20411B-ENU-TrainerHandbook.pdf
Administering Windows Server® 2012 3-9

o The domain controller hosting the PDC Emulator flexible single master operations (FSMO) role must be available during cloning operations.

The following requirements must be met to support both VDC cloning and safe restore:

o Guest virtual machines must be running Windows Server 2012.

o The virtualization host platform must support VM Generation ID (VM GENID). This includes Windows Server 2012 Hyper-V®.

Creating a VDC Clone

To create a VDC clone in Windows Server 2012, perform the following steps:

1. Create a DcCloneConfig.xml file that contains the unique server configuration.

2. Copy this file into the location of the AD DS database on the source domain controller (C:\Windows\NTDS by default). This file can also be stored on removable media, if required.

3. Take the source VDC offline and export or copy it.

4. Create a new virtual machine by importing the exported one. This virtual machine is promoted automatically as a unique domain controller.
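The four steps above, carried out with the Active Directory and Hyper-V modules, as an added example that is not the handbook's own code. It also performs two prerequisite checks the handbook's step list does not spell out (membership of the Cloneable Domain Controllers group and review of applications not known to be clone-safe), and it verifies the PDC Emulator requirement stated above. Assumed names: the source VDC is LON-DC1 (both its host name and its Hyper-V VM name), the clone is LON-DC2 in site Default-First-Site-Name, the export folder is D:\Exports, and addresses are in 172.16.0.0/16. Run it on the Hyper-V host.

```powershell
# Added example (not from the 20411B handbook). Assumed: LON-DC1 is the source VDC and VM,
# LON-DC2 the clone name, D:\Exports the export folder, Windows Server 2012 Hyper-V on this host.
$SourceVM   = 'LON-DC1'
$CloneName  = 'LON-DC2'
$ExportPath = 'D:\Exports'

# --- Handbook steps 1 and 2, executed inside the source DC ---
Invoke-Command -ComputerName $SourceVM -ScriptBlock {
    param($CloneName)
    Import-Module ActiveDirectory

    # Prerequisite named in the handbook: the PDC Emulator must be available during cloning.
    $pdc = (Get-ADDomain).PDCEmulator
    if (-not (Test-Connection -ComputerName $pdc -Count 1 -Quiet)) {
        throw "PDC Emulator $pdc is unreachable; cloning cannot proceed."
    }

    # A DC can only be cloned if it is a member of Cloneable Domain Controllers (not in the handbook's steps).
    $me = Get-ADComputer -Identity $env:COMPUTERNAME
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $me

    # Installed applications not known to be clone-safe must be reviewed before cloning. Only after that
    # review would you run Get-ADDCCloningExcludedApplicationList -GenerateXml to write the allow list.
    $unknown = Get-ADDCCloningExcludedApplicationList
    if ($unknown) { throw "Review these applications before cloning: $($unknown.Name -join ', ')" }

    # Step 1 and 2: write DcCloneConfig.xml with the clone's unique identity directly into C:\Windows\NTDS.
    # The static IPv4 values below are constructed sample values.
    New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName 'Default-First-Site-Name' -Static `
        -IPv4Address '172.16.0.11' -IPv4SubnetMask '255.255.0.0' -IPv4DefaultGateway '172.16.0.1' `
        -IPv4DNSResolver '172.16.0.10' -Path 'C:\Windows\NTDS'
} -ArgumentList $CloneName

# --- Step 3: take the source VDC offline and export it ---
Stop-VM -Name $SourceVM
Export-VM -Name $SourceVM -Path $ExportPath

# --- Step 4: import the export as a copy with a new VM ID (the VM-GenerationID therefore changes) ---
# Assumption: Windows Server 2012 Hyper-V stores the exported VM configuration as an .xml file.
$cfg = Get-ChildItem -Path (Join-Path $ExportPath "$SourceVM\Virtual Machines") -Filter '*.xml' |
       Select-Object -First 1
$clone = Import-VM -Path $cfg.FullName -Copy -GenerateNewId
Rename-VM -VM $clone -NewName $CloneName

# Bring the source back first, then start the clone; it promotes itself from DcCloneConfig.xml.
Start-VM -Name $SourceVM
Start-VM -Name $CloneName
```

The script stops if any application on the source is not on the default or custom allow list, because the clone would otherwise carry that application's per-machine identity into a second domain controller; the allow list is deliberately not generated automatically.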

 

 

Managing Virtualized Domain Controllers

The Windows Server 2012 safe restore capability enables VDCs that are running Windows Server 2012 to participate gracefully in the AD DS replication topology, after you apply a snapshot within Hyper-V to the virtual machine that is hosting the domain controller. Taking and applying snapshots for a VDC in Hyper-V requires specific considerations and steps.

Validating AD DS Replication

When a virtual machine snapshot is applied to a VDC, the safe restore process initiates inbound replication for the changes in AD DS between the virtual domain controller and the rest of the AD DS environment. The relative identifier (RID) pool is released,

A virtual domain controller recovered from a Hyper-V snapshot must be able to contact a writable domain controller.

You may not restore all domain controllers in a domain simultaneously. If all domain controllers are restored simultaneously, SYSVOL replication will halt, and all partners in synchronization will be considered nonauthoritative. This is an important consideration for full environment rollback situations that may occur frequently in a test environment.

3-10 Maintaining Active Directory Domain Services

Changes originated on a restored virtual domain controller that have not replicated since the snapshot was taken are lost. Because of this, you must ensure that all outgoing replication on a domain controller has been completed before taking a snapshot of the virtual machine.

Using Windows PowerShell for Hyper-V Snapshot Management

You can use the following Windows PowerShell® cmdlets to perform snapshot management in Windows Server 2012:

• Checkpoint-VM

• Export-VMSnapshot

• Get-VMSnapshot

• Remove-VMSnapshot

• Rename-VMSnapshot

• Restore-VMSnapshot
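The handbook states above that changes originated on a VDC and not yet replicated are lost when a snapshot is applied, so a snapshot should only be taken after outbound replication has completed. The following script is an added example, not the handbook's own code: it pushes replication from the domain controller, confirms that no replication failures are outstanding, and only then uses the cmdlets listed above to create and review a checkpoint. It assumes a Hyper-V VM named LON-DC1 on the local host whose domain controller is LON-DC1.Adatum.com, and that repadmin.exe is reachable on the path.

```powershell
# Added example (not from the 20411B handbook). Assumed: VM 'LON-DC1' on this Hyper-V host hosts the
# domain controller LON-DC1.Adatum.com; repadmin.exe is available (it is installed on every DC and in RSAT).
$VMName = 'LON-DC1'
$DC     = 'LON-DC1.Adatum.com'

# Push every partition from this DC to all of its partners:
# /A all partitions, /d identify servers by DN, /e include cross-site partners, /P push rather than pull.
repadmin /syncall $DC /AdeP | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "repadmin /syncall reported errors for $DC; no checkpoint taken."
}

# Any replication failure involving this DC means changes may still be unreplicated: stop here.
$failures = Get-ADReplicationFailure -Target $DC
if ($failures) {
    $failures | Format-Table Partner, FailureType, FailureCount, LastError
    throw "Replication failures present for $DC; no checkpoint taken."
}

# Only now create the checkpoint, named with a timestamp so it is never confused with an older one.
$snapshotName = 'PreMaintenance-{0:yyyyMMdd-HHmm}' -f (Get-Date)
Checkpoint-VM -Name $VMName -SnapshotName $snapshotName

# Review what exists; stale checkpoints of a DC should be removed so they are not applied by accident.
Get-VMSnapshot -VMName $VMName | Sort-Object CreationTime | Format-Table Name, CreationTime

# Applying the checkpoint later changes the VM-GenerationID and triggers safe restore on the Server 2012 VDC:
#   Restore-VMSnapshot -VMName $VMName -Name $snapshotName -Confirm:$false
# Per the handbook, that DC must then be able to reach a writable domain controller.
```

The replication push is the part that matters: Checkpoint-VM itself will succeed regardless of replication state, so the script makes the safety check a precondition rather than a note in the runbook.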

Considerations for Managing Virtual Domain Controller Snapshots

Consider the following when managing virtual domain controller snapshots in Windows Server 2012:

• Do not use snapshots to replace regular system state backups. In a frequently changing AD DS environment, snapshots do not always contain the full contents of AD DS objects, due to replication changes.

• Do not restore a snapshot of a domain controller that was taken before it was promoted. Doing so will require that you repromote the server manually after the snapshot is applied and the metadata cleanup occurs.

• Do not host all virtual domain controllers on the same hypervisor or server. This introduces a single point of failure into the AD DS infrastructure, and circumvents many of the benefits that virtualizing your domain-controller infrastructure provides.

Lesson 3

Implementing Read-Only Domain Controllers

RODCs provide an alternative to a fully writable domain controller. In many scenarios, such as a remote branch office or a location where a server cannot be placed in a secure physical environment, RODCs can provide the functionality of a domain controller without potentially exposing your AD DS environment to unnecessary risks. This lesson will help you to better understand the methods and best practices that you can use to manage RODCs in the Windows Server 2012 environment.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain considerations for implementing RODCs.

• Describe how to manage RODC credential caching.

• Identify the important aspects of managing local administration for RODCs.

Considerations for Implementing RODCs

 

 

An RODC has a read-only copy of an Active Directory domain, which contains all of the domain’s objects, but not all of their attributes. System-critical attributes, such as passwords, do not replicate to an RODC because it is not considered secure. You can prevent additional attributes from being replicated to RODCs by marking the attribute as confidential and adding it to the Filtered Attribute Set (FAS).

Understanding RODC Functionality

You cannot make changes to the domain database on the RODC, because the AD DS database on the RODC does not accept modification requests from clients and applications. All requests for changes are forwarded to a writable domain controller. Because no changes occur on the RODC, replication of Active Directory changes is one way only from writable domain controllers to the RODC.

User and computer credentials are not replicated to an RODC by default. To use an RODC to enhance user logon, you need to configure a Password Replication Policy (PRP) that defines which user credentials can be cached. Limiting the credentials cached on the RODC reduces the security risks. If the RODC is stolen, only passwords for the cached user and computer accounts need to be reset.

If user and computer credentials are not replicated to an RODC then a writable domain controller must be contacted during the authentication process. Typically (in a branch office scenario), the credentials for local users and computers are cached on an RODC. When RODCs are placed in a perimeter network, the credentials for users and computers typically are not cached.
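The FAS mechanism described at the start of this topic is configured by setting bits in the searchFlags attribute of the attribute's schema definition: 0x80 marks it confidential and 0x200 places it in the RODC Filtered Attribute Set. The script below is an added example, not the handbook's own code. It assumes a custom schema attribute with the LDAP display name adatum-EmployeeSSN already exists and that you run it as a member of Schema Admins; the schemaFlagsEx bit check (0x1, FLAG_ATTR_IS_CRITICAL) reflects the rule that system-critical attributes cannot be added to the FAS.

```powershell
# Added example (not from the 20411B handbook). Assumed: a custom attribute 'adatum-EmployeeSSN' exists
# in the schema and the caller is a Schema Admin able to reach the Schema Master.
Import-Module ActiveDirectory

$AttributeName    = 'adatum-EmployeeSSN'   # assumed custom attribute
$CONFIDENTIAL     = 0x80                   # searchFlags bit: reads require the CONTROL_ACCESS right
$RODC_FILTERED    = 0x200                  # searchFlags bit: attribute is in the RODC Filtered Attribute Set
$ATTR_IS_CRITICAL = 0x1                    # schemaFlagsEx bit: system-critical, cannot be added to the FAS

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" `
                     -Properties searchFlags, schemaFlagsEx
if (-not $attr) { throw "Attribute $AttributeName was not found in the schema." }

# System-critical attributes never replicate to an RODC anyway and are refused for the FAS; check first.
if (($attr.schemaFlagsEx -band $ATTR_IS_CRITICAL) -ne 0) {
    throw "$AttributeName is system-critical and cannot be placed in the FAS."
}

# OR the two bits into the existing flags so other searchFlags settings (indexing etc.) are preserved.
$newFlags = $attr.searchFlags -bor $CONFIDENTIAL -bor $RODC_FILTERED
if ($newFlags -ne $attr.searchFlags) {
    # Schema writes must go to the Schema Master, so target it explicitly.
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $attr -Replace @{ searchFlags = $newFlags } -Server $schemaMaster
}

# Verify: enumerate every attribute whose searchFlags has the 0x200 (512) bit set, using the
# LDAP bitwise-AND matching rule. The list should now include adatum-EmployeeSSN.
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=512)' `
             -Properties lDAPDisplayName | Select-Object -ExpandProperty lDAPDisplayName
```

Marking the attribute confidential (0x80) is what keeps it from being read by ordinary users on writable domain controllers; the FAS bit (0x200) is what keeps it off the RODC entirely. Setting both, as the handbook recommends, covers both exposure paths.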


Administrative Role Separation

To manage a writable domain controller, you must be a member of the domain local Administrators group. Any user placed in the domain local Administrators group is given permissions to manage all domain controllers in the domain. This causes problems for remote-office administration with a writable domain controller, because the administrator in a remote office should not be given access to the organization’s other domain controllers.

This gives the administrator of a remote office permission to manage only that RODC, which may also be configured to provide other services such as file shares and printing.

Read-Only DNS

DNS is a critical resource for a Windows network. If you configure an RODC as a DNS server, then you can replicate DNS zones through AD DS to the RODC. DNS on the RODC is read-only. DNS update requests are referred to a writable copy of DNS.

Deploying RODCs

To deploy an RODC, ensure that the following activities are performed:

• Ensure that the forest functional level is Windows Server 2003 or newer. That means that all domain controllers must be Windows Server 2003 or newer, and each domain in the forest must be at the domain functional level of Windows Server 2003 or newer.

• Run ADPrep /RODCPrep. This configures permissions on DNS application directory partitions to allow them to replicate to RODCs. This is required only if the Active Directory forest has been upgraded.

• Ensure that there is a writable domain controller running Windows Server 2008 or newer. An RODC replicates the domain partition only from these domain controllers. Therefore, each domain with RODCs must have at least one Windows Server 2008 or newer domain controller. You can replicate the Schema and Configuration partitions from Windows Server 2003.

RODC Installation

Like a writable domain controller, you can install an RODC by using an attended or an unattended installation. If you perform an attended installation by using the graphical interface, you select the RODC as one of the additional domain controller options.

You also can delegate the RODC installation to the administrator in the remote office by using a staged installation. In a staged installation, you need to perform the following steps:

1. Ensure that the server to be configured as the RODC is not a member of the domain.

2. A domain administrator uses Active Directory Users and Computers to precreate the RODC account in the Domain Controllers organizational unit (OU). The wizard for performing this process prompts for the necessary information, including the user or group that is allowed to join the RODC to the domain.

3. The administrator in the remote office runs the Active Directory Domain Services Installation Wizard, and follows the wizard to join the domain as the precreated RODC account.
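The same staged installation performed with the ADDSDeployment module that ships with Windows Server 2012, as an added example rather than the handbook's own code. Stage 1 is what the wizard in step 2 does; stage 2 is what the remote administrator does in step 3. Assumed names: the RODC is LON-RODC1 in site Branch, the domain is Adatum.com, the delegated group is Adatum\LON-RODC1-Admins, and the branch administrator's account is Adatum\Bob.Branch.

```powershell
# Added example (not from the 20411B handbook). Assumed: RODC 'LON-RODC1', site 'Branch', domain
# Adatum.com, delegation group 'Adatum\LON-RODC1-Admins', branch admin 'Adatum\Bob.Branch'.

# --- Stage 1 (handbook step 2): a domain administrator, on a writable DC, precreates the RODC account ---
Import-Module ADDSDeployment
$domainAdmin = Get-Credential -UserName 'Adatum\Administrator' -Message 'Domain Admin credentials'

# Check prerequisites first; any failure is reported without touching the directory.
Test-ADDSReadOnlyDomainControllerAccountCreation -DomainControllerAccountName 'LON-RODC1' `
    -DomainName 'Adatum.com' -SiteName 'Branch' -Credential $domainAdmin

# The account lands in the Domain Controllers OU; the delegated group is the only principal
# allowed to attach a server to it, exactly as the wizard prompts for in step 2.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName 'LON-RODC1' `
    -DomainName 'Adatum.com' -SiteName 'Branch' `
    -DelegatedAdministratorAccountName 'Adatum\LON-RODC1-Admins' `
    -InstallDns:$true -Credential $domainAdmin

# --- Stage 2 (handbook step 3): the branch administrator, on the workgroup server that becomes the RODC ---
# Step 1 of the handbook applies: this server must not already be a domain member.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$branchAdmin = Get-Credential -UserName 'Adatum\Bob.Branch' -Message 'Delegated RODC admin credentials'
$dsrm        = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# -UseExistingAccount attaches this server to the precreated account; no Domain Admin rights are needed.
Test-ADDSDomainControllerInstallation -DomainName 'Adatum.com' -UseExistingAccount:$true `
    -Credential $branchAdmin -SafeModeAdministratorPassword $dsrm
Install-ADDSDomainController -DomainName 'Adatum.com' -UseExistingAccount:$true `
    -Credential $branchAdmin -SafeModeAdministratorPassword $dsrm `
    -InstallDns:$true -Force:$true
```

The security point of the staged approach is visible in the two credential prompts: the only step that needs Domain Admin rights runs centrally, and the credential that travels to the branch is one that can do nothing beyond attaching this one server to this one precreated account.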

Managing RODC Credential Caching

RODCs provide the capability to store only a subset of credentials for accounts in AD DS through the implementation of credential caching. With credential caching, a password replication policy (PRP) determines which user and computer credentials can be cached on a specific RODC. If the PRP allows an RODC to cache an account’s credentials, authentication and service ticket activities of that account can be processed locally by the RODC. If an account’s credentials cannot be cached on the RODC, or they are not cached on the RODC, authentication and service ticket activities are chained by the RODC to a writable domain controller.

Password Replication Policy Components

The PRP for an RODC contains both an Allowed List and a Denied List. Each list can contain specific accounts or groups that contain accounts. Two groups exist by default:

• Allowed RODC Password Replication Group is added to the Allowed List of all RODCs. This group has no members by default.

• Denied RODC Password Replication Group is added to the Denied List of all RODCs. By default, Domain Admins, Enterprise Admins, and Group Policy Creator Owners are the members of this group. The default membership of the Denied List includes Administrators, Server Operators, and Account Operators.

In most cases, you will want to add accounts separately to each RODC, or add global groups containing accounts rather than globally allowing password caching. This allows you to limit the number of credentials cached to only those accounts commonly used at that location. Domain administrative accounts should not be cached on RODCs in remote offices. You should cache computer accounts to speed up authentication of computer accounts during system startup. Additionally, you should cache service accounts for services that are running at the remote office.

Best Practices for Credential Caching

The following best practices should be observed to ensure the most effective use of cached credentials:

• Create separate AD DS global groups for each RODC.

• Do not cache passwords for domain-wide administrative accounts.
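The PRP components and best practices above, applied to one branch-office RODC with the Active Directory module, as an added example rather than the handbook's own code. Assumed names: the RODC is LON-RODC1, branch users and computers live in OU=Branch,DC=Adatum,DC=com, the per-RODC group is LON-RODC1-AllowedPRP, the branch service account is svc-BranchPrint, and Adatum-ServerAdmins is a privileged group of the organisation's own that the built-in Denied group does not already cover.

```powershell
# Added example (not from the 20411B handbook). Assumed: RODC 'LON-RODC1', branch OU
# 'OU=Branch,DC=Adatum,DC=com', group 'LON-RODC1-AllowedPRP', service account 'svc-BranchPrint',
# and a custom privileged group 'Adatum-ServerAdmins'.
Import-Module ActiveDirectory

$Rodc   = 'LON-RODC1'
$Group  = 'LON-RODC1-AllowedPRP'
$Branch = 'OU=Branch,DC=Adatum,DC=com'

# 1. One global group per RODC (best practice), holding only the accounts that log on at that site:
#    branch users, branch computers (faster startup), and the service account running there.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -Path $Branch -Description "Accounts cacheable on $Rodc"
}
$members  = @(Get-ADUser -Filter * -SearchBase $Branch)
$members += @(Get-ADComputer -Filter * -SearchBase $Branch)
$members += Get-ADUser -Identity 'svc-BranchPrint'
Add-ADGroupMember -Identity $Group -Members $members

# 2. Allow that group on this RODC only, rather than on all RODCs through the
#    domain-wide Allowed RODC Password Replication Group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Group

# 3. Never cache domain-wide administrative accounts. Domain Admins, Enterprise Admins and the other
#    built-in groups are denied by default; deny the organisation's own privileged group explicitly.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList 'Adatum-ServerAdmins'

# 4. Review the resulting policy. Denied entries win over allowed ones.
Write-Output "Allowed list for ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Format-Table Name, ObjectClass
Write-Output "Denied list for ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Format-Table Name, ObjectClass

# 5. The accounts whose secrets the RODC actually holds. If the RODC is stolen, this list is exactly
#    the set of passwords that must be reset (the handbook's point about limiting the blast radius).
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass | Format-Table
```

The difference between steps 2 and 5 is worth keeping in mind: the Allowed List says what may be cached, whereas the revealed-accounts list says what has been cached because the account has since authenticated through the RODC. Incident response after a lost RODC works from the second list.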

 


Managing Local Administration for RODCs

The management of RODCs is separated from other domain controllers. Therefore, you can delegate administration of RODCs to local administrators in remote offices, without giving those administrators access to writable domain controllers.

You can delegate administration of an RODC in the properties of the RODC computer account on the Managed By tab. You should follow this method to delegate the administration of an RODC because you can manage it centrally and easily.

You can specify only a single security principal on the Managed By tab of an RODC computer account. Specify a group so that you can delegate management permissions to multiple users by making them members of the group.

You also can delegate administration of an RODC by using ntdsutil or dsmgmt with the local roles option, as the following example shows:

C:\>dsmgmt

Dsmgmt: local roles

local roles: add Adatum\Research

You should cache the password for delegated administrators to ensure that you can perform system maintenance when a writable domain controller is unavailable.
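The Managed By delegation and the caching of the delegated administrators' credentials described above, done with the Active Directory module instead of the Managed By tab or dsmgmt, as an added example rather than the handbook's own code. It also checks that no domain-wide administrative account has slipped into the delegation group, which is the mistake the note in this topic warns against. Assumed names: the RODC is LON-RODC1, the delegation group is LON-RODC1-Admins in OU=Branch,DC=Adatum,DC=com, and Bob.Branch is a branch administrator with no domain-wide privileges, all in a single domain Adatum.com.

```powershell
# Added example (not from the 20411B handbook). Assumed: RODC 'LON-RODC1', group 'LON-RODC1-Admins'
# under 'OU=Branch,DC=Adatum,DC=com', branch admin 'Bob.Branch', single domain Adatum.com.
Import-Module ActiveDirectory

$Rodc  = 'LON-RODC1'
$Group = 'LON-RODC1-Admins'
$OU    = 'OU=Branch,DC=Adatum,DC=com'

# 1. Managed By accepts a single principal, so delegate to a group and manage people through membership.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -Path $OU -Description "Delegated local admins of $Rodc"
}
Add-ADGroupMember -Identity $Group -Members 'Bob.Branch'

# 2. Write the RODC computer account's Managed By attribute; this is what the Managed By tab sets.
Set-ADComputer -Identity $Rodc -ManagedBy (Get-ADGroup -Identity $Group)

# 3. Cache the delegated admins' passwords on this RODC so maintenance works when no writable DC is reachable.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Group

# 4. Guard rail: the delegation group must contain no member (directly or nested) of a domain-wide
#    administrative group, because anyone who logs on to the RODC must be assumed compromised.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty SamAccountName -Unique
$delegated = Get-ADGroupMember -Identity $Group -Recursive | Select-Object -ExpandProperty SamAccountName
$overlap   = $delegated | Where-Object { $privileged -contains $_ }
if ($overlap) {
    Write-Warning "Domain-wide administrative accounts are delegated to ${Rodc}: $($overlap -join ', ')"
}

# 5. Confirm the delegation as stored on the computer account.
Get-ADComputer -Identity $Rodc -Properties ManagedBy | Select-Object Name, ManagedBy
```

Step 4 is the check that is easy to forget: a domain administrator added to the branch group "just to help out" would have their credentials cached on a server the handbook tells you to treat as already compromised. Running the check on a schedule turns the note into something that is enforced.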

Note: You should never access the RODC with an account that has permissions similar to Domain Admins. RODC computers are considered compromised by default, so you should assume that by logging in to the RODC you are giving up domain admin credentials. Thus, domain administrators should have a separate server admin type account that is delegated management access to the RODC.

Lesson 4

Administering AD DS

AD DS management happens in many different forms. The AD DS environment contains a large number of management tools that enable you to monitor and modify AD DS, to ensure that your organization’s domain infrastructure is serving its purpose and functioning properly. Windows Server 2012 includes a broader set of tools for working within AD DS than previous Windows versions included. Improvements to the Active Directory Administrative Center and the addition of several cmdlets to the Active Directory module for Windows PowerShell enable even greater control over your AD DS domain.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the Active Directory administrative snap-ins.

• Describe the Active Directory Administrative Center.

• Explain how to manage AD DS by using management tools.

Active Directory Administrative Snap-ins

• Active Directory Users and Computers. This snap-in manages most common day-to-day resources, including users, groups, and computers. This is likely to be the most heavily used snap-in for an Active Directory administrator.

• Active Directory Sites and Services. This manages replication, network topology, and related services.

• Active Directory Domains and Trusts. This configures and maintains trust relationships and the domain and forest functional level.

• Active Directory Schema. This snap-in examines and modifies the definition of Active Directory attributes and object classes. The schema is the blueprint for Active Directory, and you typically do not view or change it very often. Therefore, the Active Directory Schema snap-in is not fully installed by default.


Overview of the Active Directory Administrative Center

Windows Server 2012 provides another option for managing AD DS objects. The Active Directory Administrative Center provides a graphical user interface (GUI) built on Windows PowerShell. This enhanced interface allows you to perform Active Directory object management by using task-oriented navigation. Tasks that you can perform by using the Active Directory Administrative Center include:

• Creating and managing user, computer, and group accounts.

• Creating and managing OUs.

• Connecting to and managing multiple domains within a single instance of the Active Directory Administrative Center.

• Searching and filtering Active Directory data by building queries.

• Creating and managing fine-grained password policies.

• Recovering objects from the Active Directory Recycle Bin.

Installation Requirements

You can install the Active Directory Administrative Center only on computers that are running Windows Server 2008 R2, Windows Server 2012, Windows® 7 or Windows 8. You can install the Active Directory Administrative Center by:

• Installing the AD DS server role through Server Manager.

• Installing the Remote Server Administration Tools (RSAT) on a Windows Server 2012 server or Windows 8.

Note: The Active Directory Administrative Center relies on the Active Directory Web Services (ADWS) service, which you must install on at least one domain controller in the domain. The service also requires port 9389 to be open on the domain controller where ADWS is running.

New Active Directory Administrative Center Features in Windows Server 2012

Active Directory Administrative Center contains several new features in Windows Server 2012 that enable the graphical management of AD DS functionality:

• Active Directory Recycle Bin. Active Directory Administrative Center now offers complete management of the Active Directory Recycle Bin. Administrators can use Active Directory Administrative Center to view and locate deleted objects, and manage and restore those objects to their original or other desired location.

• Fine-Grained Password Policy. Active Directory Administrative Center also provides a graphical user interface for the creation and management of password settings objects to implement fine-grained password policies in an AD DS domain.

• Windows PowerShell History Viewer. Active Directory Administrative Center functionality is built on Windows PowerShell. Any command or action that you perform within the Active Directory Administrative Center interface is carried out in Windows Server 2012 through Windows PowerShell cmdlets. When an administrator performs a task within the Active Directory Administrative Center interface, the Windows PowerShell History Viewer shows the Windows PowerShell commands that were issued for the task. This enables administrators to reuse that code in scripts, and allows them to become more familiar with Windows PowerShell syntax and usage.

Overview of the Active Directory Module for Windows PowerShell

The Active Directory module for Windows PowerShell in Windows Server 2012 consolidates a group of cmdlets that you can use to manage your Active Directory domains. Windows Server 2012 builds on the foundation built in the Active Directory module for Windows PowerShell originally introduced in Windows Server 2008 R2, by adding an additional 60 cmdlets that expand the preexisting areas of Windows PowerShell capabilities and add new capabilities in the areas of replication and resource access control.

The Active Directory module for Windows PowerShell enables management of AD DS in the following areas:

1. User management

2. Computer management

3. Group management

4. OU management

5. Password policy management

6. Searching and modifying objects

7. Forest and domain management

8. Domain controller and operations master management

9. Managed service account management

10. Site replication management

11. Central access and claims management

• New-ADComputer creates a new computer object in AD DS.

• Remove-ADGroup removes an Active Directory group.

• Set-ADDomainMode sets the domain functional level for an Active Directory domain.

The Active Directory module for Windows PowerShell is installed:

• By default, on a Windows Server 2008 R2 or Windows Server 2012 server, when you install the AD DS or Active Directory Lightweight Directory Services (AD LDS) server roles.

• By default, when you make a Windows Server 2008 R2 or Windows Server 2012 server a domain controller.

• As part of the RSAT feature on a Windows Server 2008 R2, Windows Server 2012, Windows 7 or Windows 8 computer.


Demonstration: Managing AD DS by Using Management Tools

The various AD DS management tools each have a purpose in the administration of the complete AD DS environment. This demonstration will show you the primary tools that you can use to manage AD DS and a task that you typically perform with the tool.

This demonstration shows how to:

• Create objects in Active Directory Users and Computers.

• View object attributes in Active Directory Users and Computers.

• Navigate within Active Directory Administrative Center.

• Perform an administrative task in Active Directory Administrative Center.

• Use the Windows PowerShell Viewer in Active Directory Administrative Center.

• Manage AD DS objects with Windows PowerShell.

Demonstration Steps

Active Directory Users and Computers

View objects

1. On LON-DC1, open Active Directory Users and Computers.

2. Navigate the Adatum.com domain tree, viewing Containers, Organizational Units (OUs) and Computer, User, and Group objects.

Refresh the view

Refresh the view in Active Directory Users and Computers.

Create objects

1. Create a new computer object named LON-CL4 in the Computers container.

2. To create an object in Active Directory Users and Computers, right-click a domain, or a container (such as Users or Computers), or an organizational unit, point to New, and then click the type of object that you want to create.

3. When you create an object, you are prompted to configure several of the object’s most basic properties, including the properties that the object requires.

Configure object attributes

1. In Active Directory Users and Computers, open the Properties page for LON-CL4.

2. Add LON-CL4 to the Adatum/Research group.

View all object attributes

1. Enable the Advanced Features view in Active Directory Users and Computers.

2. Open the Properties page for LON-CL4, and then view the AD DS attributes.

Active Directory Administrative Center

Navigation

1. On LON-DC1, open Active Directory Administrative Center.

2. In Active Directory Administrative Center, click the Navigation nodes.
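The demonstration's LON-CL4 tasks (create the computer object, add it to the Research group, view all attributes) performed with the Active Directory module instead of the snap-in, together with the three cmdlets named earlier in this lesson (New-ADComputer, Remove-ADGroup, Set-ADDomainMode). This is an added example, not the handbook's demonstration script. It assumes it is run on LON-DC1 in Adatum.com, that the Research group exists, and that TempGroup is a throwaway group created here only so that Remove-ADGroup has something to remove.

```powershell
# Added example (not from the 20411B handbook). Assumed: run on LON-DC1 in Adatum.com; the Research
# group exists; 'TempGroup' is created and removed here purely to show Remove-ADGroup.
Import-Module ActiveDirectory

$domain             = Get-ADDomain
$computersContainer = 'CN=Computers,' + $domain.DistinguishedName
$usersContainer     = 'CN=Users,'     + $domain.DistinguishedName

# Create objects: the computer account LON-CL4 in the Computers container (the snap-in's New > Computer).
New-ADComputer -Name 'LON-CL4' -Path $computersContainer -Enabled $true

# Configure object attributes: add LON-CL4 to the Research group.
Add-ADGroupMember -Identity 'Research' -Members (Get-ADComputer -Identity 'LON-CL4')

# View all object attributes: -Properties * returns what the Advanced Features view shows on the
# Attribute Editor tab; a few are selected here for readability.
Get-ADComputer -Identity 'LON-CL4' -Properties * |
    Select-Object Name, DistinguishedName, SID, Created, MemberOf | Format-List

# Searching and filtering, the equivalent of a query built in Active Directory Administrative Center.
Get-ADComputer -LDAPFilter '(name=LON-CL*)' | Select-Object -ExpandProperty Name

# Group management: create a group, then remove it with Remove-ADGroup.
New-ADGroup -Name 'TempGroup' -GroupScope Global -Path $usersContainer
Remove-ADGroup -Identity 'TempGroup' -Confirm:$false

# Domain management: read the current functional level, then preview what Set-ADDomainMode would do.
# Raising the level is irreversible, so only -WhatIf is used here.
Write-Output "Current domain functional level: $($domain.DomainMode)"
Set-ADDomainMode -Identity $domain -DomainMode Windows2012Domain -WhatIf
```

Every action above is one that the Windows PowerShell History Viewer would show after the same task in Active Directory Administrative Center, which is the practical route the handbook suggests for learning the module: perform the task once in the GUI, read the cmdlet it issued, then script it.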
