Module 10: Improving the Security of Authentication in an AD DS Domain
Contents:
- Lesson 1: Configure Password and Lockout Policies
- Lab A: Configure Password and Account Lockout Policies
- Lesson 2: Audit Authentication
- Lab B: Audit Authentication
- Lesson 3: Configure Read-Only Domain Controllers
- Lab C: Configure Read-Only Domain Controllers
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=12&FontSize=3&FontType=segoe
1/90
07/06/13
When users log on to an Active Directory domain, they enter their user name and password. Then, the client computer uses those credentials to authenticate the users' identities against their Active Directory accounts. In Module 3, you learned how to create and manage user accounts and their properties, including passwords. In this module, you will explore the domain-side components of authentication, including the policies that specify password requirements and the auditing of authentication-related activities. You will also discover two features introduced by Windows Server 2008 that can significantly improve the security of authentication in an Active Directory Domain Services (AD DS) domain: password settings objects (better known as fine-grained password policy) and read-only domain controllers (RODCs).
Objectives
By default, in a Windows Server 2008 or Windows Server 2008 R2 domain, users need to change their password every 42 days, and a password must be at least seven characters long and meet complexity requirements, including the use of three of four character types: uppercase, lowercase, numeric, and nonalphanumeric. Typically, in an Active Directory domain, administrators and users first encounter three password policies: maximum password age, password length, and password complexity. Rarely do these default settings align precisely with an organization's password security requirements. Your organization might require passwords to be changed more or less frequently, or to be longer. In this lesson, you will learn to implement your enterprise's password and lockout policies by modifying the Default Domain Policy Group Policy object (GPO).

As you know, there are exceptions to every rule, and you may require exceptions to your password policies. To enhance your domain's security, you can place more restrictive password requirements on accounts assigned to administrators, on accounts used by services such as Microsoft SQL Server, or on a backup utility. In earlier versions of Windows, this was not possible: a single password policy applied to all accounts in the domain. In this lesson, you will learn to configure fine-grained password policies. This is a new feature in Windows Server 2008 that allows you to assign different password policies to users and groups in your domain.
Objectives
After completing this lesson, you will be able to:
- Understand password and account lockout policies.
- Implement your domain password and account lockout policy.
- Configure and assign fine-grained password policies.
following screenshot.
You can understand the effect of the policies by considering the life cycle of a user password. A user needs to change the password within the number of days specified by the Maximum Password Age policy setting. When the user enters a new password, the length of the new password will be compared with the number of characters in the Minimum Password Length policy.

If the Password Must Meet Complexity Requirements policy is enabled, the password must contain at least three of the following four character types:
- Uppercase: A to Z
- Lowercase: a to z
- Numeric: 0 to 9
- Nonalphanumeric symbols: !, #, %, or &
If the new password meets requirements, Active Directory puts the password through a mathematical algorithm that produces a representation of the password called the hash code. The hash code is unique: no two different passwords can create the same hash code. The algorithm used to create the hash code is called a one-way function. You cannot put the hash code through a reverse function to derive the password. The fact that it is a hash code, and not the password itself, that is stored in Active Directory helps increase the user account's security.

Occasionally, some applications require the ability to read a user's password. This is not possible because, by default, only the hash code is stored in Active Directory. To support such applications, you can enable the Store Passwords Using Reversible Encryption policy setting. This policy setting is not enabled by default. If you enable the policy, user passwords are stored in an encrypted form that can be decrypted by the application. Reversible encryption significantly reduces a domain's security, so it is disabled by default, and you should strive to eliminate applications that require direct access to passwords.

Additionally, Active Directory can check the cache of the user's previous hash codes to ensure that the new password is not the same as the user's previous passwords. The number of previous passwords against which a new password is evaluated is determined by the Enforce Password History policy. By default, Windows maintains the previous 24 hash codes, which means that a user cannot use the last 24 passwords when entering a new one.

If a user is determined to reuse the same password when the password expiration period occurs, the user could simply change the password 25 times to work around the password history. To prevent that from happening, the Minimum Password Age policy specifies an amount of time that must pass between password changes. By default, it is one day. Therefore, the determined user would have to change the password once per day for 25 days to reuse a password. This serves as an effective deterrent of such behavior.

These policy settings (history, minimum age, and maximum age) affect only a user who changes the password. The settings do not affect an administrator who uses the Reset Password command to change another user's password.
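As an added example that is not part of the course text, the following PowerShell models the life-cycle checks described above for a candidate password: minimum length, the three-of-four complexity rule, the hash-code history, and minimum age. SHA-256 stands in for the one-way function (it is not the algorithm AD DS uses), and the history cache and sample passwords are constructed for the demo.

```powershell
# Added example, not from the course. SHA-256 is used only to illustrate that a
# one-way hash, not the password, is what the history cache holds.
function Get-PasswordHash {
    param([Parameter(Mandatory)][string]$Password)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally { $sha.Dispose() }
}

function Test-PasswordComplexity {
    # The lesson's rule: at least three of the four character classes.
    param([Parameter(Mandatory)][string]$Password)
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }   # -cmatch is case-sensitive
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    return ($classes -ge 3)
}

function Test-PasswordChange {
    param(
        [Parameter(Mandatory)][string]$NewPassword,
        [string[]]$PreviousHashes = @(),           # cache of earlier hash codes, oldest first
        [datetime]$LastChanged = (Get-Date),       # when the current password was set
        [int]$MinimumLength = 7,                   # Windows Server 2008 domain defaults follow
        [bool]$ComplexityRequired = $true,
        [int]$HistoryLength = 24,
        [int]$MinimumAgeDays = 1
    )
    $reasons = @()
    if ($NewPassword.Length -lt $MinimumLength) {
        $reasons += "shorter than the Minimum Password Length of $MinimumLength"
    }
    if ($ComplexityRequired -and -not (Test-PasswordComplexity -Password $NewPassword)) {
        $reasons += 'does not contain three of the four required character types'
    }
    # Enforce Password History: only the most recent $HistoryLength hash codes are compared.
    $hash   = Get-PasswordHash -Password $NewPassword
    $recent = @($PreviousHashes | Select-Object -Last $HistoryLength)
    if ($recent -contains $hash) {
        $reasons += "matches one of the last $HistoryLength passwords"
    }
    # Minimum Password Age: this is what stops the "change it 25 times" workaround.
    $age = (Get-Date) - $LastChanged
    if ($age.TotalDays -lt $MinimumAgeDays) {
        $reasons += "changed less than $MinimumAgeDays day(s) ago (Minimum Password Age)"
    }
    [pscustomobject]@{
        Candidate = $NewPassword
        Allowed   = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample history: five earlier passwords, of which only the hash codes survive.
$history = 'Spring2012!', 'Summer2012!', 'Autumn2012!', 'Winter2012!', 'Spring2013!' |
    ForEach-Object { Get-PasswordHash -Password $_ }
$thirtyDaysAgo = (Get-Date).AddDays(-30)

# Too short and too simple: rejected on two counts.
Test-PasswordChange -NewPassword 'abc' -PreviousHashes $history -LastChanged $thirtyDaysAgo
# Reuse of a password still inside the 24-entry history: rejected.
Test-PasswordChange -NewPassword 'Summer2012!' -PreviousHashes $history -LastChanged $thirtyDaysAgo
# Good password, but changed again within a day: rejected by minimum age.
Test-PasswordChange -NewPassword 'Contoso-Mail#2013' -PreviousHashes $history -LastChanged (Get-Date).AddHours(-2)
# Same password after the minimum age has passed: allowed.
Test-PasswordChange -NewPassword 'Contoso-Mail#2013' -PreviousHashes $history -LastChanged $thirtyDaysAgo
```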
An intruder can gain access to the resources in your domain by determining a valid user name and password. User names are relatively easy to identify, because most organizations create user names from an employee's e-mail address, initials, combinations of first and last names, or employee IDs. After a user name is known, the intruder must determine the correct password. This can be done by guessing, or by repeatedly logging on with combinations of characters or words until the logon is successful.

This type of attack, called brute force, can be thwarted by limiting the number of incorrect logons that are allowed. That is what account lockout policies achieve. Account lockout policies are located in the node of the GPO directly below the Password Policy. The Account Lockout Policy node is shown in the following screenshot.
There are three settings related to account lockout. The Account Lockout Threshold setting determines the number of invalid logon attempts permitted within a time specified by the Reset Account Lockout Counter After policy. If an attack results in more unsuccessful logons within that time frame, the user account is locked out. When an account is locked out, Active Directory denies logon to that account, even if the correct password is specified. The account will remain locked out for the period of time specified in the Account Lockout Duration setting. If you set this to a value of 0, only the administrator can manually unlock a locked user account by using the Active Directory Users and Computers console.

Note: Although account lockout policies can be useful in preventing brute force attacks, some organizations choose not to define account lockout policies, because they can actually create denial of service scenarios. If a hacker performs a brute force attack against an
policies. You can change the settings by editing the Default Domain Policy GPO.

The best practice is to edit the Default Domain Policy GPO to specify the password policy settings for your organization. You should also use the Default Domain Policy GPO to specify account lockout policies and Kerberos policies. Do not use the Default Domain Policy GPO to deploy any other custom policy settings. In other words, the Default Domain Policy GPO only defines the password, account lockout, and Kerberos policies for the domain. Additionally, do not define password, account lockout, or Kerberos policies for the domain in any other GPO.

The password settings configured in the Default Domain Policy affect all user accounts in the domain. The settings can be overridden, however, by the password-related properties of the individual user accounts. On the Account tab of a user's Properties dialog box, you can specify settings such as Password Never Expires or Store Passwords Using Reversible Encryption. For example, if five users have an application that requires direct access to their passwords, you can configure the accounts for those users to store their passwords by using reversible encryption.
Demonstration Steps
1. In the Group Policy Management console, in the console tree, expand Forest: contoso.com, Domains, and contoso.com.
2. Right-click Default Domain Policy underneath the domain, contoso.com, and then click Edit.
3. In the Group Policy Management Editor console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies, and then click Password Policy.
4. Double-click the following policy settings in the console details pane and configure the settings as indicated:
   - Enforce password history: 53 passwords remembered
   - Maximum password age: 90 days
   - Minimum password age: 7 days
   - Minimum password length: 8 characters
   - Password must meet complexity requirements: Enabled
5. Close the Group Policy Management Editor window.
6. Close the Group Policy Management window.
In the Windows Server 2003 Active Directory environment, it was not possible to have more than one password and account lockout policy per domain. Because of this limitation in the earlier Windows Server versions, you had to create more than one domain in the Active Directory forest for different password requirements in a single organization. For example, consider a scenario where you want your administrators to have passwords with a minimum length of 14 characters and other users to have at least 7 or more characters. The only way to accomplish this is to move administrators (or users) to another domain. In such scenarios, administrators usually create two domains such as contoso.com and users.contoso.com. However, it can cause additional maintenance and administrative cost to support two domain structures. You can solve this problem by using Windows Server 2008. You can override the domain password and lockout policy by using a new feature of Windows Server 2008 called fine-grained password and lockout policy, often shortened to simply fine-grained password policy. A fine-grained password policy allows you to configure a policy that applies to one or more groups or users in your domain. However, you cannot apply this functionality by using Group Policy. You can apply it only by defining a new type of object and some additional attributes on user and group objects.

A fine-grained password policy is a highly anticipated addition to Active Directory. There are several scenarios for which a fine-grained password policy can be used to increase your domain security.

Accounts used by administrators are delegated privileges to modify objects in Active Directory. Therefore, if an intruder compromises an administrator's account, more damage can be done to the domain than could be done with the account of a standard user. Therefore, consider implementing stricter password requirements for administrative accounts. For example, you might require a greater password length and more frequent password changes.

Another type of account that requires special treatment in a domain is an account used by services such as SQL Server. A service performs its tasks with credentials that must be authenticated with a user name and password just like those of a human user. However, most services are not capable of changing their own password, so administrators configure service accounts with the Password Never Expires option
Most Active Directory objects can be managed with user-friendly graphical user interface (GUI) tools, such as the Active Directory Users and Computers snap-in. You manage PSOs, however, with low-level tools, including Active Directory Service Interface Editor (ADSI Edit).

You can create one or more PSOs in your domain. Each PSO contains a complete set of password and lockout policy settings. A PSO is applied by linking the PSO to one or more global security groups or users. Actually, by linking a PSO to a user or a group, you're modifying an attribute called msDS-PSOApplied, which is empty by default. This approach now treats password and account lockout settings not as domain-wide requirements, but as attributes of a specific user or group. For example, to configure a strict password policy for administrative accounts, create a global security group, add the service user accounts as members, and link a PSO to the group. Applying fine-grained password policies to a group in this manner is more manageable than applying the policies to each individual user account. If you create a new service account, you simply add it to the group, and the account becomes managed by the PSO.

To use a fine-grained password policy, your domain must be at the Windows Server 2008 domain functional level, which means that all of your domain controllers in the domain are running Windows Server 2008, and the domain functional level has been raised to Windows Server 2008.

To confirm and modify the domain functional level:
1.
2.
3. Right-click the domain, and then click Raise domain functional level.
In this demonstration, you will see how to configure a fine-grained password policy to enhance the security of accounts in the Domain Admins group.
Demonstration Steps
1. Verify that the domain functional level is Windows Server 2008.
2. Run the ADSI Edit utility on a domain controller.
3. Create a new PSO, named MyDomainAdminsPSO, in DC=Contoso > DC=com > CN=System > CN=Password Settings Container, with the following settings:
   - Password stored with reversible encryption: False
   - Password history: Enabled
   - Password complexity requirement: Enabled
   - Minimum password age: 1 day
   - Maximum password age: 45 days
   - Account lockout threshold: 5
   - Account lockout duration: 1 day
   - Account lockout counter reset: 1 hour
4. Assign the new PSO to the Domain Admins group.
A PSO can be linked to more than one group or user, an individual group or user can have more than one PSO linked to it, and a user can belong to multiple groups. So, which fine-grained password and lockout policy settings apply to a user? One and only one PSO determines the password and lockout settings for a user, which is called the resultant PSO. Each PSO has an attribute that determines the PSO's precedence. The precedence value is any number greater than 0, where the number 1 indicates the highest precedence. If multiple PSOs apply to a user, the PSO with the highest precedence takes effect. The rules that determine precedence are as follows:
- If multiple PSOs apply to groups to which the user belongs, the PSO with the highest precedence wins.
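The following PowerShell is an added example, not from the course: it is the ActiveDirectory module equivalent of the lab's ADSI Edit steps, creating MyDomainAdminsPSO with the lab's attribute values, linking it to Domain Admins, and then reading the resultant PSO (the msDS-ResultantPSO attribute the lab has you inspect) for a user. The second policy, ServiceAccountsPSO, its group Service Accounts, and the account names checked at the end are assumptions added to show precedence.

```powershell
# Added example, not from the course. Requires the ActiveDirectory module
# (Windows Server 2008 R2 or RSAT) and Domain Admins rights.
Import-Module ActiveDirectory

# Fine-grained password policy needs the Windows Server 2008 domain functional level.
$domain   = Get-ADDomain
$required = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $required) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 first."
}

# The lab's PSO. The parameters map onto the msDS-* attributes set in ADSI Edit;
# TimeSpans replace the d:hh:mm:ss strings, and precedence 1 is the highest possible.
New-ADFineGrainedPasswordPolicy -Name 'MyDomainAdminsPSO' `
    -Precedence 1 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 30 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 45) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Hours 1) `
    -LockoutDuration (New-TimeSpan -Days 1)

# Linking writes the group's DN into the PSO's msDS-PSOAppliesTo; msDS-PSOApplied on
# the group is the back-link that the lesson describes.
Add-ADFineGrainedPasswordPolicySubject -Identity 'MyDomainAdminsPSO' -Subjects 'Domain Admins'

# Assumed second PSO for service accounts (long, rarely changed passwords, no lockout),
# with a lower precedence (higher number) so Domain Admins members keep the stricter one.
New-ADFineGrainedPasswordPolicy -Name 'ServiceAccountsPSO' `
    -Precedence 10 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 0 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity 'ServiceAccountsPSO' -Subjects 'Service Accounts'

function Get-EffectivePasswordPolicy {
    # Returns what actually governs an account: the resultant PSO if one applies
    # (a PSO linked directly to the user beats group-linked PSOs; among the rest the
    # lowest precedence number wins), otherwise the Default Domain Policy settings.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        $source   = "PSO $($pso.Name) (precedence $($pso.Precedence))"
        $settings = $pso
    } else {
        $source   = 'Default Domain Policy'
        $settings = Get-ADDefaultDomainPasswordPolicy
    }
    [pscustomobject]@{
        User              = $SamAccountName
        Source            = $source
        MinPasswordLength = $settings.MinPasswordLength
        MaxPasswordAge    = $settings.MaxPasswordAge
        LockoutThreshold  = $settings.LockoutThreshold
    }
}

# Confirm the link, then compare a Domain Admins member with an ordinary user.
Get-ADFineGrainedPasswordPolicySubject -Identity 'MyDomainAdminsPSO' | Select-Object Name, ObjectClass
Get-EffectivePasswordPolicy -SamAccountName 'Pat.Coleman_Admin'
Get-EffectivePasswordPolicy -SamAccountName 'Pat.Coleman'
```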
5. Locate the msDS-ResultantPSO attribute.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Lab Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise's AD DS domain. Specifically, you must enforce a specified password policy for all user accounts, and a more stringent password policy for security-sensitive, administrative accounts.
1. Run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. 3.
4.
5. Close Group Policy Management Editor and Group Policy Management.
Results: In this exercise, you configured new settings for the domain account policies.
1. Click Start, point to Administrative Tools, right-click ADSI Edit, and click Run as administrator.
2. 3. 4.
5. 6. 7. 8. 9.
msDS-PasswordSettings, the technical name for the object class referred to as a PSO.
12. Click Next. You are then prompted for the value for each attribute of a PSO. The attributes are similar to those found in the domain account policies.
13. Configure each attribute as indicated below. Click Next after each attribute.
   - cn: MyDomainAdminsPSO. This is the friendly name of the PSO.
   - msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible precedence.
   - msDS-PasswordReversibleEncryptionEnabled: False. The password is not stored by using reversible encryption.
   - msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last 30 passwords.
   - msDS-PasswordComplexityEnabled: True. Password complexity rules are enforced.
   - msDS-MinimumPasswordLength: 15. Passwords must be at least 15 characters long.
   - msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change the password within one day of a previous change. The format is d:hh:mm:ss (days, hours, minutes, seconds).
   - msDS-MaximumPasswordAge: 45:00:00:00. The password must be changed every 45 days.
   - msDS-LockoutThreshold: 5. Five invalid logons within the time frame specified by XXX (the next attribute) will result in account lockout.
   - msDS-LockoutObservationWindow: 0:01:00:00. Five invalid logons (specified by the previous attribute) within one hour will result in account lockout.
   - msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day, or until it is unlocked manually. A value of zero will result
1. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2.
3. 4. 5.
6. Click Add Windows Account.
1. Run Active Directory Users and Computers as an administrator with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Open Attribute Editor in the Properties dialog box for the account Pat.Coleman_Admin.
3.
1.
2. Delete the MyDomainAdminsPSO, which you created.
Results: In this exercise, you created a PSO, applied it to Domain Admins and confirmed its application, and then deleted the PSO.
Objectives
This lesson examines two specific policy settings, Audit Account Logon Events and Audit Logon Events. You need to understand the difference between these two similarly named policy settings.

When a user logs on to any computer in the domain by using a domain user account, a domain controller authenticates the attempt to log on to the domain account. This generates an account logon event on the domain controller.

The computer to which the user logs on (for example, the user's laptop) generates a logon event. The computer did not authenticate the user against the account; it passed the account to a domain controller for validation. The computer did, however, allow the user to log on interactively to the computer. Therefore, the event is a logon event.

When the user connects to a folder on a server in the domain, that server authorizes the user for a type of logon called a network logon. Again, the server does not authenticate the user; it relies on the ticket given to the user by the domain controller. But, the connection by the user generates a logon event on the server.

Note: The content in the following section is specific to Windows Server 2008 R2.
categories in Group Policy for auditing logon and account logon events. You learned about these advanced audit policies in Module 9. This provides administrators with the ability to have much more granular and more detailed control over the logon process and to obtain information about very specific events that happen during the logon or logoff process.

For an account logon event, you can now define four different settings for audit:
- Credential Validation. Audit events generated by validation tests on user account logon credentials.
- Kerberos Service Ticket Operations. Audit events generated by Kerberos service ticket requests.
- Other Account Logon Events. Audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
- Kerberos Authentication Service. Audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
You can audit the following logon and logoff events:
- Logon. Audit events generated by user account logon attempts on a computer.
- Logoff. Audit events generated by closing a logon session. These events occur on the computer that was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to.
- Account Lockout. Audit events generated by a failed attempt to log on to an account that is locked out.
- IPsec Main Mode. Audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
- IPsec Quick Mode. Audit events generated by IKE and AuthIP during Quick Mode negotiations.
- IPsec Extended Mode. Audit events generated by IKE and AuthIP during Extended Mode negotiations.
- Special Logon. Audit events generated by special logons.
- Other Logon/Logoff Events. Audit other events related to logon and logoff that are not included in the Logon/Logoff category.
- Network Policy Server. Audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
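As an added example that is not part of the course, the subcategories listed above can also be set and verified from the command line with auditpol.exe, which is what the Advanced Audit Policy Configuration GPO settings drive underneath. The split of subcategories by server role (Account Logon on domain controllers, Logon/Logoff everywhere) is an assumption of this demo, chosen to match where the lesson says each event type is generated.

```powershell
# Added example, not from the course. Run elevated on the computer being configured.
# Subcategories that only a domain controller produces for domain accounts.
$accountLogon = 'Credential Validation',
                'Kerberos Authentication Service',
                'Kerberos Service Ticket Operations',
                'Other Account Logon Events'
# Subcategories produced by the computer the user logs on to or connects to.
$logonLogoff  = 'Logon', 'Logoff', 'Account Lockout', 'Special Logon', 'Other Logon/Logoff Events'

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
$subcategories = if ($role -ge 4) { $accountLogon + $logonLogoff } else { $logonLogoff }

foreach ($sub in $subcategories) {
    # Success gives the audit trail the lab asks for; failure is what reveals guessing and lockouts.
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set subcategory '$sub'" }
}

# Read the effective policy back. /r emits CSV, which is easier to check than the table view.
$effective = foreach ($cat in 'Account Logon', 'Logon/Logoff') {
    & auditpol.exe /get /category:"$cat" /r | Where-Object { $_ } | ConvertFrom-Csv
}
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Anything we asked for that is not 'Success and Failure' means the setting did not take.
$missing = $effective | Where-Object {
    ($subcategories -contains $_.Subcategory) -and ($_.'Inclusion Setting' -ne 'Success and Failure')
}
if ($missing) {
    Write-Warning ('Not fully enabled: ' + (($missing | ForEach-Object { $_.Subcategory }) -join ', '))
}
```

If a GPO also defines the basic (category-level) audit settings, enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so that these subcategory settings are not overwritten at the next policy refresh.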
In Windows Server 2008 R2, you can configure additional audit policies in the Advanced Audit Policy Configuration node, as shown in the following screenshot:
To configure an audit policy, both basic and advanced, double-click the policy. Then, its properties dialog box appears. The Audit Account Logon Events Properties dialog box is shown in the following screenshot. The policy setting can be configured to one of the following four states:
- Not Defined: If the Define These Policy Settings check box is cleared, the policy setting is not defined. In this case, the server will audit the event based on its default settings or on the settings specified in another GPO.
- Defined for no auditing: If the Define These Policy Settings check box is selected, but the Success and Failure check boxes are cleared, the server will not audit the event.
- Audit successful events: If the Define These Policy Settings check box is selected, and the Success check box is selected, the server will log successful events in its Security log.
As with all policy settings, you should be careful to scope settings so that they affect the correct systems. For example, if you want to audit attempts by users to connect to remote desktop servers in your enterprise, you can configure logon event auditing in a GPO linked to the OU that contains your remote desktop servers. If, on the other hand, you want to audit logons by users to desktops in your human resources department, you can configure logon event auditing in a GPO linked to the OU containing human resources computer objects. Remember that domain users logging on to a client computer or connecting to a server will generate a logon event, not an account logon event, on that system.

Only domain controllers generate account logon events for domain users. Remember that an account logon event occurs on the domain controller that authenticates a
Account logon and logon events, if audited, appear in the Security log of the system that generated the event. An example is shown in the following screenshot.
So, if you are auditing logons to computers in the human resources department, the events are entered in each computer's Security log. Similarly, if you are auditing unsuccessful account logons to identify potential intrusion attempts, the events are entered in each domain controller's Security log. This means, by default, you will need to examine the Security logs of all domain controllers to get a complete picture of account logon events in your domain.

As you can imagine, in a complex environment with multiple domain controllers and many users, auditing account logons or logons can generate a tremendous number of events. If there are too many events, it can be difficult to identify problematic events worthy of closer investigation. You should balance the amount of logging you perform with the security requirements of your business and the resources you have available to analyze logged events.
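The following PowerShell is an added example, not from the course, of the "examine every domain controller" point above: it collects the failed account logon events from the Security log of each DC in the domain and summarises them by account, by source, and by the DC that recorded them, so that guessing activity and lockouts can be spotted without reading each log by hand. It assumes PowerShell 3.0 or later, the ActiveDirectory module, and rights to read the Security log remotely (for example membership in Event Log Readers on the DCs); the 24-hour window is a chosen default.

```powershell
# Added example, not from the course.
Import-Module ActiveDirectory

# Domain-controller side of a failed logon. Each event is written only to the DC that
# handled the request, which is why every DC must be queried.
#   4771  Kerberos pre-authentication failed (Status 0x18 = bad password)
#   4776  NTLM credential validation (Status 0x0 = success, 0xC000006A = bad password)
#   4740  account locked out, written by the DC that applied the lockout
$ids   = 4771, 4776, 4740
$since = (Get-Date).AddHours(-24)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } |
        ForEach-Object {
            # Account and source live in EventData; pull them out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $source = switch ($_.Id) {
                4776    { $data['Workstation'] }
                4740    { $data['TargetDomainName'] }   # for 4740 this field carries the caller computer
                default { $data['IpAddress'] }
            }
            [pscustomobject]@{
                DomainController = $dc
                Time    = $_.TimeCreated
                Id      = $_.Id
                Account = $data['TargetUserName']
                Source  = $source
                Status  = $data['Status']
            }
        }
    } catch {
        # "No events were found" is normal for an idle DC; anything else is a gap in coverage.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# 4776 is logged for successful validations too; keep only the failures.
$failures = $events | Where-Object { -not ($_.Id -eq 4776 -and $_.Status -eq '0x0') }

'== Accounts with the most failed validations, all DCs combined =='
$failures | Where-Object { $_.Id -ne 4740 } | Group-Object Account |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10 | Format-Table -AutoSize

'== Sources generating failures; many accounts from one source suggests guessing =='
$failures | Where-Object { $_.Id -ne 4740 } | Group-Object Source |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10 | Format-Table -AutoSize

'== Where the events were recorded; one DC log is never the whole picture =='
$failures | Group-Object DomainController, Id | Select-Object Count, Name | Format-Table -AutoSize

'== Lockouts and the computer that triggered them =='
$failures | Where-Object { $_.Id -eq 4740 } |
    Select-Object Time, Account, Source, DomainController | Format-Table -AutoSize
```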
5. The lab setup script runs. When it is complete, press any key to continue.
6. Close the Windows Explorer window, Lab10b.
Lab Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise's AD DS domain. Specifically, you need to create an audit trail of logons.
4. 5. 6.
1. Run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Modify the Default Domain Controllers Policy GPO to enable auditing events for both successful and failed account logon events.
3. Close Group Policy Management Editor.
1. Create a Group Policy Object (GPO) linked to the Servers\Important Project OU. Name the GPO Server Lockdown Policy.
2. Modify the Server Lockdown Policy to enable auditing events for both successful and failed logon events.
3. Close Group Policy Management Editor and Group Policy Management.
1. Start 6425C-NYC-SVR1. As the computer starts, it will apply the changes you made to Group Policy.
2.
1. Log on to NYC-SVR1 as Pat.Coleman, but enter an incorrect password. The following message appears: The user name or password is incorrect.
2. After you have been denied logon, log on again with the correct password, Pa$$w0rd.
1. On NYC-DC1, run Event Viewer as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2.
1. On NYC-SVR1, run Event Viewer as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2.
Results: In this exercise, you established and reviewed auditing for successful and failed logons to the domain and to servers in the Important Project OU.
Note: Do not shut down the virtual machine after you finish this lab because the settings
you set, and in what GPO(s)?
related to branch office authentication and domain controller placement, and you will learn how to implement and support a branch office RODC.
Objectives
After completing this lesson, you will be able to:
- Identify the business requirements for RODCs.
- Install an RODC.
- Configure password replication policy.
- Configure RODC credentials caching.
- Monitor the caching of credentials on an RODC.
Consider a scenario in which an enterprise is characterized by a hub site and several branch offices. The branch offices connect to the hub site over WAN links that may be congested, expensive, slow, or unreliable. Users in the branch office must be authenticated by Active Directory to access resources in the domain. Should a domain controller be placed in the branch office?

In branch office scenarios, many of the IT services are centralized in the hub site, which is carefully maintained by the IT staff. In larger organizations, the hub site may include a robust data center. Branch offices, however, are often smaller sites in which no data center exists. In fact, many branch offices have no significant IT presence other than a handful of servers. There may be no physically secure facility to house branch office servers. There may be few, if any, local IT staff to support the servers.
If a domain controller is not placed in the branch office, authentication and service ticket activities will be directed to the hub site over the WAN link. Authentication occurs when users first log on to their computers in the morning. Service tickets are a component of the Kerberos authentication mechanism used by Windows Server 2008 domains. You can think of a service ticket as a key issued by the domain controller to a user. The key allows the user to connect to a service, such as the File and Print service, on a file server. When a user first tries to access a specific service, the user's client requests what is called a service ticket from the domain controller. Because users typically connect to multiple services during a workday, service ticket activity happens regularly. Authentication and service ticket activity over the WAN link between a branch office and a hub site can result in slow or unreliable performance.

If a domain controller is placed in the branch office, authentication is much more efficient, but there are several potentially significant risks. A domain controller maintains a copy of all attributes of all objects in its domain, including secrets such as information related to user passwords. If a domain controller is accessed or stolen, it becomes possible for a determined expert to identify valid user names and passwords, at which point the entire domain is compromised. You must at least reset the passwords of every user account in the domain. Because the security of servers at branch offices is often less than ideal, a branch office domain controller poses a considerable security risk.

A second concern is that changes to the Active Directory database on a branch office domain controller replicate to the hub site and to all other DCs in the environment.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=12&FontSize=3&FontType=segoe 54/90
07/06/13
Therefore,corruptiontothebranchofficedomaincontrollerposesarisktothe integrityoftheenterprisedirectoryservice.Forexample,ifabranchoffice administratorperformsarestoreofthedomaincontrollerfromanoutdatedbackup, therecanbesignificantrepercussionsfortheentiredomain. Thethirdconcernrelatestoadministration.Abranchofficedomaincontrollermay requiremaintenancesuchasanewdevicedriver.Toperformmaintenanceona standarddomaincontroller,youmustlogonasamemberoftheAdministrators grouponthedomaincontroller,whichmeansyouareeffectivelyanadministratorof thedomain.Itmaynotbeappropriatetograntthatlevelofcapabilitytoasupport teamatabranchoffice.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=12&FontSize=3&FontType=segoe
55/90
07/06/13
Thesecurity,directoryserviceintegrity,andadministrationconcernsleftmany enterpriseswithadifficultchoicetomake.WindowsServer2008introducesthe RODC,whichisdesignedspecificallytoaddressthebranchofficescenario.AnRODC isadomaincontroller,typicallyplacedinthebranchoffice,whichmaintainsacopyof allobjectsinthedomainandallattributesexceptforsecretssuchaspassword relatedproperties.Ifyoudonotconfigurecaching,whenauserinthebranchoffice logson,theRODCreceivestherequestandforwardsittoadomaincontrollerinthe hubsiteforauthentication. YoucanconfigureapasswordreplicationpolicyfortheRODCthatspecifiesuser accountstheRODCisallowedtocache.Iftheuserloggingonisincludedinthe passwordreplicationpolicy,theRODCcachesthatuserscredentials,sothenexttime
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=12&FontSize=3&FontType=segoe 56/90
07/06/13
authenticationisrequested,theRODCcanperformthetasklocally.Asuserswhoare includedinthepasswordreplicationpolicylogon,theRODCbuildsitscacheof credentialssothatitcanperformauthenticationlocallyforthoseusers.Usually,you willadduserslocatedinthesamephysicalsiteasanRODCtothepassword replicationpolicy. BecausetheRODCmaintainsonlyasubsetofusercredentials,iftheRODCis compromisedorstolen,theeffectofthesecurityexposureislimited.Onlytheuser accountsthathadbeencachedontheRODCmusthavetheirpasswordschanged. TheRODCreplicateschangestoActiveDirectoryfromdomaincontrollersinthehub site.Replicationisoneway.NochangestotheRODCarereplicatedtoanyother domaincontroller.Thiseliminatestheexposureofthedirectoryservicetocorruption duetochangesmadetoacompromisedbranchofficedomaincontroller.Finally, RODCshavetheequivalentofalocalAdministratorsgroup.Youcangiveoneormore localsupportpersonneltheabilitytofullymaintainanRODCwithoutgrantingthem theequivalentrightsofDomainAdmins.
Each of these steps is detailed in the following sections.
Verifying and Configuring Forest Functional Level of Windows Server 2003 or Later
Functional levels enable features unique to specific versions of Windows, and are therefore dependent on the versions of Windows running on domain controllers. If all domain controllers are Windows Server 2003 or later, the domain functional level can be set to Windows Server 2003. If all domains are at the Windows Server 2003 domain functional level, the forest functional level can be set to Windows Server 2003. Domain and forest functional levels are discussed in detail in another module.

RODCs require that the forest functional level is Windows Server 2003 or later so that linked value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or later so that Kerberos constrained delegation is available. This means all domain controllers in the entire forest must be running Windows Server 2003 or later.

Constrained delegation supports security calls that must be impersonated under the context of the caller. Delegation makes it possible for applications and services to authenticate to a remote resource on behalf of a user. Because delegation provides powerful capabilities, typically only domain controllers are enabled for it. For RODCs, applications and services must be able to delegate, but only constrained delegation is allowed because it prevents the target from impersonating again and making another hop. The user or computer must be cacheable at the RODC for constrained delegation

If the forest functional level is not at least Windows Server 2003, examine the properties of each domain to identify any domains for which the domain functional level is not at least Windows Server 2003. If you find such a domain, ensure that all domain controllers in the domain are running Windows Server 2003. Then, in Active Directory Domains and Trusts, right-click the domain and click Raise Domain Functional Level. After you have raised each domain functional level to at least Windows Server 2003, right-click the root node of the Active Directory Domains And Trusts snap-in and click Raise Forest Functional Level. In the Select An Available Forest Functional Level drop-down list, click Windows Server 2003, and click Raise. You must be an administrator of a domain to raise the domain's functional level. To raise the forest functional level, you must be either a member of the Domain Admins group in the forest root domain or a member of the Enterprise Admins group.
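The same verification and raise sequence from the command line, as an added example that is not part of the course. It assumes the ActiveDirectory PowerShell module (available from Windows Server 2008 R2 or the matching RSAT onward; the course's own steps use the Active Directory Domains and Trusts snap-in) and an account that is a Domain Admin in every domain and an Enterprise Admin for the forest step. The script refuses to raise a domain while any of its DCs still runs Windows 2000, which is the check the text asks you to make by hand.

```powershell
# Added example, not part of the course: verify every DC's operating system and the
# current functional levels, then raise them to Windows Server 2003 (the RODC minimum).
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later).
# Raising a functional level cannot be undone; both Set-*Mode cmdlets prompt for confirmation.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode

$allDomainsReady = $true
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "Domain {0}: functional level {1}" -f $domain.DNSRoot, $domain.DomainMode

    # A Windows 2000 DC reports an OperatingSystem string such as "Windows 2000 Server";
    # every release from Windows Server 2003 onward reports "Windows Server <year> ...".
    $oldDCs = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
        Where-Object { $_.OperatingSystem -notmatch 'Windows Server' }

    if ($oldDCs) {
        $allDomainsReady = $false
        "  Cannot raise {0}; upgrade or demote these DCs first:" -f $domain.DNSRoot
        $oldDCs | ForEach-Object { "    {0} ({1})" -f $_.HostName, $_.OperatingSystem }
        continue
    }

    # Only these two domain modes are below Windows Server 2003.
    if (@('Windows2000Domain', 'Windows2003InterimDomain') -contains "$($domain.DomainMode)") {
        Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2003Domain -ErrorAction Stop
        "  Raised {0} to the Windows Server 2003 domain functional level" -f $domain.DNSRoot
    }
}

# The forest level may go up only after every domain is at Windows Server 2003 or later
# (this step needs Enterprise Admins, or Domain Admins in the forest root domain).
if ($allDomainsReady -and
    (@('Windows2000Forest', 'Windows2003InterimForest') -contains "$($forest.ForestMode)")) {
    Set-ADForestMode -Identity $forest -ForestMode Windows2003Forest -ErrorAction Stop
    "Raised forest {0} to the Windows Server 2003 forest functional level" -f $forest.Name
}
```

Run it from a hub-site DC with the module installed; the domain loop targets each domain by name, so a multi-domain forest is handled in one pass.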
Installing an RODC
After completing the preparatory steps, you can install an RODC. An RODC can be either a full or Server Core installation of Windows Server 2008. With a full installation of Windows Server 2008, you can use the Active Directory Domain Services Installation Wizard to create an RODC. Simply click Read-only Domain Controller (RODC) on the Additional Domain Controller Options page of the wizard, as shown in the following screenshot. Alternatively, you can use the dcpromo.exe command with the /unattend switch to create the RODC. On a Server Core installation of Windows Server 2008, you must use the dcpromo.exe /unattend command.

You can complete the installation of an RODC in two stages, each performed by a different individual. The first stage of the installation, which requires Domain Admin credentials, creates an account for the RODC in AD DS. The second stage of the installation attaches the actual server that will be the RODC in a remote location, such as a branch office, to the account that was previously created for it. You can delegate the ability to attach the server to a non-administrative group or user.

During this first stage, the Active Directory Domain Services Installation Wizard records all data about the RODC that will be stored in the distributed Active Directory database, such as its domain controller account name and the site in which it will be placed. This stage must be performed by a member of the Domain Admins group. The administrator who creates the RODC account can also specify at that time which users or groups can complete the next stage of the installation. The next stage of the installation can be performed in the branch office by any user or group who was delegated the right to complete the installation when the account was created. This stage does not require any membership in built-in groups, such as the Domain Admins group. If the user who creates the RODC account does not specify any delegate to complete the installation and administer the RODC, only a member of the Domain Admins or Enterprise Admins groups can complete the installation.

You can perform a staged installation of an RODC by using several approaches. You can pre-create an RODC account by using the Active Directory Users and Computers console, which is appropriate for a smaller number of accounts. You can also use the dcpromo command-line utility with appropriate switches, or you can use the answer file to perform an unattended installation of an RODC.
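The two stages as dcpromo.exe /unattend answer files, as an added example that is not part of the course (the course's lab does the same two stages through the wizard). Names are taken from the lab (contoso.com, BRANCHDC01, Aaron.Painter_Admin, a Branch Office Users group); the site name Branch and the file paths are assumed. The answer-file keys and the /CreateDCAccount and /UseExistingAccount:Attach switches are given as I know them from the dcpromo unattended-installation reference; confirm them for your build with dcpromo /?:CreateDCAccount and dcpromo /?:UseExistingAccount before relying on them.

```powershell
# Added example, not part of the course: staged RODC installation with dcpromo.exe /unattend.
# Stage 1 runs in the hub site as a Domain Admin; stage 2 runs on the branch server as the
# delegated admin. Site name, paths and the use of the Branch Office Users group are assumed.

# ---- Stage 1 (hub site, Domain Admin): create only the RODC account in AD DS. ----
# DelegatedAdmin may attach the server later and becomes its local administrator.
# The Allowed/Denied keys seed the password replication policy; Deny always wins over Allow.
$stage1 = @'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
DCAccountName=BRANCHDC01
SiteName=Branch
DelegatedAdmin="CONTOSO\Aaron.Painter_Admin"
PasswordReplicationAllowed="CONTOSO\Branch Office Users"
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="CONTOSO\Denied RODC Password Replication Group"
'@
Set-Content -Path 'C:\rodc-stage1.txt' -Value $stage1 -Encoding ASCII
dcpromo /unattend:C:\rodc-stage1.txt /CreateDCAccount

# ---- Stage 2 (branch office, delegated admin): attach this server to that account. ----
# Password=* makes dcpromo prompt for the delegated admin's password instead of storing it.
# The DSRM password (SafeModeAdminPassword) has to be in the file, so the file is removed
# as soon as dcpromo returns and the reboot is issued separately.
$stage2 = @'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
UserDomain=contoso.com
UserName=Aaron.Painter_Admin
Password=*
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=<DSRM-password-placeholder>
RebootOnCompletion=No
'@
Set-Content -Path 'C:\rodc-stage2.txt' -Value $stage2 -Encoding ASCII
dcpromo /unattend:C:\rodc-stage2.txt /UseExistingAccount:Attach
Remove-Item -Path 'C:\rodc-stage2.txt' -Force    # contains the DSRM password
Restart-Computer -Force
```

The point of splitting the files this way is the one the text makes: the only credential a Domain Admin ever has to hand over is the delegated account named in stage 1, and stage 2 runs with that account alone.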
Demonstration Steps
1. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. In the Domain Controllers OU, open the properties of BRANCHDC01.
3. Click the Password Replication Policy tab and view the default policy.
4. Close the BRANCHDC01 properties.
5. In the Active Directory Users and Computers console tree, click the Users container.
6.
7.
8.
9.
Click Cancel to close the Denied RODC Password Replication Group properties.
The drop-down list at the top of the Policy Usage tab allows you to select one of two reports for the RODC:

Accounts whose passwords are stored on this Read-Only Domain Controller: Display the list of user and computer credentials that are currently cached on the RODC. Use this list to determine whether credentials that are not required are being cached on the RODC, and modify the password replication policy accordingly.

Accounts that have been authenticated to this Read-Only Domain Controller: Display the list of user and computer credentials that have been referred to a writable domain controller for authentication or service ticket processing. Use this list to identify users or computers that are attempting to authenticate with the RODC. If any of these accounts are not being cached, consider adding them to the password replication policy.

In the same dialog box, the Resultant Policy tab allows you to evaluate the effective caching policy for an individual user or computer. Click the Add button to select a user or computer account for evaluation.

You can also use the Advanced Password Replication Policy dialog box to prepopulate credentials in the RODC cache. If a user or computer is on the Allow list of an RODC, the account credentials can be cached on the RODC, but will not be cached until the authentication or service ticket events cause the RODC to replicate the credentials from a writable domain controller. By prepopulating credentials in the RODC cache, for users and computers in the branch office for example, you can ensure that authentication and service ticket activity will be processed locally by the RODC even when the user or computer is authenticating for the first time. To prepopulate credentials, click Prepopulate Passwords and select the appropriate users and computers.

Demonstration Steps:
1. On NYC-DC1, in the Active Directory Users and Computers console tree, click the Domain Controllers OU and open the properties of BRANCHDC01.
2. Click Password Replication Policy.
3. Click Advanced. The Advanced Password Replication Policy for BRANCHDC01 dialog box appears. The Policy Usage tab displays accounts whose passwords are stored on this Read-Only Domain Controller.
4. From the drop-down list, select Accounts Whose Passwords Are Stored On This Read-Only Domain Controller.
5. From the drop-down list, select Accounts that have been authenticated to this Read-only Domain Controller.
6. Click the Resultant Policy tab, and then click Add. The Select Users or Computers dialog box appears.
7. Type Chris.Gallagher, and then press Enter.
8. Click Policy Usage.
9. Click Prepopulate Passwords. The Select Users or Computers dialog box appears.
10. Type the name of the account you want to prepopulate (for example, type Chris.Gallagher), and then click OK.
11. Click Yes to confirm that you want to send the credentials to the RODC. The following message appears: Passwords for all accounts were successfully prepopulated.
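The two Policy Usage reports and the prepopulate step from the command line, as an added example that is not part of the course. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later) and the lab's names: RODC BRANCHDC01, hub DC NYC-DC1, user Chris.Gallagher. Beyond what the demonstration shows, it computes the difference between the two reports, which is the list the text tells you to review for additions to the password replication policy, and it treats the first report as the incident list for a lost RODC.

```powershell
# Added example, not part of the course: the Policy Usage reports of the Advanced Password
# Replication Policy dialog, reproduced with the ActiveDirectory module, plus prepopulation.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later); names are the lab's.
Import-Module ActiveDirectory

$rodc  = 'BRANCHDC01'
$hubDC = 'NYC-DC1'

# Report 1: "Accounts whose passwords are stored on this Read-Only Domain Controller".
# If the RODC is lost or stolen, these are the accounts whose passwords must be reset.
$cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)

# Report 2: "Accounts that have been authenticated to this Read-Only Domain Controller",
# i.e. referred to a writable DC for authentication or service ticket processing.
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

"{0}: {1} account(s) cached, {2} account(s) authenticated through it" -f $rodc, $cached.Count, $authenticated.Count

# Accounts the RODC sees but cannot serve locally: candidates for the Allow list.
$cachedDNs = $cached | Select-Object -ExpandProperty DistinguishedName
$notCached = $authenticated | Where-Object { $cachedDNs -notcontains $_.DistinguishedName }
"Authenticated but not cached (consider adding to the password replication policy):"
$notCached | Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize

# Accounts cached although the policy no longer allows them are the reverse problem:
# review report 1 against the Allow list after every policy change, because tightening
# the policy does not purge what the RODC already holds.
"Currently cached on ${rodc}:"
$cached | Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize

# Prepopulate one account (what "Prepopulate Passwords" does): replicate only the password
# from the hub DC to the RODC. This fails unless the account's resultant policy is Allow.
$user = Get-ADUser -Identity 'Chris.Gallagher'
Sync-ADObject -Object $user -Source $hubDC -Destination $rodc -PasswordOnly

# Confirm the account now shows up in report 1.
$nowCached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }
if ($nowCached) { "Password for {0} is now cached on {1}" -f $user.SamAccountName, $rodc }
```

Both reports are read from the RODC's own msDS-RevealedUsers and msDS-AuthenticatedToAccountlist attributes on its computer object, so they can be pulled from the hub site without logging on to the branch server.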
RODCs in branch offices may require maintenance such as an updated device driver. Additionally, small branch offices may combine the RODC role with the file server role on a single system, in which case it will be important to be able to back up the system. RODCs support local administration through a feature called administrative role separation. This feature specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group rights for the domain or other domain controllers. Therefore, a delegated administrator can log on to an RODC to perform maintenance work, such as upgrading a driver, on the server. But the delegated administrator cannot log on to any other domain controller or perform any other administrative task in the domain.

Each RODC maintains a local database of groups for specific administrative purposes. You can add a domain user account to these local roles to allow support of a specific RODC.

You can configure administrative role separation by using the dsmgmt.exe command. To add a user to the Administrators role on an RODC, follow these steps:
1. Open a command prompt on the RODC.
2. Type dsmgmt, and then press Enter.
3. Type local roles, and then press Enter. At the local roles prompt, you can type ? and press Enter for a list of commands. You can also type list roles and press Enter for a list of local roles.
4. Type add username administrators, where username is the pre-Windows 2000 logon name of a domain user, and then press Enter.

You can repeat this process to add other users to the various local roles on an RODC.
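The dsmgmt procedure above, scripted so that it can be applied and verified in one PowerShell session on the RODC, as an added example that is not part of the course. The account and RODC names are the lab's (Aaron.Painter_Admin, BRANCHDC01); the wrapper functions are mine. dsmgmt accepts its menu commands as quoted arguments and executes them in order, so "local roles" enters the menu and each quit leaves one level; the show role command is part of the same local roles menu listed by ?. The final part records the same delegate on the RODC's computer account (its Managed By tab), which is where the staged-installation wizard stores the delegated administrator and which the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later) can read from the hub site.

```powershell
# Added example, not part of the course: administrative role separation via dsmgmt.exe,
# wrapped so that the add and the verification run without an interactive dsmgmt session.
# Run on the RODC as a Domain Admin or as an existing local administrator of this RODC.

function Add-RodcLocalRoleMember {
    param(
        # pre-Windows 2000 logon name of a domain user, as the course requires (DOMAIN\user)
        [Parameter(Mandatory = $true)][string]$UserName,
        # one of the RODC's local roles; "list roles" in dsmgmt shows the full set
        [string]$Role = 'administrators'
    )
    # dsmgmt reports problems in its text output, so return it for the caller to inspect.
    & dsmgmt 'local roles' "add $UserName $Role" quit quit 2>&1
}

function Get-RodcLocalRoleMembers {
    param([string]$Role = 'administrators')
    & dsmgmt 'local roles' "show role $Role" quit quit 2>&1
}

function Get-RodcLocalRoles {
    & dsmgmt 'local roles' 'list roles' quit quit 2>&1
}

Get-RodcLocalRoles
Add-RodcLocalRoleMember -UserName 'CONTOSO\Aaron.Painter_Admin' -Role 'administrators'
Get-RodcLocalRoleMembers -Role 'administrators'

# Record the delegate on the RODC's computer account as well (the Managed By tab, i.e. the
# managedBy attribute), so the delegation is visible and auditable from the hub site.
Import-Module ActiveDirectory
Set-ADComputer -Identity 'BRANCHDC01' -ManagedBy (Get-ADUser -Identity 'Aaron.Painter_Admin')
Get-ADComputer -Identity 'BRANCHDC01' -Properties ManagedBy | Select-Object Name, ManagedBy
```

Keep the two places consistent: the local roles are what the RODC enforces at logon, while managedBy is what an administrator in the hub site will look at when asking who is allowed to maintain the branch server.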
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
6.
7.
8.
The lab setup script runs. When it is complete, press any key to continue. Close the Windows Explorer window, Lab10c.
Lab Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise's AD DS domain. Specifically, you are to improve the security of domain controllers in branch offices.

the distant branch office. To avoid travel costs, you decide to do the conversion remotely with the assistance of Aaron Painter, the desktop support technician and only IT staff member at the branch. Aaron Painter has already installed a Windows Server 2008 computer named BRANCHDC01 as a server in a workgroup. You will stage a delegated installation of an RODC so that Aaron Painter can complete the installation.

The main tasks for this exercise are as follows:
1. Stage a delegated installation of an RODC.
2. Run the Active Directory Domain Services Installation Wizard on a workgroup server.
1. Run Active Directory Users and Computers as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Right-click the Domain Controllers OU, and then click Pre-create Read-only Domain Controller account.
3.
Aaron.Painter_Admin.
Task 2: Run the Active Directory Domain Services Installation Wizard on a workgroup server.
1. Start 6425C-BRANCHDC01.
2. Log on to BRANCHDC01 as Administrator with the password Pa$$w0rd.
3. Click Start, and then click Run.
4. Type dcpromo, and then press Enter. A window appears that informs you that the AD DS binaries are being installed. When installation is completed, the Active Directory Domain Services Installation Wizard appears.
5. Click Next.
6. On the Operating System Compatibility page, click Next.
7.
8.
9.
10. In the User Name box, type Aaron.Painter_Admin.
11. In the Password box, type Pa$$w0rd, and then press Enter.
12. Click Next.
13. On the Select a Domain page, select contoso.com, and then click Next. A message appears to inform you that your credentials do not belong to the Domain Admins or Enterprise Admins groups. Because you have prestaged and delegated administration of the RODC, you can proceed with the delegated credentials.
14. Click Yes. A message appears to inform you that the account for BRANCHDC01 has been prestaged in Active Directory as an RODC.
15. Click OK.
16. On the Location For Database, Log Files, and SYSVOL page, click Next.
17. On the Directory Services Restore Mode Administrator Password page, type Pa$$w0rd12345 in the Password and Confirm Password boxes, and then click Next. In a production environment, you should assign a complex and secure password to the Directory Services Restore Mode Administrator account. Also, note that we modified the minimum password length in Lab A and as such need to meet the new minimum password length requirements.
18. On the Summary page, click Next.
19. In the progress window, select the Reboot On Completion check box. Active Directory Domain Services is installed on BRANCHDC01, and the server reboots.

Results: In this exercise, you created a new RODC named BRANCHDC01 in the contoso.com domain.
Task 2: Create a group to manage password replication to the branch office RODC.
1. In the Groups\Role OU, create a new global security group called Branch Office Users.
2.
Task 3: Configure password replication policy for the branch office RODC.
Configure BRANCHDC01 so that it caches passwords for users in the Branch Office Users group.
Open the Resultant Policy for BRANCHDC01's password replication policy. Question: What is the resultant policy for Chris.Gallagher?
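Tasks 2 and 3 done with the ActiveDirectory PowerShell module, followed by the resultant-policy evaluation the question asks for, as an added example that is not part of the course. It assumes the module (Windows Server 2008 R2 / RSAT or later) and the lab's names (contoso.com, BRANCHDC01, Branch Office Users, Chris.Gallagher); the distinguished name of the Groups\Role OU and the Get-RodcCachingDecision helper are my own. The helper spells out the three answers the Resultant Policy tab can give and why Deny wins over Allow.

```powershell
# Added example, not part of the course: create the branch group, put it on the RODC's
# Allow list, and evaluate the resultant caching policy for individual accounts.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later); the OU DN is assumed.
Import-Module ActiveDirectory

$rodc      = 'BRANCHDC01'
$groupName = 'Branch Office Users'
$groupPath = 'OU=Role,OU=Groups,DC=contoso,DC=com'   # assumed DN of the lab's Groups\Role OU

# Task 2: a global security group that defines who the branch RODC may cache.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupPath
}
Add-ADGroupMember -Identity $groupName -Members 'Chris.Gallagher'

# Task 3: put the group on the RODC's Allow list. The Denied list created at installation
# (Administrators, Server Operators, Backup Operators, Account Operators and the
# Denied RODC Password Replication Group) stays in place and always overrides Allow.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $groupName

"Allow list on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object -ExpandProperty Name
"Denied list on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object -ExpandProperty Name

# Resultant policy, as the Resultant Policy tab reports it for one account.
function Get-RodcCachingDecision {
    param(
        [Parameter(Mandatory = $true)][string]$Account,
        [string]$Rodc = 'BRANCHDC01'
    )
    $result = Get-ADAccountResultantPasswordReplicationPolicy -Identity $Account -DomainController $Rodc
    switch ("$result") {
        'Allow'        { "{0}: Allow (password may be cached on {1})" -f $Account, $Rodc }
        'DenyExplicit' { "{0}: DenyExplicit (on the Denied list directly or through a group; Deny wins over Allow)" -f $Account }
        'DenyImplicit' { "{0}: DenyImplicit (on neither list, so not cached)" -f $Account }
        default        { "{0}: {1}" -f $Account, $result }
    }
}

Get-RodcCachingDecision -Account 'Chris.Gallagher'   -Rodc $rodc   # member of Branch Office Users
Get-RodcCachingDecision -Account 'Pat.Coleman_Admin' -Rodc $rodc   # administrative accounts are typically in a denied group
```

Running the check for an administrative account next to a branch user is the quickest way to confirm that the built-in Denied list still applies after you have added your own Allow entries.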
1. Log on to BRANCHDC01 as Chris.Gallagher with the password Pa$$w0rd and then log off.
2.
In the password replication policy for BRANCHDC01, prepopulate the password for Christa Geller.
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1.
2.
3.
4.
In the Revert Virtual Machine dialog box, click Revert. Repeat these steps for 6425C-NYC-SVR1 and 6425C-BRANCHDC01.
Review Questions
Question: In your organization, a number of users deal with confidential files on a regular basis. You need to ensure that all these users have strict account policies enforced. The user accounts are scattered across multiple OUs. How would you accomplish this with the least administrative effort?

Question: Where should you define the default password and account lockout policies for user accounts in the domain?

Question: What would be the disadvantage of auditing all successful and failed logons on all machines in your domain?

Question: What are the advantages and disadvantages of prepopulating the credentials for all users and computers in a branch office to that branch's RODC?
Troubleshooting tip
right PSO applied. You cannot deploy an RODC.
Tools
Tool                               Used for                                    Where to find it
Group Policy Management console    Editing and managing group policy objects   Administrative Tools
ADSI Edit                          Creating Password Setting Objects           Administrative Tools
Dcpromo                            Creating and managing domain controllers    Command-line utility
Description
New settings in Group Policy object for more detailed auditing of various system events