Tag Archives: Domain Services

Integrity check to Detect Low Level Active Directory Database Corruption

Active Directory maintains a multi-master database. like any other database there can be data corruptions, crashes, data lost etc. In my entire career, I still did not come across with a situation that a full database recovery is required in production environment. The reason is AD DS database is keep replicating to other available Domain Controllers and it is very rare that all the available Domain Controllers crash in same time and loose data.

By running integrity check, we can identify binary level AD database corruption. This comes as part of the Ntdsutil tool which use for Active Directory database maintenance. This go through every byte of the database file. The integrity command also checks if correct headers exist in the database itself and if all of the tables are functioning and consistent. This process also run as part of Active Directory Service Restore Mode (DRSM).

This check need to run with NTDS service off. 

In order to run integrity check,

1) Log in to Domain Controller as Domain/Enterprise Administrator
2) Open PowerShell as Administrator
3) Stop NTDS service using net stop ntds
4) Type 
 
ntdsutil
activate instance ntds
files
integrity
 
ntds1
 
5) In order to exit from the utility type, quit.
6) it is also recommended to run Semantic database analysis to confirm the consistency of active directory database contents. 
7) In order to do it, 
 
ntdsutil
activate instance ntds
semantic database analysis
go
 
ntds2
 
8) If its detected any integrity issues can type go fixup to fix the errors. 
9) After process is completed, type net start ntds to start the ntds service.
 
This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Right Management Service (AD RMS) – Part 04 – AD RMS Configuration

So far in this series we learn what is RMS and how it works. You can access those using,

Part 01 What is AD RMS ?

Part 02AD RMS Components

Part 03How AD RMS Works ?

This is the last part of the series and in here I am going to demonstrate how to install and configure AD RMS. 

Setup AD RMS Root Cluster

AD RMS only can install in Domain Member Server. I have a demo server setup and its already member server of the domain. First AD RMS server add to the forest creates the AD RMS cluster. 

Install AD RMS Role

1) Log in to the server as Enterprise Administrator. 

2) Install the AD RMS role and related management tools using, 

Install-WindowsFeature ADRMS -IncludeManagementTools

rms04-1

Configure AD RMS Role

1) Launch Server Manager > Notifications > Under “Configuration required for Active Directory Rights Management Services” > Perform Additional Configuration. This will open the AD RMS Configuration Wizard. Click Next to start the configuration. 

rms04-2

2) In next screen, it gives option to create new AD RMS root cluster or join it to existing AD RMS cluster. Since it is new cluster, select option Create a new AD RMS root cluster and click Next.  

3) Next Screen is to define the AD RMS database configuration. If it’s going to use MS SQL server need to specify the Database server and the instance. Or else it can use Windows Internal Database. Please note if WID used, it cannot have any more AD RMS servers and cannot have AD RMS mobile extension either. Since its demo, I am going to use WID. Once selection made, click Next to move to next step. 

rms04-3

4) In Next window, we need to define service account. It is used to communicate with other services and computers. This doesn’t need to have Domain or Enterprise Admin rights. Click on Specify and provide the user name and password for the account. Then click Next to Proceed to next window. 

rms04-4

5) In next windows, we need to select the Cryptographic mode. This defines the strength of the hashes. This is support two mode which is SHA-1 and SHA-256. It is highly recommended to use Mode 2 which is SHA-256 for stronger hashing. However, this need to be match with the other RMS cluster it deals with. In our setup, I am going to use default SHA-256. Once Selection is made click next to proceed. 

rms04-5

6) AD RMS uses cluster key to sign the certificate and licenses it issues. This is also required when AD RMS restore or when new AD RMS server add to the same cluster. It can be saved in two places. Default method is to use AD RMS centrally managed key storage. So, it doesn’t need any additional configurations. It also supports to use cryptographic service provider (CSP) as storage. But this required manual distribution of key when add another AD RMS server to the cluster. In this we will use option “Use AD RMS centrally managed key storage”. Once selection is made click Next to proceed. 

7) AD RMS also uses Password to encrypt the cluster key described in above. This is required to provide when add another AD RMS server to cluster or when restore AD RMS from backup. This key is cannot reset. There for recommended to keep it recorded in secure place. Once define the AD RMS Cluster Key Password, click Next to proceed. 

8) In next window, we need to define the IIS virtual directory for the AD RMS web site. Unless there is specific requirement always use the default and click Next. 

rms04-6

9) In next step, we need to define a AD RMS cluster URL. This will use by AD RMS clients to communicate with AD RMS cluster. It is highly recommended to use SSL for this even its allow to use it with HTTP only method. The related DNS records and Firewall rules need to be adjusted in order to provide connection between AD RMS clients and this URL (Internally or Externally). Once configuration values provided, click Next to proceed. One thing need to noted is, once this URL is specified, it cannot be change. In this demo, the RMS URL is https://rms.rebeladmin.com. 

rms04-7

10) In next step, we need to define Server Authentication Certificate. This certificate will use to encrypt the network traffic between RMS clients and AD RMS cluster. For testing it can use self-signed certificate but not recommended for production. If its uses internal CA, client computers should be aware of the root certificate. In wizard, it automatically takes the list of SSL certificates installed in the Computer and we can select the certificate from there. It also allowed to configure this setting in later time. Once settings are defined, click Next to proceed. 

rms04-8

11) In next window, it asks to provide Name for the Server License Certificate (SLC). This certificate is to define the identity of the AD RMS cluster and it used in the Data protection process between clients to encrypt/decrypt symmetric keys. Once defined a meaningful name, click Next to proceed. 

12) Last step of the configuration is to register AD RMS connection service point (SCP) with the AD DS. If needed this can configure later too. This need enterprise administrator privileges to register it with AD DS. In this demo, I already logged as enterprise administrator so I am using “Register the SCP now”. Once option selected, click Next

rms04-9

13) After the confirmation, installation will begin and wait for the result. If it’s all successful, log off and log back in the AD RMS server. 

14) Once log back in, Go to Server Manager > Tools > Active Directory Rights Management Service to access the AD RMS cluster.

rms04-10

Test Protecting Data using AD RMS Cluster

Next step of the demo is to test the AD RMS cluster by protecting data. For that I am using two user accounts. 

User

Email Address

Role

Peter

peter@rebeladmin.com

Author

Adam

adam@rebeladmin.com

Recipient

Email account filed is must and if user doesn’t have email address defined, it will not be allowed to protect the document. 

The end user computers must have added https://rms.rebeladmin.com to the Internet Explorer, Local Intranet’s trusted site lists. This can be done via GPO. If it’s not added, when go to protect the document, users will get following error,

rms04-11

In this demo as user Peter going to create protected document using Word 2013. The recipient will only be user Adam and he will only have read permission. 

To Protect the Document

1) Log in to the Windows 10 (Domain member) computer as user Peter

2) Open word 2013 and type some text

3) Then Go to File > Protect Document > Restrict Access > Connect to Digital Rights Management Servers and get templates 

rms04-12

4) Once its successfully retrieves the templates, go back to same option and select Restricted Access

rms04-13

5) Then it will open up new window. On there for the read permissions, type adam@rebeladmin.com to provide read only permission to user adam. Then click OK.  

rms04-14

6) After that save the document. In demo, I used a network share which user adam also have access. 

7) Now I log in to another window 10 computers as user adam. 

8) Then brows to path where document was saved and open it using word 2013. 

9) On the opening process, it asks to authenticate to the RMS to retrieve the licenses. After that it open the document. In top of the document it says document got limited access. When click on the “View Permission” it list down the allowed permissions and it matches what we set in the author side. 

rms04-15

10) Further in to testing I have log in to system as another user (Liam) and when I access the file I gets, 

rms04-16

This ends the configuration and testing of the AD RMS cluster. In this demo, I explained how we can set up AD RMS cluster with minimum resource and configuration. I only used the default configuration of AD RMS cluster and no custom policies applied. By understand core functions allows you to customize it to meet your organization requirements. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Right Management Service (AD RMS) – part 03 – How AD RMS Works?

In part 01 of this series we learned RMS and its capabilities. if you didn’t read it yet, you can find it in here. In part 02 we learned about AD RMS components. You can read it using  

In part 03, I am going to explain how AD RMS works. 

By now we know the components of the AD RMS and its capabilities. In this section, we are going to look in details to understand how all these components work together to protect corporate data. 

Before start the data protecting process, we need to have healthy AD RMS Cluster, AD RMS Clients (Author and Recipient) and reliable connection between those components. Once these prerequires fulfill, Data protection process will happen in three main stages which is protect content by author, publish protected content and access protected content by recipient. Let’s assume Peter is trying to protect a document using AD RMS. He going to send it to Adam and he do not want him to edit or print it. This is the first time he going to use AD RMS. In AD RMS environment, user Peter will refer as Information Author. On his first authentication in to AD RMS cluster, it creates Right Account Certificate (RAC) and it will be user’s identity in AD RMS. This is a onetime process. This certificate contains the public key and private key of the Peter which is encrypted by his computer’s public key. When Peter register with AD RMS cluster it also creates another certificate called Client Licensor Certificate (CLC). This CLC includes Client Licensor Certificate’s public key and private key which is protected by public key of Peter. It also includes AD RMS cluster public key which is signed by AD RMS private key.

Peter decides what data need to be protected first. Then it generates symmetric key (random) and encrypt the data which needs to be protected. It uses AES-256 standards to encrypt the data. When first AD RMS server added to the cluster, it creates another certificate called Server Licensor Certificate (SLC). This represent the identity element of the AD RMS server. This is shared with clients so they can use to exchange confidential data in secure way. SLC includes the public key of the AD RMS server. As the next step the system will encrypt the symmetric key used for data encryption by using it. So, only AD RMS cluster can open it. 

After that RMS Client creates Publishing License (PL). This PL use to indicate allowed recipients, what rights they got and what condition will apply towards protected data. PL includes encrypted symmetric key that can used to decrypt the protected data. All these data then encrypt with Server Licensor Certificate’s public key. Apart from that AD RMS client also will sign encrypted data with private key of CLS. At the end this protected data will attached to PL. it also included the copy of symmetric key which is encrypted with CLS public key. This confirms Peter’s authority over the protected document, so he can decrypt the document without using another license. Once all these encryptions and signings are done, the document is ready to send over to Adam. 

Once Adam receives the document, his Ad RMS aware application try to open it and found it is a protected document. Similar to Peter, Adam already have his RAC and CLS from the AD RMS Cluster. In order to open the protected document at once does it encrypt it with does it encrypt or sign with any of Adam’s certificates? No, it’s not. But his AD RMS client knows who need to contact in order to sort it out for him. To open the protected document Adam should have a Use License (UL). This is issue by the RMS cluster. So, AD RMS client request for license also included encrypted Publishing License, Encrypted Symmetric Key, Peter’s CLC and Public key of Adam’s RAC. The protected document will not send over with this request to RMS Cluster. To decrypt the protected document Adam needs the Symmetric key which used by Peter to encrypt the document. As first step Server needs to know if Adam is permitted to access the document, if he is permitted what sort of conditions and rights will apply. This info is in Publishing License. It is encrypted using public key of SLC. AD RMS server is the private key owner for it and he can easily extract it. if Adam is not allowed in PL, it will be declined the access to it. if its allowed it creates a list mentioning Adam’s rights to the document. The most important part of the decryption process is to retrieve the Symmetric Key. This is also encrypted by SLC’s public key. Once it is extract, it will be re-encrypt using Adam’s RAC public key. it was a part of the Use License request. This ensure, the only one can see the key is Adam’s system. Since server got all the required information, it generates Use License including the permission list and encrypted symmetric key. then it sends over to Adam’s RMS client. Once it reaches Adam’s system, it can decrypt the symmetric key using RAC’s private key. then RMS aware application will decrypt the document and attach the rights information retrieved from the User License. At the end, voila!!! Adam can see the content of the document. 

In above I have talked lots about different certificates, licenses, data encryption and decryption. I thought its still better to explain it in high level to recap things we learned. 

rms03-01

Peter wants to send protected document to Adam. Adam should only have read permission to the document and should not be able to modify or print. 

1) This is the first-time peter going to use AD RMS. As soon as he tries to protect the document, RMS client initiate a connection to AD RMS server (cluster)

2) AD RMS Server replied with Right Account Certificate and Client Licensor Certificate. This is one time process. 

3) In Peter’s system, random symmetric key is generated and encrypt the document using it. Then this symmetric key is encrypt using SLC’s public key. After that it is attached to a Publishing License which includes Adam’s rights for the protected document. After that PL attached to encrypted document.

4) Peter sends protected document (along with this additional info) to Adam.

5) Adam’s RMS Aware application try to open it and found that it need Use License from AD RMS Server. then RMS client request it from the RMS Server.

6) RMS server decrypt the symmetric key and the PL. after that server checks if the requester match with the PL. in our scenario it matches, so it went ahead and creates Use License. This includes symmetric key (it re-encrypts using Adam’s RAC Public Key) and a list which contains rights describes in PL. Then it delivers to Adam’s system.

7) Once Adam’s system receives the Use License, it retrieves Symmetric key and decrypt the document. Then Adam open the document and use it according to rights described on PL. 

This marks the end of this blog post. In Part 04, I will demonstrate deployment of AD RMS. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Right Management Service (AD RMS) – Part 02 – AD RMS Components

In my previous blog post about AD RMS, I have explained what is RMS and its capabilities. If you didn’t read it yet, you can find it here . In this post I am going to explain about AD RMS components. 

AD RMS have its own role services and related components which need to work together in order to maintain healthy AD RMS environment. Let look in to these components in details. 

Active Directory Domain Services (AD DS) – AD RMS is one of Active Directory Role service. AD RMS can only be installed in AD DS environment and it must be on member servers. It also uses to publish service connection point (SCP), where internal users can automatically discover the URL for AD RMS environment. 

AD RMS Cluster – AD RMS Cluster is a single RMS server or group of servers which shares certificates and licensing requests from its clients. Even its says as “Cluster” it is different from typical Windows failover cluster. Failover cluster at least needed two nodes. But in RMS cluster, event it’s have single server it become a cluster. But there is one requirement for AD RMS cluster if there are multiple servers involves. AD RMS supports two types of databases similar to AD FS. By default, it uses Windows Internal Database (WID) and it also supports to Microsoft SQL Server Database. If AD RMS Cluster going to have multiple servers it must use MS SQL database in separate server. 

There are two type of clusters in AD RMS, 

Root Cluster – When setup first AD RMS server in infrastructure, it becomes root cluster. By default, it responds to both licensing and certificates requests from clients. When required, additional RMS servers can be added to the cluster. There is only one root cluster can exist on one AD DS forest. 

Licensing Cluster – If organization has multiple active directory sites, there are situation where remote sites prefers to use servers in their own site whenever possible. It prevents users by connecting sites through slow links. In such scenarios, organizations can deploy licensing-only cluster in remote sites. It only responses to licensing requests from clients. 

When new RMS server add to the infrastructure, based on installed roles it will automatically make it part of relevant cluster. However, it is recommended to use root cluster only as it will automatically load balance both certificates and licensing requests. When it has two clusters, load balancing is handled by each cluster separately even though it’s components of one system. 

Web Server – AD RMS required web service for its operations. There for it required IIS 7.0 or latest with following role services. 

Web Server (IIS)

Web Server

o Common HTTP Features

Static Content

Directory Browsing

HTTP Errors

HTTP Redirection

o Performance

Static Content Compression

o Health and Diagnostics

HTTP Logging

Logging Tools

Request Monitor

Tracing

o Security

Windows Authentication

Management Tools

o IIS Management Console

o IIS 6 Management Compatibility

IIS 6 Metabase Compatibility

IIS 6 WMI Compatibility

SQL Server – AD RMS supports Windows Internal Database (WID) and Microsoft SQL Server Database. If AD RMS Cluster going to have multiple servers, its database must be in MS SQL server. It supports SQL server 2005 onwards. AD RMS have three databases. 

Configuration Database – Configuration database includes configuration data related to AD RMS cluster, windows users identities and AD RMS certificate key pair which used to create cluster. 

Logging Database – This contain the logging data for the AD RMS setup. By default, it will install it in the same SQL server instance which hosts the Configuration Database.

Directory Service Database – This database maintains cached data about users, SID Values, Group membership and related identifiers. This data been collected by AD RMS licensing service from LDAP queries which ran against global catalog server. by default its refresh in every 12 hours.  

AD RMS support SQL High availability solutions including SQL failover clustering, database mirroring and log shipping. It is NOT supported SQL server AlwaysOn. 

In previous section I have mentioned about mobile device extensions which can used to extend AD RMS to manage corporate data in mobile devices. It does not support to Windows Internal Database (WID) and if you going to use this feature, Ad RMS databases must run for separate SQL server. 

AD RMS Client – AD RMS client is required to communicate with AD RMS cluster and protect data. This is included in all the recent operating systems which was released after windows XP. However, this still need to install on MAC and Mobile devices to use AD RMS. 

Active Directory Certificate Service (AD CS) – AD RMS uses several certificates to protect the communication between AD RMS components and clients. Most of those can issue using corporate trusted certificate authority. As an example, AD RMS cluster can build using SSL certificate to protect communication between servers in cluster. If AD RMS setup required to publish service URLs externally, then it will be required a certificate from public certificate authority. AD RMS itself uses various Extensible Rights Markup Language (XrML)-based certificates to protect communication between components and data. These certificates are different from AD CS certificates. 

This marks the end of this blog post. In Part 03 I will be explaining how AD RMS really works. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Right Management Service (AD RMS) – Part 01

Microsoft had taken their first approach to information rights management (IRM) by introducing Windows Right Management Service with Windows Server 2003. This was fully compliant with Federal Information Processing Standard (FIPS) 140-1. The update version of Windows Right Management was renamed as Active Directory Rights Management Services and re introduced with Windows Server 2008. It continued to grow with features and included with every new windows server versions after that. Microsoft also released Azure RMS (included in Azure Information Protection) which can use in Hybrid-Cloud environment to protect data. 

However, AD RMS is not the solution for all the Data security requirements. In an infrastructure, there is other things attached to data security. First step of the protection is to decide who have access to corporate network and resources. This fall under perimeter defense and Hardware/Software firewalls can use to define rules to manage traffic come in to corporate network and traffic goes out from corporate network. Modern Layer-7 Firewalls and Next Generation Firewalls allows not only to manage connections but go further on analysis traffic based on applications, user accounts (AD integrated). If users are allowed to use Internet, it also can bring threats to corporate data. It can be via viruses, malware, phishing emails etc. Similar threats can be eliminate using Layer 7 firewalls or Proxies. The next step on Data Protection is to controlled the data access for users and groups in the corporate network. This is done by using NTFS and Access Control Lists (ACLs). These helps to control who have access to what data and resources. The challenge is to protect data once users and groups have access to it. As an example, REBELADMIN Inc. does have Sales Department. CEO creates a word document which includes last year total sales and save it in a network folder. The only people have access to it is CEO and Sales Manager. He sent email to Sales Manager and inform about the file. Access to folder is protected by ACLs but ones Sales Manager have access to it, what will prevent him emailing it to a person in Technical Department or bring it home with him and share it with another party? Active Directory Right Management Service controls the behavior of data once users have access it. But this will not prevent data leakage via digital photographs, third-party screen capturing, hard copies or viruses and malware. 

AD RMS can,

Follow Data with Policies (Persistent Usage Rights and Conditions) –  NTFS permission and ACLs only can manage a data within its operation boundaries. In my previous example, when the report is inside the Sales folder it will only can access by CEO and Sales Manager. However, if its copied to local disk, forward as email it will bypass the NTFS permissions and ACLs. AD RMS uses Persistent usage policies which follows the data. Even its moved, forwarded, the policies will follow it. 

Prevent Confidential Emails going in to wrong hands – Emails is one of the media that commonly involves with data leakage. Constants news are coming on medias due to wrong peoples got access to “confidential” emails. Once email is left outgoing email folder, we do not have control over the data and we do not have guarantee if this is only access by the recipient and it’s not forwarded to another party that original sender not aware of. AD RMS can prevent recipient been forwarding, modifying, copying or printing confidential emails. It also guarantees, its only can open by the expected recipient.

Prevent Data been access by unauthorized peoples – Similar to emails, AD RMS can also protect confidential files, reports been modified, copied, forwarded or print by unauthorized users.

Prevent Users by capturing content using Windows Print Screen feature – Even users do not forward or copy method to send data they still can use print screen option to capture the data in another format. AD RMS can prevent users by using windows print screen tool to capture data. However, this not going to prevent users by using third-party screen capturing solutions. 

File Expiration – AD RMS allows to set time limit to files so after certain period of time, content of it will not be able to access. 

Protect Data on Mobile Devices and MAC – People uses mobile devices to access corporate services and data. AD RMS mobile extension allow to extend its data protection capabilities in to mobile devices which runs with Windows, Android or iOS. In order to do that, Device should have latest RMS clients and RMS aware apps installed as well. This also applies to MAC devices as long as it uses Office 2016 for MAC and RMS aware applications. 

Integration with Applications – AD RMS not only support Microsoft office files, its support wide range of applications and file types. As an example, AD RMS directly can integrate with Share Point (2007 onwards) to protect the documents published on intranet site. There are third party applications which support RMS too. It also supports file types such as .pdf, .jpg, .txt, .xml. This allow corporates to protects more and more data types in infrastructure. 

This marks the end of this blog post. In Part 02 I will be explaining the components of RMS. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step Guide to Setup Read-only Domain Controller (PowerShell Guide)

RODC are a great feature which is introduce with windows server 2008 in order to maintain a low risk domain controller in locations where it cannot guarantee physical security and the maintenance. Though out article we have discussed possible scenarios where we required a domain controller in a remote site. When considering a domain controller in remote site, the link between site is not the only thing we need to focus on. When we deploy a domain controller, by default it will be aware of any changes in active directory structure. Once an update trigger, it updates its own copy of the active directory database. This ntds.dit file is contain everything about active directory infrastructure, including identity data of the user objects. If its falls in to wrong hands, they can retrieve data related to identities and compromise the identity infrastructure. when consider about information security, the physical security is also important. That’s why the datacenters have al sort of security standards. So, when deploying a domain controller in remote site, physical security also a consideration as we do not need to have loose ends. If you have a requirement for domain controller in remote site and yet you cannot confirm its security the RODC is the answer. RODC do not store any password in its database. All the authentication request against an object will be process by the closest writable domain controller. So even someone manage to get copy of the database they will not be able to do much. 

RODC deployment process involves following stages. In this process, we can use a pre-selected account and promote the RODC using it instead of using Domain Admin or Enterprise Administrator account. 

1) Setup Computer Account for RODC domain controller

2) Attached that account to the RODC during the promo process

In order to create RODC computer account we can use Add-ADDSReadOnlyDomainControllerAccount cmdlet. 

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName REBEL-RODC-01 -DomainName rebeladmin.com -DelegatedAdministratorAccountName "rebeladmin\dfrancis" -SiteName LondonSite

Above command will create RODC domain controller account for REBEL-RODC-01. The domain name is defined using -DomainName and -DelegatedAdministratorAccountName defines which account to delegate the RODC installation. The new RODC will be place in LondonSite

rodc1

Now we can see the newly added object under the Active Directory Domain Controllers.

rodc2

Now we have things ready for the new RODC and next step is to promote it. 

Install-WindowsFeature –Name AD-Domain-Services -IncludeManagementTools

Above command will install the AD DS role first in the RODC. Once its completed we can promote it using, 

Import-Module ADDSDeployment  

Install-ADDSDomainController `  

-Credential (Get-Credential) `  

-CriticalReplicationOnly:$false `  

-DatabasePath "C:\Windows\NTDS" `  

-DomainName "rebeladmin.com" ` 

-LogPath "C:\Windows\NTDS" `

-ReplicationSourceDC "REBEL-PDC-01.rebeladmin.com" `

-SYSVOLPath "C:\Windows\SYSVOL" `  

-UseExistingAccount:$true `  

-Norebootoncompletion:$false  

-Force:$true

Once this is executed it will prompt for the user account and we need to input user account info which was delegated for RODC deployment. The command is very similar to regular domain promotion. 

Now we have the RODC and next steps to look in to password replication policies (PRPs). 

The default policy is already in place and we can view the allowed and denied list using,

Get-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -Allowed

Above command will list down the allowed objects for password caching. By default, a security group called “Allowed RODC Password Replication Group” is allowed for the replication. This doesn’t contain any members by default. By adding object to this group will allow caching. 

Get-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -Denied

Above command list down the denied objects for password caching. By default, following security groups are in the denied list. 

Denied RODC Password Replication Group

Account Operators

Server Operators

Backup Operators

Administrators

These are high privileged accounts in active directory infrastructure these should not be cached at all. By adding objects to Denied RODC Password Replication Group, we can simply block the replication. 

Apart from the use of predefine security groups we can add objects to allow and denied list using Add-ADDomainControllerPasswordReplicationPolicy cmdlet. 

Add-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -AllowedList "user1"

Above command will add user object user1 to the allowed list. 

rodc3

Add-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -DeniedList "user2"

The above command will add the user object “user2” to the denied list. 

rodc4

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Group Policy: WMI Filters in a nutshell

Windows Management Instrumentation (WMI) filters is another method that we can use to filter the group policy target. This method is only can use to filter the computer objects and it based on computer attribute values. As an example, WMI filters can use to filter out different operating system versions, processor architecture (32bit/64bit), Windows server roles, Registry settings, Event id etc. WMI filters will run against WMI data of the computers and decide if it should apply policy or not. If its match the WMI query it will process the group policy and if its false it will not process the group policy. This method was first introduced with windows server 2003. 

We can use GPMC to create/manage WMI filters. Before apply filter to a GPO, first we need to create it. Single WMI filter can attach to many GPO buy a GPO only can have single WMI filter attached. 

To create WMI filter, Open GPMC, right click on WMI Filter and click New.

wmi1

It will open up the new window where we can define the WMI query. 

wmi2

By clicking on Add button we can define the Namespace and WMI query. As an example, I have created a WMI query to filter out windows 10 operating system runs 32-bit version. 

select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

In below you can find few examples of commonly use WMI queries,

To Filter OS – Windows 8 – 64bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND OSArchitecture = "64-bit"

To Filter OS – Windows 8 – 32 bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

To Filter any Windows server OS – 64bit

select * from Win32_OperatingSystem where (ProductType = "2") OR (ProductType = "3") AND  OSArchitecture = "64-bit"

To apply policy in selected day of the week

select DayOfWeek from Win32_LocalTime where DayOfWeek = 1

Day 1 is Monday. 

Once WMI Filter is created, it need to attach to the GPO. To do that Go to GPMC and select the required GPO. Then under the WMI Filtering section, select the required WMI filter from the drop down box. 

wmi3

Now it is time for testing. Out test query is to target 32 bit windows 10 operating systems. if I try to run it over 64-bit operating system it should not apply. We can check this by running gpupdate /force to apply new group policy and gpresult /r to check results. 

wmi4

Test has been successful and the policy was blocked as I am running windows 10 – 64-bit OS version. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Understanding Group Policy Conflicts

In an organization, there can be many group policies in used. Sometime multiple policies may target same thing. In that case it is important to understand which policy going to win. Group Polices precedence order LSDOU and Group Policy Inheritance decides which policy will win in Active Directory structure.  Let’s look in to this further with an example, 

gp1

As per above figure we have two policies inherited to “Users” OU. Policy 01 is Domain linked group policy. Policy 02 is OU linked group policy. Each of the group policy have its own values defined for the three selected settings. Based on the default group policy inheritance, Users OU will have both policies applied. According to LSDOU, Policy 02 will have lowest precedence valve as it is the closest policy for the Users OU. For Password Policy Settings, only Policy 01 has a valve defined. There for even it’s the least preferred group policy, that valve will apply to Users OU. For Windows Firewall Settings, only Policy 02 has a valve. It will also apply to the Users OU. When it comes to the Internet Explorer Settings both policies have values. That makes a conflict. The winning valve of conflicting policy settings will be decided based on LSDOU. There for the wining valve will be from Policy 02

Microsoft allows to change this default policy winning procedure by enforcing policies. When group policy been enforced, it will have the lowest precedence valve regardless where it’s been linked. Another advantage of the enforced policy is, it will apply even OU is blocked inheritance. If domain linked policy been enforced, it will apply to any OU under the domain and it will hold the lowest precedence. If multiple policies been enforced, all of them will take the lowest precedence numbers in order. 

To enforced a policy, load GPMC, right click on the selected group policy and then select “Enforced” option. It will enforce the policy and, change the policy icon with small padlock mark. It allows to identify enforced policies quickly from policy list. 

gp2

In above example, Policy 01 been enforced. It is domain linked group policy. In normal circumstances Policy 02 will gets a lowest precedence value when its applies to the Users OU. But when policy been enforced Policy 01 will have the lowest precedence valve. When we look in to winning policy values of the Users OU, For Password Policy Settings it will process the Policy 01 value as it is the only one have value for it. For Windows Firewall Settings, Policy 01 do not have any value defined. So even its been enforced the winning policy setting will be from Policy 02 as it’s the only one have a valve defined. Policy 01 and Policy 02 both have values for Internet Explorer Settings. But enforced Policy 01 is in top of the policy list and winning policy setting will be from it. 

So far, we talked about conflicting policy settings from different level on domain structure. How it will work if it’s in same level? Policies in same level also apply according to precedence order. When policies are in same level the LSDOU process is no use. The winning policy will decide based on its position in the policy list. The order of the list decided based on “Linked Group Policy Objects” list. This list can view using the Linked Group Policy Objects tab in the OU detail window in GPMC

gp3

The order of policy in same level can be change using two methods. One method is to enforced the policy. When policy is enforced, it will take the priority from the other policies in the same level. but it will not change the “Link Order” of the policy. The order of the list can change using the up and down buttons in the Linked Group Policy Objects Tab. Link order will match the precedence order of the group policies. 

gp4

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Troubleshooting Active Directory Replication Issues (PowerShell Guide)

There are certain windows cmdlets and utilities which we can use for replication issues troubleshooting purpose. Among those, Repadmin.exe is most commonly used Microsoft utility. This is available in servers which have AD DS or AD LDS role installed. It is also part of Remote Server Administration Tools (RSAT). This utility recommended to run as Domain Administrator or Enterprise Administrator. However, it is also possible to delegate permission only to review and manage replication. 

Let’s see it’s in action 

repadmin /replsummary /bydest

above command summarizes the replication status for all domain controllers based on the replication destination. This parameter does not display the source domain controller.

repadmin /replsummary /bysrc

above command summarizes the replication status for all domain controllers based on the replication source. This parameter does not display the destination domain controller.

repadmin /showrepl REBEL-SRV01.therebeladmin.com 

above command shows the replication partners for REBEL-SRV01.therebeladmin.com and the status of last sync attempt. 

repadmin /showrepl /errorsonly 

above command will list down the replication partners which have replication errors (last sync attempt failed) 

we also can view results in CSV format.

repadmin /showrepl /csv

tr1

repadmin /syncall REBEL-SRV01 dc=therebeladmin,dc=com

above command initiates domain directory partition synchronization with all replication partners of REBEL-SRV01. 

It will also indicate if there were any issues by doing it.

tr2

repadmin /queue

above command shows if there are any unprocessed inbound replications requests. If system keep que requests it can be due to high number of AD changes, System resource issue or too many replication partners. 

repadmin /showchanges REBELNET-PDC01 d3f89917-5fff-40a8-scc2-b148b60d9309 dc=therebeladmin,dc=com

above command list down the changes which are not replicated between server REBELNET-PDC01 and REBEL-SRV01. In here REBEL-SRV01 is the source server and it is listed with object GUID. 

tr3

repadmin /replicate REBEL-SRV01 REBELNET-PDC01 dc=therebeladmin,dc=com

above command initiate immediate directory partition replication from REBELNET-PDC01 to REBEL-SRV01.

Apart from the repadmin, there are certain PowerShell cmdlets which we can use to troubleshoot replication issues. Get-ADReplicationFailure cmdlet is one of those which can collect data about replication failures. 

Get-ADReplicationFailure -Target REBEL-SRV01

Above command will collect information about replication failures associated with REBEL-SRV01. 

This also can do with multiple servers. 

Get-ADReplicationFailure -Target REBEL-SRV01,REBELNET-PDC01

Further we can target all the domain controllers in the domain.

Get-ADReplicationFailure -Target "therebeladmin.com" -Scope Domain

Or even entire forest

Get-ADReplicationFailure -Target " therebeladmin.com" -Scope Forest

Get-ADReplicationConnection cmdlet can list down replication partner details for the given domain controller. 

Get-ADReplicationConnection -Filter *

Above command will list down all replication connection for the domain controller you logged in. 

tr4

We also can filter the replication connections based on the attributes. 

Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "REBEL-SRV01"}

Above command will list down the replication connections with destination server as REBEL-SRV01.

We also can force sync object between domain controllers. 

Sync-ADObject -object “adam” -source REBEL-SRV01 -destination REBELNET-PDC01

Above command will sync user object adam from REBEL-SRV01 to REBELNET-PDC01

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

How to Enable Active Directory Recycle Bin? (PowerShell Guide)

Most common active directory related disasters are due to accidently deleted objects. Once object is deleted from active directory, it is not permanently deleteing from the active directory same time. As soon as an object deleted, it will set the isDeleted object value to True and move the object under CN=Deleted Object.

re1

Then the it is stay there till system reaches the tombstone lifetime value. By default, it is 180 days and this can be change if required. As soon as object passes the tombstone lifetime, it is available for permanent deletion. When I explain about the active directory database in previous section I mentioned about “online defragmentation”. It is uses garbage collector service to remove the deleted objects from the active directory database and release that space to database. This service runs in every 12 hours’ time. Once deleted object exceeded the tombstone lifetime value, it will be permanently removed in next garbage collector service cycle. the problem with this one is, during the tombstone process most of the object values are striped off. So even you were able to recover, these objects values will need to re-enter. 

With windows server 2008 R2, Microsoft introduced Active Directory Recycle Bin feature. When this feature is enabled, once object is deleted, it’s still set isDeleted object value to True and move the object under CN=Deleted Object. but instead of tombstone lifetime, now its control by Deleted Object Lifetime (DOL). Object attributes will remain same in this stage and it is recoverable easily. By default, the DOL value is equal to tombstone lifetime. This value can change by modifying msDS-deletedObjectLifetime object value. Once its exceeded the DOL, it is moved in to Recycled state and isRecycled object value set to True. By this state, it will not be able to recovered and it will be in that state till tombstone lifetime value exceed. After it reach the value it will be permanently delete from the AD. 

Active Directory Recycle Bin feature required minimum of windows server 2008 R2 domain and forest functional level. Once this feature is enabled it cannot be disabled. 

This feature can be enable using,

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target rebeladmin.com

In above -Target can be change with your domain name. 

re2

Once it is enabled, we can revive the objects which is deleted using,

Get-ADObject -filter 'isdeleted -eq $true' -includeDeletedObjects

It will search for the objects where isdeleted attributes set to true. 

Now we know the deleted object and it can be restore using, 

Get-ADObject -Filter 'samaccountname -eq "dfrancis"' -IncludeDeletedObjects | Restore-ADObject

The above will restore user object dfrancis

re3

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.