Saturday, April 4, 2020

Windows Server - trust relationship

What is a trust relationship?

Trust relationships authenticate users between domains
Trust relationships (trusts) are authentication pipelines between different domains. Some trusts are generated automatically as part of the domain installation process, and others are trusts that you create manually for various reasons. Trust relationships form the framework that allows resource sharing between domains, and they also provide the structure that supports authentication between domains. The main purpose of a trust relationship is to provide a user in one domain access to a resource in another domain without needing a user account in both domains.
Visual representation of a trust relationship between a trusted entity and a trusting entity.
There are trusting and trusted entities
In any trust relationship, there are two parties involved: the trusting entity and the trusted entity. The trusting entity is the resource holding entity, whereas the trusted entity is the account holding entity. For example, if you lend someone your laptop, you trust them. You are the resource holding entity. They are the account holding entity.

Just because there is a trust between domains does not necessarily mean that a user from one domain has access to resources in the other. Administrators must grant users rights to those resources; by default, a trust grants no user rights.


Parent-Child and Tree-Root trusts

Some trusts are automatically created
Windows Server supports several different trusts for use in different situations. Some trusts are created automatically between domains in the forest, for example the parent-child and tree-root trust relationships.
Visual representation of domain showing a parent-child trust and a tree root trust.
  #  Trust type    Description
  1  Parent-child  Trust between parent and child domains in the same domain tree.
  2  Tree-root     Trust between domain trees in the same forest.


Are there other trust relationships?

Other trust relationships can be manually created as needed
You can configure additional trusts between domains within your forest, between your forest and other forests, and between your forest and other security entities, such as Kerberos realms or an older Active Directory domain.
Visual representation of shortcut, realm, external, and forest trusts.

  #  Trust type  Description
  3  Shortcut    Use shortcut trusts to improve user logon times between two domains in an Active Directory forest. This is useful when two domains are separated by two domain trees.
  4  Forest      Use forest trusts to share resources between forests.
  5  Realm       Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain.
  6  External    Use external trusts to access resources located in a domain in another forest that is not joined by a forest trust.

Thursday, April 2, 2020

Windows Server Infrastructure - Should you Migrate or Upgrade

Migration lets you move the configuration of an existing server to a new server computer. Migrations are often chosen over upgrades because the process is less destructive and more recoverable. Depending on the services and functionality you need to migrate to the new server instance, there will be different requirements and actions to take. Fundamentally, though, a migration can be broken down into three phases.

Pre-Migration
  • Installing and running migration tools and identifying any prerequisites, for example drivers and ports.
  • Preparing source server. For example, backing up your data.
  • Preparing destination server. For example, ensuring drivers and ports are available.
Migration
  • Exporting or migrating data from source server.
  • Importing or migrating data to destination server.
Post-Migration
  • Verify destination server is running successfully.
  • Decommission source server.
Why Migrate not Upgrade?
First, migration provides a transition path from x86 to x64: a lot of people are still running 32-bit Windows Server 2003 with 32-bit applications, which can't be upgraded in place to 2012 because there is no 32-bit version of 2012. Migration also covers physical to virtual and vice versa, so it's easy to migrate straight to a virtual machine, and full server to Server Core and vice versa.
In Windows Server 2008 you could install Server Core and do all the nice things with it. With 2012 R2 you can install the full GUI and remove it later if you want. All of these options come into play when you look at transition paths. Plus, you end up with a clean operating system.

If you are still running Windows 2003 boxes, chances are you've had them running for a long time, a very long time. What happens when you keep a system running for a long time? It starts getting slow. Software has been installed and removed, you may have missed a patch or two, and you never end up with a really clean OS. If you do an in-place upgrade of that server, you migrate all the bad stuff along with it. Doing a migration instead of an upgrade gives you the opportunity to do a clean system install, and the most important part of that for me is reducing the risk of downtime. During a migration your source server is still available, so if the migration fails halfway through it's not a problem: turn the service back on, wipe the machine that was your target, figure out what went wrong (a script, network bandwidth, whatever the problem might be), fix it, and try again. The tasks are performed while your service is still live, so you always have a back-out scenario.

Wednesday, April 1, 2020

Windows Server - Directionality and Transitivity

Trusts can have different directionality and transitivity

There are transitive and nontransitive trusts
Trusts can be transitive or nontransitive. In a transitive trust, if A trusts B and B trusts C, then A also implicitly trusts C. For example, if you lend Steve your laptop, and Steve lends his car to Mary, then you might be willing to lend your mobile phone to Mary. In a nontransitive trust, the trust is limited to the two domains that established it and does not extend to any other domain either of them trusts.
There are one-way or two-way trusts
A one-way trust means that, although one entity trusts the other, the reciprocal is not true. For example, just because you lend Steve your laptop does not mean that Steve will lend you his car. In a two-way trust, both entities trust one another. In a single forest, all domains trust one another with internal, two-way transitive trusts. Basically, this means that all domains trust all other domains.
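An added example, not part of the original posts, that enumerates a domain's trusts and reports each one in the terms used above (trust type, one-way or two-way, transitive or not). It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the domain name fabrikam.com is a placeholder.

```powershell
# Added example (not from the original posts). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TrustSummary {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # defaults to the current domain

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # Classify the trust into the categories from the trust-type tables.
        $kind = if ($_.IntraForest)             { 'Intra-forest (parent-child, tree-root or shortcut)' }
                elseif ($_.TrustType -eq 'MIT') { 'Realm (non-Windows Kerberos)' }
                elseif ($_.ForestTransitive)    { 'Forest' }
                else                            { 'External' }

        # Intra-forest and forest trusts are transitive; external trusts are always
        # nontransitive; a realm trust is nontransitive unless the flag is cleared.
        # (DisallowTransivity is the property's real spelling in the module.)
        $transitive = if ($_.IntraForest -or $_.ForestTransitive) { $true }
                      elseif ($_.TrustType -eq 'MIT') { -not $_.DisallowTransivity }
                      else { $false }

        # Direction is relative to $Domain: Outbound means this domain is the trusting
        # (resource-holding) side, Inbound means it is the trusted (account-holding) side.
        $who = switch ($_.Direction) {
            'Outbound'      { "$Domain trusts $($_.Target) (one-way)" }
            'Inbound'       { "$($_.Target) trusts $Domain (one-way)" }
            'BiDirectional' { "$Domain and $($_.Target) trust each other (two-way)" }
            default         { "$($_.Direction)" }
        }

        [pscustomobject]@{
            Target                  = $_.Target
            Kind                    = $kind
            Direction               = $who
            Transitive              = $transitive
            SelectiveAuthentication = $_.SelectiveAuthentication
        }
    }
}

# Review the trust picture for the current domain (or pass -Domain 'fabrikam.com').
Get-TrustSummary | Format-Table -AutoSize
```

Reviewing this output periodically is a cheap way to spot a trust nobody remembers creating, or a one-way trust that has quietly become two-way.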

Sunday, March 29, 2020

Windows Server Infrastructure - Basics

Question: What is an Organizational Unit (OU) and why would you create additional OUs?
Answer: An OU is an object in a domain that you can use to store user objects, computer objects, group objects, and other AD DS objects. You typically create additional OUs when you want to delegate control to a specific group or link a Group Policy Object to the OU.


Question: What are the five flexible single master operations (FSMO) roles and where do they exist?
Answer: FSMO roles are special roles within a forest and domain. There are two FSMO roles at the forest level: Schema Master and Domain Naming Master. There are three FSMO roles at the domain level: RID Master, Infrastructure Master, and PDC Emulator.

Question: What is a trust relationship and which type of trust relationship is used to improve user logon times between two domains in a forest?
Answer: Trust relationships are authentication pipelines between different domains. Shortcut trusts can be used to improve user logon times between two domains in an Active Directory forest.


Question: Which optional AD DS feature enables you to quickly restore objects that have been deleted?
Answer: The Active Directory Recycle Bin, an optional feature of AD DS, provides a simplified process for restoring deleted objects.

Question: What is Server Core and what are some advantages of using it?
Answer: Server Core is the default Windows Server installation option. Server Core does not have a graphical user interface. Server Core installs fewer components, so fewer updates are required. Server Core removes unneeded files, so disk space and memory requirements are lower. Lastly, fewer files and components means less opportunity for security threats.

Question: Which feature can you use to define different password policies and account lockout settings in a domain?
Answer: Fine-grained password policies let you specify different password policies and account lockout policies for different groups of users, for example executives, administrators, service accounts, or regular users.

Question: Aziz has reported he is unable to sign in to the domain. The error message is, “The trust relationship between this workstation and the primary domain failed.” What is likely the problem and how should you fix it?
Answer: Most likely the problem is a broken secure channel. You can use Active Directory Users and Computers or PowerShell to reset the computer account and rejoin the computer to the domain.

Question: What is the global catalog and when is it used?
Answer: The global catalog is a central directory of every object in the forest. The global catalog is commonly used to provide Exchange email account information and a user’s Universal group memberships.

Question: What is an AD DS site and when should you consider creating a site?
Answer: An AD DS site represents the physical structure, or topology, of your network. There are several reasons to consider creating additional sites, such as the number of users at a location, slow links between locations, service localization, and AD DS database replication.


Question: When should you use an authoritative restore?
Answer: An authoritative restore is necessary when a known good copy of AD DS has been restored that contains objects that must override the existing state of other objects in the AD DS database.

Question: How are Group Policy settings and Group Policy preferences different?
Answer: Group Policy settings and Group Policy preferences are different. Preferences are not enforced, can reapply automatically, and can use item-level targeting.

Windows Server: Active Directory Services

Active Directory
Active Directory is the directory service Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.
A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, assigns and enforces security policies for all computers, and installs or updates software.
Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Active Directory Services
There are five Active Directory services:
  1. Active Directory Certificate Services.
    Active Directory Certificate Services (AD CS) lets you create, distribute, and manage customized public key certificates. It is an Identity and Access Control security technology that provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies.
    It establishes an on-premises public key infrastructure. It can create, validate and revoke public key certificates for internal uses of an organization. These certificates can be used to encrypt files (when used with Encrypting File System), emails (per S/MIME standard), network traffic (when used by virtual private networks, Transport Layer Security protocol or IPSec protocol).
  2. Active Directory Domain Services.
    Active Directory Domain Services (AD DS) stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches. An Active Directory domain controller is a server that is running AD DS.
    AD DS is an important part of every Windows domain network. It stores information about members of the domain, including devices and users, verifies their credentials, and defines their access rights. A domain controller is contacted when a user logs into a device, accesses another device across the network, or runs an app sideloaded into a device.

     
  3. Active Directory Federation Services.
    Active Directory Federation Services (AD FS) provides Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications over the life of a single online session.
    With an AD FS infrastructure in place, users may use several web-based services (e.g. an internet forum, blog, online shop, or webmail) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS's purpose is an extension of that of AD DS: the latter enables users to authenticate with and use the devices that are part of the same network using one set of credentials; the former enables them to use that same set in a different network.

     
  4. Active Directory Lightweight Directory Services.
    Active Directory Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the restrictions of Active Directory Domain Services (AD DS).
    AD LDS shares the code base with AD DS and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers. It provides a Data Store for storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS instances can run on the same server.

     
  5. Active Directory Rights Management Services.
    Active Directory Rights Management Services (AD RMS) protects your information and works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward, or take other actions with the information.
    It uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them.

AD DS - User Account Template

How to create user account templates

Consider creating user templates
User templates allow administrators to create a default user account and use that account to create all the other users that match it. For example, a user account template named _LondonSales could be used to create all the other sales accounts in the London office. User templates can save you a lot of time and resources especially if you have to create a large number of users or fill out many of the same attribute fields over and over again.
  • Not all information gets copied from a template. For example, Name, Logon Name, Password, Email, and Phone Number do not get copied.
  • Always ensure you disable the template account. You wouldn't want someone using it to access your network.
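An added example, not from the original post, of the workflow described above: the _LondonSales template is disabled, new sales accounts are copied from it with New-ADUser -Instance, and the per-user attributes a template does not carry are supplied explicitly. It assumes the ActiveDirectory module (RSAT); the domain fabrikam.com, the OU path and the sample user are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module (RSAT)
# and an existing template account named _LondonSales. Domain and OU are placeholders.
Import-Module ActiveDirectory

$domain = 'fabrikam.com'
$ou     = 'OU=Sales,OU=London,DC=fabrikam,DC=com'

# -Instance copies only the attributes present on the object, so request the shared
# ones explicitly. Group membership (MemberOf) is a back-link, not a copyable attribute,
# so it is read separately and replicated with Add-ADGroupMember below.
$template = Get-ADUser -Identity '_LondonSales' `
    -Properties Department, Company, Title, Description, StreetAddress, City, PostalCode, Country
$templateGroups = (Get-ADUser -Identity '_LondonSales' -Properties MemberOf).MemberOf

# The template exists only to be copied; it must never be usable for logon.
Disable-ADAccount -Identity $template

function New-UserFromTemplate {
    param([string]$Given, [string]$Surname, [string]$Sam, [string]$Phone)

    $name = "$Given $Surname"
    # Name, logon name, password, email and phone are not copied from a template,
    # so every one of them is set per user here. Explicit parameters override
    # the instance values (including the template's disabled state).
    New-ADUser -Instance $template -Path $ou -Name $name -DisplayName $name `
        -GivenName $Given -Surname $Surname -SamAccountName $Sam `
        -UserPrincipalName "$Sam@$domain" -EmailAddress "$Sam@$domain" -OfficePhone $Phone `
        -AccountPassword (Read-Host -AsSecureString "Initial password for $Sam") `
        -ChangePasswordAtLogon $true -Enabled $true

    foreach ($group in $templateGroups) { Add-ADGroupMember -Identity $group -Members $Sam }
}

# Sample user (constructed placeholder values).
New-UserFromTemplate -Given 'Mary' -Surname 'Jones' -Sam 'mjones' -Phone '+44 20 7946 0001'

# Sanity checks: the template stayed disabled and the copy received the shared attributes.
$copy = Get-ADUser -Identity 'mjones' -Properties Department, Company
"Template enabled: $((Get-ADUser -Identity '_LondonSales').Enabled)"
"New user department: $($copy.Department); company: $($copy.Company)"
```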

User account best practices

User accounts require planning
- Have a plan. Plan the accounts policy carefully to make sure that the plan meets the security needs of your organization. Your user accounts policy should include password length, password complexity rules, and the maximum password age for user accounts.
- Unique accounts. Create a user account for every user who has to access your forest. Don't let users share user accounts.
- Naming convention. Implement a naming convention that yields simple-to-remember, unique user names. Consider that the more users you have, the more likely there are to be duplicates within your organization.
- Special characters. User names can contain special characters, including periods, hyphens, and apostrophes. However, these special characters may not be compatible with all programs and applications. Before you use special characters, such as an apostrophe, test with other applications your organization uses.
- Temporary accounts. Create accounts for temporary or contract staff with the same naming convention that you use for other users. For example, don't use generic account names such as Temp1 or Tester2.