Session Objectives and Takeaways
Active Directory Forest
Diagram: forest showing the Schema Master and Infrastructure Master role holders
Step 1: run ADPREP /ForestPrep
Step 2: run ADPREP /DomainPrep (each domain)
        run ADPREP /DomainPrep /GPPrep (each domain)
        run ADPREP /DomainPrep /RODCPREP (optional, depends on whether RODCs are used)
Step 3: Install fresh or upgrade a Windows Server 2008 R2 domain controller
Demote the original DC gracefully and disconnect it from the network
Fresh install Windows Server 2008 R2 on new hardware
Rename to the original name and join to the domain
Promote to Windows Server 2008 R2 DC
Transfer back all the FSMO roles
8. Apply any registry keys / DC hardening keys that were used before
9. Upgrade DCs one by one
10. Change domain and forest functional mode
Considerations
netsh
Printbrm.exe
CA backup and restore
New Domain Functional Level
New Forest Functional Level
DES Encryption For Kerberos
Encryption Criteria for Kerberos

Role              O.S.                          Supported encryption level for Kerberos
DC                Windows 2003                  RC4 and DES
Client            Windows XP                    DES and RC4
Resource Server   Non-Windows Kerberos server   DES

DES Encryption is Disabled – So, what?

Role              O.S.                          Supported encryption level for Kerberos
DC                Windows 2003                  RC4 and DES
Client            Windows 7                     AES and RC4
Resource Server   Non-Windows Kerberos server   DES
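In the second table the Windows 7 client and the DES-only resource server share no Kerberos encryption type, so the accounts and services that still depend on DES have to be found before the upgrade. The script below is an added example, not part of the original deck; it inventories those accounts using the documented userAccountControl and msDS-SupportedEncryptionTypes bit values, and reports what it finds.

```powershell
# Added example (not from the deck): inventory accounts that still depend on DES
# Kerberos keys before DCs and clients move to versions that disable DES by default.
Import-Module ActiveDirectory

$UF_USE_DES_KEY_ONLY = 0x200000   # userAccountControl: "Use Kerberos DES encryption types"
$DES_CBC_CRC = 0x1                # msDS-SupportedEncryptionTypes bits
$DES_CBC_MD5 = 0x2
$RC4_HMAC    = 0x4
$AES128      = 0x8
$AES256      = 0x10
$desMask    = $DES_CBC_CRC -bor $DES_CBC_MD5
$strongMask = $RC4_HMAC -bor $AES128 -bor $AES256

# 1. Accounts explicitly flagged DES-only (LDAP bitwise-AND matching rule on userAccountControl)
$flagged = Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$UF_USE_DES_KEY_ONLY)" `
    -Properties userAccountControl, servicePrincipalName

# 2. Accounts (typically service or computer accounts for non-Windows Kerberos servers)
#    that advertise DES but no RC4/AES, so the KDC cannot issue a non-DES service ticket
$desOnly = Get-ADObject -LDAPFilter '(msDS-SupportedEncryptionTypes=*)' `
    -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName |
    Where-Object {
        $e = [int]$_.'msDS-SupportedEncryptionTypes'
        (($e -band $desMask) -ne 0) -and (($e -band $strongMask) -eq 0)
    }

# 3. Report: which account, why it was flagged, and the SPNs (services) that depend on it
$report = @(foreach ($o in $flagged) {
    [pscustomobject]@{
        Account = $o.DistinguishedName
        Reason  = 'UF_USE_DES_KEY_ONLY'
        SPNs    = ($o.servicePrincipalName -join ';')
    }
}) + @(foreach ($o in $desOnly) {
    [pscustomobject]@{
        Account = $o.DistinguishedName
        Reason  = 'msDS-SupportedEncryptionTypes is DES-only'
        SPNs    = ($o.servicePrincipalName -join ';')
    }
})
$report | Sort-Object Account | Format-Table -AutoSize
```

Accounts that appear here need either an AES/RC4-capable keytab on the non-Windows side or a re-keyed password before DES is turned off; an empty report means the DES rows in the tables no longer apply to this domain.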
Authoritative Restore of the Krbtgt
Invalid FSMO Role Holder
LDAP Query Policy Hard Limits
http://support.microsoft.com/kb/2009267
NT4 Crypto
Dynamic Port Range
Miscellaneous
Considerations before Upgrade
RODC Benefits
Branch office….
RODC Features
RODC Authentication and Client Operations
How it works: Password caching during first logon
Diagram: Branch site (Read Only DC) communicating with Hub site (Writable DC)
1. AS_Req sent to RODC (request for TGT)
2. RODC looks in its DB: "I don't have the user's password"
3. Forwards request to a writeable DC
4. Writeable DC authenticates request
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to user and queues a replication request for the password
7. Hub DC checks Password Replication Policy to see if password can be replicated
Note: At this point the user will have a hub-signed TGT
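Step 7 is where the Password Replication Policy decides which secrets end up on the branch RODC. The script below is an added example, not part of the original deck; it reviews the PRP of one RODC, lists what has actually been cached, flags cached privileged accounts, and prepopulates branch users that keep round-tripping to the hub. 'RODC01', 'HUBDC01' and the 'Domain Admins' group are assumed names.

```powershell
# Added example (not from the deck): audit a branch RODC's Password Replication
# Policy and its cached secrets. 'RODC01' and 'HUBDC01' are assumed names.
Import-Module ActiveDirectory
$rodc = 'RODC01'
$hub  = 'HUBDC01'

# What the PRP permits and forbids for this RODC
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Accounts whose passwords are already cached on the RODC, and accounts that have
# authenticated through it (candidates for allow-listing, or for a closer look)
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# Privileged accounts must never be cached on a branch DC: flag any that are
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty distinguishedName
$cachedPrivileged = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }

# Branch users that authenticate via the RODC but are not cached repeat steps 3-5 on
# every first logon and cannot log on during a WAN outage. Prepopulate them from the
# hub; Sync-ADObject fails for any account the PRP does not allow, which is intended.
$notCached = $authenticated | Where-Object {
    ($revealed.DistinguishedName -notcontains $_.DistinguishedName) -and
    ($privileged -notcontains $_.DistinguishedName)
}
foreach ($u in $notCached) {
    Sync-ADObject -Object $u.DistinguishedName -Source $hub -Destination $rodc -PasswordOnly -ErrorAction Continue
}

[pscustomobject]@{
    RODC             = $rodc
    AllowedEntries   = @($allowed).Count
    DeniedEntries    = @($denied).Count
    CachedAccounts   = @($revealed).Count
    CachedPrivileged = @($cachedPrivileged).Count   # should be 0
    Prepopulated     = @($notCached).Count
}
```

A non-zero CachedPrivileged count means a privileged secret already lives on branch hardware and the PRP Denied list needs correcting before the RODC is trusted.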
RODC Limitations
RODC Considerations
Fine Grain Password Policy (FGPP)
Creating a Fine Grain Password Policy
FGPP – Implementation Considerations
FGPP – Defining Scope
FGPP – Best Practices
Active Directory Web Services
Listens on port 9389
Advertised via DC Locator: nltest /dsgetdc:domain /ws
Diagram (before ADWS): on the server side, AD Core is exposed through LDAP and the DS RPC-based protocols (DSR, SAM, ...); clients such as ADUC/ADSS/ADDT, MMC, WSH, ADSI, LDAP tools, other GUI and CLI tools, and S.DS.P / S.DS.AM / S.DS.AD on .NET talk to those interfaces directly.
Diagram (with ADWS): LDAP and the DS RPC-based protocols (DSR, SAM, ...) remain, and Active Directory Web Services (WCF on .NET) is added in front of AD Core; the AD PowerShell MUX and the AD Administrative Center (WPF on .NET), together with the BPA, use ADWS, alongside the existing ADUC/ADSS/ADDT, WSH, ADSI, LDAP, MMC, GUI and CLI clients and S.DS.P / S.DS.AM / S.DS.AD.
Recycle Bin
Diagram: object lifecycle
Windows Server 2008 (no Recycle Bin feature): Live Object -> Delete -> Tombstone Object (Tombstone Lifetime 180 days; recoverable only by Auth Restore) -> Garbage Collection
Windows Server 2008 R2 with Recycle Bin enabled: Live Object -> Delete -> Deleted Object (Deleted Object Lifetime 180 days; Undelete returns it to Live Object) -> Recycled Object (Tombstone Lifetime 180 days) -> Garbage Collection
Recovering Multiple Objects
Deleted Objects container
A flat list of all objects in the Deleted state
DN is mangled (\0ADEL:…), attributes preserved, lastKnownParent
Restore objects to live parent
Deleted objects must be restored to a live parent
Perform restore in top-down order
lastKnownParent and lastKnownRDN properties useful in rebuilding hierarchy
RDN over 128 chars truncated
Diagram: Delete and Undelete of a subtree whose entries appear in the Deleted Objects container with \0ADEL:… names
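The top-down rule and the lastKnownParent / lastKnownRDN attributes above are enough to script the recovery of a whole deleted subtree. The script below is an added example, not part of the original deck; it assumes the Recycle Bin is enabled, uses msDS-LastKnownRDN (the attribute behind the deck's "lastKnownRDN"), and the OU DN is an assumed value.

```powershell
# Added example (not from the deck): restore a deleted OU and everything that lived
# under it, parents before children, using lastKnownParent and msDS-LastKnownRDN.
Import-Module ActiveDirectory
$lostRoot = 'OU=Sales,DC=contoso,DC=com'   # assumed original DN of the deleted subtree root

# Every object in the Deleted state, with the attributes needed to rebuild the hierarchy
$deleted = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
    -Properties lastKnownParent, 'msDS-LastKnownRDN', whenChanged |
    Where-Object { $_.lastKnownParent }    # skips the Deleted Objects container itself

# Reconstruct each object's pre-deletion DN from its last known RDN and parent,
# keeping only the root OU and objects that lived somewhere beneath it
$items = foreach ($o in $deleted) {
    $origDN = "$($o.'msDS-LastKnownRDN'),$($o.lastKnownParent)"
    if ($origDN -eq $lostRoot -or $origDN -like "*,$lostRoot") {
        [pscustomobject]@{
            Object = $o
            OrigDN = $origDN
            Depth  = ($origDN -split '(?<!\\),').Count   # more RDN components = deeper
        }
    }
}

# Top-down: a child's lastKnownParent must be live again before the child can be restored,
# so shallow objects go first. Restore-ADObject targets lastKnownParent by default.
foreach ($i in $items | Sort-Object Depth, OrigDN) {
    # Restore under the original name even when the mangled RDN was truncated at 128 chars
    $name = $i.Object.'msDS-LastKnownRDN' -replace '^[^=]+=', ''
    try {
        Restore-ADObject -Identity $i.Object.ObjectGUID -NewName $name -ErrorAction Stop
        "restored  $($i.OrigDN)"
    } catch {
        # Typical cause: the parent was never deleted but no longer exists, or was already
        # garbage-collected; recreate it or rerun with -TargetPath pointing at a live container
        "FAILED    $($i.OrigDN): $($_.Exception.Message)"
    }
}
```

Run it once without the Restore-ADObject line (or with -WhatIf) to confirm the ordered list matches the hierarchy you expect before touching the directory.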
Recycle Bin Considerations
Key new features overview