 Extensions (optional)
o Basic Constraints
o Key Usage,
o Extended Key Usage
 Certificate Signature Algorithm
 Certificate Signature
File extensions
 .pem (Privacy-enhanced Electronic Mail): Base64-encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
 .cer, .crt, .der: usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
 .p7b, .p7c: PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
 .p12: PKCS#12, may contain certificate(s) (public) and private keys (password protected)
 .pfx: PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g. with PFX files generated in IIS)
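The structure and the file formats above, walked through on a certificate you can create yourself. This is an added example, not code from the course; the subject name, output folder and PFX password are for the demo only.

```powershell
# Added example: build a test certificate, read the X.509 v3 fields from it and write it out in the
# DER, PEM and PKCS#12 forms. Assumption: Windows 10 / Server 2016 or later PowerShell;
# the subject name, output folder and PFX password are for the demo only.
$out = Join-Path $env:TEMP 'x509-demo'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Key Usage and an Extended Key Usage (Server Authentication = OID 1.3.6.1.5.5.7.3.1) are set explicitly:
# those two extensions are what templates and relying parties check first.
$cert = New-SelfSignedCertificate -Subject 'CN=demo.adatum.com' -DnsName 'demo.adatum.com' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddDays(30) -CertStoreLocation 'Cert:\CurrentUser\My'

# The structure listed above, field by field
[pscustomobject]@{
    Version            = $cert.Version                       # 3 for X.509 v3
    SerialNumber       = $cert.SerialNumber
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    Issuer             = $cert.Issuer                        # equals Subject: self-signed
    Subject            = $cert.Subject
    NotBefore          = $cert.NotBefore
    NotAfter           = $cert.NotAfter
    PublicKeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
    PublicKeyBits      = $cert.PublicKey.Key.KeySize
} | Format-List
foreach ($ext in $cert.Extensions) {
    # Format($true) renders the extension value the way certutil and the MMC show it
    '{0} (critical={1}): {2}' -f $ext.Oid.FriendlyName, $ext.Critical, $ext.Format($true)
}

# .cer as binary DER
Export-Certificate -Cert $cert -FilePath (Join-Path $out 'demo.cer') -Type CERT | Out-Null

# .pem: the same DER bytes, Base64 in 64-character lines between the BEGIN/END markers
$b64 = ([Convert]::ToBase64String($cert.RawData) -replace '(.{64})', "`$1`n").TrimEnd("`n")
Set-Content -Path (Join-Path $out 'demo.pem') -Encoding Ascii `
    -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"

# .pfx (PKCS#12): certificate plus private key, hence always password protected
$pfxPassword = ConvertTo-SecureString 'Demo-Pfx-Pa55w.rd' -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $out 'demo.pfx') -Password $pfxPassword | Out-Null

# Round trip: the PEM file must load back as the same certificate (same thumbprint) and the PFX must
# carry the private key
$fromPem = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $out 'demo.pem')
$fromPfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $out 'demo.pfx'), 'Demo-Pfx-Pa55w.rd'
if ($fromPem.Thumbprint -ne $cert.Thumbprint) { throw 'PEM round trip failed' }
if (-not $fromPfx.HasPrivateKey)             { throw 'PFX does not contain the private key' }
"OK: $($cert.Thumbprint) written as .cer, .pem and .pfx in $out"

# Remove the demo certificate and its key from the store
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```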
Certificate templates
Define the metadata of the certificates to be issued, primarily through the Key Usage and Extended Key Usage parameters, together with who may enroll for them.
Versions
1. Windows 2000 Server: version 1 (cannot be modified; duplicate it to get a newer version)
2. Windows Server 2003: version 2
3. Windows Server 2008: version 3 (CNG key storage providers, Suite B cryptographic algorithms)
4. Windows Server 2012: version 4
Configuring Certificate Template Permissions
 Full Control. The Full Control permission allows a security principal to modify all attributes of a
certificate template, which includes permissions for the certificate template itself. It also in-
cludes permission to modify the security descriptor of the certificate template.
 Read. The Read permission allows a user or computer to view the certificate template when en-
rolling for certificates. The Read permission is also required by the certificate server to find the
certificate templates in AD DS.
 Write. The Write permission allows a user or computer to modify the attributes of a certificate
template, which includes permissions assigned to the certificate template itself.
 Enroll. The Enroll permission allows a user or computer to enroll for a certificate based on the
certificate template. However, to enroll for a certificate, you must also have Read permissions
for the certificate template.
 Autoenroll. The Autoenroll permission allows a user or computer to receive a certificate through
the autoenrollment process. However, the Autoenroll permission requires the user or computer
to also have both Read and Enroll permissions for a certificate template.
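A way to see the permissions described above for every template at once. Templates are objects in the Configuration partition, so the audit reads their ACLs through the AD: drive. This is an added example, not code from the course; the two extended-right GUIDs are the schema-defined values for Certificate-Enrollment and Certificate-AutoEnrollment.

```powershell
# Added example: list who holds Enroll, Autoenroll, Write and Full Control on every certificate
# template in the forest. Requires the ActiveDirectory module; no hypothetical names are needed.
Import-Module ActiveDirectory

$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollRight = [guid]'a05b8cc2-17bc-11d1-a040-00c04fb93c2b'   # Certificate-AutoEnrollment

$configNC     = (Get-ADRootDSE).configurationNamingContext
$tplContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates    = Get-ADObject -SearchBase $tplContainer -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                    -Properties 'msPKI-Template-Schema-Version'

$report = foreach ($tpl in $templates) {
    $acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
    foreach ($ace in ($acl.Access | Where-Object AccessControlType -eq 'Allow')) {
        $rights = @()
        $r = $ace.ActiveDirectoryRights
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $rights += 'FullControl'
        }
        elseif ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -or
                $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -or
                $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)) {
            $rights += 'Write'
        }
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            # An empty ObjectType GUID means "all extended rights", which includes both Enroll and Autoenroll
            if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $enrollRight)     { $rights += 'Enroll' }
            if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $autoEnrollRight) { $rights += 'Autoenroll' }
        }
        if ($rights) {
            [pscustomobject]@{
                Template  = $tpl.Name
                Version   = $tpl.'msPKI-Template-Schema-Version'
                Principal = $ace.IdentityReference.Value
                Rights    = $rights -join ','
            }
        }
    }
}

# Write or Full Control lets the holder change the template's attributes and its permissions (see above),
# so anything beyond the PKI administrators here deserves a second look.
'Principals that can modify templates:'
$report | Where-Object Rights -match 'Write|FullControl' | Sort-Object Template, Principal | Format-Table -AutoSize

# Templates that broad groups can enroll in; check their subject-name and EKU settings next.
'Templates enrollable by broad groups:'
$report | Where-Object { $_.Rights -match 'Enroll' -and $_.Principal -match 'Domain Users|Domain Computers|Authenticated Users' } |
    Format-Table -AutoSize
```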
Lesson 2: Managing certificate deployment, revocation, and recovery
Options for certificate enrollment:

 Autoenrollment. Using this method, the administrator defines the permissions and the configuration of a certificate template. These definitions help the requestor to request, retrieve, and renew certificates automatically without end-user interaction. This method is used for AD DS domain computers and users. The certificate template must be configured for autoenrollment, and autoenrollment must be enabled through Group Policy.
 Manual enrollment. Using this method, the private key and a certificate request are generated on a device, such as a web service or a computer. The certificate request is then transported to the CA to generate the certificate being requested. The certificate is then transported back to the device for installation. Use this method when the requestor cannot communicate directly with the CA, or if the device does not support autoenrollment.
 CA Web enrollment. Using this method, you enable a website on the CA so that users can obtain certificates. To use CA Web enrollment, you must install Internet Information Services (IIS) and the Certification Authority Web Enrollment role service of AD CS. To obtain a certificate, the requestor logs on to the website, selects the appropriate certificate template, and then submits a request. The certificate is issued automatically if the user has the appropriate permissions to enroll for the certificate. Use CA Web enrollment to issue certificates when autoenrollment cannot be used, for example for an advanced certificate request. There are also cases where autoenrollment can be used for certain certificates, but not for all of them.
 Enrollment on behalf (Enrollment Agent). Using this method, a CA administrator creates an Enrollment Agent account for a user. The user with Enrollment Agent rights can then enroll for certificates on behalf of other users. You would use this method, for example, if you need to allow a manager to preload logon certificates of new employees on to smart cards.
Enrollment Agent
 When a user gets a certificate based on an Enrollment Agent template, he or she has the ability to enroll for a certificate on behalf of another user.
Restricted Enrollment Agent?
 This functionality allows you to limit which users (or groups) a designated Enrollment Agent may enroll smart card certificates for, and which templates the agent may use on their behalf.
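The manual and the automatic enrollment paths above, from PowerShell. This is an added example, not code from the course; the template name AdatumWebServer and the GPO name PKI Autoenrollment are assumptions.

```powershell
# Added example: manual enrollment with Get-Certificate (including the pending case) and the
# autoenrollment Group Policy settings. Assumptions: an enterprise CA publishes a template named
# AdatumWebServer (hypothetical); a GPO named PKI Autoenrollment (hypothetical) is linked to the
# OU that holds the member servers.
Import-Module PKI
Import-Module GroupPolicy

# --- Manual enrollment. The key pair is generated on this machine; only the CSR goes to the CA.
$result = Get-Certificate -Template 'AdatumWebServer' -SubjectName 'CN=web01.adatum.com' `
    -DnsName 'web01.adatum.com' -CertStoreLocation 'Cert:\LocalMachine\My'

switch ($result.Status) {
    'Issued'  { "Issued $($result.Certificate.Thumbprint), valid until $($result.Certificate.NotAfter)" }
    'Pending' {
        # The template requires certificate manager approval. The request stays in the REQUEST store;
        # after approval, piping it back into Get-Certificate retrieves the issued certificate.
        'Pending CA manager approval. After approval run:'
        '  Get-ChildItem Cert:\LocalMachine\Request | Get-Certificate'
    }
    default   { throw "Enrollment failed with status $($result.Status)" }
}

# --- Autoenrollment for domain members. These are the registry values the Group Policy editor writes
#     for Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies >
#     Certificate Services Client - Auto-Enrollment. AEPolicy = 7 means enabled (1) + renew expired /
#     update pending / remove revoked (2) + update certificates that use templates (4).
$gpo = 'PKI Autoenrollment'
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'OfflineExpirationPercent' -Type DWord -Value 10 | Out-Null
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'OfflineExpirationStoreNames' -Type MultiString -Value @('MY') | Out-Null

# On a member server, after 'gpupdate /target:computer /force', 'certutil -pulse' triggers the
# autoenrollment task immediately. Certificates obtained through a v2+ template carry the
# Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7), which is how to tell them apart.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } } |
    Select-Object Subject, NotAfter, Thumbprint
```

Autoenrollment only happens for templates on which the computer or user has Read, Enroll and Autoenroll (see the permissions above); the Group Policy setting alone issues nothing.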
Lesson 3: Using certificates in a business environment
Conditions for losing keys
 User profile is deleted or corrupted.
 Operating system is reinstalled.
 Disk is corrupted.
 Computer is stolen.
Key archival and recovery agents
 To use private key archival, you must enable this functionality on both the CA and the specific certificate templates, such as EFS.
 KRAs (Key Recovery Agents) are designated users who are able to retrieve, from the CA database, the original certificate, private key, and public key that were used to encrypt the data.
 When you have configured a CA to issue a KRA certificate, any user with Read and Enroll permissions on the KRA certificate template can enroll and become a KRA.
Key archival process
1. Configure the KRA certificate template.
  Grant the KRA: Read, Enroll
2. Publish the KRA template.
3. The KRA enrolls for a certificate based on the KRA template.
  Certificates MMC\Personal\All Tasks\Request a new certificate
  Select the Key Recovery Agent template
  The certificate is issued manually (the KRA template requires CA manager approval by default); use export/import if the KRA certificate has to be moved to another computer
4. Configure the recovery agents.
  Enable the KRA: <CAName> properties\Recovery Agents\Archive the key. Add one or more KRA certificates to the list.
5. Configure the desired templates with the option Archive subject's encryption private key.
6. Publish the template configured in the previous step.
Recovering a lost key

1. The domain administrator runs certutil -getkey <serialnumber> outputblob

2. The outputblob file is transferred to the recovery agent.
3. The recovery agent runs certutil -recoverkey outputblob <filename>.pfx
4. The <filename>.pfx file is transferred to the user who lost the key.
5. The user imports the certificate with the key from <filename>.pfx.

In the exercise, the KRA is at the same time the domain administrator.
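The recovery steps above scripted as the three separate halves they are in production (CA administrator, KRA, user). This is an added example, not code from the course; the CA configuration string, the serial number and the folder are assumptions.

```powershell
# Added example: two-party key recovery with certutil. Assumptions: the CA configuration string,
# the certificate serial number and the working folder are hypothetical; the KRA certificate with its
# private key is in the personal store of the account that runs the second half. The halves are
# separate on purpose: the CA administrator never holds the KRA key, and the KRA needs no CA access.
$caConfig = 'LON-SVR1.adatum.com\AdatumCA'
$serial   = '1a00000012b3c4d5e6f7a8b9000000000012'      # from the Issued Certificates view or certutil -view
$work     = Join-Path $env:TEMP 'key-recovery'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# --- Half 1 (certificate manager / CA administrator): pull the archived blob out of the CA database.
#     The blob holds the user's private key encrypted to the KRA public key(s); it is useless without them.
$blob = Join-Path $work "$serial.blob"
certutil -config $caConfig -getkey $serial $blob
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $blob)) { throw "certutil -getkey failed for serial $serial" }

# --- Half 2 (KRA, on the KRA's own workstation): decrypt the blob and produce a password-protected PFX.
#     The password goes on the command line, so generate a one-time value and hand it to the user
#     separately from the file.
$rnd = New-Object byte[] 18
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
$oneTimePassword = ($rnd | ForEach-Object { $_.ToString('x2') }) -join ''
$pfx = Join-Path $work "$serial.pfx"
certutil -p $oneTimePassword -recoverkey $blob $pfx
if ($LASTEXITCODE -ne 0) { throw 'certutil -recoverkey failed: is the KRA certificate (with private key) available here?' }

# --- Half 3 (user): import the recovered key, then destroy the intermediate files.
$securePwd = ConvertTo-SecureString $oneTimePassword -AsPlainText -Force
$imported  = Import-PfxCertificate -FilePath $pfx -CertStoreLocation 'Cert:\CurrentUser\My' -Password $securePwd
if (-not $imported.HasPrivateKey) { throw 'Import succeeded but no private key was restored' }
"Recovered $($imported.Subject), thumbprint $($imported.Thumbprint), serial $($imported.SerialNumber)"
Remove-Item $blob, $pfx -Force
```

Every -getkey and -recoverkey is logged by the CA (Audit Certification Services must be enabled in the audit policy) and should be matched to a ticket; a KRA certificate is as sensitive as the keys it can recover.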

Lesson 4: Implementing and managing smart cards


Smart Card?

Virtual Smart Card?

Lab: Deploying and using certificates

Estimated Time: 50 minutes

Virtual machines: 20742B-LON-DC1, 20742B-LON-SVR1, 20742B-LON-SVR2, and 20742B-LON-CL1

User name: Adatum\Administrator

Password: Pa55w.rd
Module 10: Implementing and administering AD FS
Lesson 1: Overview of AD FS
AD FS enables organizations to establish federation trusts and share resources across organizational and Active Directory Domain Services (AD DS) boundaries.

Identity federation
Identity federation enables the distribution of identification, authentication, and authorization across organizational and platform boundaries. It is not the same as an AD trust.

Claims-based identity and claims-based authentication?

Standard Windows authentication based on the Kerberos or NTLM protocols cannot easily be applied outside the boundaries of an AD DS forest. Implementing forest trust relationships has the following drawbacks:

 It requires opening multiple ports for communication with AD DS.
 Maintaining a large number of trust relationships can be cumbersome.
Claims-based authentication addresses the problems of applying conventional authentication outside the boundaries of AD DS domains and forests.

 With claims-based authentication, the user authenticates against the directory service located inside their own organization and is then issued a claim based on that authentication.
 The claim can then be presented to an application running in another organization.
 The application must be designed to grant access according to the presented claim.
 It is based on web services: SOAP, XML, WSDL and HTTPS. Web services are registered through the UDDI protocol.
 Claims are exchanged using the Security Assertion Markup Language (SAML, which is XML-based).
AD FS features
 Web SSO
 Interoperability with other vendors' software solutions
 Support for mobile phones, PDAs, and desktops
 Extensible architecture
New in the Windows Server 2016 implementation:
 Sign in with Azure Multi-Factor Authentication
 Password-less access from compliant devices
 Sign in with Windows Hello for Business
 Configure access control policies with a wizard
 Users in third-party, LDAP v3 compliant directories
AD FS deployment scenarios
 AD FS in a single organization:
  o The applications may not be running on Windows servers or on any servers that support AD DS authentication, or they run on Windows servers that are not domain-joined.
  o Multiple domains and forests that may be the result of mergers and acquisitions.
  o Users from outside the office who access internal applications and log on to computers that are not part of a Windows domain.
 B2B federation
 SSO with online services


AD FS requirements and planning
Components
 Federation server: issues, manages, and validates requests involving identity claims.
 Federation server proxy: an optional component that you usually deploy in a perimeter network (from Windows Server 2012 R2 on, this is the Web Application Proxy).
 Claim: a statement that is made by a trusted entity about an object such as a user. The claim could include the user's name, e-mail address, UPN, or last name.
 Claim rules: determine how claims are processed by the federation servers.
 Attribute store: AD FS uses an attribute store to look up claim values.
 Claims provider: the server that issues claims and authenticates users.
 Relying party: where the application is located; it enables the second side of the AD FS authentication and authorization process.
 Claims provider trust: configuration data that defines the rules under which a client may request claims from a claims provider and subsequently submit them to a relying party.
 Relying party trust: AD FS configuration data that provides claims about a user or client to a relying party.
 Certificates: AD FS uses digital certificates when communicating over SSL/TLS, and as part of the token issuing process, the token receiving process, and the metadata publishing process. Digital certificates are also used for token signing.
 Endpoints: Windows Communication Foundation (WCF) mechanisms that enable access to the AD FS technologies, including token issuance and metadata publishing.
AD FS prerequisites
 Network connectivity
 AD DS
 DNS
 PKI and certificate requirements
  o Service communication certificates
  o Token-signing certificates
  o Token-decrypting certificates
Planning a highly available AD FS deployment
 NLB (or another load balancer) in front of the federation servers, and an external SQL Server for the configuration database
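A relying party trust with explicit claim rules, plus a check of the three certificate types from the prerequisites list. This is an added example, not code from the course; the application name, its metadata URL and the group SID in the second rule are assumptions.

```powershell
# Added example: register a claims-aware application as a relying party on AD FS (Windows Server 2016)
# with explicit claim rules, then report on the service communication, token-signing and
# token-decrypting certificates. Assumptions: the metadata URL and the group SID are hypothetical;
# 'Permit everyone' is one of the built-in 2016 access control policies (use an MFA policy for
# anything reachable from the Internet).
Import-Module ADFS

$rpName = 'Adatum HR Portal'

# Issuance transform rules in the AD FS claim rule language. Rule 1 queries the Active Directory
# attribute store for the authenticated account's mail address and group SIDs; rule 2 turns one
# directory group into a role claim the application understands.
$transformRules = @'
@RuleName = "Send mail and group SIDs from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"),
          query = ";mail,tokenGroups;{0}", param = c.Value);

@RuleName = "HR group to role claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "HRStaff");
'@

Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataUrl 'https://hr.adatum.com/FederationMetadata/2007-06/FederationMetadata.xml' `
    -IssuanceTransformRules $transformRules `
    -AccessControlPolicyName 'Permit everyone' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Confirm what was stored; the relying party only ever receives the claims these rules emit.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, AccessControlPolicyName, MonitoringEnabled, IssuanceTransformRules

# Relying parties trust the token-signing certificate and encrypt to the token-decrypting one;
# an expired certificate stops every federated sign-in, so warn well ahead of NotAfter.
$certReport = foreach ($type in 'Service-Communications', 'Token-Signing', 'Token-Decrypting') {
    foreach ($c in Get-AdfsCertificate -CertificateType $type) {
        $daysLeft = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
        $warning  = if ($daysLeft -lt 60) { "expires in $daysLeft days" } else { '' }
        [pscustomobject]@{
            Type     = $type
            Primary  = $c.IsPrimary
            Subject  = $c.Certificate.Subject
            NotAfter = $c.Certificate.NotAfter
            Warning  = $warning
        }
    }
}
$certReport | Format-Table -AutoSize
```

With -MonitoringEnabled and -AutoUpdateEnabled, AD FS re-reads the relying party's metadata and picks up the application's own certificate rollover; the AD FS token-signing certificate still has to be published to every relying party before it is promoted to primary.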
Lesson 3 Deploying and configuring AD FS
Lesson 4 Web Application Proxy overview
Lab: Implementing AD FS
Virtual machines: 20742B-LON-DC1, 20742B-LON-SVR1, and 20742B-LON-CL1
User name: Adatum\Administrator
Virtual machine: 20742B-TREY-DC1.
User name: TreyResearch\Administrator
Password: Pa55w.rd
Module 11: Implementing and administering AD RMS
Lesson 1: Overview of AD RMS
A technology for persistent protection of documents.

 Scenario 1: The chief executive officer (CEO) copies a spreadsheet file containing the compensation packages of an organization's executives from a protected folder on a file server to the CEO's personal USB drive.
 Scenario 2: An internal document should be viewable by a group of authorized people within the organization. These people should not be able to edit or print the document.
 Scenario 3: People within the organization should not be able to forward sensitive e-mail messages that have been assigned a particular classification.
Components:
1. AD RMS cluster
  Root cluster: provides all AD RMS services.
  Licensing-only cluster: optional; provides only part of the root cluster's functionality and is useful in specific situations (for example, rights management for external business partners as part of an extranet that requires strict separation and tracking of access to resources).
2. Web services: the IIS role service
3. AD DS
4. Database services: storage of information about users, keys, and access logging. Windows Internal Database can also be used.
5. AD RMS client: installed automatically on Windows Vista and later; on older versions it must be added.
6. AD RMS-enabled application, for example Microsoft Office:
  Office 2003+
  Exchange 2007+
  SharePoint Server 2007+
  Adobe Reader through third-party components
Certificate types
 Server licensor certificate (SLC): identifies the AD RMS role installed on the server. The SLC is a self-signed certificate generated during the AD RMS setup. Other members of the root cluster share this SLC. If you create a licensing-only cluster, it generates its own SLC and shares it with the members of its cluster. The default duration of an SLC is 250 years.
 Machine certificate: identifies a trusted computer and contains the public key for that computer; one is created per user per computer.
The first time an AD RMS-enabled application is used, a machine certificate is created. The AD RMS client in Windows automatically manages this process with the AD RMS cluster. This certificate creates a lockbox on the computer to correlate the machine certificate with the user's profile. The machine certificate contains the public key for the activated computer. The private key is contained within the lockbox on the computer.
 Rights account certificate (RAC): identifies the user by e-mail address or SID.
RACs are issued to trusted users who have an e-mail-enabled account in AD DS. RACs are generated when the user first tries to open rights-protected content. Standard RACs identify users in relation to their computers and have a duration of 365 days. Temporary RACs do not tie the user to a specific computer and are valid for only 15 minutes. The RAC contains the public key of the user as well as his or her private key. The private key is encrypted with the public key of the machine certificate, so only the lockbox on that computer can unwrap it.
 Client licensor certificate (CLC): identifies a user who can apply RMS protection to documents even without a connection to the RMS server.
After the user has a RAC and launches an AD RMS-enabled application, the application automatically sends a request for a CLC to the AD RMS cluster. The client computer must be connected for this process to work, but after the CLC is obtained, the user can apply AD RMS policies even offline. Because the CLC is tied to the client's RAC, it is automatically invalidated if the RAC is revoked.
 Publishing license (PL): defines the rights and conditions of use for the data at the moment of publishing. The publishing license is created when the user saves content in a rights-protected mode. This license lists which users can use the content and under which conditions, as well as the rights each user has to the content. It includes the symmetric content key for decrypting the content, encrypted with the public key of the cluster, so that only the cluster can issue use licenses for it.
 Use license (UL): allows the document to be opened according to the previously defined publishing license. The use license is assigned to a user who opens rights-protected content. It is tied to the user's RAC and lists the access rights the user has to the content. If the RAC is not available, the user cannot work with rights-protected content. It contains the symmetric key for decrypting the content. This key is encrypted with the public key of the user.
What is Azure RMS?
Feature                                                                   AD RMS   Azure RMS   Azure RMS for Office 365
IRM for on-premises Exchange Server and SharePoint Server                 Yes      Yes         Yes
IRM for Exchange Online and SharePoint Online                             No       Yes         Yes
The ability to share with any organization without further configuration No       Yes         Yes
Default templates                                                         No       Yes         Yes
The ability to protect any file type                                      Yes      Yes         Yes
RMS protected document tracking                                           No       Yes         No
Mobile device support                                                     Yes      Yes         Yes


ADRMS Workflow

Lesson 2: Deploying and managing an AD RMS infrastructure


Preparation for installation:
1. Create the service account for the AD RMS service.
2. Create a DNS A record for the AD RMS cluster.
3. Install and configure the AD RMS role.
AD RMS client licensing
To use Rights Management Services in your AD DS environment, you must have Windows Rights Management Client Access Licenses (CALs). These CALs are different from the classic Windows Server CALs that you need to connect a client to the server.

Backup and Recovery Strategy


 Back up private key and certificates
 Ensure that the AD RMS database is backed up regularly
 Export templates to back them up
 Run AD RMS server as a virtual machine, and perform full server backup
Decommissioning and removing AD RMS
Prior to removing an AD RMS server, you should decommission that server. Decommissioning AD RMS puts the cluster into a state where consumers of AD RMS-protected content are able to obtain special keys that decrypt that content, irrespective of the existing restrictions that were placed on the use of that content. Leave the decommissioned cluster running until all protected content has been reopened and saved without protection; once the server is gone, the content can no longer be decrypted.

To decommission AD RMS, perform the following steps:

1. Sign in to the server that is hosting AD RMS, and that you wish to decommission.
2. Modify the access control list (ACL) of the file decommissioning.asmx. Grant the Everyone group Read & Execute permission on the file. This file is stored in the %systemdrive%\inetpub\wwwroot\_wmcs\decommission folder.
3. In the Active Directory Rights Management Services console, expand the Security Policies node, and then click the Decommissioning node.
4. In the Actions pane, click Enable Decommissioning.
5. Click Decommission.
6. When prompted to confirm that you want to decommission the server, click Yes.
AD RMS reports
External sharing
1. The best option is to establish a forest trust between the two forests.
2. Documents can also be shared with Windows Live IDs.
3. Microsoft Federation Gateway
4. Azure authentication
5. Alternatively, use Trusted User Domains and Trusted Publishing Domains.

TUD - Trusted User Domains

TPD - Trusted Publishing Domains
Lesson 3: Configuring AD RMS content protection

What are rights policy templates?

Collections of rights, content expiration policy, and additional configuration elements.

Template types
1. Distributed rights policy template
  available to users
  can be retired by archiving it, after which it becomes an archived rights policy template
2. Archived rights policy template
  not available to users
  can be used as the basis for new templates
Exclusion policies
 Exclusion policies allow you to prevent specific user accounts, client software, or applications from using AD RMS.
 User exclusion
 Application exclusion
 Lockbox exclusion (client version)
AD RMS Super Users group
 Members of this group can decrypt any rights-protected content file and remove rights protection from it.
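Because the Super Users group can strip protection from everything the cluster has ever licensed, a practitioner keeps it disabled and enables it only for a ticketed task. This is an added example, not code from the course; the cluster URL and group address are assumptions, and the AdRmsAdmin provider item path used here (SecurityPolicy\SuperUser with the IsEnabled and SuperUserGroup properties) should be confirmed with Get-ChildItem on your own cluster before relying on it.

```powershell
# Added example: control the AD RMS Super Users group through the AdRmsAdmin provider and wrap its
# use in an enable/disable pair that is logged. Assumptions: cluster URL and group address are
# hypothetical; the provider path Rms:\SecurityPolicy\SuperUser follows the AdRmsAdmin layout.
Import-Module AdRmsAdmin

$clusterUrl = 'https://adrms.adatum.com'          # the DNS name created for the cluster during setup
$superUsers = 'ADRMSSuperUsers@adatum.com'        # mail-enabled universal security group
New-PSDrive -Name Rms -PSProvider AdRmsAdmin -Root $clusterUrl | Out-Null

function Get-RmsSuperUserState {
    Get-ItemProperty -Path 'Rms:\SecurityPolicy\SuperUser' | Select-Object IsEnabled, SuperUserGroup
}

# Point the setting at the group but leave it disabled. Membership changes are then ordinary AD group
# changes visible in the directory audit trail, while use of the power still needs the explicit enable.
Set-ItemProperty -Path 'Rms:\SecurityPolicy\SuperUser' -Name SuperUserGroup -Value $superUsers
Set-ItemProperty -Path 'Rms:\SecurityPolicy\SuperUser' -Name IsEnabled -Value $false
Get-RmsSuperUserState

if (-not [System.Diagnostics.EventLog]::SourceExists('AD RMS Ops')) {
    New-EventLog -LogName Application -Source 'AD RMS Ops'
}

# Break-glass wrapper: enable, run the recovery action, and disable again even if the action fails.
function Invoke-WithRmsSuperUser {
    param(
        [Parameter(Mandatory)][scriptblock]$Action,
        [Parameter(Mandatory)][string]$TicketId
    )
    Write-EventLog -LogName Application -Source 'AD RMS Ops' -EventId 9001 -EntryType Warning `
        -Message "AD RMS Super Users enabled for ticket $TicketId by $env:USERDOMAIN\$env:USERNAME"
    Set-ItemProperty -Path 'Rms:\SecurityPolicy\SuperUser' -Name IsEnabled -Value $true
    try {
        & $Action
    }
    finally {
        Set-ItemProperty -Path 'Rms:\SecurityPolicy\SuperUser' -Name IsEnabled -Value $false
        Write-EventLog -LogName Application -Source 'AD RMS Ops' -EventId 9002 -EntryType Information `
            -Message "AD RMS Super Users disabled after ticket $TicketId"
    }
}

# Usage: the action is whatever RMS-enabled tooling the recovery needs (hypothetical script shown).
# Invoke-WithRmsSuperUser -TicketId 'INC-0042' -Action { & 'C:\Tools\Unprotect-Docs.ps1' -Path '\\fs01\legal\hold' }
```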
Lab: Implementing an AD RMS infrastructure
Estimated Time: 60 minutes

Virtual machines: 20742B-LON-DC1, 20742B-LON-SVR1, and 20742B-LON-CL1

User name: Adatum\Administrator

Password: Pa55w.rd
Module 12: Implementing AD DS synchronization with Microsoft Azure
AD
Lesson 1 Planning and preparing for directory synchronization
Azure AD?
 Azure AD is primarily an identity solution for Internet applications: HTTP port 80 and HTTPS port 443.
 There are no organizational units.
 Users and groups are not in a hierarchical structure.
 There are no GPOs.
 LDAP queries are not used; instead, a REST API over HTTP(S).
 It does not use Kerberos; it uses SAML (Security Assertion Markup Language), WS-Federation and OpenID Connect.
 Includes support for federation services.

Azure AD authentication options:
 Cloud-only
 Synchronization, one-way or two-way, of users, groups and attributes with AD DS
 AD FS SSO between the cloud and the AD DS system
 Users whose passwords are synchronized can use Office 365, Microsoft Dynamics CRM and Microsoft Intune
 When AD FS is used, Office 365, Microsoft Dynamics CRM and Microsoft Intune are likewise available
Identity management overview
Exchange Server sync
 Shared global address lists
 Synchronized GAL
 Sync users with Azure AD Connect
 Move some or all mailboxes to Office 365 from on-premises Exchange
 Safe and blocked senders synced from on-premises to Exchange Online
Azure AD object quota
 Up to 50,000
 Increased to 300,000 after verification of the first domain
 For more, contact Microsoft Technical Support
Network ports
 443

Capacity planning
AD FS and Azure AD
[Figure: AD FS and Azure AD sign-in flow. Participants: client computer, SaaS application, Azure AD, AD FS, AD DS domain controller; a federation trust exists between AD FS and Azure AD. The flow is numbered 1 to 11 in the original diagram.]
Lesson 2 Implementing directory synchronization by using Azure AD Connect
Preduslovi domena
 The AD schema version and forest functional level must be Windows Server 2003 or later. The
domain controllers can run any version as long as the schema and forest level requirements are
met.
 If you plan to use the feature password writeback, then the Domain Controllers must be on
Windows Server 2008 (with latest SP) or later. If your DCs are on 2008 (pre-R2), then you must
also apply hotfix KB2386717.
 The domain controller used by Azure AD must be writable. It is not supported to use a RODC
(read-only domain controller) and Azure AD Connect does not follow any write redirects.
 It is not supported to use on-premises forests/domains using SLDs (Single Label Domains).
 It is not supported to use on-premises forests/domains using "dotted" (name contains a period
".") NetBios names.
 It is recommended to enable the Active Directory recycle bin.

Azure AD Connect requirements

 Azure subscription
 Microsoft .NET Framework 4.5.1 or later
 Windows PowerShell 3.0 or later
 Microsoft Azure AD Module for Windows PowerShell (64-bit version)
 Azure AD Connect requires a SQL Server database to store identity data. By default, SQL Server 2012 Express LocalDB (a light version of SQL Server Express 2012 SP1) is installed.
  o Limited to a 10 GB database, approximately 100,000 objects
  o For more, use a full SQL Server edition (SQL Server 2008 SP4 through SQL Server 2014)

Overview of the synchronization configuration

Get-ADSyncScheduler

Configuring synchronization
Set-ADSyncScheduler -CustomizedSyncCycleInterval d.HH:mm:ss
Permissions and accounts
 Azure AD Global Administrator
 Enterprise Administrator account for your on-premises AD DS if
Lesson 3 Managing identities with directory synchronization

User writeback
For synchronization of accounts from Azure AD to on-premises AD DS to work, user writeback must be enabled.

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Initialize-ADSyncUserWriteBack -AdConnectorAccount administrator -UserWriteBackContainerDN "CN=Users,DC=adatum,DC=com"

Two software packages are prerequisites:

 Microsoft Online Services Sign-in Assistant v8, msoidcli_64.msi
 Windows Azure Active Directory Module for Windows PowerShell Setup, AdministrationConfig-EN.msi

Password writeback
Users can change their passwords via the login page or user settings in Azure AD; the new password is written back to on-premises AD DS.
$accountName = "Administrator"      # the AD DS connector account used by Azure AD Connect
$passwordOU  = "CN=Users,DC=adatum,DC=com"
Get-ADSyncConnector | fl Name, AADPasswordResetConfiguration
Get-ADSyncAADPasswordResetConfiguration -Connector "adatum.onmicrosoft.com - AAD"
Set-ADSyncAADPasswordResetConfiguration -Connector "adatum.onmicrosoft.com - AAD" -Enable $true
# Grant the connector account, on all user objects under $passwordOU (inherited, /I:S), the rights writeback needs:
# the Reset Password and Change Password control-access rights and write access to lockoutTime and pwdLastSet
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":CA;`"Reset Password`";user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":CA;`"Change Password`";user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":WP;lockoutTime;user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":WP;pwdLastSet;user'"
Invoke-Expression $cmd | Out-Null
Device writeback
Devices that are enrolled with Office 365 mobile device management (MDM) or Microsoft Intune can sign in to AD FS-controlled resources based on the user and the device they are on.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Initialize-ADSyncDeviceWriteback {Optional: -DomainName [name]} {Optional: -AdConnectorAccount [account]}

Prerequisites

 AD DS forest at the Windows Server 2012 R2 functional level
 AD FS v3, i.e. at least Windows Server 2012 R2

Bulk activation
User accounts that you create in Azure AD through directory synchronization are not automatically activated for cloud services such as Office 365. An activated (licensed) user has the attribute isLicensed=True.

1. Connect-MsolService
   Enter the online administrator credentials:
   adatum01@adatum12244.onmicrosoft.com
   Pa55w.rd1
2. Get-MsolUser | Where-Object { $_.isLicensed -eq $false }
3. Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses <AccountSkuId>
   (the users must have a UsageLocation set first; Get-MsolAccountSku lists the SKU names)
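Step 3 above fails for any user without a UsageLocation and licenses everybody it finds; a production version sets the location, limits itself to a pilot group and checks the free license count. This is an added example, not code from the course; the SKU suffix, the pilot group and the usage location are assumptions.

```powershell
# Added example: license synchronized users in bulk with the MSOnline module the notes use.
# Assumptions: the SKU suffix ENTERPRISEPACK, the AD group O365-Pilot and the usage location GB
# are hypothetical.
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService            # prompts for the Azure AD global administrator credentials

$skuId    = (Get-MsolAccountSku | Where-Object AccountSkuId -like '*:ENTERPRISEPACK').AccountSkuId   # e.g. adatum:ENTERPRISEPACK
$location = 'GB'
$pilot    = Get-ADGroupMember -Identity 'O365-Pilot' -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties UserPrincipalName |
            Select-Object -ExpandProperty UserPrincipalName

$sku  = Get-MsolAccountSku | Where-Object AccountSkuId -eq $skuId
$free = $sku.ActiveUnits - $sku.ConsumedUnits
"$skuId : $($sku.ActiveUnits) licenses, $free free"

$result = foreach ($upn in $pilot) {
    $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $u)       { [pscustomobject]@{ User = $upn; Action = 'not synchronized yet' }; continue }
    if ($u.IsLicensed) { [pscustomobject]@{ User = $upn; Action = 'already licensed' };      continue }
    if ($free -le 0)   { [pscustomobject]@{ User = $upn; Action = 'no free license' };       continue }

    # UsageLocation is mandatory before a license can be assigned
    if (-not $u.UsageLocation) { Set-MsolUser -UserPrincipalName $upn -UsageLocation $location }
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $skuId
    $free--
    [pscustomobject]@{ User = $upn; Action = "licensed with $skuId" }
}
$result | Format-Table -AutoSize

# Verify from the tenant side: nobody from the pilot group should remain unlicensed
Get-MsolUser -UnlicensedUsersOnly | Where-Object { $pilot -contains $_.UserPrincipalName } |
    Select-Object UserPrincipalName, UsageLocation
```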

Group writeback
The group writeback feature also writes groups from Azure AD to on-premises AD DS.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'

Initialize-ADSyncGroupWriteBack -AdConnectorAccount $accountName -GroupWriteBackContainerDN $groupOU

Prerequisite

The AD DS forest must be running Windows Server 2012 R2


Module 13: Monitoring, managing, and recovering AD DS
Lesson 1: Monitoring AD DS
Tools
1. Task Manager
  Real time
2. Resource Monitor
  Real time
3. Event Viewer
  Events
4. Performance Monitor
  Real time
  Data collector sets
   i. Logged monitoring
   ii. Alert based
5. Windows PowerShell
Important performance counters include:
 CPU
 Memory
 Disk
 Network
 AD DS:
  o NTDS\DRA Inbound Bytes Total/sec
  o NTDS\DRA Inbound Objects/sec
  o NTDS\DRA Outbound Bytes Total/sec
  o NTDS\DRA Pending Replication Synchronizations
  o Security System-Wide Statistics\Kerberos Authentications
  o Security System-Wide Statistics\NTLM Authentications
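Sampling the counters above from PowerShell and comparing them with a baseline. This is an added example, not code from the course; the threshold values are illustrative and should be replaced by figures from your own data collector set.

```powershell
# Added example: sample the AD DS counters for one minute on a domain controller and flag values
# outside assumed limits. Thresholds are illustrative, not from the course.
$counters = @(
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Inbound Objects/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\Security System-Wide Statistics\Kerberos Authentications',
    '\Security System-Wide Statistics\NTLM Authentications',
    '\NTDS\LDAP Client Sessions',
    '\Processor(_Total)\% Processor Time'
)
# Pending synchronizations should drain towards zero; a rising share of NTLM relative to Kerberos
# usually points at a missing SPN, connections by IP address instead of name, or a relay attempt.
$limits = @{
    '\NTDS\DRA Pending Replication Synchronizations'         = 50
    '\Security System-Wide Statistics\NTLM Authentications'  = 20
    '\Processor(_Total)\% Processor Time'                    = 80
}

$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12

$report = foreach ($path in $counters) {
    $values = foreach ($s in $samples) {
        ($s.CounterSamples | Where-Object { $_.Path -like "*$path" }).CookedValue
    }
    $stats = $values | Measure-Object -Average -Maximum
    $limit = $limits[$path]
    $alert = if ($limit -and $stats.Maximum -gt $limit) { "above $limit" } else { '' }
    [pscustomobject]@{
        Counter = $path
        Average = [math]::Round($stats.Average, 2)
        Maximum = [math]::Round($stats.Maximum, 2)
        Alert   = $alert
    }
}
$report | Format-Table -AutoSize

# NTLM as a share of all authentications over the window
$ntlm = ($report | Where-Object Counter -like '*NTLM*').Average
$krb  = ($report | Where-Object Counter -like '*Kerberos*').Average
if (($ntlm + $krb) -gt 0) { 'NTLM share of authentications: {0:P1}' -f ($ntlm / ($ntlm + $krb)) }
```

The same counter paths go into a data collector set for the logged and alert-based monitoring listed under Performance Monitor; a one-minute sample like this is only useful once a baseline exists to compare it with.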
Data Collector Sets

Lesson 2: Managing the Active Directory database


Ntdsutil
 Manage and control single-master (FSMO) operations
 Perform Active Directory database maintenance:
  o Perform offline defragmentation
  o Create and mount snapshots
  o Move database files
 Clean domain controller metadata:
  o Removal or demotion of a domain controller while it is not connected to the domain
 Reset the DSRM password:
  o set dsrm password
FSMO role transfer or seizure with ntdsutil
1. ntdsutil
2. roles
3. connections
4. connect to server <servername>
5. quit
6. One of the following, depending on the role (seize only when the current holder is permanently lost):
  seize infrastructure master
  seize naming master
  seize PDC
  seize RID master
  seize schema master

  transfer infrastructure master
  transfer naming master
  transfer PDC
  transfer RID master
  transfer schema master

7. quit
8. quit

PowerShell

To transfer all 5 FSMO roles:

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

Transfer all 5 FSMO roles using numbers:

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4

Seize the roles using the -Force parameter (only when the current holder is permanently unavailable; a DC whose roles were seized must not be brought back into the domain without being rebuilt):

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force

Of course, the short version could have been used:

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4 -Force

In the command line syntax you can use role numbers in place of the role names. The following list details the role number for each of the five FSMO roles.
PDC Emulator: 0
RID Master: 1
Infrastructure Master: 2
Schema Master: 3
Domain Naming Master: 4

Understanding restartable AD DS
Lesson 3: Active Directory backup and recovery options for AD DS and other identity and access solutions
AD backup
 AD Recycle Bin
 System state backup
  o Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature
  o wbadmin start systemstatebackup -backuptarget:<backup location> -quiet
 Full server backup
  o wbadmin start backup -allcritical -backuptarget:<backup location> -quiet
AD restore
 Non-authoritative restore:
1. Boot into Directory Services Restore Mode.
2. List the available system state backups:
   wbadmin get versions
3. Note the version identifier.
4. Start the restore: wbadmin start systemstaterecovery -version:<version>, for example
   wbadmin start systemstaterecovery -version:12/03/2007-18:25
5. Restart.

 Authoritative restore
Performed immediately after a non-authoritative restore, before the first restart, for the objects that must win over the replicas held by the other domain controllers:

1. ntdsutil
2. activate instance ntds
3. authoritative restore
4. restore database, or restore subtree ou=ouname,dc=dcname,dc=dcname
5. quit
6. quit
7. restart
Snapshots
Creating a snapshot
1. ntdsutil
2. ntdsutil: snapshot
3. snapshot: activate instance ntds
4. snapshot: create
5. snapshot: quit
6. ntdsutil: quit
Deleting stale snapshots

1. ntdsutil
2. ntdsutil: snapshot
3. snapshot: list all
   1: 2007/12/03:23:18 {42c44414-c099-4f1e-8bd8-4453ef2534a4}
   2: C: {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022}
   3: D: {2bbd739f-905a-431b-9449-11fba01f9931}
4. snapshot: delete 1
   (index 1 is the snapshot set, so both volume snapshots are deleted)
5. snapshot: quit
6. ntdsutil: quit

Mounting a snapshot
1. ntdsutil
2. ntdsutil: snapshot
3. snapshot: list all
   1: 2007/12/03:23:18 {42c44414-c099-4f1e-8bd8-4453ef2534a4}
   2: C: {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022}
   3: D: {2bbd739f-905a-431b-9449-11fba01f9931}
4. snapshot: mount 1
   Snapshot {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022} mounted as C:\$SNAP_200712032318_VOLUMEC$\
   Snapshot {2bbd739f-905a-431b-9449-11fba01f9931} mounted as C:\$SNAP_200712032318_VOLUMED$\
5. snapshot: quit
6. ntdsutil: quit
Starting an AD LDS instance that exposes the contents of the snapshot
 Run dsamain from cmd.exe: in PowerShell the $SNAP_...$ part of the path would be expanded as a variable unless the path is put in single quotes
 dsamain -dbpath c:\$snap_200712032318_volumed$\windows\ntds\ntds.dit -ldapport 10000
 Browse it with ldp.exe or Active Directory Users and Computers connected to <server>:10000. A mounted snapshot contains every password hash in the domain, so stop dsamain and unmount when finished, and delete snapshots that are no longer needed.

Enabling the Recycle Bin:

 Through Active Directory Administrative Center
 Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
 Requires the Windows Server 2008 R2 forest functional level and cannot be disabled afterwards; objects deleted before it was enabled cannot be recovered with it

Restoring a deleted object when the Recycle Bin is used

 Through Active Directory Administrative Center
 Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject
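The one-liner above restores a single object. Restoring a deleted OU with its contents needs the parent back before the children, which is what the following does. This is an added example, not code from the course; the OU name and its parent are assumptions.

```powershell
# Added example: restore a deleted OU together with everything that was inside it from the Recycle Bin.
# Restore-ADObject refuses a child whose parent is still deleted, so the subtree is walked top-down
# from the OU. Assumptions: the OU name and parent are hypothetical, and the Recycle Bin was enabled
# before the deletion (objects deleted earlier are tombstones and cannot be restored this way).
Import-Module ActiveDirectory

function Restore-ADSubtree {
    param(
        [Parameter(Mandatory)][string]$RootRdnValue,   # the OU name as it was, e.g. 'Research'
        [Parameter(Mandatory)][string]$RootParentDn    # where the OU lived, e.g. 'DC=adatum,DC=com'
    )
    $deletedObjectsDn = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"

    # 1. The root. msDS-LastKnownRDN holds the original RDN value and lastKnownParent the original
    #    parent, so an OU of the same name deleted from elsewhere is not picked up; take the newest.
    $root = Get-ADObject -SearchBase $deletedObjectsDn -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$RootRdnValue)(lastKnownParent=$RootParentDn))" `
        -Properties whenChanged |
        Sort-Object whenChanged -Descending | Select-Object -First 1
    if (-not $root) { throw "No deleted '$RootRdnValue' under $RootParentDn in the Recycle Bin" }

    $restored = New-Object System.Collections.Generic.List[string]
    $live = Restore-ADObject -Identity $root.ObjectGUID -PassThru
    $restored.Add($live.DistinguishedName)

    # 2. Breadth-first over the children. A tree delete removes the leaves first, so each child's
    #    lastKnownParent is the original DN of its container, which the container has again once restored.
    $queue = New-Object System.Collections.Generic.Queue[string]
    $queue.Enqueue($live.DistinguishedName)
    while ($queue.Count -gt 0) {
        $parentDn = $queue.Dequeue()
        $children = Get-ADObject -SearchBase $deletedObjectsDn -IncludeDeletedObjects `
            -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$parentDn))"
        foreach ($child in $children) {
            $c = Restore-ADObject -Identity $child.ObjectGUID -TargetPath $parentDn -PassThru
            $restored.Add($c.DistinguishedName)
            if ($c.ObjectClass -in @('organizationalUnit', 'container')) { $queue.Enqueue($c.DistinguishedName) }
        }
    }
    return $restored
}

# Usage (hypothetical OU). The Recycle Bin preserves link-valued attributes such as group membership,
# unlike tombstone reanimation, but verify memberships and the GPO links on the restored OU anyway.
Restore-ADSubtree -RootRdnValue 'Research' -RootParentDn 'DC=adatum,DC=com'
```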

Lab: Recovering objects in AD DS 13-27


Estimated Time: 60 minutes

Virtual machine: 20742B-LON-DC1

User name: Adatum\Administrator

Password: Pa55w.rd

For this lab, you need to
