Session Objectives and Takeaways

Session Objectives and Takeaways

Active Directory Forest

Schema

Master

Infrastructure

Master

Step1:

run: ADPREP /ForestPrep

Step 2:

run: ADPREP /DomainPrep (each domain)

run: ADPREP /DomainPrep /GPPrep (each

domain)

run: ADPREP /DomainPrep /RODCPREP

(optional, depends on using RODC or not)

Step 3: Install Fresh or

Upgrade

WS 2008 R2

Domain

Controller

Demote the original DC gracefully and disconnect from network

Fresh install a Windows server 2008 R2 on a new hardware

Rename to the original name and join to domain

Promote to Windows server 2008 R2 DC

Transfer back all the FSMO roles

Demote the original DC gracefully and disconnect from network

Fresh install a Windows server 2008 R2 on a new hardware

Rename to the original name and join to domain

Promote to Windows server 2008 R2 DC

Transfer back all the FSMO roles

8. Apply any registry key / DC hardening keys that used before

Demote the original DC gracefully and disconnect from network

Fresh install a Windows server 2008 R2 on a new hardware

Rename to the original name and join to domain

Promote to Windows server 2008 R2 DC

Transfer back all the FSMO roles

8. Apply any registry key / DC hardening keys that used before

9. Upgrade DC one by one

Demote the original DC gracefully and disconnect from network

Fresh install a Windows server 2008 R2 on a new hardware

Rename to the original name and join to domain

Promote to Windows server 2008 R2 DC

Transfer back all the FSMO roles

8. Apply any registry key / DC hardening keys that used before

9. Upgrade DC one by one

10. Change domain and forest functional mode

Considerations

netsh

Printbrm.exe

CA backup and restore

New Domain Functional Level

New Forest Functional Level

DES Encryption For Kerberos

DES Encryption For Kerberos

DES Encryption For Kerberos

Encryption Criteria for Kerberos

Role O.S Supported encryption level for Kerberos

DC Windows 2003 RC4 and DES

Client Windows XP DES and RC4

Resource Server Non Windows Kerberos Server DES

DES Encryption is Disabled – So, what?

Role O.S Supported encryption level for

Kerberos

DC Windows 2003 RC4 and DES

Client Windows 7 AES and RC4

Resource Server Non Windows Kerberos

Server

DES

Authoritative Restore of the Krbtgt

Authoritative Restore of the Krbtgt

Authoritative Restore of the Krbtgt

Authoritative Restore of the Krbtgt

Invalid FSMO Role Holder

Invalid FSMO Role Holder

Invalid FSMO Role Holder

Invalid FSMO Role Holder

LDAP Query Policy Hard Limits

LDAP Query Policy Hard Limits

LDAP Query Policy Hard Limits

LDAP Query Policy Hard Limits

LDAP Query Policy Hard Limits

http://support.microsoft.com/kb/2009267

NT4 Crypto

Dynamic Port Range

Dynamic Port Range

Dynamic Port Range

Miscellaneous

Considerations before Upgrade

Considerations before Upgrade

RODC Benefits

Branch office….

RODC Features

RODC Authentication and Client Operations

58

How it works: Password caching during first logon

Hub

`

Read Only DCHub Writable DC

Branch

RODC Authentication and Client Operations

59

How it works: Password caching during first logon

Hub

`

Read Only DCHub Writable DC

Branch

1. AS_Req sent to RODC

(request for TGT)

1

RODC Authentication and Client Operations

60

How it works: Password caching during first logon

Hub

`

Read Only DCHub Writable DC

Branch 2. RODC: Looks in DB: "I

don't have the users

password "

1. AS_Req sent to RODC

(request for TGT)

1

2

RODC Authentication and Client Operations

61

How it works: Password caching during first logon

Hub

`

Read Only DCHub Writable DC

Branch 2. RODC: Looks in DB: "I

don't have the users

password "

3. Forwards Request to a

writeable DC

1. AS_Req sent to RODC

(request for TGT)

1

2

3

RODC Authentication and Client Operations

62

How it works: Password caching during first logon

Hub

`

Read Only DCHub Writable DC

Branch 2. RODC: Looks in DB: "I

don't have the users

password "

3. Forwards Request to a

writeable DC

4. Writeable DC

authenticates request

1. AS_Req sent to RODC

(request for TGT)

1

2

3

4

RODC Authentication and Client Operations

63

How it works: Password caching during first logon

Hub

`

Read Only DCHub Writable DC

Branch 2. RODC: Looks in DB: "I

don't have the users

password "

3. Forwards Request to a

writeable DC

4. Writeable DC

authenticates request

5. Returns authentication

response and TGT back to

the RODC

1. AS_Req sent to RODC

(request for TGT)

1

2

3

4

5

RODC Authentication and Client Operations

64

How it works: Password caching during first logon

Hub

`

Read Only DCHub Writable DC

Branch 2. RODC: Looks in DB: "I

don't have the users

password "

3. Forwards Request to a

writeable DC

4. Writeable DC

authenticates request

5. Returns authentication

response and TGT back to

the RODC

1. AS_Req sent to RODC

(request for TGT)

1

2

3

4

5

6

6. RODC gives TGT to User

and Queues a replication

request for the password

6

RODC Authentication and Client Operations

65

How it works: Password caching during first logon

Hub

`

Read Only DCHub Writable DC

Branch 2. RODC: Looks in DB: "I

don't have the users

password "

3. Forwards Request to a

writeable DC

4. Writeable DC

authenticates request

5. Returns authentication

response and TGT back to

the RODC

6. RODC gives TGT to User

and Queues a replication

request for the password

7) Hub DC checks

Password Replication

Policy to see if

Password can be

replicated

1. AS_Req sent to RODC

(request for TGT)

1

2

3

4

5

6

6

7

7

Note: At this point the user will have a hub signed TGT

RODC Limitations

RODC Considerations

Fine Grain Password Policy (FGPP)

Creating a Fine Grain Password Policy

FGPP – Implementation Considerations

FGPP – Defining Scope

FGPP – Best Practices

Listens on port 9389

Advertised via DC Locator

nltest /dsgetdc:domain /ws

Active Directory Web Services

AD Core

LDAP

S.DS.P / S.DS.AM / S.DS.AD

.NET

S

E

R

V

E

R

C

L

I

E

N

T

ADUC/ADSS/ADDT

WSH

ADSI

LDAP

MMC

…

GUI

DS RPC-Based Protocols

… DSR SAM

CLI

DS RPC-Based Protocols

… DSR SAM

AD Core

LDAP

AD Web Services

S.DS.P / S.DS.AM / S.DS.AD

AD PowerShell MUX

WCF

.NET

WPF

.NET

.NET

S

E

R

V

E

R

C

L

I

E

N

T

WCF

.NET

AD Core

DS RPC-Based Protocols

… DSR SAM

AD Admin Center

GUI

BPA ADUC/ADSS/ADDT

WSH

ADSI

LDAP

MMC

…

GUI

DS RPC-Based Protocols

… DSR SAM

CLI

Recycle Bin

Tombstone

Object

Recycled

Object

Deleted

Object

Windows Server 2008

No Recycle bin feature

Windows Server 2008 R2 with Recycle Bin enabled

Garbage

Collection

Garbage

Collection

Live

Object

Auth Restore

Delete

Delete

Undelete Deleted Object

Lifetime

180 Days

Tombstone

Lifetime

180 Days

Tombstone

Lifetime

180 Days

Live

Object

Recovering Multiple Objects Deleted Objects container

A flat list of all objects in the Deleted state

DN is mangled, attributes preserved, lastKnownParent

Restore objects to live parent

Deleted objects must be restored to a live parent

Perform restore in top-down order

lastKnownParent and lastKnownRDN properties useful in rebuilding hierarchy

RDN over 128 chars truncated

\0ADEL:…

Recovering Multiple Objects Deleted Objects container

A flat list of all objects in the Deleted state

DN is mangled, attributes preserved, lastKnownParent

Restore objects to live parent

Deleted objects must be restored to a live parent

Perform restore in top-down order

lastKnownParent and lastKnownRDN properties useful in rebuilding hierarchy

RDN over 128 chars truncated

Delete

\0ADEL:…

\0ADEL:…

\0ADEL:…

\0ADEL:…

\0ADEL:...

\0ADEL:…

Recovering Multiple Objects Deleted Objects container

A flat list of all objects in the Deleted state

DN is mangled, attributes preserved, lastKnownParent

Restore objects to live parent

Deleted objects must be restored to a live parent

Perform restore in top-down order

lastKnownParent and lastKnownRDN properties useful in rebuilding hierarchy

RDN over 128 chars truncated

\0ADEL:…

\0ADEL:…

\0ADEL:…

\0ADEL:…

\0ADEL:...

\0ADEL:…

Recovering Multiple Objects Deleted Objects container

A flat list of all objects in the Deleted state

DN is mangled, attributes preserved, lastKnownParent

Restore objects to live parent

Deleted objects must be restored to a live parent

Perform restore in top-down order

lastKnownParent and lastKnownRDN properties useful in rebuilding hierarchy

RDN over 128 chars truncated

\0ADEL:…

\0ADEL:…

\0ADEL:…

\0ADEL:…

\0ADEL:...

\0ADEL:…

Undelete

Recovering Multiple Objects Deleted Objects container

A flat list of all objects in the Deleted state

DN is mangled, attributes preserved, lastKnownParent

Restore objects to live parent

Deleted objects must be restored to a live parent

Perform restore in top-down order

lastKnownParent and lastKnownRDN properties useful in rebuilding hierarchy

RDN over 128 chars truncated

\0ADEL:…

\0ADEL:…

Undelete

Recovering Multiple Objects Deleted Objects container

A flat list of all objects in the Deleted state

DN is mangled, attributes preserved, lastKnownParent

Restore objects to live parent

Deleted objects must be restored to a live parent

Perform restore in top-down order

lastKnownParent and lastKnownRDN properties useful in rebuilding hierarchy

RDN over 128 chars truncated

\0ADEL:…

Recycle Bin Considerations

Key new features overview