Sunday, January 26, 2020

Powershell - RODC Installation and Password Caching

Try It: RODC Installation and Password Caching

A. Datum is adding a new branch office. You have been asked to configure an RODC to service logon requests at the branch office. You also need to configure password policies that ensure caching only of passwords for local users in the branch office.
In this Try It you will verify requirements for installing a RODC, install the RODC, and configure password replication policies.
Note:  In this lab you will pre-create the RODC computer account. By pre-creating this account, you can delegate the second part of the RODC deployment to a non-administrative user. For example, if the remote site (branch office) doesn't have any IT administrators,  a non-IT user at the site can complete the installation. If your intention is to deploy an RODC yourself and you are a domain administrator, you will often bypass the pre-creation and just go straight to the deployment.
Create the RODC account on LON-DC1
  1. LON-SVR1 must not be a member of the domain when the RODC account is pre-created on LON-DC1, so first move it temporarily to a workgroup as follows.
  2. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
  3. In Server Manager, select Local Server, and then next to Domain click Adatum.com.
  4. Click Change and put LON-SVR1 in a workgroup named TEMPORARY.
  5. Acknowledge the message that you will need the Administrator’s password to rejoin the domain.
  6. As prompted, restart LON-SVR1.
  7. Log on to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.
  8. In Server Manager, click Tools, and then select Active Directory Users and Computers.
  9. Delete the LON-SVR1 computer account from the Computers container.
  10. Read and acknowledge the subtree deletion information.
  11. Right-click the Domain Controllers OU, and select Pre-create Read-only Domain Controller account.
    • Network credentials: My current logged on credentials
    • Computer name: LON-SVR1
    • Site: Default-First-Site-Name
    • Leave DNS server and Global catalog selected
    • Delegate to: ADATUM\IT
  12. Finish the Wizard and verify that LON-SVR1 has been added to the Domain Controllers OU.
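The same pre-creation done from PowerShell, as an added example that is not part of the original lab. The host names, domain, site and the ADATUM\IT delegation group are the lab's own values; the `ActiveDirectory` and `ADDSDeployment` modules and the cmdlets shown are the standard Windows ones.

```powershell
# Added example (not the lab's own script). Values are those the lab uses.

# --- Run on LON-SVR1: leave the domain and join the TEMPORARY workgroup ---
$adminCred = Get-Credential -UserName 'Adatum\Administrator' -Message 'Domain admin credential'
Remove-Computer -UnjoinDomainCredential $adminCred -WorkgroupName 'TEMPORARY' -Force -Restart

# --- Run on LON-DC1 once LON-SVR1 has restarted ---
Import-Module ActiveDirectory
Import-Module ADDSDeployment

# Remove the stale member-server account. Remove-ADComputer refuses an object
# that still has child objects (the GUI warns about a "subtree deletion"), so
# fall back to a recursive Remove-ADObject in that case.
$old = Get-ADComputer -Identity 'LON-SVR1' -ErrorAction SilentlyContinue
if ($old) {
    try {
        Remove-ADComputer -Identity $old -Confirm:$false
    } catch {
        Remove-ADObject -Identity $old.DistinguishedName -Recursive -Confirm:$false
    }
}

# Pre-create the RODC account in the Domain Controllers OU. DNS server and
# global catalog stay enabled (the wizard defaults). Delegating to ADATUM\IT
# lets a branch user finish the promotion without holding Domain Admins rights.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'LON-SVR1' `
    -DomainName 'Adatum.com' `
    -SiteName 'Default-First-Site-Name' `
    -DelegatedAdministratorAccountName 'ADATUM\IT' `
    -InstallDns:$true `
    -NoGlobalCatalog:$false `
    -Force

# Verify: the account now sits in the Domain Controllers OU and its primary
# group is "Read-only Domain Controllers".
Get-ADComputer -Identity 'LON-SVR1' -Properties PrimaryGroup |
    Select-Object Name, DistinguishedName, PrimaryGroup
```

The first two lines run on LON-SVR1 and the rest on LON-DC1; keeping the delegation on a group rather than a named person means the branch staff who complete the promotion never receive domain-wide rights.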
Add the AD DS role to LON-SVR1
  1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
  2. In the Server Manager Dashboard, click Add roles and features, and then on the Server Roles page, select the Active Directory Domain Services role.
  3. Take all of the default values, and wait for the installation to complete.
  4. In Server Manager, click the Notification flag, and select Promote this server to a domain controller.
  5. Complete the post deployment steps using the default options except those listed below. Notice you are adding a domain controller to an existing domain. Also, you will use the pre-created RODC account.
    • Domain: Adatum.com
    • Network credentials: Adatum.com\Administrator
    • Password: Pa$$w0rd
    • Directory Services restore mode password: Pa$$w0rd
    • Read the Warning message: Use existing RODC account
    • Replicate from: LON-DC1.Adatum.com
    • Take the defaults for the location of the AD DS database.
    • Review your selections and click View Script. Notice the PowerShell commands that are being used.
  6. When the installation is complete, LON-SVR1 will automatically restart.
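What the wizard's View Script button produces for this scenario, written out as an added example (not the lab's own script or verbatim wizard output): the role installation, a prerequisite check, and the promotion onto the pre-created account. Paths are the wizard defaults; the credential prompt expects Adatum.com\Administrator.

```powershell
# Added example (not the lab's own script). Run on LON-SVR1.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$cred    = Get-Credential -UserName 'Adatum.com\Administrator' -Message 'Promotion credential'
$dsrmPwd = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# -UseExistingAccount binds this server to the RODC account pre-created on
# LON-DC1; site, DNS, GC and delegated-admin settings come from that object.
$promotion = @{
    DomainName                    = 'Adatum.com'
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrmPwd
    UseExistingAccount            = $true
    ReplicationSourceDC           = 'LON-DC1.Adatum.com'
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Prerequisite check first ("verify requirements" in the lab brief): this
# reports blocking problems without changing the server.
Test-ADDSDomainControllerInstallation @promotion

# Promote. The server restarts on its own when promotion completes.
Install-ADDSDomainController @promotion -NoRebootOnCompletion:$false -Force:$true
```

Splatting the same hashtable into the `Test-` and `Install-` cmdlets guarantees the check and the real run see identical settings.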
Configure password replication
  1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.
  2. In the Users container, view the membership of the Allowed RODC Password Replication Group, and verify that there are no current members.
  3. In the Research OU, create a new global security group named Remote Office Users.
  4. On the Members tab, add Aziz, Colin and LON-CL1 to the membership of Remote Office Users.
  5. In the Domain Controllers OU, open the properties of LON-SVR1.
  6. On the Password Replication Policy tab, allow the Remote Office Users group to replicate passwords to LON-SVR1.
  7. Apply your changes.
  8. Click Advanced. On the Resultant Policy tab, add Aziz, and then confirm that Aziz’s password can be cached.
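The password replication policy steps from PowerShell, as an added example that is not part of the original lab, run on LON-DC1. The group name, OU path, members and RODC name are the lab's; the check against privileged accounts at the end goes slightly beyond the lab's Aziz-only check.

```powershell
# Added example (not the lab's own script). Run on LON-DC1.
Import-Module ActiveDirectory

# The Allowed list starts empty: nothing is cached until you permit it.
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-SVR1' -Allowed
Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group'

# Scope the allow rule to a group rather than individual users so the policy
# stays reviewable as the branch grows. Computer members use the "$" SAM name.
New-ADGroup -Name 'Remote Office Users' -SamAccountName 'Remote Office Users' `
    -GroupScope Global -GroupCategory Security `
    -Path 'OU=Research,DC=Adatum,DC=com'
Add-ADGroupMember -Identity 'Remote Office Users' -Members 'Aziz', 'Colin', 'LON-CL1$'

# Allow the group on LON-SVR1's PRP (the Password Replication Policy tab).
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-SVR1' `
    -AllowedList 'Remote Office Users'

# Resultant policy for Aziz: Allow means his secrets may be cached on LON-SVR1.
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'Aziz' -DomainController 'LON-SVR1'

# Defender check: the built-in Denied list must still cover the privileged
# groups, and no privileged account should resolve to Allow on an RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-SVR1' -Denied |
    Select-Object Name
foreach ($name in 'Administrator', 'krbtgt') {
    $res = Get-ADAccountResultantPasswordReplicationPolicy -Identity $name -DomainController 'LON-SVR1'
    '{0,-14} {1}' -f $name, $res
}
```

`Get-ADAccountResultantPasswordReplicationPolicy` returns Allow, DenyExplicit, DenyImplicit or Unknown; anything other than Allow for Aziz means a Deny entry (explicit or by group membership) is overriding the new rule.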
Monitor credential caching
  1. Attempt to sign in to LON-SVR1 as Aziz. This sign-in will fail because Aziz does not have permission to sign in to the RODC, but authentication is performed and the credentials are now cached.
  2. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of LON-SVR1.
  3. On the Password Replication Policy tab, open the Advanced configuration.
  4. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only Domain Controller option. Notice that Aziz’s password has been cached.
Populate credential caching

  1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click LON-SVR1, and then click Properties.
  2. On the Password Replication Policy tab, click Advanced.
  3. On the Policy Usage tab, prepopulate the password for Colin and LON-CL1.
  4. Read the list of cached passwords, and then confirm that Colin and LON-CL1 have been added.
  5. Close all open windows on LON-DC1.
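Both the monitoring steps and the prepopulation steps above from PowerShell, as one added example that is not part of the original lab, run on LON-DC1. Names are the lab's own; the final comparison of the cached list against the Remote Office Users group is an extra check the lab does not perform.

```powershell
# Added example (not the lab's own script). Run on LON-DC1.
Import-Module ActiveDirectory

$rodc = 'LON-SVR1'

# Accounts that have authenticated through the RODC (the "authenticated to this
# Read-only Domain Controller" list). After Aziz's failed interactive sign-in he
# appears here and, because the PRP allows him, in the revealed list as well.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, DistinguishedName

# Prepopulate: push only the secrets of Colin and LON-CL1 from LON-DC1 to the
# RODC. -PasswordOnly replicates the credential attributes, not the whole object.
$targets = @(
    (Get-ADUser -Identity 'Colin').DistinguishedName,
    (Get-ADComputer -Identity 'LON-CL1').DistinguishedName
)
foreach ($dn in $targets) {
    Sync-ADObject -Object $dn -Source 'LON-DC1' -Destination $rodc -PasswordOnly
}

# Revealed (cached) accounts should now include Aziz, Colin and LON-CL1.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, DistinguishedName

# Defender check: an RODC compromise exposes every cached secret, so anything
# cached that is not a member of the branch group is worth investigating. The
# RODC's own computer account and its private krbtgt_* account are always
# present and are excluded from the comparison.
$expected = Get-ADGroupMember -Identity 'Remote Office Users' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$unexpected = $revealed | Where-Object {
    $_.Name -ne $rodc -and $_.Name -notlike 'krbtgt_*' -and
    $expected -notcontains $_.DistinguishedName
}
if ($unexpected) {
    Write-Warning ('Cached on {0} but outside Remote Office Users: {1}' -f $rodc, ($unexpected.Name -join ', '))
}
```

Running the last section on a schedule turns the Policy Usage tab into a simple drift check: the revealed list should never grow beyond the group you deliberately allowed.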

1 comment:

  1. Microsoft Windows Server 2016 Essentials is ideal for small businesses running low production workloads, as this edition can serve only up to 25 users and 50 devices. It can be deployed as a first server (for inexperienced users) or a primary server (for building a multi-server environment to be used by SMBs).
