Lecture 3: Active Directory Domain Service (AD DS)
Agenda
- Active Directory Domain Services (AD DS)
- Installing and Configuring Active Directory Domain Services
- Implementing a Group Policy Infrastructure
- Managing the User Desktop with Group Policy
Module 1 Configuring Active Directory Domain Services
Module Overview
- Installing Domain Controllers
- Configuring Read-Only Domain Controllers
- New Features in Group Policy
- Configuring Group Policy Preferences
Lesson 1: Installing Domain Controllers
- Requirements for Installing AD DS
- What Are Domain and Forest Functional Levels?
- AD DS Installation Process
- Advanced Options for Installing AD DS
Requirements for Installing AD DS
- Server: a computer running Windows Server 2008 (the Web Server edition is not supported); at least 250 MB of free disk space on a partition formatted with the NTFS file system
- Network configuration: TCP/IP must be configured, including the DNS client settings; a DNS server that supports dynamic updates must be available, or the DNS Server role is configured on the domain controller during installation
- AD DS installation permissions: local Administrator rights to install the first domain controller in a forest; Domain Admins membership to install additional domain controllers in a domain; Enterprise Admins membership to install additional domains in a forest
What Are Domain and Forest Functional Levels?
Functional levels:
- Determine the AD DS features available in a domain or forest
- Restrict which Windows Server operating systems can run on domain controllers in the domain or forest
Supported domain functional levels, with the domain controller operating systems each one allows:
- Windows 2000 Server native: Windows 2000 Server, Windows Server 2003, Windows Server 2008
- Windows Server 2003: Windows Server 2003, Windows Server 2008
- Windows Server 2008: Windows Server 2008
Supported forest functional levels: Windows 2000, Windows Server 2003, Windows Server 2008
Raising a functional level on Windows Server 2008 cannot be undone, so inventory the operating system of every domain controller before raising it.
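The check a practitioner wants before raising a level is the one above: which DCs would be orphaned. The following PowerShell is an added example, not part of the course deck; it assumes the ActiveDirectory module (RSAT on Windows 7 or Windows Server 2008 R2 and later, talking to a DC that runs Active Directory Web Services), and the function names are this example's own.

```powershell
# Added example, not part of the course deck. Assumes the ActiveDirectory
# module and a domain reachable from the current session.
Import-Module ActiveDirectory

function Get-FunctionalLevelReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest

    # Every DC in the domain with its operating system. Raising the domain
    # level to Windows Server 2008 requires every DC to run 2008 or later.
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
        Select-Object HostName, OperatingSystem, IsReadOnly, IsGlobalCatalog

    $blocking = @($dcs | Where-Object {
        $_.OperatingSystem -notmatch 'Windows Server (2008|2012|2016|2019|2022)'
    })

    [pscustomobject]@{
        Domain            = $dom.DNSRoot
        DomainMode        = $dom.DomainMode
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        DomainControllers = $dcs
        BlockingDCs       = $blocking   # DCs that would stop replicating after the raise
    }
}

function Invoke-DomainModeRaiseToWindows2008 {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $report = Get-FunctionalLevelReport -Domain $Domain
    if ($report.BlockingDCs.Count -gt 0) {
        $names = ($report.BlockingDCs | ForEach-Object { $_.HostName }) -join ', '
        throw "Cannot raise $Domain; upgrade or demote first: $names"
    }
    # Replicates to every DC and, on Windows Server 2008, cannot be undone.
    Set-ADDomainMode -Identity $Domain -DomainMode Windows2008Domain -Confirm:$true
}

Get-FunctionalLevelReport | Format-List
```

Run the report first on its own; the raise function refuses to proceed while any DC in the domain is older than the target level.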
AD DS Installation Process
1. Install the Active Directory Domain Services role by using Server Manager
2. Run the Active Directory Domain Services Installation Wizard (Dcpromo)
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the locations for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator password
Advanced Options for Installing AD DS
To access the advanced installation options, select Use advanced mode installation in the Active Directory Domain Services Installation Wizard, or run dcpromo /adv
Use the advanced mode options to:
- Create a new domain tree
- Use backup media as the source for AD DS information
- Select the source domain controller for the installation
- Modify the default domain NetBIOS name
- Define the Password Replication Policy for an RODC
Installing AD DS by Using IFM (Install From Media)
- Use Ntdsutil.exe to create the installation media
- Ntdsutil.exe can create the following types of installation media:
  - Full (writable) domain controller
  - Full (writable) domain controller with SYSVOL data
  - Read-only domain controller
  - Read-only domain controller with SYSVOL data
Upgrading to Windows Server 2008 AD DS
To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation (current version | before installing | command):
- Windows 2000 Server or Windows Server 2003 forest | Windows Server 2008 domain controllers | adprep /forestprep (must be run before the other adprep commands)
- Windows 2000 Server domain | Windows Server 2008 domain controllers | adprep /domainprep /gpprep
- Windows Server 2003 domain | Windows Server 2008 domain controllers | adprep /domainprep
- Windows Server 2003 forest | Windows Server 2008 RODCs | adprep /rodcprep
Lesson 2: Configuring Read-Only Domain Controllers
- What Is a Read-Only Domain Controller?
- Read-Only Domain Controller Features
- What Are Password Replication Policies?
What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the AD DS database; changes reach them only through inbound replication, and nothing is ever replicated from an RODC to another domain controller
RODCs provide:
- Additional security for a branch office with limited physical security
- Additional security if applications must run on a domain controller
RODCs:
- Cannot hold operations master roles or be configured as replication bridgehead servers
- Can be deployed on servers running Windows Server 2008 Server Core for a smaller attack surface
Read-Only Domain Controller Features
RODCs provide:
- Unidirectional replication
- Credential caching
- Administrative role separation
- Read-only DNS
- RODC filtered attribute set
What Are Password Replication Policies?
- The password replication policy determines whether the RODC caches the credentials of the users and computers that authenticate through it
- By default, the RODC caches no user or computer credentials other than those of its own computer account and its own krbtgt account
- Options for configuring password replication policies:
  - No credentials cached
  - Enable credential caching on an RODC for specified accounts
  - Add users or groups to the Allowed RODC Password Replication Group so that their credentials can be cached on every RODC in the domain
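What an administrator actually needs from the policy is to allow the branch accounts, keep the privileged accounts denied, and know which secrets a stolen RODC would expose. The following PowerShell is an added example, not from the course deck; it assumes the ActiveDirectory module, an RODC named RODC01, a group BranchUsers and a user branchuser1 in contoso.com (all placeholders).

```powershell
# Added example, not part of the course deck. RODC01, BranchUsers, branchuser1
# and dc01.contoso.com are placeholders.
Import-Module ActiveDirectory

$rodc = 'RODC01'

# 1. Allow BranchUsers' secrets to be cached on this RODC only. Adding the group
#    to "Allowed RODC Password Replication Group" instead would allow caching on
#    every RODC in the domain.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'BranchUsers'

# 2. Show the effective policy. A Deny entry wins over an Allow entry, and the
#    built-in "Denied RODC Password Replication Group" already covers Domain Admins,
#    Enterprise Admins, Schema Admins, Cert Publishers and krbtgt: leave it in place.
'Allowed:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object -ExpandProperty Name
'Denied:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object -ExpandProperty Name

# 3. Audit what the RODC really holds. "Revealed" accounts are the ones whose
#    secrets are cached; if the RODC is stolen, these are the passwords to reset.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
"$($revealed.Count) account(s) cached on $rodc"

# 4. Flag any cached account that is, directly or through nesting, a Domain Admin.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$revealed | Where-Object { $privileged -contains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName

# 5. Optionally pre-populate the cache so a branch user's first logon still works
#    when the WAN is down (repadmin is installed with the AD DS role).
$userDn = (Get-ADUser -Identity 'branchuser1').DistinguishedName
repadmin.exe /rodcpwdrepl $rodc 'dc01.contoso.com' $userDn
```

Step 4 should return nothing; an allowed list that lets a privileged account be cached defeats the purpose of deploying an RODC in a branch.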
Lesson 3: New Features in Group Policy
- New Group Policy Settings
- What Are Multiple Local Group Policies?
New Group Policy Settings
There are approximately 700 new settings available
New settings and categories include:
- Antivirus
- Client Help
- Deployed Printer Connections
- Internet Explorer 7
- Wireless Configuration
- Terminal Services
- Windows Error Reporting
- Removable storage device management
- Power management
- User Account Control
- Network Access Protection
- Windows Defender
- Windows Firewall with Advanced Security
What Are Multiple Local Group Policies?
- One layer of computer configuration that applies to all users
- The user layers apply to individual users, not to groups
- There are three layers of user configuration: Administrators, Non-Administrators, User-specific
Lesson 4: Configuring Group Policy Preferences
- What Are Group Policy Preferences?
- Difference Between Group Policy Preferences and Settings
- Group Policy Preference Features
What Are Group Policy Preferences?
Group Policy preferences expand the range of configurable settings within a GPO and:
- Are not enforced (the user can change a preference value after it has been applied)
- Enable IT pros to configure, deploy, and manage operating system and application settings that were not manageable using Group Policy
Difference Between Group Policy Preferences and Settings
Group Policy preferences:
- Are written to the normal locations in the registry that the application or operating system feature uses to store the setting
- Do not cause the application or operating system feature to disable the user interface for the settings they configure
- Refresh by using the same interval as Group Policy settings by default
- Are not available in local Group Policy
Group Policy settings:
- Strictly enforce policy settings by writing them to areas of the registry that standard users cannot modify
- Typically disable the user interface for settings that Group Policy is managing
- Refresh at a regular interval
- Are available through local Group Policy
Group Policy Preference Features
- Common tab: used to configure additional options that control the behavior of a Group Policy preference item
- Targeting: determines to which users and computers a preference item applies
Module 2 Implementing a Group Policy Infrastructure
Module Overview
- Understand Group Policy
- Implement GPOs
- Manage Group Policy Scope
- Group Policy Processing
- Troubleshoot Policy Application
Lesson 1: Understand Group Policy
- What Is Configuration Management?
- Overview of Policies
- Benefits of Using Group Policy
- Group Policy Objects
- GPO Scope
- Group Policy Client and Client-Side Extensions
- Group Policy Refresh
- Review the Components of Group Policy
What Is Configuration Management?
A centralized approach to applying one or more changes to one or more users or computers
Group Policy is the framework for configuration management in an AD DS domain:
- Setting: the definition of a change or configuration
- Scope: the definition of the users or computers to which the change applies
- Application: the mechanism that applies the setting to users and computers within the scope
- Tools for management, configuration, and troubleshooting
What Is Group Policy?
Group Policy enables IT administrators to automate one-to-many management of users and computers
Use Group Policy to:
- Apply standard configurations
- Deploy software
- Enforce security settings
- Enforce a consistent desktop environment
Local Group Policy is always processed, for local and domain users and for the local computer settings; domain-based GPOs are processed afterwards and override any conflicting local setting
Group Policy Settings
- Group Policy settings for users control: software, Windows settings, security, desktop
- Group Policy settings for computers control: software, Windows settings, security, operating system
How Group Policy Is Applied (diagram)
- Computer starts: computer settings are applied, then startup scripts run
- User logs on: user settings are applied, then logon scripts run
- Both computer and user settings are then refreshed in the background every 90 minutes plus a random offset of up to 30 minutes (every 5 minutes on domain controllers)
Overview of Policies
A policy is the granular definition of a change or configuration, for example:
- Prevent access to registry editing tools
- Rename the Administrator account
Policies are divided between:
- User Configuration ("user policies")
- Computer Configuration ("computer policies")
Each setting can be defined as:
- Not configured (default)
- Enabled
- Disabled
Benefits of Using Group Policy
- Apply security settings
- Manage desktop and application settings
- Deploy software
- Manage folder redirection
- Configure network settings
Group Policy Objects
- A container for one or more policy settings
- Managed with the Group Policy Management Console (GPMC)
- Stored in the Group Policy Objects container
- Edited with the Group Policy Management Editor (GPME)
- Applied by linking the GPO to a specific level in the AD DS hierarchy
GPO Scope
- Scope: the definition of the objects (users or computers) to which the GPO applies
- GPO links: a GPO can be linked to multiple sites, domains, or organizational units (SDOU); the link(s) define the maximum scope of the GPO
- Security group filtering: allow or deny application of the GPO to members of a global security group; filters the GPO's scope within its link scope
- WMI filtering: refines the scope of the GPO within its link scope based on a WMI query
- Preference targeting: refines the scope of individual preference items
Group Policy Client and Client-Side Extensions
How GPOs and their settings are applied:
- The Group Policy Client retrieves an ordered list of GPOs
- GPOs are downloaded, then cached
- Components called client-side extensions (CSEs) process the settings to apply the changes; there is one for each major category of policy settings: security, registry, scripts, software installation, mapped drive preferences, and so on
- Most CSEs apply settings only if the GPO as a whole has changed, which improves performance; the Security CSE reapplies its settings every 16 hours even if nothing has changed
- GPO application is client driven ("pull")
Group Policy Refresh
When GPOs and their settings are applied:
- Computer Configuration: at startup, then every 90-120 minutes, or when triggered by the GPUpdate command
- User Configuration: at logon, then every 90-120 minutes, or when triggered by the GPUpdate command
Lesson 2: Implement GPOs
- Local GPOs
- Domain-Based GPOs
- Demonstration: Create, Link, and Edit GPOs
- GPO Storage
- Manage GPOs and Their Settings
Local GPOs
- Apply before domain-based GPOs; any setting specified by a domain-based GPO overrides the conflicting setting in a local GPO
- One local GPO in Windows 2000 Server, Windows XP, and Windows Server 2003
- Multiple local GPOs in Windows Vista and later:
  - Local GPO: computer settings and settings for all users
  - Administrators GPO: settings for users in Administrators
  - Non-Administrators GPO: settings for users not in Administrators
  - Per-user GPO: settings for a specific user
Discussion: if domain members can be centrally managed using domain-linked GPOs, in which scenarios might local GPOs be used?
Domain-Based GPOs
- Created in Active Directory, stored on domain controllers
- Two default GPOs:
  - Default Domain Policy: defines the account policies for the domain (password, account lockout, and Kerberos policies)
  - Default Domain Controllers Policy: defines the auditing policies for domain controllers and Active Directory
GPO Storage
What we call a GPO is actually two things, stored in two places with separate replication mechanisms:
- Group Policy Container (GPC): stored in AD DS; holds the friendly name, the globally unique identifier (GUID), and the version
- Group Policy Template (GPT): stored in SYSVOL on domain controllers (DCs); contains all the files required to define and apply the settings; its GPT.ini file contains the version
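Because the GPC and the GPT replicate by different mechanisms (AD replication versus FRS or DFS-R for SYSVOL), the two version numbers can drift apart, and a client then applies stale settings. The following PowerShell is an added example, not from the course deck, that reads both sides for every GPO in the domain; it assumes the ActiveDirectory module and read access to SYSVOL, and the function names are this example's own.

```powershell
# Added example, not part of the course deck. Assumes the ActiveDirectory
# module and read access to the domain's SYSVOL share.
Import-Module ActiveDirectory

function Split-GpoVersion {
    # versionNumber (AD) and Version= (GPT.ini) pack two 16-bit counters:
    # low word = Computer Configuration, high word = User Configuration.
    param([long]$Version)
    $v = $Version -band 0xFFFFFFFF
    [pscustomobject]@{
        Computer = [int]($v -band 0xFFFF)
        User     = [int][math]::Floor($v / 65536)
    }
}

function Get-GpoVersionSync {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dn = (Get-ADDomain -Identity $Domain).DistinguishedName

    $gpcs = Get-ADObject -Server $Domain -SearchBase "CN=Policies,CN=System,$dn" `
        -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, versionNumber, gPCFileSysPath

    foreach ($gpc in $gpcs) {
        $ad  = Split-GpoVersion $gpc.versionNumber
        $ini = Join-Path $gpc.gPCFileSysPath 'GPT.ini'   # gPCFileSysPath points into SYSVOL
        $gptRaw = $null
        if (Test-Path -Path $ini) {
            foreach ($line in Get-Content -Path $ini) {
                if ($line -match '^\s*Version\s*=\s*(-?\d+)') { $gptRaw = [long]$Matches[1]; break }
            }
        }
        $gpt = if ($null -ne $gptRaw) { Split-GpoVersion $gptRaw } else { $null }

        [pscustomobject]@{
            Name           = $gpc.displayName
            Guid           = $gpc.Name
            AdComputer     = $ad.Computer
            AdUser         = $ad.User
            SysvolComputer = if ($gpt) { $gpt.Computer } else { $null }
            SysvolUser     = if ($gpt) { $gpt.User } else { $null }
            # A mismatch means AD and SYSVOL have not converged yet, or one side
            # was edited directly; a missing GPT.ini means the template is gone.
            InSync         = ($null -ne $gpt) -and ($gpt.Computer -eq $ad.Computer) -and ($gpt.User -eq $ad.User)
        }
    }
}

Get-GpoVersionSync | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

Run it against each DC (`-Server`) when a site reports settings that the GPMC says are already in place; a GPO that is in sync on one DC and not on another points at SYSVOL replication rather than at the GPO itself.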
Manage GPOs and Their Settings
- Copy and paste into a Group Policy Objects container: create a new "copy" GPO and modify it, or transfer a GPO to a trusted domain (such as test to production)
- Back Up: all settings, objects, links, and permissions (access control lists [ACLs])
- Restore: into the same domain as the backup
- Import Settings: into a new GPO in the same or any domain; a migration table maps source-to-destination UNC paths and security group names; replaces all settings in the GPO (not a "merge")
- Save Report
- Delete
- Rename
Lesson 3: Manage Group Policy Scope
- GPO Links
- Group Policy Processing Order
- GPO Inheritance and Precedence
- Use Security Filtering to Modify GPO Scope
- WMI Filters
- Enable or Disable GPOs and GPO Nodes
- Target Preferences
- Loopback Policy Processing
GPO Links
- A GPO link causes the policy settings in the GPO to apply to the users or computers within the linked container
- Links a GPO to a site, domain, or OU (SDOU); sites must first be shown in the Group Policy Management console
- A GPO can be linked to multiple sites or OUs
- A link can exist but be disabled
- A link can be deleted; the GPO remains
Group Policy Processing Order (diagram): GPO1 linked at the local computer, GPO2 at the site, GPO3 at the domain, GPO4 at the parent OU, GPO5 at the child OU; the GPOs are processed in that order: Local, Site, Domain, OU, child OU
GPO Inheritance and Precedence (worked examples from the figures)
- The domain has GPO D (Computer D and User D settings); the Business OU has GPO B; under Business, the Employees OU holds the users and has GPO E (User E settings), the Clients OU holds the computers and has GPO C (Computer C settings), and the Groups OU has no GPO
- Default inheritance: a computer in Clients receives Computer settings D+B+C; a user in Employees receives User settings D+B+E
- With Block Inheritance on the Business OU: Computer B+C; User B+E (the domain GPO no longer applies below Business)
- With Block Inheritance on Business and an Enforced Security GPO S linked at the domain (Computer S and User S settings): Computer B+C+S; User B+E+S (the enforced GPO passes through the block and wins any conflict)
GPO Inheritance and Precedence
- The application of GPOs linked to each container results in a cumulative effect called inheritance
- Default precedence: Local, Site, Domain, OU, child OU (LSDOU); shown on the Group Policy Inheritance tab
- Link order (an attribute of the GPO link): a lower number is higher in the list and takes precedence
- Block Inheritance (an attribute of the OU): blocks the processing of GPOs from above
- Enforced (an attribute of the GPO link): enforced GPOs pass through Block Inheritance, and enforced GPO settings win over conflicting settings in lower GPOs
Use Security Filtering to Modify GPO Scope
- The Apply Group Policy permission: a GPO has an ACL (Delegation tab, Advanced); by default, Authenticated Users have Allow Apply Group Policy
- To scope only to users in selected global groups: remove Authenticated Users and add the appropriate global groups; use global groups (GPOs do not scope to domain local groups)
- To scope to all users except those in selected groups: on the Delegation tab, click Advanced, add the appropriate global groups, and set Deny Apply Group Policy; a Deny entry does not appear on the Delegation tab or in the Security Filtering section, so document it
WMI Filters
- Create a WMI filter with a WQL query; WQL is similar to T-SQL, for example:
  SELECT * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"
- Use the filter for one or more GPOs; the GPO applies only to computers for which the query returns at least one object
Enable or Disable GPOs and GPO Nodes
GPO Details tab, GPO Status drop-down list:
- Enabled: both Computer Configuration and User Configuration settings are applied by the CSEs
- All settings disabled: the CSEs do not process the GPO
- Computer Configuration settings disabled: the CSEs do not process the settings in Computer Configuration
- User Configuration settings disabled: the CSEs do not process the settings in User Configuration
Target Preferences
- Targeting within a GPO: effective scope = scope of the GPO + scope of the targeting item
- Only possible with preferences
- Multiple targeting options
- Test the effect, and test the performance impact
Loopback Policy Processing
- At user logon, the User settings from GPOs scoped to the computer object are applied
- Creates a consistent user experience on a computer: conference rooms, kiosks, computer labs, VDI, RDS, and so on
- Setting: Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode
- Replace mode: the user gets none of the User settings scoped to the user, and only the User settings scoped to the computer
- Merge mode: the user gets the User settings scoped to the user, but those settings are overlaid with the User settings scoped to the computer; the computer-scoped settings prevail
Loopback Policy Processing (worked example from the figure)
- The Business OU has GPO B; the Employees OU (users) has GPO E; the Clients OU (computers) has GPO C; the Kiosks OU (computers) has GPO K, which enables loopback
- Normal processing, a user from Employees on a Clients computer: Computer B+C; User B+E
- Loopback Replace, the same user on a Kiosks computer: Computer B+K; User B+K
- Loopback Merge, the same user on a Kiosks computer: Computer B+K; User E+B+K (the User settings scoped to the computer are applied last and win any conflict)
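The scope controls of this lesson (links, Enforced, Block Inheritance, security filtering, WMI filters and loopback) can all be driven from the GroupPolicy module. The following PowerShell is an added example, not from the course deck; it assumes the GroupPolicy module (GPMC on Windows Server 2008 R2 or RSAT and later), the domain contoso.com, a Kiosks OU under Business, and the group GPO_SecurityBaseline_Apply, all placeholders. The MS16-072 note describes a 2016 Windows update, which postdates the deck.

```powershell
# Added example, not part of the course deck. Domain, OU and group names are
# placeholders.
Import-Module GroupPolicy

$domainDN = 'DC=contoso,DC=com'
$kiosksOU = "OU=Kiosks,OU=Business,$domainDN"

# --- Enforced domain-level GPO versus Block Inheritance on an OU
$baseline = New-GPO -Name 'Security Baseline' -Comment 'Added example'
New-GPLink -Name $baseline.DisplayName -Target $domainDN -LinkEnabled Yes -Enforced Yes -Order 1 | Out-Null
Set-GPInheritance -Target $kiosksOU -IsBlocked Yes | Out-Null
# The enforced link still shows up for the blocked OU; other domain links do not.
(Get-GPInheritance -Target $kiosksOU).InheritedGpoLinks | Select-Object DisplayName, Enforced, Order

# --- Security filtering: replace Authenticated Users with a global group
Set-GPPermission -Name $baseline.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $baseline.DisplayName -TargetName 'GPO_SecurityBaseline_Apply' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Since MS16-072 (June 2016) the computer account must be able to read a GPO for
# its user settings to apply. Read-only for Authenticated Users restores that
# without widening who the GPO applies to.
Set-GPPermission -Name $baseline.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null
Get-GPPermission -Name $baseline.DisplayName -All | Select-Object Trustee, Permission
# A Deny "Apply Group Policy" entry cannot be set with Set-GPPermission; use the
# Delegation tab, Advanced, as the slide describes, and record it somewhere visible.

# --- WMI filter: run the WQL on a representative client before attaching it
$wql  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 1'
$hits = @(Get-WmiObject -Query $wql)
"This computer would match the filter: $($hits.Count -gt 0)"

# --- Loopback Replace for the kiosk OU (UserPolicyMode 2 = Replace, 1 = Merge)
$kiosk = New-GPO -Name 'Kiosk Lockdown' -Comment 'Added example'
Set-GPRegistryValue -Name $kiosk.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $kiosk.DisplayName -Target $kiosksOU -LinkEnabled Yes | Out-Null
```

Matching the filter on Version rather than Caption avoids the edition-name variations the slide's XP example is sensitive to; Version 6.1 is Windows 7 and Windows Server 2008 R2, and ProductType 1 restricts it to workstations.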
Lesson 4: Group Policy Processing
- Detailed Review of Group Policy Processing
- Slow Links and Disconnected Systems
- Identify When Settings Take Effect
Detailed Review of Group Policy Processing
1. The computer starts; RPCSS and MUP are started
2. The Group Policy Client starts and obtains an ordered list of the GPOs that are scoped to the computer: Local, Site, Domain, OU, then Enforced GPOs
3. The Group Policy Client processes each GPO in order: should it be applied (enabled/disabled, permissions, WMI filter)? If so, the CSEs are triggered to process the settings in the GPO; settings configured as Enabled or Disabled are processed
4. The user logs on
5. The process repeats for the user settings
6. Every 90-120 minutes after startup, the computer settings are refreshed
7. Every 90-120 minutes after logon, the user settings are refreshed
Slow Links and Disconnected Systems
- The Group Policy Client determines whether the link to the domain should be considered a slow link; by default, less than 500 kilobits per second (kbps)
- Each CSE can use the slow link determination to decide whether it should process; the Software Installation CSE, for example, does not process over a slow link
- Disconnected: settings previously applied continue to take effect; exceptions include startup, logon, logoff, and shutdown scripts
- Connected: Windows Vista and newer operating systems detect the new connection and perform a Group Policy refresh if the refresh window was missed while the system was disconnected
Identify When Settings Take Effect
- GPO replication must happen: the GPC and the GPT must replicate
- Group membership changes must be incorporated: logoff/logon for a user; restart for a computer
- Group Policy refresh must occur
- Windows XP, Windows Vista, and Windows 7 clients start and log on without waiting for the network by default (fast logon optimization), so a changed setting can take two logons or restarts to apply; enable Always wait for the network at computer startup and logon, or have the user log off and on or restart the computer
- Manual refresh: GPUpdate [/force] [/logoff] [/boot]
- Most CSEs do not reapply settings if the GPO has not changed; configure this in Computer Configuration\Policies\Administrative Templates\System\Group Policy
Lesson 5: Troubleshoot Policy Application
- Resultant Set of Policy
- Generate RSoP Reports
- Perform What-If Analyses with the Group Policy Modeling Wizard
- Examine Policy Event Logs
Resultant Set of Policy
- Inheritance, filters, loopback, and the other policy scope and precedence factors are complex
- RSoP is the "end result" of policy application
- Tools to help evaluate, model, and troubleshoot the application of Group Policy settings (RSoP analysis): the Group Policy Results Wizard, the Group Policy Modeling Wizard, GPResult.exe
Generate RSoP Reports
- The Group Policy Results Wizard queries WMI to report the actual Group Policy application
- Requirements: administrative credentials on the target computer; access to WMI (firewall); the user must have logged on at least once
- The RSoP report can be saved; the Advanced view shows some settings that do not show in the HTML report; the Group Policy processing events can be viewed
- Command line: GPResult.exe /s ComputerName /h filename
Perform What-If Analyses with the Group Policy Modeling Wizard
- The Group Policy Modeling Wizard emulates Group Policy application to report the anticipated RSoP
- Can be used prior to GPO application
- Recommended in the Group Policy design phase
Examine Policy Event Logs
- System log: high-level information about Group Policy, and errors elsewhere in the system that could impact Group Policy
- Application log: events recorded by CSEs
- Group Policy Operational log: a detailed trace of Group Policy application
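The refresh, RSoP and event log steps of Lessons 4 and 5 chain together when a setting does not show up on a client. The following PowerShell is an added example, not from the course deck; it assumes the GroupPolicy module on the administrator's host, Windows Vista or Windows Server 2008 or later on the target, firewall rules permitting WMI and remote event log access, and placeholder names (WKS001, CONTOSO\jdoe).

```powershell
# Added example, not part of the course deck. WKS001 and CONTOSO\jdoe are
# placeholders.
Import-Module GroupPolicy

$computer = 'WKS001'
$user     = 'CONTOSO\jdoe'
$report   = Join-Path $env:TEMP "rsop-$computer.html"

function Invoke-ClientRefresh {
    # /force makes every CSE reapply its settings, not only those from changed GPOs.
    param([string]$Target = 'computer')
    gpupdate.exe /force /target:$Target
}

function Get-ClientRsopReport {
    # Reads the client's RSoP data through WMI; the user must have logged on there
    # at least once, otherwise there is no user-side data to report.
    param([string]$Computer, [string]$User, [string]$Path)
    Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Html -Path $Path
    # Equivalent built-in tool where the module is unavailable:
    # gpresult.exe /s $Computer /user $User /h $Path /f
    Get-Item -Path $Path
}

function Get-GroupPolicyOperationalEvents {
    # Errors (Level 2) and warnings (Level 3) first, newest first within a level.
    # 4016/5016 bracket each CSE run and 7016 reports a CSE failure; 5314 reports
    # the link speed used for slow-link detection (CSEs such as Software
    # Installation skip slow links).
    param([string]$Computer, [int]$Count = 50)
    Get-WinEvent -ComputerName $Computer -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents $Count |
        Sort-Object @{ Expression = 'Level'; Descending = $false }, @{ Expression = 'TimeCreated'; Descending = $true } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Invoke-ClientRefresh -Target 'computer'
Get-ClientRsopReport -Computer $computer -User $user -Path $report
Get-GroupPolicyOperationalEvents -Computer $computer | Format-Table -Wrap -AutoSize
```

Read the three outputs in order: if the refresh was blocked (a CSE error in the operational log), the RSoP report will still show the setting as applied from the cached data, which is exactly the case the event log is needed for.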
Module 3 Managing User Desktop with Group Policy
Module Overview
- Implement Administrative Templates
- Configure Group Policy Preferences
- Manage Software with GPSI
- Folder Redirection
Lesson 1: Implement Administrative Templates
- What Are Administrative Templates?
- How Administrative Templates Work
- Managed Settings, Unmanaged Settings, and Preferences
- Central Store
What Are Administrative Templates? (diagram: .ADMX and .ADML files describe the settings shown in the editor; applying a setting writes values to the Registry)
How Administrative Templates Work
- Policy settings in the Administrative Templates node make changes to the registry; for example, Prevent access to registry editing tools writes the DisableRegistryTools value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Value 1: blocks only the Regedit UI tool
- Value 2: also blocks regedit /s (silent mode)
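The registry example above, and the preferences-versus-settings comparison in Module 1 Lesson 4 (settings land in Policies keys that standard users cannot modify, preferences in the application's own keys), can both be checked from the affected user's session. The following PowerShell is an added example, not from the course deck; it assumes Windows Vista or Windows 7 with the policy applied, and the function names are this example's own.

```powershell
# Added example, not part of the course deck. Run in the session of the user the
# policy applies to.

function Get-RegeditPolicyState {
    # Decodes the value "Prevent access to registry editing tools" writes.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name 'DisableRegistryTools' -ErrorAction SilentlyContinue
    $val  = if ($item) { $item.DisableRegistryTools } else { $null }
    if ($null -eq $val) { return 'Not configured: regedit allowed' }
    if ($val -eq 0)     { return 'Disabled: regedit allowed' }
    if ($val -eq 1)     { return 'Enabled: regedit UI blocked, regedit /s still runs' }
    if ($val -eq 2)     { return 'Enabled: regedit UI and regedit /s both blocked' }
    return "Unexpected value $val"
}

function Get-RegistryKeyWriters {
    # Lists the principals whose Allow ACEs include SetValue on a key. Policy keys
    # are secured so the interactive user gets read access only; a preference item
    # writes to the application's normal key, which the user can change back.
    param([string]$Path)
    $setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights -band $setValue) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

Get-RegeditPolicyState
'Can write under the per-user policy key:'
Get-RegistryKeyWriters -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
'Can write under a normal per-user key (where a preference item would write):'
Get-RegistryKeyWriters -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
```

The second and third outputs make the lesson's distinction concrete: the policy key lists only SYSTEM and Administrators as writers, while the user's own account appears for the ordinary key.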
Central Store
- .ADM files: stored in the GPT; leads to version control and GPO bloat problems
- .ADMX/.ADML files: retrieved from the client running the editor; problematic if the client does not have the appropriate files
- Central Store: create a folder called PolicyDefinitions under the domain's Policies folder in SYSVOL on a DC
  - Remotely: \\contoso.com\sysvol\contoso.com\policies\PolicyDefinitions
  - Locally on the DC: %SystemRoot%\SYSVOL\contoso.com\Policies\PolicyDefinitions
- Copy the .ADMX files from %SystemRoot%\PolicyDefinitions and the .ADML files from the language-specific subfolders (such as en-us)
Lesson 2: Configure Group Policy Preferences
- What Are Group Policy Preferences?
- Differences Between Group Policy Preferences and Settings
What Are Group Policy Preferences?
Group Policy preferences expand the range of configurable settings within a GPO and:
- Are not enforced
- Enable IT pros to configure, deploy, and manage operating system and application settings that were not manageable by using Group Policy
Features of Group Policy preferences (the action of a preference item):
- Create: create a new item on the targeted computer
- Delete: remove an existing item from the targeted computer
- Replace: delete and re-create an item on the targeted computer
- Update: modify an existing item on the targeted computer
Differences Between Group Policy Preferences and Settings
Group Policy preferences:
- Are written to the normal locations in the registry that the application or operating system feature uses to store the setting
- Do not cause the application or operating system feature to disable the user interface for the settings they configure
- Refresh by using the same interval as Group Policy settings by default
- Are not available in local Group Policy
Group Policy settings:
- Strictly enforce policy settings by writing them to areas of the registry that standard users cannot modify
- Typically disable the user interface for settings that Group Policy is managing
- Refresh at a regular interval
- Are available through local Group Policy
Lesson 3: Manage Software with GPSI
- Understand GPSI
- Software Deployment Options
- Create and Scope a Software Deployment GPO
- Maintain Software Deployed with GPSI
- GPSI and Slow Links
Understand GPSI (Group Policy Software Installation)
- A client-side extension (CSE) that installs supported packages:
  - Windows Installer packages (.msi), optionally modified by a transform (.mst) or patches (.msp); GPSI installs them with elevated privileges automatically
  - Downlevel application packages (.zap): supported by the publish option only; the user must have administrative privileges to install
- System Center Configuration Manager and other deployment tools support a wider variety of installation and configuration packages
- GPSI gives no feedback: no centralized indication of success or failure, and no built-in metering, auditing, or license management
Software Deployment Options
- Assign an application to users: Start menu shortcuts appear (install on demand); file associations are made (optional auto-install on document invocation); optionally, configure the package to install at logon
- Publish an application to users: advertised in Programs and Features (Control Panel); install on request
- Assign an application to computers: installed at startup
Options for Deploying and Managing Software Using Group Policy (diagram of the software life cycle): 1. Preparation, 2. Deployment, 3. Maintenance, 4. Removal
How Software Distribution Works
- The Windows Installer service fully automates the software installation and configuration process, and modifies or repairs an existing application installation
- A Windows Installer package contains the information about installing or uninstalling an application: an .msi file and any external source files, summary information about the application, and a reference to an installation point
- Benefits of using Windows Installer: custom installations, resilient applications, clean removal
Options for Installing Software
- Assign software in Computer Configuration
- Assign software in User Configuration
- Publish software through Add or Remove Programs
- Publish software with document activation
- Packages are read from a software distribution point, a network share that the clients can read
Maintaining Software Using Group Policy (diagram: deploying version 2.0 of an application over version 1.0)
- Mandatory upgrade: users can use only the upgraded version
- Optional upgrade: users can decide when to upgrade
- Selective upgrade: you can select specific users for an upgrade
Create and Scope a Software Deployment GPO
- Computer [or User] Configuration\Policies\Software Settings\Software Installation; right-click, New, Package
- Browse to the .msi file through its network path (\\server\share)
- Choose the deployment option (recommended: Advanced)
Managing the scope of a software deployment GPO:
- Typically easiest to manage with security group filtering: create an application group such as APP_XML Notepad
- Put users into the group: this also lets the users reach the software share if repairs or reinstalls are necessary
- Put computers into the group if assigning to computers
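The package path (\\server\share) is the sensitive part of a software deployment GPO: GPSI installs assigned packages with elevated privileges, so anyone who can modify the share or the .msi can run code as SYSTEM on every client in the GPO's scope. The following PowerShell is an added example, not from the course deck, that audits a distribution point before a package is pointed at it; the share \\fs01\Software$, the CONTOSO group names and the function names are placeholders.

```powershell
# Added example, not part of the course deck. Share and group names are
# placeholders; run it as an account that can read the share's ACLs.

$share = '\\fs01\Software$'
# Principals that are expected to be able to write to a distribution point.
$adminPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                     'CONTOSO\Domain Admins', 'CONTOSO\SoftwareAdmins')

function Get-WritablePrincipals {
    # Principals whose Allow ACEs grant anything that could alter a package.
    param([string]$Path)
    $mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $mask) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-DistributionPointFindings {
    param([string]$Root, [string[]]$Allowed)

    $dirs = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($d in $dirs) {
        $unexpected = @(Get-WritablePrincipals -Path $d.FullName | Where-Object { $Allowed -notcontains $_ })
        if ($unexpected.Count -gt 0) {
            [pscustomobject]@{ Kind = 'WritableBy'; Path = $d.FullName; Detail = ($unexpected -join ', ') }
        }
    }

    # Windows Installer packages and patches can carry Authenticode signatures;
    # an unsigned or tampered package shows up as NotSigned or HashMismatch.
    Get-ChildItem -Path $Root -Recurse -Include *.msi, *.msp | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Kind = 'Signature'; Path = $_.FullName; Detail = "$($sig.Status) $($sig.SignerCertificate.Subject)" }
        }
    }
}

Get-DistributionPointFindings -Root $share -Allowed $adminPrincipals | Format-Table -AutoSize -Wrap
```

An empty result is the target: every folder writable only by the listed administrators, and every package carrying a valid signature from a publisher you recognise. Users and computers in the APP_ group only ever need Read on the share.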
Maintain Software Deployed with GPSI
- Redeploy application: after a successful install, the client does not attempt to reinstall the application; if you change the package, right-click the package, All Tasks, Redeploy Application
- Upgrade application: create a new package in the same or a different GPO; on the Upgrades tab (Advanced), select the package to upgrade, and choose to uninstall the old version first or to install over it
- Remove application: right-click the package, All Tasks, Remove; uninstall immediately (forced removal) or prevent new installations (optional removal); do not delete or unlink the GPO until all clients have applied the setting
GPSI and Slow Links
- The Group Policy Client determines whether the domain controller providing the GPOs is on the other side of a slow link (less than 500 kbps by default)
- Each CSE uses the slow link determination to decide whether to process; by default, GPSI does not process over a slow link
- You can change the slow link processing behavior of each CSE: Computer Configuration\Policies\Administrative Templates\System\Group Policy
- You can change the slow link threshold: Computer [or User] Configuration\Policies\Administrative Templates\System\Group Policy
What Is Folder Redirection?
- Folder redirection allows folders to be stored on a network server but appear as if they are located on the local drive
- Folders that can be redirected: My Documents (Documents in Windows Vista), Application Data (AppData in Windows Vista), Desktop, Start Menu
- Extra folders that can be redirected in Windows Vista: Contacts, Downloads, Favorites, Searches, Links
Folder Redirection Configuration Options
- Use basic Folder Redirection when all users save their files to the same location
- With advanced Folder Redirection, the server hosting the folder location is chosen by security group membership (the figure directs the Accounting Users and Accounting Managers groups to separate locations, Accounts A-M and Accounts N-Z)
- Target folder location options:
  - Redirect to the user's home directory
  - Create a folder for each user under the root path
  - Redirect to the following location
  - Redirect to the local user profile location
Options for Securing Redirected Folders
NTFS permissions for the root folder:
- Creator/Owner: Full control, subfolders and files only
- Administrators: none
- Security group of users that put data on the share: List Folder/Read Data and Create Folders/Append Data, this folder only
- Local System: Full control
Share permissions for the root folder:
- Security group of users that put data on the share: Full control
NTFS permissions for each user's redirected folder:
- %Username%: Full control, owner of the folder
- Administrators: none
- Local System: Full control
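The root-folder table above is what makes "Create a folder for each user under the root path" safe: users can create their own folder but cannot list or read anyone else's, and the Folder Redirection CSE then sets the per-user ACL (with Grant the user exclusive rights, the default, only the user and SYSTEM get access). The following PowerShell is an added example, not from the course deck, that applies the table with icacls and audits the per-user folders afterwards; the path D:\Redirected, the share name and the group CONTOSO\FR-Users are placeholders.

```powershell
# Added example, not part of the course deck. Path, share and group names are
# placeholders; run it on the file server as an administrator.

$root  = 'D:\Redirected'
$group = 'CONTOSO\FR-Users'

New-Item -Path $root -ItemType Directory -Force | Out-Null

# Drop inherited ACEs and grant exactly the table's entries:
#   CREATOR OWNER  Full control, subfolders and files only  -> (OI)(CI)(IO)F
#   SYSTEM         Full control, this folder and below      -> (OI)(CI)F
#   $group         List Folder/Read Data + Create Folders/Append Data, this folder only -> (RD,AD)
#   Administrators no ACE at all
icacls.exe $root /inheritance:r `
    /grant "CREATOR OWNER:(OI)(CI)(IO)F" `
    /grant "SYSTEM:(OI)(CI)F" `
    /grant "${group}:(RD,AD)" | Out-Null

# Share permissions: the user group gets Full control; NTFS does the real limiting.
net.exe share "Redirected$=$root" "/GRANT:$group,FULL" | Out-Null

function Test-RedirectedUserFolder {
    # Reports every explicit ACE on a user's folder and whether it belongs there:
    # only the owner (the user) and SYSTEM are expected.
    param([string]$Folder)
    $acl = Get-Acl -Path $Folder
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $id = $_.IdentityReference.Value
        [pscustomobject]@{
            Folder   = $Folder
            Identity = $id
            Rights   = $_.FileSystemRights
            Type     = $_.AccessControlType
            Expected = ($id -eq $acl.Owner -or $id -eq 'NT AUTHORITY\SYSTEM')
        }
    }
}

# After users have logged on once, anything listed here is an ACE an administrator
# or another user added by hand and should be investigated.
Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Test-RedirectedUserFolder -Folder $_.FullName } |
    Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Because Administrators hold no ACE, a helpdesk administrator who needs to reach a user's data has to take ownership first, which leaves an auditable trace rather than silent read access to every redirected folder.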
2009 Microsoft, Microsoft Dynamics, the Office logo, and Your potential. Our passion. are trademarks of the Microsoft group of companies. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.