Beruflich Dokumente
Kultur Dokumente
Exam number
and title
70-640: TS: Windows Server
2008 Active Directory,
Configuring
http://www.microsoft.com/learning/
3/11/2014
Course Outline
Module 1: Introducing Active Directory Domain Services
Module 2: Secure and Efficient Administration of Active
Directory
Module 3: Manage Users
Module 4: Manage Groups
Module 5: Support Computer Accounts
Module 6: Implement a Group Policy Infrastructure
Module 7: Manage Enterprise Security and Configuration
Domain Controllers
Module 12: Manage Sites and Active Directory Replication
Module 13: Directory Service Continuity
Module 14: Manage Multiple Domains and Forests
3/11/2014
Module 1
Introducing Active
Directory Domain
Services (AD DS)
Module Overview
Introducing Active Directory, Identity, and Access
Active Directory Components and Concepts
Install Active Directory Domain Services
Extend IDA with Active Directory Services
3/11/2014
SECURELY!
IDA: Identity and Access
AAA: Authentication, Authorization, Accounting
CIA: Confidentiality, Integrity, Availability ( & Authenticity)
3/11/2014
(directory database)
Security principal
Represented uniquely by
descriptor
Discretionary access control
or permissions)
A resources is secured
with an access control
list (ACL): permissions
that pair a SID with a
level of access
3/11/2014
Authentication
Authentication is the process that verifies a users identity
Access Tokens
3/11/2014
Security Descriptor
System ACL
(SACL)
Discretionary ACL
(DACL or ACL)
ACE
Trustee (SID)
Access Mask
ACE
Trustee (SID)
Access Mask
Authorization
Authorization is the process that determines whether to grant
or deny a user a requested level of access to a resource
Access Request
System finds first
ACE in the ACL that
allows or denies the
requested access
level for any SID in
the users token
Security Token
Security Descriptor
System ACL
(SACL)
Discretionary ACL
(DACL or ACL)
List of user
rights
ACE
Trustee (SID)
Access Mask
Other access
information
ACE
Trustee (SID)
Access Mask
3/11/2014
service
Hosted by a server
3/11/2014
Authenticate an identity
Control access
3/11/2014
objectSID
sAMAccountName
unicodePwd
member
Description
User
Group
10
3/11/2014
Organizational Units
Containers
Users
Computers
Organizational Units
Create OUs to
Delegate administrative
permissions
11
3/11/2014
Policy-Based Management
Active Directory provides a single point of management for
Group Policy
Audit policy
Configuration
Schema
Configuration
Schema
SYSVOL
%systemroot%\SYSVOL
Logon scripts
Policies
NTDS.DIT
Configuration
*Domain*
DNS
PAS
12
3/11/2014
Domain Controllers
Servers that perform the AD DS role
Best practices
Domain
Made up of one or more DCs
All DCs replicate the Domain naming
Replication boundary
Password
Lockout
13
3/11/2014
Replication
Multimaster replication
DC3
DC2
Sites
An Active Directory object that represents a well-
Service localization
Site A
14
3/11/2014
Tree
One or more domains in a single instance of AD DS that
treyresearch.net
proseware.com
antarctica.treyresearch.net
Forest
A collection of one or more Active Directory domain trees
First domain is the forest root domain
Single configuration and schema
15
3/11/2014
Global Catalog
Domain A
PAS
attributes
A type of index
Domain B
any domain
PAS
many applications
Functional Level
Domain functional levels
Forest functional levels
New functionality requires that domain controllers are
Windows 2000
16
3/11/2014
integrated
One-to-one relationship between the DNS
Schema
Configuration
Domain
DNS
PAS
Trust Relationships
Extends concept of trusted identity store to another domain
Trusting domain (with the resource) trusts the identity store
Trusted domain
Trusting domain
17
3/11/2014
Server 2008
Prepare to Create a New Forest with Windows Server 2008
Install and Configure a Domain Controller
18
3/11/2014
19
3/11/2014
2 Installation Wizard
5 SYSVOL folder
20
3/11/2014
Lab Scenario
You have been hired to improve identity and access at
Lab Review
After this lab you will have:
Performed post installation tasks in naming a server
21
3/11/2014
Characteristics
Replication
22
3/11/2014
Many uses
Internal-only or external
VPN
23
3/11/2014
Examples
Requires
AD RMS
AD DS
Uses
Business-to-business: partnership
Single sign-on
24
3/11/2014
Module 2
Secure and Efficient
Administration of
Active Directory
25
3/11/2014
Module Overview
Work with Active Directory Snap-Ins
Custom Consoles and Least Privilege
Find Objects in Active Directory
Use DS Commands to Administer Active Directory
26
3/11/2014
Console
Tree
Show/Hide
Actions
Pane
Details
Pane
Actions
Pane
27
3/11/2014
controller
28
3/11/2014
29
3/11/2014
snap-ins
How to register the Active Directory Schema snap-in
Where to save a custom console
standard user
2.Click
3.Enter
30
3/11/2014
location
31
3/11/2014
Administrative Console
Exercise 3: Perform Administrative Tasks with Least
32
3/11/2014
Lab Scenario
In this exercise, you are Pat Coleman, an Active Directory
33
3/11/2014
Lab Review
Which snap-in are you most likely to use on a day-to-day
Computers
Demonstration: Control the View of Objects in Active
34
3/11/2014
35
3/11/2014
Sorting: Use
column headings
in Active
Directory Users
and Computers
to find the
objects based on
the columns
Searching:
Provide the
criteria for which
you want to
search
36
3/11/2014
Find command
or
37
3/11/2014
administration
38
3/11/2014
Lab Scenario
Contoso now spans five geographic sites around the world,
39
3/11/2014
Lab Review
In your work, what scenarios require you to search Active
Directory?
What types of saved queries could you create to help you
40
3/11/2014
The DS Commands
DSQuery. Performs a query based on parameters
DScommand /?
41
3/11/2014
100 is default
scope {subtree|onelevel|base}
42
3/11/2014
Or multiple results:
dsquery user -name "Dan*" | dsget user email
43
3/11/2014
dsrm "cn=DESKTOP234,ou=Client
Computers,dc=contoso,dc=com"
44
3/11/2014
dsadd ou "ou=Lab,dc=contoso,dc=com"
45
3/11/2014
DS commands
LDAP
ldp.exe
Windows PowerShell
Scripting
VBScript
Directory
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
46
3/11/2014
Lab Scenario
Contoso is growing, and changes need to be made to
Lab Review
What can you do to avoid typing distinguished names of
47
3/11/2014
Module 3
Manage Users
48
3/11/2014
Module Overview
Create and Administer User Accounts
Configure User Object Attributes
Automate User Account Creation
49
3/11/2014
User Account
A user account is an object that
50
3/11/2014
51
3/11/2014
Name Attributes
User logon name (pre-Windows 2000): sAMAccountName
Unique in domain
20-character limit
CONTOSO\Tony.Krijnen
Unique in forest
Tony.Krijnen@contoso.com
Tony Krijnen
52
3/11/2014
2.
3.
4.
5.
6.
Initial][-ln LastName]
[-dn DisplayName][-email EmailAddress]
53
3/11/2014
Account Attributes
Logon Hours: logonHours
Log On To: userWorkstations
User must change password at next logon
User cannot change password
Password never expires
Account is disabled
Store password using reversible encryption
Smart Card is required for interactive logon
Account is trusted for delegation
Account expires
Best practices
54
3/11/2014
55
3/11/2014
Common practice
56
3/11/2014
Name Attributes
Lab Scenario
You are the administrator of Contoso, Ltd., an online university for
adult education. Two new employees have been hired: Chris Mayo
and Amy Strande. You must create accounts for these users. As
time passes, Chris Mayo leaves the organization, and his account
must be administered according to the company policy for user
account lifecycle management.
57
3/11/2014
Lab Review
In this lab, which attribute(s) can be modified when you
58
3/11/2014
59
3/11/2014
dsget user /?
60
3/11/2014
61
3/11/2014
File
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
62
3/11/2014
Lab Scenario
You are the administrator of Contoso, Ltd., an online
Lab Review
What options have you learned for modifying attributes of
63
3/11/2014
CSVDE.exe
Active Directory
filename.ldf
Import
CSVDE.exe
64
3/11/2014
CSVDE.exe
Active Directory
filename.ldf
Import
CSVDE.exe
LDIFDE.exe
Active Directory
filename.ldf
Import
65
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are the administrator of Contoso, Ltd., an online
66
3/11/2014
Lab Review
What scenarios lend themselves to importing users with
Module 4
Manage Groups
67
3/11/2014
68
3/11/2014
Module Overview
Manage an Enterprise with Groups
Administer Groups
Best Practices for Group Management
69
3/11/2014
70
3/11/2014
Identity
Access Management
Resource
Identity
Group
Resource
Access Management
71
3/11/2014
Identity
Group
Resource
Access Management
Identity
Group
Access Management
Resource
72
3/11/2014
Identity
Role Group
Rule Group
Resource
Access Management
73
3/11/2014
Use the same name (unique in the domain) for both properties
Naming conventions
Group Type
Distribution groups
Used only with e-mail applications
Not security-enabled (no SID);
cannot be given permissions
Security groups
Security principal with a SID;
can be given permissions
Can also be e-mail enabled
74
3/11/2014
Group Scope
Four group scopes
Local
Global
Domain Local
Universal
Local Groups
Replication
Availability/scope
75
3/11/2014
Availability/scope
Global Groups
Replication
Availability/scope
76
3/11/2014
Universal Groups
Replication
Availability/scope
Group Scope
Members from
Same Domain
Members
from Domain
in Same
Forest
Members
from Trusted
External
Domain
Can be
Assigned
Permissions to
Resources
Local
U, C,
GG, DLG, UG
and local users
U, C,
GG, UG
U, C,
GG
On the local
computer only
Domain Local
U, C,
GG, DLG, UG
U, C,
GG, UG
U, C,
GG
Anywhere in the
domain
Universal
U, C,
GG, UG
U, C,
GG, UG
N/A
Anywhere in the
forest
Global
U, C,
GG
N/A
N/A
Anywhere in the
domain or a
trusted domain
U
C
GG
DLG
UG
User
Computer
Global Group
Domain Local Group
Universal Group
77
3/11/2014
are members of
Global groups
that provide
management
of some kind, such
as management of
resource access
which are
Assigned Access to a resource (for example, on an ACL)
Multi-domain forest: IGUDLA
78
3/11/2014
Access Management
Identity
Role Group
Rule Group
Resource
Identity
Global
Domain Local
Access
79
3/11/2014
scope {g | l | u}
Example
objectClass,sAMAccountName,DN,member
group,Marketing,"CN=Marketing,OU=Role,OU=Groups,
DC=contoso,DC=com",
"CN=Linda Mitchell,OU=Employees,OU=User Accounts,
DC=contoso,DC=com;CN=Scott Mitchell,OU=Employees,
OU=User Accounts,DC=contoso,DC=com"
80
3/11/2014
group type:
Distribution to security
Global to universal
Universal to global
scope { l | g | u }
81
3/11/2014
changetype: modify
Third line: What type of change? Add a value to member
82
3/11/2014
[-expand]
Shows membership of user or computer (ObjectDN),
83
3/11/2014
DSMove command
Delete Groups
Active Directory Users and Computers: Right-click, Delete
DSRm command
Tip: First, record all members and delete all members for a
test period, to evaluate any unintended side effects
84
3/11/2014
Groups
Exercise 2: Manage Group Membership from the
Command Prompt
Exercise 3 (Advanced Optional): Explore Group
Unknown" Permissions
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
In order to improve the manageability of resource access
at Contoso, Ltd., you have decided to implement rolebased management. The first application of role-based
management will be to manage who can access the folders
containing Sales information. You must create groups that
manage access to that sensitive information. Business
rules are that Sales and Marketing employees, as well as a
team of Consultants, should be able to read the Sales
folders. Additionally, Bobby Moore requires Read access.
Finally, you have been asked to discover a way to produce
a list of group members, including those who are in nested
groups; and a list of a user's group membership, including
indirect or nested membership.
85
3/11/2014
Lab Review
Describe the purpose of global groups in terms of role-
based management.
What types of objects can be members of global groups?
Describe the purpose of domain local groups in terms of
groups?
If you have implemented role-based management and are
Tab
Default Groups
Special Identities
86
3/11/2014
convention
description
87
3/11/2014
Tips
Default Groups
Default local groups in the BUILTIN and Users containers
Highly overdelegated
Protected
88
3/11/2014
Special Identities
Membership is controlled by Windows:
Examples
management
89
3/11/2014
Lab Scenario
Your implementation of role-based management at
Lab Review
What are some benefits of using the Description and Notes
fields of a group?
What are the advantages and disadvantages of delegating
group membership?
90
3/11/2014
Module 5
Support Computer
Accounts
91
3/11/2014
Module Overview
Create Computers and Join the Domain
Administer Computer Objects and Accounts
92
3/11/2014
Domain: Authority
is Active Directory
Computers have
"trust relationship"
with the domain
93
3/11/2014
Servers
Client computers
94
3/11/2014
Requires restart
95
3/11/2014
Requires no prestaging
DSAdd
NetDom
96
3/11/2014
CSVDE.exe
Active Directory
filename.ldf
Import
CSVDE.exe
LDIFDE.exe
Active Directory
filename.ldf
Import
Format (LDIF)
LDIFDE.exe
-i: Import
97
3/11/2014
Optional options
-samid ComputerName
-desc Description
-loc Location
98
3/11/2014
Windows Interface
Exercise 2: Secure Computer Joins
Exercise 3: Manage Computer Account Creation with Best
Practices
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
6425B-SERVER01-B
Pat.Coleman_Admin
Administrator
Password
Pa$$w0rd
Pa$$w0rd
Scenario
You are an administrator for Contoso, Ltd. During a
99
3/11/2014
Lab Review
What did you learn about the pros and cons of various
100
3/11/2014
Description
Location
US\WA\SEA\HQ\Building33\Floor3\Q04\1531
Managed By
Member Of
Move a Computer
Using Active Directory Users and Computers
ParentDN]
101
3/11/2014
Password
Trust
Secure channel
102
3/11/2014
DSMod*
dsmod computer "ComputerDN" reset
NetDom
netdom reset MachineName /domain DomainName
/UserO UserName /PasswordO {Password | *}
NLTest
nltest /server:ServerName
/sc_reset:DOMAIN\DomainController
Rename a Computer
Use System Properties of computer itself to rename computer
NetDom
103
3/11/2014
DSMod
Computers
dsrm ObjectDN
104
3/11/2014
Life cycle
Exercise 2: Administer and Troubleshooting Computer
Accounts
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
6425B-SERVER01-B
Pat.Coleman
Pat.Coleman_Admin
Administrator
Password
Pa$$w0rd
Pa$$w0rd
Scenario
You are an administrator for Contoso, Ltd. During a
105
3/11/2014
Lab Review
What did you learn about the "pros" and "cons" of various
Module 6
Implement a Group Policy
Infrastructure
106
3/11/2014
Module Overview
Understand Group Policy
Implement GPOs
A Deeper Look at Settings and GPOs
Manage Group Policy Scope
Group Policy Processing
Troubleshoot Policy Application
107
3/11/2014
management in an AD DS domain
Setting
Scope
Application
108
3/11/2014
Divided between
Computer Configuration
("computer policies")
Define a setting
Enabled
Disabled
(GPMC)
(GPME)
109
3/11/2014
GPO Scope
Scope. Definition of objects (users or computers) to which
GPO applies
GPO link. GPO can be linked to site, domain, or
WMI filtering
Preference targeting
Improves performance
110
3/11/2014
Startup
User Configuration
Logon
111
3/11/2014
Scope
Application
Tools
112
3/11/2014
Local GPOs
Apply before domain-based GPOs
Local GPO
Domain-Based GPOs
Created in Active Directory, stored on domain controllers
Two default GPOs
113
3/11/2014
Creation
Linking
Editing
114
3/11/2014
GPO Storage
Group Policy Container (GPC)
Stored in AD DS
Friendly name, globally unique
identifier (GUID)
Version
Separate replication
mechanisms
GPOTool
115
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-A
6425B-Desktop101-A
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
Lab Scenario
You are responsible for managing change and
116
3/11/2014
Lab Review
What policy settings are already being deployed using
117
3/11/2014
Windows\CurrentVersion\
Policies\System
DisableRegeditMode
UI not locked
Preferences
Effects vary
118
3/11/2014
Administrative Templates
.ADMX
.ADML
Registry
.ADMX/.ADML files
Central Store
Remotely: \\contoso.com\SYSVOL\contoso.com\Policies\
PolicyDefinitions
Locally: %SystemRoot%\SYSVOL\contoso.com\
Policies\PolicyDefinitions
119
3/11/2014
Templates
Add comments to a policy setting
Add comments to a GPO
Create a new GPO from a starter GPO
Create a new GPO by copying an existing GPO
Create a new GPO by importing settings that were
120
3/11/2014
Save Report
Delete
Rename
121
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You were recently hired as the domain administrator for
122
3/11/2014
Lab Review
Describe the relationship between administrative template
123
3/11/2014
GPO Links
GPO link
124
3/11/2014
Local Group
GPO2
Site
GPO3
GPO4
Domain
GPO5
OU
OU
Computer D
User D
OU
Domain
Business
OU
Computer B
User B
Computer
User E
Employees
Computer C
User C
Groups
Clients
Computer D+B+C
User D+B+E
125
3/11/2014
Computer D
User D
Domain
Block
Inheritance
Business
OU
Computer B
User B
Computer
User E
Employees
Computer C
User C
Groups
Clients
Computer B+C
User B+E
Security
Computer D
Computer S
User D
User S
Domain
Block
Inheritance
Business
OU
Enforced
Computer B
User B
Computer
User E
Employees
Computer C
User C
Groups
Clients
Computer B+C+S
User B+E+S
126
3/11/2014
WMI Filters
Windows Management Instrumentation (WMI)
WMI Query Language (WQL)
Similar to T-SQL
127
3/11/2014
Target Preferences
Targeting within a GPO
Scope =
scope of GPO
x
scope of targeting
impact
128
3/11/2014
Computer Configuration\Policies\Administrative
Templates\System\Group Policy
Replace mode
The user gets none of the User settings that are scoped to the
user only the User settings that are scoped to computer.
Merge mode
The user gets the User settings scoped to the user, but those
settings are overlaid with User settings scoped to the
computer. The computer wins.
Business
OU
Computer
User E
Employees
Computer B
User B
Loopback
Computer K
User K
Computer C
User
Groups
Clients
Computer B+C
User B+E
Replace
Computer B+K
User B+K
Kiosks
Merge
Computer B+K
User E+B+K
129
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-A
6425B-DESKTOP101-A
Pat.Coleman
Do not Logon
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are an administrator of the contoso.com domain. The
130
3/11/2014
Lab Review
Many organizations rely heavily on security group filtering
131
3/11/2014
User logs on
Process repeats for user settings
Every 90-120 minutes after startup, computer refresh
Every 90-120 minutes after logon, user refresh
Disconnected
Connected
132
3/11/2014
Wizard
Examine Policy Event Logs
133
3/11/2014
RSoP analysis
GPResult.exe
Requirements
RSoP report
Can be saved
134
3/11/2014
Application log
135
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-A
6425B-DESKTOP101-A
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
Lab Scenario
You are responsible for administering and troubleshooting
136
3/11/2014
Lab Review
In what situations have you used RSoP reports to
Module 7
Manage Enterprise Security
and Configuration with
Group Policy Settings
137
3/11/2014
Module Overview
Delegate the Support of Computers
Manage Security Settings
Manage Software with GPSI
Auditing
138
3/11/2014
membership of groups.
Member Of
Policy is for a domain group
Specify its membership in a
local group
Cumulative
Members
Policy is for a local group
Specify its members
(groups and users)
Authoritative
139
3/11/2014
140
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-A
6425B-DESKTOP101-A
Pat.Coleman
Do not Logon
Administrative user
name
Pat.Coleman_Admin
Password
Pa$$w0rd
141
3/11/2014
Lab Scenario
You have been asked by the corporate security team to lock down
Lab Review
If you wanted to ensure that the only members of the local
142
Slide 284
K1
3/11/2014
security configuration
settings
Manage security configuration
Tools
143
3/11/2014
Secedit.exe
144
3/11/2014
Modify
Database
Create a database
Import template(s)
Import
Template
Analyze computer
Correct discrepancies
Configure computer
Export as template
Secedit.exe
Export
Template
Analyze
Computer
Import
Policy
Group
Policy
145
3/11/2014
Registry values
Audit policy
Security policies
146
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are an administrator of the contoso.com domain. As part of
147
3/11/2014
Lab Review
Describe the relationship between security settings on a
148
3/11/2014
No feedback
Assign to computers
Install at startup
149
3/11/2014
150
3/11/2014
151
3/11/2014
Upgrade application
Remove application
Dont delete or unlink GPO until all clients have applied setting
whether to process
152
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-A
6425B-DESKTOP101-A 6425B-SERVER01-A
Pat.Coleman
Pat.Coleman
Administrative user
name
Pat.Coleman_Admin
Password
Pa$$w0rd
Do not Logon
Pa$$w0rd
Lab Scenario
You are an administrator at Contoso, Ltd. Your developers
153
3/11/2014
Lab Review
Consider the NTFS permissions you applied to the
Lesson 4: Auditing
An Overview of Audit Policies
Specify Auditing Settings on a File or Folder
Enable Audit Policy
Evaluate Events in the Security Log
154
3/11/2014
of activities
Logon
Assignment or use of
user rights
and reality
Over-auditing: logs are too big to find the events that matter
Tools that help you consolidate and crunch logs can be helpful
Properties
Advanced
Auditing
Edit
155
3/11/2014
settings (success/failure)
Summary
156
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-A
6425B-DESKTOP101-A 6425B-SERVER01-A
Pat.Coleman
Pat.Coleman and
Mike.Danseglio
Administrative user
name
Pat.Coleman_Admin
Password
Pa$$w0rd
Pat.Coleman
Pat.Coleman_Admin
Pa$$w0rd
Pa$$w0rd
Lab Scenario
In this Lab, you will configure auditing settings, enable
157
3/11/2014
Lab Review
What are the three major steps required to configure
Module 8
Secure Administration
158
3/11/2014
Module Overview
Delegate Administrative Permissions
Audit Active Directory Administration
159
3/11/2014
Understand Delegation
Simple example
The ACL also contains the system access control list (SACL)
160
3/11/2014
property
Allow Reset Password: Enter new password (do not need old)
161
3/11/2014
effects of inheritance:
162
3/11/2014
Reset passwords
dsacls ObjectDN
Example:
dsacls "ou=User Accounts,dc=contoso,dc=com"
163
3/11/2014
and Computers
Applies default ACL defined in the schema for the object class
dsacls ObjectDN /s /t
Example:
dsacls "ou=User Accounts,dc=contoso,dc=com" /s /t
Manual analysis
Third-party tools
Role-based management
164
3/11/2014
2.Then
3.Then,
165
3/11/2014
user accounts
Exercise 2: View delegated permissions
Exercise 3: Remove and reset permissions
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
166
3/11/2014
Lab Scenario
The enterprise security team at Contoso has asked you to
Lab Review
How does Active Directory Users and Computers indicate
167
3/11/2014
168
3/11/2014
Event log entry says "a change was made to this object"
Advanced
2. Click the Auditing tab
3. Click Add to add an audit entry
4. Specify the group you want to audit (often, Everyone)
5. Select to audit Success or Failure events for one or
169
3/11/2014
Success/Failure
Time
Object accessed
Task category
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
170
3/11/2014
Lab Scenario
The enterprise security team at Contoso has asked you to
Lab Review
What details are captured by Directory Services Changes
171
3/11/2014
Module 9
Improve the Security of
Authentication in an
Active Directory Domain
Services (AD DS) Domain
Module Overview
Configure Password and Lockout Policies
Audit Authentication
Configure Read-Only Domain Controllers
172
3/11/2014
173
3/11/2014
accounts
Unlock
Best practices:
Do not use the Default Domain GPO to deploy any other policy
settings
174
3/11/2014
175
3/11/2014
Administrative
accounts
Service
Accounts
Length: 15
Max age: 45
Lockout: 5 in 60 min
Reset: 1 day
Finance users
Length: 15
Max age: 60
Lockout: 5 in 30 min
Reset: 30 min
176
3/11/2014
177
3/11/2014
178
3/11/2014
Policies
Exercise 2: Configure Fine-Grained Password Policy
Logon information
Virtual machine
6425B-HQDC01-A
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
179
3/11/2014
Lab Scenario
Contosos security team has tasked you with increasing the
180
3/11/2014
Account Logon
Event
Logon events
Logon
Event
Logon
Event
181
3/11/2014
Default
Domain
Controllers
Policy
Custom
GPO
Logon
Events
Account
Logon
Events
Domain
Controllers
Remote
Desktop
Servers
HR Clients
182
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-A
6425B-SERVER01-A
Pat.Coleman
Pat.Coleman
Administrative user
name
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
183
3/11/2014
Lab Scenario
Contosos security team has tasked you with increasing the
184
3/11/2014
Branch Office
Read-Only Domain Controllers
Deploy an RODC
Demonstration: Password Replication Policy
Demonstration: Password RODC Credentials Caching
Administrative Role Separation
Data center
Branch
Office
Personnel
Secure facilities
Authentication of branch
users subject to availability
and performance of WAN
Improved authentication
Security: Exposure of AD
database
Directory Service
Integrity: Corruption at
branch replicating to other
DCs
Administration:
Administration requires
domain Administrators
membership
?
185
3/11/2014
Data Center
Writeable Windows
Server 2008 DC
Password Replication
Policy (PRP)
Specifies which user (and
computer) passwords can
be cached by the RODC
Branch office
RODC
All objects
Subset of attributes
No "secrets"
Not writeable
Users log on
RODC forwards
authentication
Password is cached
If PRP allows
Has a local
Administrators group
Deploy an RODC
1. Ensure the forest functional level is Windows Server 2003 or
higher
2. If the forest has any DCs running Windows Server 2003, run
adprep /rodcprep
186
3/11/2014
187
3/11/2014
Resultant Policy
Prepopulating credentials in the RODC cache
188
3/11/2014
dsmgmt [enter]
Logon information
Virtual machine
6425B-HQDC01-A
6425B-BRANCHDC01-A
Pat.Coleman
Administrative user
name
Pat.Coleman_Admin
Administrator
Password
Pa$$w0rd
Pa$$w0rd
189
3/11/2014
Lab Scenario
Contosos security team has tasked you with increasing the
Lab Review
Why should you ensure that the PRP for a branch office
RODC has, in its Allow list, the accounts for the computers
in the branch office as well as the users?
What would be the most manageable way to ensure that
190
3/11/2014
Module 10
Configure Domain Name
System (DNS)
191
3/11/2014
Module Overview
Review of DNS Concepts, Components, and Processes
Install and Configure DNS in an AD DS Domain
AD DS, DNS, and Windows
Advanced DNS Configuration and Administration
192
3/11/2014
Why DNS?
Computers connect using IP addresses
Humans prefer names
DNS resolves names to IP addresses
technet.microsoft.com?
207.46.16.252
Client
technet.microsoft.com
207.46.16.252
DNS Server
.com
contoso.com
microsoft.com
.microsoft.co.uk
193
3/11/2014
Zones
A database stored on a DNS server
Supports resolution for a portion of the DNS namespace
domain
DNS Server
Name: hqdc01
Data: 10.0.0.11
Name: ftp
Data: internetserver.contoso.com
Data: exchange.contoso.com
Name: contoso.com
Data: nameserver01.contoso.com
194
3/11/2014
Zone Replication
File-based zone
Incremental updates
195
3/11/2014
Subdomains
A zone supports resolution for a portion of the DNS
Subdomain
Delegation
Stub zone
196
3/11/2014
ipconfig /flushdns
technet.microsoft.com?
DNS Client Service
DNS Resolver
Cache
nslookup.exe
HOSTS File
Ensure that each DNS server is able to resolve all client queries
DNS Server
197
3/11/2014
If no resolution found
technet.microsoft.com?
DNS Client
Service
Clients DNS Server
DNS
Server
Cache
Recursion
Iterative query to root DNS servers
technet.microsoft.com?
198
3/11/2014
Server Manager
dnscmd.exe
199
3/11/2014
Create a Zone
Right-click
(Active Directory
integrated zones only)
200
3/11/2014
Master server
The server from which the zone
will be copied
Need not be the primary server
Allow Zone Transfers
Secondary server
Create a new forward lookup zone
Choose a secondary zone
Configure the master server
201
3/11/2014
Configure Forwarders
Right-click DNS server Properties Forwarders
For all names not in your domain, resolve using your
root hints
Client Configuration
IP configuration of client
202
3/11/2014
Records
Logon information
Virtual machine
6425B-HQDC01-B
6425B-HQDC02-B
Do not log on
Pat.Coleman
Administrative user
name
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are an administrator of Contoso, Ltd. You recently
203
3/11/2014
Lab Review
If you did not configure forwarders on HQDC02, what
Domain Controllers
204
3/11/2014
domain controllers
Windows clients can update their own DNS records
Active Directory can load large Active Directoryintegrated
contoso.com
contoso.com
ad.contoso.com
contoso.net
205
3/11/2014
Split-Brain DNS
The zone that supports AD DS
Secured from Internet exposure
Dynamic
Fully populated with AD DS client, server, and service records
such as www
contoso.com
206
3/11/2014
partitions
Schema
DomainDNSZone
ForestDNSZones
Custom Partition
To all domain controllers in the
replication scope for the
application partition
207
3/11/2014
Properties of zone
General Change replication
Dynamic Updates
DHCP Client service registers
records for client
During client startup
If new/changed IP address
(fixed/DHCP) on any network
connection
If ipconfig /registerdns is run
3
1
DNS Server
Resource
Records
sends secured
7 Client
update to DNS server
208
3/11/2014
port target
209
3/11/2014
statically
View %systemroot%\system32\config\netlogon.dns
210
3/11/2014
Local DNS
Server
MIA-DC1
NYC-DC1
Miami Site
NYC Site
the site
3. First DC to respond
7. First DC to respond
Authenticates client
8. Subsequently
211
3/11/2014
zones
RODC can resolve client queries
Changes not allowed on the read-only DNS zone
212
3/11/2014
or
DNS suffix search order
- Manage with Group Policy
2.
WINS
12 seconds = timeout!
Server-side resolution
Forwarders
Root hints
Conditional forwarders
Stub zone
213
3/11/2014
IP address: 10.0.1.34
Query: 34.1.0.10.in-addr.arpa
Pointer (PTR) record with name (IP octet) and data (hostname)
34.1.0.10.in-addr.arpa
file34.contoso.com
Services/applications use
reverse lookup as a
security check: Who is this
request coming from?
Client
DNS Server
Scavenging
214
3/11/2014
Debug logging
dcdiag.exe /test:DNS
record
cache
ipconfig /flushdns : purge client DNS resolver cache
ipconfig /registerdns : register client DNS records
215
3/11/2014
Logon information
Virtual
machine
6425B-HQDC01-B
6425B-HQDC02-B
6425B-TSTDC01-A
6425B-BRANCHDC01-B
Logon user
name
Do not Logon
Pat.Coleman
Sara.Davis
Do not Logon
Administrative
user name
Pat.Coleman_Admin Sara.Davis_Admin
Password
Pa$$w0rd
Pa$$w0rd
Lab Scenario
You are the DNS administrator at Contoso, Ltd. You want
216
3/11/2014
Lab Review
In this lab, you used a stub zone and a conditional
Module 11
Administer
Active Directory
Domain Services (AD DS)
Domain Controllers (DCs)
217
3/11/2014
Module Overview
Domain Controller Installation Options
Install a Server Core DC
Manage Operations Masters
Configure DFS-R Replication of SYSVOL
218
3/11/2014
DCPROMO.exe
[DCINSTALL]
NewDomainDNSName=contoso.com
219
3/11/2014
dcpromo.exe
/unattend:path
dcpromo.exe /unattend
/installDNS:yes /dnsOnNetwork:yes
/replicaOrNewDomain:domain
/newDomain:forest
/newDomainDnsName:contoso.com
/DomainNetbiosName:contoso
/databasePath:"e:\ntds"
/logPath:"f:\ntdslogs"
/sysvolpath:"g:\sysvol"
/safeModeAdminPassword:password
/forestLevel:3 /domainLevel:3
/rebootOnCompletion:yes
DVD:\sources folder
adprep /forestprep
adprep /rodcprep
220
3/11/2014
dcpromo.exe
/unattend:path
dcpromo.exe /unattend
/replicaOrNewDomain:replica
/replicaDomainDNSName:contoso.com
/installDNS:yes /confirmGC:yes
/databasePath:"e:\ntds"
/logPath:"f:\ntdslogs"
/sysvolpath:"g:\sysvol"
/safeModeAdminPassword:password
/rebootOnCompletion:yes
[DCINSTALL]
221
3/11/2014
dcpromo.exe
/unattend:path
ReplicaOrNewDomain=domain
NewDomain=tree
NewDomainDNSName=fqdn
DomainNetBiosName=name
UserDomain=fqdn
UserName= DOMAIN\username*
dcpromo.exe /unattend
Password=password*
/installDNS:yes
DomainLevel={0,2,3}*
/replicaOrNewDomain:domain
InstallDNS=yes
/newDomain:tree
CreateDNSDelegation=yes
/newDomainDnsName:tailspintoys.com
DNSDelegationUserName=DOMAIN\user
/DomainNetbiosName:tailspintoys
name
/databasePath:"e:\ntds"
DNSDelegationPassword=password*
/logPath:"f:\ntdslogs"
DatabasePath="path"
/sysvolpath:"g:\sysvol"
LogPath="path"
/safeModeAdminPassword:password
SYSVOLPath="path"
/domainLevel:2
SafeModeAdminPassword=pwd
/rebootOnCompletion:yes
RebootOnCompletion=yes
Delegate to a group
dcpromo /UseExistingAccount:attach
222
3/11/2014
[DCINSTALL]
ReplicaDomainDNSName=fqdn
UserDomain=fqdn
UserName= DOMAIN\username*
Password=password*
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
GUI Active Directory
dcpromo.exe /unattend
/UseExistingAccount:Attach
/ReplicaDomainDNSName:contoso.com
/UserDomain:contoso.com
/UserName:contoso\dan
/password:*
/databasePath:"e:\ntds"
/logPath:"f:\ntdslogs"
/sysvolpath:"g:\sysvol"
/safeModeAdminPassword:password
/rebootOnCompletion:yes
ReplicationSourcePath option/switch
223
3/11/2014
[DCINSTALL]
dcpromo.exe /uninstallbinaries
If DC cannot contact the domain
dcpromo /forceremoval
Line
Exercise 3: Remove a Domain Controller
Exercise 4: Create a Domain Controller from Installation
Media
Logon information
Virtual machine
6425B-HQDC01-A
6425B-HQDC02-A
Pat.Coleman
Administrator
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
224
3/11/2014
Lab Scenario
You have been hired to replace the former administrator at
Lab Review
Why would you choose to use an answer file, or a
225
3/11/2014
Features
DHCP Server
DNS Server
Windows Backup
File Services
Multipath I/O
Print Server
SNMP
Hyper-V
WINS
Telnet client
226
3/11/2014
Command
Join a domain
Netdom
Oclist.exe
Configure DFS
227
3/11/2014
Server Core
Exercise 2: Create a Domain Controller with Server Core
Logon information
Virtual machine
6425B-HQDC01-A
6425B-HQDC03-A
Do not log on
Administrator
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are a domain administrator for Contoso, Ltd., and you
228
3/11/2014
Lab Review
Did you find the configuration of Server Core to be
particularly difficult?
What are the advantages of using Server Core for domain
controllers?
229
3/11/2014
Operations tokens
Roles
Forest
Domain naming
Schema
Domain
Relative identifier (RID)
Infrastructure
PDC Emulator
Domain-wide
RID: provides pools of RIDs to DCs, which use them for SIDs
230
3/11/2014
NTDSUtil
DCDiag
231
3/11/2014
Procedure
232
3/11/2014
Logon information
Virtual machine
6425B-HQDC01-B
6425B-HQDC02-B
Pat.Coleman
Do not log on
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are a domain administrator at Contoso, Ltd. One of
233
3/11/2014
Lab Review
If you transfer all roles before taking a domain controller
234
3/11/2014
1 (prepared)
2 (redirected)
DFSRMig (dfsrmig.exe)
235
3/11/2014
3. dfsrmig /setglobalstate 2
4. dfsrmig /setglobalstate 3
Logon information
Virtual machine
6425B-HQDC01-B
6425B-HQDC02-B
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
236
3/11/2014
Lab Scenario
You are an administrator at Tailspin Toys. You have
Lab Review
What would you expect to be different between two
237
3/11/2014
Module 12
Manage Sites and
Active Directory
Replication
238
3/11/2014
Module Overview
Configure Sites and Subnets
Configure the Global Catalog and Application Partitions
Configure Replication
239
3/11/2014
Understand Sites
Loosely related to network sites
Replication
Service localization
DFS
Plan Sites
Active Directory sites may not map one-to-one with
network sites
Criteria
240
3/11/2014
Create Sites
Active Directory Sites and Services
Default-First-Site-Name
Should be renamed
Create a site
Create a subnet
Assign to site
Add a DC to a site
241
3/11/2014
the site
3. First DC to respond
7. First DC to respond
Authenticates client
8. Subsequently
242
3/11/2014
Logon information
Virtual machine 6425B-HQDC01-B
6425-HQDC02-B
6425B-HQDC03-B
6425B-BRANCHDC01-B
Logon user
name
Pat.Coleman
Do not log on
Do not log on
Do not log on
Administrative
user name
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are an administrator for Contoso, Ltd. You are preparing to
243
3/11/2014
Lab Review
If you have a site with 50 subnets, each with a subnet
244
3/11/2014
Schema
Forest
Configuration
Information about domainspecific objects
Domain
Domain
Full replica (DC)
Active Directory
Database
Domain A
Configuration
Domain B
Domain B
Global Catalog
Server
Schema
Configuration
Domain B
245
3/11/2014
Schema
Configuration
Configuration
Domain A
Domain A
Make a GC?
Domain B
HEADQUARTERS
Domain B
BRANCHA
246
3/11/2014
DNS
Schema
demoting a DC
Configuration
Schema
Domain A
Configuration
Domain B
Domain B
DNS
Schema
Configuration
Domain B
247
3/11/2014
Caching
Exercise 3: Examine DNS and Application Directory
Partitions
Logon information
Virtual
machine
6425B-HQDC01-B
6425-HQDC02-B
6425B-HQDC03-B
6425B-BRANCHDC01-B
Logon user
name
Pat.Coleman
Do not log on
Do not log on
Do not log on
Administrative
user name
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are the administrator of Contoso, Ltd. In your
248
3/11/2014
Lab Review
Describe the relationship between the records you viewed
249
3/11/2014
Accuracy (integrity)
Consistency (convergence)
Multimaster replication
Pull replication
Store-and-forward
Partitions
Intrasite Replication
Connection object: inbound replication to a DC
Knowledge consistency checker (KCC) creates topology
Replication
DC1
DC3
DC2
250
3/11/2014
Site Links
Intersite topology generator (ISTG) builds replication
Contain sites
(ISM-SMTP)
251
3/11/2014
Bridgehead Servers
Replicates changes from bridgeheads in all other sites
Polled for changes by bridgeheads in all other sites
Selected automatically by ISTG
Or you can configure preferred bridgehead servers
Firewall considerations
Performance considerations
252
3/11/2014
Replication
Default: 3 hours
Minimum: 15 minutes
Recommended: 15 minutes
Replication schedules
24 hours a day
Can be scheduled
300
100
Whiteboard: Replication
RODC
BH
Branch
IP Subnet
Site D
IP Subnet
IP Subnet
IP Subnet
BH
IP Subnet
Site B
BH
Site A
IP Subnet
BH
Site C
IP Subnet
253
3/11/2014
repadmin /kcc
DCDiag /test:testName
FrsEvent or DFSREvent
Intersite
KccEvent
Replications
Topology
Logon information
Virtual machine
6425B-HQDC01-B
6425-HQDC02-B
6425B-HQDC03-B
6425B-BRANCHDC01-B
Logon user
name
Pat.Coleman
Do not log on
Do not log on
Do not log on
Administrative
user name
Pat.Coleman_Admin
Password
Pa$$w0rd
254
3/11/2014
Lab Scenario
You are the administrator of Contoso, Ltd. You want to
Lab Review
Explain the warning message that appeared when you designated
255
3/11/2014
Module 13
Directory Service
Continuity
Module Overview
Monitor Active Directory
Manage the Active Directory Database
Back Up and Restore AD DS and Domain Controllers
256
3/11/2014
CPU
Disk
Memory
Network
Task Manager
Event Viewer
Resource Monitor
Reliability Monitor
Performance Monitor
257
3/11/2014
Task Manager
Starting taskmgr.exe
CTRL+SHIFT+ESC
CTRL+ALT+DEL
Right-click taskbar
Start taskmgr.exe
Real-time performance
Applications
Processes
Services
Performance
No disk counters
Logged-on users
Resource Monitor
Full view of key system components
258
3/11/2014
Event Viewer
What you see
Role-based views in
Server Managers
Subscribe to events
from other computers
Directory Service
Event Viewer
259
3/11/2014
Custom Views
Aggregate events from multiple logs
Filter
Reuse
Export for import to other computers
Event 1
Security log
Event 2
System log
Event Viewer
Event 3
DFS log
Subscriptions
Collect events from one or
more computers
Store the events locally
Use Windows Remote
Management (WinRM)
Require WinRM exceptions
in firewall
260
3/11/2014
domain controllers
(Performance Monitor)
Generate alerts
Generate reports
261
3/11/2014
(WRPM)
Reliability Monitor
Tracks system changes
Software install/uninstall
Application failures
Windows failures
Hardware failures
262
3/11/2014
Performance Monitor
Useful counters in any server baseline
Memory \ Pages/sec
Performance counters
Use to
Create
263
3/11/2014
Demonstration: Monitor AD DS
In this demonstration, we will:
Configure AD DS monitoring by using Data Collector Sets
Include server and role-related counters during idle and busy times
before a meltdown
4. Capture appropriately
Dont overcapture
Degrades performance
264
3/11/2014
Event Subscriptions
Exercise 4: Attach Tasks to Event Logs and Events
Exercise 5: Monitor AD DS with Performance Monitor
Exercise 6: Work with Data Collector Sets
Logon information
Virtual machine
6425B-HQDC01-B
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
6425B-HQDC02-B
Lab Scenario
Last month, the only domain controller in the branch office
265
3/11/2014
Lab Review
In what situations do you currently use, or can you
266
3/11/2014
Description
The AD DS database file
NTDS.dit All AD DS partitions and objects on the domain
controller
Default location: systemroot\NTDS
Transaction log
EDB*.log Default transaction log: EDB.log
Overflow logs: Edb000x.log
Checkpoint file
EDB.chk Pointer into transaction log: which transactions
have or have not been committed
ebdres00001.jrs
ebdres00002.jrs
Update the
checkpoint
Write Request
Commit the
transaction
Transaction
is initiated
Write to the
transaction
buffer
Write to the
transaction
log file
Write to the
database
on disk
NTDS.dit on Disk
EDB.log
267
3/11/2014
NTDSUtil
Manage and control single master operations (Module 11)
Perform AD DS database maintenance (Module 13)
set dsrm
Defragmentation
Use NTDSUtil
Restartable AD DS
268
3/11/2014
NTDSUtil
NTDSUtil
Enter serverFQDN:port
Recover data
269
3/11/2014
objects when
Steps
LDP.exe
Modify isDeleted
270
3/11/2014
Deleted User
Logon information
Virtual machine
6425B-HQDC01-B
6425B-HQDC02-B
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
Lab Scenario
You are the administrator of Contoso, Ltd., an online
271
3/11/2014
Lab Review
In what other situations might it be useful to mount a
272
3/11/2014
wbadmin.exe
Perform manual or automated backup
Back up to CD/DVD/HDD
No tape!
273
3/11/2014
Demonstration: Backing Up AD DS
In this demonstration we will:
Back up a domain controller
274
3/11/2014
Authoritative restore
Nonauthoritative Restore
Restart the domain controller in DSRM
Restart: shutdown -t 0 -r
Restart
Restart: shutdown -t 0 -r
275
3/11/2014
Authoritative Restore
Restart the domain controller in DSRM
Log on with the Administrator account and the DSRM password
Perform the nonauthoritative restore
Restart
Restored domain controller replicates changes since date of
backup
Partners see authoritative changes with high version numbers
Logon information
Virtual machine
6425B-HQDC01-B
6425B-HQDC02-B
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
276
3/11/2014
Lab Scenario
As administrator of Contoso, is your responsibility to
Lab Review
What type of domain controller and directory service
277
3/11/2014
Module 14
Manage Multiple Domains
and Forests
Module Overview
Configure Domain and Forest Functional Levels
Manage Multiple Domains and Trust Relationships
278
3/11/2014
Windows 2000
279
3/11/2014
lastLogonTimestamp attribute
Advanced Encryption Services (AES 128 and AES 256) for Kerberos
280
3/11/2014
Server 2003
Exercise 2: Raise the Forest Functional Level to Windows
Server 2003
Exercise 3: Raise the Domain Functional Level to Windows
Server 2008
Logon information
Virtual machine
6425B-TSTDC01-A
Sara.Davis
Sara.Davis_Admin
Password
Pa$$w0rd
Lab Scenario
You are the domain administrator of Tailspin Toys. A
281
3/11/2014
Lab Review
Can you raise the domain functional level to Windows
282
3/11/2014
Multiple-domain forest
Multiple trees
Multiple forests
sIDHistory
Group membership
283
3/11/2014
TrustingTrusted
DomainDomain
284
3/11/2014
Trusting domain
Trusting Trusted
domain domain
Trusted domain
Forest Root
Domain
Tree Root
Domain
tailspintoys.com
wingtiptoys.com
europe.tailspintoys.com
usa.wingtiptoys.com
asia.wingtiptoys.com
285
3/11/2014
Shortcut Trusts
tailspintoys.com
wingtiptoys.com
europe.tailspintoys.com
usa.wingtiptoys.com
asia.wingtiptoys.com
286
3/11/2014
tailspintoys.com
worldwideimporters.com
asia.tailspintoys.com
europe.tailspintoys.com
sales.worldwideimporters.com
Forest Trusts
tailspintoys.com
worldwideimporters.com
asia.tailspintoys.com
europe.tailspintoys.com
sales.worldwideimporters.com
287
3/11/2014
Domain Quarantine
Filters out trusted user SIDs that come from a domain other
User account may have SIDs from users previous domain in the
sIDHistory attribute
domains/forests
Disable if necessary
netdom trust TrustingDomainName /domain:TrustedDomainName
/quarantine:[Yes|No]
288
3/11/2014
Authenticated Users
Selective authentication
Logon information
Virtual machine
6425B-HQDC01-A
6425B-TSTDC01-A
Pat.Coleman
Sara.Davis
Pat.Coleman_Admin
Sara.Davis_Admin
Password
Pa$$w0rd
Pa$$w0rd
289
3/11/2014
Lab Scenario
Contoso, Ltd. is forming a partnership with Tailspin Toys.
Lab Review
You have given the Research and Development group from
290