module 10_ improving the security of authentication in an ad ds domain

07/06/13 Module 10: Improving the Security of Authentication in an AD DS Domain

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=12&FontSize=3&FontType=segoe 1/90

Module10:ImprovingtheSecurityofAuthenticationinanADDSDomain

Contents:

Lesson1: ConfigurePasswordandLockoutPolicies

LabA: ConfigurePasswordandAccountLockoutPolicies

Lesson2: AuditAuthentication

LabB: AuditAuthentication

Lesson3: ConfigureReadOnlyDomainControllers

LabC: ConfigureReadOnlyDomainControllers

Module Overview



WhenuserslogontoanActiveDirectory domain,theyentertheirusernameandpassword.Then,theclientcomputerusesthosecredentialstoauthenticatetheusersidentitiesagainsttheirActiveDirectoryaccounts.InModule3,youlearnedhowtocreateandmanageuseraccountsandtheirproperties,includingpasswords.Inthismodule,youwillexplorethedomainsidecomponentsofauthentication,includingthepoliciesthatspecifypasswordrequirementsandtheauditingofauthenticationrelatedactivities.YouwillalsodiscovertwofeaturesintroducedbyWindowsServer 2008thatcansignificantlyimprovethesecurityofauthenticationinanActiveDirectoryDomainServices(ADDS)domain,passwordsettingsobjects(betterknownasfinegrainedpasswordpolicy)andreadonlydomaincontrollers(RODCs).

Objectives



Aftercompletingthismodule,youwillbeableto:

Configurepasswordandaccountlockoutpolicies.

Configureauditingofauthenticationrelatedactivity.

ConfigureRODCs.

Lesson 1: Configure Password and Lockout Policies

Bydefault,inaWindowsServer2008orWindowsServer2008R2domain,users



needtochangetheirpasswordevery42days,andapasswordmustbeatleastsevencharacterslongandmeetcomplexrequirements,includingtheuseofthreeoffourcharactertypes:uppercase,lowercase,numeric,andnonalphanumeric.Typically,inanActiveDirectorydomain,administratorsandusersfirstencounterthreepasswordpoliciesmaximumpasswordage,passwordlength,andpasswordcomplexity.Rarelydothesedefaultsettingsalignpreciselywithanorganizationspasswordsecurityrequirements.Yourorganizationmightrequirepasswordstobechangedmoreorlessfrequently,ortobelonger.Inthislesson,youwilllearntoimplementyourenterprisespasswordandlockoutpoliciesbymodifyingtheDefaultDomainPolicyGroupPolicyobject(GPO).

Asyouknow,thereareexceptionstoeveryrule,andyoumayrequireexceptionstoyourpasswordpolicies.Toenhanceyourdomainssecurity,youcanplacemorerestrictivepasswordrequirementsforaccountsassignedtoadministrators,foraccountsusedbyservicessuchasMicrosoftSQLServer,orforabackuputility.InearlierversionsofWindows,thiswasnotpossibleasinglepasswordpolicyappliedtoallaccountsinthedomain.Inthislesson,youwilllearntoconfigurefinegrainedpasswordpolicies.ThisisanewfeatureinWindowsServer2008thatallowsyoutoassigndifferentpasswordpoliciestousersandgroupsinyourdomain.

Objectives

Aftercompletingthislesson,youwillbeableto:

Understandpasswordandaccountlockoutpolicies.



Implementyourdomainpasswordandaccountlockoutpolicy.

Configureandassignfinegrainedpasswordpolicies.

Understand Password Policies

YourdomainspasswordpolicyisconfiguredbyaGPOscopedtothedomain.WithintheGPO,intheGroupPolicyconsoletree,expandComputerConfiguration,Policies,WindowsSettings,SecuritySettings,andthenAccountPolicies.IntheAccountPoliciesnode,accessthePasswordPolicynodetoconfigurethepolicysettingsthatdeterminepasswordrequirements.ThePasswordPolicynodeisshowninthe



followingscreenshot.

Youcanunderstandtheeffectofthepoliciesbyconsideringthelifecycleofauserpassword.AuserneedstochangethepasswordwithinthenumberofdaysspecifiedbytheMaximumPasswordAgepolicysetting.Whentheuserentersanewpassword,thelengthofthenewpasswordwillbecomparedwiththenumberofcharactersintheMinimumPasswordLengthpolicy.

IfthePasswordandMustMeetComplexityRequirementspolicyisenabled,thepasswordmustcontainatleastthreeofthefollowingfourcharactertypes:

Uppercase:AtoZ

Lowercase:atoz

Numeric:0to9



Nonalphanumericsymbols:!,#,%,or&

Ifthenewpasswordmeetsrequirements,ActiveDirectoryputsthepasswordthroughamathematicalalgorithmthatproducesarepresentationofthepasswordcalledthehashcode.Thehashcodeisuniquenotwodifferentpasswordscancreatethesamehashcode.Thealgorithmusedtocreatethehashcodeiscalledaonewayfunction.Youcannotputthehashcodethroughareversefunctiontoderivethepassword.ThefactthatitisahashcodeandnotthepassworditselfthatisstoredinActiveDirectoryhelpsincreasetheuseraccountssecurity.

Occasionally,someapplicationsrequiretheabilitytoreadauser'spassword.Thisisnotpossiblebecause,bydefault,onlythehashcodeisstoredinActiveDirectory.Tosupportsuchapplications,youcanenabletheStorePasswordsUsingReversibleEncryptionpolicysetting.Thispolicysettingisnotenabledbydefault.Ifyouenablethepolicy,userpasswordsarestoredinanencryptedformthatcanbedecryptedbytheapplication.Reversibleencryptionsignificantlyreducesadomainssecurity,soitisdisabledbydefault,andyoushouldstrivetoeliminateapplicationsthatrequiredirectaccesstopasswords.

Additionally,ActiveDirectorycancheckthecacheoftheusersprevioushashcodestoensurethatthenewpasswordisnotthesameastheuserspreviouspasswords.ThenumberofpreviouspasswordsagainstwhichanewpasswordisevaluatedisdeterminedbytheEnforcePasswordHistorypolicy.Bydefault,Windowsmaintains



theprevious24hashcodes,whichmeansthatausercannotusethelast24passwordswhenenteringanewone.

Ifauserisdeterminedtoreusethesamepasswordwhenthepasswordexpirationperiodoccurs,theusercouldsimplychangethepassword25timestoworkaroundthepasswordhistory.Topreventthatfromhappening,theMinimumPasswordAgepolicyspecifiesanamountoftimethatmustpassbetweenpasswordchanges.Bydefault,itisoneday.Therefore,thedetermineduserwouldhavetochangethepasswordonceperdayfor25daystoreuseapassword.Thisservesasaneffectivedeterrentofsuchbehavior.

Thesepolicysettingshistory,minimumage,andmaximumageaffectonlyauserwhochangesthepassword.ThesettingsdonotaffectanadministratorwhousestheResetPasswordcommandtochangeanotheruser'spassword.

Understand Account Lockout Policies



Anintrudercangainaccesstotheresourcesinyourdomainbydeterminingavalidusernameandpassword.Usernamesarerelativelyeasytoidentify,becausemostorganizationscreateusernamesfromanemployee'semailaddress,initials,combinationsoffirstandlastnames,oremployeeIDs.Afterausernameisknown,theintrudermustdeterminethecorrectpassword.Thiscanbedonebyguessing,orbyrepeatedlyloggingonwithcombinationsofcharactersorwordsuntilthelogonissuccessful.

Thistypeofattack,calledbruteforce,canbethwartedbylimitingthenumberofincorrectlogonsthatareallowed.Thatiswhataccountlockoutpoliciesachieve.AccountlockoutpoliciesarelocatedinthenodeoftheGPOdirectlybelowthePasswordPolicy.TheAccountLockoutPolicynodeisshowninthefollowingscreen



shot.

Therearethreesettingsrelatedtoaccountlockout.TheAccountLockoutThresholdsettingdeterminesthenumberofinvalidlogonattemptspermittedwithinatimespecifiedbytheResetaccountlockoutcounterafterpolicy.Ifanattackresultsinmoreunsuccessfullogonswithinthattimeframe,theuseraccountislockedout.Whenanaccountislockedout,ActiveDirectorydenieslogontothataccount,evenifthecorrectpasswordisspecified.TheaccountwillremainlockedoutfortheperiodoftimespecifiedintheAccountlockoutdurationsetting.Ifyousetthistoavalueof0,onlytheadministratorcanmanuallyunlockalockeduseraccountbyusingtheActiveDirectoryUsersandComputersconsole.

NoteAlthoughaccountlockoutpoliciescanbeusefulinpreventingbruteforceattacks,someorganizationschoosenottodefineaccountlockoutpolicies,becausetheycanactuallycreatedenialofservicescenarios.Ifahackerperformsabruteforceattackagainstan



accountusedbyaserviceaccountyourSQLservers,forexampleandtheaccountis

locked,eventuallytheservicewillfail.Manyorganizationschoosetouseauditing,intrusiondetection,andothermonitoringapproachestomitigatebruteforceattacks.

Configure the Domain Password and Lockout Policy

ActiveDirectorysupportsonesetofpasswordandlockoutpoliciesforadomain.ThesepoliciesareconfiguredinaGPOthatisscopedtothedomain.AnewdomaincontainsaGPOcalledtheDefaultDomainPolicythatislinkedtothedomainandthatincludesthedefaultpolicysettingsforpassword,accountlockout,andKerberos



policies.YoucanchangethesettingsbyeditingtheDefaultDomainPolicyGPO.

ThebestpracticeistoedittheDefaultDomainPolicyGPOtospecifythepasswordpolicysettingsforyourorganization.YoushouldalsousetheDefaultDomainPolicyGPOtospecifyaccountlockoutpoliciesandKerberospolicies.DonotusetheDefaultDomainPolicyGPOtodeployanyothercustompolicysettings.Inotherwords,theDefaultDomainPolicyGPOonlydefinesthepassword,accountlockout,andKerberospoliciesforthedomain.Additionally,donotdefinepassword,accountlockout,orKerberospoliciesforthedomaininanyotherGPO.

ThepasswordsettingsconfiguredintheDefaultDomainPolicyaffectalluseraccountsinthedomain.Thesettingscanbeoverridden,however,bythepasswordrelatedpropertiesoftheindividualuseraccounts.OntheAccounttabofauser'sPropertiesdialogbox,youcanspecifysettingssuchasPasswordNeverExpiresorStorePasswordsUsingReversibleEncryption.Forexample,iffiveusershaveanapplicationthatrequiresdirectaccesstotheirpasswords,youcanconfiguretheaccountsforthoseuserstostoretheirpasswordsbyusingreversibleencryption.



Demonstration: Configure Domain Account Policies



Inthisdemonstration,youseehowtoconfigurethedomainaccountpoliciestomeetthefollowingrequirementsforpasswords:

Aminimumofeightcharacterslong.

ComplywithWindowsdefaultcomplexityrequirements.

Usersmustchangetheirpasswordevery90days.

Userscannotchangetheirownpasswordmorethanonceaweek.

Ausercannotreuseapasswordwithinayear.



Demonstration Steps

1. IntheGroupPolicyManagementconsole,intheconsoletree,expandForest:contoso.com,Domains,andcontoso.com.

2. RightclickDefaultDomainPolicyunderneaththedomain,contoso.com,andthenclickEdit.

3. IntheGroupPolicyManagementEditorconsoletree,expandComputerConfiguration,Policies,WindowsSettings,SecuritySettings,andAccountPolicies,andthenclickPasswordPolicy.

4. Doubleclickthefollowingpolicysettingsintheconsoledetailspaneandconfigurethesettingsasindicated:

Enforcepasswordhistory:53passwordsremembered

Maximumpasswordage:90days

Minimumpasswordage:7days

Minimumpasswordlength:8characters

Passwordmustmeetcomplexityrequirements:Enabled

5. ClosetheGroupPolicyManagementEditorwindow.

6. ClosetheGroupPolicyManagementwindow.



Fine-Grained Password and Lockout Policy

IntheWindowsServer2003ActiveDirectoryenvironment,itwasnotpossibletohavemorethanonepasswordandaccountlockoutpolicyperdomain.BecauseofthislimitationintheearlierWindowsServerversions,youhadtocreatemorethanonedomainintheActiveDirectoryforestfordifferentpasswordrequirementsinasingleorganization.Forexample,considerascenariowhereyouwantyouradministratorstohavepasswordswithaminimumlengthof14charactersandotheruserstohaveatleast7ormorecharacters.Theonlywaytoaccomplishthisistomoveadministrators(orusers)toanotherdomain.Insuchscenarios,administratorsusuallycreatetwodomainssuchascontoso.comandusers.contoso.com.However,itcancauseadditionalmaintenanceandadministrativecosttosupporttwodomainstructures.You



cansolvethisproblembyusingWindowsServer2008.YoucanoverridethedomainpasswordandlockoutpolicybyusinganewfeatureofWindowsServer2008calledfinegrainedpasswordandlockoutpolicy,oftenshortenedtosimplyfinegrainedpasswordpolicy.Afinegrainedpasswordpolicyallowsyoutoconfigureapolicythatappliestooneormoregroupsorusersinyourdomain.However,youcannotapplythisfunctionalitybyusingGroupPolicy.Youcanapplyitonlybydefininganewtypeofobjectandsomeadditionalattributestouserandgroupobjects.

AfinegrainedpasswordpolicyisahighlyanticipatedadditiontoActiveDirectory.Thereareseveralscenariosforwhichafinegrainedpasswordpolicycanbeusedtoincreaseyourdomainsecurity.

AccountsusedbyadministratorsaredelegatedprivilegestomodifyobjectsinActiveDirectory.Therefore,ifanintrudercompromisesanadministrator'saccount,moredamagecanbedonetothedomainthancouldbedonewiththeaccountofastandarduser.Therefore,considerimplementingstricterpasswordrequirementsforadministrativeaccounts.Forexample,youmightrequireagreaterpasswordlengthandmorefrequentpasswordchanges.

AnothertypeofaccountthatrequiresspecialtreatmentinadomainisanaccountusedbyservicessuchasSQLServer.Aserviceperformsitstaskswithcredentialsthatmustbeauthenticatedwithausernameandpasswordjustlikethoseofahumanuser.However,mostservicesarenotcapableofchangingtheirownpassword,soadministratorsconfigureserviceaccountswiththePasswordNeverExpiresoption



enabled.Whenanaccountspasswordwillnotbechanged,youshouldensurethatthepasswordisdifficulttocompromise.Youcanusefinegrainedpasswordpoliciestospecifyanextremelylongminimumpasswordlength.

Understand Password Settings Objects

ThesettingsmanagedbyfinegrainedpasswordpolicyareidenticaltothoseinthePasswordPolicyandAccountsPolicynodesofaGPO.However,finegrainedpasswordpoliciesareneitherimplementedaspartofGroupPolicynoraretheyappliedaspartofaGPO.Instead,thereisaseparateclassofobjectinActiveDirectorythatmaintainsthesettingsforfinegrainedpasswordpolicythePasswordSettingsObject(PSO).



MostActiveDirectoryobjectscanbemanagedwithuserfriendlygraphicaluserinterface(GUI)tools,suchastheActiveDirectoryUsersandComputerssnapin.YoumanagePSOs,however,withlowleveltools,includingActiveDirectoryServiceInterfaceEditor(ADSIEdit).

YoucancreateoneormorePSOsinyourdomain.EachPSOcontainsacompletesetofpasswordandlockoutpolicysettings.APSOisappliedbylinkingthePSOtooneormoreglobalsecuritygroupsorusers.Actually,bylinkingaPSOtoauseroragroup,youremodifyinganattributecalledmsDSPSOApplied,whichisemptybydefault.Thisapproachnowtreatspasswordandaccountlockoutsettingsnotasdomainwiderequirements,butasattributestoaspecificuseroragroup.Forexample,toconfigureastrictpasswordpolicyforadministrativeaccounts,createaglobalsecuritygroup,addtheserviceuseraccountsasmembers,andlinkaPSOtothegroup.Applyingfinegrainedpasswordpoliciestoagroupinthismannerismoremanageablethanapplyingthepoliciestoeachindividualuseraccount.Ifyoucreateanewserviceaccount,yousimplyaddittothegroup,andtheaccountbecomesmanagedbythePSO.

Touseafinegrainedpasswordpolicy,yourdomainmustbeattheWindowsServer2008domainfunctionallevel,whichmeansthatallofyourdomaincontrollersinthedomainarerunningWindowsServer2008,andthedomainfunctionallevelhasbeenraisedtoWindowsServer2008.

Toconfirmandmodifythedomainfunctionallevel:



1. OpenActiveDirectoryDomainsandTrusts.

2. Intheconsoletree,expandActiveDirectoryDomainsandTrusts,andthenexpandthetreeuntilyoucanseethedomain.

3. Rightclickthedomain,andthenclickRaisedomainfunctionallevel.

Demonstration: Configure Fine-Grained Password Policy

Inthisdemonstration,youwillseehowtoconfigureafinegrainedpasswordpolicytoenhancethesecurityofaccountsintheDomainAdminsgroup.



Demonstration Steps

1. VerifythatthedomainfunctionallevelisWindowsServer2008.

2. RuntheADSIEditutilityonadomaincontroller.

3. CreateanewPSO,namedMyDomainAdminsPSOinDC=Contoso>DC=com>CN=System>CN=PasswordSettingsContainer,withfollowingsettings:

Passwordstoredwithreversibleencryption:False

Passwordhistory:Enabled

Passwordcomplexityrequirement:Enabled

Minimumpasswordage:1day


Accountlockoutthreshold:5

Accountlockoutduration:1day

Accountlockoutcounterreset:1hour

4. AssignanewPSOtoDomainAdminsgroup.

PSO Precedence and Resultant PSO



APSOcanbelinkedtomorethanonegrouporuser,anindividualgrouporusercanhavemorethanonePSOlinkedtoit,andausercanbelongtomultiplegroups.So,whichfinegrainedpasswordandlockoutpolicysettingsapplytoauser?OneandonlyonePSOdeterminesthepasswordandlockoutsettingsforauser,whichiscalledtheresultantPSO.EachPSOhasanattributethatdeterminesthePSOsprecedence.Theprecedencevalueisanynumbergreaterthan0,wherethenumber1indicatesthehighestprecedence.IfmultiplePSOsapplytoauser,thePSOwiththehighestprecedencetakeseffect.Therulesthatdetermineprecedenceareasfollows:

IfmultiplePSOsapplytogroupstowhichtheuserbelongs,thePSOwiththehighestprecedencewins.



IfoneormorePSOsarelinkeddirectlytotheuser,PSOslinkedtogroupsareignored,regardlessoftheirprecedence.TheuserlinkedPSOwiththehighestprecedencewins.

IfoneormorePSOshavethesameprecedencevalue,ActiveDirectorymustchoose.ItpicksthePSOwiththelowestgloballyuniqueidentifier(GUID).GUIDsarelikeserialnumbersforActiveDirectoryobjectsnotwoobjectshavethesameGUID.GUIDshavenoparticularmeaningtheyarejustidentifierssopickingthePSOwiththelowestGUIDis,ineffect,anarbitrarydecision.YoushouldconfigurePSOswithunique,specificprecedencevaluessothatyouavoidthisscenario.

TheserulesdeterminetheresultantPSO.ActiveDirectoryexposestheresultantPSOinauserobjectattribute,msDSResultantPSO,soyoucanreadilyidentifythePSOthatwillaffectauser.PSOscontainallpasswordandlockoutsettings,sothereisnoinheritanceormergingofsettings.TheresultantPSOistheauthoritativePSO.

ToviewthemsDSResultantPSOattributeofauser:

1. EnsurethatAdvancedFeaturesisenabledontheViewmenu.

2. Openthepropertiesoftheuseraccount.

3. ClicktheAttributeEditortab.

4. ClickFilterandensurethatConstructedisselected.



5. LocatethemsDSResultantPSOattribute.

PSOs, OUs, and Shadow Groups

PSOscanbelinkedtoglobalsecuritygroupsorusers.PSOscannotbelinkedtoorganizationalunits(OUs).IfyouwanttoapplypasswordandlockoutpoliciestousersinanOU,youmustcreateaglobalsecuritygroupthatincludesalloftheusersintheOU.Thistypeofgroupiscalledashadowgroupitsmembershipshadows,ormimics,themembershipofanOU.

NoteThereisnographicaltoolinWindowsServer2008tocreateshadowgroups.However,youcancreateandmanagethembyusingaverysimplescriptthatwillrunperiodically.ThisscriptshouldenumerateuserobjectsinthedesiredOUandputtheminagroup.

Lab A: Configure Password and Account LockoutPolicies



Lab Setup

Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubeginthelab,youmustcompletethefollowingsteps:

1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthenclickHyperVManager.

2. InHyperVManager,click6425CNYCDC1,andintheActionspane,clickStart.

3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.



4. Logonbyusingthefollowingcredentials:

Username:Pat.Coleman

Password:Pa$$w0rd

Domain:Contoso

Lab Scenario

ThesecurityteamatContoso,LtdhastaskedyouwithincreasingthesecurityandmonitoringofauthenticationagainsttheenterprisesADDSdomain.Specifically,youmustenforceaspecifiedpasswordpolicyforalluseraccounts,andamorestringentpasswordpolicyforsecuritysensitive,administrativeaccounts.

Exercise 1: Configure the Domains Password and Lockout Policies

Inthisexercise,youwillmodifytheDefaultDomainPolicyGPOtoimplementapasswordandlockoutpolicyforusersinthecontoso.comdomain.

Themaintasksforthisexerciseareasfollows:

1. Configurethedomainaccountpolicies.



Task: Configure the domain account policies.

1. RunGroupPolicyManagementasanadministrator,withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd.

2. EdittheDefaultDomainPolicyGPO.

3. Configurethefollowingpasswordpolicysettings.Leaveothersettingsattheirdefaultvalues.


Minimumpasswordlength:10characters

4. Configurethefollowingaccountlockoutpolicysetting.Leaveothersettingsattheirdefaultvalues.

Accountlockoutthreshold:5invalidlogonattempts.

5. CloseGroupPolicyManagementEditorandGroupPolicyManagement.

Results:Inthisexercise,youconfigurednewsettingsforthedomainaccountpolicies.

Exercise 2: Configure Fine-Grained Password Policy



Inthisexercise,youwillcreateaPSOthatappliesarestrictive,finegrainedpasswordpolicytouseraccountsintheDomainAdminsgroup.YouwillidentifythePSOthatcontrolsthepasswordandlockoutpoliciesforanindividualuser.Finally,youwilldeletethePSOthatyoucreated.


1. CreateaPSO.

2. LinkaPSOtoagroup.

3. IdentifytheResultantPSOforauser.

4. DeleteaPSO.

Task 1: Create a PSO.

1. ClickStart,pointtoAdministrativeTools,rightclickADSIEdit,andclickRunasadministrator.

2. ClickUseanotheraccount.

3. IntheUsernamebox,typePat.Coleman_Admin.

4. InthePasswordbox,typePa$$w0rd,andthenpressEnter.TheADSIEditconsoleopens.



5. RightclickADSIEditandclickConnectTo.

6. Acceptalldefaults.ClickOK.

7. ClickDefaultNamingContextintheconsoletree.

8. ExpandDefaultNamingContextandclickDC=contoso,DC=com.

9. ExpandDC=contoso,DC=comandclickCN=System.

10. ExpandCN=SystemandclickCN=PasswordSettingsContainer.

AllPSOsarecreatedandstoredinthePasswordSettingsContainer(PSC).

11. RightclickCN=PasswordSettingsContainerandchooseNew,Object.TheCreateObjectdialogboxappears.

Itpromptsyoutoselectthetypeofobjecttocreate.Thereisonlyonechoice:msDSPasswordSettingsthetechnicalnamefortheobjectclassreferredtoasaPSO.

12. ClickNext.YouarethenpromptedforthevalueforeachattributeofaPSO.Theattributesaresimilartothosefoundinthedomainaccountpolicies.

13. Configureeachattributeasindicatedbelow.ClickNextaftereachattribute.

cn:MyDomainAdminsPSO.ThisisthefriendlynameofthePSO.

msDSPasswordSettingsPrecedence:1.ThisPSOhasthehighestpossibleprecedence.



msDSPasswordReversibleEncryptionEnabled:False.Thepasswordisnotstoredbyusingreversibleencryption.

msDSPasswordHistoryLength:30.Theusercannotreuseanyofthelast30passwords.

msDSPasswordComplexityEnabled:True.Passwordcomplexityrulesareenforced.

msDSMinimumPasswordLength:15.Passwordsmustbeatleast15characterslong.

msDSMinimumPasswordAge:1:00:00:00.Ausercannotchangethepasswordwithinonedayofapreviouschange.Theformatisd:hh:mm:ss(days,hours,minutes,seconds).

msDSMaximumPasswordAge:45:00:00:00.Thepasswordmustbechangedevery45days.

msDSLockoutThreshold:5.FiveinvalidlogonswithinthetimeframespecifiedbyXXX(thenextattribute)willresultinaccountlockout.

msDSLockoutObservationWindow:0:01:00:00.Fiveinvalidlogons(specifiedbythepreviousattribute)withinonehourwillresultinaccountlockout.

msDSLockoutDuration:1:00:00:00.Anaccount,iflockedout,willremainlockedforoneday,oruntilitisunlockedmanually.Avalueofzerowillresult



intheaccountremaininglockedoutuntilanadministratorunlocksit.

14. ClickFinish.

15. CloseADSIEdit.

Task 2: Link a PSO to a group.

1. RunActiveDirectoryUsersandComputerswithadministrativecredentials.UsetheaccountPat.Coleman_AdminwiththepasswordPa$$w0rd.

2. Intheconsoletree,expandtheSystemcontainer.

IfyoudonotseetheSystemcontainer,clicktheViewmenuoftheMMCconsole,andensurethatAdvancedFeaturesisselected.

3. Intheconsoletree,clickthePasswordSettingsContainer.

4. RightclickMyDomainAdminsPSO,andthenclickAttributeEditor.

5. IntheAttributeslist,clickmsDSPSOAppliesTo,andthenclickEdit.

TheMultivaluedDistinguishedNameWithSecurityPrincipalEditordialogboxappears.

6. ClickAddWindowsAccount.



TheSelectUsers,Computers,orGroupsdialogboxappears.

7. TypeDomainAdmins,andthenpressEnter.

8. ClickOKtwotimestoclosetheopendialogboxes.

Task 3: Identify the Resultant PSO for a user.

1. RunActiveDirectoryUsersandComputersasanadministratorwiththeusernamePat.Coleman_AdminandthepasswordPa$$w0rd.

2. OpenAttributeEditorinthePropertiesdialogboxfortheaccountPat.Coleman_Admin.

3. ClickFilterandensurethatConstructedisselected.

Theattributeyouwilllocateinthenextstepisaconstructedattribute,meaningthattheresultantPSOisnotahardcodedattributeofauserratheritiscalculatedbyexaminingthePSOslinkedtoauserinrealtime.

Question:WhatistheresultantPSOforPatColeman(Administrator)?

Task 4: Delete a PSO.



1. WithAdvancedFeaturesenabledontheViewmenuofActiveDirectoryUsersandComputers,opentheSystemcontainerandthePasswordSettingsContainer.

2. DeletetheMyDomainAdminsPSO,whichyoucreated.

Results:Inthisexercise,youcreatedaPSO,appliedittoDomainAdminsandconfirmeditsapplication,andthendeletedthePSO.

NoteDonotshutdownthevirtualmachineafteryoufinishthislabbecausethesettingsyouhaveconfiguredherewillbeusedinsubsequentlabsinthismodule

Lab Review Questions

Question:WhatarethebestpracticesformanagingPSOsinadomain?

Question:Howcanyoudefineauniquepasswordpolicyforalltheserviceaccountsinthe

ServiceAccountsOU?



Lesson 2: Audit Authentication

WindowsServer2008allowsyoutoauditthelogonactivityofusersinadomain.Byauditingsuccessfullogons,youcanlookforinstancesinwhichanaccountisusedatunusualtimesorinunexpectedlocations,whichmayindicatethatanintruderisloggingontotheaccount.Auditingfailedlogonscanrevealattemptsbyintruderstocompromiseanaccount.Inthislesson,youwilllearntoconfigureauditinglogonauthentication.

Objectives




Configureauditingofauthenticationrelatedactivity.

Distinguishbetweenaccountlogonandlogonevents.

IdentifyauthenticationrelatedeventsintheSecuritylog.

Account Logon and Logon Events

Thislessonexaminestwospecificpolicysettings,AuditAccountLogonEventsandAuditLogonEvents.Youneedtounderstandthedifferencebetweenthesetwo



similarlynamedpolicysettings.

Whenauserlogsontoanycomputerinthedomainbyusingadomainuseraccount,adomaincontrollerauthenticatestheattempttologontothedomainaccount.Thisgeneratesanaccountlogoneventonthedomaincontroller.

Thecomputertowhichtheuserlogsonforexample,theuserslaptopgeneratesalogonevent.Thecomputerdidnotauthenticatetheuseragainsttheaccountitpassedtheaccounttoadomaincontrollerforvalidation.Thecomputerdid,however,allowtheusertologoninteractivelytothecomputer.

Therefore,theeventisalogonevent.

Whentheuserconnectstoafolderonaserverinthedomain,thatserverauthorizestheuserforatypeoflogoncalledanetworklogon.Again,theserverdoesnotauthenticatetheuseritreliesontheticketgiventotheuserbythedomaincontroller.But,theconnectionbytheusergeneratesalogoneventontheserver.

NoteThecontentinthefollowingsectionisspecifictoWindowsServer2008R2.

Advanced Audit Policies

InWindowsServer2008R2,theAdvancedAuditPolicyconfigurationincludesnew



categoriesinGroupPolicyforauditinglogonandaccountlogonevents.YoulearnedabouttheseadvancedauditpoliciesinModule9.Thisprovidesadministratorswiththeabilitytohavemuchmoregranularandmoredetailedcontroloverthelogonprocessandobtaininformationaboutveryspecificeventsthathappenduringthelogonorlogoffprocess.

Foranaccountlogonevent,youcannowdefinefourdifferentsettingsforaudit:

CredentialValidation.Auditeventsgeneratedbyvalidationtestsonuseraccountlogoncredentials.

KerberosServiceTicketOperations.AuditeventsgeneratedbyKerberosserviceticketrequests.

OtherAccountLogonEvents.AuditeventsgeneratedbyresponsestocredentialrequestssubmittedforauseraccountlogonthatarenotcredentialvalidationorKerberostickets.

KerberosAuthenticationService.AuditeventsgeneratedbyKerberosauthenticationticketgrantingticket(TGT)requests.

Youcanauditthefollowinglogonandlogoffevents:

Logon.Auditeventsgeneratedbyuseraccountlogonattemptsonacomputer.



Logoff.Auditeventsgeneratedbyclosingalogonsession.Theseeventsoccuronthecomputerthatwasaccessed.Foraninteractivelogon,thesecurityauditeventisgeneratedonthecomputerthattheuseraccountloggedonto.

AccountLockout.Auditeventsgeneratedbyafailedattempttologontoanaccountthatislockedout.

IPsecMainMode.AuditeventsgeneratedbyInternetKeyExchangeprotocol(IKE)andAuthenticatedInternetProtocol(AuthIP)duringMainModenegotiations.

IPsecQuickMode.AuditeventsgeneratedbyIKEandAuthIPduringQuickModenegotiations.

IPsecExtendedMode.AuditeventsgeneratedbyIKEandAuthIPduringExtendedModenegotiations.

SpecialLogon.Auditeventsgeneratedbyspeciallogons.

OtherLogon/LogoffEvents.AuditothereventsrelatedtologonandlogoffthatarenotincludedintheLogon/Logoffcategory.

NetworkPolicyServer.AuditeventsgeneratedbyRADIUS(IAS)andNetworkAccessProtection(NAP)useraccessrequests.TheserequestscanbeGrant,Deny,Discard,Quarantine,Lock,andUnlock.

Configure Authentication-Related Audit Policies



AccountlogonandlogoneventscanbeauditedbyWindowsServer2008.ThesesettingsthatmanageauditingarelocatedinaGPOintheComputerConfiguration>Policies>WindowsSettings>SecuritySettings>LocalPolicies>AuditPolicynode.TheAuditPolicynodeandthetwosettingsareshowninthefollowingscreenshot.

InWindowsServer2008R2,youcanconfigureadditionalauditpoliciesinthe



AdvancedAuditPolicyConfigurationnode,asshowninthefollowingscreenshot:

Toconfigureanauditpolicy,bothbasicandadvanced,doubleclickthepolicy.Then,itspropertiesdialogboxappears.TheAuditAccountLogonEventsPropertiesdialogboxisshowninthefollowingscreenshot.Thepolicysettingcanbeconfiguredtooneofthefollowingfourstates:

NotDefined:IftheDefineThesePolicySettingscheckboxiscleared,thepolicysettingisnotdefined.Inthiscase,theserverwillaudittheeventbasedonitsdefaultsettingsoronthesettingsspecifiedinanotherGPO.

Definedfornoauditing:IftheDefineThesePolicySettingscheckboxisselected,buttheSuccessandFailurecheckboxesarecleared,theserverwillnotaudittheevent.

Auditsuccessfulevents:IftheDefineThesePolicySettingscheckboxisselected,andtheSuccesscheckboxisselected,theserverwilllogsuccessfuleventsinitsSecuritylog.



Auditfailedevents:IftheDefineThesePolicySettingscheckboxisselected,andtheFailurecheckboxesselected,theserverwilllogunsuccessfuleventsinitsSecuritylog.

Aserversauditbehaviorisdeterminedbytheoneofthesefoursettingsthatisappliedastheresultantsetofpolicy(RSoP).

InWindowsServer2008,thedefaultsettingistoauditsuccessfulaccountlogoneventsandsuccessfullogonevents.So,bothtypesofeventsare,ifsuccessful,enteredintheserversSecuritylog.Ifyouwanttoauditfailuresortoturnoffauditing,youwillneedtodefinetheappropriatesettingintheauditpolicy.

Scope Audit Policies



Aswithallpolicysettings,youshouldbecarefultoscopesettingssothattheyaffectthecorrectsystems.Forexample,ifyouwanttoauditattemptsbyuserstoconnecttoremotedesktopserversinyourenterprise,youcanconfigurelogonevent,auditinginaGPOlinkedtotheOUthatcontainsyourremotedesktopservers.If,ontheotherhand,youwanttoauditlogonsbyuserstodesktopsinyourhumanresourcesdepartment,youcanconfigurelogoneventauditinginaGPOlinkedtotheOUcontaininghumanresourcescomputerobjects.Rememberthatdomainusersloggingontoaclientcomputerorconnectingtoaserverwillgeneratealogoneventnotanaccountlogoneventonthatsystem.

Onlydomaincontrollersgenerateaccountlogoneventsfordomainusers.Rememberthatanaccountlogoneventoccursonthedomaincontrollerthatauthenticatesa



domainuser,regardlessofwherethatuserlogson.Ifyouwanttoauditlogonstodomainaccounts,youshouldscopeaccountlogoneventauditingtoaffectonlydomaincontrollers.Infact,theDefaultDomainControllersGPOthatiscreatedwhenyouinstallyourfirstdomaincontrollerisanidealGPOinwhichtoconfigureaccountlogonauditpolicies.

View Logon Events

Accountlogonandlogonevents,ifaudited,appearintheSecuritylogofthesystemthatgeneratedtheevent.Anexampleisshowninthefollowingscreenshot.



So,ifyouareauditinglogonstocomputersinthehumanresourcesdepartment,theeventsareenteredineachcomputersSecuritylog.Similarly,ifyouareauditingunsuccessfulaccountlogonstoidentifypotentialintrusionattempts,theeventsareenteredineachdomaincontrollersSecuritylog.Thismeans,bydefault,youwillneedtoexaminetheSecuritylogsofalldomaincontrollerstogetacompletepictureofaccountlogoneventsinyourdomain.

Asyoucanimagine,inacomplexenvironmentwithmultipledomaincontrollersandmanyusers,auditingaccountlogonsorlogonscangenerateatremendousnumberofevents.Iftherearetoomanyevents,itcanbedifficulttoidentifyproblematiceventsworthyofcloserinvestigation.Youshouldbalancetheamountofloggingyouperformwiththesecurityrequirementsofyourbusinessandtheresourcesyouhaveavailabletoanalyzeloggedevents.

Lab B: Audit Authentication



ThevirtualmachinesshouldalreadybestartedandavailableaftercompletingLabA.However,iftheyarenot,youshouldcompleteLabAbeforecontinuing.YouwillbeunabletocompleteLabBsuccessfullyunlessyouhavecompletedLabA.

1. Start6425CNYCDC1.

2. LogontoNYCDC1asPat.Coleman,withthepassword,Pa$$w0rd.

3. OpenWindowsExplorerandthenbrowsetoD:\Labfiles\Lab10b.

4. RunLab10b_Setup.batwithadministrativecredentials.UsetheaccountPat.Coleman_Admin,withthepassword,Pa$$w0rd.



5. Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue.

6. ClosetheWindowsExplorerwindow,Lab10b.

Lab Scenario

ThesecurityteamatContoso,LtdhastaskedyouwithincreasingthesecurityandmonitoringofauthenticationagainsttheenterprisesADDSdomain.Specifically,youneedtocreateanaudittrailoflogons.

Exercise: Audit Authentication

Inthisexercise,youwilluseGroupPolicytoenableauditingofbothsuccessfulandunsuccessfullogonactivitybyusersinthecontoso.comdomain.Youwillthengeneratelogoneventsandviewtheresultingentriesintheeventlogs.


1. Configureauditingofaccountlogonevents.

2. Configureauditingoflogonevents.

3. ForcearefreshGroupPolicy.



4. Generateaccountlogonevents.

5. Examineaccountlogonevents.

6. Examinelogonevents.

Task 1: Configure auditing of account logon events.

1. RunGroupPolicyManagementasanadministrator,withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd.

2. ModifytheDefaultDomainControllersPolicyGPOtoenableauditingeventsforbothsuccessfulandfailedaccountlogonevents.

3. CloseGroupPolicyManagementEditor.

Task 2: Configure auditing of logon events.

1. CreateaGroupPolicyObject(GPO)linkedtotheServers\ImportantProjectOU.NametheGPOServerLockdownPolicy.

2. ModifytheServerLockdownPolicytoenableauditingeventsforbothsuccessfulandfailedlogonevents.

3. CloseGroupPolicyManagementEditorandGroupPolicyManagement.



Task 3: Force a refresh Group Policy.

1. Start6425CNYCSVR1.Asthecomputerstarts,itwillapplythechangesyoumadetoGroupPolicy.

2. OnNYCDC1,runtheCommandPromptasanadministrator,withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd,andthenrunthecommandgpupdate.exe/force.Closethecommandprompt.

Task 4: Generate account logon events.

1. LogontoNYCSVR1asPat.Coleman,butenteranincorrectpassword.Thefollowingmessageappears:Theusernameorpasswordisincorrect.

2. Afteryouhavebeendeniedlogon,logonagainwiththecorrectpassword,Pa$$w0rd.

Task 5: Examine account logon events.

1. OnNYCDC1,runEventViewerasanadministrator,withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd.



2. IdentifythefailedandsuccessfuleventsintheSecuritylog.

Question:WhichEventIDisassociatedwiththeaccountlogonfailureevents?(Hint:Lookfor

theearliestofaseriesoffailureeventsatthetimeyouloggedonincorrectlytoNYCSVR1.)

Question:WhichEventIDisassociatedwiththesuccessfulaccountlogon?(Hint:Lookfor

theearliestofaseriesofeventsatthetimeyouloggedonincorrectlytoNYCSVR1.)

Task 6: Examine logon events

1. OnNYCSVR1,runEventViewerasanadministrator,withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd.

2. IdentifythefailedandsuccessfuleventsintheSecuritylog.

Question:WhichEventIDisassociatedwiththelogonfailureevents?(Hint:Lookforthe



earliestofaseriesoffailureeventsatthetimeyouloggedonincorrectlytoNYCSVR1.)

Question:WhichEventIDisassociatedwiththesuccessfullogon?(Hint:Lookfortheearliest

ofaseriesofeventsatthetimeyouloggedonincorrectlytoNYCSVR1.)

Results:Inthisexercise,youestablishedandreviewedauditingforsuccessfulandfailedlogonstothedomainandtoserversintheImportantProjectOU.

NoteDonotshutdownthevirtualmachineafteryoufinishthislabbecausethesettings

youhaveconfiguredherewillbeusedinsubsequentlabsinthismodule.


Question:YouhavebeenaskedtoauditattemptstologontodesktopsandlaptopsintheFinancedivisionbyusinglocalaccountssuchasAdministrator.Whattypeofauditpolicydo



youset,andinwhatGPO(s)?

Lesson 3: Configure Read-Only Domain Controllers

Branchofficespresentauniquechallengetoanenterprisesinformationtechnology(IT)staff:Ifabranchofficeisseparatedfromthehubsitebyawideareanetwork(WAN)link,shouldyouplaceadomaincontrollerinthebranchoffice?InthepreviousversionsofWindows,theanswertothisquestionwasnotsimple.WindowsServer2008,however,introducesanewtypeofdomaincontrollertheRODCthatmakesthequestioneasiertoanswer.Inthislesson,youwillexploretheissues



relatedtobranchofficeauthenticationanddomaincontrollerplacement,andyouwilllearnhowtoimplementandsupportabranchofficeRODC.

Objectives


IdentifythebusinessrequirementsforRODCs.

InstallanRODC.

Configurepasswordreplicationpolicy.

ConfigurepasswordRODCcredentialscaching.

MonitorthecachingofcredentialsonanRODC.

Authentication and Domain Controller Placement in aBranch Office



Considerascenarioinwhichanenterpriseischaracterizedbyahubsiteandseveralbranchoffices.ThebranchofficesconnecttothehubsiteoverWANlinksthatmaybecongested,expensive,slow,orunreliable.UsersinthebranchofficemustbeauthenticatedbyActiveDirectorytoaccessresourcesinthedomain.Shouldadomaincontrollerbeplacedinthebranchoffice?

Inbranchofficescenarios,manyoftheITservicesarecentralizedinthehubsite,whichiscarefullymaintainedbytheITstaff.Inlargerorganizations,thehubsitemayincludearobustdatacenter.Branchoffices,however,areoftensmallersitesinwhichnodatacenterexists.Infact,manybranchofficeshavenosignificantITpresenceotherthanahandfulofservers.Theremaybenophysicallysecurefacilitytohousebranchofficeservers.Theremaybefew,ifany,localITstafftosupporttheservers.



Ifadomaincontrollerisnotplacedinthebranchoffice,authenticationandserviceticketactivitieswillbedirectedtothehubsiteovertheWANlink.Authenticationoccurswhenusersfirstlogontotheircomputersinthemorning.ServiceticketsareacomponentoftheKerberosauthenticationmechanismusedbytheWindowsServer2008domains.Youcanthinkofaserviceticketasakeyissuedbythedomaincontrollertoauser.Thekeyallowstheusertoconnecttoaservice,suchastheFileandPrintservice,onafileserver.Whenauserfirsttriestoaccessaspecificservice,theusersclientrequestswhatiscalledaserviceticketfromthedomaincontroller.Becauseuserstypicallyconnecttomultipleservicesduringaworkday,serviceticketactivityhappensregularly.AuthenticationandserviceticketactivityovertheWANlinkbetweenabranchofficeandahubsitecanresultinsloworunreliableperformance.

Ifadomaincontrollerisplacedinthebranchoffice,authenticationismuchmoreefficientbutthereareseveralpotentiallysignificantrisks.Adomaincontrollermaintainsacopyofallattributesofallobjectsinitsdomain,includingsecretssuchasinformationrelatedtouserpasswords.Ifadomaincontrollerisaccessedorstolen,itbecomespossibleforadeterminedexperttoidentifyvalidusernamesandpasswords,atwhichpointtheentiredomainiscompromised.Youmustatleastresetthepasswordsofeveryuseraccountinthedomain.Becausethesecurityofserversatbranchofficesisoftenlessthanideal,abranchofficedomaincontrollerposesaconsiderablesecurityrisk.

AsecondconcernisthatchangestotheActiveDirectorydatabaseonabranchofficedomaincontrollerreplicatetothehubsiteandtoallotherDCsintheenvironment.



Therefore,corruptiontothebranchofficedomaincontrollerposesarisktotheintegrityoftheenterprisedirectoryservice.Forexample,ifabranchofficeadministratorperformsarestoreofthedomaincontrollerfromanoutdatedbackup,therecanbesignificantrepercussionsfortheentiredomain.

Thethirdconcernrelatestoadministration.Abranchofficedomaincontrollermayrequiremaintenancesuchasanewdevicedriver.Toperformmaintenanceonastandarddomaincontroller,youmustlogonasamemberoftheAdministratorsgrouponthedomaincontroller,whichmeansyouareeffectivelyanadministratorofthedomain.Itmaynotbeappropriatetograntthatlevelofcapabilitytoasupportteamatabranchoffice.

What Are Read-Only Domain Controllers?



Thesecurity,directoryserviceintegrity,andadministrationconcernsleftmanyenterpriseswithadifficultchoicetomake.WindowsServer2008introducestheRODC,whichisdesignedspecificallytoaddressthebranchofficescenario.AnRODCisadomaincontroller,typicallyplacedinthebranchoffice,whichmaintainsacopyofallobjectsinthedomainandallattributesexceptforsecretssuchaspasswordrelatedproperties.Ifyoudonotconfigurecaching,whenauserinthebranchofficelogson,theRODCreceivestherequestandforwardsittoadomaincontrollerinthehubsiteforauthentication.

YoucanconfigureapasswordreplicationpolicyfortheRODCthatspecifiesuseraccountstheRODCisallowedtocache.Iftheuserloggingonisincludedinthepasswordreplicationpolicy,theRODCcachesthatuserscredentials,sothenexttime



authenticationisrequested,theRODCcanperformthetasklocally.Asuserswhoareincludedinthepasswordreplicationpolicylogon,theRODCbuildsitscacheofcredentialssothatitcanperformauthenticationlocallyforthoseusers.Usually,youwilladduserslocatedinthesamephysicalsiteasanRODCtothepasswordreplicationpolicy.

BecausetheRODCmaintainsonlyasubsetofusercredentials,iftheRODCiscompromisedorstolen,theeffectofthesecurityexposureislimited.OnlytheuseraccountsthathadbeencachedontheRODCmusthavetheirpasswordschanged.TheRODCreplicateschangestoActiveDirectoryfromdomaincontrollersinthehubsite.Replicationisoneway.NochangestotheRODCarereplicatedtoanyotherdomaincontroller.Thiseliminatestheexposureofthedirectoryservicetocorruptionduetochangesmadetoacompromisedbranchofficedomaincontroller.Finally,RODCshavetheequivalentofalocalAdministratorsgroup.YoucangiveoneormorelocalsupportpersonneltheabilitytofullymaintainanRODCwithoutgrantingthemtheequivalentrightsofDomainAdmins.

Prerequisites for Deploying an RODC



TodeployanRODC,youfirstmustperformsomepreparationsteps.ThehighlevelstepstoinstallanRODCareasfollows:

1. EnsurethattheforestfunctionallevelisWindowsServer2003orlater.

2. IftheforesthasanydomaincontrollersrunningWindowsServer2003,runadprep/rodcprep.

3. EnsurethereisatleastonewritabledomaincontrollerrunningWindowsServer2008orWindowsServer2008R2.

4. InstalltheRODC.



Eachofthesestepsisdetailedinthefollowingsections.

Verifying and Configuring Forest Functional Level of Windows Server2003 or Later

FunctionallevelsenablefeaturesuniquetospecificversionsofWindows,andarethereforedependentontheversionsofWindowsrunningondomaincontrollers.IfalldomaincontrollersareWindowsServer2003orlater,thedomainfunctionallevelcanbesettoWindowsServer2003.IfalldomainsareattheWindowsServer2003domainfunctionallevel,theforestfunctionallevelcanbesettoWindowsServer2003.Domainandforestfunctionallevelsarediscussedindetailinanothermodule.

RODCsrequirethattheforestfunctionallevelisWindowsServer2003orlatersothatthelinkedvaluereplication(LVR)isavailable.Thisprovidesahigherlevelofreplicationconsistency.ThedomainfunctionallevelmustbeWindowsServer2003orlatersothatKerberosconstraineddelegationisavailable.ThismeansalldomaincontrollersintheentireforestmustberunningWindowsServer2003orlater.

Constraineddelegationsupportssecuritycallsthatmustbeimpersonatedunderthecontextofthecaller.Delegationmakesitpossibleforapplicationsandservicestoauthenticatetoaremoteresourceonbehalfofauser.Becausedelegationprovidespowerfulcapabilities,typicallyonlydomaincontrollersareenabledforit.ForRODCs,applicationsandservicesmustbeabletodelegate,butonlyconstraineddelegationisallowedbecauseitpreventsthetargetfromimpersonatingagainandmakinganotherhop.TheuserorcomputermustbecacheableattheRODCforconstraineddelegation



towork.ThisrestrictionplaceslimitsonhowarogueRODCmaybeabletoabusecachedcredentials.

Todeterminethefunctionallevelofyourforest:

1. OpenActiveDirectoryDomainsandTrusts.

2. Rightclickthenameoftheforest,andthenclickProperties.

3. Verifytheforestfunctionallevel,asshownbelow.Anyusercanverifytheforestfunctionallevelinthisway.Nospecialadministrativecredentialsarerequiredtoviewtheforestfunctionallevel.



IftheforestfunctionallevelisnotatleastWindowsServer2003,examinethepropertiesofeachdomaintoidentifyanydomainsforwhichthedomainfunctionallevelisnotatleastWindowsServer2003.Ifyoufindsuchadomain,ensurethatalldomaincontrollersinthedomainarerunningWindowsServer2003.Then,inActiveDirectoryDomainsandTrusts,rightclickthedomainandclickRaiseDomainFunctionalLevel.AfteryouhaveraisedeachdomainfunctionalleveltoatleastWindowsServer2003,rightclicktherootnodeoftheActiveDirectoryDomainsAndTrustssnapinandclickRaiseForestFunctionalLevel.IntheSelectAnAvailableForestFunctionalLeveldropdownlist,clickWindowsServer2003,andclickRaise.Youmustbeanadministratorofadomaintoraisethedomain'sfunctionallevel.Toraisetheforestfunctionallevel,youmustbeeitheramemberoftheDomainAdminsgroupintheforestrootdomainoramemberoftheEnterpriseAdminsgroup.

Running ADPrep /RODCPrep

IfyouareupgradinganexistingforesttoincludedomaincontrollersrunningWindowsServer2008,youmustrunadprep/rodcprep.ThiscommandconfigurespermissionssothatRODCsareabletoreplicateDNSapplicationdirectorypartitions.DNSapplicationdirectorypartitionsarediscussedinanothermodule.IfyouarecreatinganewActiveDirectoryforest,anditwillhaveonlydomaincontrollersrunningWindowsServer2008,youdonotneedtorunadprep/rodcprep.

Thecommandisfoundinthe\sources\adprepfolderoftheWindowsServer2008installationDVD.Copythefoldertothedomaincontrolleractingastheschema



master.Theschemamasterroleisdiscussedinanothermodule.LogontotheschemamasterasamemberoftheEnterpriseAdminsgroup,openacommandprompt,changedirectoriestotheadprepfolder,andtypeadprep/rodcprep.

Beforerunningadprep/rodcpep,youmustrunadprep/forestprepandadprep/domainprep.SeeModule15formoreinformationaboutpreparingaWindowsServer2003domainandforestforthefirstWindowsServer2008domaincontroller.

Placing a Writable Windows Server 2008 Domain Controller

AnRODCmustreplicatedomainupdatesfromawritabledomaincontrollerrunningWindowsServer2008orWindowsServer2008R2.ItiscriticalthatanRODCisabletoestablishareplicationconnectionwithawritableWindowsServer2008domaincontroller.Ideally,thewritableWindowsServer2008domaincontrollershouldbeintheclosestsitethehubsite.IfyouwanttheRODCtoactasaDNSserver,thewritableWindowsServer2008domaincontrollermustalsohosttheDNSdomainzone.

Installing an RODC



Aftercompletingthepreparatorysteps,youcaninstallanRODC.AnRODCcanbeeitherafullorServerCoreinstallationofWindowsServer2008.WithafullinstallationofWindowsServer2008,youcanusetheActiveDirectoryDomainServicesInstallationWizardtocreateanRODC.SimplyclickReadonlyDomainController(RODC)ontheAdditionalDomainControllerOptionspageofthewizard,asshowninthefollowingscreenshot.

Alternatively,youcanusethedcpromo.execommandwiththe/unattendswitchtocreatetheRODC.OnaServerCoreinstallationofWindowsServer2008,youmustusethedcpromo.exe/unattendcommand.

YoucancompletetheinstallationofanRODCintwostages,eachperformedbya



differentindividual.Thefirststageoftheinstallation,whichrequiresDomainAdmincredentials,createsanaccountfortheRODCinADDS.ThesecondstageoftheinstallationattachestheactualserverthatwillbetheRODCinaremotelocation,suchasabranchoffice,totheaccountthatwaspreviouslycreatedforit.Youcandelegatetheabilitytoattachtheservertoanonadministrativegrouporuser.

Duringthisfirststage,theActiveDirectoryDomainServicesInstallationWizardrecordsalldataabouttheRODCthatwillbestoredinthedistributedActiveDirectorydatabase,suchasitsdomaincontrolleraccountnameandthesiteinwhichitwillbeplaced.ThisstagemustbeperformedbyamemberoftheDomainAdminsgroup.

TheadministratorwhocreatestheRODCaccountcanalsospecifyatthattimewhichusersorgroupscancompletethenextstageoftheinstallation.Thenextstageoftheinstallationcanbeperformedinthebranchofficebyanyuserorgroupwhowasdelegatedtherighttocompletetheinstallationwhentheaccountwascreated.Thisstagedoesnotrequireanymembershipinbuiltingroups,suchastheDomainAdminsgroup.IftheuserwhocreatestheRODCaccountdoesnotspecifyanydelegatetocompletetheinstallationandadministertheRODC,onlyamemberoftheDomainAdminsorEnterpriseAdminsgroupscancompletetheinstallation.

YoucanperformastagedinstallationofanRODCbyusingseveralapproaches.YoucanprecreateanRODCaccountbyusingActiveDirectoryUsersandComputersconsole,whichisappropriateforasmallernumberofaccounts.Youcanalsousethedcpromocommandlineutilitywithappropriateswitches,oryoucanusetheanswer



filetoperformanunattendedinstallationofanRODC.

Demonstration: Configure a Password Replication Policy

ApasswordreplicationpolicydetermineswhichuserscredentialscanbecachedonaspecificRODC.IfapasswordreplicationpolicyallowsanRODCtocacheauser'scredentials,theauthenticationandserviceticketactivitiesofthatusercanbeprocessedbytheRODC.Ifauser'scredentialscannotbecachedonRODC,theauthenticationandserviceticketactivitiesarereferredbytheRODCtoawritabledomaincontroller.Toaccessthepasswordreplicationpolicy,openthepropertiesofthedomaincontrollerintheDomainControllersOUandthenclickthePasswordReplicationPolicytab.ThepasswordreplicationpolicyofanRODCisdeterminedby



twomultivaluedattributesoftheRODC'scomputeraccount.TheseattributesarecommonlyknownastheAllowedListandtheDeniedList.Ifauser'saccountisontheAllowedList,theuser'scredentialsarecached.YoucanincludegroupsontheAllowedList,inwhichcasealluserswhobelongtothegroupcanhavetheircredentialscacheontheRODC.IftheuserisbothontheAllowedListandtheDeniedList,theuser'scredentialswillnotbecachedtheDeniedListtakesprecedence.

Configure Domain-Wide Password Replication Policy

Tofacilitatethemanagementofpasswordreplicationpolicy,WindowsServer2008createstwodomainlocalsecuritygroupsintheUserscontainerofActiveDirectory.Thefirstone,namedAllowedRODCPasswordReplicationGroup,isaddedtotheAllowedListofeachnewRODC.Bydefault,thegrouphasnomembers.Therefore,bydefault,anewRODCwillnotcacheanyuserscredentials.IfthereareuserswhosecredentialsyouwanttobecachedbyalldomainRODCs,addthoseuserstotheAllowedRODCPasswordReplicationGroup.

ThesecondgroupisnamedDeniedRODCPasswordReplicationGroup.ItisaddedtotheDeniedListofeachnewRODC.IfthereareuserswhosecredentialsyouwanttoensurearenevercachedbydomainRODCs,addthoseuserstotheDeniedRODCPasswordReplicationGroup.Bydefault,thisgroupcontainssecuritysensitiveaccountsthataremembersofgroupsincludingDomainAdmins,EnterpriseAdmins,andGroupPolicyCreatorOwners.



NoteRememberthatitisnotonlyuserswhogenerateauthenticationandserviceticketactivity.Computersinabranchofficealsorequiresuchactivity.Toimproveperformanceofsystemsinabranchoffice,allowthebranchRODCtocachecomputercredentialsaswell.

Configure RODC-Specific Password Replication Policy

ThetwogroupsdescribedintheprevioussectionprovideamethodtomanagepasswordreplicationpolicyonallRODCs.However,tobestsupportabranchofficescenario,youneedtoallowtheRODCineachbranchofficetocachecredentialsofusersinthatspecificlocation.Therefore,youneedtoconfiguretheAllowedListandtheDeniedListofeachRODC.

ToconfigureanyRODCspasswordreplicationpolicy,openthepropertiesoftheRODCscomputeraccountintheDomainControllersOU.OnthePasswordReplicationPolicytab,showninthefollowingscreenshot,youcanviewthecurrentpasswordreplicationpolicysettingsandaddorremoveusersorgroupsfromthepasswordreplicationpolicy.



Demonstration Steps

1. RunActiveDirectoryUsersandComputerswithadministrativecredentials.UsetheaccountPat.Coleman_AdminwiththepasswordPa$$w0rd.

2. IntheDomainControllersOUopenthepropertiesofBRANCHDC01.

3. ClickthePasswordReplicationPolicytabandviewthedefaultpolicy.

4. ClosetheBRANCHDC01properties.

5. IntheActiveDirectoryUsersandComputersconsoletree,clicktheUserscontainer.



6. DoubleclickAllowedRODCPasswordReplicationGroup.GototheMemberstabandexaminethedefaultmembershipofAllowedRODCPasswordReplicationGroup.

7. ClickOK.

8. DoubleclickDeniedRODCPasswordReplicationGroupandgototheMemberstab.

9. ClickCanceltoclosetheDeniedRODCPasswordReplicationGroupproperties.

Demonstration: Administer RODC Credentials Caching



Inthisdemonstration,youwillseehowtoadministerRODCcredentialscaching.

WhenyouclicktheAdvancedbuttononthePasswordReplicationPolicytabofanRODC,anAdvancedPasswordReplicationPolicydialogboxappears.Anexampleisshowninthefollowingscreenshot.



ThedropdownlistatthetopofthePolicyUsagetaballowsyoutoselectoneoftworeportsfortheRODC:

AccountswhosepasswordsarestoredonthisReadOnlyDomainController:DisplaythelistofuserandcomputercredentialsthatarecurrentlycachedontheRODC.UsethislisttodeterminewhethernotrequiredcredentialsarebeingcachedontheRODC,andmodifythepasswordreplicationpolicyaccordingly.

AccountsthathavebeenauthenticatedtothisReadOnlyDomainController:Displaythelistofuserandcomputercredentialsthathavebeenreferredtoawritabledomaincontrollerfor

authenticationorserviceticketprocessing.UsethislisttoidentifyusersorcomputersthatareattemptingtoauthenticatewiththeRODC.Ifanyoftheseaccountsarenotbeingcached,consideraddingthemtothepasswordreplicationpolicy.



Inthesamedialogbox,theResultantPolicytaballowsyoutoevaluatetheeffectivecachingpolicyforanindividualuserorcomputer.ClicktheAddbuttontoselectauserorcomputeraccountforevaluation.

YoucanalsousetheAdvancedPasswordReplicationPolicydialogboxtoprepopulatecredentialsintheRODCcache.IfauserorcomputerisontheAllowlistofanRODC,theaccountcredentialscanbecachedontheRODC,butwillnotbecacheduntiltheauthenticationorserviceticketeventscausestheRODCtoreplicatethecredentialsfromawritabledomaincontroller.ByprepopulatingcredentialsintheRODCcache,forusersandcomputersinthebranchofficeforexample,youcanensurethatauthenticationandserviceticketactivitywillbeprocessedlocallybytheRODCevenwhentheuserorcomputerisauthenticatingforthefirsttime.Toprepopulatecredentials,clickPrepopulatePasswordsandselecttheappropriateusersandcomputers.

DemonstrationSteps:

1. OnNYCDC1,intheActiveDirectoryUsersandComputersconsoletree,clicktheDomainControllersOUandopenthepropertiesofBRANCHDC01.

2. ClickPasswordReplicationPolicy.

3. ClickAdvanced.

TheAdvancedPasswordReplicationPolicyforBRANCHDC01dialogboxappears.



ThePolicyUsagetabdisplaysaccountswhosepasswordsarestoredonthisReadOnlyDomainController.

4. Fromthedropdownlist,selectAccountsWhosePasswordsAreStoredOnThisReadOnlyDomainController.

5. Fromthedropdownlist,selectAccountsthathavebeenauthenticatedtothisReadonlyDomainController.

6. ClicktheResultantPolicytab,andthenclickAdd.

TheSelectUsersorComputersdialogboxappears.

7. TypeChris.Gallagher,andthenpressEnter.

8. ClickPolicyUsage.

9. ClickPrepopulatePasswords.

TheSelectUsersorComputersdialogboxappears.

10. Typethenameoftheaccountyouwanttoprepopulate(forexample,typeChris.Gallagher),andthenclickOK.

11. ClickYestoconfirmthatyouwanttosendthecredentialstotheRODC.

Thefollowingmessageappears:Passwordsforallaccountsweresuccessfullyprepopulated.



Administrative Role Separation

RODCsinbranchofficesmayrequiremaintenancesuchasanupdateddevicedriver.Additionally,smallbranchofficesmaycombinetheRODCrolledwiththefileserverroleonasinglesystem,inwhichcaseitwillbeimportanttobeabletobackupthesystem.RODCssupportlocaladministrationthroughafeaturecalledadministrativeroleseparation.ThisfeaturespecifiesthatanydomainuserorsecuritygroupcanbedelegatedtobethelocaladministratorofanRODCwithoutgrantingthatuserorgrouprightsforthedomainorotherdomaincontrollers.Therefore,adelegatedadministratorcanlogontoanRODCtoperformmaintenancework,suchasupgradingadriver,ontheserver.Butthedelegatedadministratorcannotlogontoanyotherdomaincontrollerorperformanyotheradministrativetaskinthedomain.



EachRODCmaintainsalocaldatabaseofgroupsforspecificadministrativepurposes.YoucanaddadomainuseraccounttotheselocalrolestoallowsupportofaspecificRODC.

Youcanconfigureadministrativeroleseparationbyusingthedsmgmt.execommand.ToaddausertotheAdministratorsroleonanRODC,followthesesteps:

1. OpenacommandpromptontheRODC.

2. Typedsmgmt,andthenpressEnter.

3. Typelocalroles,andthenpressEnter.

Atthelocalrolesprompt,youcantype?andpressEnterforalistofcommands.YoucanalsotypelistrolesandpressEnterforalistoflocalroles.

4. Typeaddusernameadministrators,whereusernameisthepreWindows2000logonnameofadomainuser,andthenpressEnter.

YoucanrepeatthisprocesstoaddotheruserstothevariouslocalrolesonanRODC.

Lab C: Configure Read-Only Domain Controllers



Lab Setup

Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubeginthelab,youmustcompletethefollowingsteps:

1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthenclickHyperVManager.

2. InHyperVManager,click6425CNYCDC1,andintheActionspane,clickStart.

3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.



4. Logonbyusingthefollowingcredentials:

Username:Pat.Coleman

Password:Pa$$w0rd

Domain:Contoso

5. OpenWindowsExplorerandthenbrowsetoD:\Labfiles\Lab10c.

6. RunLab10c_Setup.batwithadministrativecredentials.UsetheaccountPat.Coleman_Admin,withthepassword,Pa$$w0rd.

7. Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue.

8. ClosetheWindowsExplorerwindow,Lab10c.

Lab Scenario

ThesecurityteamatContoso,LtdhastaskedyouwithincreasingthesecurityandmonitoringofauthenticationagainsttheenterprisesADDSdomain.Specifically,youaretoimprovethesecurityofdomaincontrollersinbranchoffices.

Exercise 1: Install an RODC

Inthisexercise,youwillconfiguretheserverBRANCHDC01asanRODCin



thedistantbranchoffice.Toavoidtravelcosts,youdecidetodotheconversionremotelywiththeassistanceofAaronPainter,thedesktopsupporttechnicianandonlyITstaffmemberatthebranch.AaronPainterhasalreadyinstalledaWindowsServer2008computernamedBRANCHDC01asaserverinaworkgroup.YouwillstageadelegatedinstallationofanRODCsothatAaronPaintercancompletetheinstallation.


1. StageadelegatedinstallationofanRODC.

2. RuntheActiveDirectoryDomainServicesInstallationWizardonaworkgroupserver.

Task 1: Stage a delegated installation of an RODC.

1. RunActiveDirectoryUsersandComputersasanadministrator,withtheusernamePat.Coleman_AdminandthepasswordPa$$w0rd.

2. RightclicktheDomainControllersOU,andthenclickPrecreateReadonlyDomainControlleraccount.

3. StepthroughtheActiveDirectoryDomainServicesInstallationWizard,acceptingalldefaults.UsethecomputernameBRANCHDC01andontheDelegationofRODCInstallationandAdministrationpage,delegateinstallationto



Aaron.Painter_Admin.

NoteWhenthewizardiscomplete,theserverappearsintheDomainControllersOUwiththeDCTypecolumnshowingUnoccupiedDCAccount(Readonly,GC).

Task 2: Run the Active Directory Domain Services Installation Wizard on aworkgroup server.

1. Start6425CBRANCHDC01.

2. LogontoBRANCHDC01asAdministratorwiththepasswordPa$$w0rd.

3. ClickStart,andthenclickRun.

4. Typedcpromo,andthenpressEnter.

AwindowappearsthatinformsyouthattheADDSbinariesarebeinginstalled.Wheninstallationiscompleted,theActiveDirectoryDomainServicesInstallationWizardappears.

5. ClickNext.

6. OntheOperatingSystemCompatibilitypage,clickNext.



7. OntheChooseADeploymentConfigurationpage,clicktheExistingforestoption,clickAddadomaincontrollertoanexistingdomain,andthenclickNext.

8. OntheNetworkCredentialspage,typecontoso.com.

9. ClicktheSetbutton.

AWindowsSecuritydialogboxappears.

10. IntheUserNamebox,typeAaron.Painter_Admin.

11. InthePasswordbox,typePa$$w0rd,andthenpressEnter.

12. ClickNext.

13. OntheSelectaDomainpage,selectcontoso.com,andthenclickNext.

AmessageappearstoinformyouthatyourcredentialsdonotbelongtotheDomainAdminsorEnterpriseAdminsgroups.BecauseyouhaveprestagedanddelegatedadministrationoftheRODC,youcanproceedwiththedelegatedcredentials.

14. ClickYes.

AmessageappearstoinformyouthattheaccountforBRANCHDC01hasbeenprestagedinActiveDirectoryasanRODC.

15. ClickOK.



16. OntheLocationForDatabase,LogFiles,andSYSVOLpage,clickNext.

17. OntheDirectoryServicesRestoreModeAdministratorPasswordpage,typePa$$w0rd12345inthePasswordandConfirmPasswordboxes,andthenclickNext.

Inaproductionenvironment,youshouldassignacomplexandsecurepasswordtotheDirectoryServicesRestoreModeAdministratoraccount.

Also,notethatwemodifiedtheminimumpasswordlengthinLabAandassuchneedtomeetthenewminimumpasswordlengthrequirements.

18. OntheSummarypage,clickNext.

19. Intheprogresswindow,selecttheRebootOnCompletioncheckbox.ActiveDirectoryDomainServicesisinstalledonBRANCHDC01,theserverreboots.

Results:Inthisexercise,youcreatedanewRODCnamedBRANCHDC01inthecontoso.comdomain.

Exercise 2: Configure Password Replication Policy

Inthisexercise,youwillconfigureadomainwidepasswordreplicationpolicyandthepasswordreplicationpolicyspecifictoBRANCHDC01.




1. Configuredomainwidepasswordreplicationpolicy.

2. CreateagrouptomanagepasswordreplicationtothebranchofficeRODC.

3. ConfigurepasswordreplicationpolicyforthebranchofficeRODC.

4. Evaluateresultantpasswordreplicationpolicy.

Task 1: Configure domain-wide password replication policy.

WhoarethedefaultmembersoftheAllowedRODCPasswordReplicationGroup?

WhoarethedefaultmembersoftheDeniedRODCPasswordReplicationGroup?

AddtheDNSAdminsgroupasamemberoftheDeniedRODCPasswordReplicationGroup.

ExaminethepasswordreplicationpropertyforNYCBRANCHDC01.

WhatarethepasswordreplicationpoliciesfortheAllowedRODCPasswordReplicationGroupandfortheDeniedRODCPasswordReplicationGroup?

Task 2: Create a group to manage password replication to the branch officeRODC.



1. IntheGroups\RoleOU,createanewglobalsecuritygroupcalledBranchOfficeUsers.

2. AddthefollowinguserstotheBranchOfficeUsersgroup:

Anav.Silverman

Chris.Gallagher

Christa.Geller

Daniel.Roth

Task 3: Configure password replication policy for the branch office RODC.

ConfigureBRANCHDC01sothatitcachespasswordsforusersintheBranchOfficeUsersgroup.

Task 4: Evaluate resultant password replication policy.

OpentheResultantPolicyforBRANCHDC01'spasswordreplicationpolicy.

Question:WhatistheresultantpolicyforChris.Gallagher?



Results:Inthisexercise,youconfiguredthedomainwidepasswordreplicationpolicytopreventthereplicationofpasswordsofmembersofDNSAdminstoRODCs.YoualsoconfiguredthepasswordreplicationpolicyforBRANCHDC01toallowreplicationofpasswordsofmembersofBranchOfficeUsers.

Exercise 3: Manage Credential Caching

Inthisexercise,youwillmonitorcredentialcaching.


1. Monitorcredentialcaching.

2. Prepopulatecredentialcaching.

Task 1: Monitor credential caching.

1. LogontoBRANCHDC01asChris.GallagherwiththepasswordPa$$w0rdandthenlogoff.

2. LogontoBRANCHDC01asMike.DansegliowiththepasswordPa$$w0rd,andthenlogoff.

Thecontoso.comdomainusedinthiscourseincludesaGroupPolicyobject



(named6425C)thatallowsuserstologontodomaincontrollers.Inaproductionenvironment,itisnotrecommendedtogiveuserstherighttologontodomaincontrollers.

3. OnNYCDC1,inActiveDirectoryUsersandComputers,examinethepasswordreplicationpolicyforBRANCHDC01.

Question:Whichusers'passwordsarecurrentlycachedonBRANCHDC01?

Question:WhichusershavebeenauthenticatedbyBRANCHDC01?

Task 2: Prepopulate credential caching.

InthepasswordreplicationpolicyforBRANCHDC01,prepopulatethepasswordforChristaGeller.

Results:Inthisexercise,youidentifiedtheaccountsthathavebeencachedonBRANCHDC01,orhavebeenforwardedtoanotherdomaincontrollerforauthentication.YoualsoprepopulatedthecachedcredentialsforChristaGeller.




Question:Whyshouldyouensurethatthepasswordreplicationpolicyforabranchoffice

RODChas,initsAllowlist,theaccountsforthecomputersinthebranchofficeaswellasthe

users?

Question:Whatwouldbethemostmanageablewaytoensurethatcomputersinabranch

areintheAllowlistoftheRODC'spasswordreplicationpolicy?

To prepare for the next module

Whenyoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis,completethefollowingsteps:

1. Onthehostcomputer,startHyperVManager.

2. Rightclick6425CNYCDC1intheVirtualMachineslist,andthenclickRevert.



3. IntheRevertVirtualMachinedialogbox,clickRevert.

4. Repeatthesestepsfor6425CNYCSVR1and6425CBRANCHDC01.

Module Review and Takeaways

Review Questions

Question:Inyourorganization,anumberofusersdealwithconfidentialfilesonaregular



basis.Youneedtoensurethatalltheseusershavestrictaccountpolicesenforced.TheuseraccountsarescatteredacrossmultipleOUs.Howwouldyouaccomplishthiswiththeleastadministrativeeffort?

Question:Whereshouldyoudefinethedefaultpasswordandaccountlockoutpoliciesfor

useraccountsinthedomain?

Question:Whatwouldbethedisadvantageofauditingallsuccessfulandfailedlogonsonallmachinesinyourdomain?

Question:Whataretheadvantagesanddisadvantagesofprepopulatingthecredentialsfor

allusersandcomputersinabranchofficetothatbranch'sRODC?

Common Issues Related to Authentication in Active Directory

Issue Troubleshootingtip

UserisnotforcedtochangethepasswordevenifthatsettingisconfiguredinDefaultDomainPolicy.

Userorgroupdoesnothavethe



rightPSOapplied.

YoucannotdeployanRODC.

Real World Issues and Scenarios

Youmustensurethatalluserschangetheirpasswordevery30days.Companyproceduresspecifythatifauser'spasswordwillexpirewhiletheuserisoutoftheoffice,theusermaychangethepasswordpriortodeparture.Youmustaccountforauserwhoisoutoftheofficeforuptotwoweeks.Additionally,youmustensurethatausercannotreuseapasswordwithinaoneyeartimeperiod.Howwouldyouconfigureaccountpoliciestoaccomplishthis?

Best Practices Related to Authentication in an AD DS Domain

UseDefaultDomainPolicyGPOtospecifygeneralpasswordandaccountlockoutpoliciesthatwillapplyformostusers.

Usefinegrainedpasswordpolicytospecifypasswordandaccountlockoutpoliciesforspecificusersandgroupswithadministrativeprivileges.

Donotenablealloptionsforauditingbecauseyouwillhavemanysecuritylogs,whichwillbehardtosearch.Useadvancedauditloggingtohavemoregranularcontrol.

DeployRODCsinsiteswherephysicalsecurityisanissue.



Tools

Tool Usedfor Wheretofindit

GroupPolicyManagementconsole

Editingandmanaginggrouppolicyobjects

AdministrativeTools

ADSIEdit CreatingPasswordSettingObjects

AdministrativeTools

Dcpromo Creatingandmanagingdomaincontrollers

Commandlineutility

Windows Server 2008 R2 Features Introduced in this Module

Feature Description

AdvancedAuditPolicies NewsettingsinGroupPolicyobjectformoredetailedauditingofvarioussystemevents

module 10_ improving the security of authentication in an ad ds domain

Documents

ad ds domainhttps

security of authentication

lockout policiesbydefault