Tag Archives: AD DS

Time Based Group Membership – AD DS 2016

AD DS in Windows Server 2016 allows administrators to assign temporary group membership, expressed as a TTL (Time-To-Live) value. This value is also carried in the Kerberos ticket. The feature is also called the "Expiring-Link" feature. When a user is given a temporary group membership, the lifetime of their Kerberos ticket-granting ticket (TGT) is set equal to the lowest TTL value among their memberships.

This feature is not enabled by default, because it requires the forest functional level to be Windows Server 2016. Also, once the feature is enabled, it cannot be disabled.

Let's see how it works.

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target rebeladmin.com

rebeladmin.com should be replaced with your own forest FQDN.

I have a user called Peter who needs Domain Admins group membership for 15 minutes.

Get-ADGroupMember "Domain Admins" lists the current members of the Domain Admins group.

The next step is to add Peter to the Domain Admins group for 15 minutes.

Add-ADGroupMember -Identity 'Domain Admins' -Members 'peter' -MemberTimeToLive (New-TimeSpan -Minutes 15)

Once it has run, we can verify the TTL remaining on the group membership using:

Get-ADGroup 'Domain Admins' -Property member -ShowMemberTimeToLive

Once I log in as the user and list the Kerberos tickets, the TGT shows a renew time of less than 15 minutes, because I logged in a few minutes after the membership was granted.

When the TGT comes up for renewal, the user will no longer be a member of the Domain Admins group.
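The following script is an added example and not code from the original post: it puts the steps above together, checks the two prerequisites the post mentions (forest functional level and the optional feature, which cannot be switched off again once enabled) before touching anything, grants the time-bound membership, and then parses the TTL values that Get-ADGroup -ShowMemberTimeToLive returns so that every temporary member of the group is listed with its remaining time. The forest name rebeladmin.com, the user peter, the group Domain Admins and the 15 minutes are the post's demo values.

```powershell
# Added example (not from the original post): prerequisites, time-bound grant, TTL report.
# Demo values taken from the post; replace them with your own.
Import-Module ActiveDirectory

$Forest  = 'rebeladmin.com'
$Group   = 'Domain Admins'
$User    = 'peter'
$Minutes = 15

# 1. The Expiring-Link feature needs a Windows Server 2016 forest functional level.
$forestInfo = Get-ADForest -Identity $Forest
if ($forestInfo.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest) {
    throw "Forest functional level is $($forestInfo.ForestMode); Windows2016Forest is required."
}

# 2. Enable the optional feature only if it is not already enabled. Enabling is
#    irreversible, so the check avoids a needless (and permanent) change.
$feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

# 3. Grant the membership with a TTL instead of a permanent link.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)

# 4. Read the membership back. With -ShowMemberTimeToLive, temporary members are
#    returned as '<TTL=<seconds>,<DN>>' strings; permanent members are plain DNs.
function Get-TemporaryMembers {
    param([string]$GroupName)
    $members = (Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive).member
    foreach ($m in $members) {
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            $seconds = [int]$Matches[1]
            [PSCustomObject]@{
                Member           = $Matches[2]
                RemainingSeconds = $seconds
                ExpiresAt        = (Get-Date).AddSeconds($seconds)
            }
        }
    }
}

Get-TemporaryMembers -GroupName $Group | Format-Table -AutoSize
```

On the user's own machine, klist shows the TGT's end time capped to the smallest remaining TTL, which is the behaviour the post describes: when that ticket expires the user has to re-authenticate, and the expired link no longer appears in the group's membership.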

Hope this was useful, and if you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step guide to setup Active Directory on Windows Server 2016

The long wait is over: Windows Server 2016 has been available to the public since Oct 12, 2016, so most people are looking for upgrade paths, or at least starting to test it in their lab environments (if they weren't brave enough to try the technical previews :) ).

What is new in Active Directory? 

There are interesting new features such as time-based group membership, privileged access management, etc., but in this post I am not going to discuss those, as I am going to write separate articles with more information about each new feature. In the meantime you can find more details at https://technet.microsoft.com/en-us/windows-server-docs/identity/whats-new-active-directory-domain-services

In this post I am going to demonstrate how to install Active Directory on Windows Server 2016.

Before the AD install it is important to understand the minimum requirements for installing Windows Server 2016. This information can be found at https://technet.microsoft.com/en-us/windows-server-docs/get-started/system-requirements--and-installation

Processor
• 1.4 GHz 64-bit processor
• Compatible with x64 instruction set
• Supports NX and DEP
• Supports CMPXCHG16b, LAHF/SAHF, and PrefetchW
• Supports Second Level Address Translation (EPT or NPT)

Coreinfo is a tool you can use to confirm which of these capabilities your CPU has.

RAM
• 512 MB (2 GB for Server with Desktop Experience installation option)
• ECC (Error Correcting Code) type or similar technology

Storage controller and disk space requirements

Computers that run Windows Server 2016 must include a storage adapter that is compliant with the PCI Express architecture specification. Persistent storage devices on servers classified as hard disk drives must not be PATA. Windows Server 2016 does not allow ATA/PATA/IDE/EIDE for boot, page, or data drives.

The following are the estimated minimum disk space requirements for the system partition.
• Minimum: 32 GB

Network adapter requirements

Minimum:
• An Ethernet adapter capable of at least gigabit throughput
• Compliant with the PCI Express architecture specification
• Supports Pre-boot Execution Environment (PXE)

A network adapter that supports network debugging (KDNet) is useful, but not a minimum requirement.

In my demo I am using a virtual server running Windows Server 2016 Datacenter. To set up Active Directory we need to log in as the local administrator. The first thing to check is the IP address configuration.

1) Once Active Directory is set up on the server, the server will also act as a DNS server. Therefore change the DNS settings on the network interface and set the server's own IP address (or the loopback address 127.0.0.1) as the primary DNS server.

2) Then open Server Manager: open PowerShell (as administrator), type ServerManager.exe and press Enter.

3) In Server Manager, click "Add roles and features".

4) This opens the Add Roles and Features wizard. Click Next to proceed.

5) In the next window keep the default and click Next.

6) Since this is going to be the local server, keep the default selection in the next window and click Next.

7) In the next window, tick the box for Active Directory Domain Services in the roles list. The wizard will then show you the features associated with the role; click "Add Features" to add them, then click Next to continue.

8) On the Features page keep the defaults and click Next to proceed.

9) The next window gives a brief description of the AD DS service. Click Next to proceed.

10) The wizard then asks for confirmation of the installation; click Install to start the role installation.

11) The installation process then starts.

12) Once the installation completes, click the option "Promote this server to a domain controller".

13) This opens the Active Directory Domain Services Configuration Wizard. In my demo I am going to set up a new forest, but if you are adding this server to an existing domain you can choose the relevant option (I am going to write a separate article covering how to upgrade from older versions of Active Directory). Select the option to add a new forest, type the FQDN for the domain, and click Next.

14) On the next page you can select the domain and forest functional levels; I am going to set them to the latest. Then type a password for DSRM and click Next.

15) For the DNS options, this is going to be the first DNS server in the new forest, so no modifications are needed. Click Next to proceed.

16) For the NetBIOS name keep the default and click Next.

17) The next page defines the NTDS, SYSVOL and log file folders. You can keep the defaults or define different paths; in the demo I keep the defaults. Once done, click Next to continue.

18) The next page lets you review the configuration changes. If everything is okay, click Next to proceed; otherwise go back and change the settings.

19) The next window runs the prerequisite check. If all is good it enables the Install option. Click Install to begin the installation.

20) The installation process starts.

21) After the installation the system restarts automatically. Once it comes back, log in to the server as a domain admin.

22) Once logged in, open PowerShell (as administrator), type dsac.exe and press Enter. This opens the Active Directory Administrative Center, where you can start managing resources.

23) You can also use Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode from PowerShell to confirm the domain and forest functional levels.

Hope this was helpful and if you have any questions feel free to contact me on rebeladm@live.com

Service Accounts

In an organization there can be a lot of applications and services running to serve its user base. Sometimes, when you set up an application or service, it asks you to use a service account with certain permissions.

On a computer we can normally run an application as Local Service, Network Service or Local System. If required, you can also use a user account set up on the domain or on the local computer.

Traditional Service Account

Well, in the past (before Windows Server 2008 R2) a service account was nothing but a user account. As you know, by default a typical user account's password expires (in a domain this depends on group policy); if that happens to a service account, the service or application stops running because it can no longer authenticate. So what is usually done is to create a user account and set its password to "never expire", which makes it more vulnerable.

Managed Service Accounts

Microsoft introduced Managed Service Accounts (MSAs) with Windows Server 2008 R2 to address the issues with traditional service accounts.

With traditional service accounts, handling password changes is a nightmare, but an MSA changes its password automatically. In AD DS the MSA object is stored as msDS-ManagedServiceAccount. However, MSAs cannot be used across multiple computers or in a cluster environment. An MSA uses a complex, random, 240-character password and changes it automatically when the domain or computer password expiry date is reached (30 days by default). It also cannot be locked out and cannot be used for interactive logins. The main benefits of MSAs are automatic password change and simplified SPN (Service Principal Name) management.

In AD DS, MSAs are stored under the CN=Managed Service Accounts,DC=<domain>,DC=<com> container.

To run MSAs you need the following in your environment:
• Windows server 2008 R2 or later domain controller
• AD module for powershell
• .NET framework 3.5

Let's see how we can create an MSA.

1) Open a PowerShell prompt with domain administrator privileges.

2) To create the service account:
New-ADServiceAccount -Name <MSA_Name> -DNSHostname <DNS name of Domain_Controller>

So in my demo:
New-ADServiceAccount -Name testmsa1 -DNSHostname DCM1.canitpro.local

3) Then we need to associate it with the computer object:

Add-ADComputerServiceAccount -Identity <Host_Computer_Name> -ServiceAccount <MSA_Name>

In my demo I associate it with the computer DCM1:

Add-ADComputerServiceAccount -Identity DCM1 -ServiceAccount testmsa1

4) Then we need to install the MSA on the host computer:

Install-ADServiceAccount -Identity <MSA_Name>

In my demo:

Install-ADServiceAccount -Identity testmsa1

Now we can use it to assign to a service. If you look in AD now, you can see the new account under the Managed Service Accounts container.
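The script below is an added example, not the post's own code: it runs the four steps above as one idempotent script and then verifies what the post checks by eye in the GUI (that the object sits in the Managed Service Accounts container, that it is bound to the host, and that the host can actually retrieve its password). It uses the post's demo values testmsa1 and DCM1.canitpro.local, and assumes the AD module from Windows Server 2012 or later, where -RestrictToSingleComputer exists; on a 2012 or later DC that switch is what makes New-ADServiceAccount create the per-computer MSA the post describes rather than a group MSA.

```powershell
# Added example (not from the original post): create, bind, install and verify a
# standalone MSA. Demo values from the post; assumes a 2012+ ActiveDirectory module.
Import-Module ActiveDirectory

$MsaName  = 'testmsa1'
$HostName = 'DCM1'
$HostFqdn = 'DCM1.canitpro.local'   # the host that will run the service (the DC itself in the demo)

# Step 2: create the account once. -RestrictToSingleComputer yields the
# msDS-ManagedServiceAccount object tied to one computer, as described above.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$MsaName'")) {
    New-ADServiceAccount -Name $MsaName -DNSHostName $HostFqdn -RestrictToSingleComputer
}

# Step 3: allow the host's computer object to retrieve this account's password.
Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $MsaName

# Step 4: run on the host itself, so the local LSA caches the account.
Install-ADServiceAccount -Identity $MsaName

# Verification: container placement, host binding (msDS-HostServiceAccountBL is the
# back-link of the computer's msDS-HostServiceAccount attribute), password age and
# whether this host can use the account (Test-ADServiceAccount returns $true/$false).
function Test-MsaReady {
    param([string]$Name)
    $acct = Get-ADServiceAccount -Identity $Name -Properties PasswordLastSet, 'msDS-HostServiceAccountBL'
    [PSCustomObject]@{
        Name            = $acct.Name
        InMsaContainer  = $acct.DistinguishedName -like '*,CN=Managed Service Accounts,DC=*'
        BoundTo         = @($acct.'msDS-HostServiceAccountBL') -join ';'
        PasswordLastSet = $acct.PasswordLastSet   # rotates automatically, 30 days by default
        HostCanUseIt    = Test-ADServiceAccount -Identity $Name
    }
}

Test-MsaReady -Name $MsaName | Format-List
```

If HostCanUseIt comes back $false, the usual causes are that step 3 was run against the wrong computer object or that step 4 was run on a machine other than the one named in step 3; the service will fail to start in the same way a traditional account with an expired password would.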

If you have any question feel free to contact me on rebeladm@live.com

Step-by-Step Guide to install Active Directory on Windows server technical preview 2

Microsoft has released Windows Server 2016 Technical Preview 2 to the public; I am sure most of you already got the news. In this article I am going to demonstrate how we can install AD DS on Windows Server 2016 TP2.

You can download Windows Server 2016 TP2 from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-previewit

You can deploy it using the .iso or .vhd file. If you notice, the installation no longer lets you select the GUI option during setup. It gives two options to select from: one installs the Core version, and the one with administrative tools gives the ability to use admin tools such as Server Manager. If you want the full GUI, you need to install it afterwards using Server Manager or the command Install-WindowsFeature Server-Gui-Shell -Restart -Source wim:E:\sources\install.wim:4

Here E: is the DVD with the Windows Server 2016 source files.

What is new in AD DS?

It may be too early to look at what Windows Server 2016 will bring on the AD side, but here are a few new features and enhancements available in the TP.

Privileged Access Management – This PAM feature helps mitigate security concerns in an AD environment caused by techniques such as pass-the-hash and spear phishing.

Azure AD Join – This enhances the identity experience for businesses, including benefits such as SSO, access to organizational resources, MDM integration, etc.

Microsoft Passport – Microsoft Passport is a new key-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on breach-, theft- and phish-resistant credentials.

Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels – Although File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in previous versions of Windows Server, it bears repeating that the Windows Server 2003 operating system is no longer supported. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

A complete description of these features can be found at https://technet.microsoft.com/en-us/library/mt163897.aspx

Let's get started. In my demo I am using Windows Server 2016 TP2 with GUI.
Log in to the server as administrator, then load Server Manager.

Then go to Manage > Add Roles and Features.

In the wizard click Next.

For the installation type, keep the default selection and click Next.

For the server selection keep the default and click Next.

In the role selection window select "Active Directory Domain Services" and click Next. It will then ask to add the dependent features; click the Add Features button, then click Next.

In the features selection keep the default selection and click Next to continue.

It then shows a description window about AD DS. Click Next to proceed.

In the next window click the Install button to install the AD DS role.

Once it is finished, click the link "Promote this server to a domain controller".

This opens the new wizard for the AD DS configuration. Here I am going to deploy a new forest, so make the relevant selection, fill in the information and click Next.

In the next window set the forest and domain functional levels to "Windows Server Technical Preview", add domain controller capabilities such as DNS, enter the DSRM password and click Next.

Then click Next to complete DNS delegation.

In the next window we can specify the NetBIOS name; then click Next to continue.

In the next window select the paths for the database installation etc., then click Next.

It then gives the option to review the configuration; click Next to continue.

Once the prerequisite check is done, click Install to proceed.

The installation process then starts, and the server reboots automatically once it completes.
After the reboot we can see AD DS is configured and functioning as expected.
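Both step-by-step guides on this page (the Windows Server 2016 install above and this TP2 walk-through) perform the same new-forest deployment through Server Manager. The script below is an added example, not code from either post, showing the equivalent done from PowerShell on the released Windows Server 2016 build: it sets the DNS client to the server itself (step 1 of the 2016 guide), installs the role, runs the same prerequisite check the wizard runs before changing anything, promotes the server, and provides a function for the post-reboot check from step 23. The interface name Ethernet, the address 10.0.0.10, the forest name rebeladmin.com and the NetBIOS name REBELADMIN are placeholders; the DSRM password is prompted for at run time so it never lands in a script file or shell history.

```powershell
# Added example (not from the original posts): new-forest deployment from PowerShell.
# Placeholders: NIC 'Ethernet', static IP 10.0.0.10, forest rebeladmin.com / REBELADMIN.
$InterfaceAlias = 'Ethernet'
$ServerIp       = '10.0.0.10'
$DomainName     = 'rebeladmin.com'
$NetbiosName    = 'REBELADMIN'

# Guide step 1: this server becomes its own DNS server, so point the resolver at itself.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $ServerIp, '127.0.0.1'

# Guide steps 2-11: install the AD DS role together with its management tools.
$role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $role.Success) { throw "AD DS role installation failed (exit code $($role.ExitCode))" }

# The DSRM password is read interactively rather than stored in the script.
$dsrm = Read-Host -Prompt 'DSRM administrator password' -AsSecureString

# Guide step 19: the wizard's prerequisite check, run stand-alone before promoting.
$check = Test-ADDSForestInstallation -DomainName $DomainName `
             -SafeModeAdministratorPassword $dsrm -InstallDns
$check.Message
if ($check.Status -ne 'Success') { throw "Prerequisite check failed: $($check.Message)" }

# Guide steps 13-20: first DC of a new forest. WinThreshold is the Windows Server 2016
# functional level; the database, log and SYSVOL paths are the wizard's defaults.
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode WinThreshold `
    -DomainMode WinThreshold `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# The server reboots on completion, exactly as the wizard does.

# Guide steps 21-23, run after the reboot as a domain admin: confirm the functional
# levels and that the core DC services are running.
function Test-NewForest {
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [PSCustomObject]@{
        Domain     = $domain.DNSRoot
        DomainMode = $domain.DomainMode
        Forest     = $forest.Name
        ForestMode = $forest.ForestMode
        Services   = (Get-Service -Name NTDS, DNS, Netlogon, Kdc |
                      ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    }
}
```

After the reboot, dot-source the script's function definition (or paste Test-NewForest into an elevated PowerShell session) and run Test-NewForest; DomainMode and ForestMode should both read Windows2016Forest/Windows2016Domain, and all four services should show Running. Any service not running at that point is the first thing to investigate before joining members or creating accounts.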

This completes the installation process. The steps are very similar to the AD DS installation on Windows Server 2012.

If you have any issues feel free to contact me on rebeladm@live.com