Tag Archives: GC

Active Directory Groups

I am sure every on who uses active directory heard about the groups. Even in stand-alone pc you can see set of groups. But it is important to know how these groups are working and what each type of groups really do.

In windows server 2012 have two types of groups in place.

Distributed Group – This is non-security related group and purpose of it to distribute information to a group of resources. These can use by AD aware applications for example, Microsoft Exchange to distribute email.

Security Group – This is security related group for granting access permissions to group of users in to resources. For example this group can use to assign permissions to a network share.

grp1

Group Scope

Apart from the group types we can define the boundaries for the groups. We can use it to current domain or extend to use different domains as well.

There are 3 types of group scope levels.

Domain Local

This group can have any of the following resources assigned.

•    User Accounts
•    Computer Accounts
•    Universal Groups
•    Domain Local groups from the same domain
•    Global Groups from the forest

This limits the group scope in to the same domain.

Global Group

This group can have any of the followings resources,

•    User Accounts
•    Computer Accounts
•    Other global groups from same domain

Using this you can use the group to assign permission to any resources in the forest. It can be either same domain or different domains. But the group membership are only replicated to domain controllers in same domain.

Universal Group

This can have the following resources

•    User accounts
•    Computer accounts
•    Other universal groups
•    Global Groups

This can use with any domain in the forest and also can use between trusted sites. Universal groups are stored in global catalog servers. So any changes to group membership will replicate to all GC servers in the forest.

grp2

Nested Groups

This is one of the nice features we can use for permission delegation. You can make a group in to member of another group. For ex- if you create a group for IT department it can be a member of “All Staff” user group.

If you have any questions about the post feel free to contact me on rebeladm@live.com

Active Directory Topology

In an infrastructure when you place domain controllers and related services it is important to identify exactly where it should logically locate. It will directly make impact on performances and security.
There are mainly four types of servers and roles when consider about AD topology design.

1)    Forest root domain controller
2)    Regional domain controller
3)    Global catalog server
4)    Operation master role


Forest root domain controller

This is usually used in multi domain network setup. This is the domain controller which will use to create trust paths between domains. In a network some time connections are made from unreliable connections from domain to domain, in such scenario it’s recommended to place forest root domain controller in the location or create shortcut trust.


Regional domain controller

As the name explain these domain controllers are placed in hub locations. This reduce the bandwidth usage between hub locations and main office, improve reliability, reduce support cost etc. writable regional domain controllers can place in hub location only if physical security guarantee. Otherwise it’s recommended to keep them as read only domain controllers (RODC).


Global Catalog Server

Global catalog server holds all the objects in forest. It keeps full copy of the objects in its own domain and read-only copy of objects for all other domains in same forest. The placement of global catalog server is crucial for multi forest environment. In such environment global catalog server should place at following locations,

1)    A location with more the 100 users
2)    A place that hosting applications which required global catalog server.
3)    A place with unreliable connection
4)    A place with Roaming users
5)    A place with slow log on performance

If it’s not one of above you can place domain controller with universal group membership caching.


Operation master role

In an active directory some of the data only can be written by operation master role servers. As we know there is 5 roles (FSMO). 3 of them remain in domain level and those are call as flexible single master operations (FSMO) roles.
1.    Primary Domain Controller (PDC) Emulator – This role responsible for password updates
2.    Relative ID (RID) Operation Master – this role maintains the global RID pool and allocates local RID to other DC
3.    Infrastructure Operation Master – It is responsible for maintain list of security principles from other domains that have membership of local domain


Forest level roles

1.    Schema Operations Master – This is responsible for schema changes
2.    Domain naming operation master – This responsible for changes in directory partition such as adding and removing domains from the forest

When you place operation master roles need to consider following,
•    PDC and RID responsibilities should place in sites with reliable network connectivity
•    Operation master role automatically will assign to first domain controller, but if need we can change it
•    PDC should place nearest the largest number of users.
•    Infrastructure master role should not place in same server as global catalog server. This role is important only in multi-domain forest.

If you have any question about post feel free to contact me on rebeladm@live.com

Step-by-Step Guide to install Active Directory on Windows server technical preview 2

Microsoft released Windows Server 2016 Technical Preview 2 for the public. I am sure most of you already got the news. In this article I am going to demonstrate how we can install AD in Windows server 2016 TP2.

You can download windows 2016 TP2 from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-previewit

You can deploy it using .iso or .vhd file. If you notice, installation no longer allows to select the GUI option during the installation. It gives 2 options to select from, one is goes as core version and the one with administrative tools gives ability to use admin tools such as server manager. If you like to install GUI you need to install it using server manager or using command Install-WindowsFeature Server-Gui-Shell –Restart -Source wim:E:\sources\install.wim:4

In here E: is the DVD with the windows server 2016 source files.

What is new in AD DS?

Well it may be too early to look for what is going to be in windows server 2016 in AD end. But here is the few new features, enhancements available for TP.

Privileged Access Management – This PAM feature allows to mitigate security concerns in AD environment which cause by techniques such as pass-the-hash, spear fishing etc.

Azure AD Join – This enhance identity experience for businesses. Including benefits such as SSO, access organizational resources, MDM integration etc.

Microsoft Passport – Microsoft Passport is a new key-based authentication approach organizations and consumers that goes beyond passwords. This form of authentication relies on breach, theft, and phish-resistant credentials.

Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels – Although File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in previous versions of Windows Server, it bears repeating that the Windows Server 2003 operating system is no longer supported. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

Complete description about these features can find on https://technet.microsoft.com/en-us/library/mt163897.aspx

Let’s gets started. In here my demo I am using windows server 2016 TP2 with GUI.
Log in to server as administrator. Then load server manager.

2016dc1

Then go to Manage > Add Roles and Features

2016dc2

In the wizard click on next.

2016dc3

In installation type selection, let the default selection run and click on next.

2016dc4

For the server selection leave the default and click on next.

2016dc5

From the role selection window select “Active Directory Domain Services” click next. Then it will ask to add the dependent features. Click on add features button. Then click next.

2016dc6

2016dc7

In the features selection will keep the default selection and then click next to continue.

2016dc8

Then it gives description window about AD DS. Click next to proceed.

2016dc9

Then in next window click on install button to install AD DS role.

2016dc10

Once it is finished, click on link “Promote this server to a domain controller”

2016dc11

Then it will open up the new wizard for the AD DS configuration. In here I am going to deploy new forest, so do the relevant selection and fill information and click on next.

2016dc12

In next window select the forest function and domain function level, to “Windows server technical preview” and then add the domain controller capabilities such as DNS, then submit the DSRM password and click next.

2016dc13

Then click next to complete DNS delegation.

2016dc14

In next window we can specify the Netbios name and then click next to continue.

2016dc15

In next window select the paths for database installation etc. then click next.

2016dc16

Then it gives option to review the configuration, and click next to continue.

2016dc17

Once prerequisite check is done, click on install to proceed.

2016dc18

Then it starts the installation process. It will reboot server automatically once completed.
Once reboot, we can see AD DS is configured and functioning as expected.

2016dc19

This completes installation process. The steps are very similar to with AD DS installation on windows server 2012.

If you have any issues feel free to contact me on rebeladm@live.com