Search This Blog

Showing posts with label L3. Show all posts
Showing posts with label L3. Show all posts

How do you view all the GCs in the forest?

DSQUERY server can be used to locate global catalogs

To search the entire forest

dsquery server -forest -isgc

To locate global catalogs in your current (logon) domain

dsquery server -isgc

To locate global catalogs in a specific domain

dsquery server -domain NISHANT.BIZ -isgc

Here, you search for global catalog servers in the tech.cpandl.com domain.

You can also search for global catalog servers by site, but to do this, you must know the full site name, and cannot use wildcards. For example, if you wanted to find all the global catalog servers for Default-First-Site-Name, you would have to type

dsquery server -site Default-First-Site-Name .

The resulting output is a list of DNs for global catalogs, such as

"CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NISHANT,DC=BIZ"


How do you create a new application partition?

You can create an application directory partition by using the create nc option in the domain management (partition management in windows 2008) menu of Ntdsutil. When creating an application directory partition using LDP or ADSI, provide a description in the description attribute of the domain DNS object that indicates the specific application that will use the partition. For example, if the application directory partition will be used to store data for a Microsoft accounting program, the description could be Microsoft accounting application. Ntdsutil does not facilitate the creation of a description.

To create or delete an application directory partition

The sample commands below were written for Windows Server 2008. If you're using Windows 2003, you don’t need to include the ACTIVE INSTANCE NTDS command, and you would use DOMAIN MANAGEMENT instead of PARTITION MANAGEMENT.

ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: partition management
partition management: connections
Connected to \\server1.contoso.com using credentials of locally logged on user.
server connections: connect to server server1.contoso.com
Disconnecting from \\ server1.contoso.com...
Binding to server1.contoso.com ...
Connected to server1.contoso.com using credentials of locally logged on user.

server connections: quit
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded Found 5 Naming Context(s)
0 - CN=Configuration,DC= contoso,DC=com
1 - CN=Schema,CN=Configuration,DC= contoso,DC=com
2 - DC=contoso,DC=com
3 - DC=DomainDnsZones,DC=contoso,DC=com
4 - DC=ForestDnsZones,DC=contoso,DC=com
partition management: create nc dc=app1,dc=contoso,dc=com
server1.contoso.com
adding object dc=app1,dc=contoso,dc=com
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded Found 5 Naming Context(s)
0 - CN=Configuration,DC= contoso,DC=com
1 - CN=Schema,CN=Configuration,DC= contoso,DC=com
2 - DC=contoso,DC=com
3 - DC=DomainDnsZones,DC=contoso,DC=com
4 - DC=ForestDnsZones,DC=contoso,DC=com
5 - DC=app1,DC=contoso,DC=com

Create an application directory partition by using the DnsCmd command

Use the following syntax:

DnsCmd ServerName /CreateDirectoryPartition FQDN of partition

To create an application directory partition that is named CustomDNSPartition on a domain controller that is named DC-1, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following command, and then press ENTER: dnscmd DC-1 /createdirectorypartition CustomDNSPartition.contoso.com

When the application directory partition has been successfully created, the following information appears:

DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com Command completed successfully.

Configure an additional domain controller DNS server to host the application directory partition

Configure an additional domain controller that is acting as a DNS server to host the new application directory partition that you created. To do this, use the following syntax with the DnsCmd command:

DnsCmd ServerName /EnlistDirectoryPartition FQDN of partition

To configure the example domain controller that is named DC-2 to host this custom application directory partition, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following command, and then press ENTER: dnscmd DC-2 /enlistdirectorypartition CustomDNSPartition.contoso.com

DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com Command completed successfully.


What are application partitions? When do I use them?

An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

Application directory partitions are usually created by the applications that will use them to store and replicate data. TAPI is an example it. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

Application directory partitions can contain any type of object, except security principals. The data in it can be replicated to different domain controllers in a forest (for redundancy, availability, or fault tolerance).


What is Active Directory Naming Context or Directory Partition?

Each domain controller in a domain forest controlled by Active Directory Domain Services includes directory partitions. Directory partitions are also known as naming contexts. A directory partition is a contiguous portion of the overall directory that has independent replication scope and scheduling data. By default, the Active Directory Domain Service for an enterprise contains the following partitions:

  1. Schema Partition - One per forest. The schema naming context contains the definitions of all objects that can be instantiated in Active Directory. It also stores the definitions of all attributes that can be a part of objects in Active Directory. Every domain controller has one fully writeable copy of the schema directory partition, although schema updates are allowed only on the domain controller that is the schema operations master.
  2. Configuration Partition - One per forest. It stores forest-wide configuration data that is required for the proper functioning of Active Directory as a directory service. The configuration partition contains replication topology and other configuration data that must be replicated throughout the forest. Every domain controller has one fully writeable copy of the configuration directory partition.
  3. Domain Partition - One per domain. The domain partition contains the directory objects, such as users and computers, and other objects for that domain. All domain controllers that are joined to the domain share a full writeable copy of the domain directory partition. Additionally, all domain controllers in the forest that host the global catalog also host a partial read-only copy of every other domain naming context in the forest.

Windows Server 2003 introduces the Application Directory Partition, which provides the ability to control the scope of replication and allow the placement of replicas in a manner more suitable for dynamic data.


How to recover a deleted file from SYSVOL folder?

Microsoft Windows 2003 Server domain controllers use the File Replication service (FRS) to automatically replicate data between domain controllers. In Windows 2003 Server, the contents of the Sysvol folder are replicated to all the domain controllers in your organization. The Sysvol folder stores logon scripts, default domain profiles, and system policies. If a change is made to a logon script, a default domain profile, or a system policy, the change is replicated to all the domain controllers. This practice keeps the Sysvol folder content the same in all the domain controllers.

Note You have to stop the NT File Replication Service (NTFRS) service, and then set the startup type for NTFRS to Manual on the domain controller where you want to perform the non-authoritative restore. This prevents the service from starting unintentionally while this operation is performed.

To force a non-authoritative restore of the data in the Sysvol folder on a domain controller, follow these steps.

Start a command prompt. To do this, click Start, click Run, type cmd, and then click OK.

  1. At the command prompt, type net stop ntfrs, and then press ENTER.
  2. Click Start, click Run, type services.msc, and then click OK.
  3. In the Services snap-in, double-click File Replication, click Manual under Startup Type, click Apply, and then click OK.
  4. Click Start, click Run, type regedit, and then click OK.
  5. Locate and then click the BurFlags value under the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
  6. IF the key that is mentioned in step 6 does not exist, create it. To do this, click Edit, click New, click DWORD Value, type BurFlags, and then click OK.
  7. In the right pane, right-click BurFlags, click Modify, In the Edit DWORD Value dialog box, type D2 to complete a nonauthoritative restore or type D4 to complete an authoritative restore, and then click OK.
  8. Locate and then expand the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Sysvol Seeding\Domain System Volume (Sysvol share)
    Note: If this registry entry does not exist, you must create it.
  9. On the Edit menu, click New, click String Value, type Replica Set Parent, and then click OK.
  10. In the right pane, right-click Replica Set Parent, click Modify, type the name of a domain controller that has the Sysvol data that you want to replicate in the Value data box, and then click OK.
  11. Quit Registry Editor.
  12. At a command prompt, type net start ntfrs, and then press ENTER.
  13. Click Start, click Run, type services.msc, and then click OK.
  14. In the Services snap-in, double-click File Replication, click Automatic under Startup Type, click Apply, and then click OK.

What is the SYSVOL folder?

System Volume (SYSVOL) is a shared directory that stores the server copy of the domain public files (Policies and scripts) that must be shared for common access and replication throughout a domain. It must be located in NTFS volume (because junctions are used within the SYSVOL folder structure)


How to verify an Active Directory installation?

Default containers : These are created automatically when the first domain is created. Open Active Directory Users and Computers, and then verify that the following containers are present: Computers, Users, and ForeignSecurityPrincipals.

Default domain controllers organizational unit : This holds the first domain controller, and additionally serves as the default container for new domain controllers. Open Active Directory Users and Computers, and then verify this organizational unit.

Default-First-Site-Name : During the promotion of a server to domain controller, the Dcpromo.exe program determines the site of which the domain controller can become a member. If the domain controller that is being created is the first in a new forest, a default site named "Default-First-Site-Name" is created and the domain controller becomes a member of this site. You can verify this item by using Active Directory Sites and Services.

Active Directory database : The Active Directory database is your Ntds.dit file. Verify its existence in the %Systemroot%\Ntds folder.

Global catalog server : The first domain controller becomes a global catalog server, by default

Shared system volume : A domain controller should have a shared system volume located in the %Systemroot%\Sysvol\Sysvol folder. To verify this item, use the net share command.

NETLOGON D:\Windows\SYSVOL\sysvol\DOMAIN.COM\SCRIPTS

SYSVOL D:\Windows\SYSVOL\sysvol

SRV resource records : You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. Active Directory creates its SRV RRs in the following folders:

_Msdcs/Dc/_Sites/Default-first-site-name/_Tcp

_Msdcs/Dc/_Tcp

In these locations, an SRV RR is displayed for the following services:

_kerberos

_ldap


What is New in Windows Server 2016 Active Directory?

Privileged access management: Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such pass-the-hash, spear phishing, and similar types of attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:

  • A new bastion Active Directory forest, the bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.
  • New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.
  • New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).
  • An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time required to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime.
  • KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups.
  • New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed.

Requirements

  • Microsoft Identity Manager
  • Active Directory forest functional level of Windows Server 2012 R2 or higher.

Azure AD Join: Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers- with improved capabilities for corporate and personal devices.

Microsoft Passport: Microsoft Passport is a new key-based authentication approach organizations and consumers. The user logs on to the device with a biometric or PIN log on information that is linked to a certificate or an asymmetrical key pair. The Identity Providers (IDPs) validate the user by mapping the public key of the user to IDLocker and provides log on information through One Time Password (OTP), Phonefactor or a different notification mechanism.

Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels: The Windows Server 2003 domain and forest functional levels continue to be supported, but organizations should raise the functional level to Windows Server 2008 (or higher if possible) to ensure SYSVOL replication compatibility and support in the future. In addition, there are many other benefits and features available at the higher functional levels higher.


What is New in Windows Server 2012 R2 Active Directory?

  • Join personal devices to the workplace : Windows Server 2012 R2 allows users to join their personal devices, both Windows devices and iOS devices, to Active Directory. When a personal device is Workplace-Joined, it will provide second-factor authentication and single sign-on (SSO) to corporate resources and applications.
  • Provide users access to application and services from anywhere: Windows Server 2012 R2 includes a new Remote Access role service, called Web Application Proxy, which can be used to provide external access to application and services from anywhere.
  • Managing risk with multi-factor access control and multi-factor authentication: Enabling users to join personal devices to the workplace and providing access to applications and services from anywhere comes with additional risks. Windows Server 2012 R2 includes enhancements to AD FS that are intended to manage these risks.


What is New in Windows Server 2012 Active Directory?

  • GUI for Recycle Bin
  • GUI for Fine-Grained Password Policies
  • Dynamic Access Control (DAC): Windows Server 2008 R2 brought the File Classification Infrastructure (FCI). This version's DAC adds far greater functionality to the (optional) second layer of FCI resource authorization.
  • Windows PowerShell History Viewer
  • Windows PowerShell Cmdlets for Active Directory Replication and Topology
  • Active Directory-Based Activation (ADBA)
  • Flexible Authentication Secure Tunneling (FAST)
  • Virtual Snapshot and Cloning Support
  • ADPREP Integrated into DC Promotion
  • Active Directory Federation Services (ADFS) Now In-Box: Adding ADFS no longer requires a separate installation. ADFS also gains multiple improvements. Watch this space, because you'll be seeing and using more ADFS in the years to come.
  • Domain Join via DirectAccess : Computers can now be domain-joined over the Internet. You'll need DirectAccess first. Trust me: You'll want it.
  • Kerberos Constrained Delegation (KCD) Across Domains
  • Group Managed Service Accounts (GMSAs) : MSAs in Windows Server 2008 R2 made administering service accounts easier. GMSAs in this version extend their support to clustered and load-balanced services.

What is New in Windows Server 2008 R2 Active Directory?

  • Active Directory Recycle Bin
  • Active Directory module for Windows PowerShell
  • Active Directory Administrative Center
  • Active Directory Best Practices Analyzer
  • Active Directory Web Services
  • Authentication mechanism assurance: Authentication mechanism assurance makes it possible for applications to control resource access based on authentication strength and method
  • Offline domain join
  • Managed Service Accounts
  • Active Directory Management Pack: The Active Directory Management Pack enables proactive monitoring of availability and performance of AD DS with Systems Center Operations Manager 2007.
  • Bridgehead Server Selection: The bridgehead server selection process enables domain controllers to load balance incoming connections. The new logic for bridgehead server selection allows for even distribution of workload among bridgehead servers


What is New in Windows Server 2008 Active Directory?

AD DS includes many new features that are not available in previous versions of Windows Server Active Directory. These new features make it possible for organizations to deploy AD DS more simply and securely and to administer it more efficiently.

  • AD DS: Auditing
  • AD DS: Fine-Grained Password Policies
  • AD DS: Read-Only Domain Controllers
  • AD DS: Restartable Active Directory Domain Services
  • AD DS: Database Mounting Tool (Snapshot Viewer or Snapshot Browser)
  • AD DS: User Interface Improvements
  • AD DS: Owner Rights

How do you change the Directory Service Restore Mode aka DSRM password?

In Windows Server 2003 onwards, Directory Service Restore Mode password can be changed by Ntdsutil utility. Steps are as follows -

  1. Click, Start, click Run, type ntdsutil, and then click OK.
  2. At the Ntdsutil command prompt, type set dsrm password.
  3. At the DSRM command prompt, type one of the following lines:

    To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.

    -or-

    To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.

  4. At the DSRM command prompt, type q.
  5. At the Ntdsutil command prompt, type q to exit.

What is the Active Directory Management Gateway Service?

Windows Server 2008 R2 introduces a web service interface for application accessibility to Active Directory (AD), and the Windows Server 2008 R2 AD PowerShell cmdlets use this service.

ADMGS provides this web service interface for Windows Server 2003 SP2 and Windows Server 2008 domain controllers (DCs). The service lets Server 2008 R2 AD PowerShell cmdlets and other applications work against the DCs with ADMGS installed.


What is SPN?

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. services.


What is Native Mode?

When all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership.


What is Mixed Mode?

Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.


What do you understand by Trust in Active Directory?

To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created.

The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

  • One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
  • Two-way trust: Two domains allow access to users on both domains.
  • Trusting domain: The domain that allows access to users from a trusted domain.
  • Trusted domain: The domain that is trusted; whose users have access to the trusting domain.
  • Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
  • Intransitive trust: A one way trust that does not extend beyond two domains.
  • Explicit trust: A trust that an admin creates. It is not transitive and is one way only.
  • Cross-link trust: An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 Server supports the following types of trusts:

  • Two-way transitive trusts.
  • One-way intransitive trusts.

Additional trusts can be created by administrators. These trusts can be shortcut.

Windows Server 2003 offers a new trust type - the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted. Forest trusts, however, are not transitive.


Which is service in your windows is responsible for replication of Domain controller to another domain controller?

KCC generates the replication topology. Use SMTP / RPC to replicate changes.


How many passwords by default are remembered when you check "Enforce Password History Remembered", what is the maximum?

By default, user’s last 6 passwords are remembered, maximum is 24.

The Enforce password history policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused.

The possible values for this Group Policy setting are:

  • A user-defined number from 0 through 24.
  • Not defined.