Published by Juniper Parks. Modified over 9 years ago.
Installing Domain Controllers
Dcpromo RIP. The wizard provides an XML file and a PowerShell command to automate adding the role, and it can be run remotely.
Create the IFM seed with NTDSUTIL. IFM seed generation no longer requires an offline defrag (it is on by default).
Adprep can still be run manually if required. Checks are performed at each stage of the wizard, and any issues are highlighted before the final validation.
DC virtualization
Any problems?
USN rollback diagram (reconstructed from the slide): two DCs, A (InvocationID = E) and B (InvocationID = M), shown over time.
Start: A has highestCommittedUSN = 1000 and HW vector M,3000; B has highestCommittedUSN = 3000 and HW vector E,1000.
Later: A has highestCommittedUSN = 4567 and HW vector M,5679; B has highestCommittedUSN = 5679 and HW vector E,4567.
Restore snapshot of B: B is back at highestCommittedUSN = 3000 with HW vector E,1000 and still InvocationID = M, while A remains at highestCommittedUSN = 4567 with HW vector M,5679. USN rollback…
What happens next? DC1 is A (InvocationID = E, highestCommittedUSN = 4567, HW vector M,5679); DC2 is B (InvocationID = M, restored to highestCommittedUSN = 3000, HW vector E,1000).
DC2 to DC1: "Send me your changes from 1000." DC1 checks the UTD vectors from DC2 and sends the changes. Replication OK.
Users are added on DC2, taking its highestCommittedUSN to 3050.
DC1 to DC2: "Send me your changes from 5679." DC2: "There aren't any!" It gets worse!
DC1 (A, InvocationID = E, highestCommittedUSN = 4567, HW vector M,5679) asks DC2 (B, InvocationID = M, highestCommittedUSN = 3050, HW vector E,1000): "Send me your changes from 5679." DC2: "There aren't any! It appears more up to date than me, that's not right!"
DC2 then: disables inbound and outbound replication; stops the Netlogon service; writes event log messages (replication log).
Watch this space
Cloning a DC: the PDC emulator must be Windows Server 2012 and the source DC must be a member of the Cloneable Domain Controllers group.
Check for incompatible components with Get-ADDCCloningExcludedApplicationList, then remove the incompatible components or declare them as safe.
Create the XML on the source DC. Deploy the XML to the source DC or to a mounted vhd/vhdx copy (this can be on removable media).
Create the new VM. On the cloned DC, if the ID has changed and DCCloneConfig.XML exists, cloning starts.
DCCloneConfig.XML (sample values shown on the slide: rootdc4, London, 192.168.137.202, 255.255.255.0, 192.168.137.1, 192.168.137.200).
Create it using New-ADDCCloneConfigFile or from the sample at ..\windows\system32\SampleDCCloneConfig.XML. DCCloneConfig.xml is placed in …\windows\NTDS; alternate locations are available.
New-ADDCCloneConfigFile -Static -IPv4Address "192.168.137.202" -IPv4DNSResolver "192.168.137.200" -IPv4SubnetMask "255.255.255.0" -CloneComputerName "AD-DC3" -IPv4DefaultGateway "192.168.137.1" -SiteName "London"
Kerberos enhancements
Protect backend services by setting the service account parameter PrincipalsAllowedToDelegateToAccount. Block cross-forest delegation by setting netdom trust /EnableTGTDelegation to "no".
User's Kerberos token and PAC.
Pre-Windows 8 and Server 2012: the user's group memberships are added to the PAC, and authorization is based on group membership.
Windows 8 and Server 2012 with compound ID: the PAC contains the user's groups and claims plus device groups and claims, and authorization can be based on group membership, user claims and device claims.
Files can be classified (tagged), and access and audit policies can be applied based on the file's classification. Access control and auditing are expression based; expressions can contain groups, users, and user and device claims. Access can be based on the compound ID, that is, user and device claims together.
Exhaustible resources
S-1-5-21-1539329446-2123584859-1544097757-5023: the subauthorities 1539329446-2123584859-1544097757 identify the domain, and 5023 is the RID.
http://microsoft.com/msdn
www.microsoft.com/learning
http://channel9.msdn.com/Events/TechEd
http://microsoft.com/technet