Tag: ADDS

Setting up a Read-only Domain Controller (RODC) using the Staging method

by Samuel Mitchell, posted in Microsoft, Uncategorized, windows, Windows server

In this article, the steps required to setup a Read-only Domain Controller (RODC) for a remote office to authenticate users.

The demonstrataction of this configuration is done using the Active Directory Users and Computers (ADUC) console and performing the same task using Powershell.

The first set of instructions is using Powershell to install the RODC:

Step 1 – Create a normal AD user account

Logon to a writeable Domain Controller and open the Powershell commandline to execute the following commands.

This command is to add a new user account that will perform this task but if a user already exist, this step can be skipped.

New-ADUser -Name Sam -SamAccountName Sam -UserPrincipalName Sam -AccountPassword (Convertto-SecureString -AsPlainText ‘Pa$$w0rd’ -Force)

The command adds user Sam with password and setting the principal name and account to Sam.

Step 2 – Pre-create the Read-only Domain Controller computer account

To pre-create the RODC computer account, run the command below which adds the account to AD. The user account Sam which has no Administrative privileges will be delegated to join the RODC server to the domain.

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName DC-RO -SkipPreChecks -delegatedAdministratorAccountName Sam -DomainNam ‘mydomain.com’ -SiteName Default-First-Site-Name

Let the user run the following Powershell commands on the prospective RODC server which should not be on the domain.

Step 3 – Install the Active Directory Domain Services on the prospective RODC

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Step 4 – Promote the server to the role of a RODC

Install-ADDSDomainController -DomainName ‘mydomain.com’ -Credential (Get-Credential) -UseExistingAccount

The command will prompt for the delegated account create earlier or the account that was delegated and the Directory Service Restore Mode password (SafeModeAdministratorPassword) to perform this task. Once, the process is completed, the server is going to restart and then the RODC is ready for use.

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller–rodc—level-200-

Cert Exam Prep: Exam 70-742: Identity with Windows Server 2016 – Study notes

by Samuel Mitchell, posted in Microsoft, Windows server
  1. Install and configure Active Directory Domain Services (AD DS) (20–25%)

Install Active Directory

Know the PowerShell commands:

– Add the binaries

Add-WindowsFeature -name ad-domain-services—lncludeManagementTools -Restart

– Add a new forest

Install-ADDSForest —DomainName ‘corp.contoso.com’

– Add a new domain in an existing forest

Install-ADDSDomain -NewDomainName amer ParentDomainName ‘corp.contoso.com’

– Add a new domain controller in an existing domain

Install-ADDSDomainController —DomainName ‘amer. corp.contoso.com’

– Perform a staged read-only domain controller (RODC) installation

Install-ADDSReadOnlyDomainControl|erAccount –DomainControllerAccountName RODC1 -DomainName amercorp contoso com -SiteName Boston

* Then on RODC1: add the ad-domain-services feature, and domain controller role

 

Transferring and seizing FSMO roles

Exam Topic – What you should know!

Transfer FSMO Roles

  • Perform this on a domain controller which will be down for maintenance for a period of time, to ensure there is no loss of the fsmo service

  • Move-ADDirectoryServerOperationMasterRo|e -Identity “Target-DC” -OperationMasterRole SchemaMaster,RlDMaster,InfrastructureMaster, DomainNamingMaster,PDCEmulator

Seize FSMO Roles

  • Perform this if a domain controller is down and cannot be recovered, to ensure there is no loss of the FSMO service

  • Move-ADDirectoryServerOperationMasterRole -ldentity “Target-DC’ -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force

FSMO roles can be represented by numbers

  • Move-ADDirectoryServerOperationMasterRole -Identity “Target-DC” -OperationMasterRole 0,1,2,3,4 -Force

– 0: PDC Emulator

– 1: RID Master

– 2: Infrastructure Master

– 3: Schema Master

– 4: Domain Naming Master

 

Additional common active directory install functions

Install from media

  • Useful when the database is on a domain controller across a slow WAN link

  • Install-ADDSDomainController —DomainName ‘amer.corp.contoso.com” -lnstallationMediaPath C:\ADMedia

Configure a domain controller to not be global catalog server

  • InstalI-ADDSDomainController —DomainName ‘amer.corp.contoso.com” —NoGlobalCatalog

Move the Infrastructure Master FSMO role

  • Needed if the domain controller will be a global catalog server

  • Install-ADDSDomainController —DomainName ‘amer.corp.contoso.com” -MovelnfrastructureMasterRolelfNecessary

Uninstall active directory and demote to a server

  • Uninstall-ADDSDomainController

Time-limited Group Memberships

Users can be added to a security group with time-to-live (TTL)

  • When the TTL expires, the user’s membership in that group disappears

Kerberos token lifetime will be determined by TTL of the user’s memberships

  • TGT (Ticket Generated Ticket) based on shortest group membership
  • ST (Shortest time) based on TGT and resource local domain group membership

Requires new FFL (Force Functional Level)

  • Scavenger thread takes care of cleaning up group memberships

 

Way to join a computer to the domain

System Control Panel

  • System added to default container unless pre—staged

Windows PowerShell

  • Add-Computer -ComputerName ‘Server1′ -DomainName ‘amer.corp.contoso.com’ -Credential Get-Credential -Restart

  • System added to default container unless pre-staged

Desired State Configuration (DSC)

  • Joins a computer to the domain, and re-joins if it ‘falls out‘ of the domain
  • Uses Start-DscConfiguration cmdlet, and can be set to check compliance every x minutes

Offline domain join

  • Run djoin.exe on a domain controller to pre-stage the object and create provisioning file
  • Run djoin.exe on target computer and point to the provisioning file

Tips

  1. Know the PowerShell commands for installing and managing Active Directory
  2. Active Directory, FSMO Roles, DNS. Group Types and scopes haven’t really changed, but if you haven’t managed them lately, brush up
  3. Desired State Configuration (DSC) can be used to join a server to the domain and rejoin it if necessary

 

  1. Manage and Maintain AD DS (15-20%)

Configure service authentication

Service Accounts

  • Used to enhance security but the pain point is the password management and SPN mgmt.
  • Two types: Managed Service Accounts and Group Managed Service Accounts

Create/configure Managed Service Accounts

  • Used for a single computer or server
  • New-ADServiceAccount with the —RestrictToSingleComputer parameter
  • Not supported for scheduled tasks, Exchange, SQL

Create/configure Group Managed Service Accounts

  • Used for multiple servers
  • Minimum of one DC that runs at least Windows Server 2012
  • Before you begin, must create KDS Root Key: Add-KDSRootKey -Effectivelmmediately
  • New-ADServiceAccount and Set-ADServiceAccount

Configure Kerberos delegation

  • IIS may require the Trust this computer for delegation to any service (Kerberos only) option

Manage Service Principal Names (SPNs)

  • Use SetSPN <service type>/<instance name>:<port number>/<service name>