Category: Active Directory

Administrator Lock-out?

As many of you may have seen, the Administrator account has some special privileges. It can log on to a workstation/server when no Global Catalog is available, and it can always log on. Well, it seems that "always" is not entirely true. Just like a regular account, the Administrator account gets locked out when the number of failed password attempts reaches the limit as […]


Windows 2008 SystemStateBackup

With the release of Windows 2008, the backup mechanism of Windows has also changed. No more NTBackup, but Windows Backup, available to your 2008 system as a feature. Part of that feature is the system state backup, you know, the one that is utterly important for restoring Domain Controllers. Now, the GUI will not let you perform a system state backup on its own (only full backups including everything), and backups can be stored on a network share. But let's say we want a system state backup only?!


Did you install Exchange?

Lots of us install Exchange (whatever version) in our infrastructure.. but do you know what Exchange does to your Active Directory? Make a statement, order the shirt 😉


Default Logon Domain

When you use Windows 7, Windows 2008 R2 or Vista / Windows 2008 you almost always have to type the domain name during logon, e.g. type your username as ROOTDOMAIN\User… Annoying? Yes. Go to the following group policy to specify the default logon domain: Computer\Administrative Templates\System\Logon\Assign a default domain for logon, and set your default logon […]


Windows 2008R2 features part IV: Managed Service Accounts & Password Resets

So we have deployed the Managed Service Accounts, and now we want a password policy set on them. Usually the service accounts have a different password policy, so most of you will probably use PSOs (Password Settings Objects). In my demo I've set a new policy stating that the maximum age of a password is only 10 minutes (msDS-MaximumPasswordAge: 0:00:10:00). I've set the PSO's msDS-PSOAppliesTo attribute to the Active Directory group "Service Accounts", so that all managed service accounts that are members of this group MUST change their password every 10 minutes. As a sanity check, I've also created a simple user account and added it to the group as well. Now we only needed to wait 10 minutes. When logging in as the user onto the SQL box, I indeed got the message that I needed to change my password. My demo user's pwdLastSet attribute indeed jumped from 2/4/2009 4:58:20 PM W. Europe Standard Time to 2/4/2009 5:28:05 PM W. Europe Standard Time.


Windows 2008R2 features part III: Managed Service Accounts

Password policies can help administrators secure their environment: making users change their passwords on a regular basis makes it harder for hackers to get into a system by guessing a password. There is one group of accounts, though, that usually does not have the password policy applied: they almost never change their password, and when they do, it is a load of work for the admin, there is service downtime involved, and after the password has been changed it will not be changed again for a long time. Yes, I'm talking about Service Accounts, the accounts administrators usually apply the "Password Never Expires" option to. These accounts usually have more rights to systems, perhaps even local Administrator access to machines (like SQL or mail servers) or, even worse (don't tell me you have these in place), Domain Admin rights. Changing passwords for these accounts is crucial to the security of your environment. To make life easier, Windows 2008 R2 introduces Managed Service Accounts; with these, you can easily change the password of an account, and the client computers where these service accounts are in use will update the password in the service configuration.


Windows 2008 Features (DFSRMIG)


The introduction of Windows 2008 brought us the famous Read-Only Domain Controller, the domain controller without passwords (unless explicitly approved) and with one-way replication. That one-way replication also applies to the SYSVOL share. SYSVOL is replicated by either FRS or DFSR, depending on the initial setup of the domain. If you have upgraded your domain from Windows 2000 or Windows 2003 to Windows 2008, SYSVOL is still using FRS to replicate. When you have initially deployed Windows 2008 and set the forest functional level to the Windows 2008 level, DFSR is used. Usually the replication of SYSVOL is two-way: you can change the contents on each domain controller and those changes are replicated to all domain controllers.


Windows 2008R2 features part II: Recycle Bin

Windows 2008 R2 Active Directory introduces the Recycle Bin option. If you deployed Windows 2008 R2 or upgraded your domain to the Windows 2008 R2 schema and you think the Recycle Bin is active, you are wrong. You have to explicitly enable the Recycle Bin feature.

So raise your forest functional level and run the following command in a PowerShell console:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=rootdomain,DC=local' -Scope ForestOrConfigurationSet -Target 'rootdomain.local'


Windows 2008R2 features part I: Offline domain join

Since Windows NT4, clients that wanted to join a domain always needed a direct connection to the domain, either via VPN, dial-in or a direct network connection. New in Windows 2008R2 is the option for an offline domain join. How does this work? Read on!

A new program is introduced called djoin.exe. We can use it to join a computer that is not directly connected to the domain. What does it do? It creates a text file that a Windows 7 or Windows 2008R2 client can use to join the domain.


Delegate the right to start/stop replication

Let's say you want to isolate a domain controller for a certain time; you would issue the command:

repadmin /options +DISABLE_INBOUND_REPL and/or +DISABLE_OUTBOUND_REPL

Normally this command requires Domain Admin/Enterprise Admin privileges.
Why and how to change that below.. first the usual warnings:
Playing with ADSIEDIT could damage your domain, please test everything in a lab environment first, blabla.
