© Mike O'Leary 2019
Mike O'Leary, Cyber Operations, https://doi.org/10.1007/978-1-4842-4294-0_6

6. Active Directory

Mike O’Leary, Towson, MD, USA

Introduction

Active Directory is a database of users, groups, computers, printers, and other objects. Windows uses Active Directory to organize the objects together into domains and larger forests. These are managed by domain controllers. Common platforms for domain controllers include Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.

This chapter introduces Active Directory, beginning with the process to install Active Directory components on Windows servers and promote them to domain controllers. Test domains are developed that not only include Windows systems but incorporate Linux systems using PowerBroker Open. Active Directory relies on Windows DNS, which can interact with BIND DNS servers. PowerShell scripts can be used to manage a domain; the chapter demonstrates a script to add domain users. Groups and organizational units allow domain administrators to delegate authority and apply group policy. The chapter includes an example of a group policy that restricts the directories in which users can run executable programs.

Installation

The process to configure a Windows server as the first domain controller for a domain is similar, whether the server runs Windows Server 2008 R2, 2012, 2012 R2, or 2016. In this example, no existing infrastructure is assumed present - no existing domain, no forest, and no existing DNS servers. Active Directory is installed first. When complete, the system is promoted to a domain controller, installing DNS in the process.

Installation on Windows Server 2012 and Later

To install Active Directory on Windows Server 2012 or later, from Server Manager (Figure 6-1), select Add Roles and Features. Choose “Role-based or feature-based installation.” Server Manager allows an administrator to manage both local and remote servers; since this is the first domain controller for the domain, select the local system as the destination for the installation. From the list of server roles, select Active Directory Domain Services. This requires additional features to be installed, including the Active Directory module for Windows PowerShell; these are automatically selected. No additional features are necessary for the server at this stage. The wizard continues with a confirmation prompt before it is ready to begin the installation.
Figure 6-1. Windows Server 2012 R2 Server Manager

When the installation is complete, Server Manager shows a new role, AD DS, and a notification flag. From the notification flag, select the option to promote the server to a domain controller. The same option is available if the AD DS role is selected from the navigation pane in Server Manager; a warning notification appears indicating that configuration is required for the system and letting the user promote the system to a domain controller. In either case, the Active Directory Domain Services Wizard (Figure 6-2) launches.
Figure 6-2. Windows Server 2012 R2 Active Directory Domain Services Configuration Wizard

From the wizard, select the option to add a new forest. In this example, the server is named cassini.saturn.test, and the root domain name is corp.saturn.test.

When selecting the name for the domain, do not use the top-level domain name .example. Windows Server 2012, 2012 R2, and 2016 are unable to create DNS forward zones for this namespace; they report the name as invalid. These systems are also unable to create conditional forwarders to the .example domain. This problem does not occur on Windows Server 2008 R2.

Select the functional level of the forest and the domain. Servers older than the functional level of the forest cannot join the forest, and servers older than the functional level of the domain cannot join the domain. Because the intent of this example is to replicate servers as deployed between 2011 and 2017, Windows Server 2012 is a reasonable choice as the functional level for both the forest and the domain. The functional level of a domain can be changed after the domain has been created. From Server Manager, navigate Tools ➤ Active Directory Domains and Trusts. Select the domain, right-click, and select Raise domain functional level.

Directory Services Restore Mode (DSRM) is one of the options when booting a domain controller in safe mode. Since a system in restore mode does not have access to the Active Directory database, the DSRM password is used to authenticate the user logging in at the terminal. This password should be kept secure; a user with this password and physical access to the system has complete access to the Active Directory database.

Because this example does not assume an existing DNS structure, the domain controller needs to add DNS capabilities; this is marked for installation by default. As the wizard continues, a warning box appears saying, “A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server.” During the DNS server installation process, the server tries to contact DNS servers for the parent zone and set up a delegation for the new server. In this example, there is no parent DNS server, so this message is expected.

The wizard continues and presents a candidate NetBIOS name for the domain. NetBIOS names are 15 characters or less, and they are usually capitalized.

The Active Directory data file (ntds.dit), the log file (edb.log), and other working files are stored in the database directory or the log file directory; in both cases the default is C:\Windows\NTDS. Group policy files and various scripts are stored in the SYSVOL folder, by default in the directory C:\Windows\SYSVOL.

The wizard reviews the options and checks prerequisites. Two warnings are expected. One refers to the already noted inability to create a delegation zone on the parent DNS server; the second points out that the weaker cryptography algorithms are disallowed. Press the install button to complete the promotion of the server to a domain controller. The system reboots during the installation.

Once the system reboots, it is a domain controller and a DNS server. The installation process changes the default nameserver for the system; a check of the network adapter settings shows that the preferred nameserver becomes 127.0.0.1. Although the hostname remains unchanged, the system’s domain changes to match the domain; the server originally named cassini.saturn.test for the Windows domain corp.saturn.test becomes cassini.corp.saturn.test. This behavior is expected; when setting a host’s name (System Properties ➤ Computer Name ➤ Change ➤ More), the box to automatically change the DNS suffix to match domain membership is checked by default (Figure 6-3).
Figure 6-3. Changing the DNS suffix on a Windows Server 2012 R2 system

Installation on Windows Server 2008 R2

Some changes need to be made when using Windows Server 2008 R2. Instead of starting with Server Manager, from the Initial Configuration Tasks window (Figure 6-4), select “Add Roles.” From the list of roles, choose Active Directory Domain Services. The user is prompted to add the required .NET 3.5.1 framework before it is ready to begin the installation.
Figure 6-4. Windows Server 2008 R2 Initial Configuration Tasks

Once the installation completes, the wizard tells the user that the Active Directory Domain Services Installation Wizard (dcpromo.exe) needs to be run. This is in the form of a clickable hyperlink; the program can also be run directly from the Run menu or an Administrator command prompt.

The Active Directory Domain Services Wizard functions in much the same way as it does for Server 2012 and later. One caveat is that a Windows 2008 system with a static IPv4 address and a dynamically assigned IPv6 address warns the user that a dynamically assigned address is present on the system.

Windows DNS

Windows Server uses DNS Manager to manage its DNS server. To launch it on Windows Server 2012, or later, from Server Manager select Tools, then navigate to DNS. It is also available directly from the Start Menu on Windows Server 2012; on Windows Server 2016, 2012 R2, and 2008 R2, it can be found by navigating the Start Menu to Administrative Tools.

From the navigation pane, expand the server name; there are four main subheadings: the forward lookup zones, the reverse lookup zones, conditional forwarders, and global logs. Figure 6-5 shows the result from an example Windows Server 2008 R2 system; the host’s name is galileo.ad.jupiter.test, which is a domain controller for the domain ad.jupiter.test.
Figure 6-5. DNS Manager on Windows Server 2008 R2

The first forward lookup zone, _msdcs.ad.jupiter.test, contains service location records (SRV) that provide information about the domain. For example, navigate _msdcs.ad.jupiter.test ➤ dc ➤ _tcp ➤ _ldap to locate an SRV record that indicates that the LDAP service is running on port TCP/389 on the server galileo.ad.jupiter.test.

The second forward lookup zone provides records for the namespace; in this example, this is ad.jupiter.test. It includes similar service location records, organized by Active Directory site, protocol (TCP/UDP), domain, and forest. It also includes the start of authority (SOA), nameserver (NS), and address records for the namespace.

To add a new address record to the forward lookup zone for the DNS domain ad.jupiter.test, right-click on the DNS domain name, then select New Host to obtain the New Host dialog box (Figure 6-6). Choose the host name and IP address; then select Add Host.
Figure 6-6. Adding a new host on Windows Server 2008 R2

The user can add both the forward zone A record and the reverse zone PTR record in one step. However, if this is done immediately after the server is configured, it fails. Although the DNS server installation correctly configured its forward zone, it does not configure the reverse zone. Right-click on the Reverse Lookup Zone from the navigation pane in DNS Manager, then select New Zone to launch the New Zone Wizard (Figure 6-7). Create a primary zone storing the result in Active Directory. Choose where it should be replicated - to all DNS servers in the forest or all DNS servers in the domain. Specify the network for the reverse zone, either through the ID or the zone name.

Windows Server, by default, allows for secure dynamic updates for DNS zones integrated with Active Directory; systems can then update their own DNS record, and DHCP servers can update PTR records.

When the reverse zone is created, it includes the start of authority and nameserver records; it does not include pointer records, even for the domain controller itself. Add this record, as well as the PTR records for any address records added earlier. Subsequent new hosts can add both the address record and the pointer record at the same time, provided the appropriate box is checked; see Figure 6-6.
Figure 6-7. Creating a reverse lookup zone in Windows Server 2008 R2

Scripting Windows DNS

When many hosts need to be added to a DNS server, it is better to do so with a script. Suppose that a list of host names and addresses is available in the file dns_data.txt from Listing 6-1.
101    io
102    europa
103    ganymede
104    callisto
105    amalthea
106    himalia
107    elara
... Output Deleted ...
Listing 6-1

Sample file dns_data.txt with DNS data for a network

Suppose the user intends that the host io.ad.jupiter.test receives the address 10.0.5.101, the host europa.ad.jupiter.test receives the address 10.0.5.102, and so on. Consider the Windows batch script in Listing 6-2.
@echo off
for /f "tokens=1,2" %%i in (dns_data.txt) do (
   dnscmd /RecordAdd ad.jupiter.test %%j /CreatePTR A 10.0.5.%%i
)
Listing 6-2

Windows batch script DNS.bat to read a text file and add entries to a Windows DNS server

By default, batch files echo each command to the screen as it runs; the command @echo off disables this. The script uses a for loop to read through the data in the file dns_data.txt. Two tokens are specified; as each line is parsed, everything up to the first space or connected group of spaces is stored in the variable %%i, and what follows (up to the next space or connected group of spaces) is stored in the variable %%j. The Windows command prompt provides help on the use and syntax of for loops in a batch script through the command
C:\Users\Administrator>for /?
Runs a specified command for each file in a set of files.
FOR %variable IN (set) DO command [command-parameters]
  %variable  Specifies a single letter replaceable parameter.
  (set)      Specifies a set of one or more files.  Wildcards may be used.
  command    Specifies the command to carry out for each file.
  command-parameters
             Specifies parameters or switches for the specified command.
To use the FOR command in a batch program, specify %%variable instead
... Output Deleted ...

The host name in the %%j variable and the last octet of the IP address, in the %%i variable, are passed to dnscmd. This is a command-line utility for managing DNS servers on Windows. The /RecordAdd switch is used to add new records to a DNS zone. The first argument is the name of the zone, and the second is the name of the record to be added. The /CreatePTR switch is used so that both the forward zone and reverse zone entries are made. The command concludes with the type of record - an A address record, and its value, the IP address of the host. More information about the syntax of dnscmd is available by running it from the command line with the /? switch.

Save the batch script as DNS.bat in the same directory as the data file dns_data.txt. Run the script from the command line, and the hosts are added to the DNS server.
C:\Users\Administrator\Desktop>dns.bat
Add A Record for io.ad.jupiter.test at ad.jupiter.test
Command completed successfully.
Add A Record for europa.ad.jupiter.test at ad.jupiter.test
Command completed successfully.
... Output Deleted ...
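As an added example (not part of the book), here is a Python pre-flight check for the same dns_data.txt layout: it validates each row before dnscmd is run with administrative rights, prints the exact dnscmd line the batch script would issue, and shows the forward and reverse (PTR) record names that /CreatePTR produces in the 5.0.10.in-addr.arpa zone. The zone ad.jupiter.test and the prefix 10.0.5 are the chapter's; the sample rows, including the deliberately malformed ones, are constructed.

```python
import re

ZONE = "ad.jupiter.test"   # zone used by the chapter's DNS.bat
PREFIX = "10.0.5"          # first three octets; dns_data.txt supplies the last

# Constructed stand-in for dns_data.txt in the Listing 6-1 layout, with three
# deliberately bad rows (octet out of range, duplicate octet, a host name
# containing a space) to exercise the checks.
SAMPLE_DATA = """\
101    io
102    europa
103    ganymede
256    bogus
102    europa2
104    call isto
"""

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def reverse_zone(prefix):
    """Name of the reverse lookup zone for a /24 prefix: 10.0.5 -> 5.0.10.in-addr.arpa."""
    return ".".join(reversed(prefix.split("."))) + ".in-addr.arpa"


def parse_rows(text):
    """Return (rows, errors): rows is a list of (octet, host) that passed every
    check, errors a list of messages describing the rows that were rejected."""
    rows, errors = [], []
    seen_octets, seen_hosts = set(), set()
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        # The batch script's 'tokens=1,2' would silently keep only the first
        # two words of this row; reject it instead of adding a truncated name.
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected '<octet> <host>', got {line!r}")
            continue
        octet, host = parts
        if not octet.isdigit() or not 1 <= int(octet) <= 254:
            errors.append(f"line {lineno}: last octet {octet!r} is not a usable host address")
            continue
        if not LABEL_RE.match(host):
            errors.append(f"line {lineno}: {host!r} is not a valid DNS label")
            continue
        if int(octet) in seen_octets:
            errors.append(f"line {lineno}: address {PREFIX}.{octet} already assigned")
            continue
        if host.lower() in seen_hosts:
            errors.append(f"line {lineno}: host {host!r} already listed")
            continue
        seen_octets.add(int(octet))
        seen_hosts.add(host.lower())
        rows.append((octet, host))
    return rows, errors


def dnscmd_commands(rows, zone=ZONE, prefix=PREFIX):
    """The dnscmd line DNS.bat issues for each accepted row."""
    return [f"dnscmd /RecordAdd {zone} {host} /CreatePTR A {prefix}.{octet}"
            for octet, host in rows]


def expected_records(rows, zone=ZONE, prefix=PREFIX):
    """(A record owner, address, PTR record owner) that /CreatePTR produces per row;
    the PTR lands in the reverse zone, which must already exist (see Figure 6-7)."""
    rz = reverse_zone(prefix)
    return [(f"{host}.{zone}", f"{prefix}.{octet}", f"{octet}.{rz}") for octet, host in rows]


if __name__ == "__main__":
    rows, errors = parse_rows(SAMPLE_DATA)
    for err in errors:
        print("REJECTED:", err)
    for cmd, (fwd, addr, ptr) in zip(dnscmd_commands(rows), expected_records(rows)):
        print(cmd)
        print(f"    {fwd} A {addr}; {ptr} PTR {fwd}")
```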

DNS Configuration

A Windows DNS server can forward requests to different servers, either on a per-zone basis or for all unknown requests. It can use stub zones or be configured as a slave to use data from other servers; it can also use recursion. Windows servers include a robust logging system.

Conditional Forwarding and Server Forwarding

To forward requests for a DNS domain to a different server, from DNS Manager, select Conditional Forwarders in the navigation pane, then right-click and select New Conditional Forwarder (Figure 6-8). Enter the name of the DNS domain to be forwarded, and choose the IP address to receive the forwarded requests.

The wizard may initially be unable to validate the forwarding server, as seen in Figure 6-8. Once the forwarder is in place, from the navigation pane, right-click on the forwarder, select Properties, then Edit; the server is now listed as validated.

The process for forwarding reverse queries is the same, save now the domain is an appropriate subdomain of .in-addr.arpa. For example, the appropriate reverse lookup zone for 10.0.5.0/24 is named 5.0.10.in-addr.arpa.
Figure 6-8. Setting up a new conditional forwarder in Windows Server 2012 R2

Windows uses server-level forwarding for DNS domains not explicitly provided with a conditional forwarder. From the navigation pane of the DNS Manager (Figure 6-5), right-click on the name of the server, then select Properties. From the Forwarders tab, select one or more forwarders; these are used for queries that the server cannot answer. If none of the forwarders can answer the query, the server may use the root hints; this is the default behavior.

The root hints file can be updated from the Root Hints tab on the same Properties dialog box. The root hints file itself is located on the server in C:\Windows\System32\Dns\Cache.dns and can be replaced with an updated copy from http://www.iana.org/domains/root/files .

Recursion

Like BIND servers, by default, Windows DNS Server is vulnerable to DNS amplification attacks; this can be verified with the Metasploit module auxiliary/scanner/dns/dns_amp as was done in Chapter 5. To disable recursion, select the Advanced tab from the same Properties dialog box (Figure 6-9); then select Disable recursion. This disables server-level forwarders but does not disable zone-level conditional forwarders. It is not possible to disable recursion from some hosts and allow it from other, presumably trusted hosts.
Figure 6-9. The properties dialog box for the DNS Server on Windows Server 2016

DNS Logging

Windows logs information, warning, and error logs about the DNS server using the Windows log system (cf. Chapter 10). They can be found in Event Viewer, by navigating Event Viewer ➤ Application and Services Logs ➤ DNS Server. They are also accessible from the navigation pane in DNS Manager (Figure 6-10) on systems other than Windows Server 2016.
Figure 6-10. Viewing DNS logs in DNS Manager on Windows Server 2012 R2

Windows can be configured to log the details of DNS queries. From DNS Manager, right-click on the name of the server and bring up the Properties dialog box. From the Debug Logging tab, select the types of data to be recorded and the location of the log file. The log file is plain text and begins with a key that explains the fields. Here is an example of a log file that shows a request from 10.0.4.252 for the address titan.corp.saturn.test and the server’s response.
DNS Server log file creation at 8/25/2014 10:25:17 AM
Log file wrap at 8/25/2014 10:25:17 AM
Message logging key (for packets - other items use a subset of these fields):
        Field #  Information         Values
        -------  -----------         ------
           1     Date
           2     Time
           3     Thread ID
           4     Context
           5     Internal packet identifier
           6     UDP/TCP indicator
           7     Send/Receive indicator
           8     Remote IP
           9     Xid (hex)
          10     Query/Response      R = Response
                                     blank = Query
          11     Opcode              Q = Standard Query
                                     N = Notify
                                     U = Update
                                     ? = Unknown
          12     [ Flags (hex)
          13     Flags (char codes)  A = Authoritative Answer
                                     T = Truncated Response
                                     D = Recursion Desired
                                     R = Recursion Available
          14     ResponseCode ]
          15     Question Type
          16     Question Name
8/25/2014 10:25:22 AM 0770 PACKET  000000F62A727B10 UDP Rcv 10.0.4.252      8d7d   Q [0001   D   NOERROR] A      (5)titan(4)corp(6)saturn(4)test(0)
8/25/2014 10:25:22 AM 0770 PACKET  000000F62A727B10 UDP Snd 10.0.4.252      8d7d R Q [0085 A D   NOERROR] A      (5)titan(4)corp(6)saturn(4)test(0)
... Output Deleted ...
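As an added example (not from the book), the following Python parser reads packet lines in the debug log format whose key is shown above, decodes the length-prefixed question names, and reports which clients the server recursed for, flagging any outside a trusted network; this is the defender's side of the open-recursion issue discussed under Recursion. The sample log combines the two lines quoted in the chapter with a constructed exchange from an untrusted address; the trusted network 10.0.0.0/8 and the zone list are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One packet line of a Windows DNS debug log, in the order the log's own key
# lists the fields: date, time, thread id, context, packet id, UDP/TCP,
# Snd/Rcv, remote IP, xid, Q/R, opcode, [flags hex, flag chars, rcode],
# question type, question name.
PACKET_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<thread>[0-9A-Fa-f]+) (?P<context>\S+)\s+"
    r"(?P<pkt>[0-9A-Fa-f]+) (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>R?)\s*(?P<opcode>[QNU?])\s+"
    r"\[(?P<flags>[0-9A-Fa-f]+)\s+(?P<fchars>[ATDR ]*?)\s*(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)

# Constructed sample: the two lines quoted in the chapter, then a constructed
# exchange in which an address outside the 10.0.0.0/8 test network asks for
# ANY on a name the server is not authoritative for and gets a non-authoritative
# answer with recursion available (R set, A clear).
SAMPLE_LOG = """\
DNS Server log file creation at 8/25/2014 10:25:17 AM
Log file wrap at 8/25/2014 10:25:17 AM
8/25/2014 10:25:22 AM 0770 PACKET  000000F62A727B10 UDP Rcv 10.0.4.252      8d7d   Q [0001   D   NOERROR] A      (5)titan(4)corp(6)saturn(4)test(0)
8/25/2014 10:25:22 AM 0770 PACKET  000000F62A727B10 UDP Snd 10.0.4.252      8d7d R Q [0085 A D   NOERROR] A      (5)titan(4)corp(6)saturn(4)test(0)
8/25/2014 10:25:40 AM 0770 PACKET  000000F62A729C40 UDP Rcv 198.51.100.7    3c1a   Q [0001   D   NOERROR] ANY    (7)example(3)net(0)
8/25/2014 10:25:40 AM 0770 PACKET  000000F62A729C40 UDP Snd 198.51.100.7    3c1a R Q [0081   D R NOERROR] ANY    (7)example(3)net(0)
"""


def decode_name(raw):
    """Turn the log's length-prefixed form, (5)titan(4)corp(6)saturn(4)test(0),
    into titan.corp.saturn.test; the bare root (0) becomes '.'."""
    labels = [lbl for n, lbl in re.findall(r"\((\d+)\)([^(]*)", raw) if int(n) > 0]
    return ".".join(labels) if labels else "."


def parse_packet(line):
    """Return a dict of fields for a packet line, or None for header/key lines."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["response"] = rec["qr"] == "R"
    rec["flag_chars"] = set(rec["fchars"].replace(" ", ""))   # subset of {A, T, D, R}
    rec["name"] = decode_name(rec["qname"])
    return rec


def in_zone(name, zones):
    """True if name lies inside one of the server's authoritative zones."""
    return any(name == z or name.endswith("." + z) for z in zones)


def recursion_report(lines, zones, trusted_nets):
    """Per-client counts plus a list of (client, name, qtype) for answers the
    server recursed for on behalf of clients outside trusted_nets. A recursed
    answer is a sent response with R (recursion available) set, A (authoritative)
    clear, and a name outside the server's own zones."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    per_client = defaultdict(Counter)
    findings = []
    for line in lines:
        rec = parse_packet(line)
        if rec is None or rec["context"] != "PACKET":
            continue
        client = rec["ip"]
        if rec["dir"] == "Rcv" and not rec["response"]:
            per_client[client]["queries"] += 1
            if rec["qtype"] == "ANY":          # common amplification query type
                per_client[client]["any_queries"] += 1
        elif rec["dir"] == "Snd" and rec["response"]:
            fc = rec["flag_chars"]
            if "R" in fc and "A" not in fc and not in_zone(rec["name"], zones):
                per_client[client]["recursed_answers"] += 1
                if not any(ipaddress.ip_address(client) in n for n in nets):
                    findings.append((client, rec["name"], rec["qtype"]))
    return {"clients": {c: dict(v) for c, v in per_client.items()},
            "open_recursion": findings}


if __name__ == "__main__":
    report = recursion_report(SAMPLE_LOG.splitlines(), ["corp.saturn.test"], ["10.0.0.0/8"])
    for client, counts in report["clients"].items():
        print(client, counts)
    for client, name, qtype in report["open_recursion"]:
        print(f"recursed for untrusted client {client}: {qtype} {name}")
```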

Zone Properties

To change other settings for a zone, right-click the zone inside DNS Manager, then select Properties (Figure 6-11). The Start of Authority (SOA) tab allows the user to update the timing settings: refresh interval, retry interval, TTL, and expiration. The serial number can be manually set or simply incremented. The Zone Transfers tab on the same dialog box allows the user to control zone transfers. By default, zone transfers are prohibited; this can be overridden and zone transfers permitted to a list of known servers or to any server.

Stub Zones and Slave Zones

Instead of setting up conditional forwarders, the user may prefer to set up a stub zone. For a stub zone, the server only holds information about the authoritative name servers for the zone. To build a stub zone, from DNS Manager, right-click on the type of zone (Forward Lookup or Reverse Lookup) and select New Zone. For the zone type, select stub zone. Choose how the zone is to be replicated in Active Directory. Provide the name of the zone and the IP address of a master DNS server for the zone. The chosen master must allow zone transfers. It takes a few moments for the zone transfer to occur, and if checked immediately after configuration, the zone may report an error. If it has been configured correctly, wait a moment and then refresh the view.
Figure 6-11. The Name Servers tab in the zone properties dialog box on Windows Server 2012 R2

To configure a zone on a BIND server as a slave to a zone hosted on a Windows master, first configure the slave zone in BIND, specifying the master. For example, if cassini.corp.saturn.test at 10.0.6.120 is the Windows DNS master, in the BIND named.conf file, include an appropriate zone definition like
zone "corp.saturn.test" in {
       type slave;
       file "slaves/bak.corp.saturn.test";
       masters {10.0.6.120; };
};

On the Windows master, from DNS Manager, right-click on the zone to bring up the zone properties dialog box. From the Zone Transfer tab, be sure that the Windows server allows zone transfers to the BIND slave nameserver.

Because of the complexity of the DNS entries for a domain controller, it is difficult to set up a BIND master for an Active Directory installation. A Windows Server acting as a stand-alone DNS server (without Active Directory) can easily be configured as a slave to a BIND DNS server (or another Windows DNS server for that matter). To do so, create a new zone, specifying the type as a secondary zone. Provide the name of the zone and the IP addresses of one or more master servers.

Managing a Windows Domain

The key benefit of an Active Directory structure is the ability to manage computers and users. With a domain controller built, the next steps are to add these computers and users to the domain.

Adding Systems

Before adding a new system to a domain, ensure that the system is on the network, that it is using the DNS server provided by Active Directory, and that it can reach the Active Directory domain controller. It is simplest if the system to be added to the domain already has a DNS entry in the DNS server.

Adding Windows Systems to a Windows Domain

Windows systems can be added to a Windows domain without additional software. The process of joining the domain is like the method used to set the system’s domain name. Start the Control Panel on the system; navigate System and Security ➤ System; then from the Computer name domain and workgroup setting section, select Change Settings. On the resulting System Properties dialog box (Figure 6-13), use the option to rename the computer or change its domain or workgroup. Provide the domain name. A dialog box appears asking for an account name and password on the domain; provide the credentials. Once the system authenticates, the user is welcomed to the domain; the system then needs to be restarted.

Adding OpenSuSE Systems to a Windows Domain

Linux systems can be added to a Windows domain. On OpenSuSE systems, this feature is included in YaST. To join such a system to a Windows domain, be sure that the system can connect to the domain controller and that its DNS is properly configured. From YaST, navigate to Windows Domain Membership. When the configuration module is launched, the user is presented with a dialog box (Figure 6-12) to choose the domain the system is to join.
Figure 6-12. The Windows Domain Membership configuration module from YaST on OpenSuSE 11.4

If additional software packages are necessary, these will be downloaded and installed. When this completes, the user is prompted to provide the username and password for a domain user. When these are provided, the system is joined to the domain.

Adding Linux Systems to a Windows Domain Using PowerBroker Open

It is possible to add CentOS, Mint, and Ubuntu systems to a Windows domain. One way to do so is to install and configure Samba, but this is somewhat complex.

The open source tool PowerBroker Open ( https://github.com/BeyondTrust/pbis-open/wiki ) simplifies the process considerably. Start by downloading an appropriate version and package ( https://github.com/BeyondTrust/pbis-open/releases ); for Mint or Ubuntu systems, it is a .deb file, while for a CentOS system it is an .rpm file. Different versions are available for different architectures (x86 or x86_64). Run the file (as root) to start the installer.

For example, a user on a CentOS 7.2 system would download the .rpm package, then run the installer.
[root@pan ~]# sh ./pbis-open-8.5.3.293.linux.x86_64.rpm.sh
Creating directory pbis-open-8.5.3.293.linux.x86_64.rpm
Verifying archive integrity... All good.
Uncompressing pbis-open-8.5.3.293.linux.x86_64.rpm............
Would you like to install package for legacy links? (i.e.  /opt/likewise/bin/lw-find-user-by-name -> /opt/pbis/bin/find-user-by-name) (yes/no) no
Would you like to install now? (yes/no) yes
Installing packages and old packages will be removed
warning: /root/pbis-open-8.5.3.293.linux.x86_64.rpm/./packages/pbis-open-upgrade-8.5.3-293.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY
Preparing...                       ################################# [100%]
Updating / installing...
   1:pbis-open-upgrade-8.5.3-293   ################################# [100%]
warning: /root/pbis-open-8.5.3.293.linux.x86_64.rpm/./packages/pbis-open-8.5.3-293.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY
Preparing...                       ################################# [100%]
Updating / installing...
   1:pbis-open-8.5.3-293           ################################# [100%]
Setting up SELinux Policy Module
... Output Deleted ...
Installing Packages was successful
New libraries and configurations have been installed for PAM and NSS.
Please reboot so that all processes pick up the new versions.
As root, run domainjoin-gui or domainjoin-cli to join a domain so you can log on with Active Directory credentials. Example:
domainjoin-cli join MYDOMAIN.COM MyJoinAccount

The installation process with other distributions is similar.

There are two tools that can be used to join the system to the domain: the graphical tool /opt/pbis/bin/domainjoin-gui and the command-line-only tool /opt/pbis/bin/domainjoin-cli. The graphical tool will try to launch when the installation is complete. Figure 6-13 shows the graphical tool on Mint 18.1.
Figure 6-13. The graphical tool to join a domain from PowerBroker Open 8.5.3.293 shown on Mint 18.1

After the domain is selected, the graphical tool asks the user for credentials with administrative privileges on the Windows domain. When the system is joined to the domain, a restart is required.

On some systems, the graphical tool may fail to work; for example, on a default CentOS 7.2 system it fails because it cannot load the shared library libpangox-1.0.so.0, while on a default Ubuntu 15.10 it fails because it cannot load the shared library libglade-2.0.so.0. To use the command-line tool, specify the verb join, the domain to be joined, and an account on that domain. As an example, to join the domain corp.saturn.test as the user fhaber, the syntax is
[root@pan ~]# /opt/pbis/bin/domainjoin-cli join corp.saturn.test fhaber
Joining to AD Domain:   corp.saturn.test
With Computer DNS Name: pan.corp.saturn.test
fhaber@CORP.SATURN.TEST's password: <enter password here>
Warning: System restart required
Your system has been configured to authenticate to Active Directory for the
first time.  It is recommended that you restart your system to ensure that all applications recognize the new settings.
SUCCESS
The installation process assumes the presence of an SSH server on the system. If there is no SSH server on the system, attempts to join the domain fail. The user can either install the SSH server or specify that SSH is to be disabled. As an example, consider Ubuntu 15.10, which does not include an SSH server as part of its default installation. To join the domain corp.saturn.test as the domain user fhaber without an SSH server on the system, the user can run
dhilbert@Tarvos:~$ sudo /opt/pbis/bin/domainjoin-cli join --disable ssh corp.saturn.test fhaber
Joining to AD Domain:   corp.saturn.test
With Computer DNS Name: Tarvos.corp.saturn.test
fhaber@CORP.SATURN.TEST's password: <enter password here>
Warning: System restart required
Your system has been configured to authenticate to Active Directory for the
first time.  It is recommended that you restart your system to ensure that all applications recognize the new settings.
SUCCESS
After the system has joined the domain, restart the system and log in as a regular, non-Active Directory user. Validate that the system correctly joined the domain first by querying the domain.
dhilbert@tarvos:~$ sudo /opt/pbis/bin/domainjoin-cli query
Name = tarvos
Domain = CORP.SATURN.TEST
Distinguished Name = CN=TARVOS,CN=Computers,DC=corp,DC=saturn,DC=test
Next, verify that it correctly determined the domain controller. For example, if the domain name is corp.saturn.test, this can be done with the command
dhilbert@tarvos:~$ /opt/pbis/bin/get-dc-name corp.saturn.test
Printing LWNET_DC_INFO fields:
===============================
dwDomainControllerAddressType = 23
dwFlags = 62461
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = cassini.corp.saturn.test
pszDomainControllerAddress = 10.0.6.120
pucDomainGUID(hex) = EB 33 63 1D 7B 8E 77 44 BA 75 6F B7 A2 2B AF E4
pszNetBIOSDomainName = CORP
pszFullyQualifiedDomainName = corp.saturn.test
pszDnsForestName = corp.saturn.test
pszDCSiteName = Default-First-Site-Name
pszClientSiteName = Default-First-Site-Name
pszNetBIOSHostName = CASSINI
pszUserName = <EMPTY>
Next, check that the system can correctly locate users on the domain. For example, to query for the domain user fhaber, the user can run
dhilbert@tarvos:~$ /opt/pbis/bin/find-user-by-name corp\\fhaber
User info (Level-0):
====================
Name:              CORP\fhaber
SID:               S-1-5-21-2774461806-4257634802-1797393593-1179
Uid:               1891632283
Gid:               1891631617
Gecos:             <null>
Shell:             /bin/sh
Home dir:          /home/local/CORP/fhaber
Logon restriction: NO

When referring to a domain user, the proper syntax on a Linux system is domain\username; however, when this is used on the command line, the backslash needs to be escaped, hence the double backslash in the command above.

To check that the user can correctly authenticate to the system, the user can run
dhilbert@tarvos:~$ pbis authenticate-user --user corp\\fhaber
Password: <enter password here>
Success

Other useful pbis commands include pbis enum-users, which lists the Active Directory users visible on the system, and pbis status, which provides details of the domain.

To correctly configure the Bash environment for Active Directory users, run
dhilbert@tarvos:~$ sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
Ubuntu systems do not grant all users sudo privileges. A reasonable approach is to grant sudo privileges to all Active Directory domain administrators. Run visudo (using sudo), and add the line
%corp\\domain^admins ALL=(ALL) ALL

This line grants all members of the group corp\domain^admins the ability to use sudo.

The group name required in the sudoers file may or may not include the Windows domain. The groups to which a user belongs can be listed by running the command id. On some systems the group name includes the domain name; on others it does not. For example, on a Mint 18.1 system, the id of a domain user does not include the domain name.
dhilbert@Ijiraq ~ $ id fhaber
uid=1891632283(fhaber) gid=1891631617(domain^users) groups=1891631617(domain^users),1891631676(denied^rodc^password^replication^group),1891631616(domain^admins)
This can also be seen via pbis enum-groups.
dhilbert@Ijiraq ~ $ pbis enum-groups
Group info (Level-0):
====================
Name: winrmremotewmiusers__
Gid:  1891632104
SID:  S-1-5-21-2774461806-4257634802-1797393593-1000
... Output Deleted ...
Group info (Level-0):
====================
Name: domain^admins
Gid:  1891631616
SID:  S-1-5-21-2774461806-4257634802-1797393593-512
... Output Deleted ...
In this case, the proper line in visudo would be
%domain^admins ALL=(ALL) ALL

Log out, then log in as the user corp\administrator or some other domain administrator. Verify that the Bash prompt is set correctly, and this user can use sudo to perform system administration tasks.

Some systems join Active Directory correctly but have problems with the login screen. For example, by default the greeter on an Ubuntu 12.10 system does not provide the option to enter a username. To allow this, modify /etc/lightdm/lightdm.conf to include
[SeatDefaults]
autologin-guest=false
user-session=ubuntu
greeter-session=unity-greeter
greeter-show-manual-login=true
On an Ubuntu 15.10 system, the corresponding file that needs to change is /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf and it should have the content
[Seat:*]
greeter-session=unity-greeter
greeter-show-manual-login=true

Adding Users

Users and computers in the domain can be managed with the tool Active Directory Users and Computers (Figure 6-14). On a Windows Server 2008 R2 system, launch the tool from the Start Menu, navigating Start ➤ Administrative Tools ➤ Active Directory Users and Computers. For Windows Server 2012 or later from Server Manager (Figure 6-1) select Tools, then Active Directory Users and Computers. On Windows Server 2012, it is also available directly from the Start Menu, while on Windows Server 2012 R2 or 2016, it is available from the Administrative Tools entry on the Start Menu. The tool can also be started from a terminal with dsa.msc.

To see the computers that are members of the domain, from the navigation pane select the domain, then the container labeled Computers; to see the users on the system, select the container labeled Users.
Figure 6-14

Active Directory Users and Computers on Windows Server 2012 R2

There are several default security groups present. The Domain Users group contains the users on the domain. Users in the Domain Admins group have administrator-level access on domain controllers, domain servers, and domain workstations; members of the Enterprise Admins can administer all the domains in the forest.

Not every group listed under Users refers to people; there is a group for domain computers and a group for domain controllers.

To add a new user, from the navigation pane in the Active Directory Users and Computers right-click on users; select New, then User. Enter the name of the user and an account name; then choose a password for the new user. By default, the user must change the password at their next logon.

Once the user is created, double-click on the user name in the Active Directory Users and Computer Window to see the properties of that user (Figure 6-15). There are tabs for general information, the address of the user, details of the account and profile, the telephone number for the user, and the place the user has within the organization. Some of the account properties include the domain groups to which the user belongs, the location of the user profile, and the location of the user’s home directory.
Figure 6-15

Properties of a user on Windows Server 2012 R2

Scripting and PowerShell

Although the graphical process works well when adding a single user, adding many users is better handled with a script. PowerShell includes an Integrated Scripting Environment (ISE); this is installed by default on Windows Server 2012 and later but is an additional feature on Windows Server 2008 R2. To install it, navigate the Start Menu through Administrative Tools ➤ Server Manager. From Server Manager, expand the navigation pane for the server, right-click on Features, then select Add Features. From the resulting menu, select Windows PowerShell Integrated Scripting Environment (ISE) and install.

On Windows Server 2008 R2 PowerShell ISE then appears in the Start Menu; navigate All Programs ➤ Accessories ➤ Windows PowerShell ISE. On Windows Server 2012 or 2012 R2, there is an icon for PowerShell on the taskbar, while there is an entry for Windows PowerShell ISE in the Start Menu on Windows Server 2016.
Figure 6-16

Windows PowerShell ISE on Windows Server 2016, showing the script pane (CTRL+R) and the Commands add-on

To create a “Hello World” PowerShell script, create a script containing the single line shown in Listing 6-3.
"Hello World"
Listing 6-3

The “Hello World” PowerShell script Testing.ps1

There is no need for a print statement or an echo statement; putting a string alone on a line causes it to be printed when the PowerShell script is run. Save the result as, say, Testing.ps1. The script can be executed directly from the PowerShell ISE by pressing F5.

On Windows Server 2008 R2 or Windows Server 2012, the script fails; on Windows Server 2012 the returned error is
PS C:\Windows\system32> C:\Users\Administrator\Desktop\Testing.ps1
File C:\Users\Administrator\Desktop\Testing.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see
about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess
By default, these systems do not allow users, even administrators, to run scripts that have not been signed by a trusted publisher (like Microsoft). The current policy can be found by running
PS C:\Windows\system32> Get-ExecutionPolicy
Restricted
A better choice is to set this to RemoteSigned:
PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

In this mode, local scripts can be run, but scripts downloaded remotely must be signed. This is the default policy on Windows Server 2012 R2 and Windows Server 2016. With this change, the Hello World script runs as expected.

Suppose that the list of users to be added to the system is available in a plain text file named Users.txt like Listing 6-4.
Hermann Emil Fischer
Svante August Arrhenius
William Ramsay
Johann Friedrich Wilhelm Adolf von Baeyer
Henri Moissan
Eduard Buchner
... Output Deleted ...
Listing 6-4

The file Users.txt, which contains a list of user names to be added to a domain

Consider the PowerShell script in Listing 6-5.
# Read the list of full names, one per line, into an array
$nameslist = Get-Content C:\Users\Administrator\Desktop\Users.txt
ForEach ($name in $nameslist) {
  # First word is the given name, last word is the surname
  $first = $name.Split(' ')[0]
  $last = $name.Split(' ')[-1]
  # Username: first initial followed by the surname, all lower case
  $username = $first.ToLower()[0] + $last.ToLower()
  # Create the account; every user receives the same fixed initial password
  New-ADUser -Name $name `
   -AccountPassword (
          ConvertTo-SecureString "password1!" -AsPlainText -Force) `
   -DisplayName $name `
   -Enabled $true `
   -SamAccountName $username `
   -givenname $first `
   -surname $last `
   -userprincipalname ($username + "@corp.saturn.test")
}
Listing 6-5

The PowerShell script useradd.ps1 to read a file of user names and create the corresponding user in Active Directory

The script begins by using Get-Content to read the file Users.txt into the array $nameslist. It then loops through each name in the list, pulling out the first name, the last name, and building a username formed by taking the first letter of the first name and appending it to the last name, all in lower case.

New-ADUser is a cmdlet; PowerShell provides many cmdlets that perform many different jobs. This one adds the given user to Active Directory with a fixed password, setting only a few of the many available fields for a user. Help for a cmdlet is available directly from PowerShell:
PS C:\Users\Administrator> Get-Help new-aduser
NAME
    New-ADUser
SYNOPSIS
    Creates a new Active Directory user.
SYNTAX
    New-ADUser [-Name] <String> [-AccountExpirationDate <DateTime>] [-AccountNotDelegated <Boolean>] [-AccountPassword <SecureString>] [-AllowReversiblePasswordEncryption <Boolean>] [-AuthenticationPolicy <ADAuthenticationPolicy>] [-AuthenticationPolicySilo <ADAuthenticationPolicySilo>] [-AuthType {Negotiate | Basic}] [-CannotChangePassword
... Output Deleted ...
DESCRIPTION
    The New-ADUser cmdlet creates a new Active Directory user. You can set commonly used user property values by using the cmdlet parameters.
    Property values that are not associated with cmdlet parameters can be set by using the OtherAttributes parameter. When using this parameter be sure to place single quotes around the attribute name.
... Output Deleted ...

Returning to the script, provided a backtick is the last character on a line, the command is continued on the subsequent line; this makes the result much easier to read. PowerShell also continues a line when the statement cannot be complete at that point: for example, if a line contains an open parenthesis and a following line contains the closing parenthesis.

This script also works on Windows Server 2008 R2, but only if it is preceded with the line
Import-Module ActiveDirectory

By default, PowerShell on Windows Server 2008 R2 does not load the New-ADUser cmdlet.
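The script in Listing 6-5 gives every new account the same fixed password and will fail on the second person whose first initial and surname collide. The following is an added example, not code from the book, showing a hardened variant of the same bulk-creation procedure: it validates each line, truncates and sanitizes the sAMAccountName, appends a digit when the username is already taken, generates a random initial password per user, and forces a password change at first logon. The target OU (Production under Main Site- Users), the UPN suffix corp.saturn.test, the input file path, and the output report path are assumptions taken from the chapter's sample domain and should be adjusted.

```powershell
# Added example (not from the book): a hardened variant of Listing 6-5.
# Assumptions: ActiveDirectory module available; file paths, UPN suffix and
# target OU are placeholders based on the chapter's sample domain.
Import-Module ActiveDirectory

$UsersFile  = 'C:\Users\Administrator\Desktop\Users.txt'        # same format as Listing 6-4
$ReportFile = 'C:\Users\Administrator\Desktop\NewUsers.csv'     # assumed output location
$UpnSuffix  = 'corp.saturn.test'
$TargetOU   = 'OU=Production,OU=Main Site- Users,DC=corp,DC=saturn,DC=test'  # assumed OU

# First-initial + surname as in Listing 6-5, but restricted to [a-z0-9], cut to
# the 20-character sAMAccountName limit, and suffixed with a number on collision.
function New-UniqueSamAccountName {
    param([string]$First, [string]$Last)
    $base = ($First.Substring(0, 1) + $Last).ToLower() -replace '[^a-z0-9]', ''
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }
    $candidate = $base
    $n = 1
    while (Get-ADUser -Filter "sAMAccountName -eq '$candidate'" -ErrorAction SilentlyContinue) {
        $n++
        $suffix = "$n"
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
    }
    return $candidate
}

# Random initial password from a CSPRNG, using rejection sampling so that every
# alphabet character is equally likely (no modulo bias).
function New-RandomPassword {
    param([int]$Length = 16)
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*'
    $limit = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    return -join $chars
}

$report = foreach ($line in Get-Content $UsersFile) {
    $name = $line.Trim()
    if (-not $name) { continue }                      # skip blank lines
    $parts = $name -split '\s+'
    if ($parts.Count -lt 2) {
        Write-Warning "Skipping '$name': a first and a last name are required"
        continue
    }
    $first = $parts[0]
    $last  = $parts[-1]
    $username = New-UniqueSamAccountName -First $first -Last $last
    $password = New-RandomPassword

    try {
        New-ADUser -Name $name `
            -DisplayName $name `
            -GivenName $first `
            -Surname $last `
            -SamAccountName $username `
            -UserPrincipalName "$username@$UpnSuffix" `
            -Path $TargetOU `
            -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
            -ChangePasswordAtLogon $true `
            -Enabled $true `
            -ErrorAction Stop
        [pscustomobject]@{ Name = $name; SamAccountName = $username; InitialPassword = $password }
    } catch {
        # Typical causes: duplicate CN in the OU, or a password rejected by domain policy
        Write-Warning "Failed to create '$name' as $username : $($_.Exception.Message)"
    }
}

# The report holds initial passwords; keep it where only administrators can read it.
$report | Export-Csv -Path $ReportFile -NoTypeInformation
```

The report is the only place the generated passwords appear, so it should be handed over through a controlled channel and deleted afterward; because -ChangePasswordAtLogon is set, each password is valid for a single logon only.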

Organizing a Domain

In Active Directory, an organizational unit (OU) is a container for users, groups, and/or computers. OUs can be created around roles, around geography, around the structure of the company/organization, or around any other convenient set of distinctions.

Consider, for example, a small company that has decided to create an organizational unit named “Main Site” in anticipation that the organization will later grow. That OU contains two separate OUs, one for computers and one for users. Each of these is further subdivided into the following structure:
  • Main Site
    • Main Site- Computers
      • Linux Servers

      • Linux Workstations

      • Windows Servers

      • Windows Workstations

    • Main Site- Users
      • Disabled Accounts

      • IT Staff

      • Production

      • Sales

      • Security Groups

To create this structure, launch Active Directory Users and Computers (Figure 6-17), either from the Start Menu or from the Server Manager. Right-click on the domain name, select New ➤ Organizational Unit, then create the parent OU named Main Site. Each child OU is created in the same fashion by right-clicking on the parent OU.
Figure 6-17

OU structure implemented in Windows Server 2008 R2

When creating an OU, the checkbox “Protect container from accidental deletion” is enabled by default. To delete a protected OU, start Active Directory Users and Computers; from the main menu, navigate View ➤ Advanced Features. This shows additional elements in the navigation pane. Right-click on the OU that is to be deleted, then select Properties. From the Object tab, uncheck the box that protects the object from accidental deletion. The OU can then be deleted by right-clicking on it and selecting Delete.

Moving users and computers to and from OUs is simple; just drag the item from the source and drop it in the destination. Each time this is done, a dialog box appears (Figure 6-18), warning the user that this change can affect how group policies are applied; this is expected behavior.
Figure 6-18

Warning box from moving objects in Active Directory, from Windows Server 2008 R2

Groups and Delegation

A user or computer can only be a member of a single OU; however, it can belong to multiple groups. Groups come in two types: distribution groups, primarily used for email distribution lists; and security groups, used to manage permissions and rights.

To demonstrate the power of groups, create a new group in the Security Groups OU created earlier. To do so, right-click on the OU, select New ➤ Group. Provide the name of the group, say Sales Admins. There are three options for the scope of the group: domain local, global, and universal; select the default global scope. For the group type, select Security.

To add users to the newly created group, select a user from Active Directory Users and Computers, then right-click; select Add to a group and provide the group name.

Despite the name of the group (Sales Admins), membership in this group has not (yet) given these users any additional privileges. To give the members of this group privileges, right-click on the Sales OU and select Delegate Control; this starts the Delegation of Control Wizard (Figure 6-19). Select the Sales Admins group, and delegate some common tasks, say the abilities to
  • Create, delete, and manage user accounts

  • Reset user passwords and force password change at the next logon

  • Modify the membership of a group

Figure 6-19

The Delegation of Control Wizard on Windows Server 2008 R2

Although creating delegations is easy, the process of determining which tasks, if any, have already been delegated is more complex. In Active Directory Users and Computers, from the View menu select Advanced Features. Right-click on a container, say the Sales OU, then select Properties. From the Security Tab, press the Advanced button. The permissions tab lists the permissions assigned to the object; this includes the delegated tasks (Figure 6-20).
Figure 6-20

Advanced Security Settings for the OU Sales, showing the authority delegated to members of the Sales Admins group, on Windows Server 2008 R2
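The Advanced Security Settings dialog shows the delegated permissions one ACE at a time, which is slow to review across many OUs. As an added example (not code from the book), the following PowerShell reads the OU's DACL through the AD: drive that the ActiveDirectory module provides, keeps only the ACEs set directly on the OU (inherited ones come from the domain head and are not delegations), and resolves the object-type GUIDs to schema and extended-right names so that "Reset Password" or "user" appear instead of raw GUIDs. The distinguished name of the Sales OU is assumed from the chapter's sample structure.

```powershell
# Added example (not from the book): audit the permissions delegated on an OU.
# Assumptions: run on a DC or a host with RSAT; the OU DN follows the chapter's
# sample structure and should be adjusted to match your domain.
Import-Module ActiveDirectory

$OuDn = 'OU=Sales,OU=Main Site- Users,DC=corp,DC=saturn,DC=test'

# Map GUID -> name for schema classes/attributes and for extended rights
# (such as "Reset Password"); both kinds appear as ObjectType GUIDs in ACEs.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

function Resolve-AdGuid {
    param([guid]$Id)
    if ($Id -eq [guid]::Empty) { return 'All' }          # empty GUID = applies to everything
    if ($guidMap.ContainsKey($Id)) { return $guidMap[$Id] }
    return $Id.ToString()                                 # unknown GUID: show it raw
}

$columns = @(
    @{ n = 'Trustee';     e = { $_.IdentityReference } },
    @{ n = 'Type';        e = { $_.AccessControlType } },
    @{ n = 'Rights';      e = { $_.ActiveDirectoryRights } },
    @{ n = 'AppliesTo';   e = { Resolve-AdGuid -Id $_.ObjectType } },
    @{ n = 'ChildObject'; e = { Resolve-AdGuid -Id $_.InheritedObjectType } },
    @{ n = 'Inheritance'; e = { $_.InheritanceType } }
)

# Explicit (non-inherited) ACEs on the OU are the delegations plus the OU's default ACEs.
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object -Property $columns |
    Sort-Object Trustee, Type |
    Format-Table -AutoSize
```

Default ACEs for built-in groups such as Account Operators also appear in the output; the tasks delegated through the wizard are the rows whose Trustee is CORP\Sales Admins. Running this over every OU and diffing the result against a known-good baseline is a cheap way to detect delegations that nobody remembers creating.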

Remote Server Administration Tools

Once the Delegation of Control wizard completes, the members of the Sales Admins group have these additional privileges, but it is not clear how these are to be exercised. Domain members that are not domain administrators do not have privileges to log on locally to the domain controller, so how can the members of this group perform administrative activities?

The Remote Server Administration Tools (RSAT) allow a user with the proper privileges to make administrative changes to a domain from a workstation. Different versions are available for different systems.

On Windows 7 systems, once the tool is installed, its components must be enabled. From the Control Panel, navigate Programs ➤ Turn Windows features on or off under Programs and Features. From the Windows Features dialog box, select remote administration snap-ins and tools. Administrative tools are not shown on the Start Menu for all users; this is done on a per-user basis. Right-click the Start Menu; select Properties. On the Start Menu tab, click Customize. From the Customize Start Menu dialog box, scroll down to System Administrative Tools and select Display on the All Programs menu and the Start menu. Click OK.

On Windows 8 or 8.1, the components are enabled automatically and an entry for Administrative Tools is placed in the Start Menu. That item may not be visible, though, until the user right-clicks on the Windows 8 Start Menu and selects All apps.

On Windows 10, the Windows Update service must be running to install the Remote Server Administration Tools; if it was disabled during setup to prevent automatic installation of updates (cf. Chapter 1), it needs to be enabled. The components appear in the Start Menu in the group Windows Administrative Tools.

If a member of the Sales Admins group is logged on to a domain workstation, they can use the Active Directory Users and Computers tool installed on that workstation to make allowed changes using the same interface that a domain administrator might use on a domain controller.

Group Policy

Group policies are used to create and enforce different policies, including security-related policies. Group policies are either local to the machine or are based on Active Directory. To view the local group policy settings on a system, run the program gpedit.msc as an administrator; this can be run either from the command line or from the run box.

Group policies can be set at different levels, processed in the following order:
  • Local group policies

  • Site-linked policies

  • Domain-linked policies

  • OU-linked policies

In the case of overlapping policies, whichever is written last is the one that is applied. When multiple policies are assigned at the same level, they are executed as they appear in the graphical interface in reverse order, from the last to the first. In general, it is best to work on group policies at the site, domain, or OU level. Local group policies would need to be manually replicated on individual machines and do not take advantage of the ability to use Active Directory to manage many systems at once.

The core tool for group policy is the Group Policy Management tool (Figure 6-21). It is available from Server Manager; in Windows Server 2008 R2 it is listed as a feature, while in Windows Server 2012 or later it is available in the tools list. Group Policy Management can also be launched from the Start menu, under administrative tools.

To view a group policy, from the Group Policy Management tool, expand the navigation pane through Group Policy Management ➤ Forest: [Your Forest name] ➤ Domains ➤ [Your Domain Name] ➤ Group Policy Objects. There are two pre-built policies, named “Default Domain Controllers Policy” and “Default Domain Policy.” Select the Default Domain Policy, and view the Settings tab. By default, the user is prompted with a warning stating that content within this application is being blocked by the Internet Explorer Enhanced Security Configuration.

This policy sets, for example, the password requirements and lockout thresholds that are applied to the domain.

The name of the policy, by itself, is not sufficient to ensure that it is applied. The Group Policy Management tool shows a link from the default domain (corp.saturn.test in Figure 6-21) to the Default Domain Policy directly beneath the domain name in the navigation pane; it is this link that actually applies the policy. Click on the domain name in Group Policy Management, then view the tab Linked Group Policy Objects to see that the Default Domain Policy is being applied, with link order 1.
Figure 6-21

The Group Policy Management Tool on Windows Server 2012 R2, viewing the settings for the default domain policy

Group policy objects (GPOs) are pulled by clients from the server. This happens on a regular schedule, so changes are not applied immediately. Group policy settings can be refreshed manually on a single system by running the command gpupdate from a command prompt on that system. Systems also update their GPO settings on user logon, so if a domain user logs out and then logs back on, any new policy settings are applied.

Group Policy Example: Directory Creation

Group policy can be used to configure the system and accounts in a wide range of ways. For example, it is possible to use group policy to automatically create a directory on the desktop for each user who logs in, say the directory %USERPROFILE%\Desktop\Tools.

To create a new group policy object, right-click on Group Policy Objects in the navigation pane, then select New. Give the new GPO a descriptive name: say “Desktop Tools Directory.” Because policies can be quite complex, an organization may create template policies, called starter GPOs, which can be used as the basis of a new policy; this is not necessary in this example.

To add policies to the newly created group policy object, right-click the name of the group policy in the navigation pane and select Edit. This brings up the Group Policy Management Editor (Figure 6-23); this is the tool that is used to set the policies that are to be enforced. From the navigation pane, expand User Configuration ➤ Preferences ➤ Windows Settings ➤ Folders. Right-click to create a new folder rule. Specify the action as “Create” and provide the location of the folder (Figure 6-22). Update the attributes and set the parameters in the Common tab as desired.
Figure 6-22

The New Folders Dialog Box from the Group Policy Management Editor, on Windows Server 2012 R2

This completes the specification of the rule. The Group Policy Management Editor does not contain an option to save the rule; it is automatic. Once the rule’s options are set, quit the editor.

Although the rule has been created, it has not been applied to any members of the domain. Earlier in the chapter, organizational units were created with computers in one OU, subdivided by system type; and users in a second OU, subdivided by role. To apply this policy to the members in an OU, right-click on an OU, say Main Site- Users, then select Link an Existing GPO. Choose the newly created GPO from the list. At this point, the GPO is applied to the users in that OU.

Group Policy Example: Software Restriction Policies

Group policy can be used to enforce security settings. For example, it is possible to limit users so that they can only execute programs from defined directories. Create a new GPO with the name Allowable Code Execution and edit it. From the navigation pane in the Group Policy Management Editor (Figure 6-23), navigate Computer Configuration ➤ Policies ➤ Windows Settings ➤ Security Settings ➤ Software Restriction Policies, then right-click and select New Software Restriction Policies.

Select Security Levels; three are available - Unrestricted, Basic User, and Disallowed. These are the possible default levels, and the default security level is initially Unrestricted. Double-click on Disallowed and choose Set as Default. With this setting, no program can run unless an explicit rule allows it. When the setting is changed, the user is warned that the new setting is more restrictive than before and could result in programs failing to run.

Select Additional Rules. By default, it contains two directories, determined by paths in the registry. The first path is %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%, and a check with regedit, for example, shows that this is C:\Windows. The second path, %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%, is C:\Program Files. For these directories, an exception has been made and the security level has been set to Unrestricted. This allows any program contained in these directories (or their subdirectories) to run. One problem is that these default rules do not allow files in the directory C:\Program Files (x86) to run. From the navigation pane of the Group Policy Management Editor, right-click on Additional Rules, and select New Path Rule. For the path, choose %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%, which corresponds to C:\Program Files (x86), and set the security level to Unrestricted.
Figure 6-23

Group Policy Management Editor for the Allowable Code Execution Policy using Software Restriction Policies, on Windows Server 2012 R2

To allow a user to run programs of their own choosing, add the directory %USERPROFILE%\Desktop\Tools and set permissions on it to be unrestricted; this is the directory the previous group policy automatically creates.

Return to Software Restriction Policies in the Group Policy Management Editor; select Enforcement. The resulting dialog allows the user to select how the restriction policies should be implemented. Apply the policies to all software files and to all users.

The collection of designated file types is used to determine what the policy considers to be an executable file. By default, shortcuts are considered executable files, meaning that they no longer function unless located in a permitted directory. As this is probably too restrictive, select the LNK file type, and remove it from the list; this allows links to function as expected.

This completes the construction of the policy. To apply it, link it to an appropriate OU, for example, the OU containing all Windows workstations. Unlike most group policies, software restriction policies are not applied when a user logs in; one way to apply them is to restart the computer. As an example, the remote computer named hyperion can be restarted with the following command.
C:\Users\Administrator>shutdown /r /m \\hyperion
Here the /r switch indicates the system is to reboot, while /m specifies the name of the remote system. The firewall on the remote system must allow remote management. The user on the system is told that the system will reboot in less than one minute. That amount of time can be extended up to 600 seconds with the flag /t; consider the command
C:\Users\Administrator>shutdown /r /t 600 /m \\iapetus

This informs the users on iapetus that the system will shut down in 600 seconds, or 10 minutes.

When the system reboots, standard programs like Internet Explorer, Paint, or Calculator all work as expected. However, if a user tries to run a program from elsewhere, it is blocked with a message that varies slightly depending on the version of Windows. If the program is copied into the directory Desktop\Tools, however, it can run.
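Trying to launch programs is one way to confirm the policy reached a workstation; reading back what the policy actually wrote is more systematic. The following is an added example (not code from the book) to run on a workstation such as hyperion after the reboot: it reports the default security level, the enforcement scope, whether LNK files are still treated as executables, and every path rule, resolving registry-path rules such as %HKEY_LOCAL_MACHINE\...\SystemRoot% to the directory they denote, the same lookup the text performs by hand with regedit. The registry layout under Safer\CodeIdentifiers (DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes, and per-level Paths subkeys) is stated from experience rather than from the chapter, so check it against your own build.

```powershell
# Added example (not from the book): read back the software restriction policy
# a machine has received. Assumption: SRP stores machine policy under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers with the values
# and subkeys used below; verify on your build.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$LevelNames       = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$EnforcementNames = @{ 0 = 'Not enforced'; 1 = 'All software files except libraries'; 2 = 'All software files' }
$ScopeNames       = @{ 0 = 'All users'; 1 = 'All users except local administrators' }

function Expand-SrpPath {
    param([string]$Item)
    # Registry-path rules look like %HKEY_LOCAL_MACHINE\<key>\<value>%<suffix>;
    # resolve them by reading the named registry value. Anything else is an
    # ordinary environment-variable path such as %USERPROFILE%\Desktop\Tools.
    if ($Item -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        $hiveName = $Matches[1]; $subKey = $Matches[2]; $valueName = $Matches[3]; $suffix = $Matches[4]
        $hive = if ($hiveName -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $props = Get-ItemProperty -Path (Join-Path $hive $subKey) -ErrorAction SilentlyContinue
        $val = if ($props) { $props.($valueName) } else { $null }
        if ($null -ne $val) { return "$val$suffix" }
        return "<unresolved> $Item"
    }
    return [Environment]::ExpandEnvironmentVariables($Item)
}

function Get-SrpSummary {
    if (-not (Test-Path $SaferRoot)) { return [pscustomobject]@{ Present = $false } }
    $ci = Get-ItemProperty -Path $SaferRoot

    # Missing DefaultLevel means the built-in default (Unrestricted) still applies
    $level = if ($null -eq $ci.DefaultLevel) { 262144 } else { [int]$ci.DefaultLevel }

    $rules = foreach ($lvl in $LevelNames.Keys) {
        $pathsKey = Join-Path $SaferRoot "$lvl\Paths"
        if (Test-Path $pathsKey) {
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                $p = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Level       = $LevelNames[$lvl]
                    Path        = [string]$p.ItemData
                    Expanded    = Expand-SrpPath -Item ([string]$p.ItemData)
                    Description = $p.Description
                }
            }
        }
    }

    [pscustomobject]@{
        Present         = $true
        DefaultLevel    = $LevelNames[$level]
        Enforcement     = $EnforcementNames[[int]$ci.TransparentEnabled]
        Scope           = $ScopeNames[[int]$ci.PolicyScope]
        LnkIsExecutable = (@($ci.ExecutableTypes) -contains 'LNK')
        PathRules       = $rules
    }
}

$summary = Get-SrpSummary
if (-not $summary.Present) {
    Write-Host 'No software restriction policy has been applied to this machine.'
} else {
    $summary | Select-Object DefaultLevel, Enforcement, Scope, LnkIsExecutable | Format-List
    $summary.PathRules | Sort-Object Level, Expanded | Format-Table Level, Path, Expanded -AutoSize
}
```

For the policy built in this section the expected result is DefaultLevel Disallowed, Enforcement "All software files", Scope "All users", LnkIsExecutable False, and four Unrestricted path rules resolving to C:\Windows, C:\Program Files, C:\Program Files (x86), and the current user's Desktop\Tools directory. Any additional Unrestricted rule, or a writable directory among the resolved paths, is worth investigating, since it widens what users can execute.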

Group Policy Example: Windows Defender

Another useful security-related group policy controls Windows Defender, the antivirus tool from Microsoft. If the policy Computer Configuration ➤ Policies ➤ Administrative Templates ➤ Windows Components ➤ Windows Defender ➤ Turn Off Windows Defender is set to enabled, then Windows Defender will be disabled. Setting it to disabled or leaving it unconfigured means that Windows Defender will run.

Adding a Second Domain Controller

Because of the importance of the domain controller to an organization, a domain should never have just one domain controller. To add a second domain controller, start with another Windows server; set the hostname and IP address for the system and join it to the domain.

Run the Add Roles Wizard; choose Active Directory Domain Services Installation. It is not necessary to install DNS services. Once the role is installed, run the Active Directory Domain Services Installation Wizard (dcpromo.exe) in the same fashion as the first domain controller. For the deployment configuration, choose to add the domain controller to the existing domain. The user is prompted for domain credentials. A directory services restore mode password is required; this can be distinct from the DSRM password on other domain controllers. Once the wizard completes, the server functions as an additional domain controller (Figure 6-24).
Figure 6-24

Adding a second Windows Server 2016 as a domain controller

Replication ensures that changes made on one domain controller are copied to all others; this can be verified by inspecting the new domain controller and confirming that objects created on the first one are present.
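Inspecting the new domain controller by hand confirms one object at a time. As an added example (not code from the book), the following PowerShell lists every domain controller the domain knows about, reports each one's replication partners with the time of the last successful replication and any recorded failures, and then checks that a probe object resolves to the same value on every domain controller. It uses the Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure cmdlets, which are present in the ActiveDirectory module on Windows Server 2012 and later but not in the 2008 R2 module; the probe user fhaber is taken from the chapter.

```powershell
# Added example (not from the book): verify that all domain controllers replicate
# and that a probe object has converged. Assumption: Windows Server 2012 or later
# ActiveDirectory module (the AD replication cmdlets are unavailable on 2008 R2).
Import-Module ActiveDirectory

$ProbeUser = 'fhaber'          # sample user from the chapter

# 1. Replication status of every DC in the domain
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    Write-Host "== $dc"
    Get-ADReplicationPartnerMetadata -Target $dc |
        Select-Object Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
    $failures = Get-ADReplicationFailure -Target $dc
    if ($failures) {
        Write-Warning "$dc reports replication failures:"
        $failures | Format-Table Partner, FailureType, FailureCount, FirstFailureTime -AutoSize
    }
}

# 2. Convergence check: query each DC directly for the same object and compare
#    one replicated attribute. Returns $true when every DC has the object and
#    all copies agree.
function Test-AdObjectConverged {
    param([string]$SamAccountName, [string[]]$Servers, [string]$Attribute = 'description')
    $seen = foreach ($s in $Servers) {
        $u = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" -Server $s -Properties $Attribute
        $value = if ($u) { $u.$Attribute } else { $null }
        [pscustomobject]@{ Server = $s; Found = [bool]$u; Value = $value }
    }
    $seen | Format-Table -AutoSize
    $allFound = (@($seen | Where-Object { $_.Found }).Count -eq $Servers.Count)
    $agree    = (@($seen | ForEach-Object { $_.Value } | Select-Object -Unique).Count -le 1)
    return ($allFound -and $agree)
}

if (Test-AdObjectConverged -SamAccountName $ProbeUser -Servers $dcs) {
    Write-Host "$ProbeUser is present and identical on all $($dcs.Count) domain controllers."
} else {
    Write-Warning "$ProbeUser has not converged; wait for the next replication cycle or check the failures above."
}
```

To exercise the check, set the description of the probe user on one domain controller (for example with Set-ADUser -Server), then rerun the script: it reports divergence until the change has replicated, after which the convergence test returns true.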

Notes and References

I like two general references for Windows Server operating systems:
  • Windows Server 2012 Inside Out, William Stanek. Microsoft Press, January 2013.

  • Mastering Windows Server 2012 R2, Mark Minasi, Kevin Greene, Christian Booth, Robert Butler, John McCabe, Robert Panek, Michael Rice, and Stefan Roth. Sybex, December 2013.

Not only do these books cover Windows Server 2012, they contrast the behavior of Windows Server 2012 with Windows Server 2008.

Installing Active Directory

NetBIOS names actually have 16 characters, but on Windows systems the last character is reserved for the resource type (http://technet.microsoft.com/en-us/library/cc779578.aspx). The NetBIOS specification allows for case-sensitive names (http://msdn.microsoft.com/en-us/library/dd891456.aspx), but in practice NetBIOS names are capitalized. The NetBIOS name should be a truncated version of the host name; if not, applications may break (https://docs.microsoft.com/en-us/windows/desktop/SysInfo/computer-names). See also Microsoft KB 909264 (https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and) for naming conventions.

During testing, you may be tempted to use the same top-level name for the root domain name of different domains. For example, you may want to name the first domain ad.neptune.test and the second domain ad.saturn.test. This may lead to trouble, as both systems want the same NetBIOS name, AD. If both systems are together on the same network, a NetBIOS name collision results. The solution is to also use different top-level names, say ad.neptune.test and corp.saturn.test.

The inability of Windows Server 2012 and later to use the top-level domain .example appears to conflict with RFC 6761 (http://tools.ietf.org/html/rfc6761); section 6.5 explicitly states that “Authoritative DNS servers SHOULD NOT recognize example names as special.”

Details of the file structure for Active Directory domain controllers can be found in Chapter 24 of Windows Server 2012 Inside Out.

DNS

For more detail on the different kinds of Active Directory records in DNS, check out Chapter 22 of Windows Server 2012 Inside Out or Chapter 6 of Mastering Windows Server 2012 R2.

The discussion of DNS, both here and in Chapter 4, is superficial. A deeper understanding requires knowing much more about delegation and recursion. The security problems of DNS are well known, and many are solved with DNSSEC, which is not even mentioned. Sorry - there isn’t room.

A nice place to learn more about batch scripting is available at Wikibooks, at http://en.wikibooks.org/wiki/Windows_Batch_Scripting. Microsoft TechNet has a summary of the various Windows command-line tools (including dnscmd) at https://technet.microsoft.com/en-us/library/cc754340.aspx.

Managing a Domain

When building a domain on a test network, you may create only the administrator account on the domain controller, and the Windows system may only have the local administrator account. When the Windows system is joined to the domain, attempts to log in as the domain administrator may be interpreted as an attempt to log in as the local administrator. To specify the domain account, be sure to use the account name domainname\administrator. To specify the local account, be sure to use the account name <name of local system>\administrator.

PowerShell

PowerShell is worth a book in its own right; a good starting place is the Microsoft Scripting Center at http://technet.microsoft.com/en-us/scriptcenter/powershell.aspx. More information about PowerShell execution policies can be found at http://technet.microsoft.com/en-us/library/hh847748.aspx.

A good place to learn more about cmdlets in PowerShell is the Microsoft Developer Network at http://msdn.microsoft.com/en-us/library/ms714395.aspx. Specifics about the New-ADUser cmdlet can be found at http://technet.microsoft.com/en-us/library/ee617253.aspx or http://technet.microsoft.com/en-us/library/hh852238.aspx.

The PowerShell version can be found by running $PSVersionTable from a PowerShell prompt.
  • PowerShell 2.0: Windows 7 SP1, Windows Server 2008 R2

  • PowerShell 3.0: Windows 8, Windows Server 2012

  • PowerShell 4.0: Windows 8.1, Windows Server 2012 R2

  • PowerShell 5.0: Windows 10-1507, Windows 10-1511

  • PowerShell 5.1: Windows 10-1607, Windows 10-1709, Windows Server 2016

Organizing a Domain

Another option for managing which applications can run on a system is AppLocker. Unfortunately, AppLocker is not available for most versions of Windows, including Home Premium and Professional; see http://technet.microsoft.com/en-us/library/ee424382.aspx. Device Guard, which can be used only with Windows 10 or Windows Server 2016, can provide even more security for applications that can run on the system; see https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide. Even these more restrictive policies can be bypassed, though; see https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe.

Windows servers run several services on a range of ports. Microsoft maintains a list of the port requirements for Windows Server systems at http://technet.microsoft.com/en-us/library/dd772723.aspx. See also https://msdn.microsoft.com/en-us/library/cc875824.aspx. A domain controller can often be identified in an Nmap scan by the ports it uses. For example, Kerberos authentication uses TCP/88 and UDP/88, while TCP/389 is used for LDAP queries.