1. Install and configure Active Directory Domain Services (AD DS) (20–25%)

Install Active Directory

Know the PowerShell commands:

– Add the binaries

Add-WindowsFeature -name ad-domain-services—lncludeManagementTools -Restart

– Add a new forest

Install-ADDSForest —DomainName ‘corp.contoso.com’

– Add a new domain in an existing forest

Install-ADDSDomain -NewDomainName amer ParentDomainName ‘corp.contoso.com’

– Add a new domain controller in an existing domain

Install-ADDSDomainController —DomainName ‘amer. corp.contoso.com’

– Perform a staged read-only domain controller (RODC) installation

Install-ADDSReadOnlyDomainControl|erAccount –DomainControllerAccountName RODC1 -DomainName amercorp contoso com -SiteName Boston

* Then on RODC1: add the ad-domain-services feature, and domain controller role

 

Transferring and seizing FSMO roles

Exam Topic – What you should know!

Transfer FSMO Roles

• Perform this on a domain controller which will be down for maintenance for a period of time, to ensure there is no loss of the fsmo service

• Move-ADDirectoryServerOperationMasterRo|e -Identity “Target-DC” -OperationMasterRole SchemaMaster,RlDMaster,InfrastructureMaster, DomainNamingMaster,PDCEmulator

Seize FSMO Roles

• Perform this if a domain controller is down and cannot be recovered, to ensure there is no loss of the FSMO service

• Move-ADDirectoryServerOperationMasterRole -ldentity “Target-DC’ -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force

FSMO roles can be represented by numbers

• Move-ADDirectoryServerOperationMasterRole -Identity “Target-DC” -OperationMasterRole 0,1,2,3,4 -Force

– 0: PDC Emulator

– 1: RID Master

– 2: Infrastructure Master

– 3: Schema Master

– 4: Domain Naming Master

 

Additional common active directory install functions

Install from media

• Useful when the database is on a domain controller across a slow WAN link

• Install-ADDSDomainController —DomainName ‘amer.corp.contoso.com” -lnstallationMediaPath C:\ADMedia

Configure a domain controller to not be global catalog server

• InstalI-ADDSDomainController —DomainName ‘amer.corp.contoso.com” —NoGlobalCatalog

Move the Infrastructure Master FSMO role

• Needed if the domain controller will be a global catalog server

• Install-ADDSDomainController —DomainName ‘amer.corp.contoso.com” -MovelnfrastructureMasterRolelfNecessary

Uninstall active directory and demote to a server

• Uninstall-ADDSDomainController

Time-limited Group Memberships

Users can be added to a security group with time-to-live (TTL)

• When the TTL expires, the user’s membership in that group disappears

Kerberos token lifetime will be determined by TTL of the user’s memberships

• TGT (Ticket Generated Ticket) based on shortest group membership
• ST (Shortest time) based on TGT and resource local domain group membership

Requires new FFL (Force Functional Level)

• Scavenger thread takes care of cleaning up group memberships

 

Way to join a computer to the domain

System Control Panel

• System added to default container unless pre—staged

Windows PowerShell

• Add-Computer -ComputerName ‘Server1′ -DomainName ‘amer.corp.contoso.com’ -Credential Get-Credential -Restart

• System added to default container unless pre-staged

Desired State Configuration (DSC)

• Joins a computer to the domain, and re-joins if it ‘falls out‘ of the domain
• Uses Start-DscConfiguration cmdlet, and can be set to check compliance every x minutes

Offline domain join

• Run djoin.exe on a domain controller to pre-stage the object and create provisioning file
• Run djoin.exe on target computer and point to the provisioning file

Tips

1. Know the PowerShell commands for installing and managing Active Directory
2. Active Directory, FSMO Roles, DNS. Group Types and scopes haven’t really changed, but if you haven’t managed them lately, brush up
3. Desired State Configuration (DSC) can be used to join a server to the domain and rejoin it if necessary

 

2. Manage and Maintain AD DS (15-20%)

Configure service authentication

Service Accounts

• Used to enhance security but the pain point is the password management and SPN mgmt.
• Two types: Managed Service Accounts and Group Managed Service Accounts

Create/configure Managed Service Accounts

• Used for a single computer or server
• New-ADServiceAccount with the —RestrictToSingleComputer parameter
• Not supported for scheduled tasks, Exchange, SQL

Create/configure Group Managed Service Accounts

• Used for multiple servers
• Minimum of one DC that runs at least Windows Server 2012
• Before you begin, must create KDS Root Key: Add-KDSRootKey -Effectivelmmediately
• New-ADServiceAccount and Set-ADServiceAccount

Configure Kerberos delegation

• IIS may require the Trust this computer for delegation to any service (Kerberos only) option

Manage Service Principal Names (SPNs)

• Use SetSPN <service type>/<instance name>:<port number>/<service name>