Tag: AD

Microsoft: Enabling Recycle Bin feature in Windows Server 2016 Active Directory Domain Services

by Samuel Mitchell, posted in Microsoft, windows, Windows server

There is a new feature available in Active Directory Administrative Center (ADAC) in the Windows Server 2016 that allows you restore deleted AD objects from the Recycle Bin (although it could be activated from Windows server 2008 R2 using Powershell). It allows you to enable it at the Domain or Forest level. The only caveat is once it is enabled, it cannot be disabled. The default lifetime for a deleted object to remain in the AD Recycle Bin is 180 days.

To enable the feature using Powershell:

Enable-ADOptionalFeatureIdentity ‘Recycle Bin Feature’Scope ForestOrConfigurationSetTarget ‘domain.com’Server DC1

To enable the feature in Active Directory Administrative Center:

Go to Server Manager –> Tools –> Active Directory Administrative Center

servermgr_Adac

Highlight the domain or forest on the left pane and then under the Task pane on the right under the domain, select Enable Recycle Bin.

Enable_recycleBin_ADAC

You will get the warning that once it is enabled it cannot be disabled, select Ok.

rc_warn

Microsoft Powershell – Install and Configure AD Certificate Services (Windows Server 2016)

by Samuel Mitchell, posted in Microsoft, Security, windows, Windows server

This article will demonstrate how to install and configure the Active Directory Certificate Services (AD CS) and the Certification Authority (CA) using both the Server Manager and corresponding Powershell cmdlet.

Using Powershell method

Check if the Active Directory Certificate Service is installed

Get-WindowsFeature AD-Certificate

 

To install the Certification Authority features, run the following cmdlet:

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

 

Configuring the Active Directory Certificate Services with a Standalone Root CA on Host1.

Install-ADcsCertificationAuthority –Credential (Get-Credential) -CAType [StandaloneRootCA]CACommonName“domain-Host1-CA-1”CADistinguishedNameSuffix “DC=domain,DC=com” CryptoProviderName“RSA#Microsoft Software Key Storage Provider” -KeyLength 2048 HashAlgorithmName SHA1 ValidityPeriod Years ValidityPeriodUnits3DatabaseDirectory “C:\windows\system32\certLog”LogDirectory “c:\windows\system32\CertLog”Force

You can select the CA Type by setting the parameter for –CA Type to either StandaloneRootCA, StandaloneSubordinateCA, EnterpriseRootCA or EnterpriseSubordinateCA. For the CA options like the Cryptographic Provider, Hash Algorithm and Key length will have to be known so that it is selected correctly.

Example for the key length, the values can be 512, 1024, 2048, 4096 which has to be typed out.

For Hash Algorithm, the options are: SHA256, SHA384, SHA512, SHA1, MD5, MD4, MD2.

For the Cryptographic Provider, the parameter -CryptoProviderName can be:

  • RSA#Microsoft Software Key Storage Provider
  • ECDSA_P521#Microsoft Software Key Storage Provider
  • ECDSA_P256#Microsoft Software Key Storage Provider
  • ECDSA_P384#Microsoft Software Key Storage Provider
  • DSA#Microsoft Software Key Storage Provider

and any other…

 

Removing the AD CS and CA feature from the server.

Remove-WindowsFeature ADCS-Cert-Authority

 

Using the Server Manager

 

Go to Server Manager–> Manage –> Add Role and Features

servermgr

Select Role-based or feature-based installation

role-based

Select the Server to install it on

server

Tick the Active Directory Certificate Services

adcs_server_role

Tick the Certification Authority

CA_role

The feature will be installed and then you can select Configure Active Directory Certificate Services to setup the CA.

configure_ADCS_CA

Enter the Credential that have permission to configure the CA. Note the following:

For Standalone CA: you need local administrator rights

For Enterprise CA: you need Enterprise Admin rights

ca_credential

Select  role services: Certification Authority (CA)

configure_CA

select Standalone CA. Once you know how to configure Standalone CA then you can easily configure Enterprise CA.

select_StandaloneCA

Select Root CA (this is the first CA)

select_RootCA

Select Create a new private key.

create_key

Select your preferred cryptographic provider, key length and hash algorithm

crypto_options

The Common Name and distinguished name suffix will be generated but you can enter your own name.

CA_CommonName

Select the validity period for the Certificate generated.

CA_Period

You can change certificate database and log path or let it remain at the default path

CA_DB-log

Confirm configuration settings of CA.

CA_result_page

Once the CA installation is complete, you can go to Server Manager –> Tools –> Certification Authority to view CA server in the MMC.

 

 

 

PowerShell: Get a List of AD Groups a specific user is a member of

by Samuel Mitchell, posted in Microsoft, windows, Windows server

Powershell is very versatile and with this wonderful tool, I will share how to get the subject result.

There are two ways of doing this:

  1. Using the cmdlet

Get-ADPrincipalGroupMembership [username] | Format-Table Name -AutoSize

I used the cmdlet with Format-table to output property Name in a table format

2. Using the cmdlet

Get-ADUser [username] -Properties memberof | Select -ExpandProperty memberof | Get-ADGroup | Format-Table Name -AutoSize

I used the additional parameter -Properties to get the variable MemberOf then use the Select cmdlet to expand the array then pipe it to the Get-ADGroup to get the name of group to list it in a table format.

Configuring Domain Controller Cloning

by Samuel Mitchell, posted in Data Center Virtualization, Microsoft, VMware, Windows server

Note: There is an Microsoft Hands-on Lab with code WS00148 that can be used to conduct this exercise. The environment may be required to do additional configuration to execute some of these steps since it is not the main aim and you can ignore the steps in that lab to do your own configuration.

Before cloning a virtual Domain Controller (DC), there are a few requirements that needs to exist in the environment.

The requirements are listed below:

  1. There must exist a DC with the FSMO role PDC Emulator running on atleast Windows Server 2012 which is accessible on the network.
  2. The virtual DC to be clone must be running on a hypervisor that supports the feature VM-GenerationID.
  3. The source virtual DC must be running atleast Windows Server 2012 and is a member of the AD group Cloneable Domain Controllers.
  4. There must be a DC Clone Configuration XML file (namely DCCloneConfig.xml) that holds the settings the clone DC will use to configure itself.

To start the process of cloning a DC, the DC needs to be added to the Cloneable Domain Controllers:

  1. Open Server Manager. server_mgr
  2. Then, go to the Active Directory Users and Computers (ADUC). aduc
  3. Go to the Organization Unit (OU) Users,
  4. Select the security group “Cloneable Domain Controllers“. cloneable_group
  5. Right click and select Properties. cloneable_properties
  6. Then go to Members Tab and Add the DC here. select member
  7. Save and Close the settings.

 

Alternately, PowerShell can be used to the previous step, see command:

 

ADGroupMember -Identity ‘Cloneable Domain Controllers’ -member (Get-ADComputer SRV1)

Next step is to check for excluded Application and generate a file using PowerShell:

Open an PowerShell console and use this command:

This command generates a list of excluded applications that are added to the allowed list and saves it to the C:\Windows\NTDS\.

Get-ADDCCloningExcludedApplicationList -GenerateXml

The next command is used to create the DC Cloning configuration XML file that is used to configure the virtual DC clone that you will import into the desired Hypervisor.

New-ADDCCloningConfigFile -CloneComputerName “DCCloneName” -IPv4Address 10.10.10.10 –IPv4DefaultGateway 10.10.10.1 –IPv4SubnetMask 255.255.255.0 –IPv4DNSResolver 10.10.10.100,10.10.10.102 –Static

Now shutdown the VM DC, export a copy of it and then import it as a copy generating a new VM ID. Once the copied VM is booted, you should see the cloning process initializing at boot up. When the process is completed, it will reboot and the new cloned DC is ready for use.

 

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100

Cert Exam Prep: Exam 70-742: Identity with Windows Server 2016 – Study notes

by Samuel Mitchell, posted in Microsoft, Windows server
  1. Install and configure Active Directory Domain Services (AD DS) (20–25%)

Install Active Directory

Know the PowerShell commands:

– Add the binaries

Add-WindowsFeature -name ad-domain-services—lncludeManagementTools -Restart

– Add a new forest

Install-ADDSForest —DomainName ‘corp.contoso.com’

– Add a new domain in an existing forest

Install-ADDSDomain -NewDomainName amer ParentDomainName ‘corp.contoso.com’

– Add a new domain controller in an existing domain

Install-ADDSDomainController —DomainName ‘amer. corp.contoso.com’

– Perform a staged read-only domain controller (RODC) installation

Install-ADDSReadOnlyDomainControl|erAccount –DomainControllerAccountName RODC1 -DomainName amercorp contoso com -SiteName Boston

* Then on RODC1: add the ad-domain-services feature, and domain controller role

 

Transferring and seizing FSMO roles

Exam Topic – What you should know!

Transfer FSMO Roles

  • Perform this on a domain controller which will be down for maintenance for a period of time, to ensure there is no loss of the fsmo service

  • Move-ADDirectoryServerOperationMasterRo|e -Identity “Target-DC” -OperationMasterRole SchemaMaster,RlDMaster,InfrastructureMaster, DomainNamingMaster,PDCEmulator

Seize FSMO Roles

  • Perform this if a domain controller is down and cannot be recovered, to ensure there is no loss of the FSMO service

  • Move-ADDirectoryServerOperationMasterRole -ldentity “Target-DC’ -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force

FSMO roles can be represented by numbers

  • Move-ADDirectoryServerOperationMasterRole -Identity “Target-DC” -OperationMasterRole 0,1,2,3,4 -Force

– 0: PDC Emulator

– 1: RID Master

– 2: Infrastructure Master

– 3: Schema Master

– 4: Domain Naming Master

 

Additional common active directory install functions

Install from media

  • Useful when the database is on a domain controller across a slow WAN link

  • Install-ADDSDomainController —DomainName ‘amer.corp.contoso.com” -lnstallationMediaPath C:\ADMedia

Configure a domain controller to not be global catalog server

  • InstalI-ADDSDomainController —DomainName ‘amer.corp.contoso.com” —NoGlobalCatalog

Move the Infrastructure Master FSMO role

  • Needed if the domain controller will be a global catalog server

  • Install-ADDSDomainController —DomainName ‘amer.corp.contoso.com” -MovelnfrastructureMasterRolelfNecessary

Uninstall active directory and demote to a server

  • Uninstall-ADDSDomainController

Time-limited Group Memberships

Users can be added to a security group with time-to-live (TTL)

  • When the TTL expires, the user’s membership in that group disappears

Kerberos token lifetime will be determined by TTL of the user’s memberships

  • TGT (Ticket Generated Ticket) based on shortest group membership
  • ST (Shortest time) based on TGT and resource local domain group membership

Requires new FFL (Force Functional Level)

  • Scavenger thread takes care of cleaning up group memberships

 

Way to join a computer to the domain

System Control Panel

  • System added to default container unless pre—staged

Windows PowerShell

  • Add-Computer -ComputerName ‘Server1′ -DomainName ‘amer.corp.contoso.com’ -Credential Get-Credential -Restart

  • System added to default container unless pre-staged

Desired State Configuration (DSC)

  • Joins a computer to the domain, and re-joins if it ‘falls out‘ of the domain
  • Uses Start-DscConfiguration cmdlet, and can be set to check compliance every x minutes

Offline domain join

  • Run djoin.exe on a domain controller to pre-stage the object and create provisioning file
  • Run djoin.exe on target computer and point to the provisioning file

Tips

  1. Know the PowerShell commands for installing and managing Active Directory
  2. Active Directory, FSMO Roles, DNS. Group Types and scopes haven’t really changed, but if you haven’t managed them lately, brush up
  3. Desired State Configuration (DSC) can be used to join a server to the domain and rejoin it if necessary

 

  1. Manage and Maintain AD DS (15-20%)

Configure service authentication

Service Accounts

  • Used to enhance security but the pain point is the password management and SPN mgmt.
  • Two types: Managed Service Accounts and Group Managed Service Accounts

Create/configure Managed Service Accounts

  • Used for a single computer or server
  • New-ADServiceAccount with the —RestrictToSingleComputer parameter
  • Not supported for scheduled tasks, Exchange, SQL

Create/configure Group Managed Service Accounts

  • Used for multiple servers
  • Minimum of one DC that runs at least Windows Server 2012
  • Before you begin, must create KDS Root Key: Add-KDSRootKey -Effectivelmmediately
  • New-ADServiceAccount and Set-ADServiceAccount

Configure Kerberos delegation

  • IIS may require the Trust this computer for delegation to any service (Kerberos only) option

Manage Service Principal Names (SPNs)

  • Use SetSPN <service type>/<instance name>:<port number>/<service name>

 

 

 

 

 

 

 

 

 

Active Directory Domain Services Offline and Defragmentation

by Samuel Mitchell, posted in Microsoft, Windows server

There is a tradition method of taking the Microsoft Active Directory Domain Services (AD DS) offline to perform maintenance on the database is using the Directory Service Restore Mode (DSRM). The steps are listed below:

  1. Log into your Domain Controller (DC)
  2. Open the command prompt
  3. Run the command:

    bcdedit /set safeboot dsrepair

  4. Reboot the DC so the it can enter into safe mode

To exit the safe mode, run the command

bcdedit /deletevalue safeboot

and then reboot for the DC to return to normal mode.

Another method of taking the AD DS offline is by stopping the AD DS service using the services applet (services.msc).

Now to perform defragmentation on the AD DS database is to use the NTDS utility.

Execute the following command at the prompt:

ntdsutil

activate instance ntds

files

compact to c:\

integrity

quit

quit

copy c:\ntds.dit c:\windows\ntds\ntds.dit

del c:\windows\ntds\*.log

Restart the AD DS services.

Restart-Service NTDS

Please note that you don’t have to restart the server after the maintenance of the database.