Active Directory Trusts

Let’s discuss AD trusts. And further in, after we discuss trusts types, we’ll revisit Kerberos authentication across a trust path, which I’ve previously discussed in the following blog and is pertinent in the scope of explaining trusts:

Active Directory Trusts

Active Directory domain to domain communications occur through a trust. An AD DS trust is a secured, authentication communication channel between entities, such as AD DS domains, forests, and UNIX realms. Trusts enable you to grant access to resources to users, groups and computers across entities.

The way a trust works is similar to allowing a trusted entity to access your own resources. It’s a two-step process. The first step is to establish the trust. The second step is to provide permissions.

For example, if users in the Contoso.com domain require access to a shared folder in the Trimagna.com domain, and the two domains are not in the same forest, you would establish the trust where Trimagna.com trusts Contoso.com, therefore the direction of the arrow would be Trimagna.com points to Contoso.com.

image

For an analogy, if you were to give your car keys to a friend to allow him or her to use your car, you are establishing a trust between you and your friend. In this case, you are the trusting friend, or domain, and the friend is the trusted friend, or domain. Once the keys have been provided, then the next step is to allow access to your resource, or car, by providing permissions to use the car. However, this trust is only in one direction, you trust your friend. If you want your friend to trust you, your friend, or the other domain, must be initiated by your friend, or the other domain.

AD DS Trust Types

There are various trust types. The trust that you create must be appropriate for the design. Trusts can be transitive or non-transitive. The one that you choose to create depends on the scenario and requirements. Other trusts types can be created as required, depending on the scenario. The table below shows the various trust types you can create.

Trusts can be created using the New Trust Wizard found in the Active Directory Domains and Trusts console, or using the Netdom command line utility. If you choose to create one of the one-way trust types in both directions, it can be created simultaneously, or separately. If you create it separately, you must re-run the procedure to establish the trust in the other direction.

image

Trust Type

Characteristics

Direction

Authentication
Mechanism

Notes

Parent-Child

Transitive

Two-way

Kerberos V5
or NTLM

Created automatically when a child domain is added.

Tree-Root

Transitive

Two-way

Kerberos V5
or NTLM

Created automatically when a new Tree is added to a forest.

Shortcut

Transitive

One-way
or
Two-way

Kerberos V5
or NTLM

Created Manually.
Used in an AD DS forest to shorten the trust path to improve authentication times.

Forest

Transitive

One-way
or
Two-way

Kerberos V5
or NTLM

Created Manually.
Used to share resources between AD DS forests.

External

Non-transitive

One-way

NTLM Only

Created Manually.
Used to access resources in an NT 4.0 domain or a domain in another forest that does not have a forest trust established.

Realm

Transitive or non-transitive

One-way
or
Two-way

Kerberos V5 Only

Created Manually.
Used to access resources between a non-Windows Kerberos V5 realm and an AD DS domain.

Trust Flow: Transitive vs. Non-Transitive

Trust communication flow is determined by the direction of the trust. The trust can be a one-way or a two-way trust. And the transitivity determines whether a trust can be extended beyond the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains; a non-transitive trust can be used to deny trust relationships with other domains. Authentication requests follow a trust path. The transitivity of the trust will affect the trust path.

Transitive Trust

· Contoso.com trusts Trimagna.com.

· Contoso.com trusts Adatum.com.

· Therefore, Trimagna.com trusts Adatum.com.

One-way Trust

· Domain A trusts Domain B, but Domain B does not trust Domain A.

· Domain A trusts Domain C, but Domain C does not trust Domain A.

· Therefore, Domain B does not trust Domain C.

o For these two domains to trust each other, you would need a one way trust created between each other.

Automatic Trusts: and Tree-Root Trusts

By default, two-way, transitive trusts are created automatically when a child domain is added or when a domain tree is added. The two default trust types are parent-child trusts and tree-root trusts.

Parent-Child Trust

A transitive, two-way parent-child trust relationship automatically created and establishes a relationship between a parent domain and a child domain whenever a new child domain is created using the AD DS installation process process within a domain tree. They can only exist between two domains in the same tree with the same contiguous namespace. The parent domain is always trusted by the child domain. You cannot manually create a Parent-Child trust.

image

Tree-Root Trust

A transitive, two-way tree-root trust relationship automatically created and establishes a relationship between the forest root domain and a new tree, when you run the AD DS installation process to add a new tree to the forest. A tree-root trust can only be established between the roots of two trees in the same forest and are always transitive. You cannot manually create a tree-root trust.

image

Shortcut Trust

Shortcut trusts are manually created, one-way, transitive trusts. They can only exist within a forest. They are created to optimize the authentication process shortening the trust path. The trust path is the series of domain trust relationships that the authentication process must traverse between two domains in a forest that are not directly trusted by each other. Shortcut trusts shorten the trust path.

image

Forest Trust

Forest trusts are manually created, one-way transitive, or two-way transitive trusts that allow you to provide access to resources between multiple forests. Forest trusts uses both Kerberos v5 and NTLM authentication across forests where users can use their Universal Principal Name (UPN) or their Pre-Windows 2000 method (domainName\username). Kerberos v5 is attempted first, and if that fails, it will then try NTLM.

image

Forest trusts require DNS resolution to be established between forests, however to support NTLM failback, you must also provide NetBIOS name resolution support between the forests.

Forest trusts also provide SID filtering enforcement in Windows Server 2003 and newer. This ensures that any misuse of the SID history attribute on security principals (including the inetOrgPerson attribute) in the trusted forest cannot pose a threat to the integrity of the trusting forest.

Forest trusts cannot be extended to other forests, such as if Forest 1 trusts Forest 2, and another forest trust is created between Forest 2 and Forest 3, Forest 1 does not have an implied trust. If a trust is required, one must be manually created.

External Trust

An external trust is a one-way, non-transitive trust that is manually created to establish a trust relationship between AD DS domains that are in different forests, or between an AD DS domain and Windows NT 4.0 domain. External trusts allow you to provide users access to resources in a domain outside of the forest that is not already trusted by a Forest trust.

image

SID filter quarantining is enabled by default with Windows Server 2003 and newer AD DS domains. SID filtering verifies that incoming authentication requests made from security principals in the trusted domain contain only SIDs of security principals from the trusted domain.

External trusts are NTLM based, meaning users must authenticate using the Pre-Windows 2000 logon method (domain\username).NTLM requires NetBIOS name resolution support for functionality.

Additional reading on creating External Trusts and DNS Support:

Realm Trust

A Realm trust can be established to provide resource access and cross-platform inter-operability between an AD DS domain and non-Windows Kerberos v5 Realm.

  • A Realm trust only uses Kerberos V5 authentication. NTLM is not used.
  • When the direction of the trust is from a non-Windows Kerberos Realm to an AD DS domain (Realm trusts AD DS domain), the non-Windows realm trusts all security principals in the AD DS domain.
  • Realm trusts are one-way by default, but you can create a trust in the other direction to allow two-way access.
  • Because non-Windows Kerberos tickets do not contain all the information AD DS requires, the AD DS domain only uses the account to which the proxy account (the non-Windows principal) is mapped to evaluate access requests and authorization. With Realm trusts, all AD DS domain proxy accounts can be used in an AD DS group in ACLs to control access for non-Windows accounts.

image

Additional reading:

Trusted Domain Object (TDO)

To understand cross domain authentication, we must first understand Trusted Domain Objects (TDOs). Each domain within a forest is represented by a TDO that is stored in the System container within its domain. The information in the TDO varies depending on whether the TDO was created by a domain trust or by a forest trust.

When a domain trust is created, attributes such as the DNS domain name, domain SID, trust type, trust transitivity, and the reciprocal domain name are represented in the TDO.

When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and then stores the information in a TDO. The trusted namespaces and attributes that are stored in the TDO include domain tree names, child domain names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. TDO objects are stored in each domain, then replicated to the global catalog.

Therefore, because trusts are stored in Active Directory in the global catalog as TDOs, all domains in a forest have knowledge of the trust relationships that are in place throughout the forest. If there are two or more forests that are joined together through forest trusts, the forest root domains in each forest know of the trust relationships throughout all of the domains in the trusted forests.

The only exception to the rule is External trusts to a Windows NT 4.0 domain do not create TDOs in Active Directory because it is NTLM based, in which SPN and domain SIDs do not exist, therefore do not apply.

Additional reading:

Trust Path between Domains

The trust path is the series of domain trust relationships that the authentication process must traverse between two domains in a forest that are not directly trusted by each other.

Before authentication for a user, computer or service can occur across trusts, Windows must determine if the domain being requested has a trust relationship with the requesting account’s logon domain. This is determined by quering the global catalog for TDO data. The Windows security system’s Netlgon service through an authenticated RPC (Remote Procedure Call) to the remote domain’s trusted domain authority, (the remote domain controller), computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account.

The Windows security system extends a secured channel to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups. The trust path is stored for authentication requests to the trusted domain.

Kerberos authentication Sequence between Domains in a Forest

image

A user in the marketing.trimagna.com domains needs to gain access to a file share on a server called fileserver.sales.contoso.com domain. This is assuming the User has already logged on to a workstation using credentials from the marketing.trimagna.com domain. As part of the logon process, the authenticating domain controller issues the User a ticket-granting ticket (TGT). This ticket is required for User1 to be authenticated to resources.

The User attempts to access a shared resource on \\FileServer.sales.contoso.com\share.

The following Kerberos V5 authentication process occurs:

1. The User’s workstation asks for a session ticket for the FileServer server in sales.contoso.com by contacting the Kerberos Key Distribution Center (KDC) on a domain controller in its domain (ChildDC1) and requests a service ticket for the FileServer.sales.contoso.com service principal name (SPN).

2. The KDC in the user’s domain (marketing.trimagna.com) does not find the SPN for FileServer.sales.contoso.com in its domain database and queries the GC to see if any domains in the forest contain this SPN.

a. The GC checks its database about all forest trusts that exist in its forest. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match.

b. Once a match is found, the global catalog sends the requested information as a referral back to the KDC in marketing.trimagna.com.

3. The KDC in the marketing.trimagna.com then issues the workstation a TGT for the contoso.com domain. This is known as a referral ticket.

4. The workstation then contacts the KDC in the trimagna.com tree root domain to request a referral to the KDC in the sales.contoso.com.

5. The KDC in the trimagna.com domain recognizes the user’s request to establish a session with a resource that exists in a foreign domain’s server.

a. The KDC then issues a TGT for the KDC in the contoso.com domain.

6. The workstation then presents the TGT for the sales.contoso.com domain to the KDC in the contoso.com domain.

7. The contoso.com KDC queries a GC to see if any domains in the forest contain this SPN. The GC checks its database about all forest trusts that exist in its forest. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match.

a. Once a match is found, the global catalog sends the requested information as a referral back to the KDC in contoso.com.

8. The KDC issues a TGT for the sales.contoso.com domain.

9. The workstation then contacts the KDC of the sales.contoso.com domain and presents the referral ticket it received from its own KDC.

a. The referral ticket is encrypted with the interdomain key that is decrypted by the foreign domain’s TGS.

b. Note: When there is a trust established between two domains, an interdomain key based on the trust password becomes available for authenticating KDC functions, therefore it’s used to encrypt and decrypt tickets.

10. The workstation also presents the KDC in the sales.contoso.com the TGT it received from the KDC in contoso.com for the sales.contoso.com domain and is issued a ST (Session Ticket) for the sales.contoso.com domain.

a. The ST is populated with the domain local group memberships from the sales.contoso.com domain.

11. The user presents FileServer.sales.contoso.com the ST to the server to gain access to resources on the server in sales.contoso.com.

12. The server, FileServer.sales.contoso.com compares the SIDs include in the session ticket to the ACEs on the requested resource to determine if the user is authorized to access the resource. If there is, the user is permitted to access the resource based on the ACL permissions.

Kerberos Authentication with a Shortcut Trust

If a shortcut trust exists from the sales.contoso.com domain to the marketing.trimagna.com domain, then the trust path will shortened, therefore the user authentication path will be direct between the two domains.

image

Additional Reading

============================================================

 

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Fine-Grained Password Policies User Interface in Windows 2012 R2 and Newer

Intro

Ace again! Let’s talk about FGPP!

When Active Directory was first introduced in Windows Server 2000, you can only create one password policy for the domain. That was configured in the Default Domain Policy. If you attempted to create a GPO linked to an OU with password policy settings, the Active Directory CSEs (Client Side Extensions – the client side DLLs that determine, download and run GPOs assigned to the computer or user) will ignore them.

FGGP Expanded Requirements

Therefore if an IT infrastructure design required a different password for different locations or users, the only option was to either create a password filter or create a separate child domain or a new Tree in the forest. Of course this came with design challenges, additional hardware and administrative overhead. For a number of years, this was a limitation that IT administrators had no real solution or alternative.

To provide a solution, Fine-Grained Password Policies (FGPPPs), were introduced in Windows Server 2008, continued in Windows 2008 R2. They provided administrators to create a Password Settings Policy (PSO) for a set of user accounts or groups and cannot be linked to GPOs, and the only way to create and administer PSOs and FGGPs are using low-level utilities, such as ADSI Edit.

Windows Server 2012 introduced a new GUI to ease creation and administration of PSOs and FGPPs. In this section, we will learn about the new FGPP and PSO features, and how to create administer them.

  • Why would we need an FGGP?
  • Understanding Password Settings Objects (PSOs)
  • What’s new in Windows 2012 FGGP?
  • PSO Resultant Set of Policies (RSOP)
  • What’s required to implement FGGPs? PowerShell and FGGPs

Why would we need a FGGP?

You can use fine-grained password policies to specify specific password policies in a single domain by applying different restrictions settings for password and account lockout policies to different sets of users and groups in a domain.

For example, you can apply stricter settings to privileged accounts such as administrator accounts, or executive accounts, and apply less strict settings to the accounts of other users. You can also create special password policies for accounts that get their passwords synchronized with other data sources or applications.

Understanding Password Settings Objects (PSOs)

Password Settings Objects (PSOs) have identical password settings as the password policy in a GPO. These settings include password length, complexity, account lockout, password minimum and maximum age, password history settings, PSO link, and Precedence.

PSOs are not linked to an OU. PSOs are applied users or groups. To help keep track of PSOs to an OU, for example, administrators can create an Active Directory group in an OU that is identically named as the group name.

With Windows Server 2008 and Windows Server 2008 R2, ADSI Edit (Active Directory Services Editor), a low level editor, is required to create, modify and apply PSOs to users or groups. ADSI Edit is akin to a “registry editor” that allows you to modify data in the various partitions in the AD database. Using ADSI Edit requires additional knowledge and skill level by an administrator to understand the various Active Directory database partitions and how to access them.

What’s new in Windows Server 2012 FGGPs?

In Windows Server 2012, creating and managing fine-grained password policy can now be performed using a user interface, the ADAC (Active Directory Administration Center), vastly improving ease of administration.

Administrators can now visually see a specific user’s resultant set of policies (RSOP), view and sort all password policies within a given domain, and manage individual password policies.

image

PSO Resultant Set of Policies (RSOP)

If a user or group has multiple PSOs linked to them, possibly because they are part of multiple Active Directory groups that have different PSOs, only one PSO can be applied. Therefore, the RSOP must be evaluated to insure the correct PSO is applied.

To determine and calculate the RSOP, each PSO has an additional attribute called the msDS-PasswordSettingsPrecedence.

The msDS-PasswordSettingsPrecedence attribute has an integer value of 1 or greater. The lower the value, the higher precedence it has. In a scenario where an AD group has two PSOs linked, with one of them having a value of 2, and the a value of 4, then the PSO with a value of 2 wins, and is applied to the AD group.

RSOP msDS-PasswordSettingsPrecedence Logic:

• A PSO that is linked directly to the user object is the resultant PSO. (Multiple PSOs should not be directly linked to users.)

• If no PSO is linked directly to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared. The PSO with the lowest precedence value is the resultant PSO.

• If no PSO is obtained from conditions (1) and (2), the Default Domain Policy is applied.

Additional reading on RSOP:

AD DS: Fine-Grained Password Policies
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

What’s required to implement FGGPs?

To point out, Fine-grained password policies can only be applied to global security groups and user objects (or inetOrgPerson objects, a specific attribute some third party applications may use, if they are used instead of user objects).

Requirements include:

  • Only members of the Domain Admins group can set fine-grained password policies, however, the tasks can be delegated to other users.
  • The domain functional level must be Windows Server 2008 or higher.
  • You must use the Windows Server 2012 version of ADAC (Active Directory Administrative Center) to administer fine-grained password policies through a graphical user interface.

Server Manager can be used to install the RSAT tools (Remote Server Administration Tools) on Windows Server 2012 computers to use the correct version of Active Directory Administrative Center to manage Recycle Bin through a user interface.

  • You can use RSAT on Windows® 8 computers to use the correct version of Active Directory Administrative Center to manage FGGPs.

PowerShell and FGGPs

PowerShell can also be used to create and manage FGGPs. For example, the command below will create the following settings:

  • • PSO Name: TestPswd
  • • Complexity: Enabled
  • • Lockout Duration: 30 Minutes
  • • Lockout Observation Windows: 30 Minutes
  • • Lockout Threshold: 0 Minutes
  • • MaxPasswordAge: 42 Days
  • • Minimum Password Age: 1 Day
  • • MinPasswordLength: 7 characters
  • • PasswordHistoryCount: 24 passwords remembered that you can’t use
  • • ProtectedFromAccidentalDeletion: Yes (prevents accidental deletion)
  • • Security Principal Applied to: AD Group called “group1”
New-ADFineGrainedPasswordPolicy TestPswd -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"7" -PasswordHistoryCount:"24" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true
Add-ADFineGrainedPasswordPolicySubject TestPswd -Subjects group1
Additional Reading:

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

Introduction to Active Directory Administrative Center Enhancements (Level 100)
http://technet.microsoft.com/en-us/library/hh831702.aspx

Creating fine grained password policies through GUI Windows server 2012 “Server 8 beta”
Microsoft Technet, by Tamer Sherif Mahmoud, Team Blog of MCS
http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

============================================================

Summary

Stay tuned for more on Azure and Cloud Computing

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023[2][2][2] clip_image0043[2][2][2] clip_image0063[2][2][2] clip_image0083[2][2][2] clip_image0103[2][2][2] clip_image0123[2][2][2] clip_image0143[2][2][2] clip_image0163[2][2][2]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

What is Cloud Computing?

Intro

Ace here again. This is part of my blog series on Azure and Cloud Computing

This is a short discussion about cloud computing, another aspect of Internet service providers offering to help companies reduce costs by practically eliminating hardware.

Service Providers and Services

In the past few years, many online service providers have gained momentum offering datacenter services to allow customers the ability to host services, applications, and operating systems. These service providers provide 24/7 availability and uptime monitoring, backups, disaster recovery, maintain application updates and provide full support.

As long as an employee has internet access, whether at the office or away, they can access these services and applications.

A Cloud Operating System does what a traditional operating system does – manage applications and hardware, but at the scope and scale of cloud computing, meaning the applications and hardware are operated and managed outside of a company’s network.

The foundations of the Cloud OS are Windows Server 2012 and Windows Azure, complemented by the full feature set of Microsoft technology solutions, such as SQL Server, System Center, Exchange Server, and Visual Studio. Together, these technologies provide a consistent platform for infrastructure, applications and data that can span your datacenter, service provider datacenters, and the Microsoft public cloud.

Public Clouds

Shared Public Cloud

A Shared Public Cloud provides the benefit of rapid implementation, massive scalability, and low cost of entry because multiple tenants share and absorb the overall costs reducing individual tenant costs.

It is delivered in a shared physical infrastructure where the architecture, customization, and degree of security are designed and managed by the hosting provider according to market-driven specifications.

Public clouds have weaker security due to their shared nature.

Dedicated Private Clouds

Dedicated Private clouds are similar to a Shared Public Cloud, except they are delivered on a dedicated physical infrastructure dedicated to a single organization.

Security, performance, and sometimes customization are better in the Dedicated Public Cloud than in the Shared Public Cloud. Its architecture and service levels are defined by the provider and the cost may be higher than that of the Shared Public Cloud.

Private Cloud

Dedicated Private clouds may be hosted by the organization itself at a co-location service where the organization owns all hardware and software, and provide their own full maintenance procedures including disaster recovery solutions, with the co-location only providing 24/7 power and internet connectivity guarantees, or they may be hosted by a cloud services provider, which provides all hardware and software and ensures that the cloud services are not shared with any other organization.

Private clouds are more than just large-scale hypervisor installation. They can use the Microsoft System Center 2012 management suite, which makes it possible to provide self-service delivery of services and applications.

Self-hosted Private Cloud

A Self-hosted Private Cloud provides the benefit of architectural and operational control utilizing the existing investment in people and equipment, and provides a dedicated on-premise environment that is internally designed, hosted, and managed.

Hosted Private Cloud

A Hosted Private Cloud is a dedicated environment that is internally designed, externally hosted, and externally managed. It blends the benefits of controlling the service and architectural design with the benefits of datacenter outsourcing.

Private Cloud Appliance

A Private Cloud Appliance is a dedicated environment that is purchased from a vendor and designed by that vendor, and are based on provider & market driven features and architectural control. They can be hosted internally or externally, and can be internally or externally managed. A Private Cloud Appliance benefits consumers by combining advantages of a predefined functional architecture, lower deployment risk with the benefits of internal security and control.

What does Windows 2012 R2 and Cloud OS Mean to Organizations?

It means organization can shift to efficiently manage datacenter resources as a whole, including networking, storage and computing. Organizations will be able to deliver and manage powerful apps that boost employee productivity providing faster access across private, hybrid (mixture of private & public clouds) and public clouds.

With Windows Server 2012 and newer, and System Center, an organization owns its own private cloud, and they can provide users a self-service portal to request their own multitier applications including web servers, database servers, and storage components.

Windows Server 2012 and the components of the System Center 2012 suite can be configured so service requests can be processed automatically, without requiring manual deployment of virtual machines and database server software.

Microsoft Private Cloud Fast Track

Microsoft Private Cloud Fast Track is a joint effort between Microsoft and its hardware partners to deliver pre-configured solutions that reduce the complexity and risk of implementing a private cloud, and provides and delivers flexibility and choice across a range of hardware vendor options technologies in pre-configured solutions.

For more information on Microsoft Private Cloud Fast Track, and the implementation deployment guide:

Microsoft Private Cloud Fast Track Information New and Improved, by Thomas W Shinder, MSFT, 7/27/2012
http://blogs.technet.com/b/privatecloud/archive/2012/07/27/microsoft-private-cloud-fast-track-information-new-and-improved.aspx

For a complete list of Reference Architecture for Private Cloud Documents:

Reference Architecture for Private Cloud
http://social.technet.microsoft.com/wiki/contents/articles/3819.reference-architecture-for-private-cloud.aspx

============================================================

Summary

Stay tuned for more on Azure and Cloud Computing

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023[2][2] clip_image0043[2][2] clip_image0063[2][2] clip_image0083[2][2] clip_image0103[2][2] clip_image0123[2][2] clip_image0143[2][2] clip_image0163[2][2]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

What is SaaS, PaaS, and IaaS?

Intro

Ace here again. With Azure gaining traction, and the whole “Cloud”computing buzzwords becoming a staple to every day life, I thought to bring some sunlight through and explain some of the offerings.

SaaS: Software as a Service

Software as a Service (SaaS) delivers business processes and applications, such as Sharepoint, CRM, collaboration, and e-mail, as standardized capabilities for a usage-based cost at an agreed, business-relevant SLA (service level agreement).

SaaS provides significant efficiencies in cost and delivery with minimal customization that represents a shift of operational risks from the consumer to the hosting provider. All infrastructure and IT operational functions are abstracted away from the consumer reducing consumer resource overhead.

The end user is the consumer, and benefits the most with SaaS with increased application uptime and performance.

PaaS: Platform as a Service

The most complex of the three, cloud platform services or “Platform as a Service,” (PaaS) delivers computational resources with an efficient and agile approach to operate scale-out applications in a predictable and cost-effective manner, through a platform, such as Windows Server 2012.

With PaaS, the application owner is the consumer. PaaS delivers application execution services, such as application runtime, storage, and integration, for applications written for a pre-specified development framework the consumer can build upon to develop, customize, and test applications. Deployment of applications is quick, simple, and cost-effective, eliminating the need to purchase underlying layers of hardware and operating systems.

PaaS is highly scalable. Consumers need not worry about platform upgrades or downtime due to maintenance.

Service levels and operational risks are shared because the consumer (customer) takes responsibility for the stability, architectural compliance, and overall operations of the application while the provider delivers the platform capability (including the network infrastructure and operational functions) at a predictable service level and cost.

One comparison between SaaS vs. PaaS is with PaaS, vendors still manage runtime, middleware, O/S, virtualization, hardware (servers & storage), and networking, but users manage applications and data. With SaaS, the users only control the software, not the platform the software is running on.

IaaS: Infrastructure as a Service

Cloud infrastructure services, known as “Infrastructure as a Service,” (IaaS), deliver computer infrastructure (such as a platform virtualization environment), storage, and networking.

IaaS abstracts hardware (server, storage, and network infrastructure) into a pool of computing, storage, and connectivity capabilities that are delivered as services for a usage-based (metered) cost. Its goal is to provide a flexible, standard, and virtualized operating environment that can become a foundation for PaaS and SaaS.

IaaS is usually seen to provide virtual server standardization by the hosting provider. The hosting provider manages virtualization and provides service level agreements (SLA) that cover the performance and availability of the virtualized infrastructure.

The consumer takes responsibility for configuration, operations, maintenance, updates, upgrades and support of the guest Operating System (OS), software, and Database (DB). Compute capabilities (such as performance, bandwidth, and storage access) are also standardized.

IaaS is an advanced state of IT maturity that has a high degree of automation, integrated-service management, and efficient use of resources.

The consumer can be the application owner and/or the IT department, and also provide middleware, application and operating system updates, upgrades and support. The benefit to the consumer is they can install any required platforms.

image

Click here for additional information

What does Windows 2012 R2 and Cloud OS Mean to Organizations?

It means organization can shift to efficiently manage datacenter resources as a whole, including networking, storage and computing. Organizations will be able to deliver and manage powerful apps that boost employee productivity providing faster access across private, hybrid (mixture of private & public clouds) and public clouds.

With Windows Server 2012 and System Center, an organization owns its own private cloud, and they can provide users a self-service portal to request their own multitier applications including web servers, database servers, and storage components.

Windows Server 2012 and the components of the System Center 2012 suite can be configured so service requests can be processed automatically, without requiring manual deployment of virtual machines and database server software.

Microsoft Private Cloud Fast Track

Microsoft Private Cloud Fast Track is a joint effort between Microsoft and its hardware partners to deliver pre-configured solutions that reduce the complexity and risk of implementing a private cloud, and provides and delivers flexibility and choice across a range of hardware vendor options technologies in pre-configured solutions.

For more information on Microsoft Private Cloud Fast Track, and the implementation deployment guide:

Microsoft Private Cloud Fast Track Information New and Improved, by Thomas W Shinder, MSFT, 7/27/2012
http://blogs.technet.com/b/privatecloud/archive/2012/07/27/microsoft-private-cloud-fast-track-information-new-and-improved.aspx

For a complete list of Reference Architecture for Private Cloud Documents:

Reference Architecture for Private Cloud
http://social.technet.microsoft.com/wiki/contents/articles/3819.reference-architecture-for-private-cloud.aspx

============================================================

Summary

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023[2] clip_image0043[2] clip_image0063[2] clip_image0083[2] clip_image0103[2] clip_image0123[2] clip_image0143[2] clip_image0163[2]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Active Directory DNS Single Label Names

Intro

Hey everyone, Ace again. Let’s discuss this issue. I hardly see this issue any more, because it was a previously prevalent when Active Directory was introduced, since there were some confusion about AD domain naming, and many IT admins used NT4’s domain naming guidelines. Man of us are now familiar with AD’s naming convention, and have more than likely renamed or rebuilt their AD domains. However, there are still some installations with this issue. 

How did it happen? Many reasons, such as lack of research on AD’s DNS requirements, assumptions, or a simple typo when originally upgrading from NT4 or promoting your new AD domain. It doesn’t matter now, because you were brought here to find out what to do with it.

I hope you find this blog informative on this issue and what to do about it.

First, let’s discuss a little background on the necessary components at play…

FQDN

First, let’s discuss the FQDN. What is an FQDN? It stands for “Fully Qualified Domain Name.” It is multi-level, or hierarchal, such as:

domain.com
domain.net
domain.local
childdomainname.domain.local
etc

What is a Single Label DNS Domain name?
The name is reminiscent of the legacy style NT4 domain NetBIOS domain names, such as:

DOMAIN
CORP
COMPANYNAME
etc

Unfortunately, since this does not work with DNS, and Active Directory relies on DNS, therefore, it does not work with Active Directory. Stay with me. I’ll explain…

DNS

DNS is a hierarchal database. Some call it a “tree” with a root (the ‘com’ or ‘net’, etc, name), then the trunk (the ‘domain’ portion of it), and the branches (such as www, servername, etc). The Root domain name, such as com, edu, net, etc, is also known as the TLD (Tope Level Domain name).

Basically you can look at a DNS domain name as having multiple levels separated by periods. The minimal requirment for an FQDN domain name, such as microsoft.com, is two levels. Then of course are your resource names, such as www, servername, or even child domain names under it.

Notice with a single label name there is only one name for the domain, or one level? Don’t get this confused with the NetBIOS domain name, that we were familiar with in the NT4 days. AD supports the NetBIOS domain name as well, but only as a NetBIOS domain name. It’s one of the domain names chosen when a machine is promoted into a domain controller for a brand new domain in a brand new forest. NT4 wasn’t reliant nor did it use DNS for NT4 domains. However, AD is reliant, therefore it must follow DNS naming rules.

Unfortunately the old NT4 style names are not hierarchal because there is only one level.
 
Since AD requires and relies on DNS, and DNS is a hierarchal database, a single label name does not follow any sort of hierarchy. DNS fails with single label names. Windows 2008, Windows 2003, XP and Vista have problems resolving single label names because it does not follow the proper format for a DNS domain name, such as domain.com, etc.

Also, Windows 2000 SP4 and all newer machines have problems querying single label names. It’s explained below by Alan Woods. Because clients query DNS for AD resources (domain controller locations and other services), they may have difficulty finding resources.

How did it happen? As I said earlier, it doesn’t matter now, because you were brought here to find out what to do with it.

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (or any AD upgrade or installation):
http://support.microsoft.com/kb/555040

Single Label Name Explanation

Another variation of the Single Label Name explanation that I had provided in a response to a post in the DNS and/or AD newsgroups at one time:

The issue is the single label name. Locally at HQ, it’s using NetBIOS to join, however remotely, it’s relying on DNS. DNS queries do not work properly with single label names on Windows 2000 SP4 and all newer machines.

Period. Why? good question. It’s based on the fact DNS is hierarchal. Hierarchal meaning it must have multi levels, a minimum of two levels.

The TLD (top level domain) is the root name, such as the com, net, etc., names. The client side resolver service algorithm (which is governed by the DHCP Client service which must be running on all machines, static or not),
relies on that name for the basis to find the second level name (the name “domain” in domain.com, etc.). If the name is a single label name, it thinks THAT name is the TLD.

Therefore it then hits the Internet Root servers to find how owns and is authoritative for that TLD.Such as when looking up Microsoft.com. It queries for the COM portion, which the roots return the nameservers responsible for the COM servers, then it queries for the servers responsible for Microsoft.com zone.

If it’s a single label, the query ends there, and it won’t go further. However what is funny (sic) is that even though the single label name is being hosted locally in DNS, it will NOT query locally first, because it believes it is a TLD, therefore goes through the normal resolution (recursion and devolution) process, which causes excessive query traffic to the internet Root servers.

How to fix it? Good question. Glad you’ve asked.

  1. The preferred “fix” (in a one line summary), is to install a fresh new domain properly named and use ADMT to migrate user, group and computer accounts into the new domain from the current domain.
  2. An alternative is to perform a domain rename, (difficulty depends on the operating system and which version of Exchange is installed).
  3. As a temporary resort, you can use the patch or band aid registry fix to force resolution and registration that is mentioned in the following link. This must be applied to every machine. Unfortunately it must be done on every machine in the domain, including the DCs, member servers, workstations and laptops.

Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:
http://support.microsoft.com/?id=300684

Single Label Names and being a better Internet Neighbor

The following was posted by Microsoft’s Alan Woods in 2004:

Single label names, from Alan Woods, [MSFT], posted:

—– Original Message —–
From: “Alan Wood” [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS

Hi Roger,

We really would prefer to use FQDN over Single labled. There are
alot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that.   NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON’T DO IT.  It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this.  We will support you but
it the end results could be limiting as an end results depending on the
services you are using.

Thank you,

Alan Wood[MSFT]

 

Related Articles – Even though they seem old, they STILL APPLY!!!

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
http://support.microsoft.com/kb/555040

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003:
http://support.microsoft.com/kb/825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/kb/291382

Naming conventions in Active Directory for computers, domains, sites, and OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264

============================================================

Summary

I hope this helps!

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Delegate Permissions for an OU in Active Directory Users and Computers (ADUC) & Create a Custom MMC, or Just Use RSAT

Updated 9/20/2016

Note- this was put together and fast published and there may be errors. Check back for updates when I add RSAT info.

Prologue

Ace here again. Yep, me again. This scenario comes up time to time. Sure, you can use the RSAT tools, but here an old fashioned, truly tried method that works nicely so a delegated OU admin can only see and do what they need to do in their OU.

Scope

After you Delegate Permissions in to a limited admin in Active Directory, such as the ability to reset passwords, you may want to create a custom ADUC MMC (console or custom taskpad)  for the delegated admin to control the portion of AD (the OU) they are allowed or delegated in.

For Windows 2003 AD – but it will work in 2008 and newer

The last time I set this up for a customer, involved a snap-in for each ‘location’ OU, I allowed to retain the rt-click context, and the tree view available in the custom console (left pane and right pane), but I removed everything else including the file menu buttons and such. So under View, Customize, uncheck everything except the top one that says Console Tree. This way they can’t go up level or click any of the things in there. But they will have the right-click feature.
 
You can also choose to remove the left hand pane (tree view).

MMC v2 and v3 are the same:

  • Start/run/mmc, hit enter
  • File, Add-Remove Snap-in, Add ADUC
  • Drill down under the domain to the OU you want.
  • Right-click on that OU, choose new window from here.
  • A new window pops up with the OU in the left pane and the contents in the right pane.
  • Close the original ADUC window leaving the new window open that you’ve just created.
  • Expand the window to take up the whole console. – This will keep them in this section and they will not be able to go up levels and are ‘stuck’ in this OU.
  • Select View/Customize
  • Uncheck everything but Console Tree.
  • File/Options Choose Console Mode, then select:

User mode: Limited Access single window
Check: Do not Save Changes to this console
Uncheck: Allow the user to customize views
Save it.

  • Logon as a test user that was delegated permissions and test it.

If you want to eliminate the ability for the delegated admin to right-click on a user account, uncheck the Console Tree above, then change the console view by right-clicking on the OU, choose New Task View, and choose a vertical or horizontal list, then choose to create a new task, menu command, highlight a user account, choose reset password, or anything else in the right column, choose an icon, and finish.

Copy the .MSC file via a UNC connected to the delegated person’s XP workstation’s \Documents and Settings\username\desktop folder, or if Windows Vista or newer, in the C:\users\username\desktop folder.

Keep in mind, the Active Directory Administration Center, RSAT tools or AdminPak tools, depending on what operating system version the client side is, needs to be installed on the workstation for the ADUC binaries to be available for this task pad to work.

 

For Windows 2003/Windows XP using the AdminPak tools just for the ADUC snap-in, nothing else:

Copy over the following three DLLS from the 2003 or newer DC you are on, to their client’s system32 folder. All three of these are needed on a 2003 DC or newer, or the ADUC won’t open. However, on an XP or newer machine, you only need two. If I were to allow users to change passwords and create a custom MMC for just that OU, then all I need is adprop.dll and dsadmin.dll, otherwise you need all three.

  • adprop.dll (for object properties)
  • dsadmin.dll (ability to alter object properties)
  • dsprop.dll (for object properties related to directory services)

Then you can use PSEXEC (one of the PSTools available free at Microsoft) to remotely register the DLLs listed below on their workstation using the regsrv32.exe utility.
Download PsExec v1.98, by By Mark Russinovich, Published: April 28, 2009
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

  • psexec \\machinename regsvr32 adprop.dll
  • psexec \\machinename regsvr32 dsadmin.dll
  • psexec \\machinename regsvr32 dsprop.dll

Here are some screenshots at the following link:

Create Taskpads for Active Directory Operations:
http://www.petri.co.il/create_taskpads_for_ad_operations.htm

===============================================

For AD on Windows 2008 and newer:

You can use the ADAC & RSAT Tools, or you can use the above method.
Note: ADAC does not have a feature to break down specific tools to create a custom console as shown above.

For the Active Directory Administration Center and the RSAT tools:

For the Related links below for the new AD Admin Center. However, the Admin Center does not have the feature to break down just specific tools to create a custom console as shown above.

Active Directory Administration Center (ADAC):

Active Directory Administrative Center: Getting Started
http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx

Active Directory Administrative Center —  the New AD interface
http://techibee.com/active-directory/active-directory-administrative-center-a-new-ad-interface-for-win7-and-win-2008/290

Learn New Features in Active Directory Administrative Center
http://www.enterprisenetworkingplanet.com/windows/article.php/3887136/Learn-New-Features-in-Active-Directory-Administrative-Center.htm

Remote Server Administration Tools (RSAT) for Windows operating systems (Discusses how to install it for all versions of Windows)
https://support.microsoft.com/en-us/kb/2693643

Remote Server Administration Tools for Windows 10
https://www.microsoft.com/en-us/download/details.aspx?id=45520 

Customizing – Installing Remote Server Administration Tools (RSAT) for Windows 7
http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm

Remotely managing your Server Core using RSAT
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/04/27/remotely-managing-your-server-core-using-rsat.aspx
==================================================================

Summary

I hope this helps!

Last updated – 2/2006, updated 9/20/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image002[3] clip_image004[3] clip_image006[3] clip_image008[3] clip_image010[3] clip_image012[3] clip_image014[3] clip_image016[3]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Kerberos Authentication Sequence Across Trusts

 

Intro

Hey everyone, Ace again. This is a quick publish on how Kerb authentication works across a trust.

Here’s how it works (no shortcut trusts)

AD Trusts - Kerberos Authentication Sequence across a trust (from the PPT slide)

A user in the marketing.trimagna.com domains needs to gain access to a file share on a server called fileserver.sales.contoso.com domain. This is assuming the User has already logged on to a workstation using credentials from the marketing.trimagna.com domain. As part of the logon process, the authenticating domain controller issues the User a ticket-granting ticket (TGT). This ticket is required for User1 to be authenticated to resources.

The User attempts to access a shared resource on \\FileServer.sales.contoso.com\share.

The following Kerberos V5 authentication process occurs:

1. The User’s workstation asks for a session ticket for the FileServer server in sales.contoso.com by contacting the Kerberos Key Distribution Center (KDC) on a domain controller in its domain (ChildDC1) and requests a service ticket for the FileServer.sales.contoso.com service principal name (SPN).

2. The KDC in the user’s domain (marketing.trimagna.com) does not find the SPN for FileServer.sales.contoso.com in its domain database and queries the GC to see if any domains in the forest contain this SPN.

a. The GC checks its database about all forest trusts that exist in its forest. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match.

b. Once a match is found, the global catalog sends the requested information as a referral back to the KDC in marketing.trimagna.com.

3. The KDC in the marketing.trimagna.com then issues the workstation a TGT for the contoso.com domain. This is known as a referral ticket.

4. The workstation then contacts the KDC in the trimagna.com tree root domain to request a referral to the KDC in the sales.contoso.com.

5. The KDC in the trimagna.com domain recognizes the user’s request to establish a session with a resource that exists in a foreign domain’s server.

a. The KDC then issues a TGT for the KDC in the contoso.com domain.

6. The workstation then presents the TGT for the sales.contoso.com domain to the KDC in the contoso.com domain.

7. The contoso.com KDC queries a GC to see if any domains in the forest contain this SPN. The GC checks its database about all forest trusts that exist in its forest. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match.

a. Once a match is found, the global catalog sends the requested information as a referral back to the KDC in contoso.com.

8. The KDC issues a TGT for the sales.contoso.com domain.

9. The workstation then contacts the KDC of the sales.contoso.com domain and presents the referral ticket it received from its own KDC.

a. The referral ticket is encrypted with the interdomain key that is decrypted by the foreign domain’s TGS.

b. Note: When there is a trust established between two domains, an interdomain key based on the trust password becomes available for authenticating KDC functions, therefore it’s used to encrypt and decrypt tickets.

10. The workstation also presents the KDC in the sales.contoso.com the TGT it received from the KDC in contoso.com for the sales.contoso.com domain and is issued a ST (Session Ticket) for the sales.contoso.com domain.

a. The ST is populated with the domain local group memberships from the sales.contoso.com domain.

11. The user presents FileServer.sales.contoso.com the ST to the server to gain access to resources on the server in sales.contoso.com.

12. The server, FileServer.sales.contoso.com compares the SIDs include in the session ticket to the ACEs on the requested resource to determine if the user is authorized to access the resource. If there is, the user is permitted to access the resource based on the ACL permissions.

Shortcut Trust

If a shortcut trust exists from the sales.contoso.com domain to the marketing.trimagna.com domain, then the trust path will shortened, therefore the user authentication path will be direct between the two domains.

image

Additional Reading
Kerberos Explained
http://technet.microsoft.com/en-us/library/bb742516.aspx

Accessing resources across domains [and trusts]
http://technet.microsoft.com/en-us/library/cc787646(v=ws.10).aspx

============================================================

Summary

I hope this helps!

Published 9/20/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image00262 clip_image00462 clip_image00662 clip_image00862 clip_image01062 clip_image01262 clip_image01462

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Delegate Permissions for an OU in Active Directory Users and Computers (ADUC) & Create a Custom MMC, or Just Use RSAT

Updated 9/20/2016

Note- this was put together and fast published and there may be errors. Check back for updates when I add RSAT info.

Prologue

Ace here again. Yep, me again. This scenario comes up time to time. Sure, you can use the RSAT tools, but here an old fashioned, truly tried method that works nicely so a delegated OU admin can only see and do what they need to do in their OU.

Scope

After you Delegate Permissions in to a limited admin in Active Directory, such as the ability to reset passwords, you may want to create a custom ADUC MMC (console or custom taskpad)  for the delegated admin to control the portion of AD (the OU) they are allowed or delegated in.

For Windows 2003 AD – but it will work in 2008 and newer

The last time I set this up for a customer, involved a snap-in for each ‘location’ OU, I allowed to retain the rt-click context, and the tree view available in the custom console (left pane and right pane), but I removed everything else including the file menu buttons and such. So under View, Customize, uncheck everything except the top one that says Console Tree. This way they can’t go up level or click any of the things in there. But they will have the right-click feature.
 
You can also choose to remove the left hand pane (tree view).

MMC v2 and v3 are the same:

  • Start/run/mmc, hit enter
  • File, Add-Remove Snap-in, Add ADUC
  • Drill down under the domain to the OU you want.
  • Right-click on that OU, choose new window from here.
  • A new window pops up with the OU in the left pane and the contents in the right pane.
  • Close the original ADUC window leaving the new window open that you’ve just created.
  • Expand the window to take up the whole console. – This will keep them in this section and they will not be able to go up levels and are ‘stuck’ in this OU.
  • Select View/Customize
  • Uncheck everything but Console Tree.
  • File/Options Choose Console Mode, then select:

User mode: Limited Access single window
Check: Do not Save Changes to this console
Uncheck: Allow the user to customize views
Save it.

  • Logon as a test user that was delegated permissions and test it.

If you want to eliminate the ability for the delegated admin to right-click on a user account, uncheck the Console Tree above, then change the console view by right-clicking on the OU, choose New Task View, and choose a vertical or horizontal list, then choose to create a new task, menu command, highlight a user account, choose reset password, or anything else in the right column, choose an icon, and finish.

Copy the .MSC file via a UNC connected to the delegated person’s XP workstation’s \Documents and Settings\username\desktop folder, or if Windows Vista or newer, in the C:\users\username\desktop folder.

Keep in mind, the Active Directory Administration Center, RSAT tools or AdminPak tools, depending on what operating system version the client side is, needs to be installed on the workstation for the ADUC binaries to be available for this task pad to work.

 

For Windows 2003/Windows XP using the AdminPak tools just for the ADUC snap-in, nothing else:

Copy over the following three DLLS from the 2003 or newer DC you are on, to their client’s system32 folder. All three of these are needed on a 2003 DC or newer, or the ADUC won’t open. However, on an XP or newer machine, you only need two. If I were to allow users to change passwords and create a custom MMC for just that OU, then all I need is adprop.dll and dsadmin.dll, otherwise you need all three.

  • adprop.dll (for object properties)
  • dsadmin.dll (ability to alter object properties)
  • dsprop.dll (for object properties related to directory services)

Then you can use PSEXEC (one of the PSTools available free at Microsoft) to remotely register the DLLs listed below on their workstation using the regsrv32.exe utility.
Download PsExec v1.98, by By Mark Russinovich, Published: April 28, 2009
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

  • psexec \\machinename regsvr32 adprop.dll
  • psexec \\machinename regsvr32 dsadmin.dll
  • psexec \\machinename regsvr32 dsprop.dll

Here are some screenshots at the following link:

Create Taskpads for Active Directory Operations:
http://www.petri.co.il/create_taskpads_for_ad_operations.htm

===============================================

For AD on Windows 2008 and newer:

You can use the ADAC & RSAT Tools, or you can use the above method.
Note: ADAC does not have a feature to break down specific tools to create a custom console as shown above.

For the Active Directory Administration Center and the RSAT tools:

For the Related links below for the new AD Admin Center. However, the Admin Center does not have the feature to break down just specific tools to create a custom console as shown above.

Active Directory Administration Center (ADAC):

Active Directory Administrative Center: Getting Started
http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx

Active Directory Administrative Center —  the New AD interface
http://techibee.com/active-directory/active-directory-administrative-center-a-new-ad-interface-for-win7-and-win-2008/290

Learn New Features in Active Directory Administrative Center
http://www.enterprisenetworkingplanet.com/windows/article.php/3887136/Learn-New-Features-in-Active-Directory-Administrative-Center.htm

Remote Server Administration Tools (RSAT) for Windows operating systems (Discusses how to install it for all versions of Windows)
https://support.microsoft.com/en-us/kb/2693643

Remote Server Administration Tools for Windows 10
https://www.microsoft.com/en-us/download/details.aspx?id=45520 

Customizing – Installing Remote Server Administration Tools (RSAT) for Windows 7
http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm

Remotely managing your Server Core using RSAT
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/04/27/remotely-managing-your-server-core-using-rsat.aspx
==================================================================

Summary

I hope this helps!

Last updated – 2/2006, updated 9/20/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image002 clip_image004 clip_image006 clip_image008 clip_image010 clip_image012 clip_image014 clip_image016

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

OU Structures and Group Policy Objects (GPOs) Design Considerations and Guidelines

Original posting: 8/25/2014
Revised 5/26/2017

Hey everyone, Ace here, again. This is an accumulation of notes on OU structures. It’s not very well laid out, but I hope it gives you some ideas on how to design an OU structure and to help with applying GPOs.

Default Domain Policy and OU Design

It’s suggested and recommended to not change the Default Domain Policy.
Keep in mind, whatever you set at the domain level will flow downhill to
everything. I would suggest to design your OU structure to reflect your
organization and/or departments, which will also help you create GPOs for
the OU design.

For example, for a company with more than one location/site, I would suggest
the following – and this is just that… a suggestion.

Domain
…..Philly OU
…………..Accounting
…………..Sales
…………..Marketing
…………..Desktop
…………..Users
…………..Groups
…………..Laptops
…..Seattle OU
…………..Accounting
…………..Sales
…………..Marketing
…………..Desktops
…………..Users
…………..Groups
…………..Laptops

In the above example, I separated Laptops and Desktops because I have two different Windows Update GPOs set. The Desktop Windows Update GPO I created runs at 3:00 AM, whereas the Laptop Updates run at 3:30 PM while the users have the laptops in the
office.

I also separated groups just to “group” them together, and for no other reason.

This design also allows me to create GPOs for the different offices,
or I can create one and link them to both offices. The design possibilities
are endless, especially if you control flow with Block Inheritance, Loopback, WMI filtering, disabling the Computer or User portion of a GPO, etc., however in many cases I do not use these features because trying to support them 8 months later when there’s a problem it is difficult to remember what you had blocked, etc.

And yes, you can use RSOP to look at what is being applied, etc., but I find it easier to simply create another OU or a child OU to have a different setting than the parent, such as the following, where I created a GPO to lock the desktop with two different time settings.

The Desktops OU has a 30 minute setting, but I created a 15 Minute Timeout OU directly beneath it. Because the identical setting is different on the child, it overrides the parent’s setting. I can simply “look” at my OUs and know what I have applied.

…..Seattle OU
…………..Accounting
…………..Sales
…………..Marketing
…………..Desktops
………………..15 Minute Timeout OU
…………..Users
…………..Laptops

These are just suggestions, and you may find that it may work for you, or not. Even in a single site, I still do it this way, because it is flexible. You never know when the customer or your company may expand. If they do, simply create another OU for the new location.

GPO Inheritance:

There was one question that came up regarding the above example that I thought
I would share:

So lets say I open AD users and Computers and create a new OU named Philly OU,
then inside this OU I create another six sub-OU such as: Accounting,Sales,Marketing, etc..

My questions is do I need right click on each sub-OU such as Accounting,Sales,Marketing, etc…  in the GPO tab to configure the same policy settings or just enough by setting up a GPO policy in the Philly OU parent OU folder to automatically apply to all other sub-OU?
 
The simple answer is yes, the policy will inherit or flow downhill (traverse), as long as:

• There are no blocks or filtering not allowing it to apply to the target (user or computer).
• No other policy has enforcement override with conflicting settings
• Whether the GPO is targeting user accounts or computer objects, the user and computer objects must have read rights to the following attributes:
     – gpLink
     – gpOptions

Note: The Read permissions is also important if you were to enable Loopback Processing, as well as List Object Mode on the directory, which is a form of filtering views in the ADUC and GPMC.

Loopback processing explained:

Loopback processing of Group Policy, explained. Sunday, 26 July 2009
http://kudratsapaev.blogspot.co.uk/2009/07/loopback-processing-of-group-policy.html

You can use the Loopback to apply a GPO that depend only on which computer the user logs on to, say for example if the computer object is in a different OU. It’s a feature normally used to lock down a computer that a user is on. It’s normally used with Kiosk mode, such as a self-checkout register at the grocery store, but it can be used for anything you need. More info on this feature:

Circle Back to Loopback – Part 1
By Jonathan Stephens, MSFT
http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx

Back to the Loopback: Troubleshooting Group Policy loopback processing, Part 2
By Jonathan Stephens, MSFT
http://blogs.technet.com/b/askds/archive/2013/05/21/back-to-the-loopback-troubleshooting-group-policy-loopback-processing-part-2.aspx

Loopback processing of Group Policy
http://support.microsoft.com/kb/231287

*

Videos that should help understand this better:

Video: Active Directory: Introduction to Group Policy
Compiled From MOC 2279b Planning, Implementing & Maintaining a Microsoft Windows 2003 AD Infrastructure, Module 6, by Ace Fekay
https://www.youtube.com/watch?v=E0qjZhMNQUY

Active Directory: Introduction to Group Policy

*

Video: Introduction to Active Directory’s Logical Design
Compiled From MOC 2279b Planning, Implementing & Maintaining a Microsoft Windows 2003 AD Infrastructure, Module 1, by Ace Fekay
http://www.youtube.com/watch?v=TLZZ1iHMr2Q

Introduction to Active Directory’s Logical Design

 

References

Dude, where’s my GPO? Using PowerShell to find all of your Group Policy links.
“… you can easily create a report of all your Group Policy Objects (GPOs) …”
Cool article to list out all your GPOs in one spot with PowerShell. Can be helpful with troubleshooting.
http://blogs.technet.com/b/ashleymcglone/archive/2013/05/29/dude-where-s-my-gpo-using-powershell-to-find-all-of-your-group-policy-links.aspx

A good discussion on GPO Design in the following thread with good info by Christoffer Andersson:
Thread: “Building Organization Hierarchy with Active Directory” 6/2013
http://social.technet.microsoft.com/Forums/windowsserver/en-US/798bf766-a351-4fdb-b8f8-927ad60e1270/building-organisation-hierarchy-with-active-directory

Reviewing OU Design Concepts, Updated: April 11, 2008
Applies To: Windows Server 2008, Windows Server 2008 R2 (These concepts also apply to 2003):
Quoted: “While there is no technical limit to the number of levels in your OU structure, for manageability we recommend that you limit your OU structure to a depth of no more than 10 levels. There is no technical limit to the number of OUs on each level. Note that Active Directory Domain Services (AD DS)–enabled applications might have restrictions on the number of characters used in the distinguished name (that is, the full Lightweight Directory Access Protocol (LDAP) path to the object in the directory) or on the OU depth within the hierarchy.”
http://technet.microsoft.com/en-us/library/cc725715(v=ws.10).aspx

Here’s a basic visual of how GPOs work, and how it would flow downhill.
https://onedrive.live.com/?cid=0C7B9FD0852378B8&id=C7B9FD0852378B8%21237&parId=C7B9FD0852378B8%21234&o=OneUp
image

Design Considerations for Organizational Unit Structure and Use of Group Policy Objects
http://technet.microsoft.com/en-us/library/cc785903.aspx

TechNet Magazine: Group Policy
http://technet.microsoft.com/en-us/magazine/cc135925.aspx

Group Policy and Advanced Group Policy Management
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

Win2k3 AD OU/GPO Design Discussion
http://www.tomshardware.com/forum/190896-46-win2k3-design-discussion

AD Scalability and GPOs
http://technet.microsoft.com/en-us/library/cc756101.aspx

You receive a “Failed to delete Group Policy Object” error message when you try to delete the default domain policy or the default domain controller policy in Windows Server 2003 and in Windows 2000 Server”
“… the default domain Group Policy object (GPO) and the default domain controller Group Policy object cannot be deleted.”
http://support.microsoft.com/kb/910201

Default Group Policy objects become corrupted: disaster recovery
http://technet.microsoft.com/en-us/library/cc739095(WS.10).aspx

Chapter 4: Strengthening Domain and Domain Controller Policy Settings (applies to all operating systems)
http://technet.microsoft.com/en-us/library/cc773205(v=WS.10).aspx

*

============================================================

Summary

Published 5/1262017
I hope this helps!

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Active Directory Firewall Ports – Let’s Try To Make This Simple

Preamble

Ace here again. I thought to clean up and re-publish my blog on AD ports requirements. Yes, they are extensive, to the dismay of the network group in your organization. But it is what it is, and it is what we need to follow to make AD work.

RPC server not available? Replication errors in the Event viewer? Sound familiar?

If so, you’ve been succumbed to the fact and realization there are possibly necessary ports being blocked causing these familiar AD communications errors. Whether between locations with firewall/VPN tunnel port blocks, Windows Firewall (which is usually not the culprit because they will auto-configure for the role of the machine and it’s current network location), or even security software or antivirus apps with some sort of “network traffic protection” feature enabled that is causing the problem.

Simply speaking, if there are replication or other AD communication problems, and you have an antivirus software installed on the endpoints or installed on all of  your DCs, disable it, or better yet, uninstall it. Uninstalling it is the best bet, so you know there are no traces of other subcomponents that are active that may still be causing the block. If after uninstalling it, and you find replication now works, well there you have it. At that point, you’ll need to contact your antivirus vendor to ask them the best way to configure it to allow AD communications and replication.

If it’s not your antivirus or security app, and disabling the Windows firewall doesn’t do the trick, then it’s obvious it’s an outside factor – your edge/perimeter firewalls.

Also to point out, when testing for port blocks, tools such as telnet is not a good tool to test AD/DC to DC connectivity, nor is any sort of standard port scan, such as using nmap, or a simple ping, resolving with nslookup (although resolving required records is a pre-requisite), or other tools. The only reliable test is using Microsoft’s PortQry, which tests specific AD ports and the ephemeral ports, and the required responses from the services on the required AD ports it specifically scans for.

AD through a NAT? Nope. Period.

Oh, and don’t expect to get this to work through a NAT. NATs cannot translate the encrypted RPC traffic therefore bonking LDAP communications.

Description of Support boundaries for Active Directory over NAT
http://support.microsoft.com/kb/978772

How to configure RPC dynamic port allocation to work with firewalls”
AD communications won’t work through a NAT port translation, such as you cannot use DCOM through a NAT firewall that performs address translation (e.g. where a client connects to virtual address 198.252.145.1, which the firewall maps transparently to the server’s actual internal IP address of, say, 192.100.81.101). This is because DCOM stores raw IP addresses in the interface marshaling packets and if the client cannot connect to the address specified in the packet, it will not work.”
Quoted from: http://support.microsoft.com/kb/154596/en-us

Windows 2000 NAT Does Not Translate Netlogon Traffic (this applies to all DCs)
Quoted: “Windows 2000 NAT does not support Netlogon and translate Kerberos. If you have clients that are located behind a Windows 2000-based NAT server and need access to domain resources, consider creating a Routing and Remote Access virtual private network (VPN) tunnel for Netlogon traffic, or upgrade the clients to Windows 2000.”
Quoted from: http://support.microsoft.com/kb/263293

*

Ok, let’s find out if the ports are being blocked

Now you’re thinking that your network infrastructure engineers know what they’re doing and opened up the necessary ports, so you’re thinking, this can’t be the reason? or is it? Well, let’s find out. We can use PortQry to test it. And no, you don’t want to use ping, nslookup, nmap or any other port scanner, because they’re not designed to query the necessary AD ports to see if they are responding or not.

So let’s run PortQry:

First, download it:

       PortQryUI – GUI – Version 2.0 8/2/2004
       http://www.microsoft.com/download/en/details.aspx?id=24009

Then run the “Domains & Trusts” option between DCs, or between DCs and any machine (other servers you want to promote, or even from a client machine), or from the bridgeheads in each site to the other bridgehead in the other site., pretty much anywhere that you want to test if there are any blocked AD ports.

The point is, you’ll want to run it in any scenario where a DC must communicate to another DC or to a client.

If you get any errors with “NOTLISTENING,” 0x00000001, and 0x00000002, that means there is a port block. Take note on which ports they are.

You can ignore UDP 389 and UDP 88 messages. If you see TCP 42 errors, that just means WINS is not running on the target server.

PortQry References

Knock Knock Is That Port Open?
By Mark Morowczynski [MSFT] 18 Apr 2011, Quick tutorial about PortQry GUI version.
http://blogs.technet.com/b/markmoro/archive/2011/04/18/knock-knock-is-that-port-open.aspx

“At times you may see errors such as The RPC server is unavailable or There are no more endpoints available from the endpoint mapper …”
http://blogs.technet.com/b/askds/archive/2009/01/22/using-portqry-for-troubleshooting.aspx

How to use Portqry to troubleshoot Active Directory connectivity issues
http://support.microsoft.com/kb/816103

If you want to use the command line only version:

Download details: PortQry Command Line Only Port Scanner Version 2.0
http://www.microsoft.com/downloads/en/details.aspx?familyid=89811747-c74b-4638-a2d5-ac828bdc6983&displaylang=en

Understanding portqry and the command’s output: New features and functionality in PortQry version 2.0
http://support.microsoft.com/kb/832919

Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099

Portqry Remarks
http://technet.microsoft.com/en-us/library/cc759580(WS.10).aspx

*

DC to DC and DC to client communications Require Numerous ports

There’s no secret to this. That’s the simplest I can put it.

And, the list of ports required is long, to the dismay of network infrastructure engineering teams that must bequest ports to allow AD to communicate, replicate, etc., these ports must be opened. There really isn’t much that can be done otherwise.

Here’s the list with an explanation of each port:

Protocol and Port
AD and AD DS Usage Type of traffic 
TCP 25 Replication SMTP
TCP 42 If using WINS in a domain trust scenario offering NetBIOS resolution WINS
TCP 135 Replication RPC, EPM
TCP 137 NetBIOS Name resolution NetBIOS Name resolution
TCP 139 User and Computer Authentication, Replication DFSN, NetBIOS Session Service, NetLogon
TCP and UDP 389 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP
TCP 636 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP SSL
TCP 3268 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC
TCP 3269 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC SSL
TCP and UDP 88 User and Computer Authentication, Forest Level Trusts Kerberos
TCP and UDP 53 User and Computer Authentication, Name Resolution, Trusts DNS
TCP and UDP 445 Replication, User and Computer Authentication, Group Policy, Trusts SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 9389 AD DS Web Services SOAP
TCP 5722 File Replication RPC, DFSR (SYSVOL)
TCP and UDP 464 Replication, User and Computer Authentication, Trusts Kerberos change/set password
     
UDP 123 Windows Time, Trusts Windows Time
UDP 137  User and Computer Authentication NetLogon, NetBIOS Name Resolution
UDP 138 DFS, Group Policy, NetBIOS Netlogon, Browsing DFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535 DHCP (Note: DHCP is not a core AD DS service but these ports may be necessary for other functions besides DHCP, such as WDS) DHCP, MADCAP, PXE

And We Must Never Forget the Ephemeral Ports!!

And most of all, the Ephemeral ports, or also known as the “service response ports,” that are required for communications. These ports are dynamically created for session responses for each client that establishes a session, (no matter what the ‘client’ may be), and not only to Windows, but to Linux and Unix as well.

See below in the references section to find out more on what ‘ephemeral’ means.are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux, Unix and other operating systems, as well. See below in the references section to find out more on what ‘ephemeral’ means.

The following chart shows what the ephemeral ports are depending on the OS version, and what they are used for.

Window 2003, Windows XP, and Windows 2000

TCP & UDP

1024-5000 Ephemeral Dynamic Service Response Ports
Windows 2008/Vista and newer TCP & UDP 49152-65535 Ephemeral Dynamic Service Response Ports
TCP Dynamic Ephemeral Replication, User and Computer Authentication, Group Policy, Trusts RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
UDP Dynamic Ephemeral Group Policy DCOM, RPC, EPM

If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:

TCP & UDP 1024 – 65535 NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB

See, wasn’t that simple?

 

The Short list without port explanations:

Protocol Port
TCP 25
TCP 42
TCP 135
TCP 137
TCP 139
TCP and UDP 389
TCP 636
TCP 3268
TCP 3269
TCP and UDP 88
TCP and UDP 53
TCP and UDP 445
TCP 9389
TCP 5722
TCP and UDP 464
UDP 123
UDP 137
UDP 138
UDP 67
UDP 2535
TCP & UDP 1024-5000
TCP & UDP 49152-65535

If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDC:

The following Ephemeral ports must be opened (yes, it’s pretty much the whole range):

TCP & UDP 1024-65535

*

Restricting Ports Across a Firewall

You also have the ability to restrict DC to DC replication traffic, and DC to client communications, to a specific ports. Keep in mind, it also depends on what ports and services you’ll want to restrict. When choosing this option, you must specify the correct ports for the correct service.

It depends on what ports and services you want to restrict?

1. Method 1

This is to used to set the specific AD replication port. By default it uses dynamic port to replicate data from DC in one site to another.

This is applicable for restriction AD replication to a specific port range.

Procedure:  Modify registry to select a static port.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Restricting Active Directory replication traffic and client RPC traffic to a specific port
 http://support.microsoft.com/kb/224196

2. Method 2

This is for configuring the port range(s) in the Windows Firewall.

Netsh – use the following examples to set a starting port range, and number of ports after it to use

netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000

The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/929851

3. Modify the registry

This is for Windows services communications. It also affects AD communications.
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc

How to configure RPC dynamic port allocation to work with firewalls
 http://support.microsoft.com/kb/154596/en-us

Here are some related links to restricting AD replication ports.

Reference thread:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/76e8654a-fbba-49af-b6d6-e8d9d127bf03/

RODC Firewall Port Requirements
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx

 

RODC – “Read only Domain Controllers” have their own port requirements

Traffic
Type of Traffic
UDP 53 DNS DNS
TCP 53 DNS DNS
TCP 135  RPC, EPM
TCP Static 53248  FRsRpc
TCP 389  LDAP

TCP and UDP Dynamic
1025 – 5000
Windows 2000, Windows 2003, Windows XP Ephemeral Ports
TCP and UDP Dynamic 49152 – 65535 Windows 2008, Windows Vista and all newer operating systems Ephemeral Ports

Designing RODCs in the Perimeter Network
http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx

Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196

Good discussion on RODC and firewall ports required:
http://forums.techarena.in/active-directory/1303925.htm

Further info on how RODC authentication works will help understand the ports:
Understanding “Read Only Domain Controller” authentication
http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx

 

References

How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442

Active Directory and Active Directory Domain Services Port Requirements, Updated: June 18, 2009 (includes updated new ephemeral ports for Windows Vista/2008 and newer). This also discusses RODC port requirements. You must also make sure the ephemeral ports are opened. They are:
   TCP & UDP 1025-5000
   TCP & UDP 49152-65535
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

Windows 2008, 2008 R2, Vista and Windows 7 Ephemeral Port range has changed from the ports used by Windows 2003 Windows XP, and Windows 2000. Default ephemeral (Random service dynamic response ports) are UDP 1024 – 65535 (See KB179442 below), but for Vista and Windows 2008 it’s different. Their default start port range is UDP 49152 to UDP 65535 (see KB929851 below).

Quoted from KB929851 (link posted below): “To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000.”

Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports) have changed.
http://support.microsoft.com/?kbid=929851

Active Directory and Firewall Ports – I found it hard to find a definitive list on the internet for what ports needed opening for Active Directory to replication between Firewalls. …
http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx

Active Directory Replication over Firewalls, Jan 31, 2006. (includes older pre-Windows Vista/2008 ephemeral ports)
http://technet.microsoft.com/en-us/library/bb727063.aspx

How Domains and Forests Work
Also shows a list of ports needed.
http://technet.microsoft.com/en-us/library/cc783351(v=ws.10).aspx

Paul Bergson’s Blog on AD Replication and Firewall Ports
http://www.pbbergs.com/windows/articles/FirewallReplication.html

 

Exchange DS Access ports

Configuring an Intranet Firewall for Exchange 2003, April 14, 2006.
Protocol ports required for the intranet firewall and ports required for Active Directory and Kerberos communications
http://technet.microsoft.com/en-us/library/bb125069.aspx

 

Additional Reading

Restricting Active Directory replication traffic and client RPC …Restricting Active Directory replication traffic and client RPC traffic to a … unique port, and you restart the Netlogon service on the domain controller. …
http://support.microsoft.com/kb/224196

How to restrict FRS replication traffic to a specific static port – How to restrict FRS replication traffic to a specific static port … Windows 2000-based domain controllers and servers use FRS to replicate system policy …
http://support.microsoft.com/kb/319553

Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
This KB indicates Checkpoint firewalls having an issue with AD communications.
http://support.microsoft.com/?kbid=899148

 

 

Checkpoint Firewall and AD, DNS and RPC Communications and Replication traffic

Checkpoint firewalls have a known issue if you are running version R55 or older. You will need to make a registry entry to allows traffic to flow between the 2 sites via the vpn. The preferred solution is to upgrade the Checkpoint firewall.

More info:

Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
(This link relates to and helps resolve the Checkpoint issue)
http://support.microsoft.com/?kbid=899148

Note from one poster on the internet with a Checkpoint firewall:
For Windows 2003 R2 and non-R2 remote domain controller we added the Server2003NegotiateDisable entry in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc

 

 

I know you’ve enjoyed reading this.

Well, whether you did or not, at least you now know what to do to make it work.

Comments, suggestions and corrections are welcomed!

==================================================================

Summary

I hope this helps!

Original Publication Date: 11/1/2011
Updated 11/4/2014

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image00262 clip_image00462 clip_image00662 clip_image00862 clip_image01062 clip_image01262 clip_image01462

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.