
Module 3: Managing Active Directory Domain Services Objects

Lesson 1: Managing User Accounts


AD DS Administration Tools
To manage AD DS objects, you can use the following graphical tools:
 Active Directory Administration snap-ins
 Active Directory Administrative Center
You can also use the following command line tools:
 Active Directory module in Windows PowerShell
 Directory Service commands

Lesson 2: Managing Groups


Group Types
Distribution groups:
 •Used only with email applications
 •Not security-enabled (no SID); cannot be given permissions
Security groups:
 •Security principal with an SID; can be given permissions
 •Can also be email-enabled
Both security groups and distribution groups can be converted to the other type of group.
Group Scopes

Group scope    Members from the same domain         Members from other domains   Members from trusted   Can be assigned permissions to
                                                    in the same forest           external domains       resources
Local          U, C, GG, DLG, UG, and local users   U, C, GG, UG                 U, C, GG               On the local computer only
Domain Local   U, C, GG, DLG, UG                    U, C, GG, UG                 U, C, GG               Anywhere in the domain
Universal      U, C, GG, UG                         U, C, GG, UG                 N/A                    Anywhere in the forest
Global         U, C, GG                             N/A                          N/A                    Anywhere in the domain or a trusted domain

Legend: U = User, C = Computer, GG = Global Group, DLG = Domain Local Group, UG = Universal Group
Implementing Group Management
 I   Identities (users or computers), which are members of
 G   Global groups, which collect members based on their roles, which are members of
 DL  Domain local groups, which represent one level of access to a resource, which are
 A   Assigned access to the resource
*This best practice for nesting groups is known as IGDLA.
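The IGDLA chain above, implemented end to end with the Active Directory module. This is an added example, not code from the course notes; the OU paths, group names, user names and the folder path are assumptions.

```powershell
# Added example (not part of the original course notes): implementing IGDLA.
# OU paths, group names, member names and the share folder are assumptions.
Import-Module ActiveDirectory

$roleOU     = 'OU=Roles,OU=Groups,DC=adatum,DC=com'      # assumed OU for role (global) groups
$resourceOU = 'OU=Resources,OU=Groups,DC=adatum,DC=com'  # assumed OU for resource (domain local) groups
$folder     = 'D:\Shares\Sales'                           # assumed folder on the file server

# G: a global group that collects identities by role
New-ADGroup -Name 'Role-SalesStaff' -Path $roleOU -GroupScope Global -GroupCategory Security `
            -Description 'Role: members of the Sales department'

# DL: a domain local group that stands for one level of access to one resource
New-ADGroup -Name 'ACL-Sales-Modify' -Path $resourceOU -GroupScope DomainLocal -GroupCategory Security `
            -Description 'Modify access to \\LON-SVR1\Sales'

# I -> G: identities go into the role group (SamAccountNames assumed)
Add-ADGroupMember -Identity 'Role-SalesStaff' -Members 'Joe', 'Sten'

# G -> DL: the role group is nested in the resource group; users never go in directly
Add-ADGroupMember -Identity 'ACL-Sales-Modify' -Members 'Role-SalesStaff'

# DL -> A: the resource group is the only principal that appears in the ACL.
# Run this part on the file server; a domain local group can be used anywhere in its own domain.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'ADATUM\ACL-Sales-Modify', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: who effectively has Modify on the folder, resolved through the nesting chain
Get-ADGroupMember -Identity 'ACL-Sales-Modify' -Recursive | Select-Object Name, ObjectClass
```

Adding a new person to Sales is then a single Add-ADGroupMember on Role-SalesStaff; no ACL on the file server changes, and the recursive membership query at the end is the audit of who can actually write to the share.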

Default Groups
•Carefully manage the default groups that provide administrative privileges, because these groups:
 •Typically have broader privileges than are necessary for most delegated environments
 •Often apply protection to their members: AdminSDHolder (SDProp) stamps adminCount=1 on members of the protected groups and periodically rewrites their ACLs, so delegated permissions set on those accounts do not stick
Group               Location
Enterprise Admins   Users container of the forest root domain
Schema Admins       Users container of the forest root domain
Administrators      Built-in container of each domain
Domain Admins       Users container of each domain
Server Operators    Built-in container of each domain
Account Operators   Built-in container of each domain
Backup Operators    Built-in container of each domain
Print Operators     Built-in container of each domain
Cert Publishers     Users container of each domain
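A check that goes with the table: who is really in the administrative groups once nesting is expanded, and which of them carry AdminSDHolder protection. This is an added example, not part of the course notes; it assumes the Active Directory module and a forest with the default group names.

```powershell
# Added example (not part of the original course notes): expand the real
# membership of the default administrative groups and flag members that
# carry AdminSDHolder protection (adminCount = 1).
Import-Module ActiveDirectory

$privilegedGroups = 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Domain Admins',
                    'Server Operators', 'Account Operators', 'Backup Operators', 'Print Operators'
$forestRoot = (Get-ADForest).RootDomain
$thisDomain = (Get-ADDomain).DNSRoot

$report = foreach ($groupName in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain
    $server = if ($groupName -in 'Enterprise Admins', 'Schema Admins') { $forestRoot } else { $thisDomain }
    try {
        # -Recursive expands nested groups so indirectly privileged accounts are not missed
        $members = Get-ADGroupMember -Identity $groupName -Server $server -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "$groupName on $server could not be expanded: $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        # A member may live in another domain: derive its domain from the DC= parts of its DN
        $memberDomain = ($m.DistinguishedName -split ',DC=' | Select-Object -Skip 1) -join '.'
        $obj = Get-ADObject -Identity $m.DistinguishedName -Server $memberDomain -Properties adminCount, whenChanged
        [pscustomobject]@{
            Group       = $groupName
            Member      = $m.SamAccountName
            Class       = $m.objectClass
            Protected   = ($obj.adminCount -eq 1)   # stamped by SDProp (every 60 minutes by default, on the PDC emulator)
            LastChanged = $obj.whenChanged
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Users in a protected group that are not yet stamped were added since the last SDProp run:
# worth a second look, because nobody should be landing in these groups unnoticed.
$report | Where-Object { $_.Class -eq 'user' -and -not $_.Protected }
```

Run it on a schedule and diff the output: a new line in the report is a new privileged account, whether it arrived directly or through a nested group.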
Special Identities
•Special identities:
 •Are groups for which membership is controlled by the operating system
 •Can be used by the Windows Server operating system to provide access to resources:
  •Based on the type of authentication or connection
  •Not based on the user account
•Important special identities include:
 •Anonymous Logon
 •Authenticated Users
 •Everyone
 •Interactive
 •Network
 •Creator Owner
Managing Groups
Lesson 3: Managing Computer Accounts
Specifying the Location of Computer Accounts
•Best practice is to create Organizational Units (OUs) for computer objects
 Servers
 Typically subdivided by server role
 Client computers
 Typically subdivided by region
•Divide OUs:
 By administration
 To facilitate configuration with Group Policy
Performing an Offline Domain Join
Offline domain join (djoin.exe) joins a computer to a domain without the computer contacting a domain controller. The provisioning step runs on a domain-joined computer that can reach a DC and writes a domain join file (blob); the blob contains the new machine account's password, so protect it in transit and delete it after use.
•On a domain-joined computer, provision the computer account and create the domain join file:
djoin.exe /provision /domain <domain name> /machine <computer name> /savefile <filepath>
•On the offline computer, or against an offline image, import the domain join file:
djoin.exe /requestODJ /loadfile <filepath> /windowspath <path to the Windows directory of the offline image>
(When the target is the running operating system rather than an offline image, use /windowspath %SystemRoot% /localos.)

Computer Accounts and Secure Channels


•Computers have accounts
 •sAMAccountName (the computer name with a trailing $) and a password, which the computer rotates itself (every 30 days by default)
 •Used to create a secure channel between the computer and a domain controller
•Scenarios where a secure channel can be broken
 •Reinstalling a computer, even with the same name, generates a new SID and a new password
 •Restoring a computer from an old backup, or rolling back a computer to an old snapshot
 •Computer and domain disagree about what the password is
Resetting the Secure Channel
•Do not delete a computer from the domain and rejoin
 •This process creates a new account, resulting in new SID and lost group memberships
•Options for resetting the secure channel
 •Active Directory Users and Computers
 •DSMod.exe
 •NetDom.exe
 •NLTest.exe
 •Windows PowerShell
Bring Your Own Device
AD FS has been enhanced to support bring your own device programs:
 •Workplace Join: creates an AD DS device object for consumer devices
 •Multi-Factor Access Control: increases security by using claims-based authorization rules
 •Multi-Factor Authentication: increases security by requiring more than one form of authentication
 •Web Application Proxy: allows applications to be securely published to the Internet

Lesson 4: Delegating Administration


Considerations for Using Organizational Units
•OUs allow you to subdivide the domain for management purposes
•OUs are used for:
 •Delegation of control
 •Application of GPOs
•The OU structure can be:
 •Flat, one to two levels deep
 •Deep, more than 5 levels deep
 •Narrow, anything in between
Effective AD DS Permissions
Permissions assigned to users and groups accumulate
Best practice is to assign permissions to groups, not to individual users
In the event of conflicts:
 •Deny permissions override Allow permissions
 •Explicit permissions override inherited permissions
 •An explicit Allow therefore overrides an inherited Deny
To evaluate effective permissions, you can use:
 •The Effective Access tab (Advanced Security Settings of the object)
 •Manual analysis of the object's ACL, including inherited entries
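Delegation and effective permissions in practice: grant a help-desk group the "Reset password" right on user objects in one OU, then list the explicit (non-inherited) ACEs so the delegation can be audited. This is an added example, not from the course notes; the OU, group and domain names are assumptions, while the two GUIDs are the well-known schema identifiers of the Reset Password control access right and the user object class.

```powershell
# Added example (not part of the original course notes): delegate "Reset
# password" on user objects under one OU, then audit the explicit ACEs.
# OU, group and domain names are assumptions.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl/Set-Acl

$ouDN  = 'OU=Marketing,DC=adatum,DC=com'
$group = Get-ADGroup -Identity 'HelpDesk-PasswordReset'

# Well-known schema GUIDs: the "Reset Password" control access right and the
# user object class. Scoping the ACE to user objects keeps it from applying to
# computers or other object types that live in the same OU.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userObjectClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,   # .NET spelling
    $userObjectClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Audit: explicit (non-inherited) ACEs on the OU are the delegations made here.
# Deny entries are sorted first because they win over Allow during evaluation.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited } |
    Sort-Object AccessControlType |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

The audit query is the "manual analysis" from the list above made repeatable: run it against every OU where delegation is expected and anything that is not in your delegation model shows up as an explicit ACE. Remember that members of the protected groups in Lesson 2 are exempt, because SDProp replaces their ACLs with the AdminSDHolder template.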

Module 4: Automating Active Directory Domain Services Administration


Lesson 1: Using Command-line Tools for AD DS Administration
•Benefits of Using Command-Line Tools for AD DS Administration
 •What Is Csvde?
 •What Is Ldifde?
 •What Are DS Commands?
Benefits of Using Command-Line Tools for AD DS Administration
Command-line tools allow you to automate AD DS administration
Benefits of using command-line tools:
 •Faster implementation of bulk operations
 •Customized processes for AD DS administration
 •AD DS administration on server core
What Is Csvde?
Use csvde to export objects to a .csv file:
 -f filename
 -d RootDN
 -p SearchScope
 -r Filter
 -l ListOfAttributes
Use csvde to create objects from a .csv file (csvde can only add objects, not modify or delete them):
csvde -i -f filename -k

What Is Ldifde?
Use ldifde to export objects to an LDIF file:
 -f filename
 -d RootDN
 -r Filter
 -p SearchScope
 -l ListOfAttributes
 -o ListOfAttributesToOmit
Use ldifde to create, modify, or delete objects:
ldifde -i -f filename -k

What Are DS Commands?


Windows Server 2012 includes command-line tools (the DS commands) that are suitable for use in scripts
Examples:
•To modify the department of a user account, type:
dsmod user "CN=Joe Healy,OU=Managers,DC=adatum,DC=com" -dept IT
•To display the email of a user account, type:
dsget user "CN=Joe Healy,OU=Managers,DC=adatum,DC=com" -email
•To delete a user account, type:
dsrm "CN=Joe Healy,OU=Managers,DC=adatum,DC=com"
•To create a new user account, type:
dsadd user "CN=Joe Healy,OU=Managers,DC=adatum,DC=com"
Using Windows PowerShell Cmdlets to Manage User Accounts
Cmdlet Description
New-ADUser Creates user accounts
Set-ADUser Modifies properties of user accounts
Remove-ADUser Deletes user accounts
Set-ADAccountPassword Resets the password of a user account
Set-ADAccountExpiration Modifies the expiration date of a user account
Unlock-ADAccount Unlocks a user account after it has become locked after too many incorrect login attempts
Enable-ADAccount Enables a user account
Disable-ADAccount Disables a user account

New-ADUser "Sten Faerch" -AccountPassword (Read-Host -AsSecureString "Enter password") -Department IT

The new account is created disabled unless you also pass -Enabled $true, and enabling only succeeds if the supplied password meets the domain password policy.

Using Windows PowerShell Cmdlets to Manage Groups


Cmdlet Description
New-ADGroup Creates new groups
Set-ADGroup Modifies properties of groups
Get-ADGroup Displays properties of groups
Remove-ADGroup Deletes groups
Add-ADGroupMember Adds members to groups
Get-ADGroupMember Displays membership of groups
Remove-ADGroupMember Removes members from groups
Add-ADPrincipalGroupMembership Adds group membership to objects
Get-ADPrincipalGroupMembership Displays group membership of objects
Remove-ADPrincipalGroupMembership Removes group membership from an object

New-ADGroup -Name "CustomerManagement" -Path "ou=managers,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "CustomerManagement" -Members "Joe"

Using Windows PowerShell Cmdlets to Manage Computer Accounts


Cmdlet Description
New-ADComputer Creates new computer accounts
Set-ADComputer Modifies properties of computer accounts
Get-ADComputer Displays properties of computer accounts
Remove-ADComputer Deletes computer accounts
Test-ComputerSecureChannel Verifies or repairs the trust relationship between a computer and the domain
Reset-ComputerMachinePassword Resets the password for a computer account

New-ADComputer -Name "LON-SVR8" -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true

Test-ComputerSecureChannel -Repair
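The cmdlets in the table applied to the broken-secure-channel scenarios from Lesson 3: test the channel, repair it in place, and confirm from the directory side. This is an added example, not from the course notes; run it on the affected member as a local administrator, and note that the domain controller name is an assumption.

```powershell
# Added example (not part of the original course notes): verify the secure
# channel on a domain member and repair it in place instead of leaving and
# rejoining the domain (which would create a new computer object: new SID,
# lost group memberships). The DC name is an assumption.
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel to $domain is healthy; nothing to do."
} else {
    Write-Warning "Secure channel to $domain is broken (typical after a restore from backup or a snapshot rollback)."
    # Repair negotiates a new machine account password with a DC. The existing
    # computer object is kept, so its SID and group memberships survive. The
    # credential only needs the right to reset the password on this computer object.
    $cred = Get-Credential -Message 'Account allowed to reset this computer account (e.g. ADATUM\Administrator)'
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Host 'Secure channel repaired.'
    } else {
        # Fallback: set a new machine password directly against a named DC
        Reset-ComputerMachinePassword -Server 'LON-DC1.adatum.com' -Credential $cred
    }
}

# Cross-check from the directory side (needs the AD module from RSAT): the
# machine account's pwdLastSet should now be recent. The attribute replicates,
# so query the DC that handled the repair if the value looks stale.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADComputer -Identity $env:COMPUTERNAME -Properties pwdLastSet |
        Select-Object Name, @{ n = 'PasswordLastSet'; e = { [datetime]::FromFileTime($_.pwdLastSet) } }
}
```

If the repair fails even with valid credentials, the usual cause is that the computer object was deleted or recreated (for example by a reinstall with the same name); then the account genuinely no longer matches and a rejoin is the only option.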

Using Windows PowerShell Cmdlets to Manage OUs


Cmdlet                       Description
New-ADOrganizationalUnit     Creates organizational units (OUs); protection from accidental deletion is on by default
Set-ADOrganizationalUnit     Modifies properties of OUs
Get-ADOrganizationalUnit     Views properties of OUs
Remove-ADOrganizationalUnit  Deletes OUs (fails while ProtectedFromAccidentalDeletion is set; clear it with Set-ADOrganizationalUnit first)

New-ADOrganizationalUnit -Name "Sales" -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true

Lesson 3: Performing Bulk Operations with Windows PowerShell


What Are Bulk Operations?
•A bulk operation is a single action that changes multiple objects
•Sample bulk operations
 Create user accounts based on data in a spreadsheet
 Disable all accounts not used in 6 months
 Rename the department for many users
•You can perform bulk operations by using:
 Graphical tools
 Command-line tools
 Script

Querying Objects with Windows PowerShell


Parameter Description
SearchBase Defines the AD DS path to begin searching.
SearchScope Defines at what level below the SearchBase a search should be performed.
ResultSetSize Defines how many objects to return in response to a query.
Properties Defines which object properties to return and display.
Filter Defines a filter by using PowerShell syntax
LDAPFilter Defines a filter by using LDAP query syntax

Descriptions of operators
-eq    Equal to
-ne    Not equal to
-gt    Greater than
-ge    Greater than or equal to
-lt    Less than
-like  Uses wildcards for pattern matching

Show all the properties for a user account (Get-ADUser has no -Name parameter; the account is selected with -Identity):

Get-ADUser -Identity "Administrator" -Properties *
Show all the user accounts in the Marketing OU and all its subcontainers:
Get-ADUser -Filter * -SearchBase "ou=Marketing,dc=adatum,dc=com" -SearchScope Subtree
Show all of the user accounts with a last logon date older than a specific date:
Get-ADUser -Filter {lastlogondate -lt "January 1, 2012"}
Show all of the user accounts in the Marketing department that have a last logon date older than a specific date:
Get-ADUser -Filter {(lastlogondate -lt "January 1, 2012") -and (department -eq "Marketing")}

Modifying Objects with Windows PowerShell


Use the pipe character ( | ) to pass a list of objects to a cmdlet for further processing:
Get-ADUser -Filter {company -notlike "*"} | Set-ADUser -Company "A. Datum"
Get-ADUser -Filter {lastlogondate -lt "January 1, 2012"} | Disable-ADAccount
Get-Content C:\users.txt | Disable-ADAccount
The third line expects one account identity (sAMAccountName or distinguished name) per line in the file. Before running any of these against production, append -WhatIf to the last cmdlet to see which objects would change without changing them, and remember that LastLogonDate comes from lastLogonTimestamp, which replicates with up to 14 days of lag and is empty for accounts that have never logged on.
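The "disable all accounts not used in 6 months" bulk operation done carefully: dry run first, a rollback file, the never-logged-on case handled, and the reason recorded on the object. This is an added example, not from the course notes; the report path and the 180-day threshold are assumptions.

```powershell
# Added example (not part of the original course notes): disable user accounts
# that have not logged on for 180 days, with a dry run and a rollback file.
# The report path is an assumption.
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-180)
$log    = 'C:\Reports\DisabledStale.csv'

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
# 14 days of lag: fine for a 180-day threshold, not for day-exact decisions.
# Accounts that never logged on have no LastLogonDate and would be skipped by a
# plain "-lt" filter, so they are caught on whenCreated instead.
$candidates = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    }
# Never bulk-disable the built-in accounts
$stale = $candidates | Where-Object { $_.SamAccountName -notin 'Administrator', 'krbtgt', 'Guest' }

# Rollback record first, then a dry run that changes nothing
$stale | Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated |
    Export-Csv -Path $log -NoTypeInformation
$stale | Disable-ADAccount -WhatIf

# After review, run for real and leave an audit trail on the object itself
foreach ($user in $stale) {
    $last = if ($user.LastLogonDate) { $user.LastLogonDate } else { $user.whenCreated }
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description ('Disabled {0:yyyy-MM-dd}: no logon since {1:yyyy-MM-dd}' -f (Get-Date), $last)
}
# To reverse: Import-Csv $log | ForEach-Object { Enable-ADAccount -Identity $_.DistinguishedName }
```

Disabling rather than deleting keeps the SID and group memberships, so a false positive (someone on long leave) is a one-line Enable-ADAccount away from being fixed.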

Working with CSV Files


The first line of a .csv file defines the names of the columns:
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing
A foreach loop processes the contents of a .csv file that has been imported into a variable:
$users = Import-Csv -LiteralPath "C:\users.csv"
foreach ($user in $users) {
    Write-Host "The first name is:"
    $user.FirstName
}
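The same CSV turned into the "create user accounts based on data in a spreadsheet" bulk operation: a logon name derived from the columns, a duplicate check, a random initial password that must be changed at first logon, and a record of what was created. This is an added example, not from the course notes; the target OU, UPN suffix, file paths and the naming rule are assumptions.

```powershell
# Added example (not part of the original course notes): create users from the
# CSV shown above. Target OU, UPN suffix, file paths and naming rule are assumptions.
Import-Module ActiveDirectory
$targetOU  = 'OU=Staff,DC=adatum,DC=com'
$upnSuffix = 'adatum.com'

function New-InitialPassword {
    # 16 characters from a cryptographically secure generator (modulo bias is
    # negligible for a one-time password that must be changed at first logon)
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!$%&*'
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$results = foreach ($row in Import-Csv -LiteralPath 'C:\users.csv') {
    # first initial + last name, lower-case, within the 20-character sAMAccountName limit
    $sam = ('{0}{1}' -f $row.FirstName.Substring(0, 1), $row.LastName).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
    if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
        Write-Warning "$sam already exists; skipping $($row.FirstName) $($row.LastName)"
        continue
    }
    $password = New-InitialPassword
    New-ADUser -Name ('{0} {1}' -f $row.FirstName, $row.LastName) `
               -GivenName $row.FirstName -Surname $row.LastName `
               -SamAccountName $sam -UserPrincipalName "${sam}@${upnSuffix}" `
               -Department $row.Department -Path $targetOU `
               -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
               -ChangePasswordAtLogon $true -Enabled $true
    [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $password }
}

# Hand the initial passwords over out of band and delete this file afterwards;
# never leave it on a share.
$results | Export-Csv -LiteralPath 'C:\users-created.csv' -NoTypeInformation
```

New-ADUser fails for a row whose generated password does not meet the domain policy or whose OU path is wrong, and the loop continues with the next row, so compare the output file against the input to find rows that did not go through.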

Module 5: Implementing IPv4


Lesson 1
TCP/IP Applications
Some common application layer protocols:
•HTTP •HTTPS •FTP •RDP •SMB •SMTP •POP3

What Is a Socket?
A socket is a combination of an IP address, a transport protocol, and a port

Lesson 2: Understanding IPv4 Addressing


IPv4 Addressing
•Each networked computer must be assigned a unique IPv4 address
•Network communication for a computer is directed to the IPv4 address of the computer
•Each IPv4 address contains:
- Network ID, identifying the network
- Host ID, identifying the computer
•The subnet mask identifies which bits of the IPv4 address are the network ID (mask bits set to 1; a whole octet of 255 in the example below) and which are the host ID (mask bits set to 0)

IP Address    172.16.0.10
Subnet Mask   255.255.0.0
Network ID    172.16.0.0
Host ID       0.0.0.10

Public and Private IPv4 Addresses


Public IPv4 addresses:
•Required by devices and hosts that connect directly to the Internet
•Must be globally unique
•Routable on the Internet
•Must be assigned by IANA or a Regional Internet Registry (RIR)
Private IPv4 addresses (RFC 1918):
•Not routable on the Internet
•10.0.0.0/8
•172.16.0.0/12
•192.168.0.0/16
•Can be assigned locally by the organization
•Must be translated (NAT) to access the Internet

How Dotted Decimal Notation Relates to Binary Numbers


Dotted decimal notation is based on the decimal number system, but computers use IP addresses in binary
•Within an 8-bit octet, each bit position has a decimal value
•A bit that is set to 0 always has a zero value
•A bit that is set to 1 can be converted to a decimal value
•The low-order bit represents a decimal value of 1
•The high-order bit represents a decimal value of 128
•If all bits in an octet are set to 1, then the octet’s decimal value is 255, the highest possible value of an octet:
•128 + 64 + 32 + 16 + 8 + 4 + 2 + 1

Lesson 3: Subnetting and Supernetting


Benefits of Using Subnetting
When you subdivide a network into subnets, you create a unique ID for each subnet that is derived from the main
network ID
By using subnets, you can:
•Use a single network address across multiple locations
•Reduce network congestion by segmenting traffic
•Increase security by using firewalls
•Overcome limitations of current technologies

Calculating Subnet Addresses


When determining subnet addresses you should:
•Choose the number of subnet bits based on the number of subnets required
•Use 2^n to determine the number of subnets available from n bits
For five locations, three subnet bits are required:
•5 locations = 5 subnets required
•2^2 = 4 subnets (not enough)
•2^3 = 8 subnets

Calculating Host Addresses


When determining host addresses you should:
•Choose the number of host bits based on the number of hosts that you require on each subnet
•Use 2^n - 2 to determine the number of usable hosts on each subnet (the all-zeros host ID is the network address and the all-ones host ID is the broadcast address)
For subnets with 100 hosts, seven host bits are required:
•2^6 - 2 = 62 hosts (not enough)
•2^7 - 2 = 126 hosts
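The two rules above carried through in code: given a block to divide, the number of subnets and the hosts needed per subnet, work out the subnet bits and host bits, check that both fit, and list the resulting subnets with their usable ranges. This is an added example, not from the course notes; it generalises the two worked cases (it handles any prefix length and reports when the requirements do not fit), and the networks used in the usage lines are assumptions.

```powershell
# Added example (not part of the original course notes): plan subnets with the
# 2^n (subnets) and 2^n - 2 (hosts) rules. All arithmetic is done on [int64]
# so 32-bit sign problems cannot arise.
$AllOnes = [int64]4294967295

function ConvertTo-IPv4Int ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-IPv4Int ([int64]$Value) {
    '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255), (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-BitsRequired ([int]$Count, [switch]$Hosts) {
    # Subnets: smallest n with 2^n >= Count.
    # Hosts:   smallest n with 2^n - 2 >= Count (network and broadcast are reserved).
    $reserved = if ($Hosts) { 2 } else { 0 }
    $n = 0
    while ([math]::Pow(2, $n) - $reserved -lt $Count) { $n++ }
    return $n
}

function Get-SubnetPlan {
    param(
        [Parameter(Mandatory)][string]$Network,      # CIDR block to divide, e.g. 192.168.10.0/24
        [Parameter(Mandatory)][int]$Subnets,         # number of subnets needed
        [Parameter(Mandatory)][int]$HostsPerSubnet   # usable hosts needed in each subnet
    )
    $base, $prefixText = $Network -split '/'
    $prefix     = [int]$prefixText
    $subnetBits = Get-BitsRequired $Subnets
    $hostBits   = Get-BitsRequired $HostsPerSubnet -Hosts
    $newPrefix  = $prefix + $subnetBits
    if (32 - $newPrefix -lt $hostBits) {
        throw ('{0} needs {1} subnet bits and {2} host bits, but only {3} bits are free' -f $Network, $subnetBits, $hostBits, (32 - $prefix))
    }
    $blockSize = [int64][math]::Pow(2, 32 - $newPrefix)
    $baseMask  = ($AllOnes -shl (32 - $prefix)) -band $AllOnes
    $start     = (ConvertTo-IPv4Int $base) -band $baseMask      # normalise to the network ID
    for ($i = 0; $i -lt [math]::Pow(2, $subnetBits); $i++) {
        $net = $start + $i * $blockSize
        [pscustomobject]@{
            Subnet      = '{0}/{1}' -f (ConvertFrom-IPv4Int $net), $newPrefix
            FirstHost   = ConvertFrom-IPv4Int ($net + 1)
            LastHost    = ConvertFrom-IPv4Int ($net + $blockSize - 2)
            Broadcast   = ConvertFrom-IPv4Int ($net + $blockSize - 1)
            UsableHosts = $blockSize - 2
        }
    }
}

# Five subnets of at least 20 hosts out of a /24: 3 subnet bits -> eight /27s with 30 hosts each
Get-SubnetPlan -Network '192.168.10.0/24' -Subnets 5 -HostsPerSubnet 20 | Format-Table -AutoSize
# Five subnets of 100 hosts do not fit in a /24 (3 + 7 bits > 8 free bits): the function throws
try { Get-SubnetPlan -Network '192.168.10.0/24' -Subnets 5 -HostsPerSubnet 100 } catch { Write-Warning $_ }
# A /16 has room: eight /19 subnets (172.16.0.0/19, 172.16.32.0/19, ...) with 8190 usable hosts each
Get-SubnetPlan -Network '172.16.0.0/16' -Subnets 5 -HostsPerSubnet 100 | Format-Table -AutoSize
```

The failing call is the point of the check: the subnet count and the host count each consume bits from the same pool, and a plan that satisfies one rule can silently violate the other.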

Lesson 4: Configuring and Troubleshooting IPv4


Using Windows PowerShell Cmdlets to Troubleshoot IPv4
For network configuration and troubleshooting in Windows Server 2012 and earlier versions, use:
•Command-line tools
•Windows PowerShell cmdlets
In earlier versions of Windows Server:
•Windows PowerShell required using Windows Management Instrumentation (WMI) objects
•WMI objects are not as easy to use as native Windows PowerShell cmdlets

Using Windows PowerShell Cmdlets to Troubleshoot IPv4


Some of the new Windows PowerShell cmdlets:
Get-NetAdapter Set-DnsClient
Restart-NetAdapter Set-DnsClientGlobalSetting
Get-NetIPInterface Set-DnsClientServerAddress
Get-NetIPAddress Set-NetIPAddress
Get-NetRoute Set-NetIPv4Protocol
Get-NetConnectionProfile Set-NetIPInterface
Get-DnsClientCache Test-Connection
Get-DnsClientServerAddress Test-NetConnection
Register-DnsClient Resolve-DnsName

IPv4 Troubleshooting Tools


Use the following tools to troubleshoot IPv4:
•Ipconfig •Pathping •Resource Monitor
•Ping •Telnet •Windows Network Diagnostics
•Tracert •Netstat •Event Viewer
The IPv4 Troubleshooting Process
After you identify the scope of the problem, use the following tools to troubleshoot network connectivity:
Step                                          Windows PowerShell                Command-line tool
Identify the network path between hosts       Test-NetConnection -TraceRoute    tracert
Verify the network configuration is correct   Get-NetIPAddress                  ipconfig
See if the remote host responds               Test-NetConnection                ping
Test the service on a remote host             Test-NetConnection -Port <port>   Use an application such as Internet Explorer
See if the default gateway responds           Test-NetConnection                ping

What Is Microsoft Message Analyzer?


Capture Message Data > Save Message Data > Import Message Data > View Message Data > Filter Message Data >
Create charts from captured data

Module 6: Implementing Dynamic Host Configuration Protocol


Lesson 1: Installing a DHCP Server Role

Benefits of Using DHCP


Automatic IP Configuration (DHCP)                   Manual IP Configuration
IP addresses are supplied automatically             IP addresses are entered manually
Correct configuration information is ensured        IP address could be entered incorrectly
Client configuration is updated automatically       Communication and network issues can result
A common source of network problems is eliminated   Frequent computer moves increase administrative effort

How DHCP Lease Renewal Works


1.At 50% of the lease duration (T1), the DHCP client sends a DHCPREQUEST packet directly (unicast) to the server that issued the lease
2.The DHCP server answers with a DHCPACK packet and the lease timer restarts
3.If the client has not renewed by 87.5% of the lease duration (T2), it broadcasts a DHCPREQUEST so that any DHCP server can renew the lease
4.If the lease expires without a renewal, the client stops using the address and starts the lease generation process over by broadcasting a DHCPDISCOVER

How DHCP Interacts with DNS


•DHCP can:
 •Register client records into DNS zones
 •Use the DNS dynamic update protocol
•To use secure DNS dynamic updates with DHCP registration, add the DHCP servers to the AD DS DnsUpdateProxy global group: records registered by a member of that group are not owned by the DHCP server, so the client or another DHCP server can update them later. Caveat: those records carry no owner ACL, so any host on the network can overwrite them; the safer pattern is to configure a dedicated, low-privilege account for dynamic update registrations on the DHCP server (Set-DhcpServerDnsCredential) and never to place a domain controller that runs DHCP in DnsUpdateProxy
•DHCP policies:
 •Automatically assign settings based on FQDN
 •Register workgroup computers with a guest DNS suffix
 •Disable PTR registrations without disabling host (A) record registration

DHCP Relay Agent - listens for DHCP broadcasts from DHCP clients and relays them as unicast to DHCP servers on other subnets
DHCP Server Authorization - registers the DHCP Server service in AD DS; a domain-joined Windows DHCP server that is not authorized does not lease addresses. Authorization does not stop a non-Windows or standalone rogue DHCP server, so pair it with DHCP snooping on the switches.

Lesson 2: Configuring DHCP Scopes


DHCP Scopes - a range of IP addresses that are available to be leased
DHCP scope properties include:
•Network ID •Subnet mask •Network IP address range •Exclusion range •Lease duration •Scope name
DHCP Reservation - an IP address within a scope that is set aside for a specific DHCP client, matched by the client's MAC address (client identifier)
DHCP Options -
 •Are values for common configuration data delivered to the client with the lease
 •Can be set at the server, scope, reservation, and class levels
Common scope options are:
 •Router (default gateway, option 003)
 •DNS domain name (option 015)
 •DNS servers (option 006)
 •WINS servers (option 044)

How Are DHCP Options Applied?


You can apply DHCP options at various levels:
•Server •Class
•Scope •Reserved client
Typically, you do not apply the class or reserved client options

DHCP Database – is a dynamic database that contains configuration information such as:
•Scopes
•Address leases
•Reservations

Windows Server 2012 stores the DHCP database in the %SystemRoot%\System32\Dhcp folder
The DHCP database files include:
•Dhcp.mdb (the database itself)
•Dhcp.tmp (temporary working file)
•J50.log and J50*.log (transaction logs)
•J50.chk (checkpoint file)
•Res*.log (reserved log files)

Steps for moving a DHCP database:


1.Back up the DHCP database on the old server
2.Stop the old DHCP server service
3.Copy the DHCP database to the new server and, if necessary, install the DHCP server role
4.Restore the database
5.Start the DHCP Server service

Lesson 4: Securing and Monitoring DHCP


To prevent an unauthorized computer from obtaining a lease:
 •Ensure that unauthorized users do not have physical or wireless access to your network
 •Enable audit logging for every DHCP server on your network
 •Regularly check and monitor the audit log files
 •Use 802.1X-enabled LAN switches or wireless access points so that a device must authenticate before it can reach the network (and therefore the DHCP server)
 •Configure NAP to validate that a client computer is compliant with system health requirements before it receives a full-access lease

DHCP statistics - collected at either the server level or the scope level
Common issues that can occur when you do not configure DHCP properly:
 Address conflicts
 Failure to obtain a DHCP address
 Address obtained from an incorrect scope
 DHCP database suffered data corruption or loss
 DHCP server has exhausted its IP address pool
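Monitoring the audit log the lesson asks you to enable, in code: parse the DHCP server audit log and surface the conditions from the list above (address conflicts, an exhausted address pool, denied leases). This is an added example, not from the course notes; the log lines are constructed for the example, and the event ID meanings follow the table that the DHCP service prints at the top of every audit log file.

```powershell
# Added example (not part of the original course notes): summarise a Windows
# DHCP server audit log (%SystemRoot%\System32\dhcp\DhcpSrvLog-<Day>.log) and
# surface conflicts, pool exhaustion and denied leases. The sample lines are
# constructed; the event ID meanings are those printed in the log's own header.
$eventMeaning = @{
    10 = 'Assign'; 11 = 'Renew'; 12 = 'Release'; 13 = 'Conflict detected'
    14 = 'Scope pool exhausted'; 15 = 'Lease denied'; 16 = 'Lease deleted'; 17 = 'Lease expired'
    31 = 'DNS update failed'; 32 = 'DNS update successful'
}

# Constructed sample: the real file has a text preamble, then this CSV header, then records
$sampleLog = @'
DHCP Service Activity Log (constructed sample)

ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,01/15/14,09:02:11,Assign,172.16.0.101,LON-CL1.adatum.com,001122334455
11,01/15/14,09:05:40,Renew,172.16.0.77,LON-SVR2.adatum.com,00AABBCCDDEE
13,01/15/14,09:07:03,Conflict,172.16.0.50,,
14,01/15/14,09:09:19,Scope Full,172.16.0.0,,
14,01/15/14,09:09:22,Scope Full,172.16.0.0,,
15,01/15/14,09:12:30,NACK,172.16.0.210,rogue-pc,DEADBEEF0001
'@

function Get-DhcpAuditSummary {
    param([string[]]$Lines)
    # Skip the preamble: records start at the "ID,Date,..." header line
    $start = 0
    while ($start -lt $Lines.Count -and $Lines[$start] -notlike 'ID,Date,*') { $start++ }
    if ($start -ge $Lines.Count) { throw 'No audit log header found' }
    $records = $Lines[$start..($Lines.Count - 1)] | ConvertFrom-Csv
    foreach ($r in $records) {
        $id = [int]$r.ID
        $meaning = if ($eventMeaning.ContainsKey($id)) { $eventMeaning[$id] } else { $r.Description }
        [pscustomobject]@{
            Time    = [datetime]::ParseExact("$($r.Date) $($r.Time)", 'MM/dd/yy HH:mm:ss', [cultureinfo]::InvariantCulture)
            ID      = $id
            Meaning = $meaning
            IP      = $r.'IP Address'
            Host    = $r.'Host Name'
            MAC     = $r.'MAC Address'
        }
    }
}

$events = Get-DhcpAuditSummary -Lines ($sampleLog -split "`r?`n")
# Conditions worth alerting on: conflicts (13), pool exhaustion (14), denied leases (15)
$events | Where-Object { $_.ID -in 13, 14, 15 } | Format-Table Time, Meaning, IP, Host, MAC -AutoSize
# Repeated 14s against one scope is the "exhausted address pool" failure mode from the list above
$events | Where-Object ID -eq 14 | Group-Object IP | Where-Object Count -ge 2 |
    ForEach-Object { Write-Warning ('Scope {0} reported full {1} times' -f $_.Name, $_.Count) }
```

Against a real server, replace the constructed text with Get-Content of the day's log file; a burst of event 13 lines is the symptom of a rogue DHCP server or a static address inside the scope, and a burst of 14s means the scope needs to grow or the lease duration is too long.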

Module 7: Implementing DNS


Lesson 1: Name Resolution for Windows Clients and Servers
Host name - the name of the computer itself; the host name plus the DNS domain name (which ends in a top-level domain) forms the fully qualified domain name (FQDN), for example LON-DC1.adatum.com

DNS can be used to:


 Resolve host names to IP addresses
 Locate domain controllers and global catalog servers
 Resolve IP addresses to host names
 Locate mail servers during email delivery

DNS zone - a specific portion of DNS namespace that contains DNS records
Zone types:
 Forward lookup zone
 Reverse lookup zone
Resource records in forward lookup zones include: A, MX, SRV, NS, SOA, and CNAME
Resource records in reverse lookup zones include: PTR (plus the zone's own NS and SOA records)

Split DNS
 •External DNS servers (in the perimeter network or at a hosting provider) host only the records that must resolve from the Internet, such as the mail and web servers
 •Internal DNS servers host the domain's computer records, plus the perimeter-subnet addresses of the mail and web servers, so internal clients never depend on the external servers and the external servers never expose internal host names

Link-local Multicast Name Resolution


 •LLMNR is an additional method for name resolution that does not use DNS or WINS; it multicasts the query on the local link and accepts an answer from any host that claims the name
 •LLMNR is designed for IPv6 (it also works over IPv4)
 •Works only on Windows Vista, Windows Server 2008, and all newer Windows operating systems
 •Network Discovery must be enabled
 •Can be controlled via Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution); because any host on the link can answer a query, it is commonly disabled on networks where DNS is authoritative for all names

How a Client Resolves a Name:


1. Local Host name
2. DNS Resolver Cache/Hosts file content
3. DNS Server
4. LLMNR
5. NetBIOS Name Cache
6. WINS Server
7. Broadcast
8. LMHosts File

Troubleshooting Name Resolution


 A new Windows PowerShell DNS module with numerous cmdlets was introduced with Windows Server 2012
 More cmdlets were added with Windows Server 2012 R2
Command-line tools to troubleshoot configuration issues:
 Nslookup
 DNSCmd
 Dnslint
 Ipconfig
The troubleshooting process:
1.Identify which DNS server the client is using, with nslookup or Resolve-DnsName (or Get-DnsClientServerAddress)
2.Confirm the client can reach that server with ping or Test-NetConnection
3.Use nslookup (or Resolve-DnsName) to verify that the expected records are returned
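The three steps as a script for a domain-joined client: which DNS servers it uses, whether each answers, and whether the records a domain member depends on (the A record of a host and the SRV records that locate domain controllers) resolve. This is an added example, not from the course notes; the domain and host names are assumptions.

```powershell
# Added example (not part of the original course notes): walk the DNS
# troubleshooting steps on a domain-joined client. Names are assumptions.
$domain = 'adatum.com'
$target = 'LON-DC1.adatum.com'

# 1. Identify the DNS servers configured on each adapter
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
$servers | Format-Table -AutoSize

# 2. Check that each server is reachable on port 53 and answers an SOA query for the domain
foreach ($srv in ($servers.ServerAddresses | Select-Object -Unique)) {
    $open = Test-NetConnection -ComputerName $srv -Port 53 -InformationLevel Quiet
    $portState = if ($open) { 'open' } else { 'CLOSED' }
    try {
        $soa = Resolve-DnsName -Name $domain -Type SOA -Server $srv -DnsOnly -ErrorAction Stop
        '{0}: port 53 {1}; SOA primary server {2}' -f $srv, $portState, $soa.PrimaryServer
    } catch {
        '{0}: port 53 {1}; SOA query failed: {2}' -f $srv, $portState, $_.Exception.Message
    }
}

# 3. Verify the records a client needs. -DnsOnly bypasses the hosts file, the resolver
#    cache and LLMNR/NetBIOS, so the answer reflects what the DNS server actually holds.
Resolve-DnsName -Name $target -Type A -DnsOnly | Select-Object Name, IPAddress

# Domain controllers are located through SRV records under _msdcs; an empty result means
# domain logon and Group Policy will fail even though ping to the DC succeeds.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -DnsOnly |
    Where-Object Type -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight

# Reverse lookup needs a PTR record in the reverse lookup zone
$ip = (Resolve-DnsName -Name $target -Type A -DnsOnly).IPAddress | Select-Object -First 1
Resolve-DnsName -Name $ip -Type PTR -DnsOnly | Select-Object Name, NameHost
```

Step 2 distinguishes "the server is down" (port closed) from "the server is up but not authoritative or not forwarding" (SOA query fails), which is the difference between a network problem and a DNS configuration problem.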

Lesson 2: Installing a DNS Server


Root hints - the names and IP addresses of the DNS root servers, used by a DNS server to resolve names it is not authoritative for when no forwarder is configured
DNS Queries - queries are recursive or iterative:
•A recursive query asks the DNS server for a complete answer; the server must return the answer, an authoritative "does not exist", or an error
•An iterative query asks for the best answer the server already has; the server may reply with a referral to another name server
•DNS clients and DNS servers initiate queries (clients send recursive queries; servers send iterative queries while resolving on behalf of clients)
•DNS servers are authoritative or non-authoritative for a namespace
•An authoritative DNS server for the namespace either:
 •Returns the requested IP address
 •Returns an authoritative "No, that name does not exist"
•A non-authoritative DNS server for the namespace either:
 •Checks its cache
 •Uses forwarders
 •Uses root hints

Forwarder - is a DNS server designated to resolve external or offsite DNS domain names
Conditional forwarding - forwards requests using a domain name condition

How to Install the DNS Server Role


DNS server installation methods:
•Server Manager
•Active Directory Domain Services Installation Wizard
Tools available to manage the DNS Server role:
 •Server Manager
 •DNS Manager console (the dnsmgmt.msc snap-in)
 •DNSCmd command-line tool
 •Windows PowerShell (DnsServer module)
 •Remote Server Administration Tools (RSAT), which install the same tools on a management workstation

Lesson 3: Managing DNS Zones


DNS Zone Types
Zones Description
Primary Read/write copy of a DNS database
Secondary Read-only copy of a DNS database
Stub Copy of a zone that contains only records used to locate name servers
Active Directory-integrated Zone data is stored in AD DS rather than in zone files

Dynamic Updates
1.The client sends an SOA query
2.The DNS server returns the SOA resource record
3.The client sends dynamic update request(s) to identify the primary DNS server
4.The DNS server responds that it can perform an update
5.The client sends an unsecured update to the DNS server
6.If the zone permits only secure updates, the update is refused
7.The client sends a secured update (authenticated with Kerberos through GSS-TSIG) to the DNS server

Benefits of an Active Directory-integrated zone:
•Allows multimaster writes to the zone (any domain controller that hosts the zone can accept updates)
•Replicates DNS zone information by using AD DS replication
•Leverages the existing, efficient replication topology
•Uses efficient incremental updates for Active Directory replication processes
•Enables secure dynamic updates, so only the account that created a record (or an administrator) can change it
•Delegates zones, domains, and resource records for increased security
Examples of host records in the contoso.com zone include:
•hqdc01 •filesvr01 •desktop101
