Saturday, February 1, 2020

Windows Server: Active Directory and its Fundamentals

Active Directory
Microsoft developed a directory service for Microsoft domain networks, and this directory service is known as Active Directory. It is included in most Windows Server operating systems as a set of processes and services.
Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.


To understand the sentences above we need to understand what a directory service, a Microsoft domain and a domain controller are. Let's find out.

Directory Service
To administer, manage, locate and organize everyday items and network resources we require a shared information infrastructure. Everyday items and network resources can include any or all of files, folders, users, groups, printers, volumes, devices, telephone numbers and other objects.
A directory service is a service or infrastructure that maps the names of network resources to their respective network addresses. It is a critical component of a network operating system. The service is provided by a server, known as the directory server. Each network resource is called an object.
What a directory service does is define a namespace for the network. The namespace assigns a name, called a unique identifier, to each of the objects mentioned above. Directories have a set of rules determining how network resources are named and identified; the basic requirement is that the identifiers must be unique and unambiguous.
When a user uses a directory service there is no need to remember the physical address of a network resource; the user can locate the resource by name. However, some directory services include an access control mechanism that limits the accessibility and availability of directory information to authorized users.


Microsoft Domain
Microsoft domain is a computer network in which all user accounts, computers, printers and other security principals are registered with a central database located on one or more clusters of central computers known as domain controllers. Authentication takes place on domain controllers.
Each user who uses computers within a domain receives a unique user account that can be assigned access to resources within the domain. Active directory is the Windows component in charge of maintaining that central database.

Domain Controller
On Microsoft Servers, a domain controller (DC) is a server computer that responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain.
In other words, a server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, and it assigns and enforces security policies for all computers and handles installing or updating software.


Example: 
When a user logs into a computer that is part of a Windows domain, Active Directory is the component that checks the submitted password and determines whether the user is a system administrator or a normal user. It also allows management and storage of information at the admin level and provides the authentication and authorization mechanisms.

Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

Thursday, January 30, 2020

Windows Server - Offline Domain Join

What is offline domain join?

Offline domain join does not require a connection
Typically, when you want to join a computer to a domain, the computer must be able to communicate with a domain controller. However, offline domain join makes it possible for you to join an offline computer to a domain. In fact, all preparation steps are performed on a domain controller and on the computer while the computer is offline. After the computer connects to the network, a trust relationship with the domain is established without any user intervention.
Visual representation of the two reasons for offline domain join.
  • Large-scale computer deployments. For example, you have a large number of physical or virtual machines to install in the datacenter. You want to configure the computers so they can automatically join the domain after the operating system is installed. This will save time from you having to manually add each computer to the domain.
  • Remote site installs. For example, you have a secure site or a remote site that makes it difficult for you to physically go to the site. You will not have to visit the site and add each computer to the domain.

How do you setup offline domain join?

Offline domain join steps
Visual representation of the steps discussed in the content text. The flowchart shows the three steps.
  1. Provision a computer account in AD DS and create the domain join file.
djoin.exe /provision /domain <domainname> /machine <machinename> /savefile <save path> /reuse
    • The /provision option sets up the computer account in AD DS.
    • The /savefile option specifies a text file (the blob) with all the necessary information, such as the machine account password, domain name, domain controller name, and domain SID.
    • The /reuse option (optional) indicates the computer has been pre-staged and an existing computer account exists in the domain.
  2. Transfer the provisioning information to the provisioned computer. This inserts the blob into the operating system of the computer that is being joined.
djoin.exe /requestODJ /loadfile <file path> /windowspath %systemroot% /localos
    • The /requestODJ option requests an offline domain join at the next start.
    • The /windowspath option specifies the path to the Windows directory of the offline image.
    • The /localos option targets the local operating system installation instead of an offline image.
  3. Start or reboot the computer to complete the domain join operation. The offline domain join does not have to be completed within a specific time period. The computer account that is provisioned remains in AD DS unless an administrator intervenes.
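As an added example (not part of the original post), the provisioning step scripted in PowerShell for a batch of machines, with each blob file locked down because it carries the machine account password. The inventory, the domain adatum.com, the Clients OU and the output folder C:\ODJ are assumed values.

```powershell
# Added example: bulk offline-domain-join provisioning with djoin.exe, run on a domain-joined
# admin workstation or DC. Domain, OU and output folder are assumptions for the example.
$Domain   = 'adatum.com'
$OU       = 'OU=Clients,DC=adatum,DC=com'   # assumed OU so accounts land in the right OU, not Computers
$BlobRoot = 'C:\ODJ'                        # assumed folder for the per-machine provisioning blobs

New-Item -ItemType Directory -Path $BlobRoot -Force | Out-Null

# Constructed sample inventory; in practice replace with Import-Csv .\machines.csv (column: Name)
$machines = @(
    [pscustomobject]@{ Name = 'CLIENT01' }
    [pscustomobject]@{ Name = 'CLIENT02' }
)

$results = foreach ($m in $machines) {
    $blob = Join-Path $BlobRoot "$($m.Name).txt"
    # /machineou pre-stages the account in the intended OU; /reuse allows an already
    # pre-staged account to be used instead of failing. Exit code 0 means the blob was written.
    $out = & djoin.exe /provision /domain $Domain /machine $m.Name `
               /machineou $OU /savefile $blob /reuse 2>&1
    [pscustomobject]@{
        Machine  = $m.Name
        ExitCode = $LASTEXITCODE
        Blob     = $blob
        Message  = ($out | Select-Object -Last 1)
    }
}
$results | Format-Table -AutoSize

# Each blob contains the machine account password and domain SID, so treat it like a credential:
# remove inherited ACEs and grant access only to SYSTEM and the provisioning account.
foreach ($r in $results | Where-Object ExitCode -eq 0) {
    $acl = Get-Acl -Path $r.Blob
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, do not copy inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', "$env:USERDOMAIN\$env:USERNAME") {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $r.Blob -AclObject $acl
}

# On each target machine the blob is consumed with the command from step 2, for example:
#   djoin.exe /requestODJ /loadfile C:\ODJ\CLIENT01.txt /windowspath %SystemRoot% /localos
# After the restart, Test-ComputerSecureChannel on the client confirms the trust was established,
# and the blob file should then be deleted from wherever it was staged.
```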

Wednesday, January 29, 2020

Concepts of Computer Forensics

Some examples of modern cybercrime

  • child pornography; 
  • fraud; 
  • terrorism; 
  • extortion; 
  • cyberstalking; 
  • money laundering; 
  • forgery;
  • identify theft etc.

Cybercrime investigations rely heavily on digital evidence from sources such as the following.
Media Analysis

  • Magnetic media (e.g., hard disks, tapes)
  • Optical media (e.g., compact discs (CDs), digital versatile discs (DVDs), Blu-ray discs)
  • Memory (e.g., random-access memory (RAM), solid-state storage)

Network analysis

  • Intrusion detection and prevention system logs   
  • Network flow data captured by a flow monitoring system
  • Packet captures deliberately collected during an incident
  • Logs from firewalls and other network security devices

Software Analysis

  • In some cases, when malicious insiders are suspected, the forensic analyst may be asked to conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities.
  • In other cases, forensic analysts may be asked to review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.

Hardware/Embedded Device Analysis

  • Personal computers
  • Smartphones
  • Tablet computers
  • Embedded computers in cars, security systems, and other devices

Computer forensics can be defined as gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Thus, the ultimate goal of a forensic investigation is to identify, analyze and reconstruct past events or activities, and to present admissible evidence to the court. There are basically three criteria for evidence to be admissible in court:

  • The evidence must be relevant to determining a fact.
  • The fact that the evidence seeks to determine must be material (that is, related) to the case.
  • The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

Forensic investigators use forensic tools and follow appropriate procedures to collect, preserve, analyze, and report admissible evidence to the court, together with their critical judgment of exactly what has happened. It is very important to prove that the evidence presented to the court has never been modified.

How evidence was collected, stored, and analyzed could potentially taint digital evidence. Example: suppose you copy a file using the Linux cp command. This modifies the file's access time, accidentally tainting the evidence.
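As an added example (not from the original post), a small PowerShell routine that records a hash-and-timestamp manifest of an item before it is handled and then documents exactly what a plain copy changed. The sample log file and the working folder under $env:TEMP are constructed here so the script runs stand-alone; Get-EvidenceRecord is a hypothetical helper name.

```powershell
# Added example: prove content integrity across handling and document any metadata changes.
$Work = Join-Path $env:TEMP 'evidence-demo'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$original = Join-Path $Work 'original.log'
'2020-01-29 10:00:01 login ok user=alice' | Set-Content -Path $original   # constructed sample data
(Get-Item $original).LastWriteTime = Get-Date '2019-12-01 08:00:00'       # give it an old timestamp

function Get-EvidenceRecord {
    # Hypothetical helper: capture what a chain-of-custody manifest needs for one file.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path           = $item.FullName
        Sha256         = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Length         = $item.Length
        CreationTime   = $item.CreationTimeUtc
        LastWriteTime  = $item.LastWriteTimeUtc
        LastAccessTime = $item.LastAccessTimeUtc
        RecordedAt     = (Get-Date).ToUniversalTime()
    }
}

# 1. Record the item BEFORE any handling and keep the manifest alongside the evidence.
$before = Get-EvidenceRecord -Path $original
$before | ConvertTo-Json | Set-Content -Path (Join-Path $Work 'manifest.json')

# 2. Handle it: a plain copy to the analysis folder (the equivalent of cp without -p).
$copy = Join-Path $Work 'working-copy.log'
Copy-Item -LiteralPath $original -Destination $copy
$after = Get-EvidenceRecord -Path $copy

# 3. Compare: the content hash must match; which timestamps change depends on the file system
#    and OS settings, so the script reports whatever differs instead of assuming.
foreach ($f in 'Sha256', 'Length', 'CreationTime', 'LastWriteTime', 'LastAccessTime') {
    $same = $before.$f -eq $after.$f
    '{0,-15} {1}' -f $f, $(if ($same) { 'unchanged' } else { "CHANGED: $($before.$f) -> $($after.$f)" })
}
if ($before.Sha256 -ne $after.Sha256) {
    throw 'Content hash mismatch: the working copy is not a faithful copy of the original'
}
```

The manifest written in step 1 is what lets you show later that the content you analyzed is byte-for-byte what was collected, even though the copy's metadata differs.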

Where is evidence collected from?
Basically everywhere. Data can be in one of three states:

  • data at rest, which means stored on a computer drive, in the cloud, on a USB drive, on a mobile phone, etc.;
  • data in use, which means data in a computer's memory that is currently being used;
  • data in transit, which means data moving through a network.

It is to be noted that the tools used to collect and analyze data at rest differ from the tools used for data in transit. Moreover, there are tools and technologies, called anti-digital forensics or ADF, which are designed to thwart discovery of such information. The main aim of ADF is to erase, obfuscate, or manipulate digital data, which makes forensic investigation much more difficult, time-consuming, or virtually impossible.
Example:

  • renaming files by changing file extensions;
  • data hiding by associating good blocks with the bad block inodes;
  • overwriting data and metadata, sometimes called wiping;
  • hiding or obfuscating data through steganography, cryptography, and other methods.

Tuesday, January 28, 2020

Windows Server - Group Policy Objects

What are Group Policy Objects (GPOs)?

GPOs standardize your organization’s settings
A GPO is an object that contains one or more policy settings for configuring users or computers.  Group Policy settings allow administrators to enforce settings by modifying the computer‑specific and user‑specific settings on domain‑based computers. You configure Group Policy settings in GPOs, which you can then link to containers or organizational units that contain users or computers.
GPOs have Computer and User settings
The Group Policy Management Editor window displays the individual Group Policy settings that are available in a GPO. The window displays the settings in an organized hierarchy that is divided into Computer Configuration and User Configuration nodes. Settings that are user-centric are in the User Configuration Node. Settings that are computer-centric are in the Computer Configuration Node.
Screenshot of the Default Domain Policy node in the GPME. The Computer Configuration and User Configuration nodes are highlighted.

Windows Server - Delegating Permission

Delegating permissions

Certain groups have computer permissions
It is important that you control who will be able to create and delete computers in the domain. By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have permissions to perform some management of computer objects.
Delegate access to a smaller computer group
We recommend you delegate the Computer Objects permission to a smaller group of administrators or support personnel. For example, you might create a group containing just the desktop support team and the file server administrators. Then you could give permissions to allow your desktop support team to create computer objects in a Clients OU, and your file server administrators to create computer objects in a File Servers OU.
To delegate permissions, you can use the Delegate Control Wizard. Computer object permissions include Create selected objects in the folder and Delete selected objects. If you want to allow a delegated administrator to move computer accounts, consider that the administrator must have the appropriate permissions both in the source container (where the computer currently exists) and in the target container (where the computer will be moved to).
Screenshot of the Delegation of Control wizard showing the Computer Objects permissions including Create and Delete.

Pre-staging computers

Visual representation of the three reasons to pre-stage computer accounts.
As a best practice we recommend you create your computer objects in advance. This is called pre-staging a computer. There are several advantages to this method.

  • Enforces delegated control. If you have delegated control to your computer OUs, then you ensure only the specific people you have identified will be able to create the computer accounts.
  • Enforces the OU structure. When Windows Server attempts to join a computer to the domain it looks for an existing object. If it does not find the object, it creates the computer object in the default Computers container. It is easy to forget to move the computer from the default container into the OUs you took the time to define and create.
  • Enforces the Group Policy settings. When you link GPOs to your computer OUs the computer is immediately within scope before the computer joins the domain.  This reduces the chance a computer will be out of compliance once it joins the domain.

Windows Server: Advantage of Server Core

Advantages of Server Core

  • There are fewer features so fewer software updates are required. This means less downtime, less administrative overhead, and reduced restart requirements.
  • By removing files that are not needed disk space and memory requirements are reduced. This means when virtualized you can deploy more servers on the same host.
  • Since fewer files are installed there is less opportunity for security threats. Also, without a GUI, it limits a local user’s ability to interact with it.
Microsoft

Windows Server: Server Manager Roles and Features

    • Which server role enables you to centrally configure, manage, and provide temporary IP addresses and related information for client computers?
    Answer: Dynamic Host Configuration Protocol (DHCP) Server. The DHCP server enables you to centrally configure, manage, and provide temporary IP addresses and related information for client computers. IP addresses are used to uniquely identify the client computers on your network.
    • Which server role provides the services that you can use to create and manage virtual machines and their resources?
    Answer: Hyper-V Server. The Hyper-V Server provides services to create and manage virtual machines and their resources. Each virtual machine is a virtualized computer system that operates in an isolated execution environment. This allows you to run multiple operating systems simultaneously.
    • Which server role provides a reliable, manageable, and scalable Web application infrastructure?
    Answer: Web Server (IIS). The Web Server provides a reliable, manageable, and scalable Web application infrastructure. IIS supports hosting of Web content in production environments.
    • Which server role stores information about objects on the network and makes this information available to users and network administrators?
    Answer: Active Directory Domain Services (AD DS) Server. The AD DS server stores information about objects on the network and makes this information available to users and network administrators. Servers that run the AD DS Server role are called Domain Controllers. These servers provide network users access to resources through a single logon process.
    • Which server role allows network administrators to specify the Microsoft updates that should be installed on different computers?
    Answer: Windows Server Update Services (WSUS) Server. The WSUS server allows network administrators to specify the Microsoft updates that should be installed on different computers. Keeping your computers updated with the latest updates is an important part of securing the network. With WSUS you can automate this process and create different update schedules for your computers.
    • Which server feature allows multiple servers to work together to provide high availability of server roles?
    Answer: Failover Clustering. Failover clustering is often used for File Services, virtual machines, database applications, and mail applications.
    • Which server feature includes snap-ins and command line tools for remotely managing roles and features?
    Answer: Remote Server Administration Tools (RSAT). RSAT Tools are divided into Feature Administration Tools and Role Administration Tools. Feature Administration Tools include Failover Clustering Tools, IPAM Client, and Network Load Balancing Tools. Role Administration Tools include Hyper-V Management Tools, DHCP Server Tools, and Remote Access Management Tools.
    • Which server feature distributes network traffic across several servers, using the TCP/IP protocol?
    Answer: Network Load Balancing (NLB). NLB is particularly useful for ensuring stateless applications, such as Web Servers running IIS, are scalable by adding additional servers as the load increases.
    • Which server feature includes Windows PowerShell cmdlets that facilitate migration of server roles, operating system settings, files, and shares from computers that are running earlier versions of Windows Server?
    Answer: Windows Server Migration Tools. Windows Server Migration Tools can also facilitate migration from one computer that is running Windows Server 2012 to another server that is running Windows Server 2012, for example when you are creating a backup server.
    • Which server feature provides a central framework for managing your IP address space and DHCP and DNS servers?
    Answer: IP Address Management Server (IPAM). IPAM supports automated discovery of DHCP and DNS servers in the Active Directory forest. IPAM can also track and monitor IPv4 and IPv6 addresses, as well as providing utilization tools.

    Monday, January 27, 2020

    Windows Server Editions - How to Choose between Datacenter, Standard, Essentials and Foundation

    Windows Server 2012 R2 is available in four editions designed to suit a variety of customers' needs.
    • Datacenter and Standard are ideal for private cloud.
    • Essentials and Foundation are optimal for small businesses.
    Windows Server 2012 R2 Datacenter
    Windows Server 2012 R2 Datacenter will continue to be the ideal edition for highly virtualized private and hybrid cloud environments, providing customers with unlimited virtualization rights and all of the enhanced and new features of Windows Server 2012. The licensing for Datacenter will continue to follow a processor + CAL model; however, each license now covers up to two physical processors on a server.

    Windows Server 2012 R2 Standard
    Windows Server 2012 R2 Standard is ideal for physical computing or lightly virtualized environments. It provides customers with one more virtual instance than the previous version, for a total of two virtual instances, along with all of the same features as the Datacenter edition. Licensing for Standard is now the same as for Datacenter: a processor + CAL model, with each license covering up to two physical processors on a server.

    Windows Server 2012 R2 Essentials
    Windows Server 2012 R2 Essentials is a cloud-connected first server, ideal for small businesses with up to 25 users. It provides customers with the flexibility to have email in the cloud, to run business applications, or to run email on premises. The licensing for Essentials will continue to be a server model with no CAL requirements.

    Windows Server 2012 R2 Foundation
    Finally, Windows Server 2012 R2 Foundation is an economical general-purpose server for physical computing environments only. It provides customers with a Windows Server experience for up to 15 users. The licensing for Foundation will continue to be a server model with no CAL requirement.

    Comparisons

    The Windows Server 2012 core editions, Datacenter and Standard, are both private-cloud-optimized solutions providing all the same features and capabilities and cost-effective virtualization options. Datacenter is ideal for highly virtualized environments and provides for unlimited virtualization; this edition is ideally suited for rapidly growing businesses with high-density virtualization needs. Standard edition is optimal for low-density environments or for those without virtualization needs, as each license provides for two virtual instances. Windows Server 2012 R2 Datacenter and Standard editions are differentiated only by virtualization rights: Datacenter provides for unlimited virtualization and Standard provides customers with two virtual instances per license. Both editions share a common licensing structure based on a processor + CAL model, where each license covers up to two physical processors on a single server. There is no difference in the available features of these two editions, since Standard edition now has all the same features that were previously only available in the Datacenter edition.



    Sunday, January 26, 2020

    Powershell - RODC Installation and Password Caching

    Try It: RODC Installation and Password Caching

    A. Datum is adding a new branch office. You have been asked to configure an RODC to service logon requests at the branch office. You also need to configure password policies that ensure caching only of passwords for local users in the branch office.
    In this Try It you will verify requirements for installing a RODC, install the RODC, and configure password replication policies.
    Note:  In this lab you will pre-create the RODC computer account. By pre-creating this account, you can delegate the second part of the RODC deployment to a non-administrative user. For example, if the remote site (branch office) doesn't have any IT administrators,  a non-IT user at the site can complete the installation. If your intention is to deploy an RODC yourself and you are a domain administrator, you will often bypass the pre-creation and just go straight to the deployment.
    Create the RODC account on LON-DC1
    1. LON-SVR1 should not be on the domain when the RODC account is created on LON-DC1. So, follow these steps to move it temporarily to a Workgroup.
    2. Login to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
    3. In Server Manager, select Local Server, and then next to Domain click Adatum.com
    4. Click Change and put LON-SVR1 in a workgroup named TEMPORARY.
    5. Acknowledge the message that you will need the Administrator’s password to rejoin the domain.
    6. As prompted, restart LON-SVR1.
    7. Log on to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.
    8. In Server Manager, click Tools, and then select Active Directory Users and Computers.
    9. Delete the LON-SVR1 computer account from the Computers container.
    10. Read and acknowledge the subtree deletion information.
    11. Right-click the Domain Controllers OU, and select Pre-create Read-only Domain Controller account.
      • Network credentials: My current logged on credentials
      • Computer name: LON-SVR1
      • Site: Default-first-site-name
      • Leave selected DNS server and Global catalog
      • Delegate to: ADATUM\IT
    12. Finish the wizard and verify LON-SVR1 has been added to the Domain Controllers OU.
    Add the AD DS role to LON-SVR1
    1. Login to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
    2. In the Server Manager Dashboard, click Add roles and features, and then on the Server Roles page, select the Active Directory Domain Services role.
    3. Take all of the default values, and wait for the installation to complete.
    4. In Server Manager, click the Notification flag, and select Promote this server to a domain controller.
    5. Complete the post deployment steps using the default options except those listed below. Notice you are adding a domain controller to an existing domain. Also, you will use the pre-created RODC account.
      • Domain: Adatum.com
      • Network credentials: Adatum.com\Administrator
      • Password: Pa$$w0rd
      • Directory Services restore mode password: Pa$$w0rd
      • Read the Warning message: Use existing RODC account
      • Replicate from: LON-DC1.Adatum.com
      • Take the defaults for the location of the AD DS database.
      • Review your selections and click View Script. Notice the PowerShell commands that are being used.
    6. When the installation is complete, LON-SVR1 will automatically restart.
    Configure password replication
    1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.
    2. In the Users container, view the membership of the Allowed RODC Password Replication Group, and verify that there are no current members.
    3. In the Research OU, create a new global security group named Remote Office Users.
    4. On the Members tab, add Aziz, Colin and LON-CL1 to the membership of Remote Office Users.
    5. In the Domain Controllers OU, open the properties of LON-SVR1.
    6. On the Password Replication Policy tab, allow the Remote Office Users group to replicate passwords to LON-SVR1.
    7. Apply your changes.
    8. Click Advanced. On the Resultant Policy tab, add Aziz, and then confirm that Aziz’s password can be cached.
    Monitor credential caching
    1. Attempt to sign in to LON-SVR1 as Aziz. This sign-in will fail because Aziz does not have permission to sign in to the RODC, but authentication is performed and the credentials are now cached.
    2. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of LON-SVR1.
    3. On the Password Replication Policy tab, open the Advanced configuration.
    4. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only Domain Controller option. Notice that Aziz’s password has been cached.
    Populate credential caching

    1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click LON-SVR1, and then click Properties.
    2. On the Password Replication Policy tab, click Advanced.
    3. On the Policy Usage tab, prepopulate the password for Colin and LON-CL1.
    4. Read the list of cached passwords, and then confirm that Colin and LON-CL1 have been added.
    5. Close all open windows on LON-DC1.
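The same lab driven from PowerShell, as an added example (not the post's own script, though step 5 of the promotion shows the cmdlets the wizard generates). It assumes the lab's names: domain Adatum.com, RODC LON-SVR1, source DC LON-DC1, delegated group ADATUM\IT, users Aziz and Colin, workstation LON-CL1, and the Research OU; LON-SVR1 is assumed to be in a workgroup before part 2 runs.

```powershell
# Added example: RODC pre-creation, promotion, password replication policy and cache checks.
# Parts 1, 3 and 4 run on LON-DC1; part 2 runs on LON-SVR1.

# --- Part 1 (LON-DC1): pre-create the RODC account and delegate the install to ADATUM\IT ---
Import-Module ADDSDeployment
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'LON-SVR1' `
    -DomainName 'Adatum.com' `
    -SiteName 'Default-First-Site-Name' `
    -DelegatedAdministratorAccountName 'ADATUM\IT'

# --- Part 2 (LON-SVR1): add the role, then promote using the pre-created account ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$cred = Get-Credential -Message 'Account delegated for the RODC install (e.g. Adatum\Administrator)'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSDomainController `
    -DomainName 'Adatum.com' `
    -UseExistingAccount `
    -Credential $cred `
    -ReplicationSourceDC 'LON-DC1.Adatum.com' `
    -SafeModeAdministratorPassword $dsrm `
    -Force            # suppresses confirmation prompts; the server restarts when promotion completes

# --- Part 3 (LON-DC1): scope password caching to the branch office users only ---
Import-Module ActiveDirectory
# The built-in allow group applies to every RODC; confirm it is still empty before delegating.
$allowed = Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group'
if ($allowed) { Write-Warning "Allowed RODC Password Replication Group has $($allowed.Count) members" }

New-ADGroup -Name 'Remote Office Users' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Research,DC=Adatum,DC=com'
Add-ADGroupMember -Identity 'Remote Office Users' -Members 'Aziz', 'Colin', 'LON-CL1$'
# Allow only this group to have its secrets cached on LON-SVR1 (the Password Replication Policy tab)
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-SVR1' -AllowedList 'Remote Office Users'
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-SVR1' -Allowed | Select-Object Name

# --- Part 4 (LON-DC1): monitor and pre-populate the cache ---
# Accounts that have authenticated through the RODC (Aziz appears here after the failed sign-in)
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'LON-SVR1' -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
# Pre-populate Colin and LON-CL1 so they can log on even if the WAN link to LON-DC1 is down
foreach ($acct in 'Colin', 'LON-CL1$') {
    Sync-ADObject -Object $acct -Source 'LON-DC1' -Destination 'LON-SVR1' -PasswordOnly
}
# Accounts whose secrets are now stored on the RODC; anything unexpected here is worth investigating
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'LON-SVR1' -RevealedAccounts |
    Select-Object Name, ObjectClass
```

The last query is the one to revisit if the branch office RODC is ever lost or stolen, since it lists exactly which accounts' passwords need to be reset.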