Archive for the 'active directory' Tag

In this article we will review the subject area “Configure Active Directory trusts” from the Microsoft 70-640 certification exam objective.

In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.

The screenshot below shows the relevant section from the 70-640 exam blueprint on configuring Active Directory Domain Services (AD DS) trust relationships.

Microsoft Exam 70-640 – Configure Active Directory trusts


In the last post I summarized the content underlying domain 2, section 1 (“Configure a forest or a domain”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today I will provide a sample practice question and a detailed explanation and analysis.

Sample practice question

You are the administrator of a multi-domain Active Directory forest in which all domain controllers run Windows Server 2003. You want to introduce a new Windows Server 2008 R2 computer as a domain controller into one domain in the environment.

Which of the following actions should you undertake in order to accomplish your goal?

a. Install the R2 update on all existing Windows Server 2003 domain controllers.

b. Run dcpromo /forestprep on an existing domain controller.

c. Run adprep /domainprep on an existing domain controller.

d. Run admt computer /n on the Windows Server 2008 R2 computer.


In this article we will review the subject area “Configure a forest or a domain” from the Microsoft 70-640 certification exam objective.

In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.

Exam 70-640 – Active Directory Forests

Microsoft Exam 70-640 – Configure a forest or a domain / Domain 2, Subobjective 1


In this tutorial you will learn how to point the authoritative time server in your Active Directory domain at an Internet-based atomic time source.

As you probably already know, the Kerberos authentication protocol has limited tolerance for time skew between client and server. Specifically, the time difference between domain computers needs to be less than five minutes.

Some Windows administrators want to synchronize their Windows Server 2008 system clocks to an external atomic time source. How can we accomplish this goal? Well, read on!

The Windows Time Service: Basic operation

The Windows Time (W32Time) service exists in both Windows Server 2008 R2 and Windows 7, and is the “engine” that drives system time synchronization within an Active Directory domain.

By default, the domain controller that holds the PDC Emulator FSMO role is the authoritative time source for the domain. More broadly, the PDC Emulator in the forest root domain holds the authoritative time for the entire forest. Check out the following Visio diagram:


In this article you will learn how to improve your network security by disabling Universal Serial Bus (USB) drive usage in your Active Directory domain.

Universal Serial Bus (USB) flash drives are undeniably convenient and easy to use. However, these devices pose very real security threats.

Number one, allowing your users to mount their own USB flash drives provides a vector for malicious code into your network. Number two, a malicious user can steal sensitive data by copying it to their flash drive and leaving the campus.

Here are a couple of excellent articles that delve more deeply into the IT security threats posed by USB devices:

You may decide to institute an IT security policy in your domain that prohibits use of personal USB devices. This is all well and good, but how many of your users will actually adhere to the policy without some kind of a control in place?


In a previous post I covered the basics of managed service accounts (MSAs) in Windows Server 2008 R2. Today, I will discuss a bug that can prevent MSAs from being created in domains that include Read-Only Domain Controllers (RODCs) on screened subnets.

Both the Read-Only Domain Controller (RODC) and the Managed Service Account (MSA) are, for my money, delightful advancements in the Windows Server platform. We will recall that the RODC allows Windows administrators to deploy Active Directory domain controllers to unmanaged or lightly managed branch offices in a more secure fashion. The idea is that because the domain controller directory database is not writeable, a malicious user would thereby be prevented from making unauthorized changes to it.

The managed service account is great because it solves the (seemingly) age-old conundrum of how we can integrate domain password policy with dedicated service accounts for our applications and services.


In this article you will learn the basics of managed service accounts in Windows Server 2008 R2.

Here’s the situation: You are called in to consult for a client, and in examining their IT infrastructure you observe no organization as to how service accounts are deployed. For instance, some line-of-business (LOB) applications are using the domain Administrator as their service account identity, while others use the Local Service or Network Service identity.

Recently, the client began associating application services with dedicated domain user service accounts. However, because domain password policy forces password changes every 60 days, the manual reassignment of service account passwords created organizational headaches for the IT support staff.

How can you resolve this mess of a real-world situation?


This last part of the series gives you some valuable tips for running BitLocker in an Active Directory environment.

BitLocker, like any other new technology, is a lot of trial and error. Here are the things I’ve learned using BitLocker that will hopefully help you out:

Test, test, test

I think I encrypted my two test systems about 20 times each before I got comfortable with BitLocker. You may also want to consider making the IT staff that will be supporting BitLocker encrypt their own laptops as part of your pilot. The quickest way to identify issues is to use the technology yourself on a daily basis.

Backup, backup, backup!!!

Always, always, always, make sure you have a backup of a drive before you encrypt it with BitLocker. Always, always, always, make sure you keep a backup of data that resides on BitLocker encrypted drives. If you’re not using Folder Redirection and Offline Files or running some kind of third-party backup software on your clients, now is the time to investigate before encrypting your data. If you’ve got mobile users, you’re hopefully doing this already.


Part 6 of 7 explains how to view the BitLocker Recovery Password in Active Directory, how to access TPM information and how to put BitLocker recovery information manually into Active Directory.

Now that we’ve used BitLocker to encrypt an operating system Drive, a fixed data drive, and a removable drive, we should have recovery information for all three drives in Active Directory.

View the BitLocker Recovery Password in AD

To view the information, first make sure that you’ve installed the BitLocker Recovery Password Viewer. Go into Active Directory Users & Computers and view the properties of your Computer object by double-clicking on it. Go to the BitLocker Recovery tab and you should now see the recovery keys for all of the drives encrypted on the system.

View BitLocker Recovery Key in Active Directory


BitLocker To Go is used to encrypt removable data drives such as flash drives. Part 5 in this series also discusses the BitLocker To Go Reader which is required to read encrypted data on legacy Windows versions.

Last, but certainly not least is encrypting Removable Data Drives. As we did with the Operating System Drives and the Fixed Data Drives, start by going to the Control Panel and finding the BitLocker Drive Encryption applet. Click “Turn On BitLocker”. Hopefully, you noticed that the User Account Control (UAC) shield is missing for encrypting Removable Data Drives. What does this mean? It means that users that do not have Administrative rights can encrypt their own removable devices!

Bitlocker Active Directory - BitLocker To Go


In this article you will learn some strategies for troubleshooting the “Network accounts are unavailable” error in Mac OS X Lion computers that are bound to Active Directory Domain Services.

4sysops readers have spoken: there are serious integration problems between Apple Mac OS X 10.7 Lion and Active Directory Domain Services (AD DS). Specifically, we are seeing (a) sluggish binding between the Macs and AD; (b) super-slow domain logons; and (c) completely blocked domain logons.

The biggest indicator of this problem is the red dot icon and “Network accounts are unavailable” message in the Mac OS X Lion logon screen; this is shown in Figure 1.

The dreaded “Network accounts are unavailable” error in Mac OS X Lion


This post in our Active Directory for BitLocker series explains how to encrypt operating system drives and hard disk data drives.

Encrypting an operating system drive with BitLocker

Now that we’ve updated Active Directory and created our Group Policy Object with our BitLocker, TPM, and Sleep settings, we’re ready to encrypt our first device. To begin, you’ll first need to make sure that your computer meets the following hardware and software requirements. (Please note that in the screenshots and instructions below, I’ve performed the procedure in Windows 7. The process should be mostly the same in Windows Vista.)

  • Windows Vista Ultimate or Enterprise; Windows 7 Ultimate or Enterprise
  • Trusted Platform Module (TPM) version 1.2 or higher
  • BIOS that is compatible with the TPM
  • TPM must be enabled in the BIOS – Some manufacturers enable the TPM automatically and others leave it disabled. You may need to refer to documentation from your vendor to enable the TPM.
  • Two hard drive partitions: one drive for Windows and one as a boot volume. (A standard Windows 7 installation automatically creates the necessary partitions. Windows Vista will require use of the BitLocker Drive Preparation Tool – http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7806.)
  • Drive must be formatted as NTFS


Part 3 in this series covers best practices for configuring BitLocker for Active Directory through Group Policy.

The last thing you’ll need to do before encrypting your next drive is to configure Group Policy. I copied the essential settings from Microsoft’s best practices and added my own experiences at the end of the article. In a new or existing Group Policy Object, navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, and set the following:

Top Level / Global

  • Choose drive encryption method and cipher strength – Set to not configured.
  • Prevent memory overwrite on restart – Set to not configured.
  • Provide the unique identifiers for your organization – Set to enabled, and enter an identifier in the BitLocker identification field.


Part 2 in this series about BitLocker and Active Directory explains how to update the Active Directory Schema, how to configure additional Access Control Entry (ACE) settings, and how to install the BitLocker Password Recovery Viewer.

If you installed a Domain Controller running Windows Server 2008 Beta 3 or later (Yes, this was taken directly from Microsoft documentation… I hope you didn’t have a DC running a beta product in your production Forest!), the required schema extensions here have already been performed.

Updating the Active Directory Schema for BitLocker

You can check whether the attributes are available by running ADSI Edit and looking for the BitLocker recovery object CN=ms-FVE-RecoveryInformation. This should give you an idea of what you’ll see: screenshot 1 is a Windows Server 2003 R2 SP2 Domain Controller; screenshot 2 is a Windows Server 2008 R2 SP2 Domain Controller. As you can see, the Server 2008 R2 DC has the required schema extensions and the Server 2003 R2 DC does not.

BitLocker Active Directory – Windows Server 2003 R2 DC Schema


This article reviews the Lepide Active Directory Management and Reporting tool, which is an alternative to the built-in Active Directory management tools in Windows Server 2008.

Lepide Active Directory Management and Reporting Tool
