Visit us at www.syngress.com. Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of valueadded features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.
SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.
SITE LICENSING Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at [email protected] for more information.
CUSTOM PUBLISHING Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at [email protected] for more information.
Technical Editor: Tony Piltzecker
Technical Reviewer: Robert J. Shimonski
Contributing Authors: Naomi Alpern, Tariq Azad, Laura Hunter, John Karnay, Jeffery Martin, Gene Whitley
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media® and Syngress® are registered trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 BPOQ48722D
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T
PUBLISHED BY Syngress Publishing, Inc., Elsevier, Inc., 30 Corporate Drive, Burlington, MA 01803
The Real MCTS/MCITP Exam 70-640 Prep Kit
Page Layout and Art: SPI Copy Editors: Audrey Doyle, Mike McGee Indexer: Ed Rush Cover Designer: Michael Kavish
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email [email protected].
Technical Editor Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing’s MCSE Exam 70-296 Study Guide and DVD Training System and How to Cheat at Managing Microsoft Operations Manager 2005, is an independent consultant based in Boston, MA. Tony’s specialties include network security design, Microsoft operating system and applications architecture, and Cisco IP Telephony implementations. Tony’s background includes positions as systems practice manager for Presidio Networked Solutions, IT manager for SynQor Inc, network architect for Planning Systems, Inc., and senior networking consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor’s degree in business administration. Tony currently resides in Leominster, MA, with his wife, Melanie, and his daughters, Kaitlyn and Noelle.
Technical Reviewer Robert J. Shimonski (MCSE, etc) is an entrepreneur, a technology consultant, and a published author with more than 20 years of experience in business and technology. Robert’s specialties include designing, deploying, and managing networks, systems, virtualization, storage-based technologies, and security analysis. Robert also has many years of diverse experience deploying and engineering mainframes and Linux- and UNIX-based systems such as Red Hat and Sun Solaris. Robert has in-depth work-related experience with and deep practical knowledge of globally deployed Microsoft- and Cisco-based systems and stays current on the latest industry trends. Robert consults with business clients to help forge their designs, as well as to optimize their networks and keep them highly available, secure, and disaster free. Robert is the author of many information technology-related articles and published books, including the best-selling Sniffer Network Optimization and Troubleshooting Handbook, Syngress (ISBN: 1931836574). Robert is also the author of other best-selling titles, including Security+ Study Guide and DVD Training System (ISBN: 1931836728), Network+ Study Guide & Practice Exams: Exam N10-003 (ISBN: 1931836426), and Building DMZs for Enterprise Networks (ISBN: 1931836884) also from Syngress. His current book offerings include the newly published Vista for IT Security Professionals, Syngress (978-1-59749-139-6), as well as being a series editor on the new Windows Server 2008 MCITP series from Syngress publishing.
Contributing Authors Naomi J. Alpern currently works for Microsoft as a consultant specializing in Unified Communications. She holds many Microsoft certifications, including an MCSE and MCT, as well as additional industry certifications such as Citrix Certified Enterprise Administrator, Security+, Network+, and A+. Since the start of her technical career, she has worked in many facets of the technology world, including IT administration, technical training, and, most recently, full-time consulting. She likes to spend her time reading cheesy horror and mystery novels when she isn’t browsing the Web. She is also the mother of two fabulous boys, Darien & Justin, who mostly keep her running around like a headless chicken. Tariq Bin Azad is the principal consultant and founder of NetSoft Communications Inc., a consulting company located in Toronto, Canada. He is considered a top IT professional by his peers, coworkers, colleagues, and customers. He obtained this status by continuously learning and improving his knowledge and information in the field of information technology. Currently, he holds more than 100 certifications, including MCSA, MCSE, MCTS, MCITP (Vista, Mobile 5.0, Microsoft Communications Server 2007, Windows 2008, and Microsoft Exchange Server 2007), MCT, CIW-CI, CCA, CCSP, CCEA, CCI,VCP, CCNA, CCDA, CCNP, CCDP, CSE, and many more. Most recently, Tariq has been concentrating on Microsoft Windows 2000/2003/2008, Exchange 2000/2003/2007, Active Directory, and Citrix implementations. He is a professional speaker and has trained architects, consultants, and engineers on topics such as Windows 2008 Active Directory, Citrix Presentation Server, and Microsoft Exchange 2007. In addition to owning and operating an independent consulting company, Tariq works as a senior consultant and has utilized his training skills in numerous workshops, corporate trainings, and presentations. 
Tariq holds a Bachelor of Science in Information Technology from Capella University, USA, a bachelor’s degree in Commerce from University of Karachi, Pakistan, and is working on his ALMIT (Masters of Liberal Arts in Information Technology) from Harvard University. Tariq has been a coauthor on multiple books, including the best-selling MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (ISBN: 047018146X) and The Real MCTS/MCITP Exam 640 Preparation Kit (ISBN: 978-1-59749-235-5). Tariq has worked on projects or trained for major companies and organizations, including Rogers Communications Inc., Flynn Canada, Cap Gemini, HP, Direct Energy, Toyota Motors, Compaq, IBM, Citrix Systems Inc., Unicom Technologies, and Amica Insurance Company. He lives in Toronto, Canada, and would like to thank his father, Azad Bin Haider, and his mother, Sitara Begum, for a lifetime of guidance, understanding, and support that gave him the skills that have allowed him to excel in work and life. Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, Security+, CNE-4, CNE-5) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Microsoft Windows 2000/2003 design and implementation, troubleshooting, and security topics. As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the director of computer services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of Web sites.
Laura has previously contributed to Syngress Publishing’s Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer.
Laura holds a bachelor’s degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures. John Karnay is a freelance writer, editor, and book author living in Queens, NY. John specializes in Windows server and desktop deployments utilizing Microsoft and Apple products and technology. John has been working with Microsoft products since Windows 95 and NT 4.0 and consults for many clients in New York City and Long Island, helping them plan migrations to XP/Vista and Windows Server 2003/2008. When not working and writing, John enjoys recording and writing music as well as spending quality time with his wife, Gloria, and daughter, Aurora. Jeffery A. Martin MS/IT, MS/M (MCSE, MCSE:Security, MCSE:Messaging, MCDBA, MCT, MCSA, MCSA:Security, MCP+I, MCNE, CNE, CNA, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computer networks for more than 20 years. He is an editor, coeditor, author, or coauthor of more than 15 books and enjoys training others in the use of technology. Gene Whitley (MBA, MCSE, MCSA, MCTS, MCP, Six Sigma Green Belt) is a senior systems engineer with Nucentric Solutions (www.nucentric.com), a technology integration firm in Davidson, NC. Gene started his IT career in 1992 with Microsoft, earning his MCP in 1993 and MCSE in 1994. He has been the lead consultant and project manager on numerous Active Directory and Exchange migration projects for companies throughout the U.S. Gene has been a contributing author on such books as How To Cheat At IIS 7 Server Administration, How To Cheat At Microsoft Vista Administration, and Microsoft Forefront Security Administration Guide. When not working, he spends his time with his wife and best friend, Samantha.
Gene holds an MBA from Winthrop University and a BSBA in Management Information Systems from The University of North Carolina at Charlotte.
This book’s primary goal is to help you prepare to take and pass Microsoft’s Exam 70-640, Windows Server 2008 Active Directory, Configuring. Our secondary purpose in writing this book is to provide exam candidates with knowledge and skills that go beyond the minimum requirements for passing the exam and help to prepare them to work in the real world of Microsoft computer networking.
What Is MCTS Exam 70-640? Microsoft Certified Technology Specialist (MCTS) Exam 70-640 is both a standalone test for those wishing to master Active Directory technology and a requirement for those pursuing certification as a Microsoft Certified Information Technology Professional (MCITP) for Windows Server 2008. Microsoft’s stated target audience consists of IT professionals with at least one year of work experience on a medium-sized or large company network. This means a multisite network with at least three domain controllers running typical network services such as file and print services, messaging, database, firewall services, proxy services, remote access services, an intranet, and Internet connectivity. However, not everyone who takes Exam 70-640 will have this ideal background. Many people will take this exam after classroom instruction or self-study as an entry into the networking field. Many of those who do have job experience in IT will not have had the opportunity to work with all of the technologies covered by the exam. In this book, our goal is to provide background information that will help you to understand the concepts and procedures described even if you don’t have the requisite experience, while keeping our focus on the exam objectives.
Foreword
Exam 70-640 covers the basics of managing and maintaining a network environment that is built around Microsoft’s Windows Server 2008. The book includes the following task-oriented objectives:
■ Configuring Domain Name System (DNS) for Active Directory This objective includes configuring zones, configuring DNS server settings, and configuring zone transfers and replication.
■ Configuring the Active Directory Infrastructure This objective includes configuring a forest or domain, configuring trusts, configuring sites, configuring Active Directory replication, configuring the global catalog, and configuring operations masters.
■ Configuring Additional Active Directory Server Roles This objective includes configuring Active Directory Lightweight Directory Service (AD LDS), configuring Active Directory Rights Management Service (AD RMS), configuring the read-only domain controller (RODC), and configuring Active Directory Federation Services (AD FS).
■ Creating and Maintaining Active Directory Objects This objective includes automating the creation of Active Directory accounts, maintaining Active Directory accounts, creating and applying Group Policy Objects (GPOs), configuring GPO templates, configuring software deployment GPOs, configuring account policies, and configuring audit policies using GPOs.
■ Configuring Active Directory Certificate Services This objective includes installing Active Directory certificate services, configuring certificate authority (CA) server settings, managing certificate templates, managing enrollments, and managing certificate revocations.
Path to MCTS/MCITP/MS Certified Architect Microsoft certification is recognized throughout the IT industry as a way to demonstrate mastery of basic concepts and skills required to perform the tasks involved in implementing and maintaining Windows-based networks. The certification program is constantly evaluated and improved, while the nature of information technology is changing rapidly; consequently, requirements and specifications for certification can also change rapidly. This book is based on the exam objectives as stated by Microsoft at the time of writing; however, Microsoft reserves the right to make changes to the objectives and to the exam itself at any time. Exam candidates should regularly visit the Certification and Training Web site at www.microsoft.com/learning/mcp/default.mspx for the most updated information on each Microsoft exam. Microsoft currently offers three basic levels of certification on the technology level, professional level, and architect level:
■ Technology Series This level of certification is the most basic, and it includes the Microsoft Certified Technology Specialist (MCTS) certification. The MCTS certification is focused on one particular Microsoft technology. There are 19 MCTS exams at the time of this writing. Each MCTS certification consists of one to three exams, does not include job-role skills, and will be retired when the technology is retired. Microsoft Certified Technology Specialists will be proficient in implementing, building, troubleshooting, and debugging a specific Microsoft technology.
■ Professional Series This is the second level of Microsoft certification, and it includes the Microsoft Certified Information Technology Professional (MCITP) and Microsoft Certified Professional Developer (MCPD) certifications. These certifications consist of one to three exams, have prerequisites from the Technology Series, focus on a specific job role, and require an exam refresh to remain current. The MCITP certification offers nine separate tracks as of the time of this writing. There are two Windows Server 2008 tracks, Server Administrator and Enterprise Administrator. To achieve the Server Administrator MCITP for Windows Server 2008, you must successfully complete one Technology Series exam and one Professional Series exam. To achieve the Enterprise Administrator MCITP for Windows Server 2008, you must successfully complete four Technology Series exams and one Professional Series exam.
■ Architect Series This is the highest level of Microsoft certification, and it requires the candidate to have at least 10 years’ industry experience. Candidates must pass a rigorous review by a review board of existing architects, and they must work with an architect mentor for a period of time before taking the exam.
NOTE Those who already hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Server Administrator by passing one upgrade exam and one Professional Series exam. Those who already hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Enterprise Administrator by passing one upgrade exam, two Technology Series exams, and one Professional Series exam.
Prerequisites and Preparation There are no mandatory prerequisites for taking Exam 70-640, although Microsoft recommends that you meet the target audience profile described earlier. Exam 70-640 is the logical choice for the first step in completing the requirements for the MCITP. Preparation for this exam should include the following:
■ Visit the Web site at www.microsoft.com/learning/exams/70-640.mspx to review the updated exam objectives.
■ Work your way through this book, studying the material thoroughly and marking any items you don’t understand.
■ Answer all practice exam questions at the end of each chapter.
■ Complete all hands-on exercises in each chapter.
■ Review any topics that you don’t thoroughly understand.
■ Consult Microsoft online resources such as TechNet (www.microsoft.com/technet/), white papers on the Microsoft Web site, and so forth, for better understanding of difficult topics.
■ Participate in Microsoft’s product-specific and training and certification newsgroups if you have specific questions that you still need answered.
■ Take at least one practice exam, such as the one included on the Syngress/Elsevier certification Web site, www.syngress.com/certification.
Exam Overview In this book, we have tried to follow Microsoft’s exam objectives as closely as possible. However, we have rearranged the order of some topics for a better flow and included background material to help you understand the concepts and procedures that are included in the objectives. Here is a brief synopsis of the exam topics covered in each chapter:
■ Configuring Server Roles in Windows 2008 In this chapter you will learn about the new server roles in Windows Server 2008, including RODCs, AD LDS, AD RMS, and AD FS. We begin with a discussion of Server Manager and Server Core, and configuring the Active Directory Role in Server Core. We then discuss Read-Only Domain Controllers (RODCs), and their purpose. We show you the features of RODCs, and then we show you how to install, configure, and remove them. Active Directory Lightweight Directory Service (AD LDS) is discussed next and how it differs from ADAM. We show you how to install and work with AD LDS. Next, we show you how to install and work with Active Directory Rights Management Service (AD RMS) and how it differs from DRMS in Windows Vista. Finally, we discuss Active Directory Federation Services (AD FS), including defining what it is, explaining why and how to use it, and describing how to configure it.
■ Configuring Network Services Chapter 2 presents the Network Services used in Windows Server 2008. We begin by presenting the Domain Name System (DNS), discussing its requirements, explaining how to install and configure it, and describing how it is used with Server Core. You’ll also learn how to configure zones and zone resolution. Next, we discuss the Dynamic Host Configuration Protocol (DHCP). We cover DHCP design principles, installing and configuring DHCP, using DHCP with Server Core, and configuring DHCP for DNS. The third network service covered in the chapter is Windows Internet Naming Service (WINS), including installation and configuration, using WINS with Server Core, and configuring WINS for DNS.
■ Working with Users, Groups, and Computers This chapter provides information about creating and modifying user accounts, creating and modifying computer accounts, creating and modifying groups, and delegation of tasks. Creating users, groups, and computers is discussed in the context of individual, manual creation, as well as creating each from scripts and modifying each using AD Users and Computers.
■ Configuring the Active Directory Infrastructure In this chapter you will learn about creating the organizational structure of your network. We begin with a discussion of forests and domains, understanding forests, forest functional levels and operations masters, domain functional levels and operations masters, and domain migrations. We next cover topics such as subnets, site links, replication, and the global catalog. Finally, we cover trusts, including forest trusts, authentication, transitive, external, and shortcut trusts, and SID filtering.
■ Understanding Group Policy Group policy is presented in two chapters—the first of which covers group policy basics, and the second of which covers how to configure group policies. In this chapter, you learn about user group policies and computer group policies, site domain and OU group policy hierarchy, how to create and link group policy objects (GPOs), both new and existing, controlling the application of group policies, and using GPO templates.
■ Configuring Group Policy The second Group Policy chapter discusses configuration. We begin by explaining how to configure software deployment and publishing and assigning to users and computers. Next, we talk about configuring account policies, including domain password policy, account lockout policy, and fine-grain password policies. The last part of the chapter talks about configuring audit policies.
■ Configuring Certificate Services and PKI We look at Public Key Infrastructure, its components, how it works, and how certificates work. Next, we talk about working with certificate services, configuring a certificate authority, the different types of certificate authorities, backing up and restoring, assigning roles, enrollments, and revocation. In the last part of the chapter, we discuss working with templates, including types of templates, securing permissions, versioning, and key recovery agents.
■ Maintaining an Active Directory Environment In the last chapter of the book, we discuss how to maintain an Active Directory environment. We begin by discussing backup and recovery, including using Windows Server Backup, performing authoritative and nonauthoritative restores, linked value replication, directory services restore mode, and how to back up and restore group policy objects. Next, you’ll learn about offline maintenance, including offline defragmentation and compaction, restartable Active Directory, and storage allocation. Finally, you’ll learn how to monitor Active Directory. Discussed here are the various tools used, including network monitor, task manager, event viewer, replmon, repadmin, systems resource manager, reliability and performance manager, and server performance monitor.
Exam Day Experience Taking the exam is a relatively straightforward process. Prometric testing centers administer the Microsoft 70-640 exam. You can register for, reschedule, or cancel an exam through the Prometric Web site at www.register.prometric.com. You’ll find listings of testing center locations on that site. Accommodations are made for those with disabilities; contact the individual testing center for more information. Exam price varies depending on the country in which you take the exam.
Exam Format Exams are timed. At the end of the exam, you will find out your score and whether you passed or failed. You will not be allowed to take any notes or other written materials with you into the exam room. You will be provided with a pencil and paper, however, for making notes during the exam or doing calculations. In addition to the traditional multiple choice questions and the select and drag, simulation and case study questions, you might see some or all of the following types of questions:
■ Hot area questions, in which you are asked to select an element or elements in a graphic to indicate the correct answer. You click an element to select or deselect it.
■ Active screen questions, in which you change elements in a dialog box (for example, by dragging the appropriate text element into a text box or selecting an option button or checkbox in a dialog box).
■ Drag and drop questions, in which you arrange various elements in a target area.
Test-Taking Tips Different people work best using different methods. However, there are some common methods of preparation and approach to the exam that are helpful to many test-takers. In this section, we provide some tips that other exam candidates have found useful in preparing for and actually taking the exam.
■ Exam preparation begins before exam day. Ensure that you know the concepts and terms well and feel confident about each of the exam objectives. Many test-takers find it helpful to make flash cards or review notes to study on the way to the testing center. A sheet listing acronyms and abbreviations can be helpful, as the number of acronyms (and the similarity of different acronyms) when studying IT topics can be overwhelming. The process of writing the material down, rather than just reading it, will help to reinforce your knowledge.
■ Many test-takers find it especially helpful to take practice exams that are available on the Internet and with books such as this one. Taking the practice exams can help you become used to the computerized exam-taking experience, and the practice exams can also be used as a learning tool. The best practice tests include detailed explanations of why the correct answer is correct and why the incorrect answers are wrong.
■ When preparing and studying, you should try to identify the main points of each objective section. Set aside enough time to focus on the material and lodge it into your memory. On the day of the exam, you should be at the point where you don’t have to learn any new facts or concepts; instead, you’ll need simply to review the information already learned.
■ The value of hands-on experience cannot be stressed enough. Exam questions are based on test writers’ experiences in the field. Working with the products on a regular basis—whether in your job environment or in a test network that you’ve set up at home—will make you much more comfortable with these questions.
■ Know your own learning style and use study methods that take advantage of it. If you’re primarily a visual learner, reading, making diagrams, watching video files on CD, etc., may be your best study methods. If you’re primarily auditory, classroom lectures, audiotapes you can play in the car as you drive, and repeating key concepts to yourself aloud may be more effective. If you’re a kinesthetic learner, you’ll need to actually do the exercises, implement the security measures on your own systems, and otherwise perform hands-on tasks to best absorb the information. Most of us can learn from all of these methods, but have a primary style that works best for us.
■ Although it may seem obvious, many exam-takers ignore the physical aspects of exam preparation. You are likely to score better if you’ve had sufficient sleep the night before the exam, and if you are not hungry, thirsty, hot/cold or otherwise distracted by physical discomfort. Eat prior to going to the testing center (but don’t indulge in a huge meal that will leave you uncomfortable), stay away from alcohol for 24 hours prior to the test, and dress appropriately for the temperature in the testing center (if you don’t know how hot/cold the testing environment tends to be, you may want to wear light clothes with a sweater or jacket that can be taken off).
■ Before you go to the testing center to take the exam, be sure to allow time to arrive on time, take care of any physical needs, and step back to take a deep breath and relax. Try to arrive slightly early, but not so far in advance that you spend a lot of time worrying and getting nervous about the testing process. You may want to do a quick last-minute review of notes, but don’t try to “cram” everything the morning of the exam. Many test-takers find it helpful to take a short walk or do a few calisthenics shortly before the exam to get oxygen flowing to the brain.
■ Before you begin to answer questions, use the pencil and paper provided to you to write down terms, concepts and other items that you think you may have difficulty remembering as the exam goes on. Then you can refer back to these notes as you progress through the test. You won’t have to worry about forgetting the concepts and terms you have trouble with later in the exam.
■ Sometimes the information in a question will remind you of another concept or term that you might need in a later question. Use your pen and paper to make note of this in case it comes up later on the exam.
■ It is often easier to discern the answer to scenario questions if you can visualize the situation. Use your pen and paper to draw a diagram of the network that is described to help you see the relationships between devices, IP addressing schemes, and so forth.
■ When appropriate, review the answers you weren’t sure of. However, you should change your answer only if you’re sure that your original answer was incorrect. Experience has shown that more often than not, when test-takers start second-guessing their answers, they end up changing correct answers to incorrect ones. Don’t “read into” the question (that is, don’t fill in or assume information that isn’t there); this is a frequent cause of incorrect responses.
■ As you go through this book, pay special attention to the Exam Warnings, as these highlight concepts that are likely to be tested. You may find it useful to go through and copy these into a notebook (remembering that writing something down reinforces your ability to remember it) and/or go through and review the Exam Warnings in each chapter just prior to taking the exam.
■ Use as many little mnemonic tricks as possible to help you remember facts and concepts. For example, to remember which of the two IPsec protocols (AH and ESP) encrypts data for confidentiality, you can associate the “E” in encryption with the “E” in ESP.
Pedagogical Elements
In this book, you’ll find a number of different types of sidebars and other elements designed to supplement the main text. These include the following:
■ Exam Warning: These sidebars focus on specific elements on which the reader needs to focus in order to pass the exam (for example, “Be sure you know the difference between symmetric and asymmetric encryption”).
■ Test Day Tip: These sidebars are short tips that will help you in organizing and remembering information for the exam (for example, “When preparing for the exam on test day, it may be helpful to have a sheet with definitions of these abbreviations and acronyms handy for a quick last-minute review”).
■ Configuring & Implementing: These sidebars contain background information that goes beyond what you need to know for the exam, but provide a “deep” foundation for understanding the concepts discussed in the text.
■ New & Noteworthy: These sidebars point out changes in Windows Server 2008 from Windows Server 2003 as they will apply to readers taking the exam. These may be elements that users of Windows Server 2003 would be very familiar with that have changed significantly in Windows Server 2008, or totally new features that they would not be familiar with at all.
■ Head of the Class: These sidebars are discussions of concepts and facts as they might be presented in the classroom, regarding issues and questions that most commonly are raised by students during study of a particular topic.
Each chapter of the book also includes hands-on exercises in planning and configuring the features discussed. It is essential that you read through and, if possible, perform the steps of these exercises to familiarize yourself with the processes they cover. You will find a number of helpful elements at the end of each chapter. For example, each chapter contains a Summary of Exam Objectives that ties the topics discussed in that chapter to the published objectives. Each chapter also contains an Exam Objectives Fast Track, which boils all exam objectives down to manageable summaries that are perfect for last-minute review. The Exam Objectives Frequently Asked Questions section answers those questions that most often arise from readers and students regarding the topics covered in the chapter. Finally, in the Self Test section, you will find a set of practice questions written in a multiple-choice format that will assist you in your exam preparation. These questions are designed to assess your mastery of the exam objectives and provide thorough remediation, as opposed to simulating the variety of question formats you may encounter in the actual exam. You can use the Self Test Quick Answer Key that follows the Self Test questions to quickly determine what information you need to review again. The Self Test Appendix at the end of the book provides detailed explanations of both the correct and incorrect answers.
Additional Resources
There are two other important exam preparation tools included with this study guide. One is the DVD included in the back of this book. The other is the concept review test available from our Web site.
■ A DVD that provides book content in multiple electronic formats for exam-day review: Review major concepts, test day tips, and exam warnings in PDF, PPT, MP3, and HTML formats. Here, you’ll cut through all of the noise to prepare you for exactly what to expect when you take the exam for the first time. You will want to watch this DVD just before you head out to the testing center!
■ Web-based practice exams: Just visit us at www.syngress.com/certification to access a complete Windows Server 2008 concept multiple-choice review. These remediation tools are written to test you on all of the published certification objectives. The exam runs in both “live” and “practice” mode. Use “live” mode first to get an accurate gauge of your knowledge and skills, and then use practice mode to launch an extensive review of the questions that gave you trouble.
Chapter 1
MCTS/MCITP Exam 640 Configuring Server Roles in Windows 2008
Exam objectives in this chapter:
■ New Roles in 2008
■ Read-Only Domain Controllers (RODCs)
■ Active Directory Lightweight Directory Service (LDS)
■ Active Directory Rights Management Service (RMS)
■ Active Directory Federation Services (ADFS)
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Chapter 1 • Configuring Server Roles in Windows 2008
Introduction
With the introduction of new revisions to Microsoft products—be it Windows, Exchange, Communications Server, or others—we have seen a trend toward “roles” within each product, as opposed to the various products being an all-in-one type of solution (as with Exchange 2007), or being additional features that work as a snap-in, such as DNS in Windows 2003. With earlier versions of Windows Server 2000 or 2003, an Active Directory server was just that—an Active Directory server. What we are trying to say here is that it was more-or-less an “all-or-nothing” deal when creating a domain controller in Windows 2003. Very little flexibility existed in the way a domain controller could be installed, with the exception of whether a domain controller would also be a global catalog server or flexible single master operation (FSMO) server. With the release of Windows Server 2008, we have several new ways to deploy an Active Directory domain controller. In this chapter, we will discuss the new roles available in Windows Server 2008, how to create a domain controller, and how to implement and manage server roles.
New Roles in 2008
Windows Server 2008 offers many new ways to “skin the Active Directory cat,” if you will. With the introduction of these new roles is a new way to determine how they are implemented, configured, and managed within an Active Directory domain or forest. We will be discussing each of these Active Directory roles in depth later in this chapter, but the new roles (and the official Microsoft definitions) are as follows:
■ Read-only domain controller (RODC): This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory database. An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
■ Active Directory Lightweight Directory Service (ADLDS): Formerly known as Windows Server 2003 Active Directory Application Mode (ADAM), ADLDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies required for Active Directory Domain Services (ADDS). ADLDS provides much of the same functionality as ADDS, but does not require the deployment of domains or domain controllers.
■ Active Directory Rights Management Service (ADRMS): Active Directory Rights Management Services (ADRMS), a format and application-agnostic technology, provides services to enable the creation of information-protection solutions. ADRMS includes several new features that were available in Active Directory Rights Management Services (ADRMS). Essentially, ADRMS adds the ability to secure objects. For example, an e-mail can be restricted to read-only, meaning it cannot be printed, copied (using Ctrl + C, and so on), or forwarded.
■ Active Directory Federation Services (ADFS): You can use Active Directory Federation Services (ADFS) to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. Essentially, this allows cross-forest authentication to external resources—such as another company’s Active Directory. ADFS was originally introduced in Windows Server 2003 R2, but lacked much of its now-available functionality.
So, these are the roles themselves, but as also mentioned, they can be managed in a number of new ways:
■ Server Manager: This is likely to be a familiar tool to engineers who have worked with earlier versions of Windows. It is a single-screen solution that helps manage a Windows server, but is much more advanced than the previous version.
■ Server Core: Server Core brings not only a new way to manage roles, but an entirely new way to deploy a Windows Server. With Server Core, we can say goodbye to unnecessary GUIs, applications, services, and many more commonly attacked features.
Discussing Server Core is going to take considerably longer, so let’s start with Server Manager.
Using Server Manager to Implement Roles
Although we will be discussing Server Manager (Figure 1.1) as an Active Directory Management tool, it’s actually much more than just that.
Figure 1.1 Server Manager
In fact, Server Manager is a single solution (technically, a Microsoft Management Console [MMC]) snap-in that is used as a single source for managing system identity (as well as other key system information), identifying problems with servers, displaying server status, enabled roles and features, and general options such as server updates and feedback. Table 1.1 outlines some of the additional roles and features Server Manager can be used to control:
Table 1.1 Partial List of Additional Server Manager Features

Role/Feature                            Description
Active Directory Certificate Services   Management of Public Key Infrastructure (PKI)
Dynamic Host Configuration Server       Dynamic assignment of IP addresses to clients
Domain Name Service                     Provides name/IP address resolution
File Services                           Storage management, replication, searching
Print Services                          Management of printers and print servers
Terminal Services                       Remote access to a Windows desktop or application
Internet Information Server             Web server services
Hyper-V                                 Server virtualization
BitLocker Drive Encryption              Whole-disk encryption security feature
Group Policy Management                 Management of Group Policy Objects
SMTP Server                             E-mail services
Failover Clustering                     Teaming multiple servers to provide high availability
WINS Server                             Legacy NetBIOS name resolution
Wireless LAN Service                    Enumerates and manages wireless connections
Server Manager is enabled by default when a Windows 2008 server is installed (with the exception of Server Core). However, Server Manager can be shut off via the system Registry and can be re-opened at any time by selecting Start | Administrative Tools | Server Manager, or right-clicking Computer under the Start menu, and choosing Manage (Figure 1.2).
Figure 1.2 Opening Server Manager
So, those are the basics of Server Manager. Now let’s take a look at how we use Server Manager to implement a role. Since we will be discussing the four Active Directory roles in depth later in this chapter, let’s take the IIS role and talk about using the Add Role Wizard to install Internet Information Services (IIS).
EXERCISE 1.1 USING THE ADD ROLE WIZARD
Notice in Figure 1.1 that the Server Manager window is broken into three different sections:
■ Provide Computer Information
■ Update This Server
■ Customize This Server
Under the Customize This Server section, click the Add Role icon. When the wizard opens, complete the following steps to install IIS onto the server.
1. Click the Add Roles icon.
2. At the Before You Begin window, read the information provided, and then click Next.
3. From the list of server roles (Figure 1.3), click the check box next to Web Server (IIS) and then click Next.
Figure 1.3 List of Server Roles
4. If you are prompted to add additional required features, read and understand the features, and then click Add Required Features.
5. When you return to the Select Server Roles screen, click Next.
6. Read the information listed in the Introduction to Web Server (IIS) window, and then click Next.
7. For purposes of this exercise, we will select all of the default Role Services, and then click Next.
8. Review the Installation Summary Confirmation screen (Figure 1.4), and then click Install.
Figure 1.4 The Installation Summary Confirmation Screen
9. When installation is complete, click Close.
10. Notice that on the Server Manager screen, Web Server (IIS) is now listed as an installed role.
Configuring & Implementing… Scripting vs. GUI
Sure, you can always use a wizard to implement a role, but you also have the option of using a script. Realistically speaking, it’s generally not the most efficient way to deploy a role for a single server, however. Unless you are going to copy and paste the script, the chance of error is high in typing out the commands required. For example, take the following IIS script syntax (it is a single command line, and none of the feature names contain spaces):
start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
This script installs ALL of the IIS features, which may not be the preferred installation for your environment, and within the time it took to type it out, you may have already completed the GUI install!
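The sidebar's point that installing every IIS feature "may not be the preferred installation" is worth carrying through: the same pkgmgr syntax can install only the components a workload needs, which is also the smaller attack surface. The batch file below is an added example, not the book's script; it assumes a static-content site, and the log path and the choice of features are assumptions you would adjust for your own server. The feature identifiers are the same Windows Server 2008 pkgmgr names the sidebar uses, with each parent feature listed before its children.

```batch
@echo off
rem Added example (not from the book): a minimal IIS install for a static site.
rem Parents (IIS-WebServerRole, IIS-CommonHttpFeatures, IIS-HealthAndDiagnostics,
rem IIS-Security, WAS-WindowsActivationService) come before their children.
rem /norestart suppresses the automatic reboot; /l: writes an install log
rem (log location is an assumption).
start /w pkgmgr /norestart /l:%SystemRoot%\Temp\iis-minimal.log /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-HttpErrors;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-Security;IIS-RequestFiltering;WAS-WindowsActivationService;WAS-ProcessModel;WAS-ConfigurationAPI

rem start /w passes the installer's exit code through to ERRORLEVEL.
rem 0 means success; 3010 is the usual Windows installer code for
rem "succeeded, reboot required".
if %ERRORLEVEL% EQU 0 echo IIS minimal install succeeded.
if %ERRORLEVEL% EQU 3010 echo IIS minimal install succeeded; reboot required.
if %ERRORLEVEL% NEQ 0 if %ERRORLEVEL% NEQ 3010 echo pkgmgr failed with code %ERRORLEVEL%, see the log.

rem Confirm which native modules actually loaded. appcmd ships with IIS-WebServer,
rem so it is available even on Server Core, where there is no IIS Manager GUI.
%SystemRoot%\System32\inetsrv\appcmd.exe list modules

rem Deliberately left out: IIS-ApplicationDevelopment (ASP, ASP.NET, CGI, ISAPI),
rem IIS-FTPPublishingService, and IIS-IIS6ManagementCompatibility. Each one is
rem additional code reachable from the network; add only what a workload uses.
```

Request filtering (IIS-RequestFiltering) and HTTP logging (IIS-HttpLogging) are kept on purpose: the first is the module that rejects malformed or oversized requests before they reach content, and the second is what an incident responder will need when reviewing the server later. Everything else in the sidebar's full list can be added the same way with a further /iu: run once a real requirement for it exists.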
Using Server Core and Active Directory
For years, Microsoft engineers have been told that Windows would never stand up to Linux in terms of security simply because it was too darn “heavy” (too much) code, loaded too many modules (services, startup applications, and so on), and was generally too GUI heavy. With Windows Server 2008, Microsoft engineers can stand tall, thanks to the introduction of Server Core.
What Is Server Core?
What is Server Core, you ask? It’s the “just the facts, ma’am” version of Windows 2008. Microsoft defines Server Core as “a minimal server installation option for Windows Server 2008 that contains a subset of executable files, and five server roles.” Essentially, Server Core provides only the binaries needed to support the role and the base operating systems. By default, fewer processes are generally running. Server Core is so drastically different from what we have come to know from Windows Server NT, Windows Server 2000, or even Windows Server 2003 over the past decade-plus, that it looks more like MS-DOS than anything else (Figure 1.5). With Server Core, you won’t find Windows Explorer, Internet Explorer, a Start menu, or even a clock! Becoming familiar with Server Core will take some time. In fact, most administrators will likely need a cheat sheet for a while. To help with it all, you can find some very useful tools on Microsoft TechNet at http://technet2.microsoft.com/windowsserver2008/en/library/e7e522ac-b32f-42e1-b914-53ccc78d18161033.mspx?mfr=true. This provides command and syntax lists that can be used with Server Core. The good news is, for those of you who want the security and features of Server Core with the ease-of-use of a GUI, you have the ability to manage a Server Core installation using remote administration tools.
Figure 1.5 The Server Core Console
Before going any further, we should discuss exactly what will run on a Server Core installation. Server Core is capable of running the following server roles:
■ Active Directory Domain Services Role
■ Active Directory Lightweight Directory Services Role
■ Dynamic Host Configuration Protocol (DHCP)
■ Domain Name System (DNS) Services Role
■ File Services Role
■ Hyper-V (Virtualization) Role
■ Print Services Role
■ Streaming Media Services Role
■ Web Services (IIS) Role
NOTE Internet Information Server is Microsoft’s brand of Web server software, utilizing Hypertext Transfer Protocol to deliver World Wide Web documents. It incorporates various functions for security, allows for CGI programs, and also provides for Gopher and FTP servers.
Although these are the roles Server Core supports, it can also support additional features, such as:
■ Backup
■ BitLocker
■ Failover Clustering
■ Multipath I/O
■ Network Time Protocol (NTP)
■ Removable Storage Management
■ Simple Network Management Protocol (SNMP)
■ Subsystem for Unix-based applications
■ Telnet Client
■ Windows Internet Naming Service (WINS)
NOTE BitLocker Drive Encryption is an integral new security feature in Windows Server 2008 that protects servers at locations, such as branch offices, as well as mobile computers for all those roaming users out there. BitLocker provides offline data and operating system protection by ensuring that data stored on the computer is not revealed if the machine is tampered with when the installed operating system is offline.
The concept behind the design of Server Core is to truly provide a minimal server installation. The belief is that rather than installing all the applications, components, services, and features by default, it is up to the implementer to determine what will be turned on or off. Installation of Windows 2008 Server Core is fairly simple. During the installation process, you have the option of performing a Standard Installation or a Server Core installation. Once you have selected the hard drive configuration, license key activation, and End User License Agreement (EULA), you simply let the automatic installation continue to take place. When installation is done and the system has rebooted, you will be prompted with the traditional Windows challenge/response screen, and the Server Core console will appear.
EXERCISE 1.2 CONFIGURING THE DIRECTORY SERVICES ROLE IN SERVER CORE
So let’s put Server Core into action and use it to install Active Directory Domain Services. To install the Active Directory Domain Services Role, perform the following steps:
1. The first thing we need to do is set the IP information for the server. To do this, we first need to identify the network adapter. In the console window, type netsh interface ipv4 show interfaces and record the number shown under the Idx column.
2. Set the IP address, Subnet Mask, and Default Gateway for the server. To do this, type netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>. <ID> represents the number from step 1, <StaticIP> represents the IP address we will assign, <SubnetMask> represents the subnet mask, and <DefaultGateway> represents the IP address of the server’s default gateway. See Figure 1.6 for our sample configuration.
Figure 1.6 Setting an IP Address in Server Core
3. Assign the IP address of the DNS server. Since this will be an Active Directory Domain Controller, we will set the DNS settings to point to the DNS server. From the console, type netsh interface ipv4 add dnsserver name="<ID>" address=<StaticIP> index=1. <ID> represents the number from step 1, and <StaticIP> represents the IP address of the DNS server (in this case, the same IP address from step 2).
So, here is where things get a little tricky. When installing the Directory Services role in a full server installation, we would simply open up a Run window (or a command line) and type in DCPromo. Then, we would follow the prompts for configuration (domain name, file location, level of forest/domain security), and then restart the system. Installing the role in Server Core isn’t so simple, yet it’s not exactly rocket science. In order to make this installation happen, we are going to need to configure an unattended installation file. An unattended installation file (see Figure 1.7) is nothing more than a text file that answers the questions that would have been answered during the DCPromo installation. So, let’s assume you have created the unattended file and placed it on a floppy disk, CD, or other medium, and then inserted it into the Server Core server. Let’s go ahead and install Directory Services:
1. Sign in to the server.
2. In the console, change drives to the removable media. In our example, we will be using drive E:, our DVD drive.
3. Once you have changed drives, type dcpromo /answer:\answer.txt. Answer.txt is the name of our unattended file (see Figure 1.7).
Figure 1.7 Installing Directory Services in Server Core
4. Follow the installation process as it configures directory services. Once the server has completed the installation process, it will reboot automatically. When the server reboots, you will have a fully functional Active Directory implementation!
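The exercise assumes the unattended file already exists, so here is what one looks like, added as an illustration rather than taken from the book. It creates a new forest, which is the case the exercise describes (the server is also its own DNS server). The [DCInstall] section and key names are the ones the Windows Server 2008 dcpromo unattend format uses; corp.example.com, CORP and the paths are constructed values, and the SafeModeAdminPassword value is a placeholder that must be replaced. Lines beginning with ; are INI-style comments.

```ini
[DCInstall]
; Create a new forest whose root domain is corp.example.com (constructed name).
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
; Functional levels: 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008.
; A 2008-only forest can use the RODC and fine-grained password features described later.
ForestLevel=3
DomainLevel=3
; The first DC also runs DNS and is a global catalog; there is no parent zone to delegate into.
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
; Database, transaction log and SYSVOL locations (the wizard defaults).
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Directory Services Restore Mode password. It is stored here in clear text, so
; protect the medium and remove this file once the promotion has completed.
SafeModeAdminPassword=REPLACE_WITH_DSRM_PASSWORD
; Reboot without prompting so the promotion finishes unattended.
RebootOnCompletion=Yes
```

Save it as answer.txt in the root of the removable medium and run it exactly as step 3 shows (dcpromo /answer:\answer.txt); dcpromo /unattend:<file> is the equivalent newer spelling of the switch. The same file format is used to join an existing domain or to build an RODC: ReplicaOrNewDomain=Replica or ReplicaOrNewDomain=ReadOnlyReplica replaces the NewDomain lines, with ReplicaDomainDNSName naming the existing domain and UserName/UserDomain/Password supplying the credentials that have rights to add a domain controller.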
Read-Only Domain Controllers (RODCs)
One of the biggest mistakes IT organizations make is underestimating the security risk presented by remote offices. As a consultant, I have seen many organizations (big and small) make major investments in their corporate IT security strategy, and then turn around and place a domain controller on top of a desk in a small/remote office—right next to an exit. Several times during the course of the day, employees, delivery people, solicitors, and more walk by this door—and often the server itself. Typically, little exists to stop these people from walking out the door and selling their newly found (stolen) hardware on eBay. And this is probably a best-case scenario. What would happen if the information on this server actually ended up in the wrong hands?
Introduction to RODC
Read-only domain controllers were designed to combat this very problem. Let’s take a scenario where a corporation has a remote office with ten employees. On a daily basis, these ten people are always in the office, while another five to ten “float” in and out and sometimes aren’t there for weeks at a time. Overall, the company has about 1,000 employees. In a Windows 2000 Server or Windows Server 2003 Active Directory environment (or, pity you, a Windows NT 4.0 domain), if you have placed a domain controller in this remote office, all information for every user account in the organization is copied to this server. Right now, there’s probably a light bulb going off above your head (we can see it all the way from here) as to why this is a problem just waiting to happen.
Its Purpose in Life
The purpose of the read-only domain controller (RODC) is to deal directly with this type of issue, and many issues like it. RODCs are one component in the Microsoft initiative to secure a branch office. Along with RODCs, you may also want to consider implementing BitLocker (whole-disk encryption), Server Core, as well as Role Distribution—the ability to assign local administrator rights to an RODC without granting a user full domain administrator rights.
Its Features
A number of features come with an RODC, which focus on providing heightened security without limiting functionality for the remote office users. Some of the key points here are:
■ Read-only replicas of the domain database: Clients are not allowed to write changes directly to an RODC (much like a Windows NT BDC). An RODC holds all the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, with the exception of account passwords.
■ Filtered Attribute Sets: The ability to prevent certain AD attributes from being replicated to RODCs.
■ Unidirectional Replication: Since clients cannot write changes to an RODC, there is no need to replicate from an RODC to a full domain controller. This prevents potentially corrupt (or hijacked) data from being dispersed, and also reduces unnecessary bandwidth usage.
■ Read-only DNS: Allows one-way replication of application directory partitions, including ForestDNSZones and DomainDNSZones.
■ Cached accounts: By caching accounts, if the RODC were ever compromised, only the accounts that have been cached on it need to be reset. The full DCs are aware of which accounts are cached, and a report can be generated for auditing purposes.
So these are the key features of a read-only domain controller. Now let’s step through the installation process.
Configuring RODC
Configuring an RODC isn’t all that different from adding a traditional domain controller. The most important thing to remember about an RODC is that a writable domain controller must exist somewhere in the domain. Once this prerequisite is met, we can go ahead and configure our RODC. Let’s assume that our writable DC is in place, using the domain information from the previous exercise.
Head of the class ... Adding an RODC to an Existing Forest A read-only domain controller can be added to a preexisting forest, but this will require that schema changes be made to the forest for this to work properly. The process is fairly simple. Using the adprep tool with the /rodcprep switch (the actual syntax would be adprep /rodcprep), we can add the necessary schema changes to support our RODC.
EXERCISE 1.3 CONFIGURING A READ-ONLY DOMAIN CONTROLLER
Let’s begin configuring our RODC:
1. Click Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, click Add roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, choose Active Directory Domain Services, and then click Next.
5. Click Next again on the Active Directory Domain Services page.
6. On the Confirm Installation Selections page (Figure 1.8), click Install.
Figure 1.8 Confirming Installation Selections
7. When installation is complete, click Close.
8. If the Server Manager window has closed, re-open it.
9. Expand Roles, and then click Active Directory Domain Services.
10. Under Summary (Figure 1.9), click the link to Run The Active Directory Domain Services Installation Wizard.
Figure 1.9 The Summary Page
11. Click Next on the Welcome To The Active Directory Domain Services Installation Wizard page.
12. On the Operating System Compatibility page, click Next.
13. On the Choose A Deployment Configuration page, click Existing Forest.
14. Ensure Add A Domain Controller To An Existing Domain is selected, and then click Next.
15. On the Network Credentials page, verify that your domain is listed, and click Set.
16. In the User Name field, type <domain>\administrator.
17. In the Password field, type your administrator password, and then click OK (see Figure 1.10).
Figure 1.10 Setting Account Credentials
18. Click Next.
19. On the Select a Domain page, click Next.
20. On the Select a Site page (if you have Sites and Services configured), you can choose which site to add this RODC to. In this case, we are using the default site; click Next. Select DNS Server and Read-Only Domain Controller on the Additional Domain Controller Options page and then click Next.
21. In the Group Or User field, type <domain>\administrator, and then click Next.
22. Verify the file locations, and click Next.
23. On the Active Directory Domain Services Restore Mode Administrator Password page, type and confirm a restore mode password, and then click Next.
24. On the Summary page, click Next.
25. The Active Directory Domain Services Installation Wizard dialog box appears. After installation, reboot the server.
EXAM TIP
It is possible to “stage” an RODC and delegate rights to complete an RODC installation to a user or group. In order to do this, you must first create an account for the RODC in Active Directory Users and Computers. Once inside of ADU&C, you must right-click the Domain Controllers OU container, and select Pre-create Read-Only Domain Controller Account. From here, you can set the alternate credential for a user who can then finish the installation. On the server itself, the user must type dcpromo /UseExistingAccount:Attach in order to complete the process.
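The "Cached accounts" feature above says the full DCs know which accounts an RODC has cached and that a report can be produced; the Password Replication Policy (PRP) is where that is controlled, and repadmin /prp is the Windows Server 2008 command-line interface to it. The batch file below is an added example, not the book's material. RODC01, DC01, the contoso domain and the user and group names are placeholders, and it is run from a writable DC or a workstation with the AD DS tools as a domain administrator. The exact argument forms accepted for security principals and user names should be confirmed against repadmin /?:prp on the system in use.

```batch
@echo off
rem Added example (not from the book): audit and tune an RODC's Password
rem Replication Policy with repadmin. Names below are placeholders.
setlocal
set RODC=RODC01
set HUBDC=DC01

rem 1. Which accounts have had their secrets revealed to (cached on) the RODC?
rem    If this RODC were ever stolen, this is the list of accounts to reset.
repadmin /prp view %RODC% reveal

rem 2. Which accounts have authenticated through the RODC? Useful for deciding
rem    who actually works at the branch and belongs on the Allowed list.
repadmin /prp view %RODC% auth2

rem 3. Review the current Allowed and Denied lists. dcpromo populates the Denied
rem    list with privileged groups (Domain Admins and so on); leave those in place.
repadmin /prp view %RODC% allow
repadmin /prp view %RODC% deny

rem 4. Permit caching only for the branch-office group (assumed group name),
rem    so that a compromise of the RODC exposes branch users, not the whole domain.
repadmin /prp add %RODC% allow "contoso\Branch Office Users"

rem 5. Prepopulate the branch users' secrets from a writable DC (users given as
rem    distinguished names) so logons still work when the WAN link is down.
repadmin /rodcpwdrepl %RODC% %HUBDC% "CN=J Smith,OU=Branch,DC=contoso,DC=com" "CN=M Jones,OU=Branch,DC=contoso,DC=com"
endlocal
```

Step 1 is the audit the feature list refers to, and step 4 is what keeps the read-only replica from silently turning back into a full copy of every password: an account that is neither on the Allowed list nor prepopulated is authenticated by a writable DC over the WAN and never cached on the branch server.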
Removing an RODC There may come a time when you need to remove an RODC from your forest or domain. Like anything in this world, there is a right way and a wrong way to go about doing this. For the exam, you’ll want to make sure you know the right way. Removing a read-only domain controller is almost as simple as adding an RODC. One important thing to remember with an RODC is that it cannot be the first—or the last—domain controller in a domain. Therefore, all RODCs must be detached before removing a final writable domain controller. Fewer steps make up the removal process. Let’s take a look at how this is done. 1. Choose Start | Run. 2. In the Run window, type dcpromo.exe. 3. At the Welcome To Active Directory Domain Services Installation Wizard screen, click Next. 4. On the Delete The Domain window, make sure the check box is not checked, and then click Next. 5. Enter your administrator password, and then click Next. 6. Click Next in the Summary window, and then click Next again. 7. When removal is complete, reboot the server. 8. When the server reboots, sign back in. 9. Select Start | Administrative Tools | Server Manager. 10. Scroll down to Role Summary. 11. Expand Roles, and then click Remove Roles.
12. On the Before You Begin page, click Next.
13. Clear the check boxes for Active Directory Domain Services and DNS Server, and then click Next.
14. Review the confirmation details, and then click Remove.
15. Review the results page, and click Close.
16. Restart the server if necessary.
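The two dcpromo paths described above (attaching a server to a pre-created RODC account, and demoting an RODC only when a writable domain controller remains) can be driven from PowerShell with dcpromo answer files. The following is an added example written for this edition, not code from the book; it assumes the domain prepguide.ads, a delegated installer account PREPGUIDE\rodc-installer, PowerShell 2.0 and an elevated shell on the server being promoted or demoted.

```powershell
# Added example (editor's code, not from the book). Automates the two dcpromo
# paths discussed above: attaching a server to a pre-created (staged) RODC
# account, and demoting an RODC only after confirming a writable DC remains.
# Assumptions: domain prepguide.ads, delegated installer PREPGUIDE\rodc-installer,
# PowerShell 2.0, run from an elevated shell on the server being promoted/demoted.

function Get-DomainControllerSummary {
    # Writable DCs have primaryGroupID 516 (Domain Controllers); RODCs have 521
    # (Read-only Domain Controllers). Returns both lists for the current domain.
    $domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = "(&(objectCategory=computer)(|(primaryGroupID=516)(primaryGroupID=521)))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("name", "primaryGroupID"))
    $writable = @(); $readOnly = @()
    foreach ($result in $searcher.FindAll()) {
        $name = [string]$result.Properties["name"][0]
        if ([int]$result.Properties["primarygroupid"][0] -eq 516) { $writable += $name }
        else { $readOnly += $name }
    }
    New-Object PSObject -Property @{ Writable = $writable; ReadOnly = $readOnly }
}

function Write-AnswerFile {
    param([string]$Path, [string[]]$Settings)
    # dcpromo reads an INI-style [DCInstall] section. The file may hold secrets,
    # so it is written once, used once, and deleted by the caller.
    @("[DCInstall]") + $Settings | Set-Content -Path $Path -Encoding ASCII
}

function Invoke-RodcAttach {
    param(
        [string]$DomainDnsName = "prepguide.ads",
        [string]$DelegatedUser = "PREPGUIDE\rodc-installer",
        [string]$SafeModeAdminPassword,
        [string]$AnswerFile = (Join-Path $env:TEMP "rodc-attach.txt")
    )
    # /UseExistingAccount:Attach binds this server to the account created with
    # "Pre-create Read-Only Domain Controller Account"; site, DNS and GC choices
    # were fixed at that step, so they are not repeated here. Password=* makes
    # dcpromo prompt for the delegated user's password instead of storing it.
    Write-AnswerFile $AnswerFile @(
        "ReplicaDomainDNSName=$DomainDnsName",
        "UserDomain=$DomainDnsName",
        "UserName=$DelegatedUser",
        "Password=*",
        "SafeModeAdminPassword=$SafeModeAdminPassword",
        "RebootOnCompletion=Yes")
    try { & dcpromo.exe /UseExistingAccount:Attach "/unattend:$AnswerFile" }
    finally { Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue }
}

function Invoke-RodcRemoval {
    param(
        [string]$LocalAdminPassword,
        [string]$AnswerFile = (Join-Path $env:TEMP "rodc-demote.txt")
    )
    $dcs = Get-DomainControllerSummary
    $me  = $env:COMPUTERNAME
    if ($dcs.ReadOnly -notcontains $me) {
        throw "$me is not an RODC; this helper only demotes read-only domain controllers."
    }
    if (@($dcs.Writable).Count -lt 1) {
        throw "No writable domain controller found; an RODC cannot be the last DC in the domain."
    }
    # IsLastDCInDomain=No is asserted deliberately: dcpromo must never be allowed
    # to tear down the domain from a read-only replica. AdministratorPassword is
    # the local Administrator password once the server is a member server again.
    Write-AnswerFile $AnswerFile @(
        "IsLastDCInDomain=No",
        "AdministratorPassword=$LocalAdminPassword",
        "RebootOnCompletion=Yes")
    try { & dcpromo.exe "/unattend:$AnswerFile" }
    finally { Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue }
}

# Usage (the removal procedure above, with the "not the last DC" check automated):
# Get-DomainControllerSummary
# Invoke-RodcRemoval -LocalAdminPassword (Read-Host "New local Administrator password")
```

Get-DomainControllerSummary is also handy on its own before any demotion: it shows at a glance which computers in the domain are writable DCs and which are RODCs, which is exactly the question the removal rule asks.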
Active Directory Lightweight Directory Service (LDS)
As mentioned earlier, Active Directory Lightweight Directory Services (AD LDS) is a slimmed-down version of AD: it provides an LDAP directory for applications without the domain controller, Kerberos, and Group Policy infrastructure of a full AD DS domain. The concept of LDS is not new. In fact, it has been around for several years. However, to date it is probably not as widely known or recognized as the full AD DS installation. Now that AD LDS is a part of the Windows Server 2008 media, you can expect to see many more deployments of the product.
When to Use AD LDS
So, when should you use AD LDS? Well, there are many situations when this is a more viable option. Typically, LDS is used when directory-aware applications need directory services, but there is no need for the overhead of a complete forest or domain structure. Demilitarized Zones (DMZs) are a great example of this. If you are not familiar with DMZs, Wikipedia defines a DMZ as a physical or logical subnetwork that contains an organization’s external services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN). You may be hosting an application or Web site in a DMZ where you want the added security of challenge/response authentication backed by a directory. Since this is in a DMZ, you probably have no need for organizational units, Group Policy, and so on. By using LDS, you can eliminate these unnecessary functions and focus on what really is important: authentication and access control. The other popular use of LDS is to provide authentication services in a DMZ or extranet for internal corporate users. In this scenario, account credentials can be synchronized between the full internal domain controllers and the LDS instances within the DMZ. This provides a single sign-on solution, as opposed to the end user being required to remember multiple usernames and passwords.
Changes from Active Directory Application Mode (ADAM)
As mentioned earlier, the LDS concept has been around since Windows Server 2003 R2, but many improvements and new features have been introduced since the previous release. Some of the key changes between ADAM and LDS are listed next:
■ Auditing: Directory Service changes can now be audited when changes are made to objects and their attributes. In this situation, both old and new values are logged.
■ Server Core Support: AD LDS is now a supported role for installation in a Server Core implementation of Windows Server 2008. This makes it ideal for DMZ-type situations.
■ Support for Active Directory Sites and Services: This makes it possible to manage LDS instance replication using the more-familiar ADS&S tool.
■ Database Mounting Tool: Provides a means to compare data as it exists in database backups that are taken at different times, to help in deciding which backup instance to restore.
These are the “key” improvements from ADAM in Windows Server 2003 R2 to AD LDS in Windows Server 2008, but the fact that the product has had more time to be “baked in” will greatly improve the functionality and usage of this technology.
Configuring AD LDS
By now, you’re probably beginning to see a trend in how things are accomplished in Windows Server 2008. Everything is done with the use of server roles. Active Directory Lightweight Directory Services is no different. In our example, we are going to walk through the process of installing a clean LDS implementation.
EXERCISE 1.4 CONFIGURING LDS
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, and then click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select the Active Directory Lightweight Directory Services option, and then click Next.
5. The installation steps for the role are very straightforward: follow the prompts and then click Install. After the role installation is complete, move on to creating an LDS instance.
6. Select Start | Administrative Tools | Active Directory Lightweight Directory Services Setup Wizard.
7. On the Welcome page, click Next.
8. On the Setup Options page, select A Unique Instance, and then click Next.
9. On the Instance Name page (Figure 1.11), provide a name for the AD LDS instance and click Next.
Figure 1.11 The Instance Name Page
10. On the Ports page, we can specify the ports the AD LDS instance uses to communicate. Accept the default values of 389 (LDAP) and 636 (LDAP over SSL), and then click Next. If the server is also a domain controller, the wizard proposes 50000 and 50001 instead, because 389 and 636 are already in use by AD DS. Whatever you choose, note the numbers: every client connection later in this section must specify the port.
11. On the Application Directory Partition page (Figure 1.12), create an application directory partition by clicking Yes.
Figure 1.12 The Application Directory Partition Page
12. On this page, we also need to specify the distinguished name of our partition. Follow the format in Figure 1.12, and then click Next.
13. On the File Locations page, review the file locations and click Next to accept the defaults.
14. On the Service Account Selection page, select an account to be used as the service account. By default, the Network Service account is used. Click Next to accept the default option.
15. On the AD LDS Administrators page (Figure 1.13), select the user or group that will be the default administrator for this instance. Accept the default value (Currently Logged On User) and then click Next.
25
26
Chapter 1 • Configuring Server Roles in Windows 2008
Figure 1.13 The AD LDS Administrators Page
16. On the Importing LDIF Files page, select the LDIF files to load into the instance. We will use the MS-ADLDS-DisplaySpecifiers file later in this section, so select that option, and then click Next.
17. Review the Ready To Install page and click Next to begin the installation process. When setup is complete, click Finish.
Working with AD LDS
Several tools can be used to manage an LDS instance. In this book, we will work with two of these tools. The first is the ADSI Edit tool. ADSI stands for Active Directory Service Interfaces, and is used to access the features of directory services from different network providers. ADSI can also be used to automate tasks such as adding users and groups and setting permissions on network resources. While making changes to LDS (or Active Directory) is outside the scope of this book, we will show you how to use ADSI Edit to connect to an LDS instance.
1. Choose Start | Administrative Tools | ADSI Edit.
2. In the console tree, click ADSI Edit.
3. On the Action menu, click Connect to.
4. In the Name field, type a recognizable name for this connection. This name will appear in the console tree of ADSI Edit.
5. In Select Or Type A Domain Or Server, enter the fully qualified domain name (or IP address) of the computer running the AD LDS instance, followed by a colon and 389—the LDAP port you chose for the instance.
6. Under Connection point, click Select, choose the distinguished name of your partition, and then click OK.
7. In the console tree of the ADSI Edit snap-in, double-click the name you created in step 4, and then double-click the distinguished name of your LDS partition.
8. Navigate around the containers to view the partition configuration.
The second tool we will discuss is the Active Directory Sites and Services snap-in. As mentioned earlier in this section, you can use the ADS&S snap-in to manage replication of directory information between sites in an LDS implementation. This is useful when LDS is implemented in a geographically dispersed environment. For example, a server farm colocated in a company datacenter and a disaster recovery location may require replication, and the easiest way to manage this is via this snap-in. However, it’s important to note that the MS-ADLDS-DisplaySpecifiers.ldf file must have been imported during the instance configuration (earlier in this section) in order to use ADS&S. Let’s review how to use ADS&S to connect to an LDS instance.
1. Choose Start | Administrative Tools | Active Directory Sites & Services.
2. Right-click Active Directory Sites and Services, and then click Change Domain Controller.
3. In the Change Directory Server window, type the FQDN or IP address of the server running the LDS instance, followed by :389.
4. Navigate the containers to view information about the LDS instance.
Active Directory Rights Management Service (RMS)
If you were to poll 100 corporations, you would probably find that 99 of them have had a confidential e-mail or document leave their environment and fall into the hands of someone for whom it was not intended. Microsoft recognized this issue several years back and began working on a product named Rights Management Server (RMS). RMS is a great product and is in use at many companies, but its price often put it out of reach. With Windows Server 2008, Microsoft has rebranded the product and incorporated it into the operating system itself. As industry and governmental restrictions continue to increase, as well as the penalties for mishandling information, providing a technology such as RMS (AD RMS in 2008) essentially became a demand on the part of customers. Although Microsoft is including the server portion in Windows Server 2008, don’t be fooled—there is still a Client Access License (CAL) for Rights Management. The three main functions of AD RMS are:
■ Creating rights-protected files and templates: Trusted users can create and manage protection-enhanced files using common authoring tools (including Office products such as Word, Excel, and Outlook), as well as templates from AD RMS-enabled applications.
■ Licensing rights-protected information: Certainly the key component of RMS. The server issues a special certificate, known as a rights account certificate, used to identify trusted users and groups that have the authority to generate rights-protected content.
■ Acquiring licenses to decrypt rights-protected content and applying usage policies: As the name implies, RMS works with Active Directory to determine whether users hold the rights account certificate required to access rights-protected content.
As stated earlier, RMS has been around for some time, but there have been a number of advancements since the product was released. Let’s take a look at some of these features.
What’s New in RMS
We mentioned early on that probably the most substantial change from earlier versions of RMS is that it is no longer a separate product from Windows Server. Besides significantly reducing the barrier to entry for such a technology, this has also improved the installation and management of the product. At this stage, you should be familiar with how we install roles. The RMS role installation also takes care of its prerequisites—such as IIS and Message Queuing—during the installation process. Isn’t it exciting to know that installing the RMS role is just as simple? We will get to the installation and configuration of RMS later in this section. First though, let’s look at three other areas where improvements have been made over the older product:
■ Self-Enrollment: In previous versions of RMS, the RMS server had to connect over the Internet to the Microsoft Enrollment Service in order to receive a server licensor certificate (SLC), which gives RMS the right to issue licenses and its own certificates. In Windows Server 2008, Microsoft has eliminated this dependency: the server enrolls itself using a self-enrollment certificate that ships with Windows Server 2008, so the SLC is generated and signed locally without contacting Microsoft.
■ Delegation of Roles: AD RMS now gives you the flexibility to delegate certain RMS roles to other users and administrators. There are four RMS roles, implemented as local groups on the AD RMS server: AD RMS Service Group, AD RMS Enterprise Administrators, AD RMS Template Administrators, and AD RMS Auditors. The RMS Service Group holds the service account used by RMS. Enterprise Administrators has full control of all settings and policies—much like an Active Directory Enterprise Administrator. As the name implies, a Template Administrator has rights to create, modify, read, and export templates. Auditors have rights only to view RMS information and to work with logs and reports.
■ Integration with Federation Services: We will be covering AD FS in the next section, but this integration makes it possible to share rights-protected documents with external entities.
RMS vs. DRMS in Vista
Digital Rights Management (DRM) is a tricky topic, particularly when couched in the common terms of the movie makers versus the general public. Since that discussion is intensely personal and very controversial, I want to steer clear of making any statements that endorse or condemn DRM—it is your decision whether or not to use it. The key differentiator between RMS and DRM is that DRM is generally used by content manufacturers (music companies, movie companies, and so on), whereas RMS is intended more for corporations that want to protect company-sensitive data.
With DRM, content producers intend to make sure their wishes are met when producing and distributing content—and it’s hard to argue with that goal. If you write the next Great American Novel, or you’ve painted “What the Mona Lisa Did Next,” you’re justified in releasing it only for what you consider to be appropriate recompense, or withholding it from the public until you are satisfied with your remuneration. The objection to DRM (except from those who insist that all information, all art, and all content “wants to be free”) comes from putative content consumers who are concerned that their own ability to consume the content is unnecessarily restricted—they may want to view the movie they purchased on a different screen, or add subtitles to it so that they can watch it with a deaf relative. Too much DRM protection on content means that the content is no longer acceptably usable by your targeted consumers—if your goal is to sell content to those consumers, clearly this is a losing proposition. You don’t make money by killing piracy, unless you make money by selling more products as a result. For publicly available content, however, some protection may remind otherwise-honest consumers that the content they are viewing is not completely licensed to them, distribution rights have not been granted, and the content is only intended to be accessed through the method or media purchased. Disappointing for the consumer who bought a DVD, intending to watch it on a remote device, but not totally surprising. (If there is a market for watching movies on remote devices, maybe a smart company will come along and exploit it by licensing content for distribution in that way.)
Configuring RMS
Another day, another role. As you can imagine, we’re going to be using Server Manager to deploy AD RMS. In order to make this work, a number of things will be in play. During the installation process, we will need to configure a certificate (via IIS), and then install and complete the configuration of the AD RMS server role. Let’s begin by configuring the certificate.
NOTE Exercise 1.5 will require the use of a certificate authority. You may want to wait on this exercise until you review Chapter 6, which covers CAs. We can understand how you may be too excited to wait, but rather than making you go through the CA process twice, bookmark this section and come back to it once you have completed that chapter.
EXERCISE 1.5 CONFIGURING RIGHTS MANAGEMENT SERVER
1. Select Start | Administrative Tools | Internet Information Services (IIS) Manager. We installed the IIS role earlier in this chapter.
2. Double-click the server name.
3. In the details pane, double-click Server Certificates.
4. Click Create Domain Certificate.
5. In the Common name field, type the FQDN of your server (Figure 1.14).
Figure 1.14 Creating a Domain Certificate
6. In the Organization field, enter a company name.
7. In the Organization Unit field, enter a division.
8. In the City/locality field, enter your city.
9. In the State/province field, enter your state, and then click Next.
10. Review the Online Certification Authority page, and click Select.
11. Select your Certificate Authority (Figure 1.15), and then click OK.
Figure 1.15 Selecting a Certificate Authority
12. In the Friendly name field, enter the NetBIOS name of this server (Figure 1.16), and click Finish.
Figure 1.16 Entering a Friendly Name
Now, let’s install the role.
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, click Active Directory Rights Management Services.
5. In the Add Roles Wizard, click Add Required Role Services, and then click Next.
6. Click Next on the Active Directory Rights Management Services page.
7. Click Next on the Select Role Services page.
8. Click Next on the Create Or Join An AD RMS Cluster page.
9. Click Next on the Set Up Configuration Database page.
10. On the Specify Service Account page, click Specify to choose an account, and then click Next. This cannot be the same account you are using to install RMS; use a dedicated domain account with no other privileges.
11. Click Next on the Set Up Key Management page.
12. On the Specify Password for AD RMS Encryption page (Figure 1.17), enter a password and then click Next. This password protects the cluster key; you will need it again to add servers to the cluster or to restore it, so record it somewhere safe.
Figure 1.17 The AD RMS Encryption Page
13. Click Next on the Select Web Site page.
14. Review the information on the Specify Cluster Address page (Figure 1.18), click Validate, and then click Next.
Figure 1.18 Specifying a Cluster Address
15. Verify that Choose An Existing Certificate For Secure Socket Layer (SSL) Encryption is selected on the Choose A Server Authentication Certificate For SSL Encryption page (Figure 1.19), choose the certificate you created for your server, and then click Next. SSL provides secure communications for Web browsing, e-mail, and other data transfers; here it protects every certification and licensing request the RMS clients send. The certificate’s subject name must match the cluster address you validated in step 14, or clients will refuse the connection.
Figure 1.19 Setting SSL Encryption
16. Click Next on the Specify a Friendly Name for the Licensor Certificate page.
17. Click Next on the Set up Revocation page.
18. Click Next on the Register This AD RMS Server In Active Directory page.
19. Click Next on the Web Server page.
20. Click Next on the Select Role Services page.
21. Review the confirmation page, and then click Install.
22. When the installation is complete, click Close.
Next, we need to set up the RMS cluster settings. In AD RMS, a cluster is a single server—or set of servers—that shares AD RMS publishing and licensing requests. Let’s walk through configuring the cluster settings.
1. Choose Start | Administrative Tools | Active Directory Rights Management Services.
2. Select your server.
3. Right-click the server and choose Properties.
4. Move to the SCP tab and select Change SCP. Click OK. The SCP is the service connection point, an object in Active Directory that tells clients the connection URL for the service.
5. Click Yes in the Active Directory Rights Management Services dialog.
6. Right-click the server name, and then click Refresh.
7. Close the window.
At this stage, the server setup is complete. If you wanted to test the RMS functionality, you could create a document in Word or Excel 2007 and set the permissions by clicking the Office button and choosing Prepare | Restrict Permission.
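Once the role is installed and the SCP is registered, the points worth checking are the ones the exercise touched by hand: who sits in the four AD RMS local groups, whether the service account is confined to the Service Group and differs from the installing account, what URL the SCP publishes, and whether the cluster’s SSL certificate chains and matches that name. The following is an added example written for this edition, not code from the book; it assumes the server rms01.prepguide.ads, a service account PREPGUIDE\svc-adrms, and PowerShell 2.0 running on the RMS server.

```powershell
# Added example (editor's code, not from the book). Audits an AD RMS server once
# the role and SCP are configured: lists members of the four AD RMS local groups,
# checks that the service account is confined to the Service Group and is not the
# installing account, reads the SCP that clients use, and verifies the cluster's
# SSL certificate. Assumptions: server rms01.prepguide.ads, service account
# PREPGUIDE\svc-adrms, PowerShell 2.0 on the RMS server.

function Get-RmsRoleMembers {
    param([string]$Computer = $env:COMPUTERNAME)
    $groups = "AD RMS Service Group", "AD RMS Enterprise Administrators",
              "AD RMS Template Administrators", "AD RMS Auditors"
    foreach ($g in $groups) {
        $grp = [ADSI]"WinNT://$Computer/$g,group"
        # Members come back as COM objects; pull each ADsPath and normalise to DOMAIN\name.
        $members = @($grp.Invoke("Members") | ForEach-Object {
            $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null) -replace "^WinNT://", "" -replace "/", "\"
        })
        New-Object PSObject -Property @{ Group = $g; Members = $members }
    }
}

function Test-RmsServiceAccountSeparation {
    param([string]$ServiceAccount = "PREPGUIDE\svc-adrms")
    $roles  = Get-RmsRoleMembers
    $svc    = @(($roles | Where-Object { $_.Group -eq "AD RMS Service Group" }).Members)
    $admins = @($roles | Where-Object { $_.Group -ne "AD RMS Service Group" } | ForEach-Object { $_.Members })
    $me     = "$env:USERDOMAIN\$env:USERNAME"
    # The service account belongs in the Service Group only, and (as the wizard
    # enforces at install time) must not be the account that installed the role.
    return ($svc -contains $ServiceAccount) -and ($admins -notcontains $ServiceAccount) -and ($svc -notcontains $me)
}

function Get-RmsScp {
    # AD RMS registers its service connection point under the Configuration
    # partition; serviceBindingInformation carries the cluster URL clients resolve.
    $cfg = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $scp = [ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$cfg"
    [string]$scp.serviceBindingInformation
}

function Test-RmsClusterCertificate {
    param([string]$ClusterUrl = (Get-RmsScp))
    # The cluster address must be HTTPS, and its certificate must chain to a
    # trusted CA and carry the name clients use; otherwise every licensing call fails.
    $uri = [Uri]$ClusterUrl
    if ($uri.Scheme -ne "https") { return $false }
    $req = [System.Net.WebRequest]::Create("https://$($uri.Host)/_wmcs/certification/server.asmx")
    try { $req.GetResponse().Close() } catch { }   # a 401 is fine; the TLS handshake already ran
    $cert = $req.ServicePoint.Certificate
    if ($cert -eq $null) { return $false }         # handshake failed (untrusted or mismatched cert)
    $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    return ($chain.Build($cert2)) -and ($cert2.Subject -like "*CN=$($uri.Host)*")
}

# Usage:
Get-RmsRoleMembers | Format-Table Group, @{ n = "Members"; e = { $_.Members -join ", " } }
Test-RmsServiceAccountSeparation
Get-RmsScp
Test-RmsClusterCertificate
```

Run it from a client as well as from the server: the certificate check is only meaningful from a machine that does not already trust the server’s own store, which is exactly where a self-signed or internal-only certificate shows up as a failure.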
Active Directory Federation Services (ADFS)
Federation Services were originally introduced in Windows Server 2003 R2. AD FS provides an identity access solution: it gives users inside (and outside) an organization authenticated access to applications that are publicly accessible via the Internet. Federation Services provides an identity management solution that interoperates with WS-* Web Services Architecture–enabled security products. The WS-Federation Passive Requestor Profile (WS-F PRP) also makes it possible for federation to work with non-Microsoft identity solutions that implement the same profile. The WS-Federation specification defines an integrated model for federating identity, authentication, and authorization across different trust realms and protocols; the passive requestor profile defines how that model is applied to passive requestors such as Web browsers that support the HTTP protocol. WS-Federation Passive Requestor Profile was created in conjunction with some pretty large companies, including IBM, BEA Systems, Microsoft, VeriSign, and RSA Security.
What Is Federation?
As we described earlier in this chapter, federation is a technology solution that makes it possible for two entities to collaborate in a variety of ways. When federation servers are deployed in multiple organizations, it is possible for corporations to share resources and account management in a trusted manner. Earlier in this chapter, we were discussing Active Directory Rights Management Services. This is just one way companies can take advantage of FS. With ADFS, partners can include external third parties, other departments, or subsidiaries in the same organization.
Why and When to Use Federation
Federation can be used in multiple ways. One product that has been using federation for quite some time is Microsoft Communication Server (previously Live Communication Server 2005, now rebranded as Office Communication Server 2007). Federation is slightly different in this model, where two companies federate their environments for the purposes of sharing presence information. This makes it possible for two companies to securely communicate via IM, Live Meeting, voice, and video. It also makes it possible to add “presence awareness” to many applications, including the Office suite, as well as Office SharePoint Server. If you want to know more about OCS and how federation works for presence, we recommend How to Cheat at Administering Office Communication Server 2007, also by Elsevier.
A little closer to home, Federation Services can also be used in a variety of ways. Let’s take an extranet solution where a company in the financial service business shares information with its partners. The company hosts a Windows SharePoint Services (WSS) site in its DMZ for the purpose of sharing revenue information with investment companies that sell its products. Prior to Active Directory Federation Services, these partners would be required to use a customer ID and password in order to access this data. For years, technology companies have been touting the ability to provide and use single sign-on (SSO) solutions. These worked great inside an organization, where you may have several different systems (Active Directory, IBM Tivoli, and Solaris), but tend to fail once you get outside the enterprise walls. With AD FS, this company can federate its DMZ domain (or its internal AD) with its partners’ Active Directory infrastructures. Now, rather than creating a username and password for employees at these partners, the company can simply add the partner users (or groups) to the appropriate security groups in its own Active Directory (see Figure 1.20).
It is also important to note that AD FS requires either Windows Server 2008 Enterprise edition or Datacenter edition.
Figure 1.20 The Active Directory Federation Services Structure
Configuring ADFS
In this exercise, we are going to create the account side of the ADFS structure. The resource side is the other half of the ADFS configuration: the provider of the service that is offered to an account domain. To put it in real-world terms, the resource partner would host the extranet application, and the partner company whose users sign in would be the account partner.
EXERCISE 1.6 CONFIGURING FEDERATION SERVICES
1. Click Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, and then click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select Active Directory Federation Services (see Figure 1.21) from the list and click Next.
Figure 1.21 Selecting the Role
5. Click Next on the Active Directory Federation Services page.
6. In the Select Role Services window, select Federation Service, and then click Next. If prompted, add the additional prerequisite applications.
7. Click Create A Self-Signed Certificate For SSL Encryption (Figure 1.22), and then click Next. A self-signed certificate is fine for this lab exercise, but partner federation servers and browsers will not trust it; in production, issue the SSL certificate from a CA that both partners trust.
Figure 1.22 Creating a Self-Signed Token-Signing Certificate
8. Click Create A Self-Signed Token-Signing Certificate, and then click Next.
9. Click Next on the Select Trust Policy page.
10. If prompted, click Next on the Web Server (IIS) page.
11. If prompted, click Next on the Select Role Services page.
12. On the Confirm Installation Selections page, click Install.
13. When the installation is complete, click Close.
The next step in configuring AD FS is to configure IIS to require SSL on the Federation server:
1. Choose Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. Double-click the server name.
3. Drill down the left pane to the Default Web Site and double-click it.
4. Double-click SSL Settings and select Require SSL.
5. Under Client Certificates, click Accept. Then, click Apply (Figure 1.23).
Figure 1.23 Requiring Client Certificates
6. Click Application Pools.
7. Right-click AD FS AppPool, and click Set Application Pool Defaults.
8. In the Identity pane (Figure 1.24), click LocalSystem, and then click OK. LocalSystem is the most privileged local account; use it where the configuration requires it, and prefer the least privileged identity the service will run under wherever you have the choice.
Figure 1.24 Setting Application Pool Defaults
9. Click OK again.
10. Before we close IIS, we need to create a self-signed certificate. Double-click the server name again.
11. Double-click Server Certificates.
12. Click Create Self-Signed Certificate.
13. In the Specify Friendly Name field, enter the NetBIOS name of the server and click OK.
Next, we need to configure a resource for use with AD FS. In this case, we are going to use the same domain controller to double as a Web server. What we will be doing is installing the AD FS Web Agent, essentially adding an additional role service to the server as part of the AD FS architecture. This will allow us to use our federated services within a Web application.
1. Choose Start | Administrative Tools | Server Manager.
2. In the left pane, expand Roles and click Active Directory Federation Services.
3. Scroll down to Role Services and click Add Role Services.
4. In the Select Role Services window, select Claims-aware Agent (Figure 1.25), and then click Next.
Figure 1.25 Setting Services
5. Confirm the installation selections (Figure 1.26), and then click Install.
Figure 1.26 Confirming the Installation
6. When installation is complete, click Close.
Now we need to configure the trust policy, which is responsible for federation with the resource domain.
1. Choose Start | Administrative Tools | Active Directory Federation Services.
2. Expand Federation Service by clicking the + symbol (see Figure 1.27).
Figure 1.27 AD FS MMC
3. Right-click Trust Policy, and then choose Properties.
4. Verify that the information in Figure 1.28 matches your configuration (with the exception of the FQDN server name), and then click OK.
Figure 1.28 Trust Policies
5. When you return to the AD FS MMC, expand Trust Policy and open My Organization.
6. Right-click Organization Claims, and then click New | Organization Claim.
7. This is where you enter the information about the resource domain. A claim is a statement a federation server makes about a user (for example, that the user belongs to a group) that the partner relies on for authorization within applications. We will be using a Group Claim, which indicates membership in a group or role. Groups would generally follow business groups, such as accounting and IT.
8. Enter a claim name (we will use PrepGuide Claim). Verify that Group Claim is selected as well before clicking OK.
9. Create a new account store. Account stores are used by AD FS to log on users and extract claims for those users. AD FS supports two types of account stores: Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This makes it possible to provide AD FS for full Active Directory domains and for AD LDS instances.
10. Right-click Account Stores and choose New | Account Store.
11. When the Welcome window opens, click Next.
12. Since we have a full AD DS in place, select Active Directory Domain Services (AD DS) from the Account Store Type window (Figure 1.29), and then click Next.
Figure 1.29 The Account Store Type Window
13. Click Next on the Enable This Account Store window.
14. Click Finish on the completion page.
Now, we need to add Active Directory groups into the Account Store.
1. Expand Account Stores.
2. Right-click Active Directory, and then click New | Group Claim Extraction.
3. In the Create A New Group Claim Extraction window (Figure 1.30), click Add and click Advanced.
Figure 1.30 The Create A New Group Claim Extraction Window
4. Click Object Types, clear every check box except Groups, and then click OK.
5. Click Find Now.
6. Select Domain Admins from the list of groups by double-clicking.
7. Click OK.
8. The Map To This Organization Claim field should show the claim we created earlier. Click OK to close the window.
Finally, we will create the partner information for our resource partner, which is prepguides.ads.
1. Expand Partner Organizations.
2. Right-click Resource Partners, and then select New | Resource Partner.
3. Click Next on the Welcome window.
4. We will not be importing a policy file, so click Next.
5. In the Resource Partner Details window (Figure 1.31), enter a friendly name for the partner, and the URI and URL information of the partner. Note that it is identical to what we entered earlier in Figure 1.28. When the information is complete, click Next.
Figure 1.31 Resource Partner Details
6. Click Next on the Federation Scenario page. This is the default selection, which is used for two partners from different organizations when there’s no forest trust.
7. On the Resource Partner Identity Claims page, check UPN Claim and click Next. A UPN Claim is based on the domain name of your Active Directory structure. In our case, the UPN is uccentral.ads.
8. Set the UPN suffix. Verify that Replace All UPN Suffixes With The Following: is selected and then enter your server’s domain name. This is how all suffixes will be sent to the resource partner. Click Next.
9. Click Next to enable the partner.
10. Click Finish to close the wizard.
We’re almost at the end of our account partner configuration. The last thing we need to do is create an outgoing claim mapping. This is part of a claim set. On the resource side, we would create an identical incoming claim mapping.
1. Expand Resource Partners.
2. Right-click your resource partner, and then choose New | Outgoing Group Claim Mapping.
3. Select the claim we created earlier, enter PrepGuide Mapping, and then click OK.
As you can imagine, this process would be duplicated on the resource domain, with the exception that the outgoing claim mapping would be replaced with an incoming mapping.
Summary of Exam Objectives

As you can see, Windows Server 2008 includes a number of amazing advancements, in particular those concerning Active Directory services. Each of these roles provides new layers of features, functions, and security options that were either not available in previous versions of the product or were not quite “baked in” enough, often being included in Version 1.0 of the solution. When you factor in the additional security of the Server Core installation, Active Directory has come a long way from its original release in Windows 2000. As you will find throughout the rest of this book, you can apply Active Directory roles, and Server Core, in many ways.
Exam Objectives Fast Track

New Roles in 2008
˛ With the release of Windows Server 2008, an Active Directory domain controller can be deployed in several new ways.
˛ Server Manager is a single solution used as one source for managing identity and system information.
˛ Server Manager is enabled by default when a Windows 2008 server is installed.
˛ Server Core is a minimal server installation option for Windows Server 2008 that contains a subset of executable files, as well as five server roles.

Read-Only Domain Controllers
˛ RODC holds all of the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, with the exception of account passwords.
˛ Unidirectional replication prevents RODCs from replicating information to a writable domain controller.
˛ The installation of read-only domain controllers can be delegated to other users.

Active Directory Lightweight Directory Service
˛ Active Directory Lightweight Directory Service is a slimmed-down version of AD.
˛ LDS is used when directory-aware applications need directory services, but there is no need for the overhead of a complete forest or domain structure.
˛ LDS has many new features over ADAM, including Auditing, Server Core Support, Support for Active Directory Sites and Services, and a Database Mounting Tool.

Active Directory Rights Management Services
˛ RMS does require a Client Access License.
˛ The three main functions of AD RMS are creating rights-protected files and templates, licensing rights-protected information, and acquiring licenses to decrypt rights-protected content and apply usage policies.
˛ The three new features of AD RMS are delegation of roles, integration with Federation Services, and self-enrollment.

Active Directory Federation Services
˛ Federation Services were first available in Windows Server 2003 R2.
˛ Federation Services provides an identity management solution that interoperates with WS-* Web Services Architecture-enabled security products.
˛ WS-Federation Passive Requestor Profile (WS-F PRP) also makes it possible for federation to work with solutions that do not use the Microsoft standard of identity management.
˛ The WS-Federation specification defines an integrated model for federating identity, authentication, and authorization across different trust realms and protocols.
˛ WS-Federation Passive Requestor Profile was created jointly by IBM, BEA Systems, Microsoft, VeriSign, and RSA Security.
Exam Objectives Frequently Asked Questions

Q: Can an RODC replicate to another RODC?
A: No. RODCs can only replicate with full domain controllers. This is a feature of the RODC, which is meant to be—as the name implies—a read-only server. Since neither RODC would have write capabilities in this example, it would be pointless to have them replicate to one another.

Q: Can I federate with a Windows Server 2003 R2 forest?
A: Yes, you can, but keep in mind that they will not have all of the same functionality. Federation was introduced in Windows Server 2003 R2 to allow IT organizations to take advantage of the basics of federation. However, features such as integration with other applications like AD RMS and Office SharePoint Server 2007 are not available.

Q: Can an RODC exist in a mixed-mode (Windows 2003 and Windows 2008) domain?
A: Yes, but you must run adprep with the proper switches in order for it to succeed. If the domain is not prepped for this new Windows Server 2008 role, the RODC installation will fail almost immediately. adprep is required to add the appropriate schema modifications for RODC.

Q: LDS sounds pretty cool. Can I just run that for my AD environment?
A: The short answer is yes, but if you are running AD internally, you would probably want the full functionality of Domain Services. LDS is meant for smaller environments, such as a DMZ, where additional functionality—in particular, management—is not a requirement.

Q: Does Rights Management work with mobile devices?
A: Yes, there is a mobile module for Rights Management Services. However, only Windows Mobile devices are supported with Rights Management. Check with your wireless vendor or mobile manufacturer for support and availability on particular models.
Q: I’ve heard that Server Core is only supported in 64-bit edition. Is that true?
A: No. Server Core works in both 32-bit and 64-bit editions; Hyper-V (virtualization) only runs on 64-bit. It should be noted that as of the writing of this book, Windows Server 2008 is expected to be the final 32-bit server operating system released by Microsoft.

Q: Do I have to use Server Manager for role deployment?
A: No. You can also use scripting tools to deploy roles. Also, depending on the role, role “bits” (the actual files that make up the role) can sometimes be added automatically. For example, if you forget to add the Directory Services role prior to running dcpromo.exe, dcpromo will add the role for you. However, this is not the case with all roles.
Self Test

1. You are the administrator for a nationwide company with over 5,000 employees. Your main office has approximately 4,500 employees, while the company’s ten remote offices have 50 users residing in each. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable amount of users at each office, you must provide them with directory services. What is the BEST option to use for directory services when security is often an unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services

2. ________ is a format and application-agnostic technology, which provides services to enable the creation of information-protection solutions.
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services
3. You are the administrator for a nationwide company with over 5,000 employees. Your director tells you your company has just signed into a partnership with another organization, and that you will be responsible for ensuring that authentication can occur between both organizations without the need for additional sign-on accounts. Your boss mentions that the partner has a variety of Directory Services installed throughout their organizations. Which of the following can Active Directory Federation Services NOT connect to?
A. Lightweight Directory Services
B. Windows Server 2003 Directory Services
C. Windows Server 2003 R2 Directory Services
D. All of the above

4. You are the administrator for a nationwide company with over 5,000 employees. Your main office has approximately 4,500 employees, while your company’s ten remote offices have 50 users each residing in them. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable amount of users at each office, you need to provide them with directory services. What is the BEST option to use for directory services when security is often an unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services

5. The Web development team has requested that you implement a new Web server in a DMZ that will be used for presenting Web sites to customers. Which of the following is NOT a reason for using Windows Server 2008 Core Server?
A. A Core installation does not require a Windows Server 2008 license.
B. A Core installation does not provide GUIs, which limits console access.
C. Core Server installs fewer services than a full installation of Windows Server 2008.
D. Core Server uses fewer resources than a full installation of Windows Server 2008.

6. You have a Windows Server 2003 R2 domain currently running in your organization. You would like to install a read-only domain controller into your Directory Services structure, but you do not want to completely upgrade your domain to Windows Server 2008 Directory Services just yet. What do you need to do in order to add an RODC?
A. Change the domain functional level to Windows Server 2008 mixed mode.
B. Change the forest functional level to Windows Server 2008 mixed mode.
C. Run adprep on a Windows Server 2003 R2 domain controller.
D. An RODC cannot be added until the entire domain is a Windows Server 2008 Directory Services domain.

7. You are looking to upgrade your environment to Windows Server 2008, and you are explaining the new Server Manager console to your boss. Which three of the following answers correctly describe ways that Server Manager can be used?
A. Server Manager can be used to add new server roles.
B. Server Manager can be used to add new server features.
C. Server Manager can be used to configure server failover.
D. Server Manager can be used for scripting commands.
8. You are attempting to install Directory Services on a Windows Server 2008 Server Core installation. You type dcpromo at the command prompt, but the server fails to install Directory Services. What is the MOST LIKELY reason for this?
A. Directory Services are not supported on a Server Core installation, only read-only domain controllers.
B. You must use an unattended file to complete the Directory Services installation.
C. You must use the Server Manager from another Windows Server 2008 system to complete the installation.
D. Your server’s chipset does not support Directory Services in a Server Core installation.

9. Which of the following Directory Services administration tools can be used in a Windows Server 2008 Lightweight Directory Services installation?
A. Active Directory Users and Computers
B. Active Directory Sites and Services
C. Active Directory Domains and Trusts
D. Active Directory Licensing Manager

10. BitLocker is a new technology that is available in Windows Server 2008 as well as Windows Vista. Which is NOT an advantage of using BitLocker?
A. BitLocker can be used to prevent a hacker from detecting my password.
B. BitLocker prevents someone from removing a hard drive from a system and reading it by installing it on another system.
C. BitLocker prevents someone from loading another operating system onto the server and reading the contents of the disk using this additional operating system.
D. All of the above selections are an advantage of using BitLocker.
Self Test Quick Answer Key
1. B
2. D
3. B
4. B
5. A
6. C
7. A, B, and C
8. B
9. B
10. A
Chapter 2
MCTS/MCITP Exam 640 Configuring Network Services

Exam objectives in this chapter:
■ Configuring Windows Internet Naming Service (WINS)

Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Introduction

When internetworking was first conceived and implemented in the 1960s and 1970s, the Internet Protocol (IP) addressing scheme was also devised. It uses four sets of 8 bits (octets) to identify a unique address, which is comprised of a network address and a unique host address. This provided enormous flexibility because the scheme allowed for millions of addresses. The original inventors of this system probably didn’t envision the networking world as it is today—with millions of computers spanning the globe, many connected to one worldwide network, the Internet.

Network Services are to Active Directory what gasoline is to a combustion engine—without them, Active Directory would simply be a shiny piece of metal that sat there and looked pretty. As a matter of fact, network services are not only crucial to Active Directory, but are equally important to networking on a much larger scale. Imagine watching television at home and hearing the voice-over for a Microsoft commercial say “Come visit us today at 207.46.19.190!” instead of “Come visit us today at www.microsoft.com!” Networking services make networking much easier to understand for the end user, but they also go well beyond that in terms of what they provide for a networking architecture.

In this chapter, we will explore the Domain Name System (DNS), a method of creating hierarchical names that can be resolved to IP addresses (which, in turn, are resolved to MAC addresses). We explain the basis of DNS and compare it to alternative naming systems. We also explain how the DNS namespace is created and resolved to an IP address throughout the Internet or within a single organization. Once you have a solid understanding of DNS, you will learn about Windows Server 2008 DNS servers, including the different roles DNS servers can play, the ways DNS Servers resolve names and replicate data, and how Windows Server 2008 Active Directory integrates with DNS.
By the end of this chapter, you’ll have a detailed understanding of DNS on the Internet, as well as how DNS works within a Windows Server 2008 network. We will also discuss two additional services: Windows Internet Naming Service (WINS) and Dynamic Host Configuration Protocol (DHCP), two common services used on Transmission Control Protocol/Internet Protocol (TCP/IP) networks. Each of these services plays an important role in your environment, ultimately assisting IT professionals in their quest to automate much of the mundane tasks that would otherwise need to be managed manually.
Configuring Domain Name System (DNS)

Microsoft defines the Domain Name System (DNS) as a hierarchical distributed database that contains mappings of fully qualified domain names (FQDNs) to IP addresses. DNS enables finding the locations of computers and services through user-friendly names and also enables the discovery of other types of records used for additional resources (which we will discuss later) in the DNS database. A much broader definition comes from the original Request For Comment (RFC), which was first released way back in November of 1983. RFC 882 (http://tools.ietf.org/html/rfc882) describes DNS conceptually, explaining how various components (domain name space, name servers, resolvers) come together to provide a domain name system. As you can imagine, a number of changes have been made to the original RFC. In fact, there have been three major RFC releases since the original debuted 25 years ago: RFC 883, RFC 1034, and RFC 1035. As you probably came to realize by looking at the date of the original DNS RFC, Microsoft was certainly not the first company to develop DNS services. In fact, the first Unix-based DNS service was written by four college students way back in 1984. Later, the code was rewritten by an engineer at Digital Equipment Corporation (DEC) and renamed Berkeley Internet Name Domain, or BIND, as it is more commonly known. Since the original DNS code was written, it has been rewritten by several companies, including Microsoft, Novell, Red Hat, and many others.

Now that you’ve had a little history lesson on DNS, let’s discuss some of the various record types that can be held inside a DNS database. The record type will determine what information is provided to a DNS client requesting data. For instance, if the DNS server is configured to use an “A” record (a naming resource record), it converts an IP address to a hostname. As an example, consider using 207.46.19.190 as the IP address, and www.microsoft.com as the hostname.
This would be a good example of how DNS resolution works. Another example of a record in use is the MX record. This record type is used when an e-mail server is trying to determine the IP address of another e-mail server. Table 2.1 outlines the types of records that can exist in a Windows Server 2008 DNS.
Table 2.1 Common DNS Record Types

Type                    Description
Host (A)                Maps a domain name (such as www.microsoft.com) to an IP address
Canonical Name (CNAME)  Maps an alias domain name to another server name
Mail exchanger (MX)     Maps a domain name to a system that controls mail flow
Pointer (PTR)           Reverses the mapping process; used to convert domain names to IP addresses
Service location (SRV)  Used to map domain names to a specific service
Regardless of the type of DNS you’re using—Microsoft, Linux, or another vendor—the DNS database holds a nearly identical format. Several components make up a DNS database. Figure 2.1 provides an example of a primary zone database (we will discuss the various types of zones later in this chapter).

Figure 2.1 A DNS Database File
Let’s take a moment to discuss some of the other information held in the database file.
■ IN – Internet Name This calls out that the information preceding the IN is the common name of the server. In the first line of the preceding database file, it indicates that the name at the top-left is the domain name this server supports. The names shown after the IN are the actual names of the server.
■ SOA – Start of Authority This indicates that the server shown in Figure 2.1 is authoritative over this particular domain. Thus, it has rights to add, remove, and change records for the domain.
■ 1 – Serial number Each time a change is made to a DNS database, a new serial number is assigned. Other servers—known as secondary servers—can copy DNS databases for local storage. If this serial number changes, the secondary servers know they need to update their copy.
■ 900 – Refresh Rate How often—in seconds—the secondary computer checks to see if it needs to update its database.
■ 600 – Retry How long a secondary DNS server should wait before requesting another update, should an update fail.
■ 86400 – Expire How long a secondary server can hold a database—without update—before it must purge its records.
■ 3600 – Time to Live (TTL) How long a client machine can store a requested record before it must request a refreshed record.
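To make the database fields above concrete, here is an added example (not the book's code, and not the Figure 2.1 file itself) that parses a constructed zone file carrying the same SOA timer values and models the serial-number check a secondary server performs at each refresh; the domain name, the addresses, and the timer sanity rules are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed zone file in the classic BIND text format.  The SOA timer values
# (serial 1, refresh 900, retry 600, expire 86400, TTL 3600) are the ones the
# text walks through; the domain name and addresses are made-up placeholders.
ZONE_FILE = """\
$ORIGIN example.test.
@    IN  SOA  ns1.example.test. hostmaster.example.test. (
              1       ; serial
              900     ; refresh
              600     ; retry
              86400   ; expire
              3600 )  ; minimum TTL
@    IN  NS   ns1.example.test.
ns1  IN  A    192.0.2.10
www  IN  A    192.0.2.20
"""


@dataclass
class SOA:
    primary: str       # server authoritative for the zone
    responsible: str   # mailbox of the zone's administrator
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int       # default TTL handed to clients


def _strip_comment(line):
    """Drop everything after ';', the zone-file comment character."""
    return line.split(";", 1)[0]


def parse_soa(zone_text):
    """Return the SOA fields; handles the multi-line parenthesised form."""
    body = " ".join(_strip_comment(ln) for ln in zone_text.splitlines())
    m = re.search(r"\bSOA\s+(\S+)\s+(\S+)\s*\(\s*([^)]*)\)", body)
    if m is None:
        raise ValueError("no SOA record found")
    nums = m.group(3).split()
    if len(nums) != 5:
        raise ValueError("SOA needs serial, refresh, retry, expire, minimum")
    return SOA(m.group(1), m.group(2), *[int(n) for n in nums])


def parse_records(zone_text):
    """Return (owner, class, type, rdata) for each single-line record,
    expanding '@' and relative owner names against $ORIGIN."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        parts = line.split()
        # The SOA spans several lines and is handled by parse_soa().
        if len(parts) < 4 or parts[2] == "SOA" or "(" in line or ")" in line:
            continue
        owner = parts[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        records.append((owner, parts[1], parts[2], " ".join(parts[3:])))
    return records


def secondary_needs_transfer(local_serial, primary_serial):
    """The check a secondary makes every 'refresh' seconds: pull a fresh copy
    only when the primary's serial has moved past the copy it already holds."""
    return primary_serial > local_serial


def check_soa_timers(soa):
    """Sanity rules that follow from what the timers mean (assumed policy, not
    a rule from the book): retry should not exceed refresh, and expire must
    outlast one refresh cycle plus one retry, or the secondary would purge its
    copy before it had a chance to re-check.  Returns a list of problems."""
    problems = []
    if soa.retry > soa.refresh:
        problems.append(f"retry ({soa.retry}) exceeds refresh ({soa.refresh})")
    if soa.expire <= soa.refresh + soa.retry:
        problems.append(f"expire ({soa.expire}) does not outlast refresh + retry")
    return problems


if __name__ == "__main__":
    soa = parse_soa(ZONE_FILE)
    print(soa)
    print("records:", parse_records(ZONE_FILE))
    print("timer problems:", check_soa_timers(soa) or "none")
    print("secondary at serial 1 transfers when primary is at 2:",
          secondary_needs_transfer(1, 2))
```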
Thus far, we’ve been focusing on how an individual DNS server is configured. However, we must also look at DNS structures on a much higher level. The first thing to understand is that the worldwide DNS structure is just incredibly massive—and continues to grow on a daily basis as new domains are brought online. As large as it is, the general structure behind it is relatively simple. DNS is based on a “tree” format—and an upside-down tree, at that. At the top of the tree is the root—the root is the beginning of all DNS naming conventions and has total authority over all naming conventions beneath it. DNS Root is essentially a period—yes, a period. Technically speaking, if you decide to shop online at Elsevier’s Web site, you are shopping at “www.elsevier.com.” If that doesn’t make sense, let’s break it down. Basically, domains (and domain server names) are really read from right-to-left in the computer world. The “.” is assumed in any DNS resolution, but is still the highest level. Com would be the second-highest level, followed by another period for separation, and then Elsevier. So, in regards to DNS hierarchy, the top level domain would be “.”, followed by the second-highest level domain, which would be com, followed by the third-highest level domain, Elsevier. When combined to form an FQDN, the result would be “Elsevier.com.” WWW represents nothing more than the name of a server that exists in the Elsevier.com domain. WWW has become commonplace for World Wide Web services, but it could just as easily be supercalafragalisticexpialidotious.elsevier.com—though I doubt it would get as many hits. If you are still confused by how DNS naming structures work, take a look at Figure 2.2, which shows a sample of how a DNS tree looks.

Figure 2.2 A Sample DNS Tree
The summit of the DNS namespace hierarchy is the root, which has several servers managed by the Internet Name Registration Authority (INRA). Immediately below the root are the COM, NET, EDU, and other top-level domains listed in Table 2.2. Each of these domains is further divided into namespaces that are managed by the organizations that register them. For example, syngress.com is managed by a different organization than umich.edu.

Table 2.2 Domain Suffixes Used on the Internet

Domain Suffix                         Typical Usage
.mil                                  United States military
.edu                                  Educational facilities
.com                                  Commercial organizations
.net                                  Networks
.org                                  Nonprofit organizations
.gov                                  United States government—nonmilitary
.us                                   United States
.uk                                   United Kingdom
.au                                   Australia
.de                                   Germany
Other two-letter abbreviations (.xx)  Other countries
NOTE In addition to the domain suffixes shown in Table 2.2, you will also find the occasional privately used domain suffix .local. The .local suffix is not managed by a DNS root server, so the namespace cannot be published on the Internet. When you design the namespace for an Active Directory network, you can choose to use the .local suffix for domains that will not have any hosts on the Internet. Keep in mind that using the .local namespace internally will not prevent an organization from using Internet resources, such as browsing the Web.
Organizations often split the ownership of their DNS namespace. One team might be responsible for everything inside the firewall, while another team may be responsible for the namespace that faces the public. Since Active Directory often replaces Windows NT as an upgrade, the team responsible for Windows NT will often take over the DNS namespace management for Active Directory domains. Since Active Directory DNS design and implementation does differ somewhat from the standard DNS design and implementation, you can often find the two types of tasks split between two different groups in the same organization.

Those are the basics of how Domain Name Services function on a much grander scale. In the coming sections of this chapter, we will discuss how to use DNS within a Windows Server 2008 environment. First, though, let’s discuss how to install and perform the initial configuration of DNS on Windows Server 2008.
EXAM WARNING Check for conflicts when asked questions regarding DNS namespace designs. For example, if the scenario states that a particular namespace is already being used for another purpose, it is likely not going to be the first choice for an Active Directory root domain namespace.
Identifying DNS Record Requirements

A Resource Record (RR) is to DNS what a table is to a database. A Resource Record is part of DNS’s database structure that contains the name information for a particular host or zone. Table 2.3 contains an aggregation of the most popular RR types that have been collected from the various RFCs that define their usage:

Table 2.3 RR Types

Record Type | Common Name | Function | RFC
A | Address record | Maps FQDN to 32-bit IPv4 addresses. | RFC1035
AAAA | IPv6 address record | Maps FQDN to 128-bit IPv6 addresses. | RFC1886
AFSDB | Andrews file system | Maps a DNS domain name to a server subtype that is either an AFS Version 3 volume or an authenticated name server using DCE or NCA. | RFC1183
ATMA | Asynchronous Transfer Mode address | Maps a DNS domain name in the owner field to an ATM address referenced in the atm_address field. |
CNAME | Canonical name or alias name | Maps a virtual domain name (alias) to a real domain name. | RFC1035
HINFO | Host info record | Specifies the CPU and operating system type for the host. | RFC1700
ISDN | ISDN info record | Maps an FQDN to an ISDN telephone number. | RFC1183
KEY | Public key resource record | Contains a public key that is associated with a zone. In full DNSSEC (defined later in this chapter) implementation, resolvers and servers use KEY resource records to authenticate SIG resource records received from signed zones. KEY resource records are signed by the parent zone, allowing a server that knows a parent zone’s public key to discover and verify the child zone’s key. Name servers or resolvers receiving resource records from a signed zone obtain the corresponding SIG record, and then retrieve the zone’s KEY record. |
MB | Mailbox name record | Maps a domain mail server name to the host name of the mail server. | RFC1035
MG | Mail group record | Maps a domain mailing group to the mailbox resource records. | RFC1035
MINFO | Mailbox info record | Specifies a mailbox for the person who maintains the mailbox. | RFC1035
MR | Mailbox renamed record | Maps an old mailbox name to a new mailbox name for forwarding purposes. | RFC1035
MX | Mail exchange record | Provides routing info to reach a given mailbox. | RFC974
NS | Name server record | Specifies that the listed name server has a zone starting with the owner name. Identifies servers other than SOA servers that contain zone information files. | RFC1035
NXT | Next resource record | Indicates the nonexistence of a name in a zone by creating a chain of all of the literal owner names in that zone. It also indicates which resource record types are present for an existing name. |
OPT | Option resource record | One OPT resource record can be added to the additional data section of either a DNS request or response. An OPT resource record belongs to a particular transport level message, such as UDP, and not to actual DNS data. Only one OPT resource record is allowed, but not required, per message. |
PTR | Pointer resource record | Points to another DNS resource record. Used for reverse lookup to point to A records. | RFC1035
RP | Responsible person info record | Provides info about the server admin. | RFC1183
RT | Route-through record | Provides routing info for hosts lacking a direct WAN address. | RFC1183
SIG | Signature resource record | Encrypts an RRset to a signer’s (the RRset’s zone owner) domain name and a validity interval. |
SOA | Start of Authority resource record | Indicates the name of origin for the zone and contains the name of the server that is the primary source for information about the zone. It also indicates other basic properties of the zone. The SOA resource record is always first in any standard zone. It indicates the DNS server that either originally created it or is now the primary server for the zone. It is also used to store other properties such as version information and timings that affect zone renewal or expiration. These properties affect how often transfers of the zone are done between servers that are authoritative for the zone. | RFC1537
SRV | Service locator record | Provides a way of locating multiple servers that provide similar TCP/IP services. | RFC2052
TXT | Text record | Maps a DNS name to a string of descriptive text. | RFC1035
WKS | Well-known services record | Describes the most popular TCP/IP services supported by a protocol on a specific IP address. | RFC1035
X25 | X.25 info record | Maps a DNS address to a public switched data network (PSDN) address number. | RFC1183
The official IANA (Internet Assigned Numbers Authority) list of DNS parameters can be found at www.iana.org/assignments/dns-parameters, and a really good DNS glossary is available at www.menandmice.com/online_docs_and_faq/glossary/ glossarytoc.htm.
Installing and Configuring DNS

DNS can be installed and configured on any version of Windows Server 2008—Web Edition, Standard Edition, Enterprise Edition, or Datacenter Edition. It is a network service that can be integrated with Active Directory (for security and replication purposes), or as a stand-alone service. A Windows Server 2008 DNS can manage not only internal namespaces, but external (Internet-facing) namespaces as well. In the following examples, we will be installing DNS on a Windows Server 2008 Standard Server.
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary and click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select DNS Server (see Figure 2.3), and then click Next.

Figure 2.3 Selecting the DNS Server Role

5. At the DNS Server window, read the overview, and then click Next.
6. Confirm your selections, and then click Install.
7. When installation is complete, click Close.
Next, we will configure some basic server settings:
1. Choose Start | Administrative Tools | DNS.
2. Find your server name in the left pane and double-click it. This will open the DNS configuration for this server (see Figure 2.4).
Figure 2.4 The Opening DNS Configuration Data
3. Look at the DNS properties of this server. Right-click the server name and select Properties from the drop-down menu.
4. The first tab that opens is the Interfaces tab. This tab can be adjusted if you have additional NICs in your server. This is particularly useful if you only want DNS queries to be answered by systems on a particular subnet. In general, you will likely leave it at the default of All IP Addresses.
5. Click the Root Hints tab. Notice there are multiple name servers with different IP addresses (Figure 2.5). With root hints, any queries that cannot be answered locally are forwarded to one of these root servers. Optionally, we can clear our root hints by selecting them and clicking Remove. Remove all of the servers, and click Forwarders.
Figure 2.5 DNS Root Hints
6. On the Forwarders tab, we can specify where DNS queries that are not resolved locally will be sent for resolution. As opposed to Root Hints, this gives us much more control over where our queries are sent. For example, we can click Edit… and enter 4.2.2.1—a well-known DNS server. After you enter the IP address, click OK.
7. Look through the other tabs in the Properties dialog box. In particular, take a look at the Advanced tab (Figure 2.6). Notice the check box for BIND Secondaries—this makes it possible for BIND servers to make local copies of DNS databases. Also, look at the Enable Automatic Scavenging Of Stale Records option. With this option, you can specify how often DNS will perform a cleanup of old records.
Figure 2.6 Advanced DNS Settings
8. Click Apply to save the changes we made, and then click OK to close the window. We still have a lot to do with configuring a DNS server, but before we move on to configuring zones, let’s walk through the process of installing DNS on a Windows Server 2008 Core Installation.
Using Server Core and DNS

As we discussed in Chapter 1, a Windows Server 2008 Core Server Installation can be used for multiple purposes. One of the ways Server Core can be used is to provide a minimal installation for DNS. In the coming sections, we will discuss the various ways you can manipulate, manage, and configure DNS servers through the various Windows Server 2008 DNS Graphical User Interfaces (GUIs): DNS Manager and the Server Manager tool.
However, as you will recall, no GUIs are provided with Windows Server 2008 Core Server. A number of advantages to running DNS within Server Core include:

■ Smaller Footprint: Reduces the amount of CPU, memory, and hard disk needed.
■ More Secure: Fewer components and services running unnecessarily.
■ No GUI: No GUI means that users cannot make modifications to the DNS databases (or any other system functions) using common/user-friendly tools.
If you are planning to run DNS within a Server Core install, several steps must be performed prior to installation. The first step is to set the IP information of the server. To configure the IP addressing information of the server, do the following:

1. Identify the network adapter. To do this, in the console window, type netsh interface ipv4 show interfaces and record the number shown under the Idx column.
2. Set the IP address, Subnet Mask, and Default Gateway for the server. To do so, type netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>. <ID> represents the interface number from step 1, <StaticIP> represents the IP address we will assign, <SubnetMask> represents the subnet mask, and <DefaultGateway> represents the IP address of the server's default gateway. See Figure 2.7 for our sample configuration.

Figure 2.7 Setting an IP Address in Server Core
3. Assign the IP address of the DNS server. If this server is part of an Active Directory domain and is replicating Active Directory–integrated zones (we will discuss those next), we would likely point this server to another AD-integrated DNS server. If it is not, we would point it to another external DNS server—usually the Internet provider of your company. From the console, type netsh interface ipv4 add dnsserver name="<ID>" address=<StaticIP> index=1. <ID> represents the number from step 1, while <StaticIP> represents the IP address of the DNS server.

Once the IP address settings are completed—you can verify this by typing ipconfig /all—we can install the DNS role onto the Core Server installation:

4. To do this, from the command line, type start /w ocsetup DNS-Server-Core-Role.
5. To verify that the DNS Server service is installed and started, type NET START. This will return a list of running services.
6. Use the dnscmd command-line utility to manipulate the DNS settings. For example, you can type dnscmd /enumzones to list the zones hosted on this DNS server.
7. We can also change all of the configuration options we modified in the GUI section earlier by using the dnscmd /config option. For example, we can enable BIND secondaries by typing dnscmd <servername> /config /bindsecondaries 1. You can see the results in Figure 2.8.

Figure 2.8 Using the dnscmd Utility
There are many, many more things you can do with the dnscmd utility. For more information on the dnscmd syntax, visit http://technet2.microsoft.com/WindowsServer/en/library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx. So far, you have learned how to install and configure the DNS server; now we will discuss how to configure DNS zones.
Configuring Zones

We’ve mentioned “zones” several times already in this chapter. Simply put, a zone is the namespace allocated for a particular server. Each “level” of the DNS hierarchy represents a particular zone within DNS. For the actual DNS database, a zone is a contiguous portion of the domain tree that is administered as a single separate entity by a DNS server. The zone contains resource records for all of the names within the zone. If Active Directory–integrated zones are not being used, zone files contain the DNS database resource records required to define the zone. If DNS data is Active Directory–integrated, the data is stored in Active Directory, not in zone files.

■ Primary Zone With a primary zone, the server hosting this zone is authoritative for the domain name. It stores the master copy of the domain information locally. When the zone is created, a file with the suffix .dns is created in the %windir%\System32\dns subdirectory of the DNS server.
■ Secondary Zone This is a secondary source—essentially a copy—of the primary DNS zone, with read-only capabilities.
■ Stub Zone Only stores information about the authoritative name servers for a particular zone.
Primary and secondary zones are standard (that is, non-Active Directory–integrated) forward lookup zones. The principal difference between the two is the ability to add records. A standard primary zone is hosted on the master servers in a zone replication scheme. Primary zones are the only zones that can be edited, whereas secondary zones are read-only and are updated only through zone transfer. DNS master servers replicate a copy of their zones to one or more servers that host secondary zones, thereby providing fault tolerance for your DNS servers. DNS standard zones are the types of zones you should use if you do not plan on integrating Active Directory with your DNS servers. An Active Directory–integrated zone is basically an enhanced primary DNS zone stored in Active Directory and thus can, unlike all other zone types, use multimaster replication and Active Directory security features. It is an authoritative primary zone in which all of the zone data is stored in Active Directory. As mentioned previously, zone files are neither used nor necessary. Integrating DNS with Active Directory produces the following additional benefits:

■ Speed Directory replication is much faster when DNS and Active Directory are integrated. This is because Active Directory replication is performed on a per-property basis, meaning that only changes that apply to particular zones are replicated. Because only the relevant information is replicated, the time required to transfer data between zones is greatly reduced. On top of this, a separate DNS replication topology is eliminated because the Active Directory replication topology is used for both ADI zones and AD itself.
■ Reduced Administrative Overhead Any time you can reduce the number of management consoles you have to work with, you reduce the amount of time needed to manage information. Without the advantage of consolidating the management of DNS and Active Directory in the same console, you would have to manage your Active Directory domains and DNS namespaces separately. Moreover, your DNS domain structure mirrors your Active Directory domains. Any deviation between Active Directory and DNS makes management more time-consuming and creates more opportunity for mistakes. As your network continues to grow and become more complex, managing two separate entities becomes more involved. Integrating Active Directory and DNS provides you with the ability to view and manage them as a single entity.
■ Automatic Synchronization When a new domain controller is brought online, networks that have integrated DNS and Active Directory have the advantage of automatic synchronization. Even if a domain controller will not be used to host the DNS service, the ADI zones will still be replicated, synchronized, and stored on the new domain controllers.
■ Secure Dynamic DNS Additional features have been added that enhance the security of secure dynamic updates. These features will be discussed in the “DNS Security Guidelines” section later in this chapter.
A reverse lookup zone is an authoritative DNS zone that is used primarily to resolve IP addresses to network resource names. This zone type can be primary, secondary, or Active Directory–integrated. Reverse lookups traverse the DNS hierarchy in exactly the same way as the more common forward lookups. Stub zones are a new feature introduced in Windows Server 2008. They contain a partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. A recursive query is a request from a host to a resolver to find data on other name servers. An iterative query is a request, usually made by a resolver, for any information a server already has in memory for a certain domain name. Stub zones contain the Start of Authority (SOA) resource records of the zone, the DNS resource records that list the zone’s authoritative servers, and the glue address (A) resource records that are required for contacting the zone’s authoritative servers. Stub zones are useful for reducing the number of DNS queries on a network, and consequently the resource consumption on the primary DNS servers for that particular namespace. Basically, stub zones are used to find other zones and can be created in the middle of a large DNS hierarchy to prevent a query for a distant zone within the same namespace from having to ascend, traverse, and return over a multitude of zones. Windows Server 2008 also allows for a special type of primary zone—known as an AD-integrated zone—which basically means that the data is stored within Active Directory Domain Services and is replicated to other DNS servers during normal AD replication periods. AD-integrated zones offer a number of benefits, including:

■ Secure Dynamic Updates Systems that are authenticated by Active Directory can update their DNS records. This allows name resolution for clients and servers while eliminating DNS poisoning by rogue systems that create DNS records.
■ Automatic Synchronization Zones are created and synchronized to new domain controllers (with DNS installed) automatically.
■ Efficient Replication Less data is replicated since only relevant changes are propagated.
TEST DAY TIP

Don’t underestimate the importance of Secure Dynamic Updates on the exam. They are essential to providing security when using dynamic updates in two different ways. First, they provide enhanced security, which prevents “guests” (computers that are not part of Active Directory) from being able to update DNS independently. The second important feature ties directly to application-push and client management technologies, such as System Center Configuration Manager. By having a constantly refreshed (and accurate) database of clients, it makes technologies such as client management tools much more accurate and useful.
Zone Transfer

Zone transfer is the process of copying the contents of the zone file on a primary DNS server to a secondary DNS server. Using zone transfer provides fault tolerance by synchronizing the zone file in a primary DNS server with the zone file in a secondary DNS server. The secondary DNS server can continue performing name resolution if the primary DNS server fails. Furthermore, secondary DNS servers can transfer to other secondary DNS servers in the same hierarchical fashion, which makes the higher-level secondary DNS server a master to other secondary servers. Three transfer modes are used in a Windows Server 2008 DNS configuration:

■ Full Transfer When you bring a new DNS server online and configure it to be a secondary server for an existing zone in your environment, it will perform a full transfer of all the zone information in order to replicate all the existing resource records for that zone. Older implementations of the DNS service also used full transfers whenever updates to a DNS database needed to be propagated. Full zone transfers can be very time-consuming and resource-intensive, especially in situations where there isn’t sufficient bandwidth between primary and secondary DNS servers. For this reason, incremental DNS transfers were developed.
■ Incremental Transfer When you are using incremental zone transfers, the secondary server retrieves only resource records that have changed within a zone, so that it remains synchronized with the primary DNS server. When incremental transfers are used, the databases on the primary server and the secondary server are compared to see if any differences exist. If the zones are identified as the same (based on the serial number of the Start of Authority resource record), no zone transfer is performed. If, however, the serial number on the primary server database is higher than the serial number on the secondary server, a transfer of the delta resource records commences. Because of this configuration, incremental zone transfers require much less bandwidth and create less network traffic, allowing them to finish faster. Incremental zone transfers are often ideal for DNS servers that must communicate over low-bandwidth connections.
■ DNS Notify The third method for transferring DNS zone records isn’t actually a transfer method at all. To avoid the constant polling of primary DNS servers from secondary DNS servers, DNS Notify was developed as a networking standard (RFC 1996) and has since been implemented into the Windows operating system. DNS Notify allows a primary DNS server to utilize a “push” mechanism for notifying secondary servers that it has been updated with records that need to be replicated. Servers that are notified can then initiate a zone transfer (either full or incremental) to “pull” zone changes from their primary servers as they normally would. In a DNS Notify configuration, the IP addresses for all secondary DNS servers in a DNS configuration must be entered into the notify list of the primary DNS server to pull, or request, zone updates.

Each of the three methods has its own purpose and functionality. How you handle zone transfers between your DNS servers depends on your individual circumstances.
TEST DAY TIP

Remember that full and incremental transfers actually transfer the data between the DNS servers, and that DNS Notify is not a mechanism for transferring zone data. It is used in conjunction with AXFR (Full Transfer) and IXFR (Incremental Transfer) to notify a secondary server that new records are available for transfer.
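As an added illustration of the three modes and the tip above (example code, not from the book and not the Windows DNS service), this Python sketch models a primary with a notify list and a journal of deltas, and a secondary that receives a DNS Notify, compares SOA serials, and then pulls either an IXFR delta or a full AXFR. The wraparound serial comparison (RFC 1982) and the fallback to AXFR when the primary no longer has the needed deltas are details assumed here beyond the text; zone name, addresses and serials are constructed.

```python
"""Zone transfer decisions after a DNS NOTIFY: no transfer, IXFR or AXFR."""
from dataclasses import dataclass, field

SERIAL_SPACE = 2 ** 32


def serial_is_newer(candidate: int, current: int) -> bool:
    """SOA serials are 32-bit and wrap, so 'higher' follows RFC 1982
    serial-number arithmetic rather than plain integer comparison."""
    if candidate == current:
        return False
    return 0 < (candidate - current) % SERIAL_SPACE < SERIAL_SPACE // 2


@dataclass
class PrimaryZone:
    name: str
    serial: int
    records: dict                                      # owner name -> rdata (one RR per name)
    notify_list: list = field(default_factory=list)    # secondaries that receive NOTIFY
    journal: list = field(default_factory=list)        # (old_serial, new_serial, added, removed)

    def apply_change(self, added: dict, removed: set) -> list:
        """Edit the zone, bump the serial, journal the delta for IXFR, and return
        the NOTIFY messages to push (RFC 1996: only the new serial, no zone data)."""
        old = self.serial
        self.records = {k: v for k, v in self.records.items() if k not in removed}
        self.records.update(added)
        self.serial = (old + 1) % SERIAL_SPACE
        self.journal.append((old, self.serial, dict(added), set(removed)))
        return [{"to": ip, "zone": self.name, "serial": self.serial} for ip in self.notify_list]

    def prune_journal(self, keep_last: int) -> None:
        """Forget old deltas; a secondary further behind must fall back to AXFR."""
        self.journal = self.journal[-keep_last:]


@dataclass
class SecondaryZone:
    name: str
    serial: int
    records: dict

    def on_notify(self, notify: dict, primary: PrimaryZone) -> str:
        """Handle a NOTIFY: query the primary's SOA serial, then pull if needed."""
        if notify["zone"] != self.name:
            return "ignored"
        if not serial_is_newer(primary.serial, self.serial):
            return "no-transfer"                       # serials match: nothing to pull
        deltas = {old: (new, added, removed) for old, new, added, removed in primary.journal}
        if self.serial not in deltas:
            return self._axfr(primary)                 # delta history gone: full transfer
        while self.serial != primary.serial:           # replay deltas in order (IXFR)
            new, added, removed = deltas[self.serial]
            for name in removed:
                self.records.pop(name, None)
            self.records.update(added)
            self.serial = new
        return "IXFR"

    def _axfr(self, primary: PrimaryZone) -> str:
        self.records = dict(primary.records)
        self.serial = primary.serial
        return "AXFR"
```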
Let’s take a look at how to create a new DNS zone:

1. Choose Start | Administrative Tools | DNS.
2. In the console tree, double-click your server, and then click Forward Lookup Zones.
3. Right-click Forward Lookup Zones, and then select New Zone.
4. The New Zone Wizard appears. Click Next (see Figure 2.9).
Figure 2.9 The New Zone Wizard
5. On the Zone Type page, click Primary zone and then click Next.
6. On the Active Directory Zone Replication Scope page, click Next.
7. On the Zone Name page, in the Name field, type a name for a test zone (Figure 2.10), and then click Next.

Figure 2.10 The Zone Name Page
8. On the Zone File page, click Next.
9. On the Dynamic Update page, choose Allow Both Nonsecure And Secure Dynamic Updates and click Next.
NOTE

Normally, when configuring Dynamic Updates, you should choose the Secure Only option. For lab purposes in this book, however, you can choose Allow Both Nonsecure And Secure Dynamic Updates.
10. On the Completing The New Zone Wizard page, click Finish.
Active Directory Records

If you turned on dynamic updates in the previous exercise, and you have Active Directory loaded on your server, reboot your system. After your system reboots, notice the following new records in your zone.

■ _ldap._tcp.<DnsDomainName> Enables a client to locate a domain controller in the domain named by <DnsDomainName>. A client searching for a domain controller in the domain uccentral.ads would query the DNS server for _ldap._tcp.uccentral.ads.
■ _ldap._tcp.<SiteName>._sites.<DnsDomainName> Enables a client to find a domain controller in the domain and site specified (such as _ldap._tcp.lab._sites.uccentral.ads for a domain controller in the Lab site of uccentral.ads).
■ _ldap._tcp.pdc._msdcs.<DnsDomainName> Enables a client to find the PDC Emulator flexible single master operations (FSMO) role holder of a mixed- or native-mode domain. Only the PDC of the domain registers this record.
■ _ldap._tcp.gc._msdcs.<DnsForestName> Found in the zone associated with the root domain of the forest, this enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the forest will register this name. If a server ceases to be a GC server, the server will deregister the record.
■ _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName> Enables a client to find a GC server in the specified site (such as _ldap._tcp.lab._sites.gc._msdcs.uccentral.ads).
■ _ldap._tcp.<GUID>.domains._msdcs.<DnsForestName> Enables a client to find a domain controller in a domain based on the domain controller’s globally unique ID (GUID). A GUID is a 128-bit (8 byte) number that is generated automatically for the purpose of referencing Active Directory objects. This mechanism and these records are used by domain controllers to locate other domain controllers when they need to replicate, for example.
■ <DnsDomainName> Enables a client to find a domain controller via a normal Host (A) record.
Special records specifically associated with Active Directory allow servers and clients to interact with Active Directory services in a meaningful way.
Reverse Lookup Zones

As mentioned earlier, a reverse lookup zone is an authoritative DNS zone that is used primarily to resolve IP addresses to network resource names. This zone type can be primary, secondary, or Active Directory–integrated. Reverse lookups traverse the DNS hierarchy in exactly the same way as the more common forward lookups. To handle reverse lookups, a special root domain called in-addr.arpa was created. Subdomains within the in-addr.arpa domain are created using the reverse ordering of the octets that form an IP address. For example, the reverse lookup domain for the 192.168.100.0/24 network would be 100.168.192.in-addr.arpa. The reason the IP addresses are inverted is that IP addresses, when read from left to right, get more specific; the IP address starts with the more general information first. FQDNs, in contrast, get more general when read from left to right; the FQDN starts with a specific host name. In order for reverse lookup zones to work properly, they use a special RR called a PTR record that provides the mapping of the IP address in the zone to the FQDN. Reverse lookup zones are used by certain applications, such as NSLookup (an important diagnostic tool that should be part of every DNS administrator’s arsenal). If a reverse lookup zone is not configured on the server to which NSLookup is pointing, you will get an error message when you invoke the nslookup command.
Head of the class ...

Security Considerations for the Presence of a Reverse Lookup Zone

Being able to make NSLookup work against your DNS servers is not the only, or most important, reason why you should configure reverse lookup zones. Applications on your internal network, such as DNS clients that are trying to register PTR records in a reverse lookup zone, can “leak” information about your internal network out to the Internet if they cannot find a reverse lookup zone on the intranet. To prevent this information from leaking from your network, you should configure reverse lookup zones for the addresses in use on your network.
Configuring Reverse Lookup Zones

Now, we need to create a matching reverse lookup zone. This will handle reverse resolution for our subnet. In this case, it is 192.168.1.x.

1. Choose Start | Administrative Tools | DNS.
2. In the console tree, click Reverse Lookup Zones.
3. Right-click Reverse Lookup Zones, and then click New Zone.
4. When the New Zone Wizard appears, click Next.
5. On the Zone Type page, select Primary Zone, and then click Next.
6. On the Reverse Lookup Zone Name page, make sure IPv4 is selected, and then click Next.
7. On the Reverse Lookup Zone Name page (Figure 2.11), in the Network ID field, type the start of the subnet range of your network (in this case, 192.168.1.x), and then click Next.
Figure 2.11 The Reverse Lookup Zone Name Page
8. On the Zone File page, click Next.
9. On the Dynamic Update page, click Next.
10. On the Completing The New Zone Wizard page, click Finish.

Now we need to enable IPv6 so we can offer domain name resolution for clients who may use IPv6 as opposed to IPv4. We’re also going to need it if we want to enable IPv6 DHCP addressing later in this chapter. First, we need to set an IPv6 address for our server. To do so, perform the following steps:

1. Choose Start and right-click Network.
2. Select Properties from the drop-down menu.
3. Click Manage Network Connections.
4. Right-click the Network connection and choose Properties.
5. Double-click Internet Protocol Version 6 (TCP/IPv6).
6. Click the radio button for Use The Following IPv6 Address. If you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403.
7. Enter a Subnet prefix length of 64.
8. Your preferred DNS server would be the same as that mentioned earlier (your IPv6 address).
9. Close the Network Connections window and re-open the DNS administrator console.
10. In the console tree, click Reverse Lookup Zones.
11. Right-click Reverse Lookup Zones, and then click New Zone.
12. When the New Zone Wizard appears, click Next.
13. On the Zone Type page, select Primary Zone, and then click Next.
14. On the Reverse Lookup Zone Name page, make sure IPv6 is selected, and then click Next.
15. In the Reverse Lookup Zone Name field, type in the prefix 2001:0db8:29cd:1a0f::/64, and then click Next.
16. On the Dynamic Update page, choose Allow Both Nonsecure And Secure Dynamic Updates (for testing purposes in this book only—normally, you should use Secure Only), and click Next.
17. Click Finish to create the New Zone.
18. To create an IPv6 record, right-click the Primary Lookup Zone for your domain (in our lab, it is uccentral.ads), and then click New Host.
19. In the Name field, enter the name of your server. Our server name is dc1.
20. In the IP address field, enter the IPv6 address we set for the server.
21. Verify that Create Associated Pointer (PTR) Record is checked, and click Add Host.

You should now see a new AAAA record for the server, as well as a new PTR record in the Reverse Lookup Zone we created.
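As an added example (not code from the book), the Python below computes the zone names that the two wizards above derive from the 192.168.1.x Network ID and the 2001:0db8:29cd:1a0f::/64 prefix, and the PTR owner name that Add Host creates for the server's address; it generalizes to any octet-aligned IPv4 prefix under in-addr.arpa and any nibble-aligned IPv6 prefix under ip6.arpa, which the text only shows by example.

```python
"""Reverse lookup zone names and PTR owner names for IPv4 and IPv6 prefixes."""
import ipaddress


def reverse_zone_name(prefix: str) -> str:
    """Name of the reverse lookup zone that covers a CIDR prefix.

    in-addr.arpa carries one label per octet, so an IPv4 zone needs a prefix
    that is a multiple of 8 bits (192.168.1.x in the wizard is a /24).
    ip6.arpa carries one label per hex nibble, so an IPv6 zone needs a prefix
    that is a multiple of 4 bits (the /64 used in the exercise qualifies).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated on octet boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_record(address: str, zone_prefix: str) -> tuple:
    """Return (zone name, PTR owner name relative to that zone) for an address,
    or raise if the address is not inside the zone's prefix."""
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(zone_prefix, strict=True)
    if addr.version != net.version or addr not in net:
        raise ValueError(f"{address} is outside {zone_prefix}")
    zone = reverse_zone_name(zone_prefix)
    # reverse_pointer is the full owner name (e.g. 10.1.168.192.in-addr.arpa);
    # dropping the zone suffix leaves the label DNS Manager shows inside the zone.
    full = addr.reverse_pointer
    return zone, full[: -(len(zone) + 1)]
```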
Configuring & Implementing …

Developing the DNS Design for Your Network

There are few limitations to developing DNS designs and deploying the service thereafter. You should consider the following points during your design process:

■ Each domain contains a set of resource records. Resource records map names to IP addresses or vice versa depending on which type of record it is. Special resource records exist to identify types of servers on the networks. For example, an MX resource record identifies a mail server.
■ If the organization has a large number of hosts, use subdomains to speed up the DNS response.
■ The only limitation to using subdomains on a single DNS server is the server’s own memory and disk capacity.
■ A zone contains one or more domains and their resource records. Zones can contain multiple domains if they have a parent and child relationship.
■ A DNS server with a primary zone is authoritative for the zone, and updates can be made on that server. There can only be one primary zone for each zone defined.
■ A DNS server with a secondary zone contains a read-only copy of the zone. Secondary zones provide redundancy and speed up query responses by being placed near the computers that place DNS queries.
■ DNS servers can use primary and secondary zones whether they are running Windows Server 2008 or are a third-party DNS server.
Now you can double-click the Forward Lookup Zones and Reverse Lookup Zones and view the zones you have created. The zones will be displayed in the console pane under the appropriate zone type. From here, you can add records by right-clicking the zone and selecting the type of record you want to create. Likewise, you can right-click the zone and select Properties to modify the properties of the zone. Some of the properties you can modify include:

■ Dynamic Updates: The ability for clients to automatically update DNS records.
■ Zone Type: You can change a zone type from Primary, to Secondary, or to Stub Zone. If Active Directory is installed, you can also make the zone Active Directory–integrated.
■ WINS integration: We will discuss this later in the chapter, but this is where you can involve WINS resolution with DNS resolution.
■ Name Servers: You can add the names and IP addresses of servers that have the rights to create copies of the DNS zone.
■ Zone Transfer: Here, you can specify whether the zone can be transferred to another DNS server. You can also specify whether it can be transferred to any server, only the servers in the Name Servers tab (discussed earlier), or to only specific DNS servers by IP address or FQDN.
Configuring Zone Resolution

There is a new name resolution feature available with the release of Windows Server 2008: GlobalNames Zones. The GlobalNames zone was introduced to help phase out the Windows Internet Naming Service (WINS), which we will discuss later. However, it is important to note that the GlobalNames zone is not intended to support the same type of name resolution provided by WINS, whose records typically are not managed by IT administrators. After the configuration of the GlobalNames zone, you are responsible for management of all records in the zone, as there are no dynamic updates. So, where this is really relevant is within organizations that have multiple domain names. When resolving single-label names (also known as NetBIOS names), Windows-based computers append DNS suffixes based on the order provided, either via the individual TCP/IP settings of the client, DHCP settings, or Group Policy settings. Again, the key here is that if there are MULTIPLE domain names an organization must manage, they may find it easier to use the GlobalNames zone since the GlobalNames zone records can be configured globally for the single-label names. Records that are contained within the GlobalNames zone are known as global names. Several prerequisites must be met before using the GlobalNames zone:

■ No existing DNS zone can be named GlobalNames.
■ All authoritative DNS servers must be running Windows Server 2008.
■ All DNS servers running on Windows Server 2008 must store a local copy of the GlobalNames zone or must be able to remotely communicate with a server that does.
■ The GlobalNames Zone Registry setting must be enabled on the server. This can be done by typing dnscmd /config /enableglobalnamessupport 1.
Let’s walk through the steps in configuring a GlobalNames zone:

1. Choose Start.
2. Right-click Command Prompt and select Run As Administrator.
3. At the command prompt, type dnscmd /config /enableglobalnamessupport 1.
4. Close the command-line prompt.
5. Select Start | Administrative Tools | DNS.
6. Right-click your DNS server, and then click New Zone to open the New Zone Wizard.
7. Create a new zone and give it the name GlobalNames (see Figure 2.12).

Figure 2.12 Creating a GlobalNames Zone
8. Complete the remaining configuration options as we have done previously, and then click Finish to complete the process.

Next, we will create a CNAME record for use with the GlobalNames zone:

1. Right-click the GlobalNames zone now available under the Forward Lookup Zones.
2. Select New Alias (CNAME).
3. Enter the alias of the server. For example, we can name it widgetserver.
4. Enter the FQDN of the target host. In this case, it will be our DNS server for testing purposes: dc1.uccentral.ads. If you do not have a record for your server, you may need to stop the CNAME process and create an A record in the primary zone for your domain.
5. Click OK.

To test the GlobalNames zone record, simply go to the command prompt of a client PC and type ping gnztest. This will return the IP address as expected.
Configuring Dynamic Host Configuration Protocol (DHCP)

The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows administrators to manage and automate the assignment of IP addresses in a centralized console. Without DHCP, the IP address must be “statically” configured on each computer. This isn’t such a big deal in a small (ten-client-or-less) environment, but when you get into significantly larger environments, static IP address management can become a nightmare. Factor in the mobility of using laptops, and the need to be able to connect to other networks dynamically, and you’ll find it’s almost impossible in today’s world not to use DHCP.
TEST DAY TIP

Review the way in which DHCP traffic is affected by placement of DHCP servers. For example, when servers are placed locally, the traffic remains on the subnet. You should also understand how subnetting works when designing DHCP scopes. For more information on DHCP placement, you should visit the following Microsoft TechNet site: http://technet2.microsoft.com/WindowsServer/en/library/3040afd1-e82b-4ded-8fcd-aa8fe021fcc11033.mspx?mfr=true.
The way DHCP works is fairly simple. Using a client/server model, a DHCP server maintains a pool of IP addresses. DHCP clients request and obtain leases for IP addresses during the boot process. DHCP was derived from the Bootstrap Protocol (BOOTP), which was a protocol typically used to allow clients to boot from the network rather than from a hard drive. Through this boot process, BOOTP assigned an IP address dynamically to the client computer. Some benefits of using a Windows Server 2008 DHCP server include:

■ DNS integration Windows Server 2008 DHCP integrates directly with DDNS. When a computer obtains a lease for an IP address, the DHCP server can then register or update the computer’s Address (A) records and pointer (PTR) records in the DNS database via Dynamic DNS on behalf of the client computer. The result of the two—DHCP used with DDNS—is true dynamic IP address management. Any computer can start up on the network and receive an IP address that is further registered in the DNS name server.
■ Multicast address allocation The Windows Server 2008 DHCP can assign IP addresses to multicast groups in addition to the standard individual hosts. Multicast addresses are used to communicate with groups such as server clusters using network load balancing.
■ Detection of unauthorized DHCP servers By restricting DHCP servers to those that are authorized, you can prevent conflicts and problems on the network. An administrator must configure Active Directory to recognize the DHCP server before it begins functioning on the network. The Windows Server 2008 DHCP service contacts Active Directory to determine whether it is an authorized DHCP server. Active Directory also enables you to configure which clients a DHCP server can service.
■ Enhanced monitoring With the Windows Server 2008 DHCP service, you have the ability to monitor the pool of IP addresses and receive notification when the address pool is utilized at a threshold level. For example, you might monitor for a threshold of 90 percent or above.
■ Vendor and user classes Vendor and user classes enable you to distinguish the types of machines that are obtaining DHCP leases. For example, you can use a predefined class to determine which users are remote access clients.
■ Clustering Windows Server 2008 DHCP services support clustering. Through a cluster, you can ensure a higher reliability and availability of DHCP services to clients.
The negotiation process consists of only four messages, two from the client and two from the server. The first is the DHCP Discover message from the client to the server: the client looks for a DHCP server and asks for an IP address lease. The second is the DHCP Offer message from the server to the client: the offer tells the client that the server has an IP address available. The third is the DHCP Request message from the client to the server: the client accepts the offer and requests the IP address for lease. The fourth and final message is the DHCP Acknowledge message from the server to the client, with which the server officially assigns the IP address lease to the client. Each DHCP server requires a statically applied IP address. DHCP was originally introduced in RFC 2131 in March of 1997 (http://www.rfc-editor.org/rfc/rfc2131.txt). Since the inception of DHCP, a number of add-on DHCP options have made it possible to distribute even more IP-related information to clients, making IP management much more flexible for IT administrators.
DHCP Design Principles
DHCP is heavily reliant on network topology, and is heavily relied upon by the hosts within a network. For DHCP to function at an optimal level, client computers must be able to access at least one DHCP server at all times. When developing a DHCP approach for your network, you must first consider several things:
■ How many clients will be using DHCP for IP addresses?
■ Where are these clients located and what roles do they have?
■ What does the network topology look like?
■ Are there any unstable WAN links that might cause a network outage if DHCP clients cannot contact a DHCP server for an IP address lease?
■ Are there any clients that cannot use DHCP?
■ Are there any clients that will be using BOOTP?
■ Which IP addresses are dedicated and must be held outside the IP address pool?
■ Will you be using Dynamic DNS?
DHCP clients do not wait for the DHCP lease to expire before beginning renewal. Instead, they begin the renewal when 50 percent of the lease has elapsed. For example, when a client has a ten-day lease, then after five days the client sends a DHCP Request message to the DHCP server. If the server agrees to renew the lease, it responds with a DHCP Acknowledge message. If the client does not receive the DHCP Acknowledge response, it waits for 50 percent of the remaining time (7.5 days after the original lease was made) before sending another DHCP Request message. This is repeated at 50 percent of that remaining time (8.75 days after the original IP address lease). If the client cannot renew the address, or if the DHCP server sends a DHCP Not Acknowledged response, the client must begin a new lease process. DHCP has only a couple of design requirements:
■ You should have at least two DHCP servers to ensure redundancy. You can use clustering to ensure availability, but also keep in mind that two separate DHCP servers at different locations in the network can prevent DHCP problems resulting from a network link failure.
■ You must either provide a DHCP server on each network segment or configure the routers between those segments to forward DHCP messages.
When planning the DHCP servers, the network topology comes into play. It is critical that you place DHCP servers at the locations most available to the computers that need IP addresses.
DHCP Servers and Placement
The number of DHCP servers you need on a network is driven by the number of clients, the availability requirements for the DHCP service, and the network topology. The number of clients a DHCP server can serve varies based on the hardware of the server and whether it provides multiple roles or is strictly a DHCP server; most can provide IP addresses to thousands of hosts. The server hardware that has the greatest impact on DHCP performance is the network interface and the hard disk: the faster the network interface card (NIC) and disk access, the better. In addition, multiple NICs will greatly improve performance, since NIC speed in no way compares to the speed of the internal PC hardware, and adding NICs literally relieves a bottleneck. The availability of DHCP services to the network drives the use of multiple DHCP servers; you must have at least two. You might want to cluster the server if you have a large scope of addresses provided to a network segment. The network topology will drive additional servers as well, and this is something that must be reviewed and then planned. Ideally, a network should have a DHCP server on each segment, although this is often impractical. Because you can configure routers to forward DHCP requests using a DHCP Relay Agent, you can place DHCP servers at any location on the network. Therefore, you should probably look at unstable WAN links as the deciding factor for additional DHCP servers. A network that has a highly unstable satellite link to a location with thousands of clients will require its own DHCP server. However, a location behind a highly unstable satellite link that has only a few clients will probably be better served by statically applied IP addresses, or by an alternate IP configuration used together with DHCP from across the link.
Installing and Configuring DHCP
Installing DHCP in Windows Server 2008 is as simple as adding another role to a server. Some additional steps must be taken, however, to authorize the DHCP server. Back in Windows 2000 Server, Microsoft introduced the concept of authorizing a DHCP server. Microsoft did this because of the problem of “rogue” DHCP servers—servers that users would install on the network and configure to hand out IP addresses, thus causing problems with production DNS servers. The problem with rogue DHCP servers was that the IP addresses they handed out would either:
■ Overlap with existing IP addresses in the network, causing a conflict
■ Be correct IP addresses, but possibly be accompanied by other incorrect information, such as DNS, WINS, subnet mask, and gateway settings
■ Be a completely incorrect range of IP addresses
■ Create unnecessary traffic on the network
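The four-message negotiation described earlier and the authorization concern just listed can both be exercised in code. The following Python is an added example, not code from this book or from Windows: it encodes and decodes the RFC 2131 message layout, runs a Discover/Offer/Request/Acknowledge exchange in memory, and then checks every Offer and Acknowledge against an allowlist of authorized server identifiers (DHCP option 54), which is the defender-side counterpart of the Active Directory authorization described above. The MAC address, transaction ID, IP addresses and lease length are constructed values.

```python
"""Minimal RFC 2131 codec, an in-memory DORA exchange, and an authorized-server check.
Added illustration; constants come from RFC 2131/2132, all sample values are constructed."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options field
# Option codes used below (RFC 2132) and the message types exchanged (RFC 2131)
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY = 1, 2


@dataclass
class DhcpMessage:
    op: int                      # BOOTREQUEST from clients, BOOTREPLY from servers
    xid: int                     # transaction id that ties the four messages together
    chaddr: bytes                # client hardware (MAC) address, 6 bytes
    yiaddr: str = "0.0.0.0"      # "your" address, filled in by the server
    options: dict = field(default_factory=dict)   # option code -> raw value bytes

    def encode(self) -> bytes:
        """Serialize: 236-byte fixed header, magic cookie, TLV options, end option."""
        fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                            self.op, 1, 6, 0, self.xid, 0, 0,
                            b"\0" * 4, IPv4Address(self.yiaddr).packed, b"\0" * 4, b"\0" * 4,
                            self.chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
        opts = b"".join(bytes([code, len(val)]) + val for code, val in self.options.items())
        return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])

    @classmethod
    def decode(cls, raw: bytes) -> "DhcpMessage":
        """Parse a wire message; anything without the DHCP magic cookie is rejected."""
        if len(raw) < 240 or raw[236:240] != MAGIC_COOKIE:
            raise ValueError("not a DHCP message")
        op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", raw[:8])
        yiaddr = str(IPv4Address(raw[16:20]))
        chaddr = raw[28:28 + hlen]
        options, i = {}, 240
        while i < len(raw) and raw[i] != OPT_END:
            if raw[i] == 0:                       # pad option is a single byte
                i += 1
                continue
            code, length = raw[i], raw[i + 1]
            options[code] = raw[i + 2:i + 2 + length]
            i += 2 + length
        return cls(op, xid, chaddr, yiaddr, options)


def msg_type(m: DhcpMessage) -> int:
    return m.options[OPT_MSG_TYPE][0]


def dora_exchange(client_mac: bytes, server_ip: str, offered_ip: str, lease_secs: int):
    """Build the four messages (Discover, Offer, Request, Acknowledge), push each
    through the codec as it would cross the wire, and return them decoded in order."""
    xid = 0x3903F326                              # constructed transaction id
    sid = IPv4Address(server_ip).packed
    discover = DhcpMessage(BOOTREQUEST, xid, client_mac,
                           options={OPT_MSG_TYPE: bytes([DISCOVER])})
    offer = DhcpMessage(BOOTREPLY, xid, client_mac, offered_ip,
                        {OPT_MSG_TYPE: bytes([OFFER]), OPT_SERVER_ID: sid,
                         OPT_LEASE_TIME: struct.pack("!I", lease_secs)})
    request = DhcpMessage(BOOTREQUEST, xid, client_mac,
                          options={OPT_MSG_TYPE: bytes([REQUEST]),
                                   OPT_REQUESTED_IP: IPv4Address(offered_ip).packed,
                                   OPT_SERVER_ID: sid})
    ack = DhcpMessage(BOOTREPLY, xid, client_mac, offered_ip,
                      {OPT_MSG_TYPE: bytes([ACK]), OPT_SERVER_ID: sid,
                       OPT_LEASE_TIME: struct.pack("!I", lease_secs)})
    return [DhcpMessage.decode(m.encode()) for m in (discover, offer, request, ack)]


def unauthorized_servers(messages, authorized: set) -> set:
    """Defender-side check: every Offer or Acknowledge seen must carry a server
    identifier (option 54) that belongs to an authorized DHCP server."""
    rogue = set()
    for m in messages:
        if m.op == BOOTREPLY and msg_type(m) in (OFFER, ACK):
            sid = str(IPv4Address(m.options[OPT_SERVER_ID]))
            if sid not in authorized:
                rogue.add(sid)
    return rogue


if __name__ == "__main__":
    legit = dora_exchange(b"\x00\x11\x22\x33\x44\x55", "192.168.1.1", "192.168.1.200", 864000)
    print([msg_type(m) for m in legit], legit[1].yiaddr)
    # constructed second exchange from a server that is not on the authorized list
    other = dora_exchange(b"\x00\x11\x22\x33\x44\x55", "192.168.1.77", "10.9.9.9", 3600)
    print(unauthorized_servers(legit + other, {"192.168.1.1"}))
```

The lease length of 864000 seconds is the chapter's ten-day example. The same `unauthorized_servers` check applied to a packet capture from a subnet is the quickest way to confirm that only the authorized servers are answering Discover messages.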
During the installation process, we will walk through installing the DHCP role, configuring DHCP settings, and authorizing the DHCP server. Let’s begin.
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary and click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select DHCP Server, and then click Next.
5. Click Next to get through the DNS Server settings. This screen verifies the IP address of our DNS server, which will be passed to clients.
6. Click Next again to skip the WINS settings. If WINS were running (we will discuss WINS later), we could select the WINS server here.
Next, we need to configure a DHCP scope. A DHCP scope is a range of IP addresses (as well as additional IP options, such as gateway, DNS servers, and WINS servers) that can be handed out by a DHCP server. In the first example, we are going to configure both an IPv4 and IPv6 scope.
TEST DAY TIP
You should understand the 80/20 rule for DHCP. The 80/20 rule means that IP scopes should be split between two DHCP servers, so server A can distribute 80 percent of the IP addresses, while server B can hand out the remaining 20 percent. In this scenario, you would have fault tolerance for your subnets. The idea behind the 80/20 rule is that during the period in which server A is unavailable, the other server can service requests for addresses.
Now, let’s configure our scope:
1. Click Add… to add a new DHCP Scope.
2. In the Scope Name field, type Internal Scope.
3. In the Starting IP Address field, type 192.168.1.200, or any IP range you have available on your network.
4. In the Ending IP Address field, type the end of your scope. We will use 192.168.1.220.
5. In the Subnet Mask field, enter the subnet mask of your network. Our subnet mask is 255.255.255.0.
6. Skip the default gateway for now; we will add it later.
7. Choose Wired as the Subnet type, but click the down arrow to see the Wireless option.
8. Verify that Activate This Scope is checked (see Figure 2.13), and then click OK.
Figure 2.13 Scope Settings for DHCP
9. Click Next once your scope is added.
10. Determine what to do with IPv6 clients. We want to manage IPv6 clients through DHCP when necessary. To do this, select Disable DHCPv6 Stateless Mode For This Server and click Next.
11. Specify the IP address of an IPv6-enabled DNS server. To do this, enter the IP address of this server. If you recall, we set IPv6 options in the DNS section. Verify that our server’s IPv6 settings appear in the Preferred DNS Server IPv6 Address field, validate it, and then click Next.
12. On the Authorize DHCP Server page, you can specify the credentials of an authorized user, or just click Next.
13. Click Install to begin the installation.
14. When installation is complete, click Close.
Using Server Core and DHCP
DHCP is also a role supported in a Windows Server 2008 Core installation. DHCP installation is handled via the command line of the Server Core installation; however, management of the DHCP server (as well as the DHCP scopes) can be performed from a remote Windows Server 2008 system. In this section, we will install the DHCP role and configure a DHCP scope using the Server Core command line. Let’s begin by installing the role:
1. Sign in to your Windows Server 2008 Core Server system.
2. Install the DHCP bits. To do this, type in start /w ocsetup DHCPServerCore (Figure 2.14).
Figure 2.14 Installing the DHCP Role
3. Start the DHCP service and set it to start automatically. To do this, type in sc config dhcpserver start= auto.
4. Type sc query dhcpserver. If the service is not running, start it by typing sc start dhcpserver. You can see the command syntax in Figure 2.15.
Figure 2.15 Starting the DHCP Role
5. Next, we need to configure our DHCP server by adding the DHCP scope. To do this, we must first start the netsh application. At the command prompt, type netsh.
6. At the netsh> prompt, type dhcp server.
7. Add the DHCP Scope at the dhcp server> prompt by typing in initiate auth.
8. Add the scope by typing in add scope 10.0.0.0 255.0.0.0 BackupScope. 10.0.0.0 indicates the network leased by the DHCP server, while 255.0.0.0 represents the subnet mask. BackupScope is the name we’ve given to the scope.
9. Type in scope 10.0.0.0. This allows us to begin adjusting the scope options.
10. Configure the start and end of the lease range. To set the start of the range, type set optionvalue 003 IPAddress 10.0.0.1.
11. To set the end of the range, type set optionvalue 006 IPAddress 10.0.0.50.
12. Enable the scope by typing in set state 1.
13. Type exit to close the netsh application.
The preceding syntax can be seen in Figure 2.16.
Figure 2.16 The netsh Syntax for DHCP
Configuring DHCP for DNS
We discussed dynamic updates earlier in this chapter, but it is important to note that, by default, DHCP does not automatically update DNS servers. Instead, DHCP can update DNS in two different ways—it can either pass fully qualified domain name (FQDN) information to client computers running Windows 2000 Server or Workstation (or later), which in turn update DNS themselves, or DHCP can be configured to update DNS for legacy (or non-Windows) clients. Non-legacy Windows clients update DNS when:
■ Static IP address information is updated
■ An IP address lease period ends and a new address is given to the client
■ The ipconfig /registerdns command is entered at a command prompt, which re-registers the client within DNS
In order for clients to update automatically, we must adjust the properties of our DHCP scope appropriately by performing the following steps:
1. Choose Start | Administrative Tools | DHCP.
2. Right-click your IPv4 scope.
3. Click the DNS tab.
4. Notice that, by default, dynamic updates are set so that DHCP controls updates only when requested by the client.
5. We need to set DHCP to also dynamically update DNS for clients (such as Windows NT 4.0) that cannot update it themselves. Place a checkmark next to the Dynamically Update DNS A And PTR Records For DHCP Clients That Do Not Request Updates option.
6. Click Apply and then OK.
This is not required for IPv6 scopes, since IPv6 was not available in these older operating systems.
Configuring Windows Internet Naming Service (WINS)
Windows Internet Naming Service (WINS) was originally developed by Microsoft as part of Windows NT. Similar to DNS, WINS stores IP address-to-system name mappings in a server-side database. Unlike DNS, WINS focuses solely on the hostname and does not offer a complete naming structure. WINS is a service that has been “going away” since Windows 2000 Server, and yet it remains part of Windows even today. Many problems existed with WINS, particularly in terms of scalability. Over the years, the need for WINS and NetBIOS name resolution has been greatly reduced. However, some applications (legacy versions of Outlook, for example) still require NetBIOS resolution.
In certain situations, LMHOSTS files can be used in the absence of a WINS server. LMHOSTS files have their own problems and limitations as well—most specifically, the fact that LMHOSTS files can become outdated and contain incorrect data, so they require constant updating and maintenance. Similar to DHCP, once the need for NetBIOS name resolution goes beyond a handful of systems, using WINS is a much more reasonable solution since it allows for dynamic updates. Interestingly enough, WINS has become such an afterthought that the TechNet site for WINS under Windows Server 2008 simply refers you to the documents for Windows Server 2003.
Your first task in developing a WINS design is to determine whether you need WINS at all. One thing you need to test for is whether NetBIOS over TCP/IP is being used to communicate across the network. You can do this through the Performance. Once you determine whether NetBIOS naming is currently needed, your next task is to determine whether the network can function without NetBIOS naming at all. This will require you to test applications and services on a test network in a lab without using NetBIOS, LMHOSTS, or WINS.
The design of a WINS topology should take into account how WINS servers replicate. Each WINS server pushes or pulls the database from its replication partners. If you configure the replication partners so they replicate in a domino fashion, it will take several steps for any change to be propagated across the network. The time for replication to fully synchronize across all WINS servers is called convergence time, and the longer convergence takes, the higher the likelihood of errors. To reduce convergence time, you can create a hub-and-spoke topology in which all WINS servers replicate with a central WINS server. In this topology, an update made on any WINS server in the network reaches every other server through a two-step replication process.
Windows Server 2008 DNS is compatible with WINS. You can use both in a network environment that has WINS clients and DNS clients; we will discuss this a little later in the chapter. Keep in mind that WINS is a flat-file database. All names are considered equal and, as such, must be unique. This means you can have only one computer named Ned and one computer named Joe. When two computers are configured with the same NetBIOS name, only the first will be able to access the network.
Older Microsoft networks not only used WINS, but also transmitted data across NetBEUI, a protocol that does not incorporate a network layer. Without a network layer, NetBEUI is not routable. However, NetBIOS can be routed over TCP/IP or even over IPX. In the Windows Server 2003 and Windows Server 2008 operating systems, NetBIOS is routed only over TCP/IP, if it is used at all.
If you determine that you will install or upgrade an existing WINS network, you must first determine whether the hardware of your server will be sufficient for WINS. WINS servers use their hard disks quite heavily, so you should make certain you have sufficient hard disk performance. You should also determine how many WINS servers you should deploy. A single WINS server with sufficient hardware and network performance can provide services to 10,000 clients. You should always plan for at least two WINS servers for redundancy.
WINS has the ability to integrate with DNS so DNS clients can use DNS to look up records in the WINS database. This helps when a network has client computers running non-Microsoft operating systems, such as Unix or Linux. To use the WINS Lookup Integration feature, you must add a special WINS resource record for the WINS servers on the network.
From the client perspective, you should be aware of how the node types affect the communication preferences of the client computer. Node types affect the type of WINS traffic that traverses the network. For example, if you want to avoid all broadcast traffic, you would configure WINS clients to be p-nodes because they do not invoke broadcasts to resolve NetBIOS names. You can then configure DHCP to tell a computer what type of WINS node it will be. The options you have are:
■ b-node A b-node depends on broadcasts to register and resolve names. If no WINS servers are configured, this is the default node type used.
■ h-node An h-node searches the configured WINS server first, and then resorts to broadcasts, followed by LMHOSTS, and then DNS, to register and resolve names.
■ m-node The m-node is the opposite of an h-node. It broadcasts first, and then searches the configured WINS server.
■ p-node A p-node uses only point-to-point connections with a configured WINS server.
Understanding WINS Replication
If WINS is a network service that you will require in your organization, it will be important to understand how WINS handles redundancy and partnerships. In order for WINS servers to replicate WINS records with each other, a replication partnership must be configured between them. Three possible kinds of replication partnerships can be configured between WINS servers: push/pull (also known as full), push-only, and pull-only (also known as limited). You can set up a replication partnership manually or implement it automatically.
Automatic Partner Configuration
Automatic partner configuration is an option that can be implemented on small networks to eliminate the administrative effort of configuring replication partnerships between WINS servers. When automatic partner configuration is enabled, the WINS server sends announcements to the multicast Internet Group Management Protocol (IGMP) address 224.0.1.24, which is the well-known multicast address for WINS servers. When the WINS server discovers other WINS servers that are announcing themselves, it automatically configures a partnership agreement between itself and the discovered WINS server. (Both must be enabled for automatic partner configuration.) When the WINS server discovers another WINS server, it adds the server to its list of replication partners, configures push/pull replication between the servers, and sets the pull replication interval to every two hours. Normally, routers do not forward IGMP traffic, so this configuration is best used on small unsegmented LANs. However, it is possible to configure routers to forward this traffic, allowing automatic partner configuration to be used in a routed environment. If the environment has only a few routers, the amount of multicast broadcast traffic should be minimal.
Push Partnerships
As the name implies, when a push partnership is configured, changes in the WINS database are pushed to the remote WINS server. More accurately, a WINS server with records to replicate sends a push notification to target servers (those configured to use it as a pull partner), alerting them that it has records to update on the target WINS servers. The push notification includes an owner table that lists the owner IDs and the highest version ID for each owner. The target servers compare this information with their own owner tables to determine which records to replicate. The target servers reply to the push notification with a pull request, and the transfer of records takes place. Accordingly, since a transfer of records will not take place until a pull request has been received by the server that sent the push notification, pull replication is the single mechanism for replication. The process for push replication occurs as follows:
1. The source WINS server receives updates to its database and, based on a configurable threshold, sends a push notification to the destination WINS server (its push partner), indicating it has updates to replicate.
2. The destination WINS server for the notification (the push partner) responds by initiating a pull request to its pull partner (the WINS server that sent the notification), and replication is initiated between the replication partners.
Push replication is not schedulable according to an interval of time. Rather, the WINS administrator configures an update threshold that triggers a push notification. For example, the WINS server could be configured to send a notification to its push partner after it has received 100 updates. It is also possible to manually initiate the push notification. When you manually initiate the push notification, you can choose to push the notification only to the replication partner, or to trigger that partner to send a notification to all its partners as well.
As an example, consider a replication topology where three WINS servers are configured as push replication partners. WINS-A replicates to WINS-B, which replicates to WINS-C. So, if you manually sent a push notification from WINS-A to its replication partner, WINS-B, you could force WINS-B to also send a push notification to its other replication partner, WINS-C.
In certain rare situations, it might be desirable to use a push-only replication partnership for one-way replication—for instance, from a head office to a branch office. As an example, suppose WINS-A in the head office configures WINS-B in the branch office as its push-only partner. (WINS-B should also configure WINS-A as its pull-only partner.) When WINS-A receives updates to its records, it notifies WINS-B, which sends an update (pull) request to WINS-A for the records changed since the last replication cycle. In this scenario, WINS-B never sends its updated records to WINS-A.
Push partnerships are generally configured in LAN environments where bandwidth is not an issue, and it is not necessary to schedule replication to occur during off-peak hours. In general, you should use push replication partnerships in the following situations:
■ There is ample bandwidth over LAN or WAN connections.
■ There is a need to ensure that updates are replicated as soon as possible and the frequency of replication traffic is not a consideration.
Pull Partnerships
Pull replication differs from push replication in that the replication frequency is defined as an interval of time. At regularly scheduled intervals, a pull partner requests updates from other WINS servers (those configured to use it as a push partner) for updated records that have a higher version ID than the ones it currently has in its database. Pull replication is configured similarly to push replication. The primary difference is that the WINS administrator schedules the times at which the pull replication will take place. In some situations, it might be desirable to configure pull-only replication between replication partners. Usually, this configuration is implemented where WAN links are operating close to capacity and there is a need to schedule WINS replication during off-peak hours. Pull-only replication has an advantage over push-only replication in that the replication schedule can be known in advance. With push-only replication, replication is triggered by reaching a configured threshold of updates, and you can only estimate when this will occur based on experience with the network. However, a disadvantage of pull-only replication is that the WINS server could potentially accumulate a large number of updates to replicate between cycles. In general, you should use pull replication partnerships in the following situations:
■ There is limited bandwidth between WINS servers that requires replication to be scheduled during off hours.
■ There is a need to consolidate updates and reduce the frequency and amount of replication traffic.
■ There is a need to exercise finer control over the timing and frequency of replication traffic.
Push/Pull Partnerships
A push/pull partnership is the default when you configure replication between WINS servers. In fact, Microsoft recommends a push/pull partnership as a best practice and further recommends that all WINS partnerships be set up this way, unless there is an overriding need to implement a limited partnership. The only need that Microsoft cites for a limited partnership is the presence of a large network connected by relatively slow WAN links. Microsoft often stresses the need for simplicity in a WINS environment. With a push/pull partnership, a WINS server is configured both to send push notifications and to make pull requests to its replication partner, and the replication partner is configured in a similar way. Such a configuration helps ensure that synchronization among WINS servers is optimal, depending on the pull schedule and the configured threshold for push notifications, among other factors. For example, suppose a WINS server suddenly experiences a large number of updates and immediately sends a push notification to its push partner. The push partner would immediately request these updates, without waiting for the request to be triggered by its pull schedule. Conversely, a WINS server always pulls up-to-date records from its pull partner according to the replication schedule, regardless of how few records have been updated on the pull partner WINS server. You should always try to deploy a push/pull partnership, unless there is an overriding concern that requires the implementation of a limited partnership.
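The owner-table comparison behind push notifications and the version-ID filtering behind scheduled pulls, as described in the Push Partnerships and Pull Partnerships sections above, can be modelled in a few dozen lines. The following Python is an added illustration, not Microsoft's WINS code and not from the book: each server keeps records tagged with an owner ID and a per-owner version ID, a push notification carries the owner table, the target answers with a pull request only for owners whose version IDs are ahead of its own, and a scheduled pull transfers only records newer than the copy already held. Server names, NetBIOS names, addresses and the push threshold are constructed values.

```python
"""Model of WINS push/pull replication driven by owner IDs and version IDs.
Added illustration (not Microsoft's implementation); all names and records are constructed."""
from dataclasses import dataclass, field


@dataclass
class Record:
    name: str       # NetBIOS name
    ip: str
    owner: str      # WINS server that registered the record (owner ID)
    version: int    # owner-scoped version ID, increases on every change by that owner


@dataclass
class WinsServer:
    name: str
    db: dict = field(default_factory=dict)          # NetBIOS name -> Record
    push_threshold: int = 100                       # updates that trigger a push notification
    pending_updates: int = 0
    partners: list = field(default_factory=list)    # push partners (servers that pull from us)

    def highest_version(self, owner: str) -> int:
        return max((r.version for r in self.db.values() if r.owner == owner), default=0)

    def owner_table(self) -> dict:
        """Owner ID -> highest version ID, the content of a push notification."""
        return {o: self.highest_version(o) for o in {r.owner for r in self.db.values()}}

    def register(self, name: str, ip: str) -> None:
        """Local dynamic registration: the record gets this owner's next version ID."""
        self.db[name] = Record(name, ip, self.name, self.highest_version(self.name) + 1)
        self.pending_updates += 1
        if self.pending_updates >= self.push_threshold:
            self.send_push_notification()

    def send_push_notification(self, cascade: bool = False) -> None:
        """Notify every push partner; with cascade=True the partner notifies its own partners."""
        self.pending_updates = 0
        for partner in self.partners:
            partner.receive_push_notification(self, cascade)

    def receive_push_notification(self, source: "WinsServer", cascade: bool) -> int:
        """Compare the source's owner table with ours and answer with a pull request
        that names only the owners whose version IDs are ahead of what we hold."""
        wanted = {o: self.highest_version(o) for o, v in source.owner_table().items()
                  if v > self.highest_version(o)}
        pulled = self.pull(source, wanted)
        if cascade and pulled:          # nothing new means nothing to forward, so loops end
            self.send_push_notification(cascade=True)
        return pulled

    def pull(self, source: "WinsServer", wanted: dict = None) -> int:
        """Pull request: copy every record of a wanted owner whose version ID is newer
        than our copy. Runs on a schedule (pull partner) or in reply to a push notification."""
        if wanted is None:              # scheduled pull: ask about every owner the source knows
            wanted = {o: self.highest_version(o) for o in source.owner_table()}
        pulled = 0
        for rec in source.db.values():
            if rec.owner in wanted and rec.version > wanted[rec.owner]:
                self.db[rec.name] = rec
                pulled += 1
        return pulled


def one_way_scenario():
    """Head office WINS-A is push-only partner of branch WINS-B (WINS-B pulls from A only):
    B learns A's records once A reaches its push threshold; A never learns B's records."""
    a, b = WinsServer("WINS-A", push_threshold=2), WinsServer("WINS-B")
    a.partners.append(b)
    b.register("BRANCHPC", "10.2.0.5")
    a.register("NED", "10.1.0.10")
    a.register("JOE", "10.1.0.11")      # second update hits the threshold and pushes
    return sorted(b.db), sorted(a.db)


def incremental_pull_scenario():
    """Two scheduled pull cycles: the second cycle moves only the record that changed."""
    a, b = WinsServer("WINS-A"), WinsServer("WINS-B")
    a.register("NED", "10.1.0.10")
    a.register("JOE", "10.1.0.11")
    first = b.pull(a)                   # cycle 1 copies both records
    a.register("NED", "10.1.0.99")      # NED moves, gets a higher version ID
    second = b.pull(a)                  # cycle 2 copies NED only
    return first, second, b.db["NED"].ip


if __name__ == "__main__":
    print(one_way_scenario())
    print(incremental_pull_scenario())
```

The cascade flag corresponds to the manual "send to all partners" option described under Push Partnerships; it stops on its own because a server that received nothing new has nothing to announce, which is what keeps a looped topology from notifying forever.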
Replication Models
As we mentioned earlier, the replication model you design will affect the convergence time for replicated WINS records and the fault tolerance of replication. A replication model that is appropriate for your network topology will ensure the shortest convergence time for replicated WINS records. Where possible, it is recommended that your replication model mirror your network topology and that you keep this model as simple as possible. In WINS environments where there are three or more WINS servers, you can employ either a ring replication model or a hub-and-spoke replication model. In more complex environments, these models can be combined to ensure optimal convergence time and fault tolerance for a given network topology. In the following sections, we will discuss each of these models in more detail.
Ring Models
In a ring model, three or more WINS servers are configured to replicate with one another in a circular fashion. The ring model provides good convergence times for all replication partners when there are no more than four WINS servers. In this model, fault tolerance for replication of WINS records is given priority. Imagine that a record is updated on WINS-A. The record must travel through either WINS-A or WINS-B before it is replicated to WINS-C. However, suppose that the WAN link connecting WINS-A and WINS-D fails. The updated record can still arrive at WINS-C and WINS-D (via WINS-C). Conversely, a record created on WINS-D can still be replicated to WINS-A via WINS-C and WINS-B.
Hub-and-Spoke Models
In a hub-and-spoke model, all WINS servers replicate with a centrally located hub WINS server. The hub-and-spoke model provides the shortest convergence time in a replication environment that comprises five or more WINS servers, because it provides the shortest replication paths between any two WINS servers. Furthermore, by implementing a hub-and-spoke model, you reduce the number of replication partnership agreements that you need to maintain. Even though there are five WINS servers that replicate information, there are only four replication agreements to maintain. Furthermore, no server is more than two hops from any other server, regardless of the number of servers added to the topology. A disadvantage of this model is that it is not as fault tolerant as the ring model. If WINS-A fails, no WINS server will be able to replicate its records to other WINS servers. Furthermore, depending on the average number of records the spoke WINS servers need to replicate and the settings for the push and pull triggers, WINS-A can be continuously replicating with other servers and processing updates. It should be well connected to the other WINS servers and have the capacity to handle the load. To enhance fault tolerance in this situation, you could set up a backup WINS server in the same location as WINS-A and configure a replication partnership agreement between them. This solution, however, increases administrative complexity for the maintenance of replication partnerships. An alternative solution that still provides a high degree of availability is to use Windows clustering for the hub WINS server. A Windows cluster gives you the ability to set up separate WINS servers, known as cluster nodes, that use the same database located on a shared SCSI or Fibre Channel device. When the WINS server that is the active node in the cluster fails, the services will fail over to another node. Failover is the process of taking resources offline in one node and bringing them online in a new node. The primary advantage of using a Windows cluster is that in the event of a failure of a WINS server, no subsequent replication needs to occur to synchronize records when the failed server is brought online, because only a single database is used.
Hybrid Replication Models
In many situations, it is desirable to combine replication models. As an example, consider a large organization that has three divisions in different geographic locations. Each of these divisions has a number of branch offices that are connected to their respective divisional offices. It might be advantageous to use a ring model of WINS replication among the divisional offices and use hub-and-spoke replication for replication between the divisional offices and their respective branch offices. Many other variations are possible. A hybrid replication model can employ any mixture of full and limited replication partnerships, driven by the contingencies of the network topology.
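As an added example (not from the book), the following Python model puts numbers on the two properties the ring and hub-and-spoke discussions above contrast: convergence, measured as replication hops between any two partners, and fault tolerance, measured as whether every server still receives every record after a WAN link or a server fails. The server names follow the text (WINS-A to WINS-E); the partnership sets are constructed here.

```python
"""Graph model of WINS replication topologies (ring vs hub-and-spoke).

A replication partnership is an undirected link between two servers; a record
converges when it has reached every server. This is an illustrative model, not
the WINS service itself.
"""
from collections import deque


def ring(names):
    """Circular topology: each server replicates with its two neighbours."""
    return {frozenset((n, names[(i + 1) % len(names)])) for i, n in enumerate(names)}


def hub_and_spoke(hub, spokes):
    """Every spoke holds exactly one partnership, with the hub."""
    return {frozenset((hub, s)) for s in spokes}


def neighbours(links, node):
    """Servers that share a replication partnership with `node`."""
    return {next(iter(link - {node})) for link in links if node in link}


def hops_from(links, start):
    """Breadth-first search: replication hops for a record created on `start`
    to reach each other server. Servers it cannot reach are left out."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in neighbours(links, current):
            if nxt not in dist:
                dist[nxt] = dist[current] + 1
                queue.append(nxt)
    return dist


def convergence(links, servers):
    """Worst-case number of hops between any two servers, or None when some
    server can no longer receive every record (the topology is partitioned)."""
    worst = 0
    for server in servers:
        reach = hops_from(links, server)
        if len(reach) < len(servers):
            return None
        worst = max(worst, max(reach.values()))
    return worst


def survives(links, servers, failed_links=frozenset(), failed_servers=frozenset()):
    """True if every surviving server still receives every record after the
    given WAN links and/or servers fail."""
    live_servers = [s for s in servers if s not in failed_servers]
    live_links = {l for l in links
                  if l not in failed_links and not (l & failed_servers)}
    return convergence(live_links, live_servers) is not None


# Constructed topologies matching the text: a four-server ring and a
# five-server hub-and-spoke with WINS-A as the hub.
RING_SERVERS = ["WINS-A", "WINS-B", "WINS-C", "WINS-D"]
RING_LINKS = ring(RING_SERVERS)
HUB_SERVERS = ["WINS-A", "WINS-B", "WINS-C", "WINS-D", "WINS-E"]
HUB_LINKS = hub_and_spoke("WINS-A", HUB_SERVERS[1:])


if __name__ == "__main__":
    print("ring: %d agreements, worst-case %d hops"
          % (len(RING_LINKS), convergence(RING_LINKS, RING_SERVERS)))
    print("hub-and-spoke: %d agreements, worst-case %d hops"
          % (len(HUB_LINKS), convergence(HUB_LINKS, HUB_SERVERS)))
    # The text's scenario: the WINS-A to WINS-D WAN link fails. Records still
    # converge, but a record from WINS-A now takes the long way round to WINS-D.
    a_d = frozenset(("WINS-A", "WINS-D"))
    print("ring minus A-D link still converges:",
          survives(RING_LINKS, RING_SERVERS, failed_links={a_d}),
          "; WINS-A -> WINS-D now takes",
          hops_from(RING_LINKS - {a_d}, "WINS-A")["WINS-D"], "hops")
    # Losing the hub isolates every spoke; losing one spoke does not.
    print("hub-and-spoke survives loss of the hub:",
          survives(HUB_LINKS, HUB_SERVERS, failed_servers={"WINS-A"}))
    print("hub-and-spoke survives loss of one spoke:",
          survives(HUB_LINKS, HUB_SERVERS, failed_servers={"WINS-C"}))
```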
Static WINS Entries
One of the advantages of using WINS is that it provides a way to dynamically register NetBIOS names, eliminating the need for static entries in LMHOSTS files. However, certain situations require the use of static mappings in the WINS server database. For example, if you have non-WINS clients that are running NetBIOS applications, you might find it desirable to have entries for these clients in the WINS database so you can allow WINS clients to resolve the NetBIOS names of those clients. Static mappings are superior to entries in an LMHOSTS file because they can be replicated throughout the WINS infrastructure. The use of static mappings can create problems on your network. Unlike dynamic mappings, static mappings stay in the WINS database until they are manually removed. (The expiration date for the static mapping entry in the WINS database is labeled as infinite.) Furthermore, unless the migrate on setting is enabled, static mappings are not overwritten by dynamic mappings. For example, a client computer might be given a static mapping in the WINS database, or an LMHOSTS file might be imported to the WINS database, creating a number of static WINS entries. If the clients associated with the static mappings are later configured as WINS clients, they would not be able to perform dynamic registration of their NetBIOS names, unless the migrate on setting was enabled.
NOTE Even though the migrate on setting can prevent a number of problems associated with the ability to overwrite static entries, this setting does not affect all NetBIOS record types. For example, the domain [1Ch] record type is never overwritten, regardless of this setting.
In general, static entries should never be created for WINS-capable client computers. However, it is sometimes desirable for security purposes to use static entries for mission-critical servers to prevent redirection. Now that you understand the purpose of WINS design fundamentals, as well as some of the history behind it, let’s take a look at how to configure WINS in Windows Server 2008.
Installing and Configuring
Unlike DNS and DHCP, WINS is a feature of Windows Server 2008, not a role. Features in Windows Server 2008 simply augment the functionality of roles. In this scenario, WINS is a feature used to add functionality to name resolution as a whole. That said, we will discuss how to integrate WINS with DNS later in this section. Let’s install our WINS feature:
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to the Features Summary section and click Add Features.
3. At the Select Features window, scroll down and click WINS Server and then click Next.
4. Click Install to begin the installation process.
5. Click Close once the installation is complete.
As mentioned, WINS is a legacy technology. As such, you can expect that there won’t be an abundance of questions on the exam. However, you should still familiarize yourself with the console, which is available under Administrative Tools.
Using Server Core for WINS
Installing a feature in Windows Server 2008 Server Core is basically the same as adding a role. In this section, we are going to walk through the setup of the feature, as well as set the service to start automatically.
As you know from Chapter 1 of this book, very few roles can be installed as part of Windows Server 2008 Server Core. However, many features can be installed, including:
■ Failover Cluster
■ Network Load Balancing
■ Subsystem for Unix-based applications
■ Multipath IO
■ Removable Storage Management
■ BitLocker Drive Encryption
■ Backup
■ Simple Network Management Protocol (SNMP)
■ WINS
Obviously, at this point in this book, we are only focusing on WINS. So, let’s take a look at how to install the WINS feature and start the service:
1. At the command line, type start /w ocsetup WINS-SC.
2. When installation completes, type sc query WINS or NET START to verify that the WINS service is running.
3. If the service is not running, type sc start WINS.
4. We can also verify that the service will start automatically by typing sc config WINS start= auto.
Generally speaking, management of WINS will occur via the GUI from another Windows Server. However, a number of command-line management options exist for WINS. Essentially, most of the management will be through the netsh tool, which we used earlier for setting IP information. To learn more about these commands, visit http://technet2.microsoft.com/WindowsServer/en/library/430701f0-743a4af5-9dd6-95c5c2f956531033.mspx.
Configuring WINS for DNS
As mentioned, WINS has become less relevant in organizations that are running the latest operating systems and applications. However, there are situations where WINS is still necessary. One way we can improve name resolution is to tie WINS to DNS so the two are aware of one another, thereby increasing response time to name requests and reducing complexity in name resolution scenarios. Let’s look at how we configure DNS to use WINS as a secondary resource for naming:
1. Choose Start | Administrative Tools | DNS.
2. Find your server name in the left pane and double-click it. This will open the DNS configuration for this server.
3. Right-click your domain name and select Properties.
4. Select the WINS tab.
5. Place a checkmark next to the Use WINS Forward Lookup option.
6. Enter the IP address of the WINS server and click Add.
7. Click Apply and OK to save your changes.
DNS will now be able to forward requests to WINS to resolve names not found within its own namespace.
EXAM WARNING Watch out for any questions that may involve WINS integration with DNS and IPv6. WINS integration with DNS only supports IPv4 addresses.
Summary of Exam Objectives Having the proper network services installed on your server can make the difference between a functional Active Directory environment, and one that is infested with various errors and latency. Microsoft focused on the Core Infrastructure Optimization model—taking IT organizations from a “basic” approach to infrastructure design to a more dynamic one. DNS, DHCP, and even WINS are steps that move IT professionals from the basic model. Imagine the time (and pain) involved in updating spreadsheets with client IP addresses, HOSTS, and LMHOSTS files on client machines for a 500-PC organization! DNS truly is the backbone of the Windows network. Without DNS, Active Directory would cease to function. When it comes to Active Directory, DNS does much more than simple name resolution. It stores information about our LDAP resources, Global Catalog resources, as well as other resources (such as SIP servers) within our environment. If a client or server is unable to find these resource records, having Active Directory in place does us very little good. As an IT professional, you will also be required to understand the different types of Resource Records (RRs) that can be used as part of DNS. There are traditional—or more common— Resource Records such as A and PTR records, but you should also familiarize yourself with special records such as SIP records, since the demand for these types of records is becoming more and more common. DHCP is another crucial piece of the network services puzzle. Again, trying to maintain static addresses for hundreds of systems is not only impractical, it is quite foolish. Trying to maintain IP ranges for IPv4 systems is cumbersome enough, but trying to do it with the extended IPv6 addresses will likely become impossible! 
Add in the additional information we can push out to our DHCP clients (such as gateways, Trivial File Transfer Protocol [TFTP] servers, time clock servers, and domain suffixes, for example) and it makes this a crucial tool in the IT professional’s toolbox. Anyone who is familiar with the Microsoft management consoles can probably create and authorize a DHCP scope, but it takes a skilled professional to correctly design and implement a DHCP strategy. In order to do this, you need to understand not only fundamental IP principles, but also network topologies and common requirements, such as the 80/20 rule. Lastly, we have WINS. Although it is going away, there are still places in certain organizations where it is necessary. Older Microsoft networks not only used WINS, but also transmitted data across NetBEUI, a protocol that does not incorporate a network layer. Without a network layer, NetBEUI is not routable. However, NetBIOS can be routed over TCP/IP or even over IPX. In the Windows Server 2003 and Windows Server 2008 operating systems, NetBIOS is only routed over TCP/IP, if it is used at all. The replication model you design will have an effect on the convergence time for replicated WINS records and fault tolerance for replicated records. A replication model that is appropriate for your network topology will ensure the shortest convergence time for replicated WINS records. Where possible, it is recommended that your replication model mirror your network topology and that you keep this model as simple as possible. If NetBIOS resolution is only necessary for a few systems, you should consider using a GlobalNames zone as an alternative. Will we still see WINS in the next version of Windows? Only time will tell.
Exam Objectives Fast Track
Configuring Domain Name System (DNS)
˛ DNS in Windows Server 2008 supports primary zones (including Active Directory–integrated zones), secondary zones, and stub zones.
˛ Active Directory–integrated zones provide additional functionality, including secure dynamic updates and Active Directory–integrated replication.
˛ The GlobalNames zone was introduced to help phase out the Windows Internet Naming Service. The GlobalNames zone requires the creation of a zone named GlobalNames.
Configuring Dynamic Host Configuration Protocol (DHCP)
˛ Since the inception of DHCP, there have been a number of add-on DHCP options that make it possible to disburse even more IP-related information to clients, which makes IP management much more flexible for IT administrators.
˛ DHCP works by “leasing” IP addresses for a period of time to a specific computer. The lease time can be adjusted based on the need for a client to maintain the address for a period of time.
˛ DHCP can also be used to “reserve” addresses for systems that would otherwise need a static address, such as departmental servers and some client machines where it is required by third-party applications.
˛ The 80/20 rule means that IP scopes should be split between DHCP servers, and that server A can distribute 80 percent of IP addresses, while server B can hand out the remaining 20 percent of IP addresses.
Configuring Windows Internet Naming Service (WINS)
˛ WINS was originally introduced by Microsoft as part of Windows NT Server and was intended to be the de facto name resolution solution.
˛ WINS is still required for the NetBIOS name resolution of legacy operating systems and applications.
˛ WINS can be incorporated into DNS to provide seamless name resolution.
Exam Objectives Frequently Asked Questions
Q: Is the GlobalNames zone intended to replace WINS?
A: No. In fact, Microsoft has gone out of its way to stress the fact that the GlobalNames Zone is not a replacement for WINS. The GlobalNames zone is simply intended to assist in the retirement of WINS. As companies upgrade their legacy operations systems and legacy applications, the need for both GlobalNames zones and WINS will eventually go away.
Q: I have seen several examples where non-Internet standard DNS names are used. Is it better to use a standard DNS name (such as .com, .net, or .edu) or to use a private nonstandard name (for example, .ads or .internal)?
A: This really is a matter of preference—and in some cases, a bit of a “religious war.” Separation of name spaces is common in organizations that do not want their external namespace (for example, uccentral.com) to match their internal namespace. This can be beneficial when you want to use similar server names both internally and externally. Separating namespaces can, however, create confusion at times when you try to tell someone to go to a server. For example, you may have a server called “mail,” which could be an internal or external server, and if someone doesn’t specify “mail.uccentral.ads,” you may end up on the wrong server!
Q: Why did Microsoft make WINS a feature and not a role?
A: Simply put, WINS is a solution that is end-of-life. WINS alone cannot provide an enterprisewide solution for name resolution. In today’s environment, we need DNS in order for Active Directory to function properly—we don’t need WINS.
Q: I have a mixed Unix/Windows environment. Some of my DNS zones are hosted on BIND, and some on Windows Server 2008. Is there any way to integrate the two?
A: Yes, there are a few ways. First, you can create “secondary zones” on each of the DNS servers that stores a local copy of the other’s zones. Second, you create “DNS Forwarders” on the Windows Servers, which will forward any requests for these zones to the BIND servers. Lastly, you can delegate DNS zones to the BIND or Windows servers for control over a particular zone.
Q: I like the idea of being able to implement DNS, WINS, and DHCP on a Windows Server 2008 Core Server installation. However, I’m not much of a command-line person. Is there any way I can manage these roles and features from a GUI?
A: Yes, however you must use the MMC from another Windows Server 2008 (full installation) server to manage these roles and features. If you recall, no GUIs are provided with Windows Server 2008 Core Server, even after a role has been installed.
Q: In the past when I’ve installed DNS with Active Directory onto a Windows Server, a domain called “.” was created. Because of this, I couldn’t get to external servers. Why does this happen?
A: Depending on how DNS was installed, it is possible for the “.” (root) domain to be installed within your DNS. Because “.” is the top-level DNS zone, if installed, it assumes that there are no other domains except those listed on the server itself. To fix this, you simply need to remove the “.” from DNS.
Q: I see there are numerous options that I can push out via DHCP to client machines. What is the bare minimum I need in order to offer networking services?
A: The absolute bare minimum would be the IP address and subnet mask to communicate with a directly connected host on the same subnet. However, this will severely limit the resources that a client can contact outside of that subnet. Realistically, you need the IP address, subnet mask, gateway (called the router in the DHCP options), and at least one DNS server to at least be able to connect to and use the Internet through your Internet service provider (ISP) or to communicate with other hosts on remote subnetworks.
Q: I want to use Active Directory–integrated zones for my DNS servers, but I need to be able to create secondary copies of the zones to non-Microsoft servers. Is this possible?
A: Yes, but it couldn’t be a live/replicated copy of the zone. In this scenario, you can only create a secondary copy of the DNS zone. This means that DNS clients of this non-Microsoft server will have the ability to resolve records, but the zone cannot be updated (either manually or via dynamic update).
Self Test
1. You are the administrator for a nationwide company that currently runs Windows Server 2008 DNS and are reviewing the resource records in your Active Directory–integrated DNS zone. You notice there are hostnames that do not meet your company’s naming convention and verify that the computers are not members of your Active Directory domain. What must you do to ensure these hosts cannot create records in your DNS zone?
A. Disable DNS and enable DHCP.
B. Configure your zone to enable secure dynamic updates.
C. Disable dynamic updates in your zone.
D. You cannot prevent this from occurring in DNS.
2. You are creating a new standard primary zone for the company you work for, Name Resolution University, using the domain nru.corp. You create the zone through the DNS management console, and now you want to view the corresponding DNS zone file, nru.corp.dns. Where do you need to look in order to find this file?
A. You cannot view the zone file because it is stored in Active Directory.
B. You can look in the %systemroot%\system32\dns folder.
C. You cannot view the DNS file except by using the DNS management console.
D. The DNS zone file is actually just a key in the Windows Registry. You need to use the Registry Editor if you want to view the file.
3. You have removed WINS from your environment, but still have at least one legacy PC and application that requires NetBIOS resolution. What solution can you use in place of WINS to address NetBIOS resolution?
A. GlobalNames zones.
B. Reverse zones.
C. Dynamic updates.
D. None of the above. You need WINS for NetBIOS.
4. You’ve just created a new zone in DNS on a Windows Server 2008–based computer. You check the zone and notice that the only records in it are the SOA and NS RRs. Checking the configuration, you see that the zone is configured to accept dynamic updates. What should you do next?
A. Manually add all RRs for the zone, including A, CNAME, PTR, and SRV records.
B. Manually add A records for all hosts that cannot use dynamic updating.
C. Manually add A RRs and PTR RRs for all hosts that will be using dynamic updating.
D. Manually initiate a zone transfer to replicate all the needed RR to the new zone.
5. A DNS server, Aspen, has been successfully resolving queries but with the wrong information. You use the Monitoring function in the DNS Management Console for Aspen and test the simple and recursive queries. Both work fine. What is the most likely cause of the problem?
A. Aspen is not authoritative for the zone in which the wrong information is being returned.
B. Aspen is not configured to perform iterative queries.
C. Some clients do not support dynamic updates, or manually entered RRs have errors.
D. The clients that received the wrong information do not support the OPT record type.
6. Your company has recently migrated from Windows NT 4.0 to Windows Server 2008 on all of its networked servers, including those running the DHCP and DNS server services. During the migration, you implemented Active Directory–integrated zones. A colleague says you cannot do this because the zones converted from non-AD-aware operating systems will not allow secure updates, creating a significant security risk to the organization. What is your response?
A. When any zone is integrated into AD, it takes on the security features of AD.
B. If the zone is created outside of the AD, it will be configured for no secure updates and must be re-created to allow for secure updates.
C. If the zone is created outside of AD, it will not be configured for secure updates but can be modified via the DNS Management Console.
D. When any zone created before Windows 2000 is integrated into AD, it will use whatever update type other zones are configured to use.
7. You have been tasked with designing a new Windows Server 2008 Active Directory forest. The network is currently a combination of Windows 2000 Professional, Windows XP, Windows Vista, and Macintosh clients. You want to reduce the administration of IP addresses. Which of the following services would you implement to accomplish this?
A. DHCP
B. DNS
C. WINS
D. DDNS
8. Your company has a Windows Server 2008 domain. All of your servers run Windows Server 2008 and all of your workstations run Windows Vista Business. Your DHCP server is configured with the default settings and all of your Windows Vista machines are configured as DHCP clients with the default DHCP client settings. You want to use DNS dynamic updates to automatically register the host record and PTR record for all of your workstations. Which of the following must you do to accomplish your goal?
A. None. The default settings are sufficient.
B. Configure the DHCP server to always Dynamically Update DNS And PTR Records.
C. Configure the DHCP server to Dynamically Update DNS And PTR Records Only If Requested By The DHCP Clients.
D. Configure the workstation to use dynamic updates.
9. Your network contains a mix of Windows 2003 and Windows Server 2008. You have three domain controllers running Windows Server 2003. Your file server, print server, and Exchange server are running Windows 2000 Server. Your DNS, DHCP, and WINS servers are running Windows Server 2008. All of your clients are running Windows XP Professional with Service Pack 2. All machines, other than the servers that require a static IP address, are configured as DHCP clients with the default settings. Your DNS server has been configured to allow dynamic updates. Which of the following records will be registered in DNS automatically? (Choose all that apply.)
A. MX
B. Host (A)
C. SRV
D. PTR
10. You have implemented DNS on a Windows Server 2008 Core Server installation. You want to list the DNS zones on this server. What command-line utility would you use to accomplish this?
A. ocsetup.
B. netsh.
C. dnscmd.
D. None of the above. You must use the GUI from another Windows Server 2008 host.
Self Test Quick Answer Key
1. B
2. B
3. A
4. B
5. C
6. C
7. A
8. A
9. B, C, and D
10. C
Chapter 3
MCTS/MCITP Exam 640
Working with Users, Groups, and Computers
Exam objectives in this chapter:
■ Navigating Active Directory Users and Computers
■ Creating and Modifying User Accounts
■ Creating and Modifying Computer Accounts
■ Creating and Modifying Groups
■ Delegation of Tasks
Exam objectives review:
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Introduction
The network administrator’s daily tasks can be made easier—or more difficult—by the number and quality of administrative tools available to perform those tasks. In Windows Server 2008, Microsoft has provided administrators with a wealth of graphical and command-line utilities for carrying out their job duties. The Administrative Tools menu is the place to start, and there you’ll find predefined management consoles for configuring and managing most of Windows Server 2008 services and components, including Active Directory tools, DNS, Security policies, Licensing, Routing and Remote Access, Terminal Services, Media Services, and more. Also, you can use Server Manager to access all or most of these tools to perform day-to-day administration tasks from a central console. As an administrator, one of your major responsibilities is to create and manage users, groups, computer accounts, OUs, and group policies. Like Active Directory in Windows 2000 Server and Windows Server 2003, Windows Server 2008 Active Directory also uses the Active Directory Users and Computers MMC snap-in to manage user, computer, and group accounts. We will be spending a great amount of time working with this tool to perform day-to-day activities involving users and computers. This Active Directory Users and Computers MMC snap-in is one of the three most used Active Directory snap-ins employed to manage Active Directory. From this interface, you not only can manage user, group, and computer accounts, but you can also use it to manage other aspects of Active Directory, including group policies, domain controllers, domain security policies, and others. This chapter focuses on creating users, groups, and computers, and you’ll learn different tips and techniques here that will help you manage your Active Directory along the way.
Navigating Active Directory Users and Computers
The powerful Active Directory Users and Computers administration tool is still included with Windows Server 2008 to manage Active Directory objects. The Active Directory Users and Computers administrative console enables you to perform day-to-day administration tasks, including adding, modifying, deleting, and organizing Windows Server 2008 user accounts, groups, computer accounts, share resources, printers, and others. It also allows you to manage domain controllers, organizational units (OUs), group policies, and domain security policies. To manage Active Directory users, a number of tools are available, including ADSIEdit.msc, LDIFDE, CSVDE, command-line utilities, and many more.
TEST DAY TIP Attribute Editor is available in the Active Directory Users and Computers MMC snap-in with advanced features enabled. It is easier to use and navigate the Active Directory Users and Computers snap-in than ADSIEdit.msc.
So many administrative tools are available that it can be a bit challenging knowing which one to use. The solution is to practice, practice, practice. With the passage of time, experience brings familiarity—and suddenly it won’t seem nearly as difficult finding the right tool, command, or switch to manage a particular object or perform bulk user management. You can access the Active Directory Users and Computers snap-in by selecting (a) Start | Programs | Administrative Tools | Active Directory Users and Computers; (b) Start | Control Panel | Administrative Tools | Active Directory Users and Computers; or (c) Start | Run and then typing MMC in the Run dialog box to open an empty MMC. Choose File | Add/Remove Snap-in … | Active Directory Users and Computers | Add>, and then click OK.
NOTE The Active Directory administrative console is installed automatically on Windows Server 2008 domain controllers.
Now that you’re familiar with how to access and open Active Directory Users and Computers, it’s time to understand the default containers and OUs. After you install and configure a domain controller, you will see several built-in containers and OUs within the Active Directory Users and Computers snap-in, as shown in Figure 3.1.
Figure 3.1 Default Containers and OUs in the Domain
■ Built-In The Built-In container includes all of the standard groups that are created automatically when you install a domain controller. These groups have standard permissions on different objects in the Active Directory domain. Examples include the Account Operators group, Administrators, Backup Operators, Server Operators, Replicators, Users, Remote Desktop Users, and Print Operators.
■ Computers The Built-In Computers container contains the workstations in your domain. By default, there is no workstation in the container; however, you will see a list of computers over a period of time as you install and join workstations within your domain.
■ Domain Controllers The Built-In Domain Controllers OU contains domain controllers for the domain.
■ Foreign Security Principals The Built-In Foreign Security Principals container holds objects that are not part of the current domain to which permissions can be applied.
■ Users The Built-In Users container holds security accounts that are part of the domain. Several groups are held in this container, and are created automatically during the installation of the domain controller. For example, this container holds the default Administrator account and other groups, including Domain Admins, Enterprise Admins, Domain Controllers, Domain Guests, Domain Users, Schema Admins, Guests, and many others in the domain.
Creating and Modifying User Accounts
Now that you are familiar with the default containers and OU structure, it is time to understand the types of user accounts and the information needed to create them. In the following section, we will discuss various types of user accounts, built-in accounts, and how to create and manage user accounts. It is important that you understand the process involved in creating and managing user accounts, because user accounts are one of the most frequently used types of objects in Active Directory. A user account is a record in the Active Directory database that consists of all the information that defines a user to Windows Active Directory. This information includes the username, password, logon hours, profile location, group membership information, and the password required for the user to log on. A user account enables the user to prove his identity, authenticate to the network, and log on to a local computer or a network to access resources. In the Windows Active Directory environment, authentication for domain users is based on user accounts in Active Directory. Authentication confirms the identity of a domain user and allows them to access network resources. Once logged on, users can access all network resources. This is known as the single sign-on process, which helps users log on to the client computer once, using a single user ID and password, and then authenticate to any computer in the domain.
User Account Types
Three types of user accounts exist in the Windows Server 2008 environment: built-in user accounts, local user accounts, and domain user accounts. Built-in user accounts are created automatically during the installation of Windows Server 2008 and Active Directory. Built-in accounts have pre-assigned permissions and are used to perform specific administrative tasks like managing printers, backing up files, remote access, and so on. Examples of two common built-in accounts are Administrator and Guest. With a local user account, a user authenticates locally from a specific computer to gain access to a local resource on that computer. Local user accounts are created only in the computer’s local security database, and do not replicate with the domain controllers in an Active Directory domain. In the Active Directory domain, if your users need to access domain resources, then you should create domain user accounts instead of local user accounts since the domain will not recognize local user accounts. Local accounts are used in Workgroup environments instead of in Domain environments. With a domain user account, a user authenticates from a domain controller in a domain to gain access to domain resources anywhere on the network. At the time of authentication, the user provides his logon information to authenticate from the domain controller, which in turn authenticates the user and creates an access token containing user information and security settings. This access token identifies the user and helps him access domain resources without reentering his credentials. All domain controllers in the Active Directory domain replicate the user account information so the user is able to authenticate from any domain controller. This chapter focuses on domain user accounts.
Creating a New Account Like Windows 2000 Server and Windows Server 2003 Active Directory, domain users in the Windows Server 2008 Active Directory environment are created and managed by using the Active Directory Users and Computers MMC snap-in. Creating and managing a user account in Windows Server 2008 is really no different than in Windows 2000 Server and Windows Server 2003. If you are an experienced Windows 2000 Server and/or Windows Server 2003 administrator, you can skip this section and move on to the next section, because most of the information here will seem repetitive. Before I start discussing the user account creation process in detail, I would like to explain the two built-in accounts on Windows Server 2008 computers: the Administrator and Guest accounts. The built-in Administrator account uses the password you specified during operating system installation and has full permissions on the local machine as well as on a domain controller to administer the domain. It is used to create and modify user accounts and group accounts, manage account and security policies and group policies, create published printers and shares, assign rights to users, change domain policies, and so on. As this account has full permissions on the Active Directory domain, you must secure it from hackers and intruders. This account can be secured in multiple ways, including:
■ Rename this account to hide it from hackers and intruders. Since you cannot delete this account or remove it from the Administrator account, renaming it makes it difficult for unauthorized users to guess the administrative account’s logon name.
■ Create a dummy administrator account with no permissions and disable that account to make it difficult for hackers to crack the administrative account.
■ Choose a long and complex password and change your password on a regular basis. Make sure your password is a combination of letters, numbers, and special characters, which makes it difficult to guess and/or crack.
■ If you are responsible for managing the Active Directory domain, you should create a separate user account to perform other day-to-day activities and use the built-in Administrator account only when you perform administrative tasks.
The built-in Guest account allows users who do not have an Active Directory account to log on to the domain and access network resources. For example, a contractor or a partner who needs to access domain resources for a very short time may use this account. By default, this account is disabled; however, you can enable it. The Guest account can use a blank password; however, it is recommended that you assign it a password and use it only in low-security environments where you have limited resources or where there is no threat. As with the built-in Administrator account, it is recommended that you rename this account to make it difficult for unauthorized users to guess the Guest account’s logon name. You can further secure this account by using a long and complex password. As with the built-in Administrator account, you cannot delete the Guest account, but you can rename and disable it.
Domain User Account Considerations Before you create any user accounts, be aware of the following user account creation rules and practices:
1. The user account name must be unique among the other user names in your Active Directory domain.
2. The user logon name and SAM account name must be unique in your Active Directory domain.
3. User account names can be from 1 to 20 characters in length.
4. You can use any combination of letters, symbols, and numbers except / \ [ ] : ; | = , + * ? < > @ ”.
5. The New User window displays both the Active Directory username, such as [email protected], and the NetBIOS name, such as Shannon.
6. User logon names are not case-sensitive.
7. Some organizations use best practices to create standardized usernames, such as using the user’s first and last name (Demi.Starr), while others use the first name and last initial (ShannonS). This is an administrative best practice that minimizes headaches in managing users. Also, if you have two users with the same name, for example Shannon DiSouza, you can use the first name and last initial for the first user, and then for the second user add additional letters from the last name to differentiate the duplicate accounts, for example ShannonD for the first user and ShannonDi for the second user.
8. Some organizations also use different letters and best practices to identify full-time and part-time employees, contractors, and vendors. To identify full-time employees, you can use parentheses in the name after the user’s logon name, for example Elanda DiSouza (Full Time) and Demi Starr (Temp).
Password Considerations To protect user accounts from hackers and intruders, you must assign a strong password to every user account in your Active Directory domain. As an administrator, you can assign a password when you create a user account, or assign a default password and then ask users to change it at logon. To make sure your users use strong passwords, you may have to educate them about how to create passwords that are actually strong. You may have to remind them from time to time that a strong password provides an effective defense against unauthorized access and protects your resources from intruders and unauthorized users. In addition to educating your users, you may want to implement group policies to enforce strong password policy settings by enabling the password must meet complexity requirements setting to force users to create complex passwords. Please keep in mind that a strong password:
■ Does not contain dictionary words.
■ Does not contain a username, real name, pet name, family member’s name, or company name.
■ Is between 7 and 14 characters long.
■ Is different from previous passwords.
■ Is a combination of uppercase, lowercase, numbers, and special characters. An example of a strong password is Sh4$$n0n87r67}D.
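The following PowerShell functions are an added example, not code from the book: they apply the naming rules above (length, forbidden characters, the first-name-plus-last-initial scheme with the extra-letter tie-break from rule 7) and test a password against the strength list. Function names and sample values are constructed for this example; the dictionary-word rule is not implemented because it needs a word list.

```powershell
# Added example, not from the book. Pure string logic; no domain access needed.

# Rule 4: characters the New User dialog does not accept in a logon name.
$script:ForbiddenChars = [char[]]'/\[]:;|=,+*?<>@"'

function Test-LogonName {
    param([Parameter(Mandatory)][string]$Name)
    # Rule 3: 1 to 20 characters.
    if ($Name.Length -lt 1 -or $Name.Length -gt 20) { return $false }
    # Rule 4: none of the forbidden characters anywhere in the name.
    foreach ($c in $script:ForbiddenChars) {
        if ($Name.IndexOf($c) -ge 0) { return $false }
    }
    return $true
}

function New-UniqueSamName {
    # Rule 7: first name + last initial, then keep adding letters of the last
    # name (ShannonD, ShannonDi, ShannonDiS, ...) until the name is unused.
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [string[]]$Existing = @()          # logon names already in the domain
    )
    for ($i = 1; $i -le $LastName.Length; $i++) {
        $candidate = $FirstName + $LastName.Substring(0, $i)
        if ($candidate.Length -gt 20) { $candidate = $candidate.Substring(0, 20) }
        # Rule 6: logon names are not case-sensitive; -contains ignores case.
        if ((Test-LogonName -Name $candidate) -and -not ($Existing -contains $candidate)) {
            return $candidate
        }
    }
    throw "No unique logon name could be derived for $FirstName $LastName"
}

function Test-StrongPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Username, real name, pet name, family and company names to reject.
        [string[]]$ForbiddenWords = @()
    )
    # Length rule from the list above: 7 to 14 characters.
    if ($Password.Length -lt 7 -or $Password.Length -gt 14) { return $false }
    foreach ($w in $ForbiddenWords) {
        if ($w -and $Password.IndexOf($w, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $false
        }
    }
    # Must mix uppercase, lowercase, digits, and special characters.
    $hasUpper   = $Password -cmatch '[A-Z]'
    $hasLower   = $Password -cmatch '[a-z]'
    $hasDigit   = $Password -match '[0-9]'
    $hasSpecial = $Password -match '[^A-Za-z0-9]'
    return [bool]($hasUpper -and $hasLower -and $hasDigit -and $hasSpecial)
}

# Constructed sample: ShannonD is already taken, so the second Shannon DiSouza
# gets the next letter of the last name.
$existing = @('ShannonD', 'Demi.Starr')
New-UniqueSamName -FirstName 'Shannon' -LastName 'DiSouza' -Existing $existing
Test-LogonName -Name 'Shannon@Corp'
Test-StrongPassword -Password 'Tq7#vLm2$p' -ForbiddenWords @('Shannon', 'DiSouza', 'Syngress')
```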
Creating a New Account Using Active Directory Users and Computers The Active Directory Users and Computers console is used to create a new domain user account. You can create User accounts by performing the steps outlined in Exercise 3.1.
EXERCISE 3.1 CREATING A NEW USER ACCOUNT BY USING ACTIVE DIRECTORY USERS AND COMPUTERS
1. Log on to the Active Directory domain controller using administrative privileges.
2. Choose Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit to house the new user account. Right-click the container, click New, and then click User to create the new user account. This will bring up the New Object—User window (see Figure 3.2).
4. Enter the user’s first and last names in the First Name and Last Name boxes, respectively. Windows Server 2008 automatically enters the full name. Enter a username in the box under User Logon Name. The logon name is required and, in combination with the domain name on the right (such as [email protected]), uniquely identifies a user in a domain, tree, or forest. Based on your naming environment, you may have to choose different domains for which you have appropriate permissions. Once you enter the user logon name information, click Next to continue.
5. Enter a password for the user in the Password box. Retype the password in the Confirm Password box. Check the appropriate boxes for the various password options, as shown in Figure 3.3. Table 3.1 lists several password options.
NOTE You don’t have to enter any information in the User Logon Name area (pre-Windows 2000 Server) as this information is entered automatically. The entry is the user’s unique logon name that is used to log on from earlier versions of Windows, such as Microsoft Windows NT 4.0. This information is required and must be unique within the domain.
Figure 3.2 Examining the New Object – User Window
Table 3.1 Password Options
User must change password at next logon: Select this option to force the user to change their password the first time they log on. This provides a higher level of security by ensuring that the user is the only person who knows the password.
User cannot change password: Select this option if you have more than one person using the same domain user account (such as Guest). Choosing this option also makes sure the account’s password can only be changed with Administrator privileges, which means it will prevent the user from creating a new password or altering an existing password.
Password never expires: Select this option if the user is not required to change his or her password periodically or if you don’t want to force any time restrictions on the life of the password, for example, for a domain user account that is used by a Windows Server 2008 service.
Account is disabled: Select this option to deactivate an account so it cannot be used to log on to the network. This option is useful when a user doesn’t need it and leaves for an extended period, or in the case of a new employee who has not yet started.
Figure 3.3 Examining the Password Options
6. Click Next to bring up the User Account Confirmation screen. This verifies the user’s full name, logon name, and any password restrictions. Click Finish to finalize the new account and view the new user within the Active Directory container from the Active Directory Users and Computers snap-in.
Modifying a Domain User Account Using Active Directory Users and Computers Like all Windows Server 2008 objects, the domain user account has a set of default properties, or attributes, associated with it. Once the domain user account has been created, these properties can be modified, and they can then be used to search for users in Active Directory. For example, you can set the office location in the office property and other sections so you can locate users from a particular office. In Exercise 3.2, we will examine several user attributes and values. An explanation of each tab setting is provided to help you understand the various attributes and values.
EXERCISE 3.2 MODIFYING A NEW USER ACCOUNT BY USING ACTIVE DIRECTORY USERS AND COMPUTERS
1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit where the user account resides. Right-click the desired user and then select Properties.
4. The General tab contains the user’s first name, initials, last name, display name, description (usually a job title, for example Sr. Manager, that will appear in the management console), office location, telephone number(s), e-mail address, and Web page(s). Type in the appropriate information, as shown in Figure 3.4.
Figure 3.4 The General Tab
5. Click the Address tab. This tab contains the user’s street address, P.O. Box, city, state/province, ZIP/postal code, and country/region information, as shown in Figure 3.5. It’s helpful to have this information if you want to retrieve it later to locate a user and mail them any packages or information.
Figure 3.5 The Address Tab
6. Click the Accounts tab. This tab contains the user’s logon name, domain, the user’s pre-Windows 2000 logon, their logon hours, the computers they’re permitted to log on to, their unlock account settings, account options, and account expiration date settings (see Figure 3.6).
Figure 3.6 The Accounts Tab
7. Set the account properties by clicking the appropriate boxes for the Account options, as explained in Table 3.2.
Table 3.2 Password Options
User must change password at next logon: Select this option to force the user to change his or her password the first time that he or she logs on. This provides a higher level of security by ensuring that the user is the only person who knows the password.
User cannot change password: Select this option if you have more than one person using the same domain user account (such as Guest). Choosing this option also ensures the account’s password can be changed only with Administrator privileges, which means it prevents the user from creating a new password or altering an existing password.
Password never expires: Select this option if the user is not required to change his or her password periodically or if you don’t want to force any time restriction on the life of the password, for example, for a domain user account that is used by a Windows Server 2008 service.
Store password using reversible encryption: This option is used to store the password using reversible encryption.
Account is disabled: This option is used to deactivate an account so it cannot be used to log on to the network. This option is useful when a user doesn’t need it and leaves for an extended period, or in the case of a new employee who has not yet started.
Smart card is required for interactive logon: This option enables you to use smart cards in the network if you would like to enhance domain logon security by using smart cards and PINs instead of a user name and password.
Account is sensitive and cannot be delegated: This option enables you to disable account delegation. This is an additional security level that controls whether the user account can be delegated. Ideally, you should enable this option for domain service accounts.
Use Kerberos DES encryption types for this account: This option enables you to use DES encryption types for this account instead of the standard Kerberos encryption.
This account supports Kerberos AES 128-bit encryption: This option enables you to use AES 128-bit encryption for this account instead of the standard Kerberos encryption.
This account supports Kerberos AES 256-bit encryption: This option enables you to use AES 256-bit encryption for this account instead of the standard Kerberos encryption.
Do not require Kerberos preauthentication: This option allows the user to log on from a computer that supports Kerberos but does not support the preauthentication feature of Kerberos.
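Most of the Account options in Table 3.2 are bits of the userAccountControl attribute (the AES options live in msDS-SupportedEncryptionTypes, and "User must change password at next logon" is pwdLastSet = 0). The following PowerShell is an added example, not from the book: it decodes those attributes into the option names and flags the ones that weaken an account, so an administrator can audit what was set through the dialog. The flag values are the documented Active Directory constants; the function names are constructed, and the live query assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the book. Bit values are the documented AD flag values.

$UacFlags = [ordered]@{
    ACCOUNTDISABLE             = 0x0000002   # Account is disabled
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0000080   # Store password using reversible encryption
    DONT_EXPIRE_PASSWD         = 0x0010000   # Password never expires
    SMARTCARD_REQUIRED         = 0x0040000   # Smart card is required for interactive logon
    NOT_DELEGATED              = 0x0100000   # Account is sensitive and cannot be delegated
    USE_DES_KEY_ONLY           = 0x0200000   # Use Kerberos DES encryption types for this account
    DONT_REQ_PREAUTH           = 0x0400000   # Do not require Kerberos preauthentication
}
$EncTypeFlags = [ordered]@{
    AES128 = 0x08   # This account supports Kerberos AES 128-bit encryption
    AES256 = 0x10   # This account supports Kerberos AES 256-bit encryption
}

function ConvertFrom-AccountOptions {
    # Returns the names of the Table 3.2 options that are set for an account.
    param(
        [Parameter(Mandatory)][int]$UserAccountControl,
        [int]$SupportedEncryptionTypes = 0,
        [long]$PwdLastSet = 1
    )
    $set = @()
    foreach ($name in $UacFlags.Keys) {
        if ($UserAccountControl -band $UacFlags[$name]) { $set += $name }
    }
    foreach ($name in $EncTypeFlags.Keys) {
        if ($SupportedEncryptionTypes -band $EncTypeFlags[$name]) { $set += $name }
    }
    # "User must change password at next logon" is not a UAC bit: it is pwdLastSet = 0.
    if ($PwdLastSet -eq 0) { $set += 'MUST_CHANGE_PASSWORD' }
    return $set
}

function Get-WeakAccountOptions {
    # Options a defender wants to know about, with the reason each one matters.
    param([string[]]$Options = @())
    $weak = @{
        ENCRYPTED_TEXT_PWD_ALLOWED = 'password is stored reversibly and can be recovered as cleartext'
        USE_DES_KEY_ONLY           = 'Kerberos keys limited to DES'
        DONT_REQ_PREAUTH           = 'Kerberos preauthentication not required'
        DONT_EXPIRE_PASSWD         = 'password never expires'
    }
    foreach ($o in $Options) {
        if ($weak.ContainsKey($o)) { [pscustomobject]@{ Option = $o; Reason = $weak[$o] } }
    }
}

function Find-WeakDomainAccounts {
    # Live query; assumes the RSAT ActiveDirectory module and a domain-joined machine.
    Import-Module ActiveDirectory
    Get-ADUser -Filter * -Properties userAccountControl, 'msDS-SupportedEncryptionTypes', pwdLastSet |
        ForEach-Object {
            $opts = ConvertFrom-AccountOptions -UserAccountControl $_.userAccountControl `
                -SupportedEncryptionTypes ([int]($_.'msDS-SupportedEncryptionTypes')) `
                -PwdLastSet ([long]($_.pwdLastSet))
            foreach ($w in (Get-WeakAccountOptions -Options $opts)) {
                [pscustomobject]@{ User = $_.SamAccountName; Option = $w.Option; Reason = $w.Reason }
            }
        }
}

# Offline, constructed sample: a normal account (0x200) with reversible encryption
# and no preauthentication set, AES 256 supported, and a forced password change.
$sampleUac = 0x200 -bor 0x80 -bor 0x400000
$opts = ConvertFrom-AccountOptions -UserAccountControl $sampleUac -SupportedEncryptionTypes 0x10 -PwdLastSet 0
$opts
Get-WeakAccountOptions -Options $opts | Format-Table -AutoSize
```

Run Find-WeakDomainAccounts on a domain-joined machine to get the same report for every user object.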
8. Click Logon Hours … to allow the user to log on only at certain days and times of the week (Figure 3.7), which is useful in forcing employees to log on to the domain only during their allowed working hours. This will help you increase your domain security by reducing the amount of time the account is vulnerable to unauthorized access. In the Logon Hours For User dialog box, shown in Figure 3.7, select the days and hours for which you want to allow or deny access. By default, Windows Server 2008 permits access for all hours on all days. Two settings control logon hours:
■ Logon Permitted is used to control the hours during which a user is permitted to log on. The days and hours within which the user has allowed access appear in blue.
■ Logon Denied is used to designate the hours during which a user is denied logon. The days and hours within which the user is denied access appear in white.
Figure 3.7 The Logon Hours Dialog Box
NOTE Changing the logon hours setting applies to the user’s next attempted connection. It does not affect a user who is currently logged on to the system.
9. Click OK to continue.
10. Click Log On To … to let the user log on to only certain workstations (Figure 3.8). This will help you increase your domain security by forcing employees to log on to the domain only from their allowed workstations, thus preventing users from accessing another user’s data (accidentally or intentionally) that is stored on that user’s computer. By default, Windows Server 2008 lets users log on from all workstations in the domain. In the Logon Workstations dialog box, as shown in Figure 3.8, select The Following Computers, type the NetBIOS name of the computer from which the user is permitted to log on in the Computer name box (for example, WORKSTATION01), and then click Add to add the computer. The main point to remember here is that the computer name must be the NetBIOS name, and the NetBIOS protocol must be installed and enabled on all machines that use this account policy. Repeat this step to add other computers to the list.
Figure 3.8 The Logon Workstations Dialog Box
NOTE You can also edit an existing list and remove computers from it by clicking the Edit and Remove buttons.
11. Click OK to continue.
12. In addition to logon hours and logon workstations, you can use an account expiration date, shown in Figure 3.9, to increase domain security. You can choose either of the following settings:
■ Never is used if you do not want the user account to expire. Generally, you may want to choose this setting for service accounts and Domain Admin accounts.
■ End of (date) is used to disable the user account automatically on the date you specify. You may want to use this setting to force temporary employees’ and contractors’ accounts to expire.
Figure 3.9 The Accounts Tab
13. Click the Profile tab to define the profile path, logon script, home folder local path, and shared folder location, shown in Figure 3.10. You can choose one of the following settings:
■ Profile path contains the path where a user’s profile will be stored. If no directory location is entered, the default location is \Documents and Settings\username. It is important to define the user profile path because user profiles are used to provide consistency to each user by saving and retrieving the user’s desktop environment. User profiles come in four different types: local user profiles, roaming user profiles, temporary user profiles, and mandatory user profiles.
Figure 3.10 The Profile Tab
NOTE Local user profiles are available only at the local computer. They are created in the user’s profile directory on each system where the user logs on. When the user logs on to a system for the first time, and if there is no profile defined, the system will use the \Documents and Settings\Default User profile to create the new local user profile in the \Documents and Settings\username directory. If the user logs on to many different systems in your domain, he will be unable to maintain one profile, and may end up with many profiles on many different systems.
Roaming user profiles allow users to maintain one profile while they log on at multiple computers and move from system to system. A roaming profile is stored in a shared folder on a server, which allows a user to access the roaming profile from any system in the domain. Whenever a user starts a session, the profile is copied from the shared network folder to the local computer. Once copied to the local system, all the user’s settings are updated in the local copy of the profile and are copied back to the shared folder on the server when the user logs off.
Mandatory user profiles are read-only roaming profiles that are used to maintain desktop consistency. No modifications will ever be saved to the user’s profile. Users will be able to modify desktop settings and several other settings, but the changes won’t be saved when the user logs off. Like roaming profiles, a mandatory profile is also stored in a shared network folder, which allows the user to access the mandatory profile from any system in the domain. No user should be allowed to make changes to mandatory user profiles except system administrators.
Temporary user profiles are used only if a user’s profile is unable to load due to errors. At the end of each session, temporary user profiles are deleted. Therefore, all changes made during the session will be lost when the user logs off the system.
■ Logon script contains the path to optional traditional MS-DOS command scripts (.exe, .bat, and .com) for downlevel operating systems, or Visual Basic Scripting (.vbs) for operating systems that support Windows Scripting Host (WSH).
■ Home folder local path contains the home directory path on the local machine.
■ Home folder connect contains the home directory path targeted on a shared network folder. This option requires you to choose a network drive letter from the pull-down menu, which will be used to reference the remote connection from the local machine. Also, the To field should contain the UNC name of the remote directory, for example, \\Servername\Sharename\Directory.
Test Day Tip Home Folder Overview A home folder is an additional folder that can be used to centralize a user’s documents on a networked server for easy access from any client computer, central backup/restore, and version control. As the home folder is not part of a user’s profile, its size can vary to meet the user’s needs. It is not uncommon to find a home folder that is hundreds of megabytes in size.
14. Click the Telephones tab to store home, pager, mobile, FAX, and IP phone info for quick reference (as shown in Figure 3.11) on where to contact the user. Entering information in this tab is optional.
Figure 3.11 The Telephones Tab
15. Click the Organization tab to enter information regarding a user’s relations with an organization, such as job title, department, company, and manager name (as shown in Figure 3.12).
Figure 3.12 The Organization Tab
16. Click the Member Of tab to add a user to different security groups and thereby assign permissions on domain resources (see Figure 3.13). By default, each user is a member of the Domain Users group. You can make a user account a member of different groups; however, the best practice is to grant only the group memberships that are necessary, and not to assign excessive memberships to either users or computers. Windows allows a user to belong to many groups, one of which is the user’s primary group. You can set the user’s primary group in the Member Of tab by clicking Set Primary Group. The selected group becomes the primary group and is displayed in bold; the group that was previously the primary group is no longer in bold. To add the user to a different security group, click Add, type in the group name, and then click Check Names. Click OK to add the user to that group. Click OK to return to the Active Directory Users and Computers snap-in.
Figure 3.13 The Member Of Tab
17. Click the Dial-in tab to configure the user account for use with remote access (as shown in Figure 3.14). Many different settings included here can be used individually or in combination with other settings to control user dial-in permissions. Network Access Permission is the first section, which allows you to control a user’s access by choosing Allow Access or Deny Access, and also to control access through NAP by clicking Control Access Through NPS Network Policy. In addition to NAP policies and the NAP server, you can also decide to use Callback as a security feature. Three different options control callback:
■ No Callback is the first and default choice, which allows users to dial directly into the domain to gain access to the network.
■ Set by Caller (Routing And Remote Access Service Only) is used to allow users to specify callback telephone numbers during an initial connection. This is a good choice for traveling professionals, such as executives, sales, and IT staff, since it prevents long-distance telephone bills.
■ Always Callback to is where you enter a specific telephone number, which restricts the user to establishing remote connections from that specific location or telephone number.
In addition to the preceding settings, you can also choose Assign Static IP Addresses and Apply Static Routes to define a static IP address and a default route.
Figure 3.14 The Dial-in Tab
18. Click the Environment tab to configure the user account for use with the Terminal Services startup environment. The Starting Program lets you specify the program that will open whenever the user connects and logs on to a terminal server, whereas Client Devices allows you to specify whether the user’s local drives and printers will be available in the terminal services session (as shown in Figure 3.15).
Figure 3.15 The Environment Tab
19. Click the Sessions tab (as shown in Figure 3.16) to configure the Terminal Services session timeout, active session limit, idle session limit, and reconnection settings, as explained in Table 3.3.
Figure 3.16 The Sessions Tab
Table 3.3 The Sessions Tab
End a disconnected session: Select this option to specify the amount of time that Terminal Services will keep a user’s session active even though the user is no longer actively connected. This takes memory on the terminal server, but it is useful if your user gets disconnected because of network connectivity issues.
Active session limit: Select this option to specify the maximum amount of time that the user’s Terminal Services session can be active before the session is automatically disconnected. Users receive a warning message two minutes before a Terminal Services session disconnects. This allows users to move the mouse or press any key on the keyboard to keep the session active and running.
Idle session limit: Select this option to specify the maximum amount of time that an active Terminal Services session can be idle before the session is disconnected. Users receive a warning message two minutes before a Terminal Services session disconnects. This allows users to move the mouse or press any key on the keyboard to keep the session active and running.
When a session limit is reached or connection is broken: Select this option to specify whether to disconnect or end the user’s Terminal Services session when an active session limit or an idle session limit is reached.
Allow reconnection: Select this option to specify whether the user can reconnect from any client to a disconnected session on a terminal server. From originating client only is used for Citrix clients only.
20. Click the Remote Control tab (as shown in Figure 3.17) to configure the Terminal Services remote control settings that will allow the user to observe or actively control the user’s Terminal Services session, including being able to input keyboard and mouse actions to the session.
Figure 3.17 The Remote Control Tab
21. The Terminal Service Profile tab (as shown in Figure 3.18) allows you to specify the location of the Terminal Service profile and home folder. Settings in this tab will apply to Terminal Services only.
Figure 3.18 The Terminal Services Profile Tab
22. The COM+ tab (Figure 3.19) lets you specify the Partition Set.
Figure 3.19 The COM+ Tab
23. Click Apply, and then click OK to finalize the account changes and view the user within the Active Directory container from the Active Directory Users and Computers snap-in.
Common User Management Options Aside from creating and configuring user accounts, you may be responsible for performing a number of different management tasks. Table 3.4 lists different management actions you can take on a user account.
Table 3.4 Common User Management Options
Copy: This option enables you to create a new user account by copying an existing user account.
Disable Account: This option disables the user account and prevents the account from being used.
Enable Account: This option enables the user account so that it can be used on the network.
Reset Password: This option enables you to assign or reset a password if a user forgets his or her password.
Move: This option enables you to move the user account between different containers and OUs.
Delete: This option deletes the user account of a user who does not belong to your company or has left the company.
Rename: This option enables you to rename a user account in case of a name change.
Creating a New User Account Using Script To create users by using a script, you can use VBScript or the built-in dsadd command. I’ve found the dsadd command useful because it allows you to use command lines in batch files for day-to-day user administrative tasks. The following is an example of the VBScript used to create a user in Active Directory:
' This code creates a single user named Joanna DiSouza
Const ADS_UF_NORMAL_ACCOUNT = 512
Set objParent = GetObject("LDAP://<ParentDN>")             ' container or OU that will hold the user
Set objUser = objParent.Create("user", "cn=<UserName>")    ' e.g. Joanna
objUser.Put "sAMAccountName", "<UserName>"                 ' e.g. Joanna
objUser.Put "userPrincipalName", "<UserUPN>"               ' e.g. [email protected]
objUser.Put "givenName", "<UserFirstName>"                 ' e.g. Joanna
objUser.Put "sn", "<UserLastName>"                         ' e.g. DiSouza
objUser.Put "displayName", "<UserFirstName> <UserLastName>"   ' e.g. Joanna DiSouza
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo                                            ' commit the new object to the directory
objUser.SetPassword "<Pa$$w0rd>"                           ' the password can only be set once the object exists
objUser.AccountDisabled = False
objUser.SetInfo
Creating User Template As you know, templates simplify the creation of a large number of user accounts. In a template, you can define all the account parameters you need to define for your users. You can then use this template to create user accounts by simply filling in the Name, Full Name, Description, Password, and Confirm Password fields. Make sure this template account is disabled and has all the properties you need for most of your users. During creation of a new user account, you will get the same wizard and dialog pages as when creating any new user; however, the new user object will have most of the attributes the template user has. Templates help you create users more quickly than creating them individually. Creating and managing user templates in Windows Server 2008 is really no different than in Windows 2000 and Windows 2003. If you are an experienced Windows 2000 and/or Windows 2003 administrator, you can skip this section and move on to the next. In Exercise 3.3, we will use the existing user account of Shannon Forever to create a new user account for a different user by utilizing the copy process.
EXERCISE 3.3 CREATING A NEW USER ACCOUNT BY USING AN EXISTING USER ACCOUNT IN ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Right-click the desired user (in our case, it's Shannon Forever), and then select Copy.
4. Enter the name information of the new user (Demi), and then click Next.
5. Enter a password, select any appropriate account options you want enabled, and then click Next.
6. Click Finish.
Configuring User Principal Names

Like Windows 2000 and Windows 2003 Active Directory, every domain user account in Windows Server 2008 Active Directory is given a friendly name, known as the user principal name (UPN), to help the user log on to the domain. The UPN is an Internet-style logon name that is shorter than the distinguished name and therefore easier to remember. It is made up of a prefix and a suffix: the user's logon name and the domain's DNS name, such as admastering.com. In large enterprise environments, some organizations map an additional UPN suffix to the e-mail address domain to simplify the logon process. This can also provide an additional layer of security, since users never see your internal Active Directory domain names during logon. Some organizations have several domain trees and domains, which can confuse users. For example, the user Joanna DiSouza in the Toronto.Ontario.Canada.admastering.com domain may have to log on as [email protected].admastering.com. This not only confuses users, but some users find such a long DNS name hard to remember and difficult to type. If this is the case, or if you want to map the user logon name to the e-mail address, you can add an additional UPN suffix by using the Active Directory Domains and Trusts tool. For example, Toronto.Ontario.Canada.admastering.com may have an alternate UPN suffix of admasteringcanada.com, which lets users log on to the Toronto.Ontario.Canada.admastering.com domain as [email protected] instead of [email protected]. The UPN suffix serves as an alias, or substitute, for the real domain name. In the following section, we will add an additional UPN suffix to map a user's logon name to their e-mail address.

In Exercise 3.4, we assume that the AD forest is rooted at a domain name (for example, admastering.com) that differs from the e-mail domain name (for instance, admasteringcorp.com).
EXERCISE 3.4 ADDING AN ALTERNATE UPN SUFFIX

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Domains and Trusts.
3. Click Action | Properties. The UPN Suffixes tab appears.
4. To add an alternative suffix, type the suffix in the box (for example, admasteringcorp.com) and then click the Add button.
5. Repeat step 4 to add other suffixes to the list.
6. To remove an alternative suffix, select the suffix in the list and click the Remove button.
7. Repeat step 6 to remove other suffixes from the list.
8. Close the Active Directory Domains and Trusts console.
Creating and Modifying Computer Accounts

All computers in your Active Directory domain must have computer accounts in Active Directory. Just as an Active Directory user account represents a person, a computer account represents a computer. To access domain resources securely, every computer in your domain establishes a secure channel to a domain controller. This secure channel is an authenticated channel: the computer presents a password to the domain controller, which verifies it against the password stored with the computer's account in Active Directory, and the computer can then use the channel to transfer encrypted data to and from the domain controller. Computer accounts are also used to enforce domain permissions and group policies. The computer object class is derived directly from the user object class, so computer accounts inherit most of the attributes of user objects and add a few of their own. You can create a computer account manually in an Active Directory domain by using Active Directory Users and Computers; however, computer accounts are created automatically when an administrator joins a computer to a domain. Just like Active Directory user accounts, you can access computer account properties by using the Active Directory Users and Computers console, where you will see many of the same generic tabs you saw earlier in this chapter when configuring user accounts.
Creating a New Computer Account Using Active Directory Users and Computers The Active Directory Users and Computers console is used to create a new computer account. The process of creating a computer account in Active Directory is the same as creating a user account—by right-clicking the appropriate container, choosing New, and then clicking Computer to create the computer account. You can create computer accounts by performing the steps outlined in Exercise 3.5.
EXERCISE 3.5 CREATING A NEW COMPUTER ACCOUNT BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit to house the new computer account. Right-click the container, click New, and then click Computer to create the new computer account. This will bring up the New Object—Computer window.
4. Enter the computer name, as shown in Figure 3.20. Creating a computer account is a one-step process, which prompts you to enter a computer name and a pre-Windows 2000 name to identify the computer (Windows Server 2008, Windows 2003, Windows 2000, member server, or domain controller). Notice the User Or Group: option, which is used to change the group that can join the computer to the domain. By default, Domain Admins have the authority to join new computers to the domain. Depending on your environment, you may have to change this group to allow desktop deployment groups to join computers to the domain.
Figure 3.20 The New Object – Computer Window
5. If yours is a pre-Windows 2000 computer, you may want to click the Assign This Computer Account As A Pre-Windows 2000 Computer check box (as shown in Figure 3.20) at the bottom of the dialog box. This option is used to create computer accounts for computers running legacy operating systems. 6. Click OK. Close the Active Directory Users and Computers console.
Modifying a Computer Account Using Active Directory Users and Computers

Like all Windows Server 2008 objects, a computer account has a set of default properties, or attributes. Once the computer account has been created, these properties can be modified and then used to search for computers in Active Directory. For example, you can set the office in the Location property so you are able to find the computers belonging to a particular office. In Exercise 3.6, we will examine several computer attributes and values. An explanation of each tab setting is provided to help you understand these attributes and values.

EXERCISE 3.6 MODIFYING A COMPUTER ACCOUNT BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit where the computer account resides. Right-click the desired computer account and then click Properties. The General tab contains the Computer Name (pre-Windows 2000 name), DNS Name, DC Type, Site, and Description fields. Type in the description of the computer, as shown in Figure 3.21.
Figure 3.21 The General Tab
NOTE In Windows 2000 and later, all earlier versions of Windows, such as Windows NT and Windows 9x, are referred to as pre-Windows 2000 computers; they use NetBIOS names to establish connections. In Windows 2000 and later versions, DNS is the primary name resolution method, so in a mixed environment both the NetBIOS and DNS names are often displayed for objects.
4. Click the Operating System tab. This tab contains the operating system name and version running on the machine, as well as any operating system service packs that have been applied to the machine.
5. Click the Member Of tab. As shown in Figure 3.22, this tab lists the Active Directory security groups of which this computer is a member. Just as we can organize users into security groups to assign permissions to domain resources, we can also organize computers into groups to assign permissions. For example, you can put certain computers into a group and then assign the group permission to access a certain printer. This way, no matter which user is logged on to the computer, that user will be able to access the printer unless he or she has been explicitly denied permission. By default, each computer is a member of the Domain Computers group. You can make a computer account a member of other groups; however, the best practice is to grant only the memberships that are necessary and not to assign excessive memberships, since managing permissions gets confusing when a user who logs on to that computer effectively holds membership in the groups to which the computer is assigned. As with user accounts, group membership of computer accounts is of utmost importance. To add a computer to a different security group, click Add, type in the group name, and then click Check Names. Click OK to return to the computer properties. Repeat this process to add a computer to multiple groups.
Windows allows a computer to belong to many groups, one of which is the computer’s primary group. You can also set the computer’s Primary Group in the Member Of tab by clicking Set Primary Group. The selected group becomes the primary group and is displayed in bold; the group that was previously the primary group is no longer in bold.
Figure 3.22 The Member Of Tab
6. Click the Location tab. This tab contains the physical location of the computer. 7. Click the Managed By tab. As shown in Figure 3.23, this tab contains the contact information for the person responsible for this computer. To add an appropriate person, click the Change … button, type in an appropriate person’s name, and then click Check Names. Click OK to return to the Managed By screen.
Figure 3.23 The Managed By Tab
8. Click the Dial-in tab. This tab contains the dial-in settings used to control whether this computer is allowed to utilize dial-in services. 9. Click OK. Close the Active Directory Users and Computers console.
Creating a New Computer Account Using a Script

To create a computer account using a script, you can either use VBScript or the built-in dsadd command. I have found the dsadd command useful because it lets you use command lines in batch files for day-to-day administrative tasks. The following is an example of VBScript used to create a computer account in Active Directory:

```vbscript
' This code creates a computer account named JOANNAWKS
' ------ SCRIPT CONFIGURATION ------
strBase = "<ParentComputerDN>"   ' e.g. cn=Computers,dc=admastering,dc=com
strComp = ""                     ' e.g. JOANNAWKS
strDescr = ""                    ' e.g. Joanna's workstation
' ------ END CONFIGURATION ------

' Value from ADS_USER_FLAG_ENUM: marks the object as a workstation or member server account
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000

' Bind to the parent container and create the computer object beneath it
Set objCont = GetObject("LDAP://" & strBase)
Set objComp = objCont.Create("computer", "cn=" & strComp)
' Computer accounts carry a trailing "$" in their sAMAccountName
objComp.Put "sAMAccountName", strComp & "$"
objComp.Put "description", strDescr
objComp.Put "userAccountControl", ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComp.SetInfo
```
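Both scripts above finish by writing a userAccountControl value (512 for a user, &h1000 for a computer). The following added Python example, which is not part of the book, decodes that attribute as it appears in an LDAP export and flags mismatches such as a computer account whose name lacks the trailing "$"; the sample records and the finding messages are constructed for illustration.

```python
# Added example (not the book's code): decode userAccountControl and audit
# the values the two VBScript samples write. Sample records are constructed.

# Bit values from the ADS_USER_FLAG_ENUM enumeration.
ADS_UF_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQUIRE_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Exactly one of these account-type bits should be set on a healthy object.
ACCOUNT_TYPE_BITS = {
    0x0200: "user",
    0x0800: "interdomain trust",
    0x1000: "workstation or member server",
    0x2000: "domain controller",
}


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    value &= 0xFFFFFFFF  # some LDAP tools print the attribute as a signed 32-bit int
    names = [name for bit, name in sorted(ADS_UF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(ADS_UF_FLAGS)  # bits not covered by the table above
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def account_kind(value):
    """Classify the object by its account-type bit; None if zero or several are set."""
    kinds = [kind for bit, kind in ACCOUNT_TYPE_BITS.items() if value & bit]
    return kinds[0] if len(kinds) == 1 else None


def audit_account(sam_account_name, uac):
    """Flag inconsistencies between the name, the type bit and the password flags."""
    findings = []
    kind = account_kind(uac)
    if kind is None:
        findings.append("no single account type bit set")
    # Computer objects are named with a trailing '$' (the script appends it).
    computer_kinds = ("workstation or member server", "domain controller")
    if kind in computer_kinds and not sam_account_name.endswith("$"):
        findings.append("computer account name lacks trailing '$'")
    if kind == "user" and sam_account_name.endswith("$"):
        findings.append("user account named like a computer")
    if uac & 0x0002:
        findings.append("account is disabled")
    if uac & 0x0020:
        findings.append("password not required")
    if uac & 0x10000:
        findings.append("password never expires")
    if uac & 0x400000:
        findings.append("Kerberos pre-authentication not required")
    return findings


# Constructed sample export: (sAMAccountName, userAccountControl).
SAMPLE = [
    ("Joanna", 512),        # user created by the first script
    ("JOANNAWKS$", 4096),   # computer created by the second script
    ("JOANNAWKS", 4096),    # same, but the '$' suffix was forgotten
    ("svc_backup", 66080),  # 512 + 32 + 65536
    ("olduser", 514),       # 512 + 2: created but still disabled
]

if __name__ == "__main__":
    for sam, uac in SAMPLE:
        print(sam, account_kind(uac), decode_uac(uac), audit_account(sam, uac))
```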
Resetting a Computer Account Using Active Directory Users and Computers

As explained in the previous section, every computer in your domain establishes a secure channel of communication with a domain controller to transfer data securely. This requires each computer to provide a password at the time of logon. This randomly generated password is stored on the domain controllers for authentication purposes and is changed automatically every 30 days. It is possible for the password held by the computer and the one stored on the domain controller to get out of step, in which case communication between the two machines fails. If that is the case, you may want to reset the computer account in Active Directory so that the computer can reestablish the connection. In Exercise 3.7, we will reset a computer account.
EXERCISE 3.7 RESETTING A COMPUTER ACCOUNT BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit where the computer account resides. Right-click the desired computer account and then click Reset Account.
4. Click Yes in the Active Directory Domain Services dialog box to confirm that the computer account should be reset.
5. You will receive a confirmation box, as shown in Figure 3.24, indicating that the computer account (computer name) was successfully reset.
6. Click OK to continue.
Figure 3.24 Active Directory Domain Services
Creating and Modifying Groups As an Active Directory administrator, you will be working with groups in order to minimize and simplify administrative efforts by assigning permissions and rights to a group of users rather than individual users. In generic terms, a group is just a collection of objects. Groups are used most frequently in a security context, whereby you set up a group of users and apply certain permissions or rights to that group. Using a group is much easier, quicker, and fun when applying security than when using individual users. In an Active Directory environment, you can use these groups for many different purposes, including controlling access to resources (such as shared folders, files, printers, and so on), e-mail distribution lists, and defining a filter for the application of group policies. A group is not a new concept in Active Directory and the Windows environment. As an administrator, it is important you understand these different types of groups, and how to create, delete, and modify these groups, as well as perform other common tasks, such as adding to groups, changing a group’s scope, and assigning permissions to a group rather than an individual user. In Active Directory, groups are flexible objects, given that they can contain any other type of Active Directory object as a member. For example, besides creating groups of users, you can also create groups of computers, contacts, and other types of groups. The type and scope of the group will determine their usage in Active Directory. Active Directory allows you to create security and distribution groups. Security groups are mostly used to assign permission to resources, whereas distribution groups are used for e-mail distribution. Most of your management should be done through the groups. You can also use Security groups for e-mail distribution groups; however, it is recommended you use Distribution groups rather than Security groups. 
The scope, or area of influence, for a group determines where members of the group can be located in the forest and where in the forest you can use the group to assign permissions. This lesson introduces you to the various types of groups along with common administrative tasks you can perform on them.You will also learn about the various categories of default groups, and at the end I’ll share with you how to plan a group strategy.
Creating a Group

Groups are created in Active Directory using the Active Directory Users and Computers MMC snap-in, or via a script or a command-line utility such as dsadd. However, before we get into the business of creating and managing groups, we must understand group types, the scope of groups, and their relationship with other objects in Active Directory.
The Active Directory environment includes several built-in groups. I’ll describe them over the course of the next few pages to make sure you understand their scope and usage before you attempt to create your own custom groups (as well as built-in groups) to meet the needs of your organization.
Types of Groups

As discussed before, the purpose of groups is to control user permissions by grouping users according to similar permissions or job functions. This simplifies our work as Active Directory administrators because we can manage users at the group level instead of granting permissions to individual users. If you have worked at all with Windows 2000 and Windows 2003, you are certainly familiar with local, global, and universal groups, and how they are employed to organize users so they can access resources. Not many changes have occurred with these groups, except that Windows Server 2008 adds a few new built-in groups. In the next few pages, we will get into the details of groups and their various types. In Active Directory, you create groups either to assign permissions or to distribute e-mail messages. To facilitate this, Active Directory uses two types of groups: the security group and the distribution group. All group details and membership information are stored in the Active Directory database.

■ Security Groups: Windows Server 2000/2003/2008 uses security groups to assign permissions to resources such as folders, files, printers, and applications. Technically, security groups can also be used to distribute e-mail, but it is recommended that security groups be used for one purpose only: assigning permissions to resources.
■ Distribution Groups: Distribution groups cannot be used to assign permissions. They are used only for non-security-related functions, such as sending e-mail messages to a group of users. Programs like Microsoft Exchange are designed to use distribution groups as distribution lists for sending e-mail messages to multiple users.
Group Scopes

Now that we understand group types, it's time to discuss group scopes. When we create a group, we must select a group scope along with the group type. The scope of a group determines its boundaries: where in the network the group can draw its members from and where you can use the group to assign permissions. The three group scopes are domain local, global, and universal. Table 3.5 lists the different group scopes.

Table 3.5 Group Scopes

Group Scope: Domain local
■ Limited to a single domain only.
■ Members can come from any domain in the forest.
■ Members access resources only in the local domain.
■ Domain local groups are not visible outside their own domain.

Group Scope: Global
■ Members can come only from the local domain.
■ Members can access resources in any domain in the forest.
■ Global groups are visible to all trusted domains.
■ Global groups can have users and groups from their own domain as members.
■ Global groups can be nested.

Group Scope: Universal
■ Members can come from any domain in the forest.
■ Members can access resources in any domain in the forest.
■ Universal groups are visible to all trusted domains.
■ Universal groups can have users and groups from any trusted domain as members.
Universal Group Replication Concerns

Before we get into more details about group membership and the step-by-step procedure for creating these groups, it is time to understand one critical factor: the replication impact of universal groups. Universal security groups obtain member information from a global catalog server, and they continuously communicate with a global catalog server to get information about members from other domains. Whenever the membership changes, such as a user being added to or removed from a universal group, the change is replicated to the other global catalog servers in the forest.
Group Strategies

If you have used Windows NT 4.0, Windows 2000, or Windows 2003, you might be familiar with the term "group nesting," which refers to adding groups to other groups to reduce the number of times permissions need to be assigned. In Windows Server 2008, you can add unlimited levels of nesting in domains. Let me give you a quick example to explain group nesting. Your organization may have offices in diverse geographical locations, with a number of salespeople working in each region. You can create a group for the salespeople in each region, such as East Sales, West Sales, North Sales, and Central Sales. You can then add each regional group to another group called Worldwide Sales Team. If you need to assign permissions to access regional resources, use the regional groups. When all the salespeople in the network need access to a resource, you assign permissions only to the Worldwide Sales Team. This group strategy allows for the easy assignment of permissions. The following are general guidelines for group nesting:

■ Minimize the level of nesting. If you have multiple groups nested within each other, it will be harder for you to troubleshoot permission issues.
■ Document group membership to keep track of group memberships and permission assignments.
Microsoft has introduced the concepts of AGDLP and AGGUDLP for managing access to domain resources. AGDLP stands for Accounts > Global > Domain Local > Permissions, while AGGUDLP stands for Accounts > Global Groups > Global Groups > Universal Groups > Domain Local Groups > Permissions; both are applied when planning and constructing groups and when assigning permissions on resources. Here is how AGDLP describes the practice:

■ A: Create the user account(s).
■ G: Create a global group and add the user account(s) to the global group as members.
■ DL: Create a domain local group in the domain that contains the resource, and then add the global group as a member of this domain local group.
■ P: Assign permissions on the resource using the domain local group.
Creating a New Group Using Active Directory Users and Computers

The Active Directory Users and Computers console is used to create new groups and add members to those groups. You can create groups by performing the steps outlined in Exercise 3.8.
EXERCISE 3.8 CREATING A NEW GROUP BY USING ACTIVE DIRECTORY USERS AND COMPUTERS 1. Log on to the Active Directory domain controller with administrative privileges. 2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers. 3. Select the appropriate Active Directory container or organizational unit to house the new group. Right-click the container, click New, and then click Group to create the new group. This will bring up the New Object—Group window. 4. Enter the name of the group and select the group scope (Domain Local, Global, or Universal) and the group type (Security or Distribution). Once you enter the group information, click OK to continue.
Modifying a Group Using Active Directory Users and Computers

Like all Windows Server 2008 objects, a group has a set of default properties, or attributes. Once the group has been created, these properties can be modified. For example, you can add a description of the group and define the group manager. Once you have created the group, you can manage it by double-clicking the group object in the Active Directory Users and Computers MMC snap-in. In Exercise 3.9, we will examine several group attributes and values. An explanation of each tab setting is provided to help you understand these attributes and values.
EXERCISE 3.9 MODIFYING A NEW GROUP BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit where the group resides. Right-click the desired group and then select Properties.
4. The General tab contains the group name, description, e-mail, group scope, group type, and notes. Type in the appropriate information, as shown in Figure 3.25.
Figure 3.25 The General Tab
5. Click the Members tab. This tab lists the group members, as shown in Figure 3.26. By default, there are no members in a newly created group. You can add a member (a user account or another group) by clicking Add, typing in the name, and then clicking Check Names. Click OK to add the member to the group.
Figure 3.26 The Members Tab
6. Click the Member Of tab to add this group to other security groups and so assign it permissions to domain resources. To add the group to another security group, click Add, type in the group name, and then click Check Names. Click OK to add the group to the selected group.
7. Click the Managed By tab. As shown in Figure 3.27, this tab contains the contact information of the person who is responsible for this group. To add an appropriate person, click the Change … button, type in the person's name, and then click Check Names. Click OK to return to the Managed By screen.
Figure 3.27 The Managed By Tab
8. Click Apply, and then click OK to finalize the group changes and view the group within the Active Directory container in the Active Directory Users and Computers snap-in.
Creating a New Group Using Script

To create a group using a script, you can use VBScript or the built-in dsadd command. I've found the dsadd command useful since it allows you to use command lines in batch files for day-to-day administrative tasks. The following is an example of VBScript used to create a group in Active Directory:

```vbscript
' This code creates a single group named Sales
' ------ SCRIPT CONFIGURATION ------
strGroupParentDN = ""   ' e.g. ou=Users,dc=admastering,dc=com
strGroupName = ""       ' e.g. Sales
strGroupDescr = ""      ' e.g. Sales group
' ------ END CONFIGURATION ------

' Constants taken from ADS_GROUP_TYPE_ENUM (the bits of the groupType attribute)
Const ADS_GROUP_TYPE_GLOBAL_GROUP = 2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4   ' ADS_GROUP_TYPE_LOCAL_GROUP shares this value
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = 8
' Security-enabled bit; &H80000000 is the Long value -2147483648 that groupType stores
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000

' Bind to the parent OU and create the group object beneath it
Set objOU = GetObject("LDAP://" & strGroupParentDN)
Set objGroup = objOU.Create("group", "cn=" & strGroupName)
' Scope and type are combined in a single attribute: here a global security group
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.Put "description", strGroupDescr
objGroup.SetInfo
```
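The following added Python example (not the book's code) decodes the groupType value that the script above writes and checks group nesting against the membership rules of Table 3.5, as they apply at Windows 2000 native domain functional level or higher. The forest, domain, group and user names are constructed from the chapter's own examples.

```python
# Added example (not the book's code): decode groupType and audit group
# nesting against the Table 3.5 scope rules. Sample data is constructed.
from dataclasses import dataclass
from typing import Optional

# Bit values from ADS_GROUP_TYPE_ENUM (groupType attribute).
ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000

SCOPE_NAMES = {
    ADS_GROUP_TYPE_GLOBAL_GROUP: "global",
    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP: "domain local",
    ADS_GROUP_TYPE_UNIVERSAL_GROUP: "universal",
}


def decode_group_type(value):
    """Return (scope, type) for a groupType value.

    LDAP tools show the attribute as a signed 32-bit integer, so a global
    security group appears as -2147483646 (0x80000002)."""
    value &= 0xFFFFFFFF
    scopes = [name for bit, name in SCOPE_NAMES.items() if value & bit]
    if len(scopes) != 1:
        raise ValueError("groupType 0x%X does not select exactly one scope" % value)
    kind = "security" if value & ADS_GROUP_TYPE_SECURITY_ENABLED else "distribution"
    return scopes[0], kind


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str                    # "user", "computer" or "group"
    scope: Optional[str] = None  # only meaningful when kind == "group"


def can_be_member(group, member):
    """Apply the Table 3.5 membership rules; return (allowed, reason)."""
    same_domain = group.domain == member.domain
    if member.kind != "group":
        # Users and computers: global groups accept them from the local domain only.
        if group.scope == "global" and not same_domain:
            return False, "global groups accept members only from their own domain"
        return True, "ok"
    # Group-in-group nesting rules.
    if group.scope == "global":
        if member.scope == "global" and same_domain:
            return True, "ok"
        return False, "global groups may nest only global groups from their own domain"
    if group.scope == "universal":
        if member.scope in ("global", "universal"):
            return True, "ok"
        return False, "universal groups may not contain domain local groups"
    if group.scope == "domain local":
        if member.scope in ("global", "universal"):
            return True, "ok"
        if member.scope == "domain local" and same_domain:
            return True, "ok"
        return False, "domain local groups nest domain local groups only from their own domain"
    return False, "unknown scope"


def check_memberships(memberships):
    """Return one violation string per disallowed (group, member) pair."""
    violations = []
    for group, member in memberships:
        allowed, reason = can_be_member(group, member)
        if not allowed:
            violations.append("%s -> %s: %s" % (group.name, member.name, reason))
    return violations


# Constructed forest with two domains, using the chapter's example names.
ROOT = "admastering.com"
TORONTO = "Toronto.Ontario.Canada.admastering.com"
joanna = Principal("Joanna", ROOT, "user")
demi = Principal("Demi", TORONTO, "user")
sales = Principal("Sales", ROOT, "group", "global")
east_sales = Principal("East Sales", TORONTO, "group", "global")
worldwide = Principal("Worldwide Sales Team", ROOT, "group", "universal")
printer_acl = Principal("Toronto Printer Users", TORONTO, "group", "domain local")

SAMPLE_MEMBERSHIPS = [
    (sales, joanna),           # ok: user from the group's own domain
    (sales, demi),             # violation: user from another domain in a global group
    (worldwide, sales),        # ok: global nested in universal (AGGUDLP)
    (worldwide, east_sales),   # ok
    (printer_acl, worldwide),  # ok: universal nested in domain local
    (worldwide, printer_acl),  # violation: domain local inside universal
]

if __name__ == "__main__":
    print(decode_group_type(-2147483646))
    for v in check_memberships(SAMPLE_MEMBERSHIPS):
        print("violation:", v)
```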
The Delegation of Tasks

One reason to create multiple OUs is to delegate administrative responsibilities and divide the administrative workload between different administrators. Delegation is a powerful concept and tool in Active Directory. As a concept it has been around for a while, so Windows 2000 and Windows 2003 administrators may find the information in this section a little repetitive—but hey, you can either skip the section or take a quick glance to review the information. In this lesson, we'll learn how to use the Delegation Of Control Wizard to delegate administrative control of domains, OUs, and containers to other administrators, groups, or users within your organization so they can perform certain administrative functions according to their requirements. Delegation lets you set up decentralized administration (to share the workload) while still maintaining control of your overall enterprise network. Delegation is easy to configure, but you must establish a careful plan before implementing it. Though the wizard is simple and straightforward, you still need to be aware of how permissions and permission inheritance work in the AD structure. In a small or medium-sized organization, a few administrators are responsible for managing Active Directory objects. In any large organization, however, the administration is divided between different administrators. To ensure these administrators receive appropriate permissions, you run the delegation wizard to set up permissions at the domain, OU, and container level. Consider an example. If Khalid is an administrator of the domain, he can grant a new trainee or group of users permissions on a particular container in Active Directory, such as North America; if he grants Full Control, that trainee or group will have Full Control over every container below North America. Depending on your requirements, Khalid can assign users Full Control or give them granular permissions, such as resetting passwords or creating new users only, so that they can perform limited tasks. In other words, as an administrator, you can delegate some responsibilities, but not necessarily all of them. With Delegation of Control, you can still keep your "administrative hand" over the enterprise and all the tasks performed in it, while delegating easier tasks to other people. Delegation of Control is an excellent tool that allows you to share your workload with new or inexperienced administrators without creating challenges for yourself or anyone else. You can use Delegation of Control in many different ways, but make sure that whichever method you choose fits your administrative model. In most cases, we delegate permissions at the OU and container level rather than the domain level. You can further fine-tune your permissions by controlling whether inheritance takes effect for all objects and for the child and grandchild OUs within that OU. In the following section, we will delegate task responsibilities to several inexperienced administrators. An explanation of each step is provided to help you understand these values.
EXERCISE 3.10 DELEGATING PERMISSIONS ON AN OU TO NEW USERS BY USING ACTIVE DIRECTORY USERS AND COMPUTERS 1. Log on to the Active Directory domain controller with administrative privileges. 2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers. 3. Select the appropriate Active Directory container or organizational unit where you want to delegate control, click the Action menu, and then click Delegate Control. 4. The Delegation of Control Wizard begins with a Welcome screen, shown in Figure 3.28. Click the Next button to continue.
Figure 3.28 The Delegation of Control Wizard
5. The Users Or Groups window appears (Figure 3.29). Click the Add button and type in the name of the user(s) or group(s) to which you want to delegate control. Click Check Names to verify the names, and then click OK to add them to the list. Use the Remove button if you need to remove a user or group from the list. Click the Next button on the Users Or Groups page.
Figure 3.29 The Users Or Groups Screen
6. On the Tasks To Delegate page, as shown in Figure 3.30, you have two radio button options. You can either choose to Delegate The Following Common Tasks, in which you select the desired options, or you can choose to Create A Custom Task To Delegate. The first option has many predefined tasks, while the custom option allows you to have more granular control and delegation. Most organizations may find that delegating the following common tasks is sufficient for their needs. This section is focused only on delegating common tasks instead of creating a custom task. If you decide to delegate common tasks, you have the following check box list from which to select.
Figure 3.30 Tasks to Delegate
■ Create, delete, and manage user accounts: This option enables you to delegate the right to create, delete, and configure user accounts.
■ Reset user passwords and force password changes at the next logon: This option enables you to delegate the right to reset passwords only. This option is helpful if you want to give a particular user or group, such as help desk users, the right to reset passwords when users forget their passwords or need to be assigned a new password.
■ Read all user information: This option enables you to delegate the right to read all user information.
■ Create, delete, and manage groups: This option lets you delegate the right to create, delete, and configure group accounts.
■ Modify the membership of a group: This option lets you delegate to the user or group the right to modify the membership of an existing group, but not to create, delete, or configure group accounts.
■ Manage Group Policy links: This option enables you to delegate to the user or group the right to manage Group Policy links and make changes to them.
■ Generate Resultant Set of Policy (Planning): This option enables you to delegate to the user or group the right to generate Resultant Set of Policy (planning) data to plan any group policy implementation, but they won’t be able to perform any logging or manage group policy links.
■ Generate Resultant Set of Policy (Logging): This option lets you delegate to a user or group the right to generate Resultant Set of Policy (logging) data, but they won’t be able to perform any planning or manage any group policy links.
■ Create, delete, and manage inetOrgPerson accounts: This option enables you to delegate the right to create, delete, and manage inetOrgPerson accounts.
■ Reset inetOrgPerson passwords and force password change at next logon: This option lets you delegate the right to reset inetOrgPerson passwords and force password changes at the next logon.
■ Read all inetOrgPerson information: This option enables you to delegate the right to read all inetOrgPerson user information.
7. On the Completing The Delegation Of Control Wizard page, as shown in Figure 3.31, review your selections, and then click the Finish button if it is accurate. If it is not accurate, use the Back button to make changes and then click Finish.
Figure 3.31 Completing the Delegation of Control Wizard
■ Verifying Delegated Permissions: Once you finish the delegation, you can verify permissions by right-clicking the container and then clicking Properties. Click the Security tab. Here you will be able to verify your permissions.
■ Removing Delegated Permissions: The Delegation Of Control Wizard can be used only to grant administrative permissions. If you want to remove those privileges, you must do so manually in the Security tab of the Properties dialog box for the container and in the Advanced Security Settings dialog box for the container.
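The points the exercise makes about delegation, inheritance, and removal are easier to reason about with a small model in hand. The following Python is an added example and is not code from the book or from any Microsoft tool: it models an OU tree whose containers carry allow ACEs, resolves the effective rights of a user or group on a given OU by walking up the tree (an ACE marked "this object only" does not flow to child OUs, and a container that blocks inheritance stops the walk), and shows that, because the wizard only ever grants, removing a delegation is a separate manual ACL edit. The OU names, trustee names, right labels, and the function names (`delegate`, `effective_rights`, `remove_delegation`, `build_demo`) are all constructed for this example.

```python
"""Toy model of OU-level delegation with ACE inheritance (constructed example).

Mirrors the behaviour described for the Delegation of Control Wizard: rights
granted on a container flow to child and grandchild OUs unless the ACE is
"this object only" or a child container blocks inheritance, and the wizard
only grants, so removal means editing the ACL by hand.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Labels for the wizard's common tasks (constructed names, not AD rights GUIDs).
FULL_CONTROL = "FullControl"
RESET_PASSWORD = "ResetPassword"
READ_USER_INFO = "ReadUserInfo"


@dataclass
class Ace:
    trustee: str          # user or group the right is granted to
    right: str
    inherit: bool = True  # True = "this object and all descendants", False = "this object only"


@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    aces: List[Ace] = field(default_factory=list)
    block_inheritance: bool = False  # "Include inheritable permissions" unticked

    def add_child(self, name: str) -> "Container":
        return Container(name, parent=self)


def delegate(container: Container, trustee: str, right: str, inherit: bool = True) -> None:
    """What the wizard does: append an allow ACE to the container's DACL."""
    container.aces.append(Ace(trustee, right, inherit))


def effective_rights(container: Container, principal: str,
                     groups_of: Optional[Dict[str, List[str]]] = None) -> Set[str]:
    """Rights that apply to `principal` (directly or through its groups) on `container`:
    every ACE on the container itself plus inheritable ACEs from each ancestor,
    stopping at the first container that blocks inheritance."""
    identities = {principal}
    if groups_of:
        identities.update(groups_of.get(principal, []))
    rights: Set[str] = set()
    node, is_self = container, True
    while node is not None:
        for ace in node.aces:
            if ace.trustee in identities and (is_self or ace.inherit):
                rights.add(ace.right)
        if node.block_inheritance:
            break
        node, is_self = node.parent, False
    return rights


def remove_delegation(container: Container, trustee: str) -> int:
    """The wizard cannot undo a grant; this is the manual Security-tab edit.
    Returns how many ACEs were removed."""
    before = len(container.aces)
    container.aces = [a for a in container.aces if a.trustee != trustee]
    return before - len(container.aces)


def build_demo() -> Dict[str, Container]:
    """Constructed OU tree: domain > North America > {Sales > West, Engineering}."""
    root = Container("DC=example,DC=com")
    north_america = root.add_child("OU=North America")
    sales = north_america.add_child("OU=Sales")
    west = sales.add_child("OU=West")
    engineering = north_america.add_child("OU=Engineering")
    # Help desk may reset passwords anywhere under North America.
    delegate(north_america, "HelpDesk", RESET_PASSWORD)
    # Trainees get Full Control of every container below North America.
    delegate(north_america, "Trainees", FULL_CONTROL)
    # Sales admins may read user info in Sales itself, not in its child OUs.
    delegate(sales, "SalesAdmins", READ_USER_INFO, inherit=False)
    # Engineering has opted out of inherited permissions.
    engineering.block_inheritance = True
    return {"root": root, "na": north_america, "sales": sales,
            "west": west, "eng": engineering}


if __name__ == "__main__":
    tree = build_demo()
    groups = {"trainee1": ["Trainees"]}  # constructed user who is a member of Trainees
    for key in ("root", "na", "sales", "west", "eng"):
        print(tree[key].name,
              "trainee1:", sorted(effective_rights(tree[key], "trainee1", groups)),
              "HelpDesk:", sorted(effective_rights(tree[key], "HelpDesk")))
```

Running the script prints one line per OU; the West OU shows HelpDesk and the trainee inheriting from North America while SalesAdmins, granted "this object only" on Sales, have nothing there, and Engineering shows nothing inherited at all. Removing the HelpDesk grant on North America with `remove_delegation` is the only way to take the right away again, which is what the Security tab edit in the text corresponds to.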
RODC (Read-Only Domain Controller)
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 Active Directory environment that allows organizations to easily deploy a domain controller in locations where physical security cannot be guaranteed. Besides providing improved security, faster logon, unidirectional replication, credential caching, and more efficient resource access, one of the biggest advantages of an RODC is admin role separation. Instead of your remote administrators accessing the RODC remotely to perform administrative tasks on the server, the RODC allows you to give a user local administrator rights on the RODC without giving that person domain administrative permissions. You can delegate local administrative permissions for an RODC to any domain user to perform day-to-day administrative tasks, such as stopping services, running backups, installing drivers, rebooting the server, and installing updates, patches, and service packs. This limits the RODC local administrator to permissions on that particular branch office RODC, without any user rights in the domain or on other domain controllers. In this way, the branch user performs certain tasks to manage the RODC without compromising security. Administrative separation on an RODC has the potential to reduce the administrative burden on central administrators by delegating basic operational responsibilities to the branch office user. This option may require additional training for your branch office user; however, it is an excellent way to decentralize operational tasks. It also provides extensive security, since the site administrator logs on using an administrative account that is local to the RODC rather than their domain credentials. On the other hand, this option produces more work for you as an administrator, because you have to manage separate logons for each RODC in each remote location. Though it may add some extra challenges, the benefits are well worth it.
Exam Objectives Fast Track
Navigating Active Directory Users and Computers
˛ The Active Directory Users and Computers administration console allows you to manage domain controllers, organizational units (OUs), group policies, and domain security policies.
˛ Attribute Editor is available in the Active Directory Users and Computers MMC snap-in with advanced features enabled. It is easier to use and navigate the Active Directory Users and Computers snap-in than ADSIEdit.msc.
˛ The Active Directory administrative console is installed automatically on Windows Server 2008 domain controllers.
Creating and Modifying User Accounts
˛ Local user profiles are available only at the local computer. They are created in the user’s profile directory on each system where the user logs on. When the user logs on to a system for the first time, and no profile is defined, the system uses the \Documents and Settings\Default User profile to create the new local user profile in the \Documents and Settings\username directory. If the user logs on to many different systems in your domain, he will be unable to maintain one profile, and may end up with many profiles on many different systems.
˛ Roaming user profiles allow users to maintain one profile while they log on at multiple computers and move from system to system. A roaming profile is a shared folder on a server that allows a user to access a roaming profile from any system in the domain. Whenever a user starts a session, the profile is copied from the shared network folder to the local computer. Once copied to the local system, all the user’s settings are updated in the local profile and copied back to the shared folder on the server when the user logs off.
˛ Mandatory user profiles are read-only roaming profiles that are used to maintain desktop consistency. No modifications will ever be saved to the user’s profile. Users will be able to modify desktop settings and several other settings, but these won’t be saved when the user logs off. Like roaming profiles, a mandatory profile is also a shared network folder that allows the user to access mandatory profiles from any system in the domain. No user
should be allowed to make changes to mandatory user profiles except system administrators.
˛ Temporary user profiles are used only if the user’s profile is unable to load due to errors. At the end of each session, temporary user profiles are deleted, and therefore all changes made during the session are lost when the user logs off from the system.
˛ Understand that users in your Active Directory domain must have a strong password. A strong password is at least seven to nine characters long, does not contain the user’s account name, and consists of at least three of the following four groups of characters: uppercase characters, lowercase characters, numbers, and special keyboard symbols, such as !, @, #, $, ∗.
Creating and Modifying Computer Accounts
˛ Each computer in your domain provides a password to the domain controller at the time of logon. This randomly selected password is updated automatically every 30 days. It is possible for the computer’s password and the copy held by the domain controller to get out of sync, in which case communication between the two machines fails. If this happens, you may want to reset the computer account in Active Directory so that the computer can reestablish the connection.
Creating and Managing Objects
˛ Many graphical management tools are built using the Microsoft Management Console and snap-ins.
˛ You can create and manage an Active Directory object via MMC snap-ins, scripts, and PowerShell.
˛ Most graphical administration tools can be found as preconfigured management consoles accessible via Start | Programs | Administrative Tools. Understand how Active Directory objects can be organized by using the Active Directory Users and Computers tool.
Creating and Modifying Groups
˛ Windows Server 2000/2003/2008 uses security groups to assign permissions to resources like folders, files, printers, and applications. Technically, security groups can also be used to distribute e-mail, but it is recommended you use
security groups only for one purpose: to assign permissions to resources.
˛ Understanding the purpose of local, global, and universal groups is essential in Windows Server 2008.
˛ Domain Local groups are limited to a single domain only. Members can come from any domain in a forest; members can access resources only in the local domain; and Domain Local groups are not visible outside their own domain.
˛ Global group members can come only from the local domain; members can access resources in any domain in a forest; Global groups are visible to all trusted domains and can have member users and groups from within their own domain. Global groups can be nested.
˛ Universal group members can come from any domain in a forest; members can access resources in any domain in a forest. Universal groups are visible to all trusted domains and can include member users and groups from any trusted domain.
˛ Using groups can help you simplify administration by granting rights and assigning permissions once to a group rather than multiple times to each individual member.
˛ The concepts of AGDLP and AGGUDLP are important in managing domain resources. AGDLP stands for Accounts > Global > Domain Local > Permissions, while AGGUDLP stands for Accounts > Global Groups > Global Groups > Universal Groups > Domain Local Groups; both are applied when planning and implementing the construction of groups, as well as the assigning of permissions on resources.
˛ Universal security group replication issues are important because universal security groups get member information from a global catalog server. Universal groups continuously communicate with a global catalog server to get information about members from other domains. In case of any changes, such as adding/removing a user from a universal group, the changes are replicated to the other global catalogs in the forest.
˛ Group deletion only deletes the group and removes the permissions associated with it. Deleting a group does not delete the user accounts that are members of the group.
˛ Members of groups may include user accounts, contacts, other groups, and computers.
˛ Every domain user is given a friendly name, known as the user principal name (UPN), in order to help users log on to the domain. A UPN is an Internet-style logon name, which is shorter than the distinguished name and thus easier to remember.
Delegation of Tasks
˛ The Delegation of Control Wizard is used to assign specific permissions to specific users. It helps administrators distribute the load to system administrators and regional administrators.
˛ RODC allows you to delegate local administrative permissions for an RODC to any domain user to perform day-to-day administrative tasks such as stopping services, making backups, installing drivers, rebooting the server, and installing updates, patches, and service packs.
Exam Objectives Frequently Asked Questions
Q: What methods are available for me as an administrator to navigate Active Directory?
A: Administrators can use Active Directory Users and Computers, PowerShell, and the ds commands to navigate Active Directory.
Q: Which tools can I use to edit attributes of objects in Active Directory?
A: ADSIEdit.msc is a graphical console that is used to edit attributes of objects in Active Directory.
Q: What is the difference between Active Directory Users and Computers and ADSIEdit.msc?
A: The Active Directory Users and Computers tool is used for day-to-day administration, whereas ADSIEdit.msc is another graphical tool that allows you to modify object attributes and low-level object information.
Q: What is the difference between a local user account and a domain user account?
A: Local user accounts are created only in the computer’s local security database and do not replicate to the domain controllers. They authenticate locally to gain access to local resources, whereas domain user accounts are used to gain access to domain resources.
Q: What is the purpose of renaming the Administrator user account?
A: Renaming the Administrator account provides you with extra security against hackers and intruders, and makes it difficult for unauthorized users to guess the administrative account’s logon name.
Q: My organization does not wish to allow users to save their desktop settings in their profile. What can I do to prevent users from saving their desktop settings in their profile?
A: Use mandatory profiles, since they are read-only profiles and allow you to maintain desktop consistency.
Q: What is an example of a strong user password?
A: A strong password:
■ Does not contain dictionary words.
■ Does not contain a username, real name, pet name, family member’s name, or company name.
■ Is between 7 and 14 characters long.
■ Is different from previous passwords.
■ Is a combination of uppercase, lowercase, numbers and special characters. An example of a strong password is Sh4$$n0n87r67}D.
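The rules listed in this answer, together with the complexity rule given in the Fast Track (minimum length, no account name, at least three of the four character classes), can be turned into a checker that reports every rule a candidate password breaks rather than a bare yes/no. The following Python is an added example, not code from the book or from Windows: it applies the length minimum and the three-of-four-classes rule, rejects passwords containing the account name or any token of three or more characters from the display name (the same tokenizing approach Windows uses for its complexity check), rejects dictionary words and reused passwords, and returns the list of violations. The word list is a constructed stand-in for a real dictionary file, and the function names `name_tokens`, `check_password`, and `is_strong` are this example's own. No upper length limit is enforced here.

```python
"""Password-strength checker for the rules this chapter lists (added example)."""
import re
import string
from typing import Iterable, List

MIN_LENGTH = 7  # the chapter's minimum; no maximum is enforced here

# Constructed stand-in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "admin", "qwerty", "letmein", "shannon"}

CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def name_tokens(account_name: str, display_name: str) -> List[str]:
    """Name fragments that must not appear in the password.

    The account name is checked whole (if it is at least 3 characters); the
    display name is split on the delimiters Windows uses (space, comma, period,
    dash, underscore, hash, tab) and tokens shorter than 3 characters are ignored.
    """
    tokens = [account_name.lower()] if len(account_name) >= 3 else []
    for tok in re.split(r"[\s,.\-_#]+", display_name):
        if len(tok) >= 3:
            tokens.append(tok.lower())
    return tokens


def check_password(password: str, account_name: str = "", display_name: str = "",
                   previous: Iterable[str] = ()) -> List[str]:
    """Return every rule the password violates; an empty list means it is strong."""
    problems: List[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    for tok in name_tokens(account_name, display_name):
        if tok in lowered:
            problems.append(f"contains part of the user's name: {tok}")

    classes_used = [name for name, chars in CHARACTER_CLASSES.items()
                    if any(ch in chars for ch in password)]
    if len(classes_used) < 3:
        problems.append(f"uses only {len(classes_used)} of the 4 character classes")

    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains dictionary word: {word}")

    if password in set(previous):
        problems.append("matches a previous password")

    return problems


def is_strong(password: str, account_name: str = "", display_name: str = "",
              previous: Iterable[str] = ()) -> bool:
    return not check_password(password, account_name, display_name, previous)


if __name__ == "__main__":
    # Constructed sample user; the first candidate is the book's own example password.
    for candidate in ("Sh4$$n0n87r67}D", "Shannon2024!", "password1", "Ab1!xy"):
        print(candidate, "->", check_password(candidate, "ssmith", "Shannon Smith") or "strong")
```

Returning the list of violations rather than a boolean is what makes the check useful at a help desk: the caller can tell the user which rule was broken. The book's example password passes every rule implemented here, while a password built from the user's first name fails both the name-token and the dictionary check.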
Q: My organization is planning to create multiple users in Active Directory. Can I use scripting to achieve this?
A: Yes, you can use scripting and a combination of built-in tools like dsadd to add multiple users.
Q: What is the purpose of a computer account?
A: Computer accounts are just like user accounts; however, user accounts represent users, whereas computer accounts represent computers.
Q: How long does a domain controller store computer account passwords?
A: Thirty days.
Q: Why does a domain controller store computer account passwords?
A: To access domain resources securely, every computer in your domain needs to access domain controllers by establishing a secure channel to a domain controller. This secure channel is an authenticated channel in which the computer presents a password to the domain controller (which is verified against the password stored with the computer’s account in Active Directory) so that the computer can later use this secure channel to securely transfer encrypted data to and from the domain controller.
Q: Which group should I use to allow users to access resources?
A: Windows Server 2000/2003/2008 uses security groups to assign permissions to resources like folders, files, printers, and applications.
Q: Which group should I use to allow users to send e-mails?
A: Both security and distribution groups can be used to allow users to send e-mails to multiple users; however, distribution groups are designed solely for distributing e-mails. You cannot use distribution groups to assign permissions. They are used only for nonsecurity-related functions, such as sending e-mail messages to groups of users.
Q: Which group type should I use in my environment if I want to add users from different trees and forests in my domains?
A: Universal groups.
Q: Is there any strategy recommended by Microsoft to create groups and users?
A: Yes, Microsoft has created AGDLP and AGGUDLP to manage domain resources. AGDLP stands for Accounts > Global > Domain Local > Permissions, while AGGUDLP is short for Accounts > Global Groups > Global Groups > Universal Groups > Domain Local Groups; both are applied when planning and implementing the construction of groups, as well as when assigning permissions on resources.
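The group-scope rules from the Fast Track (Domain Local members from any domain but usable only in their own domain; Global members only from the group's own domain; Universal members from any domain) and the AGDLP / AGGUDLP nesting strategy in this answer can be checked mechanically. The following Python is an added example, not code from the book or from Active Directory: it models a forest of users and groups, enforces the scope rules when a member is added, refuses to put a Domain Local group on a resource in another domain, and resolves a user's effective permissions by walking nested membership. One constraint beyond the page text, that a Domain Local group cannot be nested anywhere except in a Domain Local group of its own domain, is Active Directory behaviour and is marked in the code. Domain names, group names, the share name and the class and function names (`Forest`, `Resource`, `build_demo`, `violates`) are all constructed for this example.

```python
"""Group scope rules and AGDLP / AGGUDLP resolution (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "DomainLocal", "Global", "Universal"


@dataclass
class Principal:
    name: str
    domain: str
    scope: Optional[str] = None               # None marks a user account
    members: Set[str] = field(default_factory=set)


class Forest:
    def __init__(self) -> None:
        self.principals: Dict[str, Principal] = {}

    def add(self, name: str, domain: str, scope: Optional[str] = None) -> Principal:
        self.principals[name] = Principal(name, domain, scope)
        return self.principals[name]

    def add_member(self, group: str, member: str) -> None:
        g, m = self.principals[group], self.principals[member]
        if g.scope is None:
            raise ValueError(f"{g.name} is a user account, not a group")
        # Fast Track: Global group members come only from the group's own domain,
        # and Global groups nest only users and other Global groups.
        if g.scope == GLOBAL and (m.domain != g.domain or m.scope not in (None, GLOBAL)):
            raise ValueError(f"{g.name} (Global) cannot contain {m.name}")
        # AD behaviour (beyond the page): a Domain Local group may only be nested in
        # a Domain Local group of the same domain, since it is invisible elsewhere.
        if m.scope == DOMAIN_LOCAL and (g.scope != DOMAIN_LOCAL or g.domain != m.domain):
            raise ValueError(f"{m.name} (Domain Local) cannot be nested in {g.name}")
        g.members.add(m.name)

    def member_of(self, name: str) -> Set[str]:
        """Transitive (nested) group membership of a user or group."""
        seen: Set[str] = set()
        todo = [name]
        while todo:
            current = todo.pop()
            for g in self.principals.values():
                if current in g.members and g.name not in seen:
                    seen.add(g.name)
                    todo.append(g.name)
        return seen


class Resource:
    """Something permissions are assigned on (a share, a printer) in one domain."""

    def __init__(self, name: str, domain: str) -> None:
        self.name, self.domain = name, domain
        self.acl: Dict[str, Set[str]] = {}

    def grant(self, forest: Forest, group: str, permission: str) -> None:
        g = forest.principals[group]
        # Fast Track: Domain Local groups are usable only on resources in their own domain.
        if g.scope == DOMAIN_LOCAL and g.domain != self.domain:
            raise ValueError(f"{g.name} (Domain Local) is not visible in {self.domain}")
        self.acl.setdefault(group, set()).add(permission)

    def effective_permissions(self, forest: Forest, user: str) -> Set[str]:
        perms: Set[str] = set()
        for g in forest.member_of(user):
            perms |= self.acl.get(g, set())
        return perms


def violates(action: Callable, *args) -> bool:
    """True if the action is rejected by a scope rule."""
    try:
        action(*args)
        return False
    except ValueError:
        return True


def build_demo() -> Tuple[Forest, Resource]:
    f = Forest()
    share = Resource(r"\\fs1\sales", "corp.example")          # constructed share
    # AGDLP inside corp.example: alice -> Global -> Domain Local -> Modify
    f.add("alice", "corp.example")
    f.add("GG_Sales", "corp.example", GLOBAL)
    f.add("DL_Sales_Modify", "corp.example", DOMAIN_LOCAL)
    f.add_member("GG_Sales", "alice")
    f.add_member("DL_Sales_Modify", "GG_Sales")
    share.grant(f, "DL_Sales_Modify", "Modify")
    # AGGUDLP across domains: bob -> Global -> Global -> Universal -> Domain Local -> Read
    f.add("bob", "emea.example")
    f.add("GG_EMEA_Sales", "emea.example", GLOBAL)
    f.add("GG_EMEA_Staff", "emea.example", GLOBAL)
    f.add("UG_All_Sales", "corp.example", UNIVERSAL)
    f.add("DL_Sales_Read", "corp.example", DOMAIN_LOCAL)
    f.add_member("GG_EMEA_Sales", "bob")
    f.add_member("GG_EMEA_Staff", "GG_EMEA_Sales")
    f.add_member("UG_All_Sales", "GG_EMEA_Staff")
    f.add_member("DL_Sales_Read", "UG_All_Sales")
    share.grant(f, "DL_Sales_Read", "Read")
    return f, share


if __name__ == "__main__":
    forest, sales_share = build_demo()
    for user in ("alice", "bob"):
        print(user, sorted(sales_share.effective_permissions(forest, user)))
    print("bob into corp Global rejected:", violates(forest.add_member, "GG_Sales", "bob"))
```

The two chains in `build_demo` are the book's AGDLP and AGGUDLP patterns spelled out; the Universal group is what lets a Global group from emea.example reach a Domain Local group in corp.example, and the rejected operations at the end show why the cross-domain shortcut of putting bob straight into a corp.example Global group is not available.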
Q: Is there an easy way to configure delegation?
A: Yes, you can use the Delegation of Control Wizard to configure delegation in your environment.
Q: What is the purpose of delegation?
A: Delegation lets you set up decentralized administration (to share a workload) while still maintaining control of your overall enterprise network. Delegation of Control is an excellent tool that allows you to divide your workload between new and/or inexperienced administrators without creating any challenges for yourself or them. You can use Delegation of Control in many different ways, but make sure that whichever method you choose fits with your administrative model. In most cases, we delegate permissions at the OU and container levels rather than the domain level. You can further fine-tune your permissions by controlling the inheritance so it takes effect for all objects.
Q: What is RODC and how is it different from regular Active Directory domain controllers?
A: RODC is a new type of domain controller in the Windows Server 2008 Active Directory environment. It allows organizations to easily deploy a domain controller in locations where physical security cannot be guaranteed. It provides improved security, faster logon, unidirectional replication, credential caching, and more efficient resource access, along with admin role separation.
Self Test
1. You have just installed a Windows Server 2008 domain controller in your environment. Which of the following default containers holds the default groups?
A. Users
B. Computers
C. Built-in
D. Default Groups
2. You tried to reset a password, but received a message that your password does not meet the password complexity requirements. What might be the problem?
A. The user password is not complex enough.
B. The user is accessing a domain from a Windows 98 workstation machine.
C. The user is accessing a domain from a Windows MT workstation machine.
D. The user is accessing a domain from a Windows NT 4.0 machine.
3. Your organization has one Active Directory domain in the Active Directory forest. You are responsible for creating accounts for all users in your domain. Your company just bought another company with 5000 user accounts, and you are required to create their new user accounts without using a third-party tool. Which of the following commands should be used to achieve this?
A. dsadd
B. dsuseradd
C. adduser
D. adduser.ps
4. You suspect that a user may be able to log on after office hours. From which tab on a user’s Properties dialog box can you set logon hours?
A. The Account tab
B. The Security tab
C. The General tab
D. The Profile tab
5. You are at a branch office of your company assisting a user on his PC. While assisting the user, you receive a phone call from your boss who wants to know why all the users are required to change their passwords the first time they log on. What would be the best way to answer his question?
A. It’s a default Active Directory group and domain policy to enforce user passwords set by the administrator.
B. It’s a default Active Directory group policy and cannot be modified.
C. This is a new feature in Active Directory 2008 to introduce extra security.
D. This is just a check box in the user account properties to force users to change the default passwords set by the administrator at the time their account was created. This then forces users to pick their own password.
6. Lisa works as a branch office administrator for your organization. She receives a call from her manager, Dina, asking which of the following characteristics make up a strong password. Which one is correct?
A. Contains a username or pet’s name.
B. Contains dictionary words.
C. Contains place names.
D. Is a combination of letters and numbers.
7. Which of the following options require administrative privileges to change the password?
A. User must change password at next logon.
B. User cannot change password.
C. Password never expires.
D. Store password using reversible encryption.
8. You are attempting to describe the purpose of a template account to a co-worker. What should you tell them?
A. A template account exists only for Novell users.
B. A template account exists only for Unix users.
C. A template account exists only for Windows NT 4.0 users.
D. A template account simplifies the creation of a large number of user accounts. In a template, you can define all the account parameters you need for your users. You can then use this template to create user accounts by simply filling in the Name, Full Name, Description, Password, and Confirm Password fields.
9. Joanna is responsible for administering a small Active Directory domain. Recently, your company has acquired a small company where all the computers are installed in a workgroup. Which of the following operations must she perform in order to create the computer accounts? (Choose all that apply.)
A. Select Start | Run, and then type in the joinallwks /user:administrator command.
B. Select Start | Programs | Administrative Tools | Active Directory Users and Computers, and then right-click the Computers container and create the computer objects.
C. Rename the existing computers in the workgroup.
D. Query for resources.
10. What is the purpose of resetting a computer account?
A. Helps you reset the computer password stored in Active Directory so the computer can make a trusted connection with Active Directory.
B. Helps you reboot the computer.
C. Helps you restart the Netlogon service.
D. Helps you change the authentication protocol from NTLM to Kerberos.
Self Test Quick Answer Key
1. C
2. A
3. A
4. A
5. D
6. D
7. B
8. D
9. B
10. A
Chapter 4
MCTS/MCITP Exam 640 Configuring the Active Directory Infrastructure
Exam objectives in this chapter:
■ Working with Forests and Domains
■ Working with Sites
■ Working with Trusts
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Introduction A Microsoft Active Directory network has both a physical and a logical structure. Forests and domains define the logical structure of the network, with domains organized into domain trees in which subdomains (called child domains) can be created under parent domains in a branching structure. Domains are logical units that hold users, groups, computers, and organizational units (OUs, which in turn can contain users, groups, computers, and other OUs). Forests are collections of domain trees that have trust relationships with one another, but each domain tree has its own separate namespace. In order to allow Active Directory to support the physical structure of your network, we will also discuss the configuration of Active Directory sites, site links, and subnet objects. Active Directory sites and subnets define the physical structure of an Active Directory network. Sites are important in an enterprise-level multiple location network, for creating a topology that optimizes the process of replicating Active Directory information between domain controllers (DCs). Sites are used for replication and for optimizing the authentication process by reducing authentication traffic across slow, high-cost WAN links. Site and subnet information is also used by Active Directory-enabled services to help clients find the nearest service providers. In this chapter, you will learn all about the functions of forests and domains in the Windows Server 2008 Active Directory infrastructure, and we will walk you through the steps of creating a forest and domain structure for a network. You’ll learn to create the forest root domain and a child domain, as well as the importance of Flexible Single Manager Operation (FSMO) roles within an Active Directory domain and forest. We will also discuss the role of sites in the Active Directory infrastructure, and how replication, authentication, and distribution of services information work within and across sites. 
We will explain the relationship of sites with domains and subnets, and how to create sites and site links. You’ll also learn about site replication and how to plan, create, and manage a replication topology. We’ll walk you through the steps of configuring replication between sites, and discuss how to troubleshoot replication failures. In addition to these concepts, we will also discuss Active Directory trust relationships. Trust relationships define the ways in which users can access network
resources across domains and forests. Without a trust between the domain to which a user belongs and the domain in which a resource resides, the user won’t be able to access that file, folder, printer, or other resource. Hence, it is important for network administrators to understand how the built-in (implicit) trusts in the Active Directory network function, and how to create explicit trusts to provide access (or faster access) between domains.
Working with Forests and Domains
Active Directory is composed of a number of components, each associated with a different type of Active Directory functionality; you should understand each component before making any changes to the network. Active Directory Domain Services is a distributed database, which means it can be spread across multiple computers within a domain or a forest. Among the major logical components that you need to be familiar with are:
■ Forests
■ Trees
■ Domains
■ The domain namespace
Administrative boundaries, network and directory performance, security, resource management, and basic functionality are all dependent on the proper design and placement of these elements. Figure 4.1 shows the logical view of a Windows Server 2008 Active Directory. Note that the differentiation between forests and trees is most obvious in the namespace. By its nature, a tree is one or more domains with a contiguous namespace. Each tree consists of one or more domains, and each forest consists of one or more trees. Because a forest can be composed of discrete multiple trees, a forest’s namespace can be discontiguous. By discontiguous, we mean that the namespaces anchor to different forest-root domain name system (DNS) domains, such as cats.com and dogs.com. Both are top-level domains and are considered two trees in a forest when combined into a single directory, as shown in Figure 4.1.
Figure 4.1 The Logical View of a Windows Server 2008 Active Directory (diagram: one forest containing two trees; the Dogs.com tree has the root domain Dogs.com, its child domain Labs.dogs.com, and the child domains Yellow.labs.dogs.com and Black.labs.dogs.com; the Cats.com tree has the domain Cats.com and its child domain Calico.cats.com)
Understanding Forests
An Active Directory always begins with a forest root domain, which is automatically the first domain you install. This root domain becomes the foundation for additional directory components. As the cornerstone of your enterprise-computing environment, you should protect it well. Fault tolerance and good backups are not optional—they are essential. If an administrative error or hardware failure results in the unrecoverable loss of this root structure, the entire forest becomes inoperable. Certain forest objects and services are present only at the root (e.g., the Enterprise Administrators and Schema Administrators groups, and the Schema Master and Domain Naming Master FSMO roles, which we will discuss later in this chapter).
Understanding Domains The domain serves as the administrative boundary of Active Directory. It is the most basic component that can functionally host the directory. Simply put, Active Directory uses the domain as a container of computers, users, groups, and other object containers. Objects within the domain share a common directory database partition, replication boundaries and characteristics, security policies, and security relationships with other domains. Typically, administrative rights granted in one domain are valid only within that domain. This also applies to Group Policy Objects (GPOs), but not necessarily www.syngress.com
Configuring the Active Directory Infrastructure • Chapter 4
to trust relationships, which you will learn more about later in the book. Security policies such as the password policy, account lockout policy, and Kerberos ticket policy are defined on a per-domain basis. The domain is also the primary boundary defining your DNS and NetBIOS namespaces. The DNS infrastructure is a requirement for an Active Directory domain, and should be defined before you create the domain. There are several good reasons for a multiple-domain model, although a significant number of Active Directory implementations rely on a single-domain forest model. In the early days of Windows 2000, the most common recommendation was for a so-called “empty forest root” model, in which the forest root domain contains only built-in objects, and all manually created objects reside in one or more child domains. Whatever the design decision reached by your organization, it is a good practice to avoid installing additional domains unless you have a specific reason for them, as each additional domain in a forest incurs additional administrative overhead in the form of managing additional DCs and replication traffic. Some of the more common reasons to create additional domains include:
■ Groups of users with different security policy requirements, such as strong authentication and strict access controls.
■ Groups of users requiring additional autonomy, or administrative separation for security reasons.
■ A requirement for decentralized administration due to political, budgetary, time zone, or policy pressures.
■ A requirement for unique namespaces.
■ Controlling excessive directory replication traffic by breaking the domain into smaller, more manageable pieces. This often occurs in an extremely large domain, or due to a combination of geographical separation and unreliable WAN links.
■ Maintaining a preexisting NT domain structure.
You can think of a domain tree as a DNS namespace composed of one or more domains. If you plan to create a forest with discontiguous namespaces, you must create more than one tree. Referring back to Figure 4.1, you see two trees in that forest, Cats.com and Dogs.com. Each has a contiguous namespace because each domain in the hierarchy is directly related to the domains above and below it in each tree. The forest has a discontiguous namespace because it contains two unrelated top-level domains.
The primary Active Directory partitions, also called naming contexts, are replicated among all DCs within a domain. These three partitions are the schema partition, the configuration partition, and the domain partition.
■ The schema partition contains the classSchema and the attributeSchema objects that make up the directory schema. These classes and attributes define all possible types of objects and object properties within the forest. Every DC in the entire forest has a replica of the schema partition.
■ The configuration partition, replicated identically on all DCs throughout the forest, contains Active Directory’s replication topology and other configuration data.
■ The domain partition contains the local domain objects, such as computers, users, and groups, which all share the same security policies and security relationships with other domains. If multiple DCs exist within a domain, they contain a replica of the same domain partition. If multiple domains exist within a forest, each domain contains a unique domain partition.
Because each domain contains unique principals and resources, there must be some way for other domains to locate them. Active Directory contains objects that adhere to a naming convention called the DN, or distinguished name. The DN contains enough detail to locate a replica of the partition that holds the object in question. Unfortunately, most users and applications do not know the DN, or what partition might contain it. To fulfill that role, Active Directory uses the Global Catalog (GC), which can locate DNs based on one or more specific attributes of the needed object. (We will discuss the GC later in this chapter.)
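The following PowerShell function is an added example, not code from the book, that makes the relationship between a DN and the three partitions concrete: it parses a DN (honoring RFC 4514 escaped commas), derives the domain naming context and DNS domain name from the DC= components, and reports whether the object lives in the schema, configuration, or domain partition and therefore which DCs hold a replica of it. The sample DNs are constructed from the Cats.com and Dogs.com forest of Figure 4.1; it needs no connection to a DC.

```powershell
# Added example, not from the book: work out which naming context holds an object
# from its distinguished name, and therefore which DCs carry a replica of it.
function Get-ADPartitionFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split on commas that are not escaped with a backslash, so an RDN such as
    # "CN=Smith\, John" is kept whole (RFC 4514 escaping).
    $rdns = @([regex]::Split($DistinguishedName, '(?<!\\),') | ForEach-Object { $_.Trim() })

    # The DC= components name the domain; every Active Directory DN ends with them.
    $dcParts = @($rdns | Where-Object { $_ -like 'DC=*' })
    $nonDc   = @($rdns | Where-Object { $_ -notlike 'DC=*' })
    if ($dcParts.Count -eq 0) { throw "'$DistinguishedName' has no DC= components" }
    $domainNC = $dcParts -join ','
    $dnsName  = ($dcParts | ForEach-Object { $_.Substring(3) }) -join '.'

    # Schema and configuration objects sit directly under CN=Configuration of the
    # forest root domain and are replicated to every DC in the forest. Anything else
    # is in the domain partition: full copy on that domain's DCs, partial copy on GCs.
    if ($nonDc.Count -ge 2 -and $nonDc[-1] -eq 'CN=Configuration' -and $nonDc[-2] -eq 'CN=Schema') {
        $partition   = 'Schema'
        $partitionDN = "CN=Schema,CN=Configuration,$domainNC"
        $replicas    = 'every DC in the forest'
    } elseif ($nonDc.Count -ge 1 -and $nonDc[-1] -eq 'CN=Configuration') {
        $partition   = 'Configuration'
        $partitionDN = "CN=Configuration,$domainNC"
        $replicas    = 'every DC in the forest'
    } else {
        $partition   = 'Domain'
        $partitionDN = $domainNC
        $replicas    = "every DC in $dnsName (full copy); every GC server (partial copy)"
    }

    [pscustomobject]@{
        ObjectRDN     = $rdns[0]
        Partition     = $partition
        PartitionDN   = $partitionDN
        DnsDomainName = $dnsName
        ReplicatedTo  = $replicas
    }
}

# Constructed sample DNs using the Cats.com / Dogs.com forest of Figure 4.1.
@(
    'CN=Brian,OU=Sales,DC=cats,DC=com',
    'CN=Smith\, John,OU=Kennel,DC=dogs,DC=com',
    'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cats,DC=com',
    'CN=User,CN=Schema,CN=Configuration,DC=cats,DC=com'
) | ForEach-Object { Get-ADPartitionFromDN -DistinguishedName $_ } | Format-Table -AutoSize
```

The escaped comma in the second sample DN is the case a naive `-split ','` gets wrong; any tool that derives a user's home domain from a DN (as a GC-based UPN lookup must) needs the same care.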
Forest and Domain Functional Levels
Forest functional levels and domain functional levels are a mechanism that Microsoft uses to support backward compatibility with previous versions of Active Directory, and to expose more advanced functionality as functional levels are raised. Functional levels are a feature that helps improve performance and security. In Windows 2000, each domain had two functional levels (which were called “modes”), native mode and mixed mode, and the forest had only one functional level. Windows Server 2003 introduced two more functional levels to consider in both domains and forests. Windows Server 2008 drops support for two legacy functional levels that were designed to support Windows NT Backup Domain Controllers, and adds another forest and domain functional level to support pure Windows Server 2008 environments. To enable the Windows Server 2008 forest and domain-wide features, all DCs must be running Windows Server 2008 and the functional levels must be set to Windows Server 2008. Table 4.1 summarizes the levels, DCs supported in each level, and each level’s primary purpose.

Table 4.1 Domain and Forest Functional Levels

Type              Functional Level      Supported DCs      Purpose
----------------  --------------------  -----------------  --------------------------------------------------------------
Domain (default)  Windows 2000          2000, 2003, 2008   Supports upgrades from 2000 to 2008; no support for NT backup domain controllers (BDCs).
Domain            Windows Server 2003   2003, 2008         Supports upgrades from 2003 to 2008; all Windows Server 2003 domain-wide Active Directory features are enabled.
Domain            Windows Server 2008   2008               Provides support for all features of Windows Server 2008 Active Directory.
Forest (default)  Windows 2000          2000, 2003, 2008   Supports mixed environments during upgrade; lower security, high compatibility.
Forest            Windows Server 2003   2003, 2008         Supports upgrades from 2003 to 2008; all Windows Server 2008 Active Directory features are enabled.
Forest            Windows Server 2008   2008               Provides support for all features of Windows Server 2008 Active Directory.
Using Domain Functional Levels
Active Directory technology debuted with Windows 2000. Now, with Windows Server 2008, it has been refined and enhanced. Active Directory is now easier to deploy, is more efficient at replication, has improved administration, and offers a better end-user experience. Some features are enabled right away, whereas others require a complete migration of DCs to the new release before they become available. There are countless new features, the most significant of which we will discuss next.
Using the Windows 2000 Domain Functional Level
The Windows 2000 domain functional level is the default domain functional level in Windows Server 2008, and is primarily intended to support an upgrade from Windows 2000 to Windows Server 2008. This domain functional level offers full compatibility with all down-level operating systems for Active Directory DCs, and is characterized by the following features. Microsoft Windows NT 4.0 DCs are not supported. The following Active Directory features are supported in this mode:
■ Universal Security Groups
■ Group nesting
■ Converting groups between distribution and security groups
■ SIDHistory
The following Active Directory features are not supported in this mode:
■ DC rename
■ Logon timestamp attribute updated and replicated
■ User password support on the InetOrgPerson objectClass
■ Constrained delegation
■ Users and Computers container redirection
■ Can be raised to the Windows Server 2003 or Windows Server 2008 domain functional level
Windows Server 2003 Domain Functional Level
The Windows Server 2003 domain functional level supports both Windows Server 2003 and Windows Server 2008 DCs. This level does not allow for the presence of Windows NT or Windows 2000 DCs, and is designed to support an upgrade from 2003 to 2008. All 2003 Active Directory domain features are enabled at this level, providing a good balance between security and backward compatibility. DCs not supported at this level:
■ Windows NT 4.0 DCs
■ Windows 2000 DCs
The following Active Directory domain-wide functions are supported at both this level and the Windows 2000 domain functional level:
■ Universal Security Groups
■ Group nesting
■ Converting groups between distribution and security groups
■ SIDHistory
The following upgraded Active Directory domain-wide functionality is supported at this domain functional level:
■ DC rename
■ Logon timestamp attribute updated and replicated
■ User password support on the InetOrgPerson objectClass
■ Constrained delegation
■ Users and Computers container redirection
■ Can be raised to the Windows Server 2008 domain functional level
■ Can never be lowered to the Windows 2000 domain functional level
In the Windows Server 2003 domain functional level, only Windows Server 2003 and Windows Server 2008 DCs can exist.
Windows Server 2008 Domain Functional Level
The Windows Server 2008 domain functional level supports only Windows Server 2008 DCs. This level does not allow for the presence of Windows NT, Windows 2000, or Windows Server 2003 DCs, and is designed to support the most advanced Active Directory feature set possible. All 2008 Active Directory domain features are enabled at this level, providing the highest level of security and functionality and the lowest level of backward compatibility. The following Windows Server 2008 domain-wide functions are supported only at this level:
■ Distributed File System (DFS) replication support for the Windows Server 2008 System Volume (SYSVOL) share, providing more robust and fault-tolerant replication of SYSVOL and its contents
■ Advanced Encryption Standard (AES 128 and AES 256) encryption support for the Kerberos protocol
■ Logging of Last Interactive Logon Information, including:
  ■ The time of the last successful interactive logon for a user
  ■ The name of the workstation from which the user logged on
  ■ The number of failed logon attempts since the last logon
■ Fine-grained password policies, which allow you to specify password and account lockout policies for individual users and groups within an Active Directory domain
■ Cannot be raised to any higher domain functional level, because no higher level exists at this time
■ Can never be lowered to the Windows 2000 or Windows Server 2003 domain functional level
In the Windows Server 2008 domain functional level, only Windows Server 2008 DCs can exist.
Configuring Forest Functional Levels
The Windows Server 2008 forest functional levels are named similarly to the domain functional levels, and serve a similar purpose. Table 4.1 summarizes the levels, the DCs supported in each level, and each level’s primary purpose. As with domain functional levels, each forest functional level carries over the features from lower levels, and activates new features as well. These new features apply across every domain in your forest. After you raise the forest functional level, earlier OSs cannot be promoted to DCs. For example, Windows NT 4.0 BDCs are not supported by any forest functional level, and Windows 2000 DCs cannot be part of the forest except through external or forest trusts once the forest level has been raised to Windows Server 2003.
Windows 2000 Forest Functional Level (default)
The Windows 2000 forest functional level is primarily designed to support mixed environments during the course of an upgrade. Typically, this applies to a transition from Windows 2000 to Windows Server 2003 or Windows Server 2008. It is also the default mode for a newly created Windows Server 2008 domain. It is characterized by relatively lower-security features and reduced efficiency, but maintains the highest compatibility level possible for Active Directory. In the Windows 2000 forest functional level:
■ Windows 2000, Windows Server 2003, and Windows Server 2008 DCs are supported
■ Windows NT 4.0 BDCs are not supported
A Windows Server 2008 forest at the Windows 2000 forest functional level can be raised to either the Windows 2003 or the Windows Server 2008 forest functional level.
Windows Server 2003 Forest Functional Level
The Windows Server 2003 forest functional level enables a number of forest-wide features that were not available at the Windows 2000 forest functional level, and is designed to allow for a 2003 to 2008 upgrade process. This level does not allow for the presence of Windows NT or Windows 2000 DCs anywhere in the forest. All Windows Server 2003 Active Directory forest features are enabled at this level.
DCs not supported at this level:
■ Windows NT 4.0 DCs
■ Windows 2000 DCs
All new Active Directory forest features are supported at this level. The following forest-wide improvements are available at this forest functional level:
■ Efficient group member replication using linked value replication
■ Attributes added to the GC, such as ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, and Print-Rate-Unit
■ Defunct schema objects
■ Cross-forest trust
■ Domain rename
■ Dynamic auxiliary classes
■ InetOrgPerson objectClass change
■ Application groups
■ Reduced NTDS.DIT size
■ Improvements in intersite replication topology management
■ Can be raised to the Windows Server 2008 forest functional level
■ Cannot be downgraded to the Windows 2000 forest functional level without performing a full forest recovery
In the Windows Server 2003 forest functional level, both Windows Server 2003 and Windows Server 2008 DCs can exist.
Windows Server 2008 Forest Functional Level
The Windows Server 2008 forest functional level is the highest forest functional level available in Windows Server 2008, and supports only Windows Server 2008 DCs in each domain within a forest. At present, this forest functional level does not expose any new functionality over and above the 2003 forest functional level. The primary advantage of the 2008 forest functional level at present is that, once you have raised the functional level to 2008, any domains that are subsequently added to the forest will be automatically created at the Windows Server 2008 domain functional level.
Raising Forest and Domain Functional Levels
Before increasing a functional level, you should prepare for it by performing the following steps:
1. Inventory your domain or forest for DCs that are running any earlier versions of the Windows Server operating system.
2. Physically locate any down-level DCs in the domain or forest as needed, and either upgrade or remove them.
3. Verify that end-to-end replication is working in the forest using repadmin.exe and/or dcdiag.exe.
4. Verify the compatibility of your applications and services with the version of Windows that your DCs will be running, and specifically their compatibility with the target functional level. Use a lab environment to test for compatibility issues, and contact the appropriate vendors for compatibility information.
When you are considering raising the domain functionality level, remember that the new features will directly affect only the domain being raised. The two domain functional levels available to raise are:
■ Windows Server 2003
■ Windows Server 2008
Once the functional level of a particular domain has been raised, no prior version DCs can be added to the domain. In the case of the Windows Server 2003 domain functional level, no Windows 2000 servers can be promoted to DC status after the functionality has been raised. In the case of the Windows Server 2008 domain functional level, no Windows Server 2003 DCs can be added to the domain after the functional level has been raised to Windows Server 2008.
Raising the Domain Functional Level
Before raising the functional level of a domain, all DCs must be upgraded to the minimum OS level as shown in Table 4.1. Remember that when you raise the domain functional level to Windows Server 2003 or Windows Server 2008, it can never be changed back to a previous domain functional level. Exercise 4.1 takes you systematically through the process of verifying the current domain functional level. Exercise 4.2 takes you through the process of raising the domain functional level. To raise the domain functional level, you must be a Domain Admin in the domain in question.
EXERCISE 4.1 VERIFYING THE DOMAIN FUNCTIONAL LEVEL
1. Log on as a Domain Admin of the domain you are checking.
2. Click on Start | Control Panel | Performance and Maintenance | Administrative Tools | Active Directory Users and Computers, or use the Microsoft Management Console (MMC) preconfigured with the Active Directory Users and Computers snap-in.
3. Locate the domain in the console tree that you are going to raise in functional level. Right-click the domain and select Raise Domain Functional Level.
4. In the Raise Domain Functional Level dialog box, the current domain functional level appears under Current domain functional level.
EXERCISE 4.2 RAISING THE DOMAIN FUNCTIONAL LEVEL
1. Log on locally as a Domain Admin to the PDC or the PDC Emulator FSMO of the domain you are raising.
2. Click on Start | Administrative Tools | Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domain and Trusts snap-in.
3. Locate the domain in the console tree that you are going to raise in functional level. Right-click the domain and select Raise Domain Functional Level.
4. A dialog box will appear titled Select an available domain functional level. There are only two possible choices, although both might not be available:
■ Select Windows Server 2003, and then click the Raise button to raise the domain functional level to Windows Server 2003.
■ Select Windows Server 2008, and then click the Raise button to raise the domain functional level to Windows Server 2008.
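The preparation steps and Exercises 4.1 and 4.2 can be driven from a script that refuses to raise the level while a down-level DC remains. The following is an added example, not the book's own procedure; it assumes the ActiveDirectory PowerShell module, which shipped with Windows Server 2008 R2 and later RSAT (the book's Windows Server 2008 release predates it, where the MMC exercises and dsquery apply instead). It inventories every DC with its OS (step 1), flags any that block the Windows Server 2008 domain level per Table 4.1 (step 2), runs the replication checks from step 3, and previews the irreversible raise with -WhatIf against the PDC Emulator.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT or later); run as a Domain Admin.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain {0}: current domain functional level = {1}" -f $domain.DNSRoot, $domain.DomainMode
"Forest {0}: current forest functional level = {1}" -f $forest.Name, $forest.ForestMode

# Step 1: inventory every DC in the domain with its operating system.
$dcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
       Select-Object Name, Site, IsGlobalCatalog, OperatingSystem, OperatingSystemVersion
$dcs | Format-Table -AutoSize

# Table 4.1: the Windows Server 2008 domain level needs every DC on Windows Server 2008,
# i.e. OS version 6.0 or later. OperatingSystemVersion is a string like "6.0 (6002)".
# A DC with no version recorded is treated as blocking, because it cannot be verified.
function Get-DCsBlockingLevel {
    param($DomainControllers, [version]$MinimumOSVersion = '6.0')
    $DomainControllers | Where-Object {
        (-not $_.OperatingSystemVersion) -or
        ([version](($_.OperatingSystemVersion -split ' ')[0]) -lt $MinimumOSVersion)
    }
}
$blocking = @(Get-DCsBlockingLevel -DomainControllers $dcs)

if ($blocking.Count -gt 0) {
    # Step 2: these DCs must be upgraded or demoted before the level can be raised.
    "DCs that block raising to Windows Server 2008:"
    $blocking | Format-Table Name, Site, OperatingSystem -AutoSize
} else {
    # Step 3: confirm end-to-end replication is healthy before changing the level.
    repadmin /replsummary
    dcdiag /test:replications

    # Step 4 (application compatibility) is lab testing and cannot be scripted here.

    # Exercise 4.2 equivalent, run against the PDC Emulator. The change can never be
    # undone, so preview with -WhatIf and drop it only when you are sure.
    Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2008Domain `
                     -Server $domain.PDCEmulator -WhatIf

    # The forest level can follow once every domain in $forest.Domains is at 2008:
    # Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008Forest `
    #                  -Server $forest.DomainNamingMaster -WhatIf
}
```

Run it on each domain before touching the forest level; the forest raise in the comment is gated on every domain already being at the Windows Server 2008 domain level, which is the same dependency the MMC enforces by greying out the option.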
Understanding the Global Catalog
Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects in the forest, to let users search for directory information across all the domains in the forest. The GC is also used to resolve user principal names (UPNs) when the DC that is authenticating logon isn’t aware of the account (because that account resides in a different domain). When the DC can’t find the user’s account in its own domain database, it then looks in the GC. The GC also stores information about membership in Universal Groups. The GC contains a portion of every naming context in the directory, including the schema and configuration partitions. To be able to find everything, the GC must contain a replica of every object in the Active Directory. Fortunately, it maintains only a small number of attributes for each object. These attributes are those most commonly used to search for objects, such as a user’s first, last, and logon names. The GC extends an umbrella of awareness throughout the discontiguous namespace of the enterprise. Although the GC can be modified and optimized, it typically requires infrequent attention. The Active Directory replication system automatically builds and maintains the GC, generates its replication topology, and determines which attributes to include in its index. The GC is a vital part of Active Directory functionality. Given the size of enterprise-level organizations, on many networks, there will be multiple domains and, at times, multiple forests. The GC helps in keeping a list of every object without holding all the details of those objects; this optimizes network traffic while still providing maximum accessibility.
NOTE The first DC in a domain becomes the GC server by default.
Whenever a user is searching for an object in the directory, the GC server is used in the querying process for multiple reasons. The GC server holds partial replicas of all the domains in a forest, other than its own (for which it holds a full replica). Thus, the GC server stores the following:
■ Copies of all the objects in the domain in which it resides
■ Partial copies of objects from other domains in the forest
NOTE When we say that the GC server holds a partial copy of an object, we mean that it includes only some of the object’s attributes in its database. Attributes are object properties, and each object has a number of attributes. For example, one attribute of a User Account object would be the username. You can customize the attributes of a particular object type by editing the schema, which we will discuss later in this chapter.
The key point is that the GC is designed to have the details that are most commonly used for searching for information. This allows for efficient response from a GC server. There is no need to try to find one item out of millions of attributes, because the GC has the important search-related items only. This makes for quick turnaround on queries.
The scope of Directory Services has changed from the days of Windows NT 4.0 Directory Services. With Active Directory, a user record holds more than just a username for an individual. The person’s telephone number, e-mail address, office location, and so forth can be stored in Active Directory. With this type of information available, users will search the directory on a regular basis. This is especially true when Microsoft Exchange is in the environment. Whether a person is looking for details on another user, looking for a printer, or simply trying to locate another resource, the GC will be involved in the final resolution of the object. As mentioned previously, the GC server holds a copy of every object in its own domain and a partial copy of objects in other domains in the forest. Therefore, users can search outside their own domains as well as within, something that could not be done with the old Windows NT Directory Services model.
UPN Authentication
The UPN is meant to make logon and e-mail usage easier, because the two (your user account and your e-mail address) are the same. An example of a UPN is Brian@syngress.com. The GC provides assistance when a user from a domain logs on and the DC doesn’t know about the account. When the DC doesn’t know the account, it generally means that the account exists in another domain. The GC will help in finding the user’s account in Active Directory. The GC server will help to resolve the user account so that the authenticating DC can finalize logon for the user.
EXAM WARNING With Windows Server 2008 and beyond, you will see more and more references to UPN use in single or multiple domain environments. Be sure to understand how the UPN works in relation to logon, and how the GC keeps this information available efficiently.
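To see the UPN resolution described above from the client side, the following added example (not code from the book) locates a GC the way the DC locator does, lists the _gc._tcp SRV records that advertise GC servers, and then searches the forest-wide catalog on port 3268 for a UPN, returning the DN and the home domain whose DC must finish the logon. It uses System.DirectoryServices, which is present on Windows Server 2008; Resolve-DnsName is an assumption (it exists on Windows Server 2012 and later, with nslookup as the older equivalent). The UPN value is escaped before it is placed in the LDAP filter so that input typed at a prompt cannot alter the query.

```powershell
# Added example, not from the book: find a GC via the locator and resolve a UPN
# against the forest-wide catalog on port 3268.
Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Every GC server registers _gc._tcp.<forest root> in DNS; clients query this
# (and the per-site records under _sites.gc._msdcs) before connecting to port 3268.
# Resolve-DnsName is a Windows Server 2012+ cmdlet (assumption); on Windows Server 2008
# use: nslookup -type=SRV _gc._tcp.<forest root>
Resolve-DnsName -Name "_gc._tcp.$($forest.Name)" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Format-Table NameTarget, Port, Priority, Weight -AutoSize

# Let the locator pick the closest GC for this client's site.
$gc = $forest.FindGlobalCatalog()
"Using GC server $($gc.Name)"

# Escape a caller-supplied value for use inside an LDAP filter (RFC 4515), so a UPN
# containing ( ) * or \ cannot change the meaning of the query.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-UserByUPN {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$GcServer = $gc.Name
    )
    # GC:// binds to port 3268 and searches the partial replicas of every domain in the
    # forest, which is why the UPN is found even when the account lives in another domain.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$GcServer")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(userPrincipalName=$(ConvertTo-LdapFilterValue $UserPrincipalName)))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'userPrincipalName'))

    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    $dn = [string]$hit.Properties['distinguishedname'][0]
    [pscustomobject]@{
        UserPrincipalName = [string]$hit.Properties['userprincipalname'][0]
        SamAccountName    = [string]$hit.Properties['samaccountname'][0]
        DistinguishedName = $dn
        # The DC= tail of the DN names the domain whose DC holds the full account
        # and completes authentication after the GC has located it.
        HomeDomain        = (($dn -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' } |
                              ForEach-Object { $_.Substring(3) }) -join '.')
    }
}

# The book's sample UPN; returns $null if no such account exists in the forest.
Find-UserByUPN -UserPrincipalName 'brian@syngress.com'
```

Only the attributes in the GC's partial attribute set can be read through this GC:// binding; to read anything else you rebind to a DC of the HomeDomain on port 389, which is exactly the two-step path the authenticating DC follows.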
Directory Information Search
With Active Directory, users have the ability to search for objects such as other users or printers. To help a user who is searching the database for an object, the GC answers requests for the entire forest. Because the complete copy of every object available is listed in the GC, searches can be completed quickly and with little use of network bandwidth.
When you search the entire directory, the request is directed to the default GC port 3268. The GC server is also known to other computers on the network because of SRV records in the DNS. That is how a node on the network can query for a GC server. There are SRV records specifically for GC services. These records are created when you create the domain. When users search for information in Active Directory, their queries can cross WAN links, depending on the network layout. Each organization is different. Figure 4.2 shows an example layout with GC servers in the corporate office in Chicago and a branch office in Seattle. The other two sites do not have GC servers. When queries are initiated at the Chicago branch office, the queries use the corporate office GC server. With a high-speed fiber connection, bandwidth isn’t an issue.
Figure 4.2 Example GC Search Query
[Diagram: the Chicago Corporate Headquarters (Global Catalog Server) is linked by a fiber connection to a Branch Office of 25 users, by a T1 to the Seattle Branch Office of 100 users (Global Catalog Server), and by a 56K Frame link to the New York Branch Office of fewer than 10 users.]
The branch office in New York has a slow link but less than 10 users. These users will use the GC in Chicago as well. Even though the pipe between these locations is only 56K, the minimal number of users doesn’t warrant having a GC server in New York. The Seattle office has a T1, which is decent connectivity, but there are more than 100 users in this location. Considering that, searches will be more efficient with a GC server locally. We will look at sites later in the chapter, but Figure 4.2 will help you get a basic understanding of how the query process works.
EXAM WARNING Be prepared to see diagrams similar to Figure 4.2 that show network layouts and the various GC servers you have on your network. Part of being a successful network administrator is being able to determine whether the design is good. Because many Active Directory-integrated applications, such as Microsoft Exchange, need access to a GC for authentication, GCs should be placed in sites that support these applications, as well as sites that are connected over lower-speed WAN links.
Universal Group Membership Information
When setting up your network, certain features will be available based on the forest functional level and domain functional level. Universal Groups is one of these features that will or will not be available depending on your functional level. If your domain functional level is set to at least Windows 2000 Native or later, you will have Universal Groups available on your network. Universal Groups can have members belonging to various domains in the forest. Without a GC server, Universal Groups could not exist. That is because Universal Group membership is stored in the GC only. This means that not every DC will have a copy of Universal Group membership; only the DCs serving as GC servers have this information. When a user logs on, his Universal Group membership is checked. The GC provides this information to the authenticating DC. Universal Group membership information is stored in all GC servers, so you need to consider the design of your GC server layout when adding to or changing the GC server configuration. The number of users at a location will help to determine when you need a GC server. A large number of queries of the GC information over slow links isn’t recommended; placing a GC at each site is a better design. At sites with a small number of users, you can get away with not having a GC server at each site. We discuss this in more detail later in this chapter, in the section “Placing GC Servers within Sites.”
Understanding GC Replication
You know now that GC servers hold information for all of the objects in their own domains and a partial copy of the objects from other domains in the forest. For this to be possible, some type of replication has to happen between the GC servers. The default attributes included in the GC make up the most commonly searched for items. These items are part of normal Active Directory replication. The Knowledge Consistency Checker (KCC) generates the GC replication topology. The GC is only replicated between DCs that are GC servers; the information is not replicated to other DCs. A few things can affect replication; for example, Universal Group membership, and the number of attributes included in the GC.
Universal Group Membership
The GC holds the sole responsibility of maintaining Universal Group membership. The names of the Global Groups and Domain Local Groups are also in the GC, but their membership lists are not. This helps to keep the size of the database small enough to efficiently answer queries. For replication purposes, it is best to keep Universal Group membership relatively static. Every change made to a Universal Group is replicated to every GC server. Keeping these changes to a minimum will keep the GC replication traffic to a minimum.
TEST DAY TIP Universal Groups can exist only if the functional level of your network is Windows 2000 native or later. Universal Group information is replicated between GC servers. Replication traffic can consume bandwidth, which is why site topology is important; putting a GC at each site keeps replication traffic to a minimum.
Attributes in the Global Catalog
When you first set up Active Directory, a series of default attributes from Active Directory are in the GC. Sometimes the default set of attributes is missing an item you would like to see. For example, perhaps you want to have a coworker’s department number as part of his user record; you can accomplish this by adding an attribute. You can use the Active Directory Schema snap-in to include additional attributes in the GC by placing a checkmark next to the Index this attribute checkbox, as shown in Figure 4.3. To get to this option, open the Schema snap-in, and expand the Attributes section. Right-click any attribute, and select Properties.
Figure 4.3 Adding Attributes to the GC
Prior to Windows Server 2003, each time the GC attribute set was extended, a full synchronization of all attributes stored in the GC was completed. In a large network, this often caused a serious amount of network traffic. With Windows Server 2003 and Windows Server 2008, only the additional attribute or attributes are replicated to other GC servers. This makes for more efficient use of network bandwidth.
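What the Schema snap-in sets when an attribute is added to the GC is the attributeSchema object's isMemberOfPartialAttributeSet flag; the checkbox for that in the attribute's Properties dialog is labelled Replicate this attribute to the Global Catalog, whereas Index this attribute sets bit 1 of searchFlags, which speeds LDAP searches but does not add the attribute to the GC. The following added example (not the book's code) lists the attributes currently in the partial attribute set together with their indexed state, checks the department attribute from the paragraph above, and previews adding it. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later) and Schema Admins membership.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT or later) and, for the final step, Schema Admins.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# isMemberOfPartialAttributeSet=TRUE is exactly the set of attributes every GC server
# holds for every object in the forest. searchFlags bit 1 is the separate index setting.
function Get-GCAttributeSet {
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName, searchFlags |
    Select-Object lDAPDisplayName,
                  @{ Name = 'Indexed'; Expression = { ($_.searchFlags -band 1) -ne 0 } } |
    Sort-Object lDAPDisplayName
}

$inGC = @(Get-GCAttributeSet)
"{0} attributes are replicated to the GC" -f $inGC.Count
$inGC | Format-Table -AutoSize

# Is "department" one of them? Look the attributeSchema object up by LDAP display name.
$dept = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
                     -LDAPFilter '(lDAPDisplayName=department)' `
                     -Properties isMemberOfPartialAttributeSet, searchFlags
"department: inGC={0} indexed={1}" -f @([bool]$dept.isMemberOfPartialAttributeSet,
                                        (($dept.searchFlags -band 1) -ne 0))

# Adding it to the GC is a schema change made on the Schema Master. Since Windows
# Server 2003 only the new attribute is replicated to the other GC servers, not a
# full resync of the GC. -WhatIf previews the change; remove it to apply.
Set-ADObject -Identity $dept.DistinguishedName `
             -Replace @{ isMemberOfPartialAttributeSet = $true } `
             -Server (Get-ADForest).SchemaMaster -WhatIf
```

Keep the partial attribute set small and deliberate: everything in it is copied to every GC server in the forest, and it is readable through port 3268 by anyone who can query the catalog, so an attribute with sensitive content should not be added just to make it searchable.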
Placing GC Servers within Sites
Another consideration when it comes to replication is placement of your GC servers. In a small network with one physical location, GC server placement is easy. Your first DC that is configured will hold the GC role. If you have one site, but more than one DC, you can move the role to another DC if you want to or configure additional DCs as GCs. Most networks today consist of multiple physical locations, whether in the same city or across the country. If you have high-speed links connecting your branch offices you might be okay, but many branch office links use limited bandwidth connections. If the connection between locations is less than a T1, you might have limited bandwidth depending on what traffic is crossing the wire. As a network administrator, you will have to work with your provider to gauge how much utilization there is across your WAN links. Another factor is reliability. If your WAN links are unreliable, replication traffic and synchronization traffic might not successfully cross the link. The less reliable the link, the more the need for setting up sites and site links between the locations. Without proper planning, replication traffic can cause problems in a large network. Sites help to control replication traffic. Making the most of available bandwidth is an important factor in having a network that allows your users to be productive. Logon and searching Active Directory are both affected by GC server placement. If users cannot find the information they need from Active Directory, they might not be able to log on or find the information or data they need.
Configuring & Implementing… GC in an Exchange Server Environment
Now that Active Directory is the single directory used in Windows 2000, Windows Server 2003, and Windows Server 2008 networks, there is very tight integration with Microsoft Exchange. Prior to Exchange 2000, Exchange had its own directory and the domain had its own directory service. There were links between the two, but they were still technically separate directories. Because all user information (first name, last name, and contact information) is kept in Active Directory, users will be searching more and more throughout the directory. In previous versions of Exchange, there was a Global Address List that you could search to locate people within your organization. Information such as telephone numbers, fax numbers, and office locations can be part of your GC strategy with Windows Server 2003. It is important for administrators to ensure that users can reach the data for which they are searching as quickly and easily as possible. Proper planning and location of your GC information is important to successful queries of your directory information.
Bandwidth and Network Traffic Considerations Active Directory replication works differently depending on whether it is intersite or intrasite replication. DCs that are part of the same site (intrasite) replicate with one another more often than DCs in different sites (intersite). If you have sites that are geographically dispersed, you need to be careful how you handle your GC server placement. The bandwidth between geographically dispersed offices is often minimal. The rule of thumb is to have GC servers in selected sites. In most cases, you do not want to have a GC server in every site because of the vast amount of replication that would occur. The following examples describe situations in which you should have a GC server within a site:
■ If you have a slow WAN link between geographic locations. If you have a DC at each location, a good rule is to also have a GC server at each location. If the WAN link supports traffic for normal DC traffic, it should also handle GC traffic.
■ If you have an application that relies heavily on GC queries across port 3268, you’ll want to have a GC server in the site in which the application runs. An example of this is Exchange 2000, which relies heavily on GC information.
■ You’ll want to have GCs in as many sites as possible to support Universal Group membership authentication. We look at caching of Universal Groups, which can reduce traffic related to this, in the next section.
TEST DAY TIP Microsoft’s documentation recommends that if you have 50 or more users at a given location, you should give that location a DC serving as a GC server. This will help to reduce the number of queries crossing the WAN for Active Directory object searches.
Data replicated between sites is compressed, which makes better use of available bandwidth. Because the data is compressed, more can be sent over a limited amount of bandwidth. This is how site placement and design can be critical to efficient network operation.
Universal Group Membership Caching The Windows Server 2003 Active Directory introduced Universal Group caching as a new feature, and this feature is also available in Windows Server 2008. When a user logs on to the network, his membership in Universal Groups is verified. For this to happen, the authenticating DC has to query the GC. If the GC is across a WAN link, the logon process will be slow every time. To alleviate this, the DC that queries the GC can cache this information, which cuts down on the amount of data traveling across the WAN link for Universal Group information. The cache is loaded at the first user logon. Every eight hours by default, the DC will refresh the cache from the nearest GC server. Caching functionality is administered in Active Directory Sites and Services as shown in Figure 4.4, and can be turned off if desired. You can also designate the GC server from which you want the cache to refresh, giving you more control over traffic distribution on the network.
NOTE The NTDS Site Settings Properties box is not the same NTDS Settings Properties box you accessed to make a DC act as a GC. Instead of accessing the properties of NTDS settings under the DC node in the Servers container, you must access the properties of NTDS Site Settings in the right console pane when you select a site name (e.g., Default-FirstSite-Name). The similarity of these two settings can be confusing if you haven’t worked with the console much.
Figure 4.4 Configuring Universal Group Caching
Prior to Windows Server 2003, Active Directory logon would immediately fail if a GC could not be located to check Universal Group membership. With Universal Group caching in Windows Server 2003 and Windows Server 2008, DCs cache complete group membership information, so even if a GC server cannot be reached, logon will still happen based on cached Universal Group information.
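The GC placement and Universal Group caching rules above can be checked from the directory itself. The following is an added example, not code from the book: it lists, per site, the DCs, which of them are GCs, and whether Universal Group Membership Caching is enabled, and flags sites that have DCs but neither a GC nor caching. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later) and read access to the configuration partition; the 0x20 flag on the NTDS Site Settings options attribute is the caching bit.

```powershell
# Added example (not the book's own code): per-site GC / UGMC inventory.
# Assumes the ActiveDirectory module (Server 2008 R2 or later RSAT) and
# read access to the configuration partition of the forest.
Import-Module ActiveDirectory

# In the "options" attribute of a site's NTDS Site Settings object, bit 0x20
# (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) means Universal Group
# Membership Caching is turned on for that site.
$UgmcFlag = 0x20
$configNC = (Get-ADRootDSE).configurationNamingContext

# Get-ADDomainController is domain-scoped, so collect the DCs of every
# domain in the forest before grouping them by site.
$allDcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$sites = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(objectClass=site)"

foreach ($site in $sites) {
    # NTDS Site Settings sits directly under each site object (this is the
    # object whose properties the text refers to, not the NTDS Settings of a DC).
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options
    $ugmcOn   = (([int]$settings.options) -band $UgmcFlag) -ne 0

    $dcsHere = @($allDcs | Where-Object { $_.Site -eq $site.Name })
    $gcsHere = @($dcsHere | Where-Object { $_.IsGlobalCatalog })

    # Rule of thumb from the text: a site with DCs but no GC needs caching,
    # otherwise every Universal Group lookup at logon crosses the WAN.
    $verdict = if ($dcsHere.Count -eq 0)   { 'no DCs (subnet-only site)' }
               elseif ($gcsHere.Count -gt 0) { 'OK: GC present in site' }
               elseif ($ugmcOn)              { 'OK: no GC, but UGMC enabled' }
               else                          { 'REVIEW: DCs but no GC and UGMC off' }

    [pscustomobject]@{
        Site   = $site.Name
        DCs    = $dcsHere.Count
        GCs    = ($gcsHere | ForEach-Object { $_.HostName }) -join ', '
        UGMC   = $ugmcOn
        Result = $verdict
    }
}
```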
Working with Flexible Single Master Operation (FSMO) Roles In Windows NT 4.0, the domain had only one authoritative source for domain-related information, the primary domain controller or PDC. With the implementation of Active Directory came the multimaster replication model, where objects and their properties can be modified on any DC and become authoritative through replication conflict resolution measures. This scalability effort came with a price in complexity, however, and Active Directory FSMO roles were introduced to control certain domain and forest-wide operations that are not well suited for a multimaster environment. Some operations such as modifying the Active Directory schema or adding or removing a domain or domain tree are sufficiently critical or sensitive that their functions need to reside on a single DC within the domain or forest. The advantage of using FSMOs is that conflicts cannot be introduced while a particular Operations Master is offline; the alternative would involve resolving conflicts later, possibly to significantly negative result. The disadvantage is that all Operations Masters must be available at all times to support all dependent activities within the domain or forest. Windows Server 2008 Active Directory requires five operational master roles:
■ Schema Master To update the schema of a forest, you must have access to the Schema Master DC, which controls all schema updates and modifications. There can be only one Schema Master in the forest.
■ Domain Naming Master The Domain Naming Master DC controls the addition or removal of domains in the forest as well as adding and removing any cross-references to domains in external Lightweight Directory Access Protocol (LDAP) directories. There can be only one Domain Naming Master in the forest.
■ Infrastructure Master The Infrastructure Master is responsible for updating references from objects in the local domain to objects in other domains. There can be only one Infrastructure Master DC in each domain.
■ Relative ID (RID) Master The RID Master processes RID pool requests from all DCs in the local domain. These relative identifiers are the unique part of the SID, which is a Security Identifier used to uniquely identify objects and group memberships. There can be only one RID Master DC in each domain.
■ PDC Emulator The PDC Emulator is a DC that advertises itself as the PDC to workstations, member servers, and BDCs running Windows NT. It is also the Domain Master Browser, and handles Active Directory password changes, maintenance of trust relationships, as well as time synchronization for servers and clients within a domain. There can be only one PDC Emulator in each domain.
Two of these operate at the forest level only: you will have a single Schema Master and a single Domain Naming Master within each Active Directory forest, regardless of how many domains exist within the forest. Conversely, the RID Master, PDC Emulator, and Infrastructure Master operate at the domain level. To examine this relationship between master roles and the required authorization for administering them in the forest and domains, refer to Table 4.2.
Table 4.2 Valid Authorization Levels for Viewing, Transferring, and Seizing Operations Master Roles

Role | Task | Domain Administrator on the Local Domain | Domain Administrator on the Forest-Root Domain | Enterprise Administrator
Schema Master | Viewing, transferring, or seizing | | X (plus Schema Admins membership) | X
Domain Naming Master | Viewing, transferring, or seizing | | X | X
Infrastructure Master | Viewing, transferring, or seizing | X | | X
RID Master | Viewing, transferring, or seizing | X | | X
PDC Emulator | Viewing, transferring, or seizing | X | | X
To illustrate, if you have a single Active Directory forest containing a parent domain and a child domain, you will have one each of the Schema Master and Domain Naming Master FSMO roles, and two each of the Infrastructure Master, RID Master, and PDC Emulator, with one of each domain-wide FSMO configured in each of the two domains. A single-domain forest, therefore, has five roles—one of each. Each domain added after the forest root domain has three additional masters. With that information, we can determine the number of operations master servers required in a given forest with the following formula: ( (Number of domains ∗ 3) + 2) Given the formula, we can determine that the forest depicted in Figure 4.5, with three domains, needs a maximum of 11 server platforms to support the 11 FSMO roles (3 ∗ 3 = 9, and 9 + 2 = 11), unless you assign multiple roles to a single DC. Often, small domains, empty root domains, or best practices will make combining several of these roles onto a single DC desirable. In the example shown in Figure 4.5, the following roles exist:
■ One Schema Master in Dogs.com
■ One Domain Naming Master in Dogs.com
■ Three PDC Emulators (one each in Dogs.com, Fish.com, and Cat.fish.com)
■ Three RID Masters (one each in Dogs.com, Fish.com, and Cat.fish.com)
■ Three Infrastructure Masters (one each in Dogs.com, Fish.com, and Cat.fish.com)
Figure 4.5 Creating a New Child Domain in an Existing Domain
[Figure: root domain Dogs.com and top-level domain Fish.com joined by a transitive trust; child domain Cat.fish.com under Fish.com with an implicit trust]
Placing, Transferring, and Seizing FSMO Role Holders The first DC that you install in the forest root will automatically host all five roles. The first DC that you install in any additional domains will automatically host the three roles of PDC Emulator, RID Master, and Infrastructure Master. You can use the ntdsutil.exe command-line utility to transfer FSMO roles, or you can use an MMC snap-in tool. Depending on which role you want to transfer, you can use one of the following three MMC snap-in tools:
■ Active Directory Schema snap-in (Schema Master role)
■ Active Directory Domains and Trusts snap-in (Domain Naming Master role)
■ Active Directory Users and Computers snap-in (RID Master, Infrastructure Master, and PDC Emulator roles)
To forcibly seize a role, you must use the ntdsutil utility. If a computer cannot be contacted due to a hardware malfunction or long-term network failure, the role must be seized. If the PDC Emulator role holder fails, you can seize the PDC Emulator FSMO role to another DC and then return the role to the original role holder when it comes back online. In the case of other FSMO role holders, particularly the RID Master and Schema Master FSMO role holders, you must take significantly greater care if you need to seize the FSMO role due to a hardware or network failure. If you seize the Schema Master or RID Master FSMO role holder to another DC, the original role holder must never be returned to Active Directory; the original role holder must be reformatted before being returned to your production environment.
EXAM WARNING Remember this distinction between the GC and the Schema Master: The GC contains a limited set of attributes of all objects in the Active Directory. The Schema Master contains formal definitions of every object class that can exist in the forest and every object attribute that can exist within an object. In other words, the GC contains every object, whereas the schema contains every definition of every type of object.
Locating and Transferring the Schema Master Role The DC that hosts the Schema Master role controls each update or modification to the schema. You must have access to the Schema Master to update the schema of a forest.
NOTE You must be a member of the Schema Admins group to perform this operation. The built-in Administrator account in the forest root domain is automatically configured as a member of this group when the Active Directory forest is created.
Refer to Exercise 4.3 for instructions on how to identify the DC that is performing the Schema Master operations role for your forest using the command line or the GUI. Refer to Exercise 4.4 for instructions on how to transfer the Schema Master operations role for your forest to a different DC, and Exercise 4.9, later in this chapter, for steps to seize the role to another DC in case of a failure.
Temporary loss of the Schema Master is not noticeable to domain users. Enterprise and domain administrators will not notice the loss either, unless they are trying to install an application that modifies the schema during installation or trying to modify the schema themselves. You should seize the schema FSMO role to the standby operations master only if your old Schema Master will be permanently offline.
EXERCISE 4.3 LOCATING THE SCHEMA OPERATIONS MASTER
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run.
3. Type regsvr32 schmmgmt.dll in the Open box, and click OK. This registers the Schmmgmt.dll.
4. Click OK in the dialog box showing that the operation succeeded.
5. Click Start | Run, type mmc, and then click OK.
6. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active Directory Schema, click Close, and then click OK.
7. Expand and then right-click Active Directory Schema in the top-left pane, and then select Operations Masters to view the server holding the Schema Master role, as shown in Figure 4.6.
Figure 4.6 The Server Holding the Schema Master Role
EXERCISE 4.4 TRANSFERRING THE SCHEMA OPERATIONS MASTER ROLE
1. Log on as an Enterprise Administrator in the forest where you want to transfer the Schema Master role.
2. Click Start | Run.
3. Type regsvr32 schmmgmt.dll in the Open box, and then click OK. This registers the Schmmgmt.dll.
4. Click OK in the dialog box showing that the operation succeeded.
5. Click Start | Run, type mmc, and then click OK.
6. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active Directory Schema, click Close, and then click OK.
7. Right-click Active Directory Schema in the top-left pane, and then click Change Active Directory Domain Controller.
8. As shown in Figure 4.7, select the This Domain Controller or AD LDS instance, enter the name of the DC that will be the new role holder, and then click OK.
9. Right-click Active Directory Schema again, and then click Operations Master.
10. Click Change.
11. Click OK to confirm that you want to transfer the role, and then click Close.
Figure 4.7 Changing an Active Directory Domain Controller
Locating and Transferring the Domain Naming Master Role The Domain Naming Master DC controls the addition or removal of domains in the forest, and adding and removing any cross-references to domains in external LDAP directories. There can be only one Domain Naming Master in the forest. Refer to Exercise 4.5 for instructions on how to identify the DC that is performing the Domain Naming Master operation role for your forest. Refer to Exercise 4.6 for instructions on how to transfer the Domain Naming Master operations role for your forest to a different DC.
EXERCISE 4.5 LOCATING THE DOMAIN NAMING OPERATIONS MASTER
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run, type mmc, and then click OK.
3. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active Directory Domains and Trusts, click Close, and then click OK.
4. Right-click Active Directory Domains and Trusts in the top-left pane, and then click Operations Masters to view the server holding the Domain Naming Master role.
EXERCISE 4.6 TRANSFERRING THE DOMAIN NAMING MASTER ROLE
1. Click Start | Administrative Tools | Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and click Change Active Directory Domain Controller, unless you are already on the DC to which you are transferring the role. Select the This Domain Controller or AD LDS instance, enter the name of the DC that will be the new role holder, and then click OK.
3. In the console tree, right-click Active Directory Domains and Trusts, and then select Operations Master. Click Change.
4. Click OK for confirmation, and click Close.
Locating and Transferring the Infrastructure, RID, and PDC Operations Master Roles The Infrastructure Master is responsible for updating references from objects in the local domain to objects in other domains. There can be only one Infrastructure Master DC in each domain. The RID Master processes RID pool requests from all DCs in the local domain. There can be only one RID Master DC in each domain. The PDC Emulator is a DC that advertises itself as the PDC to workstations, member servers, and BDCs running Windows NT. It is also the Domain Master Browser, and handles Active Directory password collisions, or discrepancies. There can be only one PDC Emulator in each domain. Refer to Exercise 4.7 for instructions on how to identify the DCs that are performing the FSMO roles for your forest using the Active Directory Users and Computers GUI interface. Refer to Exercise 4.8 for instructions on how to transfer the Infrastructure, RID, and PDC Master operations roles for your domain to different DCs, and to Exercise 4.9 for instructions on how to seize the FSMO Master roles.
EXERCISE 4.7 LOCATING THE INFRASTRUCTURE, RID, AND PDC OPERATIONS MASTERS
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run, type dsa.msc, and click OK. This is an alternative method for opening the Active Directory Users and Computers administrative tool.
3. Right-click the selected Domain Object in the top-left pane, and then click Operations Masters.
4. Click the Infrastructure tab to view the server holding the Infrastructure Master role.
5. Click the RID tab to view the server holding the RID Master role.
6. Click the PDC tab to view the server holding the PDC Master role.
EXERCISE 4.8 TRANSFERRING THE INFRASTRUCTURE, RID, AND PDC MASTER ROLES
1. Click Start | Administrative Tools | Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers, and click Connect to Domain Controller unless you are already on the DC you are transferring to. Select the This Domain Controller or AD LDS instance, enter the name of the DC that will be the new role holder, and then click OK.
3. In the console tree, right-click Active Directory Users and Computers, and click All Tasks | Operations Master.
4. Take the appropriate action for the role you want to transfer:
■ Click the Infrastructure tab, and click Change.
■ Click the RID tab, and click Change.
■ Click the PDC tab, and click Change.
5. Click OK for confirmation, and click Close.
EXERCISE 4.9 SEIZING THE FSMO MASTER ROLES
1. Log on to any working DC.
2. Click Start | Run, type ntdsutil in the Open box, and then click OK.
3. Type activate instance ntds and press Enter.
4. Type roles, and press Enter.
5. In ntdsutil, type ? at any prompt to see a list of available commands, and press Enter.
6. Type connections, and press Enter.
7. Type connect to server servername, where servername is the name of the server that will receive the role, and press Enter.
8. At the Server connections: prompt, type q, and press Enter.
9. Type the appropriate seizing command, as shown next. See the example in Figure 4.8. If the FSMO role is available, ntdsutil.exe will perform a transfer instead. Respond to the Role Seizure Confirmation Dialog box, as shown in Figure 4.9.
seize infrastructure master
seize RID master
seize PDC
Figure 4.8 Seizing the PDC Master Role
D:\WINDOWS\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server DC4
Binding to DC4 ...
Connected to DC4 using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "DC4" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
Domain - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
PDC - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
RID - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
Infrastructure - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
fsmo maintenance: q
Figure 4.9 Seizing the Schema Operations Master Role
10. After you seize the role, type q, and then press Enter repeatedly until you quit the Ntdsutil tool.
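The same transfer-then-seize sequence that ntdsutil performs in Exercise 4.9 can be scripted with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet (Windows Server 2008 R2 or later; this is an added example, not code from the book). Without -Force the cmdlet transfers, which requires the current holder to be online; with -Force it seizes. The target name DC4 is taken from Figure 4.8 and the reachability check on the old holder is this example's own safeguard, not part of the book's procedure.

```powershell
# Added example (not the book's own code): transfer the three domain-wide
# roles to a target DC, and seize only if the current PDC Emulator holder
# is genuinely unreachable. Assumes the ActiveDirectory module (Server 2008
# R2 or later RSAT) and Domain Admin rights in the domain.
Import-Module ActiveDirectory

$Target = 'DC4'                      # DC that should receive the roles (sample name from Figure 4.8)
$Roles  = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Record the current holder so the seize branch can check whether it is
# really down rather than just slow.
$OldHolder = (Get-ADDomain).PDCEmulator

try {
    # Equivalent of ntdsutil's "attempting safe transfer ... before seizure":
    # a plain move is a transfer and fails if the old holder cannot be reached.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles `
        -Confirm:$false -ErrorAction Stop
    "Transferred $($Roles -join ', ') to $Target"
}
catch {
    if (Test-Connection -ComputerName $OldHolder -Count 2 -Quiet) {
        # Reachable but the transfer failed: a seize here would leave two DCs
        # believing they hold the role, so stop and investigate instead.
        throw "Transfer to $Target failed although $OldHolder is reachable; not seizing. $($_.Exception.Message)"
    }
    # Old holder is down: seize. As the text warns, after seizing the RID Master
    # the old holder must be rebuilt before it rejoins the domain; a seized PDC
    # Emulator may simply be moved back when the original DC returns.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles `
        -Force -Confirm:$false -ErrorAction Stop
    "Seized $($Roles -join ', ') to $Target; old holder was $OldHolder"
}

# Confirm what the domain now records for each role.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```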
Placing the FSMO Roles within an Active Directory Environment It is a good idea to place the RID and PDC Emulator roles on the same DC. Downlevel clients and applications target the PDC, making it a large consumer of RIDs. Good communication between these two roles is important. If performance demands it, place the RID and PDC Emulator roles on separate DCs, but make sure they stay in the same site and that they are direct replication partners with each other. As a general rule, you should place the Infrastructure Master on a DC that is not a GC server to maintain proper replication. There are two exceptions to this rule:
■ Single domain forest If your forest contains only one Active Directory domain, there can be no phantoms. The Infrastructure Master has no functionality in a single domain forest. In that case, you can place the Infrastructure Master on any DC.
■ Multidomain forest where every DC holds the GC Again, there can be no phantoms if every DC in the domain hosts a GC. There is no work for the Infrastructure Master to perform. In that case, you can place the Infrastructure Master on any DC.
Additionally, ensure that the Infrastructure Master has a direct connection object to a GC server somewhere in the forest, preferably in the same site. Considering the forest-wide FSMOs, the Schema Master and Domain Naming Master roles are rarely used and should be tightly controlled. For that reason, you can place them on the same DC. Another Microsoft-recommended practice is to place the Domain Naming Master FSMO on a GC server. Taking all of these practices together, a Microsoft-recommended best-practice empty root domain design might consist of two DCs with the following FSMO/GC placement:
■ DC 1:
    ■ Schema Master
    ■ Domain Naming Master
    ■ GC
■ DC 2:
    ■ RID Master
    ■ PDC Emulator
    ■ Infrastructure Master
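The role-count formula and the placement rules in this section can be verified against a live forest. The following is an added example, not code from the book: it counts the roles each DC advertises and compares the total with (domains * 3) + 2, then checks that the RID Master and PDC Emulator share a site, that the Domain Naming Master is a GC, and that the Infrastructure Master is not a GC unless the forest has a single domain or every DC in its domain is a GC. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later) and read access to every domain in the forest.

```powershell
# Added example (not the book's own code): FSMO placement audit.
# Assumes the ActiveDirectory module and read access to all forest domains.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = @($forest.Domains)

# Get-ADDomainController is domain-scoped; gather every DC in the forest once
# and index them by host name so role holders can be looked up by FQDN.
$allDcs = foreach ($d in $domains) { Get-ADDomainController -Filter * -Server $d }
$byHost = @{}
foreach ($dc in $allDcs) { $byHost[$dc.HostName.ToLower()] = $dc }

$findings = New-Object System.Collections.Generic.List[string]

# 1. Role count: ((Number of domains * 3) + 2), counted from the roles each DC
#    advertises in its OperationMasterRoles property.
$expected = ($domains.Count * 3) + 2
$actual   = ($allDcs | ForEach-Object { @($_.OperationMasterRoles).Count } | Measure-Object -Sum).Sum
if ($actual -ne $expected) {
    $findings.Add("Forest advertises $actual operations master roles; expected $expected for $($domains.Count) domain(s)")
}

# 2. Forest-wide roles: recommended practice is to put the Domain Naming Master on a GC.
$naming = $byHost[$forest.DomainNamingMaster.ToLower()]
if ($naming -and -not $naming.IsGlobalCatalog) {
    $findings.Add("Domain Naming Master $($naming.HostName) is not a GC")
}

# 3. Domain-wide roles, checked per domain.
foreach ($name in $domains) {
    $domain = Get-ADDomain -Identity $name
    $pdc    = $byHost[$domain.PDCEmulator.ToLower()]
    $rid    = $byHost[$domain.RIDMaster.ToLower()]
    $infra  = $byHost[$domain.InfrastructureMaster.ToLower()]
    $dcsInDomain = @($allDcs | Where-Object { $_.Domain -eq $name })

    # RID Master and PDC Emulator should be on the same DC or at least in the same site.
    if ($pdc -and $rid -and $pdc.Site -ne $rid.Site) {
        $findings.Add("${name}: PDC Emulator $($pdc.HostName) and RID Master $($rid.HostName) are in different sites")
    }

    # Infrastructure Master on a GC is only harmless when there can be no
    # phantoms: single-domain forest, or every DC in the domain is a GC.
    $everyDcIsGc  = @($dcsInDomain | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $singleDomain = $domains.Count -eq 1
    if ($infra -and $infra.IsGlobalCatalog -and -not ($singleDomain -or $everyDcIsGc)) {
        $findings.Add("${name}: Infrastructure Master $($infra.HostName) is a GC, but not every DC in this multi-domain forest is a GC")
    }
}

if ($findings.Count -eq 0) { 'FSMO placement matches the recommended practices.' } else { $findings }
```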
Working with Sites In today’s distributed network environment, the communication must always be rapid and reliable. Geographical and other restrictions resulted in the need to create smaller networks, known as subnets. These subnets provide rapid and reliable communication between locations, which can also be attained in larger networks by using Microsoft Windows Server 2008 Active Directory Sites. They ensure rapid and reliable communication by using the methods offered by Microsoft Windows Server 2008 Active Directory Sites to regulate inter-subnet traffic. A site defines the network structure of a Windows Server 2008 Active Directory. A site consists of multiple Internet Protocol (IP) subnets linked together by rapid and reliable connections. The primary role of sites is to increase the performance of a network by economic and rapid transmission of data. The other roles of sites are replication and authentication. The Active Directory physical structure manages when and how the authentication and replication must take place. The Active Directory physical structure allows the management of Active Directory replication scheduling between sites. The performance of a network is also based on the location of objects and logon authentication as users log on to the network.
TEST DAY TIP As a network administrator, you must be familiar with the various roles and services offered by the Active Directory Sites. You needn’t worry about memorizing every detail for this particular exam. What you do have to know are the basics of how each role and services of Active Directory Sites works, and how Active Directory Sites can be used efficiently in terms of data transmission as part of a large network.
Understanding Sites A site is a collection of interconnected computers that operate over IP subnets. A site is also a place on a network having high-bandwidth connectivity. The relationship of sites to Active Directory components is based on the following network operations performed by sites:
■ Control of replication occurrences
■ Changes made with the sites
■ How efficiently DCs within a domain can communicate
A site can contain one or more domains, and a domain can be part of one or more sites. Sites and domains do not have to maintain the same namespace. Sites and domains are interrelated because sites control replication of the domain information.
Head of the Class… The Relationship between Sites and Domains Domains are also defined as units of replication. All the DCs present in a particular domain can receive changes and replicate those changes to all other DCs present in the domain of a network. A DNS server recognizes each domain that is present in a particular site. If your network requires more than one domain, you can easily create multiple domains. Figure 4.10 illustrates the relationship between sites and domains in a network, and helps us to understand that a site can have one or more domains, and a domain can have one or more sites.
Figure 4.10 The Relationship between the Sites and Domains Present in a Network
[Figure: one domain spanning three sites, and one site holding several domains]
In Figure 4.10, we see how multiple sites reside in a single domain, and how a single site can consist of multiple domains. A domain provides the following benefits:
■ It organizes domain objects.
■ It publishes resources and information about domain objects.
■ It applies GPOs to the domain to perform resource and security management.
■ It delegates authority to eliminate the need for administrators with broad administrative authority.
■ Security policies and settings such as user rights and password policies do not change from one domain to another.
■ Each domain stores only the information about the objects located in that domain.
EXAM WARNING Make sure you are familiar with the benefits provided by a domain, and how a domain works to provide them for you.
The sites present in an Active Directory denote the physical structure of a network. The physical structure information is available as site and site link objects in the directory. This information is used to build the most efficient replication topology. Generally, Active Directory Sites and Services are used to define sites and site links. Whereas sites represent the physical structure of the network, domains represent the logical structure of the organization. This partitioning of physical and logical structures offers the following advantages:
■ You can develop and manage the logical and physical structures of your network independently.
■ You do not have to base domain namespaces on your physical network.
■ You can deploy DCs for multiple domains within the same site.
■ You can deploy DCs for the same domain in multiple sites.
TEST DAY TIP Make sure you know and understand the differences between the physical and logical structures of the network. Be aware of how each is used to build the most efficient replication topology.
Subnets In Active Directory, a site consists of a set of computers that are interconnected in a LAN. Computers within the same site typically exist in the same building, or on the same campus network. A single site consists of one or more IP subnets. These subnets are a section of an IP network, with each subnet having a unique network address. A subnet address consists of a cluster of neighboring computers in much the same way as the postal codes group neighboring postal addresses. Figure 4.11 shows one or more clients residing within a subnet that defines an Active Directory site.
Figure 4.11 The Active Directory Site with One or More Client Computers within a Subnet
[Figure: an Active Directory site containing client computers on one subnet]
The subnets created through Active Directory Sites and Services are sections of an IP network, with each subnet having a unique network address. In Figure 4.11, 231.01.01.0/19 is a unique network address of the Active Directory site. Sites and subnets are represented in Active Directory by site and subnet objects, which we create through the Active Directory Sites and Services administrative tool. Each site object is associated with one or more subnet objects.
Site Planning You should plan thoroughly before creating and deploying an Active Directory. Site planning enables you to optimize the efficiency of the network and reduce administrative overhead. High-performance sites are developed based on the proper planning of the physical design of your network. Site planning enables you to determine exactly which sites you should create and how they can be linked using site links and site link bridges. Site information is stored in the configuration partition, which enables you to create sites and related information at any point in your deployment of Active Directory.
NOTE A configuration partition is a portion of a basic disk that can contain logical drives. A configuration partition is used if you want to have more than four volumes on your basic disk. A DC always stores the partitions for the schema and configuration. The schema and configuration are replicated to every DC in the domain tree or forest.
Site planning enables you to publish site information in the directory for use by applications and services. Generally, the Active Directory consumes the site information. You’ll see how replication impacts site planning later in this chapter.
Criteria for Establishing Separate Sites When you initially create a domain, a single default Active Directory site called Default-First-Site-Name is created. This site represents your entire network. A domain or forest consisting of a separate site can be highly efficient for a LAN connected by high-speed bandwidth.
NOTE A forest is defined as multiple Active Directory domains that share the same class, site, attribute definitions, and replication information (but not necessarily the same namespace). The domains present in the same forest are linked with two-way transitive trust relationships.
If a single LAN consists of a single subnet, or if a network consists of multiple subnets connected by high-speed connections, establishing a single-site topology offers the following advantages:
■ Simplified replication management
■ Regular directory updates between all DCs
Establishing a single-site topology enables all replication to occur as intrasite replication, which requires no manual replication configuration. A single-site design enables DCs to receive updates about directory changes promptly.
NOTE Intrasite replication refers to replication among DCs within the same site. Intersite replication refers to replication among DCs located at different sites.
Creating a Site
Sites are created using the Active Directory Sites and Services tool of Windows Server 2008. Exercise 4.10 walks you through the steps involved in creating a site. Active Directory Sites and Services is an MMC snap-in that you can use to administer the replication of directory data. You can also use this tool to create new sites, site links, subnets, and so forth.
EXERCISE 4.10 CREATING A NEW SITE
1. To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools | Active Directory Sites and Services. The Active Directory Sites and Services console appears, as shown in Figure 4.12.
Figure 4.12 The Active Directory Sites and Services Tool
2. Highlight the Sites folder in the left-hand tree pane of the Active Directory Sites and Services console. Right-click and select the Sites folder’s New Site option from the context menu, as shown in Figure 4.13.
Figure 4.13 The New Site Option
3. Selecting the New Site option opens a New Object – Site dialog box, as shown in Figure 4.14.
Figure 4.14 The New Object – Site Dialog Box
4. Type the name of the site in the Name box present in the New Object – Site dialog box, as shown in Figure 4.15.
Figure 4.15 The Name of the Site
5. Select an initial site link object for the site from the New Object – Site dialog box.
6. Click OK. You will be presented with a pop-up box indicating the next steps that you should follow once the new site is created. Read this informational message and then click OK. This completes the process of creating a site using the Active Directory Sites and Services tool.
Renaming a Site
Renaming a site is one of the first tasks you should perform when administering a site structure. When you create a site initially, it is created with the default name Default-First-Site-Name. You can change this name based on the purpose of the site, such as the name of the physical location. A site is also renamed when an organization's network is expanded by one or more sites. Even if an organization is located in a single location, it makes sense to rename Default-First-Site-Name, because you never know when the network will expand. Renaming a site enables administrators to differentiate the sites present in a network easily and perform administration tasks efficiently. When a DC becomes aware that its site has been renamed, it will update its DNS records appropriately. Because cached DNS lookups and client caching of site names lead to temporary delays in connectivity directly after a rename, it is best to name and rename sites as early as possible in the deployment. After renaming a site, it is advisable to manually force replication with the other DCs in the same site. You rename a site using the Active Directory Sites and Services tool of Windows Server 2008. Exercise 4.11 walks you through the steps involved in renaming a site.
EXERCISE 4.11 RENAMING A NEW SITE
1. To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools. Double-click Active Directory Sites and Services. The Active Directory Sites and Services dialog box appears.
2. Expand the Sites folder in the left-hand tree pane of the Active Directory Sites and Services console.
3. Right-click the site you want to rename and select the Rename option from the context menu.
4. Type the new name of the site in the Name box in the left console pane.
5. Click OK. This completes the process of renaming a site using the Active Directory Sites and Services tool.
NOTE The Windows Server 2008 Active Directory consists of the default site link, named DEFAULTIPSITELINK, which is created automatically when the first domain in the network is created. This link is assigned to the Default-First-Site-Name site. These are the names assigned automatically when you create the first site. You should change the default names to something more descriptive.
Creating Subnets
Subnets are associated with Active Directory sites in order to match client computers to sites. A subnet is denoted by a range of IP addresses. The Active Directory Sites and Services user interface saves you from having to provide subnet names manually; instead, you are prompted for a network address. An example of a subnet name for an IP Version 4 network is 10.14.208.0/20. This name consists of two portions: the network address appears before the slash, and a representation of the subnet mask appears after the slash. Table 4.3 shows some common subnet masks and the corresponding slash notations. The number following the slash indicates the number of binary digits (bits) that make up the network portion of the IP address. The number 255 in decimal translates to 11111111 in binary (8 bits); thus, you can see how the subnet masks in Table 4.3 translate to the corresponding slash notations.

Table 4.3 Subnet Masks and Slash Notation
Subnet Mask        Slash Notation
255.0.0.0          /8
255.255.0.0        /16
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
255.255.255.254    /31
IP Version 6 (IPv6) is a new implementation of the Transmission Control Protocol/Internet Protocol (TCP/IP) that is increasing in prevalence, as it addresses a number of shortcomings that have appeared in IPv4 over time. Windows Server 2008 is the first version of the Windows operating system that has included support for IPv6 out of the box; IPv6 is one of the default protocols included in a fresh installation of the Windows Server 2008 operating system. IPv6 was developed to address a number of limitations of IPv4, the most notable being the limitations of the IPv4 address space, that is, the list of usable TCP/IP addresses provided by IPv4. When TCP/IP was developed in the 1960s, no one foresaw the Internet explosion of the 1990s that would threaten to exhaust the 4-billion-plus IP addresses available through IPv4. The useful lifespan of IPv4 has been extended through the use of private IP networks and the network address translator (NAT), but a long-term solution is still required. To this end, IPv6, the next generation of TCP/IP, was developed to provide a significantly larger address space for current and future implementations of TCP/IP networks. IPv6 uses 128 bits, or 16 bytes, for its addressing scheme, which provides 2^128 (about 340 billion) IP addresses. IPv6 address notation is noticeably different from the dotted-decimal notation of IPv4, using eight groups of four hexadecimal digits separated by colons. For example, 192.168.1.243 is an example of an IPv4 address, and 5ab1:0c12:63d7:0237:9175:bade:0370:7334 is an example of an IPv6 address. If an IPv6 address contains a series of sequential zeros, the address can be shortened to use a single zero in each group, or else the entire grouping can be represented using a double colon (::). So, the following three strings all represent the same IPv6 address:
■ 5925:0000:0000:0000:0000:0000:0000:2742
■ 5925:0:0:0:0:0:0:2742
■ 5925::2742
NOTE The loopback address in IPv6 is expressed as ::1.
IPv6 includes a few other enhancements for performance and security. Notably, IP security through the use of IPSec is an integral part of IPv6, whereas it was an optional feature under IPv4. You create subnets using the Active Directory Sites and Services tool of Windows Server 2008. Exercise 4.12 shows the steps involved in creating subnets.
EXERCISE 4.12 CREATING SUBNETS
1. To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools, and then double-click Active Directory Sites and Services. The Active Directory Sites and Services console appears.
2. Highlight the Sites folder in the left-hand tree pane of the Active Directory Sites and Services console. Expand the Sites folder.
3. Right-click Subnets and select New Subnet from the context menu, as shown in Figure 4.16.
Figure 4.16 The New Subnet Option
4. Selecting the New Subnet option opens a New Object – Subnet dialog box.
5. Type the network address and subnet mask in dotted-decimal notation in the text boxes present in the New Object – Subnet dialog box.
6. Select a site object for this subnet from the list provided in the New Object – Subnet dialog box.
7. Click OK. This completes the process of creating a subnet using the Active Directory Sites and Services tool.
Associating Subnets with Sites
After creating sites and subnets, the next step is to associate your subnets with sites. Computers on an Active Directory network communicate using TCP/IP and are assigned to sites based on the subnet in which their IP address falls. Remember that a site consists of one or more IP subnets. You specify the subnets associated with each site on your network by creating subnet objects in the Active Directory Sites and Services console. The association of subnets with sites enables the computers on the Active Directory network to use the subnet information to find a DC in the same site, so that authentication traffic will not cross WAN links. Active Directory also uses subnets during the replication process to determine the best routes between DCs. You associate subnets with sites using the Active Directory Sites and Services tool of Windows Server 2008. Exercise 4.13 walks you through the steps involved in associating subnets with sites.
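The subnet notation of Table 4.3, the IPv6 :: shorthand described above, and the subnet-to-site lookup this section describes, worked through as an added Python example (not code from the book); the subnets, site names and client addresses are constructed sample data:

```python
import ipaddress


def mask_to_prefix(mask):
    """Convert a dotted-decimal IPv4 subnet mask (255.255.240.0) to the
    number of network bits used in slash notation (/20), as in Table 4.3.
    Rejects masks whose one-bits are not contiguous (e.g. 255.0.255.0)."""
    octets = mask.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal mask: {mask}")
    bits = ""
    for octet in octets:
        value = int(octet)
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range in mask: {mask}")
        bits += format(value, "08b")      # 255 -> 11111111
    ones = bits.rstrip("0")
    if "0" in ones:
        raise ValueError(f"non-contiguous mask: {mask}")
    return len(ones)


def prefix_to_mask(prefix):
    """Inverse of mask_to_prefix: 25 -> 255.255.255.128."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_name(network_address, mask):
    """Build the subnet object name the Sites and Services UI derives from a
    network address and mask (10.14.208.0 + 255.255.240.0 -> 10.14.208.0/20).
    strict=True makes ipaddress reject an address with host bits set
    (e.g. 10.14.210.0/20), which is not a valid network address."""
    prefix = mask_to_prefix(mask)
    network = ipaddress.ip_network(f"{network_address}/{prefix}", strict=True)
    return str(network)


def compress_ipv6(address):
    """Apply the :: shorthand from the text: strip leading zeros from each of
    the eight groups and replace the longest run of two or more all-zero
    groups with a double colon."""
    groups = address.split(":")
    if len(groups) != 8:
        raise ValueError("expected eight colon-separated groups")
    groups = [format(int(g, 16), "x") for g in groups]   # "0000" -> "0"
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                       # a single zero group is not collapsed
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def find_site(client_ip, subnet_to_site):
    """Map a client's IP address to a site the way subnet objects let a client
    locate a DC in its own site: longest-prefix match over the configured
    subnets. Returns None when no subnet object covers the client."""
    ip = ipaddress.ip_address(client_ip)
    best_net, best_site = None, None
    for name, site in subnet_to_site.items():
        net = ipaddress.ip_network(name, strict=True)
        if net.version != ip.version or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


# Constructed sample subnet objects (not from the book)
SAMPLE_SUBNETS = {
    "10.14.0.0/16": "Chicago",        # whole site range
    "10.14.208.0/20": "Chicago-Lab",  # more specific subnet wins
    "5925::/64": "Dallas",            # an IPv6 subnet object
}

if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.255.128", "255.255.255.254"):
        print(f"{mask} -> /{mask_to_prefix(mask)}")
    print(subnet_name("10.14.208.0", "255.255.240.0"))
    print(compress_ipv6("5925:0000:0000:0000:0000:0000:0000:2742"))
    for client in ("10.14.210.5", "10.14.1.1", "192.168.1.243", "5925::2742"):
        print(client, "->", find_site(client, SAMPLE_SUBNETS))
```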
EXERCISE 4.13 ASSOCIATING SUBNETS WITH SITES
1. To open the Active Directory Sites and Services tool, click Start | Administrative Tools, and then click Active Directory Sites and Services.
2. Highlight the Subnets folder present in the left-hand tree pane of the Active Directory Sites and Services console (see Figure 4.17).
Figure 4.17 The Subnet Folder
3. Right-click the newly created subnet and select the Properties option; this will open a Properties dialog box, as shown in Figure 4.18.
Figure 4.18 Subnet Dialog Box for Associating/Changing the Site
4. Associate any site with this subnet by selecting the available site from the site drop-down menu, and click OK. This completes the process of associating a subnet with a site using the Active Directory Sites and Services tool.
Creating Site Links
After creating and defining the scope of each site, the next step in the site configuration process is to establish connections between the sites. Site link objects represent, for the Active Directory databases, the physical connectivity between the sites. A site link object is an Active Directory object that embodies a set of sites that can communicate at uniform cost. A site link that connects only two sites corresponds to a WAN link for an IP transport. A site link connecting more than two sites corresponds to an Asynchronous Transfer Mode (ATM) or metropolitan area network (MAN) built from leased lines and IP routers. Each site link is based on these four components:
■ Transport The networking technology used to move the replication traffic
■ Sites The sites that the site link connects
■ Cost The value used to compare this site link with others, in terms of speed, reliability, and charges
■ Schedule The times and frequency at which the replication will occur
You create site links using the Active Directory Sites and Services tool of Windows Server 2008. Exercise 4.14 walks you through the steps involved in creating site links.
EXERCISE 4.14 CREATING SITE LINKS
1. To open the Active Directory Sites and Services tool, click Start | Administrative Tools, and then click Active Directory Sites and Services.
2. Highlight the Inter-Site Transports folder in the left-hand tree pane of the Active Directory Sites and Services console. Expand the Inter-Site Transports folder, as shown in Figure 4.19.
Figure 4.19 The Inter-Site Transports Folder
3. Right-click either the IP or the SMTP folder (depending on what protocol the network is based on) in the left-hand tree pane of the Active Directory Sites and Services console. Select New Site Link from the context menu, as shown in Figure 4.20.
Figure 4.20 The New Site Link Option
4. Selecting the New Site Link option opens a New Object – Site Link dialog box.
5. Type the name of the new site link object in the Name box in the New Object – Site Link dialog box.
6. Select two or more sites to connect from the Sites not in this site link box, and click Add.
7. Click OK. This completes the process of creating a new site link object using the Active Directory Sites and Services tool.
Configuring Site Link Cost
Site link costs express how expensive an organization considers the network connection between the two sites that a site link connects. Higher costs represent more expensive connections. If two site links are available between two sites, the lowest-cost site link will be chosen. Each site link is assigned an IP or Simple Mail Transfer Protocol (SMTP) transport protocol, a cost, a replication frequency, and an availability schedule. All these parameters reflect the characteristics of the physical network connection. The cost assigned to a site link is a number on an arbitrary scale that should reflect, in some sense, the expense of transmitting traffic using that link. Cost can be in the range of 1 to 32,767, and lower costs are preferred. The cost of a link should be inversely proportional to the effective bandwidth of the network connection between the sites. For example, if you assign a cost of 32,000 to a 64 kbps line, you should assign 16,000 to a 128 kbps line and 1,000 to a 2 Mbps line. It makes sense to use a high number for the slowest link in your organization. As technology improves and communication becomes cheaper, it is likely that future WAN lines will be faster than today's, so there is little sense in assigning a cost of 2 to your current 128 kbps line and a cost of 1 to your 256 kbps line, because no lower cost would remain for a faster link. You configure site link costs using the Active Directory Sites and Services tool of Windows Server 2008. Exercise 4.15 illustrates the steps involved in configuring site link costs.
EXERCISE 4.15 CONFIGURING SITE LINK COSTS
1. To open the Active Directory Sites and Services tool, click Start | Administrative Tools, and then click Active Directory Sites and Services.
2. Highlight the Sites folder in the left-hand tree pane of the Active Directory Sites and Services console and expand the Sites folder.
3. Highlight the Inter-Site Transports folder in the left-hand tree pane of the Active Directory Sites and Services console and expand the Inter-Site Transports folder.
4. Right-click the site link whose cost you want to configure in the left-hand tree pane of the Active Directory Sites and Services console, and select Properties. Selecting Properties opens a dialog box, as shown in Figure 4.21.
Figure 4.21 The Properties Option
5. Type the value for the replication cost of the site link object in the Cost box in the dialog box.
6. Click OK. This completes the process of configuring site link costs using the Active Directory Sites and Services tool.
Understanding Replication
Replication is defined as the practice of transferring data from a data store present on a source computer to an identical data store present on a destination computer to synchronize the data. In a network, the directory data must live in one or more places on the network to be equally available to all users. The Active Directory directory service manages a replica of directory data on one or more DCs, ensuring the availability of directory data to all users. Active Directory uses the concept of sites to perform replication efficiently, and it uses the KCC to choose the best replication topology for the network automatically.
NOTE The KCC (Knowledge Consistency Checker) is a process that runs on a DC and automatically identifies the most efficient replication topology for the network, based on the data provided about the network in Active Directory Sites and Services.
Replication is an essential process for any domain that has multiple DCs. Replication ensures that each copy of the domain data is up-to-date, and is done by sending information about changes from one DC to another. Earlier versions of Windows NT were configured in a single-master environment, where the PDC maintained and managed the master copy of the domain database and was also in charge of replicating changes to the BDCs. In a single-master environment, if for some reason the PDC is unavailable, no changes can be made to the database. In Windows Server 2008 domains, every writable DC has a complete copy of the Active Directory of its own domain. This is similar to the NT model, but the difference is that each Windows Server 2008 DC first accepts and makes changes to the database and then replicates those changes to other DCs. An environment in which multiple computers are used for managing changes is known as a multimaster environment.
A multimaster environment has many advantages over the single-master configuration, including the following:
■ There are no single points of failure, as every DC can accept changes to the database.
■ DCs that accept changes to the database are distributed throughout the network. This allows administrators to make changes on local DCs and let replication ensure that these changes are propagated to all other DCs in an efficient manner.
Replication in a Windows Server 2008 environment is one of two types:
■ Intrasite replication Replication that occurs between DCs within a site
■ Intersite replication Replication that occurs between DCs in different sites
It is important to understand the differences between these methods when planning the site structure and replication.
Intrasite Replication
Intrasite replication occurs between DCs within a site. The system implementing such replication uses high-speed, synchronous Remote Procedure Calls (RPCs). Within a site, the KCC creates a ring topology between the DCs for replication (see Figure 4.22). The KCC is a built-in process that runs on all DCs and helps in creating the replication topology. It runs every 15 minutes by default and determines the replication path between DCs based on the connections available. The KCC automatically creates replication connections between DCs within the site. The ring topology created by the KCC defines the path through which changes flow within the site. All changes follow the ring until every DC receives them.
Figure 4.22 Ring Topology for Replication (Server 1, Server 2, Server 3 and Server 4 connected in a ring)
The KCC analyzes the replication topology within a site to ensure efficiency. If a DC is added or removed, it reconfigures the ring for maximum efficiency. It also configures the ring so that there will be no more than three hops between any two DCs within the site, which sometimes results in the creation of multiple rings (see Figure 4.23).
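A simplified model of the ring and the three-hop rule just described, as an added Python example (not the book's code and not the KCC's actual algorithm): it builds the ring, measures the hop count between every pair of DCs, and adds connections until no pair is more than three hops apart. The DC names are constructed.

```python
from collections import deque
from itertools import combinations

MAX_HOPS = 3  # the intrasite limit the text attributes to the KCC


def ring_topology(dcs):
    """The bidirectional ring the KCC builds first: each DC is connected to
    its two neighbours in list order. Edges are frozensets, so a->b and b->a
    are the same connection."""
    if len(dcs) < 2:
        raise ValueError("a ring needs at least two DCs")
    return {frozenset((dcs[i], dcs[(i + 1) % len(dcs)])) for i in range(len(dcs))}


def hop_counts(dcs, edges):
    """Shortest hop count between every ordered pair of DCs (BFS from each)."""
    adjacent = {dc: set() for dc in dcs}
    for edge in edges:
        a, b = tuple(edge)
        adjacent[a].add(b)
        adjacent[b].add(a)
    distances = {}
    for source in dcs:
        seen = {source: 0}
        queue = deque([source])
        while queue:
            current = queue.popleft()
            for neighbour in adjacent[current]:
                if neighbour not in seen:
                    seen[neighbour] = seen[current] + 1
                    queue.append(neighbour)
        for target, hops in seen.items():
            distances[(source, target)] = hops
    return distances


def max_hops(dcs, edges):
    """Worst-case number of hops a change must travel within the site."""
    return max(hop_counts(dcs, edges).values())


def add_optimizing_connections(dcs, edges, limit=MAX_HOPS):
    """Add connections until no two DCs are more than `limit` hops apart.
    Simplified model: repeatedly connect the farthest pair (first pair in
    list order on ties). Returns the new edge set and the added pairs."""
    edges = set(edges)
    added = []
    while True:
        distances = hop_counts(dcs, edges)
        worst = max(distances.values())
        if worst <= limit:
            return edges, added
        a, b = next(p for p in combinations(dcs, 2) if distances[p] == worst)
        edges.add(frozenset((a, b)))
        added.append((a, b))


if __name__ == "__main__":
    for count in (4, 6, 8):                       # constructed site sizes
        dcs = [f"DC{i}" for i in range(1, count + 1)]
        ring = ring_topology(dcs)
        optimized, added = add_optimizing_connections(dcs, ring)
        print(f"{count} DCs: ring max hops {max_hops(dcs, ring)}, "
              f"added {added}, max hops now {max_hops(dcs, optimized)}")
```

With four or six DCs the plain ring already satisfies the limit; with eight, the farthest pair is four hops apart and two extra connections bring every pair within three.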
Figure 4.23 The Three-Hop Rule of Intrasite Replication (Server 1 through Server 6)
Intersite Replication
Intersite replication takes place between DCs in different sites. The drawback of intersite replication is that you have to configure it manually. Active Directory builds an efficient intersite replication topology from the information provided by the administrator, which the directory stores as site link objects. A DC running the Inter-Site Topology Generator (ISTG) is used to build the topology. The ISTG is an Active Directory process that runs on one DC in each site and considers the cost of intersite connections. It checks whether previously known DCs are no longer available and whether new DCs have been added. The KCC process then updates the intersite replication topology, using a least-cost spanning-tree algorithm to eliminate superfluous replication paths between sites. The intersite replication topology is updated regularly to respond to any changes that occur in the network. This is useful when replication traffic needs to cross a slower Internet link.
Intersite replication across site links occurs every 180 minutes by default; you can change this if necessary. In addition, you can schedule when the site links are available for use. By default, a site link is available to carry replication 24 hours a day, seven days a week, and you can also change this if necessary. You can also configure a site link to use low-speed synchronous RPC over TCP/IP or asynchronous SMTP transport. Replication within a site always uses RPC over IP, whereas replication between sites can use either RPC over IP or SMTP over IP. Replication between sites over SMTP is supported only for DCs of different domains; DCs of the same domain must replicate using the RPC over IP transport. Hence, between sites you can configure a site link to use either point-to-point, low-speed synchronous RPC over IP or low-speed asynchronous SMTP.
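The site link cost scale from "Configuring Site Link Cost" and the least-cost spanning tree described for intersite replication, as an added Python example (not the book's code, and a simplification of what the ISTG actually does): each site link is modelled as joining exactly two sites, and the WAN links and bandwidths are constructed sample data.

```python
MIN_COST, MAX_COST = 1, 32767     # the valid range of a site link cost


def site_link_cost(bandwidth_kbps, slowest_kbps=64, slowest_cost=32000):
    """Cost inversely proportional to effective bandwidth, anchored so that
    the slowest link in the organization gets a high cost (the text's
    example: 32,000 for a 64 kbps line). Clamped to the valid range."""
    if bandwidth_kbps <= 0 or slowest_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    cost = round(slowest_cost * slowest_kbps / bandwidth_kbps)
    return max(MIN_COST, min(MAX_COST, cost))


def least_cost_topology(site_links):
    """Simplified model of the least-cost spanning tree the text describes.
    site_links is a list of (name, site_a, site_b, cost) tuples. Kruskal's
    algorithm keeps the cheapest links that connect every site and reports
    the redundant ones. Ties are broken by link name for determinism."""
    parent = {}

    def find(site):
        parent.setdefault(site, site)
        while parent[site] != site:
            parent[site] = parent[parent[site]]    # path compression
            site = parent[site]
        return site

    used, unused = [], []
    for link in sorted(site_links, key=lambda l: (l[3], l[0])):
        _, site_a, site_b, _ = link
        root_a, root_b = find(site_a), find(site_b)
        if root_a == root_b:
            unused.append(link)            # would only add a redundant path
        else:
            parent[root_a] = root_b
            used.append(link)
    return used, unused


# Constructed example WAN (not from the book): bandwidth in kbps per link
SAMPLE_LINKS_KBPS = [
    ("HQ-Dallas-main", "HQ", "Dallas", 2048),      # 2 Mbps
    ("HQ-Dallas-backup", "HQ", "Dallas", 128),
    ("HQ-Chicago", "HQ", "Chicago", 128),
    ("Dallas-Chicago", "Dallas", "Chicago", 64),   # the slowest line
]


def plan_site_links(links_kbps):
    """Assign costs from bandwidth, anchored at the slowest link, then pick
    the links that would carry replication. Returns (costed, used, unused)."""
    slowest = min(link[3] for link in links_kbps)
    costed = [(name, a, b, site_link_cost(kbps, slowest))
              for name, a, b, kbps in links_kbps]
    used, unused = least_cost_topology(costed)
    return costed, used, unused


if __name__ == "__main__":
    costed, used, unused = plan_site_links(SAMPLE_LINKS_KBPS)
    for name, a, b, cost in costed:
        print(f"{name:18} {a:>7} <-> {b:<8} cost {cost:>6}")
    print("carry replication:", [link[0] for link in used])
    print("redundant:", [link[0] for link in unused])
```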
Bridgehead Servers
A bridgehead server is a server that is mainly used for intersite replication. You can configure a bridgehead server in every site for each intersite replication protocol. This helps to control which server is used to replicate information to other sites. To configure a server as a bridgehead server, follow these steps:
1. Choose Start | Administrative Tools | Active Directory Sites and Services.
2. Expand the Sites folder.
3. Expand the site in which a bridgehead server has to be created, and then expand the Servers folder.
4. Right-click on the server and choose Properties.
5. In the Transports available for inter-site transfer area, select the protocol for which this server should be a bridgehead and click Add.
6. Click OK to set the properties, and then close Active Directory Sites and Services.
The ability to configure a server as a bridgehead server gives you greater control over the resources used for intersite replication.
Site Link Bridges
Often, there is no need to deal with site link bridges separately, as all the links are automatically bridged by a property known as transitive site links. Sometimes, when you need to control through which sites the data can flow, you need to create site link bridges. By default, all the site links created are bridged together. The bridging enables the sites to communicate with each other. If automatic bridging does not provide the connectivity you need because of the network structure, disable it and create an appropriate site link bridge. In some cases, it is necessary to control the data flow through the sites, and in these cases you must create site link bridges. To disable transitive site links (automatic bridging), follow these steps:
1. Choose Start | Administrative Tools | Active Directory Sites and Services.
2. Expand the Sites folder and then expand the Inter-Site Transports folder.
3. Right-click on the transport for which the automatic bridging should be turned off, and choose Properties.
4. On the General tab, clear the Bridge all site links checkbox and click OK.
To create a site link bridge, follow these steps:
1. Choose Start | Administrative Tools | Active Directory Sites and Services.
2. Expand the Sites folder and then the Inter-Site Transports folder.
3. Right-click on the transport that needs to be used, and choose New Site Link Bridge.
4. In the Name box, enter a name for the site link bridge.
5. From the list of Site links not in this bridge, select the site link to be added.
6. Remove any extra site links in the Site links in this bridge box and click OK.
Scheduling
You can configure replication frequency by providing an integer value that tells Active Directory how many minutes it should wait before it uses a connection to check for replication updates. The interval must be not less than 15 minutes and not more than 10,080 minutes. For any replication to happen, a site link is essential. Follow these steps to configure site link replication frequency:
1. Choose Start | Administrative Tools | Active Directory Sites and Services.
2. Expand the Inter-Site Transports folder; select either the IP or the SMTP folder and right-click the site link for which the replication frequency is to be set.
3. Click Properties, and in the Properties dialog box for the site link, enter in the Replicate Every box the number of minutes between replications. The default value is 180.
4. Click OK.
Forcing Replication
Within a site, data is usually replicated in response to change notifications. An administrator can also force immediate replication. To do so for all data on a given connection in a single direction, perform the following steps:
1. Choose Start | Administrative Tools | Active Directory Sites and Services. Expand Sites in the left-hand tree pane.
2. Expand the name of the site that is to receive the replication.
3. Expand the name of the server that is to receive the replication.
4. Select the server's NTDS Settings object. The right console pane will be populated with the server's inbound connection objects.
5. In the right pane, right-click the name of the server from which you want to replicate, and select Replicate Now.
You can also force replication from the command line by using the repadmin.exe utility from the Support Tools.
Replication Protocols
When creating site links, you have the option of using either IP or SMTP as the transport protocol:
■ SMTP replication You can use SMTP only for replication over site links. It is asynchronous; that is, the destination DC does not wait for the reply, so the reply may not arrive for some time. SMTP replication also ignores the Replication Available and Replication Not Available settings on the site link schedule, and uses the replication interval to indicate how often the server requests changes. When choosing SMTP, you must install and configure an enterprise certificate authority (CA), as it signs the SMTP messages that are exchanged between DCs. SMTP replication is designed for use over slow or unreliable WAN links, in situations where IP connectivity between sites is too unreliable to be used for Active Directory replication.
■ IP replication All replication within a site occurs over the synchronous RPC over IP transport. Replication within a site is fast and delivers updates uncompressed. Replication events occur more frequently within a site than between sites, and the overhead of compression would be inefficient over fast connections.
Planning, Creating, and Managing the Replication Topology
An important job when implementing replication is planning, creating, and managing the replication topology, as discussed next.
Planning Replication Topology
Let's now discuss how to plan a replication topology:
■ Before starting the replication planning process, you need to finish planning the forest, domain, and DNS.
■ It is essential to have an understanding of Active Directory replication, the File Replication Service (FRS), and the SYSVOL replication used to replicate Group Policy changes.
■ For Active Directory replication, a rule of thumb is that a given DC that acts as a bridgehead server should not have more than 50 active simultaneous replication connections at any given time.
Creating Replication Topology
The next step is to create the replication topology. Let's discuss how to create a replication topology:
■ Active Directory replication is a one-way pull replication whereby the DC that needs updates (the target DC) gets in touch with its replication partner (the source DC). Then, the source DC selects the updates that the target DC needs and copies them to the target DC. Because Active Directory uses a multimaster replication model, each DC functions as both source and target for its replication partners. From the point of view of a DC, it has both inbound and outbound replication traffic, depending on whether it is the source or the destination of a replication sequence.
■ Inbound replication is the incoming data transfer from a replication partner to a DC, and outbound replication is the data transfer from a DC to its replication partner.
■ System policies and logon scripts that are stored in SYSVOL use FRS to replicate. Each DC keeps a copy of SYSVOL for network clients to access. FRS is also used for DFS.
■ Components of the replication topology such as the KCC, connection objects, site links, and site link bridges are to be checked by the administrator.
There are two methods for creating a replication topology:
■ Use the KCC to create connection objects. This method is recommended if there are 100 or fewer sites.
■ Use a scripted or third-party tool to create connection objects. This method is recommended if there are more than 100 sites.
Configuring Replication between Sites
To ensure that users can log on within a given span of time, it is necessary to locate DCs near them, which sometimes involves moving DCs between sites. The purpose of a site is to help manage replication between DCs and across slow network links. In addition to creating the site and adding subnets to that site, we also need to move DCs into the site, as replication happens between DCs. A DC has to be added to the site to which it belongs so that clients within the site can find the DCs in their site and log on to them. To move DCs, follow these steps:
1. Open Active Directory Sites and Services.
2. Choose the Sites folder and then select the site where the server is located.
3. In the site, expand the Servers folder.
4. Right-click on the DC you want to move, and choose Move.
5. Select the destination subnet from the dialog box and click OK.
www.syngress.com
Troubleshooting Replication Failure
DCs usually handle the replication process automatically. Failed network links and misconfigurations prevent the synchronization of information between DCs. There are many ways to monitor the behavior of Active Directory replication and correct problems when they occur.
Troubleshooting Replication
A common symptom of replication problems is that information is not updated on some or all DCs. There are several steps that you can take to troubleshoot Active Directory replication, including:
■ Check the network connectivity The basic requirement for any type of replication to work properly in a distributed environment is network connectivity. The ideal situation is that all the DCs are connected by high-speed LAN links. In the real world, a dial-up or otherwise slow connection is common. Check to see whether the replication topology is set up properly. In addition, confirm whether the servers are communicating. Failed dial-up connection attempts can prevent important Active Directory information from being replicated.
■ Examine the replication topology The Active Directory Sites and Services tool helps to verify whether a replication topology is logically consistent. You do this by right-clicking the NTDS Settings object within a Server object and selecting All Tasks | Check Replication Topology. If there are any errors, a dialog box will alert you to the problem.
■ Validate the event logs Whenever an error in the replication configuration occurs, events are written to the Directory Service event log. The Event Viewer administrative tool can provide the details associated with any problems in replication.
■ Verify whether the information is synchronized Many administrators forget to execute manual checks regarding the replication of Active Directory information. One reason for this is that every Active Directory DC has its own read/write copy of the Active Directory database, so creating a new object succeeds even when no connectivity to the other DCs exists. It is important to regularly check whether objects have been synchronized between DCs. The manual check, although tedious, can prevent inconsistencies in the information stored on DCs.
■ Check router and firewall configurations Firewalls restrict the types of traffic transferred between networks and so prevent unauthorized users from transferring information. In some cases, company firewalls might block the types of network access that should be available for Active Directory replication to occur. Replication between DCs relies on RPC: the RPC endpoint mapper (TCP port 135) and the dynamic RPC port range must be reachable between replication partners, in addition to the LDAP, Kerberos, DNS, and SMB ports.
■ Verify site links Before any DCs in different sites can communicate, the sites must be connected by site links. If replication between sites doesn't occur properly, verify that the site links exist and connect the right sites.
Using Event Viewer
You use the Event Viewer to read the Directory Service event log; how much detail Active Directory writes to that log is controlled through the Registry. To configure Active Directory event logging, follow these steps:
1. Select Start | Run. In the Open box, type regedit, and click OK.
2. Locate and click the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
3. Each entry in the right-hand pane of the Registry Editor window represents a type of event that Active Directory can log. All entries are set to the default value of 0 (None).
To configure event logging for the appropriate component, follow these steps:
1. In the right-hand pane of the Registry Editor, double-click the entry that represents the type of event that is to be logged; for example, Security Events.
2. Type the logging level that's needed in the Value data box, and click OK.
3. Repeat steps 1 and 2 for each component that you want to be logged. Then, on the File menu, click Exit to quit the Registry Editor.
Some of the events that you can write to the event log include:
■ KCC
■ MAPI events
■ Security events
■ Replication events
■ Directory access
■ Internal configuration
■ Internal processing
■ Intersite messaging
■ Service control setup
Each entry is assigned a value of 0 through 5, which determines the level of detail of the events that are logged:
■ 0 (None) Only critical events and error events are logged at this level. This is the default setting for all entries.
■ 1 (Minimal) Very high-level events are recorded in the event log at this setting. Events can include one message for each major task that the service performs. You can use this when the location to start an investigation is not known.
■ 2 (Basic) This level adds information beyond what is logged at the minimal level, without significantly impacting the system resources required to capture these log events.
■ 3 (Extensive) This level records more detailed information than the lower levels, such as the steps that are performed to complete a task.
■ 4 (Verbose) This level records significant details, but excludes the debug strings that are recorded at the highest logging level.
■ 5 (Internal) This level logs all events, including debug strings and configuration changes. A complete log of the service is recorded.
NOTE
Logging levels should always be left at the default value of 0 (None) unless you are actively investigating a problem; higher levels can fill the Directory Service log quickly and consume system resources, so return them to 0 when the investigation is finished. Back up the Registry before editing it: if the Registry Editor is used incorrectly, it can cause serious problems that may require reinstalling the operating system.
Working with Trusts
One of the many issues that need to be dealt with in any computer organization is how to protect resources. The main difficulty that administrators face is the dilemma of how to ensure that the company's resources are not accessible by those who do not need access. The other side of that coin, and something that is equally important, is how to ensure that people who do need access are granted it with the least amount of hassle. In small companies, the issues are simpler, because multiple domains rarely exist. In today's larger corporations and conglomerates, the issues of security are compounded. What administrators need is an easy tool to manage access across multiple domains and, often, across forests. That tool is Active Directory Domains and Trusts.
With Active Directory Domains and Trusts, an administrator can establish relationships between domains that allow users in one domain to access resources in another. This way, the administrator can ensure that all users who need access can have it without the hassle of maintaining user accounts in multiple domains. As the name implies, trusts are all about sharing information. For security purposes, you should carefully consider your reasons before creating a new trust relationship, and know which type of trust to implement. In Active Directory, a shortcut trust doesn't add more trust; rather, it makes the trusts you already have more efficient. External trusts are a concept left over from Windows NT, but are still necessary for sharing resources with a Windows NT domain or any other Windows domain outside your forest. Finally, you should consider the Windows Server 2008 forest trust to provide a transitive trust relationship between two Active Directory forests; this requires both forests to be at the Windows Server 2003 forest functional level or higher, that is, running Windows Server 2003 or Windows Server 2008 on all installed DCs.
As you can see, trusts vary in properties and purposes. The most important concepts to understand about trusts before you create them are direction and transitivity. Always be aware of the extent of any internal access that you grant to external users.
Trusts are predetermined avenues of access to forest resources. It is like giving someone a key to your house and hoping that he or she won’t misuse your trust. DCs do the authenticating, but not all DCs necessarily trust each other. That’s where you come in, setting the relationships between domains that govern the flow of information. Two primary attributes of trusts are direction and transitivity. The direction of trust flows from the trusting domain to the trusted domain, as shown by the arrow in Figure 4.24. Cats.com trusts Dogs.com. The direction of access is always in the opposite direction; Dogs.com accesses resources in Cats.com. This is a one-way trust. Likewise, Dogs.com trusts Fish.com, but does not trust Cats.com. Two one-way trusts can combine to simulate a single two-way trust.
Figure 4.24 The Nontransitive Trust (Cats.com trusts Dogs.com, and Dogs.com trusts Fish.com; both are one-way nontransitive trusts, so Fish.com has no path to Cats.com)
The second attribute of the trust is transitivity, a measure of how far the trust extends. A nontransitive trust has limits: the trusted domain, and only the trusted domain, can access resources through the trust to the trusting domain. As shown in Figure 4.24, if the Dogs.com domain has trusts to other domains such as Fish.com, those other domains are barred from access to Cats.com unless Cats.com creates a trust with them directly. The absence of the third leg of the trust breaks the circle of access. This is the behavior of all trusts in Windows NT. Conversely, transitive trusts, such as the ones shown in Figure 4.25, are the skeleton keys of access. Anyone on the trusted side of the trust relationship can enter, including anyone trusted by the trusted domain. When a user or process requests access to a resource in another domain, a series of hand-offs occurs within the authentication process down the trust path, as shown in Figure 4.25. When Cats.com trusts Dogs.com transitively, it must trust all Dogs.com child domains equally at the level of the trust. There are two types of trusts in Figure 4.25, parent and child and tree-root. All trusts shown are bidirectional and transitive, as they are by default in Windows Server 2008. Calico.cats.com has a trust relationship with Yellow.labs.dogs.com because of the trust path that extends through the three intervening domains (Cats.com, Dogs.com, and Labs.dogs.com). If Calico.cats.com has no reason to trust Yellow.labs.dogs.com, the cats must apply permissions to limit or block the access, because the default trusts inside a forest cannot be removed or restricted.
TEST DAY TIP
Remember that default Windows Server 2008 trust relationships are friendly. The default and most common trusts in Active Directory, which are parent and child and tree-root trusts, are both bidirectional and transitive, meaning that the trust path extends throughout the entire forest. You can remember this type of transitive trust with the old saying, "Any friend of yours is a friend of mine." Other types of Windows Server 2008 trusts exist, such as forest, shortcut, and external, each of which can be bidirectional or unidirectional and have different transitivity properties. One of the first things you should do when you sit down at the testing station is to write down the trusts and their properties on your scratch paper. Do this before starting the test so as not to waste valuable time.
Figure 4.25 The Transitive Trust (root domain Dogs.com with child domain Labs.dogs.com and its child Yellow.labs.dogs.com; tree root Cats.com with child domain Calico.cats.com; all trusts are transitive)
A trust is a logical authentication path between two domains. A trust path is the series of trusts that must be traversed between the source and destination of a resource request. Two trusts, tree-root and parent and child, are created by default when running the Active Directory Installation Wizard. You can create the other four trusts (shortcut, external, realm, and forest) as needed with the New Trust Wizard or the Netdom.exe command-line tool. When creating those four trusts, you have the option of creating two one-way relationships, simulating bidirectional capabilities. As with any use of passwords, it is a security best practice to use long, random, and complex passwords in the establishment of trusts. The best option is to use the New Trust Wizard to create both sides simultaneously, in which case the wizard generates a strong password for you. Naturally, you must have the appropriate administrative credentials in both domains for this to work.
We've been talking about two-way (bidirectional) trusts; but a trust can also be one-way (unidirectional). One-way trusts are created to allow more restrictive control over which users are allowed access to resources. For example, in Figure 4.26, a one-way trust is created between Domain X and Domain Y. Users in Domain X have access to resources in Domain Y. However, users in Domain Y do not have access to resources in Domain X. In this definition, Domain X is referred to as the trusted domain, and Domain Y is the trusting domain. A two-way trust allows users in either domain to have access to resources in the other domain.
One-way trusts must specify the direction of the trust. One-way trusts can be either incoming or outgoing, depending on whether the trust is created from the trusting or the trusted domain. Incoming trusts permit the users in the domain where the trust is created (the trusted domain) to access resources in the specified domain (the trusting domain). Users in the trusting domain do not have access, through this trust, to the resources in the trusted domain. (You can, however, create a second trust that goes the other way, to accomplish the same effect as a two-way trust.) Outgoing trusts allow the users in the specified domain (the trusted domain) to have access to resources in the originating domain (the trusting domain). Users in the originating domain do not have access to resources in the specified domain.
Figure 4.26 One-Way Trust (Domain X, the trusted domain, and Domain Y, the trusting domain, joined by a single one-way trust)
Another concept and set of terms to understand in regard to trusts is:
■ Implicit
■ Explicit
Implicit trusts are trusts that are created automatically by the nature of the built-in relationships between domains within a forest. These implicit trusts are two-way and transitive. Implicit trusts automatically exist between each domain that is created and its child domain(s). An implicit trust also exists between the forest root domain and the root domain of each additional domain tree in the forest (the tree-root trust); because every default trust in the forest is transitive, this is enough to connect every domain tree to every other.
An explicit trust is one that is created by an administrator; it does not exist automatically, but has to be explicitly created. For example, an administrator can create an explicit trust (in this case, called a shortcut trust) between any two child domains in different domain trees to provide a direct trust (and faster authentication) between them. Explicit trusts are also used to enable authentication across forests. When a forest trust is created, a transitive trust is created between the forest root domains in both forests. This allows all the members in the forest to exchange authentication information with the other forest. The forest trust is also called an explicit trust between the two forests. If an additional forest trust is created between one of the original forests and a third forest, an implicit trust with the other original forest is not established to the third forest. For the third forest to have a trust relationship with the other forest, an explicit forest trust must be created between the two (see Figure 4.27).
Figure 4.27 Implicit Trust (Forest 1 and Forest 2 are joined by a transitive two-way forest trust, as are Forest 2 and Forest 3; the implied trust between Forest 1 and Forest 3 does not exist)
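The direction and transitivity rules described above can be checked mechanically: access flows opposite to the trust, an external trust is a single nontransitive hop, the default trusts inside a forest chain freely, and a forest trust reaches the other forest but never a third one. The following Python model is an added example written for this edition, not Microsoft's trust-path code or anything from the original chapter; it models only the rules the chapter states (realm trusts and selective authentication are left out). The domain names reproduce Figures 4.24 and 4.25, while the forest root names used for Figure 4.27 are hypothetical placeholders.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One trust relationship, recorded the way the chapter defines direction:
    the trusting domain holds the resources, the trusted domain holds the users.
    A two-way trust is simply both directions at once."""
    trusting: str
    trusted: str
    kind: str              # parent_child, tree_root, shortcut, forest, external
    two_way: bool = False


def trust_edges(trusts):
    """Directed adjacency: trusting domain -> [(trusted domain, kind)]."""
    adj = {}
    for t in trusts:
        adj.setdefault(t.trusting, []).append((t.trusted, t.kind))
        if t.two_way:
            adj.setdefault(t.trusted, []).append((t.trusting, t.kind))
    return adj


def trust_path(trusts, user_domain, resource_domain):
    """Return the chain of domains an authentication referral walks from the
    resource domain back to the user's domain, or None if no trust path exists.
    Rules modelled:
      - direction: we walk trusting -> trusted, i.e. opposite to access;
      - an external trust is nontransitive: it may only be the single hop of a
        path and is never extended through;
      - parent/child, tree-root and shortcut trusts chain freely (transitive
        within the forest);
      - a forest trust is transitive into the other forest, but a path may
        cross at most one forest trust, so Forest 1 never reaches Forest 3."""
    if user_domain == resource_domain:
        return [resource_domain]
    adj = trust_edges(trusts)
    queue = deque([(resource_domain, [resource_domain], 0)])
    seen = {(resource_domain, 0)}
    while queue:
        node, path, forest_hops = queue.popleft()
        for nxt, kind in adj.get(node, []):
            if kind == "external" and len(path) > 1:
                continue                       # cannot chain into an external trust
            hops = forest_hops + (1 if kind == "forest" else 0)
            if hops > 1:
                continue                       # second forest trust: not transitive
            new_path = path + [nxt]
            if nxt == user_domain:
                return new_path
            if kind == "external":
                continue                       # nontransitive: cannot extend beyond it
            if (nxt, hops) not in seen:
                seen.add((nxt, hops))
                queue.append((nxt, new_path, hops))
    return None


# Constructed trust sets following Figures 4.24, 4.25 and 4.27 (the forest
# root names in FIGURE_4_27 are hypothetical).
FIGURE_4_24 = [
    Trust("Cats.com", "Dogs.com", "external"),   # Cats.com trusts Dogs.com, one-way
    Trust("Dogs.com", "Fish.com", "external"),   # Dogs.com trusts Fish.com, one-way
]

FIGURE_4_25 = [
    Trust("Dogs.com", "Labs.dogs.com", "parent_child", two_way=True),
    Trust("Labs.dogs.com", "Yellow.labs.dogs.com", "parent_child", two_way=True),
    Trust("Dogs.com", "Cats.com", "tree_root", two_way=True),
    Trust("Cats.com", "Calico.cats.com", "parent_child", two_way=True),
]

FIGURE_4_27 = [
    Trust("forest1.example", "child.forest1.example", "parent_child", two_way=True),
    Trust("forest1.example", "forest2.example", "forest", two_way=True),
    Trust("forest2.example", "forest3.example", "forest", two_way=True),
]


if __name__ == "__main__":
    print(trust_path(FIGURE_4_24, "Dogs.com", "Cats.com"))   # ['Cats.com', 'Dogs.com']
    print(trust_path(FIGURE_4_24, "Fish.com", "Cats.com"))   # None: nontransitive
    print(trust_path(FIGURE_4_25, "Yellow.labs.dogs.com", "Calico.cats.com"))
    print(trust_path(FIGURE_4_27, "forest3.example", "child.forest1.example"))  # None
```

The path returned for Figure 4.25 is five domains long, which is the three intervening domains the chapter counts plus the two endpoints; adding a shortcut trust between Calico.cats.com and Yellow.labs.dogs.com to FIGURE_4_25 shortens it to two.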
TEST DAY TIP On the day of the test, you will want to review the types of trusts as well as when to use them. On the exam, you might be given a scenario that will require you to determine the type of trust that will best meet the requirements in the scenario.
The primary advantage of Active Directory trust relationships is that administrators no longer need to create multiple user accounts for each user who needs access to resources within each domain. Administrators can now add the users of the other domains to their access control lists (ACLs) to control access to a resource. To take full advantage of these relationships, the administrator must know about the various types of trust that exist, and when to use them.
Default Trusts
When the Active Directory Installation Wizard is used to create a new domain within an existing forest, one of two default trusts is created: a parent and child trust when the new domain is a child of an existing domain, or a tree-root trust when the new domain starts a new domain tree. Four additional types of trusts can be created using the New Trust Wizard or the command-line utility netdom. The default trust relationships inside a Windows 2000, Windows Server 2003, and Windows Server 2008 forest are transitive, two-way trusts. A parent and child trust is a transitive, two-way trust relationship. It allows authentication requests made in the child domain to be validated in the parent domain. Because the trusts are transitive, these requests pass upward from child to parent until they reach the root of the domain namespace. This relationship allows any user in the forest to access any resource in any domain of the forest, provided the user has been granted the proper permissions. The second default trust, the tree-root trust, is created between the forest root domain and the root domain of each new domain tree added to the forest. It joins the separate namespaces into one forest, so that authentication can pass from one tree to another through the forest root. This trust is created automatically when the new tree-root domain is created; it is especially important in large organizations that have multiple domain trees, each with several levels of child domains.
Forest Trusts
A forest trust can only be created between the root domains in two forests. Both forests must be at the Windows Server 2003 forest functional level or higher, which means every DC in both forests runs Windows Server 2003 or Windows Server 2008. These trusts can be one- or two-way trusts. They are considered transitive trusts because the child domains inside each forest can authenticate across the forest trust to access resources in the other forest.
EXAM WARNING
Although the trust relationship is considered transitive, this applies only to the domains within the two forests explicitly joined by the forest trust. The transitivity does not extend to a third forest unless you create another explicit forest trust (see Figure 4.27).
Forest trusts help to manage the Active Directory infrastructure. They simplify the management of resources between two forests by reducing the required number of external trusts. Instead of needing multiple external trusts, a two-way forest trust between the two root domains will allow full access between all the affected domains. Additionally, the administrator can take advantage of both the Kerberos and NTLM authentication protocols to transfer authorization data between forests. Forest trusts can provide complete two-way trusts with every domain within the two forests. This is useful if you have created multiple forests to secure data within the forest or to help isolate directory replication within each forest.
External Trusts You use an external trust when you need to create a trust between domains outside of your forest. These trusts can be one- or two-way trusts. They are always nontransitive in nature. This means you have created an explicit trust between the two domains, and domains outside this trust are not affected. You can create an external trust to access resources in a domain in a different forest that is not already covered by a forest trust (see Figure 4.28).
EXAM WARNING
You will always need to create an external trust when connecting to a Windows NT 4.0 or earlier domain. These domains are not eligible to participate in Active Directory. If you have worked with Windows NT 4.0, you will remember that the only trusts allowed were nontransitive one-way trusts, so access in both directions between an NT 4.0 domain and an Active Directory domain requires two one-way external trusts.
After the trust has been established between a domain in a forest and a domain outside the forest, the security principals from the domain outside the forest will be able to access the resources in the domain inside the forest. Security principals can be the users, groups, computers, or services from the external domain. They are account holders that are each automatically assigned a SID, which is used to control access to the resources in the domain. Active Directory in the domain inside the forest will then create foreign security principal objects representing each security principal from the trusted external domain that is added to one of its groups. You can use these foreign security principals in domain local groups. This means that the domain local groups can have members from the trusted external domain. You use these groups to control access to the resources of the domain. The foreign security principals can be seen in the ForeignSecurityPrincipals container in Active Directory Users and Computers. Because Active Directory creates them automatically, you should not attempt to modify them.
Shortcut Trusts
Shortcut trusts are transitive in nature and can be either one-way or two-way. These are explicit trusts that you create when the need exists to optimize ("shortcut") the authentication process. Without shortcut trusts in place, authentication travels up and down the domain tree using the default parent and child trusts, or by using the tree-root trusts. In large, complex organizations that use multiple trees, this path can become a bottleneck when authenticating users. To optimize access, the network administrator can create an explicit shortcut trust directly to the target domain (see Figure 4.29).
Figure 4.29 Shortcut Trust (a shortcut trust between two domains in different trees of Forest 1)
You use these trusts when user accounts in one domain need regular access to the resources in another domain. Shortcut trusts can be either one- or two-way. You should establish one-way shortcut trusts when the users in one domain need access to resources in the other domain, but those in the second domain do not need access to resources in the first domain. You should create two-way trusts when the users in both domains need access to the resources in the other domain. The shortcut trust will effectively shorten the authentication path, especially if the domains belong to two separate trees in the forest.
SID Filtering
One security concern when using trusts is an administrator of the trusted domain, or an attacker who has obtained administrative credentials there, abusing that position against the trusting domain. Whoever controls the trusted domain controls its directory database, and can write the SID of a privileged group from the trusting domain (for example, its Domain Admins group) into the SIDHistory attribute of an account in the trusted domain. When that account authenticates across the trust, the injected SID travels with its authorization data and grants it full access to the trusting domain's resources. This type of threat is called an elevation of privilege attack. The security mechanism used by Windows Server 2003 and Windows Server 2008 to counter an elevation of privilege attack is SID filtering. SID filtering verifies that the authorization data in an authentication request coming in from the trusted domain contains only SIDs belonging to the trusted domain itself, including the SIDs carried in the SIDHistory attribute of a security principal.
NOTE Security principal is a term used to describe any account that has a SID automatically assigned. Examples of security principals are users, groups, services, and computers. Part of each security principal is the domain SID to identify the domain in which the account was created.
SID filtering uses the domain SID to verify each security principal. If a security principal includes a SID whose domain part is not the trusted domain's SID, the SID filtering process removes the SID in question. This is done to protect the integrity of the trusting domain, and it prevents the malicious user from elevating his or her privileges or those of other users. There are some potential problems associated with SID filtering. A user whose SIDHistory contains SIDs from a domain other than the trusted one (typically an account migrated from an older domain) will be denied access to resources in the trusting domain that are still protected by those old SIDs. This can also be a problem when universal groups are used; universal groups should be verified to contain only users that belong to the trusted domain. You can disable SID filtering if there is a high level of trust for all administrators in the affected domains, there are strict requirements to verify all universal group memberships, and any migrated users need their SIDHistories preserved. To disable SID filtering on an external trust, use the netdom command, for example netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:No. Be aware that doing so reopens the SIDHistory attack described above, so disable it only for the specific trust that requires it and re-enable it (/quarantine:Yes) once the migration is complete.
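The following Python model shows what SID filtering does to the authorization data of a cross-trust logon, first for the SIDHistory injection described above and then for the legitimate migrated-user case that filtering breaks. It is an added example for this edition and not Windows code: the domain SIDs and RIDs are constructed values, the ACL check is a toy, and well-known SIDs such as Everyone are deliberately out of scope.

```python
import re

# Domain-scoped account SIDs look like S-1-5-21-<d1>-<d2>-<d3>-<RID>;
# the domain SID is everything before the final RID.
_ACCOUNT_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def domain_sid(sid):
    """Domain identifier of an account SID (the SID minus its RID)."""
    if not _ACCOUNT_SID.match(sid):
        raise ValueError(f"not a domain account SID: {sid}")
    return sid.rsplit("-", 1)[0]


def sid_filter(auth_sids, trusted_domain_sid):
    """Quarantine-style SID filtering as applied by the trusting domain to the
    authorization data arriving over a trust: every SID whose domain part is
    not the trusted domain's SID is dropped. Returns (kept, dropped)."""
    kept, dropped = [], []
    for sid in auth_sids:
        (kept if domain_sid(sid) == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def access_granted(auth_sids, allowed_sids):
    """Toy ACL check: access is granted when any SID in the authorization
    data appears in the resource's allow list."""
    return any(sid in allowed_sids for sid in auth_sids)


# Constructed domain SIDs (hypothetical values).
TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # partner domain
TRUSTING_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # our domain
OLD_DOMAIN_SID = "S-1-5-21-7777777777-8888888888-9999999999"       # retired source domain

# Elevation of privilege attempt: an account in the trusted domain whose
# SIDHistory has been seeded with OUR Domain Admins SID (RID 512).
INJECTED_TOKEN = [
    TRUSTED_DOMAIN_SID + "-1105",   # the user's own SID
    TRUSTED_DOMAIN_SID + "-513",    # Domain Users of the trusted domain
    TRUSTING_DOMAIN_SID + "-512",   # Domain Admins of the trusting domain, via SIDHistory
]

# Legitimate migrated user whose SIDHistory still carries the SID from the
# domain the account was migrated out of, so old ACLs keep working.
MIGRATED_TOKEN = [
    TRUSTED_DOMAIN_SID + "-1106",
    TRUSTED_DOMAIN_SID + "-513",
    OLD_DOMAIN_SID + "-1042",
]

ADMIN_ONLY_RESOURCE = {TRUSTING_DOMAIN_SID + "-512"}   # ACL: Domain Admins only
LEGACY_RESOURCE = {OLD_DOMAIN_SID + "-1042"}           # ACL still names the old SID


if __name__ == "__main__":
    kept, dropped = sid_filter(INJECTED_TOKEN, TRUSTED_DOMAIN_SID)
    print("dropped:", dropped)                                               # the injected 512
    print("admin access, no filtering:", access_granted(INJECTED_TOKEN, ADMIN_ONLY_RESOURCE))  # True
    print("admin access, filtered:   ", access_granted(kept, ADMIN_ONLY_RESOURCE))            # False
    kept, dropped = sid_filter(MIGRATED_TOKEN, TRUSTED_DOMAIN_SID)
    print("migrated user legacy access, filtered:", access_granted(kept, LEGACY_RESOURCE))    # False
```

The second run is the trade-off the text warns about: the same rule that strips the injected Domain Admins SID also strips a migrated user's genuine old-domain SID, which is why disabling filtering is sometimes requested during migrations and why it should be re-enabled afterwards.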
Summary of Exam Objectives The logical structure of the network is defined by forests and domains, with domains organized into domain trees in which subdomains (called child domains) can be created under parent domains in a branching structure. Domains are logical units that hold users, groups, computers, and OUs (which in turn can contain users, groups, computers, and other OUs). Forests are collections of domain trees that have trust relationships with one another, but each domain tree has its own separate namespace. Aspects of the physical structure include sites, servers, roles, and links. An Active Directory always begins with a forest root domain, which is automatically the first domain that you install. This root domain becomes the foundation for additional directory components. The domain is the starting point of Active Directory. It is the most basic component that can functionally host the directory. Simply put, Active Directory uses the domain as a container of computers, users, groups, and other object containers. Objects within the domain share a common directory database partition, replication boundaries and characteristics, security policies, and security relationships with other domains. The process of creating the forest and domain structure is centered on the use of the Active Directory Installation Wizard, which is also known as the dcpromo utility. In Windows NT 4.0, the domain had only one authoritative source for domainrelated information: the primary DC, or PDC. The implementation of Active Directory brought the multimaster model, where objects and their properties could be modified on any DC and become authoritative through replication conflict resolution measures. The problem with the multimaster architecture is that some domain and enterprise-wide operations are not well suited for it. The best design placed those functions on a single DC within the domain or forest, and Microsoft created the Active Directory FSMO roles. 
The Active Directory supports five operations master roles: the Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master. Two of these operate at the forest level only: the Schema Master and the Domain Naming Master. Conversely, the RID Master, PDC Emulator, and Infrastructure Master operate at the domain level. You can use the ntdsutil.exe command-line utility to transfer FSMO roles, or you can use an MMC snap-in tool. Depending on which role you want to transfer, you need to use one of the following three MMC snap-in tools: Active Directory Schema, Active Directory Domains and Trusts, or Active Directory Users and Computers. To seize a role, you must use the ntdsutil utility. If the role holder cannot be contacted due to a hardware malfunction or long-term network failure, the role must be seized. After you seize a role, the old DC that hosted it should never be brought back online.
This is especially true of the Schema Master, Domain Naming Master, and RID Master roles.
The GC server is one of the most important roles played by one or more DCs in your network. It might not appear to do much on the surface, but the GC is responsible for helping to resolve names for objects throughout your forest. The GC server holds a full copy of all the objects in the domain in which the server is located, and a partial replica of every other domain in the forest. The information that the GC holds from other domains is the set of attributes most commonly searched for. This limited but frequently accessed information makes queries very efficient. GC servers are responsible for UPN authentication. When a user logs on using the UPN, the GC is queried to locate the user account and a DC in the appropriate domain. GC servers are also responsible for answering queries against Active Directory. If a user wants to locate another person within the organization, that user could use his workstation to search Active Directory. The queries are sent to TCP port 3268 (or 3269 for LDAP over SSL), which is used for GC communication. You must consider placement of GC servers early in the design process for your network. If you don't determine where you do and do not need a GC server and plan accordingly, you could have communication problems and users could be adversely affected. A good rule of thumb is that if a location has more than 50 users, a DC is needed at that location. Dividing the network into sites makes a difference in how replication traffic is handled in regard to GC information. Replication within a site (intrasite replication) is handled differently than replication between different sites (intersite replication). Placement of GC servers within every site might not be necessary, but you should keep track of how much bandwidth computers are using. GC queries in large quantities can tie up significant bandwidth.
Active Directory trust relationships come in many flavors to meet the needs of the situation where users in one domain need access to the resources in another domain. First, there are the default trusts created between parent and child domains and between the forest root and each tree root. These trusts are automatically created to simplify usage of resources in a forest. The network administrator can create additional types of trusts, such as external, shortcut, realm, and forest trusts. External trusts link a domain in your forest to a domain outside it, including Windows NT 4.0 domains. Shortcut trusts shorten the authentication paths needed to authenticate users between domains in the same forest. Realm trusts connect a non-Windows Kerberos realm to a Windows Server 2003 or Windows Server 2008 domain. Forest trusts link forests together in the enterprise. As you create these additional trust types, you can determine whether the trust will work in one direction only, or in both directions. When the trust works in both directions, it is called a two-way or bidirectional trust, and users in both domains have access to resources in both domains.
Another issue is whether the trust is transitive. A transitive trust "passes" through one trusted domain to another. A transitive trust implies a trust relationship when more than two domains are involved. If Domain A trusts Domain B and Domain B trusts Domain C, Domain A trusts Domain C. This is sometimes not the effect you want when creating trusts. The administrator has control over the transitive nature of the trust. As a further protection, SID filtering strips SIDs that do not belong to the trusted domain from incoming authorization data, so that an administrator of a trusted domain cannot use SIDHistory to claim privileges in your domain. Finally, this chapter also explained the role of sites, and discussed the relationship of sites to other Active Directory components. We showed you how to create sites and site links, and explained site replication. This chapter enables you to become familiar with exam objectives covering such topics as the various roles and services offered by Active Directory sites.
Exam Objectives Fast Track
Working with Forests and Domains
˛ You should know what type of domain you want to install before you begin, and the namespace it will use.
˛ To improve a domain's reliability, you should always create at least two DCs in each domain.
˛ The first DC that you install in the forest is the root DC. It is responsible for the GC and for all five FSMO roles. Some roles can later be transferred to other DCs for performance and diversification.
Working with Sites
˛ Sites are used for optimizing the authentication process, by reducing authentication traffic across slow, high-cost WAN links.
˛ Subnets are associated with sites so that clients and DCs are mapped to the physical network location they are in and clients find a DC in their own site.
˛ The primary role of sites is to increase the performance of a network, which is achieved by economic and rapid transmission of data.
˛ Replication transfers data from a data store on a source computer to an identical data store on a destination computer.
˛ The KCC is a process that runs on every DC and builds the replication topology by creating connection objects.
˛ The process of associating a subnet with a site notifies Active Directory sites about the physical networks that are represented by the site.
˛ Cost is the value used to calculate site links by comparing one to others, in terms of speed and reliability charges.
Working with Trusts
˛ Active Directory trust relationships allow users in one domain to access resources in another domain without having to create additional accounts in the domain with the resources.
˛ Whenever a child domain is created, two-way transitive trusts are automatically created between the parent and the child.
˛ Forest trusts are created between the root domains of two forests to allow users in one forest to access resources in the other forest.
˛ SID filtering is a security device that uses the domain SID to verify each security principal.
Exam Objectives Frequently Asked Questions

Q: What is the big deal about raising the functional levels of my domains and forests? Shouldn’t I raise the levels as soon as they meet the prerequisites?
A: No. Remember that functional levels, once raised, cannot be lowered again. In addition, some situations are better suited to skipping a level, rather than raising to one level and then the other. In this case, known future restructuring and upgrade activities should be considered before raising functional levels.
Q: How much of the Active Directory design stage should be complete before I install my first DC?
A: Primarily, the DNS design should be complete, and the decision should be made about how the forest-root domain will be used. Additional DCs and domains can be added later. FSMO roles and GCs can be shifted as needed, and trusts with other forests and external domains can be added later. Essentially, the first DC that you install should be in a lab environment. From that perspective, you should install your first DC for testing and training purposes as soon as possible.
Q: If every FSMO role can be seized by another DC upon failure, why would I want to spread the roles out among different machines?
A: There are several reasons. Chief among these are the associated risks of seizing roles. Lost or corrupted directory data can result from FSMO failures, especially if the malfunctioning machine ever comes back online. Seizing roles should not be considered a routine operation. Another consideration is performance. Each role exacts a certain amount of CPU and memory overhead, and your servers might perform better if roles are spread among multiple systems. If that weren’t enough, some roles and functions should not coexist on the same DC, such as the Infrastructure Master and the GC. FSMO placement should not be ignored, and this knowledge will be important on the test.
Q: What are the differences between external, realm, and shortcut trusts?
A: An external trust is created to establish a relationship with a domain outside your tree or forest. A realm trust is created to establish a relationship with a non-Microsoft network using Kerberos authentication. A shortcut trust is used to optimize the authentication process.
Q: What type of trust needs to be created between the root domain and a domain that is several layers deep inside the same tree?
A: None. Transitive two-way trusts are automatically created between the layers of the tree structure. A root trust is also created automatically so that any child domain has a shortcut to the root domain.
Q: What is the difference between implied, implicit, and explicit trusts?
A: An implicit trust is one that is automatically created by the system. An example is the trusts created between parent and child domains. An explicit trust is one that is manually created. An example is a forest trust between two trees. An implied trust is one that is implied because of the transitive nature of trusts. An example is the trust between two child domains that are in different trees, where a forest trust was created between the roots of the trees.
Q: What exactly does SID filtering accomplish?
A: SID filtering is used to secure a trust relationship where the possibility exists that someone in the trusted domain might try to elevate his or her own or someone else’s privileges.
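The trust properties that the chapter summary and the trust questions above describe (direction, transitivity, SID filtering, selective authentication) can be checked for every trust a domain holds. The script below is an added example, not from the book; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2012 or later), and the cmdlet and property names used are those exposed by that module.

```powershell
# Added example, not from the book: audit every trust the domain has for the properties
# discussed above (direction, transitivity, SID filtering, selective authentication).
# Assumes the ActiveDirectory module (RSAT for Windows Server 2012 or later); Get-ADTrust and
# the property names used here come from that module.
Import-Module ActiveDirectory

function Get-TrustAudit {
    param([string]$Server)   # optional DC or domain to query; defaults to the current domain

    $query = @{ Filter = '*' }
    if ($Server) { $query.Server = $Server }

    foreach ($t in Get-ADTrust @query) {
        # External trusts carry SIDFilteringQuarantined (netdom /quarantine); forest trusts report
        # SIDFilteringForestAware. Either one set means SIDs from outside the trusted domain/forest
        # are dropped from the token, which is the protection the chapter describes.
        $sidFiltered = [bool]$t.SIDFilteringQuarantined -or [bool]$t.SIDFilteringForestAware
        $transitive  = -not [bool]$t.DisallowTransivity   # property is spelled this way by the module

        $finding = 'OK'
        if (-not $t.IntraForest -and -not $sidFiltered) {
            $finding = 'SID filtering off on a trust that leaves the forest: review'
        }
        elseif (-not $t.IntraForest -and $t.Direction -eq 'BiDirectional' -and -not $t.SelectiveAuthentication) {
            $finding = 'Two-way trust beyond the forest without selective authentication: confirm both directions are needed'
        }

        [pscustomobject]@{
            Target        = $t.Target
            TrustType     = $t.TrustType         # Uplevel, Downlevel, MIT (Kerberos realm)
            Direction     = $t.Direction         # Inbound, Outbound, BiDirectional
            IntraForest   = $t.IntraForest
            Transitive    = $transitive
            ForestWide    = $t.ForestTransitive
            SelectiveAuth = $t.SelectiveAuthentication
            SIDFiltering  = $sidFiltered
            Finding       = $finding
        }
    }
}

Get-TrustAudit | Format-Table -AutoSize
```

Run it from a DC or an RSAT workstation of the domain being audited; intra-forest (parent/child, tree root) trusts always appear, so the Finding column only flags trusts that cross the forest boundary.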
Q: How do you change the time the KCC runs?
A: The KCC, which manages connection objects for inter- and intrasite replication, runs every 15 minutes by default. To change this, start regedit and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry. Then, from the Edit menu, select New, DWORD Value.
Q: How do I move a server to a different site?
A: If the sites and subnets are configured, new servers are automatically added to the site that owns the subnet. However, a server can be manually moved to a different site. To perform this task, start the Active Directory Sites and Services. Expand the site that currently contains the server, and expand the Servers container. Right-click the server and select Move from the context menu. There will be a list of all the sites. Select the new target site, and click OK.
Q: How can a server belong to more than one site?
A: By default, a server belongs to only one site. However, you can configure a server to belong to multiple sites. Because sites are necessary for replication, for clients to find resources, and to decrease traffic on intersite connections, simply modifying a site’s membership might cause performance problems. To configure a server for multiple site membership, log on to the server you want to join multiple sites. Start regedit or regedt32. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Registry entry, select Add Value from the Edit menu, enter the name Site Coverage and a REG_MULTI_SZ value, and click OK. Next, enter the names of the sites to join, each on a new line. (Press Shift + Enter to move to the next line.) Click OK. Close the Registry Editor.
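The two Registry edits in the preceding answers (the KCC interval under NTDS\Parameters and the site coverage list under Netlogon\Parameters) can be made from PowerShell on the DC. The script below is an added example, not from the book. The Registry keys are the ones the answers name; the value names are an assumption taken from Microsoft’s documentation rather than from the page: the KCC interval value is Repl topology update period (secs), a REG_DWORD defaulting to 900, and the documented Netlogon value name is written SiteCoverage without a space. The site names are constructed.

```powershell
# Added example, not from the book: the two Registry edits described above, done from PowerShell.
# Keys come from the answers above; value names are assumptions from Microsoft documentation:
#   NTDS\Parameters     "Repl topology update period (secs)"  REG_DWORD, default 900 (15 minutes)
#   Netlogon\Parameters "SiteCoverage"                        REG_MULTI_SZ, one site name per entry
$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-KccInterval {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidateRange(60, 86400)][int]$Seconds)

    $name = 'Repl topology update period (secs)'
    $current = (Get-ItemProperty -Path $ntdsKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = 900 }   # an absent value means the 15-minute default
    if ($PSCmdlet.ShouldProcess("$ntdsKey\$name", "change from $current to $Seconds seconds")) {
        # -Force overwrites an existing value; DWord matches the "DWORD Value" the answer asks for
        New-ItemProperty -Path $ntdsKey -Name $name -Value $Seconds -PropertyType DWord -Force | Out-Null
    }
}

function Set-SiteCoverage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$Sites)

    $name = 'SiteCoverage'
    if ($PSCmdlet.ShouldProcess("$netlogonKey\$name", "cover sites: $($Sites -join ', ')")) {
        # MultiString is REG_MULTI_SZ: each array element becomes one line of the value
        New-ItemProperty -Path $netlogonKey -Name $name -Value $Sites -PropertyType MultiString -Force | Out-Null
    }
}

# -WhatIf prints what would change without touching the Registry; drop it to apply.
Set-KccInterval -Seconds 600 -WhatIf
Set-SiteCoverage -Sites 'Default-First-Site-Name', 'BranchOffice' -WhatIf   # constructed site names
```

The SiteCoverage list is read by the Netlogon service, so the DC typically starts registering SRV records for the extra sites only after that service is restarted; as the answer warns, covering more sites pulls more authentication and replication traffic to this DC, so test the change in a lab first.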
Q: How do I disable site link transitivity?
A: Site links are bridged together to make them transitive so that the KCC can create connection objects between DCs. We can disable site link transitivity manually by bridging specific site links. Start the Active Directory Sites and Services snap-in. (Select Administrative Tools | Active Directory Sites and Services from the Start menu.) Expand the Sites folder and expand the Inter-Site Transports folder. Right-click the protocol for which you want to disable transitivity (IP or SMTP), and select Properties. Clear the Bridge all site links checkbox, and click Apply.
Q: How do you rename a site?
A: When you install your first DC, the DC creates the default site, Default-First-Site-Name. This name isn’t very descriptive, so you might want to rename it. Start the Active Directory Sites and Services snap-in. (Select Administrative Tools | Active Directory Sites and Services from the Start menu.) Expand the Sites folder. Right-click the site that is to be renamed (e.g., Default-First-Site-Name), and select Rename. Enter the new name, and press Enter.
Q: I want to enable GC functionality on a DC. Where do I do that?
A: In the NTDS Settings Properties window on the General tab. You simply check the box next to Global Catalog and click OK.
Q: I have an office with only 10 users. Should I put a GC server at this location?
A: Probably not; Microsoft recommends that 50 or more users at a location constitutes the necessity for a local DC at that office.
Q: I am noticing a large amount of traffic between my corporate office and branch office. I recently added a GC server/DC at my branch office. Why all the extra traffic?
A: More than likely, you didn’t set up a site for each location. Having GC servers located in sites helps to control replication and should cut down on bandwidth usage. Data is compressed before being sent between sites, which keeps bandwidth usage down.
Self Test

1. A large company has just merged with yours. This organization has recently converted its internal network from IPv4 addressing to IPv6 to support a number of new network applications that required it. You must now begin to plan for IPv6 support on your own internal network. You are creating training materials for your junior networking staff. Which of the following features is built into IPv6 that was not required in IPv4?
A. Classless Inter-Domain Routing (CIDR)
B. IP Security through the use of IPSec
C. Network address translator (NAT)
D. Loopback IP addressing

2. Your IT manager wants you to link four divisions of the company through a ring of eight unidirectional cross-forest trusts. He uses this reasoning: If multiple forest trusts are established, authentication requests made in any domain of any forest can pass through multiple forest trusts, hence multiple Kerberos domains, on their way to their destination. Why is he wrong?
A. Although each cross-forest trust is transitive at the forest level, where all domains in both forests can authenticate, they are not transitive at the federated forest level as he suggests. The trust path cannot include more than one cross-forest trust.
B. Cross-forest trusts are not transitive, and will not allow pass-through authentication.
C. To create a mesh trust relationship between four forests, you need only four cross-forest trusts.
D. Cross-forest trusts are bidirectional, so only three trusts are needed to link all four forests. Completing the “ring” is not necessary.

3. What FSMO roles should exist in a child domain in a Windows Server 2008 forest? (Choose all that apply).
A. Schema Master
B. Domain Naming Master
C. PDC Emulator
D. RID Master
E. GC
F. Infrastructure Master

Correct Answers & Explanations: C, D, and F. Answer C is correct because the PDC Emulator FSMO role exists in each domain in an Active Directory forest. Answer D is correct because the RID Master FSMO role exists in each domain in an Active Directory forest. Answer F is correct because the Infrastructure Master FSMO role exists in each domain in an Active Directory forest.
Incorrect Answers & Explanations: A, B, and E. Answer A is incorrect because the Schema Master FSMO role exists only in the forest root domain. Answer B is incorrect because the Domain Naming Master FSMO role exists only in the forest root domain. Answer E is incorrect because the Global Catalog is not a FSMO role.

4. Your network operations center has identified excessive bandwidth utilization caused by authentication traffic in the root domain subnet, especially between Calico.cats.com and Labs.dogs.com. Your logical network is set up as shown in the diagram. What type of trust or trusts would you set up to alleviate the situation?
Question #4 Diagram (labels only): Dogs.com (Root Domain); Cats.com (Domain); Calico.cats.com (Child Domain); Labs.dogs.com (Child Domain); Yellow.labs.dogs.com (Child Domain); the domains are joined by transitive trusts.
A. Set up a bidirectional transitive parent and child trust between Calico.cats.com and Labs.dogs.com.
B. Set up a shortcut trust between Calico.cats.com and the forest root, and set up a second shortcut trust between Labs.dogs.com and the forest root.
C. Set up a shortcut trust between Calico.cats.com and Labs.dogs.com.
D. Set up two shortcut trusts between Calico.cats.com and Labs.dogs.com.
E. Set up a realm trust between Calico.cats.com and Labs.dogs.com.

5. Your company, mycompany.com, is merging with the yourcompany.com company. The details of the merger are not yet complete. You need to gain access to the resources in the yourcompany.com company before the merger is completed. What type of trust relationship should you create?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust

6. Your boss just informed you that your company will be participating in a joint venture with a partner company. He is very concerned about the fact that a trust relationship needs to be established with the partner company. He fears that an administrator in the other company might be able to masquerade as one of your administrators and grant himself privileges to resources. You assure him that your network and its resources can be protected from an elevated privilege attack. Along with the other security precautions that you will take, what will you tell your boss that will help him rest easy about the upcoming scenario?
A. The permissions set on the Security Account Manager (SAM) database will prevent the other administrators from being able to make changes.
B. The SIDHistory attribute tracks all access from other domains. Their activities can be tracked in the System Monitor.
C. The SIDHistory attribute from the partner’s domain attaches the domain SID for identification. If an account from the other domain tries to elevate its own or another user’s privilege, the SID filtering removes the SID in question.
D. SID filtering tracks the domain of every user who accesses resources. The SIDHistory records this information and reports the attempts to the Security log in the Event Viewer.
7. You recently completed a merger with yourcompany.com. Corporate decisions have been made to keep the integrity of both of the original companies; however, management has decided to centralize the IT departments. You are now responsible for ensuring that users in both companies have access to the resources in the other company. What type of trust should you create to solve the requirements?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree root trust

8. Robin is managing an Active Directory environment of a medium-size company. He is troubleshooting a problem with the Active Directory. One of the administrators made an update to a user object and another reported that he had not seen the changes appear on another DC. It was more than a week since the change was made. Robin checks the problem by making a change to another Active Directory object. Within a few hours, the change appears on a few DCs, but not on all of them. Which of the following is a possible cause for this problem?
A. Connection objects are not properly configured.
B. Robin has configured one of the DCs for manual updates.
C. There might be different DCs for different domains.
D. Creation of multiple site links between the sites.

9. James is a systems administrator for an Active Directory environment that consists of two dozen sites. The physical network environment is not fully routed, and James has disabled automatic site link transitivity. He now wants to set up three site links to be transitive, as they are physically connected to one another. Which of the following Active Directory objects is responsible for representing a transitive relationship between sites?
A. Additional sites
B. Additional site links
C. Bridgehead servers
D. Site link bridges
10. Steffi is an administrator of a medium-size organization responsible for managing Active Directory replication traffic. She finds an error in the replication configuration. How can she look for specific error messages related to replication?
A. Use the Active Directory Sites and Services administrative tool
B. Use the Disk Management tool
C. View the System log option in the Event Viewer
D. View the Directory Service log option in the Event Viewer
Self Test Quick Answer Key
1. B
2. A
3. C, D, and F
4. C
5. C
6. C
7. A
8. A
9. D
10. D
Chapter 5
MCTS/MCITP Exam 640
Understanding Group Policy

Exam objectives in this chapter:
■ Types of Group Policies
■ Group Policy Hierarchy
■ Creating and Linking GPOs
■ Controlling Application of Group Policies
■ GPO Templates

Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Chapter 5 • Understanding Group Policy
Introduction

One of the major advantages of Active Directory is its ability to offer authentication and identity management for users and computers. Although this is certainly a key component of Active Directory, one can argue that an even more important (and sometimes overlooked) component of Active Directory is its ability to centrally manage the experience of these users and computers. By offering a centralized management solution, we can take a majority of the “legwork” out of system administration. Group Policy makes it possible to perform a number of tasks, including:
■ Password enforcement
■ Auditing
■ Software deployment
■ Desktop management
■ Desktop security
For example, if you were the administrator of a 10,000-seat organization, would you prefer configuring the background and display settings on all 10,000 systems individually, or would you like to implement one set of rules—or one policy—and have it “pushed down” to these machines? How about patch management? Would you prefer to manually walk around a CD or DVD to each workstation to patch systems, or would you rather point machines (via a policy) to an update site, where you have preapproved these patches? Group Policy and “sites” are also a key component of Active Directory administration. Today people tend to work from home, work from the office, and travel to branch offices rather frequently. It may be important to manage each scenario differently. Again, it is much easier to manage these systems from a policy as opposed to individual system management. In this chapter, you will learn about the different types of policies available to you as an administrator, how to create and manage these policies, as well as key design principles, such as Group Policy Object (GPO) hierarchies.
Types of Group Policies

Group Policies allow you, the administrator, to manage users and computers in your Active Directory environment. Being able to enforce settings and configurations in your infrastructure allows you to do everything from dictate lockdown to empower users with simplicity. A wide-open infrastructure just doesn’t make sense in today’s world of viruses, Trojans, and network attacks. It just makes sense as an administrator to take advantage of Group Policy to manage your environment in a centralized fashion with ease and flexibility. There are two types of Group Policy:
■ Local Group Policy
■ Nonlocal Group Policy
A good amount of planning and testing should go into any Group Policy before it is deployed, but to get started you will need a thorough understanding of the types of Group Policies. We will discuss these in the following sections.
Local Group Policy

Local Group Policies exist on every machine. They are stored on each computer individually and affect the local machine and local users with their settings. The benefit of Local Group Policies is that if a machine does not belong to a domain a mechanism still exists to lock down the local workstation. In the past, only one Local Group Policy could exist per machine, but a new feature of Windows Vista and Windows Server 2008 is the Multiple Local Group Policy object (MLGPO). Traditional Local Group Policies have two configurable sections: a User Configuration section and a Computer Configuration section. MLGPOs further segment the User Configuration section to allow configuration based on user role. The new User Configurations come in three “flavors”:
■ Administrator
■ Non-Administrator
■ User-specific

Each person in an environment falls into one of two user roles: You are an administrator, calling the shots and controlling the environment, or a nonadministrator, living and working in the environment configured by the administrator. The Administrator role will include any user account that is part of the local Administrators group. The Non-Administrator role is every other user account on the local machine. Each user will apply either the Administrator or the Non-Administrator policy, but never both. The user-specific configuration allows the Administrator to configure additional settings for any individual user on the local machine. There can still only be one local Computer configuration policy per machine, and it will affect all users logging on. These flavors allow you the flexibility to control users on shared machines, where different types of users may be working on the same workstations throughout the day. This is a particularly useful feature in smaller working environments where sharing is frequent or environments where kiosks and common area machines may be predominant. The one large drawback of utilizing Local Group Policies is that they are configured per machine, which can result in a lot of running around for anyone to manage in larger environments. You cannot edit multiple Local Group Policies with the default Local Security Policy console from the Administrative Tools menu. The Local Security Policy console allows you to edit the traditional Local Group Policy. You must use a custom console for multiple Local Group Policies. See Exercise 5.1 for step-by-step details.
EXERCISE 5.1 ACCESSING MULTIPLE LOCAL GROUP POLICIES
1. Click Start | Run.
2. In the Open dialog box type mmc and click OK.
3. Click File | Add/Remove Snap-in.
4. Select Group Policy Object Editor from Available Snap-ins: and click Add (see Figure 5.1).
Figure 5.1 Adding the GPO Editor Snap-In
5. In the Select Group Policy Object window click Browse.
6. In the Browse for a Group Policy Object window select the Users tab (see Figure 5.2).
Figure 5.2 Configuring Multiple Local Group Policies
7. Select Non-Administrators and click OK.
8. In the Select Group Policy Object window click Finish.
9. In Add or Remove Snap-ins click OK.
10. In the console tree expand the Console Root and then expand Local Computer\Non-Administrators Policy.
11. Expand User Configuration | Administrative Templates | Control Panel and click on Add or Remove Programs.
12. In the Settings pane double-click Add or Remove Programs.
13. On the Setting tab select Enabled and click OK.
14. Close all windows and log on as a Non-Administrator account to test the configuration of the policy.
Local Group Policies can be very useful in large and small environments alike. With the new MLGPO user roles, workgroups are now offered greater flexibility, which contributes to ease of administration. Machines in larger environments that require isolation from the domain can now be locked down more readily as well. Because LGPOs are stored on the local computer, upholding the policies and maintaining consistency across machines can prove difficult. Running around from machine to machine making LGPO changes is something that can quickly fill an administrator’s day.
Non-Local Group Policy Objects

Non-local GPOs exist in Active Directory with the same purpose as LGPOs— lockdown and configuration. GPOs contain boatloads of settings and configuration options that allow you to depict user and workstation environments in your enterprise. So, for instance, you can perform action. Machines belonging to an Active Directory domain will download the GPOs affecting them from the domain controllers (DCs) in their domain and apply the policy settings. When you create a new GPO in the Active Directory environment it is broken down into a Group Policy Container (GPC) and a Group Policy Template (GPT). The GPC exists in Active Directory and contains version information, and the GPT is stored in the System Volume (SYSVOL) directory on each DC in the domain and contains the settings of a policy. The SYSVOL directory on the DCs is a shared directory which is replicated between DCs. This allows a client to authenticate against any DC and download the policies they require from that same DC. Because the SYSVOL directory is replicated throughout the domain environment, the clients receive a consistent copy of any GPO regardless of the DC they connect to. Another benefit in using SYSVOL as a storage location for GPOs is that regardless of where or how many times in Active Directory the GPO is referenced, only a single copy of the GPC and GPT needs to be stored. Just like LGPOs, all GPOs are divided into two configurable sections:
■ User Configuration
■ Computer Configuration
These sections each have Policies and Preferences that are configurable. It’s the combination of the User and Computer Configuration sections that make up a user’s environment on any given workstation in your enterprise.
EXAM WARNING
Know when Group Policies are processed.
Machine starts up:
1. Computer Configuration settings are applied.
2. Startup scripts run.
User logs on:
1. User Configuration settings are applied.
2. Logon scripts run.
Background refresh of changes takes place every 90 minutes for both the Computer and the User configurations. Only changes are applied, not the entire policy.
When you are configuring policies sometimes your policy will contain only User Configuration settings or only Computer Configuration settings, but not both. In these cases, it is a best practice recommendation to disable the unused portion of the policy. The benefit of doing so is that downloads will not take place unnecessarily. Normally, a computer will download all GPOs applied to it in Active Directory. The machine isn’t aware of how many settings exist in the policy until it actually gets to the GPT and pulls the files and applies them. If the GPT is empty for Computer settings, the machine will be initiating a download without cause. So, by disabling policy pieces not in use, you ultimately save your machines the trouble of downloading empty policies, as well as unnecessary network bandwidth use. A policy can also be disabled altogether. This is particularly useful when you suspect a policy of causing issues in your environment. You may disable a policy and then test to see if the unwanted effect is gone. If the issue is resolved you know that the policy was the root cause. If the undesired situation persists you can enable the policy and move on to the next one. This allows for easy troubleshooting without having to unlink policies in the Active Directory environment. Perform the following steps to adjust the status of a policy:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain where the policy exists—for example, The3Bears.com.
4. Expand Group Policy Objects.
5. Select the policy you would like to edit—for example, All Users Desktop Lockdown.
6. In the center pane click the Details tab.
7. Under GPO Status click the drop-down menu and select the desired option (see Figure 5.3):
■ All settings disabled
■ Computer configuration settings disabled
■ Enabled
■ User configuration settings disabled
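The GPO Status procedure above is easy to apply to one policy but tedious across a domain with hundreds of GPOs. The script below is an added example, not from the book, that finds GPOs whose unused side is still enabled and sets the status the best practice calls for. It assumes the GroupPolicy PowerShell module that ships with the Group Policy Management Console, and it relies on one assumption: a side whose AD and SYSVOL version counters are both 0 has never had a setting written to it.

```powershell
# Added example, not from the book: list GPOs whose unused side is still enabled and,
# on request, disable that side, as the best practice above recommends.
# Assumes the GroupPolicy module (installed with the Group Policy Management Console).
# Heuristic (assumption): a side whose AD and SYSVOL version counters are both 0 has never
# had a setting written to it. A side that was configured and later emptied keeps a non-zero
# version, so confirm with Get-GPOReport -ReportType Xml before treating it as "in use".
Import-Module GroupPolicy

function Get-GpoStatusRecommendation {
    param([string]$Domain)   # optional; defaults to the caller's domain
    $all = if ($Domain) { Get-GPO -All -Domain $Domain } else { Get-GPO -All }
    foreach ($g in $all) {
        $userEmpty     = ($g.User.DSVersion -eq 0)     -and ($g.User.SysvolVersion -eq 0)
        $computerEmpty = ($g.Computer.DSVersion -eq 0) -and ($g.Computer.SysvolVersion -eq 0)
        # GpoStatus is one of: AllSettingsEnabled, UserSettingsDisabled,
        # ComputerSettingsDisabled, AllSettingsDisabled
        $status = [string]$g.GpoStatus
        $userOff     = $status -in 'UserSettingsDisabled', 'AllSettingsDisabled'
        $computerOff = $status -in 'ComputerSettingsDisabled', 'AllSettingsDisabled'
        $wantUserOff     = $userOff -or $userEmpty
        $wantComputerOff = $computerOff -or $computerEmpty

        $target = 'AllSettingsEnabled'
        if ($wantUserOff -and $wantComputerOff) { $target = 'AllSettingsDisabled' }
        elseif ($wantUserOff)                   { $target = 'UserSettingsDisabled' }
        elseif ($wantComputerOff)               { $target = 'ComputerSettingsDisabled' }

        [pscustomobject]@{
            DisplayName   = $g.DisplayName
            Id            = $g.Id
            CurrentStatus = $status
            UserEmpty     = $userEmpty
            ComputerEmpty = $computerEmpty
            Recommended   = $target
            NeedsChange   = ($target -ne $status)
        }
    }
}

function Disable-GpoUnusedSides {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Domain)
    foreach ($r in Get-GpoStatusRecommendation -Domain $Domain | Where-Object NeedsChange) {
        if ($PSCmdlet.ShouldProcess($r.DisplayName, "GPO status $($r.CurrentStatus) -> $($r.Recommended)")) {
            $gpo = Get-GPO -Guid $r.Id
            $gpo.GpoStatus = $r.Recommended   # the string converts to Microsoft.GroupPolicy.GpoStatus
        }
    }
}

Get-GpoStatusRecommendation | Where-Object NeedsChange | Format-Table -AutoSize
Disable-GpoUnusedSides -WhatIf   # dry run; remove -WhatIf to apply the recommendations
```

Review the report before applying it: a GPO that is entirely empty on both sides is recommended for All settings disabled, which is exactly the troubleshooting state the text describes, so make sure such a policy is really unused rather than one still being authored.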
Figure 5.3 Configuring GPO Status Settings
EXAM WARNING Remember: It is a best practice recommendation to disable unused portions of Group Policies.
As you create policies in your environment, it is a good idea to name them in a way that is intuitive. You will find that months later when you return to a policy for whatever reason, it will be easier to figure out the intended purpose of the policy if you have created a descriptive naming convention and abided by it. To assist in the administrator’s quest for clarity, Microsoft has created a new “Comment” section within Group Policy. The Comment section is configured per policy, not per link, so each place in Active Directory where the policy is linked will reflect the same text in the Comment section. The Comment section gives you the opportunity to type in a few descriptive sentences about the Group Policy. You can really input whatever you like, but it may be a good idea to set up company standards around what belongs in this field. Some good suggestions would be to input text describing the author of the policy, who authorized the policy, the purpose of the policy, whom the policy should be affecting and why, and so on. To view the Comment field for a Group Policy, follow these steps:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain where the policy exists—for example, The3Bears.com.
4. Expand Group Policy Objects.
5. Select the policy you would like to view—for example, Smokey’s Team Lockdown.
6. In the center pane click the Details tab.
7. The Comment section is displayed on this tab. See Figure 5.4.
Figure 5.4 Comment Section of a Group Policy
To edit/enter text into the Comment field follow these steps:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain where the policy exists—for example, The3Bears.com.
4. Expand Group Policy Objects.
5. Select the policy you would like to edit—for example, Smokey’s Team Lockdown.
6. Right-click on the policy and select Edit.
7. In the Group Policy Management Edit window right-click the name of the policy and click Properties. See Figure 5.5.
8. Select the Comment tab to edit/enter text. See Figure 5.6.
Figure 5.5 Selecting the Properties of a Group Policy
Figure 5.6 Entering or Editing Comments on a Group Policy
The Comment field is also available on each Administrative Template setting within a Group Policy. If there are things you need to remember about a setting, or if there is information that would prove useful to other administrators about how something is configured, a comment at the policy level may be too broad. You can take advantage of the setting level Comment field to document additional details. Just remember that the field exists only on Administrative Template settings and will not be visible on Software Settings, Windows Settings, or any Preferences for both User and Computer Configuration. To view the Comment tab at the setting levels right-click a setting within a policy and click Properties. See Figure 5.7.
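The company standard for the policy-level Comment field suggested above (author, approver, purpose, scope) can be checked and applied in bulk. The script below is an added example, not from the book. It assumes the GroupPolicy PowerShell module, and it assumes, from that module’s documentation, that the policy-level Comment shown on the Details tab is exposed by Get-GPO as the writable Description property. The policy name matches the book’s example; the author and approver values are constructed.

```powershell
# Added example, not from the book: report GPOs with no policy-level comment and write a
# comment that follows a fixed convention. Assumes the GroupPolicy module and that the
# Details-tab Comment is the Gpo object's Description property (assumption from the module docs).
Import-Module GroupPolicy

function Get-GpoWithoutComment {
    Get-GPO -All |
        Where-Object { [string]::IsNullOrWhiteSpace($_.Description) } |
        Select-Object DisplayName, Id, Owner, CreationTime, ModificationTime
}

function Set-GpoComment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Author,
        [Parameter(Mandatory = $true)][string]$ApprovedBy,
        [Parameter(Mandatory = $true)][string]$Purpose,
        [Parameter(Mandatory = $true)][string]$Scope
    )
    $gpo = Get-GPO -Name $Name
    # One line per item of the convention; the text is stored once in the GPC, so every
    # link of this policy shows the same comment, as the text above explains.
    $comment = @"
Author: $Author
Approved by: $ApprovedBy
Purpose: $Purpose
Applies to: $Scope
Last reviewed: $(Get-Date -Format yyyy-MM-dd)
"@
    if ($PSCmdlet.ShouldProcess($gpo.DisplayName, 'set policy-level comment')) {
        $gpo.Description = $comment
    }
}

Get-GpoWithoutComment | Format-Table -AutoSize
Set-GpoComment -Name "Smokey's Team Lockdown" -Author 'J. Doe' -ApprovedBy 'Change board' `
    -Purpose 'Lock down Control Panel for the team' -Scope 'Users in the Smokey OU' -WhatIf
```

Setting-level comments on Administrative Template settings are not reachable this way; they live inside the GPO’s registry.pol comment file and are edited in the Group Policy Management Editor as the text describes.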
Figure 5.7 Setting Level Comment Field
Preferences
A new feature of Group Policy in Windows Server 2008 is the ability to configure Preferences. Preferences allow you to configure many settings in a user’s environment that are not available via traditional Group Policies. Things that were traditionally configured in logon scripts such as printers, mapped network drives, and shortcuts can now be set via Preferences. These new settings are extremely interesting in that what you configure is not enforced. When a setting is enforced users cannot change the enforced value and the option to modify the setting will appear grayed out. With Preferences the settings are configured by the policy; however, the values are not grayed out and the user can modify the values at any time. For instance, if a user has a shortcut icon created via Preferences, the user retains the ability to edit or delete the shortcut icon. If a policy is removed for any reason the configuration does not revert, but instead remains as the policy left it. Because the user is not restricted from changing the setting, the user can edit it at any time. By default, Preferences are refreshed when Group Policy refreshes, but this can be configured on a per-Preference basis. You can also configure the Preferences in a policy to be applied just once. This can be useful for policies that normally don’t require adjustment after their initial configuration, such as Environmental Values or Power Settings. Each Preference has a Common tab which allows you to configure options (see Figure 5.8).
Figure 5.8 Common Tab Options for Preferences
Another exciting feature of Preferences is the ability to perform targeting. Targeting allows you to select which users and machines the Preference will apply to. Instead of using mechanisms available in Group Policies, such as Security Filtering and WMI Filtering, Preferences take things to a new level. Security Filtering uses permissions to allow specific users, computers, and groups to apply a policy. WMI Filtering uses information about the computer, such as operating system or free disk space, to determine whether the policy should apply. Both of these mechanisms determine whether a policy in its entirety should apply. So, either all the settings in a policy apply, or none of the settings apply. With Preferences, there is more flexibility in defining the audience for a policy than with Security Filtering and WMI Filtering. Within Preferences exists a whole slew of criteria that can be combined to target the smallest to the largest groups of users and computers. Settings such as CPU Speed, Free Disk Space, Language, IP Address Range, and Operating System are examples of the granularity that can be achieved within the Targeting Editor (see Figure 5.9). Also, targeting of different groups for different settings can be performed from within a single policy. Because targeting is configured per Preference setting in a single policy you can have Printer A which pushes to IP Address Range 192.168.1.25-192.168.1.125 and Printer B which pushes to IP Address Range 192.168.1.126–192.168.1.199, as depicted in Figure 5.10.
Figure 5.9 Targeting Editor
Figure 5.10 Utilizing Preference Targeting
EXAM WARNING Group Policy settings are enforced and Preferences are simply set. Users are allowed to modify a Preference after it has been configured on their workstations. If your goal is lockdown, Preferences are not the appropriate mechanism to employ.
Network Location Awareness
In today’s disparate world, the reality is that users in a large enterprise may be connecting into the domain from a variety of places across a variety of bandwidth types. In situations where the bandwidth may be limited there are certain policy settings that you would not want traversing the wire. Software Policies are a good example of a Group Policy setting that just doesn’t work in low-bandwidth situations. Office 2007 installing across a T1 line to 40 users in a satellite office should only ever occur in an administrator’s nightmare, not on his or her network. To allow Group Policy to determine what types of settings are appropriate based on the bandwidth of the connected user, Microsoft has built a new feature into Windows Vista and Windows Server 2008, called Network Location Awareness. In previous operating systems, network bandwidth was detected utilizing the Internet Control Message Protocol (ICMP). Essentially, ping packets sent across the network would determine whether a connection was deemed “slow.” This proved to be a less-than-perfect solution because in many situations, users connecting from a slow link location may have a firewall between them and the DC, potentially blocking the ICMP traffic. This prevented proper detection of network bandwidth, therefore causing policies to process improperly and allowing for large policy settings to process across slow links. Network Location Awareness mitigates this by making Group Policy aware of the network bandwidth and state. In earlier versions of Windows, Group Policy just wasn’t aware of the state of the network connection on a machine. Policies apply during system boot, during user logon, and thereafter at regular refresh intervals—that’s it. So, if a machine were to miss a Group Policy Refresh because it was disconnected from the network, it would start the countdown timer to the next refresh time frame. If the machine was reconnected to the network before reaching the refresh interval, it would just continue to wait until the refresh time arrived. Group Policy had no indication that the network was now available and that the policies would process successfully. With Windows Vista and Windows Server 2008 the implementation of Network Location Awareness allows Group Policy to become more in tune with the machine’s network state.
For instance, if a mobile user moves his laptop in and out of different network conditions such as wireless, docked, virtual private network (VPN) connected, wired, and so on, the processing of Group Policy can occur with each change. So, if the machine failed on its last attempt to refresh or if the retry window has arrived, the machine will use the availability of the DCs as an additional factor in determining whether Group Policy processing should occur.
User
Each GPO is broken down into two main components: User Configuration and Computer Configuration. The User Configuration has both Policies and Preferences available. The User Configuration can be used to do many things, including but not limited to deploying software, locking down application settings, administrating desktop settings, and assigning logon scripts. Configuring the user portion of a GPO gives you the ability to influence a user and her experience, even as she moves around within the organization. For example, Steve arrives at the office, rushes into the nearest conference room, and powers up his laptop. He logs on to the domain to prepare for a conference call. When Steve authenticates against the domain from his laptop, all policies affecting his user account in the domain are processed and applied. So, let’s say that Steve’s user account has the following settings in effect from those policies:
■ Run line removed from the Start menu
■ Control Panel hidden
He finishes his conference call and heads to his desk to officially start the day. He sits at his desk and logs on to the domain again, this time from his desktop machine. Steve is now using a different machine; however, the policies affecting his user account in Active Directory remain the same. If the summation of the processed policies gives him the previously listed settings at his laptop, from his desktop they would be the same. The policies follow his user account throughout the environment.
Computer
The computer configuration section of a GPO also has both Policies and Preference sections available. Many of the sections in a GPO overlap between the User and Computer Configurations. Examples of overlap are scripts, security settings, and the Control Panel. The contents of each section will vary between the User and Computer Configurations, and what is possible in one may not exist in the other. The Control Panel settings are a good example of this. There are only two subsections within the Control Panel for Computer Configuration: Regional and Language Options, and User Accounts. The Control Panel under the User Configuration has much more to offer: Add or Remove Programs, Display, Printers, Programs, and Regional and Language Options. Notice the overlap between Regional and Language Options in the two sections. For the most part, setting options in the User and Computer Configurations will be different, but in the event of overlap, a conflict may occur. If a conflict arises between the User and Computer Configurations, the Computer Configuration will take precedence. Some settings within Group Policy you can apply only to machines. The Loopback Processing mode setting is a good example of this. Computer Configuration settings can be extremely useful in situations where the user is irrelevant in the application of the policy. Windows Updates and Event Viewer are good examples of this because regardless of the user logging on to the machine, the settings will rarely differ. It just makes sense to apply these types of policy settings to machine accounts rather than user accounts because the logged on user is irrelevant. Computers that have a special function in an organization are also a practical target for computer-based policy settings, such as a dedicated kiosk machine or a public Web access workstation. In any case, Computer Configuration settings can offer a powerful solution to administrators seeking a method of applying machine-based settings across the enterprise.
Group Policy Hierarchy
When applying GPOs in an Active Directory environment it is just as important to take heed of where you are applying a policy as it is to plan what you are putting in it. The default nature of a GPO is to trickle down the tree structure from where it is applied and impact all objects along the way. Without careful planning and consideration, you run the risk of ending up with an undesired outcome. As a result of poor planning or a lack of understanding of the Active Directory hierarchy, multiple policies can combine and produce lockdown when it is undesired or allow users to retain settings that may be considered a risk. To plan for and deploy an effective Group Policy infrastructure it is crucial to understand how the Active Directory hierarchy comes into play.
Site, Domain, and OU Hierarchy
The first policy to process is always the local policy (LGPO). Once the local policy has completed processing, the domain-level policies are applied. Group Policies can be applied at three levels within the Active Directory environment:
■ Site
■ Domain
■ Organizational unit (OU)
A single GPO can be applied at multiple locations in the hierarchy and any level can have multiple policies applied. The Site level represents the highest level in which a GPO can be applied. Policies linked at the Site level are the first domain-based policies to be downloaded and applied. Because machines become members of Sites based on their Internet Protocol (IP) address, machines from multiple domains may become members of a single Site. This can present issues, because GPOs are stored at the domain level. Only DCs from the domain in which a GPO was created will have a copy of the GPT available for download. If a GPO is created directly on a site object, the GPT will be stored in the domain identified as the forest root. Machines may be required to use bandwidth to download the pertinent GPO while their users wait. In general, linking at the Site should be performed with caution. It has the implication of targeting multiple domains as well as the chance of creating inconsistency for mobile users unless applied with careful planning. With the proper planning and testing, linking at the Site level can be useful in situations such as software deployment, but understanding the ramifications of Site linking is critical for you to effectively apply GPOs.
Configuring & Implementing … Applying GPOs at the Site Level The Site level may present an unpredictability factor for applying GPOs. The reason most environments will stay away from settings at this tier has to do with the nature of a Site. A Site is a group of well-connected computers. You create a Site within Active Directory and then associate it with any subnets that are considered well connected. Geographically distributed environments will have numerous sites. Users in today’s world are mobile and they may move between different Sites by visiting remote offices or, in some cases, by simply carrying their laptops from building to building on a company campus. Each time a machine moves to a new Site it will be affected by the GPOs linked to the Site it is in at that point in time, hence the unpredictability factor. Sometimes the machine will get a setting and sometimes it will not—depending on the Site the GPOs happen to be in that day. If GPOs linked at the Site level are different from Site to Site, the GPO result for a given user or computer will vary. Without knowing which Site a mobile user may be associated with, there is no way to consistently enforce policy.
Once the Local and Site level policies have been processed, the next policies to apply are any Domain linked policies. When applying a Group Policy at the Domain level, the settings configured in the policy will be inherited down the tree structure and will be applied to all objects in the hierarchy. This includes both computer objects and user objects in the tree. Applying policies at the Domain level is appropriate when the settings are applicable across the enterprise. Settings mandated by corporate security policies are a good example of a compelling Domain level Group Policy. Because Domain level Group Policies are so widespread, they will have a large impact if many policies are applied at this level. Keeping Domain level policies to a minimum is in your best interest to minimize processing overhead.
EXAM WARNING Remember that one policy with many settings will process faster than multiple policies with a few settings apiece. Reducing the number of policies will speed up the time it takes for policies to download, in turn making logon for users faster.
The final level in the hierarchy is the OU. In most organizations, you will want to apply your policies at the OU level. You will have more granular control at this tier, and the scope of the policy is narrowed to affect only the desired user or computer accounts. The default nature of policies at the OU level is to inherit down the tree structure to all child objects, user accounts, computer accounts, and child OUs, including their child objects.
TEST DAY TIP To help you remember the policy inheritance order, take advantage of the paper you will receive during your test. When you first sit down, draw the hierarchy of Site, Domain, and OU. You can then reference your diagram as you need it.
Group Policy Processing Priority
When a machine boots up or a user logs on, the machine is tasked with scrambling to collect and download all applicable policies and apply them in the correct order. Many policies can affect a single user or machine, and when more than one GPO is applied the result is a summation of all the policies involved. This is similar to a person getting ready to go outside on a cold winter day. Let’s say Justin pulls on a long-sleeve shirt, a sweater, and finally a jacket. Justin is dressed in layers, but the first two layers he put on are covered by the layer he put on last. Policies are applied in a similar fashion. Starting from the top of the hierarchy, the settings are cumulated; however, if a conflict occurs, the last value processed for that setting applies.
The first policy to be applied is the local policy. If the machine is a Windows Vista or Windows Server 2008 (non-DC), the MLGPO is applied in the following way:
■ Local Computer Policy
■ Administrators or Non-Administrators Local Group Policy
■ User-specific Local Group Policy
The final policy processed will win in the event of a conflict, so a User-specific setting will always win over a Local Computer Policy setting. Next to be processed are policies linked to the Site level. It is typically not a recommended practice to link GPOs at the Site level. It can be difficult to predict which users will be affected by a Site-level policy and when. For example, if a laptop user were to work in the Atlanta office on a Monday, then hop a plane on Tuesday to the Miami office to work for the rest of the week, the policies that are applied to his machine may differ between the two locations when Site-level policies are in use. So, if the Miami administrator chose to lock down the command prompt in a GPO and then applied the GPO to the Miami Site, a programmer visiting that office may lose the ability to perform his job function due to the Site-level policy. To keep things consistent it may be a good idea for you to use caution when linking GPOs with certain settings at the Site level. Once Site-level policies have processed, the next policies to apply are any Domain-level GPOs. Finally, OU-level GPOs will apply. OU-level GPOs will transmit their settings to all child objects. So, with OU policies, depending on how deep a user or computer is in the hierarchy, administrators may have many OU-level GPOs to apply. The last setting of a policy always wins regardless of where it originated in the hierarchy. In Figure 5.11, the IT Users OU is inheriting one policy, the Company Wallpaper Policy, and has another applied, the Custom IT Policy. For a user or computer account residing in the IT Users OU, the wallpaper setting of Disable will apply because the policies on the lower OU will be processed after the Domain-level policy.
Figure 5.11 Inheritance Example
Figure 5.12 shows the Group Policy Management Console (GPMC) displaying the Group Policy Inheritance tab for the Level 1 Support OU. The policies listed originated from higher in the tree structure and are being inherited. Notice that the Precedence column lists All Users Desktop Lockdown first, indicating that its settings will override any settings that conflict in the other policies.
Figure 5.12 GPMC Displaying Inheritance at the OU Level
Creating and Linking GPOs In this section we’ll discuss creating and linking GPOs.
Creating Stand-Alone GPOs
When creating a GPO for the first time it may worry you to think of the impact you may have if the GPO were to be applied either with the wrong settings or at the wrong place within Active Directory. To avoid any GPO creation mistakes, Microsoft allows you to create stand-alone GPOs. Stand-alone GPOs are not linked anywhere in the infrastructure upon creation. They are simply floating within your Active Directory universe. Just like any other GPO, they will have a GPT and a GPC and the settings will exist in SYSVOL for users and computers to download, with one major difference: No one will be downloading them. Because the policies are not linked anywhere in the Active Directory environment, users and computers alike will not know that they exist, and therefore, any changes you make to the policies will go unprocessed. To create a stand-alone GPO follow these steps:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain name—for example, The3Bears.com.
4. Right-click on the Group Policy Objects folder and select New.
Linking Existing GPOs
Once you have created a stand-alone GPO, it will affect no person or machine in your environment. To have your new policy have an impact on your network you must link it somewhere in the hierarchy. You can do this at the Site, Domain, or OU level. One of the fabulous things about GPOs is their reusability. So, if your Accounting department has incurred administrative wrath and is locked down from toes to chin with Desktop Policies, there isn’t any reason why you can’t easily spread the joy to the Human Resources staff if they get on your nerves with the same policy. Once you have created GPOs in your Active Directory environment, you can link them at different places within your Active Directory infrastructure with just a few simple clicks. Depending on the design of your Active Directory OU structure, you may want to link a GPO to multiple OUs to effectively target all the users for whom the policy was designed. To link an existing GPO, follow these steps:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain name—for example, The3Bears.com.
4. Right-click the location where you would like to link the policy and select Link an Existing GPO (see Figure 5.13).
Figure 5.13 Linking an Existing GPO
5. In the Select GPO dialog box, under the Group Policy Objects section, highlight the GPO you wish to link.
6. Click OK.
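Serving both the stand-alone GPO section and the linking procedure above, here is an added PowerShell example that is not the book’s own: it lists stand-alone GPOs by scanning the gPLink attribute of the domain root, its OUs and the Sites container, and shows the New-GPLink call that corresponds to steps 4 to 6 of the linking procedure. It assumes the GroupPolicy and ActiveDirectory modules (RSAT on Windows Server 2008 R2 or later); the sample gPLink value is constructed and uses the well-known GUIDs of the two default domain policies.

```powershell
# Added example, not from the book. Assumes the GroupPolicy and ActiveDirectory modules.
function Get-LinkedGpoGuids {
    # A container's gPLink attribute holds one bracketed entry per linked GPO, e.g.
    # [LDAP://cn={GUID},cn=policies,cn=system,DC=x;0][LDAP://cn={GUID},...;2]
    # The number after the semicolon is a flag set: 1 = link disabled, 2 = enforced.
    param([string[]]$GpLinkValues)
    $guids = @{}
    foreach ($v in $GpLinkValues) {
        foreach ($m in [regex]::Matches($v, '\{([0-9A-Fa-f-]{36})\}')) {
            $guids[$m.Groups[1].Value.ToLower()] = $true
        }
    }
    return $guids
}

function Get-StandAloneGpo {
    # Live use: every GPO in the domain that no domain, OU or Site links to
    Import-Module GroupPolicy
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    $configDn = (Get-ADRootDSE).configurationNamingContext
    $links = @()
    # Domain root and OUs live in the domain partition; Sites live under the configuration partition
    foreach ($base in @($domainDn, "CN=Sites,$configDn")) {
        $links += Get-ADObject -LDAPFilter '(gPLink=*)' -SearchBase $base -Properties gPLink |
                  ForEach-Object { [string]$_.gPLink }
    }
    $linked = Get-LinkedGpoGuids -GpLinkValues $links
    # Get-GPO returns Id as a Guid; ToString() yields the dashed form without braces
    Get-GPO -All | Where-Object { -not $linked.ContainsKey($_.Id.ToString().ToLower()) }
}

# Offline check with a constructed gPLink value: Default Domain Policy (flags 0) and
# Default Domain Controllers Policy (flags 2 = enforced), using their well-known GUIDs
$sample = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=The3Bears,DC=com;0]' +
          '[LDAP://cn={6AC1786C-016F-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=The3Bears,DC=com;2]'
$found = Get-LinkedGpoGuids -GpLinkValues $sample
"GUIDs linked in sample: $($found.Count)"
$found.Keys | Sort-Object

# Live use: report stand-alone GPOs, then link one to an OU (the GPO and OU names are constructed)
# Get-StandAloneGpo | Select-Object DisplayName, Id, ModificationTime
# New-GPLink -Name "Smokey's Team Lockdown" -Target 'OU=AD Admins,DC=The3Bears,DC=com' -LinkEnabled Yes
```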
Creating and Linking at One Time In some instances, you already know where you would like a GPO to go before you create it. In these cases, it makes sense to simply create the policy where it is going to be linked and then configure the settings afterward (see Figure 5.14).
Figure 5.14 Creating and Linking a GPO with One Action
For step-by-step create and link instructions, see Exercise 5.2.
EXERCISE 5.2 CREATING AND LINKING A GPO
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain name—for example, The3Bears.com.
4. Right-click the location where you would like to create and link the GPO—in this case, the AD Admins OU.
5. Select Create a GPO in this Domain, and Link it here.
6. In the New GPO window, type in a name for the new GPO. You can also select a Source Started GPO in this window if you want.
7. Click OK.
TEST DAY TIP Don’t get caught up in the details. Reading too much into an exam question can lead you to draw false conclusions. Take the information in the questions at face value, and remember, you know this stuff!
Controlling Application of Group Policies
In every universe there is the “exception to the rule.” In the case of Group Policies, it isn’t a platypus or a tomato. It tends to be VPs of Finance or the CFO’s secretary or sometimes even your boss and colleagues. No matter the “why” behind the need for an exception, a few different mechanisms are available to you to tweak and adjust your policies so that everyone can be happy in your environment. Well, within reason anyway. Being able to bend the rules of policy application can be a fabulous tool when exceptions crop up in your environment. Because Group Policies will naturally flow down the Active Directory tree structure, altering that flow with Block Inheritance is one way to change the outcome of inherited settings. Another method is to give certain policies preference over others via Enforce. Other mechanisms include Security and WMI Filtering, as well as Group Policy Loopback settings. We will discuss each of these in more detail in the following sections.
Enforce
In some organizations, certain policies must be applied to everyone in the enterprise, period. Sometimes it’s a security mandate that requires all users to have the Run line removed from their Start menus, other times it’s a marketing mandate that requires all users to have the company wallpaper set at all times, or it’s a legal requirement to display a disclaimer every time a user logs on. The nature of Group Policy inheritance and the hierarchy of Active Directory can sometimes create unfavorable conditions, causing a policy to fail to apply where it is required. Enforce is configured in Active Directory where a GPO is linked, not on the overall policy itself. So, there is the potential to have a policy linked at many different levels, but to have it Enforced only where you indicate. You can see the direct effect of Enforce in the GPMC. To prevent a mandated policy from being overridden you must mark the link as Enforced. This allows you to avoid the unpleasant situation of having to explain why the marketing manager noticed two employees in the IT department with World of Warcraft wallpaper instead of the prescribed company logo. By giving a wallpaper policy the ability to trample on any and all policies in its way, you will save yourself the reprimand. Enforce essentially creates a policy whose settings will “always win” in the case of a conflict. Notice the policies in Figure 5.15; because all policies are inheriting normally the Domain-level policy which is named Company Wallpaper Policy is at the bottom of the precedence list. This policy has the potential to have the wallpaper setting it is configured with overridden by both the Default Domain Policy and the Custom IT Policy.
Figure 5.15 Normal Inheritance
When you enable Enforce on the Company Wallpaper Policy, the precedence is directly impacted and now the Company Wallpaper Policy moves to the top of the list. At this point, it will not be overridden by any of the lower precedence policies (see Figure 5.16).
319
320
Chapter 5 • Understanding Group Policy
Figure 5.16 Enforcing a GPO
In the case of two policies set to Enforce with opposing settings, the administrators have to duel to the death and the last one standing gets to apply his policy. Okay, so maybe it doesn’t work quite that way. It actually goes something more like this: When two policies are set to Enforce and have conflicting values, the policy higher in the tree structure wins (see Figure 5.17). The concept is that if you have set permissions at the Domain level to apply policies, you probably have more clout in your Active Directory world. To reference the previous example, if both policies to apply wallpaper were configured with Enforce, the higher Company Wallpaper Policy would be the resultant winner. So, there is no way for a lower-level policy to attempt to override a policy higher in the tree structure with an Enforce. Figure 5.18 shows the Company Wallpaper Policy at the Domain level, which will win in the event of a conflict. Sorry, IT fellas.
Figure 5.17 Higher-Level Enforce Wins
Figure 5.18 Higher-Level Enforce in GPMC
TEST DAY TIP Try not to panic if the exam throws a million policies at you to compare. Just work through them one at a time.
Block Inheritance
An additional method of manipulating default inheritance is to apply Block Inheritance to a particular OU. When this setting is configured on an OU, it will not inherit or apply any of the policies linked to its parent objects. The only exception to this is the Enforce setting. Enforce will barrel through a Block Inheritance and will allow a policy to apply to objects within that OU regardless of the existence of Block Inheritance. If you need to isolate a lower-level OU from inheriting GPOs from its parents, the easiest way to achieve this is via Block Inheritance. A wonderful utilization of this feature often involves administrators like you. Let’s assume you would like to apply a policy that removes the Run line and the Control Panel from all users in the Charlotte office. You create and configure your policy and then link it to the Charlotte office OU in Figure 5.19.
Figure 5.19 The Charlotte Office OU Structure
The default behavior is for the policy to trickle down the tree structure and apply to all objects in its path. This will include all objects in the child OUs. If your user account or those of your fellow administrators happen to reside in the Charlotte IT Staff OU, you will inevitably be impacted by the policy. Try to perform your job as an administrator without a Run line or the Control Panel! The solution in this instance could be to Block Inheritance at the Charlotte IT Staff OU. When you configure a Block Inheritance the harmful policy will not be inherited by objects within the Charlotte IT Staff OU and you will retain your Run line and Control Panel. However, there can also be drawbacks to implementing this mechanism, so you should use it only after careful planning. Suppose another policy is configured at the Charlotte Office OU. This policy maps network drives to home drives for all Charlotte personnel, and runs Logon scripts. By putting a Block Inheritance in place at the Charlotte IT Staff OU, the desired policy will also be blocked. As you can see, Block Inheritance can be a very powerful disrupter in your environment, but when applied properly it should become a significant addition to your administrative arsenal.
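To make the processing-order, Enforce and Block Inheritance rules of the preceding sections concrete, here is an added PowerShell model that is not part of the book: every container, GPO name and setting in it is constructed, and it applies the rules as the text states them (later processing wins, enforced links process last with the higher container’s Enforce winning, Block Inheritance discarding the non-enforced links inherited from parents). One assumption beyond the text: the local policy is kept through a Block Inheritance, since it is not linked in Active Directory.

```powershell
# Added example, not from the book: a model of Group Policy processing order with
# Enforce and Block Inheritance. All containers, GPOs and settings are constructed.
function Get-GpoProcessingOrder {
    param(
        # Containers from the top of the tree down to the target OU. Each entry is a hashtable:
        # @{ Name; Local (bool); BlockInheritance (bool); Links = @(@{ Gpo; Enforced; Enabled }) }
        # Links are listed in GPMC link order (link order 1 first).
        [Parameter(Mandatory)][object[]]$Path
    )
    $local  = @()   # LGPO/MLGPO entries; assumed not affected by Block Inheritance
    $normal = @()   # non-enforced AD links, in processing order
    $enforcedPerContainer = @()
    foreach ($c in $Path) {
        if ($c.BlockInheritance) { $normal = @() }   # drop every non-enforced link inherited from above
        $links = @($c.Links | Where-Object { $_.Enabled -ne $false })
        [array]::Reverse($links)   # link order 1 has the highest precedence, so it is processed last
        $mine = @()
        foreach ($l in $links) {
            $e = [pscustomobject]@{ Gpo = $l.Gpo; Container = $c.Name; Enforced = [bool]$l.Enforced }
            if ($c.Local)        { $local  += $e }
            elseif ($l.Enforced) { $mine   += $e }
            else                 { $normal += $e }
        }
        $enforcedPerContainer += ,$mine
    }
    $order = $local + $normal
    # Enforced links process after all others; the higher the container, the later it is
    # processed, so a Domain-level Enforce beats an OU-level Enforce.
    for ($i = $enforcedPerContainer.Count - 1; $i -ge 0; $i--) { $order += $enforcedPerContainer[$i] }
    return ,$order
}

function Get-ResultantSettings {
    param([object[]]$ProcessingOrder, [hashtable]$GpoSettings)
    $result = @{}
    foreach ($entry in $ProcessingOrder) {
        if (-not $GpoSettings.ContainsKey($entry.Gpo)) { continue }
        foreach ($setting in $GpoSettings[$entry.Gpo].Keys) {
            # A later GPO in the processing order overwrites an earlier value: last writer wins
            $result[$setting] = [pscustomobject]@{
                Value = $GpoSettings[$entry.Gpo][$setting]; WinningGpo = $entry.Gpo; LinkedAt = $entry.Container
            }
        }
    }
    return $result
}

# Constructed settings per GPO (names follow the book's scenarios)
$gpoSettings = @{
    'Local Computer Policy'    = @{ ControlPanel = 'Visible' }
    'Default Domain Policy'    = @{ LogonBanner = 'Enabled' }
    'Company Wallpaper Policy' = @{ Wallpaper = 'CompanyLogo.jpg' }
    'Charlotte Lockdown'       = @{ RunLine = 'Removed'; ControlPanel = 'Hidden' }
    'Charlotte Drive Maps'     = @{ HomeDrive = 'H:' }
    'Custom IT Policy'         = @{ Wallpaper = 'Disabled' }
}

# Constructed path for a user in the Charlotte IT Staff OU, which has Block Inheritance set
$path = @(
    @{ Name = 'Local';                  Local = $true; Links = @(@{ Gpo = 'Local Computer Policy' }) }
    @{ Name = 'Site: Charlotte';        Links = @() }
    @{ Name = 'Domain: The3Bears.com';  Links = @(@{ Gpo = 'Default Domain Policy' },
                                                 @{ Gpo = 'Company Wallpaper Policy'; Enforced = $true }) }
    @{ Name = 'OU: Charlotte Office';   Links = @(@{ Gpo = 'Charlotte Lockdown' }, @{ Gpo = 'Charlotte Drive Maps' }) }
    @{ Name = 'OU: Charlotte IT Staff'; BlockInheritance = $true; Links = @(@{ Gpo = 'Custom IT Policy' }) }
)

$order = Get-GpoProcessingOrder -Path $path
'Processing order (last wins):'
$order | ForEach-Object { '  {0}  [{1}]{2}' -f $_.Gpo, $_.Container, $(if ($_.Enforced) { ' Enforced' } else { '' }) }
'Resultant settings:'
(Get-ResultantSettings -ProcessingOrder $order -GpoSettings $gpoSettings).GetEnumerator() | Sort-Object Name |
    ForEach-Object { '  {0} = {1}  (from {2} at {3})' -f $_.Name, $_.Value.Value, $_.Value.WinningGpo, $_.Value.LinkedAt }
```

With this path the Charlotte Lockdown and Charlotte Drive Maps links are both discarded by the block, while the enforced Company Wallpaper Policy still processes last and overrides the Custom IT Policy wallpaper value, which is the drawback and the exception the text describes.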
Group Policy Results and Group Policy Modeling
When Block Inheritance and Enforce start to wreak havoc on the outcome of the policies in your hierarchy, there are mechanisms you can employ to become aware of conflicts and either predict or mitigate them before real trouble brews. Microsoft provides two tools within the GPMC which will assist you in managing and troubleshooting Group Policy in a proactive and efficient manner:
■ Group Policy Results Wizard
■ Group Policy Modeling Wizard
The Group Policy Results Wizard allows you to view the outcome of your policies after all have been processed and applied and the dust has settled. To execute the tool from within the GPMC simply expand the Forest node and select Group Policy Results. Right-click on Group Policy Results and select the Group Policy Results Wizard. The wizard requires you to select a machine account as a first step (see Figure 5.20). It will then connect to the machine you have indicated and will list all the user accounts that have logged on to the machine before. You may then select the Current user option or a user from the displayed list of accounts available for policy processing (see Figure 5.21). The wizard will proceed to evaluate the combination of machine account and user account policies and will display the cumulative results in the Details pane. You can exclude either the user or the computer account from the processing if you wish. To exclude the computer policy settings select the Do not display policy settings for the selected computer in the results (display user policy settings only) checkbox on the Computer Selection screen, as shown in Figure 5.20. To exclude the user policy settings select the Do not display user policy settings in the results (display computer policy settings only) radio button visible on the User Selection screen in Figure 5.21.
Figure 5.20 Selecting a Computer Account
Figure 5.21 Selecting a User Account
The wizard will then gather the information it requires to generate a report which will display in the Console window in the Details pane. The report is broken down into three tabs:
■ Summary
■ Settings
■ Policy Events
The Summary tab is divided into user and computer sections and displays an overview of the results (see Figure 5.22), including a list of the GPOs that were denied along with the reason (security filtering, WMI filter, disabled link, or empty GPO), which is usually the first place to look when a setting you expected is missing. The Settings tab contains the summation of each policy setting from all the contributing GPOs. The "Winning GPO" for each setting is also identified here. The Policy Events tab pulls from the Event Viewer of the target machine and displays any Event Viewer messages related to Group Policy. Using information from the three tabs you will be able to determine which settings are applied and where they are originating. You will also be able to determine whether any errors or warnings involving Group Policy are being logged, as well as the last time Group Policy was successfully applied. Also, any queries you create will display in the console, and you can rerun, rename, or delete them at any time. You can save the query results as a report in an XML or HTML file format for later review. This is a fabulous tool when trying to decipher issues involving Group Policy application in your environment!
Figure 5.22 Displaying the Group Policy Results
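The same logging-mode data the Results Wizard collects is available from the command line with gpresult, which is useful when you want to check many machines or keep reports as evidence. The following PowerShell script is an added example and not part of the book: it runs gpresult in XML mode against a remote computer and user and lists every GPO the client considered together with the reason it was or was not applied. The computer and user names are placeholders, it assumes PowerShell 3.0 or later, and the element names it reads (Rsop, ReadTime, ComputerResults, UserResults, GPO, Link, SOMPath, NoOverride, AccessDenied, FilterAllowed, Enabled) are assumed from the gpresult /X report format.

```powershell
# Added example, not from the book. Runs logging-mode RSoP against a remote
# machine/user and summarizes why each GPO did or did not apply.
# FIN-WS01 and THE3BEARS\sabrina are placeholders; the target must allow remote
# administration (RPC/WMI) and you need administrative rights on it.
param(
    [string]$Computer = 'FIN-WS01',
    [string]$User     = 'THE3BEARS\sabrina'
)
$report = Join-Path $env:TEMP "rsop-$Computer.xml"

# /X writes the data the wizard shows as XML; /F overwrites an earlier report.
# Only users who have logged on to the target before have RSoP data there.
gpresult /S $Computer /USER $User /X $report /F | Out-Null
if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

[xml]$rsop = Get-Content -Path $report
"Report time: $($rsop.Rsop.ReadTime)"

foreach ($scope in 'ComputerResults', 'UserResults') {
    "`n== $scope =="
    # Each <GPO> carries the link(s) it was evaluated from plus the flags the client
    # used when deciding whether to apply it (assumed gpresult /X element names).
    $rsop.Rsop.$scope.GPO | ForEach-Object {
        $status = if ($_.AccessDenied -eq 'true')       { 'Denied (security filtering)' }
                  elseif ($_.FilterAllowed -eq 'false') { 'Denied (WMI filter)' }
                  elseif ($_.Enabled -eq 'false')       { 'Denied (disabled)' }
                  else                                   { 'Applied' }
        $links = @($_.Link)
        [pscustomobject]@{
            GPO      = $_.Name
            LinkedAt = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            Enforced = @($links | Where-Object { $_.NoOverride -eq 'true' }).Count -gt 0
            Status   = $status
        }
    } | Sort-Object Status, GPO | Format-Table -AutoSize
}
```

On Windows Server 2008 R2 and later the GroupPolicy module's Get-GPResultantSetOfPolicy cmdlet (with -Computer, -User and -ReportType Xml) produces the same report without shelling out to gpresult.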
So, here comes the way to attempt to avoid Group Policy issues in your environment, instead of resolving them as they occur. Just as Group Policy Results will evaluate the cumulative results of policies and display the results, Group Policy Modeling will do the same. The difference is that with Group Policy Modeling you can explore the realm of “what if ” before you actually implement the change. So, “what if ” Sabrina from Accounting has her user account moved into the Finance OU? Instead of relocating the user account in Active Directory and then crossing your fingers and hoping for the best, you can choose to proactively employ the Group Policy Modeling tool to perform an analysis before the move is actually performed. The tool will tell you what Sabrina’s policy outcome will be after the move has occurred, allowing you to make an educated decision as to whether this would be smart. The Group Policy Modeling Wizard has flexibility in that it allows you to select all the “what if ” details involved in Group Policy processing to create almost any fictional situation possible within your Active Directory environment. You launch the wizard from within the GPMC by expanding the Forest node and selecting Group Policy Modeling. Right-click on Group Policy Modeling and select the Group Policy Modeling Wizard. The first step in the wizard is to select a DC that is able to execute the simulation. The DC you select must be running Windows 2003 or later. The next step is to identify the targets for the simulation. You can choose to specify both user information and computer information, or you can identify only one of the two. Under User Information, you can select either a specific user or a container within Active Directory. The same is true for Computer Information; you may select either a specific computer account or a container. 
Once you have selected the target for the simulation, you then have two choices in what comes next: Select the checkbox at the bottom of the window and skip to the end of the wizard (see Figure 5.23) to receive the analysis results, or click Next and continue to provide criteria for the simulation.
Figure 5.23 The Group Policy Modeling Wizard
If you click Next rather than skipping to the end of the wizard, you will be asked to lay out the scenario by providing information such as:
■ Policy implementation settings:
  ■ Slow link processing consideration
  ■ Loopback policies consideration
  ■ Site association
  ■ New network locations
■ Security group membership:
  ■ For the user
  ■ For the computer
■ WMI Filters:
  ■ For the user
  ■ For the computer
Once you have fed the wizard all it needs to know about your hypothetical situation, it will process the policies and display the results across three tabs. The first two tabs are the same as with the Group Policy Results Wizard: the Summary and Settings tabs. The third one differs. With Group Policy Modeling the third tab contains information on the query that was executed (see Figure 5.24). So, by reviewing the outcome of your query you can determine whether your planned change is a wise decision. If the results of your simulation are not quite as you expected, you can just start over again, or if you prefer, you can copy existing queries. By using existing queries as a baseline, you can tweak the options selected in the wizard to see what different case scenarios will yield as results until you discover a favorable outcome.
Figure 5.24 The Group Policy Modeling Query Tab
Head of the Class … Utilizing Enforce and Block Inheritance
As an administrator, the more things you can do to simplify life the easier you make your job and the better off you will be in the long run. To be a smart administrator you have to know two things. One, you have to know what is available to you in the features of any products you manage, and two, you have to know when to utilize these features. In Active Directory, you can go crazy Enforcing policies and Blocking Inheritance on OUs, but that doesn't mean you always should. At the end of the day, by overutilizing these features, you have just complicated your life by making the outcome for a group of users that much more unpredictable. Granted, there are tools in place for you to interpret what the outcome will be for any users or computers in your organization, but the necessity to have to interpret and use tools to figure out resultant settings will only make your job that much more demanding. In general, it is a good idea to use restraint when applying these powerful features of Active Directory Group Policies. This doesn't mean you should shy away from them entirely—there will always be exceptions to the rule. But when applying them in a real-world environment, there is one major guideline you will want to follow: KISS (Keep it simple silly!). Make sure there is a good business case to apply an Enforce or a Block Inheritance. If there is a chance you can accomplish the same function by moving user accounts or moving OUs around in Active Directory, this is a much easier means to an end. By documenting the heck out of any exceptions to the rule and making sure that before you make an exception it is absolutely necessary, you will find that keeping a handle on Group Policy Inheritance in Active Directory becomes an easier task. And always remember: KISS!
WMI
WMI Filtering allows you to narrow down the scope of a GPO based on information collected about the machine at processing time. You do this by creating a WMI Filter, a separate object in the domain that you then link to the GPO, which identifies desired properties that will be common across the targets for the GPO. For instance, you may want to identify an operating system version or machines with a minimum amount of free disk space. A GPO can be linked to only one WMI filter, but a filter can contain several queries. The filter is evaluated on the client every time the GPO is processed: if every query returns at least one result the GPO applies; if any query returns nothing the whole GPO, including its User Configuration settings, is skipped. Because the queries run at every boot, logon, and background refresh, keep them cheap; a slow WMI query shows up as a slow logon. WMI Filtering can be complex to configure without a programming background. The interface simply allows you to plug in a WMI query, written in WQL, which you must construct. You may also import an existing query if you prefer (see Figure 5.25). By default, no filtering is in place, and therefore the policy will apply to all machines inheriting it. Windows 2000 clients ignore WMI filters entirely and always apply the GPO.
Figure 5.25 Configuring WMI Filtering
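The query strings a WMI filter is built from are plain WQL, so you can, and should, test them on a representative machine before linking the filter to a GPO. Below is an added example, not from the book, that runs two candidate queries the way the client would and reports whether the filter would pass, along with how long each query takes. The queries themselves, the 2 GB threshold, and the function name Test-WmiFilter are choices made for this example.

```powershell
# Added example, not from the book. Evaluates the WQL queries of a proposed WMI
# filter on a machine the way the Group Policy client does: every query must
# return at least one instance, or the whole GPO (user and computer settings) is skipped.
$filterQueries = @(
    # Workstation editions (ProductType 1) of Windows Vista or later (NT 6.x kernel)
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.%" AND ProductType = "1"',
    # At least 2 GB free on C: (FreeSpace is reported in bytes)
    'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 2147483648'
)

function Test-WmiFilter {
    param(
        [string[]]$Queries,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace    = 'root\cimv2'   # default namespace for GPMC WMI filters
    )
    $pass = $true
    foreach ($q in $Queries) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        # -ErrorAction Stop: a malformed query should fail loudly here, not silently in production
        $rows = @(Get-WmiObject -Namespace $Namespace -Query $q -ComputerName $ComputerName -ErrorAction Stop)
        $sw.Stop()
        # Filters run at every boot, logon and background refresh, so watch the time column
        Write-Host ("{0,5} rows  {1,6} ms  {2}" -f $rows.Count, $sw.ElapsedMilliseconds, $q)
        if ($rows.Count -eq 0) { $pass = $false }
    }
    return $pass
}

if (Test-WmiFilter -Queries $filterQueries) {
    'Filter evaluates TRUE: the linked GPO would apply on this machine'
} else {
    'Filter evaluates FALSE: the linked GPO would be skipped on this machine'
}
```

Run it with -ComputerName against a few machines that should match and a few that should not; a filter that passes everywhere or nowhere is usually a sign the query is wrong rather than that the fleet is uniform.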
Group Policy Filtering
In some environments, users with different policy needs may be intermingled in the same OU. Let's think about an Accounting department, for instance. Assume that Accounts Payable and Accounts Receivable are different people in the organization; however, for administrative purposes, they have been lumped into the same OU. If a particular software package needed to be deployed to only the Accounts Payable users, filtering could be employed to accomplish this without the creation of additional OUs in Active Directory. In cases like this, it is still possible for you to single out users to receive a particular policy via Group Policy Filtering. Filtering is simply editing the permissions on the GPO: a user or computer applies a GPO only if it holds both the Read and the Apply Group Policy permissions on it. To download a policy the following things must be true:
■ The policy must apply to the user or the computer in the Active Directory hierarchy.
■ You must be able to connect to a DC that has a local copy of the policy.
■ You must have permissions to the policy.
By default, Authenticated Users is granted Read and Apply Group Policy on every new GPO, which is why a policy reaches everyone in its scope. To apply filtering on a policy this default must be removed and the appropriate groups or users added to the policy. Refer to Exercise 5.3 for detailed steps.
EXERCISE 5.3 ENABLING FILTERING ON A GROUP POLICY OBJECT
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand your domain name—for example, The3Bears.com.
4. Expand Group Policy Objects and then click on the policy you wish to filter.
5. On the Scope tab in the center pane, you will see the Security Filtering section (see Figure 5.26).
Figure 5.26 Configuring Security Filtering
6. Highlight Authenticated Users and click Remove.
7. In the Group Policy Management pop-up window click OK.
8. Authenticated Users is now removed from the window. Click Add.
9. In the Select User, Computer, or Group window type in the name of the user or group you would like to add, click Check Names, and then click OK.
10. The new user or group is now able to download and apply this GPO. Anyone not listed under Security Filtering, directly or through group membership, will not be allowed to download this GPO.
Two caveats are worth remembering. First, the Scope tab shows only principals that hold both Read and Apply Group Policy; the Delegation tab, via its Advanced button, exposes the full ACL, where you can also place an explicit Deny on Apply Group Policy to exclude one group from a policy that otherwise applies to everyone. Deny entries are easy to overlook during troubleshooting, so document them. Second, once clients have Microsoft's June 2016 security update MS16-072 installed, they retrieve user policy using the computer's security context, so a GPO filtered to a user group must also leave Domain Computers (or the relevant computer accounts) with Read permission, otherwise its user settings silently stop applying.
Group Policy Loopback
When multiple users must share a machine in the Active Directory environment you may want to enable Group Policy Loopback to promote conformity. Loopback processing changes where the User Configuration settings for a user come from. Normally the client applies the User Configuration of the GPOs scoped to the user's account (its OU, domain, and site). With loopback enabled, the client instead, or additionally, applies the User Configuration of the GPOs scoped to the computer account, so every domain user logging on to that machine receives the same set of user settings. Local users are not affected. Loopback is a computer setting, found under Computer Configuration | Policies | Administrative Templates | System | Group Policy as User Group Policy loopback processing mode, and it has two modes: Merge and Replace. Merge mode allows for the combination of two worlds. In the case of a Merge mode logon the following occurs:
1. The machine boots and the Computer Configuration settings are applied.
2. The user logs on and the User Configuration settings of the GPOs scoped to the user account are applied.
3. The User Configuration settings of the GPOs scoped to the computer account are applied.
Because the computer's GPOs are applied last they triumph in the case of a conflict. The result is a compilation of the two sets of User Configuration settings. Replace mode simply ignores the GPOs scoped to the user account and applies only the User Configuration settings obtained from the GPOs scoped to the machine. On a client you can confirm which mode is in force from the registry value UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace; the value is absent when loopback is not configured).
TEST DAY TIP When going through the exam questions do not try to apply the situations presented in the exam to your own work environment. The exam is attempting to test your knowledge of how the product works, not how you can make the product work for you. Your real-world experiences and implementations may differ greatly from the textbook recommendations. Stick to textbook recommendations for exam purposes.
GPO Templates
Group Policy Templates allow you to expand on the settings available in the GPOs in your environment. Because all environments will not have the same needs, Microsoft includes common settings in its GPOs out of the box. So, as you deploy new applications to your desktops, controlling them via Group Policy becomes a reality with the help of GPO Templates. Traditionally, Administrative Templates were the means of extending a GPO; Windows Server 2008 adds a new template format (.admx) and a new reusable object, Starter GPOs, alongside the long-standing Security Templates snap-in.
Administrative Templates
Administrative Templates enable you to expand the default settings of a GPO by importing configuration files. Administrative Templates are the largest section of a GPO that allows you to manipulate and configure settings on the machines and users in your environment. This is where you can mold the user experience and dictate settings and configurations for people logging on to machines in your domains. By default, Administrative Templates exist in both the User and the Computer Configuration sections of all Group Policies. Without additional configuration, the number of settings available for both User and Computer Configuration is immense. They cover almost every conceivable environment setting for both workstations and users, and you can add to the available settings list. As new products are deployed in your environment, you will want to be able to administer and configure these new products via GPOs. This is made possible with the .adm and .admx file types, which define additional registry-based settings that appear under the Administrative Templates sections of GPOs. Historically, you would download an .adm file from the vendor or the Internet and then import the file into a GPO in your environment. The import copied the .adm file into the Group Policy Template (GPT) folder of that GPO in SYSVOL, and SYSVOL replication (FRS, or DFS Replication in Windows Server 2008 domains) then passed it around to all the DCs in the domain. Every GPO that used the template carried its own copy, so in environments where many .adm files were utilized the result could be a very large SYSVOL and, potentially, inconsistencies in how GPOs applied due to replication issues caused by the SYSVOL size. Also, .adm files used their own custom markup language, which made them difficult to customize. With Windows Vista, Microsoft introduced two new file types for extending GPOs: .admx and .adml.
The .adml files are language-specific whereas the .admx files are language-neutral. The new .admx files serve the same purpose as the old-school .adm files, but they are stored and managed in a different way. The .admx files take advantage of XML for their formatting, which makes them much more customizable than their predecessors. Also, they are not copied into each GPO's template folder in SYSVOL. Instead, a single copy of each .admx and .adml file is kept in one place under SYSVOL called the Central Store (\\domainFQDN\SYSVOL\domainFQDN\Policies\PolicyDefinitions), which the editor reads for every GPO. This reduces the amount of overhead. The Central Store must be configured manually and is not set up by default (see Exercise 5.4 for steps). It is recommended that you use the DC that hosts the PDC Emulator role for the domain as the host for the Central Store. The Group Policy tools connect to the PDC Emulator by default and will use any .admx files existing in the Central Store in preference to the local %SystemRoot%\PolicyDefinitions folder of the administration workstation. Once the Central Store has been configured, its contents will be replicated to all other DCs in the domain along with the rest of SYSVOL.
EXERCISE 5.4 CONFIGURING THE CENTRAL STORE
1. Click Start | All Programs | Accessories | Windows Explorer.
2. In the Address bar type the following path: \\domainFQDN\SYSVOL\domainFQDN\policies. For example, \\The3Bears.com\SYSVOL\The3Bears.com\policies.
3. Right-click in the Details pane and click New | Folder.
4. Name the folder PolicyDefinitions (see Figure 5.27).
Figure 5.27 Creating the PolicyDefinitions Folder
5. Next, manually copy all .admx files from the %SystemRoot%\PolicyDefinitions folder of a Windows Vista (or Windows Server 2008) computer to the PolicyDefinitions folder on the DC.
6. If required, copy the language folders containing the .adml files (for example, en-US). Language files require the default folder structure to carry over when copied; an .admx file with no matching .adml for the editor's language produces an error when the GPO is opened in the Group Policy Management Editor.
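The steps above translate directly into a script, which is worth having because the Central Store has to be refreshed whenever Microsoft ships an updated ADMX set. The following PowerShell is an added example, not part of the book: it locates the PDC emulator, creates PolicyDefinitions under the domain's SYSVOL Policies folder if needed, copies the local %SystemRoot%\PolicyDefinitions tree (including the language subfolders) into it, and then checks that every .admx has at least one .adml. It assumes it is run on a Windows Vista or Windows Server 2008 machine by an account that can write to SYSVOL.

```powershell
# Added example, not from the book. Builds or refreshes the Central Store from this
# machine's local ADMX/ADML set and verifies each template has a language file.
$ad     = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domain = $ad.Name
$pdc    = $ad.PdcRoleOwner.Name      # GPMC connects to the PDC emulator by default

$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$pdc\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path -LiteralPath $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
    "Created Central Store at $store"
}

# Copy the .admx files and the language folders (en-US, ...) holding the .adml files.
# -Force overwrites older copies; SYSVOL replication carries the result to the other DCs.
Copy-Item -Path (Join-Path $source '*') -Destination $store -Recurse -Force

# Every .admx needs a matching .adml in at least one language folder, otherwise the
# Group Policy Management Editor reports a missing resource file for that template.
$admx = @(Get-ChildItem -LiteralPath $store -Filter *.admx)
$adml = Get-ChildItem -LiteralPath $store -Recurse -Filter *.adml |
        ForEach-Object { $_.BaseName } | Sort-Object -Unique
$missing = @($admx | Where-Object { $adml -notcontains $_.BaseName })

"{0} .admx files in the store, {1} without any .adml" -f $admx.Count, $missing.Count
$missing | ForEach-Object { "  no language file for $($_.Name)" }
```

Run it from the machine whose template set you trust, then open any GPO in the editor: the Administrative Templates node should report that its definitions were retrieved from the central store.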
EXAM WARNING
Remember that the new file format for Administrative Templates is .admx and that this format is XML-based. Only the Windows Vista and Windows Server 2008 Group Policy tools can read .admx files; down-level administration stations (Windows XP, Windows Server 2003) cannot. The settings themselves are written to the GPO's registry.pol as before, so the template format used to author a setting has no bearing on which clients apply it. You can still administer the old-school .adm files in a Windows Server 2008 environment. They will be given a separate subfolder, Classic Administrative Templates (ADM), in the Administrative Templates section of a GPO.
Security Templates
Security—everyone is concerned about security, and with due cause. One nice feature of Group Policy is the ability to configure Group Policy security settings uniformly across server types by taking advantage of Security Templates. Security Templates is a separate snap-in that you can access from a custom Microsoft Management Console (MMC). The snap-in allows you to build templates, which are stored in an .inf file format, which can be saved and later imported into GPOs anywhere in your environment. This creates reusability for security settings, but the snap-in does have some limitations. For instance, only a portion of the security settings are available to configure in the .inf files: Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System. Windows Server 2008 has a rich set of available settings, but because only this portion is exposed through the Security Templates snap-in, additional configuration of settings after an import may be required. To add the snap-in to a custom MMC follow these steps:
1. Click Start | Run.
2. In the Open dialog box type MMC and click OK.
3. In the Console window click File | Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box select Security Templates from the Available snap-ins: column and click Add (see Figure 5.28).
5. Click OK.
Figure 5.28 Adding the Security Templates Snap-in to a Custom MMC
Now that you have the Security Templates snap-in in your console window let's discuss what you are looking at. If you expand the Security Templates node you will see that below it is a folder icon with a folder path as its name. The default behavior of the Security Templates snap-in is to open a folder in the user profile called Templates. The folder is stored under the following path: C:\Users\%username%\Documents\Security\Templates. If you click on the folder it will not expand, because by default in Windows Server 2008 no templates exist. You need to create your own templates. You do this by right-clicking on the folder path and selecting New Template from the menu (see Figure 5.29). You must name your new template; you can also input a description if you want (see Figure 5.30). This will create an .inf file in the path specified for you to store your configured settings. This is the file you will need to locate once it is time to import the settings into a GPO (see Figure 5.31). The file path is in the logged-on user's profile, so it would be a good idea to centrally locate these files if they will be imported frequently, and to protect that location with NTFS permissions, since whoever can edit a template controls what gets imported into your GPOs. You can configure the Security Templates snap-in to point to any location in your environment. Follow these instructions to open a new template search path:
1. Right-click on the Security Templates node in the custom console.
2. Select New Template Search Path from the menu.
3. Browse to the location of the folder you would like to search.
4. Click OK.
Figure 5.29 Adding a New Template to the Security Templates Snap-in
Figure 5.30 Naming and Inserting Description Text into a New Security Template
Figure 5.31 The New Security Template and Its Corresponding .inf File
Okay, now that you have a new Security Template, you can go about configuring the settings. Not all of the GPO security settings are available in the Security Templates. Once you have configured your settings, be sure to save your template by right-clicking on the template and selecting Save. At this point, it is time to import your newly created template into the GPO of your choice. Importing is a one-time copy: later edits to the .inf file do not flow into the GPO until you import again, and the import merges with the GPO's existing security settings unless you check Clear this database before importing in the import dialog. To do so, start by opening the GPMC:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand your domain name—for example, The3Bears.com.
4. Expand Group Policy Objects and then right-click on the policy into which you wish to import your template.
5. Click Edit.
6. In the Group Policy Management Editor expand the Computer Configuration section (Security Settings can only be imported on the computer side).
7. Expand Policies | Windows Settings.
8. Right-click Security Settings and select Import Policy.
9. In the Import Policy From box browse to the location of your .inf file.
10. Select your .inf file and click Open.
11. Your settings have now been imported into the GPO. Browse the hierarchy to confirm that your settings have been imported.
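Before importing a template into a GPO it is worth knowing what it would change on the machines that will receive it. The template is just an .inf file, so you can write one by hand and use secedit, present on every Windows machine, to compare a host against it in analyze mode, which modifies nothing. The script below is an added example, not from the book; the settings in the template and the file names are placeholders chosen to illustrate the format.

```powershell
# Added example, not from the book. Writes a small Security Template and uses
# secedit /analyze (read-only) to list where this machine differs from it.
$tmpl = Join-Path $env:TEMP 'Baseline-Server.inf'
$db   = Join-Path $env:TEMP 'Baseline-Server.sdb'
$log  = Join-Path $env:TEMP 'Baseline-Server.log'

# Same .inf layout the Security Templates snap-in produces. The sections map to the
# snap-in's nodes: Account Policies, Local Policies (audit, user rights, options).
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
'@ | Set-Content -LiteralPath $tmpl -Encoding Unicode

# /analyze compares the live configuration with the template inside a scratch
# database; nothing is applied. /overwrite discards any earlier database content.
secedit /analyze /db $db /cfg $tmpl /log $log /overwrite
if ($LASTEXITCODE -ne 0) { throw "secedit failed ($LASTEXITCODE); see $log" }

# 'Mismatch'       = the machine is configured differently from the template
# 'Not Configured' = the template sets something the machine has no policy for yet
Get-Content -LiteralPath $log | Where-Object { $_ -match 'Mismatch|Not Configured' }
```

The template above grants Remote Desktop logon only to the built-in Administrators group (SID S-1-5-32-544) and requires SMB signing on the server side; run the analysis on one machine of each server type before importing the .inf into a GPO so the mismatch list does not surprise you after the next refresh.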
Starter GPOs
Administrators are more effective when they can quickly and accurately duplicate results. For those of you who are all about recycling and reusing, Starter GPOs are the ray of light you have been waiting for. A Starter GPO enables you to create a GPO with baseline settings. You can then select this GPO as a template for creation of new GPOs anytime thereafter. A limitation of the Starter GPO is that it can only store settings for user or computer Administrative Templates, and it cannot store Software Settings or Windows Settings. Software Settings allow you to deploy applications whereas Windows Settings contain configurations for settings such as security policies, scripts, and folder redirection. Most administrators shouldn't complain about this limitation, considering that Administrative Templates are the means to manage many major environment configurations and settings in a GPO.
Starter GPOs are not enabled by default.You must enable them in each domain by first creating a folder called StarterGPOs which is stored in the SYSVOL share on DCs. Creating the folder is a one-time process; after the folder has been established in a domain you can then add and remove Starter GPOs at will. The folder is created from the GPMC (see Exercise 5.5).
EXERCISE 5.5 ENABLING STARTER GPOS IN A DOMAIN
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management.
3. Expand the forest you wish to configure—for example, Forest: The3Bears.com.
4. Expand Domains.
5. Expand the domain you wish to configure—for example, The3Bears.com.
6. Click on the Starter GPO folder.
7. In the center pane you will see the button displayed in Figure 5.32 if you have not yet created the Starter GPO folder for this domain.
8. To create the Starter GPO folder, click the Create Starter GPOs Folder button one time.
Figure 5.32 Creating the Starter GPO Folder
You are now ready to rock and roll with Starter GPOs. Let's create one. Continue with these steps to create a Starter GPO:
9. Right-click the Starter GPO folder and select New.
10. In the New Starter GPO dialog box type a name for the new Starter GPO in the Name: box.
11. If desired, type a descriptive comment in the Comment: box, and click OK.
12. Your new Starter GPO appears below the Starter GPO node in the GPMC and is displayed on the Contents tab in the center pane.
Starter GPOs are a fabulous springboard for building a set of reusable policies that you can port all over your environment. Now that you can create new policies you are ready to go off and configure them. Once you consider your policies street-ready you can use them to create new policies (see Figure 5.33).
Figure 5.33 Utilizing a Starter GPO to Create a New Group Policy
In previous incarnations of Group Policy, the ability to easily port policies between domains was not readily available. You can export Starter GPOs to .cab files for portability. When you select the Starter GPOs node in the GPMC the Contents tab becomes visible in the center pane. This tab contains the options Load Cabinet and Save as Cabinet. These allow you to export individual Starter GPOs, port them to a new environment, and then import them, ready to go! Treat a .cab received from elsewhere like any other configuration you are about to push to every desktop: review its settings after loading it and before creating GPOs from it. You also have the option of backing up your Starter GPOs in one shot. Restoring them, though, is still a one-off process. The ability to limit who can create Starter GPOs in a particular domain is useful. To limit Starter GPO creation follow these steps:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management.
3. Expand the forest you wish to configure—for example, Forest: The3Bears.com.
4. Expand Domains.
5. Expand the domain you wish to configure—for example, The3Bears.com.
6. Click on the Starter GPO folder.
7. In the center pane click on the Delegation tab.
8. Use the Add and Remove buttons to adjust the list of delegated users or groups.
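Exercises 5.3 and 5.5 are both quicker, and more repeatable, from the GroupPolicy PowerShell module, which shipped with Windows Server 2008 R2 (and RSAT). The script below is an added example, not from the book: it creates a GPO from a Starter GPO, links it to the shared Accounting OU from the filtering discussion, and replaces the default Authenticated Users filtering with the Accounts Payable group. The Starter GPO, GPO, group, and OU names are placeholders in the The3Bears.com scenario, and the script assumes the Starter GPOs folder already exists (Exercise 5.5) and that the account running it can create and link GPOs.

```powershell
# Added example, not from the book. Needs the GroupPolicy module (Windows Server
# 2008 R2 / RSAT or later) and rights to create and link GPOs in the domain.
Import-Module GroupPolicy

$starterName = 'Corp Desktop Baseline'              # Starter GPO: Administrative Template settings only
$gpoName     = 'Accounts Payable Software'
$targetOU    = 'OU=Accounting,DC=The3Bears,DC=com'  # AP and AR users share this OU
$applyTo     = 'AP Users'                           # group holding the Accounts Payable users

# Create the Starter GPO if it is not there yet (the StarterGPOs folder must already exist)
if (-not (Get-GPStarterGPO -Name $starterName -ErrorAction SilentlyContinue)) {
    New-GPStarterGPO -Name $starterName -Comment 'Baseline Administrative Template settings' | Out-Null
}

# New GPO seeded from the Starter GPO, then linked to the shared OU
New-GPO -Name $gpoName -StarterGpoName $starterName -Comment 'Deploys AP software; filtered to AP Users' | Out-Null
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null

# Security filtering, the scripted form of Exercise 5.3: drop the default
# Authenticated Users (Read + Apply) and grant Apply to the AP group only.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $applyTo -TargetType Group -PermissionLevel GpoApply | Out-Null
# Keep Read for computer accounts: since the June 2016 update MS16-072 clients fetch
# user policy in the computer's security context, and a GPO the computer cannot read
# silently stops applying its user settings.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# Verify: exactly one trustee should hold GpoApply and no Deny entries should be present
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, TrusteeType, Permission, Denied |
    Format-Table -AutoSize
```

The final listing is the same information the GPMC Delegation tab shows; keep it with your change record so the intended filtering can be compared against the ACL later.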
Configuring & Implementing … Enabling Starter GPOs
In many environments, multiple domains exist. In some environments, multiple forests exist. In general, it is not recommended that you link GPOs across domain boundaries, even though this is possible. The biggest reason for this is that because GPOs are stored on DCs, for the GPO to be downloaded from a different domain, authentication across the trust relationship must succeed to gain access to the GPO on the DC in the other domain. By having to cross the trust relationship between the domains, you are adding processing time to the user's logon or to the machine's boot-up process. Another potential issue is that if a DC of the other domain is not locally available, the wait time is extended because the policy must be fetched across the WAN. These are just a few reasons why applying GPOs across domains isn't recommended. Linking a GPO to a container in another forest is simply not possible. So, what is the solution if you have similar needs across the enterprise? Starter GPOs. With Starter GPOs you now can create a baseline GPO and port it to wherever it is needed. Once you import the .cab file into the other domain or forest, you can use it to create GPOs in the domains in which they will be applied. This is a huge advantage over previous implementations of Group Policy, where administrators striving for consistency in large environments had a largely uphill battle.
Summary of Exam Objectives
Group Policy is a powerful tool that you can use to lock down and configure many different aspects of your environment. Two major kinds exist:
■ Local Group Policies
■ Non-Local Group Policies
Local Group Policies contain settings that apply to user accounts on the local machine as well as local computer settings. With Windows Vista and Windows Server 2008, Multiple Local Group Policies can be configured. Multiple Local Group Policies allow you granularity by giving you additional policies based on user type. Non-Local Group Policies exist in an Active Directory domain and are stored on Domain Controllers. Settings within GPOs come in two flavors: User Configuration and Computer Configuration. Within each flavor at the domain level are Policies and Preferences. Policies are enforced and Preferences are only set. Users can adjust preference settings after they are configured on their machines. They cannot adjust policy settings. GPOs can be created, created and separately linked, or created and linked in one action. GPOs can be applied at the Site, Domain, or OU level. All policies inherit down the tree structure from where they are applied—always down. You can control that behavior by using GPO features such as Block Inheritance, Enforce, and Filtering. Block Inheritance will prevent all policies from parent OUs from inheriting. The only exception to that is a policy configured with Enforce. Enforce is configured per policy and it will barrel through Block Inheritance. Enforce always wins in the event of a conflict regardless of where the Enforce originates—above or below the conflicting policy. If two policies configured with Enforce conflict, the one higher in the tree structure wins. Policies are extensible and additional configuration settings are made available through .adm and .admx files. The .adm files are the traditional administrative files and they contain additional settings, usually application-specific. They use a custom markup language and are stored with the policies GPT of a GPO within SYSVOL. The .admx files use an XML format and are stored in a Central Store within SYSVOL. 
Security Templates and Starter GPOs assist in duplicating administrative effort across the enterprise. Security Templates are stored in an .inf file format and can be imported into GPOs for uniform application of security settings. Starter GPOs allow the creation of baseline GPOs. They can be exported to a .cab file format and ported to different domains and forests easily.
Exam Objectives Fast Track
Types of Group Policies
■ MLGPOs allow further customization of traditional LGPOs by segmenting the User Configuration into user types. They do not affect domain users.
■ GPOs now have Preference settings. These are set, but not enforced.
■ Preferences can be configured to target very specific audiences for their settings.
Group Policy Hierarchy
■ The policy processing order is Site, Domain, and then OU.
■ Site-level policies can span multiple domains. New policies created at the Site are stored in the root of the forest.
■ All policies inherit down the tree structure by default.
Creating and Linking Group Policy Objects (GPOs)
■ Policies can be created without being linked.
■ Policies can be linked in multiple locations within Active Directory.
■ Permissions can be configured to restrict who can create and link.
Controlling Application of Group Policies
■ Enforce always wins and is set at the policy level.
■ Block Inheritance is set at the OU level and blocks all parent policies except ones configured with Enforce.
■ Filtering can be applied via Security or WMI.
GPO Templates
■ ADMX files are the new Administrative Template type and are XML-based files.
■ Security Templates allow you to create reusable settings to be imported into any GPOs in the environment.
■ Starter GPOs are not enabled by default and are used as templates for future GPOs.
Exam Objectives Frequently Asked Questions
Q: What is Group Policy and why is it used?
A: A Group Policy is a collection of settings and configurations that can apply to either a computer or a user and works together to establish a user's working environment. Administrators can utilize Group Policy to enforce restrictions, provide software, or even configure security settings in their environment.
Q: Can Group Policy contain application-specific content? A: Yes, Group Policy can be extended for specific applications by either importing .adm files or taking advantage of the new .admx file format for Windows Vista or Windows Server 2008 to make settings available. Not all applications will have existing available .adm or .admx files.
Q: What is a Starter GPO and what is it for?
A: A Starter GPO is a policy that allows the administrator to create a baseline which contains frequently used settings. This policy provides reusability because it can be used as a starting point when creating additional GPOs in the organization, therefore reducing administrative effort.
Q: What is new with Group Policy in Windows 2008?
A: Windows 2008 has the following new features to offer in Group Policy:
■ Comments for GPOs and policy settings
■ New ADMX file format for Administrative Template settings
■ Starter GPO capabilities
■ Preferences
■ Network Location Awareness
■ Multiple Local Group Policies
Q: Will I actually use settings such as Block Inheritance and Enforce?
A: It depends on the environment you are administrating. Some environments are somewhat simple and do not require these advanced configurations. Others are more complex or may have poorly designed OU infrastructures, warranting the need.
Q: What exactly is a Computer Loopback policy?
A: A Computer Loopback policy is a policy that allows you to control where the user settings that apply to a particular machine come from. The user settings applied to the machine are pulled from the computer policy affecting the machine. The user settings from within the computer policy are either merged with the user’s settings or replace them. In environments where public machines exist, this policy will come in very handy. Companies that commonly have kiosks and public access computers, such as lab environments or libraries, will find these policies useful.
Self Test

1. A Charlotte user who recently transferred into the Accounts Payable department from the Accounts Receivable department in your company submits a help desk ticket complaining that she is not able to access her Control Panel on her computer. Upon further questioning, you discover that the user was able to access her Control Panel the previous week. Upon coming in Monday morning, she logged on to her workstation and it reportedly took longer than usual to get to the desktop. Her Group Policy infrastructure is depicted in Figure 5.34.
Figure 5.34 Charlotte User’s Accounting Hierarchy
What is the most probable cause for the missing Control Panel on the user’s workstation?
A. The user is logged on with cached credentials. She must log off and back on again to download the proper policy.
B. The user requires local Administrator rights on her machine to view the Control Panel.
C. The user account has been moved into the Accounts Payable OU and is now receiving policies that it didn’t before.
D. The machine account has been moved into the Accounts Payable OU and is now receiving policies that it didn’t before.

2. A new requirement has come down from The 3 Bears, Inc. headquarters that requires all users to have a home page of www.the3bears.org. You create a new policy and configure the Internet Explorer Maintenance setting which will set the IE home page. What would be the best approach to take in applying this new policy?
A. Link the policy to the OUs in the domain that contain user accounts
B. Link the policy to the domain and configure the machine OUs to Block Inheritance
C. Link the policy to the domain and configure the policy to Enforce
D. Link the policy to the domain

3. In your Windows 2008 Active Directory environment, you configure printer mappings via logon scripts. The number of printers and the complexity of managing the scripts are getting difficult to handle as the company grows. You have built multiple Group Policies, each with a logon script for each set of printers. You link the policies to OUs as departments request access to the printers. What is the best way to adjust your administration of printers to reduce configuration issues and lower administrative overhead?
A. Create a single Group Policy, apply it at the domain level, and add a single logon script which contains all the printers in the environment.
B. Create multiple Group Policies, apply them at the OU level for each department, and configure Preferences for each required printer.
C. Create a single Group Policy and apply it at the domain level. Configure Preferences for each required printer. Use item-level targeting to apply the printers to the server IP addresses.
D. Create a single Group Policy and apply it at the domain level. Configure Preferences for each required printer. Use item-level targeting to apply the printers to the departmental security groups.

4. Darien is a new member of the Web Services team at your company. He is going to be responsible for running and testing scripts for an in-house homegrown application which requires a special application that is deployed via Group Policy. The first time he logs on to the domain he does not receive the software package. You verify that his user account is in the proper OU. What could be causing Darien not to receive the GPO with the software policy?
A. Security filtering has been enabled on the GPO and Darien is not a member of the proper group
B. WMI Filtering has been enabled on the GPO and Darien is not a member of the proper group
C. Darien must be a local administrator on his machine to download a GPO with a software package in it
D. Darien’s user account has Block Inheritance configured on it and therefore he cannot download the policy

5. What is the difference between Policies and Preferences in a Group Policy?
A. Preferences are set, and Policies are enforced
B. Preferences can be modified only by administrators, and policies can be modified by anyone, including users
C. Preferences are enforced, and Policies are set
D. B & C

6. Your Active Directory hierarchy is depicted in Figure 5.35. Which policies affecting the San Fran Office OU can have their settings overwritten in the event of a conflict?
Figure 5.35 Active Directory Hierarchy
A. Default Domain Policy, Desktop Lockdown Policy
B. Desktop Lockdown Policy
C. Company Wallpaper Policy, Accounting SW, Accounting Desktop Lockdown Policy
D. Accounting SW, Accounting Desktop Lockdown Policy, Default Domain Policy, Desktop Lockdown Policy

7. Maria is looking for the best method to standardize her GPO creation methods. Currently she prints all the settings in GPOs she would like to duplicate and then manually re-creates the OU. What features in Windows Server 2008 could Maria take advantage of to assist with her GPO creation standardization?
A. Filtering
B. Starter GPOs
C. Security Templates
D. A & C
E. B & C

8. SueyDog Enterprises will soon be deploying Microsoft Office Communicator into its environment. All of its DCs are running Windows Server 2008. Their administrator, Matthew, is attempting to prepare for the new product by creating a GPO and exploring the available settings. He creates a new policy and proceeds to expand each section of the policy, looking for the section containing the Microsoft Office Communicator settings. He can’t seem to locate the settings for Microsoft Office Communicator. What should Matthew do to gain the settings he seeks?
A. Download the appropriate .adm file and import it into the new GPO
B. Install Microsoft Office Communicator on the DC to make the setting available
C. Download the appropriate .admx file and import it into the new GPO
D. Download the appropriate .adm file and place it in the Central Store

9. Joey is going to be migrating his Lotus Notes environment into his newly established Windows Server 2008 forest. He has guidance on what he will require for Group Policy settings for the different teams and departments. He has not yet created his OU structure. How should Joey proceed in creating the required GPOs?
A. Create stand-alone GPOs
B. Create the GPOs at the Domain level
C. Create the GPOs at the Site level
D. Wait to create the GPOs until the OU structure is in place

10. You work for a large hospital. The main users in the hospital are nurses and doctors. Because they are always on the go, you set up kiosk stations throughout the hospital for them to log on to and check Web mail or access applications. The kiosks share one user logon, and the nurses and doctors use their personal accounts to gain access to resources via a browser interface which prompts them for credentials. One morning a nurse logs onto a kiosk machine and is greeted by extremely offensive wallpaper. How would you utilize Group Policy to prevent this from happening in the future?
A. Create a Group Policy and apply it to the nurses’ and doctors’ user accounts. Disable Display Settings.
B. Create a Group Policy and apply it to the nurses’ and doctors’ user accounts. Configure Loopback Processing in Replace mode.
C. Create a Group Policy and apply it to the kiosk machines. Configure the wallpaper to the company logo and disable Display Settings.
D. Create a Group Policy and apply it to the kiosk machines. Configure Loopback Processing in Replace mode.
Self Test Quick Answer Key

1. C    6. D
2. C    7. E
3. D    8. A
4. A    9. A
5. A   10. D
Chapter 6
MCTS/MCITP Exam 640 Configuring Group Policy
Exam objectives in this chapter:
■ Configuring Software Deployment
■ Configuring Account Policies
■ Configuring Audit Policies
■ Configuring Additional Security-Related Policies

Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Chapter 6 • Configuring Group Policy
Configuring Software Deployment

You can use group policy to manage the entire software life cycle, at both the user and the computer levels. Microsoft divides this life cycle into four phases:
■ Preparation Considerable planning should go into how group policy is used to deploy applications. Important considerations include who should be allowed to manage the process, and at what level; where the installation files should be located; whether the software needed for group policy deployment is available from the software manufacturer or must be created; whether to use existing or new Group Policy Objects (GPOs); whether to dedicate GPOs exclusively to software deployment; where and how to link the GPOs into the Active Directory structure to ensure maximum effectiveness; and so forth. The good news for you is that this is primarily a configuration exam. Although it’s important for you to be aware of these types of “big picture” planning items, you’re unlikely to be tested on them.
■ Deployment The bulk of your test preparation should center on this information, which deals with the actual configuration of the group policy and file system components for software deployment. This involves creating a software distribution point, creating the necessary GPOs, linking the GPOs into Active Directory, and configuring them.
■ Maintenance Maintenance refers to fixing problems with, patching, or upgrading applications that are already deployed. Software deployment in group policy is well thought out and allows these types of issues to be handled easily.
■ Removal The final part of the life cycle involves how to deal with software that is no longer needed. Virtually all possible scenarios for this are accommodated in group policy, including optional and forced removal from users and computers.
Installation Overview

Regardless of the type of installation being performed, using group policy for software installation requires three major steps:
1. Creation of a software distribution point
2. Selecting or creating a GPO
3. Configuring the GPO’s properties

Unless the GPO is going to apply to only a single computer, the installation files must be shared from a network location. It’s important to ensure that the appropriate permissions have been set up on the share. Administrators or others who will actually maintain the installation files should have full access to the share, but the users or computers for which the policy will be effective require only read-level access. Generally you don’t want users to be able to alter these installation files, because doing so would affect all future installs. The share and its installation files can be located on any computer that is accessible via Windows networking.
Head of the Class…

Advanced Software Distribution Point Recommendations

Microsoft makes several advanced recommendations regarding software distribution shares, including using a domain-based Distributed File System (DFS) root to take advantage of its centralization, redundancy, and load-balancing features; organizing installation folders by application for ease of management; configuring NTFS permissions in addition to share-level permissions; and auditing object access for the installer files to make it easier to track their use.

By far, one of the most practical recommendations Microsoft makes is the use of hidden shares. By adding a dollar sign ($) to the end of a share name (e.g., software$), you hide the share from users who browse the network. You can still access it directly by typing in the full path (e.g., \\servername\software$). Software distribution points often include installation files for applications to which users do and do not require access. To ease complexity, administrators typically assign read-level permissions to the software distribution point, which enables users to access installation files that relate to them, as well as those that don’t. Under normal circumstances, users can browse the network, find these files, and manually install them—potentially using more licenses for an application than the organization has purchased. Using a hidden “$” share is one way to prevent this without having to use a more complex permissions configuration.
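The following PowerShell script is an added example; it is not from the book or from Microsoft, and it builds a distribution point the way the sidebar recommends: a hidden share name, read-only share and NTFS access for the accounts that apply the policy, full control only for the maintainers, and an audit entry on the installer files. It assumes Windows Server 2012 or later (the SmbShare cmdlets are not present on Server 2008, where net share does the same job), an elevated session, and the placeholder path D:\Software and group CONTOSO\Software Admins.

```powershell
# Added example (not from the book or from Microsoft): builds a software distribution
# point following the sidebar's recommendations. Assumes Windows Server 2012 or later
# (SmbShare cmdlets), an elevated session, and the placeholder path and group names below.

$SharePath = 'D:\Software'                        # placeholder local folder
$ShareName = 'software$'                          # trailing $ keeps it out of browse lists
$Admins    = 'CONTOSO\Software Admins'            # placeholder group that maintains installers
$Readers   = 'NT AUTHORITY\Authenticated Users'   # covers user AND computer accounts applying the GPO

function New-DistributionPoint {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$MaintainerGroup,
        [Parameter(Mandatory)][string]$ReaderGroup
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # NTFS permissions: drop inherited entries, then grant explicit least-privilege rights.
    # (OI)(CI) apply the entry to files and subfolders; F = full control, RX = read and execute.
    icacls $Path /inheritance:r | Out-Null
    icacls $Path /grant "${MaintainerGroup}:(OI)(CI)F" "${ReaderGroup}:(OI)(CI)RX" 'SYSTEM:(OI)(CI)F' | Out-Null

    # Share permissions mirror the NTFS split; effective access is the more restrictive of the two.
    if (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue) { Remove-SmbShare -Name $Name -Force }
    New-SmbShare -Name $Name -Path $Path -FullAccess $MaintainerGroup -ReadAccess $ReaderGroup | Out-Null

    # SACL: record successful reads of the installer files. Entries reach the Security log only
    # once "Audit object access" (or its File System subcategory) is enabled by audit policy.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DistributionPoint {
    # Checks the two properties of a hidden share: absent from the browse list, reachable by path.
    param([Parameter(Mandatory)][string]$Name)
    $browse   = net view "\\$env:COMPUTERNAME" 2>$null
    $listed   = [bool]($browse -match [regex]::Escape($Name))
    $resolves = Test-Path -Path "\\$env:COMPUTERNAME\$Name"
    [pscustomobject]@{ Share = $Name; InBrowseList = $listed; ResolvesByPath = $resolves }
}

New-DistributionPoint -Path $SharePath -Name $ShareName -MaintainerGroup $Admins -ReaderGroup $Readers
Test-DistributionPoint -Name $ShareName
Get-SmbShareAccess -Name $ShareName   # shows the Read / Full split on the share itself
```

Authenticated Users is used for the read-only entry because a package assigned to computers is fetched in the computer's own security context, and domain computer accounts are members of that group. The dollar sign only hides the share from browse lists; anyone who learns the name can still open it, so the NTFS and share ACLs, not the name, are the actual access control, and the audit entry is what lets you see who read which installer.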
Step two deals with selecting or creating a GPO. Earlier in this book, you learned to create and link GPOs within Active Directory. You also learned about the Active Directory hierarchy. This should be all that you really need for this type of exam, because it is configuration-based.

Step three deals with configuring the GPO’s properties. Software group policy is powerful and can be quite complex. In addition to options for managing the software life cycle, you can use a variety of methods for initial software deployment. As mentioned previously, you can deploy software at the computer or user level. You also can publish or assign it. The combinations of these two elements can get tricky because software can be published or assigned to users, but only assigned to computers. Let’s briefly examine the differences between these two options before exploring how to configure them.

When software is published to a user, it is not installed automatically. A user can install published software in two ways, and group policy can be configured to disable either or both methods:
■ File association Clicking on a file type that is associated with a published program will download and install it. For example, if Microsoft Excel is published to a user but not installed on the computer being used, when the user clicks on a file that is associated with Excel the program will be downloaded, installed, and opened with the file displayed in it.
■ Control Panel When a program is published to a user but not installed, the user can manually install it from Programs and Features in Windows Vista or Add or Remove Programs in earlier versions of Windows.
Assigned software may or may not be automatically installed by group policy. When software is assigned to a computer it is automatically installed before a user is allowed to log on. When assigned to users, the default is for it not to install automatically; however, a configuration option is available to enable this. If this option is selected, the software is installed before the user’s logon completes and allows him or her to use the computer. If software is assigned to a user but not automatically installed, there are three ways the user can install the software:
■ File association Clicking on a file type that is associated with an assigned program will download and install it. For example, if Microsoft Excel is assigned to a user but not installed on the computer being used, when the user clicks on a file that is associated with Excel the program will be downloaded, installed, and opened with the file displayed in it.
■ Control Panel When a program is assigned to a user but not installed, the user can manually install it from Programs and Features in Windows Vista or Add or Remove Programs in earlier versions of Windows.
■ Start menu and Desktop shortcuts When software is assigned to a user, shortcuts can be added to the user’s Start menu and Desktop. On the surface, it appears that the program is installed. When the user clicks one of these shortcuts, the files download from the software distribution point and installation begins.
EXAM WARNING

One often overlooked detail about computer software assignment is that you cannot assign software to a domain controller (DC). Be sure to carefully examine questions that show an Active Directory hierarchy that includes computer accounts for DCs in it, and ask whether the computer software assignment policy settings will apply to all computers in the hierarchy.
Let’s examine how to configure assigning and publishing software.
Publishing to Users

As discussed, publishing an application makes it available to users through file association (also called document activation) and the Control Panel. This is a great way to ensure that software is available if needed, without making it obvious to users. If you work in an organization where users like to install software that has not specifically been given to them, this could be an option for you to consider, because unnecessarily installed software can increase support costs. The following procedure demonstrates how to publish software to users:
1. Create a shared folder, assign the appropriate permissions to it, and copy your installation files to it.
2. Open the GPO you are using to publish the software for editing using the Group Policy Management Editor.
3. Expand User Configuration | Policies | Software Settings and right-click on Software installation.
4. Select New | Package, as shown in Figure 6.1.
Figure 6.1 The Software Installation Context Menu
5. In the Open dialog box that appears, enter the location of the MSI file in the text box in the top-left corner, as seen in Figure 6.2 (in this case, \\syngress-server\Programs\Cosmo1). Then select the appropriate installation file (here, cosmo1.msi) and click Open. Remember that the installation files, including the MSI file, should be network-accessible. If you do not enter a network path, Windows Server 2008 will request one. Though you can continue with the process using a local path, the installation files will then be accessible only to the server on which they are stored.
6. Ensure that the Published option is selected in the Deploy Software dialog box, and click OK (see Figure 6.3).
Figure 6.2 Selecting the Installation File
Figure 6.3 Publishing the Software
7. The package should appear in the right side of the Group Policy Management Editor screen.
Assigning to Users

Generally you assign software to users for two reasons. First, you may want the software to appear as already installed and available. You can make Start menu and Desktop shortcuts available when assigning software to users, even though the software isn’t actually installed. In larger organizations, the demands of installing software across the network can place a serious burden on available resources. Today’s applications can be sizable. If 200 users all boot up their computers at approximately the same time, such as first thing in the morning when they arrive for work, each initiating a group policy software deployment, both the network and the server resources can be adversely affected. Advertising the software to users ensures that the application appears to be available, but does not initiate the installation process until the user attempts to launch the software. If the application is not used by everyone first thing in the morning, to continue with our example, assigning software in this way can stagger the server and network load used during installation.

You might also want the software to automatically install and be available on every computer a user logs on to (see Exercise 6.1). Although you have to be careful that it does not place an undue burden on the software distribution server or network, this option is much more user-friendly. The reality is that it can be confusing for users when they double-click an icon for what appears to be an installed application, and have an unfamiliar process occur that does not appear to be opening the application. This can increase the load on support resources if these users contact their IT support person or help desk for assistance. Additionally, users who are not required to wait for software installation are more productive, because the application opens immediately and they can continue working without interruption.

Another consideration is the number of applications that are assigned per user. It might be advisable to have the most frequently used or critical applications install immediately, and the less frequently used applications be advertised with Desktop or Start menu shortcuts. Assigning too many applications for automatic installation may cause a long delay in the login process because the user’s desktop will not be made available by default until all applications are installed. Installation of several large software packages, such as Microsoft Office, could delay the user’s login by a half hour or more.
The following steps demonstrate the default installation procedure for assigning software to users, which does not automatically install the software prior to their logging on:
1. Create a shared folder, assign the appropriate permissions to it, and copy your installation files to it.
2. Open the GPO you are using to assign the software for editing using the Group Policy Management Editor.
3. Expand User Configuration | Policies | Software Settings and right-click on Software installation.
4. Select New | Package, as shown earlier in Figure 6.1.
5. In the Open dialog box that appears, enter the location of the MSI file in the text box in the top-left corner, as seen earlier in Figure 6.2 (in this case, \\syngress-server\Programs\Cosmo1). Then select the appropriate file (here, cosmo1.msi) and click Open. Remember that the installation files, including the MSI file, should be network-accessible.
6. Ensure that the Assigned option is selected in the Deploy Software dialog box, and click OK (see Figure 6.4). The package should appear in the right side of the Group Policy Management Editor screen.
Figure 6.4 Assigning the Software
By default, assigning software to users does not automatically install the software on every computer the user logs on to. In Exercise 6.1, you’ll configure a GPO that assigns software to a user for automatic installation. Ideally, you’ll need to set up the following before beginning the exercise:
■ A shared folder containing your installation files. You’ll need at least one file with an MSI file extension in this folder. If you can’t think of one to use, Windows Server 2008 installations generally contain a few. If you go to Start | Computer and search for *.msi you can copy one to your shared folder. Be sure to copy, not move, the file!
■ A GPO which you’ve set up and configured for use.
EXERCISE 6.1 ASSIGNING SOFTWARE TO USERS FOR AUTOMATIC INSTALLATION

1. Open the GPO you are using to assign the software for editing using the Group Policy Management Editor.
2. Expand User Configuration | Policies | Software Settings and right-click on Software installation.
3. Select New | Package, as shown earlier in Figure 6.1.
4. In the Open dialog box that appears, enter the location of the MSI file in the text box in the top-left corner, as seen earlier in Figure 6.2, and click Open. Remember that the installation files, including the MSI file, should be network-accessible.
5. Ensure that the Advanced option is selected in the Deploy Software dialog box, and click OK (see Figure 6.5).
Figure 6.5 Selecting the Advanced Option
6. In the Properties dialog box which comes up, select the Deployment tab.
7. Select the following two options (see Figure 6.6):
■ Assigned (under Deployment type)
■ Install this application at logon (under Deployment options)
Figure 6.6 Configuring the Deployment Properties
8. Click OK.
9. The package should appear in the right side of the Group Policy Management Editor screen.
Assigning to Computers

Sometimes it is desirable to ensure that one or more applications are always available on a computer, regardless of who logs on to or uses it. Some computers are not assigned to a specific user, so the software assigned to them is not related to just one user. These computers are often shared among members of a work area or are meant as accessible systems for a certain class of users. Examples include a computer located in the lobby of a large corporation that is used to look up company information and stock data, a computer shared by personnel on a loading dock that contains shipment tracking information, or a workstation used by students in a computer lab. To accomplish this, assign the software to a GPO that applies to the computer or computers it should affect. Remember, at the computer level software can be assigned but not published. Computer policies are applied before user policies, so assigning software to computers using group policy installs the software before any user has the opportunity to log on.

Prior to assigning the software, you should select or create the GPO which will contain it. You may link that GPO to an Active Directory container before or after configuring the software assignment, though it is generally a good idea to ensure that the software assignment is made available only after it has been thoroughly tested. The following procedure demonstrates how to assign software to computers:
1. Create a shared folder, assign the appropriate permissions to it, and copy your installation files to it.
2. Open the GPO you are using to assign the software for editing using the Group Policy Management Editor.
3. Expand Computer Configuration | Policies | Software Settings and right-click on Software installation.
4. Select New | Package, as shown in Figure 6.7.
Figure 6.7 The Software Installation Context Menu
5. In the Open dialog box that appears, enter the location of the MSI file in the text box in the top-left corner, as seen earlier in Figure 6.2 (in this case, \\syngress-server\Programs\Cosmo1). Then select the appropriate file (here, cosmo1.msi) and click Open. Remember that the installation files, including the MSI file, should be network-accessible.
6. Ensure that the Assigned option is selected in the Deploy Software dialog box, and click OK (see Figure 6.8). The package should appear in the right side of the Group Policy Management Editor screen.

Figure 6.8 Assigning the Software
Maintenance

Over the course of an application’s useful life, it may be necessary to apply service packs to the software, to upgrade it to new versions, and to repair it following virus outbreaks or other unforeseen issues. Group policy accommodates each of these scenarios. The two options Microsoft provides are redeploying and upgrading software. Redeployment is commonly used to fix problems with existing installations, such as the previous virus example, and to deploy service packs. Upgrading is typically reserved for major new version releases of an existing, installed software package.
Redeploying Software

When you need to reinstall software rather than upgrade versions, redeployment is used. If you are using it to fix problems with an existing installation, such as missing files, the original MSI file that is stored on the software distribution point is typically used. When a service pack is being applied, this MSI file is replaced with an updated one, and the updated or additional installation files are added to the original software distribution point location. The MSI file tells the Windows Installer what to do, so simply adding the updated install files is not enough. The correct “instruction” file must also be provided.

Software redeployment is dependent upon how the original package was deployed. If the software was assigned or published to a user, the redeployment will occur after the user’s next logon, the next time he or she attempts to use the software. If it is assigned to a computer, the redeployment will automatically occur the next time the computer starts. The following procedure demonstrates how to use the redeployment feature:
1. If applying a service pack, obtain the appropriate files from the software vendor and copy them to the software distribution point. Ensure that permissions are set so that the users or computers which will be reinstalling the software can read them.
2. Open the GPO you are using to assign the software for editing using the Group Policy Management Editor.
3. Navigate to and right-click on the package you want to redeploy, and select All Tasks | Redeploy application. See Figure 6.9.
Figure 6.9 Selecting the Redeploy Option
4. When asked to verify redeployment, click Yes (see Figure 6.10).

Figure 6.10 Verifying Redeployment
Upgrading Software

Microsoft provides two methods for upgrading software using group policy: mandatory and optional. Optional upgrades allow users to continue to use their existing version of the software. If they choose, they can update the software using Programs and Features in Windows Vista or Add or Remove Programs in previous versions of Windows. Mandatory upgrades automatically trigger the software update. If the update is assigned to a computer, it is applied the next time the computer starts up. If it is assigned or published to a user, it occurs at the next logon before the user is able to use the system. You can only upgrade software that was originally installed using group policy. In addition, the original deployment object must still exist under Software installation in the GPO. The following procedure demonstrates how to upgrade software:
1. Deploy the next version of the software by assigning it to users or computers, or publishing it for users, as required. See the previous examples in this chapter. When done you should have software deployment objects for both the original and the new versions in the right pane of the Group Policy Management Editor, as shown in Figure 6.11.
Figure 6.11 Original and Upgrade Deployment Packages
2. Right-click on the upgrade package (here, Cosmo 2) and click Properties.
3. In the Properties dialog box, select the Upgrades tab and click Add. See Figure 6.12.
Figure 6.12 Properties Dialog
4. In the Add Upgrade Package dialog box (see Figure 6.13), select the deployment package for the original version of the application in the Package to upgrade box (here, Cosmo 1). If the package you want to upgrade does not appear, it is probably because it is configured in a different GPO. You don’t need to configure the upgrade package within the same GPO as the version being updated. For example, you may be transitioning to a new set of GPOs as part of the software upgrade process, with the plan to eventually delete the older GPOs. Or you may want to have multiple GPOs so that they can be managed by different administrators. If this is the case, you can click Browse in the Choose a package from section at the top of the Add Upgrade Package dialog box, and locate the package you are updating in another GPO. Note that this dialog also contains the following two options:
■ Uninstall the existing package, then install the upgrade package Some software upgrades will require that the current version of the application be uninstalled before the upgrade is installed. If that is the case, select this option (the default).
■ Package can upgrade over the existing package Many upgrades are designed to install over the top of an existing installation. This is not the default setting for upgrades using group policy, so be sure to manually select it here.
Figure 6.13 The Add Upgrade Package Dialog
5. Click OK to return to the Properties dialog box. It should now list the package that this version upgrades (see Figure 6.14).
Figure 6.14 The Updated Properties Dialog
6. If you want the update to be mandatory instead of optional, select Required upgrade for existing packages. The default is unselected, making the upgrade optional.
7. Click OK to close the Properties dialog and complete the configuration.
Removing Software Deployed with Group Policy
The final stage of the software life cycle is removal. Group policy provides two methods of software removal: forced and optional. As you might guess, forced removal does not give users the option of keeping the software loaded on their computers, whereas optional removal does. In addition to removing any installed software, both options also remove the user's ability to reinstall the software through group policy, unless it is published or assigned again through group policy. It's important to note that this does not prevent users from installing the software manually. If they have the installation media or can access the network location containing the install files, they can reinstall the software. This option simply removes the option for them to use the methods provided by software assigning and publishing in group policy.
Forced Removal
Forced removal works differently depending on whether the software was published or assigned to a user or computer. If assigned to a computer, the software will be removed on the next reboot before a user is allowed to log on. If assigned or published to a user, the software will be removed during the user's next logon before he or she is fully logged on and able to use the system. The following procedure demonstrates how to force removal of software that was assigned or published through group policy:
1. Open the GPO for editing using the Group Policy Management Editor.
2. If the software is assigned to a computer, expand Computer Configuration | Policies | Software Settings and right-click on Software installation. If the software is assigned or published for users, expand User Configuration | Policies | Software Settings and right-click on Software installation.
3. In the right pane, right-click on the deployed application and select All Tasks | Remove. See Figure 6.15.
Figure 6.15 Selecting Remove
4. In the Remove Software dialog box, choose the Immediately uninstall the software from users and computers option (note that this is the default option). See Figure 6.16.
Figure 6.16 Forcing Removal
5. Click OK.
Optional Removal
Optional removal leaves the software installed on the users' computers until they manually remove it, typically by using Programs and Features in Windows Vista or Add or Remove Programs in previous versions of Windows. The following procedure demonstrates how to use the optional removal feature for software that was assigned or published through group policy:
1. Open the GPO for editing using the Group Policy Management Editor.
2. If the software is assigned to a computer, expand Computer Configuration | Policies | Software Settings and right-click on Software installation. If the software is assigned or published for users, expand User Configuration | Policies | Software Settings and right-click on Software installation.
3. In the right pane, right-click on the deployed application and select All Tasks | Remove. Refer back to Figure 6.15.
4. In the Remove Software dialog box, choose Allow users to continue to use the software, but prevent new installations. See Figure 6.17.
Figure 6.17 Selecting Optional Removal
5. Click OK.
TEST DAY TIP One nice feature of Windows installer (MSI) files is that software installed with them can be self-healing. If an error occurs, as long as the original installation software is available these applications can often compare their current state to the original and correct any differences. Even if optional removal is used, this self-healing capability is retained as long as the application remains installed, it was installed from an MSI file, and it still has access to the original installation software. It is recommended that you not remove these files from the software distribution point, even if you have removed the software deployment from group policy, until the application has been uninstalled from all computers.
Configuring Account Policies
Windows Server 2008 includes a Default Domain Policy GPO that is created by default when Active Directory is installed. This GPO is linked at the domain level for every domain in the forest. In Windows 2000 and 2003, password and account lockout policies could be configured only at the domain level. As we'll see later in this chapter, this no longer has to be the case; however, by default, these policies are still set at this level and in this GPO for each domain. Let's examine the settings that can be configured and their defaults.
Domain Password Policy
The default domain password policy contains the following configurable settings. The default settings for each and their location within group policy appear in Figure 6.18.
■ Enforce password history: Determines how many passwords Active Directory remembers for each user before allowing them to reuse a password. The maximum value is 24. Setting the value to 0 disables this option.
■ Maximum password age: Determines how many days a user can go without changing his or her password. The maximum value is 999. Setting the value to 0 disables this option and configures passwords to never expire.
■ Minimum password age: Determines how many days a user has to wait after changing his or her password before it can be changed again. The maximum value is 998. Setting the value to 0 disables this option and allows users to change their password right away. This setting works in conjunction with Enforce password history to keep users from reusing a favorite password by quickly changing their password 24 times to different ones, and then setting their favorite for use again.
■ Minimum password length: Determines the shortest length a user can make his or her password. The maximum value is 14. Setting the value to 0 disables this option and allows blank passwords.
■ Passwords must meet complexity requirements: This is a special collection of settings which ensures that the password is at least six characters long, doesn't contain the user's account name or parts of the user's full name that exceed two characters in length, and contains characters from at least three of the following categories: English uppercase characters (A through Z); English lowercase characters (a through z); base 10 digits (0 through 9); nonalphanumeric characters such as !, $, #, and %.
■ Store passwords using reversible encryption: Some applications require access to users' passwords. Enabling this setting is very close to storing passwords in plain text, seriously erodes security, and is not recommended unless absolutely necessary.
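The complexity rules listed above, written out as a check you can run against candidate passwords. This is an added example, not code from the book; the sample accounts and passwords at the end are constructed.

```powershell
# Added example (not from the book): mirrors the rules the chapter lists for
# "Passwords must meet complexity requirements": at least six characters, no
# account name, no full-name token longer than two characters, and characters
# from at least three of the four categories.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [Parameter(Mandatory=$true)][string]$AccountName,  # the user's logon name
        [string]$FullName = ''                              # the user's full name
    )
    $reasons = @()

    if ($Password.Length -lt 6) {
        $reasons += 'shorter than six characters'
    }

    # The account name must not appear anywhere in the password (case-insensitive).
    if ($Password.ToLower().Contains($AccountName.ToLower())) {
        $reasons += 'contains the account name'
    }

    # Split the full name into tokens; any token longer than two characters
    # must not appear in the password.
    $tokens = $FullName -split '[,\.\-_ #\t]+' | Where-Object { $_.Length -gt 2 }
    foreach ($t in $tokens) {
        if ($Password.ToLower().Contains($t.ToLower())) {
            $reasons += "contains part of the full name ('$t')"
        }
    }

    # Count the categories present; three of the four are required.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # English lowercase
    if ($Password -match  '[0-9]')        { $categories++ }   # base 10 digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # nonalphanumeric
    if ($categories -lt 3) {
        $reasons += "only $categories of the four character categories"
    }

    New-Object PSObject -Property @{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample checks (not from the book):
# 'Summer2008!' is compliant; 'smith1234' fails on the full-name token and on
# categories; 'P@ss' fails only on length.
Test-PasswordComplexity -Password 'Summer2008!' -AccountName 'jsmith' -FullName 'John Smith'
Test-PasswordComplexity -Password 'smith1234'   -AccountName 'jsmith' -FullName 'John Smith'
Test-PasswordComplexity -Password 'P@ss'        -AccountName 'jsmith'
```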
Account Lockout Policy
Account lockout is used to prevent successful brute force password guessing. If it's not enabled, someone can keep attempting to guess username/password combinations very rapidly using a software-based attack. The proper combination of settings can effectively block these types of attacks. The default domain account lockout policy contains the following configurable settings. The default settings for each and their location within Active Directory appear in Figure 6.19.
■ Account lockout duration: Determines the number of minutes an account remains locked out once the Account lockout threshold has been triggered. The maximum value is 99,999. If set to 0, the account remains locked out until an administrator unlocks it.
■ Account lockout threshold: Determines the number of failed logon attempts before a user's account is locked out, and further logon attempts are prevented. The maximum value is 999. If set to 0, accounts will never be locked out.
■ Reset account lockout counter after: Determines the number of minutes between the last failed logon attempt and when the Account lockout threshold counter is reset. The minimum value is 1 and the maximum value is 99,999.
TEST DAY TIP Account lockout policies apply to every domain user except the Administrator account. This is a practical concession. If an attacker was brute-forcing all of your accounts, no one would be able to unlock them if the Administrator account was also locked out.
In Exercise 6.2, you’ll learn to modify the Default Domain Policy settings for passwords and account lockout. You will modify password security by decreasing the number of stored passwords from the default 24 to 20, and increasing the minimum password age from the default 1 to 5. Next, you’ll enable account lockout and set it to be triggered after five invalid logon attempts. You’ll need to have Windows Server 2008 and Active Directory installed, and domain-level administrator rights to complete the exercise.
EXERCISE 6.2 MODIFYING PASSWORD AND ACCOUNT LOCKOUT POLICY SETTINGS
1. To open the Default Domain Policy for editing, go to Start | Administrative Tools | Group Policy Management.
2. In the Group Policy Management utility, expand the Forest, Domains, and your domain (here, syngress.com) nodes, right-click on the Default Domain Policy, and select Edit, as shown in Figure 6.20.
Figure 6.20 The Group Policy Management Utility
3. In the Group Policy Management Editor that appears, expand the Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies nodes, as shown in Figure 6.21.
4. Select the Password Policy node in the left pane.
5. In the right pane, right-click on Enforce Password History and select Properties. (See Figure 6.21).
Figure 6.21 The Enforce Password History Node Context Menu
6. In the Enforce password history Properties dialog box, change the Keep password history for: setting to 20, and click OK. (See Figure 6.22).
Figure 6.22 The Enforce Password History Properties Dialog
7. In the right pane, right-click on Minimum password age and select Properties.
8. In the Minimum password age Properties dialog box, change the Password can be changed after: setting to 5, and click OK.
9. In the left pane, select the Account Lockout Policy node.
10. In the right pane, right-click on Account lockout threshold and select Properties.
11. In the Account lockout threshold Properties dialog box, ensure that Define this policy setting is selected, increase the invalid logon attempts value to 5, and click OK. (See Figure 6.23).
Figure 6.23 The Account Lockout Threshold Properties Dialog
12. Accept the recommendations in the Suggested Value Changes dialog box, and click OK. (See Figure 6.24).
Figure 6.24 The Suggested Value Changes Dialog
13. The Group Policy Management Editor should appear similar to Figure 6.25. Close it to complete the exercise.
Figure 6.25 The Group Policy Management Utility
Fine-Grain Password and Account Lockout Policies
When a GPO is used to apply password and account lockout policies, these policies can be set only for the entire domain, and only one instance of each setting is applied for all users in the domain. In other words, you cannot set different password or account lockout policies for different types of users in a domain (such as administrators and general users) using GPOs. You can do this only using a new feature, fine-grain password and account lockout policy. A key distinction between group policy-based password and account lockout enforcement and fine-grain policies is how you apply them. Fine-grain policies are also considerably more complex to configure than group policy.
EXAM WARNING It’s important to remember that only one set of GPO account and lockout policies applies to a domain. This functionality is unchanged from Windows 2000 Server and Server 2003. Although fine-grain policies can override the settings that are configured using a GPO at the domain level, they are not GPO-based.
You can apply fine-grain policies only to users and global security groups. They are not linked to the major Active Directory container objects: sites, domains, and organizational units (OUs). It is common for organizations to organize users using these traditional Active Directory container structures, so Microsoft recommends the creation of shadow groups which map to an organization’s domain and OU structure. In this way, you can add the global security groups to the appropriate fine-grain policy object in Active Directory one time, and use group membership to determine to whom it applies. It’s possible that a user can be a member of more than one global security group and for these groups to be associated with different fine-grain policies. To accommodate this, Microsoft allows you to associate a precedence value to each fine-grain policy. A policy given a lower number will take precedence over one given a higher number if both apply to a user.
New & Noteworthy… A Long-Awaited Password and Account Policy Solution
Fine-grain password and account lockout policy is new in Windows Server 2008. In Windows 2000 and 2003 forests, you could apply these settings only at the domain level. A single effective set of policy settings was enforced for all users. For many mid-size to large organizations, this provided an unacceptable level of security. The limitation led to all kinds of complicated technical workarounds and the use of more complex domain and forest structures, which increased management costs. Although fine-grain policies are certainly not as easy to use as traditional GPOs, they are a step in the right direction. Most companies will no longer require their previous workarounds, and Microsoft expects that many who adopted more complex domain structures will be consolidating and simplifying their forests. Fine-grain policies also represent a major departure from Microsoft's previous instructions to administrators to adopt a site-, domain-, and OU-based management style. They cannot be applied to any of these Active Directory container objects.
Configuring a Fine-Grain Password Policy
Two new Active Directory object classes have been added to the Active Directory schema to support fine-grain policies. Policies are configured under a Password Settings Container (PSC). The actual policy objects themselves are called Password Settings objects (PSO). Creating a PSO involves using a lower-level Active Directory editing tool than you might be familiar with. There are two ways to do it. One is with the ADSI Edit graphical utility. The other is by using ldifde to script the operation at the command line. In this chapter, we'll be using ADSI Edit:
1. Open ADSI Edit by clicking Start | Run and typing in adsiedit.msc.
2. Right-click on the ADSI Edit node in the leftmost pane, and click Connect to. (See Figure 6.26).
Figure 6.26 Bringing Up the Connections Settings Dialog
3. Accept the default naming context which appears in the Name: text box or type in the fully qualified domain name (FQDN) of the domain you want to use. Click OK. (See Figure 6.27).
Figure 6.27 The Name: Text Box
4. Expand the Default naming context node (if present), expand your DC=DomainName node (here, DC=syngress, DC=com), and double-click on the CN=System node.
5. Right-click on the CN=Password Settings Container node and select New | Object, as shown in Figure 6.28.
Figure 6.28 Creating the New Object in ADSI Edit
6. In the Create Object dialog box, select msDS-PasswordSettings and click Next. (See Figure 6.29).
Figure 6.29 Selecting the msDS-PasswordSettings Option
7. In the Create Object dialog box, enter the desired name for your PSO in the Value: text box (here, psoUsers) and click Next. (See Figure 6.30).
Figure 6.30 Entering the PSO Name
8. Configure the appropriate value for each of the password and account lockout policy settings. All are required. Refer to the information in the list after Figure 6.31 for more details on each setting.
Figure 6.31 Configuring the Fine-Grain Settings
■ msDS-PasswordSettingsPrecedence: Sets the precedence value for deciding conflicts when more than one fine-grain policy applies to a user. Values greater than 0 are acceptable.
■ msDS-PasswordReversibleEncryptionEnabled: Equivalent to the Store passwords using reversible encryption group policy setting. Acceptable values are TRUE and FALSE.
■ msDS-PasswordHistoryLength: Equivalent to the Enforce password history group policy setting. Acceptable values are 0 through 1024.
■ msDS-PasswordComplexityEnabled: Equivalent to the Passwords must meet complexity requirements group policy setting. Acceptable values are TRUE and FALSE.
■ msDS-MinimumPasswordLength: Equivalent to the Minimum password length group policy setting. Acceptable values are 0 through 255.
■ msDS-MinimumPasswordAge: Equivalent to the Minimum password age group policy setting. Acceptable values are (None) and days:hours:minutes:seconds (i.e., 1:00:00:00 equals one day) through the value configured for msDS-MaximumPasswordAge.
■ msDS-MaximumPasswordAge: Equivalent to the Maximum password age group policy setting. Acceptable settings are (Never) and the msDS-MinimumPasswordAge value through (Never). This value cannot be set to 0. It follows the days:hours:minutes:seconds format (i.e., 1:00:00:00 equals one day).
■ msDS-LockoutThreshold: Equivalent to the Account lockout threshold group policy setting. Acceptable settings are 0 through 65535.
■ msDS-LockoutObservationWindow: Equivalent to the Reset account lockout counter after group policy setting. Acceptable values are (None) and 00:00:00:01 through the msDS-LockoutDuration value.
■ msDS-LockoutDuration: Equivalent to the Account lockout duration group policy setting. Acceptable values are (None), (Never), and the msDS-LockoutObservationWindow value through (Never). This value follows the days:hours:minutes:seconds format (i.e., 1:00:00:00 equals one day).
9. After specifying the preceding values, click the More Attributes button, as shown in Figure 6.32.
Figure 6.32 The More Attributes Button
10. Although it is not required, at this point you can specify to which users or groups the fine-grain policy will apply. You can also do this in Active Directory Users and Computers (covered later). To configure this during PSO object creation:
Set Select which properties to view: to either Optional or Both.
Set Select a property to view: to msDS-PSOAppliesTo.
Enter a distinguished name (DN) for a user or global security group in the Edit Attribute: text box and click Add. Multiple users and groups can be added and removed.
When done, click OK. (See Figure 6.33).
Figure 6.33 Associating Users and Global Security Groups
11. Click Finish in the Create Object dialog box. When done, ADSI Edit should resemble Figure 6.34.
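The same PSO created with ldifde, the scripted alternative the chapter mentions. This is an added example rather than the book's own code; it reuses the chapter's domain (DC=syngress,DC=com) and PSO name (psoUsers), while the group DN, the setting values, and the temp file path are constructed choices.

```powershell
# Added example (not from the book): create the PSO from the ADSI Edit
# procedure above with an LDIF file and ldifde. Run it on a domain controller
# as a member of Domain Admins; ldifde ships with the AD DS role.

# ADSI Edit accepts the time-span attributes as days:hours:minutes:seconds,
# but in an LDIF file they must be supplied the way the directory stores them:
# a negative count of 100-nanosecond intervals (the "large integer" format).
function ConvertTo-PsoInterval {
    param([int]$Days = 0, [int]$Hours = 0, [int]$Minutes = 0, [int]$Seconds = 0)
    $span = New-TimeSpan -Days $Days -Hours $Hours -Minutes $Minutes -Seconds $Seconds
    return (-1 * $span.Ticks)   # Ticks are already 100-ns units; PSO values are negative
}

$domainDn  = 'DC=syngress,DC=com'                              # from the chapter
$psoName   = 'psoUsers'                                        # from the chapter
$appliesTo = 'CN=Domain Users,CN=Users,DC=syngress,DC=com'     # constructed: any global security group
$ldfPath   = Join-Path $env:TEMP "$psoName.ldf"                # constructed

# Every attribute listed in step 8 is required. History length 20, a 5-day
# minimum age and a threshold of 5 mirror Exercise 6.2; the rest are constructed.
# msDS-LockoutDuration must be at least msDS-LockoutObservationWindow.
$ldif = @"
dn: CN=$psoName,CN=Password Settings Container,CN=System,$domainDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 20
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 8
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval -Days 5)
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval -Days 42)
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval -Minutes 30)
msDS-LockoutDuration: $(ConvertTo-PsoInterval -Minutes 30)
msDS-PSOAppliesTo: $appliesTo
"@

Set-Content -Path $ldfPath -Value $ldif -Encoding ASCII
Write-Host "LDIF written to $ldfPath"

# -i = import, -f = input file, -k = keep going past "object already exists"
# errors so the script can be re-run after a partial import.
ldifde -i -f $ldfPath -k
```

After the import, the new PSO appears under CN=Password Settings Container in ADSI Edit exactly as in Figure 6.34, and its membership can be adjusted with the Active Directory Users and Computers procedure that follows.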
Figure 6.34 The ADSI Utility
Applying Users and Groups to a PSO with Active Directory Users and Computers
In addition to using ADSI Edit to associate users and global security groups with a PSO, administrators can also use Active Directory Users and Computers:
1. Open Active Directory Users and Computers by clicking Start | Administrative Tools | Active Directory Users and Computers.
2. Ensure that View | Advanced Features is selected.
3. In the left pane, navigate to Your Domain Name | System | Password Settings Container.
4. In the right pane, right-click on the PSO you want to configure, and select Properties, as shown in Figure 6.35.
Figure 6.35 Opening the Properties for the PSO
5. In the Properties dialog box, select the Attribute Editor tab. In the Attributes: selection window, scroll down and click on msDS-PSOAppliesTo followed by Edit. (See Figure 6.36).
Figure 6.36 The Attribute Editor Tab
6. There are two ways to add users and global security groups using the Multi-valued Distinguished Name With Security Principal Editor dialog (see Figure 6.37):
Click Add Windows Account to search for or type in the object name using a standard Select Users, Computers, or Groups dialog box.
Click Add DN to type in the DN for the object you want to add.
Figure 6.37 The Multi-valued Distinguished Name With Security Principal Editor Window
7. You can also remove accounts from the Multi-valued Distinguished Name With Security Principal Editor dialog by highlighting the account in the Values: selection box and clicking the Remove button. When you are done adding and deleting accounts from this PSO, click OK.
8. In the Properties window, click OK.
Configuring Audit Policies
The configuration settings for auditing can be a bit trickier to understand than other group policy settings. All types of auditing use the same types of settings, shown in Figure 6.39. You can audit the success and/or failure for a variety of tracked events. Examples of what can be tracked include logons, changes to policy, use of privileges, directory service or file access, and so forth (See Figure 6.38).
Figure 6.38 Auditing Policies
If you audit, for example, success and failure events for logons, the system will keep track of key details when users successfully log on to their accounts, and also when a logon attempt fails. Once an auditing policy item has been enabled by selecting Define these policy settings in its properties dialog box, four configuration options become possible (see Figure 6.39):
■ Audit success is configured by selecting the Success setting.
■ Audit failure is configured by selecting the Failure setting.
■ Prevention of tracking auditing success is configured by unselecting the Success setting.
■ Prevention of tracking auditing failures is configured by unselecting the Failure setting.
Figure 6.39 Auditing Configuration Options
Configuring & Implementing… Configuring Auditing Policy It is very important to understand how Microsoft wants you to think about auditing. Keep in mind that its tests are designed for all sizes of organizations. It might be tempting to think that you disable auditing by deselecting the Define these policy settings option on individual audit settings in group policy; however, this ignores that the organization may have other group policies that are being inherited for which auditing has been enabled. To ensure that auditing is not enabled, you must explicitly configure individual policies to turn it off. For example, let’s say you have a domain policy with Object Access enabled for Success and Failure auditing, but you want to turn that off for one part of your organization. One way might be to block the inheritance of that GPO within Active Directory; however, for this example, we’ll assume that other settings need to be applied. In this type of situation, the best option may be to create and link a GPO at just the level of Active Directory that applies to the portion of Active Directory that should have auditing disabled. In this GPO, you would configure the Object Access audit policy setting by selecting the option to Define these policy settings and making sure that Success and Failure are both unselected.
Logon Events
Logon events are among the most important to monitor. It is recommended that, at a minimum, you monitor failure events for these policy options. This allows you to spot users who are having difficulty with their logons, as well as track potentially fraudulent attempts to log on. Microsoft provides two audit policy options for monitoring logons:
■ Audit account logon events: This policy is used for credential validation, and the events audited relate to the computer which is authoritative for the credentials. For most users in a domain, this will be the DC which processes their logon, although these events can occur on any computer and may occur on both their local workstation and the DC.
■ Audit logon events: This policy tracks the creation and, when possible, the destruction of logon sessions. The actual audited event relates to the machine being accessed. If you are logging on to your local workstation (even using a domain-based user account), the event is generated on your local machine. If you are accessing a resource on the network, such as files in a shared folder, this generates a logon event on the computer hosting the files.
EXAM WARNING Don’t be surprised to find an option on the exam that does not allow you to select just Failure auditing for logon events. Microsoft often recommends auditing both Success and Failure events for these policy items. Many administrators choose not to audit Success events because of the number of events generated. Hardcore security administrators, however, prefer to audit these events—and their feedback is often incorporated into Microsoft exams. They make the argument that auditing Failure does not enable you to spot potentially fraudulent successful logons that are uncharacteristic of users—for example, a successful logon from an overseas Internet Protocol (IP) address for a small company with one location in the United States.
In Exercise 6.3, we will enable Success and Failure auditing for logons. You will need a Windows Server 2008 DC.
EXERCISE 6.3 CONFIGURING AUDITING FOR LOGON EVENTS
1. Open your domain's Default Domain Policy GPO using the Group Policy Management Editor and navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Audit Policy, as shown earlier in Figure 6.38.
2. In the right-hand pane, right-click on Audit account logon events and select Properties.
3. In the Audit account logon events Properties dialog that appears, select Define these policy settings.
4. Under Audit these attempts: select Success and Failure, then click OK. Refer back to Figure 6.39.
5. In the right-hand pane, right-click on Audit logon events and select Properties.
6. In the Audit logon events Properties dialog that appears, select Define these policy settings.
7. Under Audit these attempts: select Success and Failure, and then click OK.
8. Close the Group Policy Management Editor.
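What the Success and Failure logon auditing just enabled gives you in practice, and how it ties back to the Account Lockout Policy settings described earlier. This is an added example, not code from the book: it reads Security log events of the form Windows Server 2008 writes for failed logons (event ID 4625) and successful logons (event ID 4624), counts failures per account the way the lockout counter does (only failures inside one observation window of the latest one), and flags successful logons from outside expected address ranges, the case the EXAM WARNING describes. The sample events, the expected address prefix, and the threshold and window values are constructed.

```powershell
# Added example (not from the book). Event IDs 4624/4625 are the Security log
# IDs for successful/failed logons on Windows Server 2008 and later.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory=$true)][string]$EventXml)   # output of $event.ToXml()
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time    = [datetime]$x.Event.System.TimeCreated.SystemTime
        Id      = [int]$x.Event.System.EventID
        Account = $data['TargetUserName']
        Source  = $data['IpAddress']           # "-" for interactive/local logons
    }
}

function Test-ExpectedSource {
    param([string]$Source, [string[]]$Prefixes)
    if (@('-', '127.0.0.1', '::1') -contains $Source) { return $true }   # local logon
    foreach ($p in $Prefixes) { if ($Source.StartsWith($p)) { return $true } }
    return $false
}

function Get-LogonActivity {
    param(
        [Parameter(Mandatory=$true)][object[]]$Events,  # from ConvertFrom-LogonEventXml
        [int]$LockoutThreshold = 5,                      # Account lockout threshold
        [int]$ObservationMinutes = 30,                   # Reset account lockout counter after
        [string[]]$ExpectedSourcePrefixes = @('10.')     # constructed: the company's own ranges
    )
    $report = @()
    foreach ($group in ($Events | Group-Object Account)) {
        $failures = @($group.Group | Where-Object { $_.Id -eq 4625 } | Sort-Object Time)
        # The lockout counter resets after the observation window, so only
        # failures within one window of the most recent failure still count.
        $live = 0
        if ($failures.Count -gt 0) {
            $windowStart = $failures[-1].Time.AddMinutes(-$ObservationMinutes)
            $live = @($failures | Where-Object { $_.Time -ge $windowStart }).Count
        }
        # Successful logons from unexpected sources are only visible when
        # Success auditing is enabled, which is why the exam favors both.
        $odd = @($group.Group | Where-Object {
            $_.Id -eq 4624 -and -not (Test-ExpectedSource $_.Source $ExpectedSourcePrefixes) })
        $report += New-Object PSObject -Property @{
            Account        = $group.Name
            Failures       = $failures.Count
            LiveFailures   = $live
            AtThreshold    = ($live -ge $LockoutThreshold)
            OddSuccessFrom = (($odd | ForEach-Object { $_.Source }) -join ',')
        }
    }
    return $report
}

# Constructed sample events in the shape Windows writes to the Security log.
function New-SampleLogonEventXml {
    param([int]$Id, [string]$Time, [string]$Account, [string]$Source)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$Account</Data>
    <Data Name="TargetDomainName">SYNGRESS</Data>
    <Data Name="IpAddress">$Source</Data>
  </EventData>
</Event>
"@
}

$sample = @(
    (New-SampleLogonEventXml 4625 '2008-05-01T09:00:00Z' 'jsmith' '10.0.0.7'),
    (New-SampleLogonEventXml 4625 '2008-05-01T09:05:00Z' 'jsmith' '10.0.0.7'),
    (New-SampleLogonEventXml 4625 '2008-05-01T09:10:00Z' 'jsmith' '10.0.0.7'),
    (New-SampleLogonEventXml 4625 '2008-05-01T09:12:00Z' 'jsmith' '10.0.0.7'),
    (New-SampleLogonEventXml 4625 '2008-05-01T09:14:00Z' 'jsmith' '10.0.0.7'),
    (New-SampleLogonEventXml 4625 '2008-05-01T08:00:00Z' 'abrown' '10.0.0.9'),
    (New-SampleLogonEventXml 4625 '2008-05-01T09:30:00Z' 'abrown' '10.0.0.9'),
    (New-SampleLogonEventXml 4624 '2008-05-01T09:31:00Z' 'abrown' '203.0.113.10')
) | ForEach-Object { ConvertFrom-LogonEventXml $_ }

# jsmith: 5 live failures, at the threshold; abrown: 1 live failure (the
# 08:00 one is outside the window) and a success from an unexpected address.
Get-LogonActivity -Events $sample | Format-Table Account, Failures, LiveFailures, AtThreshold, OddSuccessFrom

# Against a live DC, feed real events instead of the constructed ones:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} |
#     ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() }
```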
Directory Service Access
Most Active Directory objects have their own permissions (officially called a system access control list or SACL). Any object in Active Directory that can have permissions set for it can be audited. By default, directory service auditing is not enabled in group policy; however, objects in Active Directory do come already set up with some auditing permissions assigned. For most objects this will be Success auditing for members of the Everyone group, but this does vary. For example, the domain object in Active Directory has additional auditing preconfigured for it. Setting up directory service access auditing is a two-step process: configuring a GPO to enable the directory service access auditing, and specifying what to audit on an object-by-object basis within Active Directory.
Configuring Directory Service Access Auditing in Group Policy
You configure directory service access auditing in group policy using the following steps:
1. Open the GPO that will be used to configure auditing using the Group Policy Management Editor and navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Audit Policy, as shown earlier in Figure 6.38.
2. In the right-hand pane, right-click on Audit directory service access and select Properties.
3. On the Security Policy Setting tab of the Audit directory service access Properties dialog box, configure the policy as desired by:
Selecting Success to enable auditing successful object access events
Deselecting Success to disable auditing successful object access events
Selecting Failure to enable auditing failed object access events
Deselecting Failure to disable auditing failed object access events
4. Click OK and close the Group Policy Management Editor.
Configuring Active Directory Object Auditing
To enable auditing of a specific object within Active Directory, follow these steps:
1. Open Active Directory Users and Computers and navigate to the object you want to audit (here, the Authors OU).
2. Right-click on the object and select Properties from the context menu.
3. In the Properties dialog box, select the Security tab, and click Advanced. See Figure 6.40.
Figure 6.40 The Properties Dialog
4. In the Advanced Security Settings dialog box, click on the Auditing tab (see Figure 6.41) and note that the object has inherited auditing entries. You can block these by deselecting Include inheritable auditing entries from this object's parent. You also can modify existing entries by clicking the Edit button.
Figure 6.41 The Advanced Security Settings Dialog
5. To add new users or groups click on the Add button.
6. In the Select User, Computer, or Group dialog box, type in or search for the users or groups you want to audit. This is a standard dialog box that works just like the permissions version. For this example, we will select Domain Users.
7. In the Auditing Entry dialog, configure the types of Success and/or Failure events you want to monitor for this group and click OK. For this example, we will choose Read permissions, Modify permissions, and Delete - Success and Failure events. See Figure 6.42.
Figure 6.42 The Auditing Entry Dialog
8. Click OK again in the Advanced Security Settings dialog box and OK again to close the Properties dialog box.
Object Access
You also can use group policy to monitor non-Active Directory objects such as files, folders, Registry keys, and printers. You can use this option to track resource usage, authorized and unauthorized access, object modification and deletion, and more. For example, most companies have servers that contain sensitive information such as legal, human resources, and accounting information. Who accesses this information, and even how and when it is changed, is often subject to internal policy as well as government regulation. You can use this feature to ensure that all guidelines are being met, catch any anomalies such as unauthorized modification, deletion, or access, and so forth. Any object that has a SACL and can thus have permissions set for it can have auditing configured. As with directory service object auditing, object access auditing is a two-step process: configuring a GPO to enable object access auditing, and specifying what to audit on an object-by-object basis.
Configuring Object Access Auditing in Group Policy
You can configure object access auditing in group policy using these steps:
1. Open the GPO that will be used to configure auditing using the Group Policy Management Editor and navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Audit Policy, as shown earlier in Figure 6.38.
2. In the right-hand pane, right-click on Audit object access and select Properties.
3. On the Security Policy Setting tab of the Audit object access Properties dialog box, configure the policy as desired by:
■ Selecting Success to enable auditing of successful object access events
■ Deselecting Success to disable auditing of successful object access events
■ Selecting Failure to enable auditing of failed object access events
■ Deselecting Failure to disable auditing of failed object access events
4. Click OK and close the Group Policy Management Editor.
Configuring Object Level Auditing
For this example, we will configure file system auditing. A similar procedure is used to audit other objects such as printers and Registry keys.
1. Open Windows Explorer by going to Start | Computer, and navigate to the file system object on which you want to enable auditing. For this example, we will use a folder named Programs.
2. Right-click on the object you’ve selected, and click Properties.
3. In the Properties dialog box, select the Security tab, and click Advanced. See Figure 6.43.
Figure 6.43 The Properties Dialog
4. In the Advanced Security Settings dialog box, click on the Auditing tab. Note that the object does not have any existing or inherited auditing entries. Sometimes what needs to be audited is very object-specific. Auditing requirements for parent objects can differ considerably from child objects. To prevent inheritance of undesired settings, deselect Include inheritable auditing entries from this object’s parent.
5. Click the Edit button.
6. A second, slightly different Advanced Security Settings dialog box appears (see Figure 6.44). Click on the Add button.
Figure 6.44 The Second Advanced Security Settings Dialog
7. In the Select User, Computer, or Group dialog box, type in or search for the users or groups you want to audit. For this example, we will select Domain Users.
8. In the Auditing Entry dialog, configure the types of Success and/or Failure events you want to monitor for this group and click OK. For this example, we will choose Delete, Success and Failure events. See Figure 6.45.
Figure 6.45 The Auditing Entry Dialog
9. Click OK again in each Advanced Security Settings dialog box and OK again to close the Properties dialog box.
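The same SACL change made from PowerShell rather than the Explorer dialogs, as an added example that is not part of the book's procedure. It assumes a folder C:\Programs and the group CONTOSO\Domain Users (both placeholders), and that Audit object access has already been enabled through a GPO as in the first procedure; without that policy the SACL is written but produces no events. Reading or writing a SACL needs the Manage auditing and security log user right (SeSecurityPrivilege), which Administrators hold by default, so run it elevated. The identical pattern serves the directory service procedure earlier in this section if you swap FileSystemAuditRule for System.Security.AccessControl.ActiveDirectoryAuditRule and use the AD: drive that the Active Directory module provides on Windows Server 2008 R2 and later.

```powershell
# Added example, not from the book. Placeholders: C:\Programs, CONTOSO\Domain Users.
param(
    [string]$Path      = 'C:\Programs',
    [string]$Principal = 'CONTOSO\Domain Users'
)

# Delete, Success and Failure, applied to this folder, its subfolders and files
# (the same choices as the Auditing Entry dialog in the steps above).
$rights      = [System.Security.AccessControl.FileSystemRights]::Delete
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $rights, $inheritance, $propagation, $auditFlags)

# -Audit makes Get-Acl read the SACL as well as the DACL; without it the audit
# rules are silently absent from the object and Set-Acl would not write them.
$acl = Get-Acl -Path $Path -Audit

# Equivalent of clearing "Include inheritable auditing entries from this
# object's parent": protect the SACL and drop, rather than copy, inherited entries.
$acl.SetAuditRuleProtection($true, $false)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

function Get-FolderAuditEntries {
    param([string]$Path)
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

# Verify the entry landed and that nothing is inherited any more.
$entries = Get-FolderAuditEntries -Path $Path
$entries | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
$ok = $entries | Where-Object {
    $_.IdentityReference.Value -eq $Principal -and
    (($_.FileSystemRights -band $rights) -eq $rights) -and
    $_.AuditFlags -eq $auditFlags
}
if (-not $ok) { throw "Audit entry for $Principal is missing on $Path" }
if ($entries | Where-Object { $_.IsInherited }) {
    Write-Warning "Inherited audit entries are still present on $Path"
}

# What to look for afterwards: a delete inside the folder logs event 4663 (an
# attempt was made to access an object, with DELETE in the access mask) and,
# when it succeeds, 4660 (an object was deleted). The two share a Handle ID,
# which is how an attempt is told apart from a completed delete in the log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 4660 -or $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Auditing Delete alone keeps the log quiet; auditing Read or Write on a busy share floods the Security log quickly, which is the same reason the Audit privilege use policy skips the noisiest rights by default.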
Other Audit Policies
Now let’s discuss some other audit policies. This section includes brief descriptions of the following audit policies:
■ Audit account management This audit policy tracks all account management events. Some examples of what this policy covers include creation, change, or deletion of user or group accounts; renaming or enabling/disabling a user’s account; and changing a user’s password.
■ Audit policy change This audit policy tracks changes made to user rights assignment policies, audit policies, or trust policies.
■ Audit privilege use This audit policy tracks the exercise of many user rights.
■ Audit system events This audit policy tracks when a user restarts or shuts down his or her computer, when an event occurs that affects system security, or when an event occurs that affects the security log.
EXAM WARNING Not all user rights are tracked when Audit privilege use is enabled. This is because some events are so numerous that they can quickly fill up the security log. By default, the following rights are omitted: Bypass traverse checking, Debug programs, Create a token object, Replace process level token, Generate security audits, Back up files and directories, and Restore files and directories. To audit these user rights, you must enable the FullPrivilegeAuditing Registry key.
Configuring Additional Security-Related Policies
In this section, we’ll discuss configuring additional security-related policies, such as user rights, security options, restricted groups, and administrative templates.
User Rights
Administrators can grant a wide array of user rights. Rights include things such as the ability to log on to a server locally or from a network connection, the ability to shut down a server, the ability for certain accounts to be able to log on as a service, and many others. You should take a moment before the exam to familiarize yourself with the range of options offered by this portion of group policy. User rights follow the standard group processing order, but are exclusive unless otherwise noted. So, for example, if Log on as a batch job has been specifically configured in the local computer’s security policy, in a site-level GPO, in a domain-level GPO, and in an OU-level GPO that all apply to the computer object, the settings in the OU-level GPO will be applied. The settings are not cumulative, and all others will be ignored.
Because of this, it is very important when defining a user right policy to ensure that all user and group accounts which require the right are identified and configured. That includes the built-in defaults: on Windows Server 2008, Log on as a batch job is held by Administrators, Backup Operators, and Performance Log Users, and a GPO that defines the right with only your own accounts silently removes it from all three. To configure a user right, follow these steps:
1. Open the GPO that will be used to configure the user right using the Group Policy Management Editor and navigate to Computer Configuration | Policies | Windows Settings | Security Settings | User Rights Assignment.
2. In the right-hand pane, right-click on the user right you want to configure (here, Log on as a batch job) and select Properties. See Figure 6.46.
Figure 6.46 The Properties Dialog
3. In the Properties dialog, select Define these policy settings: and click the Add User or Group button. You can also select a user or group and click the Remove button to delete them from the policy.
4. In the Add User or Group dialog box, click Browse.
5. In the standard Select Users, Computers, or Groups dialog, enter or search for the user and/or group accounts you want to add, and then click OK.
6. In the Add User or Group dialog box, click OK.
7. In the Properties window, click OK.
Security Options
Microsoft provides administrators with a large list of security parameters that can be defined using group policy. Items available in the Security Options portion of group policy include preventing users from installing printer drivers, blocking access to the CD-ROM drive, specifying various digital signing and encryption settings, restricting access to the Registry, and many more. You should take a moment before the exam to familiarize yourself with the range of options offered by this portion of group policy (see Table 6.1).
Table 6.1 Group Policy Security Options
Accounts: Administrator account status
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DELETE
Interactive logon: Message text for users attempting to logon
Interactive logon: Message title for users attempting to logon
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System cryptography: Force strong key protection for user keys stored on the computer
System objects: Default owner for objects created by members of the Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
Security Options follow the standard group processing order, but are exclusive unless otherwise noted. So, for example, if a setting has been specifically configured in the local computer’s security policy, in a site-level GPO, in a domain-level GPO, and in an OU-level GPO that all apply to the computer object, the settings in the OU-level GPO will be applied. The settings are not cumulative, and all others will be ignored. To configure a security option, follow these steps:
1. Open the GPO that will be used to configure the security option using the Group Policy Management Editor and navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Security Options.
2. In the right-hand pane, right-click on the security option you want to configure and select Properties.
3. In the Properties window, select Define these policy settings: and configure the policy options as desired. Unlike other types of group policy, there are no standardized settings for Security Options policies. The Properties tab may have Enabled or Disabled options, a drop-down box with a variety of configuration options, or any number of other configuration types and options.
4. In the Properties window, click OK.
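Because only one GPO's value wins for each option, the useful check is on the computer, not in the editor: read the registry values the Security Options write and compare them with what you expect. The following is an added example, not code from the book. The registry locations are the ones these policies are stored under on Windows Server 2008; the Expected values are this example's own baseline (an assumption for illustration), not Microsoft's defaults or a recommendation from the book.

```powershell
# Added example, not from the book. Run elevated on the computer to check,
# after "gpupdate /force" so the winning GPO has actually applied.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$nlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$pols = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Example baseline (assumed values, chosen for this illustration).
$baseline = @(
    @{ Policy = 'Network security: LAN Manager authentication level'
       Key = $lsa;  Name = 'LmCompatibilityLevel';     Expected = 5 }   # NTLMv2 only, refuse LM and NTLM
    @{ Policy = 'Network security: Do not store LAN Manager hash value on next password change'
       Key = $lsa;  Name = 'NoLMHash';                 Expected = 1 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Key = $lsa;  Name = 'RestrictAnonymous';        Expected = 1 }
    @{ Policy = 'Network access: Let Everyone permissions apply to anonymous users'
       Key = $lsa;  Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Key = $srv;  Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Policy = 'Microsoft network client: Send unencrypted password to third-party SMB servers'
       Key = $wks;  Name = 'EnablePlainTextPassword';  Expected = 0 }
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Key = $nlog; Name = 'RequireSignOrSeal';        Expected = 1 }
    @{ Policy = 'Interactive logon: Do not display last user name'
       Key = $pols; Name = 'DontDisplayLastUserName';  Expected = 1 }
    @{ Policy = 'User Account Control: Run all administrators in Admin Approval Mode'
       Key = $pols; Name = 'EnableLUA';                Expected = 1 }
)

function Test-SecurityOptionBaseline {
    param([array]$Baseline)
    foreach ($item in $Baseline) {
        $actual = $null
        $prop = Get-ItemProperty -Path $item.Key -Name $item.Name -ErrorAction SilentlyContinue
        if ($prop -ne $null) { $actual = $prop.($item.Name) }
        # No value at all means the option is Not Defined in every GPO that
        # applies and in local policy, so the operating system default is in
        # force, and that default is often not the recommended setting.
        if ($actual -eq $null)              { $status = 'NotDefined' }
        elseif ($actual -eq $item.Expected) { $status = 'OK' }
        else                                { $status = 'Drift' }
        New-Object PSObject -Property @{
            Policy = $item.Policy; Expected = $item.Expected; Actual = $actual; Status = $status
        } | Select-Object Policy, Expected, Actual, Status
    }
}

$report = Test-SecurityOptionBaseline -Baseline $baseline
$report | Format-Table -AutoSize -Wrap
$report | Where-Object { $_.Status -ne 'OK' } | ForEach-Object {
    Write-Warning "$($_.Policy): $($_.Status) (expected $($_.Expected), actual $($_.Actual))"
}
```

This tells you what landed, not which GPO put it there. When a value is in Drift, gpresult /h report.html on the same computer shows the winning GPO for each setting, which is the one to fix; editing a lower-precedence GPO changes nothing.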
TEST DAY TIP Group policy options such as User Rights Assignment, Security Options, and Administrative Templates have large numbers of possible configuration options. There is no way for a study guide to cover them all or to know which ones Microsoft will consider important to know for the exam. Be sure to familiarize yourself with as many as possible.
Restricted Groups
The Restricted Groups object allows you to exert some control over group membership using group policy. By default, no groups are configured for management in any default or new GPO, so the first step is to choose which groups you want to manage using the policy. Microsoft recommends primarily using restricted groups to manage critical security groups such as Enterprise Admins and Schema Admins. Once a group has been added for management, two configuration options apply to it:
■ Members of this group: This setting strictly controls who can be a member of the group. If a group or user is listed here but is removed from the group (e.g., with Active Directory Users and Computers), it will be added back the next time group policy refreshes. Likewise, if an account is added with a tool such as Active Directory Users and Computers that is not on this list, it will be removed at refresh. By default this list is empty, and an empty list is enforced like any other: applying it removes all members from the restricted group.
■ This group is a member of: Unlike the previous setting, this setting does not strictly enforce membership. The restricted group you are configuring will be added to any groups you configure here, and nothing is removed: its existing memberships in groups not listed here are left alone, and you can still add the group to other groups using a utility such as Active Directory Users and Computers. By default this list is empty, which does not change any group memberships.
TEST DAY TIP Microsoft has received considerable feedback on the confusing differences between these two options. Make sure you are clear on what is and isn’t enforced by each on the exam, because Microsoft considers it important to know. The Members of this group setting strictly controls who can be a member of the group. The This group is a member of setting does not strictly enforce membership. The group you are configuring will be added to any groups you configure here.
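Both User Rights Assignment and Restricted Groups are stored by the GPO as plain INI text in the security template under SYSVOL (…\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf), in the [Privilege Rights] and [Group Membership] sections. Reading that file is the quickest way to see what a GPO will actually do before it applies, and it makes the two Restricted Groups behaviours above concrete: a __Members line enforces (an empty one empties the group), a __Memberof line only adds. The following is an added example, not code from the book; the template text inside it is constructed for the example, and CONTOSO, Authors and Editors are placeholders. Well-known SIDs resolve offline; domain SIDs resolve only when the domain is reachable and are shown raw otherwise.

```powershell
# Added example, not from the book. Constructed GptTmpl.inf-style content;
# replace with: Get-Content '\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$sampleTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeDebugPrivilege =
[Group Membership]
*S-1-5-32-544__Members = Administrator,CONTOSO\Domain Admins
*S-1-5-32-544__Memberof =
CONTOSO\Authors__Members =
CONTOSO\Authors__Memberof = CONTOSO\Editors
'@

function ConvertFrom-IniText {
    # Returns @{ Section = @{ Key = Value } }; values may be empty strings.
    param([string[]]$Lines)
    $ini = @{}; $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        $eq = $line.IndexOf('=')
        if ($eq -lt 0 -or $section -eq $null) { continue }
        $ini[$section][$line.Substring(0, $eq).Trim()] = $line.Substring($eq + 1).Trim()
    }
    return $ini
}

function Resolve-TemplatePrincipal {
    # Entries written as *S-1-... are SIDs; anything else is already a name.
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = $Entry.Substring(1)
    try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}

function ConvertTo-PrincipalList {
    param([string]$Value)
    if ($Value -eq '') { return @() }
    return @($Value -split ',' | ForEach-Object { Resolve-TemplatePrincipal $_.Trim() })
}

function Get-TemplateEffects {
    param([string[]]$Lines)
    $ini = ConvertFrom-IniText -Lines $Lines
    $out = @()
    if ($ini.ContainsKey('Privilege Rights')) {
        foreach ($right in @($ini['Privilege Rights'].Keys | Sort-Object)) {
            $holders = @(ConvertTo-PrincipalList $ini['Privilege Rights'][$right])
            # A defined right REPLACES the holder list on the target computer; it
            # is never merged. An empty value strips the right from everyone,
            # operating system defaults included.
            if ($holders.Count -eq 0) { $effect = 'Right removed from ALL principals' }
            else                      { $effect = 'Holder list replaced (not merged) with' }
            $out += New-Object PSObject -Property @{ Area = 'User right'; Target = $right; Effect = $effect; Principals = ($holders -join ', ') }
        }
    }
    if ($ini.ContainsKey('Group Membership')) {
        foreach ($key in @($ini['Group Membership'].Keys | Sort-Object)) {
            if ($key -notmatch '^(.+)__(Members|Memberof)$') { continue }
            $group = Resolve-TemplatePrincipal $Matches[1]
            $kind  = $Matches[2]
            $list  = @(ConvertTo-PrincipalList $ini['Group Membership'][$key])
            if ($kind -eq 'Members') {
                # Enforced at every refresh: listed accounts re-added, unlisted
                # ones removed; an empty list empties the group.
                if ($list.Count -eq 0) { $effect = 'ALL members removed at refresh' }
                else                   { $effect = 'Membership enforced; anyone else removed' }
            } else {
                # Additive only: the group is added to these groups, nothing is removed.
                if ($list.Count -eq 0) { $effect = 'No change' }
                else                   { $effect = 'Added to (existing memberships kept)' }
            }
            $out += New-Object PSObject -Property @{ Area = "Restricted group ($kind)"; Target = $group; Effect = $effect; Principals = ($list -join ', ') }
        }
    }
    return $out
}

Get-TemplateEffects -Lines ($sampleTemplate -split "`r?`n") | Format-Table Area, Target, Effect, Principals -AutoSize -Wrap
```

In the sample, SeDebugPrivilege with an empty value and CONTOSO\Authors__Members with an empty value are the two lines to notice: the first removes Debug programs from Administrators on every computer the GPO reaches, the second empties the Authors group at the next refresh, and neither looks alarming in the editor. The same reader works on a secedit /export /cfg output from a member server, which lists the rights as they currently stand.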
Adding a New Restricted Group
Use the following procedure to add a new restricted group:
1. Open the GPO that will be used to configure the restricted group using the Group Policy Management Editor and expand Computer Configuration | Policies | Windows Settings | Security Settings.
2. Right-click on the Restricted Groups node and click Add Group. See Figure 6.47.
Figure 6.47 Adding a Restricted Group
3. In the Add Group dialog box, click Browse.
4. In the Select Groups dialog box, in the Enter the object names to select (examples): text area, type the name of the group (here, Authors) and click Check Names followed by OK.
5. In the Add Group dialog box, click OK.
6. A Properties dialog box appears with the following configuration options (see Figure 6.48):
■ Members of this group: Click the Add button next to this configuration option to specify which users and groups will be enforced as members of this group. We will be demonstrating this option in the next step.
■ This group is a member of: Click the Add button next to this configuration option to specify which other groups this group will be a member of.
Figure 6.48 The Initial Properties Dialog
7. Click the Add button next to Members of this group:.
8. In the Add Member dialog box, click Browse.
9. In the Select Users or Groups dialog, type in the user(s) and/or group(s) you want to add, click Check Names, and then click OK. For this example, we will add two users (Author 1 and Author 2), and a global security group (Editors).
10. In the Add Member dialog box, click OK.
11. The accounts you added should appear in the Properties dialog; see Figure 6.49.
Figure 6.49 The Completed Properties Dialog
12. Click OK to complete the process.
Modifying a Restricted Group
Use the following procedure to modify a restricted group:
1. Open the GPO that contains the restricted group using the Group Policy Management Editor and click on Computer Configuration | Policies | Windows Settings | Security Settings | Restricted Groups.
2. In the right pane, right-click on the restricted group you want to modify and click Properties.
3. A Properties dialog box appears with the following (see Figure 6.48):
■ Members of this group: To add a user or group, click the Add button next to this configuration option to specify which users and groups will be enforced as members of this group. To remove a user or group, select it and then click the Remove button.
■ This group is a member of: Click the Add button next to this configuration option to specify which other groups this group will be a member of. To remove a group from the list, select it and then click the Remove button.
4. When you have finished making your changes, click OK to close the Properties dialog.
Deleting a Restricted Group
Use the following procedure to delete a restricted group:
1. Open the GPO that contains the restricted group using the Group Policy Management Editor and click on Computer Configuration | Policies | Windows Settings | Security Settings | Restricted Groups.
2. In the right pane, right-click on the restricted group you want to delete and click Delete.
3. In the Security Templates dialog box, click Yes.
EXAM WARNING It’s important to remember that group nesting rules apply when configuring Restricted Groups. For example, you cannot configure a global group in one domain to be a member of a global group in another domain.
Administrative Templates
The Administrative Templates group policy settings control a large number of Registry-based settings on the workstations and servers to which they apply. You should spend some time before the exam to familiarize yourself with the options offered by this portion of group policy. Pre-Windows Vista versions of Windows used proprietary ADM files to configure these settings. These files were stored within individual GPOs, often increasing their size by 2 MB or more. For organizations with a large number of GPOs, the traffic required for replicating this portion of group policy could really add up.
Microsoft addressed this by moving to an XML-based file structure. There are now two components: ADMX files and ADML files. ADMX files contain the actual settings, whereas ADML files are used for language localization. You can use the new ADMX technology only with Windows Server 2008 and Vista operating systems. You must still manage previous versions of Windows in Administrative Templates using ADM files. The new version of the Group Policy Management Editor that runs on Windows Server 2008 and Vista is backward-compatible and can manage ADM-based settings; however, you cannot use older clients to manage ADMX-based settings. By default, ADMX files are not stored within the centralized group policy System Volume (SYSVOL) on DCs. When you first open the Group Policy Management Editor and select the Administrative Templates node, it will use the ADMX files which are stored in the %systemroot%\PolicyDefinitions\ folder. You can determine this graphically; see Figure 6.50.
Figure 6.50 Administrative Templates Using Local ADMX Files
TEST DAY TIP Microsoft often uses default settings that are different from their recommended settings. It’s important for you to know not only what Microsoft recommends, but also what the default settings are when they differ.
ADMX Central Store
To maximize the capabilities of Microsoft’s new ADMX technology, you must manually create an ADMX central store. This is simply a folder under the SYSVOL share that contains the PolicyDefinitions folder and its ADMX and ADML files. To create the central store, copy a Windows Server 2008 or Vista %systemroot%\PolicyDefinitions folder to your %sysvol%\\policies\ folder. When you open or restart the Group Policy Management Editor and select Administrative Templates, you’ll see that a central store is now being used, as shown in Figure 6.51.
Figure 6.51 Administrative Templates Using an ADMX Central Store
In Exercise 6.4, we will create an ADMX central store. A Windows Server 2008 DC is required to complete the exercise.
EXERCISE 6.4 CREATING AN ADMX CENTRAL STORE
1. Open Windows Explorer by clicking Start | Computer.
2. Navigate to your %systemroot% folder, probably C:\Windows.
3. Select the PolicyDefinitions folder and press CTRL+C to let Windows know you want to copy it.
4. Navigate to your SYSVOL folder’s Policies folder, probably C:\Windows\SYSVOL\sysvol\\Policies.
5. Press CTRL+V to finish copying the PolicyDefinitions to this location.
6. When the folder has finished copying, open it and verify that the ADMX files and at least one language-based directory (here, en-US) for the ADML files copied successfully. See Figure 6.52.
Figure 6.52 Administrative Templates Using an ADMX Central Store
7. Open a GPO for editing using the Group Policy Management Editor. 8. Expand Computer Configuration | Policies and ensure that the Administrative Templates node says that the ADMX files are being retrieved from a central store. Refer back to Figure 6.51.
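The exercise done from PowerShell, with the check step 6 only does by eye, as an added example that is not from the book. It assumes $env:USERDNSDOMAIN names the domain whose SYSVOL you want to populate (it is set for domain logons) and that the account can write to SYSVOL; the store path is built from that and nothing else about the environment is assumed. Besides counting files it flags two things the editor will otherwise surface only as errors: ADMX files with no matching ADML in the language folder, and ADMX files that exist locally but not in the store, which the editor ignores entirely once a store exists.

```powershell
# Added example, not from the book. Assumes $env:USERDNSDOMAIN is the target
# domain and that the caller can write to its SYSVOL share.
$domain = $env:USERDNSDOMAIN
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

function New-AdmxCentralStore {
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path -Path $Source)) { throw "No PolicyDefinitions folder at $Source" }
    if (-not (Test-Path -Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    # ADMX files plus every language subfolder (the ADML files). Existing files
    # are overwritten, so run this from the machine with the newest templates.
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
}

function Test-AdmxCentralStore {
    param([string]$Store, [string]$Source, [string]$Language = 'en-US')
    if (-not (Test-Path -Path $Store)) { throw "Central store not found at $Store" }
    $admx = @(Get-ChildItem -Path $Store -Filter *.admx)
    # Every ADMX needs a same-named ADML in the language folder the editor uses,
    # or the editor reports an error for that template.
    $adml = @{}
    $admlDir = Join-Path $Store $Language
    if (Test-Path -Path $admlDir) {
        Get-ChildItem -Path $admlDir -Filter *.adml | ForEach-Object { $adml[$_.BaseName] = $true }
    }
    $missingAdml = @($admx | Where-Object { -not $adml.ContainsKey($_.BaseName) } | ForEach-Object { $_.Name })
    # Once the store exists, local PolicyDefinitions are no longer consulted,
    # so an ADMX present only locally is invisible in the editor.
    $localOnly = @(Get-ChildItem -Path $Source -Filter *.admx |
        Where-Object { -not (Test-Path -Path (Join-Path $Store $_.Name)) } |
        ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        Store       = $Store
        AdmxCount   = $admx.Count
        AdmlCount   = $adml.Count
        MissingAdml = $missingAdml
        LocalOnly   = $localOnly
        Healthy     = ($admx.Count -gt 0 -and $missingAdml.Count -eq 0 -and $localOnly.Count -eq 0)
    } | Select-Object Store, AdmxCount, AdmlCount, MissingAdml, LocalOnly, Healthy
}

New-AdmxCentralStore -Source $source -Destination $store
$result = Test-AdmxCentralStore -Store $store -Source $source
$result | Format-List
if (-not $result.Healthy) { Write-Warning 'Central store is incomplete; fix it before relying on it' }
```

The store is written to one DC and reaches the others through SYSVOL replication, so a Group Policy Management Editor opened against a different DC immediately afterwards may still report local ADMX files until replication completes.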
EXAM WARNING New features, such as the ADMX central store, that Microsoft considers to be an improvement are often heavily tested. Pay special attention to information and consider reading more about them on Microsoft’s Web site.
Adding ADM Templates to a GPO
Although Microsoft is converting over to the ADMX format, ADM files are still supported in Windows Vista and Windows Server 2008 GPOs. Although you can add ADMX templates by simply copying them into the appropriate location in the file system (generally the central store on an Active Directory-based network), you still add and remove ADM files through the Group Policy Management Editor utility. Follow these steps to add or remove an ADM file from a GPO:
1. Open the GPO to which you want to add the template using the Group Policy Management Editor and expand Computer Configuration | Policies | Administrative Templates.
2. In the right-side pane of the Group Policy Management Editor window, right-click the Administrative Templates node and select Add/Remove Templates. See Figure 6.53.
Figure 6.53 The Administrative Templates Context Menu
3. In the Add/Remove Templates dialog, click the Add button to add a template or Remove to remove a template from the GPO. See Figure 6.55.
4. In the Policy Templates dialog, browse to the location of your ADM file, select it, and click the Open button. See Figure 6.54. A brief dialog may appear notifying you that the file is being copied to the proper location. Figure 6.54 The Policy Templates Dialog
5. In the Add/Remove Templates dialog, click the Close button. See Figure 6.55.
Figure 6.55 The Add/Remove Templates Dialog
6. Under the Administrative Templates node, the Classic Administrative Templates node will appear. Expand this node to see your added template (here, Microsoft Office 2007 system (machine)). See Figure 6.56. Figure 6.56 The Classic Administrative Templates Node
Converting ADM Files to the ADMX Format
As mentioned previously, you cannot store ADM files in the ADMX central store. To get settings that are contained in an ADM file into the central store, you must convert the ADM file to an ADMX file. Microsoft provides a free conversion utility called ADMX Migrator that you can install on Windows XP, Vista, Server 2003, and Server 2008 computers. You can download the utility from http://go.microsoft.com/fwlink/?LinkId=103774. You can convert ADM files using the command prompt, or a provided Microsoft Management Console (MMC) snap-in. We cover each method in the following sections.
Converting ADM Files to ADMX Files Using the Command Prompt
Follow these steps to convert an ADM file into an ADMX file using the command prompt:
1. Download and install ADMX Migrator.
2. Open a command prompt by clicking Start | Command Prompt.
3. Change to the C:\Program Files\FullArmor\ADMX Migrator directory, or wherever you specified that the software should be installed.
4. A number of options exist for the conversion that you can view by typing faAdmxConv.exe /?. To perform a simple conversion, type the following: faAdmxConv.exe source [targetpath]. For example:
faAdmxConv.exe C:\Downloads\Templates\ADM\en-us\office12.adm C:\Downloads\Templates\ADM\en-us\
Converting ADM Files to ADMX Files Using the MMC Snap-in
Follow these steps to convert an ADM file into an ADMX file using the MMC snap-in:
1. Download and install ADMX Migrator.
2. Click Start | Run.
3. In the Run dialog box, type MMC in the Open: text box and click OK.
4. In the Console 1 window that appears, click File | Add/Remove Snap-in. See Figure 6.57.
Figure 6.57 Adding a Snap-in
5. In the Add or Remove Snap-ins dialog, under Available Snap-ins, select FullArmor ADMX Migrator and click the Add button. See Figure 6.58. Figure 6.58 Selecting the ADMX Migrator Snap-in
6. Click OK.
7. In the Console 1 window, select the ADMX Editor node in the right-hand pane.
8. In the right-hand pane, click Generate ADMX from ADM. See Figure 6.59.
Figure 6.59 Selecting the Generate ADMX from ADM Option
9. In the Open dialog box, browse to and select the ADM file you want to convert, and then click the Open button. See Figure 6.60.
Figure 6.60 Specifying the ADM File to Convert
10. In the ADM to ADMX Conversion Results dialog, review the provided information and click Close. See Figure 6.61.
Figure 6.61 The ADMX Conversion Results Dialog
11. In the ADMX Migrator dialog, note where the converted files are and click the No button. See Figure 6.62. Figure 6.62 The ADMX Migrator Dialog
12. Close the MMC.
13. To use the newly created ADMX files, copy them into the appropriate folder on a Windows Vista or Windows Server 2008 computer, or into the ADMX central store.
431
432
Chapter 6 • Configuring Group Policy
Summary of Exam Objectives
You can use group policy to deploy, maintain, and remove software on Windows 2000 and later computers. Three elements are necessary for software deployment: a software distribution point to make the software available across the network, a GPO linked to the appropriate containers in Active Directory to manage which users and computers receive the software, and a properly configured deployment package within the GPO. In addition to initial deployment, you can use group policy to redeploy software with service packs and to fix issues, as well as to upgrade software to new versions. Redeployment is mandatory, but upgrades can be mandatory or optional. Removal can likewise be forced or optional: if forced, the software is removed at the next computer startup or user logon; if optional, users can remove the software at any time using the Control Panel. Software packages can be published or assigned to users, and assigned to computers. Publishing allows users to install software through document activation and the Control Panel. Assignment includes these as well as the capability to advertise the availability of the uninstalled application through the Start menu and Desktop icons, even though it is not actually installed on the system. You can use group policy settings to enforce security-related settings across multiple Windows 2000 and later computers. Password and account lockout group policy items must be linked at the domain level to be effective. Windows Server 2008 creates a Default Domain Policy GPO and links it at the domain level for each domain in the forest. The domain password policy allows administrators to specify a combination of password security options, including how frequently users must change their passwords, how long passwords must be, how many unique passwords must be used before a user can reuse one, and how complex passwords must be. Account lockout is used to prevent successful brute-force password guessing.
If it is not enabled, an attacker can continue to guess username and password combinations very rapidly using software. The proper combination of settings can effectively block these types of security vulnerabilities by either locking the account out permanently or requiring long waiting times between a low number of incorrect guesses. Only one password and account lockout policy will be effective for all users and computers in the domain unless fine-grain policies are used. Although more difficult to create than standard GPOs, these fine-grain policy objects, called Password Settings objects, allow administrators to apply different password and account lockout settings to user accounts and global security groups. You can create them using ldifde or ADSI Edit, and you can modify them using either of these tools as well as Active Directory Users and Computers.
You can also use group policy objects to enable auditing. Auditing is used to track authorized and unauthorized resource access, usage, and change. Administrators can audit the success and/or failure for a number of tracked events. Examples of what can be tracked include logons, changes to policy, use of privileges, directory service or file access, and so forth. Some objects such as the Active Directory directory service, the file system, Registry keys, and printers require two steps to enable auditing. Administrators must enable auditing in group policy and on the specific objects they want to track.You can configure these resources to track individual and group accounts, as well as specific actions such as changing permissions on or deleting the object. Most objects have a sizable number of possible auditing options. Unlike the other items in the previous list, some Active Directory objects already have auditing configured for them. Despite this convenience, administrators should always double-check the objects they specifically want to audit and ensure that the settings are appropriate for the information they want to receive. Additional security-related policies include User Rights Assignment, Security Options, Restricted Groups, and Administrative Templates. Administrators can grant or revoke a significant number of user rights, including the ability to log on to a server locally or from a network connection, the ability to shut down a server, the ability for certain accounts to be able to log on as a service, and many others. In addition, Microsoft provides administrators with a large list of security parameters that can be defined using group policy, including preventing users from installing printer drivers, blocking access to the CD-ROM drive, specifying various digital signing and encryption settings, restricting access to the Registry, and many more. 
The Restricted Groups GPO allows an administrator to exert control over group membership using group policy. You can use it to strictly enforce the membership of groups it is configured to manage, and to add the managed groups to other groups. The Administrative Templates group policy settings control a large number of Registry-based settings on the workstations and servers to which they apply. Pre-Windows Vista computers exclusively used ADM files, which were stored within each GPO in an Active Directory environment. You can still use ADM files with Windows Vista and Server 2008; however, Microsoft recommends using the newer ADMX and ADML file formats. You can create a central store for ADMX and ADML files under the %sysvol%\\policies\ folder. You can convert ADM files to ADMX using the ADMX Migrator utility.
Exam Objectives Fast Track
Configuring Software Deployment
˛ Three things must occur for any software deployment using group policy: The software distribution point must be created, the GPO that will be used must be created or decided upon, and the GPO must be configured for the deployment.
˛ You can use group policy to manage the entire software life cycle: preparation, deployment, maintenance, and removal. The maintenance cycle includes the ability to redeploy software with service packs and to fix issues, as well as being able to upgrade to new versions. Redeployment is mandatory but upgrades can be mandatory or optional.
˛ Group policies can be published or assigned to users, and assigned to computers. Publishing allows users to install software from document activation and the Control Panel. Assignment includes these as well as the capability to advertise the availability of the uninstalled application through the Start menu and Desktop icons.
˛ Administrators can specify whether software removal will be forced or optional. If forced, software is removed at the next computer startup or user logon. If optional, users can remove the software at any time using the Control Panel.
Configuring Account Policies
˛ Windows Server 2008 creates a Default Domain Policy GPO for every domain in the forest. This GPO is the primary method used to set some security-related policies such as password expiration and account lockout.
˛ You can use fine-grain password and account lockout policy to apply custom password and account lockout policy settings to individual users and global security groups within a domain.
˛ The domain password policy allows you to specify a range of password security options, including how frequently users change their passwords, how long passwords must be, how many unique passwords must be used before a user can reuse one, and how complex passwords must be.
˛ You can use account lockout to prevent successful brute force password guessing. If it’s not enabled, someone can keep attempting to guess username/password combinations very rapidly using a software-based attack. The proper combination of settings can effectively block these types of security vulnerabilities.
Configuring Audit Policies
˛ Auditing is used to track authorized and unauthorized resource access, usage, and change within Windows Server 2008.
˛ You can audit the success and/or failure for a variety of tracked events. Examples of what can be tracked include logons, changes to policy, use of privileges, directory service or file access, and so forth.
˛ Some objects such as directory services, the file system, Registry keys, and printers require two steps to enable auditing. You must enable auditing in group policy and on the specific objects you want to track.
Configuring Additional Security-Related Policies
˛ Administrators can grant a wide array of user rights, including the ability to log on to a server locally or from a network connection, the ability to shut down a server, the ability for certain accounts to be able to log on as a service, and many others.
˛ Microsoft provides administrators with a large list of security parameters that can be defined using group policy, including preventing users from installing printer drivers, blocking access to the CD-ROM drive, specifying various digital signing and encryption settings, restricting access to the Registry, and many more.
˛ The Restricted Groups object allows you to exert some control over group membership using group policy. You can use it to strictly enforce the membership of groups it is configured to manage, and to add the managed groups to other groups.
˛ The Administrative Templates group policy settings control a large number of Registry-based settings on the workstations and servers to which they apply. Pre-Windows Vista computers exclusively used ADM files, which were stored within each GPO in an Active Directory environment. You can still use ADM files with Windows Vista and Server 2008; however, Microsoft recommends using the newer ADMX and ADML file formats. You can create a central store for ADMX and ADML files under the %sysvol%\\policies\ folder.
˛ You can convert ADM files to ADMX using the ADMX Migrator utility.
Exam Objectives Frequently Asked Questions
Q: What methods of software deployment are available at the user level?
A: Administrators can assign and publish software to users, but only assign software to computers.
Q: What permissions should be set for the software distribution point?
A: At a minimum, share-level permissions should be set with those responsible for administering the files having full control of them, and users having read-only access. NTFS permissions are preferred over share-level permissions and should be set similarly.
Q: What is the difference between software redeployment and upgrades?
A: Redeployment is used when the current application version needs to be reinstalled, or when a service pack needs to be applied. Upgrades are used to move from one version of the software to another.
Q: What options are available when removing software using group policy?
A: Software can be removed if it was installed using group policy. Administrators can force removal at the next computer start or user logon, or allow users to determine when they uninstall the software.
Q: I created a GPO with specific password and account lockout settings and applied it to an OU in my Active Directory domain. Why weren’t the settings applied?
A: A GPO with password and account lockout settings is applied only when linked at the domain level of Active Directory.
Q: My security administrator is concerned about brute force password attacks. Are there any Windows Server 2008 features which can help to manage those risks?
A: Account lockout can be used to minimize risks from brute force password attacks by setting an appropriate combination of values for the Account lockout duration, Account lockout threshold, and Reset account lockout counter after options.
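As an added illustration (not code from the book or from Windows), the following Python model shows how the three settings named above interact: a one-guess-per-second guessing loop is reduced to a handful of checked attempts per lockout cycle, while a legitimate user's occasional typos are forgotten once the reset window passes. The policy values and the sample credential are constructed, and the timing model is a simplification of real domain controller behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """The three Account Policies settings, in the units the GPO editor uses."""
    threshold: int        # Account lockout threshold: bad attempts before lockout (0 = never lock)
    duration_min: int     # Account lockout duration in minutes (0 = locked until an admin unlocks)
    reset_after_min: int  # Reset account lockout counter after, in minutes


@dataclass
class Account:
    password: str                       # constructed sample credential, not a real one
    bad_count: int = 0                  # failed attempts inside the current reset window
    last_bad: Optional[int] = None      # time (seconds) of the most recent failed attempt
    locked_until: Optional[int] = None  # None = not locked


NEVER = 2 ** 62  # sentinel for "locked until an administrator unlocks the account"


def attempt_logon(acct: Account, policy: LockoutPolicy, supplied: str, now: int) -> str:
    """Process one logon attempt at time `now` (seconds).

    Returns 'locked' if the attempt was refused without the password being checked,
    'bad_password' if the password was checked and was wrong, or 'ok' if it succeeded.
    """
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return 'locked'            # even a correct password is refused while locked
        acct.locked_until = None       # lockout duration has expired: automatic unlock
        acct.bad_count = 0
    # Forget earlier failures once the reset window has elapsed with no new ones
    if acct.last_bad is not None and now - acct.last_bad >= policy.reset_after_min * 60:
        acct.bad_count = 0
    if supplied == acct.password:
        acct.bad_count = 0
        return 'ok'
    acct.bad_count += 1
    acct.last_bad = now
    if policy.threshold and acct.bad_count >= policy.threshold:
        # The attempt that reaches the threshold is rejected and locks the account
        acct.locked_until = NEVER if policy.duration_min == 0 else now + policy.duration_min * 60
    return 'bad_password'


def admin_unlock(acct: Account) -> None:
    """What 'Unlock account' in Active Directory Users and Computers does."""
    acct.locked_until = None
    acct.bad_count = 0


def guesses_checked(policy: LockoutPolicy, window_sec: int) -> int:
    """Fire one wrong guess per second for window_sec seconds at a fresh account
    and count how many of those guesses are actually evaluated against the password."""
    acct = Account(password='Sample-P@ss-1')
    return sum(1 for t in range(window_sec)
               if attempt_logon(acct, policy, 'wrong-guess', t) != 'locked')


if __name__ == '__main__':
    hour = 3600
    print('lockout disabled   :', guesses_checked(LockoutPolicy(0, 30, 30), hour), 'guesses checked per hour')
    print('threshold 5, 30/30 :', guesses_checked(LockoutPolicy(5, 30, 30), hour), 'guesses checked per hour')
```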
Q: I’m concerned about users going for too long without changing their passwords, or using passwords that are really simple and easy to guess. What can I do about this in Windows Server 2008?
A: Windows Server 2008 group policy allows you to specify a range of password security options, including how frequently users change their passwords, how long passwords must be, how many unique passwords must be used before a user can reuse one, and how complex passwords must be when initially specified or changed.
Q: How can I apply a different set of password and account lockout policy to administrators?
A: In Windows Server 2008, a new feature called fine-grain password and account lockout policy can be used to apply custom password and account lockout policy settings to individual users and global security groups within a domain.
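An added example, not from the book, of how such a policy can be prepared for the ldifde import mentioned in the summary: the Python below emits the LDIF record for one Password Settings Object, converting ages and windows into the negative 100-nanosecond (I8) values the directory stores and refusing combinations the directory would reject. The attribute names are those of the msDS-PasswordSettings schema class; the domain DN, PSO name and group DN are placeholders, and the special "never expires" and "until an administrator unlocks" values are not modelled.

```python
HUNDRED_NS_PER_SECOND = 10_000_000


def to_i8(days: int = 0, hours: int = 0, minutes: int = 0) -> int:
    """PSO age, window and duration attributes are stored as negative counts of
    100-nanosecond intervals (the I8 format); 30 days becomes -25920000000000."""
    seconds = ((days * 24 + hours) * 60 + minutes) * 60
    return -seconds * HUNDRED_NS_PER_SECOND


def pso_problems(precedence, applies_to, min_age_days, max_age_days,
                 lockout_threshold, observation_window_min, lockout_duration_min):
    """Return the reasons the directory would reject this PSO, or that would make it
    silently ineffective; an empty list means the settings are consistent."""
    problems = []
    if precedence < 1:
        problems.append("msDS-PasswordSettingsPrecedence must be a positive integer (lower wins)")
    if min_age_days >= max_age_days:
        problems.append("minimum password age must be less than the maximum")
    if lockout_threshold and observation_window_min > lockout_duration_min:
        problems.append("reset counter window must not exceed the lockout duration")
    if not applies_to:
        problems.append("msDS-PSOAppliesTo is empty, so the PSO applies to nobody")
    return problems


def build_pso_ldif(name, domain_dn, precedence, applies_to, *, min_length, history_length,
                   complexity, min_age_days, max_age_days, lockout_threshold,
                   observation_window_min, lockout_duration_min):
    """Return LDIF text that `ldifde -i -f <file>` can import to create one PSO."""
    problems = pso_problems(precedence, applies_to, min_age_days, max_age_days,
                            lockout_threshold, observation_window_min, lockout_duration_min)
    if problems:
        raise ValueError("; ".join(problems))
    # PSOs live in the Password Settings Container under the domain's System container
    dn = f"CN={name},CN=Password Settings Container,CN=System,{domain_dn}"
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        f"msDS-PasswordHistoryLength: {history_length}",
        f"msDS-PasswordComplexityEnabled: {'TRUE' if complexity else 'FALSE'}",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-MinimumPasswordAge: {to_i8(days=min_age_days)}",
        f"msDS-MaximumPasswordAge: {to_i8(days=max_age_days)}",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {to_i8(minutes=observation_window_min)}",
        f"msDS-LockoutDuration: {to_i8(minutes=lockout_duration_min)}",
    ]
    # One msDS-PSOAppliesTo value per user or global security group DN
    lines += [f"msDS-PSOAppliesTo: {member}" for member in applies_to]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder names: substitute your own domain DN, PSO name and group DN
    print(build_pso_ldif("AdminPSO", "DC=example,DC=com", precedence=10,
                         applies_to=["CN=Domain Admins,CN=Users,DC=example,DC=com"],
                         min_length=15, history_length=24, complexity=True,
                         min_age_days=1, max_age_days=30, lockout_threshold=5,
                         observation_window_min=30, lockout_duration_min=30))
```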
Q: What can I monitor using auditing in Windows Server 2008?
A: Auditing can be used to track successful and failed resource access, usage, and change, including logon events, directory service objects, file system objects, Registry objects, printers, exercise of user privileges and rights, system events, account management changes, and much more.
Q: It seems like auditing file system and directory service objects would produce too many log entries to sort through. Is there a way to limit this?
A: In addition to enabling auditing of these types of objects, you can also specify exactly what you want to track on an object-by-object basis. This includes both who changed an object and what was specifically changed.
Q: I see that two types of logon events can be audited. What is the difference between them?
A: The Audit account logon events policy is used for credential validation, and the events audited relate to the computer which is authoritative for the credentials. For most users in a domain, this will be the DC which processes their logon regardless of the location of the resources being accessed. The Audit logon events policy relates directly to where the resources being accessed are located.
Q: I’d like to restrict some users from being able to change their workstation’s time, shut down servers, and so forth. This doesn’t seem to be configurable with permissions. How can I accomplish this?
A: The User Rights Assignment node in group policy can be used to configure options such as this. Administrators can grant a wide array of user rights, including the ability to log on to a server locally or from a network connection, the ability to shut down a server, the ability for certain accounts to be able to log on as a service, and many others.
Q: How can I set the logon, signing, and encryption options for all of my Windows Server 2008 servers and Windows Vista Enterprise workstations at once, rather than having to configure the Local Security Policy on each computer?
A: Group policy can be used to enforce these types of settings across a wide range of Windows 2000 and later workstations and servers using the Security Options node in a GPO. A significant range of security settings can be defined, including preventing users from installing printer drivers, blocking access to the CD-ROM drive, specifying various digital signing and encryption settings, restricting access to the Registry, and many more.
Q: It seems like my organization is constantly having problems with inappropriate accounts being added to sensitive groups within Active Directory. What can be done to help prevent this?
A: The group policy Restricted Groups node can be used to strictly enforce the membership of groups it is configured to manage, and to add the managed groups to other groups.
Q: I looked for the ADMX central store on my server under %sysvol%\\policies\ but did not find the PolicyDefinitions folder. Was my Active Directory installation completed properly?
A: No ADMX central store is created by default in Windows Server 2008. To manually create one, copy a Windows Server 2008 or Vista’s %systemroot%\PolicyDefinitions folder to your %sysvol%\\policies\ folder.
Self Test
1. The CIO has asked you to configure a GPO that will ensure that antivirus software is installed on every computer in the company. You are the most senior administrator in the company and have full access to every computer, and to Active Directory. Your company has a single domain and site. Which one of the following actions do you take?
A. You configure a GPO at the domain level, and publish the application to all computers.
B. You configure a GPO at the site level, and assign the application to all computers.
C. You create a GPO with the required settings and link it into all OUs that have computer accounts in it. You set the options to assign the application to computers.
D. You tell him it cannot be done.
2. You’ve just taken over the domain-level administration for a mid-size company. The previous administrator did not use group policy software deployment. You have just configured and tested your first published application to users. The application was designed to be used by all users in the accounting department. You created the software distribution point and copied the installation files over to it. You then created the GPO and linked it to the AcctgUsers OU, which contains all user accounts for the department. When the users log on to their computers, the application is visible in Control Panel | Add or Remove Programs, but when users attempt the installation it fails. When you log on from a computer in accounting, you are able to access the installation files and run them manually. Which one of the following is most likely the problem?
A. The application files are corrupt.
B. The permissions on the software distribution point are configured incorrectly.
C. The GPO is corrupt.
D. The GPO is linked to the wrong place within Active Directory.
3. You’ve been asked by a senior administrator to deploy an update to an existing application that is assigned to users. The senior administrator created and tested the upgrade, and has given you all information required, including in which GPO to configure the upgrade package. You create the package in the GPO, right-click on it, and attempt to configure the update, but the current version is not listed for selection. Which of the following should you do next?
A. Notify the senior administrator that the application failed to detect that it was an upgrade to an existing version.
B. Manually enter the name of the package for the existing version and check the Required upgrade for existing packages box.
C. Deploy the upgrade as a new software installation instead of an upgrade.
D. Ask the senior administrator which GPO the existing version’s package is located in, browse to it, and select it.
4. Microsoft has released a new service pack for Microsoft Word, along with the necessary MSI file for deploying it via group policy. You’ve copied the files over to the correct software distribution point and verified their permissions. The application is assigned to all workstation computers in the company via a domain-level GPO. After configuring the files, you selected the redeployment option for the Microsoft Word software deployment package. Only some computers seem to be getting the service pack. The computers are a mix of Windows XP and Vista. Which of the following is the most likely cause?
A. All computers have not been rebooted since the redeployment.
B. Redeployment does not work with operating systems earlier than Windows Vista.
C. Service packs should be treated as upgrades, not reinstallations.
D. All users have not logged off and back on since the redeployment.
5. Your company decided not to renew the license agreement for its contact management software. The software is deployed on systems across many client computers in the company. A single GPO was configured to install the software, and was linked into multiple places in the Active Directory hierarchy to accommodate the various user groups that needed the program. You’ve gone into the GPO and removed the published object for the software. Now, the object is gone from the GPO but the application is still installed on the client computers. Which one of the following most likely explains what happened?
A. You left the default option for removal enabled.
B. You selected the option to make the removal optional.
C. You selected the option to force removal.
D. You deleted the software object from the GPO but forgot to select the uninstall options first.
6. The application testing team at your company has given you the approval to deploy an upgrade to an existing software package. The team testing it has revealed that the upgrade works best when the software is installed over the existing software. They ask you if it is possible to upgrade the software using group policy in a way which meets their recommendations, or if they should write a script to push out the installation. Which one of the following do you tell them?
A. You tell them that the default in group policy is to install over the previous version of the software.
B. You tell them that group policy requires the previous version of the software to be removed.
C. You tell them that it is an optional configuration setting, but that it is possible.
D. You recommend a script, saying that you don’t trust group policy for such a complex deployment scenario.
7. This morning you deployed an application by assigning it to computers, and then many of the applications failed. On some systems the application installed just fine, on others it only partially installed, and on still others it failed very early in the process. You figured out what went wrong, and have modified the MSI file. Which one of the following should you do to correct the problem?
A. You should do a forced removal of the software.
B. You should delete and re-create the deployment object in group policy.
C. You should redeploy the software.
D. You should begin manually troubleshooting the workstations that had problems.
8. You are a mid-level administrator for a large multinational company. Each major company office has its own domain. The technical services manager at your office is tired of receiving complaints from the VP-level employees who work at your location. She has asked you to allow passwords to be as short as four characters, and to be all lowercase letters. Which of the following do you do? (Select all that apply).
A. You tell her that the Default Domain Password Policy supports these settings by default.
B. You tell her that you will create a custom GPO and link it in to the OU containing the VP’s user accounts.
C. You tell her that you will disable the Passwords must meet complexity requirements option.
D. You tell her that you will set the Minimum password length option to 4.
9. Recently the security for your network was taken over by the firewall and UNIX administrator. He has requested that you increase your password history setting from the Windows Server 2008 default setting to remember the maximum number of passwords. Which one of the following do you tell him?
A. You tell him that you will increase the Enforce password history setting to 48.
B. You tell him that you will increase the Enforce password history setting to 24.
C. You tell him that the default setting is the maximum.
D. You tell him that there is no maximum setting, and ask him to provide a specific value.
10. You work for a small accounting firm. Recently your boss, the owner of the company, read an article about weaknesses in password security. He’s asked that you require everyone in the company to change his or her password every 30 days, and to have to use at least 12 different passwords per year. Which of the following settings do you configure in the Default Domain Policy? (Select all that apply).
A. You set the Maximum password age option to 30.
B. You set the Enforce password history option to 12.
C. You set the Minimum password age option to 15.
D. You disable the Passwords must meet complexity requirements option.
Self Test Quick Answer Key
1. D
2. B
3. D
4. A
5. B
6. C
7. C
8. C, D
9. C
10. A, C
Chapter 7
MCTS/MCITP Exam 640 Configuring Certificate Services and PKI
Exam objectives in this chapter:
■ What Is PKI?
■ Analyzing Certificate Needs within the Organization
■ Working with Certificate Services
■ Working with Templates
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Chapter 7 • Configuring Certificate Services and PKI
Introduction
Computer networks have evolved in recent years to allow an unprecedented sharing of information between individuals, corporations, and even national governments. The need to protect this information has also evolved, and network security has consequently become an essential concern of most system administrators. Even in smaller organizations, the basic goal of preventing unauthorized access while still allowing legitimate information to flow smoothly requires the use of more and more advanced technology.
That being stated, all organizations today rely on networks to access information. These sources of information can range from internal networks to the Internet. Access to information is needed, and this access must be configured to provide information to other organizations that may request it. When we need to make a purchase, for example, we can quickly check out vendors’ prices through their Web pages. In order not to allow the competition to get ahead of our organization, we must establish our own Web page for the advertising and ordering of our products. Within any organization, many sites may exist across the country or around the globe. If corporate data is available immediately to employees, much time is saved. In the corporate world, any time saved is also money saved.
In the mid 1990s, Microsoft began developing what was to become a comprehensive security system of authentication protocols and technology based on already developed cryptography standards known as public key infrastructure (PKI). In Windows 2000, Microsoft used various standards to create the first Windows-proprietary PKI—one that could be implemented completely without using third-party companies. Windows Server 2008 expands and improves on that original design in several significant ways, which we’ll discuss later in this chapter. PKI is the method of choice for handling authentication issues in large enterprise-level organizations today.
Windows Server 2008 includes the tools you need to create a PKI for your company and issue digital certificates to users, computers, and applications. This chapter addresses the complex issues involved in planning a certificate-based PKI. We’ll provide an overview of the basic terminology and concepts relating to the public key infrastructure, and you’ll learn about public key cryptography and how it is used to authenticate the identity of users, computers, and applications/services. We’ll discuss different components of PKI, including private key, public key, and a trusted third party (TTP) along with PKI enhancements in Windows Server 2008. We’ll discuss the role of digital certificates and the different types of certificates (user, machine, and application certificates).
You’ll learn about certification authorities (CAs), the servers that issue certificates, including both public CAs and private CAs, such as the ones you can implement on your own network using Server 2008’s certificate services. Next, we’ll discuss the CA hierarchy and how root CAs and subordinate CAs act together to provide for your organization’s certificate needs. You’ll find out how the Microsoft certificate services work, and we’ll walk you through the steps involved in implementing one or more certification authorities based on the needs of the organization. You’ll learn to determine the appropriate CA type—enterprise or stand-alone CA—for a given situation and how to plan the CA hierarchy and provide for security of your CAs. We’ll show you how to plan for enrollment and distribution of certificates, including the use of certificate requests, role-based administration, and autoenrollment deployment. Next, we’ll discuss how to implement certificate templates and the different types of templates that you can use in your environment. Finally, we’ll discuss the key recovery agent role and how it works in a Windows Server 2008 environment.
What Is PKI?
The rapid growth of Internet use has given rise to new security concerns. Any company that does not configure a strong security infrastructure is literally putting the company at risk. An unscrupulous person could, if security were lax, steal information or modify business information in a way that could result in major financial disaster. To protect the organization’s information, the middleman must be eliminated. Cryptographic technologies such as public key infrastructure (PKI) provide a way to identify both users and servers during network use. PKI is the underlying cryptography system that enables users or computers that have never been in trusted communication before to validate themselves by referencing an association to a trusted third party (TTP). Once this verification is complete, the users and computers can now securely send messages, receive messages, and engage in transactions that include the interchange of data. PKI is used in both private networks (intranets) and on the World Wide Web (the Internet). It is actually the latter, the Internet, that has driven the need for better methods for verifying credentials and authenticating users. Consider the vast number of transactions that take place every day over the Internet—from banking to shopping to accessing databases and sending messages or files. Each of these transactions involves at least two parties. The problem lies in the verification of who those parties are and the choice of whether to trust them with your credentials and information.
The PKI verification process is based on the use of keys, unique bits of data that serve one purpose: identifying the owner of the key. Every user of PKI actually generates or receives two types of keys: a public key and a private key. The two are actually connected and are referred to as a key pair. As the name suggests, the public key is made openly available to the public while the private key is limited to the actual owner of the key pair. Through the use of these keys, messages can be encrypted and decrypted, allowing data to be exchanged securely (this process will be covered in a few sections later in this chapter). The use of PKI on the World Wide Web is so pervasive that it is likely that every Internet user has used it without even being aware of it. However, PKI is not simply limited to the Web; applications such as Pretty Good Privacy (PGP) also leverage the basis of PKI technology for e-mail protection; FTP over SSL/TLS uses PKI, and many other protocols have the ability to manage the verification of identities through the use of key-based technology. Companies such as VeriSign and Entrust exist as trusted third-party vendors, enabling a world of online users who are strangers to find a common point of reference for establishing confidentiality, message integrity, and user authentication. Literally millions of secured online transactions take place every day leveraging their services within a public key infrastructure. Technology uses aside, PKI fundamentally addresses relational matters within communications. Specifically, PKI seeks to provide solutions for the following:
■ Proper authentication
■ Trust
■ Confidentiality
■ Integrity
■ Nonrepudiation
By using the core PKI elements of public key cryptography, digital signatures, and certificates, you can ensure that all these equally important goals can be met successfully. The good news is that the majority of the work involved in implementing these elements under Windows Server 2008 is taken care of automatically by the operating system and is done behind the scenes.
The first goal, proper authentication, means that you can be highly certain that an entity such as a user or a computer is indeed the entity he, she, or it is claiming to be. Think of a bank. If you wanted to cash a large check, the teller will more than likely ask for some identification. If you present the teller with a driver’s license and the picture on it matches your face, the teller can then be highly certain that you are that person—that is, if the teller trusts the validity of the license itself. Because the driver’s license is issued by a government agency—a trusted third party—the teller is more likely to accept it as valid proof of your identity than if you presented an employee ID card issued by a small company that the teller has never heard of. As you can see, trust and authentication work hand in hand.
When transferring data across a network, confidentiality ensures that the data cannot be viewed and understood by any third party. The data might be anything from an e-mail message to a database of social security numbers. In the last 20 years, more effort has been spent trying to achieve this goal (data confidentiality) than perhaps all the others combined. In fact, the entire scientific field of cryptology is devoted to ensuring confidentiality (as well as all the other PKI goals).
NOTE Cryptography refers to the process of encrypting data; cryptanalysis is the process of decrypting, or “cracking” cryptographic code. Together, the two make up the science of cryptology.
As important as confidentiality is, however, the importance of network data integrity should not be underestimated. Consider the extreme implications of a patient’s medical records being intercepted during transmission and then maliciously or accidentally altered before being sent on to their destination. Integrity gives confidence to a recipient that data has arrived in its original form and hasn’t been changed or edited. Finally we come to nonrepudiation. A bit more obscure than the other goals, nonrepudiation allows you to prove that a particular entity sent a particular piece of data. It is impossible for the entity to deny having sent it. It then becomes extremely difficult for an attacker to masquerade as a legitimate user and then send malevolent data across the network. Nonrepudiation is related to, but separate from, authentication.
The Function of the PKI
The primary function of the PKI is to address the need for privacy throughout a network. For the administrator, there are many areas that need to be secured. Internal and external authentication, encryption of stored and transmitted files, and e-mail privacy are just a few examples. The infrastructure that Windows Server 2008 provides links many different public key technologies in order to give the IT administrator the power necessary to maintain a secure network. Most of the functionality of a Windows Server 2008-based PKI comes from a few crucial components, which are described in this chapter. Although there are several third-party vendors such as VeriSign (www.verisign.com) that offer similar technologies and components, using Windows Server 2008 can be a less costly and easier to implement option—especially for small and medium-sized companies.
Components of PKI
In today’s network environments, key pairs are used in a variety of different functions. This series will likely cover topics such as virtual private networks (VPNs), digital signatures, access control (SSH), secure e-mail (PGP—mentioned already—and S/MIME), and secure Web access (Secure Sockets Layer, or SSL). Although these technologies are varied in purpose and use, each includes an implementation of PKI for managing trusted communications between a host and a client. While PKI exists at some level within the innards of several types of communications technologies, its form can change from implementation to implementation. As such, the components necessary for a successful implementation can vary depending on the requirements, but in public key cryptography there is always:
■ A private key
■ A public key
■ A trusted third party (TTP)
Since a public key must be associated with the name of its owner, a data structure known as a public key certificate is used. The certificate typically contains the owner’s name, their public key and e-mail address, validity dates for the certificate, the location of revocation information, the location of the issuer’s policies, and possibly other affiliate information that identifies the certificate issuer with an organization such as an employer or other institution. In most cases, the private and public keys are simply referred to as the private and public key certificates, and the trusted third party is commonly known as the certificate authority (CA). The certificate authority is the resource that must be available to both the holder of the private key and the holder of the public key. Entire hierarchies can exist within a public key infrastructure to support the use of multiple certificate authorities. In addition to certificate authorities and the public and private key certificates they publish, there is a collection of components and functions associated with the management of the infrastructure. As such, a list of typical components required for a functional public key infrastructure would include but not be limited to the following:
■ Digital certificates
■ Certification authorities
■ Certificate enrollment
■ Certificate revocation
■ Encryption/cryptography services
Although we have already covered digital certificates and certificate authorities at a high level, it will be well worth our time to revisit these topics. In the sections to follow, we will explore each of the aforementioned topics in greater detail.
New & Noteworthy… PKI Enhancements in Windows Server 2008

Windows Server 2008 introduces many new enhancements that allow for a more easily implemented PKI solution and, believe it or not, the development of such solutions. Some of these improvements extend to the clients, such as the Windows Vista operating system. Overall, these improvements have increased the manageability throughout Windows PKI. For example, the revocation services have been redesigned, and the attack surface for enrollment has decreased. The following list items include the major highlights:
■ Enterprise PKI (PKIView) PKIView is a Microsoft Management Console (MMC) snap-in for Windows Server 2008. It can be used to monitor and analyze the health of the certificate authorities and to view details for each certificate authority certificate published in Active Directory Certificate Servers.
■ Web Enrollment Introduced in Windows Server 2000, the new Web enrollment control is more secure and makes the use of scripts much easier. It is also easier to update than previous versions.
■ Network Device Enrollment Service (NDES) In Windows Server 2008, this service represents Microsoft’s implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for software running on network devices, such as routers and switches that cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a certificate authority.
■ Online Certificate Status Protocol (OCSP) In cases where conventional CRLs (Certificate Revocation Lists) are not an optimal solution, Online Responders can be configured on a single computer or in an Online Responder Array to manage and distribute revocation status information.
■ Group Policy and PKI New certificate settings in Group Policy now enable administrators to manage certificate settings from a central location for all the computers in the domain.
■ Cryptography Next Generation Leveraging the U.S. government’s Suite B cryptographic algorithms, which include algorithms for encryption, digital signatures, key exchange, and hashing, Cryptography Next Generation (CNG) offers a flexible development platform that allows IT professionals to create, update, and use custom cryptography algorithms in cryptography-related applications such as Active Directory Certificate Services (AD CS), Secure Sockets Layer (SSL), and Internet Protocol Security (IPsec).
How PKI Works

Before we discuss how PKI works today, it is perhaps helpful to understand the term encryption and how PKI has evolved. The history of general cryptography almost certainly dates back to almost 2000 B.C. when Roman and Greek statesmen used simple alphabet-shifting algorithms to keep government communication private. Through time and civilizations, ciphering text played an important role in wars and politics. As modern times provided new communication methods, scrambling information became increasingly more important. World War II brought about the first use of the computer in the cracking of Germany’s Enigma code. In 1952, President Truman created the National Security Agency at Fort Meade, Maryland. This agency, which is the center of U.S. cryptographic activity, fulfills two important national functions: It protects all military and executive communication from being intercepted, and it intercepts and unscrambles messages sent by other countries. Although complexity increased, not much changed until the 1970s, when the National Security Agency (NSA) worked with Dr. Horst Feistel to establish the Data Encryption Standard (DES) and Whitfield Diffie and Martin Hellman introduced the first public key cryptography standard. Windows Server 2008 still uses Diffie-Hellman (DH) algorithms for SSL, Transport Layer Security (TLS), and IPsec. Another major force in modern cryptography came about in the late 1970s. RSA Labs, founded by Ronald Rivest, Adi Shamir, and Leonard Adleman, furthered the concept of key cryptography by developing a technology of key pairs, where plaintext that is encrypted by one key can be decrypted only by the other matching key.

There are three types of cryptographic functions. The hash function does not involve the use of a key at all, but it uses a mathematical algorithm on the data in order to scramble it. The secret key method of encryption, which involves the use of a single key, is used to encrypt and decrypt the information and is sometimes referred to as symmetric key cryptography. An excellent example of secret key encryption is the decoder ring you may have had as a child. Any person who obtained your decoder ring could read your “secret” information. There are basically two types of symmetric algorithms. Block symmetric algorithms work by taking a given length of bits known as blocks. Stream symmetric algorithms operate on a single bit at a time. One well-known block algorithm is DES. Windows 2000 uses a modified DES and performs that operation on 64-bit blocks using every eighth bit for parity.
The resulting ciphertext is the same length as the original cleartext. For export purposes the DES is also available with a 40-bit key. One advantage of secret key encryption is the efficiency with which it takes a large amount of data and encrypts it quite rapidly. Symmetric algorithms can also be easily implemented at the hardware level. The major disadvantage of secret key encryption is that a single key is used for both encryption and decryption. There must be a secure way for the two parties to exchange the one secret key. In the 1970s this disadvantage of secret key encryption was eliminated through the mathematical implementation of public key encryption. Public key encryption, also referred to as asymmetric cryptography, replaced the one shared key with each user’s own pair of keys. One key is a public key, which is made available to everyone and is used for the encryption process only. The other key in the pair, the private key, is available only to the owner. The private key cannot be created as a result of the public key’s being available. Any data that is encrypted by a public key can be decrypted only by using the private key of the pair. It is also possible for the owner to use a private key to encrypt sensitive information. If the data is encrypted by using the private key, then the public key in the pair of keys is needed to decrypt the data.

DH algorithms are known collectively as shared secret key cryptographies, also known as symmetric key encryption. Let’s say we have two users, Greg and Matt, who want to communicate privately. With DH, Greg and Matt each generate a random number. Each of these numbers is known only to the person who generated it. Part one of the DH function changes each secret number into a nonsecret, or public, number. Greg and Matt now exchange the public numbers and then enter them into part two of the DH function. This results in a private key—one that is identical for both users. Using advanced mathematics, this shared secret key can be decrypted only by someone with access to one of the original random numbers. As long as Greg and Matt keep the original numbers hidden, the shared secret key cannot be reversed.

It should be apparent from the many and varied contributing sources to PKI technology that the need for management of this invaluable set of tools would become paramount. If PKI, like any other technology set, continued to develop without standards of any kind, then differing forms and evolutions of the technology would be implemented ad hoc throughout the world. Eventually, the theory holds that some iteration would render communication or operability between different forms impossible. At that point, the cost of standardization would be significant, and the amount of time lost in productivity and reconstruction of PKI systems would be immeasurable. Thus, a set of standards was developed for PKI. The Public-Key Cryptography Standards (PKCS) are a set of standard protocols used for securing the exchange of information through PKI.
The list of these standards was actually established by RSA laboratories—the same organization that developed the original RSA encryption standard—along with a group of participating technology leaders that included Microsoft, Sun, and Apple.
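The Greg-and-Matt exchange described above, worked through in code. This is an added example, not code from the book or from Windows: the group parameters p = 23 and g = 5 are constructed toy values small enough to follow by hand (a real deployment uses a 2048-bit or larger group and a cryptographically secure random source for the secret numbers), the function names are my own, and the `brute_force_secret` helper is there only to show why the toy size is insecure.

```python
"""Toy Diffie-Hellman key agreement between Greg and Matt (added example, not from the book)."""
import secrets

# Constructed toy group (NOT secure): prime modulus p and generator g.
P = 23
G = 5


def make_secret(p=P):
    """Each party picks a random number known only to itself (a value in [1, p-2])."""
    return 1 + secrets.randbelow(p - 2)


def make_public(secret, p=P, g=G):
    """Part one of the DH function: turn a secret number into a nonsecret, public one."""
    return pow(g, secret, p)


def shared_key(their_public, my_secret, p=P):
    """Part two: combine the other side's public number with my own secret number."""
    return pow(their_public, my_secret, p)


def agree(greg_secret, matt_secret, p=P, g=G):
    """Run the whole exchange; return (greg_key, matt_key, everything an eavesdropper saw)."""
    greg_public = make_public(greg_secret, p, g)
    matt_public = make_public(matt_secret, p, g)
    greg_key = shared_key(matt_public, greg_secret, p)   # Greg uses Matt's public number
    matt_key = shared_key(greg_public, matt_secret, p)   # Matt uses Greg's public number
    return greg_key, matt_key, (p, g, greg_public, matt_public)


def brute_force_secret(public, p=P, g=G):
    """Recover a secret from its public number by trying every exponent.

    Feasible only because the toy group is tiny; for real group sizes this
    discrete-logarithm search is exactly the problem DH relies on being infeasible,
    which is why the shared key cannot be reversed from the public numbers alone.
    """
    for candidate in range(1, p - 1):
        if pow(g, candidate, p) == public:
            return candidate
    return None


if __name__ == "__main__":
    greg_key, matt_key, seen = agree(make_secret(), make_secret())
    print("Greg:", greg_key, "Matt:", matt_key, "eavesdropper saw:", seen)
```

With the fixed secrets 6 and 15 the public numbers are 8 and 19 and both sides arrive at the key 2; the eavesdropper sees only (23, 5, 8, 19), and the brute-force helper recovers the secrets in a handful of steps because p is 23, not a 2048-bit prime.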
PKCS Standards

Here is a list of active PKCS standards. You will notice that there are gaps in the numbered sequence of these standards, and that is due to the retiring of standards over time since they were first introduced.
■ PKCS #1: RSA Cryptography Standard Outlines the encryption of data using the RSA algorithm. The purpose of the RSA Cryptography Standard is in the development of digital signatures and digital envelopes. PKCS#1 also describes a syntax for RSA public keys and private keys. The public-key syntax is used for certificates, while the private-key syntax is used for encrypting private keys.
■ PKCS #3: Diffie-Hellman Key Agreement Standard Outlines the use of the Diffie-Hellman Key Agreement, a method of sharing a secret key between two parties. The secret key is used to encrypt ongoing data transfer between the two parties. Whitfield Diffie and Martin Hellman developed the Diffie-Hellman algorithm in the 1970s as the first public asymmetric cryptographic system (asymmetric cryptography was invented in the United Kingdom earlier in the same decade, but was classified as a military secret). Diffie-Hellman overcomes the key-exchange problem of symmetric key systems, because management of the keys is less difficult.
■ PKCS #5: Password-based Cryptography Standard A method for encrypting a string with a secret key that is derived from a password. The result of the method is an octet string (a sequence of 8-bit values). PKCS #8 is primarily used for encrypting private keys when they are being transmitted between computers.
■ PKCS #6: Extended-certificate Syntax Standard Deals with extended certificates. Extended certificates are made up of the X.509 certificate plus additional attributes. The additional attributes and the X.509 certificate can be verified using a single public-key operation. The issuer that signs the extended certificate is the same as the one that signs the X.509 certificate.
■ PKCS #7: Cryptographic Message Syntax Standard The foundation for the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard. It is also compatible with Privacy-Enhanced Mail (PEM) and can be used in several different architectures of key management.
■ PKCS #8: Private-key Information Syntax Standard Describes a method of communication for private-key information that includes the use of a public-key algorithm and additional attributes (similar to PKCS #6). In this case, the attributes can be a DN or a root CA’s public key.
■ PKCS #9: Selected Attribute Types Defines the types of attributes for use in extended certificates (PKCS #6), digitally signed messages (PKCS #7), and private-key information (PKCS #8).
■ PKCS #10: Certification Request Syntax Standard Describes a syntax for a certification request. A certification request consists of a DN, a public key, and additional attributes. Certification requests are sent to a CA, which then issues the certificate.
■ PKCS #11: Cryptographic Token Interface Standard Specifies an application program interface (API) for token devices that hold encrypted information and perform cryptographic functions, such as smart cards and Universal Serial Bus (USB) pigtails.
■ PKCS #12: Personal Information Exchange Syntax Standard Specifies a portable format for storing or transporting a user’s private keys and certificates. Ties into both PKCS #8 (communication of private-key information) and PKCS #11 (Cryptographic Token Interface Standard). Portable formats include diskettes, smart cards, and Personal Computer Memory Card International Association (PCMCIA) cards. On Microsoft Windows platforms, PKCS #12 format files are generally given the extension .pfx. PKCS #12 is the best standard format to use when exchanging private keys and certificates between systems.
TEST DAY TIP

On the day of the test, do not concern yourself too much with what the different standard numbers are. It is important to understand why they are in place and what PKCS stands for.
RSA-derived technology in its various forms is used extensively by Windows Server 2008 for such things as Kerberos authentication and S/MIME. In practice, the use of the PKI technology goes something like this: Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine each own a key pair consisting of a public key and a private key. If Dave wants Dixine to send him an encrypted message, he first transmits his public key to Dixine. She then uses Dave’s public key to encrypt the message. Fundamentally, since Dave’s public key was used to encrypt, only Dave’s private key can be used to decrypt. When he receives the message, only he is able to read it. Security is maintained because only public keys are transmitted—the private keys are kept secret and are known only to their owners. Figure 7.1 illustrates the process.
Figure 7.1 Public/Private Key Data Exchange
EXAM WARNING

In a Windows Server 2008 PKI, a user’s public and private keys are stored under the user’s profile. For the administrator, the public keys would be under Documents and Settings\Administrator\System Certificates\My\Certificates and the private keys would be under Documents and Settings\Administrator\Crypto\RSA (where they are double encrypted by Microsoft’s Data Protection API, or DPAPI). Although a copy of the public keys is kept in the registry, and can even be kept in Active Directory, the private keys are vulnerable to deletion. If you delete a user profile, the private keys will be lost!
RSA can also be used to create “digital signatures” (see Figure 7.2). In the communication illustrated in Figure 7.1, a public key was used to encrypt a message and the corresponding private key was used to decrypt. If we invert the process, a private key can be used to encrypt and the matching public key to decrypt. This is useful, for example, if you want people to know that a document you wrote is really yours. If you encrypt the document using your private key, then only your public key can decrypt it. If people use your public key to read the document and they are successful, they can be certain that it was “signed” by your private key and is therefore authentic.
Figure 7.2 Digital Signatures
Head of the Class… Modern Cryptography 101

Thanks to two mathematical concepts, prime number theory and modulo algebra, most of today’s cryptography encryption standards are considered intractable—that is, they are unbreakable with current technology in a reasonable amount of time. For example, it might take 300 linked computers over 1,000 years to decrypt a message. Of course, quantum computing is expected to some day change all that, making calculations exponentially faster and rendering all current cryptographic algorithms useless—but we won’t worry about that for now.

First, an explanation of the modulo operator. Let’s go back to elementary school where you first learned to do division. You learned that 19/5 equals 3 with a remainder of 4. You also probably concentrated on the 3 as the important number. Now, however, we get to look at the remainder. When we take the modulus of two numbers, the result is the remainder—therefore 19 mod 5 equals 4. Similarly, 24 mod 5 also equals 4 (can you see why?). Finally, we can conclude that 19 and 24 are congruent modulo 5.

So how does this relate to cryptography and prime numbers? The idea is to take a message and represent it by using a sequence of numbers. We’ll call the sequence x_i. What we need to do is find three numbers that make the following modulo equation possible: (x^e)^d mod y = x. The first two numbers, e and d, are a pair and are completely interchangeable. The third number, y, is a product of two very large prime numbers (the larger the primes, the more secure the encryption). Prime number theory is too complex for an in-depth discussion here, but in a nutshell, remember that a prime number is only divisible by the number 1 and itself. This gives each prime number a “uniqueness.” Once we have found these numbers (although we won’t go into how because this is the really deep mathematical part), the encryption key becomes the pair (e, y) and the decryption key becomes the pair (d, y). Now it doesn’t matter which key we decide to make public and which key we make private because they’re interchangeable. It’s a good thing that Windows Server 2008 does all of the difficult work for us!
How Certificates Work

Before we delve into the inner workings of a certificate, let’s discuss what a certificate actually is in layman’s terms. In PKI, a digital certificate is a tool used for binding a public key with a particular owner. A great comparison is a driver’s license. Consider the information listed on a driver’s license:
■ Name
■ Address
■ Date of birth
■ Photograph
■ Signature
■ Social security number (or another unique number such as a state issued license number)
■ Expiration date
■ Signature/certification by an authority (typically from within the issuing state’s government body)
The information on a state license photo is significant because it provides crucial information about the owner of that particular item. The signature from the state official serves as a trusted authority for the state, certifying that the owner has been verified and is legitimate to be behind the wheel of a car. Anyone, like an officer, who wishes to verify a driver’s identity and right to commute from one place to another by way of automobile need only ask for and review the driver’s license. In some cases, the officer might even call or reference that license number just to ensure it is still valid and has not been revoked. A digital certificate in PKI serves the same function as a driver’s license. Various systems and checkpoints may require verification of the owner’s identity and status and will reference the trusted third party for validation. It is the certificate that enables this quick hand-off of key information between the parties involved.

The information contained in the certificate is actually part of the X.509 certificate standard. X.509 is actually an evolution of the X.500 directory standard. Initially intended to provide a means of developing easy-to-use electronic directories of people that would be available to all Internet users, it became a directory and mail standard for a very commonly known mail application: Microsoft Exchange 5.5. The X.500 directory standard specifies a common root of a hierarchical tree although the “tree” is inverted: the root of the tree is depicted at the “top” level while the other branches—called “containers”—are below it. Several of these types of containers exist with a specific naming convention. In this naming convention, each portion of a name is specified by the abbreviation of the object type or a container it represents. For example, a CN= before a username indicates a “common name”, a C= precedes a “country,” and an O= precedes “organization”. These elements are worth remembering as they will appear not only in discussions about X.500 and X.509, but they are ultimately the basis for the scheme of Microsoft’s premier directory service, Active Directory.

X.509 is the standard used to define what makes up a digital certificate. Within this standard, a description is given for a certificate as allowing an association between a user’s distinguished name (DN) and the user’s public key. The DN is specified by a naming authority (NA) and used as a unique name by the certificate authority (CA) who will create the certificate. A common X.509 certificate includes the following information (see Table 7.1 and Figures 7.3 and 7.4):
Table 7.1 X.509 Certificate Data

Item                  Definition
Serial Number         A unique identifier.
Subject               The name of the person or company that is being identified, sometimes listed as “Issued To”.
Signature Algorithm   The algorithm used to create the signature.
Issuer                The trusted authority that verified the information and generated the certificate, sometimes listed as “Issued By”.
Valid From            The date the certificate was activated.
Valid To              The last day the certificate can be used.
Public Key            The public key that corresponds to the private key.
Thumbprint Algorithm  The algorithm used to create the unique value of a certificate.
Thumbprint            The unique value of every certificate, which positively identifies the certificate. If there is ever a question about the authenticity of a certificate, check this value with the issuer.
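The X.500 naming convention (CN=, O=, C=) and the Thumbprint row of Table 7.1, in code: a small DER encoder and decoder for an X.509 Name, plus the hash that Windows displays as a certificate’s thumbprint (SHA-1 over the DER bytes; here it is applied to the Name alone so the example needs no full certificate). This is an added example, not code from the book or from Windows; the attribute OIDs are the standard X.520 values, the sample distinguished name is constructed, and the function names are my own.

```python
"""DER encoding/decoding of an X.509 Name and a certificate-style thumbprint
(added example, not from the book)."""
import hashlib

# Standard X.520 attribute-type OIDs, already DER-encoded (2.5.4.3 = commonName, etc.).
OIDS = {"CN": bytes.fromhex("550403"), "O": bytes.fromhex("55040a"), "C": bytes.fromhex("550406")}
TYPES = {oid: name for name, oid in OIDS.items()}

SEQUENCE, SET, OID, PRINTABLE_STRING, UTF8_STRING = 0x30, 0x31, 0x06, 0x13, 0x0C


def der_length(n):
    """DER length octets: short form below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_name(rdns):
    """rdns: ordered [(type, value)], e.g. [("C", "US"), ("O", "Syngress"), ("CN", "Dave")].

    Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN is a SET holding one
    AttributeTypeAndValue SEQUENCE { OID, PrintableString }.
    """
    out = b""
    for typ, value in rdns:
        atv = tlv(SEQUENCE, tlv(OID, OIDS[typ]) + tlv(PRINTABLE_STRING, value.encode("ascii")))
        out += tlv(SET, atv)
    return tlv(SEQUENCE, out)


def read_tlv(buf, pos):
    """Parse one tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def decode_name(der):
    """Inverse of encode_name; rejects anything that is not a well-formed Name."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a DER Name")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, set_body, pos = read_tlv(body, pos)
        seq_tag, atv, _ = read_tlv(set_body, 0)
        oid_tag, oid, after_oid = read_tlv(atv, 0)
        val_tag, val, _ = read_tlv(atv, after_oid)
        if (set_tag, seq_tag, oid_tag) != (SET, SEQUENCE, OID) or val_tag not in (PRINTABLE_STRING, UTF8_STRING):
            raise ValueError("unexpected DER structure in Name")
        rdns.append((TYPES.get(oid, "OID." + oid.hex()), val.decode("utf-8")))
    return rdns


def dn_string(rdns):
    """Human-readable form, e.g. 'C=US, O=Syngress, CN=Dave'."""
    return ", ".join(f"{t}={v}" for t, v in rdns)


def thumbprint(der, algorithm="sha1"):
    """The Windows Thumbprint field is the hash of the certificate's DER bytes; the same
    function over a whole certificate yields the value to check against the issuer."""
    return hashlib.new(algorithm, der).hexdigest().upper()


if __name__ == "__main__":
    name = encode_name([("C", "US"), ("O", "Syngress"), ("CN", "Dave")])   # constructed sample DN
    print(name.hex(), dn_string(decode_name(name)), thumbprint(name))
```

A Name holding only CN=Dave encodes to the 17 bytes 30 0F 31 0D 30 0B 06 03 55 04 03 13 04 44 61 76 65, which is the same structure a certificate’s Subject and Issuer fields carry, and the same structure a PKCS #10 request presents to the CA.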
Figure 7.3 A Windows Server 2008 Certificate Field and Values
Figure 7.4 A Windows Server 2008 Certificate Field and Values
Public Key Functionality

Public key cryptography brings major security technologies to the desktop in the Windows 2000 environment. The network now is provided with the ability to allow users to safely:
■ Transmit over insecure channels
■ Store sensitive information on any commonly used media
■ Verify a person’s identity for authentication
■ Prove that a message was generated by a particular person
■ Prove that the received message was not tampered with in transit
Algorithms based on public keys can be used for all these purposes. The most popular public key algorithm is the standard RSA, which is named after its three inventors: Rivest, Shamir, and Adleman. The RSA algorithm is based on two prime numbers with more than 200 digits each. A hacker would have to take the ciphertext and the public key and factor the product of the two primes. As computer processing time increases, the RSA remains secure by increasing the key length, unlike the DES algorithm, which has a fixed key length. Public key algorithms provide privacy, authentication, and easy key management, but they encrypt and decrypt data slowly because of the intensive computation required. RSA has been evaluated to be from 10 to 10,000 times slower than DES in some environments, which is a good reason not to use public key algorithms for bulk encryption.
Digital Signatures

Document letterhead can be easily created on a computer, so forgery is a security issue. When information is sent electronically, no human contact is involved. The receiver wants to know that the person listed as the sender is really the sender and that the information received has not been modified in any way during transit. A hash algorithm is implemented to guarantee the Windows 2000 user that the data is authentic. A hash value encrypted with a private key is called a digital signature. Anyone with access to the corresponding public key can verify the authenticity of a digital signature. Only a person having a private key can generate digital signatures. Any modification makes a digital signature invalid. The purpose of a digital signature is to prevent changes within a document from going unnoticed and also to claim the person to be the original author. The document itself is not encrypted. The digital signature is just data sent along with the data guaranteed to be untampered with. A change of any size invalidates the digital signature. When King Henry II had to send a message to his troops in a remote location, the letter would be sealed with wax, and while the wax was still soft the king would use his ring to make an impression in it. No modification occurred to the original message if the seal was never broken during transit. There was no doubt that King Henry II had initiated the message, because he was the only person possessing a ring that matched the waxed imprint. Digital signatures work in a similar fashion in that only the sender’s public key can authenticate both the original sender and the content of the document.
The digital signature is generated by a message digest, which is a number generated by taking the message and using a hash algorithm. A message digest is regarded as a fingerprint and can range from a 128-bit number to a 256-bit number. A hash function takes variable-length input and produces a fixed-length output. The message is first processed with a hash function to produce a message digest. This value is then signed by the sender’s private key, which produces the actual digital signature. The digital signature is then added to the end of the document and sent to the receiver along with the document. Since the mere presence of a digital signature proves nothing, verification must be mathematically proven. In the verification process, the first step is to use the corresponding public key to decrypt the digital signature. The result will produce a 128-bit number. The original message will be processed with the same hash function used earlier and will result in a message digest. The two resulting 128-bit numbers will then be compared, and if they are equal, you will receive notification of a good signature. If a single character has been altered, the two 128-bit numbers will be different, indicating that a change has been made to the document, which was never scrambled.
Authentication

Public key cryptography can provide authentication instead of privacy. In Windows 2000, a challenge is sent by the receiver of the information. The challenge can be implemented one of two ways. The information is authenticated because only the corresponding private key could have encrypted the information that the public key is successfully decrypting. In the first authentication method, a challenge to authenticate involves sending an encrypted challenge to the sender. The challenge is encrypted by the receiver, using the sender’s public key. Only the corresponding private key can successfully decode the challenge. When the challenge is decoded, the sender sends the plaintext back to the receiver. This is the proof for the receiver that the sender is truly the sender. For example, when Alice receives a document from Bob, she wants to authenticate that the sender is really Bob. She sends an encrypted challenge to Bob, using his public key. When he receives the challenge, Bob uses his private key to decrypt the information. The decrypted challenge is then sent back to Alice. When Alice receives the decrypted challenge, she is convinced that the document she received is truly from Bob.

The second authentication method uses a challenge that is sent in plaintext. The receiver, after receiving the document, sends a challenge in plaintext to the sender. The sender receives the plaintext challenge and adds some information before adding a digital signature. The challenge and digital signature now head back to the receiver. The digital signature is generated by using a hash function and then encrypting the result with a private key, so the receiver must use the sender’s public key to verify the digital signature. If the signature is good, the original document and sender have at this point been verified mathematically.
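The arithmetic from the Modern Cryptography 101 box ((x^e)^d mod y = x, with e and d interchangeable), the Dave-and-Dixine encryption from How PKI Works, the hash-then-sign procedure from Digital Signatures, and both challenge-response methods from this Authentication section, worked through in one toy RSA script. This is an added example, not code from the book or from Windows: the primes P and Q are the well-known Mersenne primes 2^521 - 1 and 2^607 - 1 (chosen so no prime generation is needed, which also means anyone can factor the modulus, so the key has no secrecy), the 0x01 marker byte and the function names are my own, and real RSA adds padding (PKCS #1 v1.5, OAEP or PSS) that is omitted here.

```python
"""Toy RSA: key pair, public-key encryption, digital signatures and
challenge-response authentication (added example, not from the book)."""
import hashlib
import secrets

# Constructed toy primes: famous Mersenne primes, so this key has no secrecy at all.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537                      # usual public exponent; coprime to (P-1)(Q-1) for these primes


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) = ((e, y), (d, y)) in the chapter's notation."""
    y = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse of e (Python 3.8+)
    return (e, y), (d, y)


def rsa_apply(x, key):
    """(x^exp) mod y. Applying the public key then the private key (or the reverse) returns x."""
    exp, y = key
    if not 0 <= x < y:
        raise ValueError("value must be smaller than the modulus")
    return pow(x, exp, y)


def encrypt(message, public_key):
    """Dixine encrypts for Dave with his public key. The leading 0x01 marker byte is
    my own stand-in for real padding; it keeps leading zero bytes of the message intact."""
    return rsa_apply(int.from_bytes(b"\x01" + message, "big"), public_key)


def decrypt(ciphertext, private_key):
    """Only Dave's private key recovers the message."""
    x = rsa_apply(ciphertext, private_key)
    return x.to_bytes((x.bit_length() + 7) // 8, "big")[1:]


def digest(message):
    """Message digest (SHA-256 here) as an integer smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """Hash the document, then 'encrypt' the digest with the private key."""
    return rsa_apply(digest(message), private_key)


def verify(message, signature, public_key):
    """Recover the digest with the public key and compare it with a fresh hash of the message."""
    return rsa_apply(signature, public_key) == digest(message)


def authenticate_encrypted_challenge(sender_public, sender_private):
    """Method 1: Alice encrypts a random challenge with Bob's public key;
    Bob decrypts it and returns the plaintext; Alice compares."""
    challenge = secrets.token_bytes(16)
    sealed = encrypt(challenge, sender_public)          # Alice's side
    answer = decrypt(sealed, sender_private)            # Bob's side
    return secrets.compare_digest(answer, challenge)    # Alice's check


def authenticate_signed_challenge(sender_public, sender_private):
    """Method 2: Alice sends a plaintext challenge; Bob appends his own data
    and signs the result; Alice verifies with Bob's public key."""
    challenge = secrets.token_bytes(16)
    blob = challenge + b"|from:Bob"                     # Bob adds some information
    signature = sign(blob, sender_private)              # Bob's side
    return verify(blob, signature, sender_public)       # Alice's side


if __name__ == "__main__":
    public, private = make_keypair()
    print("roundtrip:", decrypt(encrypt(b"hello Dave", public), private))
    print("signature ok:", verify(b"contract", sign(b"contract", private), public))
    print("tampered ok:", verify(b"contract!", sign(b"contract", private), public))
```

Changing a single byte of the signed document makes `verify` return False, which is the "change of any size invalidates the digital signature" property; and because `rsa_apply` is the same operation with either key, the script also shows why the chapter can say the two keys are interchangeable.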
Secret Key Agreement via Public Key

The PKI of Windows 2000 permits two parties to agree on a secret key while they use nonsecure communication channels. Each party generates half the shared secret key by generating a random number, which is sent to the other party after being encrypted with the other party’s public key. Each receiving side then decrypts the ciphertext using a private key, which will result in the missing half of the secret key. By adding both random numbers together, each party will have an agreed-upon shared secret key, which can then be used for secure communication even though the secret key was first obtained through a nonsecure communication channel.
Bulk Data Encryption without Prior Shared Secrets

The final major feature of public key technology is that it can encrypt bulk data without generating a shared secret key first. The biggest disadvantage of using asymmetric algorithms for encryption is the slowness of the overall process, which results from the necessary intense computations; the largest disadvantage of using symmetric algorithms for encryption of bulk data is the need for a secure communication channel for exchanging the secret key. The Windows 2000 operating system combines symmetric and asymmetric algorithms to get the best of both worlds at just the right moment. For a large document that must be kept secret, because secret key encryption is the quickest method to use for bulk data, a session key is used to scramble the document. To protect the session key, which is the secret key needed to decrypt the protected data, the sender encrypts this small item quickly by using the receiver’s public key. This encryption of the session key is handled by asymmetric algorithms, which use intense computation, but do not require much time due to the small size of the session key. The document, along with the encrypted session key, is then sent to the receiver. Only the intended receiver will possess the correct private key to decode the session key, which is needed to decode the actual document. When the session key is in plaintext, it can be applied to the ciphertext of the bulk data and then transform the bulk data back to plaintext.
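The session-key scheme just described, worked through end to end: a fresh random session key encrypts the bulk document, and only that short key goes through the receiver’s public key. This is an added example, not code from the book or from Windows. Its stand-ins: the receiver’s RSA key is again built from the well-known Mersenne primes 2^521 - 1 and 2^607 - 1 (constructed, with no secrecy), and because the standard library ships no block cipher, the "symmetric cipher" is one I built from a SHA-256 counter-mode keystream plus an HMAC tag, in place of the DES or AES the operating system would use; the function names and the 0x01 marker byte are my own.

```python
"""Hybrid encryption: a random session key protects the bulk document, and the
receiver's public key protects only the session key (added example, not from the book)."""
import hashlib
import hmac
import secrets

# Constructed toy receiver key pair from famous Mersenne primes (no secrecy at all).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
RECEIVER_PUBLIC = (E, P * Q)
RECEIVER_PRIVATE = (pow(E, -1, (P - 1) * (Q - 1)), P * Q)

SESSION_KEY_BYTES = 16
TAG_BYTES = 32


def _keystream(key, length):
    """Stand-in stream cipher: SHA-256(key || counter) blocks, cut to the requested length."""
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _subkeys(session_key):
    """Separate encryption and MAC keys, so one key never serves two purposes."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())


def symmetric_encrypt(session_key, document):
    """Fast bulk encryption; an HMAC tag (encrypt-then-MAC) lets the receiver detect modification."""
    enc_key, mac_key = _subkeys(session_key)
    ciphertext = bytes(a ^ b for a, b in zip(document, _keystream(enc_key, len(document))))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def symmetric_decrypt(session_key, blob):
    """Check the tag before touching the data, then undo the keystream XOR."""
    enc_key, mac_key = _subkeys(session_key)
    ciphertext, tag = blob[:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext or tag was modified in transit")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def wrap_session_key(session_key, public_key):
    """The small, slow asymmetric step: RSA over the session key only.
    The 0x01 marker byte is my own stand-in for real padding."""
    e, y = public_key
    return pow(int.from_bytes(b"\x01" + session_key, "big"), e, y)


def unwrap_session_key(wrapped, private_key):
    d, y = private_key
    x = pow(wrapped, d, y)
    return x.to_bytes((x.bit_length() + 7) // 8, "big")[1:]


def seal(document, receiver_public):
    """Sender: fresh session key per document, bulk-encrypt, wrap the key for the receiver."""
    session_key = secrets.token_bytes(SESSION_KEY_BYTES)
    return symmetric_encrypt(session_key, document), wrap_session_key(session_key, receiver_public)


def open_envelope(envelope, receiver_private):
    """Receiver: only the matching private key recovers the session key, then the document."""
    blob, wrapped = envelope
    return symmetric_decrypt(unwrap_session_key(wrapped, receiver_private), blob)


if __name__ == "__main__":
    doc = b"constructed sample document " * 200
    print("recovered:", open_envelope(seal(doc, RECEIVER_PUBLIC), RECEIVER_PRIVATE) == doc)
```

The RSA exponentiation runs once per document regardless of the document’s size, which is the whole point of the scheme; the HMAC tag is the addition a practitioner wants, because the chapter’s description protects confidentiality but says nothing about detecting a modified ciphertext.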
EXERCISE 7.1 REVIEWING A DIGITAL CERTIFICATE

Let’s take a moment to go on the Internet and look at a digital certificate.
1. Open up your Web browser, and go to www.syngress.com.
2. Select a book and add it to your cart.
3. Proceed to the checkout.
4. Once you are at the checkout screen, you will see a padlock in your browser. In Internet Explorer 7, this will be to the right of the address box; older browsers place the padlock in the bottom right of the window frame. Open the certificate properties. In Internet Explorer 7, you do this by clicking on the padlock and selecting “View Certificates” from the prompt; older browsers generally let you double-click the padlock.
5. Move around the tabs of the Properties screen to look at the different information contained within that certificate.
The Windows Server 2008 PKI does many things behind the scenes. Thanks in part to auto enrollment (discussed later in this chapter) and certificate stores (places where certificates are kept after their creation), some PKI-enabled features such as EFS work with no user intervention at all. Others, such as IPsec, require significantly less work than would be required without an advanced operating system. Even though a majority of the PKI is handled by Server, it is still instructive to have an overview of how certificate services work. 1. First, a system or user generates a public/private key pair and then a certificate request. 2. The certificate request, which contains the public key and other identifying information such as user name, is forwarded on to a CA. 3. The CA verifies the validity of the public key. If it is verified, the CA issues the certificate. 4. Once issued, the certificate is ready for use and is kept in the certificate store, which can reside in Active Directory. Applications that require a certificate use this central repository when necessary. In practice, it isn’t terribly difficult to implement certificate services, as Exercise 7.2 shows. Configuring the CA requires a bit more effort, as does planning the structure www.syngress.com
Chapter 7 • Configuring Certificate Services and PKI
and hierarchy of the PKI—especially if you are designing an enterprise-wide solution. We’ll cover these topics later in this chapter.
EXERCISE 7.2 INSTALLING CERTIFICATE SERVICES
1. After logging on with administrative privileges, click Start, click All Programs, click Administrative Tools, and then click Server Manager.
2. In the Roles Summary section, click Add Roles.
3. On the Before You Begin page, click Next (see Figure 7.5).
Figure 7.5 Before You Begin Page
www.syngress.com
4. On the Select Server Roles page, click the Active Directory Certificate Services (see Figure 7.6). Click Next.
Figure 7.6 Select Server Roles Page
5. On the Introduction to Active Directory Certificate Services page, click Next.
6. On the Select Role Services page, click the Certification Authority check box, as shown in Figure 7.7. Click Next.
Figure 7.7 Select Role Services Page
7. On the Specify Setup Type page, click Enterprise, as shown in Figure 7.8. Click Next.
Figure 7.8 Specify Setup Type Page
8. On the Specify CA Type page, click Root CA, as shown in Figure 7.9. Click Next.
Figure 7.9 Specify CA Type Page
9. On the Set Up Private Key page, either accept the default value or configure optional configuration settings. For this exercise, choose the default settings as shown in Figure 7.10. Click Next.
Figure 7.10 Set Up Private Key Page
10. On the Configure Cryptography for CA page, either accept the default value or configure optional configuration settings as per project requirements. For this exercise, choose the default settings as shown in Figure 7.11. Click Next.
Figure 7.11 Configure Cryptography for CA Page
11. In the Common name for this CA box, type the common name of the CA. For this exercise, type MyRootCA as shown in Figure 7.12. Click Next.
Figure 7.12 Configure CA Name Page
12. On the Set the Certificate Validity Period page, you can change the default five-year validity period of the CA. You can set the validity period as a number of days, weeks, months or years. Accept the default validity duration for the root CA as shown in Figure 7.13, and then click Next.
Figure 7.13 Set Validity Period Page
14. On the Configure Certificate Database page, for this exercise, accept the default values or specify other storage locations for the certificate database and the certificate database log (see Figure 7.14). Click Next.
Figure 7.14 Configure Certificate Database Page
15. On the Confirm Installation Selections page, click Install (see Figure 7.15).
Figure 7.15 Confirm Installation Selections Page
16. On the Installation Results page, review the information and make sure it reads Installation succeeded.
17. Click Close to close the Add Roles Wizard.
TEST DAY TIP Pay special attention to the above exercise as you may be asked questions about the distinguished name of the CA.
In our previous discussion of public and private key pairs, two users wanted to exchange confidential information and did so by having one user encrypt the data with the other user’s public key. We then discussed digital signatures, where the sending user “signs” the data by using his or her private key. Did you notice the security vulnerability in these methods? In this type of scenario, there is nothing to prevent an attacker from intercepting the data mid-stream, and replacing the original signature with his or her own, using of course his or her own private key. The attacker would then forward the replacement public key to the unsuspecting party. In other words, even though the data is signed, how can you be sure of who signed it? The answer in the Windows PKI is the certificate. Think of a certificate as a small and portable combination safe. The primary purpose of the safe is to hold a public key (although quite a bit of other information is also held there). The combination to the safe must be held by someone you trust—that trust is the basis for the entire PKI system. If I am a user and want to send you my public key so that you can encrypt some data to send back to me, I can just sign the data myself, but I am then vulnerable to the attack mentioned above. However if I allow a trusted third party entity to take my public key (which I don’t mind because they’re trustworthy), lock it away in the safe and then send the safe to you, you can ask the trusted party for the combination. When you open the safe, you can be certain that the public key and all other information inside really belongs to me, because the safe came from a trustworthy source. The “safe” is really nothing more than a digital signature, except that the signature comes from a universally trusted third party and not from me. The main purpose of certificates, then, is to facilitate the secure transfer of keys across an insecure network. 
Figure 7.16 shows the properties of a Windows certificate—notice that the highlighted public key is only part of the certificate.
Figure 7.16 A Windows Server 2008 Certificate
User Certificates
Of the three general types of certificates found in a Windows PKI, the user certificate is perhaps the most common. User certificates are certificates that enable the user to do something that would not be otherwise allowed. The Enrollment Agent certificate is one example. Without it, even an administrator is not able to enroll smart cards and configure them properly at an enrollment station. Under Windows Server 2008, required user certificates can be requested automatically by the client and subsequently issued by a certification authority (discussed below) with no user intervention necessary.
Machine Certificates
Also known as computer certificates, machine certificates (as the name implies) give the system—instead of the user—the ability to do something out of the ordinary. The main purpose for machine certificates is authentication, both client-side and server-side. As stated earlier, certificates are the main vehicle by which public keys are exchanged in a PKI. Machine certificates are mainly involved with these behind-the-scenes exchanges, and are normally overseen by the operating system. Machine certificates have been able to take advantage of Windows’ autoenrollment feature since 2000 Server was introduced. We will discuss auto-enrollment later in this chapter.
Application Certificates
The term application certificate refers to any certificate that is used with a specific PKI-enabled application. Examples include IPsec and S/MIME encryption for e-mail. Applications that need certificates are generally configured to automatically request them, and are then placed in a waiting status until the required certificate arrives. Depending upon the application, the network administrator or even the user might have the ability to change or even delete certificate requests issued by the application.
TEST DAY TIP Certificates are at the very core of the Windows PKI. Make certain that you understand what certificates are, and why they are needed when using public keys. Also, be familiar with the types of certificates listed in this section and the differences between them.
Analyzing Certificate Needs within the Organization
We’ve just concluded a tour of most of the properties associated with a CA, but knowing what you can do does not mean that we know what you should do. To find out more about what you should do, you need to analyze the certificate needs of your organization, and then move on to create an appropriate CA structure. According to Microsoft’s TechNet, the analysis of certificate needs springs primarily from “the analysis of business requirements and the analysis of applications that benefit from PKI-based security”. In other words, when designing a PKI/CA
structure, you will need to understand the different uses for certificates and whether your organization needs to use certificates for each of these purposes. Examples include SSL for a secure Web server, EFS for encryption of files, and S/MIME for encryption of e-mail messages. The use of S/MIME might dictate that your CA hierarchy have a trust relationship with external CAs, and the use of SSL might lead you to implement a stand-alone CA instead of an enterprise CA. Thus, analyzing these needs before you implement your PKI can save you a lot of time and trouble.
Working with Certificate Services
Certificate Services in Windows Server 2008 is an easier venture than ever before. As we look at what is entailed in the components involved in establishing and supporting a PKI in Windows Server 2008, we need to quickly discuss what Certificate Services do for us. In Active Directory and Windows Server 2008, Certificate Services allow administrators to establish and manage the PKI environment. More generally, they allow for a trust model to be established within a given organization. The trust model is the framework that will hold all the pieces and components of the PKI in place. Typically, there are two options for a trust model within PKI: a single CA model and a hierarchical model. The certificate services within Windows Server 2008 provide the interfaces and underlying technology to set up and manage both of these types of deployments.
Configuring a Certificate Authority
By definition, a certificate authority is an entity (computer or system) that issues digital certificates of authenticity for use by other parties. With the ever increasing demand for effective and efficient methods to verify and secure communications, our technology market has seen the rise of many trusted third parties into the market. If you have been in the technology field for any length of time, you are likely familiar with many such vendors by name: VeriSign, Entrust, Thawte, GeoTrust, DigiCert and GoDaddy are just a few. While these companies provide an excellent and useful resource for both the IT administrator and the consumer, companies and organizations desired a way to establish their own certificate authorities. In a third-party, or external PKI, it is up to the third-party CA to positively verify the identity of anyone requesting a certificate from it. Beginning with Windows 2000, Microsoft has allowed the creation of a trusted internal CA—possibly eliminating the need for an external third party. With a Windows Server 2008 CA, the CA verifies the identity of the
user requesting a certificate by checking that user’s authentication credentials (using Kerberos or NTLM). If the credentials of the requesting user check out, a certificate is issued to the user. When the user needs to transmit his or her public key to another user or application, the certificate is then used to prove to the receiver that the public key inside can be used safely.
Certificate Authorities
Certificates are a way to transfer keys securely across an insecure network. If any arbitrary user were allowed to issue certificates, it would be no different than that user simply signing the data. In order for a certificate to be of any use, it must be issued by a trusted entity—an entity that both the sender and receiver trust. Such a trusted entity is known as a Certification Authority (CA). Third-party CAs such as VeriSign or Entrust can be trusted because they are highly visible, and their public keys are well known to the IT community. When you are confident that you hold a true public key for a CA, and that public key properly decrypts a certificate, you are then certain that the certificate was digitally signed by the CA and no one else. Only then can you be positive that the public key contained inside the certificate is valid and safe. In the analogy we used earlier, the state driver’s licensing agency is trusted because it is known that the agency requires proof of identity before issuing a driver’s license. In the same way, users can trust the certification authority because they know it verifies the authentication credentials before issuing a certificate. Within an organization leveraging Windows Server 2008, several options exist for building this trust relationship. Each of these begins with the decisions made around selecting and implementing certificate authorities. With regard to the Microsoft implementation of PKI, there are at least four major roles or types of certificate authorities to be aware of:
■ Enterprise CA
■ Standard CA
■ Root CA
■ Subordinate CA
Believe it or not, beyond this list at least two variations exist: intermediate CAs and leaf CAs, each of which is a type of subordinate CA implementation.
Standard vs. Enterprise
An enterprise CA is tied into Active Directory and is required to use it. In fact, a copy of its own CA certificate is stored in Active Directory. Perhaps the biggest
difference between an enterprise CA and a stand-alone CA is that enterprise CAs use Kerberos or NTLM authentication to validate users and computers before certificates are issued. This provides additional security to the PKI because the validation process relies on the strength of the Kerberos protocol, and not a human administrator. Enterprise CAs also use templates, which are described later in this chapter, and they can issue every type of certificate. There are also several downsides to an enterprise CA. In comparison to a stand-alone CA, enterprise CAs are more difficult to maintain and require a much more in-depth knowledge about Active Directory and authentication. Also, because an enterprise CA requires Active Directory, it is nearly impossible to remove it from the network. If you were to do so, the Directory itself would quickly become outdated—making it difficult to resynchronize with the rest of the network when brought back online. Such a situation would force an enterprise CA to remain attached to the network, leaving it vulnerable to attackers.
Root vs. Subordinate Certificate Authorities
As discussed earlier, there are two ways to view PKI trust models: single CA and hierarchical. In a single CA model PKIs are very simplistic; only one CA is used within the infrastructure. Anyone who needs to trust parties vouched for by the CA is given the public key for the CA. That single CA is responsible for the interactions that ensue when parties request and seek to verify the information for a given certificate. In a hierarchical model, a root CA functions as a top-level authority over one or more levels of CAs beneath it. The CAs below the root CA are called subordinate CAs. Root CAs serve as a trust anchor to all the CAs beneath them and to the users who trust the root CA. A trust anchor is an entity known to be trusted without requiring that it be trusted by going to another party, and therefore can be used as a base for trusting other parties. Since there is nothing above the root CA, no one can vouch for its identity; it must create a self-signed certificate to vouch for itself. With a self-signed certificate, both the certificate issuer and the certificate subject are exactly the same. Being the trust anchor, the root CA must make its own certificate available to all of the users (including subordinate CAs) that will ultimately be using that particular root CA. Hierarchical models work well in larger hierarchical environments, such as large government organizations or corporate environments. Often, a large organization also deploys a Registration Authority (RA, covered later in this chapter), Directory Services and optionally Timestamping Services in an organization leveraging a hierarchical approach to PKI. In situations where different organizations are trying to develop a
hierarchical model together (such as post-acquisition or merger companies or those that are partnered for collaboration), a hierarchical model can be very difficult to establish as both parties must ultimately agree upon a single trust anchor. When you first set up an internal PKI, no CA exists. The first CA created is known as the root CA, and it can be used to issue certificates to users or to other CAs. As mentioned above, in a large organization there usually is a hierarchy where the root CA is not the only certification authority. In this case, the sole purpose of the root CA is to issue certificates to other CAs in order to establish their authority. Any certification authority that is established after the root CA is a subordinate CA. Subordinate CAs gain their authority by requesting a certificate from either the root CA or a higher level subordinate CA. Once the subordinate CA receives the certificate, it can control CA policies and/or issue certificates itself, depending on your PKI structure and policies. Sometimes, subordinate CAs also issue certificates to other CAs below them on the tree. These CAs are called intermediate CAs. In most hierarchies, there is more than one intermediate CA. Subordinate CAs that issue certificates to end users, servers, and other entities but do not issue certificates to other CAs are called leaf CAs.
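The trust decision described above (walk from the end-entity certificate up through subordinate CAs to a self-signed root, and accept it only if that root is a known trust anchor) is exactly what Windows performs when it validates a certificate. The following PowerShell script is an added example and not code from the book; it uses the .NET X509Chain class to make each step visible. The thumbprint is a placeholder you replace with one from your own Personal store.

```powershell
# Added example, not code from the book: walk a certificate's chain from the
# leaf up to its trust anchor, which is how a Windows client decides whether the
# root or subordinate CA that issued it is trusted. The thumbprint is a
# placeholder; it identifies a certificate in the user's Personal store.
param([string]$Thumbprint = "REPLACE-WITH-THUMBPRINT")

$Leaf = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $Leaf) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }

$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Check revocation the way a relying party should: fetch the CRL from the CDP
# for every certificate in the chain, not just for the leaf.
$Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$Chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$Trusted = $Chain.Build($Leaf)

# ChainElements[0] is the leaf; each following element issued the one before it.
$Index = 0
foreach ($Element in $Chain.ChainElements) {
    $Cert = $Element.Certificate
    if ($Index -eq 0) {
        $Role = "end-entity certificate"
    } elseif ($Cert.Subject -eq $Cert.Issuer) {
        $Role = "root CA (self-signed: issuer equals subject)"
    } else {
        $Role = "subordinate CA (issued by the next element)"
    }
    "{0}: {1}" -f $Index, $Cert.Subject
    "     role:   {0}" -f $Role
    "     issuer: {0}" -f $Cert.Issuer
    $Index++
}

# A self-signed certificate at the top is only a trust anchor if it sits in a
# Trusted Root store on this machine; otherwise Build() returns $false with an
# UntrustedRoot status and the chain must not be accepted.
"Chain trusted: $Trusted"
foreach ($Status in $Chain.ChainStatus) {
    "  {0}: {1}" -f $Status.Status, $Status.StatusInformation.Trim()
}
```

Run it on a domain member that has a certificate from your enterprise CA; for a two-level hierarchy you will see the leaf, one subordinate CA and the self-signed root, and an empty ChainStatus. Any status such as UntrustedRoot, RevocationStatusUnknown or Revoked is a reason to reject the certificate, not a warning to click through.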
Certificate Requests
In order to receive a certificate from a valid issuing CA, a client—computer or user—must request a certificate from a CA. There are three ways that this request can be made:
■ Autoenrollment
■ Use of the Certificates snap-in
■ Via a web browser
It is very likely that the most common method for requesting a certificate is autoenrollment, and we’ll discuss its deployment shortly. A client can also request a certificate by use of the Certificates snap-in. The snap-in, shown in Figure 7.17, can be launched by clicking Start | Run, and then typing in certmgr.msc and pressing Enter. Note that the Certificates snap-in does not appear in the Administrative Tools folder as the Certification Authority snap-in does after installing certificate services. Once you open the Certificates snap-in, expand the Personal container, and then right-click the Certificates container beneath it. You can start the Certificate Request Wizard by choosing All Tasks | Request New Certificate…, as shown in the following figure:
Figure 7.17 Certificates Snap-in
Next, you will receive the Before You Begin welcome screen, as shown in Figure 7.18. Click Next.
Figure 7.18 Before You Begin
After the Welcome screen, the wizard prompts you to choose the certificate enrollment type. Figure 7.19 shows you the available options. You can choose only a type for which the receiving CA has a template. Once you choose an appropriate template, click Enroll.
Figure 7.19 Request Certificates
On the screen that follows, verify that it reads STATUS: Succeeded, as shown in Figure 7.20. Click Finish to complete the request.
Figure 7.20 Certificate Installation Results
The last method for requesting a certificate is to use a Web browser on the client machine. Note that if you use this option, IIS must be installed on the CA. Exercise 7.3 shows the steps for requesting a certificate using a client machine in this manner.
TEST DAY TIP The order of component installation can be important when dealing with CAs. If you install certificate services before you install IIS, a client will not be able to connect as in the exercise below until you run the following from the command line: certutil -vroot. This establishes the virtual root directories necessary for Web enrollment. Note also that you must have selected the Web enrollment support option during the certificate services installation procedure that we completed in Exercise 7.1.
EXERCISE 7.3 REQUEST A CERTIFICATE FROM A WEB SERVER
1. On any computer for which you want to request a certificate, launch Internet Explorer (version 5.0 or later) by clicking Start | Programs or All Programs | Internet Explorer.
2. In the address bar, type http://servername/certsrv, where servername is the name of the issuing CA.
3. When the welcome screen appears, as shown in Figure 7.21, click Request a Certificate.
Figure 7.21 Welcome Screen of the CA’s Web Site
4. Click User Certificate, then Submit when the next screen appears.
5. When the Certificate Issued page appears, click Install This Certificate. Close the browser.
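Both the snap-in wizard and the Web page above hide the four steps from the overview earlier in this chapter (generate a key pair, build a request, have the CA authenticate and issue, place the result in the certificate store). The script below is an added example, not code from the book, that performs the same enrollment with certreq.exe so each step is explicit. The CA name "MyRootCA" matches Exercise 7.2; the host name, the subject and the use of the built-in User template are assumptions for the example.

```powershell
# Added example, not code from the book: command-line enrollment with
# certreq.exe, following the four steps described in the text.
# Assumed values: CA "MyRootCA" on host "ca01.corp.example" (placeholders).
$CaConfig = "ca01.corp.example\MyRootCA"   # "<host>\<CA common name>"
$Work     = Join-Path $env:TEMP "enroll"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Step 1: describe the key pair to generate. The INF format is certreq's own;
# subject and template are assumptions for this example. Exportable = FALSE
# keeps the private key from being copied out of the user's key store.
$Inf = @"
[NewRequest]
Subject = "CN=$env:USERNAME,OU=Users,DC=corp,DC=example"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = User
"@
$Inf | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# certreq -new generates the private key in the user's key store and writes a
# PKCS#10 request (public key + subject, signed with the new key) to request.req.
certreq -new "$Work\request.inf" "$Work\request.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }

# Step 2: forward the request to the CA. An enterprise CA authenticates the
# submitting user with Kerberos/NTLM; that authentication, not the request
# itself, is what binds the name in the certificate to the key.
certreq -submit -config $CaConfig "$Work\request.req" "$Work\issued.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed (request pending or denied?)" }

# Steps 3 and 4: the CA has issued; install the certificate next to its private
# key in the Personal store (Cert:\CurrentUser\My).
certreq -accept "$Work\issued.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }

# Check: the new certificate must carry a private key and name our CA as issuer.
$Cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "CN=$env:USERNAME*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
"Subject:     $($Cert.Subject)"
"Issuer:      $($Cert.Issuer)"
"Has key:     $($Cert.HasPrivateKey)"
"Valid until: $($Cert.NotAfter)"
```

If the template is configured for manager approval, certreq -submit reports a pending request ID instead of writing issued.cer; after a Certificate Manager approves it, certreq -retrieve with that ID fetches the certificate and certreq -accept installs it.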
Certificate Practice Statement
As the use of X.509-based certificates continues to grow it becomes increasingly important that the management and organization of certificates be as diligent as possible. We know what a digital certificate is and what its critical components are, but a CA can issue a certificate for a number of different reasons. The certificate, then, must indicate exactly what the certificate will be used for. The set of rules that indicates exactly how a certificate may be used (what purpose it can be trusted for, or perhaps the community for which it can be trusted) is called a certificate policy. The X.509 standard defines certificate policies as “a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.” Different entities have different security requirements. For example, users want a digital certificate for securing e-mail (either encrypting incoming messages or signing outgoing mail), Syngress (as other Web vendors do) wants a digital certificate for their online store, etc. Every user will want to secure their information, and a certificate owner will use the policy information to determine if they want to accept a certificate. It is important to have a policy in place to state what the appropriate protocol is for use of certificates—how they are requested, how and when they may be used, etc.—but it is equally as important to explain exactly how to implement those policies. This is where the Certificate Practice Statement (CPS) comes in. A CPS describes how the CA plans to manage the certificates it issues.
Key Recovery
Key recovery is compatible with the CryptoAPI architecture of Windows 2008, but it is not a necessary requirement. For key recovery, an entity’s private key must be stored permanently. The storage of private keys guarantees that critical information will always be accessible, even if the information should get corrupted or deleted. On the other hand, there is a security issue in the backup of the private keys. The archived private key should be used to impersonate the private key owner only if corruption occurs on your system.
Backup and Restore
Microsoft recommends that you back up your entire CA server. By backing up the system state data on your CA, you will automatically get a backup of the certificate store, the registry, system files, and Active Directory (if your CA is a domain controller). Sometimes, you may want to just back up the certificate services portion of your computer without doing a full backup of everything else.
Exercise 7.4 walks you through backing up Certificate Services. Your backups are only useful if you can restore them—Exercise 7.5 walks you through restoring Certificate Services.
EXERCISE 7.4 BACKING UP CERTIFICATE SERVICES
1. On any computer for which you want to take a backup, log on with administrative privileges.
2. Click Start, click All Programs, click Administrative Tools, and then click Certification Authority.
3. Right-click the name of your CA, and choose All Tasks | Back up CA… from the pop-up menu, as shown in Figure 7.22.
Figure 7.22 Certificate Authority Page
4. On the Welcome to the Certification Authority Backup Wizard page, click Next to continue.
5. On the Items to Back Up page, click Private key and CA certificate and Certificate database and certificate database log. Type in the path of the backup location, and then click Next (see Figure 7.23).
Figure 7.23 Items to Back Up
6. Type in the backup password twice and click Next.
7. On the Completing the Certification Authority Backup Wizard page, verify that it reads as follows: You have successfully completed the Certification Authority Backup Wizard, as shown in Figure 7.24.
Figure 7.24 Completing the CA Backup Wizard
8. Click Finish to close the wizard.
EXERCISE 7.5 RESTORING CERTIFICATE SERVICES
1. On any computer for which you want to take a restore, log on with administrative privileges.
2. Click Start, click All Programs, click Administrative Tools, and then click Certification Authority.
3. Right-click the name of your CA, and choose All Tasks | Restore CA… from the pop-up menu, as shown in Figure 7.25.
Figure 7.25 Certificate Authority page
4. Click OK to stop Certificate Services from running and start the wizard.
5. On the Welcome to the Certification Authority Restore Wizard page, click Next to continue.
6. On the Items to Restore page, click Private key and CA certificate and Certificate database and certificate database log to restore the backup of the private key, CA certificate, certificate database and database log file (see Figure 7.26). Alternatively, you can choose only a few components as per your requirements. Type in the path of the backup location, and then click Next.
Figure 7.26 Items to Restore
7. On the Provide Password page, type in the restore password, and then click Next.
8. On the Completing the Certification Authority Restore Wizard page, verify that it reads You have successfully completed the Certification Authority Restore Wizard, as shown in Figure 7.27.
Figure 7.27 Completing the CA Restore Wizard
9. Click Finish to complete the wizard.
10. You will now be prompted to restart the certificate services, as shown in Figure 7.28. Click Yes to restart the services.
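Exercises 7.4 and 7.5 are interactive, which makes them hard to schedule and easy to skip. The script below is an added example and not code from the book; it performs the same backup and restore with certutil.exe, which backs up and restores the same items the wizard offers, and adds the check the wizard does not do: that the backup actually contains the CA key file and the database. The backup folder is an assumption; it runs on the CA itself, as the Backup Operator role described later in this chapter allows.

```powershell
# Added example, not code from the book: the backup of Exercise 7.4 and the
# restore of Exercise 7.5 driven by certutil, so they can be scripted and
# verified. Runs on the CA; the backup folder is an assumption.
$BackupRoot = "D:\CABackup"
$BackupDir  = Join-Path $BackupRoot (Get-Date -Format "yyyyMMdd")
# The password protects the PKCS#12 file that holds the CA's private key;
# the restore needs the same one. Prompt for it rather than embedding it.
$Password   = Read-Host "CA backup password"

function Backup-CA {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Same items as the wizard's "Private key and CA certificate" and
    # "Certificate database and certificate database log".
    certutil -p $Password -backup $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed" }

    # A backup you cannot restore is no backup: confirm both artifacts exist.
    $Pkcs12 = Get-ChildItem $BackupDir -Filter *.p12
    $Edb    = Get-ChildItem $BackupDir -Recurse -Filter *.edb
    if (-not $Pkcs12 -or -not $Edb) { throw "Backup in $BackupDir is incomplete" }
    "Backup written to $BackupDir (key file $($Pkcs12.Name), database $($Edb.Name))"
}

function Restore-CA {
    # The service must be stopped while its database is replaced, exactly as
    # the wizard does in Exercise 7.5 step 4; -f overwrites the current database.
    net stop certsvc
    certutil -f -p $Password -restore $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed" }
    net start certsvc
    # The CA must answer requests again after the restore.
    certutil -ping
}

Backup-CA
# Restore-CA   # run only when you actually need to roll the CA back
```

The .p12 file in the backup folder is the CA's private key; whoever can read that file and learn the password can issue certificates your whole domain trusts, so store the backup with the same care as the CA itself and keep the password separate from it.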
Assigning Roles
In a small network of one or two servers and just a handful of clients, administration is generally not a difficult task. When the size of the network increases, however, the complexity of administration seems to increase exponentially. Microsoft’s recommendations for a large network include dividing administrative tasks among the different administrative personnel. One administrator may be in charge of backups and restores, whereas another administrator may have complete control over a certain domain and so on. The role of each administrator is defined by the tasks that he or she is assigned to, and individual permissions are granted based on those tasks. PKI administration, which can be as daunting as general network administration, can be similarly divided. Microsoft defines five different roles that can be used within a PKI to facilitate administration:
■ CA Administrator
■ Certificate Manager
■ Backup Operator
■ Auditor
■ Enrollee
At the top of the hierarchy is the CA administrator. The role is defined by the Manage CA permission and has the authority to assign other CA roles and to renew the CA’s certificate. Underneath the CA administrator is the certificate manager. The certificate manager role is defined by the Issue and Manage Certificates permission and has the authority to approve enrollment and revocation requests. The Backup Operator and the Auditor roles are actually operating system roles, and not CA specific. The Backup Operator has the authority to back up the CA and the Auditor has the authority to configure and view audit logs of the CA. The final role is that of the Enrollees. All authenticated users are placed in this role, and are able to request certificates from the CA.
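Assigning the permissions above only divides the work; nothing yet stops one account from holding both the CA Administrator and Certificate Manager roles, and the Auditor has nothing to read until the CA is told which events to log. The script below is an added example and not code from the book; it turns on the CA's role separation enforcement and its audit filter with certutil and enables the matching Windows audit subcategory with auditpol. It assumes it runs on the CA with the Manage CA permission.

```powershell
# Added example, not code from the book: enforce and audit the role split
# described above. Runs on the CA with the Manage CA permission (assumption).

# 1. Role separation: once enabled, an account that holds more than one CA role
#    (for example CA Administrator and Certificate Manager) is denied both, so
#    the roles really are separate instead of merely differently named.
certutil -setreg CA\RoleSeparationEnabled 1

# 2. Auditing. AuditFilter is a bitmask of CA event classes:
#    1 start/stop service, 2 backup/restore database, 4 issue and manage
#    requests, 8 revoke certificates and publish CRLs, 16 change CA
#    configuration, 32 change CA security settings, 64 store and retrieve
#    archived keys. 127 turns all of them on. The Windows audit policy for
#    the "Certification Services" subcategory must also be enabled, or the CA
#    events are never written to the Security log.
certutil -setreg CA\AuditFilter 127
auditpol /set '/subcategory:Certification Services' /success:enable /failure:enable

# Values under CA\ are read when the service starts.
net stop certsvc
net start certsvc

# 3. Read back what is in force so the change can be verified and recorded.
certutil -getreg CA\RoleSeparationEnabled
certutil -getreg CA\AuditFilter
auditpol /get '/subcategory:Certification Services'
```

Two caveats before enabling role separation: it is available only on the Enterprise and Datacenter editions of Windows Server 2008, and an account that currently holds two roles loses both the moment the service restarts, so review the Security tab of the CA's properties first and make sure at least one account holds Manage CA alone.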
Enrollments
In order for a PKI client to use a certificate, two basic things must happen. First, a CA has to make the certificate available and second, the client has to request the certificate. Only after these first steps can the CA issue the certificate or deny the request.
Making the certificate available is done through the use of certificate templates and is a topic that we discuss in detail below. Like Windows Server 2003, Windows Server 2008 PKI also supports autoenrollment for user certificates as well as for computer certificates. The request and issuance of these certificates may proceed without user intervention. Group policies are used in Active Directory to configure autoenrollment. In Computer Configuration | Windows Settings | Security Settings | Public Key Policies, there is a group policy entitled Automatic Certificate Request Settings. The Property sheet for this policy allows you to choose to either Enroll certificates automatically or not. Also, you will need to ensure that Enroll subject without requiring any user input option is selected on the Request Handling tab of the certificate template Property sheet. Finally, be aware that doing either of the following will cause autoenrollment to fail:
■ Setting the This number of authorized signatures option on the Issuance Requirements tab to higher than one.
■ Selecting the Supply in the request option on the Subject Name tab.
TEST DAY TIP Remember that autoenrollment is only available for user certificates if the client is Windows XP, Windows Server 2003, or Windows Server 2008.
Revocation A CA’s primary duty is to issue certificates, either to subordinate CAs, or to PKI clients. However, each CA also has the ability to revoke those certificates when necessary. Certificates are revoked when the information contained in the certificate is no longer considered valid or trusted. This can happen when a company changes ISPs (Internet Service Providers), moves to a new physical address or when the contact listed on the certificate has changed. Essentially, a certificate should be revoked whenever there is a change that makes the certificate’s information “stale” and no longer reliable from that point forward.
NOTE Information that has already been encrypted using the public key in a certificate that is later revoked is not necessarily invalid. Maintaining the example of a driver’s license, checks that are written and authenticated by a cashier using your driver’s license one week are not automatically voided if you lose your license or move states the next.
In addition to the changes in circumstance that can cause a certification revocation, certain owners may have their certificate revoked upon terminating employment. The most important reason to revoke a certificate is if the private key has been compromised in any way. If a key has been compromised, it should be revoked immediately.
EXAM WARNING Certificate expiration is different from certificate revocation. A certificate is considered revoked if it is terminated prior to the end date of the certificate.
Along with notifying the CA of the need to revoke a certificate, it is equally important to notify all certificate users of the date that the certificate will no longer be valid. After notifying users and the CA, the CA is responsible for changing the status of the certificate and notifying users that it has been revoked. When a certificate revocation request is sent to a CA, the CA must be able to authenticate the request with the certificate owner. Once the CA has authenticated the request, the certificate is revoked and notification is sent out. CAs are not the only ones who can revoke a certificate. A PKI administrator can revoke a certificate, but without authenticating the request with the certificate owner. This allows for the revocation of certificates in cases where the owner is no longer accessible or available, as in the case of termination.
The X.509 standard requires that CAs publish certificate revocation lists (CRLs). In its simplest form, a CRL is a published list of the revocation status of the certificates that the CA manages. There are several forms that revocation lists may take, but the two most noteworthy are simple CRLs and delta CRLs. A simple CRL is a container that holds a list of revoked certificates along with the name of the CA, the time the CRL was published, and when the next CRL will be published. It is a single file that continues to grow over time. The fact that only information about the certificates is included, and not the certificates themselves, helps to manage the size of a simple CRL. Delta CRLs can handle the issues that simple CRLs cannot: size and distribution. While a simple CRL contains only certain information about each revoked certificate, it can still become a large file. How, then, do you continually distribute a large file to all parties that need to see the CRL? The solution is in delta CRLs. In an environment leveraging delta CRLs, a base CRL is sent to all end parties to initialize their copies of the CRL. Afterwards, updates known as deltas are sent out on a periodic basis to inform the end parties of any changes.
In practice within Windows Server 2008, the tool that the CA uses for revocation is the certificate revocation list, or CRL. The act of revoking a certificate is simple: from the Certification Authority console, simply highlight the Issued Certificates container, right-click the certificate and choose All | Revoke Certificate. The certificate will then be located in the Revoked Certificates container. When a PKI entity verifies a certificate’s validity, that entity checks the CRL before giving approval. The question is: how does a client know where to check for the list? The answer is the CDPs, or CRL Distribution Points.
CDPs are locations on the network to which a CA publishes the CRL; in the case of an enterprise CA under Windows Server 2008, Active Directory holds the CRL, and for a standalone CA, the CRL is located in the certsrv\certenroll directory. Each certificate has a location listed for the CDP, and when the client views the certificate, it then understands where to go for the latest CRL. Figure 7.29 shows the Extensions tab of the CA property sheet, where you can modify the location of the CDP.
Figure 7.29 Extensions Tab of the CA Property Sheet
In order for a CA to publish a CRL, use the Certificate Authority console to right-click the Revoked Certificates container and choose All Tasks | Publish. From there, you can choose to publish either a complete CRL, or a Delta CRL.
TEST DAY TIP On the day of the test, be clear as to which types of CRLs are consistently made available to users in Windows Server 2008. Since Server 2003, Delta CRLs have been used to publish only the changes made to an original CRL for the purposes of conserving network traffic.
Whether you select a New CRL or a Delta CRL, you are next prompted to enter a publication interval (the most frequent intervals chosen are one week for full CRLs and one day for Delta CRLs). Clients cache the CRL for this period of time, and then check the CDP again when the period expires. If an updated CDP does not exist or cannot be located, the client automatically assumes that all certificates are invalid.
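The base and delta CRL handling and the client caching rule described above, as an added worked example (not from the book and not Windows' own CRL code): a simple CRL carries the issuer name, publication time, next publication time and the revoked serial numbers; a delta carries only the serials revoked since a given base; the client caches both until their next-update times pass and, when it cannot obtain a fresh list, reports the certificate status as unknown so that the caller fails closed, as the text says a client without a current CRL must. The issuer name, serial numbers and times are constructed for the example.

```python
"""Base CRL + delta CRL processing and client-side caching, as a model.

Added example (not from the book, not Windows CRL code). Names, serial
numbers and times below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set


@dataclass
class BaseCRL:
    issuer: str
    crl_number: int
    this_update: datetime          # when the CA published this CRL
    next_update: datetime          # when the next CRL is due
    revoked: Set[int] = field(default_factory=set)   # revoked serial numbers


@dataclass
class DeltaCRL:
    issuer: str
    crl_number: int
    base_crl_number: int           # the base CRL this delta extends
    this_update: datetime
    next_update: datetime
    newly_revoked: Set[int] = field(default_factory=set)


def delta_applies(base: BaseCRL, delta: DeltaCRL) -> bool:
    """A delta is only meaningful on top of the exact base it was cut from."""
    return delta.issuer == base.issuer and delta.base_crl_number == base.crl_number


class CRLCache:
    """The client's cached view: one base CRL plus the latest delta."""

    def __init__(self) -> None:
        self.base: Optional[BaseCRL] = None
        self.delta: Optional[DeltaCRL] = None

    def install_base(self, crl: BaseCRL) -> None:
        self.base = crl
        self.delta = None            # an old delta never applies to a new base

    def install_delta(self, delta: DeltaCRL) -> None:
        if self.base is None or not delta_applies(self.base, delta):
            raise ValueError("delta CRL does not match the cached base CRL")
        self.delta = delta

    def is_fresh(self, now: datetime) -> bool:
        """True while every cached list is inside its publication interval."""
        if self.base is None or now >= self.base.next_update:
            return False
        if self.delta is not None and now >= self.delta.next_update:
            return False
        return True

    def revoked_serials(self) -> Set[int]:
        serials = set(self.base.revoked) if self.base else set()
        if self.delta is not None:
            serials |= self.delta.newly_revoked
        return serials


def certificate_status(cache: CRLCache, serial: int, now: datetime) -> str:
    """'good', 'revoked', or 'unknown' when no current CRL is available.

    'unknown' is the fail-closed case: the caller must not accept the
    certificate, matching the rule that a client without a usable CRL
    treats certificates as invalid.
    """
    if not cache.is_fresh(now):
        return "unknown"
    return "revoked" if serial in cache.revoked_serials() else "good"


def demo() -> dict:
    """Walk a client through base install, delta install and expiry."""
    t0 = datetime(2008, 6, 1, 9, 0)
    issuer = "CN=Corp Issuing CA"                      # constructed issuer name
    base = BaseCRL(issuer, 10, t0, t0 + timedelta(weeks=1), {1001, 1002})
    cache = CRLCache()
    cache.install_base(base)
    before = certificate_status(cache, 1003, t0 + timedelta(hours=1))
    # one day later the CA publishes a delta that revokes one more serial
    delta = DeltaCRL(issuer, 11, 10, t0 + timedelta(days=1),
                     t0 + timedelta(days=2), {1003})
    cache.install_delta(delta)
    after = certificate_status(cache, 1003, t0 + timedelta(days=1, hours=1))
    base_entry = certificate_status(cache, 1001, t0 + timedelta(days=1, hours=1))
    # the delta's next_update passes and no fresh delta could be fetched
    stale = certificate_status(cache, 1004, t0 + timedelta(days=3))
    # a delta cut from a different base must be rejected
    wrong = DeltaCRL(issuer, 12, 9, t0, t0 + timedelta(days=1), {1005})
    return {"before_delta": before, "after_delta": after, "base_entry": base_entry,
            "stale_crl": stale, "wrong_base_rejected": not delta_applies(base, wrong)}
```

The weekly base and daily delta intervals in the demo follow the intervals the text calls most common; the point to notice is that once either list passes its next-update time the client has no answer, not a "good" answer.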
Working with Templates
A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. Often when someone refers to building and managing a PKI for their enterprise, they are thinking only of the Certificate Authority and the associated infrastructure needed to support the authentication and authorization required to support the function of the CA. While this is certainly important for the proper function of the PKI, it is only half of the picture—the certificates themselves must be carefully planned to support the business goals that are driving the need to install and configure the PKI. When you consider that certificates are flexible and can be used in scores of different scenarios, the true power of the certificate becomes apparent. While these different uses can all coexist within a single PKI, the types and functions of the certificates can be very different. Certificates that are used to support two-factor authentication on smart cards can be very different from those used to establish SSL connections to web servers, sign IPsec traffic between servers, support 802.1x wireless access through NAP, or even certificates used to sign e-mail communication. In all of these cases, the CA and the PKI it supports are the same, but it is the certificate itself that is changing. For each of these different uses, it is important for the certificate to contain the data appropriate to the function that the designer of the PKI has intended, and no more. While additional data could be provided in the certificate, the fact that these certificates are intended to mediate security exchanges makes it inappropriate to include any more information than is necessary to complete the certificate’s objective. It is the Certificate Template that specifies the data that must be included in a certificate for it to function, and that ensures all of the data needed for the certificate’s validity are provided.
EXAM WARNING Many different types of certificates can be used together within a single Public Key Infrastructure. It is the Certificate Templates that allow the certificates to differentiate themselves for different purposes, ensuring that the appropriate information is stored in the cert.
For an individual certificate, there are a number of properties and settings that go into the certificate template specification. Each of these combine to build the final template that will determine the settings for the resulting Certificate. There are many built-in templates that can be viewed using the Certificate Templates snap-in (see Figure 7.30). The snap-in can be run by right-clicking the Certificate Templates container located in the Certification Authority console and clicking Manage. You can use one of the built-in templates or create your own.
Figure 7.30 Certificate Templates Snap-in
When creating your own template, you have multiple options that will guide the CA in how to handle incoming requests. The first step in the creation process is to duplicate an existing template. You do this by using the Certificate Templates snap-in, then right-clicking the template you wish to copy and selecting Duplicate Template. On the General tab that appears by default (seen in Figure 7.31), there are time-sensitive options such as validity period and renewal period. Note the default validity period of one year, and the default renewal period of six weeks. There are also general options such as the template display name and a checkbox for publishing the certificate in Active Directory.
Figure 7.31 General Tab of the New Template Property Sheet
General Properties
Now we’ll describe the following settings under the General tab of the new certificate template:
■ Template Display Name It is important that the certificate that you are creating has a descriptive name that accurately describes the function of the certificate. This name cannot be changed once it is assigned, but you can always recreate the certificate from another template later.
■ Validity Period This is the period for which the derived certificates are valid. This time should be long enough so as not to create a burden on the end user, but not so long as to create a security problem.
■ Renewal Period This is the period before expiration in which the certificate holder is notified of the upcoming expiration and during which renewal will be attempted, if renewal is an option for the certificate.
■ Publish in Active Directory Some certificates can be stored in Active Directory, tied to security principals there. This generally applies to User certificates that are not tied to specific hardware.
The Request Handling tab, shown in Figure 7.32, has options to enroll without user interaction.
Figure 7.32 Request Handling Tab of the New Template Property Sheet
Request Handling
The Request Handling tab includes the following settings:
■ Purpose It is important to consider the activities for which this new certificate will be responsible. Some keys can be used just to validate identity while others can also provide signing for encryption.
■ The private key can also be archived or shared with the CA so that it may be recovered in the event of loss. Otherwise, the certificate must be recreated.
■ Enrollment Actions Different notification actions can be specified when the private key for this certificate is used. This can range from transparent usage of the key to full notification prompting the certificate owner for permission.
The Cryptography tab, seen in Figure 7.33, gives you the choice of algorithms that can be used.
Figure 7.33 Cryptography Tab
Cryptography
The Cryptography tab includes the following settings:
■ Algorithm Name There are a number of cryptographic algorithms that can be used to provide encryption for the keys. Valid methods under Server 2008 are RSA, ECDH_P256, ECDH_P384, ECDH_P521.
Note: If the Purpose is changed to Signature, additional algorithms become available: ECDSA_P256, ECDSA_P384, ECDSA_P521.
■ Hash Algorithm To provide one-way hashes for key exchanges, a number of algorithms are available. These include: MD2, MD4, MD5, SHA1, SHA256, SHA384, SHA512.
The Subject Name tab, seen in Figure 7.34, gives you the choice of obtaining subject name information from Active Directory or from the certificate request itself. In the latter case, autoenrollment (which we’ll discuss later in the chapter) is not available.
Figure 7.34 Subject Name Tab of the New Template Property Sheet
Subject Name
The Subject Name tab includes the following settings:
■ Supply in the Request Under this option, the CA will expect to get additional subject information in the certificate request. As noted, this will not permit autoenrollment, requiring intervention to issue the certificate.
■ Build from this AD Information Under this option, Active Directory will be queried and the certificate will be built based on the AD fields you specify.
Usually the default of the Distinguished Name is adequate for most purposes, but the common name will sometimes be preferable. The Issuance Requirements tab, seen in Figure 7.35, allows you to suspend automatic certificate issuance by selecting the CA certificate manager approval checkbox.
Figure 7.35 Issuance Requirements Tab of the New Template Property Sheet
Issuance Requirements
These settings can be used to manage the approval requirements in order for a certificate to be issued. These settings allow for a workflow or approval chain to be applied to the certificate type.
■ CA Certificate Manager Approval Using this setting will require that the CA Manager assigned in the CA approve the certificate before it is released to the end user of the certificate.
■ Number of Authorized Signatures Under these settings, additional approval steps may be required to release the certificate. In these scenarios, two or more approval authorities will have to consent before the certificate is generated.
■ Require the Following for Reenrollment These settings specify the approvals and prerequisites that are in place for renewal of the certificate. This gives the network administrator the ability to allow subjects with valid certificates to renew without having to go through the approval chain.
The Superseded Templates tab, as shown in Figure 7.36, is used to define which certificates are superseded by the current template. Usually, this tab is used to configure a template that serves several functions, e.g. IPsec and EFS. In this case, a template used only for IPsec or a template used only for EFS would be placed on the superseded templates list. This section allows the network administrator to specify other templates that are superseded by the new template type. This allows control of both versioning and wholesale template replacement. As templates evolve, it may be useful to replace templates that are already deployed in the wild with a new template.
Figure 7.36 Superseded Templates Tab of the New Template Property Sheet
In addition to the standard usage patterns that are inherited from the parent certificate, it is sometimes important to specify new circumstances and roles that a certificate will fill. In this case, additional extensions to the certificate will be applied to provide this new functionality. Under these settings, a new ability such as code signing can be applied to all derivative certificates to allow these new subjects the ability to complete multiple tasks. The Extensions tab as seen in Figure 7.37 can be used to add such things as the Application Policies extension, which defines the purposes for which a generated certificate can be used. The Issuance Policies extension is also worth mentioning, because it defines when a certificate may be issued.
Figure 7.37 Extensions Tab of the New Template Property Sheet
The Security tab is similar to the Security tab that we saw in Figure 7.38, except that this tab is used to control who may edit the template and who may request certificates using the template. Figure 7.38 shows the default permission level for the Authenticated Users group. In order for a user to request a certificate, however, the user must have at least the Enroll permission assigned to them for manual requests, and the Autoenroll permission for automatic requests.
Figure 7.38 Security Tab of the New Template Property Sheet
Security
The security settings control the actions that different types of users are able to perform on a certificate template.
■ Enroll These subjects are able to request that a certificate be created from this template and assigned to them. This enrollment process will abide by the constraints listed under the Issuance Requirements tab.
■ Autoenroll These subjects are able to make a request to the CA and will be automatically issued the certificate if the subject meets the Issuance Requirements. In this case, the certificate will be applied without administrator intervention or assistance.
After you have configured a particular template, it still cannot be used by the CA to issue certificates until it is made available. To enable a template, you use the Certification Authority console and right-click the Certificate Templates container. Selecting New | Certificate Template to Issue completes the process.
Types of Templates
There are a number of different templates that are included with Windows Server 2008 that provide basic signing and encryption services in the Enterprise Windows PKI role. In addition to these pre-built templates, the network administrator also has the option to build custom templates to address needs that might not be covered by the standard templates or to provide interoperation with other systems. The Subject Field of the Certificate templates determines the scope of action and the types of objects to which the resulting certificates can be bound.
User Certificate Types
User Certificate Templates are intended to be bound to a single user to provide identity and/or encryption services for that single entity.
■ Administrator This certificate template provides signature and encryption services for administrator accounts, providing account identification and certificate trust list (CTL) management within the domain. Certificates based on the Administrator Template are stored in Active Directory.
■ Authenticated Session This certificate template allows users to authenticate to a web server to provide user credentials for site logon. This is often deployed for remote users as a way to validate identity without storing information insecurely in a cookie, while avoiding the need for a user to log on to the site each time.
■ Basic EFS Certificates derived from this template are stored in Active Directory with the associated user account and are used to encrypt data using the Encrypting File System (EFS).
■ Code Signing These certificate templates allow developers to create certificates that can be used to sign application code. This provides a check on the origin of software so that code management systems and end users can be sure that the origin of the software is trusted.
■ EFS Recovery Agent Certificates of this type allow files that have been encrypted with EFS to be decrypted so that the files can be used again. EFS Recovery Agent certificates should be a part of any disaster recovery plan when designing an EFS implementation.
■ Enrollment Agent Certificates derived from this template are used to request and issue other certificates from the enterprise CA on behalf of another entity. For example, the web enrollment application uses these certificates to manage the certificate requests with the CA.
■ Exchange Enrollment Agent These certificates are used to manage enrollment services from within Exchange to provide certificates to other entities within the Exchange infrastructure.
■ Exchange Signature Certificates derived from the Exchange Signature template are user certificates used to sign e-mail messages sent from within the Exchange system.
■ Exchange User Certificates based on the Exchange User template are user certificates, stored in Active Directory, that are used to encrypt e-mail messages sent from within the Exchange system.
■ Smartcard Logon These certificates allow the holder of the smart card to authenticate to Active Directory and provide identity and encryption abilities. This is usually deployed as a part of a two-factor security scheme using smart cards as the physical token.
■ Smartcard User Unlike the Smartcard Logon certificate template, these types of certificates are stored in Active Directory and limit the scope of identity and encryption to e-mail systems.
■ Trust List Signing These certificates allow the signing of a trust list to help manage certificate security and to provide affirmative identity to the signer.
■ User This template is used to create general User Certificates—the kind that are usually thought of when talking about user certificates. These are stored in Active Directory and are responsible for user activities in the AD such as authentication, EFS encryption, and interaction with Exchange.
■ User Signature Only These certificates allow users to sign data and provide identification of the origin of the signed data.
Computer Certificate Types
Computer Certificate Templates are intended to be bound to a single computer entity to provide identity and/or encryption services for that computer. These are often the cornerstone of workstation authentication systems like NAP and 802.1x, which might require computer certificates for EAP authentication.
■ CA Exchange These certificates are bound to Certificate Authorities to mediate key exchange between CAs, allowing for PK sharing and archival.
■ CEP Encryption Certificates of this type are bound to servers that are able to respond to key requests through the Simple Certificate Enrollment Protocol (SCEP).
■ Computer This template is used to generate standard Computer certificates that allow a physical machine to assert its identity on the network. These certificates are extensively used in EAP authentication in identifying endpoints in secured communication tunnels.
■ Domain Controller Authentication Certificates of this type are used to authenticate users and computers in Active Directory. This allows a Domain Controller to access the directory itself and provide authentication services to other entities.
■ Enrollment Agent (Computer) These certificates allow a computer to act as an enrollment agent against the PKI so that it can offer computer certificates to physical machines.
■ IPsec Certificates based on this template allow a computer to participate in IPsec communications. These computers are able to assert their identity as well as encrypt traffic on the network. This is used in IPsec VPN tunnels as well as in Domain and Server Isolation strategies.
■ Kerberos Authentication These certificates are used by local computers to authenticate with Active Directory using the Kerberos v5 protocol.
■ OCSP Response Signing This certificate type is unique to Windows Server 2008, allowing a workstation to act as an Online Responder in the validation of certificate request queries.
■ RAS and IAS Server These certificates are used to identify and provide encryption for Routing and Remote Access Servers (RRAS) as well as Internet Authorization Servers (IAS), so that they can identify themselves in VPN and RADIUS communications with RADIUS clients.
■ Router This is also a new role in Windows Server 2008, providing credentials to routers making requests through SCEP to a CA.
■ Web Server These certificates are commonly used by servers acting as web servers to provide end-point identification and traffic encryption to their customers. These kinds of certificates are used to provide Secure Socket Layer (SSL) encryption, enabling clients to connect to the web server using the HTTPS protocol.
■ Workstation Authentication Like general computer certificates, the workstation certificate allows computers that are domain members the ability to assert their identity on the network and encrypt traffic that they send across the network.
Other Certificate Types
There are a number of other certificate types that are not directly tied to either user or computer entities. These are usually infrastructure-based certificate types that are used to manage the domain or the Certificate Authorities themselves.
■ Cross-Certification Authority These certificates are used within the Certificate Authority infrastructure to cross-certify CAs to validate the hierarchy that makes up the PKI.
■ Directory E-mail Replication Certificates that are derived from this type are used within the larger Exchange infrastructure to allow for the replication of e-mail across the directory service.
■ Domain Controller This kind of certificate is only held by the Domain Controllers in the domain. These differ from the Domain Controller Authentication certificates in that they identify the individual DC rather than facilitate authorization of inbound authentication requests.
■ Root CA These certificates are only issued to Root Certificate Authorities to assert their identity in the Public Key Infrastructure.
■ Subordinate CA This certificate type is used to assert the identity of Subordinate Certificate Authorities in the PKI. This type of certificate can only be issued by a computer holding the Root CA certificate or another Subordinate CA that is the direct parent of the one to which the new certificate is being issued.
Custom Certificate Templates
In some circumstances, it might be necessary to create a custom certificate type that can be used to support a specific business need. If you are using a version of Windows Server 2008 that is neither the Web nor the Standard edition, you can create your own templates.
EXERCISE 7.6 CREATING A CUSTOM TEMPLATE
In this exercise, we will create a new User Template based on the existing default user template. This new template will be valid for 10 years rather than the default 1-year expiration date.
1. Log in to your domain with an account that is a member of the Domain Admins group.
2. Navigate to Start | Administrative Tools | Certificate Authority.
3. Right-click the Certificate Templates folder on the left pane. Choose Manage to open the Certificate Templates Console (see Figure 7.39).
Figure 7.39 Creating a Custom Template
4. Right-click the User Template. Choose Duplicate Template.
5. On the Duplicate Template page, choose Server 2008 versioning as all of our CAs are running Server 2008 (see Figure 7.40). Click OK.
Figure 7.40 Creating a Custom Template
6. In the Template display name, enter Long-term User.
7. Change the Validity Period to 10 Years (see Figure 7.41).
Figure 7.41 Creating a Custom Template
8. Click OK.
The new Long-term User certificate template has now been created on this CA and is ready to be used to create new derivative certificates.
Securing Permissions
With the wide set of configuration options that are available when creating a new Certificate Template, it might come as a surprise that the permissions model is relatively simple. All of the more complicated security controlling the approval process and revocation is already built into the Certificate Template itself, so there is little left to control through the more traditional Access Control Entries on the template’s Access Control List.
■ Full Control Users with this permission have access to do anything with the Certificate Template. Users with this right should be confined to the Domain Administrators and CA Managers who will be maintaining the CA and the associated Templates.
■ Read These users will be able to read the template and view its contents. It is important for users to be able to Read the template if they are to apply it and continue to use the associated certificates issued from the template.
■ Write Users who are able to modify and manage the template will need to have write permissions on the template. Again, this should be confined to Domain Administrators and CA Managers who will be responsible for maintaining the Templates.
■ Enroll Users who will request certificates of this type or who already have these certs will need to have Enroll privileges.
■ AutoEnroll Subjects that will request new certificates through the autoenrollment process will need to have autoenrollment privileges in addition to the enroll and read permissions.
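The autoenrollment conditions scattered through this chapter (the template enabled for issuance on the CA, the subject name built from Active Directory rather than supplied in the request, the number of authorized signatures not above one, CA certificate manager approval holding issuance pending, and Read, Enroll and Autoenroll permissions on the template) collected into one pre-flight check, as an added example that is not Windows code and does not query a real CA. Template names, permission sets and group names are constructed.

```python
"""Pre-flight check of the conditions autoenrollment depends on.

Added example (not from the book, not Windows code). Template and group
names, permissions and settings below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Template:
    name: str
    published_for_issuance: bool       # New | Certificate Template to Issue done
    subject_from_ad: bool              # False means "Supply in the request"
    authorized_signatures: int         # Issuance Requirements tab
    ca_manager_approval: bool          # CA certificate manager approval box
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # group -> perms


REQUIRED_PERMISSIONS = ("Read", "Enroll", "Autoenroll")


def autoenroll_problems(tpl: Template, groups: Set[str]) -> List[str]:
    """Every reason autoenrollment would fail outright (empty list == none)."""
    problems: List[str] = []
    if not tpl.published_for_issuance:
        problems.append("template is not enabled for issuance on the CA")
    if not tpl.subject_from_ad:
        problems.append("Subject Name is set to Supply in the request")
    if tpl.authorized_signatures > 1:
        problems.append("number of authorized signatures is higher than one")
    granted: Set[str] = set()
    for group in groups:                       # permissions accumulate over groups
        granted |= tpl.acl.get(group, set())
    for needed in REQUIRED_PERMISSIONS:
        if needed not in granted:
            problems.append(f"missing {needed} permission on the template")
    return problems


def autoenroll_outcome(tpl: Template, groups: Set[str]) -> Tuple[str, List[str]]:
    """'issued', 'pending' (held for CA manager approval) or 'failed'."""
    problems = autoenroll_problems(tpl, groups)
    if problems:
        return "failed", problems
    if tpl.ca_manager_approval:
        return "pending", ["held until a CA certificate manager approves"]
    return "issued", []


# Constructed templates mirroring settings discussed in the chapter
LONG_TERM_USER = Template("Long-term User", True, True, 0, False,
                          {"Domain Users": {"Read", "Enroll", "Autoenroll"}})
WEB_SERVER = Template("Web Server", True, False, 0, False,
                      {"Domain Computers": {"Read", "Enroll"}})
SMARTCARD_LOGON = Template("Smartcard Logon", True, True, 0, True,
                           {"Domain Users": {"Read", "Enroll", "Autoenroll"}})
```

Reporting every failing condition at once, rather than the first, is the useful property here: an autoenrollment that silently does nothing usually has more than one of these settings wrong, and the template's Security tab and Subject Name tab are checked by different people.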
NOTE In order to keep the Certificate Authority communicating with the Active Directory, it is important that the Cert Publishers group be protected. Make sure that this group is not inadvertently destroyed or changed.
Versioning
Certificates are all tagged with version information allowing them to evolve over time. Without this feature, whenever a Certificate Template was updated, all of the certificates based on the old template would have to be revoked, forcing the end users to apply for new certificates again. This is disruptive to business and introduces a large amount of risk to business continuity as the certificates are brought into compliance again.
With versioning, a new version of the Certificate Template can be issued into the production environment. Then, using the autoenrollment process, these certificates can be superseded, bringing all of the certificate-holding subjects into compliance quickly and with a minimum of both disruption to the business and administrative intervention.
EXAM WARNING In an environment that has been upgraded from a previous version of Windows Server into the Server 2008 platform, an update to the certificate templates may be required to bring the templates into compliance. This should be done before the domain is upgraded to ensure continuity with the active directory.
Key Recovery Agent
Sometimes it is necessary to recover a key from storage. One of the problems that often arise regarding PKI is the fear that documents will become lost forever—irrecoverable because someone loses or forgets their private key. Let’s say that employees use Smart Cards to hold their private keys. If a user were to leave his smart card in his wallet, which was left in the pants that he accidentally threw into the washing machine, then that user might be without his private key and therefore incapable of accessing any documents or e-mails that used his existing private key. Many corporate environments implement a key recovery server solely for the purpose of backing up and recovering keys. Within an organization, there is at least one key recovery agent. A key recovery agent is an employee who has the authority to retrieve a user’s private key. Some key recovery servers require that two key recovery agents retrieve private user keys together for added security. Some key recovery servers also have the ability to function as a key escrow server, thereby adding the ability to split the keys onto two separate recovery servers, further increasing security. Luckily, Windows Server 2008 provides a locksmith of sorts (called a Registration Authority, or RA) that earlier versions of Windows did not have. A key recovery solution, however, is not easy to implement and requires several steps. The basic method follows:
1. Create an account to be used for key recovery.
2. Create a new template to issue to that account.
3. Request a key recovery certificate from the CA.
4. Have the CA issue the certificate.
5. Configure the CA to archive certificates by using the Recovery Agents tab of the CA property sheet (shown in Figure 7.42).
6. Create an archive template for the CA.
Figure 7.42 Recovery Agents Tab of the CA Property Sheet
Each of these steps requires many substeps, but can be well worth the time and effort. It is worth noting again that key recovery is not possible on a stand-alone CA, because a stand-alone CA cannot use templates. It is also worth noting that only encryption keys can be recovered—private keys used for digital signatures cannot.
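An added example (not from the book and not the archival mechanism Windows Server 2008 itself uses) of the two rules stated above: only encryption private keys are archived, and recovery requires two key recovery agents acting together. The key is split into two shares with a 2-of-2 XOR split, so that either share alone is indistinguishable from random bytes; a real CA instead encrypts the archived key to the key recovery agent's certificate. The key bytes and serial numbers are constructed placeholders.

```python
"""Two-agent key archival and recovery with a 2-of-2 XOR split (model).

Added example (not from the book and not the archival mechanism of
Windows Server 2008, which encrypts the archived key to the key recovery
agent's certificate). Key bytes and serial numbers are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class ArchivedKey:
    serial: int
    share_a: bytes         # held by key recovery agent A
    share_b: bytes         # held by key recovery agent B


def archivable(key_usage: str) -> bool:
    """Only encryption keys are archived; signature keys are never escrowed."""
    return key_usage == "encryption"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeyArchive:
    def __init__(self) -> None:
        self._store: Dict[int, ArchivedKey] = {}

    def archive(self, serial: int, key_usage: str, private_key: bytes) -> None:
        if not archivable(key_usage):
            raise ValueError("only encryption private keys are archived")
        share_a = secrets.token_bytes(len(private_key))   # uniformly random pad
        share_b = _xor(private_key, share_a)              # key XOR pad
        self._store[serial] = ArchivedKey(serial, share_a, share_b)

    def shares(self, serial: int) -> ArchivedKey:
        return self._store[serial]


def recover(agent_a_share: bytes, agent_b_share: bytes) -> bytes:
    """Both agents present their share; XOR of the two reconstructs the key."""
    if len(agent_a_share) != len(agent_b_share):
        raise ValueError("shares do not belong to the same archived key")
    return _xor(agent_a_share, agent_b_share)


def demo() -> dict:
    archive = KeyArchive()
    user_key = b"constructed-placeholder-key-material"   # not a real private key
    archive.archive(1001, "encryption", user_key)
    rec = archive.shares(1001)
    return {
        "recovered_matches": recover(rec.share_a, rec.share_b) == user_key,
        "single_share_leaks": rec.share_a == user_key or rec.share_b == user_key,
        "signature_key_archivable": archivable("signature"),
    }
```

Refusing to archive a signing key is the enforcement of the last sentence above: if a copy of a signature key existed anywhere, a signature could no longer be attributed to its holder alone.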
Summary of Exam Objectives
The purpose of a PKI is to facilitate the sharing of sensitive information such as authentication traffic across an insecure network. This is done with public and private key cryptography. In public key cryptography, keys are generated in pairs so that every public key is matched to a private key and vice versa. If data is encrypted with a particular public key, then only the corresponding private key can decrypt it. A digital signature means that an already encrypted piece of data is further encrypted by someone’s private key. When the recipient wants to decrypt the data, he or she must first “unlock” the digital signature by using the signer’s public key, remembering that only the signer’s public key will work. This might seem secure, but because anyone at all can sign the data, how does the recipient know for certain the identity of the person who actually signed it? The answer is that digital signatures need to be issued by an authoritative entity, one whom everyone trusts. This entity is known as a certification authority. An administrator can use Windows Server 2008, a third-party company such as VeriSign, or a combination of the two to create a structure of CAs. Certification authorities, as the name implies, issue certificates. In a nutshell, certificates are digitally signed public keys. Certificates work something like this: party A wants to send a private message to party B, and wants to use party B’s public key to do it. Party A realizes that if B’s public key is used to encrypt the message, then only B’s private key can be used to decrypt it, and since B and no one else has B’s private key, everything works out well. However, A needs to be sure that he’s really using B’s public key and not an imposter’s, so instead of just asking B for B’s public key, he asks B for a certificate.
B has previously asked the CA for a certificate for just such an occasion (B will present the certificate to anyone who wants to verify B’s identity). The CA has independently verified B’s identity, and has then taken B’s public key and signed it with its own private key, creating a certificate. A trusts the CA, and is comfortable using the CA’s well-known public key. When A uses the CA’s public key to unlock the digital signature, he can be sure that the public key inside really belongs to B, and he can take that public key and encrypt the message. The “I” in PKI refers to the infrastructure, which is a system of public key cryptography, certificates, and certification authorities. CAs are usually set up in a hierarchy, with one system acting as a root and all the others as subordinates at one or more levels deep. By analyzing the certificate requirements for your company, you can design your CA structure to fit your needs. Most organizations use a three-tier model, with a root CA at the top, an intermediate level of subordinates who control CA policy, and a bottom level of subordinates who actually issue certificates to users, computers, and applications. In addition to choosing root and subordinate structure for the CA hierarchy, each CA during installation needs to be designated as either an enterprise or a stand-alone. Each of these choices has distinct advantages and disadvantages. Most CA configuration after installation is done through the Certification Authority snap-in. In addition to issuing certificates, CAs are also responsible for revoking them when necessary. Revoked certificates are published to a CRL that clients can download before accepting a certificate as valid. Enterprise CAs use templates to know what to do when a certificate request is received and how to issue a certificate if approved. There are several built-in templates included in Server 2008, or you can configure new ones. Once a CA is ready to issue certificates, clients need to request them. Autoenrollment, Web enrollment, or manual enrollment through the Certificates snap-in are the three ways by which a client can request a certificate. Autoenrollment is available for computer certificates, and in Windows Server 2008, for user certificates as well.
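The A, B and CA exchange the summary describes, written out as an added PowerShell example (not code from the book): A builds the chain from B’s certificate up to a root A trusts, requires the CRL check to succeed, and only then encrypts with B’s public key. It assumes Windows PowerShell on the .NET Framework, that B’s certificate has been imported into A’s Other People (AddressBook) store, and that the thumbprint is a placeholder you replace.

```powershell
# Added example, not from the book. Party A verifies B's certificate chain
# (including revocation via the CRL) before trusting the public key inside it.
Add-Type -AssemblyName System.Security

function Test-PartnerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Clients download the CRL before accepting a certificate as valid; fail
    # closed if any certificate in the chain cannot be checked.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $valid = $chain.Build($Certificate)

    # Report every problem the chain engine found (expired, untrusted root, revoked, ...)
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }

    # Show the path from B's certificate up to the root CA that A trusts
    $depth = 0
    foreach ($element in $chain.ChainElements) {
        Write-Host ("{0}{1}" -f ("  " * $depth), $element.Certificate.Subject)
        $depth++
    }

    return $valid
}

function Protect-MessageForPartner {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory = $true)]
        [string] $Message
    )

    if (-not (Test-PartnerCertificate -Certificate $Certificate)) {
        throw 'Refusing to encrypt: the certificate does not chain to a trusted CA or failed revocation checking.'
    }

    # Only the holder of the matching private key (B) can decrypt this.
    $rsa    = $Certificate.PublicKey.Key          # RSACryptoServiceProvider on .NET Framework
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Message)
    $cipher = $rsa.Encrypt($plain, $true)         # $true selects OAEP padding
    return [Convert]::ToBase64String($cipher)
}

# Placeholder: replace with the thumbprint of B's certificate (assumption:
# it was imported into A's "Other People" store, Cert:\CurrentUser\AddressBook)
$partnerThumbprint = 'REPLACE_WITH_B_CERT_THUMBPRINT'
$partnerCert = Get-ChildItem -Path Cert:\CurrentUser\AddressBook |
    Where-Object { $_.Thumbprint -eq $partnerThumbprint }

if ($null -eq $partnerCert) {
    throw "Certificate $partnerThumbprint not found in Cert:\CurrentUser\AddressBook"
}

Protect-MessageForPartner -Certificate $partnerCert -Message 'Quarterly numbers attached'
```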
Exam Objectives Fast Track
Planning a Windows Server 2008 Certificate-Based PKI
˛ A PKI combines public key cryptography with digital certificates to create a secure environment where network traffic such as authentication packets can travel safely.
˛ Public keys and private keys always come in pairs. If the public key is used to encrypt data, only the matching private key can decrypt it.
˛ When public key-encrypted data is encrypted again by a private key, that private key encryption is called a digital signature.
˛ Digital signatures provided by ordinary users aren’t very trustworthy, so a trusted authority is needed to provide them. The authority (which can be Windows-based) issues certificates, which are basically digitally signed containers for public keys and other information.
˛ Certificates are used to safely exchange public keys, and provide the basis for applications such as IPsec, EFS, and smart card authentication.
Implementing Certification Authorities
˛ Certificate needs are based on which applications and communications an organization uses and how secure they need to be. Based on these needs, CAs are created by installing certificate services and are managed using the Certification Authority snap-in.
˛ A CA hierarchy is structured with a root and one or more levels of subordinates; three levels are common. The bottom level of subordinates issues certificates. The intermediate level controls policies.
˛ Enterprise CAs require and use Active Directory to issue certificates, often automatically. Stand-alone CAs can be more secure, and need an administrator to manually issue or deny certificate requests.
˛ CAs need to be backed up consistently and protected against attacks. Keys can be archived and later retrieved if they are lost. This is a new feature for Windows Server 2008.
˛ CAs can revoke as well as issue certificates. Once a certificate is revoked, it needs to be published to a CRL distribution point. Clients check the CRL periodically before they can trust a certificate.
Planning Enrollment and Distribution of Certificates
˛ Templates control how a CA acts when handed a request, and how to issue certificates. There are quite a few built-in templates, or you can create your own using the Certificate Templates snap-in. Templates must be enabled before a CA can use them.
˛ Certificates can be requested with the Certificates snap-in or by using Internet Explorer and pointing to http://servername/certsrv on the CA.
˛ Machine and user certificates can be requested with no user intervention by using autoenrollment. Autoenrollment for user certificates is new to Windows Server 2008.
˛ Role-based administration is recommended for larger organizations. Different users can be assigned permissions relative to their positions, such as certificate manager.
Exam Objectives Frequently Asked Questions
Q: In what format do CAs issue certificates? A: Microsoft certificate services use the standard X.509 specification for issued certificates and the Public Key Cryptography Standard (PKCS) #10 standard for certificate requests. The PKCS #7 certificate renewal standard is also supported. Windows Server 2003 also supports other formats, such as PKCS #12, DER encoded binary X.509, and Base64 Encoded X.509, for exporting certificates to computers running non-Windows operating systems.
Q: If certificates are so important in a PKI, why don’t I see more of them? A: Many portions of a Windows PKI are hidden to the end user. Thanks to features such as autoenrollment, some PKI transactions can be completely done by the operating system. Most of the work in implementing a PKI comes in the planning and design phase. Operations such as encrypting data via EFS use certificates, but the user does not “see” or manually handle the certificates.
Q: I’ve heard that I can’t take my laptop overseas because it uses EFS. Is this true? A: Maybe. The backbone of any PKI-enabled application such as EFS is encryption. Although the U.S. government now permits the exporting of “high encryption” standards, some countries still do not allow their import. The Windows Server 2008 PKI can use high encryption, and so the actual answer depends on the country in question. For information on the cryptographic import and export policies of a number of countries, see http://www.rsasecurity.com/rsalabs/faq/6-5-1.html.
Q: Can I create my own personal digital signature and use it instead of a CA? A: Not if you need security. The purposes behind digital signatures are privacy and security, and a digital signature at first glance seems to fit the bill. The problem, however, is not the signature itself, but the lack of trust in a recipient. Impersonations become a looming security risk if you can’t guarantee that the digital signatures you receive came from the people with whom they were supposed to have originated. For this reason, a certificate issued by a trusted third party provides the most secure authentication.
Q: Can I have a CA hierarchy that is five levels deep? A: Yes, but that’s probably overkill for most networks. Microsoft’s three-tier model of root, intermediate, and issuing CAs will more than likely meet your requirements. Remember that your hierarchy can be wide instead of deep.
Q: Do I have to have more than one CA? A: No. Root CAs have the ability to issue all types of certificates and can assume responsibility for your entire network. In a small organization, a single CA might be sufficient for your purposes. For a larger organization, however, this structure would not be suitable.
Q: How can I change the publishing interval of a CRL? A: From the Certification Authority console, right-click the Revoked Certificates container and choose Properties. The CRL Publishing Parameters tab allows you to change the default interval for full and Delta CRLs.
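The same CRL publishing settings changed from the command line rather than the console, as an added PowerShell example (not from the book). It assumes it runs elevated on the CA itself; the interval values are example choices for illustration, and the output parsing assumes certutil’s usual “NAME REG_TYPE = value” line layout.

```powershell
# Added example, not from the book: read and change the CA's full and delta
# CRL publishing intervals with certutil, then publish a fresh CRL.

function Invoke-Certutil {
    # Runs certutil and turns a non-zero exit code into a terminating error.
    param([string[]] $Arguments)
    $output = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("certutil {0} failed (exit {1}): {2}" -f ($Arguments -join ' '), $LASTEXITCODE, ($output -join ' '))
    }
    return $output
}

function Get-CrlPublishingSettings {
    # These four registry-backed values are what the CRL Publishing Parameters
    # tab edits behind the scenes.
    foreach ($name in 'CRLPeriodUnits', 'CRLPeriod', 'CRLDeltaPeriodUnits', 'CRLDeltaPeriod') {
        $out  = Invoke-Certutil -Arguments @('-getreg', "CA\$name")
        # Assumed layout: "  CRLPeriodUnits REG_DWORD = 1" / "  CRLPeriod REG_SZ = Weeks"
        $line = ($out | Where-Object { $_ -match "^\s*$name\s+REG_" }) -join ''
        '{0,-22} {1}' -f $name, ($line -replace '^.*=\s*', '').Trim()
    }
}

function Set-CrlPublishingSettings {
    param(
        [int]    $FullUnits   = 2,      # example values: full CRL every 2 days,
        [string] $FullPeriod  = 'Days', # delta CRL every 12 hours
        [int]    $DeltaUnits  = 12,
        [string] $DeltaPeriod = 'Hours'
    )
    # A short delta interval lets clients learn of a revocation within hours
    # while the full CRL stays small enough to cache comfortably.
    Invoke-Certutil -Arguments @('-setreg', 'CA\CRLPeriodUnits',      "$FullUnits")  | Out-Null
    Invoke-Certutil -Arguments @('-setreg', 'CA\CRLPeriod',           $FullPeriod)   | Out-Null
    Invoke-Certutil -Arguments @('-setreg', 'CA\CRLDeltaPeriodUnits', "$DeltaUnits") | Out-Null
    Invoke-Certutil -Arguments @('-setreg', 'CA\CRLDeltaPeriod',      $DeltaPeriod)  | Out-Null

    # The CA service reads these values at start-up
    Restart-Service -Name CertSvc -Force

    # Publish a new full CRL now so the new schedule starts immediately
    Invoke-Certutil -Arguments @('-CRL') | Out-Null
}

Write-Host 'CRL settings before:'
Get-CrlPublishingSettings
Set-CrlPublishingSettings
Write-Host 'CRL settings after:'
Get-CrlPublishingSettings
```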
Q: Why can’t I seem to get autoenrollment for user certificates to work? A: Remember that autoenrollment for machines is a feature that has been around since Windows 2000, but autoenrollment for user certificates is new to Windows Server 2003. In order to use this feature, you need to be running either a Windows Server 2003 or XP client and you must log on to a Windows Server 2003 domain. Finally, autoenrollment must be enabled through Active Directory’s group policy. Also, you won’t be able to autoenroll a user unless the user account has been assigned an e-mail address.
Q: What is the default validity period for a new certificate? A: The default, which can be changed on the General tab of a new template’s Property sheet, is one year. Other important settings, such as minimum key size and purpose of the certificate, can be found on the sheet’s other tabs.
Q: If my smart card is lost or stolen, can I be reissued one? A: Yes. The enrollment agent can enroll a new card for you at the enrollment station. Although most smart card providers allow cards to be reused (such as when they are found), a highly secure company may require old cards to be destroyed. For similar security reasons, PINs should not be reused on a newly issued card although it is possible. Remember that a card is only good to a thief if the corresponding PIN is obtained as well.
Q: When setting up smart cards for my company, can I use the MS-CHAP or MS-CHAP v2 protocols for authentication?
A: No. EAP is the only authentication method you can use with smart cards. It is considered the pinnacle of the authentication protocols under Windows Server 2003. MS-CHAP v2 is probably the most secure of the password-based protocols, but still does not provide the level of protection that smart cards using EAP do. This is because EAP is not really an authentication protocol by itself. It interfaces with other protocols such as MD5-CHAP, and is therefore extremely flexible. As a result it has been widely implemented by many different vendors. MS-CHAP and MS-CHAP v2 are Microsoft proprietary, and do not enjoy the same popularity or scrutiny applied to EAP. It is this scrutiny over the last several years that gives EAP the reputation of a highly secure protocol.
Q: How can I determine the length of time for which a certificate should be valid? A: It is important to plan out your PKI implementation before it goes into production. In the case of certificate validity, you’ll want to choose a time period that will cover the majority of your needs without being so long as to open your environment up to compromise. If you are planning a certificate to support a traveling workforce that only connects to the corporate infrastructure once a quarter, it would be detrimental to expire certificates once a month. At the same time, specifying a certificate to be valid for 20 years might open your business up to compromise by an ex-employee long after his employment has been terminated. Finally, you will want to ensure that your certificate lifetime is less than the lifetime of the CA’s own certificate. If the issuing CA will only be valid for a year, having a subordinate cert that is good for 5 years will lead to problems when the parent authority is revoked.
Q: My domain has been active for some time, but I have only recently implemented a Certificate Authority in my domain. I am now getting messages that my Domain Controllers do not have appropriate certificates. What should I do?
A: Make sure that you have enabled auto enrollment on your Domain Controller certificate templates. This step is often missed and can lead to a number of secondary problems, the least of which is annoying messages in the Event Logs.
Self Test
1. You have been asked to provide an additional security system for your company’s internet activity. This system should act as an underlying cryptography system. It should enable users or computers that have never been in trusted communication before to validate themselves by referencing an association to a trusted third party (TTP). The method of security the above example is referencing is?
A. Certificate Authority (CA)
B. Nonrepudiation
C. Cryptanalysis
D. Public Key Infrastructure (PKI)
2. You are engaged in an exercise that is meant to demonstrate the Public-Key Cryptography Standards (PKCS). You arrive at a portion of the exercise dealing with encrypting a string with a secret key based on a password. Which of the following PKCS does this exercise address?
A. PKCS #5
B. PKCS #1
C. PKCS #8
D. PKCS #9
3. You are working in a Windows Server 2008 PKI and going over various user profiles that are subject to deletion due to company policy. The public keys for these users are stored under Documents and Settings\Administrator\System Certificates\My\Certificates and the private keys would be under Documents and Settings\Administrator\Crypto\RSA. You possess copies of the public keys in the registry, and in Active Directory. What effect will the deletion of the user profile have on the private key?
A. It will have no effect.
B. It will be replaced by the public key that is stored.
C. The private key will be lost.
D. None of the above.
4. Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine each own a key pair consisting of a public key and a private key. If Dave wants Dixine to send him an encrypted message, which of the following security measures occurs first?
A. Dave transmits his public key to Dixine.
B. Dixine uses Dave’s public key to encrypt the message.
C. Nothing occurs; the message is simply sent.
D. Dixine requests access to Dave’s private key.
5. You are browsing your company’s e-commerce site using Internet Explorer 7 and have added a number of products to the shopping cart. You notice that there is a padlock symbol in the browser. By right-clicking this symbol you will be able to view information concerning the site’s:
A. Private Key.
B. Public Key.
C. Information Architecture.
D. Certificates.
6. You are engaged in an exercise that is meant to demonstrate the Public-Key Cryptography Standards (PKCS) used in modern encryption. You arrive at a portion of the exercise which outlines the encryption of data using the RSA algorithm. Which of the following PKCS does this exercise address?
A. PKCS #5
B. PKCS #1
C. PKCS #8
D. PKCS #9
7. You are the administrator of your company’s Windows Server 2008-based network and are attempting to enroll a smart card and configure it at an enrollment station. Which of the following certificates must be requested in order to accomplish this action?
A. A machine certificate.
B. An application certificate.
C. A user certificate.
D. All of the above.
8. Dave and Dixine each own a key pair consisting of a public and private key. A public key was used to encrypt a message and the corresponding private key was used to decrypt. Dave wants Dixine to know that a document he is responding with was really written by him. How is this possible using the given scenario?
A. Dave’s private key can encrypt the document and the matching public key can be used to decrypt it.
B. Dave can send Dixine his private key as proof.
C. Dixine can allow Dave access to her private key to encrypt the document.
D. None of the above.
9. You are administrating a large hierarchical government environment in which a trust model needs to be established. The company does not want external CAs involved in the verification process. Which of the following is the best trust model deployment for this scenario?
A. A hierarchical first party trust model.
B. A third party single CA trust model.
C. A first party single CA trust model.
D. None of these will meet the needs of the company.
10. Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine each own a key pair consisting of a public key and a private key. A public key was used to encrypt a message and the corresponding private key was used to decrypt. What is the major security issue with this scenario?
A. Private keys are revealed during the initial transaction.
B. Information encrypted with a public key can be decrypted too easily without the private key.
C. An attacker can intercept the data mid-stream, and replace the original signature with his or her own, using his private key.
D. None of the above.
Self Test Quick Answer Key
1. D
2. A
3. C
4. A
5. C
6. B
7. C
8. A
9. A
10. C
Chapter 8
MCTS/MCITP Exam 640
Maintaining an Active Directory Environment
Exam objectives in this chapter:
■ Backup and Recovery
■ Offline Maintenance
■ Monitoring Active Directory
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Introduction
Being able to implement a Windows Server 2008 Active Directory environment is only half the battle. You must also be able to maintain the environment to provide minimum downtime and optimum performance of your enterprise. Various solutions and strategies come into play as part of maintenance. Some can be seen as larger “disaster recovery” components, whereas others may simply be “tweaking” the environment to improve user experience. In some situations, “maintenance” may fall somewhere in between: a user account is accidentally deleted, a file is accidentally deleted, or replication is underperforming or not performing at all! In this chapter, you will learn about the many maintenance and management tools offered as a part of Windows Server 2008, as well as some solutions to better improve your Windows Active Directory environment. These topics will be critical not only to your exam success, but also to your success as an IT professional. We will begin this section with a discussion of Windows Server Backup and how it has changed drastically from earlier versions of the Windows server product.
Backup and Recovery
Most people never think about backup and recovery until they need it. Microsoft has been shipping a simple backup solution with Windows since Windows NT 3.1 back in 1993. The technology used today has changed since then, but the needs are still the same. Administrators need the ability to effectively back up servers, data, and the system state while also having an easy way to restore when needed. Windows Server 2008 does not support the old NTBackup.exe tool or its backup format. It now uses a backup feature called Windows Server Backup. This feature cannot read the old .bkf files. Therefore, it cannot restore any backups from NTBackup.exe. Windows Server Backup is primarily intended for use by small businesses and companies that do not have a full-time or highly technical IT staff. Windows Server Backup uses the same backup technology found in Windows Vista, which is a block-level image. It uses .vhd image files just like those found in Microsoft Virtual Server. After the first full backup is complete, Windows Server Backup can be configured to automatically run incremental backups, therefore saving only the data that has changed and not the entire object over and over again. Restoration is also simplified in that an administrator no longer has to manually restore from multiple backups if an item was stored on an incremental backup. They can now restore items by choosing a backup to recover from and then selecting the item(s) to restore. One thing that you cannot do in Windows Server Backup, however, is back up to tape. Tape is not a supported medium for Windows Server Backup. You can back up to disks, DVDs, and network shares.
New and Noteworthy…
Windows Server Backup
Although you cannot use Windows Server Backup to recover files from a .bkf format, you can download a version of Windows Backup for Windows Server 2008. It is for use by administrators who need to recover data from backups taken using NTBackup. The downloadable version cannot be used to create additional backups on Windows Server 2008. To download NTBackup for Windows Server 2008, go to http://go.microsoft.com/fwlink/?LinkId=82917.
Using Windows Server Backup Before using Windows Server Backup, you must install the feature. Just like many of the features within Windows Server 2008, Windows Server Backup is installed via a wizard through Server Manager. Installing the Windows Server Backup feature is easy and simple; just follow the steps in Exercise 8.1.
EXERCISE 8.1 INSTALLING WINDOWS SERVER BACKUP
1. Log on to Windows Server 2008 as an administrator (domain admin or local admin).
2. Click Start | Administrative Tools | Server Manager. Server Manager should come up.
3. In Server Manager, in the left window pane, also known as the Console Tree, click the top icon, where it reads Server Manager <server name>. In our case, it reads Server Manager (SIGMA).
4. You’ll now see a list of different options. Go to Features and click on it. Server Manager will show the different features installed on that particular server in the Details pane to the right of the console tree. Figure 8.1 is an example of what an administrator would see after doing this.
Figure 8.1 The List of Features Installed
5. In the console tree, right-click Features and choose Add Features. You will now come to the Select Features window via the Add Features Wizard. Scroll down the list to where you see Windows Server Backup Features and put a check beside it and click Next. In Figure 8.2, you’ll notice that you are installing the Windows Server Backup and the Command-line Tools.
Head of the Class…
Command-Line Tools
If you want to install the Command-line Tools with the Windows Server Backup Features, you must also install Windows PowerShell. Windows PowerShell is a command-line shell and scripting language that allows IT professionals to better control system administration and automation. It is built on top of the .NET Framework and uses cmdlets (“command-lets”), each of which is a single-function command-line tool built into the shell.
Figure 8.2 Selecting Windows Server Backup Features
6. Now you will come to the Confirm Installation Selections screen. Once you’ve verified that the feature(s) you plan to install are shown in the confirmation list, click Install.
7. Once the installation has completed, you will come to the Installation Results screen, as shown in Figure 8.3. Notice that we installed the Windows PowerShell and the Windows Server Backup Features successfully. Once the installation is complete, click Close.
Figure 8.3 Installation Results
8. Back in Server Manager, you will see the list of features installed, and in the list you will see Windows Server Backup Features, just as you see in Figure 8.4.
Figure 8.4 The List of Features Installed
To use the newly installed Windows Server Backup, simply click Start | Administrative Tools | Windows Server Backup. As you can see in Figure 8.5, Windows Server Backup’s interface is pretty straightforward. Information about backups and messages is shown in the left pane, and options such as the following are shown in the right pane:
■ Backup Schedule
■ Backup Once
■ Recover
■ Configure Performance Settings
■ Connect To Another Computer
Figure 8.5 Windows Server Backup
Scheduling a Backup Windows Server Backup allows administrators and operators with sufficient rights to schedule backups to take place at certain times on a regular basis. In scheduling a backup, you need to decide what you want to back up, how often and when the backup(s) are to take place, and where to store the backup(s). To schedule a backup, follow the steps in Exercise 8.2.
EXERCISE 8.2 SCHEDULING A BACKUP
1. In Windows Server Backup, go to the Actions pane and select Backup Schedule. This will kick off the Backup Schedule Wizard, which you see in Figure 8.6.
Figure 8.6 The Backup Schedule Wizard’s Getting Started Screen
2. Next you’re asked what type of configuration you want to schedule. You can select Full Server or you can select Custom, as shown in Figure 8.7. The full server configuration will back up all data, applications, and system state. Selecting Custom, though, allows you to select which items you would prefer to back up. For our example, we will choose to conduct a Full Server backup. After you have made your decision just click Next.
Figure 8.7 Selecting Backup Configuration
3. The next thing we need to do in scheduling our backup is decide how often we want to conduct a backup and what time(s) to run it. In Figure 8.8, you see we have decided to kick off our backup once a day at midnight. After deciding when and how often backups are to take place, click Next to continue.
Figure 8.8 Specifying the Backup Time
4. Now we need to tell Windows Server Backup where we want to store the backup. For scheduled backups, we have to use a locally attached drive. This can be a DVD drive, a USB flash drive, or even an externally attached drive. It cannot be a network drive. Although Windows Server Backup does allow you to back up to a network drive, you are not allowed to schedule a job that does. On our system, we have a second drive listed as volume E. We will have our scheduled backup job use this as the destination; to continue we just click Next. You’ll notice a pop-up from Windows Server Backup, letting you know that it will reformat the destination drive you selected, that the drive will be dedicated only to backups, and that it will not show up in Windows Explorer. To continue, just click Yes. Figure 8.9 shows that we have chosen the E drive as our destination disk and Figure 8.10 informs us that the destination drive will be reformatted, among other things.
Figure 8.9 Selecting the Destination Disk
Figure 8.10 The Destination Drive Will Be Reformatted
5. Windows Server Backup will now label the destination disk. The default name will be in the form of <server name> year_month_date <military time>. As you see in Figure 8.11, our label will be SIGMA 2008_01_10 14:08. After confirming this, you can click Next.
Figure 8.11 Labeling the Destination Disk
EXAM WARNING It is highly recommended that administrators and backup operators alike write the label name on the destination drive. During recovery Windows Server Backup may specify a disk holding backups with a specific label name.
6. The final step in scheduling a backup is to confirm your selections. The Confirmation screen will show you what you have chosen as the backup items, times, and destination, as you see in Figure 8.12. After you’ve confirmed your choices, click Finish.
Figure 8.12 The Backup Schedule Confirmation
Now that we have a scheduled backup, we can just wait for it to kick off at midnight. In Figure 8.13, you’ll notice in Windows Server Backup we went ahead and ran a full backup. You’ll see under Messages and Status that we have conducted a successful backup. We did this by going into the Actions pane and selecting Backup Once. This gave us a chance to test the backup configuration.
Figure 8.13 A Successful Backup
As you’ve seen, we’ve gone through installing Windows Server Backup, and gone over the media it supports, how to schedule a backup, and how to immediately start one. What we have not covered, which you will be tested on, is how to use the wbadmin command. Wbadmin.exe is the command-line utility that comes with Windows Server Backup. It can be used to perform backups and restores from the command line or via batch files and scripts. Table 8.1 lists the commands supported by wbadmin.exe.

Table 8.1 The wbadmin.exe Commands

Command                              Description
wbadmin enable backup                Enables or configures scheduled daily backups
wbadmin disable backup               Disables running scheduled daily backups
wbadmin start backup                 Runs a backup job
wbadmin stop job                     Stops a running backup or recovery job
wbadmin get versions                 Reports information about the available backups
wbadmin get items                    Lists the items included in a backup based on parameters you specify
wbadmin start recovery               Runs a recovery of the volumes, applications, or files and folders specified
wbadmin get status                   Gives the status of a running backup or recovery job
wbadmin get disks                    Lists disks that are currently online
wbadmin start systemstaterecovery    Recovers the system state from a backup
wbadmin start systemrecovery         Runs a full system recovery. Available only from the Windows Recovery Environment.
wbadmin restore catalog              Recovers a corrupted backup catalog. Useful when the backup catalog has been corrupted and recovery from backups cannot proceed.
wbadmin delete catalog               Deletes a corrupted backup catalog
wbadmin start systemstatebackup      Runs a system state backup
wbadmin delete systemstatebackup     Deletes one or more system state backups
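The book notes that wbadmin.exe is meant to be driven from batch files and scripts. The following PowerShell wrapper is an added example, not from the book or from Microsoft: it runs a wbadmin start backup of chosen volumes to a target volume without the interactive prompt, records the exit code and output to a log, and then confirms the new backup is visible with wbadmin get versions. The target letter, included volumes, and log path are assumptions supplied by the caller, and the script must run in an elevated prompt as an Administrator or Backup Operator.

```powershell
# Added example (not the book's code): scripted wbadmin backup with verification.
# Assumptions: $BackupTarget is a fixed or USB volume such as "E:"; $Include lists
# the volumes to back up; $LogPath is where results are appended.
param(
    [Parameter(Mandatory = $true)][string]$BackupTarget,
    [string[]]$Include = @("C:"),
    [string]$LogPath = "$env:SystemRoot\Temp\wbadmin-backup.log"
)

function Write-BackupLog {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Invoke-WbadminBackup {
    param([string]$Target, [string[]]$Volumes)
    # -include takes a comma-separated list of volumes; -quiet suppresses the
    # "Do you want to start the backup operation?" prompt seen in Exercise 8.3.
    $includeArg = "-include:" + ($Volumes -join ",")
    $output = & wbadmin.exe start backup "-backupTarget:$Target" $includeArg -quiet 2>&1
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($output -join "`n") }
}

function Get-WbadminVersions {
    param([string]$Target)
    # Lists backups stored on the target so the run can be checked after the fact.
    return (& wbadmin.exe get versions "-backupTarget:$Target" 2>&1) -join "`n"
}

Write-BackupLog "Starting backup of $($Include -join ',') to $BackupTarget"
$result = Invoke-WbadminBackup -Target $BackupTarget -Volumes $Include
Write-BackupLog $result.Output

if ($result.ExitCode -ne 0) {
    # A non-zero exit code means the job did not complete; surface it for monitoring.
    Write-BackupLog "FAILED: wbadmin exit code $($result.ExitCode)"
    exit $result.ExitCode
}

Write-BackupLog "Backup job reported success; backups now present on $BackupTarget :"
Write-BackupLog (Get-WbadminVersions -Target $BackupTarget)
exit 0
```

DVD targets still require the interactive media prompts described in Exercise 8.3, so this wrapper is intended for fixed or USB volumes; the log it writes is what you would review (or feed to a monitoring system) to confirm that a scheduled run actually completed.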
Backing Up to Removable Media

In Windows Server 2008, WBS can back up to removable media such as DVDs and USB-based flash drives. Although the wizard-driven GUI interface cannot back up to removable media, wbadmin.exe can. One of the big advantages of being able to back up to removable media is that you can easily take it offsite. One disadvantage of using removable media with WBS is that recovery can be done only at the volume level: recovering individual files or folders is possible only through the GUI, which does not support removable media. So, how do we back up to removable media? That’s a good question. In Exercise 8.3, we will back up a server to DVDs.
EXERCISE 8.3 BACKING UP TO DVD
1. Make sure your system has a DVD burner, either attached to it or internal to the server.
2. Log on as either the Administrator or a member of the Backup Operators group.
3. Put a blank DVD in the DVD burner.
4. Open a command prompt (Start | Command Prompt); at the prompt, type wbadmin start backup -backupTarget:E: -include:C: and then press Enter. You should see a screen similar to that shown in Figure 8.14 (if your DVD drive uses a drive letter other than E, use that drive letter for the backupTarget argument).
Figure 8.14 Backing Up the Server to DVD
5. At the Do you want to start the backup operation? prompt, type Y for yes and press Enter.
6. Now you are told to insert new media, which in this case is a DVD, which we will label as SIPOC 2008_01_14 23:19 DVD_01, as shown in Figure 8.15. The naming standard is <server name>