Dark Developments Where Knowledge Meets Power

7Nov/120

AD – Active Directory, What is it ?

Posted by Dark#Basics

ActiveDirectory

What is it ?

Active Directory enables administrators to force policies and settings in a company network.  You can think of AD as a certain catalogue or a book that holds all the information regarding users, computers, resources, etc. but also settings for the company domain. It makes it possible to provide access and set permission based on that information stored in the catalogue by using different methods like for example a security group.

The most important role of Active Directory is providing the authentication information for users, computers and the resources that are part of the network.

Forests and Domains

When installing Active Directory the first time you need to think of Domains and Forests. A forest is a security boundary. Objects in separate forests are not able to interact with each other, unless the administrators of each separate forest create a trust between them. For example, an Enterprise Administrator account for domain1.com, which is normally the most privileged account of a forest, will have, no permissions at all in a second forest named domain2.com, even if those forests exist within the same LAN, unless there is a trust in place.

A domain is a management boundary. Domains are part of a forest. The first domain in a forest is known as the forest root domain. In many small and medium organizations (and even some large ones), you will only find a single domain in a single forest. The forest root domain defines the default namespace for the forest. For example, if the first domain in a new forest is named domain1.com, then that is the forest root domain. If you have a business need for a child domain, for example - a branch office in Chicago, you might name the child domain chi. The FQDN of the child domain would be chi.domain1.com. You can see that the child domain's name was prepended forest root domain's name. This is typically how it works. You can have disjoint namespaces in the same forest, but that's a whole separate can of worms for a different time.

In most cases, you'll want to try and do everything possible to have a single AD domain. It simplifies management, and modern versions of AD make it very easy to delegate control based on OU, which lessens the need for child domains.

Domain Names

I can name my domain whatever I want, right? Not really. dcpromo.exe, the tool that handles the promotion of a server to a DC isn't idiot-proof. It does let you make bad decisions with your naming, so pay attention to this section if you are unsure.

First of all, don't use made up TLDs like .local, .lan, .corp, or any of that other crap. Those TLDs are not reserved. ICANN is selling TLDs now, so your mycompany.corp that you're using today could actually belong to someone tomorrow. If you own mycompany.com, then the smart thing to do is use something like internal.mycompany.com or ad.mycompany.com for your internal AD name. If you use mycompany.com as an externally resolvable website, you should avoid using that as your internal AD name as well, since you'll end up with a split-brain DNS.

FSMO Roles

When a user tries to log in to a computer that is joined to AD using their AD credentials, the salted and hashed username and password combination are sent to the DC for both the user account and the computer account that are logging in. Yes, the computer logs in too. This is important, because if something happens to the computer account in AD, like someone resets the account or deletes it, you may get an error that say that a trust relationship doesn't exist between the computer and the domain. Even though your network credentials are fine, the computer is no longer trusted to log into the domain.

A server that responds to authentication or authorization requests is a Domain Controller (DC). In most cases, a Domain Controller will hold a copy of the Global Catalog. A Global Catalog (GC) is a partial set of objects in all domains in a forest. It is directly searchable, which means that cross-domain queries can usually be performed on a GC without needing a referral to a DC in the target domain. If a DC is queried on port 3268 (3269 if using SSL), then the GC is being queried. If port 389 (636 if using SSL) is queried, then a standard LDAP query is being used and objects existing in other domains may require a referral.

In general there are five functions that are needed to provide a fully functional Active Directory. The 5 roles and their function are:

  • Domain Naming Master - There is only one Domain Naming Master per forest. The Domain Naming Master makes sure that when a new domain is added to a forest that it is unique. If the server holding this role is offline, you won't be able to make changes to the AD namespace, which includes things like adding new child domains.
  • Schema Master - There is only one Schema Operations Master in a forest. It is responsible for updating the Active Directory Schema. Tasks that require this, such as preparing AD for a new version of Windows Server functioning as a DC or the installation of Exchange, require Schema modifications. These modifications must be done from the Schema Master.
  • Infrastructure Master - There is one Infrastructure Master per domain. If you only have a single domain in your forest, you don't really need to worry about it. If you have multiple forests, then you should make sure that this role is not held by a server that is also a GC holder. The infrastructure master is responsible for making sure that cross-domain references are handled properly. If a user in one domain is added to a group in another domain, the infrastructure master for the domains in question make sure that it is handled properly. This role will not function correctly if it is on a global catalog.
  • RID Master - The Relative ID Master (RID Master) is responsible for issuing RID pools to DCs. There is one RID master per domain. Any object in an AD domain has a unique Security Identifier (SID). This is made up of a combination of the domain identifier and a relative identifier. Every object in a given domain has the same domain identifier, so the relative identifier is what makes objects unique. Each DC has a pool of relative IDs to use, so when that DC creates a new object, it appends a RID that it hasn't used yet. Since DCs are issued non-overlapping pools, each RID should remain unique for the duration of the life of the domain. When a DC gets to ~100 RIDs left in its pool, it requests a new pool from the RID master. If the RID master is offline for an extended period of time, object creation may fail.
  • PDC Emulator - Finally, we get to the most widely misunderstood role of them all, the PDC Emulator role. There is one PDC Emulator per domain. If there is a failed authentication attempt, it is forwarded to the PDC Emulator. The PDC Emulator functions as the "tie-breaker" if a password was updated on one DC and hasn't yet replicated to the others. The PDC Emulator is also the server that controls time sync across the domain. All other DCs sync their time from the PDC Emulator. All clients sync their time from the DC that they logged in to. It's important that everything remain within 5 minutes of each other, otherwise Kerberos breaks and when that happens, everyone cries.

The important thing to remember is that the servers that these roles run on is not set in stone. It's usually trivial to move these roles around, so while some DCs do slightly more than others, if they go down for short periods of time, everything will usually function normally.

Primary and Secondary DC’s

The concept of PDCs and BDCs died with Windows NT4. If you create a secondary DC it will also be capable of offering authentication services. It’s best practice to have atleast two DCs per domain. These DCs should both have a copy of the GC and should both be DNS servers so that the network resources (Clients, Computers,..) are still able to query the DC.

The DCs belonging to the same domain in the same site will replicate their data to each other at a 15 second interval. Do note that there are urgent event that trigger replication after the data has been changed. Think things like password resets, account lockouts.

How can clients find the domain ?

Client and other resources can find the DCs by using DNS. It’s the most critical role that needs to function properly to have a functioning AD. Do note that while it is possible to use any type of DNS service it’s best to stick with using AD integrated DNS zones to avoid any DNS related problems.

When adding a client to the domain the first thing you always need to check is the DNS servers that client is using. Make sure it’s using the in house DNS servers because when trying to add the client to the domain it will try to resolve the domain name to locate the domain controller.

Each FSMO role will have a SRV DNS record that will point to client to the correct DC.

  • _ldap._tcp.<DNSDomainName> - Enables a client to locate a W2K domain controller in the domain named by <DNSDomainName>. A client searching for a domain controller in the domain dpetri.net would query the DNS server for _ldap._tcp.domain1.com.
  •  _ldap._tcp.<SiteName>._sites.<DNSDomainName> - Enables a client to find a W2K domain controller in the domain and site specified (e.g., _ldap._tcp.lab._sites. domain1.com for a domain controller in the Lab site).
  • _ldap._tcp.pdc._ms-dcs.<DNSDomainName> - Enables a client to find the PDC flexible single master object (FSMO) role holder of a mixed-mode domain. Only the PDC of the domain registers this record.
  •  _ldap._tcp.gc._msdcs.<DNSTreeName> - Enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. If a server ceases to be a GC server, the server will deregister the record.
  •  _ldap._tcp. ._sites.gc._msdcs.<DNSTreeName> - Enables a client to find a GC server in the specified site (e.g., _ldap._tcp.lab._sites.gc._msdcs. domain1.com).
  •  _ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName> - Enables a client to find a domain controller in a domain based on the domain controller’s globally unique ID. A GUID is a 128-bit (8 byte) number that generates automatically for referencing Active Directory objects.
  • <DNSDomainName> - Enables a client to find a domain controller through a normal Host record.

Installation and backup of Active Directory.

More information regarding installation of Active Directory can be found here darkdevelopments.org/2011/08/30/win2008-install-active-directory/. Regarding the backup procedure of Active Directory more information can be found here darkdevelopments.org/2011/07/18/db-backuprecovery-notes-part1-active-directory-2/

[1] serverfault.com/questions/402580/what-is-active-directory-and-how-does-it-work
[2] www.petri.co.il/active_directory_srv_records.htm

30Aug/110

WIN2008 – Install Active Directory

Posted by Dark#Basics

Windows Server 2008 - Installing Active Directory
Active Directory is one of the core elements when using Windows Server. Active Directory provides the structure to centralize the network management and store information regarding the network resources across a domain. Domain Controllers keep al this information centralized and available to all network users.

Using the Graphical User Interface
In Windows Server 2008, just like previous server operating Systems, you can run DCPROMO to promote the server to Domain Controller and install Active Directory. Do note that Windows Server 2008 does require the server role Active Directory Domain Services. This is also installed using DCPROMO or pre-adding the role using Server Manager.

To run DCPROMO, enter Run and open DCPROMO. Alternative you can click on the DCPROMO link from Server Manager.

If AD-DS is already installed, the Active Direcotry Domain Services Installation Wizard will appear immediately or after a short while. If AD-DS isn't installed, this Active Directory Domain Services will be installed before the Active Directory Domain Services Installation wizard will appear.

Click Next on the welcome screen to start the wizard.

In the Operating System Compatibility window, read the information and click Next to continue.

Next is the Deployment Configuration window. Depending on what you are planning to do you'll need to select an option.

  • Existing forest - Add a domain controller to an existing domain - When there already is a forest and you want a backup domain controller.
  • Existing forest - Create a new domain in an existing forest (This server will become the first domain controller in the new domain). - If you want the new domain to be a child of an existing domain, select this option. For example, you could create a new domain named hq.root.local as a child domain of the domain root.local.
  • Create a new domain in a new forest - Select this option if this is the first domain in your organization or if you want the new domain the be completely independent of your current forest.

Enter a name for the new domain and click Next. Do not use single label domain names such as "mydomain" or similar. You MUST pick a full domain name such as "mydomain.local" or "mydomain.com" and so on.

Select the appropriate forest function level. Windows 2000 is selected by default, this means you can add Windows 2000, Windows Server 2003 and Windows Server 2008 Domain Controllers to the forest you're creating. The Windows 2000 forest functional level provides all Active Directory Domain Services features that are available in Windows 2000 Server. If you have domain controllers running later versions of Windows Server, some advanced features will not be available on those domain controllers while this forest is at the Windows 2000 functional level. The Windows Server 2003 forest functional level provides all features that are available in Windows 2000 forest functional level, and the following additional Domain Controller running Windows Server 2003 and Windows Server 2008. Windows Server 2008 functional level does not provide any new features over the Windows 2003 forest functional level. However, it ensures that any new Domain Controller is running Windows Server 2008, which does provide unique features.

If no DNS server has been configured, the wizard will offer to automatically install DNS on this server. The first DCs must also be a Global Catalog. Also, the first DCs in a forest cannot be a Read Only Domain controller.

You'll get a warning telling you that the server has dynamically assigned IP address(es). Mostly because IPv4 isn't manually configured or we IPv6 did not manually configure the IPv6 Address, hence the warning. In a network where IPv6 is not used, you can safely ignore this warning.

You'll probably get a warning about DNS delegation. Since no DNS has been configured yet, you can ignore the message and click Yes.

If necessary change the paths of the AD database, log files and SYSVOL folder. For example for large deployments use a different disk, RAID,... Carefully plan your DC configuration to get the maximum performance.

Enter the Restore Mode Administrator Password. Do not use the regular administrator's password and securely store it. With this password you'll be able to restore Active Directory when things go bad.

Review your selections and click Next. It is also possible to export the settings for future use in unattended installs.

The wizard will create the domain, when finished you'll need to press Finish and reboot the computer.

Using the Command Line Interface
DCPROMO will accept command line switches, and if provided correctly, it will use them to perform the required tasks.

Select All Code:
1
DCPROMO /unattend /replicaOrnewDomain:newDomain /replicaDomainDNSName:root.local /ConfirmGC:yes /username:root.local'administrator /Password:P@ssw0rd /safeModeAdminPassword:P@ssw0rd1

It is also possible to use an unattended or answer file. The file is a text file that provides automated user input for each page of the Active Directory Installation Wizard.

Select All Code:
1
2
3
4
5
6
7
8
9
10
11
12
13
[DCINSTALL]
UserName=administrator
UserDomain=root.local
Password=P@ssw0rd1
SiteName=Default-First-Site-Name
ReplicaOrNewDomain=NewDomain
DatabasePath="%systemroot%'NTDS"
LogPath="%systemroot%'NTDS"
SYSVOLPath="%systemroot%'SYSVOL"
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=P@ssw0rd1
RebootOnCompletion=yes

After creating the unattended file start the DCPROMO process.

Select All Code:
1
DCPROMO /unattend:C:\
25Jul/110

D#B Backup&Recovery Notes [PART3]: Printer Services, IIS, NPS and ADCS

Posted by Dark#Basics

Printer Services

Printer Services - Backup

Making backups of the network printer services is really handy. When for some reason the service needs to be reinstalled on another server you will be able te restore lost of settings and drivers.
When preforming a backup of the Printer Services you'll backup the configurations and the drivers for all the configured printers.

A backup can be made by the CLI-tool Printbrm. It's a CLI-tool that is only available when you install the Printer Services-Role on that server. The tool enabled us to not only preform a backup but also to migrate to a new server.

Exporting the drivers and configuration can be done with the following syntax.

Printbrm -B -F <filename>.<extension>

The allowed extensions are .cab and .printerExport .

Printer Services - Recovery

A recovery can be done with the same CLI-tool using following syntax or by using the Printer Services Management Snapin.

Printbrm -r -F <filename>.<extension>

IIS

Internet Information Services (IIS) – formerly called Internet Information Server – is a web server application and set of feature extension modules created by Microsoft for use with Microsoft Windows. It is the most used web server after Apache HTTP Server: As of March 2010, it served 22.7% of all websites on the Internet. IIS 7.5 supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It is an integral part of Windows Server family of products, as well as all editions of Windows Vista and Windows 7, although some features are not supported on client versions of Windows. IIS is not turned on by default when Windows is installed.

IIS - Backup

Making a backup of all the IIS-settings like application pool configurations, bindings,... (this does not include the websites) can be done by the integrated IIS-CLI tool called appcmd.

appcmd add backup <filename>

If you want to make sure that the websites are also available for restore I suggest you use Robocopy for these website folders (ex.: wwwroot).

IIS - Recovery

Recovering the settings is as easy as preforming the backup with the CLI-tool.

appcmd restore backup <filename> /stop:false

NPS & ADCS

Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.

As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP).

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies. AD CS is available as a server role in Windows Server 2008 and Windows Server 2008 R2.

NPS & ADCS - Backup
Exporting ADCS can be done with the certutil CLI-command. When using this command the whole database en the certificate is exported to the location specified.

certutil -backup -p "<apassword>" -f -seconds -v <destination>

NPS can be exported using netsh, the NPS-configuration will be exported to an XML-file.

netsh nps export filename=<filename>

NPS & ADCS - Recovery
Recovering the ADCS configuration and certificate can be done with certuril.

certutil -restore <filename>

Recovering the NPS configration by using the XML-file can be done by using netsh or the Network Policy Server GUI.

netsh nps import filename=<filename>

Source:

25Jul/110

D#B Backup&Recovery Notes [PART2]: DNS, DHCP & GPO’s

Posted by Dark#Basics

DHCP

The Dynamic Host Configuration Protocol (DHCP) is an auto configuration protocol used on IP networks. Computers that are connected to IP networks must be configured before they can communicate with other computers on the network. DHCP allows a computer to be configured automatically, eliminating the need for intervention by a network administrator. It also provides a central database for keeping track of computers that have been connected to the network. This prevents two computers from accidentally being configured with the same IP address.

DHCP - Backup
Making a backup of DHCP is handy for the configuration of the pools (range, subnet,...) and the reserved IP's. DHCP servers permit you to reserve an IP address for a client. This means that the specific network client will have the same IP for as long as you wanted it to.

A backup can be done through CLI with the netsh-command.

netsh dhcp server dump > <filename>

DHCP - Recovery
Running a recovery of the DHCP-settings can be done with the exact same CLI-command.

netsh exec <filename>

Do note that it's also possible to preform a recovery from the DHCP Management snap-in.

 

 

 

 

 

 

Source:

DNS

DNS - Backup
DNS-records can be dumped to a file using the dnscmd-command. If DNS is integrated in the domain controller a backup of the DNS records can be made with dnscmd but also with the System State backup (Previous Paper).

dnscmd /zoneprint <zonename> > <filename>

DNS - Recovery
Recovering the DNS-records can be done with the same CLI-command.

dnscmd /zoneadd <zonename> /primary /file <filename> /load

Source:

GPO's
Group Policy is a feature of the Microsoft Windows NT family of operating systems. Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment. In other words, Group Policy in part controls what users can and can't do on a computer system. Although Group Policy is more often seen in use for enterprise environments, it is also common in schools, smaller businesses and other kinds of smaller organizations. Group Policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager, restrict access to certain folders, disable the downloading of executable files and so on.

GPO's - Backup
Backup of the GPO's can be done with two methods. The first one is through the System State backup, second method is by using VBScript's. These VBScript's are originally created for Windows Server 2003 when the Group Policy Management Console was installed.

These scripts are not available by default in Windows Server 2008 but can be downloaded from the Windows Download Center. With one of these scripts it is possible to preform a full backup of the GPO's.

cscript.exe BackupAllGPOss.wsf <destination>

GPO's - Recovery
GPO's can be recovered using various methods. First method is by using the Group Policy Management snap-in and selecting the Manage Backups option.

The second method is by using another VBScript called RestoreAllGPOs.

cscript.exe RestoreAllGPOs.wsf <location>

Source:

18Jul/110

D#B Backup&Recovery Notes [PART1]: Active Directory

Posted by Dark#Basics

Active Directory

Backup

With Windows Server 2003 you can make a backup with NTBackup and the corresponding GUI. With this tool it's possible to make a backup from the System State of the machine. System State holds every setting, registry entries, Active Directory and other important system files that can recover a crashed server. In Windows Server 2008 R2 NTBackup this tool isn't available anymore and has been replaced with the Windows Server Backup role. Before you can perform a backup with Windows Server Backup, you have to install the feature, using either Server Manager, or the SERVERMANAGERCMD command-line utility.

servermanagercmd -install Backup-Features

If you are installing Windows Server Backup on a Windows Server 2008 Server Core installation, use the OCSETUP command (it's important to note that the OCSETUP command is case-sensitive):

ocsetup WindowsServerBackup

System state backups, which include only select files and some application databases (rather than entire volumes) is handy and often essential. But early builds of Windows Server 2008 didn't support system state backups and restores. Instead, the backup tool just backed up critical system volumes (meaning any volumes necessary for recovering and rebooting the OS and key applications). These critical system volumes were the volume-oriented equivalent of a system state backup. You can only perform a system state backup using the WBADMIN.EXE command-line program—the MMC snap-in doesn't provide this option. To perform a system state backup, you use this command:

wbadmin start systemstatebackup -backuptarget:<destination>

With this created image you can do a System State recovery. However if you want to be safe and be able to preform a bare metal recovery you'll have to use the allcritical option when running a System State backup.

wbadmin start backup -allcritical -backuptarget:<destination>

Recovery of System State

If you need to recover from some sort of Active Directory-related problem—such as recovering a deleted OU from backup—you should restore the Active Directory Domain Services (ADDS) database to an earlier state, rather than restore the entire system. Even though you can stop ADDS like a service in Windows Server 2008, you still need to boot the server into Directory Services Restore Mode (DSRM) to perform a system state restore on a domain controller. You can boot in Recovery Mode using the BCEDIT-command.

bcdedit /set safeboot dsrepair

Before you use WBADMIN to start a system state restore, you must identify the backup from which you want to restore. WBADMIN can perform a system state restore from either a full system backup, a backup that contains just the critical system volumes, or a system state backup. In any of these cases, you have to specify the version of the backup you want to use.

wbadmin get versions

wbadmin 1.0 - Backup command-line tool

(C) Copyright 2004 Microsoft Corp.
Backup time: 22/2/2007 5:58 PM
Backup target: Fixed Disk labeled Backup(E:)
Version identifier: 12/03/2007-00:58
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

After selecting the backup for you System State backup we'll start the process.

wbadmin start systemstaterecovery -version:12/03/2007-00:58

When the backup is done don't forget to remove the Recovery Flag that we set in the beginning.

bcdedit /deletevalue safeboot

Bare Metal Recovery

When preforming a Bare Metal recovery you will have to boot form the CD-ROM. But instead of clicking on Install Now, you'll have to select the Repair My Computer option, can be found in the lower left corner of the window. When you are asked to select a recovery mode, you'll have to pick Windows Complete Restore.

 

 

 

 

 

Followed by this you will have to select the correct backup image from which you will restore the system. It is also possible to select a network share, USB-drive,.. by using the Restore a different backup option and selecting the Advanced button. You can set additional parameters for the recovery: format all drives, restart after recovery, setup drivers,... in the next screen of the wizard.

 

 

 

 

 

 

After that just browse through the wizard and select Finish. You'll system will start the recovery process.

Source: