download.microsoft.com/documents/hk/technet... · Transfer back all the FSMO roles 8. Apply any...
Session Objectives and Takeaways
Active Directory Forest (Schema Master, Infrastructure Master)
Step 1:
run: ADPREP /ForestPrep
Step 2:
run: ADPREP /DomainPrep (each domain)
run: ADPREP /DomainPrep /GPPrep (each domain)
run: ADPREP /DomainPrep /RODCPREP (optional, depends on using RODC or not)
Step 3: Install Fresh or Upgrade WS 2008 R2 Domain Controller
3. Demote the original DC gracefully and disconnect it from the network
4. Fresh install Windows Server 2008 R2 on new hardware
5. Rename it to the original name and join it to the domain
6. Promote it to a Windows Server 2008 R2 DC
7. Transfer back all the FSMO roles
8. Apply any registry keys / DC hardening keys that were used before
9. Upgrade DCs one by one
10. Change domain and forest functional mode
Considerations
netsh
Printbrm.exe
CA backup and restore
New Domain Functional Level
New Forest Functional Level
DES Encryption For Kerberos
Encryption Criteria for Kerberos

| Role | O.S | Supported encryption level for Kerberos |
| --- | --- | --- |
| DC | Windows 2003 | RC4 and DES |
| Client | Windows XP | DES and RC4 |
| Resource Server | Non Windows Kerberos Server | DES |
DES Encryption is Disabled – So, what?

| Role | O.S | Supported encryption level for Kerberos |
| --- | --- | --- |
| DC | Windows 2003 | RC4 and DES |
| Client | Windows 7 | AES and RC4 |
| Resource Server | Non Windows Kerberos Server | DES |
Authoritative Restore of the Krbtgt
Invalid FSMO Role Holder
LDAP Query Policy Hard Limits
http://support.microsoft.com/kb/2009267
NT4 Crypto
Dynamic Port Range
Miscellaneous
Considerations before Upgrade
RODC Benefits
Branch office….
RODC Features
RODC Authentication and Client Operations
How it works: Password caching during first logon
[Diagram: Hub (Hub Writable DC) and Branch (Read Only DC)]
1. AS_Req sent to RODC (request for TGT)
2. RODC: Looks in DB: "I don't have the user's password"
3. Forwards Request to a writeable DC
4. Writeable DC authenticates request
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to User and Queues a replication request for the password
7. Hub DC checks Password Replication Policy to see if Password can be replicated
Note: At this point the user will have a hub signed TGT
RODC Limitations
RODC Considerations
Fine Grain Password Policy (FGPP)
Creating a Fine Grain Password Policy
FGPP – Implementation Considerations
FGPP – Defining Scope
FGPP – Best Practices
Active Directory Web Services
Listens on port 9389
Advertised via DC Locator
nltest /dsgetdc:domain /ws
[Architecture diagram; labels: SERVER, CLIENT, AD Core, LDAP, DS RPC-Based Protocols (… DSR SAM), S.DS.P / S.DS.AM / S.DS.AD, .NET, ADUC/ADSS/ADDT, MMC, WSH, ADSI, GUI, CLI]
[Architecture diagram; labels: SERVER, CLIENT, AD Core, LDAP, AD Web Services, WCF, DS RPC-Based Protocols (… DSR SAM), S.DS.P / S.DS.AM / S.DS.AD, .NET, AD PowerShell MUX, WPF, AD Admin Center, BPA, ADUC/ADSS/ADDT, MMC, WSH, ADSI, GUI, CLI]
Recycle Bin
[Diagram: object life cycle]
Windows Server 2008 (No Recycle bin feature): Live Object -> Delete -> Tombstone Object (Tombstone Lifetime 180 Days) -> Garbage Collection; Auth Restore returns to Live Object
Windows Server 2008 R2 with Recycle Bin enabled: Live Object -> Delete -> Deleted Object (Deleted Object Lifetime 180 Days) -> Recycled Object (Tombstone Lifetime 180 Days) -> Garbage Collection; Undelete returns to Live Object
Recovering Multiple Objects
Deleted Objects container:
A flat list of all objects in the Deleted state
DN is mangled, attributes preserved, lastKnownParent
Restore objects to live parent:
Deleted objects must be restored to a live parent
Perform restore in top-down order
lastKnownParent and lastKnownRDN properties useful in rebuilding hierarchy
RDN over 128 chars truncated
[Diagram label on deleted objects: \0ADEL:…]
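The top-down ordering above, as an added example that is not part of the original slides: it takes deleted-object records and works out which object to restore first and what DN each one gets back. The records, GUIDs and DC=example,DC=com are constructed, `lastKnownRDN` follows the slide's name (the directory attribute is msDS-LastKnownRDN), and it assumes a child's lastKnownParent holds the parent's mangled DN when the parent was deleted too.

```python
"""Plan a top-down restore of AD Recycle Bin objects from exported attributes."""

# In LDAP string form the mangled RDN is "<old name>\0ADEL:<objectGUID>":
# an escaped line feed (0x0A) followed by "DEL:" and the GUID.
DEL_MARK = r"\0ADEL:"
ROOT = "DC=example,DC=com"                       # constructed domain
BIN = "CN=Deleted Objects," + ROOT


def split_rdn(dn):
    """Split a DN at its first unescaped comma -> (rdn, parent_dn)."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":            # skip the escaped character
            i += 2
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def is_mangled(dn):
    """True if the DN's leading RDN carries the delete-mangling marker."""
    return DEL_MARK in split_rdn(dn)[0]


def escape_rdn_value(value):
    """Escape RFC 4514 special characters so the value can go into a DN."""
    out = "".join("\\" + c if c in '",+;<>\\' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def plan_restore(records):
    """Return ([(mangled_dn, target_dn), ...] parents first, [orphan_dn, ...])."""
    by_dn = {r["dn"]: r for r in records}
    resolved = {}                    # mangled DN -> (target DN, depth)

    def resolve(rec, path=frozenset()):
        dn = rec["dn"]
        if dn in resolved:
            return resolved[dn]
        if dn in path:               # defensive: broken data forming a loop
            return None
        parent, depth = rec["lastKnownParent"], 0
        if is_mangled(parent):       # parent is deleted too: resolve it first
            prec = by_dn.get(parent)
            up = resolve(prec, path | {dn}) if prec else None
            if up is None:
                return None          # no live parent can be rebuilt
            parent, depth = up[0], up[1] + 1
        # RDN type (CN/OU) from the mangled DN; the name from lastKnownRDN,
        # because the mangled RDN may have been truncated.
        rdn_type = split_rdn(dn)[0].split("=", 1)[0]
        name = escape_rdn_value(rec["lastKnownRDN"])
        resolved[dn] = (f"{rdn_type}={name},{parent}", depth)
        return resolved[dn]

    plan, orphans = [], []
    for rec in records:
        hit = resolve(rec)
        if hit is None:
            orphans.append(rec["dn"])
        else:
            plan.append((hit[1], rec["dn"], hit[0]))
    plan.sort(key=lambda item: item[0])          # shallowest (parents) first
    return [(src, dst) for _, src, dst in plan], orphans


# Constructed sample: an OU tree deleted as a whole, listed bottom-up,
# plus one object whose deleted parent is not in the set.
FIN = r"OU=Finance\0ADEL:11111111-1111-1111-1111-111111111111," + BIN
ADM = r"OU=Admins\0ADEL:22222222-2222-2222-2222-222222222222," + BIN
USR = r"CN=Smith\, Jo\0ADEL:33333333-3333-3333-3333-333333333333," + BIN
TMP = r"CN=Temp\0ADEL:44444444-4444-4444-4444-444444444444," + BIN
GONE = r"OU=Old\0ADEL:99999999-9999-9999-9999-999999999999," + BIN
SAMPLE = [
    {"dn": USR, "lastKnownParent": ADM, "lastKnownRDN": "Smith, Jo"},
    {"dn": TMP, "lastKnownParent": GONE, "lastKnownRDN": "Temp"},
    {"dn": ADM, "lastKnownParent": FIN, "lastKnownRDN": "Admins"},
    {"dn": FIN, "lastKnownParent": ROOT, "lastKnownRDN": "Finance"},
]

if __name__ == "__main__":
    order, orphans = plan_restore(SAMPLE)
    for src, dst in order:
        print("restore", src, "->", dst)
    for dn in orphans:
        print("needs an explicit live target:", dn)
```

Objects reported as orphans have no live parent to return to, so they need an explicitly chosen live container before they can be restored.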
Recycle Bin Considerations
Key new features overview