Wednesday, December 31, 2014

computer account secure channel

computers have a SID, an account name (the computer name with a trailing $) and a password, just like users

the computer account password is what the Netlogon service uses to set up the secure channel to a DC; user logons and pass-through authentication ride over that channel (the user's own password does not create it)

secure channel broken when the password stored in the local LSA no longer matches the one in AD. (do not "fix" this by dropping to a workgroup and rejoining: if the old computer object is deleted and recreated the computer gets a new SID and loses its group memberships)

  • computer account password rotates every 30 days by default; a machine restored from an image/snapshot older than that is out of sync
  • OS reinstall with the same computer name
  • LSA secret out of sync with AD



fixes

  • ADUC: reset computer account, then rejoin
  • DSMOD: dsmod computer <DN> -reset, then rejoin
  • NLTEST: nltest /sc_reset (no rejoin or reboot)
  • PowerShell: Test-ComputerSecureChannel -Repair (no rejoin or reboot)



DSMOD command to reset computer acct (run from a DC or any box with RSAT; the PC must be rejoined afterwards)

NLtest command to reset. issue on the PC

"server" is the name of the computer whose account is being reset

Powershell command. issue on the PC
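The three repair routes above, worked through in one script. This is an added example, not from the original notes; the domain corp.example.com, the PC WS01, the DC DC01 and the OU=Workstations container are assumptions.

```powershell
# Added example (not part of the original notes): diagnose and repair a broken
# computer-account secure channel without dropping the box to a workgroup.
# Names are assumptions: domain corp.example.com, PC WS01, DC DC01,
# OU=Workstations,DC=corp,DC=example,DC=com.
$Domain = 'corp.example.com'
$DC     = "DC01.$Domain"

# 1. On the affected PC: is the channel healthy? $false is the "trust relationship
#    between this workstation and the primary domain failed" condition.
$healthy = Test-ComputerSecureChannel -Server $DC -Verbose
nltest /sc_query:$Domain          # same check, also shows which DC the channel is to

if (-not $healthy) {
    # 2. In-place repair: needs an account allowed to reset this computer's password
    #    (Domain Admins, Account Operators, or a delegated OU admin). Cached domain
    #    logon still works on the PC even though the channel is broken, so this can
    #    be run from a normal admin session.
    $cred = Get-Credential -Message "Account allowed to reset WS01's password"
    if (Test-ComputerSecureChannel -Repair -Server $DC -Credential $cred) {
        Write-Output 'secure channel re-established, no reboot needed'
    } else {
        # Fallback: force a fresh machine password on both sides
        Reset-ComputerMachinePassword -Server $DC -Credential $cred
    }
    # Legacy equivalents, also run on the PC, no rejoin/reboot:
    #   nltest /sc_reset:corp.example.com
    #   netdom reset WS01 /domain:corp.example.com
}

# 3. The ADUC "Reset Account" / dsmod route resets only the AD side, so the PC must
#    be rejoined afterwards (run on a DC or RSAT box):
#   dsmod computer "CN=WS01,OU=Workstations,DC=corp,DC=example,DC=com" -reset

# 4. Verify: channel OK, PasswordLastSet fresh, and the SID unchanged (a new SID
#    means someone deleted and recreated the object and the group memberships are gone).
Test-ComputerSecureChannel -Server $DC
Get-ADComputer -Identity WS01 -Properties PasswordLastSet |
    Select-Object Name, SID, PasswordLastSet
```

Step 2 is the one to reach for first: it keeps the computer object, its SID and its group memberships, and needs no reboot. Only fall back to step 3 when the PC cannot reach a DC at all.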

Automated Methods Managing accounts

User acct and security identifier - each user acct has a unique SID. Deleting an acct and creating a new one with the same name gives a new SID, so the new acct inherits none of the old one's group memberships or ACL entries.

ADSI Edit tool to view raw AD attributes (objectSid, userAccountControl, etc).



Automated methods

  • LDIFDE - LDIF format; import/export, can also modify or delete existing objects (and set passwords over LDAPS)
  • CSVDE - CSV format; import/export, add only, cannot set passwords, so imported users arrive disabled

creating accounts automatically (bulk) using CSV file
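A worked CSVDE import followed by an LDIFDE pass that sets the passwords and enables the accounts. Added example, not from the original notes; the domain corp.example.com, OU=Staff, DC01 and the two users are constructed for the example.

```powershell
# Added example (not part of the original notes): bulk-create users with CSVDE,
# then set passwords and enable them with LDIFDE over LDAPS. Domain, OU, DC and
# users are assumptions constructed for the example.
$OU = 'OU=Staff,DC=corp,DC=example,DC=com'
$DC = 'DC01.corp.example.com'

# Constructed sample input. csvde wants LDAP attribute names as the header and the
# DN as the first column.
@"
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,department
"CN=Ada Lovelace,$OU",user,alovelace,alovelace@corp.example.com,Ada,Lovelace,Ada Lovelace,Engineering
"CN=Grace Hopper,$OU",user,ghopper,ghopper@corp.example.com,Grace,Hopper,Grace Hopper,Engineering
"@ | Set-Content -Path .\users.csv -Encoding ASCII

# -i import, -f file, -s server, -k skip "already exists"/constraint errors, -j log dir.
# csvde cannot write unicodePwd, so every user lands DISABLED (userAccountControl 514).
csvde -i -f .\users.csv -s $DC -k -j .

# unicodePwd must be the UTF-16LE bytes of the quoted password, base64 encoded, and
# AD only accepts it over an encrypted bind.
function ConvertTo-UnicodePwdBase64 {
    param([Parameter(Mandatory)][string]$Password)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('"' + $Password + '"'))
}
$alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+=?@'

$ldif = foreach ($row in Import-Csv .\users.csv) {
    # Per-user random initial password; hand it over out of band
    $pw = -join ($alphabet | Get-Random -Count 20)
    @"
dn: $($row.DN)
changetype: modify
replace: unicodePwd
unicodePwd:: $(ConvertTo-UnicodePwdBase64 $pw)
-
replace: userAccountControl
userAccountControl: 512
-
replace: pwdLastSet
pwdLastSet: 0
-

"@
}
$ldif | Set-Content -Path .\setpw.ldf -Encoding ASCII

# -t 636 forces LDAPS (a plain 389 bind rejects unicodePwd); 512 = normal enabled
# account, pwdLastSet 0 = must change password at next logon.
ldifde -i -f .\setpw.ldf -s $DC -t 636 -k -j .
Remove-Item .\setpw.ldf   # the file holds every initial password
```

The split matters because CSVDE's inability to set passwords is exactly why accounts it creates must stay disabled: enabling them without a password, with PASSWD_NOTREQD still set from the default userAccountControl, would leave passwordless enabled logons.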

DSADD - creates objects without the protect-from-accidental-deletion flag. watch case in object names (values are stored exactly as typed).

Use an Excel spreadsheet with the CONCATENATE function to build one dsadd line per row, then paste the column into a .cmd file.
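The CONCATENATE approach done in PowerShell instead of Excel, with the protection flag dsadd leaves off set afterwards. Added example, not from the original notes; the OU, domain and the two rows are assumptions.

```powershell
# Added example (not part of the original notes): build and run one dsadd line per
# CSV row, then set the protect-from-accidental-deletion flag dsadd does not set.
# OU, domain and rows are assumptions.
$OU = 'OU=Staff,DC=corp,DC=example,DC=com'

# Constructed sample rows (the Excel sheet's columns)
$rows = @'
First,Last,SamId,Dept
Ada,Lovelace,alovelace,Engineering
Grace,Hopper,ghopper,Engineering
'@ | ConvertFrom-Csv

$alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+=?@'

foreach ($r in $rows) {
    $dn  = "CN=$($r.First) $($r.Last),$OU"
    $upn = "$($r.SamId)@corp.example.com"
    # Random per-user initial password, must change at first logon. Never put one
    # shared password in the sheet. Note the password is on the command line here,
    # visible to anyone who can list processes on the admin box while it runs.
    $pw = -join ($alphabet | Get-Random -Count 20)

    dsadd user $dn -samid $r.SamId -upn $upn -fn $r.First -ln $r.Last `
        -display "$($r.First) $($r.Last)" -dept $r.Dept `
        -pwd $pw -mustchpwd yes -disabled no
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd failed for $dn"; continue }

    # dsadd leaves the object unprotected; set the flag so a stray dsrm/ADUC delete fails
    Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $true
    Write-Output "created $dn (initial password to be handed over out of band)"
}
```

Using -pwd * instead of -pwd $pw makes dsadd prompt for each password and keeps it off the command line, at the cost of the run no longer being unattended.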

  • DSMOD
  • DSQUERY/DSGET

add or remove a user to/from a group

find the department of users

Using ADAC UI, select multiple users and modify a shared property in one edit

  • DSMOVE - move or rename an object
  • DSRM - delete an object or a whole subtree; refused on objects protected from accidental deletion
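The ds* tools from the two lists above (DSQUERY/DSGET/DSMOD, then DSMOVE/DSRM), each next to its ActiveDirectory-module equivalent. Added example, not from the original notes; domain, OUs, group and user names are assumptions.

```powershell
# Added example (not part of the original notes): day-to-day account maintenance
# with the ds* tools and the matching cmdlets. Domain, OUs, group and user names
# are assumptions.
$Domain  = 'DC=corp,DC=example,DC=com'
$GroupDN = "CN=VPN Users,OU=Groups,$Domain"
$UserDN  = "CN=Ada Lovelace,OU=Staff,$Domain"

# DSQUERY | DSGET: users whose name starts with "A", with samid and department
dsquery user "OU=Staff,$Domain" -name "A*" | dsget user -samid -dept
Get-ADUser -SearchBase "OU=Staff,$Domain" -Filter 'Name -like "A*"' -Properties Department |
    Select-Object SamAccountName, Department

# DSMOD group: add / remove a member
dsmod group $GroupDN -addmbr $UserDN
dsmod group $GroupDN -rmmbr  $UserDN
Add-ADGroupMember    -Identity $GroupDN -Members $UserDN
Remove-ADGroupMember -Identity $GroupDN -Members $UserDN -Confirm:$false

# DSMOD user in bulk: everyone under OU=Staff gets a new office (-c continues on errors)
dsquery user "OU=Staff,$Domain" -limit 0 | dsmod user -office "Bldg 2" -c
Get-ADUser -SearchBase "OU=Staff,$Domain" -Filter 'Department -eq "Engineering"' |
    Set-ADUser -Office 'Bldg 2'

# DSMOVE: move to another OU (-newparent) or rename (-newname)
dsmove $UserDN -newparent "OU=Leavers,$Domain"
Move-ADObject -Identity $UserDN -TargetPath "OU=Leavers,$Domain"

# DSRM: delete. -subtree removes a whole container and -noprompt skips the
# confirmation, so combine them only inside a reviewed script. A protected object
# makes dsrm fail with access denied; clear the flag first when the delete is intended.
$leaver = "CN=Ada Lovelace,OU=Leavers,$Domain"
Set-ADObject -Identity $leaver -ProtectedFromAccidentalDeletion $false
dsrm $leaver -noprompt
# Remove-ADObject -Identity $leaver -Confirm:$false      # cmdlet equivalent
```

The access-denied on a protected object is the intended outcome of the flag: it is a Deny Delete/Delete Subtree ACE for Everyone on the object, so even a Domain Admin has to clear it on purpose before the delete goes through.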

Powershell

new-aduser command (ActiveDirectory module; for bulk creation feed it rows from Import-Csv in a loop)
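Bulk New-ADUser from a CSV, the cmdlet counterpart of the dsadd and csvde routes above. Added example, not from the original notes; the OU, domain and the two users are assumptions.

```powershell
# Added example (not part of the original notes): bulk New-ADUser from a CSV with a
# per-user random password, enabled, must-change-at-logon, protected from
# accidental deletion. Domain, OU and users are assumptions constructed inline.
Import-Module ActiveDirectory

$Path = 'OU=Staff,DC=corp,DC=example,DC=com'
$rows = @'
GivenName,Surname,SamAccountName,Department,Title
Ada,Lovelace,alovelace,Engineering,Analyst
Grace,Hopper,ghopper,Engineering,Rear Admiral
'@ | ConvertFrom-Csv

$alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+=?@'
$handover = @()   # initial passwords, to be delivered out of band and then discarded

foreach ($r in $rows) {
    # Skip instead of aborting the whole run when the samid is already taken
    if (Get-ADUser -Filter "SamAccountName -eq '$($r.SamAccountName)'") {
        Write-Warning "$($r.SamAccountName) already exists, skipping"; continue
    }
    $plain  = -join ($alphabet | Get-Random -Count 20)
    $params = @{
        Name                  = "$($r.GivenName) $($r.Surname)"
        GivenName             = $r.GivenName
        Surname               = $r.Surname
        SamAccountName        = $r.SamAccountName
        UserPrincipalName     = "$($r.SamAccountName)@corp.example.com"
        Department            = $r.Department
        Title                 = $r.Title
        Path                  = $Path
        AccountPassword       = (ConvertTo-SecureString $plain -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true
        PassThru              = $true
    }
    $user = New-ADUser @params
    # New-ADUser, like dsadd, does not protect the object; set it explicitly
    Set-ADObject -Identity $user -ProtectedFromAccidentalDeletion $true
    $handover += [pscustomobject]@{ Sam = $r.SamAccountName; InitialPassword = $plain }
    Write-Output "created $($user.DistinguishedName)"
}

# Review the result; $handover goes to the help desk over a secure channel, not to a file
Get-ADUser -SearchBase $Path -Filter * -Properties Department, PasswordLastSet |
    Select-Object SamAccountName, Department, Enabled, PasswordLastSet
```

ChangePasswordAtLogon is what makes the random initial password safe to hand over: it is only ever good for one logon.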

disabled, inactive accounts

Locating disabled/inactive accts using ADAC (Global Search: filter on "disabled" / "inactive for N days", or convert the query to an LDAP filter)

LDAP search string (the same query typed by hand: match the disabled bit of userAccountControl, or lastLogonTimestamp older than a cutoff)
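The ADAC search and the hand-written LDAP filter side by side, plus the "enabled but unused" case that is the real risk. Added example, not from the original notes; the domain and the 90-day cutoff are assumptions.

```powershell
# Added example (not part of the original notes): find disabled and stale accounts
# with Search-ADAccount and with the raw LDAP filters ADAC builds. Domain name and
# the 90-day cutoff are assumptions.
Import-Module ActiveDirectory
$Base = 'DC=corp,DC=example,DC=com'
$InactiveDays = 90

# Cmdlet route
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $Base |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |                  # enabled AND unused = the ones to act on
    Select-Object SamAccountName, LastLogonDate, PasswordExpired

# LDAP route. 1.2.840.113556.1.4.803 is the bitwise-AND matching rule;
# userAccountControl bit 2 = ACCOUNTDISABLE. These strings paste unchanged into the
# ADAC / ADUC LDAP query box.
$DisabledFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'

# lastLogonTimestamp is a FILETIME (100 ns ticks since 1601) that replicates with up
# to ~14 days of slack, so the cutoff is approximate by design.
$cutoff = (Get-Date).AddDays(-$InactiveDays).ToFileTimeUtc()
$StaleEnabledFilter = '(&(objectCategory=person)(objectClass=user)' +
    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
    "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"

Get-ADUser -LDAPFilter $DisabledFilter -SearchBase $Base |
    Select-Object SamAccountName, DistinguishedName
Get-ADUser -LDAPFilter $StaleEnabledFilter -SearchBase $Base -Properties lastLogonTimestamp, whenCreated |
    Where-Object { $_.whenCreated -lt (Get-Date).AddDays(-$InactiveDays) } |   # drop brand-new never-used accounts
    Select-Object SamAccountName,
        @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } }

# Typical remediation: disable first, delete later. Try it with -WhatIf.
# Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly |
#     Where-Object Enabled | Disable-ADAccount -WhatIf
```

The never-logged-on branch ((!(lastLogonTimestamp=*))) matters: accounts created and never used are stale from day one, and would be missed by a filter that only compares timestamps.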

offline domain join

normally a domain join is an interactive process on the machine itself, with a DC reachable over the network

offline DJ benefits

  • saves time and effort for large deployments (datacenters, labs, new dept, large-scale PC rollouts)
  • doesn't require network connectivity to a DC at join time
  • auto-joined at first boot, with no extra reboot, when the blob is injected into the image or unattend.xml
  • unattend.xml if wanted
  • "/downlevel" for provisioning against pre-2008 R2 DCs
  • new in win-12: the blob can carry DirectAccess config (policies, root CA certs, certificate template) so the box can reach the domain through DirectAccess from first boot

Provisioning command to add computer to domain:

from a DC (or any domain member with RSAT, as an account allowed to create computer objects), create a base64 provisioning blob valid only for the computer name specified.

copy blob.txt (the base64 provisioning file) created in the command above to the target computer. treat it as a credential: it carries the new machine account password, and anyone holding it can join a machine under that identity.

Djoin command:

from the computer to join, issue the command then restart (or inject the blob into the offline image / unattend.xml and the join completes at first boot).
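The provisioning and request halves of the offline join, with the blob handled as the secret it is. Added example, not from the original notes; the domain, OU, computer name and paths are assumptions.

```powershell
# Added example (not part of the original notes): offline domain join end to end.
# Domain, OU, computer name and paths are assumptions.
$Domain  = 'corp.example.com'
$Machine = 'LAB-PC-042'
$Blob    = "$env:TEMP\$Machine.djoin.txt"

# --- on a DC / RSAT box, as an account allowed to create computer objects ---
# /reuse lets a pre-staged account be re-provisioned instead of failing on "exists".
djoin /provision /domain $Domain /machine $Machine `
      /machineou "OU=Lab,DC=corp,DC=example,DC=com" /reuse /savefile $Blob
if ($LASTEXITCODE -ne 0) { throw 'provisioning failed' }

# The blob is base64 over a structure that holds the new machine-account password:
# same sensitivity as a credential. Restrict the file to the current user, delete after use.
icacls $Blob /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null

# --- on the target, running OS (no path to a DC needed), then reboot ---
# djoin /requestODJ /loadfile C:\Temp\LAB-PC-042.djoin.txt /windowspath $env:SystemRoot /localos
# Restart-Computer
#
# --- or into an offline image, so the box is joined at first boot with no extra reboot ---
# djoin /requestODJ /loadfile $Blob /windowspath D:\Windows
# (unattend alternative: paste the blob's contents into
#  Microsoft-Windows-UnattendedJoin\Identification\Provisioning\AccountData)

# --- verify from the DC once the box has booted ---
Get-ADComputer -Identity $Machine -Properties PasswordLastSet, whenCreated |
    Select-Object Name, Enabled, whenCreated, PasswordLastSet
Remove-Item $Blob -Force
```

Because the blob is tied to one computer name and one machine password, a leaked copy buys an attacker exactly one identity; rotating that account's password (or deleting the object) after a suspected leak is the containment step.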

New in AD

http://cbt.gg/M6vHml
http://cbt.gg/MfofRw

dcpromo

  • dcpromo.exe is deprecated; promotion is now the AD DS role in Server Manager plus the post-deployment "promote" task (or the ADDSDeployment PowerShell module)
  • adprep and the other show-stoppers are handled in the prerequisite checks
  • dcpromo /unattend:<file> is still accepted for answer-file installs

ADAC: UI improvements, Windows PowerShell History viewer (shows the cmdlets behind each UI action)

AD recycle bin UI - enabled forest-wide (needs forest functional level 2008 R2 or higher). Once enabled, it can't be disabled, and it takes effect on every DC as the change replicates.

From ADAC: select the forest node, "Enable Recycle Bin" in the tasks pane

From Powershell: Enable-ADOptionalFeature on the "Recycle Bin Feature"

To restore from recycle bin (ADAC: Deleted Objects container, or Restore-ADObject) - restores the object with all its attributes and group memberships, unlike tombstone reanimation, which keeps only a few.
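Enabling the feature with its pre-checks, then listing and restoring a deleted user. Added example, not from the original notes; the forest name and the deleted user are assumptions.

```powershell
# Added example (not part of the original notes): enable the AD Recycle Bin, then
# find and restore a deleted user. Forest name and the user are assumptions.
Import-Module ActiveDirectory
$Forest = 'corp.example.com'

# Pre-checks: forest level must be 2008 R2 or later, and the change is one way.
$f = Get-ADForest -Identity $Forest
if ($f.ForestMode -lt 'Windows2008R2Forest') { throw "forest level $($f.ForestMode) too low" }

$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    # Same as the ADAC "Enable Recycle Bin" task. Irreversible.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false
}

# What is recoverable: deleted objects sit under CN=Deleted Objects with isDeleted=TRUE.
# After msDS-deletedObjectLifetime (default 180 days) they become recycled objects
# and can no longer be restored.
Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user))' -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged, msDS-LastKnownRDN |
    Select-Object msDS-LastKnownRDN, lastKnownParent, whenChanged, ObjectGUID

# Restore one user to its last known parent, attributes and memberships intact.
# If the parent OU was deleted as well, restore the OU first (deepest ancestor first).
$victim = Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user)(msDS-LastKnownRDN=Ada Lovelace))' `
    -IncludeDeletedObjects
Restore-ADObject -Identity $victim.ObjectGUID
Get-ADUser -Identity alovelace -Properties MemberOf | Select-Object Name, Enabled, MemberOf
```

Matching on msDS-LastKnownRDN rather than Name is deliberate: the deleted object's Name is rewritten to "<old name>\0ADEL:<GUID>", so the original RDN survives only in that attribute.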

Activation via AD - no need for a KMS server; Active Directory-based activation lets clients activate against the domain

Dynamic access control improvements

Virtualizing DCs - fixed the USN rollback that reverting to a snapshot used to cause (the hypervisor's VM-Generation ID lets the DC detect the revert); DCs can also be cloned now

UI for fine-grained PW - separate password policies (PSOs) within a single domain, now editable in ADAC

Flexible and secure tunneling

AD FS included as an in-box role

Domain join via DirectAccess

srv records

  • DNS "SRV" entries
  • critical to proper function of AD
  • locate DCs (the _ldap, _kerberos and _gc records under _msdcs and _tcp)
  • locate other services (ie Lync servers)

srv records can be replicated to DNS servers in the forest or domain by right-clicking the zone and changing its replication scope (AD-integrated zones).

To recreate srv resource records in the event of accidental deletion: restart the Netlogon service on a DC (or run nltest /dsregdns); Netlogon re-registers everything listed in %SystemRoot%\System32\config\netlogon.dns.
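Checking the locator records clients depend on, then re-registering them after a deletion. Added example, not from the original notes; the domain and site names are assumptions.

```powershell
# Added example (not part of the original notes): check the SRV records AD clients
# use to find DCs, and re-register them after a deletion. Domain and site names
# are assumptions; _gc._tcp lives in the forest root zone, assumed to be the same domain.
$Domain = 'corp.example.com'
$Site   = 'Default-First-Site-Name'

$srv = @(
    "_ldap._tcp.dc._msdcs.$Domain",                 # any DC in the domain
    "_kerberos._tcp.dc._msdcs.$Domain",             # KDCs
    "_gc._tcp.$Domain",                             # global catalogs
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"     # DCs in a given site
)
foreach ($name in $srv) {
    $r = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    if ($r) { $r | Select-Object Name, NameTarget, Port, Priority, Weight | Format-Table -AutoSize }
    else    { Write-Warning "missing: $name" }
}

# Which DC the locator actually picks, and the flags it advertises (GC, KDC, writable)
nltest /dsgetdc:$Domain /force

# --- recreate after accidental deletion (run on a DC) ---
# Netlogon keeps its full record list in netlogon.dns; /dsregdns or a service restart
# re-registers every record via dynamic update.
# Get-Content "$env:SystemRoot\System32\config\netlogon.dns" | Select-Object -First 5
# nltest /dsregdns
# Restart-Service Netlogon
# Then re-run the loop above. An AD-integrated zone replicates the recreated records
# to the other DNS servers in its replication scope.
```

A missing _kerberos or _ldap record shows up as logons that silently fall back to another site's DC, or fail outright, so the loop is worth running as a routine health check rather than only after a deletion.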

Trusts and federations

four types of trusts

  • external - non-transitive trust to a domain in another forest (or an NT-style domain) so its users can access resources in this domain
  • shortcut - direct trust to a deep child-level domain for quicker authentication without "walking the tree"
  • realm - non-Windows Kerberos realm interoperating with a Windows domain
  • forest - transitive trust between two forests, as between domains inside one forest

federation - not a trust. access to applications in another organization's domain via claims (AD FS), without a domain trust.
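Auditing the trusts in place for the two settings that limit what the other side can do, and creating an external trust with both switched on. Added example, not from the original notes; the domain names are assumptions.

```powershell
# Added example (not part of the original notes): audit existing trusts for SID
# filtering and selective authentication, then create an external trust with both
# on. Domain names are assumptions.
Import-Module ActiveDirectory

$props = @(
    'Name', 'Direction', 'TrustType', 'ForestTransitive', 'IntraForest'
    'SIDFilteringQuarantined'    # external trusts: TRUE drops foreign SIDs carried in sIDHistory
    'SIDFilteringForestAware'    # forest trusts: the forest-wide form of the same check
    'SelectiveAuthentication'    # TRUE = only principals granted "Allowed to Authenticate" get in
)
Get-ADTrust -Filter * -Properties * | Select-Object $props | Format-Table -AutoSize

# An external trust with SID filtering off lets whoever controls the other domain put
# e.g. this domain's Domain Admins SID into sIDHistory and arrive with that access.
Get-ADTrust -Filter * -Properties * |
    Where-Object { -not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined } |
    ForEach-Object { Write-Warning "SID filtering off on external trust to $($_.Name)" }

# Creation is still netdom (no New-ADTrust cmdlet). Two-way external trust from
# corp.example.com to partner.example, then tighten and verify it:
#   netdom trust corp.example.com /domain:partner.example /add /twoway /userd:partner\admin /passwordd:*
#   netdom trust corp.example.com /domain:partner.example /quarantine:yes       # SID filtering
#   netdom trust corp.example.com /domain:partner.example /selectiveauth:yes    # selective auth
#   netdom trust corp.example.com /domain:partner.example /verify
```

Selective authentication is the setting that turns a trust from "everyone over there can authenticate here" into an allow-list: with it on, a foreign principal needs the Allowed to Authenticate right on each server it is meant to reach.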


Global Catalog

Full copy of the host domain's objects
partial read-only copy of every object in the other domains of the forest

Benefits

  • simpler searches across domains
  • no need to contact source DCs
  • UPN authentication (resolving user@domain to the right domain)
  • validates forest objects
  • universal group membership info (needed at logon)

single domain - no burden, make every DC a GC

multi-domain - consider the added replication

enabling GC: AD Sites and Services > server > NTDS Settings > properties > "Global Catalog" checkbox (it takes effect once the partial replicas have replicated in)

if the only GC is removed no one can log on (Domain Admins excepted), because universal group memberships cannot be evaluated. keep at least two.

de-commissioned DCs need to be manually deleted from Sites and Services when they were not demoted cleanly (metadata cleanup), otherwise the forest still thinks a dead DC/GC exists
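Listing the GCs, enabling GC on a DC the way the checkbox does it, and the check to run before removing one, followed by the cleanup for a DC that was never demoted. Added example, not from the original notes; the DC names and site are assumptions.

```powershell
# Added example (not part of the original notes): list global catalogs, enable GC on
# a DC, check before removing one, and clean up a dead DC. DC names and the site
# are assumptions.
Import-Module ActiveDirectory
$Forest = Get-ADForest
$DC     = Get-ADDomainController -Identity 'DC02.corp.example.com'

# Who is a GC today, and the options attribute on each NTDS Settings object
# (bit 0x1 = NTDSDSA_OPT_IS_GC, the checkbox in Sites and Services).
$Forest.GlobalCatalogs
Get-ADDomainController -Filter * | ForEach-Object {
    $o = (Get-ADObject -Identity $_.NTDSSettingsObjectDN -Properties options).options
    [pscustomobject]@{ DC = $_.HostName; Site = $_.Site; IsGC = $_.IsGlobalCatalog; options = $o }
}

# Enable GC on DC02 = set bit 1 on its NTDS Settings object (same as ticking the box).
$ntds = Get-ADObject -Identity $DC.NTDSSettingsObjectDN -Properties options
$opts = [int]$ntds.options
if (-not ($opts -band 1)) {
    Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }
}
# Promotion is not instant: the partial replicas must replicate first. It is done when
# the DC logs NTDS event 1119 and the locator hands it out as a GC:
#   nltest /dsgetdc:corp.example.com /gc
#   repadmin /showrepl DC02.corp.example.com

# Before removing a GC (clear bit 1 = untick the box) make sure another one exists,
# ideally in the same site, or logons fail once this one is gone.
$others = @($Forest.GlobalCatalogs | Where-Object { $_ -ne $DC.HostName })
if ($others.Count -eq 0) { throw 'DC02 is the only GC; add another before removing it' }
# Set-ADObject -Identity $ntds -Replace @{ options = ($opts -band -bnot 1) }   # only when intended

# A DC that died without being demoted leaves its server/NTDS objects behind, and the
# forest keeps treating it as a (dead) DC and GC. Remove them:
#   ntdsutil "metadata cleanup" "remove selected server CN=DC03,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com" quit quit
# or delete the server object in AD Sites and Services (or the computer object in the
# Domain Controllers OU); since 2008 that runs the metadata cleanup for you.
```

The reason to check the GC list before unticking the box is the logon dependency in the notes: a DC that cannot reach a GC cannot build the universal-group part of a token, and that failure is silent until users start being refused.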

Planning AD upgrade

prerequisites

  • usual win-12 hardware/software prerequisites
  • dc upgrade (http://cbt.gg/McK6Jc)

forest functional level

  • no minimum change, but adprep /forestprep (the schema update) must still run before the first win-12 DC; raising the forest level to the latest comes after every DC is upgraded

domain functional level (http://cbt.gg/T3CPAy)

  • w2k3 or greater to add a win-12 DC
  • new win-12 level for dynamic access control (http://cbt.gg/PuVctE)

identify domain functional level: ADAC / ADUC > domain > "Raise domain functional level" shows the current one

identify forest functional level: AD Domains and Trusts > root node > "Raise forest functional level" shows the current one

forestprep and domainprep

adprep is in \support\adprep on the win-12 media. Run /forestprep once per forest (Schema Admin + Enterprise Admin) and /domainprep once per domain (Domain Admin); it no longer has to be run on the schema master itself.

in-place upgrade of an existing DC: run the adprep steps first, then launch win-12 setup from within the running OS.
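The pre-upgrade checks and the adprep/level-raise steps above as one script. Added example, not from the original notes; the forest name, media drive letter and DC names are assumptions.

```powershell
# Added example (not part of the original notes): pre-upgrade checks for adding a
# win-12 DC, the adprep commands, and raising the levels afterwards. Forest name,
# media drive letter and DC names are assumptions.
Import-Module ActiveDirectory
$ForestName = 'corp.example.com'

# identify forest and domain functional levels (same values the UI dialogs show)
$forest = Get-ADForest -Identity $ForestName
$domain = Get-ADDomain -Identity $ForestName
"Forest level : $($forest.ForestMode)"
"Domain level : $($domain.DomainMode)"
"Schema master: $($forest.SchemaMaster)"
$schemaVer = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
"Schema objectVersion: $schemaVer"   # 56 = win-12 schema already applied, 47 = 2008 R2, 44 = 2008, 30/31 = 2003/R2

# A win-12 DC can only be added at Windows2003Domain level or higher
if ($domain.DomainMode -lt 'Windows2003Domain') { throw 'raise the domain functional level first' }

# adprep lives in \support\adprep on the media. Once per forest / once per domain,
# as Enterprise Admin + Schema Admin (forestprep) and Domain Admin (domainprep).
# /gpprep updates GPO ACLs for RSoP planning and is needed if it was never run before.
#   D:\support\adprep\adprep.exe /forestprep
#   D:\support\adprep\adprep.exe /domainprep
#   D:\support\adprep\adprep.exe /domainprep /gpprep
# Server Manager's promotion wizard runs the same steps during its prerequisite checks.

# Install-ADDSDomainController is the dcpromo replacement for adding the new DC:
#   Install-ADDSDomainController -DomainName corp.example.com -InstallDns -Credential (Get-Credential) `
#       -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# After every DC is win-12, raise the levels (one-way operations; confirm no older DCs remain)
$old = @(Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -notlike '*2012*' })
if ($old.Count -eq 0) {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2012Domain -Confirm:$false
    Set-ADForestMode -Identity $forest -ForestMode Windows2012Forest -Confirm:$false
} else {
    $old | Select-Object HostName, OperatingSystem
}
```

The schema objectVersion check is the quickest way to tell whether someone has already run forestprep: it is the one number that changes on the schema partition and it replicates forest-wide.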


uninstalling AD and DC

Remove Role

Server Manager > Remove Roles and Features > de-select Active Directory Domain Services. It will prompt you to demote the DC first.

Must demote DC before removing AD DS.

Also force removal of the DC (for a box that can no longer contact the domain), but use only in extreme cases; it leaves the DC's metadata in AD, so follow it with metadata cleanup on a healthy DC.

ensure that another DNS server and GC exist before demoting (and move any FSMO roles the DC holds)

enter new local administrator password (what the box will use once it is a member server again)

From a Core install (no Server Manager): demote with the ADDSDeployment PowerShell cmdlets, reboot, then remove the role binaries.

enter local admin password for the member server.
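The Core-install demotion as a script, with the GC, DNS and FSMO checks the wizard asks about done up front. Added example, not from the original notes; DC01 as the role target and the domain name are assumptions.

```powershell
# Added example (not part of the original notes): demote a DC from PowerShell (the
# Core route; Server Manager runs the same cmdlets), with the checks the wizard
# asks about up front. DC01 and the domain name are assumptions.
Import-Module ActiveDirectory
Import-Module ADDSDeployment
$Me     = $env:COMPUTERNAME
$Domain = Get-ADDomain
$Forest = Get-ADForest
$cred   = Get-Credential -Message 'Domain Admin for the demotion'

# 1. Do not leave the domain without a GC or a DNS server
$otherGCs = @($Forest.GlobalCatalogs | Where-Object { $_ -notlike "$Me.*" })
if ($otherGCs.Count -eq 0) { throw 'this is the only global catalog' }
$otherDns = @(Get-ADDomainController -Filter * |
    Where-Object { $_.HostName -notlike "$Me.*" -and
                   (Resolve-DnsName -Server $_.HostName -Name $Domain.DNSRoot -ErrorAction SilentlyContinue) })
if ($otherDns.Count -eq 0) { throw 'no other DNS server answers for the domain' }

# 2. Move FSMO roles this DC holds to a chosen DC, rather than letting
#    -DemoteOperationMasterRole hand them to whatever DC it finds.
$held = @()
if ($Domain.PDCEmulator          -like "$Me.*") { $held += 'PDCEmulator' }
if ($Domain.RIDMaster            -like "$Me.*") { $held += 'RIDMaster' }
if ($Domain.InfrastructureMaster -like "$Me.*") { $held += 'InfrastructureMaster' }
if ($Forest.SchemaMaster         -like "$Me.*") { $held += 'SchemaMaster' }
if ($Forest.DomainNamingMaster   -like "$Me.*") { $held += 'DomainNamingMaster' }
if ($held) {
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC01.corp.example.com' `
        -OperationMasterRole $held -Confirm:$false
}

# 3. Demote. The "new local administrator password" is the one the box will have
#    once it is a member server again; set a real one, it is the only local admin.
$localAdminPw = Read-Host -AsSecureString 'New local Administrator password'
Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localAdminPw -Credential $cred
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdminPw -Credential $cred `
    -RemoveDnsDelegation:$false -Confirm:$false        # reboots when done

# Forced removal, only when the DC cannot reach the domain any more (dead link,
# orphaned lab box). Nothing is cleaned up in AD, so follow it with metadata cleanup
# on a healthy DC (ntdsutil, or delete the DC in AD Sites and Services).
# Uninstall-ADDSDomainController -ForceRemoval -LocalAdministratorPassword $localAdminPw -Confirm:$false

# 4. After the reboot, remove the role binaries: the Server Manager "Remove Roles"
#    step that refuses to run while the box is still a DC.
# Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Restart
```

Test-ADDSDomainControllerUninstallation is the scripted form of the wizard's prerequisite page: run it first and read its warnings, since the uninstall itself reboots the box as soon as it succeeds.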