Tag Archives: Domain Controller

Group Policy Security Filtering

Group Policy can map to Sites, Domain and OUs. If group policy is mapped to OU, by default it will apply to any object under it. But within a OU, Domain or Site there are lots of objects. The security, system or application settings requirements covers by group policies not always applies to boarder target groups. Group Policy filtering capabilities allows to further narrow down the group policy target to security groups or individual objects. 

There are few different ways we can do the filtering in group policy.

1) Security Filtering

2) WMI Filtering

In this post we are going to look in to Security Filtering. In one of my previous post I already covered WMI filtering. It can be found under http://www.rebeladmin.com/2018/02/group-policy-wmi-filters-nutshell/ 

Before apply the security filtering, the first thing to make sure is group policy mapped correctly to the Site, Domain or OU. The security group or the objects you going to target should be under correct level where group policy is mapped. 

We can use the GMPC or PowerShell cmdlets to add the security filtering to GPO.

gsec1
As you can see, by default any policy have “Authenticated Users” group added to the security filtering. It means by default the policy will apply to any authenticated user in that OU. When we add any group or object to security filtering, it also creates entry under delegation. In order to apply a group policy to an object, it needs minimum of,
 
1) READ
2) APPLY GROUP POLICY
 
Any object added to the Security Filtering section will have both of these permissions set by default. Same way if an object added directly to delegation section and apply both permissions, it will list down those objects under Security Filtering section. 
Now, before we add custom objects to the filtering, we need change the default behavior of the security filtering with “Authenticated Users”. Otherwise it doesn’t matter what security group or object you add it will still apply group policy settings to any authenticated user. Before Microsoft release security patch MS16-072 in year 2016, we can simply remove the Authenticated Users group and add the required objects to it. with this new security patch changes, group policies now will run with in computer security context. Before it was executed with in user’s security context. In order to accommodate this new security requirements, one of following permissions must be available under group policy delegation. 
 
Authenticated Users – READ
Domain Computers – READ
 
In order to edit these changes, Go to Group Policy, Then to Delegation tab, Click on Advanced, Select Authenticated users and then remove Apply group policy permissions. 
 
gsec2
 
Now we can go back to Scope tab and add the required security group or objects in to security filtering section. it will automatically add the relevant Read and Apply Group Policy permissions. 
 
gsec3
 
In here we looking in to how to apply group policy to specific target, but it also allows to explicitly allow it to large number of objects and block groups or object by applying it. as an example, let’s assume we have a OU with few hundred objects from different classes. From all these we have like 10 computer objects which we do not need to apply a given group policy. Which one is easy? go and add each and every security group and object to security filtering or allow every one for group policy and block it only for one security group? Microsoft allows to use the second method in filtering too. In order to do that, group policy should have default security filtering which is “Authenticated users” with READ and APPLY GROUP POLICY permissions. Then go to Delegation tab and click on Advanced option. In next window click on Add button and select the group or object that you need to block access to. 
 
gsec4
 
Now in here we are denying READ and APPLY GROUP POLICY permissions to an object. So, it will not able to apply the group policy and all other object under that OU will still able to read and apply group policy. Easy ha?
 
This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Replication Status Review Using PowerShell

Data Replication is crucial for healthy Active Directory Environment. There are different ways to check status of replication. In this article I am going to explain how you can check status of domain replication using PowerShell.

For a given domain controller we can find its inbound replication partners using, 

Get-ADReplicationPartnerMetadata -Target REBEL-SRV01.rebeladmin.com

Above command provide detail description for the given domain controller including last successful replication, replication partition, server etc. 

We can list down all the inbound replication partners for given domain using, 

Get-ADReplicationPartnerMetadata -Target "rebeladmin.com" -Scope Domain

In above command the scope is defined as the domain. this can change to forest and get list of inbound partners in the forest. The output is for default partition.  If needed the partition can change using – Partition to Configuration or Schema partition. It will list down the relevant inbound partners for given partition. 

Associated replication failures for a site, forest, domain, domain controller can find using Get-ADReplicationFailure cmdlet. 

Get-ADReplicationFailure -Target REBEL-SRV01.rebeladmin.com

Above command will list down the replication failures for the given domain controller. 

Replication failures for domain can find out using, 

Get-ADReplicationFailure -Target rebeladmin.com -Scope Domain

Replication failures for forest can find out using, 

Get-ADReplicationFailure -Target rebeladmin.com -Scope Forest

Replication failures for site can find out using, 

Get-ADReplicationFailure -Target LondonSite -Scope Site

In command, LondonSite can replace using relevant site name. 

Using both Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure, following PowerShell script can provide report against specified domain controller. 

## Active Directory Domain Controller Replication Status##

$domaincontroller = Read-Host 'What is your Domain Controller?'

## Define Objects ##

$report = New-Object PSObject -Property @{

ReplicationPartners = $null

LastReplication = $null

FailureCount = $null

FailureType = $null

FirstFailure = $null

}

## Replication Partners ##

$report.ReplicationPartners = (Get-ADReplicationPartnerMetadata -Target $domaincontroller).Partner

$report.LastReplication = (Get-ADReplicationPartnerMetadata -Target $domaincontroller).LastReplicationSuccess

## Replication Failures ##

$report.FailureCount  = (Get-ADReplicationFailure -Target $domaincontroller).FailureCount

$report.FailureType = (Get-ADReplicationFailure -Target $domaincontroller).FailureType

$report.FirstFailure = (Get-ADReplicationFailure -Target $domaincontroller).FirstFailureTime

## Format Output ##

$report | select ReplicationPartners,LastReplication,FirstFailure,FailureCount,FailureType | Out-GridView

In this command, it will give option for engineer to specify the Domain Controller name. 

$domaincontroller = Read-Host 'What is your Domain Controller?'

Then its creates some object and map those to result of the PowerShell command outputs. Last but not least it provides a report to display a report including, 

Replication Partner (ReplicationPartners)

Last Successful Replication (LastReplication)

AD Replication Failure Count (FailureCount)

AD Replication Failure Type (FailureType)

AD Replication Failure First Recorded Time (FirstFailure)

repower1

Further to Active Directory replication topologies, there are two types of replications.

1) Intra-Site – Replications between domain controllers in same Active Directory Site

2) Inter-Site – Replication between domain controllers in different Active Directory Site

We can review AD replication site objects using Get-ADReplicationSite cmdlet. 

Get-ADReplicationSite -Filter *

Above command returns all the AD replication sites in the AD forest. 

repower2

We can review AD replication site links on the AD forest using, 

Get-ADReplicationSiteLink -Filter *

In site links, most important information is to know the site cost and replication schedule. It allows ro understand the replication topology and expected delays on replications. 

Get-ADReplicationSiteLink -Filter {SitesIncluded -eq "CanadaSite"} | Format-Table Name,Cost,ReplicationFrequencyInMinutes -A

Above command list all the replication sites link included CanadaSite AD site along with the site link name, link cost, replication frequency. 

A site link bridge can use to bundle two or more site links and enables transitivity between site links.

Site link bridge information can retrieve using, 

Get-ADReplicationSiteLinkBridge -Filter *

Active Directory sites may use multiple IP address segments for its operations. It is important to associate those with the AD site configuration so domain controllers know which computer related to which site. 

Get-ADReplicationSubnet -Filter * | Format-Table Name,Site -A

Above command will list down all the Subnets in the forest in a table with subnet name and AD site.

repower3

Bridgehead servers are operating as the primary communication point to handle replication data which comes in and go out from AD site. 

We can list down all the preferred bridgehead servers in a domain using, 

$BHservers = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com").bridgeheadServerListBL

$BHservers | Out-GridView

In above command the attribute value bridgeheadServerListBL retrieve via ADSI connection. 

We can list down all of these findings using on script. 

## Script to gather information about Replication Topology ##

## Define Objects ##

$replreport = New-Object PSObject -Property @{

Domain = $null

}

## Find Domain Information ##

$replreport.Domain = (Get-ADDomain).DNSroot

## List down the AD sites in the Domain ##

$a = (Get-ADReplicationSite -Filter *)

Write-Host "########" $replreport.Domain "Domain AD Sites" "########"

$a | Format-Table Description,Name -AutoSize

## List down Replication Site link Information ##

$b = (Get-ADReplicationSiteLink -Filter *)

Write-Host "########" $replreport.Domain "Domain AD Replication SiteLink Information" "########"

$b | Format-Table Name,Cost,ReplicationFrequencyInMinutes -AutoSize

## List down SiteLink Bridge Information ##

$c = (Get-ADReplicationSiteLinkBridge -Filter *)

Write-Host "########" $replreport.Domain "Domain AD SiteLink Bridge Information" "########"

$c | select Name,SiteLinksIncluded | Format-List

## List down Subnet Information ##

$d = (Get-ADReplicationSubnet -Filter * | select Name,Site)

Write-Host "########" $replreport.Domain "Domain Subnet Information" "########"

$d | Format-Table Name,Site -AutoSize

## List down Prefered BridgeHead Servers ##

$e = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com").bridgeheadServerListBL

Write-Host "########" $replreport.Domain "Domain Prefered BridgeHead Servers" "########"

$e

## End of the Script ##

The only thing we need to change is the ADSI connection with relevant domain DN. 

$e = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com")

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Manage Active Directory Permissions with Delegate Control method

In one of my previous post I explained how we can manage AD administration privileges using ACLs. If you didn’t read it yet you can find it using http://www.rebeladmin.com/2018/02/step-step-guide-manage-active-directory-permissions-using-object-acls/

This Delegate Control method also works similar to ACLs, but its simplified the process as its uses,

Delegation of Control Wizard which can use to apply delegated permissions. 

Allows to use predefined tasks and assign permission to those

The Wizard contain following predefined tasks which can use to assign permissions. 

Create, delete, and manage user accounts

Reset user passwords and force password change at next logon

Read all user information

Create, delete and manage groups

Modify the membership of a group

Manage Group Policy links

Generate Resultant Set of Policy (Planning)

Generate Resultant Set of Policy (Logging)

Create, delete, and manage inetOrgPerson accounts

Reset inetOrgPerson passwords and force password change at next logon

Read all inetOrgPerson information

This also allows to create custom task to delegate permissions, if it’s not covered from the common task list. 

Similar to ACLs, Permissions can apply in,

1) Site – Delegated permission will valid for all the objects under the given Active Directory Site. 

2) Domain – Delegated permission will valid for all the objects under the given Active Directory Domain. 

3) OU – Delegated permission will valid for all the objects under the given Active Directory OU.

As an example, I have a security group called Second Line Engineers and Scott is a member of it. I like to allow members of this group to reset password for objects in OU=Users,OU=Europe,DC=rebeladmin,DC and nothing else. 

1) Log in to Domain Controller as Domain Admin/Enterprise Admin

2) Review Group Membership Using 

Get-ADGroupMember “Second Line Engineers”

dele1

3) Go to ADUC, right click on the Europe OU, then from list click on “Delegate Control

4) This will open new wizard, in initial page click Next to proceed. 

5) In next page, Click on Add button and add the Second Line Engineers group to it. Then click Next to proceed.

dele2

6) From the task to delegate window select Delegate the following common tasks option and from list select Reset user passwords and force password change at next logon. In this page, we can select multiple tasks. If none of those works, we still can create custom task to delegate. Once completes the selection, click next to proceed. 

dele3

7) This completes the wizard and click on Finish to complete. 

8) Now it’s time for testing. I log in to Windows 10 computer which has RSAT tools installed as user Scott. 

According to permissions, I should be able to reset password of an object under OU=Users,OU=Europe,DC=rebeladmin,DC

Set-ADAccountPassword -Identity dfrancis

This allows to change the password successfully. 

dele4

However, it should not allow to delete any objects. we can test it using,

Remove-ADUser -Identity "CN=Dishan Francis,OU=Users,OU=Europe,DC=rebeladmin,DC=com"

And as expected, it returns access denied error. 

dele5

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Integrity check to Detect Low Level Active Directory Database Corruption

Active Directory maintains a multi-master database. like any other database there can be data corruptions, crashes, data lost etc. In my entire career, I still did not come across with a situation that a full database recovery is required in production environment. The reason is AD DS database is keep replicating to other available Domain Controllers and it is very rare that all the available Domain Controllers crash in same time and loose data.

By running integrity check, we can identify binary level AD database corruption. This comes as part of the Ntdsutil tool which use for Active Directory database maintenance. This go through every byte of the database file. The integrity command also checks if correct headers exist in the database itself and if all of the tables are functioning and consistent. This process also run as part of Active Directory Service Restore Mode (DRSM).

This check need to run with NTDS service off. 

In order to run integrity check,

1) Log in to Domain Controller as Domain/Enterprise Administrator
2) Open PowerShell as Administrator
3) Stop NTDS service using net stop ntds
4) Type 
 
ntdsutil
activate instance ntds
files
integrity
 
ntds1
 
5) In order to exit from the utility type, quit.
6) it is also recommended to run Semantic database analysis to confirm the consistency of active directory database contents. 
7) In order to do it, 
 
ntdsutil
activate instance ntds
semantic database analysis
go
 
ntds2
 
8) If its detected any integrity issues can type go fixup to fix the errors. 
9) After process is completed, type net start ntds to start the ntds service.
 
This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step guide to Manage Active Directory Permissions using Object ACLs

Users or groups access and permissions to a shared folder is controlled by its Access Control List (ACL). Similar way we can define permissions to Active Directory Objects. This can apply to individual object or apply to AD Site/Domain/OU and then inherit to lower level objects. 

As an Example, I have a security group called “First Line Engineers” and Liam is a member of this group. Liam is engineer of Europe office. In active directory environment, he should allow to add user objects under any sub OU in “Europe” OU. But he should not be allowed to delete any object under it. Let’s see how we can do it using ACLs. 

1) Log in to Domain Controller as Domain Admin/Enterprise Admin

2) Review Group Membership Using 

Get-ADGroupMember “First Line Engineers”

acl1

3) Go to ADUC, right click on the Europe OU and click properties. Then go to Security tab.

4) In security tab, click on Add 

5) In the new window, type First Line Engineers and click Ok. After, In Security Tab, select First Line Engineers and click on Advanced

acl2

6) In next window, select the First Line Engineers from the list and click on Edit

7) From Applies to list select “This object and all descendant objects”. Then it will apply permission to all child objects. 

acl3

8) Under the Permissions section, tick Create All child objects and click Ok

9) Then keep clicking Ok until all permission window closed. 

10) Then I log in to Windows 10 computer which has RSAT tools installed as user Liam. 

11) According to permissions, he should be able to add user account under Europe OU. 

New-ADUser -Name "Dale" -Path "OU=Users,OU=Europe,DC=rebeladmin,DC=com"

This successfully add the user. Let’s see if we can add another user on different OU. 

New-ADUser -Name "Simon" -Path "OU=Users,OU=Asia,DC=rebeladmin,DC=com"

And as soon as I run it, I gets access denied error. 

acl4

According to applied permissions, I should not be able to delete any object under OU=Users,OU=Europe,DC=rebeladmin,DC=com either. Let’s check it using, 

Remove-ADUser -Identity "CN=Dishan Francis,OU=Users,OU= Europe,DC=rebeladmin,DC=com"

And as soon as I run it, I gets access denied error. 

acl5

As above confirms we can manage permissions for AD management tasks in granular level. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step Guide to Setup Read-only Domain Controller (PowerShell Guide)

RODC are a great feature which is introduce with windows server 2008 in order to maintain a low risk domain controller in locations where it cannot guarantee physical security and the maintenance. Though out article we have discussed possible scenarios where we required a domain controller in a remote site. When considering a domain controller in remote site, the link between site is not the only thing we need to focus on. When we deploy a domain controller, by default it will be aware of any changes in active directory structure. Once an update trigger, it updates its own copy of the active directory database. This ntds.dit file is contain everything about active directory infrastructure, including identity data of the user objects. If its falls in to wrong hands, they can retrieve data related to identities and compromise the identity infrastructure. when consider about information security, the physical security is also important. That’s why the datacenters have al sort of security standards. So, when deploying a domain controller in remote site, physical security also a consideration as we do not need to have loose ends. If you have a requirement for domain controller in remote site and yet you cannot confirm its security the RODC is the answer. RODC do not store any password in its database. All the authentication request against an object will be process by the closest writable domain controller. So even someone manage to get copy of the database they will not be able to do much. 

RODC deployment process involves following stages. In this process, we can use a pre-selected account and promote the RODC using it instead of using Domain Admin or Enterprise Administrator account. 

1) Setup Computer Account for RODC domain controller

2) Attached that account to the RODC during the promo process

In order to create RODC computer account we can use Add-ADDSReadOnlyDomainControllerAccount cmdlet. 

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName REBEL-RODC-01 -DomainName rebeladmin.com -DelegatedAdministratorAccountName "rebeladmin\dfrancis" -SiteName LondonSite

Above command will create RODC domain controller account for REBEL-RODC-01. The domain name is defined using -DomainName and -DelegatedAdministratorAccountName defines which account to delegate the RODC installation. The new RODC will be place in LondonSite

rodc1

Now we can see the newly added object under the Active Directory Domain Controllers.

rodc2

Now we have things ready for the new RODC and next step is to promote it. 

Install-WindowsFeature –Name AD-Domain-Services -IncludeManagementTools

Above command will install the AD DS role first in the RODC. Once its completed we can promote it using, 

Import-Module ADDSDeployment  

Install-ADDSDomainController `  

-Credential (Get-Credential) `  

-CriticalReplicationOnly:$false `  

-DatabasePath "C:\Windows\NTDS" `  

-DomainName "rebeladmin.com" ` 

-LogPath "C:\Windows\NTDS" `

-ReplicationSourceDC "REBEL-PDC-01.rebeladmin.com" `

-SYSVOLPath "C:\Windows\SYSVOL" `  

-UseExistingAccount:$true `  

-Norebootoncompletion:$false  

-Force:$true

Once this is executed it will prompt for the user account and we need to input user account info which was delegated for RODC deployment. The command is very similar to regular domain promotion. 

Now we have the RODC and next steps to look in to password replication policies (PRPs). 

The default policy is already in place and we can view the allowed and denied list using,

Get-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -Allowed

Above command will list down the allowed objects for password caching. By default, a security group called “Allowed RODC Password Replication Group” is allowed for the replication. This doesn’t contain any members by default. By adding object to this group will allow caching. 

Get-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -Denied

Above command list down the denied objects for password caching. By default, following security groups are in the denied list. 

Denied RODC Password Replication Group

Account Operators

Server Operators

Backup Operators

Administrators

These are high privileged accounts in active directory infrastructure these should not be cached at all. By adding objects to Denied RODC Password Replication Group, we can simply block the replication. 

Apart from the use of predefine security groups we can add objects to allow and denied list using Add-ADDomainControllerPasswordReplicationPolicy cmdlet. 

Add-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -AllowedList "user1"

Above command will add user object user1 to the allowed list. 

rodc3

Add-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -DeniedList "user2"

The above command will add the user object “user2” to the denied list. 

rodc4

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step guide to force replication for an AD Object (PowerShell Guide)

Once object is added to a domain controller, it needs to replicate to all other domain controllers. otherwise users will face issues on login, using AD integrated application and services etc. The replication is depending on many different facts such as replication schedule, intra site connectivity. However sometime it is required to force the replication between domain controllers for fast results. Following script can use to replicate a object from one DC to another forcefully. 

## Replicate Object to From Domain Controller to Another ##

$myobject = Read-Host 'What is your AD Object Includes?'

$sourcedc = Read-Host 'What is the Source DC ?'

$destinationdc = Read-Host 'What is the Destination DC ?'

$passobject = (Get-ADObject -Filter {Name -Like $myobject})

Sync-ADObject -object $passobject -source $sourcedc -destination $destinationdc

Write-Host "Given Object Replicated to" $destinationdc

Above script will ask for few questions, 

1) Name of Object – This no need to be DN. All need is text included in object Name field

2) Source DC – Hostname of Source DC

3) Destination DC – Hostname of Destination DC

Once relevance info provided, the object will be replicated forcefully. 

frep1

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Group Policy: WMI Filters in a nutshell

Windows Management Instrumentation (WMI) filters is another method that we can use to filter the group policy target. This method is only can use to filter the computer objects and it based on computer attribute values. As an example, WMI filters can use to filter out different operating system versions, processor architecture (32bit/64bit), Windows server roles, Registry settings, Event id etc. WMI filters will run against WMI data of the computers and decide if it should apply policy or not. If its match the WMI query it will process the group policy and if its false it will not process the group policy. This method was first introduced with windows server 2003. 

We can use GPMC to create/manage WMI filters. Before apply filter to a GPO, first we need to create it. Single WMI filter can attach to many GPO buy a GPO only can have single WMI filter attached. 

To create WMI filter, Open GPMC, right click on WMI Filter and click New.

wmi1

It will open up the new window where we can define the WMI query. 

wmi2

By clicking on Add button we can define the Namespace and WMI query. As an example, I have created a WMI query to filter out windows 10 operating system runs 32-bit version. 

select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

In below you can find few examples of commonly use WMI queries,

To Filter OS – Windows 8 – 64bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND OSArchitecture = "64-bit"

To Filter OS – Windows 8 – 32 bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

To Filter any Windows server OS – 64bit

select * from Win32_OperatingSystem where (ProductType = "2") OR (ProductType = "3") AND  OSArchitecture = "64-bit"

To apply policy in selected day of the week

select DayOfWeek from Win32_LocalTime where DayOfWeek = 1

Day 1 is Monday. 

Once WMI Filter is created, it need to attach to the GPO. To do that Go to GPMC and select the required GPO. Then under the WMI Filtering section, select the required WMI filter from the drop down box. 

wmi3

Now it is time for testing. Out test query is to target 32 bit windows 10 operating systems. if I try to run it over 64-bit operating system it should not apply. We can check this by running gpupdate /force to apply new group policy and gpresult /r to check results. 

wmi4

Test has been successful and the policy was blocked as I am running windows 10 – 64-bit OS version. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Group Policy Item-Level Targeting

Item-level targeting can use to target group policy preference settings based on application settings and properties of users and computers in granular level. we can use multiple targeting items in preference settings and make selections based on logical operators (AND, OR, IS, IS NOT).

Item-level targeting in group policy preferences can setup/manage using GPMC. To do that open the group policy settings > Go to relevant Preference settings > right click and select properties 

In my example I am using GPO created for IE 10 Settings, there for the path for it is User Configuration > Preferences > Internet Settings > Internet Explorer 10. Then right click and select properties

From properties window, then select Common tab > tick item-level targeting > then click on Targeting button. 

item1

In next window, we can build granular level targeting based on one item or multiple items with logical operators. 

item2

In above example I have built a query based on three setting which is NetBIOS name, Operating System and IP address. In order to apply the preference setting, all three statements should give TRUE value as result as I used AND logical operator. If its OR logical operator the result can have True or False values. 

In the window, New Item menu contained items we can use of targeting. Add Collections allows to create parenthetical grouping. Item Options menu is responsible for defining logical operators. 

WMI Filters is another way of targeting objects in group policies. We will look in to it in next blog post. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

How Active Directory Replication Works?

Active Directory Infrastructure is depending on healthy replication. Every domain controller in the network should aware of every change which has made. When domain controller triggers a sync, it passes the data through the physical network to the destination.

In active directory environment, there are mainly two types of replications.

1) Intra-Site Replication 

2) Inter-Site Replication

Intra-Site Replication

As the name confirms, this covers the replication happens with in a site. By default, (according to Microsoft) any domain controller will aware of any directory update within 15 seconds. Within site despite the number of domain controllers, any directory update will be replicate in less than one minute. 

rep1

Within the site, the replication connections are performing in ring topology. Which mean an any give domain controller have two replication links (of cause if there is minimum of three domain controllers). this architecture will prevent domain controllers having endless replication loops. As example if there are 5 domain controllers and if all are connected to each other with one-to-one connection each domain controller will have 4 connection and when there is an update in one of the domain controller it will need to advertise it to 4 domain controllers. then the first one to receive update will advertise to its 4 connected domain controllers and its go on and on. It will be too much replication processes to advertise, listen and sort out the conflicts. But in ring topology, despite the number of domain controllers in the site, any given domain controller only need to advertise or listen to two domain controllers in any given time. This replication topology is no need to configure manually and active directory will automatically determine the connections it need to make. When number of domain controllers grow, the replication time can grow as well as its in ring topology. But to avoid the latency active directory will create additional connections. This is also determined automatically and we do not need to worry about these replication connections. 

Inter-Site Replication

If active directory infrastructure contains more than one site, a change happens in one site need to replicate over to other sites. This is called as inter-site replication and its topology is different from the intra-site replication. Replication with in site is always benefited from the high-speed links. But when it comes to between sites bandwidth, latency and reliability comes to considerations. In previous section, we discussed about site-links, site costs and replication schedules when we can use to control the inter-site replication. 

rep2

When it comes to inter-site, the replication will happen via site links. The replication with in each site still uses the ring topology. In above example let’s assume an object been added to REBEL-DC-02 in London Site. Now based on the topology it will be advertise to REBEL-DC-03 too. But apart from been domain controller, this particular domain controller is bridgehead server as well. So, it is this server’s responsibility to advertise the updates it received in to the bridge server in Canada Site which is REBEL-DC-04. Once it receives the update it will advertise to other domain controllers in the site. The replication between sites still need to obey the rules which is applied to control the replication. Active Directory domain services automatically selects the bridgehead server for a site. But if need we can decide what should act as bridgehead server for site. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.