MCSA Windows Server 2012 R2 Administration Study Guide Exam 70-411 (2015)
Configure and Manage Active Directory
THE FOLLOWING 70-411 EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
1. Configure service authentication
§ Create and configure Service Accounts
§ Create and configure Group Managed Service Accounts
§ Configure Kerberos delegation
§ Manage Service Principal Names (SPNS)
§ Configure virtual accounts
2. Configure Domain Controllers
§ Transfer and seize operations master roles
§ Install and configure a read-only domain controller (RODC)
§ Configure domain controller cloning
3. Maintain Active Directory
§ Back up Active Directory and SYSVOL
§ Manage Active Directory offline
§ Optimize an Active Directory database
§ Clean up metadata
§ Configure Active Directory snapshots
§ Perform object- and container-level recovery
§ Perform Active Directory restore
§ Configure and restore objects by using the Active Directory Recycle Bin
4. Configure account policies
§ Configure domain and local user password policy settings
§ Configure and apply Password Settings Objects (PSOs)
§ Delegate password settings management
§ Configure account lockout policy settings
§ Configure Kerberos policy settings
In this chapter, we will dive deeper into the Active Directory realm.
I have covered many important aspects of Active Directory. The most important aspect of any network, including Active Directory, is security. If your network is not secure, then hackers (internal or external) can make your life as a member of an IT department a living nightmare.
In this chapter, you’ll learn how to implement security within Active Directory. By using Active Directory tools, you can quickly and easily configure the settings that you require in order to protect information.
Proper planning for security permissions is an important prerequisite of setting up Active Directory. Security is always one of the greatest concerns for an IT administrator.
You should have a security policy that states what is expected of every computer user in your company. Fine-tuning Active Directory to comply with your security policy and allowing end users to function without any issues should be your goals.
You should know how to use Active Directory to apply permissions to resources on the network, and you should pay particular attention to the evaluation of permissions when applied to different groups and the flow of permissions through the organizational units (OUs) via group policies. With all of this in mind, let’s start looking at how you can manage security within Active Directory.
Active Directory Security Overview
One of the fundamental design goals for Active Directory is to define a single, centralized repository of users and information resources. Active Directory records information about all of the users, computers, and resources on your network. Each domain acts as a logical boundary, and members of the domain (including workstations, servers, and domain controllers) share information about the objects within them.
The information stored within Active Directory determines which resources are accessible to which users. Through the use of permissions that are assigned to Active Directory objects, you can control all aspects of network security.
Throughout this chapter, you’ll learn the details of security as it pertains to Active Directory. Note, however, that Active Directory security is only one aspect of overall network security. You should also be sure that you have implemented appropriate access control settings for the file system, network devices, and other resources. Let’s start by looking at the various components of network security, which include working with security principals and managing security and permissions, access control lists (ACLs), and access control entries (ACEs).
When you are setting up a network, you should always keep in mind that 90 percent of all hacks on a network are internal. This means internal permissions and security (as well as external security) need to be as strong as possible while still allowing users to do their jobs.
Understanding Active Directory Features
Let’s take a look at some of the Active Directory features and what each feature can do for you as an administrator.
Active Directory is the heart and soul of a Microsoft domain, and I can never talk enough about the roles and features included with Active Directory. Many of these features have already been discussed, but what follows will be a good review for the 70-411 exam:
Active Directory Certificate Services Active Directory Certificate Services (AD CS) provides a customizable set of services that allows you to issue and manage public key infrastructure (PKI) certificates. These certificates can be used in software security systems that employ public key technologies.
Active Directory Domain Services Active Directory Domain Services (AD DS) includes new features that make deploying domain controllers simpler and lets you implement them faster. AD DS also makes the domain controllers more flexible, both to audit and to authorize access to files. Moreover, AD DS has been designed to make performing administrative tasks easier through consistent graphical and scripted management experiences.
Active Directory Rights Management Services Active Directory Rights Management Services (AD RMS) provides management and development tools that let you work with industry security technologies, including encryption, certificates, and authentication. Using these technologies allows organizations to create reliable information protection solutions.
Hyper-V Hyper-V is one of the most changed features in Windows Server 2012 R2. Microsoft’s new slogan is “Windows Server 2012 R2, built from the cloud up,” and this has a lot to do with Hyper-V. It allows an organization to consolidate servers by creating and managing a virtualized computing environment. It does this by using virtualization technology that is built into Windows Server 2012 R2.
IPAM IP Address Management (IPAM) was one of the new features introduced with Windows Server 2012. IPAM allows an administrator to customize and monitor the IP address infrastructure on a corporate network.
Kerberos Authentication Windows Server 2012 R2 uses the Kerberos authentication (version 5) protocol and extensions for password-based and public-key authentication. The Kerberos client is installed as a security support provider (SSP), and it can be accessed through the Security Support Provider Interface (SSPI).
Managed Service Accounts Stand-alone managed service accounts, originally created for Windows Server 2008 R2 and Windows 7, are configured domain accounts that allow automatic password management and service principal names (SPNs) management, including the ability to delegate management to other administrators.
Security Auditing Security auditing gives an organization the ability to help maintain the security of an enterprise. By using security audits, you can verify authorized or unauthorized access to machines, resources, applications, and services. One of the best advantages of security audits is to verify regulatory compliance.
TLS/SSL (Schannel SSP) Schannel is a security support provider (SSP) that uses the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols together. The Security Support Provider Interface (SSPI) is an API used by Windows systems to allow security-related functionality, including authentication.
Windows Deployment Services Windows Deployment Services allows an administrator to install Windows operating systems remotely. Administrators can use Windows Deployment Services to set up new computers by using a network-based installation.
Understanding Security Principals
Security principals are Active Directory objects that are assigned security identifiers (SIDs). An SID is a unique identifier that is used to manage any object to which permissions can be assigned. Security principals are assigned permissions to perform certain actions and access certain network resources.
The following basic types of Active Directory objects serve as security principals:
User Accounts User accounts identify individual users on your network by including information such as the user’s name and their password. User accounts are the fundamental unit of security administration.
Groups There are two main types of groups: security groups and distribution groups. Both types can contain user accounts. System administrators use security groups to ease the management of security permissions. They use distribution groups, on the other hand, solely to send email. Distribution groups are not security principals. You’ll see the details of groups in the next section.
Computer Accounts Computer accounts identify which client computers are members of particular domains. Because these computers participate in the Active Directory database, system administrators can manage security settings that affect the computer. They use computer accounts to determine whether a computer can join a domain and for authentication purposes. As you’ll see later in this chapter, system administrators can also place restrictions on certain computer settings to increase security. These settings apply to the computer and, therefore, also apply to any user who is using it (regardless of the permissions granted to the user account).
Note that other objects—such as OUs—do not function as security principals. What this means is that you can apply certain settings (such as Group Policy) on all of the objects within an OU; however, you cannot specifically set permissions with respect to the OU itself. The purpose of OUs is to organize other Active Directory objects logically based on business needs, add a needed level of control for security, and create an easier way to delegate.
You can manage security by performing the following actions with security principals:
§ You can assign them permissions to access various network resources.
§ You can give them user rights.
§ You can track their actions through auditing (covered later in this chapter).
The major types of security principals—user accounts, groups, and computer accounts—form the basis of the Active Directory security architecture. As a system administrator, you will likely spend a portion of your time managing permissions for these objects.
It is important to understand that, since a unique SID defines each security principal, deleting a security principal is an irreversible process. For example, if you delete a user account and then later re-create one with the same name, you’ll need to reassign permissions and group membership settings for the new account. Once a user account is deleted, its SID is deleted.
Users and groups are two types of fundamental security principals employed for security administration. In the following sections, you’ll learn how users and groups interact and about the different types of groups you can create.
Types of Groups
When dealing with groups, you should make the distinction between local security principals and domain security principals:
Local Users and Groups You use local users and groups to assign the permissions necessary to access the local machine. For example, you may assign the permissions you need to reboot a domain controller to a specific domain local group.
Domain Users and Groups Domain users and groups, on the other hand, are used throughout the domain. These objects are available on any of the computers within the Active Directory domain and between domains that have a trust relationship.
Here are the two main types of groups used in Active Directory:
Security Groups Security groups are considered security principals. They can contain user accounts, computers, or groups. To make administration simpler, system administrators usually grant permissions to groups. This allows you to change permissions easily at the Active Directory level (instead of at the level of the resource on which the permissions are assigned).
You can also place Active Directory contact objects within security groups, but security permissions will not apply to them.
Distribution Groups Distribution groups are not considered security principals because they do not have SIDs. As mentioned earlier, they are used only for the purpose of sending email messages. You can add users to distribution groups just as you would add them to security groups. You can also place distribution groups within OUs so that they are easier to manage. You will find them useful, for example, if you need to send email messages to an entire department or business unit within Active Directory.
Understanding the differences between security and distribution groups is important in an Active Directory environment. For the most part, system administrators use security groups for the daily administration of permissions. On the other hand, system administrators who are responsible for maintaining email distribution lists generally use distribution groups to group members of departments and business units logically. (A system administrator can also email all of the users within a security group, but to do so, they would have to specify the email addresses for the accounts.)
When you are working in Windows Server 2003, Server 2008, Server 2008 R2, or Server 2012 functional-level domains, you can convert security groups to or from distribution groups. When group types are running in a Windows 2000 mixed domain functional level, you cannot change them.
It is vital that you understand group types when you are getting ready to take the Microsoft exams. Microsoft likes to include trick questions about putting permissions on distribution groups. Remember, only security groups can have permissions assigned to them.
In addition to being classified by type, each group is given a specific scope. The scope of a group defines two characteristics. First, it determines the level of security that applies to a group. Second, it determines which users can be added to the group. Group scope is an important concept in network environments because it ultimately defines which resources users are able to access.
The three types of group scope are as follows:
Domain Local The scope of domain local groups extends as far as the local domain. When you’re using the Active Directory Users and Computers tool, domain local accounts apply to the computer for which you are viewing information. Domain local groups are used to assign permissions to local resources, such as files and printers. They can contain other domain local groups, global groups, universal groups, and user accounts.
Global The scope of global groups is limited to a single domain. Global groups may contain any of the users that are part of the Active Directory domain in which the global groups reside or may contain other global groups. Global groups are often used for managing domain security permissions based on job functions. For example, if you need to specify permissions for the Engineering department, you could create one or more global groups (such as EngineeringManagers and EngineeringDevelopers). You could then assign security permissions to each group.
Universal Universal groups can contain accounts or other universal groups from any domains within an Active Directory forest. Therefore, system administrators use them to manage security across domains. When you are managing multiple domains, it often helps to group global groups within universal groups. For instance, if you have an Engineering global group in the research.stellacon.com domain and an Engineering global group in the asia.stellacon.com domain, you can create a universal AllEngineers group that contains both of the global groups. Now whenever you must assign security permissions to all engineers within the organization, you need only assign permissions to the AllEngineers universal group.
For domain controllers to process authentication between domains, information about the membership of universal groups is stored in the global catalog (GC). Keep this in mind if you ever plan to place users directly into universal groups and bypass global groups because all of the users will be enumerated in the GC, which will impact size and performance.
Fortunately, universal group membership is cached on the domain controllers that universal group members use to log on. This process is called universal group membership caching. The domain controller obtains the cached data whenever universal group members log on, and then it is retained on the domain controller for eight hours by default. This is especially useful for smaller locations, such as branch offices, which run less-expensive domain controllers. Most domain controllers at these locations cannot store a copy of the entire GC, and frequent calls to the nearest GC would require an inordinate amount of network traffic.
When you create a new group using the Active Directory Users and Computers tool, you must specify the scope of the group. Figure 6.1 shows the New Object – Group dialog box and the available options for the group scope.
FIGURE 6.1 The New Object – Group dialog box
However, changing group scope can be helpful when your security administration or business needs change. You can change group scope easily using the Active Directory Users and Computers tool. To do so, access the properties of the group. As shown in Figure 6.2, you can make a group scope change by clicking one of the options.
FIGURE 6.2 The Domain Admins Security Group’s Properties dialog box
Built-in Service Account Groups
System administrators use built-in domain local groups to perform administrative functions on the local server. Because these have pre-assigned permissions and privileges, they allow system administrators to assign common management functions easily. Figure 6.3 shows the default built-in groups that are available on a Windows Server 2012 domain controller.
FIGURE 6.3 Default built-in local groups
The list of built-in local groups includes some of the following:
Account Operators These users can create and modify domain user and group accounts. Members of this group are generally responsible for the daily administration of Active Directory.
Administrators By default, members of the Administrators group are given full permissions to perform any functions within the Active Directory domain and on the local computer. This means they can access all files and resources that reside on any server within the domain. As you can see, this is a powerful account.
In general, you should restrict the number of users who are included in this group because most common administration functions do not require this level of access.
Backup Operators One of the problems associated with backing up data in a secure network environment is that you need to provide a way to bypass standard file system security so that you can copy files. Although you could place users in the Administrators group, doing so usually provides more permissions than necessary. Members of the Backup Operators group can bypass standard file system security for the purpose of backup and recovery only. They cannot, however, directly access or open files within the file system.
Generally, backup software applications and data use the permissions assigned to the Backup Operators group.
Certificate Service DCOM Access Members of the Certificate Service DCOM Access group can connect to certificate authority servers in the enterprise.
Cryptographic Operators Members of the Cryptographic Operators group are authorized to perform cryptographic operations. Cryptography transforms data so that only a recipient who holds the appropriate key can read it.
Guests Typically, you use the Guests group to provide access to resources that generally do not require security. For example, if you have a network share that provides files that should be made available to all network users, you can assign permissions to allow members of the Guests group to access those files.
Print Operators By default, members of the Print Operators group are given permissions to administer all of the printers within a domain. This includes common functions such as changing the priority of print jobs and deleting items from the print queue.
Replicator The Replicator group allows files to be replicated among the computers in a domain. You can add accounts used for replication-related tasks to this group to provide those accounts with the permissions they need to keep files synchronized across multiple computers.
Server Operators A common administrative task is managing server configuration. Members of the Server Operators group are granted the permissions they need to manage services, shares, and other system settings.
Users The Users built-in domain local group is used to administer security for most network accounts. Usually, you don’t give this group many permissions, and you use it to apply security settings for most employees within an organization.
Windows Server 2012 also includes many different default groups, which you can find in the Users folder. As shown in Figure 6.4, these groups are of varying scopes, including domain local, global, and universal groups. You’ll see the details of these groups in the next section.
FIGURE 6.4 Contents of the default Users folder
Three important user accounts are created during the promotion of a domain controller:
§ The Administrator account is assigned the password a system administrator provides during the promotion process, and it has full permissions to perform all actions within the domain.
§ The Guest account is disabled by default. The purpose of the Guest account is to provide anonymous access to users who do not have an individual logon and password to use within the domain. Although the Guest account might be useful in some situations, it is generally recommended that this account be disabled to increase security.
§ Only the operating system uses the krbtgt, or Key Distribution Center Service account, for Kerberos authentication. This account is disabled by default. Unlike other user accounts, the krbtgt account cannot be used to log on to the domain, and therefore it does not need to be enabled. Since only the operating system uses this account, you do not need to worry about hackers gaining access by using this account.
Managed Service Account and Virtual Accounts
One issue that many administrators run into is how to handle application accounts. What I mean by this is, what type of account and what permissions are needed when installing an application such as Microsoft Exchange?
If you were the administrator for the local system, you could just configure Exchange to run as a Local Service. The problem with using these types of accounts is that they are normally used multiple times among different applications.
Another option that you could have is just to create a domain account for each application. For example, an administrator can create a specific domain account that Exchange could use. The problem with this option is that you have to remember to change the password frequently, and once you change that password, you have to remember which services you configured to use that account and change the password for each service. This is not an ideal way to set up an application service.
The two types of accounts available in Windows Server 2012 R2 are the managed service account and the virtual account. These two accounts were originally created in Windows Server 2008 R2 and Windows 7. These accounts are specifically designed for use with applications, and an administrator does not need to change the credentials manually every few months. These two domain accounts provide automatic password management and simplified service principal names management.
Virtual accounts even take it a step further because no password management is needed, and they can access the network using a computer identity from the domain environment.
To use the managed service account and the virtual account, your server needs to be running at least Windows Server 2008 R2 or Windows 7/8. When you are using managed service accounts, a managed service account can be used only for services on a single computer. You are not allowed to share managed service accounts between multiple computers. This also means you can’t use managed service accounts on a server that is going to be part of a cluster.
To configure or manipulate your managed service account or virtual account on a server, you need to use Windows PowerShell cmdlets or any utility that allows you to work with these types of accounts (Dsacls.exe, Services snap-in mmc, SetSPN.exe, and so forth).
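As an added example (not code from the book), the following PowerShell provisions a stand-alone managed service account for one application server, installs and tests it on that host, and registers its SPN with SetSPN.exe. The account name svc-App1, the host APPSRV01 and the HTTP SPN are assumed values; the domain is the stellacon.com domain used elsewhere in this chapter.

```powershell
# Added example: provision and verify a stand-alone managed service account.
# Assumed names: account svc-App1, server APPSRV01, domain stellacon.com.
Import-Module ActiveDirectory

$AccountName = 'svc-App1'
$TargetHost  = 'APPSRV01'

# Create the MSA in Active Directory. -RestrictToSingleComputer creates a
# stand-alone MSA, which (as the text notes) can be used by only one computer
# and therefore not by a cluster.
New-ADServiceAccount -Name $AccountName -RestrictToSingleComputer -Enabled $true

# Bind the account to its single host. The host retrieves and rotates the
# password automatically; no administrator sets or knows it.
Add-ADComputerServiceAccount -Computer $TargetHost -ServiceAccount $AccountName

# On the host itself, install the account and confirm it is usable before
# pointing a service at STELLACON\svc-App1$ (note the trailing $).
Invoke-Command -ComputerName $TargetHost -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $using:AccountName
    Test-ADServiceAccount -Identity $using:AccountName   # True when the host can use it
}

# Register the SPN the service will present so clients authenticate with Kerberos.
# setspn -S refuses to add a duplicate SPN; -L lists what is registered.
setspn -S 'HTTP/appsrv01.stellacon.com' 'svc-App1$'
setspn -L 'svc-App1$'
```

Run the first three steps from a machine with the Active Directory module and rights to create service accounts; Test-ADServiceAccount returning False usually means the host has not yet been permitted to retrieve the password.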
Predefined Global Groups
As mentioned earlier in this chapter, you use global groups to manage permissions at the domain level. Members of each of these groups can perform specific tasks related to managing Active Directory.
The following predefined global groups are installed in the Users folder:
Cert Publishers Certificates are used to increase security by allowing for strong authentication methods. User accounts are placed within the Cert Publishers group if they must publish security certificates. Generally, Active Directory security services use these accounts.
Domain Computers All of the computers that are members of the domain are generally members of the Domain Computers group. This includes any workstations or servers that have joined the domain, but it does not include the domain controllers.
Domain Admins Members of the Domain Admins group have full permissions to manage all of the Active Directory objects for this domain. This is a powerful account; therefore, you should restrict its membership only to those users who require full permissions.
Domain Controllers All of the domain controllers for a given domain are generally included within the Domain Controllers group.
Domain Guests Generally, by default, members of the Domain Guests group are given minimal permissions with respect to resources. System administrators may place user accounts in this group if they require only basic access or temporary permissions within the domain.
Domain Users The Domain Users group usually contains all of the user accounts for the given domain. This group is generally given basic permissions to resources that do not require higher levels of security. A common example is a public file share.
Enterprise Admins Members of the Enterprise Admins group are given full permissions to perform actions within the entire forest. This includes functions such as managing trust relationships and adding new domains to trees and forests.
Group Policy Creator Owners Members of the Group Policy Creator Owners group are able to create and modify Group Policy settings for objects within the domain. This allows them to enable security settings on OUs (and the objects that they contain).
Schema Admins Members of the Schema Admins group are given permissions to modify the Active Directory schema. As a member of Schema Admins, you can create additional fields of information for user accounts. This is a powerful function because any changes to the schema will be propagated to all of the domains and domain controllers within an Active Directory forest. Furthermore, you cannot undo changes to the schema (although you can disable some).
In addition to these groups, you can create new ones for specific services and applications that are installed on the server. (You’ll notice that the list in Figure 6.4 includes more than just the ones in the preceding list.) Specifically, services that run on domain controllers and servers will be created as security groups with domain local scope. For example, if a domain controller is running the DNS service, the DnsAdmins and DnsUpdateProxy groups become available. In addition, there are two read-only domain controller (RODC) local groups: the Allowed RODC Password Replication and the Denied RODC Password Replication groups. Similarly, if you install the DHCP service, it automatically creates the DHCP Users and DHCP Administrators groups. The purpose of these groups depends on the functionality of the applications being installed.
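The built-in and predefined groups above are the ones whose membership the text says should be kept small. As an added example (not code from the book), this PowerShell lists their members with nested groups expanded and flags user accounts that appear in more than one of them; the list of group names is taken from this chapter and can be extended.

```powershell
# Added example: review membership of the high-privilege groups described above.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Administrators', 'Account Operators', 'Backup Operators',
    'Server Operators', 'Print Operators',
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Group Policy Creator Owners'
)

$report = foreach ($groupName in $PrivilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so the lookup can fail in a child domain; warn and keep going.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Group '$groupName' not found in this domain"
        continue
    }

    # -Recursive flattens nested groups so an indirect member is not missed.
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        [pscustomobject]@{
            Group       = $group.Name
            Scope       = $group.GroupScope
            Member      = $_.SamAccountName
            ObjectClass = $_.objectClass
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# User accounts that sit in several privileged groups deserve a closer look,
# since each extra membership widens what a compromise of that account reaches.
$report |
    Where-Object ObjectClass -eq 'user' |
    Group-Object Member |
    Where-Object Count -gt 1 |
    ForEach-Object {
        '{0} is in {1} privileged groups: {2}' -f $_.Name, $_.Count, ($_.Group.Group -join ', ')
    }
```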
Foreign Security Principals
In environments that have more than one domain, you may need to grant permissions to users who reside in multiple domains. Generally, you manage this using Active Directory trees and forests. However, in some cases, you may want to provide resources to users who belong to domains that are not part of the forest.
Active Directory uses the concept of foreign security principals to allow permissions to be assigned to users who are not part of an Active Directory forest. This process is automatic and does not require the intervention of system administrators. You can then add the foreign security principals to domain local groups for which, in turn, you can grant permissions for resources within the domain. You can view a list of foreign security principals by using the Active Directory Users and Computers tool. Figure 6.5 shows the contents of the ForeignSecurityPrincipals folder.
FIGURE 6.5 The ForeignSecurityPrincipals folder
Managing Security and Permissions
Now that you understand the basic issues, terms, and Active Directory objects that pertain to security, it’s time to look at how you can apply this information to secure your network resources. The general practice for managing security is to assign users to groups and then grant permissions and logon parameters to the groups so that they can access certain resources.
For management ease and to implement a hierarchical structure, you can place groups within OUs. You can also assign Group Policy settings to all of the objects contained within an OU. By using this method, you can combine the benefits of a hierarchical structure (through OUs) with the use of security principals. Figure 6.6 provides a diagram of this process.
FIGURE 6.6 An overview of security management
The primary tool you use to manage security permissions for users, groups, and computers is the Active Directory Users and Computers tool. Using this tool, you can create and manage Active Directory objects and organize them based on your business needs. Common tasks for many system administrators might include the following:
§ Resetting a user’s password (for example, in cases where they forget their password)
§ Creating new user accounts (when, for instance, a new employee joins the company)
§ Modifying group memberships based on changes in job requirements and functions
§ Disabling user accounts (when, for example, users will be out of the office for long periods of time and will not require network resource access)
Once you’ve properly grouped your users, you need to set the actual permissions that affect the objects within Active Directory. The actual permissions available vary based on the type of object. Table 6.1 provides an example of some of the permissions that you can apply to various Active Directory objects and an explanation of what each permission does.
TABLE 6.1 Permissions of Active Directory objects
§ Changes security permissions on the object
§ Creates objects within an OU (such as other OUs)
§ Deletes child objects within an OU
§ Deletes an OU and the objects within it
§ Views objects within an OU
§ Views a list of the objects within an OU
§ Views properties of an object (such as a username)
§ Modifies properties of an object
Using ACLs and ACEs
Each object in Active Directory has an access control list. The ACL is a list of user accounts and groups that are allowed to access the resource. For each ACL, there is an access control entry that defines what a user or a group can actually do with the resource. Deny permissions are always listed first. This means that if users have Deny permissions through user or group membership, they will not be allowed to access the object, even if they have explicit Allow permissions through other user or group permissions. Figure 6.7 shows an ACL for the Sales OU.
FIGURE 6.7 The ACL for an OU named Sales
The Security tab is enabled only if you selected the Advanced Features option from the View menu in the Active Directory Users and Computers tool.
Using Groups Effectively
You are a new system administrator for a medium-sized organization, and your network spans a single campus environment. The previous administrator had migrated the network from Windows 2003 to Windows Server 2012 R2, and everyone seems fine with the network and new workstations. As you familiarize yourself with the network, you realize that the previous administrator applied a very ad hoc approach. Many of the permissions to resources had been given to individual accounts on request. It seems that there was no particular strategy with regard to administration.
Management tells you that the company has acquired another company, ideally the first of several acquisitions. They tell you about these plans because they do not want any hiccups in the information system as necessary changes ensue.
You immediately realize that management practices of the past must be replaced with the best practices that have been developed for networks over the years. One of the fundamental practices that you need to establish for this environment is the use of groups to apply permissions and give privileges to users throughout the network.
It is quite simple to give permissions individually, and in some cases, it seems like overkill to create a group, give permissions to the group, and then add a user to the group. Using group-based permissions really pays off in the long run, however, regardless of how small your network is today.
One constant in the networking world is that networks grow. When they grow, it is much easier to add users to a well-thought-out system of groups and consistently applied policies and permissions than it is to patch these elements together for each individual user.
Don’t get caught up in the “easy” way of dealing with each request as it comes down the pike. Take the time to figure out how the system will benefit from a more structured approach. Visualize your network as already large with numerous accounts, even if it is still small; this way, when it grows, you will be well positioned to manage the network as smoothly as possible.
Implementing Active Directory Security
So far, you have looked at many different concepts that are related to security within Active Directory. You began by exploring security principals and how they form the basis for administering Active Directory security. Then you considered the purpose and function of groups, how group scopes can affect how these groups work, and how to create a list of the predefined users and groups for new domains and domain controllers. Based on all of this information, it’s time to see how you can implement Active Directory security.
In this section, you’ll take a look at how you can create and manage users and groups. The most commonly used tool for working with these objects is the Active Directory Users and Computers tool. Using this tool, you can create new user and group objects within the relevant OUs of your domain, and you can modify group membership and group scope.
In addition to these basic operations, you can use some additional techniques to simplify the administration of users and groups. One method involves using user templates. Additionally, you’ll want to be able to specify who can make changes to user and group objects. That’s the purpose of delegation. Both of these topics are covered later in this section.
Let’s start with the basics. In Exercise 6.1, you learn how to create and manage users and groups.
This exercise involves creating new OUs and user accounts within an Active Directory domain. Be sure that you are working in a test environment to avoid any problems that might occur because of the changes you make.
EXERCISE 6.1: Creating and Managing Users and Groups
1. Open the Active Directory Users and Computers MMC snap-in by pressing the Windows key (on the keyboard) and choosing Administrative Tools ➢ Active Directory Users And Computers.
2. Create the following top-level OUs (these are the containers used in the remaining steps):
§ Sales
§ Marketing
§ Engineering
§ HR
3. Create the following User objects within the Sales container (use the defaults for all fields not listed):
a. First Name: John
Last Name: Sales
User Logon Name: JSales
b. First Name: Linda
Last Name: Manager
User Logon Name: LManager
4. Create the following User objects within the Marketing container (use the defaults for all fields not listed):
a. First Name: Jane
Last Name: Marketing
User Logon Name: JMarketing
b. First Name: Monica
Last Name: Manager
User Logon Name: MManager
5. Create the following User object within the Engineering container (use the defaults for all fields not listed):
1. First Name: Bob
2. Last Name: Engineer
3. User Logon Name: BEngineer
6. Right-click the HR container, and select New Group. Use the name Managers for the group and specify Global for the group scope and Security for the group type. Click OK to create the group.
7. To assign users to the Managers group, right-click the Group object and select Properties. Change to the Members tab and click Add. Enter Linda Manager and Monica Manager and then click OK. You will see the group membership list. Click OK to finish adding the users to the group.
8. When you have finished creating users and groups, close the Active Directory Users and Computers tool.
Notice that you can add users to groups regardless of the OU in which they’re contained. In Exercise 6.1, for example, you added two user accounts from different OUs into a group that was created in a third OU. This type of flexibility allows you to manage user and group accounts easily based on your business organization.
The Active Directory Users and Computers tool also allows you to perform common functions simply by right-clicking an object and selecting actions from the context menu. For example, you could right-click a user account and select Add Members To Group to change group membership quickly. You even have the ability in Active Directory Users and Computers to drag users from one OU and drop them into another.
You may have noticed that creating multiple users can be a fairly laborious and potentially error-prone process. As a result, you are probably ready to take a look at a better way to create multiple users—by using user templates, which is discussed in the next section.
Using User Templates
Sometimes you will need to add several users with the same security settings. Rather than creating each user from scratch and making configuration changes to each one manually, you can create one user template, configure it, and copy it as many times as necessary. Each copy retains the configuration, group membership, and permissions of the original, but you must specify a new username, password, and full name to make the new user unique.
In Exercise 6.2, you create a user template, make configuration changes, and create a new user based on the template. This exercise shows you that the new user you create will belong to the same group as the user template you copied it from. You must have completed Exercise 6.1 first before you begin this one.
EXERCISE 6.2: Creating and Using User Templates
1. Open the Active Directory Users and Computers tool.
2. Create the following User object within the Sales container (use the defaults for all fields not listed):
1. First Name: Sales User
2. Last Name: Template
3. User Logon Name: SalesUserTemplate
3. Create a new global security group called Sales Users and add SalesUserTemplate to the group membership.
4. Right-click the SalesUserTemplate User object and select Copy from the context menu.
5. Enter the username, first name, and last name for the new user.
6. Click the Next button to move on to the password screen and enter the new user’s password information. Close the Copy Object—User dialog box when you’ve finished.
7. Right-click the user that you created in step 5, select Properties, and click the Member Of tab.
8. Verify that the new user is a member of the Sales Users group.
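The two exercises above, scripted with the ActiveDirectory PowerShell module. This is an added example, not the book's own steps; it assumes you run it on a domain member with rights to create OUs, users and groups, that the four OUs do not exist yet, and it uses a constructed user (Sam Seller, SSeller) as the copy of the template.

```powershell
# Added example: Exercises 6.1 and 6.2 as a script (not from the book).
# Assumes the ActiveDirectory module and rights to create OUs, users and groups in the domain.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Exercise 6.1, step 2: the four top-level OUs (skipped if they already exist).
foreach ($name in 'Sales', 'Marketing', 'Engineering', 'HR') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $domainDN
    }
}

# Steps 3-5: the user objects, exactly as listed in the exercise.
$users = @(
    @{ First = 'John';   Last = 'Sales';     Logon = 'JSales';     OU = 'Sales' }
    @{ First = 'Linda';  Last = 'Manager';   Logon = 'LManager';   OU = 'Sales' }
    @{ First = 'Jane';   Last = 'Marketing'; Logon = 'JMarketing'; OU = 'Marketing' }
    @{ First = 'Monica'; Last = 'Manager';   Logon = 'MManager';   OU = 'Marketing' }
    @{ First = 'Bob';    Last = 'Engineer';  Logon = 'BEngineer';  OU = 'Engineering' }
)
# One initial password read at the prompt (never hard-coded in a script); every account must change it at first logon.
$initialPassword = Read-Host -Prompt 'Initial password for the new accounts' -AsSecureString
foreach ($u in $users) {
    New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
        -SamAccountName $u.Logon -UserPrincipalName "$($u.Logon)@$($domain.DNSRoot)" `
        -Path "OU=$($u.OU),$domainDN" -AccountPassword $initialPassword `
        -ChangePasswordAtLogon $true -Enabled $true
}

# Steps 6-7: global security group Managers in HR, with the two managers (from two different OUs) as members.
New-ADGroup -Name 'Managers' -GroupScope Global -GroupCategory Security -Path "OU=HR,$domainDN"
Add-ADGroupMember -Identity 'Managers' -Members 'LManager', 'MManager'

# Exercise 6.2: the template. New-ADUser creates it disabled by default, which is what you want
# for a template account: it exists only to be copied, never to log on.
New-ADUser -Name 'Sales User Template' -GivenName 'Sales User' -Surname 'Template' `
    -SamAccountName 'SalesUserTemplate' -Path "OU=Sales,$domainDN" -Department 'Sales'
New-ADGroup -Name 'Sales Users' -GroupScope Global -GroupCategory Security -Path "OU=Sales,$domainDN"
Add-ADGroupMember -Identity 'Sales Users' -Members 'SalesUserTemplate'

# The GUI's Copy action, done in two parts: -Instance copies the template's attributes, and the
# group memberships are copied separately because memberOf is a computed back-link, not an attribute.
$template = Get-ADUser -Identity 'SalesUserTemplate' -Properties Department, Description, Office, Title
New-ADUser -Instance $template -Name 'Sam Seller' -GivenName 'Sam' -Surname 'Seller' `
    -SamAccountName 'SSeller' -UserPrincipalName "SSeller@$($domain.DNSRoot)" `
    -Path "OU=Sales,$domainDN" -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
$templateGroups = Get-ADPrincipalGroupMembership -Identity 'SalesUserTemplate' |
    Where-Object { $_.SamAccountName -ne 'Domain Users' }   # primary group, every user already has it
Add-ADPrincipalGroupMembership -Identity 'SSeller' -MemberOf $templateGroups

# Step 8 check: the copy is a member of Sales Users, as the exercise expects.
Get-ADPrincipalGroupMembership -Identity 'SSeller' | Select-Object Name
```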
Delegating Control of Users and Groups
A common administrative function related to the use of Active Directory involves managing users and groups. You can use OUs to group objects logically so that you can easily manage them. Once you have placed the appropriate Active Directory objects within OUs, you are ready to delegate control of these objects.
Delegation is the process by which a higher-level security administrator assigns permissions to other users. For example, if Admin A is a member of the Domain Admins group, Admin A is able to delegate control of any OU within the domain to Admin B. You can access the Delegation Of Control Wizard through the Active Directory Users and Computers tool. You can use it to perform common delegation tasks quickly and easily. The wizard walks you through the steps of selecting the objects for which you want to perform delegation, what permission you want to allow, and which users will have those permissions.
Exercise 6.3 walks through the steps required to delegate control of OUs. To complete the steps in this exercise, you must first have completed Exercise 6.1.
EXERCISE 6.3: Delegating Control of Active Directory Objects
1. Open the Active Directory Users and Computers tool.
2. Create a new user within the Engineering OU using the following information (use the default settings for any fields not specified):
1. First Name: Robert
2. Last Name: Admin
3. User Logon Name: radmin
4. Password: P@ssw0rd
3. Right-click the Sales OU and select Delegate Control. This starts the Delegation Of Control Wizard. Click Next.
4. To add users and groups to whom you want to delegate control, click the Add button. In the Add dialog box, enter Robert Admin for the name of the user to add. Note that you can specify multiple users or groups using this option.
5. Click OK to add the account to the delegation list, which is shown in the Users Or Groups page. Click Next to continue.
6. On the Tasks To Delegate page, you must specify which actions you want to allow the selected user to perform within this OU. Select the Delegate The Following Common Tasks option and place a check mark next to the following options:
1. Create, Delete, And Manage User Accounts
2. Reset User Passwords And Force Password Change At Next Logon
3. Read All User Information
4. Create, Delete And Manage Groups
5. Modify The Membership Of A Group
7. Click Next to continue. The wizard summarizes the selections that you have made on the Completing The Delegation Of Control Wizard page. To complete the process, click Finish to have the wizard commit the changes.
Now when the user Robert Admin logs on (using radmin as his logon name), he will be able to perform common administrative functions for all of the objects contained within the Sales OU.
8. When you have finished, close the Active Directory Users and Computers tool.
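To see exactly which ACEs the wizard wrote for radmin on the Sales OU, the following added example (mine, not from the book) reads the OU's ACL through the AD: drive and resolves the object and extended-right GUIDs to names. It assumes the domain, OU and radmin account from Exercises 6.1 and 6.3.

```powershell
# Added example (not from the book): review what Exercise 6.3 delegated to radmin on the Sales OU.
# Assumes the ActiveDirectory module (which provides the AD: drive) and the objects from Exercises 6.1 and 6.3.
Import-Module ActiveDirectory
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# ACEs written by the wizard refer to classes, attributes and control-access rights by GUID.
# Build one GUID -> name map from the schema (schemaIDGUID) and the Extended-Rights container (rightsGuid).
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[[guid]$_.rightsGuid] = $_.displayName }

function Get-ExplicitAce {
    # Explicit (non-inherited) ACEs on one container for one principal, with GUIDs translated to names.
    param([string]$ContainerDN, [string]$Principal)   # $Principal in DOMAIN\name form
    (Get-Acl -Path "AD:\$ContainerDN").Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal -and -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                # ObjectType: the attribute, property set or extended right the ACE is limited to (empty = all)
                On          = if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { $guidName[$_.ObjectType] }
                # InheritedObjectType: the object class the ACE applies to (empty = every class)
                ForClass    = if ($_.InheritedObjectType -eq [guid]::Empty) { '(any)' } else { $guidName[$_.InheritedObjectType] }
                Inheritance = $_.InheritanceType
            }
        }
}

# The entries map back to the five tasks selected in step 6: create/delete child rights and full control
# scoped to the user and group classes, the Reset Password extended right, write on the member attribute, and so on.
Get-ExplicitAce -ContainerDN "OU=Sales,$($domain.DistinguishedName)" -Principal "$($domain.NetBIOSName)\radmin" |
    Format-Table -AutoSize
```

Running the same function against other OUs and principals is a quick way to find delegations nobody remembers granting.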
Understanding Dynamic Access Control
One of the advantages of Windows Server 2012 R2 is the ability to apply data governance to your file server. This helps you control who has access to information and audit that access. You get these advantages through the use of Dynamic Access Control (DAC). Dynamic Access Control allows you to identify data by using data classifications (both automatic and manual) and then control access to these files based on those classifications.
DAC also gives administrators the ability to control file access by using a central access policy. This central access policy will also allow an administrator to set up audit access to files for reporting and forensic investigation.
DAC allows an administrator to set up Active Directory Rights Management Service encryption for Microsoft Office documents. For example, you can set up encryption for any documents that contain financial information.
Dynamic Access Control gives an administrator the flexibility to configure file access and auditing to domain-based file servers. To do this, DAC controls claims in the authentication token, resource properties, and conditional expressions within permission and auditing entries.
Administrators can give users access to files and folders based on Active Directory attributes. For example, a user named Dana is given access to the file server share because the department attribute of her user account in Active Directory contains the value Sales.
For DAC to function properly, an administrator must enable Windows 8 computers and Windows Server 2012 R2 file servers to support claims and compound authentication.
Using Group Policy for Security
A useful and powerful feature of Active Directory is a technology known as Group Policy. Through the use of Group Policy settings, system administrators can assign thousands of different settings and options for users, groups, and OUs. Specifically, in relation to security, you can use many different options to control how important features such as password policies, user rights, and account lockout settings are configured.
The general process for making these settings is to create a Group Policy object (GPO) with the settings you want and then link it to an OU or other Active Directory object.
Table 6.2 lists many Group Policy settings, which are relevant to creating a secure Active Directory environment. Note that this list is not comprehensive—many other options are available through Windows Server 2012’s administrative tools.
TABLE 6.2 Group Policy settings used for security purposes
Account Policies ➢ Password Policy
Enforce Password History
Specifies how many passwords will be remembered. This option prevents users from reusing the same passwords whenever they’re changed.
Account Policies ➢ Password Policy
Minimum Password Length
Prevents users from using short, weak passwords by specifying the minimum number of characters that the password must include.
Account Policies ➢ Account Lockout Policy
Account Lockout Threshold
Specifies how many bad password attempts can be entered before the account gets locked out.
Account Policies ➢ Account Lockout Policy
Account Lockout Duration
Specifies how long an account will remain locked out after too many bad password attempts have been entered. By setting this option to a reasonable value (such as 30 minutes), you can reduce administrative overhead while still maintaining fairly strong security.
Account Policies ➢ Account Lockout Policy
Reset Account Lockout Counter After
Specifies how long the Account Lockout Threshold counter will hold failed logon attempts before resetting to 0.
Local Policies ➢ Security Options
Accounts: Rename Administrator Account
Individuals trying to gain unauthorized access to a computer often attempt to guess the password of the built-in Administrator account. One method for increasing security is to rename this account, so that the well-known Administrator logon name no longer maps to a valid account and no password will allow entry using it.
Local Policies ➢ Security Options
Domain Controller: Allow Server Operators To Schedule Tasks
This option specifies whether members of the built-in Server Operators group are allowed to schedule tasks on the server.
Local Policies ➢ Security Options
Interactive Logon: Do Not Display Last User Name
Increases security by not displaying the name of the last user who logged onto the system.
Local Policies ➢ Security Options
Shutdown: Allow System To Be Shut Down Without Having To Log On
Allows system administrators to perform remote shutdown operations without logging on to the server.
You can use several different methods to configure Group Policy settings using the tools included with Windows Server 2012. Exercise 6.4 walks through the steps required to create a basic group policy for the purpose of enforcing security settings. To complete the steps of this exercise, you must have completed Exercise 6.1.
EXERCISE 6.4: Applying Security Policies by Using Group Policy
1. Open the Group Policy Management Console tool.
2. Expand Domains and then click the domain name.
3. In the right pane, right-click the Default Domain Policy and choose Edit.
4. In the Group Policy Management Editor window, expand Computer Configuration ➢ Policies ➢ Windows Settings ➢ Security Settings ➢ Account Policies ➢ Password Policy.
5. In the right pane, double-click the Minimum Password Length setting.
6. In the Security Policy Setting dialog box, make sure the box labeled Define This Policy Setting Option is checked. Increase the Password Must Be At Least value to eight characters.
7. Click OK to return to the Group Policy Management Editor window.
8. Expand User Configuration ➢ Policies ➢ Administrative Templates ➢ Control Panel. Double-click Prohibit Access To The Control Panel And PC Settings, select Enabled, and then click OK.
9. Close the Group Policy window.
Fine-Grained Password Policies
Windows Server 2012 R2 allows an organization to have different password and account lockout policies for different sets of users in a domain. In versions of Active Directory before Windows Server 2008, an administrator could set up only one password policy and one account lockout policy per domain.
The Default Domain policy for the domain is where these policy settings were configured. Because domains could have only one password and account lockout policy, organizations that wanted multiple password and account lockout settings had to either create a password filter or deploy multiple domains.
Fine-grained password policies allow you to specify multiple password policies within a single domain. Let’s say you want administrators not to have to change their password as frequently as salespeople. Fine-grained password policies allow you to do just that.
Password Settings objects (PSOs) are created so that you can create fine-grained password policies. You create PSOs using the ADSI editor and then you can use those PSOs to create your fine-grained password policies.
Exercise 6.5 walks through the creation of a custom password policy using the ADSI Edit tool, and then you will link that policy to a group using Active Directory Users and Computers. Before completing this exercise, create a new global group named Passgroup in Active Directory Users and Computers.
EXERCISE 6.5: Fine-Grained Password Policy
1. Open ADSI Edit by pressing the Windows key and choosing ADSI Edit.
2. Right-click ADSI Edit and then choose Connect To.
3. When the Connection Settings dialog box appears, click OK.
4. In the window on the left, expand Default Naming Context ➢ DC=yourdomainname,DC=com ➢ CN=System ➢ CN=Password Settings Container.
5. Right-click CN=Password Settings Container and choose New Object.
6. In the Select A Class box, choose msDS-PasswordSettings and click Next.
7. At the Common Name screen, type CustomPolicy and click Next.
8. At the Password Settings Precedence screen, enter 10 as the value. This works as a cost value: when more than one PSO applies to a user, the PSO with the lowest precedence value takes effect.
9. At the Password Reversible Encryption Status For User Accounts screen, set the value to False (recommended by Microsoft).
10. The Password History Length screen shows how many passwords are remembered before a password can be used again. You can set this for up to 1,024 remembered passwords. Set the value to 12. Click Next.
11. At the Password Complexity screen, set the value to True.
12. The next screen is the Minimum Password Length screen. Set the value to 8 and click Next.
13. At the Minimum Password Age screen, you must enter the minimum amount of time a password must be used before it can be changed. Time is entered in the I8 format, like so:
1. –600000000 = 1 minute
2. –36000000000 = 1 hour
3. –864000000000 = 1 day
So if you want the minimum to be 10 days, you must calculate −864000000000 × 10 (equaling −8640000000000).
Enter –8640000000000 (10 zeros) as your value for 10 days and click Next. You must put the – (minus) sign in front of the value.
14. At the Maximum Password Age screen, set the value to –51840000000000 (10 zeros). This value equals 60 days. Click Next.
15. At the Lockout Threshold screen, enter 3 and click Next.
16. At the Observation Window screen, enter –3000000000 (5 minutes) and click Next.
17. At the Lockout Duration screen, enter –18000000000 (30 minutes) and click Next.
18. Click Finish. If you receive any errors, check all of your times to be sure the – (minus) sign appears in front of the number.
19. Close ADSI Edit.
20. Open the Active Directory Users and Computers snap-in.
21. On the View menu along the top, make sure Advanced Features is checked.
22. In the window on the left, expand Active Directory Users and Computers ➢ yourdomain ➢ System ➢ Password Settings Container.
23. In the details pane on the right side, right-click CustomPolicy and choose Properties.
24. Click the Attribute Editor tab.
25. Scroll down and select the msDS-PsoAppliesTo attribute. Click Edit.
26. In the Multi-valued Distinguished Name dialog box, click Add Windows Account.
27. Type in Passgroup (this is the group you created before the exercise) and click the Check Name button. Click OK.
28. Click OK twice more, and then you are finished. Close the Active Directory Users and Computers snap-in.
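The same PSO built with the ActiveDirectory module instead of ADSI Edit, as an added example (mine, not the book's steps). It also shows that the exercise's I8 values are negative counts of 100-nanosecond ticks, so they can be checked with [TimeSpan]. It assumes the Passgroup group created before the exercise and the JSales user from Exercise 6.1.

```powershell
# Added example (not from the book): Exercise 6.5 with the ActiveDirectory module.
# Assumes the global group Passgroup exists and the caller may create objects in the Password Settings Container.
Import-Module ActiveDirectory

# The I8 values typed into ADSI Edit are negative counts of 100-nanosecond ticks, which is
# exactly .NET's tick unit, so the exercise's numbers can be checked directly.
function ConvertFrom-I8Interval {
    param([Parameter(Mandatory)][long]$Value)
    [TimeSpan]::FromTicks([Math]::Abs($Value))
}
ConvertFrom-I8Interval -8640000000000    # 10.00:00:00 (10 days, step 13)
ConvertFrom-I8Interval -51840000000000   # 60.00:00:00 (60 days, step 14)
ConvertFrom-I8Interval -3000000000       # 00:05:00 (step 16)
ConvertFrom-I8Interval -18000000000      # 00:30:00 (step 17)

# Steps 7-17 as cmdlet parameters. The observation window must not exceed the lockout duration,
# and the minimum password age must be shorter than the maximum; both hold for these values.
$pso = @{
    Name                            = 'CustomPolicy'
    Precedence                      = 10          # lowest value wins when several PSOs apply to one user
    ReversibleEncryptionEnabled     = $false
    PasswordHistoryCount            = 12
    ComplexityEnabled               = $true
    MinPasswordLength               = 8
    MinPasswordAge                  = (New-TimeSpan -Days 10)
    MaxPasswordAge                  = (New-TimeSpan -Days 60)
    LockoutThreshold                = 3
    LockoutObservationWindow        = (New-TimeSpan -Minutes 5)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# Steps 20-28: apply the PSO to the group (this writes msDS-PSOAppliesTo).
Add-ADFineGrainedPasswordPolicySubject -Identity 'CustomPolicy' -Subjects 'Passgroup'

# Verify from both sides: what the PSO applies to, and which policy a given user actually ends up with.
Get-ADFineGrainedPasswordPolicy -Identity 'CustomPolicy' -Properties AppliesTo |
    Select-Object Name, Precedence, AppliesTo
# Returns the winning PSO; returns nothing when only the Default Domain Policy applies to the user.
Get-ADUserResultantPasswordPolicy -Identity 'JSales'
```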
Managing Multiple Domains
You can easily manage most of the operations that must occur between domains by using the Active Directory Domains and Trusts administrative tool. On the other hand, if you want to configure settings within a domain, you should use the Active Directory MMC tools. In the following sections, you’ll look at managing flexible single-master operations (FSMO) roles.
Managing Single-Master Operations
For the most part, Active Directory functions in what is known as multimaster replication. That is, every domain controller within the environment contains a copy of the Active Directory database that is both readable and writable. This works well for most types of information. For example, if you want to modify the password of a user, you can easily do this on any of the domain controllers within a domain. The change is then automatically propagated to the other domain controllers.
However, some functions are not managed in a multimaster fashion. These are known as single-master operations, and the domain controllers that perform them are known as operations masters. You must perform single-master operations on specially designated domain controllers within the Active Directory forest. There are five main single-master functions: two that apply to an entire Active Directory forest and three that apply to each domain.
Forest Operations Masters
You use the Active Directory Domains and Trusts tool to configure forest-wide roles. The following single-master operations apply to the entire forest:
Schema Master Earlier you learned that all of the domain controllers within a single Active Directory environment share the same schema. This ensures information consistency. However, developers and system administrators can modify the Active Directory schema by adding custom information. A trivial example might involve adding a field to employee information that specifies a user’s favorite color.
When you need to make these types of changes, you must perform them on the domain controller that serves as the Schema Master for the environment. The Schema Master is then responsible for propagating all of the changes to all the other domain controllers within the forest.
Domain Naming Master The purpose of the Domain Naming Master is to keep track of all the domains within an Active Directory forest. You access this domain controller whenever you need to add domains to or remove domains from a tree or forest.
Domain Operations Masters
You use the Active Directory Users and Computers snap-in to administer roles within a domain. Within each domain, at least one domain controller must fulfill each of the following roles:
Relative ID (RID) Master Every security object within Active Directory must be assigned a unique identifier so that it is distinguishable from other objects. For example, if you have two OUs named IT that reside in different domains, you must have some way to distinguish easily between them. Furthermore, if you delete one of the IT OUs and then later re-create it, the system must be able to determine that it is not the same object as the other IT OU. The unique identifier for each object is made up of a domain identifier and a relative identifier (RID). RIDs are always unique within an Active Directory domain and are used for managing security information and authenticating users. The RID Master is responsible for creating these values within a domain whenever new Active Directory objects are created.
PDC Emulator Master Within a domain, the PDC Emulator Master is responsible for maintaining backward compatibility with Windows 95, 98, and NT clients. The PDC emulator is also responsible for processing password changes between a domain user account and all of the domain controllers throughout the domain.
The PDC emulator is also the default time server for all of the domain controllers in the domain. This is why it’s a good practice to make sure that your PDC emulator has the proper time. It’s the system that all others will rely on for time accuracy.
The PDC Emulator Master serves as the default domain controller to process authentication requests if another domain controller is unable to do so. The PDC Emulator Master also receives preferential treatment whenever domain security changes are made. PDC emulators are also the preferred point of contact for many services and applications that run on the domain.
Infrastructure Master Whenever a user is added to or removed from a group, all of the other domain controllers should be made aware of this change. The role of the domain controller that acts as an Infrastructure Master is to ensure that group membership information stays synchronized within an Active Directory domain.
Unless there is only one domain controller, you should not place the Infrastructure Master on a global catalog server. If the Infrastructure Master and global catalog are on the same domain controller, the Infrastructure Master will not function.
Another service that a server can control for the network is the Windows Time service. The Windows Time service uses a suite of algorithms in the Network Time Protocol (NTP). This helps ensure that the time on all computers throughout a network is as accurate as possible. All client computers within a Windows Server 2012 R2 domain are synchronized with the time of an authoritative computer.
Assigning Single-Master Roles
Now that you are familiar with the different types of single-master operations, take a look at Exercise 6.6. This exercise shows you how to assign these roles to servers within the Active Directory environment. In this exercise, you will assign single-master operations roles to various domain controllers within the environment. To complete the steps in this exercise, you need one Active Directory domain controller.
EXERCISE 6.6: Assigning Single-Master Operations
1. Open the Active Directory Domains and Trusts administrative tool.
2. Right-click Active Directory Domains And Trusts and choose Operations Masters.
3. In the Operations Masters dialog box, note that you can change the operations master by clicking the Change button. If you want to move this assignment to another computer, first you need to connect to that computer and then make the change. Click Close to continue without making any changes.
4. Close the Active Directory Domains and Trusts administrative tool.
5. Open the Active Directory Users and Computers administrative tool.
6. Right-click the name of a domain and select Operations Masters. This brings up the RID tab of the Operations Masters dialog box.
Notice that you can change the computer that is assigned to the role. To change the role, first you need to connect to the appropriate domain controller. Notice that the PDC and Infrastructure roles have similar tabs. Click Close to continue without making any changes.
7. When you have finished, close the Active Directory Users and Computers tool.
Remember that you manage single-master operations with three different tools. You use the Active Directory Domains and Trusts tool to configure the Domain Naming Master role, while you use the Active Directory Users and Computers snap-in to administer roles within a domain. Although this might not seem intuitive at first, it can help you remember which roles apply to domains and which apply to the whole forest. The third role, the Schema Master, is a bit different from the other two. To change the Schema Master role, you must install the Active Directory Schema MMC snap-in and change it there.
Changing roles from one domain controller to another is really simple. An administrator goes into Active Directory or PowerShell and changes an FSMO role from one machine to another. The problem happens when a machine with one of the roles crashes and goes down. You can’t just switch the role from a machine that is not working.
So, what is an administrator to do? Well, at that point, what you need to do is seize control of the role. You do this through the use of PowerShell. Let’s look at how to seize a role using PowerShell.
You may be familiar with seizing FSMO roles from previous versions of Windows Server. In previous versions, you would use the NTDSUtil.exe command-line utility, but in Windows Server 2012 R2 it needs to be done in PowerShell.
Normally, I would show you how to seize control of an FSMO role using an exercise, but since you probably don’t have dozens of Microsoft Windows Server 2012 R2 domain controllers just lying around, I will show you how to seize control through a step-by-step process.
To show you how to set up a step-by-step process, you first have to know what FSMO roles are assigned to what FSMO numbers. The following roles each have a corresponding number:
§ PDCEmulator = 0
§ RIDMaster = 1
§ InfrastructureMaster = 2
§ SchemaMaster = 3
§ DomainNamingMaster = 4
Now that you know the role and the number associated to it, you just need to know the PowerShell commands to seize control of the role. The following is an example of how to use PowerShell commands to seize control of one of the FSMO roles.
I am using the -Identity switch to specify the target domain controller (I am calling my target domain controller DC1) and the -OperationMasterRole to specify which role to transfer. I’ve also used the -Force command because my current FSMO holder is offline. I will be moving all of the roles to the target domain controller, DC1.
1. On a domain controller, log in as an administrator and start PowerShell with elevated privileges.
2. In PowerShell, type the following command:
Move-ADDirectoryServerOperationMasterRole -Identity DC1 -OperationMasterRole 0,1,2,3,4 -Force
3. Either type Y on each role move prompt or type A to accept all prompts.
4. After a few minutes, all of the FSMO roles should be successfully moved.
Finally, I want to show you a couple of useful PowerShell commands so that you can view which domain controller owns which FSMO role.
Get-ADForest DomainName | FT SchemaMaster,DomainNamingMaster
Get-ADDomain DomainName | FT PDCEmulator,RIDMaster,InfrastructureMaster
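Building on those two commands, the following added example (mine, not from the book) lists every FSMO holder with its role number, flags the Infrastructure Master/global catalog placement caveat from earlier in this section, and chooses between a transfer and a -Force seizure by whether the current holder answers. It assumes a domain-joined machine with the ActiveDirectory module; DC1 is the constructed target name used in the text.

```powershell
# Added example (not from the book): FSMO inventory, placement check, and transfer-or-seize helper.
# Assumes the ActiveDirectory module on a domain-joined machine. DC1 is a constructed target name.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *          # domain controllers of the current domain only

# Role name -> current holder, with the role numbers Move-ADDirectoryServerOperationMasterRole accepts.
$holders = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator           # 0
    RIDMaster            = $domain.RIDMaster             # 1
    InfrastructureMaster = $domain.InfrastructureMaster  # 2
    SchemaMaster         = $forest.SchemaMaster          # 3
    DomainNamingMaster   = $forest.DomainNamingMaster    # 4
}

function Test-HolderOnline {
    param([string]$HostName)
    Test-Connection -ComputerName $HostName -Count 1 -Quiet
}

foreach ($role in $holders.Keys) {
    $state = if (Test-HolderOnline $holders[$role]) { 'reachable' } else { 'UNREACHABLE' }
    '{0,-21} {1,-32} {2}' -f $role, $holders[$role], $state
}

# Placement caveat from the text: with more than one DC, the Infrastructure Master should not be a
# global catalog. If every DC is a global catalog there are no cross-domain references to fix up, so no warning.
$imDc = $dcs | Where-Object HostName -eq $holders.InfrastructureMaster
if ($dcs.Count -gt 1 -and $imDc.IsGlobalCatalog -and ($dcs | Where-Object { -not $_.IsGlobalCatalog })) {
    Write-Warning "Infrastructure Master $($imDc.HostName) is a global catalog while other DCs are not."
}

function Move-FsmoRole {
    # Transfer when the current holder answers; add -Force (seize) only when it does not.
    # After a seizure the old holder must not return to the network with the role still on it.
    param([string]$TargetDc, [string]$Role)
    $params = @{ Identity = $TargetDc; OperationMasterRole = $Role; Confirm = $false }
    if (-not (Test-HolderOnline $holders[$Role])) { $params.Force = $true }
    Move-ADDirectoryServerOperationMasterRole @params
}
# Usage, one role at a time so each decision is visible: Move-FsmoRole -TargetDc 'DC1' -Role 'PDCEmulator'
```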
Maintain Active Directory
If you have deployed Active Directory in your network environment, your users now depend on it to function properly in order to do their jobs. From network authentications to file access to print and web services, Active Directory has become a mission-critical component of your business. Therefore, the importance of backing up the Active Directory data store should be evident.
As I discussed in earlier chapters, it is important to have multiple domain controllers available to provide backup in case of a problem. The same goes for Active Directory itself—it too should be backed up. This way, if a massive disaster occurs in which you need to restore your directory services, you will have that option available to you.
Backups are just good common sense, but here are several specific reasons to back up data:
Protect Against Hardware Failures Computer hardware devices have finite lifetimes, and all hardware eventually fails. We discussed this when we mentioned Mean Time Between Failures (MTBF) earlier. MTBF is the average time a device will function before it actually fails. There is also a rating derived from benchmark testing of hard disk devices that tells you when you may be at risk for an unavoidable disaster. Some types of failures, such as corrupted hard disk drives, can result in significant data loss.
Protect Against Accidental Deletion or Modification of Data Although the threat of hardware failures is very real, in most environments, mistakes in modifying or deleting data are much more common. For example, suppose a systems administrator accidentally deletes all of the objects within a specific OU. Clearly, it’s very important to be able to retrieve this information from a backup.
Keep Historical Information Users and systems administrators sometimes modify files and then later find out that they require access to an older version of the file. Or a file is accidentally deleted, and a user does not discover that fact until much later. By keeping multiple backups over time, you can recover information from prior backups when necessary.
Protect Against Malicious Deletion or Modification of Data Even in the most secure environments, it is conceivable that unauthorized users (or authorized ones with malicious intent!) could delete or modify information. In such cases, the loss of data might require valid backups from which to restore critical information.
Windows Server 2012 R2 includes a Backup utility that is designed to back up operating system files and the Active Directory data store. It allows for basic backup functionality, such as scheduling backup jobs and selecting which files to back up. Figure 6.8 shows the main screen of the Windows Server 2012 R2 Backup utility.
FIGURE 6.8 The main screen of the Windows Server 2012 Backup utility
In the following sections, we’ll look at the details of using the Windows Server 2012 R2 Backup utility and how you can restore Active Directory when problems do occur.
Overview of the Windows Server 2012 R2 Backup Utility
Although the general purpose behind performing backup operations—protecting information—is straightforward, system administrators must consider many options when determining the optimal backup-and-recovery scenario for their environment. Factors include what to back up, how often to back up, and when the backups should be performed.
In this section, you’ll see how the Windows Server 2012 R2 Backup utility makes it easy to implement a backup plan for many network environments.
Although the Windows Server 2012 R2 Backup utility provides the basic functionality required to back up your files, you may want to investigate third-party products that provide additional functionality. These applications can provide options for specific types of backups (such as those for Exchange Server and SQL Server) as well as disaster recovery options, networking functionality, centralized management, and support for more advanced hardware.
One of the most important issues you will have to deal with when you are performing backups is keeping track of which files you have backed up and which files you still need to back up. Windows tracks this with the archive attribute (the archive bit): the attribute is set whenever a file is created or modified, and a normal or incremental backup clears it after copying the file. You can view the attributes of system files by right-clicking them and selecting Properties. By clicking the Advanced button in the Properties dialog box, you will access the Advanced Attributes dialog box. Here you will see the option Folder Is Ready For Archiving. Figure 6.9 shows an example of the attributes for a folder.
FIGURE 6.9 Viewing the Archive attributes for a folder
Although it is possible to back up all of the files in the file system during each backup operation, it’s sometimes more convenient to back up only selected files (such as those that have changed since the last backup operation). When performing backups, you can back up to removable media (DVD) or to a network location.
Microsoft recommends backing up to a network location. Keep in mind, though, that a backup stored at the same site as the server can be lost in the same disaster (fire, hurricane, and so forth) that destroys the server. If you also back up to removable media, a copy of the backup can be taken off-site, which protects against a major disaster. Several types of backups can be performed:
Although Windows Server 2012 R2 does not support all of these backup types, it's very important that you understand the most common ones, because most administrators use third-party software for their backups.
Normal Normal backups (also referred to as system or full backups) back up all of the selected files and then mark them as backed up. This option is usually used when a full system backup is made. Windows Server 2012 R2 supports this backup.
Copy Copy backups back up all of the selected files but do not mark them as backed up. This is useful when you want to make additional backups of files for moving files offsite or you want to make multiple copies of the same data for archival purposes.
Incremental Incremental backups copy any selected files that are marked as ready for backup (typically because they have not been backed up or they have been changed since the last backup) and then mark the files as backed up. When the next incremental backup is run, only the files that are not marked as having been backed up are stored. Incremental backups are used in conjunction with normal (full) backups.
The most common backup process is to make a full backup and then make subsequent incremental backups. The benefit to this method is that only files that have changed since the last full or incremental backup will be stored. This can reduce backup times and disk or tape storage space requirements.
When recovering information from this type of backup method, a system administrator must first restore the full backup and then restore each of the incremental backups.
Differential Differential backups are similar in purpose to incremental backups with one important exception: Differential backups copy all of the files that are marked for backup but do not mark the files as backed up. When restoring files in a situation that uses normal and differential backups, you need only restore the normal backup and the latest differential backup.
Daily Daily backups back up all of the files that have changed during a single day. This operation uses the file time/date stamps to determine which files should be backed up and does not mark the files as having been backed up.
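The differences between these backup types come down to two questions: which files are selected, and whether the archive bit is cleared afterward. The script below is an added example, not part of the book, that simulates normal, copy, incremental, and differential backups on a throwaway folder under your temp directory so you can watch the archive bit drive the selection. The file names and the folder locations are constructed for the example.

```powershell
# Added example (not from the study guide): demonstrates how the archive
# attribute drives Normal, Copy, Incremental and Differential backups.
# It works on a constructed directory under $env:TEMP, so it is safe to run.

$root = Join-Path $env:TEMP 'ArchiveBitDemo'
$dest = Join-Path $env:TEMP 'ArchiveBitDemoBackups'
foreach ($p in $root, $dest) { if (Test-Path $p) { Remove-Item $p -Recurse -Force } }
New-Item -ItemType Directory -Path $root | Out-Null

# Constructed sample files; creating a file sets its Archive attribute.
'one','two','three' | ForEach-Object { Set-Content -Path (Join-Path $root "$_.txt") -Value $_ }

function Get-ArchiveCandidate {
    # Files whose archive bit is set: new or changed since the last Normal/Incremental backup.
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Archive) -ne 0 }
}

function Invoke-SimulatedBackup {
    # Copies the selected files to $Destination and clears the archive bit
    # only for the types that "mark files as backed up".
    param(
        [string]$Path,
        [string]$Destination,
        [ValidateSet('Normal','Copy','Incremental','Differential')][string]$Type
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $selected = switch ($Type) {
        'Normal'       { Get-ChildItem -Path $Path -File -Recurse }   # everything
        'Copy'         { Get-ChildItem -Path $Path -File -Recurse }   # everything, nothing marked
        'Incremental'  { Get-ArchiveCandidate -Path $Path }           # changed since last Normal/Incremental
        'Differential' { Get-ArchiveCandidate -Path $Path }           # changed since last Normal
    }
    foreach ($f in $selected) {
        Copy-Item -Path $f.FullName -Destination $Destination -Force
        if ($Type -in 'Normal','Incremental') {
            # Clear the archive bit: the file now counts as backed up.
            $f.Attributes = $f.Attributes -band (-bnot [IO.FileAttributes]::Archive)
        }
    }
    "{0,-12} backed up: {1}" -f $Type, (($selected | Sort-Object Name | ForEach-Object Name) -join ', ')
}

Invoke-SimulatedBackup -Path $root -Destination (Join-Path $dest 'full')  -Type Normal        # one, two, three
Invoke-SimulatedBackup -Path $root -Destination (Join-Path $dest 'inc1')  -Type Incremental   # nothing changed
Add-Content -Path (Join-Path $root 'two.txt') -Value 'changed'                                 # write sets the bit again
Invoke-SimulatedBackup -Path $root -Destination (Join-Path $dest 'diff1') -Type Differential  # two.txt, bit left set
Invoke-SimulatedBackup -Path $root -Destination (Join-Path $dest 'diff2') -Type Differential  # two.txt again
Invoke-SimulatedBackup -Path $root -Destination (Join-Path $dest 'inc2')  -Type Incremental   # two.txt, bit cleared
Invoke-SimulatedBackup -Path $root -Destination (Join-Path $dest 'inc3')  -Type Incremental   # nothing

Remove-Item $root, $dest -Recurse -Force
```

The two differential runs both copy two.txt because a differential backup never clears the bit; the incremental run that follows copies it once and then sees nothing to do. That is exactly why a restore from incrementals needs every set since the last full backup, while a restore from differentials needs only the last one.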
Backing Up System State Data
When you are planning to back up and restore Active Directory, be aware that the most important component is known as the System State data. System State data includes the components upon which the Windows Server 2012 R2 operating system relies for normal operations. The Windows Server 2012 R2 Backup utility offers you the ability to back up the System State data to another type of media (such as a hard disk or network share). Specifically, it will back up the following components for a Windows Server 2012 R2 domain controller:
Active Directory The Active Directory data store is at the heart of Active Directory. It contains all of the information necessary to create and manage network resources, such as users and computers. In most environments that use Active Directory, users and system administrators rely on the proper functioning of these services in order to do their jobs.
Boot Files Boot files are the files required for booting the Windows Server 2012 R2 operating system and can be used in the case of boot file corruption.
COM+ Class Registration Database The COM+ Class Registration database is a listing of all of the COM+ Class registrations stored on the computer. Applications that run on a Windows Server 2012 R2 computer might require the registration of various shared code components. As part of the System State backup process, Windows Server 2012 R2 stores all of the information related to Component Object Model+ (COM+) components so that it can be quickly and easily restored.
Registry The Windows Server 2012 R2 Registry is a central repository of information related to the operating system configuration (such as desktop and network settings), user settings, and application settings. Therefore, the Registry is absolutely vital to the proper functioning of Windows Server 2012 R2.
Sysvol Directory The Sysvol directory includes data and files that are shared between the domain controllers within an Active Directory domain. Many operating system services rely on this information in order to function properly.
Bare Metal Backups and Restores
One of the options you have in Windows Server 2012 R2 is to do a Bare Metal Restore (BMR). This is a restore of a machine after the machine has been completely wiped out and formatted. This type of restore is done usually after a catastrophic machine failure or crash.
Windows Server 2012 R2 gives you the ability to back up all of the files needed for a Bare Metal Restore by selecting the Bare Metal Recovery check box (see Figure 6.10).
FIGURE 6.10 Bare Metal Option
When you choose the Bare Metal Restore option in Windows Server 2012 R2, all of the sub-options (System State, System Reserved, and Local disk) automatically get checked.
When preparing your network for a Bare Metal Backup, you want to make sure that you have everything you need on hand to complete this type of restore. You may want to keep a copy of the server software, server drivers, and so forth on hand and ready to go, just in case you have to do a full restore.
In addition to specifying which files to back up, you can schedule backup jobs to occur at specific times. Planning when to perform backups is just as important as deciding what to back up. Performing backup operations can reduce overall system performance; therefore, you should plan to back up information during times of minimal activity on your servers.
To add a backup operation to the schedule, you can simply click the Add button on the Specify Backup Time window.
Restoring System State Data
In some cases, the Active Directory data store or other System State data may become corrupt or unavailable. This could be due to many different reasons. A hard disk failure might, for example, result in the loss of data. Or the accidental deletion of an OU and all of its objects might require a restore operation to be performed.
The actual steps involved in restoring System State data are based on the details of what has caused the data loss and what effect this data loss has had on the system. In the best-case scenario, the System State data is corrupt or inaccurate but the operating system can still boot. If this is the case, all you must do is boot into a special Directory Services Restore Mode (DSRM) and then restore the System State data from a backup. This process will replace the current System State data with that from the backup. Therefore, any changes that have been made since the last backup will be completely lost and must be redone.
In a worst-case scenario, all of the information on a server has been lost or a hardware failure is preventing the machine from properly booting. If this is the case, here are several steps that you must take in order to recover System State data:
1. Fix any hardware problem that might prevent the computer from booting (for example, replace any failed hard disks).
2. Reinstall the Windows Server 2012 R2 operating system. This should be performed like a regular installation on a new system.
3. Reinstall any device drivers that may be required by your backup device. If you backed up information to the file system, this will not apply.
4. Restore the System State data using the Windows Server 2012 Backup utility.
I’ll cover the technical details of performing restores later in this section. For now, however, you should understand the importance of backing up information and, whenever possible, testing the validity of backups.
Backing Up and Restoring Group Policy Objects
Group Policy Objects (GPOs) are a major part of Active Directory. When you back up Active Directory, GPOs can also get backed up. You also have the ability to back up GPOs through the Group Policy Management Console (GPMC). This gives you the ability to back up and restore individual GPOs.
To back up all GPOs, open the GPMC and right-click the Group Policy Objects container. You will see the option Back Up All. After you choose this option, a wizard will start asking you for the backup location. Choose a location and click Backup.
To back up an individual GPO, right-click the GPO (in the Group Policy Objects container) and choose Backup. Again, after you choose this option, a wizard will start asking you for the backup location. Choose a location and click Backup.
To restore a GPO, it’s the same process as above except, instead of choosing Backup, you will either choose Manage Backups (to restore all GPOs) or Restore (for an individual GPO).
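The GroupPolicy PowerShell module exposes the same backup and restore operations as the GPMC. The script below is an added example, not part of the book: it backs up every GPO into a dated folder, writes a manifest so backup IDs can be matched to GPOs later, and restores one GPO by name. The folder C:\GPOBackups and the GPO name are assumptions.

```powershell
# Added example (not from the study guide): back up every GPO in the domain
# with Backup-GPO, keep a manifest, and restore a single GPO by name.
# Assumed names: backup root C:\GPOBackups and GPO "Default Domain Policy".
Import-Module GroupPolicy

function Backup-AllGpo {
    param([string]$Root = 'C:\GPOBackups')
    # One folder per run, so older versions of a GPO are not mixed with newer ones.
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    # Backup-GPO returns one object per GPO: DisplayName, GpoId, Id (backup ID), CreationTime.
    $backups = Backup-GPO -All -Path $dest -Comment "Backup taken $(Get-Date)"
    # The manifest lets you find the right backup ID when you need a specific version.
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    $backups
}

function Restore-OneGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$BackupPath
    )
    # Restore-GPO overwrites the live GPO with the newest backup of that GPO found under $BackupPath.
    # Links to OUs, domains and sites are not part of the GPO and are not restored.
    Restore-GPO -Name $Name -Path $BackupPath
}

$run = Backup-AllGpo
$run | Format-Table DisplayName, Id, CreationTime -AutoSize
# Restore-OneGpo -Name 'Default Domain Policy' -BackupPath 'C:\GPOBackups\2015-05-12_2100'
```

To restore a particular older version rather than the newest one in the folder, pass the backup ID from the manifest to Restore-GPO with -BackupId instead of -Name.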
Setting Up an Active Directory Backup
The Windows Server 2012 R2 Backup utility makes it easy to back up the System data (including Active Directory) as part of a normal backup operation. We’ve already covered the ideas behind the different backup types and why and when they are used.
Exercise 6.7 walks you through the process of backing up the domain controller. In order to complete this exercise, the local machine must be a domain controller, and you must have a DVD burner or network location to back up the System State.
The Windows Server 2012 R2 Backup utility is not installed by default. If you have already installed the Windows Server 2012 R2 Backup utility, skip to step 9.
EXERCISE 6.7: Backing Up Active Directory
1. To install the Windows Server 2012 R2 Backup utility, click the Start Key ➢ Administrative Tools ➢ Server Manager.
2. In the center console, click the link for Add Roles And Features.
3. At the Select Installation Type screen, choose role-based or feature-based installation and click Next.
4. The Select Destination Server screen appears. Choose Select A Server From The Server Pool, and choose your server under Server Pool. Click Next.
5. Click Next at the Select Server Roles screen.
6. At the Select Features screen, scroll down and check the box next to Windows Server Backup. Click Next.
7. At the Confirmation screen, click the checkbox to Restart the destination server automatically. This will bring up a dialog box. Click Yes, and then click the Install button.
8. Click the Close button when finished. Close Server Manager.
9. Open Windows Backup by clicking the Windows Key ➢ Administrative Tools ➢ Windows Server Backup.
10. On the left-hand side, click Local Backup. Then, under Actions, click Backup Once.
11. When the Backup Once Wizard appears, click Different Options and click Next.
12. At the Select Backup Configuration screen, choose Custom and click Next.
13. Click the Add Items button. Choose System State and click OK. Click Next.
14. At the Specify Destination Type, choose Remote Shared Folder. Click Next.
15. Put in the shared path you want to use and click Next.
16. At the Confirmation screen, click the Backup button.
17. Once the backup is complete, close the Windows Server Backup utility.
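The same System State backup can be driven from PowerShell with the WindowsServerBackup module that the feature installs. The script below is an added example, not the book's exercise: it builds a one-time policy for System State, points it at a shared folder, runs it, and then checks how old the newest backup is, since a backup job that silently stopped running is a common way to discover there is nothing to restore from. The share name \\backupsrv\dcbackups is an assumption.

```powershell
# Added example (not from the study guide): the System State backup from
# Exercise 6.7 done with the Windows Server Backup cmdlets instead of the GUI.
# Assumed name: share \\backupsrv\dcbackups, plus a credential that can write to it.
Import-Module WindowsServerBackup

function Start-DcSystemStateBackup {
    param(
        [Parameter(Mandatory)][string]$NetworkPath,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy   # Active Directory, SYSVOL, registry, boot files, COM+ database
    # A shared folder keeps only one version: each run overwrites the previous backup,
    # so keep a second copy elsewhere if you need history.
    $target = New-WBBackupTarget -NetworkPath $NetworkPath -Credential $Credential
    Add-WBBackupTarget -Policy $policy -Target $target
    # Copy backup leaves other applications' backup markers (log truncation) alone.
    Set-WBVssBackupOptions -Policy $policy -VssCopyBackup
    Start-WBBackup -Policy $policy
}

function Get-LatestBackupAge {
    # Checking that backups actually happen is part of the backup plan.
    $latest = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
    if (-not $latest) { return [timespan]::MaxValue }
    (Get-Date) - $latest.BackupTime
}

$cred = Get-Credential -Message 'Account with write access to the backup share'
Start-DcSystemStateBackup -NetworkPath '\\backupsrv\dcbackups' -Credential $cred
$age = Get-LatestBackupAge
if ($age.TotalDays -gt 7) { Write-Warning "Newest backup is $([int]$age.TotalDays) days old" }
```

A System State backup is only usable for an Active Directory restore while it is younger than the forest's tombstone lifetime (180 days by default on a forest created with Windows Server 2003 SP1 or later), so the age check matters for more than convenience.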
Restoring Active Directory
Active Directory has been designed with fault tolerance in mind. For example, it is highly recommended by Microsoft that each domain have at least two domain controllers. Each of these domain controllers contains a copy of the Active Directory data store. Should one of the domain controllers fail, the available one can take over the failed server’s functionality. When the failed server is repaired, it can then be promoted to a domain controller in the existing environment. This process effectively restores the failed domain controller without incurring any downtime for end users because all of the Active Directory data is replicated to the repaired server in the next scheduled replication.
In some cases, you might need to restore Active Directory from a backup. For example, suppose a system administrator accidentally deletes several hundred users from the domain and does not realize it until the change has been propagated to all of the other domain controllers. Manually re-creating the accounts is not an option because the objects’ security identifiers will be different (and all permissions must be reset). Clearly, a method for restoring from backup is the best solution. You can elect to make the Active Directory restore authoritative or nonauthoritative, as described in the following sections.
Overview of Authoritative Restore
Restoring Active Directory and other System State data is an important process should system files or the Active Directory data store become corrupt or otherwise unavailable. Fortunately, the Windows Server 2012 R2 Backup utility allows you to restore data easily from a backup, should the need arise.
I mentioned earlier that in the case of the accidental deletion of information from Active Directory, you might need to restore the Active Directory from a recent backup. But what happens if there is more than one domain controller in the environment? Even if you did perform a restore, the information on this domain controller would be seen as outdated and it would be overwritten by the data from the other domain controllers, and that data is exactly the information you want to replace. The objects on the domain controller that was reloaded from backup carry lower version numbers and older time stamps than the deletions recorded on the other domain controllers, so normal replication would simply re-delete the restored information.
Fortunately, Windows Server 2012 R2 and Active Directory allow you to perform what is called an authoritative restore. The authoritative restore process marks the restored objects on one domain controller as the authoritative (or master) copy by raising their version numbers far above anything the other domain controllers hold. When the other domain controllers next replicate with this domain controller, their copies of those objects are overwritten with the restored data.
Now that you have an idea of how an authoritative restore is supposed to work, let’s move on to looking at the details of performing the process.
Performing an Authoritative Restore
When you are restoring Active Directory information on a Windows Server 2012 R2 domain controller, make sure that Active Directory services are not running. This is because the restore of System State data requires full access to system files and the Active Directory data store. If you attempt to restore System State data while the domain controller is active, you will see an error message.
In general, restoring data and operating system files is a straightforward process. It is important to note that restoring a System State backup will replace the existing Registry, Sysvol, and Active Directory files, so that any changes you made since the last backup will be lost.
In addition to marking the entire restored Active Directory database as authoritative, you can mark only specific subtrees within Active Directory using the restore subtree command in the authoritative restore context of the ntdsutil utility. This allows you to restore specific information, and it is useful in case of accidental deletion of isolated material.
Following the authoritative restore process, Active Directory should be updated to the time of the last backup. Furthermore, all of the other domain controllers for this domain will have their copies of the objects marked authoritative overwritten by the results of the restore operation. The result is an Active Directory environment that has been recovered from media.
Overview of Nonauthoritative Restore
Now that you understand why you would use an authoritative restore and how it is performed, it’s an easy conceptual jump to understand a nonauthoritative restore. Remember that by making a restore authoritative, you are simply telling other domain controllers in the domain to recognize the restored machine as the newest copy of Active Directory for replication purposes. If you only have one domain controller, the authoritative restore process becomes moot; you can simply skip the steps required to make the restore authoritative and begin using the domain controller immediately after the normal restore is complete.
If you have more than one domain controller in the domain and you need to perform a nonauthoritative restore, simply allow the domain controller to receive Active Directory database information from other domain controllers in the domain using normal replication methods.
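The authoritative restore procedure described above can be scripted, but it has to be split into two phases because a reboot into Directory Services Restore Mode sits in the middle. The script below is an added example, not part of the book. The backup volume E:, the version identifier (the value printed by wbadmin get versions), and the deleted OU's distinguished name are assumptions; the wbadmin and ntdsutil commands themselves are the tools' own.

```powershell
# Added example (not from the study guide): authoritative restore of a deleted
# OU as a two-phase script. Assumed values: backup on volume E:, backup version
# 05/12/2015-21:00 (as listed by "wbadmin get versions"), and the deleted
# subtree OU=Sales,DC=contoso,DC=com.
param(
    [Parameter(Mandatory)][ValidateSet('EnterDsrm','Restore')][string]$Phase,
    [string]$BackupTarget = 'E:',
    [string]$Version      = '05/12/2015-21:00',
    [string]$SubtreeDN    = 'OU=Sales,DC=contoso,DC=com'
)

switch ($Phase) {
    'EnterDsrm' {
        # 1. Confirm the backup exists and contains System State. Do not use a
        #    backup older than the tombstone lifetime (default 180 days).
        wbadmin get versions -backupTarget:$BackupTarget
        wbadmin get items -version:$Version -backupTarget:$BackupTarget
        # 2. Make the next boot enter Directory Services Restore Mode, then
        #    restart and log on as .\Administrator with the DSRM password.
        bcdedit /set safeboot dsrepair
        shutdown /r /t 5
    }
    'Restore' {
        # Run this phase inside DSRM only; wbadmin refuses a System State
        # restore while the domain controller is running normally.
        # 3. Nonauthoritative restore of the whole System State from the backup.
        wbadmin start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -quiet
        # 4. Before rebooting, mark just the deleted subtree authoritative.
        #    ntdsutil raises the version numbers of those objects so they win
        #    replication instead of being deleted again by the other DCs.
        ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $SubtreeDN" quit quit
        # 5. Return to a normal boot. After the reboot, confirm the OU replicated
        #    back out with: repadmin /showobjmeta <OtherDC> "$SubtreeDN"
        bcdedit /deletevalue safeboot
        shutdown /r /t 5
    }
}
```

If what was lost lives in SYSVOL rather than in the database (a Group Policy template, for example), add -authsysvol to the wbadmin start systemstaterecovery command so that this domain controller's SYSVOL is also treated as authoritative. Restoring only the subtree, rather than the whole database, is what keeps every other change made since the backup intact.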
Active Directory Recycle Bin
The Active Directory Recycle Bin is a great feature that allows an administrator to restore an active directory object that has been deleted.
Let’s say that you have a junior administrator who has been making changes to Active Directory for hours. The junior admin then deletes an OU from Active Directory. You would then have to reload the OU from a tape backup, or even worse, you may have to reload the entire Active Directory (depending on your backup software), thus losing the hours of work the junior admin has completed.
The problem here is that when you delete a security principal from Active Directory and then re-create it, the new object receives a new Security ID (SID). All rights and permissions are associated with the SID and not with the account name, so the re-created object has none of the original's access. This is where the AD Recycle Bin can help.
The Active Directory Recycle Bin allows you to preserve and restore accidentally deleted Active Directory objects without the need of using a backup.
The Active Directory Recycle Bin works for both the Active Directory Domain Services (AD DS) and the Active Directory Lightweight Directory Services (AD LDS) environments.
By enabling the Active Directory Recycle Bin (it is disabled by default), any deleted Active Directory objects are preserved for the deleted object lifetime (180 days by default) and can be restored, in their entirety, to the same condition that they were in immediately before deletion. This means that all group memberships and access rights that the object had before deletion will remain intact. Note that once the feature is enabled, it cannot be disabled again.
To enable the Active Directory Recycle Bin, you must do the following (you must be a member of the Enterprise Admins group to enable the feature, and the adprep steps additionally require Schema Admins and Domain Admins membership):
§ Run the adprep /forestprep command to prepare the forest on the server that holds the schema master to update the schema.
§ Run the adprep /domainprep /gpprep command to prepare the domain on the server that holds the infrastructure operations master role.
§ If a read-only domain controller (RODC) is present in your environment, you must also run the adprep /rodcprep command.
§ Make sure that all domain controllers in your Active Directory forest are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
§ Make sure that the forest functional level is set to Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
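With the prerequisites met, the feature is enabled with a single cmdlet, and deleted objects are restored with Restore-ADObject. The script below is an added example, not part of the book: it enables the Recycle Bin, lists what is currently in the Deleted Objects container, and restores a deleted OU followed by the objects that were inside it, in that order, because a child cannot be restored while its parent is still deleted. The forest name and the OU name Sales are assumptions.

```powershell
# Added example (not from the study guide): enable the Recycle Bin, list
# deleted objects, and restore a deleted OU together with its former children.
# Assumed names: the current forest and a deleted OU whose name begins "Sales".
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    param([string]$Forest = (Get-ADForest).Name)
    # Irreversible. Requires Enterprise Admins and forest functional level 2008 R2 or higher.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

function Get-DeletedAdObject {
    param([string]$Name = '*')
    # Deleted objects sit under CN=Deleted Objects with isDeleted = TRUE; their RDN is
    # renamed to "<name>\0ADEL:<guid>", so match on the prefix.
    Get-ADObject -Filter { isDeleted -eq $true -and Name -ne 'Deleted Objects' } `
                 -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Where-Object { $_.Name -like "$Name*" }
}

function Restore-DeletedAdTree {
    param([Parameter(Mandatory)][string]$OuName)
    $ou = Get-DeletedAdObject -Name $OuName | Where-Object ObjectClass -eq 'organizationalUnit' | Select-Object -First 1
    if (-not $ou) { throw "No deleted OU whose name starts with '$OuName' was found" }
    # Parent first.
    Restore-ADObject -Identity $ou.ObjectGUID
    $restoredOu = Get-ADObject -Identity $ou.ObjectGUID
    # lastKnownParent is a DN-valued attribute, so once the OU is back it resolves to
    # the OU's live DN, and the children can be found by it.
    $children = Get-ADObject -Filter { isDeleted -eq $true } -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -eq $restoredOu.DistinguishedName }
    foreach ($child in $children) { Restore-ADObject -Identity $child.ObjectGUID }
    # SIDs, group memberships and ACL entries all survive, unlike a re-created account.
    [pscustomobject]@{ RestoredOU = $restoredOu.DistinguishedName; ChildrenRestored = @($children).Count }
}

# Enable-AdRecycleBin
Get-DeletedAdObject | Format-Table Name, ObjectClass, lastKnownParent, whenChanged -AutoSize
# Restore-DeletedAdTree -OuName 'Sales'
```

If the original parent container no longer exists and cannot be restored, Restore-ADObject accepts -TargetPath to place the object somewhere else; the object's SID and memberships are still preserved.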
Restartable Active Directory
Administrators have the ability to stop and restart Active Directory in the Windows Server 2012 operating system without the need to reboot the entire system. Administrators can perform these actions either by using the Microsoft Management Console (MMC) snap-ins or the command line.
With Restartable Active Directory Services, an administrator has the ability to stop Active Directory Services so that updates and other tasks can be applied to a domain controller. One task that an administrator can perform while Active Directory is stopped is an offline defragmentation of the database.
One of the advantages of a Restartable Active Directory is that services running on the same server that do not depend on Active Directory continue to function while Active Directory is stopped; services that do depend on it, such as the Kerberos Key Distribution Center and the DNS Server service on an AD-integrated DNS server, are stopped along with it. An administrator has the ability to stop and restart the Active Directory Domain Services in the Local Services MMC snap-in.
As you learned in the preceding section, there are times when you have to be offline to do maintenance. For example, you need to perform authoritative and nonauthoritative restores while the domain controller is offline. The main utility we use for offline maintenance is ntdsutil.
The primary method by which system administrators can do offline maintenance is through the ntdsutil command-line tool. You can launch this tool by simply entering ntdsutil at a command prompt. For the commands to work properly, you must start the command prompt with elevated privileges. The ntdsutil command is both interactive and context sensitive. That is, once you launch the utility, you’ll see an ntdsutil command prompt. At this prompt, you can enter various commands that set your context within the application. For example, if you enter domain management, you’ll be able to enter domain-related commands. Several operations also require you to connect to a domain, a domain controller, or an Active Directory object before you perform a command.
Table 6.3 provides a list of some of the top-level commands supported by the ntdsutil tool. You can access this functionality by typing ntdsutil at an elevated command prompt. Once you are at the ntdsutil prompt, you can type a question mark to see all of the commands available.
TABLE 6.3 Ntdsutil offline maintenance commands
Ntdsutil command and explanation
Help or ?
Displays information about the commands that are available within the current menu of the ntdsutil utility.
Activate instance %s
Sets NTDS or a specific AD LDS instance as the active instance.
Authoritative restore
Marks objects, subtrees, or the whole restored database as authoritative, so that they replicate out to the other domain controllers instead of being overwritten.
Change service account
Changes the AD LDS service account to the given user name and password. You can use "NULL" for a blank password, and you can use * to be prompted for the password.
Configurable settings
Allows an administrator to manage configurable settings.
DS behavior
Allows an administrator to view and modify AD DS or AD LDS behavior.
Files
Allows an administrator to manage the AD DS or AD LDS database files (for example, compact, integrity, and move).
Group membership evaluation
Allows an administrator to evaluate the security IDs (SIDs) in a token for a given user or group.
LDAP policies
Allows an administrator to manage the Lightweight Directory Access Protocol (LDAP) protocol policies.
Metadata cleanup
Removes metadata from decommissioned domain controllers.
Security account management
Allows an administrator to manage SIDs (for example, to check for and clean up duplicate SIDs).
Set DSRM password
Resets the Directory Services Restore Mode administrator account password.
Active Directory Database Mounting Tool
One issue that an administrator may run into when trying to restore Active Directory is the need to restore several backups to compare the Active Directory data that each backup contains. Windows Server 2012 R2 has a utility called the Active Directory database mounting tool (Dsamain.exe), which can resolve this issue.
The Dsamain.exe tool can help the recovery processes by giving you a way to compare data as it exists in snapshots (taken at different times) so that you have the ability to decide which Active Directory database to restore.
Creating snapshots on a regular basis will allow you to have enough data so that you can keep accurate records of how the Active Directory database changes over time. The ntdsutil utility allows you to take snapshots by using the ntdsutil snapshot operation.
You are not required to run the ntdsutil snapshot operation to use Dsamain.exe. You have the ability to use a backup of the Active Directory database.
You must be a member of the Domain Admins group or the Enterprise Admins group to view any snapshots taken due to the fact that these snapshots contain sensitive Active Directory data.
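The snapshot, mount, and dsamain steps fit together as follows. The script below is an added example, not part of the book: it creates a snapshot, mounts one by GUID, serves the mounted database on a spare LDAP port with dsamain.exe, and then compares a user's attributes in the snapshot with the live directory. The LDAP port 10389, the user name jsmith, and the assumption that ntdsutil reports the mount point with the words "mounted as" are all assumptions for the example.

```powershell
# Added example (not from the study guide): take an AD snapshot, mount it,
# expose it with dsamain.exe on a spare LDAP port, and diff a user against
# the live directory. Assumed values: port 10389, user jsmith, and that
# ntdsutil's mount output contains "mounted as <path>".
Import-Module ActiveDirectory

function New-AdSnapshot {
    # VSS snapshot of the volume(s) holding ntds.dit; ntdsutil prints the new GUID.
    ntdsutil snapshot 'activate instance ntds' create quit quit
}

function Get-AdSnapshotList {
    ntdsutil snapshot 'list all' quit quit
}

function Mount-AdSnapshot {
    param([Parameter(Mandatory)][string]$SnapshotGuid, [int]$Port = 10389)
    $out = ntdsutil snapshot "mount $SnapshotGuid" quit quit
    $m = $out | Select-String 'mounted as (.+)$' | Select-Object -First 1
    if (-not $m) { throw "Could not determine mount point from ntdsutil output:`n$($out -join "`n")" }
    $mountPath = $m.Matches[0].Groups[1].Value.Trim()
    $dit = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
    # dsamain serves the snapshot read-only over LDAP; it keeps running in its own window.
    $proc = Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru
    [pscustomobject]@{ SnapshotGuid = $SnapshotGuid; MountPath = $mountPath; Port = $Port; Process = $proc }
}

function Dismount-AdSnapshot {
    param([Parameter(Mandatory)]$Mounted)
    Stop-Process -Id $Mounted.Process.Id -ErrorAction SilentlyContinue
    ntdsutil snapshot "unmount $($Mounted.SnapshotGuid)" quit quit
}

function Compare-AdUserWithSnapshot {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Port = 10389)
    $props = 'memberOf', 'description', 'userAccountControl'
    $live = Get-ADUser -Identity $SamAccountName -Properties $props
    $old  = Get-ADUser -Identity $SamAccountName -Properties $props -Server "localhost:$Port"
    foreach ($p in $props) {
        # Normalise multi-valued attributes to a sorted string before comparing.
        $then = (@($old.$p)  | Sort-Object) -join ';'
        $now  = (@($live.$p) | Sort-Object) -join ';'
        if ($then -ne $now) { [pscustomobject]@{ Attribute = $p; Snapshot = $then; Live = $now } }
    }
}

# Typical use, as a Domain Admin on the domain controller:
# New-AdSnapshot
# Get-AdSnapshotList                                  # note the GUID of the snapshot to inspect
# $m = Mount-AdSnapshot -SnapshotGuid '<guid>'
# Compare-AdUserWithSnapshot -SamAccountName jsmith   # rows only for attributes that differ
# Dismount-AdSnapshot -Mounted $m
```

Because dsamain serves a full copy of the directory, including password hashes, treat a mounted snapshot with the same care as the live database: mount it only on the domain controller, bind the port to localhost use, and dismount it as soon as the comparison is done.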
Compact the Directory Database File (Offline Defragmentation)
One task that all of us have been doing for years is defragmenting the operating systems that we run; we have used the defragmentation utility since Windows NT. Defragmenting a system consolidates file data and returns unused space to the hard drive.
You can also use the defragmentation process to compact the Active Directory database while it’s offline. Offline defragmentation helps return free disk space and check Active Directory database integrity.
To perform an offline defragmentation, you would use the ntdsutil command. When you perform a defragmentation of the Active Directory database, a new compacted version of the database is created. This new database file can be created on the same machine (if space permits) or on a network location. After the new file is created, copy the compacted Ntds.dit file back to the original location.
It is a good practice, if space allows, to maintain a copy of the older, original database file. You can either rename the older database file and keep it in its current location or copy the older database file to an alternate location.
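Put together, the offline defragmentation with Restartable AD DS looks like the script below. It is an added example, not part of the book: it stops AD DS, compacts the database to a scratch folder, checks the compacted copy before trusting it, keeps the original file and logs, swaps in the compacted file, and restarts AD DS together with the services that were stopped with it. The scratch folder D:\NtdsCompact is an assumption; the database path is read from the standard %SystemRoot%\NTDS location.

```powershell
# Added example (not from the study guide): offline defragmentation of ntds.dit
# with AD DS stopped (Restartable AD DS) instead of booting into DSRM.
# Assumed paths: database in %SystemRoot%\NTDS, scratch folder D:\NtdsCompact.
$ntdsDir   = Join-Path $env:SystemRoot 'NTDS'
$compactTo = 'D:\NtdsCompact'
$keepDir   = Join-Path $ntdsDir ('Before-Compact-' + (Get-Date -Format 'yyyyMMdd-HHmm'))

function Invoke-NtdsUtil {
    # Runs ntdsutil non-interactively; each argument is one menu command.
    param([string[]]$Commands)
    & ntdsutil.exe @Commands 2>&1 | ForEach-Object { "$_" }
}

# 1. Remember which dependent services (KDC, DNS, DFSR ...) are running, then stop AD DS.
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object Status -eq 'Running'
Stop-Service -Name NTDS -Force

try {
    New-Item -ItemType Directory -Path $compactTo, $keepDir -Force | Out-Null

    # 2. Compact to a new file; the original ntds.dit is left untouched.
    Invoke-NtdsUtil 'activate instance ntds', 'files', "compact to $compactTo", 'quit', 'quit'
    $newDit = Join-Path $compactTo 'ntds.dit'
    if (-not (Test-Path $newDit)) { throw 'ntdsutil did not produce a compacted ntds.dit; original left in place' }

    # 3. Check the compacted copy before it replaces anything.
    & esentutl.exe /g $newDit
    if ($LASTEXITCODE -ne 0) { throw 'Integrity check of the compacted database failed; original left in place' }

    # 4. Keep the old database and its log files (they no longer match the new file), then swap.
    Move-Item -Path (Join-Path $ntdsDir 'ntds.dit') -Destination $keepDir
    Get-ChildItem -Path $ntdsDir -Filter '*.log' | Move-Item -Destination $keepDir
    Copy-Item -Path $newDit -Destination $ntdsDir

    # 5. Let ntdsutil verify the database AD DS will start with.
    Invoke-NtdsUtil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
}
finally {
    # 6. Bring AD DS back, then the services that were running before.
    Start-Service -Name NTDS
    foreach ($svc in $dependents) { Start-Service -Name $svc.Name }
    Get-Service -Name NTDS | Format-Table Name, Status -AutoSize
}
```

If any check fails, the original database and logs are still in place and AD DS simply restarts on them; delete the Before-Compact folder only after the domain controller has replicated normally for a while.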
At times you may need to keep an eye on how your replication traffic is working on your domain controllers. We are going to examine the replication utility that you can use to help determine if there are problems on your domain.
The Repadmin utility is included when you install Windows Server 2012 R2. This command-line tool helps administrators diagnose replication problems between Windows domain controllers.
Repadmin allows administrators to view the replication topology of each domain controller as seen from the domain controller’s perspective. Administrators can also use Repadmin to create the replication topology manually. By manually creating the replication topology, administrators can force replication events between domain controllers and view the replication metadata vectors.
To access the Repadmin utility, open a command prompt using an elevated privilege (Run CMD). At the command prompt, type Repadmin.exe, and all of the available options will appear.
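Repadmin's /csv switch makes its output easy to work with from PowerShell. The script below is an added example, not part of the book: it runs repadmin /showrepl against every domain controller, flags inbound partners with recorded failures or no successful replication within a chosen window, and triggers a full inbound sync on the affected destinations. The column names are the ones repadmin itself writes in CSV mode; the 24-hour threshold is an assumption for the example.

```powershell
# Added example (not from the study guide): summarize replication health from
# "repadmin /showrepl * /csv" and flag partners with failures or stale data.
# Assumes repadmin.exe (RSAT-ADDS) is present; the 24-hour threshold is arbitrary.
function Get-ReplicationProblem {
    param([int]$StaleHours = 24)
    # One row per (destination DC, source DC, naming context).
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures = [int]$r.'Number of Failures'
        $lastOk   = [datetime]::MinValue
        $parsed   = [datetime]::TryParse($r.'Last Success Time', [ref]$lastOk)
        $stale    = (-not $parsed) -or (((Get-Date) - $lastOk).TotalHours -gt $StaleHours)
        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination = $r.'Destination DSA'
                Source      = $r.'Source DSA'
                Partition   = $r.'Naming Context'
                Failures    = $failures
                LastSuccess = if ($parsed) { $lastOk } else { $r.'Last Success Time' }
                LastStatus  = $r.'Last Failure Status'
            }
        }
    }
}

$problems = Get-ReplicationProblem
if ($problems) {
    $problems | Format-Table -AutoSize
    # Pull every partition into each destination DC that reported a problem
    # (/A all partitions, /d show names as DNs, /e cross-site, /P push changes outward too).
    $problems | Select-Object -ExpandProperty Destination -Unique | ForEach-Object { repadmin /syncall $_ /AdeP }
} else {
    'Replication healthy: no failures and no stale partners.'
}
```

A partner that shows a successful sync but whose failure count keeps rising is usually a partition-specific problem (for example, a lingering object or a permissions error on one naming context), so keep the Partition column in view rather than summarizing per domain controller only.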
Using the ADSI Editor
Another utility (explained earlier in the chapter) that allows you to manage objects and attributes in Active Directory is the Active Directory Service Interfaces Editor (ADSI Edit). Earlier we used ADSI Edit (Adsiedit.msc) to create multiple password policies to allow for fine-grained password policies. ADSI Edit allows you to view every object and attribute in an Active Directory forest.
One advantage to using the Adsiedit.msc MMC snap-in is that this tool allows you to query, view, create, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins.
ADSI Edit allows you to administer an AD LDS instance. To do this, you must first connect and bind to the instance. After you connect and bind to the instance, you can administer the containers and objects within the instance by browsing to the containers or objects and then right-clicking them. To complete this task, you must be a member of the Administrators group for the AD LDS instance.
Wbadmin Command Line Utility
The wbadmin command allows you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.
You must be a member of the Administrators group to configure a backup schedule. You must be a member of the Backup Operators or the Administrators group (or you must have been delegated the appropriate permissions) to perform all other tasks using the wbadmin command.
To use the wbadmin command, you must run wbadmin from an elevated command prompt (to open an elevated command prompt, click Start, right-click Command Prompt, and then click Run As Administrator). Table 6.4 shows some of the wbadmin commands.
TABLE 6.4 Wbadmin commands
Wbadmin enable backup
Configures and enables a daily backup schedule.
Wbadmin disable backup
Disables your daily backups.
Wbadmin start backup
Runs a one-time backup.
Wbadmin stop job
Stops the currently running backup or recovery operation.
Wbadmin get items
Lists the items included in a specific backup.
Wbadmin start recovery
Runs a recovery of the volumes, applications, files, or folders specified.
Wbadmin get status
Shows the status of the currently running backup or recovery operation.
Wbadmin start systemstaterecovery
Runs a system state recovery.
Wbadmin start systemstatebackup
Runs a system state backup.
Wbadmin start sysrecovery
Runs a full system (bare metal) recovery of all volumes that contain operating system components. This subcommand is available only from the Windows Recovery Environment.
Summary
In this chapter, I talked about important items that pertain to security, such as which default groups are available after a base install of the operating system and how to secure the most vulnerable accounts.
I then covered how passwords and tokens work within Windows Server 2012 R2 and also how to create a separate password policy using the ADSI Edit utility. I discussed the different Operation Master roles (FSMO) and how to change or seize the role to another domain controller.
Finally, in this chapter, you also learned about how important it is to back up and restore a Windows Server 2012 R2 domain controller machine in the event of a hardware or software failure. I also explained how some of the features such as the Active Directory Recycle Bin and ntdsutil are part of a Windows Server 2012 R2 domain controller and how these utilities make an administrator’s life easier.
Exam Essentials
Understand the various backup types available with the Windows Server 2012 Backup utility. The Windows Server 2012 R2 Backup utility can perform full and incremental backup operations. Some third-party backup utilities also support differential and daily backups. You can use each of these operations as part of an efficient backup strategy.
Know how to back up Active Directory. The data within the Active Directory database on a domain controller is part of the system state data. You can back up the system state data to a file using the Windows Server 2012 R2 Backup utility.
Know how to restore Active Directory. Restoring the Active Directory database is considerably different from other restore operations. To restore some or all of the Active Directory database, you must first boot the machine into Directory Services Restore mode.
Understand the importance of an authoritative restore process. You use an authoritative restore when you want to restore earlier information from an Active Directory backup, and you want the older information to be propagated to other domain controllers in the environment.
Understand offline maintenance using ntdsutil. The ntdsutil command-line tool is a primary method by which system administrators perform offline maintenance. Understand how to launch this tool by entering ntdsutil at a command prompt.
Review Questions
1. You are the administrator of a large company, and you need to ensure that you can recover your Windows Server 2012 R2 Active Directory configuration and data if the computer’s hard disk fails. What should you do?
A. Create a complete PC Backup and Restore image.
B. Create a backup of all file categories.
C. Perform an automated system recovery (ASR) backup.
D. Create a system restore point.
2. You need to back up the existing data on a computer before you install a new application. You also need to ensure that you are able to recover individual user files that are replaced or deleted during the installation. What should you do?
A. Create a system restore point.
B. Perform an automated system recovery (ASR) backup and restore.
C. In the Windows Server Backup utility, click the Backup Once link.
D. In the Backup And Restore Center window, click the Back Up Computer button.
3. You are the administrator of a large organization. While setting up your Windows Server 2012 R2 domain controller, you are creating a data recovery strategy that must meet the following requirements:
§ Back up all data files and folders in C:\Data.
§ Restore individual files and folders in C:\Data.
§ Ensure that data is backed up to and restored from external media.
What should you do?
A. Use the Previous Versions feature to restore the files and folders.
B. Use the System Restore feature to perform backup and restore operations.
C. Use the NTBackup utility to back up and restore individual files and folders.
D. Use the Windows Server Backup to back up and restore files.
4. You are a network administrator, and you want to create multiple password policies for the users in your domain. What utility do you use to complete this task?
A. Schema Editor
B. ADSI Edit
5. You are the system administrator for a large organization with multiple Active Directory domain controllers. Currently, the environment supports many different domain controllers, some of which are running Windows 2008 and Windows Server 2012 R2. When you are running domain controllers in this type of environment, which of the following types of groups can you not use? (Choose all that apply.)
A. Universal security groups
B. Global groups
C. Domain local groups
D. None—you can use all group types
6. You are the network administrator for your organization. A new company policy has been released wherein if a user enters their password incorrectly three times within 5 minutes, they are locked out for 30 minutes. What three actions do you need to set to comply with this policy? (Choose all that apply.)
A. Set Account Lockout Duration to 5 minutes.
B. Set Account Lockout Duration to 30 minutes.
C. Set the Account Lockout Threshold setting to 3 invalid logon attempts.
D. Set the Account Lockout Threshold setting to 30 minutes.
E. Set the Reset Account Lockout Counter setting to 5 minutes.
F. Set the Reset Account Lockout Counter setting to 3 times.
7. You are teaching a Microsoft Active Directory class, and one of your students asks you which of the following folders in the Active Directory Users and Computers tool is used when users from outside the forest are granted access to resources within a domain? What answer would you give your student?
B. Domain Controllers
C. Foreign Security Principals
8. Your manager has decided that your organization needs to use an Active Directory application data partition. Which command can you use to create and manage application data partitions?
9. Robert is a system administrator who is responsible for performing backups on several servers. Recently, he has been asked to take over the operations of several new servers, including backup operations. He has the following requirements:
§ The backup must finish as quickly as possible.
§ The backup must use the absolute minimum amount of storage space.
§ He must perform backup operations at least daily with a full backup at least weekly.
Robert decides to use the Windows Server 2012 R2 Windows Server Backup utility to perform the backups. He wants to choose a set of backup types that will meet all of these requirements. He decides to back up all files on each of these servers every week. Then he decides to store only the files that have changed since the last backup operation (regardless of type) during the weekdays. Which of the following types of backup operations should he use to implement this solution? (Choose two.)
10. You are removing a domain controller from your network. This domain controller holds the forestwide operations master roles. Which roles would you need to transfer to another machine before you remove the domain controller? (Choose all that apply.)
A. PDC Emulator Master
B. Schema Master
C. RID Master
D. Domain Naming Master
E. Infrastructure Master