Chapter 6: Domain Controller and Active Directory
Filtered attribute set
A collection of attribute data configured on the schema master, used to specify domain objects that aren't replicated to RODCs
PDC Emulator
A domain-wide FSMO role that processes password changes for older Windows clients and is used during logon authentications (shouldn't be placed on global catalog)
RID Master
A domain-wide FSMO role that's responsible for issuing unique pools of RIDs (Relative identifier) to each DC
Infrastructure Master
A domain-wide FSMO role that's responsible for making sure changes made to object names in one domain are updated in references to these objects in other domains. (Should not be global catalog, but should be in the same site as one)
Domain Naming Master
A forest-wide FSMO role that manages adding, removing, and renaming domains in the forest (when possible it should be a direct replication partner w/another DC that's also a global catalog server in the same site or be a global catalog server)
Schema Master
A forest-wide FSMO role that's responsible for replicating the schema directory partition to all other DCs in the forest when changes occur
Nonauthoritative restore
A method of restoring Active Directory data from a backup that restores the database, or portions of it, and allows the data to be updated through replication by other domain controllers.
authoritative restore
A method of restoring Active Directory data from a backup to ensure that restored objects aren't overwritten by changes from other domain controllers through replication.
tombstone lifetime
A period of time in which deleted Active Directory objects are marked for deletion but left in the database.
Unidirectional replication
A replication method used w/ RODCs in which AD data is replicated to the RODC, but the RODC doesn't replicate the data to other domain controllers
relative identifier (RID)
A unique value combined w/ a domain identifier to form the security identifier (SID) for an AD object
AD Sites and Services
AD Sites are created with
Read Only DNS
All Active Directory-integrated DNS zones are read-only if DNS is installed on an RODC
Active Directory snapshot
An exact replica of the Active Directory database at a specific moment; can be imported w/ ldifde
Read Only Domain Controllers
DC configurations in which changes to Active Directory objects can't be written; maintains a current copy of AD information through replication
Domain controllers (DCs)
Servers that have a Windows Server OS installed w/ the Active Directory Domain Services server role installed and configured. They depend on DNS as part of the Active Directory (AD) infrastructure, and there must be at least one DNS server in a domain. One DC is required per domain, but two are recommended. They maintain data consistency in AD w/ other DCs in the domain by using multimaster replication.
When a subnet is associated with an AD site, Active Directory uses the information to:
Place a new domain controller in the correct site (it is automatically placed in the site corresponding w/ its assigned IP address); when a client requests a domain, direct the client request to a DC or member server in the same site.
Backup methods in Windows Server 2016?
Windows Server Backup (registry, boot files, AD database, the SYSVOL folder, some system files, and other files); Wbadmin.exe (performs a system state backup; must be a member of the Backup Operators or Administrators group); PowerShell
Basic procedure for working w/ snapshots:
Create and mount the snapshot w/ ntdsutil; activate the snapshot w/ dsamain; browse the snapshot w/ AD Users and Computers; dismount the snapshot
Create & Mount a Snapshot; Activate a Snapshot; Export a Snapshot; Unmount and Delete a Snapshot
C:\Windows\system32>ntdsutil
Ntdsutil: snapshot
Active instance set to "ntds"
Snapshot: create
Creating snapshot....
Snapshot set {b9869340-a167-41b7-a664-5e90dad659b9} generated successfully.
Snapshot: mount
Error parsing Input - Invalid Syntax
Snapshot: mount b9869340-a167-41b7-a664-5e90dad659b9
Snapshot {b9869340-a167-41b7-a664-5e90dad659b9} mounted as: C:\$SNAP_201705231941_VOLUMEC$\
Snapshot: quit
Ntdsutil: quit
Command to create an RODC computer account named RODC1 in the csmtech.local domain in a site named BranchOffice w/ a group named BranchOff-G as the delegated administrator account:
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName csmtech.local -SiteName BranchOffice -DelegatedAdministratorAccountName BranchOFF-G
Command to install the AD DS server role (staged RODC installation on the target server); prompts for the username and password of the delegated account:
Install-ADDSDomainController -DomainName csmtech.local -UseExistingAccount -credential (get-credential)
AD forest
Consists of one or more trees w/ domains that share a common trust relationship and schema yet allow independent policies and administration
AD Metadata
Data that describes the AD database, not the actual AD data; three methods to remove/clean it up: AD Users & Computers, AD Sites & Services, and ntdsutil
Offline defragmentation
Defragmentation of the Active Directory database that also compacts the database to improve performance. The Active Directory service must be stopped before this can occur.
Tombstoned
Deleted objects that have not been removed
FSMO roles are summarized as:
Forest-wide FSMO roles; domain-wide FSMO roles
DC clone benefits
Fast deployment of new DCs in a new or existing domain; fast DC restoration during disaster recovery; easy deployment of new branch office DCs
Requirements to verify before cloning a DC
Hypervisor must support VM generation identifiers; DC to be cloned must be running Windows Server 2012 or later; PDC emulator FSMO role must be running on Windows Server 2012 or later; a GC server must be available; these server roles must not be installed on the source DC: DHCP, AD CS, and AD LDS
Bridgehead server
The server the Inter-Site Topology Generator designates to replicate a directory partition w/ other sites
DC clone
A replica of an existing DC (see DC clone benefits)
Cost field
An administrator-assigned value that represents the bandwidth of the connection b/w sites (alter this value to influence which path is chosen when more than one path exists)
AD tree
Made up of one or more domains that share a common top-level and second-level domain name
Methods to restore objects:
In ADAC; use the Restore-ADObject PowerShell cmdlet; use the ntdsutil.exe command
Transferring Operations Master Roles
Moving the role's function from one DC to another while the original DC is still in operation
Domain-wide FSMO (flexible single master operation) roles
Only one DC per domain performs these roles: PDC emulator, RID master, & infrastructure master
Forest-wide FSMO (flexible single master operation) roles
Only one DC per forest performs these roles: domain naming master and schema master
AD site
Physical location in which DCs communicate and replicate information frequently, where DCs are placed and group policies can be applied. Linked to an IP subnet that reflects the IP addressing scheme used at the physical location the site represents.
PowerShell cmdlet to enable the Recycle Bin on the mcsa2016.local forest:
Enable-ADOptionalFeature -Identity "cn=Recycle Bin Feature,cn=Optional Features,cn=Windows NT,cn=Services,cn=Configuration,dc=mcsa2016,dc=local" -Scope ForestOrConfigurationSet -Target "mcsa2016.local"
Online defragmentation
Removes deleted objects and frees up space in the AD database but doesn't compact the database; occurs automatically when AD performs garbage collection.
Garbage Collection
Runs every 12 hours and removes objects that have been deleted for more than 180 days
Flexible Single Master Operation (FSMO)
Servers that keep some critical information that is subject to a single master replication scheme, to avoid the possibility of the information becoming unsynchronized, are assigned this role. Some operations master roles should be transferred from the 1st DC installed in the forest to other DCs b/c these roles require a lot of resources.
Sites and connections b/w sites are defined by what components?
Subnets; site links; bridgehead servers
The Password Replication Policy
Specifies accounts for which passwords will be replicated. When an account password is replicated, it is retrieved from a writeable DC the first time, then it is retrieved from the RODC. Password replication is controlled by the Password Replication Policy (PRP); the PRP lists users and groups along w/ a setting of Allow or Deny. The PRP contains groups named Allowed RODC Password Replication Group and Denied RODC Password Replication Group.
Universal Group Membership Caching (UGMC)
Stores universal group membership, so the global catalog server doesn't have to be contacted for each user logon
Three main reasons for multiple sites
Authentication efficiency; replication efficiency; application efficiency
Two folders that hold most of the components of Active Directory:
NTDS folder, located in %systemroot%: contains the ntds.dit file, which is the AD database; holds a log of AD transactions in edb.log; stores information about the last committed transaction in edb.chk. SYSVOL folder, located in %systemroot%: contains group policy templates, logon/logoff scripts, and DFS synchronization data.
DEFAULTIPSITELINK
When AD is installed, a default site link is created; until new site links are created, all sites that are added use this site link.
When is AD backed up?
When performing a full backup of a DC; when backing up the volumes containing system recovery information; when performing a system state backup
Site Link
A component of a site that is needed to connect two or more sites for replication purposes
Restartable Active Directory
Enables administrators to place the NTDS.DIT file in an offline mode without rebooting the domain controller outright. This feature was introduced in Windows Server 2008.
Global Catalog (GC) Server
A DC configured to hold the global catalog; the only place where universal group membership information is maintained (also contains a partial replica of all domain objects). Replication traffic is increased in sites w/ these.