<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>pcuserinfo.com &#187; Active Directory</title>
	<atom:link href="http://pcuserinfo.com/category/windows/active-directory/feed/" rel="self" type="application/rss+xml" />
	<link>http://pcuserinfo.com</link>
	<description>For Geeks @nd the not so Geeky</description>
	<lastBuildDate>Sat, 13 Apr 2013 08:59:17 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Group Policy Management Structuring and Design</title>
		<link>http://pcuserinfo.com/group-policy-management/</link>
		<comments>http://pcuserinfo.com/group-policy-management/#comments</comments>
		<pubDate>Sun, 02 Sep 2012 08:58:11 +0000</pubDate>
		<dc:creator>Mick</dc:creator>
				<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://pcuserinfo.com/?p=2210</guid>
		<description><![CDATA[<p>Group Policy Management &#8211; Organizational Unit (OU) Design and Group Policy Objects (GPO) Implementation First thing to keep in mind when it comes to group policy management is that organizational units are not the same as security groups. The key... <a href="http://pcuserinfo.com/group-policy-management/" class="read-more">Read More &#8250;</a></p><p>The post <a href="http://pcuserinfo.com/group-policy-management/">Group Policy Management Structuring and Design</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></description>
				<content:encoded><![CDATA[<h3>Group Policy Management &#8211; Organizational Unit (OU) Design and Group Policy Objects (GPO) Implementation</h3>
<p>The first thing to keep in mind when it comes to group policy management is that organizational units are not the same as security groups. The key thing to remember is that a security group is used to assign permissions whereas an OU is just a container of objects.</p>
<p>Take care of properly designing your OU structure by considering the geographical or departmental location and needs of your users. <a href="http://pcuserinfo.com/wp-content/uploads/2012/09/Group-Policy-Management.jpg"><img class="alignright size-full wp-image-2228" title="group policy management console windows 7" alt="group policy management console windows 7" src="http://pcuserinfo.com/wp-content/uploads/2012/09/Group-Policy-Management.jpg" width="400" height="300" /></a></p>
<p>As you probably know, OUs most likely contain one or more child OUs which by default inherit security settings from the parent OU.</p>
<p>As usual, no matter the size of your company, try to keep it simple. The concept is very similar to AD design where a single domain in a single forest is the easiest to administer.</p>
<h3>Windows 7 Group Policy Management</h3>
<p>The same goes for OU structure: try to minimize the number of OUs in order to avoid too much complexity. Avoid creating additional administrative overhead by creating multiple OUs that are subject to the same GPO or security settings.</p>
<p>OUs are designed to make administration easier. Of course, do not oversimplify your OU structure either, as this might very easily override GPO settings required for specific users or computers.</p>
<p><span style="text-decoration: underline;"><strong>Group Policy Management Console</strong></span> &#8211; <a href="http://www.microsoft.com/en-us/download/details.aspx?id=21895" target="_blank">http://www.microsoft.com/en-us/download/details.aspx?id=21895</a></p>
<h3>What is Group Policy &#8211; Group Policy Management Editor</h3>
<p>The first thing to keep in mind is that GPOs are either applied to users or computers.</p>
<p><span style="text-decoration: underline;"><strong>Starter GPOs</strong></span></p>
<p>Multiple pre-configured GPO settings (3000+) are available in Windows Server 2008 R2. If you are not sure of the template you want, just right-click on a folder icon in the Group Policy Management Editor and choose Filter Options to enter your search criteria.</p>
<p><span style="text-decoration: underline;"><strong>Multiple local group policy objects (MLGPO)</strong></span></p>
<p>In the past, when you applied a local group policy restriction, all users including administrators would be affected by the GPO. MLGPO enables you to enforce different GPOs based on the group the user is a member of or on any individual user account.</p>
<p><span style="text-decoration: underline;"><strong>Site GPO</strong> </span></p>
<ul>
<li>GPO must already exist to link it to a site</li>
<li>Not very common except to define network settings</li>
</ul>
<p><span style="text-decoration: underline;"><strong>Domain Linked GPO</strong></span></p>
<p>General advice is to leave the default domain policy alone, as any changes made to this policy are domain-wide.</p>
<p>It is better to create a separate policy and scope and not touch the default domain policy.<br />
Order of Inheritance (Screenshot)</p>
<h3>Group Policy Management Scopes</h3>
<p>As a rule, child OU settings will take precedence over domain or site GPO settings. There are ways to override this behavior, but they should only be used if all other options are not fit for your strategy.</p>
<p>One way would be to “Block Inheritance”. Be very careful with this setting as it will block any other policies from being applied to the OU.<br />
Enforce GPO Settings will do just the opposite and should also be used sparingly.</p>
<h3>Advanced Group Policy Management</h3>
<p><span style="text-decoration: underline;"><strong>Filtering</strong></span></p>
<p>Very similar to using NTFS permissions. Go to the properties tab and check the Deny Group Policy Setting. (screenshot) As always, DENY overrides any other settings.</p>
<p>You should design the scope of management or inheritance of your OUs properly and only resort to enforce or block inheritance as a rare exception.</p>
<p><span style="text-decoration: underline;"><strong>WMI Filters allow you to filter GPOs based on</strong></span></p>
<ul>
<li>Hardware</li>
<li>Software Deployment</li>
</ul>
<p>If there is anyone out there using Group Policy to distribute software, read on. Suffice to say that it can be accomplished the MS way.</p>
<ul>
<li>Assigned – Software gets installed regardless of user consent</li>
<li>Published – user has the option to install</li>
<li>Has to be an msi file</li>
</ul>
<p><span style="text-decoration: underline;"><strong> Admx vs adm files</strong></span></p>
<p>In the old days –Win 2000 and earlier – we used to rely on Adm files, which were language dependent. They got replicated to all the SYSVOL folders in the domain so that every policy that is created also has every adm file connected to it stored in the SYSVOL. There often was an inconsistency between different language versions.</p>
<p><span style="text-decoration: underline;"><strong>Admx and Adml</strong></span></p>
<p>Admx files contain universal settings whereas the adml files contain language specific settings. These files can be stored in a central store making them a lot more efficient and less bulky than the adm files which had to be present in every SYSVOL volume in previous versions of Windows Server.</p>
]]></content:encoded>
			<wfw:commentRss>http://pcuserinfo.com/group-policy-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Domain Name Resolution and New DNS Features in Windows Server 2008 R2</title>
		<link>http://pcuserinfo.com/domain-name-resolution/</link>
		<comments>http://pcuserinfo.com/domain-name-resolution/#comments</comments>
		<pubDate>Fri, 03 Aug 2012 18:49:44 +0000</pubDate>
		<dc:creator>Mick</dc:creator>
				<category><![CDATA[Active Directory]]></category>

		<guid isPermaLink="false">http://pcuserinfo.com/?p=2074</guid>
		<description><![CDATA[<p>Domain Name Resolution Domain name resolution or domain name to IP resolution in Windows can be achieved by using the NetBIOS Extended User Interface (NETBUI) in combination with WINS as well as DNS. While the former two methods are a... <a href="http://pcuserinfo.com/domain-name-resolution/" class="read-more">Read More &#8250;</a></p><p>The post <a href="http://pcuserinfo.com/domain-name-resolution/">Domain Name Resolution and New DNS Features in Windows Server 2008 R2</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></description>
				<content:encoded><![CDATA[<h3>Domain Name Resolution</h3>
<p>Domain name resolution or domain name to IP resolution in Windows can be achieved by using the NetBIOS Extended User Interface (NetBEUI) in combination with WINS as well as DNS.</p>
<p>While the former two methods are a bit outdated and are said to become obsolete, they might still be required for some older legacy applications in your company that require single namespace resolution. <a href="http://pcuserinfo.com/wp-content/uploads/2012/08/domain-name-resolution.jpg"><img class="alignright size-full wp-image-2126" title="domain name resolution" alt="domain name resolution" src="http://pcuserinfo.com/wp-content/uploads/2012/08/domain-name-resolution.jpg" width="326" height="368" /></a></p>
<p>DNS resolves host names to IP addresses and contains several new features and enhancements in Windows Server 2008 R2 such as:</p>
<p><span style="text-decoration: underline;"><strong>Stub Zone Support</strong></span> – A zone that only contains a copy of the authoritative servers for a zone like the SOA and NS records without including all the records for the hosts registered in that zone.</p>
<p>Stub zones in Active Directory are useful to hold records of child domains and therefore delegate authority to that child domain for any records it is responsible for.</p>
<p>These are called Delegation or Glue Records. Likewise, you can use stub zones in the child domain to hold records pointing to the parent domain.<br />
To create a stub zone you must have administrator privileges on the target DNS server.</p>
<h3>Domain Name Resolution &#8211; Conditional Forwarding</h3>
<p>Without a stub zone a DNS server will forward a domain name resolution request to an upstream DNS server if it holds no records for the request in its database. This is called a recursive query as the upstream DNS server will contact other DNS servers if it has no record.</p>
<p>Conditional forwarding in Windows Server 2008 R2 means that you can configure a DNS server to forward queries for a particular domain space to one or more specified DNS servers. If no conditional forwarders are configured or the forwarder is unable to resolve the name the DNS server will fall back on its root hints in its attempt to resolve the name.</p>
<p>For security purposes it is generally recommended to remove the root hints from a domain controller. If the server used root hints to perform iterative queries it would be vulnerable to attacks from the Internet. Preferred practice is to use a caching-only forwarder to perform these queries on the public Internet.</p>
<h3>DNS Zone Transfers and Replication</h3>
<p>As long as the zone is Active Directory-integrated and the DNS service runs on a domain controller, it is automatically replicated to all DNS servers. These DNS servers must be specified to allow for zone transfer.</p>
<h3>Read Only Domain Controllers (RODCs)</h3>
<p>RODCs contain a primary read-only zone which can only be updated by pulling new DNS records from a writeable domain controller it has access to.</p>
<h3>DNS Security Extension (DNSSEC)</h3>
<p>Uses digital signatures and certificates to improve domain name resolution security.</p>
<h3>DNS Cache Locking</h3>
<p>Cache poisoning is a popular method in which malicious servers send the DNS server a response to write or overwrite an entry in the cache, so that the entry points to the attackers’ server. Windows Server 2008 R2 lets you lock down the cache.</p>
<h3>DNS Socket Pool</h3>
<p>Allows for a randomized pool of source ports as opposed to the known DNS ports and thus helps in reducing attack attempts.</p>
<h3>DNS Devolution</h3>
<p>Provides host name resolution for child domains. It will first append the domain namespace of the parent domain and subsequently append the namespace for each child domain to facilitate domain name resolution.</p>
<h3>Background Zone Loading</h3>
<p>While it could take a long time in large organizations to load the DNS data and start servicing clients, Windows Server 2008 R2 remedies this situation through background zone loading. Background Zone Loading in Windows Server 2008 R2 allows the server to respond to domain name resolution queries much faster by using information stored in Active Directory.</p>
<h3>GlobalNames DNS Zone</h3>
<p>While similar to WINS to resolve hostnames to a single namespace the GlobalNames zone is not supported for peer-to-peer name resolution. Instead the zone holds a CNAME resource record mapping a single-label name to a FQDN, usually belonging to corporate servers or websites.</p>
<h3>WINS Push and Pull</h3>
<p>As soon as a specified number of updated records have been reached in the WINS database the WINS server will push the updates to its peers.</p>
<p>Pull replication lets an administrator specify to allow updates at specific intervals.</p>
<h3>Windows Server 2008 R2 &#8211; New DNS Features in Domain Name Resolution</h3>
<ul>
<li>Background zone loading</li>
<li>RODC support</li>
<li>GlobalNames DNS Zone</li>
<li>Full support for IPv6 forward and reverse lookup</li>
</ul>
<p><span style="text-decoration: underline;"><strong>Windows Server 2008 R2 DNS Role</strong></span> &#8211; <a href="http://technet.microsoft.com/en-us/library/cc753635%28v=ws.10%29" target="_blank">http://technet.microsoft.com/en-us/library/cc753635%28v=ws.10%29</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcuserinfo.com/domain-name-resolution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Deployment Services (WDS)</title>
		<link>http://pcuserinfo.com/windows-deployment-services-wds/</link>
		<comments>http://pcuserinfo.com/windows-deployment-services-wds/#comments</comments>
		<pubDate>Sat, 30 Jun 2012 12:16:44 +0000</pubDate>
		<dc:creator>Mick</dc:creator>
				<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://pcuserinfo.com/?p=1875</guid>
		<description><![CDATA[<p>Windows Deployment Services Infrastructure The arguably easiest way to deploy a standalone installation of Windows is through a setup DVD or CD. Recent versions of Windows – starting from Windows Vista – are now based on WIM files which are... <a href="http://pcuserinfo.com/windows-deployment-services-wds/" class="read-more">Read More &#8250;</a></p><p>The post <a href="http://pcuserinfo.com/windows-deployment-services-wds/">Windows Deployment Services (WDS)</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></description>
				<content:encoded><![CDATA[<h3>Windows Deployment Services Infrastructure</h3>
<p>Arguably the easiest way to deploy a standalone installation of Windows is through a setup DVD or CD. Recent versions of Windows – starting from Windows Vista – are now based on WIM files which are image based. Unlike Ghost or any other third party imaging software that uses sector-based images, WIM files contain disk images that are file-based.</p>
<p>This means that there is a WIM file containing the basic OS setup which can then access other files to create the different Windows editions. This also explains why since Vista all Windows editions are available on a single DVD. <a href="http://pcuserinfo.com/wp-content/uploads/2012/06/Windows-Deployment-Services.jpg"><img class="alignright size-full wp-image-1886" title="windows deployment services windows 7" alt="windows deployment services windows 7" src="http://pcuserinfo.com/wp-content/uploads/2012/06/Windows-Deployment-Services.jpg" width="400" height="300" /></a></p>
<p>Another advantage of the WIM file architecture is that it can be modified before, during and after deployment using tools such as ImageX, Dism and Windows SIM.</p>
<p>Also don’t forget that the WIM image file format is hardware independent so it can be used to install an OS on different hardware platforms.</p>
<p>Microsoft Windows Deployment Services requires Windows Server 2008 with the WDS service installed as well as ADDS, DNS, DHCP and the NTFS file system.</p>
<p>For more information on using WIM installation methods visit this link <a href="http://pcuserinfo.com/windows-7-virtual-hard-disk-vhd-drive-image-virtual-machine-backup-restore">http://pcuserinfo.com/windows-7-virtual-hard-disk-vhd-drive-image-virtual-machine-backup-restore</a></p>
<h3>Windows Deployment Services Configuration</h3>
<p>WDS relies on the DHCP PXE boot service, or on boot disks for clients which do not support this technology, to make a connection to a bare-metal client.</p>
<p>In Windows Server 2008 R2 WDS provides a server based central management solution for installing any OS starting from Windows XP, Windows Server 2003 and later versions.</p>
<p>The easiest way to install WDS is through the Add Roles Wizard. Once the wizard starts it will begin by creating the central image store.</p>
<p>Next, it will check whether the server is a DHCP server. If there is another dedicated DHCP server on the network you should accept the default values of Do not listen on port 67 and Configure DHCP option 60 to PXE client. That way the DHCP server will service all requests for the WDS server while at the same time disabling these services on the WDS server, which prevents conflicts caused by 2 servers trying to listen on the same port.</p>
<p>Next you will be asked how to respond to client requests, which can be No response, Respond only to known (pre-staged) computers or Respond to all, which is obviously the most insecure.</p>
<p>At the completion of the wizard you are given the option to add boot and install images to the image store. These can be found on the installation DVD. Bear in mind that you do need different boot and install images for an x64 or x86 version of Windows.</p>
<p>After that you will need to create an image group which basically shares the files in the group across a single instance. For more information on fine-tuning WDS through the properties menu visit.</p>
<h3>WDS Image Types</h3>
<ul>
<li><strong><span style="text-decoration: underline;">Boot Image</span></strong> – Contains Windows PE and the WDS client and offers a boot menu so the client can select which OS to install</li>
<li><strong><span style="text-decoration: underline;">Install Image</span></strong> – Starts the installation via PXE boot</li>
<li><strong><span style="text-decoration: underline;">Capture Image</span></strong> – Used to make a copy or capture of a master computer</li>
<li><strong><span style="text-decoration: underline;">Discover Image</span></strong> – Used to boot clients that do not have a PXE compatible NIC and start the installation from an Install image</li>
</ul>
<p>Windows Deployment Services &#8211; <a href="http://technet.microsoft.com/en-us/library/dd348502%28v=ws.10%29.aspx">http://technet.microsoft.com/en-us/library/dd348502%28v=ws.10%29.aspx</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pcuserinfo.com/windows-deployment-services-wds/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Configuring Computer Networking</title>
		<link>http://pcuserinfo.com/computer-networking/</link>
		<comments>http://pcuserinfo.com/computer-networking/#comments</comments>
		<pubDate>Sat, 09 Jun 2012 16:19:10 +0000</pubDate>
		<dc:creator>Mick</dc:creator>
				<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://pcuserinfo.com/?p=1807</guid>
		<description><![CDATA[<p>Configuring Computer Networking  None – No Encryption or Authentication Some wireless access points require the user to accept a user agreement before being able to log on to the network. You can provide encryption through VPN, DirectAccess or IPsec to... <a href="http://pcuserinfo.com/computer-networking/" class="read-more">Read More &#8250;</a></p><p>The post <a href="http://pcuserinfo.com/computer-networking/">Configuring Computer Networking</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></description>
				<content:encoded><![CDATA[<h3>Configuring Computer Networking</h3>
<p><strong>None – No Encryption or Authentication</strong></p>
<ul>
<li>Some wireless access points require the user to accept a user agreement before being able to log on to the network. You can provide encryption through VPN, DirectAccess or IPsec to enable some form of security.</li>
</ul>
<p><strong>Wired Equivalent Protection (WEP)</strong></p>
<ul>
<li>64 or 128 bit encryption</li>
<li>Sufficient to provide basic protection and almost universally supported</li>
</ul>
<p><strong>Wi-Fi Protected Access (WPA)</strong></p>
<ul>
<li>Offers significantly stronger encryption compared to WEP</li>
</ul>
<p><a href="http://pcuserinfo.com/wp-content/uploads/2012/06/Networks.jpg"><img class="aligncenter  wp-image-1826" title="Network Security" alt="Network Security" src="http://pcuserinfo.com/wp-content/uploads/2012/06/Networks.jpg" width="400" height="300" /></a></p>
<p><strong>WPA – Personal Shared Key (PSK)</strong></p>
<ul>
<li>Should be avoided if possible as WPA-PSK uses a static key which is difficult to manage in an enterprise environment.</li>
<li>WPA – Extensible Authentication Protocol (EAP) or WPA – Enterprise<br />
Requires a RADIUS server for authentication and allows multiple wireless access points to rely on one central server for authentication.</li>
<li>Network Policy Server (NPS) can pass authentication requests to a domain controller and allows for flexible authentication without the need for a static key.</li>
</ul>
<p>Windows Server 2008 R2 Enterprise and Datacenter support NPS without restriction whereas Windows Server 2008 R2 Standard supports a maximum of 50 clients and 2 remote RADIUS server groups.</p>
<p>Use a Public Key Infrastructure (PKI) to deploy certificates to both your RADIUS server and wireless client computers and enable autoenrollment. RADIUS proxy servers can be used to forward requests to different RADIUS servers in the forest or to load-balance requests across multiple servers.</p>
<p><strong>WPA2 (IEEE 802.11i)</strong></p>
<ul>
<li>Updated, even more secure version of the original WPA</li>
</ul>
<p><span style="text-decoration: underline;">Network Access Protection (NAP)</span> &#8211; <a href="http://technet.microsoft.com/en-us/network/bb545879.aspx" target="_blank">http://technet.microsoft.com/en-us/network/bb545879.aspx</a></p>
<h3>Windows Server 2008 R2 Wireless Network Authentication Modes</h3>
<p><strong>Computer or User</strong></p>
<p>Windows uses computer credentials to authenticate prior to logon, after which it checks the user credentials before the network can be accessed.</p>
<p><strong>Computer Only</strong></p>
<p>No user authentication is required as the computer authenticates to the network before displaying the logon screen.</p>
<p><strong>Single Sign On (SSO)</strong></p>
<p>Supported by Windows Vista, Windows 7 and Windows Server 2008</p>
<h3>Remote Access – Dial-Up and VPN</h3>
<p>Dial-Up connections use an analog phone line to establish a connection to the network and are therefore very secure as you are not connected to the Internet.</p>
<p>Dial-Up access is very costly if you have many clients in your network as each is using a dedicated connection with very low bandwidth. Just like wireless networks, you can deploy a RADIUS server to handle authentication requests for Dial-Up clients.</p>
<p>VPNs on the other hand share a single internet connection thereby significantly reducing costs as your organization will already have an Internet connection and all that might be required is to purchase some extra bandwidth.</p>
<p>The drawback is that an Internet connection is mandatory and that you must allow incoming traffic through your firewall. You could use a Dial-Up connection and then create a VPN tunnel but the added overhead of VPN and the poor latency it provides would offer very poor performance.</p>
<p><strong>Point-to-Point Tunneling Protocol (PPTP)</strong></p>
<p>Originally a Microsoft technology that uses Point-to-Point (PPP) authentication for the user and Microsoft Point-to-Point Encryption (MPPE) for data encryption. No client certificate is required when using PEAP-MS, EAP_MS, EAP-MS-CHAP or MS-CHAP V2.</p>
<p><strong>Layer Two Tunneling Protocol (L2TP)</strong></p>
<p>An open standard VPN protocol relying on PPP authentication for user-level authentication and IPsec for computer-level authentication as well as data authentication, data integrity and data encryption. Requires computer certificates, which in the Windows world is achieved by using Active Directory Certificate Services. L2TP is for now the only technology that can be used over the IPv6 Internet.</p>
<p><strong>Secure Socket Tunneling Protocol (SSTP)</strong></p>
<p>Uses PPP authentication methods for user-level authentication while relying on HTTP encapsulation over SSL for data authentication, integrity and encryption. This enables it to traverse many firewalls, NAT and proxy servers that would block traditional PPTP or L2TP traffic. SSTP is only supported on Windows Server 2008 and Windows Vista SP 1 and up and requires a CA.</p>
<p><strong>DirectAccess</strong></p>
<p>Only available in Windows 7 Enterprise, Windows 7 Ultimate and Windows Server 2008 R2 and requires the IPv6 protocol. Therefore transitional technologies such as 6to4, Teredo and ISATAP are mandatory in most networks. Also don’t forget to add firewall exceptions when using DirectAccess. For DirectAccess to work you need the following:</p>
<ul>
<li>A multi-homed DirectAccess server which is a member of a domain but NOT a domain controller, with 2 consecutive IPv4 addresses assigned to the public interface</li>
<li>DirectAccess clients must be joined to a domain and running Windows 7 Enterprise, Ultimate or Windows Server 2008 R2</li>
<li>An AD domain which holds the Network Location Service Role (NLS) including IIS and the SSL certificate service</li>
<li>A PKI through a CA to support IPsec as well as a DNS server running at least Windows Server 2008 SP2</li>
<li>Application servers and a network infrastructure that support IPv6 or similar transition technologies</li>
</ul>
<p><strong>End-to-Edge Protection</strong></p>
<p>Clients connect securely (encryption and authentication) to a DirectAccess server and can then communicate on the intranet with servers that do not support IPv6. Application servers however must support IPv6.</p>
<p><strong>End-to-End Protection</strong></p>
<p>Clients connect directly to application servers using IPv6 and IPsec over both the Internet and the intranet. The DirectAccess server functions very much as a router forwarding traffic without accessing the content. This offers the highest level of security and requires the application servers to be running Windows Server 2008 or higher in combination with IPv6 and IPsec.</p>
]]></content:encoded>
			<wfw:commentRss>http://pcuserinfo.com/computer-networking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Active Directory DNS</title>
		<link>http://pcuserinfo.com/active-directory-dns/</link>
		<comments>http://pcuserinfo.com/active-directory-dns/#comments</comments>
		<pubDate>Sun, 13 May 2012 14:11:31 +0000</pubDate>
		<dc:creator>Mick</dc:creator>
				<category><![CDATA[Active Directory]]></category>

		<guid isPermaLink="false">http://pcuserinfo.com/?p=1717</guid>
		<description><![CDATA[<p>Active Directory DNS Records When a computer that is part of a domain using Active Directory integrated DNS boots up it queries the Service Record ( SRV) from a Domain Name System ( DNS) server to locate the nearest domain... <a href="http://pcuserinfo.com/active-directory-dns/" class="read-more">Read More &#8250;</a></p><p>The post <a href="http://pcuserinfo.com/active-directory-dns/">Active Directory DNS</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></description>
				<content:encoded><![CDATA[<h3>Active Directory DNS Records</h3>
<p>When a computer that is part of a domain using Active Directory integrated DNS boots up it queries the Service Record (SRV) from a Domain Name System (DNS) server to locate the nearest domain controller. DNS basically enables the translation of IP addresses into Fully Qualified Domain Names (FQDNs).</p>
<p>So instead of contacting a host through its IP address you can just type in a name like somesite.com which is a lot easier to remember for humans than let’s say 158.56.23.45 which of course is an IP address. <a href="http://pcuserinfo.com/wp-content/uploads/2012/05/DNS-Active-Directory.jpg"><img class="alignright  wp-image-1740" title="DNS Active Directory" alt="DNS Active Directory" src="http://pcuserinfo.com/wp-content/uploads/2012/05/DNS-Active-Directory.jpg" width="400" height="300" /></a></p>
<p>DNS plays a major role in Active Directory and can be used to run independently on a perimeter network.</p>
<p>All DNS communication – whether it be on your internal network or the Internet – always uses UDP port 53.</p>
<p>The root of the DNS hierarchy is the dot (.) after which you have the .com, .biz, .net, .info and other suffixes.</p>
<h3>Active Directory Domain Name Resolution</h3>
<p>Active Directory heavily relies on DNS to match IP addresses to names. DNS therefore provides host records contained in zones specifying a given name resolution for a specific namespace.</p>
<h3>DNS and Active Directory &#8211; IPv6 Addresses</h3>
<p>IPv6 addresses are made up of 128 bits, which gives us a lot more addresses than the 32-bit IPv4 range that has almost been depleted globally. An IPv6 address is written as eight 16-bit pieces in hexadecimal format. This should enable us to support addressing on the Internet for a long time.</p>
<p>•    Link-Local – FE80:: &#8211; Similar to IPv4 APIPA addresses that get allocated when no DHCP server can be contacted<br />
•    Site-Local – FEC0:: -  Equivalent to IPv4 internal addresses such as 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16<br />
•    Loopback &#8211; ::1 – Similar to 127.0.0.1 in IPv4<br />
•    Unspecified &#8211; :: &#8211; Comparable to 0.0.0.0 in IPv4 and thus indicating an absence of address<br />
•    Global Unicast – Unique addresses that are routable on the Internet</p>
<h3>Active Directory DNS Setup &#8211; Peer Name Resolution Protocol (PNRP)</h3>
<p>The Peer Name Resolution Protocol (PNRP) relies on peer systems to resolve computer names in Windows 7 and Server 2008 R2. This means that, unlike DNS, there is no hierarchical structure, as each server or computer holds a record for the name to be resolved. The computer just contacts all other computers or servers until it gets an authoritative answer, thereby greatly reducing the security risk of a single-point DNS server failing.</p>
<h3>DNS in Active Directory &#8211; Global Names Zone (GNZ)</h3>
<p>The Global Names Zone replaces WINS but must be configured manually and is only suitable when you have a small number of clients to handle. It is useful for older applications that cannot work with the more complex FQDN structure. If a multitude of applications or users require single-name resolution then WINS will have to be implemented.</p>
<h3>Active Directory DNS Structures</h3>
<p>•    Dynamic DNS servers – Default mode when running DCpromo or when installing an AD integrated DNS server. DDNS enables computers and devices to self-register in Active Directory as long as these devices or computers belong to a known entity within AD <a href="http://pcuserinfo.com/wp-content/uploads/2012/05/www.jpg"><img class="alignright  wp-image-1738" title="Active Directory DNS best practices" alt="Active Directory DNS best practices" src="http://pcuserinfo.com/wp-content/uploads/2012/05/www.jpg" width="414" height="290" /></a></p>
<p>•    Read-Write DNS Servers – Usually a primary DNS server that is deployed in perimeter networks and will accept writes from trusted sources</p>
<p>•    Read-Only DNS Servers – Primarily secondary DNS servers that hold a read-only copy of the primary DNS server.</p>
<p>In Windows 2008 we also have the read-only domain controller (RODC) which runs primary read-only zones when integrated in AD DS.</p>
<p>Remember that RODCs provide a copy of the primary zone, whereas traditionally read-only zones are secondary zones.</p>
<p>•    Stub Zones – Contain pointers to other DNS servers</p>
<h3>Active Directory DNS Namespaces</h3>
<p>It is considered best practice to use different extensions for your internal and external network, such as .com for external and maybe .local for your internal network. The segregation of your internal network from the Internet is commonly called Split-Brain DNS.<br />
For more information on split-brain DNS setups, go to<br />
<a href="http://technet.microsoft.com/en-us/library/ee382323(WS.10).aspx" target="_blank">http://technet.microsoft.com/en-us/library/ee382323(WS.10).aspx</a></p>
<h3>Active Directory DNS Delegation</h3>
<p>When you create a domain tree in an existing forest you have to manually configure delegation before the root tree is created. This is because the name of the domain tree is different from the forest root domain. If however you create a child domain in the same forest this process is automated for the same reasons.</p>
<h3>Active Directory DNS – Windows Server 2008 R2</h3>
<p><span style="text-decoration: underline;"><strong>DNS Security Extensions</strong></span></p>
<p>DNS Security Extensions (DNSSEC) provides additional security against spoofing, man-in-the-middle and cache poisoning attacks. It sends digitally signed records. To enable DNSSEC you will need to edit the registry.<br />
<a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7a005a14-f740-4689-8c43-9952b5c3d36f&amp;displaylang=en">http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7a005a14-f740-4689-8c43-9952b5c3d36f&amp;displaylang=en</a></p>
<p><span style="text-decoration: underline;"><strong>Active Directory DNS Cache Locking</strong></span></p>
<p>DNS Cache Locking prevents malicious users from poisoning the DNS cache in order to redirect queries to their servers. In Windows Server 2008 the cache cannot be overwritten until its TTL has expired. The percentage of the TTL during which cached entries stay locked can be changed by running the command dnscmd /Config /CacheLockingPercent percentvalue</p>
<p><strong><span style="text-decoration: underline;">Active Directory DNS Socket Pool</span></strong></p>
<p>When DNS Socket Pools are in use with Windows Server 2008 random ports get picked to perform DNS queries. This protects against attackers and randomizes the ports used. Socket Pools can be configured by editing the registry.</p>
<p><strong><span style="text-decoration: underline;">Active Directory DNS Devolution</span></strong></p>
<p>For more information on devolution behaviour in Windows Server 2008 R2 and Windows 7,<br />
go to <a href="http://technet.microsoft.com/en-us/library/ee683928%28WS.10%29.aspx">http://technet.microsoft.com/en-us/library/ee683928%28WS.10%29.aspx</a></p>
<h3>Active Directory Without DNS &#8211; Background Zone Loading</h3>
<p>Whenever an AD DS integrated DNS server holds a large number of zones and records, it needs to load all that data before servicing requests. Background loading enables the server to start processing requests while loading its zone data.</p>
<p>The post <a href="http://pcuserinfo.com/active-directory-dns/">Active Directory DNS</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://pcuserinfo.com/active-directory-dns/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Server 2008 Group Policy Management</title>
		<link>http://pcuserinfo.com/windows-server-2008-group-policy-management/</link>
		<comments>http://pcuserinfo.com/windows-server-2008-group-policy-management/#comments</comments>
		<pubDate>Sun, 06 May 2012 11:29:56 +0000</pubDate>
		<dc:creator>Mick</dc:creator>
				<category><![CDATA[Active Directory]]></category>

		<guid isPermaLink="false">http://pcuserinfo.com/?p=1680</guid>
		<description><![CDATA[<p>Group Policy Management in Windows Server 2008 R2 Windows Group Policy management consists of  a setting for defining the configuration, a scope to define the users or computers the policy applies to and finally an application which enforces these settings... <a href="http://pcuserinfo.com/windows-server-2008-group-policy-management/" class="read-more">Read More &#8250;</a></p><p>The post <a href="http://pcuserinfo.com/windows-server-2008-group-policy-management/">Windows Server 2008 Group Policy Management</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></description>
				<content:encoded><![CDATA[<h3>Group Policy Management in Windows Server 2008 R2</h3>
<p>Windows Group Policy management consists of a setting for defining the configuration, a scope to define the users or computers the policy applies to, and finally an application which enforces these settings within the scope. Group Policy is a part of Active Directory and allows you to centrally manage clients and servers alike.</p>
<h3>AD Group Policy Management and Group Policy Objects (GPOs)</h3>
<p>A Group Policy Object contains one or more policy settings enabling it to apply these configuration settings to a user or computer. GPOs can be managed and created in Active Directory through the use of the Group Policy Management Console (GPMC). You can link a GPO to a site, domain or OU which thereby defines its scope. <a href="http://pcuserinfo.com/wp-content/uploads/2012/05/Group-Policy-Power-Management-400_400_cropped.jpg"><img class="alignright size-full wp-image-1701" title="Group Policy Power Management " alt="Group Policy Power Management" src="http://pcuserinfo.com/wp-content/uploads/2012/05/Group-Policy-Power-Management-400_400_cropped.jpg" width="329" height="361" /></a></p>
<p>Two types of filters for narrowing the scope are security filters which apply to specific global security groups as well as Windows Management Instrumentation (WMI) filters which are linked to the characteristics of the operating system (OS).</p>
<p>Windows Server 2008 comes with a third filter called Preferences.</p>
<h3>Install Group Policy Management &#8211; Group Policy Configuration</h3>
<p>Group Policy is applied to users and/or computers and has 3 states – Not configured, enabled or disabled. The standard setting for a new GPO is Not Configured which means that the policy has no effect on the existing configuration.  It is only by enabling or disabling that you make changes to the existing configuration of a computer or user.</p>
<p>Some policies only affect certain editions of Windows so be sure to read the policy settings explanatory text in the Group Policy Management Editor detail pane.</p>
<h3>Group Policy Client-Side Extensions (CSEs)</h3>
<p>Several dozen CSEs, such as security CSEs, CSEs that install software or others that process startup and logon scripts, are present in Windows now. They are all client driven and pull the GPO from the domain, as opposed to a server-driven push technology triggering the CSE to apply the GPO settings on the client.</p>
<p>Standard CSE behavior is to only apply settings in a GPO if that GPO has changed to eliminate the need for redundant policy processing. Some settings could however be changed on the client computer especially if the user has local administrator rights. If this is the case, consider using CSEs that reapply policy settings at the next Group Policy refresh even when policy settings have not changed.</p>
<p>The only exceptions to this rule are Security CSEs, which are reapplied every 16 hours by default even if a GPO has not changed. Group Policy refresh happens every 90 minutes to 120 minutes thereafter and can be forced by running the command Gpupdate /force.<br />
Resultant Set of Policy (RSOP)</p>
<h3>Advanced Group Policy Management</h3>
<p>Computers and users are likely to be within the scope of multiple GPOs linked to the specific site or domain they belong to. RSOP allows you to view the effective policies of these combined GPOs much like effective permissions when dealing with folder rights.</p>
<p><strong>Local GPOs </strong></p>
<p>Starting from Windows 2000 all clients contain at least one local GPO where all policies – except the Security Settings – are set to Not Configured. Once the computer becomes part of a domain local GPOs get overridden by the domain or site GPO in AD.</p>
<p><strong>AD-Based GPOs</strong></p>
<p>When AD DS is installed, these two GPOs are created by default:</p>
<ul>
<li><span style="text-decoration: underline;">Default Domain Policy</span><br />
Contains no Security groups or WMI filters and affects all users and computers in the domain including servers.<br />
Takes care of password, account lockout and Kerberos policies</li>
<li><span style="text-decoration: underline;">Default Domain Controllers Policy</span><br />
Applied to the domain controllers OU only and should be used for auditing policies.</li>
</ul>
<h3>Group Policy Management Tools &#8211; GPO Components</h3>
<p>A GPO consists of two components – the Group Policy Container (GPC) linked to the Group Policy Template (GPT) which contains the settings for a particular GPO. The GPC defines the settings for a GPO whereas the GPT contains the specific settings you apply.<br />
Incremental version numbers keep track of the changes you make to any GPO and enable CSEs to discover that a policy has changed and needs updating during a policy refresh.</p>
<p>The GPC is replicated between domain controllers by the Directory Replication Agent (DRA) which in turn relies on the Knowledge Consistency Checker (KCC). The replication can be configured manually but usually happens within seconds between domains and between sites depending on your configuration.</p>
<p>The GPT on the other hand is located in the SYSVOL folder which is replicated by using either the File Replication Service (FRS) or Distributed File System Replication (DFS-R) if all your servers are running Windows Server 2008 or later.</p>
<p>The above also implies that both can be out of sync, albeit for a short time. Clients will recognize this and will not process a new GPO until the GPT and GPC are in sync. To avoid conflicts and identify problems or version mismatches you can use Gpotool, available from the Microsoft Download Center.</p>
<h3>Group Policy Manager &#8211; Group Policy Settings Console</h3>
<ul>
<li><span style="text-decoration: underline;">Software Settings</span><br />
Provides a way to install and manage software. Allows independent software vendors to add templates for configuration.</li>
<li><span style="text-decoration: underline;">Windows Settings</span><br />
Includes scripts – startup/shutdown (computer), logon/logoff (user) – as well as security settings and policy-based QoS nodes.</li>
<li><span style="text-decoration: underline;">Administrative Templates</span><br />
Contains registry-based Group Policy settings</li>
<li><span style="text-decoration: underline;">Preferences</span><br />
Only available since Windows Vista and requires the download of the correct version of the Remote Server Administration Tools (RSAT)<br />
Contains more than 20 extra CSEs to configure loads of additional settings</li>
</ul>
<h3>Group Policy Management Tool &#8211; Group Policy Central Store</h3>
<p>Administrative templates used to have an .adm extension in versions prior to Windows Vista and used to be stored as part of a GPT in the SYSVOL folder. If used in multiple GPOs, multiple instances of the same template are stored, causing SYSVOL bloat.</p>
<p>Starting from Windows Vista and Server 2008, administrative templates are defined by two XML files: .admx to identify registry changes and .adml to provide language-specific settings. Any changes to be made can be applied to the .admx file and are automatically applied to all GPOs involved.</p>
<p><span style="text-decoration: underline;"><strong>Group Policy Management Editor</strong></span>- <a href="http://technet.microsoft.com/en-us/windowsserver/bb310732" target="_blank">http://technet.microsoft.com/en-us/windowsserver/bb310732</a></p>
<p>The post <a href="http://pcuserinfo.com/windows-server-2008-group-policy-management/">Windows Server 2008 Group Policy Management</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://pcuserinfo.com/windows-server-2008-group-policy-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Active Directory Groups and Domain Services</title>
		<link>http://pcuserinfo.com/active-directory-groups/</link>
		<comments>http://pcuserinfo.com/active-directory-groups/#comments</comments>
		<pubDate>Tue, 01 May 2012 14:59:49 +0000</pubDate>
		<dc:creator>Mick</dc:creator>
				<category><![CDATA[Active Directory]]></category>

		<guid isPermaLink="false">http://pcuserinfo.com/?p=1644</guid>
		<description><![CDATA[<p>Active Directory Groups and Domain Services Administration Active Directory as a directory service provides information on enterprise resources such as  active directory users and groups as well as computers. To make it easier to manage objects these resources are divided... <a href="http://pcuserinfo.com/active-directory-groups/" class="read-more">Read More &#8250;</a></p><p>The post <a href="http://pcuserinfo.com/active-directory-groups/">Active Directory Groups and Domain Services</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></description>
				<content:encoded><![CDATA[<h3>Active Directory Groups and Domain Services Administration</h3>
<p>Active Directory as a directory service provides information on enterprise resources such as Active Directory users and groups as well as computers. To make it easier to manage objects, these resources are divided into Organizational Units (OUs), providing an Active Directory OU structure. Active Directory groups, on the other hand, are meant for controlling access to AD objects.</p>
<p><strong>Active Directory Groups and Domain Services</strong> -<a href="http://technet.microsoft.com/en-us/library/cc268216.aspx" target="_blank"> http://technet.microsoft.com/en-us/library/cc268216.aspx</a></p>
<h3>Organizational Units (OUs) &#8211; Active Directory</h3>
<p>The best way to think of an Active Directory OU design is by comparing it to the folder hierarchy of a common disk drive. Just as you make folders to group similar documents or other data, you would collect similar objects in the same OU for the purpose of easy administration. OUs should therefore reflect the administrative structure of your organization. <a href="http://pcuserinfo.com/wp-content/uploads/2012/05/Active-Directory-Domain-Services.jpg"><img class="alignright size-full wp-image-1651" title="Active Directory Groups" alt="Active Directory Groups" src="http://pcuserinfo.com/wp-content/uploads/2012/05/Active-Directory-Domain-Services.jpg" width="400" height="300" /></a></p>
<p>Keep in mind that OUs are not used to assign permission to resources as this is what Active Directory groups are for. Users belong to Active Directory security groups which are in turn given permission to resources.</p>
<p>An OU in Active Directory is simply an administrative container enabling you to manage users and groups contained within that OU.</p>
<p>In Windows Server 2008 OUs are automatically protected from accidental deletion. You will not be able to delete an OU unless you disable this protection in advanced features.</p>
<h3>Group Objects, Types and Scopes</h3>
<p>Groups are meant to create a single point of management for objects in Active Directory such as users, computers or even other groups.</p>
<p>They are commonly used to grant or deny permissions to a shared folder to a group rather than a single user. In order to effectively manage even a simple organization you need to create security groups in Active Directory for two distinct purposes:</p>
<ul>
<li>Role Defining Groups – based on common business needs such as location and job type</li>
<li>Management Rule Defining Groups – based on how the resources need to be managed and accessed</li>
</ul>
<p>A Security Group can be given permission to resources and can also be configured as an email distribution list.</p>
<p>A Distribution Group eliminates the requirement for access to resources and is therefore only used as an email distribution list. This Group does not contain a SID and should be used for email distribution lists to avoid overhead network traffic generating unnecessary access tokens.</p>
<p>A Global Group defines or identifies objects by job roles, location and so forth. Global groups are available to any trusted domains.</p>
<p>A Domain Local Group is used to bundle users that need access to similar resources. It is replicated to all domain controllers in the same domain only.</p>
<p>A Universal Group contains users and groups from multiple domains and is therefore useful in multi-domain forests.</p>
<h3>Group Nesting or IGDLA</h3>
<p>Identities (Users and Computers) are members of</p>
<p>Global Groups which represent business roles and are in turn members of</p>
<p>Domain Local Groups representing management roles such as read and write permissions to a folder</p>
<p>Access to Resources is granted by adding the domain local group to the ACL of the folder in question</p>
<h3>Shadow Groups</h3>
<p>The major difference between an OU and a group is that an object can only exist within the context of a single OU whereas a security principal can belong to many groups.</p>
<p>One of the challenges includes managing an OU where you want to grant all users permission to a folder while this is not possible on the OU level.</p>
<p>This is where shadow Active Directory groups bring relief. You create a group and then just copy all the users of the OU into that group granting them the required permissions. Bear in mind that when you add or remove a user from the OU, you must do the same manually in the shadow group and vice versa.</p>
<h3>Default Groups</h3>
<ul>
<li>Enterprise Admins &#8211; full control over any domain controllers in the forest</li>
<li>Schema Admins – full control over the AD schema</li>
<li>Administrators (Builtin) – full control over all domain controllers in a domain. Full control in the forest root domain which means they can manage Enterprise, Schema and domain admins</li>
<li>Domain Admins – Inherits all capabilities of the administrators group in a domain and is added to each client computer</li>
<li>Server Operators (Builtin) – Can log on locally to perform maintenance tasks on domain controllers. Account has no members by default</li>
<li>Account Operators &#8211; Can perform maintenance tasks on any OU except the Domain Controllers OU. Account has no members by default</li>
<li>Backup Operators (Builtin) &#8211; Account has no members by default</li>
<li>Print Operators – Can log on locally and shut down domain controllers</li>
</ul>
<h3>Special Identities</h3>
<ul>
<li>Anonymous Logon – member of the Everyone group in versions prior to Server 2003</li>
<li>Authenticated Users – Does not include Guest account</li>
<li>Everyone – Authenticated users and guest</li>
<li>Interactive – locally logged on users as well as remote desktop users</li>
<li>Network – users accessing resources over the network</li>
</ul>
<h3>Relative Distinguished Names (RDNs) Common Names (CNs) and Domain Components (DCs)</h3>
<p>Each object in Active Directory has a unique Distinguished Name (DN). The DN of an object is unique within the directory whereas the RDN of an object should be unique within its container or OU.</p>
<p>This is similar to not being able to create two documents or folders with the same name in the same folder.<br />
As an example – DN: CN=Bob Baker,OU=User Accounts,DC=baker,DC=com</p>
<h3>Name and Account Properties</h3>
<ul>
<li>Logon Name (Pre-Windows 2000) – the samid should be unique within the organization. The sAMAccountName should therefore be a unique, name-independent logon based on an employee number and so forth</li>
<li>User Logon Name – the userPrincipalName (UPN) consists of the logon name and the UPN suffix which is by default the DNS name of the domain where the object was created</li>
<li>Name – Should be unique in the OU and is the first part of the DN attribute which should be unique in the forest</li>
<li>Relative Distinguished Name (RDN) – Should be unique within an OU meaning the CN attribute must be unique in the OU. Easiest way to accomplish this is by including an employee number for example</li>
<li>Display Name – No requirement for unique names that appear in the Microsoft Exchange Global Address List (GAL)</li>
</ul>
<h3>DS Command Line Options</h3>
<ul>
<li><strong>DSQuery</strong> to find objects in the directory</li>
<li><strong>DSAdd</strong> to create objects</li>
<li><strong>DSGet</strong> to return specific attributes of an object</li>
<li><strong>DSMod</strong> to modify attributes of an object</li>
<li><strong>DSMove</strong> to move an object to a new container or OU</li>
<li><strong>DSRm</strong> to remove an object and/or all objects in the subtree</li>
</ul>
<p>Most commands are run by specifying the object type (e.g. user) as well as the object DN in quotes.</p>
<h3>Windows PowerShell</h3>
<p>Windows PowerShell is the recommended tool for performing and automating administrative tasks in Windows Server R2. System administration tasks can be performed by using command-lets (cmdlets), modules or snap-ins. A module or snap-in is a package of cmdlets and/or other items.</p>
<p>Windows PowerShell is also backward compatible with cmd.exe, making it easy to perform familiar tasks such as ipconfig, ping or nslookup. Windows PowerShell returns objects which can have properties – or attributes – that represent data maintained by the object, such as a user's first and last name.</p>
<p>Objects include methods which are actions you can perform on the object.</p>
<h3>Comma-Separated Values Data Exchange (CSVDE) and LDIFDE</h3>
<p><strong>CSVDE</strong> is a powerful tool that can assist administrators in importing existing user information – such as user accounts &#8211; from MS Excel or MS Access databases. It can import and export AD objects from or to comma-delimited (.csv) text files.</p>
<p>It cannot be used to import passwords so you will need to reset the user password on any account imported as well as enable the account.</p>
<p>The LDAP Data Interchange Format (LDIF) is a file format which can be utilized to perform batch operations against directories that conform to LDAP standards. Unlike CSVDE, <strong>LDIFDE</strong> can be used to modify or remove objects in the directory.</p>
<p>LDIFDE is also capable of importing user passwords. Remember that these accounts will be disabled until you reset the passwords and enable the accounts.</p>
<h3>Inheritable Permissions</h3>
<p>The Discretionary Access Control List (DACL), which is a part of the object's Access Control Entry (ACE) assigned to users and Active Directory groups, controls the security principals. This simply means assigning permissions that manage access to objects and properties in Active Directory, such as resetting passwords or changing files in a folder.</p>
<p>Note that not every permission is inheritable and inheritance can be scoped to specific object classes. Generally speaking, new objects inherit permissions from the parent OU or container.<br />
This can be manually modified by</p>
<ul>
<li>Disabling inheritance in the advanced settings of the new object</li>
<li>Allowing inheritance while overriding it with an explicit permission assigned to the child object. Explicit permissions always override inherited permissions to the extent that an explicit Allow permission will override an inherited Deny permission</li>
<li>Scoping the inheritance permission by changing the inheritance properties on the parent object. This is considered best practice as it defines the Access Control List (ACL) at its source rather than overriding permissions further down the line</li>
</ul>
<p>You can use Delegation of Control Wizard to assign specific administrative tasks to appropriate groups and individuals.</p>
<h3>User Account Templates</h3>
<p>User account templates are generic user accounts prepopulated with common properties. Take care to disable this account for security purposes. When you create a new user you can just simply copy this template saving you the time of having to fill out each property again. Not all attributes can be copied and following is a list summarizing the attributes that do get copied.</p>
<ol>
<li>General</li>
<li>Address</li>
<li>Account</li>
<li>Profile</li>
<li>Organization</li>
<li>Member Of</li>
</ol>
<h3>Modifying Properties of Multiple Users Simultaneously</h3>
<p>You can select multiple user objects by holding the CTRL key as you click each user. After that you can right-click on any user and select Properties from the menu. Properties that can be changed for multiple users are:</p>
<ol>
<li>General</li>
<li>Account</li>
<li>Address</li>
<li>Profile</li>
<li>Organization</li>
</ol>
<p>The post <a href="http://pcuserinfo.com/active-directory-groups/">Active Directory Groups and Domain Services</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://pcuserinfo.com/active-directory-groups/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Active Directory Certificate Services</title>
		<link>http://pcuserinfo.com/active-directory-certificate-services/</link>
		<comments>http://pcuserinfo.com/active-directory-certificate-services/#comments</comments>
		<pubDate>Sat, 28 Apr 2012 17:12:58 +0000</pubDate>
		<dc:creator>Mick</dc:creator>
				<category><![CDATA[Active Directory]]></category>

		<guid isPermaLink="false">http://pcuserinfo.com/?p=1622</guid>
		<description><![CDATA[<p>Active Directory Certificate Services (AD CS) Explained Windows Server 2008 R2 uses Active Directory Certificate Services to build and control a Public Key Infrastructure (PKI) within an organization. AD CS in a Microsoft AD DS environment consists of the following... <a href="http://pcuserinfo.com/active-directory-certificate-services/" class="read-more">Read More &#8250;</a></p><p>The post <a href="http://pcuserinfo.com/active-directory-certificate-services/">Active Directory Certificate Services</a> appeared first on <a href="http://pcuserinfo.com">pcuserinfo.com</a>.</p>]]></description>
				<content:encoded><![CDATA[<h3>Active Directory Certificate Services (AD CS) Explained</h3>
<p>Windows Server 2008 R2 uses Active Directory Certificate Services to build and control a Public Key Infrastructure (PKI) within an organization. AD CS in a Microsoft AD DS environment consists of the following components.</p>
<p>Certificate Authorities (CAs) such as root and child CAs, where child CAs get their certificates from the root CA. Child CAs usually request a renewal of their certificate from the root CA as soon as their certificate expires. This is also the reason why root certificate durations are normally much longer than those of the subordinate CAs.</p>
<h3>Certificate Revocation Lists (CRLs)</h3>
<p>CA Web enrollment enables users to connect to a CA via a web browser and request certificates and Certificate Revocation Lists (CRLs). A CRL is a list of certificates that have been revoked by your organization. A certificate on this list will consequently be refused. <a href="http://pcuserinfo.com/wp-content/uploads/2012/04/iStock_000016688127XSmall.jpg"><img class="alignright size-full wp-image-1637" title="Active Directory Certificate Services " alt="Active Directory Certificate Services " src="http://pcuserinfo.com/wp-content/uploads/2012/04/iStock_000016688127XSmall.jpg" width="400" height="300" /></a></p>
<h3>Online Responder (OR)</h3>
<p>The Online Responder service replaces the need to download a full CRL as it responds to specific certificate validation requests through the Online Certificate Status Protocol (OCSP).</p>
<p>ORs – which are a new feature in Windows Server R2 &#8211; are therefore much faster and more efficient than using CRLs.</p>
<h3>Network Device Enrollment Service (NDES)</h3>
<p>The Network Device Enrollment Service (NDES) allows devices like routers and switches, which are typically not part of the AD DS system, to participate in the PKI by using the Simple Certificate Enrollment Protocol (SCEP) developed by Cisco Systems. This protocol allows these low-level network devices to be integrated and managed in the PKI hierarchy maintained by AD CS.</p>
<h3>Microsoft Active Directory Certificate Services &#8211; Stand-Alone and Enterprise CAs</h3>
<p>A Stand-Alone CA can run either on a member server or on a stand-alone server in a workgroup. It therefore does not need to be integrated into AD DS. Stand-Alone CAs can run on Windows Server 2008 R2 Standard, Enterprise and Datacenter editions.</p>
<p>Stand-Alone CAs are used as internal root CAs in a multi-tier environment, where the stand-alone CA generates certificates for the child CAs based on standard templates which cannot be modified. A Stand-Alone CA should be taken offline for security purposes after it has generated the certificates for the child CAs. Remember that AD DS directory membership is not a requirement for a Stand-Alone CA.</p>
<p>Enterprise CAs, on the other hand, must be integrated in an AD DS directory service as they automatically issue and approve certificates when requested by clients or endpoint devices. They are usually member servers in an AD DS domain that hold the role of child CAs. Their certificates are based on templates which can be edited to support specific requirements.</p>
<p><a href="http://social.technet.microsoft.com/wiki/contents/articles/4954.certificate-status-and-revocation-checking.aspx" target="_blank">http://social.technet.microsoft.com/wiki/contents/articles/4954.certificate-status-and-revocation-checking.aspx</a></p>
<h3>Install Active Directory Certificate Services &#8211; Final Configuration of an Issuing CA</h3>
<ul>
<li>Configure a certificate revocation policy. This should be completed before starting to issue certificates and includes specifying the CRL distribution points as well as the CRL and delta CRL overlaps and the scheduling of CRL publication. A delta CRL contains only the changes made since the last base CRL update.</li>
<li>Configure certificate templates for EFS, wireless networks, smart card certificates and web server certificates as needed</li>
<li>Configure enrollment and issuance options</li>
</ul>
<p>When using Online Responders you need to configure and install an Online Certificate Status Protocol (OCSP) Response Signing certificate and an Authority Information Access (AIA) extension to support it. The final step is to assign the OCSP Response Signing certificate template to a CA and enroll the system to obtain the certificate.</p>
<h3>Active Directory Certificate Services 2008 New Features</h3>
<ul>
<li>Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service to enable certificate enrollment over HTTP</li>
<li>Certificate Enrollment across forests allowing for consolidation in multi-forest deployments</li>
<li>Better support for high-volume CAs, such as those used for Network Access Protection (NAP).</li>
</ul>
<p><a href="http://technet.microsoft.com/en-us/library/dd448537%28WS.10%29.aspx" target="_blank">http://technet.microsoft.com/en-us/library/dd448537%28WS.10%29.aspx</a></p>
<p>AD DS Management Tools for controlling AD CS can be accessed through Server Manager in Windows Server 2008. To manage a CA, certificates, certificate templates or an Online Responder, use the appropriate Microsoft Management Console (MMC) snap-ins. The AD DS tools to add to an MMC in order to manage Active Directory Certificate Services are Certification Authority, Certificates, Certificate Templates and Online Responder.</p>
]]></content:encoded>
			<wfw:commentRss>http://pcuserinfo.com/active-directory-certificate-services/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
