
What is an enforced group policy object?

Enforced Group Policy Object (GPO): A Group Policy Object (GPO) that is specifically associated with a scope of management (SOM) so that the associated GPO has a higher GPO precedence compared to non-enforced GPOs that are associated with the same SOM and compared to all GPOs that are associated with descendant SOMs. An enforced GPO cannot be blocked by a descendant SOM using the gpOptions attribute.

The “Enforced” option within the GPMC controls how the Group Policy Object and the settings within it are handled with regard to precedence. In short, when all GPOs apply from Active Directory, those GPOs that are linked to organizational units (OUs) have the highest precedence, then those linked to the domain, and finally those linked to Active Directory sites. Local GPOs on the target endpoint have the weakest precedence of all. This means that if there is a conflicting setting within two GPOs at different levels, the setting within the highest-precedence GPO will “win” and be applied over the setting in the GPO that has lower precedence.

What is the order in which GPOs are applied?

The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.

Order of processing settings

Group Policy settings are processed in the following order:

1. Local Group Policy object - Each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.

2. Site - Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3. Domain - Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4. Organizational units - GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

Exceptions to the default order of processing settings

The default order for processing settings is subject to the following exceptions:

  • A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.
  • A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.
  • An organizational unit or a domain may have Block Inheritance set. By default, Block Inheritance is not set.
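The following PowerShell is an added example, not code from the original post: it models the processing order and the three exceptions described above for a constructed set of links (every GPO, container and setting name below is made up), so the effect of link order, Enforced and Block Inheritance can be seen on one client.

```powershell
# Added example: a model of Group Policy precedence for one client. Not part of
# the original post; every GPO, container and setting below is constructed.

function New-GpoLink {
    param([string]$Gpo, [int]$LinkOrder, [hashtable]$Settings,
          [switch]$Enforced, [switch]$Disabled)
    [pscustomobject]@{ Gpo = $Gpo; LinkOrder = $LinkOrder; Settings = $Settings
                       Enforced = [bool]$Enforced; Disabled = [bool]$Disabled }
}

function New-Som {
    # One scope of management: the local GPO, a site, the domain or an OU.
    param([string]$Name, [string]$Level, [object[]]$Links = @(), [switch]$BlockInheritance)
    [pscustomobject]@{ Name = $Name; Level = $Level; Links = $Links
                       BlockInheritance = [bool]$BlockInheritance }
}

function Resolve-GpoPrecedence {
    # $SomChain is ordered Local, Site, Domain, then OUs from the top of the
    # tree down to the container that holds the user or computer.
    param([Parameter(Mandatory)] [object[]] $SomChain)

    $order     = New-Object System.Collections.Generic.List[string]
    $effective = @{}
    $wonBy     = @{}

    # Block Inheritance on a SOM discards non-enforced links from every SOM
    # above it; the local GPO is not inherited from AD and is not blocked.
    $blockIndex = -1
    for ($i = 0; $i -lt $SomChain.Count; $i++) {
        if ($SomChain[$i].BlockInheritance) { $blockIndex = $i }
    }

    # Pass 1: non-enforced links, Local -> Site -> Domain -> OUs. Within one
    # SOM the lowest link order is processed last and therefore wins.
    for ($i = 0; $i -lt $SomChain.Count; $i++) {
        $som = $SomChain[$i]
        $blocked = ($i -lt $blockIndex) -and ($som.Level -ne 'Local')
        foreach ($link in @($som.Links | Sort-Object LinkOrder -Descending)) {
            if ($link.Disabled -or $link.Enforced -or $blocked) { continue }
            $order.Add("$($som.Name)/$($link.Gpo)")
            foreach ($k in $link.Settings.Keys) { $effective[$k] = $link.Settings[$k]; $wonBy[$k] = $link.Gpo }
        }
    }

    # Pass 2: enforced links, nearest OU -> ... -> Site. They are processed
    # after everything else and in reverse order, so an enforced link at the
    # domain beats both an enforced link on a child OU and any Block
    # Inheritance set below it.
    for ($i = $SomChain.Count - 1; $i -ge 0; $i--) {
        $som = $SomChain[$i]
        foreach ($link in @($som.Links | Sort-Object LinkOrder -Descending)) {
            if ($link.Disabled -or -not $link.Enforced) { continue }
            $order.Add("$($som.Name)/$($link.Gpo) (enforced)")
            foreach ($k in $link.Settings.Keys) { $effective[$k] = $link.Settings[$k]; $wonBy[$k] = $link.Gpo }
        }
    }

    [pscustomobject]@{ ProcessingOrder = $order; Effective = $effective; WonBy = $wonBy }
}

# Constructed scenario: the domain enforces a 14-character minimum password
# length, the Workstations OU blocks inheritance (which drops the site GPO),
# and a kiosk GPO on a child OU tries to weaken two of the settings.
$chain = @(
    (New-Som -Name 'Local' -Level 'Local' -Links @(New-GpoLink -Gpo 'Local GPO' -LinkOrder 1 -Settings @{ Wallpaper = 'corp.bmp' }))
    (New-Som -Name 'HQ-Site' -Level 'Site' -Links @(New-GpoLink -Gpo 'Site Proxy' -LinkOrder 1 -Settings @{ ProxyServer = 'proxy.hq' }))
    (New-Som -Name 'corp.example' -Level 'Domain' -Links @(New-GpoLink -Gpo 'Default Domain Policy' -LinkOrder 1 -Enforced -Settings @{ MinimumPasswordLength = 14; ScreenSaverTimeout = 600 }))
    (New-Som -Name 'OU=Workstations' -Level 'OU' -BlockInheritance -Links @(New-GpoLink -Gpo 'WS Baseline' -LinkOrder 1 -Settings @{ ScreenSaverTimeout = 900 }))
    (New-Som -Name 'OU=Kiosks' -Level 'OU' -Links @(New-GpoLink -Gpo 'Kiosk Lockdown' -LinkOrder 1 -Settings @{ ScreenSaverTimeout = 60; MinimumPasswordLength = 4 }))
)

$result = Resolve-GpoPrecedence -SomChain $chain
$result.ProcessingOrder -join ' -> '
$result.Effective.GetEnumerator() | Sort-Object Key |
    ForEach-Object { "{0} = {1} (from {2})" -f $_.Key, $_.Value, $result.WonBy[$_.Key] }
```

In this scenario the site GPO never applies because of Block Inheritance on the Workstations OU, the kiosk GPO is processed after both OU-level and domain-level non-enforced links, and the enforced Default Domain Policy is processed last of all, so its password length and screen saver values survive even though the kiosk link is closer to the client.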

What are GPOs?

A Group Policy Object (GPO) is a collection of settings that control the working environment of user accounts and computer accounts. GPOs define registry-based policies, security options, software installation and maintenance options, script options, and folder redirection options.

Microsoft provides a snap-in for the Microsoft Management Console (MMC) for editing Group Policy. The selections made in it result in a Group Policy Object. Group Policy Object Editor can be thought of as an application whose document type is the Group Policy object, just as a word processor might use .doc or .txt files.

There are two kinds of Group Policy objects: local and nonlocal. Local Group Policy objects are stored on individual computers. Only one local Group Policy object exists on a computer, and it has a subset of the settings that are available in a nonlocal Group Policy object. Local Group Policy object settings can be overwritten by nonlocal settings if they are in conflict; otherwise, both groups of settings apply. For more information, see Local Group Policy.

Nonlocal Group Policy objects, which are stored on a domain controller, are available only in an Active Directory environment. They apply to users and computers in the site, domain, or organizational unit with which the Group Policy object is associated.

What Are Lingering Objects?

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If you attempt to restore a backup that has expired, you may encounter problems due to “lingering objects”.

A lingering object is a deleted AD object that re-appears (“lingers”) on the restored domain controller (DC) in its local copy of Active Directory. This can happen if, after the backup was made, the object was deleted on another DC more than 180 days ago.

When a DC deletes an object it replaces the object with a tombstone object. The tombstone object is a placeholder that represents the deleted object. When replication occurs, the tombstone object is transmitted to the other DCs, which causes them to delete the AD object as well.

Tombstone objects are kept for 180 days, after which they are garbage-collected and removed.

If a DC is restored from a backup that contains an object deleted elsewhere, the object will re-appear on the restored DC. Because the tombstone object on the other DCs has been removed, the restored DC will not receive the tombstone object (via replication), and so it will never be notified of the deletion. The deleted object will “linger” in the restored local copy of Active Directory.

How to Remove Lingering Objects

Windows Server 2003 and 2008 can remove lingering objects manually using the console utility REPADMIN.EXE. The command names the DC to clean, the DSA GUID of a reference DC that holds a clean copy, and the naming context to compare; /ADVISORY_MODE only reports what would be removed:

REPADMIN.EXE /removelingeringobjects <Dest_DC> <Source_DC_GUID> <NC> [/ADVISORY_MODE]
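As an added example (not from the original post), the PowerShell below wraps that repadmin command the way an administrator would run it: it looks up the reference DC's DSA GUID, which is the object GUID of its NTDS Settings object, and runs an advisory pass over each partition before anything is deleted. It assumes the ActiveDirectory module and repadmin.exe are present; the DC names in the usage line are placeholders.

```powershell
# Added example, not from the original post: check a DC restored from an old
# backup for lingering objects against a known-good reference DC.
# Requires the ActiveDirectory module and repadmin.exe; DC names are placeholders.

function Get-DsaGuid {
    # repadmin wants the object GUID of the reference DC's NTDS Settings object,
    # not the DC's InvocationId and not the computer account's GUID.
    param([Parameter(Mandatory)][string]$DomainController)
    $dc = Get-ADDomainController -Identity $DomainController
    (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID.ToString()
}

function Test-LingeringObjects {
    param(
        [Parameter(Mandatory)][string]$SuspectDC,     # DC restored from the expired backup
        [Parameter(Mandatory)][string]$ReferenceDC,   # DC known to hold a clean copy
        [string[]]$NamingContext,                     # default: schema, configuration, domain
        [switch]$Remove                               # omit to stay in advisory mode
    )

    $guid = Get-DsaGuid -DomainController $ReferenceDC
    if (-not $NamingContext) {
        $root = Get-ADRootDSE -Server $ReferenceDC
        $NamingContext = @($root.schemaNamingContext,
                           $root.configurationNamingContext,
                           $root.defaultNamingContext)
    }

    foreach ($nc in $NamingContext) {
        $repArgs = @('/removelingeringobjects', $SuspectDC, $guid, $nc)
        # Advisory mode only writes the findings to the Directory Service event
        # log on the suspect DC; nothing is deleted until -Remove is used.
        if (-not $Remove) { $repArgs += '/advisory_mode' }
        Write-Host "repadmin $($repArgs -join ' ')"
        & repadmin.exe @repArgs
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "repadmin exited with code $LASTEXITCODE for $nc"
        }
    }
}

# Advisory pass first; rerun with -Remove only after reviewing the logged objects.
# Test-LingeringObjects -SuspectDC 'DC-RESTORED' -ReferenceDC 'DC01'
```

The reference DC must be one that received the tombstones normally; comparing against another DC that was also restored from stale media would simply agree that the lingering objects are legitimate.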

Why can't you restore a DC that was backed up 4 months ago?

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If you attempt to restore a backup that has expired, you may encounter problems due to “lingering objects”.

How do you change the DS Restore admin password?

To Reset the DSRM Administrator Password

1. Click Start, click Run, type ntdsutil, and then click OK.

2. At the Ntdsutil command prompt, type set dsrm password.

3. At the DSRM command prompt, type one of the following lines:

  • To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.

-or-

  • To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.

4. At the DSRM command prompt, type q.

5. At the Ntdsutil command prompt, type q to exit.

How do you backup AD?

Backing up Active Directory is essential to maintain the proper health of the Active Directory database. Backing up Active Directory is done on one or more of your Active Directory domain controllers (DCs), and is performed by backing up the System State on those servers. The System State contains the local Registry, the COM+ Class Registration Database, the system boot files, certificates from Certificate Server (if it’s installed), the Cluster database (if it’s installed), NTDS.DIT, and the SYSVOL folder.

Windows Server 2003

You can backup Active Directory by using the NTBACKUP tool that comes built-in with Windows Server 2003, or use any 3rd-party tool that supports this feature.

Method #1: Using NTBACKUP

1. Open NTBACKUP either by going to Run, typing NTBACKUP and pressing Enter, or by going to Start -> Accessories -> System Tools.

2. If you are prompted by the Backup or Restore Wizard, I suggest you un-check the "Always Start in Wizard Mode" checkbox, and click on the Advanced Mode link.

3. Inside NTBACKUP's main window, click on the Backup tab.

4. Click to select the System State checkbox. Note you cannot manually select components of the System State backup. It's all or nothing.

5. Enter a backup path for the BKF file. If you're using a tape device, make sure NTBACKUP is aware and properly configured to use it.

6. Press Start Backup.

7. The Backup Job Information pops out, allowing you to configure a scheduled backup job and other settings. For the System State backup, do not change any of the other settings except the schedule, if so desired. When done, press Start Backup.

8. After a few moments of configuration tasks, NTBACKUP will begin the backup job.

9. When the backup is complete, review the output and close NTBACKUP.

10. Next, you need to properly label and secure the backup file/tape and if possible, store a copy of it on a remote and secure location.

Method #2: Using the Command Prompt

1. You can use the command line version of NTBACKUP in order to perform backups from the Command Prompt.

2. For example, to create a backup job named "System State Backup Job" that backs up the System State data to the file D:\system_state_backup.bkf, type:

ntbackup backup systemstate /J "System State Backup Job" /F "D:\system_state_backup.bkf"

Windows Server 2008

Before you can backup Server 2008 you need to install the backup features from the Server Manager.

1. To install the backup features click Start → Server Manager.

2. Next click Features → Add Features

3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools.

In Server 2008, there isn’t an option to back up the System State data through the normal backup utility. We need to go “command line” to back up Active Directory.

1. Open your command prompt by clicking Start, typing “cmd” and pressing Enter.

2. In your command prompt type “wbadmin start systemstatebackup -backuptarget:e:” and press enter.

Note: You can use a different backup target of your choosing.

3. Type “y” and press enter to start the backup process.

When the backup is finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot.
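The script below is an added example, not part of the original post: it runs the wbadmin system state backup from the steps above non-interactively and adds the two checks an operator usually wants, that the target is not the system volume and that the catalog lists the new backup afterwards. It assumes an elevated prompt on the DC with Windows Server Backup installed; the E: target is a placeholder.

```powershell
# Added example, not from the original post: scripted wbadmin system state
# backup with basic checks. Run elevated on the DC; the target is a placeholder.

function Start-SystemStateBackup {
    param([Parameter(Mandatory)][string]$BackupTarget)   # e.g. 'E:' or '\\backupsrv\dcbackups'

    # A system state backup contains NTDS.DIT and SYSVOL, so the destination
    # must not be the volume being protected, and access to it should be
    # limited to backup operators: the file holds the domain's password hashes.
    $systemDrive = $env:SystemDrive.TrimEnd('\')
    if ($BackupTarget.TrimEnd('\') -ieq $systemDrive) {
        throw "Refusing to back up the system state onto the system volume $systemDrive"
    }
    if (-not (Test-Path $BackupTarget)) {
        throw "Backup target $BackupTarget is not reachable"
    }

    # -quiet suppresses the y/n confirmation that the interactive steps require.
    & wbadmin.exe start systemstatebackup "-backupTarget:$BackupTarget" -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin returned exit code $LASTEXITCODE; see the Microsoft-Windows-Backup event log"
    }

    # Confirm that the backup catalog on the target now lists a version.
    & wbadmin.exe get versions "-backupTarget:$BackupTarget"
}

# Start-SystemStateBackup -BackupTarget 'E:'
```

Because the resulting backup is as sensitive as the directory database itself, the same handling the NTBACKUP section asks for (label it, secure it, keep an off-site copy) applies to the wbadmin output as well.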

Windows Server 2008 R2

1. Open Windows Server Backup

2. In action panel click Backup Once

3. Make sure Different Options is selected, then click Next

4. Choose Custom, click Next

5. Click Add Items

6. Select System State, click Next

7. Specify the backup destination: a local drive (other than the system volume) or a network share

8. Click Backup to start System State Backup

9. You may close the wizard; the backup operation will continue to run in the background.

How do you configure a "stand-by operation master" for any of the roles?

No utilities or special steps are required to designate a domain controller as a standby operations master. However, the current operations master and the standby operations master should be well connected. “Well connected” means that the network connection between them must support at least a 10-megabit transmission rate and be available at all times. In addition, creating a manual connection object between the standby domain controller and the operations master will ensure direct replication between the two. By making the operations master and the standby operations master direct replication partners, you reduce the chance of data loss in the event of a role seizure, which in turn reduces the chance of directory corruption.

To ensure that the current operations master role holder and the standby operations master are replication partners, you can manually create connection objects between the two domain controllers. Even if a connection object is generated automatically, we recommend that you manually create a connection object on both the operations master and the standby operations master. The replication system can alter automatically created connection objects anytime. Manually created connections remain the same until an administrator changes them.

You can use this procedure to create the following:

  • A manual connection object that designates the standby server as the From Server on the NTDS Settings object of the operations master
  • A manual connection object that designates the operations master server as the From Server on the NTDS Settings object of the standby server

Administrative credentials

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Expand the site name in which the current operations master role holder is located to display the Servers folder.
  3. Expand the Servers folder to see a list of the servers in that site.
  4. To create a connection object from the standby server on the current operations master, expand the name of the operations master server on which you want to create the connection object to display its NTDS Settings object.
  5. Right-click NTDS Settings, click New, and then click Connection.
  6. In the Find Active Directory Domain Controllers dialog box, select the name of the standby server from which you want to create the connection object, and then click OK.
  7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name, and then click OK.
  8. To create a connection object from the current operations master to the standby server, repeat steps 4 through 7, but in step 4, expand the name of the standby server. In step 6, select the name of the current operations master.
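As an added example (not from the original post), the PowerShell below lists the current FSMO role holders and checks whether a chosen standby is a direct replication partner of a role holder in both directions, which is what the two manual connection objects above are meant to guarantee. It assumes the ActiveDirectory module from Windows Server 2012 or later, which the page's 2003/2008 procedure predates; the server names in the usage line are placeholders.

```powershell
# Added example, not from the original post: show the FSMO role holders and
# verify that a standby is a direct, manually created replication partner.
# Requires the ActiveDirectory module (2012+); server names are placeholders.

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-StandbyReplicationPartner {
    # $RoleHolder and $Standby are the server object names shown under
    # Sites > <site> > Servers (the short names), not FQDNs.
    param([Parameter(Mandatory)][string]$RoleHolder,
          [Parameter(Mandatory)][string]$Standby)

    $connections = Get-ADReplicationConnection -Filter * -Properties AutoGenerated

    # A connection object lives under the destination's NTDS Settings object
    # (ReplicateToDirectoryServer) and names its source (the From Server) in
    # ReplicateFromDirectoryServer.
    $toHolder = $connections | Where-Object {
        $_.ReplicateToDirectoryServer   -like "CN=NTDS Settings,CN=$RoleHolder,*" -and
        $_.ReplicateFromDirectoryServer -like "CN=NTDS Settings,CN=$Standby,*" }
    $toStandby = $connections | Where-Object {
        $_.ReplicateToDirectoryServer   -like "CN=NTDS Settings,CN=$Standby,*" -and
        $_.ReplicateFromDirectoryServer -like "CN=NTDS Settings,CN=$RoleHolder,*" }

    # KCC-generated connections (AutoGenerated) can be rewritten at any time,
    # which is why the text above asks for manually created ones.
    [pscustomobject]@{
        HolderPullsFromStandby    = [bool]$toHolder
        StandbyPullsFromHolder    = [bool]$toStandby
        HolderConnectionIsManual  = [bool]($toHolder  | Where-Object { -not $_.AutoGenerated })
        StandbyConnectionIsManual = [bool]($toStandby | Where-Object { -not $_.AutoGenerated })
    }
}

Get-FsmoRoleHolders
# Test-StandbyReplicationPartner -RoleHolder 'DC01' -Standby 'DC02'
```

All four fields should be true for a standby that has been set up as described; a false in either "IsManual" field means the partnership currently depends on a connection the KCC may remove.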

What is the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?

Transferring an FSMO role is done with the current role holder online and cooperating, so both domain controllers agree on the hand-over. Seizing an FSMO role forces it onto a new holder without the old holder's participation; it can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available.

If the domain controller that is the Schema Master FSMO role holder is only temporarily unavailable, DO NOT seize the Schema Master role.

If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network.

If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.

I want to look at the RID allocation table for a DC. What do I do?

At a command prompt, type:

C:\>dcdiag /test:ridmanager /s:<dcname> /v

Here <dcname> is the name of the DC.

What is the difference between LDIFDE and CSVDE? Usage considerations?

Ldifde

Ldifde creates, modifies, and deletes directory objects on computers running Windows Server 2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.

What are the DS* commands?

Microsoft included a set of command line tools with its server operating systems to allow better and more productive management of the directory service. The DS commands are these tools: simple commands with only a few parameters that increase the productivity of systems administrators and keep their Active Directory domains running and in tip-top shape.

How would you find all users that have not logged on since last month?

You can use DSQuery user command for this purpose. DS commands are used to retrieve information from Active Directory through command line. To use DSQuery, you must run the DSQuery command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

C:\>dsquery user -inactive 4

"CN=Service User,OU=IT,DC=nishantsoft,DC=com"
"CN=IT JOURNAL,OU=Management,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Dipak Khanna,OU=RC,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Amit Mishra,OU=RC,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Test Account,OU=Development,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Jeevan Singh,OU=Development,OU=Gurgaon,DC=nishantsoft,DC=com"
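The following PowerShell is an added example, not from the original post: it performs the same "not logged on for four weeks" search as the dsquery command above and makes explicit the caveat behind any such report, namely which logon attribute the result is based on. It assumes the ActiveDirectory module; the search base defaults to the current domain.

```powershell
# Added example, not from the original post: inactive-user search equivalent
# to "dsquery user -inactive 4", with the replication caveat spelled out.
# Requires the ActiveDirectory module.

function Get-InactiveUsers {
    param([int]$Days = 28,                                              # dsquery -inactive counts weeks
          [string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $cutoff   = (Get-Date).AddDays(-$Days)
    $cutoffFt = $cutoff.ToFileTimeUtc()

    # lastLogon is written only on the DC that handled the logon and never
    # replicates. lastLogonTimestamp does replicate, but is only rewritten when
    # the stored value is more than 14 days (minus a random 0-5 days) old, so it
    # can lag the real last logon by up to two weeks. "Inactive for 4 weeks"
    # from this attribute therefore means "no logon for at least 2-4 weeks".
    #
    # LDAP filter: enabled users (UAC bit 2 clear via the bitwise-AND rule
    # 1.2.840.113556.1.4.803) whose timestamp is older than the cutoff or that
    # have no timestamp at all.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(|(lastLogonTimestamp<=$cutoffFt)(!(lastLogonTimestamp=*))))"

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties lastLogonTimestamp, whenCreated |
        Where-Object {
            # An account with no timestamp is only stale if it predates the window.
            $_.lastLogonTimestamp -or $_.whenCreated -lt $cutoff
        } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                LastLogonReplica  = $(if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } else { $null })
                Created           = $_.whenCreated
            }
        }
}

# Get-InactiveUsers -Days 28 | Format-Table -AutoSize
```

Service accounts such as the first entry in the sample output above are a normal finding in this list: they may authenticate through mechanisms that never update the logon attributes, so each candidate should be confirmed before it is disabled.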

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen.

If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).

What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

Check that Windows 2000 Service Pack 4 is installed on all the domain controllers and Exchange servers. If it is not already installed, install it now; after that, run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep /forestprep command must first be issued on the Windows 2000 server holding the schema master role in the forest root domain, to prepare the existing schema to support Windows 2003 Active Directory.

What is tombstone period?

The tombstone lifetime in an Active Directory forest determines how long a deleted object - aka a ‘tombstone’ - is retained in Active Directory. The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.

The tombstone lifetime assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. When an object is deleted from Active Directory, it is not physically removed from Active Directory for some days. Instead, Active Directory sets the ‘isDeleted’ attribute of the deleted object to TRUE and moves it to a special container called ‘Tombstone’.

  • Windows 2000 (all SPs) = 60 days
  • Windows Server 2003 without SP = 60 days
  • Windows Server 2003 with SP1 = 180 days
  • Windows Server 2003 R2 with SP1 installed with both R2 discs = 60 days
  • Windows Server 2003 R2 with SP1 installed only with the first R2 Disc = 180 days
  • Windows Server 2003 with SP2 = 180 days
  • Windows Server 2003 R2 with SP2 = 180 days
  • Windows Server 2008 onwards = 180 days

The tombstone lifetime attribute remains the same on all the domain controllers, and a tombstone is deleted from all the servers at the same time. This is because the expiration of a tombstone lifetime is based on the time when an object was logically deleted from Active Directory, rather than the time when it was received as a tombstone on a server through replication.

Reconfiguring Tombstone Lifetime:

The default tombstone lifetime is 180 days in Windows Server 2003 SP2 or later. The default tombstone lifetime can be modified through the ADSIEDIT console, if necessary.

This attribute is located at the following path:

cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=

To change the value, open Run and type ADSIEDIT.msc

Expand: Configuration > CN=Configuration > CN=Services > CN=Windows NT > and right-click CN=Directory Service

You will get an attribute window. Drill down to tombstoneLifetime and double-click it. You will get a field for the value; type the value you intend and click OK.

The picture below shows how to reach the correct object.
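As an added example (not from the original post), the PowerShell below reads and sets the same tombstoneLifetime attribute on the Directory Service object named above without ADSIEDIT, and uses the value to answer the earlier question about restoring an old backup: a backup older than the tombstone lifetime is what produces lingering objects. It assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post: read or change the forest
# tombstone lifetime and judge whether a backup is still safe to restore.
# Requires the ActiveDirectory module.

function Get-DirectoryServiceObjectDN {
    $config = (Get-ADRootDSE).configurationNamingContext
    "CN=Directory Service,CN=Windows NT,CN=Services,$config"
}

function Get-TombstoneLifetime {
    $ds = Get-ADObject -Identity (Get-DirectoryServiceObjectDN) -Properties tombstoneLifetime
    # When the attribute is absent the directory uses 60 days; this is the case
    # for forests created before Windows Server 2003 SP1 that were never edited.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Set-TombstoneLifetime {
    # Same change the ADSIEDIT steps above make; needs Enterprise Admins rights.
    param([Parameter(Mandatory)][ValidateRange(2, 100000)][int]$Days)
    Set-ADObject -Identity (Get-DirectoryServiceObjectDN) -Replace @{ tombstoneLifetime = $Days }
}

function Test-BackupRestorable {
    param([Parameter(Mandatory)][datetime]$BackupTaken,
          [int]$SafetyMarginDays = 7)      # room for the restore itself and for replication to catch up
    $tsl     = Get-TombstoneLifetime
    $ageDays = [int]((Get-Date) - $BackupTaken).TotalDays
    [pscustomobject]@{
        TombstoneLifetimeDays = $tsl
        BackupAgeDays         = $ageDays
        Restorable            = ($ageDays + $SafetyMarginDays) -lt $tsl
        ExpiresOn             = $BackupTaken.AddDays($tsl)
    }
}

# A backup taken four months ago is still inside a 180-day lifetime but has
# already expired on a forest that still runs with the 60-day default.
# Test-BackupRestorable -BackupTaken (Get-Date).AddMonths(-4)
```

Lengthening the lifetime only affects objects deleted after the change; tombstones created earlier still expire on the schedule that applied when they were created.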

Name some OU design considerations.

The Group Policy architecture is flexible and allows for many types of design. The guiding principle as you design your organizational unit structure should be to create a structure that is easy to manage and troubleshoot.

Delegation of authority, separation of administrative duties, central versus distributed administration, and design flexibility are important factors you'll need to consider when designing Group Policy and selecting which scenarios to use for your organization.

What tool would I use to try to grab security related packets from the wire?

A network tap is the best solution for capturing data packets on a network. It is a hardware device that provides a way to access the data flowing across a computer network. Computer networks, including the Internet, are collections of devices, such as computers, routers, and switches, that are connected to each other.

Network taps are commonly used for security applications because they are non-obtrusive, are not detectable on the network, can deal with full-duplex and non-shared networks, and will usually pass-through traffic even if the tap stops working or loses power.

Can I get user passwords from the AD database?

By default, user account passwords are stored as password hashes (a hash is based on one-way encryption, which means you can’t reverse it to get the plaintext). These hashes are stored in Active Directory (the C:\Windows\NTDS\ntds.dit file on DCs). If you need to get a user's password, then you have to change the way it is stored in AD: you have to store passwords ciphered with a reversible encryption algorithm.

To enable this option globally:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, right click on your domain and select Properties.

3. In the Group Policy tab, select "Default Domain Policy" and click Edit.

4. In the Group Policy window, navigate to Password Policy in the left-panel Tree view: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

5. Right click on "Store password using reversible encryption for all users in the domain" and select Security.

6. In the Security Policy Setting window, select the "Define this policy setting" checkbox and the Enabled radio button. Click OK.

7. Close all applications and restart the computer, and log into your domain.

To enable this option for a specific user:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, right-click on the user and select Properties.

3. In the Account tab, check "Store password using reversible encryption." Click OK.

4. Close all applications and restart the computer, and log into your domain.

When this is enabled (per user or for the entire domain), Windows stores the password encrypted, but in such a way that it can reverse the encryption and recover the plaintext password. This feature exists because some authentication protocols require the plaintext password to function correctly; the two most common examples are HTTP Digest Authentication and CHAP.

Niels Teusink has done great research on it:

http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html

http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html

He also developed a nice tool called “RevDump” to decipher this encrypted password.
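The PowerShell below is an added example, not part of the original post: it audits where the reversible-encryption option described above is in force, because every account covered by it has its plaintext password recoverable by anyone who can read NTDS.DIT or a system state backup. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later).

```powershell
# Added example, not from the original post: find every place where reversible
# password encryption is enabled in the domain. Requires the ActiveDirectory module.

function Get-ReversibleEncryptionExposure {
    # 1. Domain-wide: the Default Domain Policy setting from the first procedure
    #    above ends up in the domain password policy. Accounts covered this way
    #    do NOT get a per-user flag, so the policy has to be checked on its own.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # 2. Fine-grained password policies (2008+) can enable it for a group or user.
    $fgpp = Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object { $_.ReversibleEncryptionEnabled }

    # 3. Per account: the "Store password using reversible encryption" checkbox
    #    from the second procedure sets ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x80 = 128)
    #    in userAccountControl; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
    $accounts = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                           -Properties PasswordLastSet

    [pscustomobject]@{
        DomainPolicyEnabled = [bool]$domainPolicy.ReversibleEncryptionEnabled
        FineGrainedPolicies = @($fgpp | Select-Object -ExpandProperty Name)
        FlaggedAccounts     = @($accounts | Select-Object SamAccountName, DistinguishedName, PasswordLastSet)
    }
}

Get-ReversibleEncryptionExposure
```

The stored value only changes when the password does: enabling the option exposes nothing until the next password change, and clearing the flag or the policy leaves an already stored reversible value in place until the account's password is changed again, so a remediation is not complete until PasswordLastSet is newer than the change.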

How can you forcibly remove AD from a server, and what do you do later?

Dcpromo is the Windows 2000 and Windows Server 2003 GUI tool for promoting a server to the role of Domain Controller, and if the server is already a DC, dcpromo is also the tool to demote it back to a member server. If you run Dcpromo on an existing DC to demote it and it fails, you can run Dcpromo with the /forceremoval switch (the big hammer), which tells the process to ignore errors. With /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest.

After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command.

For more information please read:

http://www.petri.co.il/forcibly_removing_active_directoy_from_dc.htm

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

What can you do to promote a server to DC if you're in a remote location with slow WAN link?

The best solution in this scenario is to install the DC from media, a feature introduced with Windows Server 2003. Take a system state backup of a current Global Catalog server, burn it to CD/DVD and send it to the remote location. On the remote server that is to be promoted to a DC, restore the files to an alternate location, then open Run and type dcpromo /adv.

For more information please read: http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm

What are the requirements for installing AD on a new server?

Requirements for Installing AD DS

  • Preinstalled Windows Server 2008 or Windows Server 2008 R2.
  • Administrative rights on server
  • Domain Name System (DNS) infrastructure is in place. When you install AD DS, you can include DNS server installation, if it is needed. When you create a new domain, a DNS delegation is created automatically during the installation process.
  • A NIC
  • Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
  • A network connection (to a hub or to another computer via a crossover cable, loopback will also work)
  • In order to install a read-only domain controller (RODC), there must be a writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the domain.
  • The drives that store the database, log files, and SYSVOL folder for Active Directory Domain Services (AD DS) must be placed on a local fixed volume. SYSVOL must be placed on a volume that is formatted with the NTFS file system.
  • Windows Server 2008 or Windows Server 2008 R2 media

What is the ISTG? Who has that role by default?

For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).

By default, the first server in the site has this role. If that server can no longer perform this role, then the next server with the highest GUID takes over the role of ISTG.

What is the KCC?

The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

What is Active Directory Naming Context or Directory Partition?

Each domain controller in a domain forest controlled by Active Directory Domain Services includes directory partitions. Directory partitions are also known as naming contexts. A directory partition is a contiguous portion of the overall directory that has independent replication scope and scheduling data. By default, the Active Directory Domain Service for an enterprise contains the following partitions:

1. Schema Partition - One per forest. The schema naming context contains the definitions of all objects that can be instantiated in Active Directory. It also stores the definitions of all attributes that can be a part of objects in Active Directory. Every domain controller has one fully writeable copy of the schema directory partition, although schema updates are allowed only on the domain controller that is the schema operations master.

2. Configuration Partition - One per forest. It stores forest-wide configuration data that is required for the proper functioning of Active Directory as a directory service. The configuration partition contains replication topology and other configuration data that must be replicated throughout the forest. Every domain controller has one fully writeable copy of the configuration directory partition.

3. Domain Partition - One per domain. The domain partition contains the directory objects, such as users and computers, and other objects for that domain. All domain controllers that are joined to the domain share a full writeable copy of the domain directory partition. Additionally, all domain controllers in the forest that host the global catalog also host a partial read-only copy of every other domain naming context in the forest.

Windows Server 2003 introduces the Application Directory Partition, which provides the ability to control the scope of replication and allow the placement of replicas in a manner more suitable for dynamic data.