Chapter 6: Domain Controller and Active Directory

Filtered attribute set

A collection of attribute data configured on the schema master, used to specify domain objects that aren't replicated to RODCs

PDC Emulator

A domain-wide FSMO role that processes password changes for older Windows clients and is used during logon authentications (shouldn't be placed on global catalog)

RID Master

A domain-wide FSMO role that's responsible for issuing unique pools of RIDs (Relative identifier) to each DC

Infrastructure Master

A domain-wide FSMO role that's responsible for making sure changes made to object names in one domain are updated in references to these objects in other domains. (Should not be global catalog, but should be in the same site as one)

Domain Naming Master

A forest-wide FSMO role that manages adding, removing, and renaming domains in the forest (when possible it should be a direct replication partner w/another DC that's also a global catalog server in the same site or be a global catalog server)

Schema Master

A forest-wide FSMO role that's responsible for replicating the schema directory partition to all other DCs in the forest when changes occur

Nonauthoritative restore

A method of restoring Active Directory data from a backup that restores the database, or portions of it, and allows the data to be updated through replication by other domain controllers.

authoritative restore

A method of restoring Active Directory data from a backup to ensure that restored objects aren't overwritten by changes from other domain controllers through replication.

tombstone lifetime

A period of time in which deleted Active Directory objects are marked for deletion but left in the database.

Unidirectional replication

A replication method used w/ RODCs in which AD data is replicated to the RODC, but the RODSC doesn't replicate the data to other domain controllers

relative identifier (RID)

A unique value combined w/ a domain identifier to form the security identifier (SID) for an AD object

AD Sites and Services

AD Sites are created with

Read Only DNS

All Active Directory-integrated DNS zones if DNS installed on an RODC

Active Directory snapshot

An exact replica of the Active Directory database at a specific moment, can be imported w/ ldifde

Read Only Domain Controllers

Are DC configurations where Active Directory objects changes can't be written, maintains a current copy of AD information through replication

Domain controllers (DCs)

Are severs tht have Windows Server OS intstalled w/ an Active Directory Domain Services sercer role installed and configured, depen on DNS as part of the Active Directory (AD) infrastructure and there must be at least one DNS server in a domain. One is required per domain, but two are recommended. They maintain data consistency in AD w/ other DCs in the domain by using multimaster replication

Place new domain controller in correct site, automatically placed in the site corresponding w/ its assigned IP address When a client requests a domain, the client request can be directed to a DC or member server in the same site.

Associating a subnet with an AD site, Active Directory uses the information to:

Windows Server Backup (registry, boot files, AD database, the SYSVOL folder, some system files, and other files) Wbadmin.exe (perform system state backup, must be a member of the Backup Operators or AD group) PowerShell

Backup methods in Windows Server 2016?

Create and mount the snapshot w/ ntdsutil Activate the snapshot w/ dsamain Browse the snapshot w/ AD Users and Computers Dismount the snapshot

Basic procedure for working w/ snapshots:

Create & Mount Snapshot Active a Snapshot Export a Snapshot Unmount and Delete a Snapshot

C:\Windows\system32>ntdsutil Ntdsutil: snapshot Active instance set to "ntds" Snapshot: create Creating snapshot.... Snapshot set {b9869340-a167-41b7-a664-5e90dad659b9} generated successfully. Snapshot: mount Error parsing Input - Invalid Syntax Snapshot: mount b9869340-a167-41b7-a664-5e90dad659b9 Snapshot {b9869340-a167-41b7-a664-5e90dad659b9} mounted as: C:\$SNAP_201705231941_VOLUMEC$\ Snapshot: quit Ntdsutil: quit

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName csmtech.local -SiteName BranchOffice -DelegatedAdministratorAccountName BranchOFF-G

Command to create an RODC computer account name RODC1 in the csmtech.local.domain in a site named BranchOffice w/ a group named BranchOff-G as the delegated administrator account.

Install-ADDSDomainController -DomainName csmtech.local -UseExistingAccount -credential (get-credential) Prompted for the username and password of delegated account

Command to install AD DS server role (Staged RODC Installation on Target Server)

AD forest

Consist of one or more trees w/ domains that share a common trust relationship and schema yet allow independent policies and administration

AD Metadata

Data that describes the AD database, not the actual AD data, three methods to remove / clean up: AD Users & Computers, AD Sites & Services, and ntdsutil

Offline defragmentation

Defragmentation of the Active Directory database that also compacts the database to improve performance. The Active Directory service must be stopped before this can occur.

Tombstoned

Deleted objects that have not been removed

Forest-wide FSMO roles Domain-wide FSMO roles

FSMO roles are summarized as:

DC clone benefits

Fast deployment of new DCs in a new or existing domain Fast DC restoration during disaster recovery Easy deployment of new branch office DCs

Requirements to to verify to clone a DC

Hypervisor must support VM generation identifiers DC to be cloned must be running Windows Server 2012 or later PDC emulator FSMO role is running Windows Server 2012 or later GC server must be available Server roles must not be installed on source DC: DH CP, AD CS, and AD LDS

Bridgehead server

Inter-site Topology Generator designates to replicate a directory partition w/ other sites

DC clone

Is a replica of an existing DC and has the benefits

Cost field

Is an administrator-assigned value that represents the bandwidth of the connection b/w sites (alter this value to influence which path is chosen when more than one path exists)

AD tree

Made up of one or more domains that share a common top-level and second-level domain name

In ADAC Use the Restore-ADObject PowerShell cmdlet Use the ntdsutil.exe command

Methods to restore objects:

Transferring Operations Master Roles

Moving the role's function from one DC to another while the original DC is still in operation

Domain-wide FSMO (forest single master operation) roles

Only one DC per domain performs these roles PDC emulator, RID master, & infrastructure master

Forest-wide FSMO (forest single master operation) roles

Only one DC per forest performs these roles: domain naming master and schema master

AD site

Physical location in which DCs communicate and replicate information frequently, where DC's are placed and group policies can be applied. Linked to an IP subnet that reflects the IP addressing scheme used at the physical location the site represents.

Enable-ADOptionalFeature -Identity "cn=Recycle Bin Feature,cn=Optional Features,cn=Windows NT,cn=Services,cn=Configuration,dc=mcsa2016,dc=local" -Scope ForestOrConfigurationSet -Target "mcsa2016.local"

PowerShell cmdlet to enable Recycle Bin on the mcsa2016.local forest

Online defragmentation

Removes deleted objects and frees up space in the AD database but doesn't compact the database, occurs automatically when AD performs garbage collection.

Garbage Collection

Runs every 12 hours and removes objects that have been deleted for more than 180 days

Flexible Single Master Operation (FSMO)

Severs that keep some critical information that is subject to a single master replication scheme to avoid the possibility of the information becoming unsynchronized are assigned this role. Should transfer some operations master roles from the 1st DC installed in the forest to other DC's b/c these roles require a lot of resources

Subnet Site Links Bridgehead servers

Sites and connections b/w sites are defined by what components?

The Password Replication Policy

Specify accounts for which passwords will be replicated When account password is replicated (retrieved from a writeable DC the first time, then it is retrieved from the RODC) Password replication is controlled by the Password Replication Policy (PRP) PRP lists users and groups along w/ a settings of Allow or Deny PRP contains groups named: allowed RODC password replication group, denied RODC password replication group

Universal Group Membership Caching (UGMC)

Stores universal group membership, so the global catalog server doesn't have to be contracted for each user logon

Authentication efficiency Replication efficiency Application efficiency

Three main reason for multiple sites

NTDS folder is located in %systemroot% -contains the ntds.dit file, which is the AD database -holds a log of AD transactions in edb.log -stores information about the last committed transaction in edb.chk SYSVOL folder is located in %systemroot% -contains group policy templates, logon/logoff scripts, and DFS synchronization data

Two folders that hold most of the components of Active Directory:

DEFAULTIPSITELINK

When AD is installed, a default site link is crated, until new site links are created, all sites that are added use this site link.

perform a full backup of a DC Back up the volumes containing system recovery information Perform a system state backup

When is an AD backed up?

Site Link

a component of a site that is needed to connect two or more sites for replication purposes

Restartable Active Directory

enables administrators to place the NTDS.DIT file in an offline mode without rebooting the domain controller outright. This feature was introduced in Windows Server 2008.

Global Catalog (GC) Server

is a DC configured to hold the global catalog, is the only place where universal group membership information is maintained (also contains a partial replica of all domain objects) Replication traffic is increased in sites w/ these