Preparation for course 20742B: Computer Equipment and Trade - CET
Cloning a virtual DC
1. Add the existing DC object that is being cloned to the "Cloneable Domain Controllers" group
2. Confirm the cloning prerequisites with the command
Get-ADDCCloningExcludedApplicationList
Incompatible software must be removed
Update the list of compatible software with the command
Get-ADDCCloningExcludedApplicationList -GenerateXml
Generate the clone configuration file:
New-ADDCCloneConfigFile -CloneComputerName "VirtualDC2" -SiteName "ADSite01" -Static -IPv4Address "10.0.1.2" -IPv4SubnetMask "255.255.255.0" -IPv4DefaultGateway "10.0.1.1" -IPv4DNSResolver "10.0.0.2" -PreferredWINSServer "10.0.0.3"
The file is written to C:\Windows\NTDS\DCCloneConfig.xml
Sample: C:\Windows\System32\SampleDCCloneConfig.xml
2. Shut down the source DC
3. Export the VM
7. Delete the snapshots
8. Start the cloned VM
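An added pre-flight script (not from the course notes) that ties the checks above together: it refuses to write the clone configuration unless the source DC is in Cloneable Domain Controllers and nothing is on the exclusion list. The DC name LON-DC1 is assumed; the network values are the ones from the notes.

```powershell
# Added example: pre-flight checks for virtual DC cloning. Run on the source DC itself,
# because Get-ADDCCloningExcludedApplicationList inspects the local machine.
Import-Module ActiveDirectory

$SourceDc  = "LON-DC1"      # assumption: the DC being cloned (the lab DC from these notes)
$CloneName = "VirtualDC2"

# Step 1 check: the source DC must be a member of Cloneable Domain Controllers
$member = Get-ADGroupMember -Identity "Cloneable Domain Controllers" |
    Where-Object { $_.objectClass -eq "computer" -and $_.name -eq $SourceDc }
if (-not $member) {
    throw "$SourceDc is not a member of Cloneable Domain Controllers; add it and retry."
}

# Step 2 check: software on the exclusion list blocks cloning until it is removed or
# explicitly allowed with Get-ADDCCloningExcludedApplicationList -GenerateXml
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table Name, Type -AutoSize | Out-String | Write-Warning
    throw "Remove the listed software or generate the allow list with -GenerateXml before cloning."
}

# Only now write DCCloneConfig.xml (lands in C:\Windows\NTDS on this DC)
New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName "ADSite01" -Static `
    -IPv4Address "10.0.1.2" -IPv4SubnetMask "255.255.255.0" `
    -IPv4DefaultGateway "10.0.1.1" -IPv4DNSResolver "10.0.0.2"
```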
Lab: Deploying and administering AD DS
Virtual machines: 20742B-LON-DC1 and 20742B-LON-SVR1
Password: Pa55w.rd
Module 2: Managing objects in AD DS
Lesson 1: Managing user accounts
Account categories:
Local (SAM)
Domain (AD)
By origin:
Builtin: Administrator, Guest
User Created: accounts that we create
Other:
Administrative tools: AD Users and Computers or Active Directory Administrative Center
RSAT Tools
Windows PowerShell
Dsadd, dsget, dsmod, dsmove, dsquery, dsrm
User account properties: User Principal Name (UPN) and Pre-Windows 2000 User Logon Name
SID
User Profile
o Local
o Roaming
Modifying attributes of multiple accounts at once
Account Templates (attributes copied when a template account is copied)
o Address tab: everything except Street address
o Account tab: logon hours, logon workstations, account options, account expiration
o Profile tab: everything
o Organization tab: department, company, manager
o Member Of tab: everything
Demo: creating an account, renaming, resetting a password, unlocking, moving, enabling/disabling, working with templates
Lesson 2: Managing groups in AD DS
Group categories:
Local (SAM)
Domain (AD)
By origin:
Builtin: Administrators, Domain Admins, Users, Domain Users… there are many
User Created: groups that we create
Domain groups
Scope:
Global
Domain Local
Universal
Type:
Security
Distribution
Principle
IGDLA
I->G->DL<-A
(Identities go into Global groups, Global groups are nested into Domain Local groups, and Access permissions are assigned to the Domain Local group.)
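The IGDLA principle carried through in PowerShell, as an added example that is not part of the course notes: the user names, OU, domain and share path are assumptions. The closing check looks for user accounts granted directly on the folder, which is how IGDLA usually gets bypassed.

```powershell
# Added example: IGDLA for a file share. Names below are constructed for the demo.
Import-Module ActiveDirectory

$ou     = "OU=IT,DC=adatum,DC=com"
$global = "G_Finance_Staff"        # I -> G  : identities (users) go into a Global group
$dlRead = "DL_FinanceShare_Read"   # G -> DL : the Global group is nested into a Domain Local group
$share  = "E:\Shares\Finance"      # DL <- A : the ACE is granted to the Domain Local group only

New-ADGroup -Name $global -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name $dlRead -GroupScope DomainLocal -GroupCategory Security -Path $ou

Add-ADGroupMember -Identity $global -Members "AnaA", "BojanB"   # assumed existing users
Add-ADGroupMember -Identity $dlRead -Members $global

# Grant Read & Execute on the folder to the Domain Local group, inherited by files and subfolders
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "ADATUM\$dlRead", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: any ACE that names a user account directly means IGDLA was bypassed on this share
(Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference.Value -like "ADATUM\*" } |
    ForEach-Object {
        $name = $_.IdentityReference.Value.Split('\')[1]
        $obj  = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" -Properties objectClass
        if ($obj -and $obj.objectClass -eq "user") {
            Write-Warning "Direct user ACE on ${share}: $name (should be granted via a Domain Local group)"
        }
    }
```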
Default Groups
Universal
Enterprise Admins
Schema Admins
Global
Domain Admins
Domain Users
Domain Local
Administrators
Users
Server Operators
Remote Desktop users
Backup operators
Print Operators
Special identities
Anonymous Logon
System
Authenticated Users
Everyone
Interactive
Network
Creator Owner
Lesson 3: Managing computer objects in AD DS
Prestaged / non-prestaged computer accounts
Lesson 4: Using Windows PowerShell for AD DS administration
User accounts
Cmdlet: Description
Unlock-ADAccount: Unlocks a user account after it has become locked after too many incorrect sign-in attempts
Cmdlet: Description
Test-ComputerSecureChannel: Verifies or repairs the trust relationship between a computer and the domain
Reset-ComputerMachinePassword: Resets the password for a computer account
Test-ComputerSecureChannel -Repair
Queries about objects
CreateUsers.csv
CreateUsers.ps1
# Creates one user per row of CreateUsers.csv (columns: FirstName, LastName, username, password)
Import-Module ActiveDirectory
$csvfile = "CreateUsers.csv"
$domain  = "adatum.com"
$OU      = "OU=IT,DC=adatum,DC=com"
$users   = Import-Csv $csvfile
foreach ($i in $users) {
    # $() is required: "$i.FirstName" would expand $i and append the literal text ".FirstName"
    $FullName = "$($i.FirstName) $($i.LastName)"
    $Username = $i.username
    $UPN = $i.username + "@" + $domain
    $securePassword = ConvertTo-SecureString $i.password -AsPlainText -Force
    New-ADUser -Name $FullName -Path $OU -SamAccountName $Username `
        -UserPrincipalName $UPN -AccountPassword $securePassword -Enabled $true
}
Lesson 5: Implementing and managing OUs
Location
Organization
Hybrid
Organizational units
Lab B: Administering AD DS
Virtual machines: 20742B-LON-DC1, 20742B-LON-SVR1, and 20742B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd
Module 3: Advanced AD DS infrastructure management
Lesson 1: Overview of advanced AD DS deployments
Multiple domains?
Nothing new
Windows 2003
Windows 2008
Nothing new
Windows 2008 R2
AD Recycle Bin
Nothing new
Lesson 3: Configuring AD DS trusts
Characteristics of trust relationships
Direction
Transitivity
How the trust is established
Types of trust relationships and details
Automatic trusts (Parent and Child, Tree-root)
Shortcut trusts
External trusts
Realm trusts
Forest trusts
Tools for managing trust relationships
AD Domains and Trusts
Netdom trust:
o NETDOM TRUST TRUSTINGDOMAINNAME /DOMAIN:TRUSTEDDOMAINNAME /VERIFY
o NETDOM TRUST TRUSTINGDOMAINNAME /DOMAIN:TRUSTEDDOMAINNAME /REMOVE [/FORCE] /USERD:USER /PASSWORDD:*
Domain Quarantine (SID Filtering)
Enabled by default for External and Forest trust relationships.
The trusting domain relies only on the SIDs of accounts from the trusted domain. The "SID History" attribute of accounts from the trusted domain is ignored, to prevent manipulation of the "SID History" attribute in which an administrator of the trusted domain modifies "SID History" and inserts a SID that could have access to resources in the remote domain.
Authentication models:
Selective authentication
Domain-wide authentication (for an external trust) or forest-wide authentication (for a forest trust)
If Domain-wide or Forest-wide authentication is chosen, all users of the trusted domain can be used to access any service on any computer of the trusting domain.
With Selective authentication, a user whose account is in the trusted domain must have the "Allowed to Authenticate" permission on the Computer object in the trusting domain that is being accessed.
Name Suffix Routing
The mechanism for routing authentication requests between forests connected by Forest trust relationships. AD routes all unique name suffixes. Suffix filtering is supported (preventing authentication for a suffix).
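An added audit script (not from the course notes) that reports, for every trust of the current domain, the two settings discussed above: whether SID filtering is in force and whether selective authentication is used. It relies only on the properties Get-ADTrust exposes; the trust names come from whatever forest it is run in.

```powershell
# Added example: audit SID filtering and the authentication model on all trusts.
Import-Module ActiveDirectory

function Get-TrustAuditReport {
    # One object per trust, with the findings a defender should review
    Get-ADTrust -Filter * -Properties Direction, ForestTransitive, IntraForest,
        SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware |
    ForEach-Object {
        $kind = if ($_.IntraForest) { "intra-forest" }
                elseif ($_.ForestTransitive) { "forest" }
                else { "external" }
        # External trusts carry the quarantine flag; forest trusts use "forest aware" SID filtering
        $sidFiltered = if ($_.ForestTransitive) { $_.SIDFilteringForestAware }
                       else { $_.SIDFilteringQuarantined }
        $findings = @()
        if ($kind -ne "intra-forest") {
            if (-not $sidFiltered) {
                $findings += "SID filtering is off: SID History from $($_.Name) will be honoured"
            }
            if (-not $_.SelectiveAuthentication) {
                $findings += "domain/forest-wide authentication: every user of $($_.Name) may authenticate here"
            }
        }
        [pscustomobject]@{
            Trust                   = $_.Name
            Kind                    = $kind
            Direction               = $_.Direction
            SIDFiltering            = [bool]$sidFiltered
            SelectiveAuthentication = [bool]$_.SelectiveAuthentication
            Findings                = ($findings -join "; ")
        }
    }
}

Get-TrustAuditReport | Format-Table -AutoSize
```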
Module 4: Implementing and administering AD DS sites and replication
Definition of a site and a subnet
An Active Directory site represents a unit of the network that is characterized by fast, reliable, inexpensive connectivity. Much documentation suggests that the slowest link speed within a site should be no less than 512 kilobits per second (kbps). However, this guidance is not immutable. Some organizations have links as slow as 56 or even 28 kbps within a site.
Update types
attribute level,
move to deleted container,
moving two objects with the same RDN to the same container.
Update convergence and replication latency
Urgent replication:
Site link bridges:
Connect two or more site links so that the link between the sites is transitive. They are needed only if the Bridge all Site Links option (configured through the properties of the IP or SMTP container) is turned off.
A site link bridge connects two or more site links in a way that creates a transitive link
Global catalog
Fast searches
Storage of universal group membership
Configuring the global catalog
The server's NTDS Settings
Universal Group Membership Caching
Command-line diagnostic tools: repadmin (replication status) and dcdiag (testing the health and security of replication)
PowerShell cmdlets
Characteristics of an RODC
Holds a replica of all attributes except passwords
When an authentication request arrives, the RODC receives it and forwards it to a domain controller in the hub site
A Password Replication Policy (PRP) can be configured, which defines the accounts whose passwords the RODC may cache
Removing a read-only DC comes down to deleting its computer account
Replication is one-way, towards the RODCs, which eliminates the possibility of AD being corrupted from an RODC
RODCs have a local Administrators group that can be used to delegate local administrative privileges
If the RODC is a DNS server with AD-integrated zones, those zones are also read-only; dynamic update requests are handled by referrals to a writable DC
Notes:
To remove a cached password, the password must be reset at the hub site
Prepopulation of cached passwords can be performed
Prepopulation cannot be performed without adequately configured password replication policies (the same password replication algorithm applies).
PSO precedence
1. PSO linked directly to the user
2. Group PSO with the lowest precedence value
3. Group PSO with the smaller GUID (in case of equal precedence values)
4. GPO (Default Domain Policy)
Security improvements
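The precedence rules above worked through in PowerShell, as an added example that is not part of the course notes: it resolves the winning PSO for a user by applying the four rules itself and then compares the result with what the DC computes. The user name AnaA is an assumption; the GUID tie-break uses .NET GUID ordering, so the DC's own answer is the authoritative one.

```powershell
# Added example: resolve which PSO governs a user by applying the precedence rules.
Import-Module ActiveDirectory

function Resolve-UserPso {
    # Returns the winning PSO, or $null when the Default Domain Policy (GPO) applies
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user    = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName
    $allPsos = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo, Precedence, ObjectGUID

    # Rule 1: a PSO linked directly to the user always wins
    $direct = $allPsos | Where-Object { $_.AppliesTo -contains $user.DistinguishedName }
    if ($direct) {
        return $direct | Sort-Object Precedence, ObjectGUID | Select-Object -First 1
    }

    # Rules 2 and 3: PSOs linked to any group the user belongs to, nested groups included
    # (LDAP_MATCHING_RULE_IN_CHAIN lets the DC walk the membership chain for us)
    $groupDns = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        Select-Object -ExpandProperty DistinguishedName
    $viaGroup = $allPsos | Where-Object {
        $applies = $_.AppliesTo
        @($groupDns | Where-Object { $applies -contains $_ }).Count -gt 0
    }
    if ($viaGroup) {
        # lowest Precedence value wins; ties are broken by the smaller objectGUID
        return $viaGroup | Sort-Object Precedence, ObjectGUID | Select-Object -First 1
    }

    # Rule 4: no PSO applies, so the Default Domain Policy governs the account
    return $null
}

# Cross-check the local resolution against what the DC itself reports
$sam  = "AnaA"   # assumption: an existing user
$mine = Resolve-UserPso -SamAccountName $sam
$dc   = Get-ADUserResultantPasswordPolicy -Identity $sam
$mineName = if ($mine) { $mine.Name } else { "Default Domain Policy" }
$dcName   = if ($dc)   { $dc.Name }   else { "Default Domain Policy" }
"{0}: computed={1} DC={2}" -f $sam, $mineName, $dcName
```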
Windows Hello:
o For biometric-based sign in to Windows
Microsoft Passport:
o To leverage Windows Hello and TPM
Azure Multi-Factor Authentication:
o To enhance account security by adding second factor of verification
o Can be used in cloud or for on-premises applications
A service account may be an account that is local to the computer, such as the built-in Local Service, Network Service, or Local System accounts.
A managed service account is an AD DS object class that enables simplified password and SPN management for service accounts.
The msDS-ManagedServiceAccount class
Uses the password update mechanism that is used for Computer objects, with no user intervention required
SPN - "Service Principal Name"
Stored in the CN=Managed Service Accounts,DC=<domain>,DC=<com> container
Supported on Windows Server 2012 and 2008 R2
Prerequisite for Managed Service Accounts: the KDS root key. Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
(The -10 hour offset backdates the key so it is usable at once instead of after the normal 10-hour replication wait; this is a lab shortcut, appropriate only for a single DC or a fully replicated forest.)
Configuration procedure
1. On the DC: Add-KdsRootKey creates the KDS root key to support group Managed Service Accounts, a requirement on Windows Server 2012 DCs:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Then, on the server that will use the account:
Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity <MSA Name>
What Are Group Managed Service Accounts?
Prerequisites
1. At least one domain controller must be running Windows Server 2012 to store managed password information.
Add-KdsRootKey -EffectiveImmediately
Example
New-ADServiceAccount -Name LondonSQLFarm -PrincipalsAllowedToRetrieveManagedPassword LON-SQL1,LON-SQL2,LON-SQL3
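The gMSA procedure above carried through end to end, as an added example that is not the course's own code: it authorises a security group of hosts instead of listing the hosts one by one, sets the DNS host name that New-ADServiceAccount requires for a group MSA, and finishes with a health check on a member host. The OU, domain name, SPN and host names are assumptions.

```powershell
# Added example: create, install and verify a group Managed Service Account.
Import-Module ActiveDirectory

# --- on a DC, once per forest; omit -EffectiveImmediately in production and wait 10 hours ---
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# --- a group of hosts is easier to maintain than a host list on the account itself ---
$ou = "OU=IT,DC=adatum,DC=com"                       # assumption
New-ADGroup -Name "LondonSQLFarm-Hosts" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "LondonSQLFarm-Hosts" -Members "LON-SQL1$", "LON-SQL2$", "LON-SQL3$"

New-ADServiceAccount -Name "LondonSQLFarm" `
    -DNSHostName "LondonSQLFarm.adatum.com" `
    -ServicePrincipalNames "MSSQLSvc/LondonSQLFarm.adatum.com:1433" `
    -ManagedPasswordIntervalInDays 30 `
    -PrincipalsAllowedToRetrieveManagedPassword "LondonSQLFarm-Hosts"

# --- on each SQL host, after a reboot so the new group membership is in its token ---
Install-WindowsFeature RSAT-AD-PowerShell | Out-Null
Install-ADServiceAccount -Identity "LondonSQLFarm"

function Test-GmsaHealth {
    param([Parameter(Mandatory)][string]$Name)
    # Test-ADServiceAccount is $true only when this host can actually retrieve the managed password
    $usable = Test-ADServiceAccount -Identity $Name
    $acct = Get-ADServiceAccount -Identity $Name -Properties PasswordLastSet,
        ManagedPasswordIntervalInDays, PrincipalsAllowedToRetrieveManagedPassword
    [pscustomobject]@{
        Account            = $Name
        UsableFromThisHost = $usable
        PasswordLastSet    = $acct.PasswordLastSet
        RotationDays       = $acct.ManagedPasswordIntervalInDays
        AllowedPrincipals  = ($acct.PrincipalsAllowedToRetrieveManagedPassword -join ", ")
    }
}

Test-GmsaHealth -Name "LondonSQLFarm"
```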
Module 8: Deploying and managing AD CS
Lesson 1: Deploying CAs
PKI - Public Key Infrastructure
is a combination of software, encryption technologies, processes and services that make it possible to secure communication and business transactions. It relies on the exchange of digital certificates between authenticated users and verified resources.
It provides the services:
confidentiality,
integrity,
authenticity,
nonrepudiation
What is a digital certificate
An ID card or driver's licence for cyberspace.
A digital certificate enables the legitimate transfer of confidential information, money and other sensitive material by means of public-key cryptographic technologies. The owner of a digital certificate has two keys: a private key, held only by the user, which enables digital signing of outgoing messages and decryption of incoming messages, and a public key, which anyone can use to send encrypted messages to that specific user.
Reasons to use digital certificates
L2TP, SSTP, IKEv2 VPN
EFS
Digital certificates for web servers, SMTP servers and similar
Protecting the exchange of electronic messages
Role services
Certification Authority.
o Issues digital certificates
Certification Authority Web Enrollment.
o A web application that provides an interface for issuing digital certificates and other functions
Online Responder.
o A service that provides validation of digital certificates via the Online Certificate Status Protocol
Network Device Enrollment Service (NDES).
o Allows network devices, e.g. routers and switches, that use the Simple Certificate Enrollment Protocol (a protocol developed by Cisco) to participate in the Microsoft PKI infrastructure
Certificate Enrollment Web Service (CES).
o A proxy between clients and the CA. Functions:
Request, renew, and install issued certificates.
Retrieve CRLs.
Download a root certificate.
Enroll over the internet or across forests (new to Windows Server 2008 R2).
Certificate Enrollment Policy Web Service.
o Combined with the Certificate Enrollment Web Service, it enables policy-based certificate enrollment when the client computer is not a member of a domain, or when a domain member is not connected to the domain.
CA typology by area of authority
Internal (Private)
o greater control over certificate management,
o use of templates,
o external clients do not trust it
External (Public)
o minimal administration,
o trusted by more external clients,
o higher costs
CA typology by Microsoft implementation
Standalone
o Typically used offline
o Does not depend on AD
o Certificate requests are submitted manually
o Issuance is approved manually
Enterprise
o Typically used online
o Depends on AD
o Certificate requests can be submitted manually or automatically
o Issuance is approved manually or automatically
Implementing a CA hierarchy
Two-tier hierarchy
Three-tier hierarchy
Linking separate hierarchies
CAPolicy.inf
The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA. If you want to deploy a root or subordinate CA, and you want to predefine some values for use during installation and define some additional parameters, you can use the CAPolicy.inf file
[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Days
CRLPeriodUnits=2
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=4
ClockSkewMinutes=20
LoadDefaultTemplates=True
AlternateSignatureAlgorithm=0
ForceUTF8=0
EnableKeyCounting=0
CA administrative roles
Role/group        | Purpose                                    | Information
CA administrator  | Manage the CA                              | Assigned by using the CA console
Certificate manager | Issue and manage certificates            | Assigned by using the CA console
Backup operator   | Back up and restore files and directories  | Operating system role
Auditor           | Manage auditing and the Security event log | Operating system role
Enrollees         | Read and enroll                            | Can request certificates
A CRL contains a time-stamped list of revoked certificates, signed by the CA and available to PKI users through a public repository. A delta CRL is a relatively small CRL that contains only the changes since the last CRL.
CDP (CRL Distribution Point)?
The CDP is a certificate extension that indicates from where the CRL for a CA can be retrieved. It can contain none, one, or many HTTP, FTP, FILE, or LDAP addresses.
AIA (Authority Information Access)?
AIA addresses are the URLs in the certificates that a CA issues. These addresses tell the verifier of a certificate where to retrieve the CA's certificate.
Online Responder?
Online Responder provides clients with an efficient way to determine the revocation status of a certificate by using the Online Certificate Status Protocol (OCSP).
Autoenrollment. Using this method, the administrator defines the permissions and the configuration of a certificate template. These definitions help the requestor to request, retrieve, and renew certificates automatically without end-user interaction. This method is used for AD DS domain computers. The certificate must be configured for autoenrollment through Group Policy.
Manual enrollment. Using this method, the private key and a certificate request are generated on a device, such as a Web service or a computer. The certificate request is then transported to the CA to generate the certificate being requested. The certificate is then transported back to the device for installation. Use this method when the requestor cannot communicate directly with the CA, or if the device does not support autoenrollment.
CA Web enrollment. Using this method, you can enable a website CA so that users can obtain certificates. To use CA Web enrollment, you must install Internet Information Server (IIS) and the web enrollment role on the CA of AD CS. To obtain a certificate, the requestor logs on to the website, selects the appropriate certificate template, and then submits a request. The certificate is issued automatically if the user has the appropriate permissions to enroll for the certificate.
The CA Web enrollment method should be used to issue certificates when autoenrollment cannot be used. This can happen in the case of an Advanced Certificate request. However, there are cases where autoenrollment can be used for certain certificates, but not for all certificates.
Enrollment on behalf (Enrollment Agent). Using this method, a CA administrator creates an Enrollment Agent account for a user. The user with Enrollment Agent rights can then enroll for certificates on behalf of other users. You would use this method, for example, if you need to allow a manager to preload logon certificates of new employees on to smart cards.
Enrollment Agent
When a user gets a certificate based on an Enrollment Agent template, he or she has the ability to enroll for a certificate on behalf of another user.
Restricted Enrollment Agent?
This functionality allows you to limit the permissions for users who are designated as Enrollment Agents, to enroll for smart card certificates on behalf of other users.
Lesson 3: Using certificates in a business environment
Conditions for Losing Keys
User profile is deleted or corrupted.
Operating system is reinstalled.
Disk is corrupted.
Computer is stolen.
Key Archival and Recovery Agents
To use private key archival, you must enable this functionality on both the CA and specific certificate templates, such as EFS.
KRAs (Key Recovery Agents) are designated users who are able to retrieve the original certificate, private key, and public key that were used to encrypt the data, from the CA database.
When you have configured a CA to issue a KRA certificate, any user with Read and Enroll permission on the KRA certificate template can enroll and become a KRA.
Key archival process
1. Configure the KRA certificate template.
Grant the KRA: Read, Enroll
2. Publish the KRA template
3. The KRA issues itself a certificate based on the KRA template
Certificates MMC\Personal\All Tasks\Request a new certificate
Select the Key Recovery Agent template
The certificate must be issued manually, using Export/Import
4. Configure the Recovery Agents.
Enable the KRA: <CAName> properties\Recovery Agents\Archive the key. Add one or more KRA certificates to the list.
5. Configure the desired templates with the option "Archive subject's encryption private key"
6. Publish the previously configured template
Recovering a lost key
Module 10: Implementing and administering AD FS
Lesson 1: Overview of AD FS
ADFS Enables organizations to establish federation trusts and share resources across organizational and
Active Directory Domain Services (AD DS) boundaries.
Identity Federation
Identity federation enables the distribution of identification, authentication, and authorization across organizational and platform boundaries. It is not the same as an AD trust.
With claims-based authentication, a user can authenticate through the directory service located inside their own organization and is then issued a claim based on that authentication. The claim can then be presented to an application running in another organization.
The application must be designed to grant access according to the presented claim.
It is based on web services: SOAP, XML, WSDL and HTTPS. Web services are registered via the UDDI protocol.
Claims are exchanged using the Security Assertion Markup Language (SAML, which is XML-based)
AD FS features
Web SSO
Interoperability with other vendors' software solutions
Support for mobile phones, PDAs and desktops
Extensible architecture
New in the Windows Server 2016 implementation:
Sign in with Azure Multi-Factor Authentication
Password-less access from compliant devices
Sign in with Windows Hello for Business
Configure access control policies with a wizard
Users in third-party, LDAP v3-compliant directories
AD FS in a single organization
The applications may not be running on Windows servers or on any servers that support AD DS authentication, or on Windows Server servers that are not domain-joined.
Multiple domains and forests that may be the result of mergers and acquisitions,
Users from outside the office who access internal applications and log on to computers that are not part of the Windows domain
B2B federation
Scenario 1: The chief executive officer (CEO) copies a spreadsheet file containing the compensation packages of an organization's executives from a protected folder on a file server to the CEO's personal USB drive.
Scenario 2: An internal document should be viewable by a group of authorized people within the organization. These people should not be able to edit or print the document.
Scenario 3: People within the organization should not be able to forward sensitive email messages that have been assigned a particular classification
Components:
1. AD RMS cluster
Root cluster: provides all AD RMS services
Licensing-only: optional; provides only part of the root cluster's functionality and is of interest in specific situations (Rights Management support for external business partners as part of an extranet that requires strong separation and tracking of resource access)
2. Web services: IIS role service
3. AD DS
4. Database services: storage of information about users, keys and access logging. Windows Internal Database can also be used.
5. AD RMS client: installed automatically on Vista and later; on older systems it must be added.
6. An AD RMS-enabled application, e.g. Microsoft Office.
Office 2003+
Exchange 2007+
SharePoint Server 2007+
Adobe Reader through third-party components
Certificate types
Server licensor certificate (SLC) (identifies the AD RMS role installed on the server). The SLC is a self-signed certificate generated during the AD RMS setup. Other members of the root cluster will share this SLC. If you create a licensing-only cluster, it will generate its own SLC and share it with members of its cluster. The default duration for an SLC is 250 years.
Machine certificate (identifies a computer that can be trusted and contains the public key for the computer, on a per-user, per-computer basis)
The first time an AD RMS-enabled application is used, a machine certificate is created. The AD RMS client in Windows automatically manages this process with the AD RMS cluster. This certificate creates a lockbox on the computer to correlate the machine certificate with the user's profile. The machine certificate contains the public key for the activated computer. The private key is contained within the lockbox on the computer.
Rights account certificate (RAC) (identifies the user by e-mail address or SID)
RACs are issued to trusted users who have an e-mail-enabled account in AD DS. RACs are generated when the user first tries to open rights-protected content. Standard RACs identify users in relation to their computers and have a duration of 365 days. Temporary RACs do not tie the user to a specific computer and are valid for only 15 minutes. The RAC contains the public key of the user as well as his or her private key. The private key is encrypted with the computer's private key.
Client licensor certificate (CLC) (identifies a user who can publish RMS-protected documents even without a connection to the RMS server)
After the user has a RAC and launches an AD RMS-enabled application, the application automatically sends a request for a CLC to the AD RMS cluster. The client computer must be connected for this process to work, but after the CLC is obtained, the user can apply AD RMS policies even offline. Because the CLC is tied to the client's RAC, it is automatically invalidated if the RAC is revoked.
Publishing license (PL) (defines the rights and conditions of use of the content at the moment of publication). The publishing license is created when the user saves content in a rights-protected mode. This license lists which users can use the content and under which conditions, as well as the rights each user has to the content. This license includes the symmetric content key for decrypting content as well as the public key of the cluster.
Use license (UL) (enables viewing of the document according to the previously defined publishing license)
The use license is assigned to a user who opens rights-protected content. It is tied to the user's RAC and lists the access rights the user has to the content. If the RAC is not available, the user cannot work with rights-protected content. It contains the symmetric key for decrypting content. This key is encrypted with the public key of the user.
What is Azure RMS?
Feature                                                                   | AD RMS | Azure RMS | Azure RMS for Office 365
IRM for on-premises Exchange Server and SharePoint Server                 | Yes    | Yes       | Yes
The ability to share with any organization without further configuration | No     | Yes       | Yes
1. Sign in to the server that is hosting AD RMS, and that you wish to decommission.
2. Modify the access control list (ACL) of the file decommissioning.asmx. Grant the Everyone group Read & Execute permission on the file. This file is stored in the %systemdrive%\inetpub\wwwroot\_wmcs\decommission folder.
3. In the Active Directory Rights Management Services console, expand the Security Policies node,
and then click the Decommissioning node.
4. In the Actions pane, click Enable Decommissioning.
5. Click Decommission.
6. When prompted to confirm that you want to decommission the server, click Yes.
AD RMS reports
External sharing
1. It is best to establish a Forest trust relationship between the two forests
2. Documents can also be shared with Windows Live IDs
3. Microsoft Federation Gateway
4. Azure Authentication
5. Alternatively, use Trusted User Domains and Trusted Publishing Domains
Template types
Distributed Rights Policy Template,
available to users,
can be retired by archiving, after which it becomes an Archived Rights Policy Template
Archived Rights Policy Template,
not available to users,
can be used to define new templates
Exclusion policies
Exclusion policies allow you to prevent specific user accounts, client software, or applications from using AD RMS
User exclusion
Application exclusion
Lockbox exclusion (client version)
AD RMS Super Users group
Members of this group can decrypt any rights-protected content file and remove rights protection from it.
Lab: Implementing an AD RMS infrastructure
Estimated Time: 60 minutes
Password: Pa55w.rd
Module 12: Implementing AD DS synchronization with Microsoft Azure AD
Lesson 1: Planning and preparing for directory synchronization
Azure AD?
Azure AD is primarily an identity solution for Internet applications: HTTP port 80 and HTTPS port 443.
There are no organizational units
Users and groups are not in a hierarchical structure
There are no GPOs
LDAP queries are not used; instead, a REST API over HTTP
Does not use Kerberos but SAML (Security Assertion Markup Language)/WS-Federation and OpenID Connect
Includes support for Federation Services
Azure AD authentication options:
Cloud-only variant
Synchronization, one-way or two-way, of users, groups and attributes with AD DS
AD FS SSO between the cloud and the AD DS system
Users whose passwords are synchronized can use Office 365, Microsoft Dynamics CRM and Microsoft Intune
When AD FS is used, Office 365, Microsoft Dynamics CRM and Microsoft Intune are also available
Overview of identity management
Exchange Server sync
Shared Global Address Lists
Synchronized GAL
Sync users with Azure AD Connect
Move some or all mailboxes to Office 365 from on-premises Exchange
Safe and blocked senders synced from on-premises to Exchange Online
Azure AD object quota
Up to 50,000
Increased to 300,000 after verification of the first domain
For more, contact Microsoft Technical Support
Network ports
443
Capacity planning
AD FS and Azure AD
[Figure: AD FS and Azure AD sign-in flow between the client computer, the AD DS domain controller, AD FS (federation trust), Azure AD and a SaaS application; the steps are numbered 1 to 11 in the original diagram]
Lesson 2 Implementing directory synchronization by using Azure AD Connect
Domain prerequisites
The AD schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema and forest level requirements are met.
If you plan to use the password writeback feature, then the domain controllers must be on Windows Server 2008 (with the latest SP) or later. If your DCs are on 2008 (pre-R2), then you must also apply hotfix KB2386717.
The domain controller used by Azure AD must be writable. It is not supported to use a RODC (read-only domain controller), and Azure AD Connect does not follow any write redirects.
It is not supported to use on-premises forests/domains using SLDs (Single Label Domains).
It is not supported to use on-premises forests/domains using "dotted" (name contains a period ".") NetBIOS names.
It is recommended to enable the Active Directory Recycle Bin.
Configuring synchronization
Set-ADSyncScheduler -CustomizedSyncCycleInterval d.HH:mm:ss
Permissions and accounts
Azure AD Global Administrator
Enterprise Administrator account for your on-premises AD DS if
Lesson 3 Managing identities with directory synchronization
User writeback
For synchronization of accounts from Azure AD to the on-premises AD to work, User writeback must be enabled
Password writeback
Users can change their passwords via the login page or user settings in Azure AD
# Enable password writeback on the AAD connector and grant the AD DS connector account
# the reset/change-password rights on the users container (run on the Azure AD Connect server)
$accountName = "Administrator"   # the AD DS connector account; the notes use the domain Administrator
$PasswordOU = "CN=Users,DC=adatum,DC=com"
Get-ADSyncConnector | fl Name, AADPasswordResetConfiguration
Get-ADSyncAADPasswordResetConfiguration -Connector "adatum.onmicrosoft.com - AAD"
Set-ADSyncAADPasswordResetConfiguration -Connector "adatum.onmicrosoft.com - AAD" -Enable $true
$cmd = "dsacls.exe '$PasswordOU' /I:S /G '`"$accountName`":CA;`"Reset Password`";user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$PasswordOU' /I:S /G '`"$accountName`":CA;`"Change Password`";user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$PasswordOU' /I:S /G '`"$accountName`":WP;lockoutTime;user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$PasswordOU' /I:S /G '`"$accountName`":WP;pwdLastSet;user'"
Invoke-Expression $cmd | Out-Null
Device writeback
Devices that are enrolled with Office 365 mobile device management (MDM) or Microsoft Intune can sign in to AD FS-controlled resources based on the user and the device they are on.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Initialize-ADSyncDeviceWriteback [-DomainName <name>] [-AdConnectorAccount <account>]
Prerequisites
Bulk activation
User accounts that you create in Azure AD through directory synchronization are not automatically activated for cloud services such as Office 365. Attribute isLicensed=True.
1. Connect-MsolService
Enter the online administrator's credentials:
adatum01@adatum12244.onmicrosoft.com
Pa55w.rd1
2. Get-MsolUser | Where-Object { -not $_.isLicensed }
3. Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses SKU
Group writeback
The group writeback feature also writes groups from Azure AD to on-premises AD DS
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Prerequisite
7. Quit
8. Quit
PowerShell (the cmdlet name was cut off in the notes; Move-ADDirectoryServerOperationMasterRole is the cmdlet that takes these parameters, and -Force seizes the roles instead of transferring them):
Move-ADDirectoryServerOperationMasterRole -Identity <target DC> -OperationMasterRole SchemaMaster,DomainNamingMaster -Force
command-line syntax you can use role numbers in place of the role names. The following list details the role number for each of the five FSMO roles.
PDC Emulator - 0
RID Master - 1
Infrastructure Master - 2
Schema Master - 3
Domain Naming Master - 4
Understanding restartable AD DS
Lesson 3: Active Directory backup and recovery options for AD DS and other identity and
access solutions
Backing up AD
AD Recycle Bin
System state backup
Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature
wbadmin start systemstatebackup -backuptarget:<backup location> -quiet
Full server backup
o wbadmin start backup -allcritical -backuptarget:<backup location> -quiet
Restoring AD
Non-authoritative restore:
1. Boot into Directory Services Restore Mode
2. Review the list of system state backups:
wbadmin get versions
3. Note the version identifier
4. Start the restore: wbadmin start systemstaterecovery -version:<version>
e.g. wbadmin start systemstaterecovery -version:12/03/2007-18:25
5. Restart
Authoritative restore
Takes place immediately after the non-authoritative restore, before the first restart
5. ntdsutil
6. activate instance ntds
7. authoritative restore
8. restore database or restore subtree ou=ouname,dc=dcname,dc=dcname
9. quit
10. quit
11. restart
Snapshots
Creating a snapshot
1. ntdsutil
2. ntdsutil: snapshot
3. snapshot: activate instance ntds
4. snapshot: create
5. snapshot: quit
6. ntdsutil: quit
Deleting outdated snapshots
1. ntdsutil
2. ntdsutil: snapshot
3. snapshot: list all
2007/12/03:23:18 {42c44414-c099-4f1e-8bd8-4453ef2534a4}
C: {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022}
D: {2bbd739f-905a-431b-9449-11fba01f9931}
4. snapshot: delete 1
Snapshot {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022} mounted as
C:\$SNAP_200712032318_VOLUMEC$\
Snapshot {2bbd739f-905a-431b-9449-11fba01f9931} mounted as
C:\$SNAP_200712032318_VOLUMED$\
5. snapshot: quit
6. ntdsutil: quit
Mounting a snapshot
1. ntdsutil
2. ntdsutil: snapshot
3. snapshot: list all
2007/12/03:23:18 {42c44414-c099-4f1e-8bd8-4453ef2534a4}
C: {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022}
D: {2bbd739f-905a-431b-9449-11fba01f9931}
4. snapshot: mount 1
Snapshot {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022} mounted as
C:\$SNAP_200712032318_VOLUMEC$\
Snapshot {2bbd739f-905a-431b-9449-11fba01f9931} mounted as
C:\$SNAP_200712032318_VOLUMED$\
5. snapshot: quit
6. ntdsutil: quit
Starting an AD LDS instance that exposes the contents of the snapshot
dsamain runs from cmd, not from PowerShell
dsamain -dbpath c:\$snap_200712032318_volumed$\windows\ntds\ntds.dit -ldapport 10000
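What the mounted snapshot is useful for, as an added example that is not part of the course notes: with dsamain serving the snapshot on port 10000 as above, the script compares an OU between the snapshot and the live directory to find users that have since disappeared (candidates for an authoritative restore) and users whose group membership changed. The live DC name and the OU are assumptions.

```powershell
# Added example: diff an OU between a dsamain-mounted snapshot and the live directory.
Import-Module ActiveDirectory

$snapshotServer = "localhost:10000"        # the dsamain instance started above
$liveServer     = "LON-DC1"                # assumption: a writable DC
$ou             = "OU=IT,DC=adatum,DC=com" # assumption

function Get-UserSet {
    # Returns one record per user in $ou on the given server, with a canonical group list
    param([Parameter(Mandatory)][string]$Server)
    Get-ADUser -Server $Server -SearchBase $ou -Filter * -Properties memberOf, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Sam     = $_.SamAccountName
                Groups  = (@($_.memberOf) | Sort-Object) -join ";"
                Changed = $_.whenChanged
            }
        }
}

$then = Get-UserSet -Server $snapshotServer
$now  = Get-UserSet -Server $liveServer

# Users that existed at snapshot time but are gone from the live directory
$missing = Compare-Object -ReferenceObject $then -DifferenceObject $now -Property Sam |
    Where-Object SideIndicator -eq "<=" | Select-Object -ExpandProperty Sam
if ($missing) { "Deleted since snapshot (restore candidates): $($missing -join ', ')" }

# Users whose group membership differs from the snapshot (watch privileged groups in particular)
foreach ($u in $then) {
    $cur = $now | Where-Object Sam -eq $u.Sam
    if ($cur -and $cur.Groups -ne $u.Groups) {
        "$($u.Sam): membership changed (last modified $($cur.Changed))"
        "  then: $($u.Groups)"
        "  now:  $($cur.Groups)"
    }
}
```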