Archive for the ‘Active Directory Domain Services (ADDS)’ Category

(2012-03-28) Managing The ‘Protect From Accidental Deletion’ Option On AD Objects Through PowerShell

Posted by Jorge on 2012-03-28

In this post I explain the “Protect From Accidental Deletion” feature that is made accessible through both “Active Directory Users And Computers” and “Active Directory Administrative Center”. Under the hood that feature in reality is implemented through a combination of ACEs on objects. If you wanted to script the addition or removal of the protection you had to screw with ACEs and that was not always a fun thing to do as it could be quite complex to achieve a simple configuration.

Let’s say you want to create and protect the OU "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB". The OU "OU=TOPLevel,DC=ADCORP,DC=LAB" already exists and is already protected!

[1] Using ADMOD and DSACLS

Creating the OU:

ADMOD -sc adaou:1;OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB

Adding the protection:

DSACLS "OU=TOPLevel,DC=ADCORP,DC=LAB" /D "EVERYONE:DC" (DENY ACE for Everyone to DELETE CHILD with the This object only scope)
DSACLS "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" /D "EVERYONE:SDDT" (DENY ACE for Everyone to DELETE and DELETE TREE with the This object only scope)

[2] Using the Microsoft AD PowerShell CMDlets And Configuring The Correct ACEs

Creating the OU (I know I could use the CMDlet “New-ADOrganizationalUnit”…):

$objParent = [ADSI]"LDAP://ADCORP.LAB/OU=TOPLevel,DC=ADCORP,DC=LAB"
$objOU = $objParent.Create("organizationalUnit","OU=MyProtectedOU")
$objOU.SetInfo()

Adding the protection:

Import-Module ActiveDirectory
$sidEVERYONE = [System.Security.Principal.SecurityIdentifier]‘S-1-1-0′
$ACLParent = Get-Acl "AD:\OU=TOPLevel,DC=ADCORP,DC=LAB"
$ACEParent = $sidEVERYONE,"DeleteChild","Deny"
$AccessRuleParent = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEParent
$ACLParent.AddAccessRule($AccessRuleParent)
Set-Acl -ACLObject $ACLParent -Path "AD:\OU=TOPLevel,DC=ADCORP,DC=LAB"
$ACLOU = Get-Acl "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"
$ACEOU = $sidEVERYONE,"Delete,DeleteTree","Deny"
$AccessRuleOU = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEOU
$ACLOU.AddAccessRule($AccessRuleOU)
Set-Acl -ACLObject $ACLOU -Path "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"

Removing the protection:

Import-Module ActiveDirectory
$sidEVERYONE = [System.Security.Principal.SecurityIdentifier]‘S-1-1-0′
$ACLOU = Get-Acl "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"
$ACEOU = $sidEVERYONE,"Delete,DeleteTree","Deny"
$AccessRuleOU = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEOU
$ACLOU.RemoveAccessRule($AccessRuleOU)
Set-Acl -ACLObject $ACLOU -Path "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"

[3] Using the Microsoft AD PowerShell CMDlets And Using The Exposed Property

Creating the OU:

Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name ‘MyProtectedOU’ -Path ‘OU=TOPLevel,DC=ADCORP,DC=LAB’

REMARK: when using this CMDlet, the default behavior is to protect the created OU

Adding the protection:

Import-Module ActiveDirectory
Set-ADOrganizationalUnit "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" -ProtectedFromAccidentalDeletion:$true

Removing the protection:

Import-Module ActiveDirectory
Set-ADOrganizationalUnit "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" -ProtectedFromAccidentalDeletion:$false

[4] Using the Quest AD PowerShell CMDlets

Creating the OU:

Add-PSSnapin Quest.ActiveRoles.ADManagement
New-ADOrganizationalUnit -Name ‘MyProtectedOU’ -Path ‘OU=TOPLevel,DC=ADCORP,DC=LAB’

Adding the protection:

Add-PSSnapin Quest.ActiveRoles.ADManagement
Add-QADPermission -identity ‘OU=TOPLevel,DC=ADCORP,DC=LAB’ -Deny -Account ‘EVERYONE’ -Right ‘DeleteChild’ -ApplyTo ThisObjectOnly
Add-QADPermission -identity ‘OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB’ -Deny -Account ‘EVERYONE’ -Right ‘Delete,DeleteTree’ -ApplyTo ThisObjectOnly

Removing the protection:

Add-PSSnapin Quest.ActiveRoles.ADManagement
Get-QADPermission -identity ‘OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB’ -Deny -Account ‘EVERYONE’ -Right ‘Delete,DeleteTree’ -ApplyTo ThisObjectOnly | Remove-QADPermission

[5] Adjusting the default security descriptor for OUs

When you create any object, that object will receive the default explicit permissions as configured in the AD schema. So, by adjusting the default explicit permissions (a.k.a. the default Security Descriptor) for the organizationalUnit objectClass any newly created organizational unit from that point on will receive the new default security descriptor. The change to the default security descriptor can be undone if you desire so! However, just making the change is not enough as the schema is cached for performance reasons. Therefore any changes to the AD schema will be refreshed into the cache within five minutes after the change has been committed into the database. If you cannot wait and you want to reload the schema right away you can follow either of the following procedures:

Start the Active Directory Schema MMC, right-click “Active Directory Schema” and then click “Reload the Schema”
OR
Add the “schemaUpdateNow” operational attribute to rootDSE with a value of 1

For more detailed information about the schema please see: How the Active Directory Schema Works

To adjust the default security descriptor for the organizationalUnit objectClass perform the following steps:

Open ADSIEDIT.MSC and connect to the SCHEMA naming context
Find the object “CN=Organizatinal-Unit” and adjust the value of the “defaultSecurityDescriptor” property

From the default value:

D:(D;;DCDTSD;;;WD)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)

To the custom value (difference with the default has been highlighted in yellow):

D:(D;;DCDTSD;;;WD)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)

Figure 1: Adjusting The Default Security Descriptor Of The ObjectClass OrganizationalUnit

REMARK: During my testing with Windows Server “8” Beta, I discovered that there is a difference in behavior between ADUC and ADAC if you select to NOT protect the if the above custom configuration for the default security descriptor is in place. In ADAC, after the new object has been created/instantiated it will in addition remove the protection as expected. However, in ADUC it will not be removed as requested. I’m not sure if Microsoft will change this unexpected behavior for ADUC in the official release of Windows Server “8”. Just be aware of this!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Object Deletion/Restore, PowerShell | 4 Comments »

(2012-01-26) Troubleshooting Authentication Problems – Kerberos Or NTLM

Posted by Jorge on 2012-01-26

Over the years I have written a few blog posts about or related to Kerberos or NTLM authentication. These blog posts are summarized here for your convenience:

However, in addition to what I have written, the guys at AskDS have written a bunch of excellent Kerberos related blog posts. These blog posts are summarized here for your convenience:

A guy from WebTopics also has written a very good blog post about Kerberos in IIS. This blog post is also here for your convenience:

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5

Read all these blog posts, and you are up to speed in no time when the need arises to troubleshoot authentication problems. Have fun!

Posted in Active Directory Domain Services (ADDS), Kerberos AuthN, NTLM AuthN | Leave a Comment »

Troubleshooting Authentication Problems – Kerberos Or NTLM

Posted by Jorge on 2012-01-26

Over the years I have written a few blog posts about or related to Kerberos or NTLM authentication. These blog posts are summarized here for your convenience:

However, in addition to what I have written, the guys at AskDS have written a bunch of excellent Kerberos related blog posts. These blog posts are summarized here for your convenience:

A guy from WebTopics also has written a very good blog post about Kerberos in IIS. This blog post is also here for your convenience:

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5

Read all these blog posts, and you are up to speed in no time when the need arises to troubleshoot authentication problems. Have fun!

Posted in Active Directory Domain Services (ADDS), Kerberos AuthN, NTLM AuthN | Leave a Comment »

(2011-12-14) Active Directory PowerShell Module CMDlets

Posted by Jorge on 2011-12-14

Figure 1: The AD PowerShell Module CMDlets Posted

More information about the AD Powershell Module CMDlets:

Windows Server 8 provides the following CMDlets to support AD/DCs:

PS C:\> Get-Command | Where-Object{$_.ModuleName -eq "ActiveDirectory"} | Select CommandType,Name,ModuleName | FT -AutoSize

CommandType Name                                                 ModuleName
———– —-                                                 ———-
Cmdlet      Add-ADCentralAccessPolicyMember                      ActiveDirectory
Cmdlet      Add-ADComputerServiceAccount                         ActiveDirectory
Cmdlet      Add-ADDomainControllerPasswordReplicationPolicy      ActiveDirectory
Cmdlet      Add-ADFineGrainedPasswordPolicySubject               ActiveDirectory
Cmdlet      Add-ADGroupMember                                    ActiveDirectory
Cmdlet      Add-ADPrincipalGroupMembership                       ActiveDirectory
Cmdlet      Add-ADResourcePropertyListMember                     ActiveDirectory
Cmdlet      Clear-ADAccountExpiration                            ActiveDirectory
Cmdlet      Clear-ADClaimTransformLink                           ActiveDirectory
Cmdlet      Disable-ADAccount                                    ActiveDirectory
Cmdlet      Disable-ADOptionalFeature                            ActiveDirectory
Cmdlet      Enable-ADAccount                                     ActiveDirectory
Cmdlet      Enable-ADOptionalFeature                             ActiveDirectory
Cmdlet      Get-ADAccountAuthorizationGroup                      ActiveDirectory
Cmdlet      Get-ADAccountResultantPasswordReplicationPolicy      ActiveDirectory
Cmdlet      Get-ADCentralAccessPolicy                            ActiveDirectory
Cmdlet      Get-ADCentralAccessRule                              ActiveDirectory
Cmdlet      Get-ADClaimTransformPolicy                           ActiveDirectory
Cmdlet      Get-ADClaimType                                      ActiveDirectory
Cmdlet      Get-ADComputer                                       ActiveDirectory
Cmdlet      Get-ADComputerServiceAccount                         ActiveDirectory
Cmdlet      Get-ADDCCloningExcludedApplicationList               ActiveDirectory
Cmdlet      Get-ADDefaultDomainPasswordPolicy                    ActiveDirectory
Cmdlet      Get-ADDomain                                         ActiveDirectory
Cmdlet      Get-ADDomainController                               ActiveDirectory
Cmdlet      Get-ADDomainControllerPasswordReplicationPolicy      ActiveDirectory
Cmdlet      Get-ADDomainControllerPasswordReplicationPolicyUsage ActiveDirectory
Cmdlet      Get-ADFineGrainedPasswordPolicy                      ActiveDirectory
Cmdlet      Get-ADFineGrainedPasswordPolicySubject               ActiveDirectory
Cmdlet      Get-ADForest                                         ActiveDirectory
Cmdlet      Get-ADGroup                                          ActiveDirectory
Cmdlet      Get-ADGroupMember                                    ActiveDirectory
Cmdlet      Get-ADObject                                         ActiveDirectory
Cmdlet      Get-ADOptionalFeature                                ActiveDirectory
Cmdlet      Get-ADOrganizationalUnit                             ActiveDirectory
Cmdlet      Get-ADPrincipalGroupMembership                       ActiveDirectory
Cmdlet      Get-ADReplicationAttributeMetadata                   ActiveDirectory
Cmdlet      Get-ADReplicationConnection                          ActiveDirectory
Cmdlet      Get-ADReplicationFailure                             ActiveDirectory
Cmdlet      Get-ADReplicationPartnerMetadata                     ActiveDirectory
Cmdlet      Get-ADReplicationQueueOperation                      ActiveDirectory
Cmdlet      Get-ADReplicationSite                                ActiveDirectory
Cmdlet      Get-ADReplicationSiteLink                            ActiveDirectory
Cmdlet      Get-ADReplicationSiteLinkBridge                      ActiveDirectory
Cmdlet      Get-ADReplicationSubnet                              ActiveDirectory
Cmdlet      Get-ADReplicationUpToDatenessVectorTable             ActiveDirectory
Cmdlet      Get-ADResourceProperty                               ActiveDirectory
Cmdlet      Get-ADResourcePropertyList                           ActiveDirectory
Cmdlet      Get-ADResourcePropertyValueType                      ActiveDirectory
Cmdlet      Get-ADRootDSE                                        ActiveDirectory
Cmdlet      Get-ADServiceAccount                                 ActiveDirectory
Cmdlet      Get-ADTrust                                          ActiveDirectory
Cmdlet      Get-ADUser                                           ActiveDirectory
Cmdlet      Get-ADUserResultantPasswordPolicy                    ActiveDirectory
Cmdlet      Install-ADServiceAccount                             ActiveDirectory
Cmdlet      Move-ADDirectoryServer                               ActiveDirectory
Cmdlet      Move-ADDirectoryServerOperationMasterRole            ActiveDirectory
Cmdlet      Move-ADObject                                        ActiveDirectory
Cmdlet      New-ADCentralAccessPolicy                            ActiveDirectory
Cmdlet      New-ADCentralAccessRule                              ActiveDirectory
Cmdlet      New-ADClaimTransformPolicy                           ActiveDirectory
Cmdlet      New-ADClaimType                                      ActiveDirectory
Cmdlet      New-ADComputer                                       ActiveDirectory
Cmdlet      New-ADFineGrainedPasswordPolicy                      ActiveDirectory
Cmdlet      New-ADGroup                                          ActiveDirectory
Cmdlet      New-ADObject                                         ActiveDirectory
Cmdlet      New-ADOrganizationalUnit                             ActiveDirectory
Cmdlet      New-ADReplicationSite                                ActiveDirectory
Cmdlet      New-ADReplicationSiteLink                            ActiveDirectory
Cmdlet      New-ADReplicationSiteLinkBridge                      ActiveDirectory
Cmdlet      New-ADReplicationSubnet                              ActiveDirectory
Cmdlet      New-ADResourceProperty                               ActiveDirectory
Cmdlet      New-ADResourcePropertyList                           ActiveDirectory
Cmdlet      New-ADServiceAccount                                 ActiveDirectory
Cmdlet      New-ADUser                                           ActiveDirectory
Cmdlet      Remove-ADCentralAccessPolicy                         ActiveDirectory
Cmdlet      Remove-ADCentralAccessPolicyMember                   ActiveDirectory
Cmdlet      Remove-ADCentralAccessRule                           ActiveDirectory
Cmdlet      Remove-ADClaimTransformPolicy                        ActiveDirectory
Cmdlet      Remove-ADClaimType                                   ActiveDirectory
Cmdlet      Remove-ADComputer                                    ActiveDirectory
Cmdlet      Remove-ADComputerServiceAccount                      ActiveDirectory
Cmdlet      Remove-ADDomainControllerPasswordReplicationPolicy   ActiveDirectory
Cmdlet      Remove-ADFineGrainedPasswordPolicy                   ActiveDirectory
Cmdlet      Remove-ADFineGrainedPasswordPolicySubject            ActiveDirectory
Cmdlet      Remove-ADGroup                                       ActiveDirectory
Cmdlet      Remove-ADGroupMember                                 ActiveDirectory
Cmdlet      Remove-ADObject                                      ActiveDirectory
Cmdlet      Remove-ADOrganizationalUnit                          ActiveDirectory
Cmdlet      Remove-ADPrincipalGroupMembership                    ActiveDirectory
Cmdlet      Remove-ADReplicationSite                             ActiveDirectory
Cmdlet      Remove-ADReplicationSiteLink                         ActiveDirectory
Cmdlet      Remove-ADReplicationSiteLinkBridge                   ActiveDirectory
Cmdlet      Remove-ADReplicationSubnet                           ActiveDirectory
Cmdlet      Remove-ADResourceProperty                            ActiveDirectory
Cmdlet      Remove-ADResourcePropertyList                        ActiveDirectory
Cmdlet      Remove-ADResourcePropertyListMember                  ActiveDirectory
Cmdlet      Remove-ADServiceAccount                              ActiveDirectory
Cmdlet      Remove-ADUser                                        ActiveDirectory
Cmdlet      Rename-ADObject                                      ActiveDirectory
Cmdlet      Reset-ADServiceAccountPassword                       ActiveDirectory
Cmdlet      Restore-ADObject                                     ActiveDirectory
Cmdlet      Search-ADAccount                                     ActiveDirectory
Cmdlet      Set-ADAccountControl                                 ActiveDirectory
Cmdlet      Set-ADAccountExpiration                              ActiveDirectory
Cmdlet      Set-ADAccountPassword                                ActiveDirectory
Cmdlet      Set-ADCentralAccessPolicy                            ActiveDirectory
Cmdlet      Set-ADCentralAccessRule                              ActiveDirectory
Cmdlet      Set-ADClaimTransformLink                             ActiveDirectory
Cmdlet      Set-ADClaimTransformPolicy                           ActiveDirectory
Cmdlet      Set-ADClaimType                                      ActiveDirectory
Cmdlet      Set-ADComputer                                       ActiveDirectory
Cmdlet      Set-ADDefaultDomainPasswordPolicy                    ActiveDirectory
Cmdlet      Set-ADDomain                                         ActiveDirectory
Cmdlet      Set-ADDomainMode                                     ActiveDirectory
Cmdlet      Set-ADFineGrainedPasswordPolicy                      ActiveDirectory
Cmdlet      Set-ADForest                                         ActiveDirectory
Cmdlet      Set-ADForestMode                                     ActiveDirectory
Cmdlet      Set-ADGroup                                          ActiveDirectory
Cmdlet      Set-ADObject                                         ActiveDirectory
Cmdlet      Set-ADOrganizationalUnit                             ActiveDirectory
Cmdlet      Set-ADReplicationConnection                          ActiveDirectory
Cmdlet      Set-ADReplicationSite                                ActiveDirectory
Cmdlet      Set-ADReplicationSiteLink                            ActiveDirectory
Cmdlet      Set-ADReplicationSiteLinkBridge                      ActiveDirectory
Cmdlet      Set-ADReplicationSubnet                              ActiveDirectory
Cmdlet      Set-ADResourceProperty                               ActiveDirectory
Cmdlet      Set-ADResourcePropertyList                           ActiveDirectory
Cmdlet      Set-ADServiceAccount                                 ActiveDirectory
Cmdlet      Set-ADUser                                           ActiveDirectory
Cmdlet      Sync-ADObject                                        ActiveDirectory
Cmdlet      Test-ADServiceAccount                                ActiveDirectory
Cmdlet      Uninstall-ADServiceAccount                           ActiveDirectory
Cmdlet      Unlock-ADAccount                                     ActiveDirectory

PS C:\> Get-Command | Where-Object{$_.ModuleName -eq "ADDSDeployment"} | Select CommandType,Name,ModuleName | FT -AutoSize

CommandType Name                                                        ModuleName
———– —-                                                        ———-
Function    Get-ActiveDirectoryDomainNames                              ADDSDeployment
Function    Get-ActiveDirectorySiteNames                                ADDSDeployment
Function    Invoke-ADDSCanContactOtherDCsinDomain                       ADDSDeployment
Function    Invoke-ADDSDoesDCHostOperationMasterRole                    ADDSDeployment
Function    Invoke-ADDSDoesDNSDelegationForThisMachineExistInParentZone ADDSDeployment
Function    Invoke-ADDSDoesDomainNamingContextExist                     ADDSDeployment
Function    Invoke-ADDSGetAllowedRodcReplicationAccounts                ADDSDeployment
Function    Invoke-ADDSGetApplicationPartitionsInForest                 ADDSDeployment
Function    Invoke-ADDSGetDatabaseFacts                                 ADDSDeployment
Function    Invoke-ADDSGetDefaultDNSOption                              ADDSDeployment
Function    Invoke-ADDSGetDefaultSiteName                               ADDSDeployment
Function    Invoke-ADDSGetDeniedRodcReplicationAccounts                 ADDSDeployment
Function    Invoke-ADDSGetDnsDelegationOptions                          ADDSDeployment
Function    Invoke-ADDSGetDomainControllersInDomain                     ADDSDeployment
Function    Invoke-ADDSGetExistingDCAccountInfo                         ADDSDeployment
Function    Invoke-ADDSGetForestFunctionalLevel                         ADDSDeployment
Function    Invoke-ADDSGetGeneratedNetbiosName                          ADDSDeployment
Function    Invoke-ADDSGetNDNCListWithNoOtherReplicas                   ADDSDeployment
Function    Invoke-ADDSGetSuitableHelperDomainController                ADDSDeployment
Function    Invoke-ADDSIsDc                                             ADDSDeployment
Function    Invoke-ADDSIsRodc                                           ADDSDeployment
Function    Invoke-ExpandEnvironmentVariables                           ADDSDeployment
Function    Restart-DeploymentTarget                                    ADDSDeployment
Function    Test-VerifyADPrepCredential                                 ADDSDeployment
Function    Test-VerifyAppPartitionRemoval                              ADDSDeployment
Function    Test-VerifyAvailableWinDirSpace                             ADDSDeployment
Function    Test-VerifyCertServiceExists                                ADDSDeployment
Function    Test-VerifyChild                                            ADDSDeployment
Function    Test-VerifyComputerName                                     ADDSDeployment
Function    Test-VerifyComputerWasRenamedAndNeedsReboot                 ADDSDeployment
Function    Test-VerifyCurrentUserIsAdministrator                       ADDSDeployment
Function    Test-VerifyDCServiceAvailableForDemotion                    ADDSDeployment
Function    Test-VerifyDemote                                           ADDSDeployment
Function    Test-VerifyDnsConfigOptions                                 ADDSDeployment
Function    Test-VerifyDnsDelegationRemoval                             ADDSDeployment
Function    Test-VerifyDnsRegistration                                  ADDSDeployment
Function    Test-VerifyDomainUpgradeStatus                              ADDSDeployment
Function    Test-VerifyForestName                                       ADDSDeployment
Function    Test-VerifyForestUpgradeStatus                              ADDSDeployment
Function    Test-VerifyFsmoForceRemoval                                 ADDSDeployment
Function    Test-VerifyInfrastructureMasterOnline                       ADDSDeployment
Function    Test-VerifyIsComputerNameValid                              ADDSDeployment
Function    Test-VerifyMachineAdminPassword                             ADDSDeployment
Function    Test-VerifyNamingMasterOnline                               ADDSDeployment
Function    Test-VerifyNetBiosName                                      ADDSDeployment
Function    Test-VerifyNotInSafeBootMode                                ADDSDeployment
Function    Test-VerifyNtfs5DriveAvailable                              ADDSDeployment
Function    Test-VerifyPaths                                            ADDSDeployment
Function    Test-VerifyReplica                                          ADDSDeployment
Function    Test-VerifyReplicateFromMedia                               ADDSDeployment
Function    Test-VerifyReplicationPartner                               ADDSDeployment
Function    Test-VerifyRequiredPortsAreAvailable                        ADDSDeployment
Function    Test-VerifyRODCUpgradeStatus                                ADDSDeployment
Function    Test-VerifySafeModePassword                                 ADDSDeployment
Function    Test-VerifySchemaMasterOnline                               ADDSDeployment
Function    Test-VerifySelectedDcAccount                                ADDSDeployment
Function    Test-VerifySiteSelection                                    ADDSDeployment
Function    Test-VerifySupportedPlatform                                ADDSDeployment
Function    Test-VerifyTcpIPIsInstalledAndFunctioning                   ADDSDeployment
Function    Test-VerifyTree                                             ADDSDeployment
Function    Test-VerifyUserCredentialPermissions                        ADDSDeployment
Function    Test-VerifyUserCredentials                                  ADDSDeployment
Function    Test-VerifyValidRoleChangeState                             ADDSDeployment
Cmdlet      Add-ADDSReadOnlyDomainControllerAccount                     ADDSDeployment
Cmdlet      Install-ADDSDomain                                          ADDSDeployment
Cmdlet      Install-ADDSDomainController                                ADDSDeployment
Cmdlet      Install-ADDSForest                                          ADDSDeployment
Cmdlet      Test-ADDSDomainControllerInstallation                       ADDSDeployment
Cmdlet      Test-ADDSDomainControllerUninstallation                     ADDSDeployment
Cmdlet      Test-ADDSDomainInstallation                                 ADDSDeployment
Cmdlet      Test-ADDSForestInstallation                                 ADDSDeployment
Cmdlet      Test-ADDSReadOnlyDomainControllerAccountCreation            ADDSDeployment
Cmdlet      Uninstall-ADDSDomainController                              ADDSDeployment

PS C:\> Get-Command | Where-Object{$_.ModuleName -eq "ADDeploymentWF"} | Select CommandType,Name,ModuleName | FT -AutoSize

CommandType Name             ModuleName
———– —-             ———-
Function    Invoke-ADCommand ADDeploymentWF

Posted in Active Directory Domain Services (ADDS), Beta/RC Stuff, PowerShell, Windows Server | 2 Comments »

(2011-12-13) Active Directory Replication Over Firewalls

Posted by Jorge on 2011-12-13

I found the following information on a MSFT Wiki page. Interesting read!

Active Directory Replication Over Firewalls

Posted in Active Directory Domain Services (ADDS), Networking | Leave a Comment »

(2011-12-13) AD Design Metrics During Reviewing

Posted by Jorge on 2011-12-13

On Brian Puhl’s blog I found the following which cracked me up! I love it!

Figure 1: The AD Design Metrics During A Review Session

Posted in Active Directory Domain Services (ADDS), Day-To-Day Stuff | Leave a Comment »

(2011-12-12) The Active Directory Web Service (ADWS)

Posted by Jorge on 2011-12-12

Windows Server 2008 R2 (W2K8R2) introduces a new service called the “Active Directory Web Service (ADWS)” to support remote management of running directory services through the WS-* protocols. The AD PowerShell Module (also see: Active Directory Administration with Windows PowerShell and Active Directory Powershell Blog) and the Active Directory Administrative Center (ADAC) are components that require the usage of ADWS. The ADWS is installed automatically when either promoting a W2K8R2 server to a DC (both RWDC and RODC) or installing the first ADLDS instance on a W2K8R2 server. It also supports directory services instances loaded with DSAMAIN (only when on W2K8R2 and not on W2K8!). To find a W2K8R2 DC/server with the ADWS installed DC locator uses a special flag called “DS_WEB_SERVICE_REQUIRED”. The server where the AD PowerShell Modules are being executed or where the ADAC has been started communicates with the DC/server with the ADWS installed over TCP:9389.

Of course it is possible to have the RSAT installed on Win7 workstation or W2K8R2 member server while your AD infrastructure is still running on W2K3 or W2K8. To support both scenarios Microsoft released an out-of-band version of the ADWS which can be downloaded from here.

To install the out-of-band version of the ADWS on W2K3 you must meet the following requirements:

Operating system is at least W2K3 (R2) with SP2
The following hotfix must be installed for .NET Framework 3.5 SP1 “A hotfix rollup package for Active Directory Web Service is available for the .NET Framework 3.5 SP1” (might already be included in .NET Framework 4.0)
The following hotfix must be installed on the W2K3 (R2) DCs so that these understand the new DC Locator Flag “DS_WEB_SERVICE_REQUIRED”. “Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2003-based domain controllers”

To install the out-of-band version of the ADWS on W2K3 you must meet the following requirements:

Operating system is at least W2K8 or W2K8 with SP2
The following hotfix must be installed for .NET Framework 3.5 SP1 “A hotfix rollup package for Active Directory Web Service is available for the .NET Framework 3.5 SP1” (might already be included in .NET Framework 4.0)
The following hotfix must be installed on the W2K8 DCs so that these understand the new DC Locator Flag “DS_WEB_SERVICE_REQUIRED”. “Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2008-based domain controllers” (is already included in SP2 for W2K8)

Figure 1: The Network Trace On A W2K8R2 DC Reporting It Supports The ADWS

Additional information about the ADWS can be found through the following links:

Posted in Active Directory Domain Services (ADDS), PowerShell, Windows Client, Windows Server | 5 Comments »

(2011-12-02) The Long Awaited GUI For Password Settings Objects Is Here!

Posted by Jorge on 2011-12-02

Since Windows Server 2008 it is possible to have multiple Password and Account Lockout Policies within a single AD domain. This cool feature is explained in the post “(2007-08-09) Windows Server 2008 – Fine-Grained Password Policies”. Although the feature is available there is no nice GUI provided by the OS to manage Password Settings Objects (PSO). The only GUI available would be ADSIEDIT, if you call that a GUI. Personally I call that an LDAP editor. The post “(2007-08-09) Windows Server 2008 – Fine-Grained Password Policies” also mentions free third-party tools to manage PSO using a GUI or from the command line. Because you can have multiple PSOs configured and at the same time it is also possible for multiple PSO to target a single AD user account it is also important to quickly determine which PSO will be in effect for that AD user account. Again, there was no default function available through default GUI to determine the effective or resultant PSO. In this case you could either use the Attribute Editor or ADSIEDIT as your GUI. In the post “(2007-09-11) Determining The Effective PSO For A User” I explain how you could add a function to Active Directory Users And Computers (ADUC) to determine the resultant PSO and view its settings at the same time.

Now, as you may know, Microsoft is working hard on Windows 8, the next client and server operating system. Believe it or not, but the RSAT tools in this OS bring you a GUI to manage PSOs easily and also a function to determine the resultant PSO of an AD user account. In addition to that you also get PowerShell CMDLets (already introduced in W2K8R2) to manage PSOs through the command line. Isn’t that cool!?!?.

To see which PowerShell CMDlets are available open a Powershell Prompt Window and execute the following command (without the quotes): “Get-Command *AD*PasswordPolicy* | Select Name” as you can see below.

Figure 1: PowerShell CMDlets Available To Manage PSOs (Already Introduced In W2K8R2)

PowerShell CMDlets to manage PSOs:

The unfortunate part is that the GUI to manage PSOs is only exposed through Active Directory Administration Center (ADAC) and not through Active Directory Users And Computers (ADUC). If you are already using ADAC then you are good to go, but if you are still using ADUC you are not that fortunate and additional stuff and configurations are needed. It is not possible to create a PSO through ADUC. For that you need to either use ADAC or some other tool. To manage other aspects of PSOs (delete and modify) you can either use ADUC or the attribute editor within ADUC. To determine the effective PSO for an AD user account within ADUC, you either need to use the attribute editor or adjust the administration context menu for user objects as shown in the post “(2007-09-11) Determining The Effective PSO For A User”. Instead of using the PSOMGR tool from JOEWARE.NET, you could now use a PowerShell script that calls the “Get-ADUserResultantPasswordPolicy” CMDlet to determine the resultant PSO.

ADAC is a cool tool and if you do not use it already have a look at the following blog post from the ASKDS guys at Microsoft about the ADAC and its interesting features: “Fun with the AD Administrative Center”

Figure 2: Navigating To The Password Settings Container Within ADAC

After navigating to the Password Settings Container you can see the PSO already available within the selected AD domain. By default no PSO exists, and therefore you need to create them yourself. The picture below shows all the PSO I have configured in my test environment. If you want to create a new PSO then select the “New” task in the right pane and after that select “Password Settings”.

Figure 3: Using ADAC To View The Configured Password Settings Objects Within The Selected AD Domain

When creating a new PSO, it is pre-configured with default settings as shown in the picture below. You of course MUST evaluate if the pre-configured settings need to be adjusted to your needs or not. Another setting worth to mention is that when you create a new PSO in ADAC in Windows 8, the PSO by default will be configured with “Protect From Accidental Deletion”. That setting will not allow you to delete the object intentionally or unintentionally. So, before deleting the PSO, you need to uncheck that setting!

Figure 4: The Default Settings When Creating A New PSO Through ADAC In Windows 8

My custom PSOs as shown in figure 3 were create through the PSOMGR tool from JOEWARE.NET. The configuration of one of those PSOs is shown in the picture below. As you can see the option “Protect From Accidental Deletion” has not been configured automatically by that tool.

Please note, that the settings shown are in no way to be considered as best practice settings for PSOs for any purpose! This is just for me to use in a TEST environment!

Figure 5: Configured Settings For A Custom PSO Created Through PSOMGR tool from JOEWARE.NET

Now to determine the resultant PSO for any given AD user account you just need to select an AD user account as shown in the picture below. As soon as you select an AD user account, the right pane immediately shows the available actions for that object that are exactly the same when you would right-click the AD user account. Selecting the action “View resultant password settings…” will tell you which PSO has an effect on that specific AD user account.

Figure 6: Determining The Resultant PSO For Any Given AD User Account

The system does not only tell which PSO is in effect for the selected AD user account, it will also show you the settings of the PSO that has an effect on that AD user account. The picture below shows the settings of the PSO that has an effect on the selected AD user account in figure 6.

Please note, that the settings shown are in no way to be considered as best practice settings for PSOs for any purpose! This is just for me to use in a TEST environment!

Figure 7: The Settings Of The PSO That Has An Effect On The AD User Account Selected In Figure 6

Have fun!

Posted in Active Directory Domain Services (ADDS), Beta/RC Stuff, Windows Server | Leave a Comment »

(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 5

Posted by Jorge on 2011-11-04

In the previous posts I have shown how to install AD. Now it is time to show how to uninstall AD from a DC. In this case I’m going to do everything with Powershell as that’s the new stuff in Windows Server 8. For previous versions of Windows you can read in the following blog post how to (un)install AD: “(2007-03-18) Windows Server Longhorn – Installing, Removing And Upgrading To AD”

We first need to open a Powershell command window, import the correct powershell module and execute the correct CMDlet. At this moment I’m logged on to RODC as a delegated admin that has admin permissions on the RODC but nothing in AD. You can see the result below.

Import-Module ADDSDeployment
Uninstall-ADDSDomainController -LocalAdministratorPassword $(ConvertTo-SecureString "Pa$$w0rd" -AsPlainText -Force) | FL

I’m demoting the RODC using the delegated admin credentials. Because of this I will only be able to demote the RODC. I will not be able to delete the RODC metadata as for that you need to have either “Enterprise Admins” or “Domain Admins” equivalent permissions. It should end up as a member server in the AD domain after the demotion when using “Enterprise Admins” or “Domain Admins” equivalent permissions and it should end up as a stand alone server when using Delegated Admin equivalent permissions.

Figure 1: Credentials Used For The Demotion And The Actual Powershell Command

Below you see the demotion almost being completed.

Figure 2: Uninstalling AD From The DC To Become A Member Server

Because I used Delegated Admin equivalent permissions the RODC ended up as a stand alone server and the metadata of the RODC was kept in AD as unused RODC objects. That metadata could be reused for another RODC to attach to. just MAKE SURE the already configured delegated administration configuration and the password replication policy configuration meets your needs. If not, change it accordingly!

The password specified for the local administrator did not work afterwards. Most likely a bug.

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Beta/RC Stuff, Windows Server | 3 Comments »

(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 4

Posted by Jorge on 2011-11-04

We have installed AD on an RWDC and now it is time to install AD on an RODC. Again the Server Manager or Powershell are the key tools here to achieve that goal! For completeness, let’s go through it again end-to-end to make sure you do not miss anything. Server Manager starts by default after logging on. This can be changed if you want that. When Server Manager starts it looks like as shown below. To install AD on the local server you need to choose the option “add roles”. In previous versions of Windows, you had the options “add roles” and “add features”. In this new version of Windows there is no difference anymore as you are going to install “something”. There is still a difference between roles and features, but there no difference anymore how to install either.

Figure 1: Server Manager Dashboard

The following page provides basic information.

Figure 2: The “Before You Begin” Page

As you can read below, you will most likely choose the first option as the second option is only supported by the Remote Desktop Services role.

Figure 3: The “Installation Type” Page

All servers added to the dashboard of the local server will be shown in the list below. In this case only the local server is listed. If multiple remote servers were listed I could add roles/features to those remote servers from this server. Isn’t that cool!!!???

Figure 4: The “Server Selection” Page

To install AD on this version of Windows through the Server Manager you need to select the role called “Active Directory Domain Services” (no shit!, Sherlock! Smile )

Figure 5: The “Server Roles” Page

As soon as you tick the role called “Active Directory Domain Services”, you will see the following window pop-up to also add the AD related tools.

Figure 6: Confirmation To Also Install The RSAT For AD

After clicking “Add Required Features” above, you will be able to click “Next >” as shown in the screen below. As you can see I now did select DNS explicitly.

Figure 7: The “Server Roles” Page

In the following screen you can select features you want to install in addition as needed. I explicitly did not select the “Group Policy Management” feature to be installed. The system will install it automatically during the promotion as the server will become a DC.

Figure 8: The “Features” Page

In the following screen you can read basic information about the “Active Directory Domain Services” role

Figure 9: The “Active Directory Domain Services” Role Specific Information Page

In the following screen you can also read basic information about the “DNS” role because this role was also selected to be installed.

Figure 10: The “DNS Server” Role Specific Information Page

In the following screen you can find a summary of what is going to happen. You need to confirm this to continue. If you want you can have the server to be restarted automatically as required.

Figure 11: The “Confirmation” Page

After clicking “Install” the selected role binaries will be installed on the server.

Figure12: The Installation Of The Roles/Features In Progress

As was already introduced with Windows Server 2008, the role binaries are first installed and afterwards the server has to be promoted to get a DC up and running. In part 2 of this series I clicked the link to promote the server to an RWDC. In this case for the promotion of the server to an RODC I will use Server Manager and Powershell to perform the second stage of the promotion (the first stage of the RODC promotion was done in part 3).To promote to a DC using Server Manager click on the link called “Promote this server to a domain controller”. Note the remark below the installation progress. If for whatever reason you have closed the “add roles and features wizard” window, you can get it back by clicking on the flag icon on the upper right corner of figure 1. If you want to promote the server to an RODC using powershell, then go to the next picture,

Figure 13: The Installation Of The Roles/Features Finished

If you want to go the through the Powershell way, you should NOT click on the “Promote this server to a domain controller” link, but instead you need to open a Powershell command window, import the correct Powershell module and execute the correct CMDlets as shown in picture 16 below. It starts by checking the current status and all the prerequisites.

Import-Module ADDSDeployment
$Creds = Get-Credential
Install-ADDSDomainController -DomainName ADCORP.LAB -SafeModeAdministratorPassword $(ConvertTo-SecureString "dsrmPWD!" -AsPlainText -Force) -ApplicationPartitionsToReplicate * -DatabasePath "D:\AD\DB" -LogPath "D:\AD\LOG" -SysvolPath "D:\AD\SYSVOL" -UseExistingAccount -Credential $creds | FL

Figure 14: Validating Input And Checking Prerequisites

After that it starts by configuring the local server to host AD.

Figure 15: The Actual Installation Of AD On The Local Server

As you can see I’m using the FL shortcut CMDlet to output the result in formatted list instead of a formatted table, which is the default. My main reason is that in the formatted table I would not be able to completely read the message. With the FL shortcut CMDlet I can read everything. The only thing you need to do now is reboot the server and you are done! It’s aliiiiiive!

Figure 16: Promotion Of The Server To An RODC Succeeded

If you did click on the “Promote this server to a domain controller” link, the following screen will appear where you need to specify what you want to do. In this case I use the delegated administration credentials. I first clicked on the “Select” button and I was asked to specify credentials. Those credentials should have at least administrator permissions on the new to be RODC. In other words, those credentials should be specified as the delegated admin (directly or indirectly through a security group). The delegated administrators for an RODC as specified on the computer account of the RODC in the “managedBy” attribute (shown in the “Managed By” tab).

Figure 17: Specifying The Credentials Designated As Delegated Administrator

Based upon those credentials (<FQDN DOMAIN>\<DELEGATED ACCOUNT>) the AD domains within the AD forest will be listed. An AD domain needs to be selected where the server will become an RODC using a pre-created account in the first promotion stage.

Figure 18: The List Of AD Domains Within The AD Forest

Required information is collected as shown below.

Figure 19: Choosing The Deployment Configuration Of The DC

As you can see, the process detected that pre-created RODC objects already exists in the selected AD domain. Except for the DSRM administrator password, all the other options (DNS Server, GC, Site Name) are shown that were specified on the first stage of the RODC promotion. In the second stage of the RODC promotion you still need to specify the DSRM administrator password.

Figure 20: The Core Domain Controller Options To Choose From

The next screen is weird and should NOT be even displayed for RODCs as you do not want DNS delegations for RODCs. All DNS delegations should be done for RWDCs only. This is a bug and will be changed in later builds.

Figure 21: Specifying DNS Delegation And Credentials

The next screen is ALSO weird and should ONLY be even displayed for informational purposes only. It should NOT be possible to edit the designated Delegated Administrators and/or the Password Replication Policy. Although you could edit it here, nothing would happen as that was already done in stage 1 and with the delegated credentials you most likely do not have the permissions to change this (and it should not because this is part of the trusted part of the promotion!). This information is specified during the first stage of the RODC promotion. Although the information was specified in the first stage of the RODC promotion, it still does not list the custom configuration, only the default configuration. All of this is a bug and will be changed in later builds.

Figure 22: The Delegated Administrators And The Password Replication Policy

In the next screen you need to specify the AD related folders, the source RWDC (any RWDC or a specific RWDC), the application NCs that should be hosted by the RODC and whether or not you want to use the Install From Media feature. In addition you can select to only replicate critical data only and finish other replication after the reboot. I never choose the option to only replicate critical data only. All the required data needs to be replicated anyway. In the end I do check to automatically reboot the server when done. After the reboot it is a DC and I can use it right away because it has everything it needs.

Figure 23: The AD Related Folders, The Source RWDC, The Application NCs To Host, Usage Of IFM And The Replication Of Critical Data Only Or Not

Below you can see the default application NCs in the AD forest. If you have custom application NCs those would also show in the list

Figure 24: The Application NCs Available In The AD Forest Eligible To Be Hosted On The RODC

All the information specified and selected.

Figure 25: All The Information Selected And Specified

Below you will see a summary of the specified and selected options. Note the fact that it does not show the AD site and it does not list the RODC to be as a GC and also not as a DNS Server. This is most likely a bug. If you remember correctly I did specify that information in the first stage of the RODC promotion. You can also see that in figure 20 above.

Figure 26: Summary Of Selected And Specified Options

When you click the “View Script” button, it will show you the powershell equivalent options to promote the server to an RODC in the second stage.

Figure 27: Powershell Equivalent Options To Promote Server To An RODC In The Second Stage

Below you see the progress and the results of the promotion in the second stage.

Figure 28a: Progress And Results Of The RODC Promotion In The Second Stage

Figure 28b: Progress And Results Of The RODC Promotion In The Second Stage

Figure 28c: Progress And Results Of The RODC Promotion In The Second Stage

Figure 28d: Progress And Results Of The RODC Promotion In The Second Stage

In the NEXT PART we’ll take care of the removal of AD from the DC.

Cheers,

Jorge

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Beta/RC Stuff, Windows Server | 2 Comments »

« Previous Entries

Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & ILM/FIM (It is just like an addiction, The more you have, the more you want to have!)

Profiles

Statistics

Other Cool Blogs

Interesting Places To Visit

The Knowledge Archives

RSS Links

Email Subscription

Categories

Archive for the ‘Active Directory Domain Services (ADDS)’ Category

(2012-03-28) Managing The ‘Protect From Accidental Deletion’ Option On AD Objects Through PowerShell

(2012-01-26) Troubleshooting Authentication Problems – Kerberos Or NTLM

Troubleshooting Authentication Problems – Kerberos Or NTLM

(2011-12-14) Active Directory PowerShell Module CMDlets

(2011-12-13) Active Directory Replication Over Firewalls

(2011-12-13) AD Design Metrics During Reviewing

(2011-12-12) The Active Directory Web Service (ADWS)

(2011-12-02) The Long Awaited GUI For Password Settings Objects Is Here!

(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 5

(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 4

All about Windows Server, ADDS, ADFS & ILM/FIM (It is just like an addiction, The more you have, the more you want to have!)

Profiles

Statistics

Other Cool Blogs

Interesting Places To Visit

The Knowledge Archives

RSS Links

Email Subscription

Categories

Archive for the ‘Active Directory Domain Services (ADDS)’ Category

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: