Session Objectives and Takeaways

Transcription

1

2

3

4

5 Session Objectives and Takeaways

6 Session Objectives and Takeaways

7

8

9 Active Directory Forest Step1: run: ADPREP /ForestPrep Schema Master Infrastructure Master WS 2008 R2 Domain Controller Step 2: run: ADPREP /DomainPrep (each domain) run: ADPREP /DomainPrep /GPPrep (each domain) run: ADPREP /DomainPrep /RODCPREP (optional, depends on using RODC or not) Step 3: Install Fresh or Upgrade

10

11

12

13

14

15

16

17

18

19

20

21 Demote the original DC gracefully and disconnect from network Fresh install a Windows server 2008 R2 on a new hardware Rename to the original name and join to domain Promote to Windows server 2008 R2 DC Transfer back all the FSMO roles

22 Demote the original DC gracefully and disconnect from network Fresh install a Windows server 2008 R2 on a new hardware Rename to the original name and join to domain Promote to Windows server 2008 R2 DC Transfer back all the FSMO roles 8. Apply any registry key / DC hardening keys that used before

23 Demote the original DC gracefully and disconnect from network Fresh install a Windows server 2008 R2 on a new hardware Rename to the original name and join to domain Promote to Windows server 2008 R2 DC Transfer back all the FSMO roles 8. Apply any registry key / DC hardening keys that used before 9. Upgrade DC one by one

24 Demote the original DC gracefully and disconnect from network Fresh install a Windows server 2008 R2 on a new hardware Rename to the original name and join to domain Promote to Windows server 2008 R2 DC Transfer back all the FSMO roles 8. Apply any registry key / DC hardening keys that used before 9. Upgrade DC one by one 10. Change domain and forest functional mode

25 Considerations netsh Printbrm.exe CA backup and restore

26 New Domain Functional Level

27 New Forest Functional Level

28

29 DES Encryption For Kerberos

30 DES Encryption For Kerberos

31 DES Encryption For Kerberos

32 Encryption Criteria for Kerberos Role O.S Supported encryption level for Kerberos DC Windows 2003 RC4 and DES Client Windows XP DES and RC4 Resource Server Non Windows Kerberos Server DES

33 DES Encryption is Disabled So, what? Role O.S Supported encryption level for Kerberos DC Windows 2003 RC4 and DES Client Windows 7 AES and RC4 Resource Server Non Windows Kerberos Server DES

34 Authoritative Restore of the Krbtgt

35 Authoritative Restore of the Krbtgt

36 Authoritative Restore of the Krbtgt

37 Authoritative Restore of the Krbtgt

38 Invalid FSMO Role Holder

39 Invalid FSMO Role Holder

40 Invalid FSMO Role Holder

41 Invalid FSMO Role Holder

42 LDAP Query Policy Hard Limits

43 LDAP Query Policy Hard Limits

44 LDAP Query Policy Hard Limits

45 LDAP Query Policy Hard Limits

46 LDAP Query Policy Hard Limits

47 NT4 Crypto

48 Dynamic Port Range

49 Dynamic Port Range

50 Dynamic Port Range

51 Miscellaneous

52 Considerations before Upgrade

53 Considerations before Upgrade

54

55 RODC Benefits

56 Branch office.

57 RODC Features

58 58 RODC Authentication and Client Operations How it works: Password caching during first logon Hub Branch Hub Writable DC Read Only DC `

59 59 RODC Authentication and Client Operations How it works: Password caching during first logon Hub Branch 1. AS_Req sent to RODC (request for TGT) Hub Writable DC Read Only DC 1 `

60 60 RODC Authentication and Client Operations How it works: Password caching during first logon Hub 1. AS_Req sent to RODC (request for TGT) Branch 2. RODC: Looks in DB: "I don't have the users password " Hub Writable DC Read Only DC 2 1 `

61 61 RODC Authentication and Client Operations How it works: Password caching during first logon Hub 1. AS_Req sent to RODC (request for TGT) Branch 2. RODC: Looks in DB: "I don't have the users password " 3. Forwards Request to a writeable DC Hub Writable DC 3 Read Only DC 2 1 `

62 62 RODC Authentication and Client Operations How it works: Password caching during first logon Hub Hub Writable DC 3 Branch 2. RODC: Looks in DB: "I don't have the users password " 3. Forwards Request to a writeable DC Read Only DC 1. AS_Req sent to RODC (request for TGT) 4. Writeable DC authenticates request `

63 63 RODC Authentication and Client Operations How it works: Password caching during first logon 4 Hub Hub Writable DC 5 3 Branch 2. RODC: Looks in DB: "I don't have the users password " 3. Forwards Request to a writeable DC Read Only DC 2 1. AS_Req sent to RODC (request for TGT) 4. Writeable DC authenticates request 5. Returns authentication response and TGT back to the RODC 1 `

64 64 RODC Authentication and Client Operations How it works: Password caching during first logon 4 Hub Hub Writable DC Branch 2. RODC: Looks in DB: "I don't have the users password " 3. Forwards Request to a writeable DC Read Only DC AS_Req sent to RODC (request for TGT) 4. Writeable DC authenticates request 5. Returns authentication response and TGT back to the RODC 6. RODC gives TGT to User and Queues a replication request for the password `

65 65 RODC Authentication and Client Operations How it works: Password caching during first logon 4 7 Hub Hub Writable DC Branch 2. RODC: Looks in DB: "I don't have the users password " 3. Forwards Request to a writeable DC Read Only DC AS_Req sent to RODC (request for TGT) 4. Writeable DC authenticates request 5. Returns authentication response and TGT back to the RODC 6. RODC gives TGT to User and Queues a replication request for the password ` 7) Hub DC checks Password Replication Policy to see if Password can be replicated Note: At this point the user will have a hub signed TGT

66 RODC Limitations

67 RODC Considerations

68 Fine Grain Password Policy (FGPP)

69 Creating a Fine Grain Password Policy

70 FGPP Implementation Considerations

71 FGPP Defining Scope

72 FGPP Best Practices

73 Active Directory Web Services Listens on port 9389 Advertised via DC Locator nltest /dsgetdc:domain /ws

74 C GUI ADUC/ADSS/ADDT L I E MMC ADSI WSH CLI N T DS RPC-Based Protocols SAM DSR LDAP S E R V E R DS RPC-Based Protocols SAM DSR AD Core.NET S.DS.P / S.DS.AM / S.DS.AD LDAP

75 C L I E N T GUI MMC ADUC/ADSS/ADDT DS RPC-Based Protocols SAM DSR ADSI LDAP WSH CLI.NET BPA AD PowerShell WCF AD Admin Center MUX WPF GUI.NET WCF.NET S E R V E R DS RPC-Based Protocols SAM DSR AD Core.NET AD Web Services S.DS.P / S.DS.AM / S.DS.AD LDAP

76 Recycle Bin Windows Server 2008 No Recycle bin feature Delete Live Object Tombstone Object Garbage Collection Windows Server 2008 R2 with Recycle Bin enabled Auth Restore Tombstone Lifetime 180 Days Delete Live Object Deleted Object Recycled Object Garbage Collection Undelete Deleted Object Lifetime 180 Days Tombstone Lifetime 180 Days

77 Recovering Multiple Objects Deleted Objects container A flat list of all objects in the Deleted state DN is mangled, attributes preserved, lastknownparent Restore objects to live parent Deleted objects must be restored to a live parent Perform restore in top-down order lastknownparent and lastknownrdn properties useful in rebuilding hierarchy RDN over 128 chars truncated \0ADEL:

78 Recovering Multiple Objects Deleted Objects container A flat list of all objects in the Deleted state DN is mangled, attributes preserved, lastknownparent Restore objects to live parent Deleted objects must be restored to a live parent Perform restore in top-down order lastknownparent and lastknownrdn properties useful in rebuilding hierarchy RDN over 128 chars truncated Delete \0ADEL: \0ADEL: \0ADEL: \0ADEL: \0ADEL: \0ADEL:...

79 Recovering Multiple Objects Deleted Objects container A flat list of all objects in the Deleted state DN is mangled, attributes preserved, lastknownparent Restore objects to live parent Deleted objects must be restored to a live parent Perform restore in top-down order lastknownparent and lastknownrdn properties useful in rebuilding hierarchy RDN over 128 chars truncated \0ADEL: \0ADEL: \0ADEL: \0ADEL: \0ADEL: \0ADEL:...

80 Recovering Multiple Objects Deleted Objects container A flat list of all objects in the Deleted state DN is mangled, attributes preserved, lastknownparent Restore objects to live parent Deleted objects must be restored to a live parent Perform restore in top-down order lastknownparent and lastknownrdn properties useful in rebuilding hierarchy RDN over 128 chars truncated Undelete \0ADEL: \0ADEL: \0ADEL: \0ADEL: \0ADEL: \0ADEL:...

81 Recovering Multiple Objects Deleted Objects container A flat list of all objects in the Deleted state DN is mangled, attributes preserved, lastknownparent Restore objects to live parent Deleted objects must be restored to a live parent Perform restore in top-down order lastknownparent and lastknownrdn properties useful in rebuilding hierarchy RDN over 128 chars truncated Undelete \0ADEL: \0ADEL:

82 Recovering Multiple Objects Deleted Objects container A flat list of all objects in the Deleted state DN is mangled, attributes preserved, lastknownparent Restore objects to live parent Deleted objects must be restored to a live parent Perform restore in top-down order lastknownparent and lastknownrdn properties useful in rebuilding hierarchy RDN over 128 chars truncated \0ADEL:

83 Recycle Bin Considerations

84 Key new features overview

85

86