Running an R2-Based Active Directory


"Good troubleshooting, great management tips, and pointers on what I should be using now that I have R2 DCs, with some laughs and a few glimpses of Windows Server 8!"

a two-day course by Mark Minasi, author of Mastering Windows Server 2008 R2


Course Objectives

As Active Directory enters its "tweens," most AD admins and managers have moved from "how do I design and set this up?" to "now that I'm running a 10-year-old AD that someone else created and is now gone, how can I most easily and cheaply manage it, fix it, and streamline it?"  Active Directory consultant and expert Mark Minasi, author of the best-selling Mastering Windows Server book series, answers those questions every day for his clients... and now he can answer them for you.  Based on his consulting work and requests from attendees to previous courses, Mark shows you how to get the most out of your existing AD, as well as explaining how to exploit the new-to-R2 features that adding one or more R2 DCs will offer you.

This two-day course unfolds in four parts.  Part One aims to make your life easier by explaining effective AD-related troubleshooting tools and techniques.  Mark begins by explaining the down-and-dirty details of troubleshooting DNS (including AD-integrated DNS), which AD old-timers will know is the root of most AD problems, and dispels a pernicious myth about R2's DNS server and Extensions to DNS (EDNS).  Following that, you'll see how to kick nslookup to the curb, replacing it with the far more powerful (and free!) Domain Internet Groper tool, better known as "dig."  From there, you'll learn about using event logs, Netlogon logs and Kerberos logs to take logon troubleshooting to the next level, including step-by-step instructions on using Network Monitor to show exactly what's happening in a failed logon.  This "AD troubleshooting" first part ends with a quick examination of an ongoing security threat posed by NTLM logons, and how to find and eradicate them before someone uses them to penetrate your network.

Next, we'll move to Part Two, a multi-pronged discussion of virtualizing domain controllers.  We've been virtualizing various kinds of servers for years, but virtualizing DCs has always carried the faint whiff of "hey, go ahead and do that, but it's your funeral!" and so you'll learn how virtualizing affects clock synchronization, server imaging/duplicate SID issues, and replication.  Most important, though, you'll learn how to address each of those situations to ensure worry-free DC virtualization.

In Part Three, Mark leads you through an all-new, practical, example-filled guide to getting started using PowerShell to simplify a wide variety of admin tasks... even if you've never used PowerShell.  One recent attendee told Mark that he was able to clean up years of accumulated AD junk in an AD that he'd just inherited... and he got it done before the class was even over!  (We do recommend, however, that in general you'll want to be careful about actually modifying your production network while in class... but apparently it did work out well for at least one attendee.)  We're pretty sure that every attendee will walk away with at least one "hey, I could use that!" moment in the PowerShell section.

Part Four rounds out the class with a series of presentations highlighting three new AD-related technologies and their new R2 support:  service accounts, protection from DNS spoofing, and object undeletion.  Rather than simply presenting a laundry list of features, however, this section begins each topic with an informative, easy-to-follow bit of background, clearly explaining the problem before presenting R2's solution.  That way, you'll be superbly equipped to make the all-important "do I care, and if so, how much?" call on implementing these new technologies.

Each seat in these two-day sessions goes for $995, the same rate we've been charging since 1999.  We offer a discount for anyone registering three or more employees, and of course hiring Mark to deliver a class just for your organization for his flat fee can net more savings, as well as the chance to align the class more specifically to your organization's needs... but trust us, at any rate, just avoiding one DC virtualization error or saving three days' work by creating a PowerShell one-liner will make the class more than pay for itself.

Join Mark for a fun, fast-paced, lucid discourse on getting your AD work done better and faster!

Key Seminar Benefits

  • Get the latest AD design tips, for those who are re-designing their networks
  • Learn how "QAAA" -- Question, Answer, Authority and Additional -- is the key to cracking even the most frustrating DNS name resolution puzzles
  • Discover where to get and how to use "dig," a great free DNS troubleshooting tool
  • Understand why the all-too-common advice to "disable EDNS," a bit of non-wisdom found on many Internet blogs, is a horribly bad idea, and how to identify and solve the problems supposedly created by EDNS
  • See how managing and troubleshooting AD-integrated DNS zones differ from more traditional zones
  • See the easy way to use Network Monitor or WireShark's power to troubleshoot DNS and Kerberos problems... anyone can do it!
  • Find out how to enable and read Netlogon's debug log to help you smoke out logon problems
  • Know how Kerberos logon tickets work and, sometimes, how they can not work (and what to do about it)
  • Understand Kerberos "token bloat" and "ticket bloat," why they're going to become more and more common as time goes on, and how to monitor and remediate such problems
  • Grasp the nature of network security threats posed in modern-day ADs by LM and NTLM logons and the tools that will enable you to eradicate them
  • Understand the basic problems that virtualization poses for domain controllers
  • Choose the right approach to time synchronization in virtualized environments
  • Learn how to avoid the most common problems arising from imaging virtual servers in an AD
  • Master the AD replication concepts that can lead to a serious -- and hard to eradicate -- AD failure called "USN bubbles," as these bubbles are, well, fairly hard to pop
  • Configure R2's nifty new AD-related PowerShell cmdlets so that you can use them even if your "newest" DC only runs Server 2003 R2
  • Save time by getting the scoop on what does and doesn't make sense AD-wise with PowerShell
  • Learn PowerShell basics "in passing" as you see how to solve thorny AD admin tasks with simple PowerShell "one-liners"
  • Discover the PowerShell "one liners" that let you accomplish things like disabling anyone who hasn't logged on in 97 days, or that let you undelete accidentally deleted AD objects
  • Uncover the "filter" commands and the "hammer" commands that, when glued together, let you accomplish in an hour or so what would have taken days of VBScript/ADSI coding... and start building your own library of PowerShell power tools
  • Understand how Windows services -- whether built-in ones like the file server, or add-ons like the Exchange service account -- interact with Active Directory and in particular Kerberos, and what you need to know to simplify them and make them most reliable with R2's "managed service accounts"
  • Know how to prepare your AD to use R2's undelete function
  • Finally understand just what DNSSEC is, why you need it, and how R2 can help you use it to protect yourself from a growing set of "DNS spoofing" scams


Course Outline

  1. DNS Queries Explained

    When DNS doesn't work, neither does AD, and the "atomic" part of DNS is the query.  We'll start off by examining queries in greater-than-usual detail, so we can understand how to fix them when they break.

    1. DNS servers and recursion across the Internet and inside the firewall
    2. Transient ports and transaction IDs
    3. UDP, TCP, and the answer to "why are there only 13 root servers?"

  2. Cracking Open Queries

    Now we're ready to take DNS queries down to the "bare metal" with an old friend, Network Monitor.  (What's that you say, Netmon and you aren't old friends?  Fear not... Mark's defanged Netmon for thousands, and you too will be a Netmon lover by the time we're done.)

    1. Netmon acquisition and setup for minimum annoyance
    2. Tips on getting traces
    3. Filtering in Netmon
    4. Picking apart a DNS packet
    5. Understanding QAAA
    6. Knowing your baseline:  a successful query, step by step in Netmon
    7. Next step:  a method of tracking dynamic DNS updates
    8. A better DNS tool:  DIG

  3. Extensions to DNS (EDNS)

    By now, you'll know plenty about DNS queries, and you'll also know that while DNS is an amazingly robust system, it's based on a bunch of quarter-century-old assumptions that don't really reflect the reality of today's TCP/IP networks, and that those assumptions are cramping DNS performance.  Fortunately there's a workaround for all of that called Extensions to DNS (EDNS).  Even more fortunately, Microsoft DNS has supported EDNS since 2003, if you enable it.  R2 finally did enable it, and many people think that's a bad idea.  Mark disagrees, but it's your call -- and this section will equip you to make that call.

    1. EDNS goals:  more flags, bigger packets
    2. Solving the all-important backward compatibility issue
    3. Firewalls and EDNS:  busting the "EDNS breaks DNS" myth
    4. Configuring EDNS on Windows DNS servers

  4. Troubleshooting AD-Integrated DNS Zones

    As you probably know, most AD-serving DNS zones live not as primary or secondary zones but instead as "Active Directory-integrated" zones.  To the outside observer, they're indistinguishable from any other DNS zone on any kind of DNS server, but the servers that replicate those zones do it in an entirely different fashion, and secure them differently as well.  Most of the time, they "just work," but when they don't, you'll need to know a few new things, and you'll learn those things in this section.

    1. How AD-integrated zones work
    2. Choosing an application partition for your DNS zone
    3. DNS update security and how it can cause trouble
    4. Mixing AD-I, primary and secondary zones

  5. AD Design:  Brief Review and Update

    Most of us have already got our ADs up and working, but some of us are faced with the task of reworking existing AD designs or building new ADs.  What we know about how best to design (or re-design) AD has changed in the 12-plus years that AD's been around, as you'll learn in this brief section.

    1. Forests, domains, and OUs: AD building blocks
    2. Do domains matter any more?  Does the empty root still make sense?
    3. Handling mergers and acquisitions:  an overview of your options

  6. Getting to R2

    While much of this class will benefit folks running any variety of AD, we want you to easily get to a state where you can get the most out of your R2 investment.  The first step in accomplishing that is to get your first R2 DC installed.  In this short intro section, we'll review how to add that first R2 domain controller into your existing AD enterprise, list what that first R2 server gives you, and then we'll map out a path to eventually reach an all-R2 world, and what that will buy you.

    1. Updating the schema safely
    2. Requirements for R2 DCs
    3. Approaches to migration
    4. "FSMO moving day"

  7. Logon Troubleshooting I:  Event Logs and Netlogon

    If it isn't DNS, it's time to put on that caving helmet with the light on it and start exploring Windows' labyrinthine logon processes.  Our first two guides:  event logs and the Netlogon log.  Here's how to do it.

    1. What to audit on event logs
    2. "Logon" events versus "Account logon" events
    3. Reminder:  event logs can be consolidated
    4. Activating Netlogon logs
    5. A plan for deciphering Netlogon logs

  8. Logon Troubleshooting II:  Cracking Open Kerberos

    Once we've established the specifics of a logon failure (what didn't log on when, and some of the "why"), we may still need to look deeper, and Kerberos is about as deep as you can go.  In this section, you'll quickly review how Kerberos works, see how to use Network Monitor to track it, and understand common sources of Kerberos failures.

    1. Kerberos basics:  users, services, tickets, and the Key Distribution Service
    2. Kerberos clues with KLIST
    3. Strengthening Kerberos with Server 2008/R2 and Windows 7/Vista
    4. Kerberos tracking with Network Monitor
    5. Kerberos uses UDP or TCP... when do you care?
    6. Activating Kerberos logging and finding sources to decipher the logs
    7. Understanding token bloat and ticket bloat
    8. Tools to track bloat
    9. Strategies to avoid bloat
    10. Future glimpse in brief:  how Windows 8 battles bloat

  9. Securing your AD from NTLM/LM

    As if you didn't already have enough to do, we're afraid Mark's got to make you worry about something else:  NTLM logons.  Yup, NTLM's been around for a long time, and yup, it's always been one of those "one of these days we'll have to worry about this..." things, and unfortunately, it's one of those days.  In this section, you'll learn why you give a hoot about NTLM logons and, best of all, how R2's making your life a bit easier in tracking down and eradicating those logons.

    1. The NTLM and LM threat:  why now?
    2. How NTLM creeps into Kerberos-centric ADs
    3. NTLM restriction policies
    4. A sample test that'll produce NTLM every time... via a bug in the NET command

  10. Virtualized DCs and Time

    In this section, we start the second part of the class, where we'll explain how to safely run your DCs as virtual machines.  The first trouble spot is time synchronization.

    1. Time sync drift review in Windows
    2. How VMs cause troubles for time
    3. An alternative time sync strategy
    4. Implementing the strategy most easily

  11. Virtualized DCs and Imaging

    The ease of system rollout with an imaging tool like Ghost or ImageX revolutionized desktop OS deployment back in 1995.  Since then, the simplicity of imaging virtual server images has led to many organizations rolling out legions of member servers, and some of those servers bear security IDs (SIDs) that are identical to their cybernetic brethren's and sistren's.  Is running a bunch of servers with the same SIDs a bad thing?  Well, asking that question in a room full of server admins can actually generate more heat than the "which is better, PC or Mac" question, but there is a right answer to the question.  As you'll find out in this section, duplicate SIDs can lead to a bunch of serious problems... and you'll find out how to handle those problems in this section.   (By the way, Mark asked us to assure our readers that "sistren" is indeed an English word, albeit one not used in quite a while, and here a while means a Canterbury Tales' timeframe.)

    1. Review: SIDs, systems  and security
    2. Some things you may not know about SIDs
    3. Where duplicate SIDs get domains in trouble
    4. The case for Sysprep

  12. Looking After Replication in a Virtual Environment

    AD replication is really quite robust -- Mark's only seen a few serious replication failures in the past decade or so -- but the rise of virtualized DCs, in combination with snapshots, has changed that story.  AD's replication structure is well thought-out, with a lot of internal consistency checking and an impressive ability to detect and heal replication problems.  It has one flaw, however:  the AD folks at Microsoft designed AD with the assumption that time always goes forward.  With virtual machines, though, that's not a good assumption, as restoring a snapshot does what only H.G. Wells and Doctor Who had done previously -- running time backward.  In this section, you'll learn exactly what happens when the clock runs backwards for AD, and how you can step into Jean-Claude Van Damme's role as Time Cop and avoid polluting your AD's time stream.

    1. AD replication review:  USNs, high-watermarks, up-to-dateness vector tables, and all that other stuff that you used to know but have forgotten because AD replication works so well that you never had to worry about it
    2. How restoring snapshots creates "USN bubbles" and why they are so very bad
    3. Database identifiers: how the Invocation ID makes life easier for us time cops
    4. Safe time travel with a couple of Registry entries
    5. A very brief trip into the future for a glimpse of how Windows 8 Server makes AD time travel safer

  13. AD's New PowerShell Tools:  A Brief Intro

    For many of us, PowerShell's been a great-sounding idea that we've skipped so far because, well, it surely sounds nice but it's not clear how it'll make our AD administrative tasks all that much easier, right?  Well, not really right any more, as Microsoft has released 76 PowerShell tools ("cmdlets," in PowerShell-speak) that not only turn tasks that once took days into ones you can accomplish in an hour or two, but also don't require you to upgrade to R2 to use them.  In this section, we'll quickly cover the barest of PowerShell basics so we're ready to meet some real power tools.

    1. Getting PowerShell for your AD
    2. The sort of stuff that PowerShell's good at, versus what it's not so good at
    3. PowerShell power tools:  a taste of why PowerShell will win you over
    4. The PowerShell AD automation approach:  the "filter" and the "hammer"

  14. Collecting the Users:  Understanding PowerShell's AD Filters

    Some AD tasks are one-off, single-user jobs that take a moment and so really may not justify automation in every admin's mind.  Other tasks, though, and in particular those involving ADs that have had a few generations of administrators, look like "find all of the users with such-and-such problem or characteristic and do such-and-such to those users."  Solving such tasks manually can be time-consuming and mind-numbing, which is why we'll want to know how to attack them with PowerShell.  (Another reason why we'll want to know that is because if we don't attack them with PowerShell and enjoy the speed and efficiency that automation offers, then, well, we soon might not have a job that involves AD administration, if you know what we mean.)  In this section, you'll learn about four PowerShell cmdlets that make finding users under a given set of criteria a snap.  In the process, you'll also learn the basic "tricks of the trade" that all PowerShell users need to know.

    1. Using get-aduser to collect users by attributes and location in the forest
    2. Zeroing in on account problems:  search-adaccount lets you find inactive, disabled, locked-out and similar accounts
    3. Get-adobject:  a more complex, but wider-spectrum search tool
    4. Get-adgroupmember:  grabbing users by their group memberships

  15. Dropping the Hammer:  Now That You've Got 'Em...

    Once you've winnowed out just the users that you want, what do you want to do to them?  Change their manager?  Delete them?  Unlock their accounts?  Force them to set a new password when next they log on?  There's an app -- or, rather, a cmdlet -- for all of those, and many more, as you'll learn in this section.

    1. Changing attributes with set-aduser
    2. Changing passwords
    3. Account changes:  unlocking, enabling, disabling and more
    4. Moving and deleting accounts
    5. Changing group memberships

  16. More Complex PowerShell Applications

    In our last "pure" PowerShell section, we'll extend our knowledge to show you how to make PowerShell's power tools way more powerful.

    1. More complex cleanup:  using for-each to cleanse your AD
    2. Building users en masse with import-csv
    3. Running remote PowerShell sessions
    4. Next steps:  where to go from here to explore PowerShell more thoroughly
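    As an added example of the "filter" then "hammer" pattern the PowerShell sections above describe (this is not course material or Mark's code), the script below finds enabled users in a hypothetical OU who haven't logged on in 97 days, reviews them, and disables them.  The OU name is made up, and it assumes the ActiveDirectory module is installed on the admin workstation.

```powershell
# Added example: the "filter" then "hammer" pattern for the one-liner the
# course mentions (disable anyone who hasn't logged on in 97 days).
# Assumptions (hypothetical): the OU below exists and the ActiveDirectory
# module (RSAT / Server 2008 R2) is installed on the admin workstation.
Import-Module ActiveDirectory

$SearchBase   = 'OU=Staff,DC=example,DC=com'   # hypothetical OU
$InactiveDays = 97
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# ---- Filter --------------------------------------------------------------
# LastLogonDate is the friendly form of lastLogonTimestamp, which replicates
# lazily: by default a DC rewrites it only when the stored value is more than
# 14 days old, so a user may have logged on up to ~14 days more recently than
# the attribute shows.  A 97-day window leaves plenty of room for that slack.
$Candidates = Get-ADUser -Filter 'Enabled -eq $true' `
                         -SearchBase $SearchBase `
                         -Properties LastLogonDate, whenCreated |
    Where-Object {
        # Never-logged-on accounts have no LastLogonDate at all; judge those
        # by creation date instead of silently skipping them.
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $last -lt $Cutoff
    }

# Look before swinging the hammer: review the list first.
$Candidates |
    Select-Object SamAccountName, LastLogonDate, whenCreated |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

# ---- Hammer --------------------------------------------------------------
# Stamp the reason into Description so the next admin knows why the account
# was disabled, then disable it.  -WhatIf previews the changes; remove it to
# actually commit them.
foreach ($u in $Candidates) {
    $note = "Disabled $(Get-Date -Format 'yyyy-MM-dd'): no logon in $InactiveDays days"
    Set-ADUser -Identity $u -Description $note -WhatIf
    Disable-ADAccount -Identity $u -WhatIf
}

# The shorter filter the course alludes to (search-adaccount), without the
# never-logged-on handling above:
# Search-ADAccount -AccountInactive -TimeSpan 97.00:00:00 -UsersOnly -SearchBase $SearchBase
```

    Run it with -WhatIf first against a test OU; accounts that belong to services or shared mailboxes show up as "inactive" too, so exclude them before committing.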

  17. Services and AD: Understanding SPNs and R2's new Managed Service Accounts (MSAs)

    Much of the publicity about R2's AD features heralds the AD recycle bin as being R2's most attractive new AD-related feature, but many folks we've spoken to are more excited about a new-to-R2 item called "Managed Service Accounts" or MSAs.  If you've ever set up a service or an IIS application pool to run under an account other than the local System account, then you might also find MSAs pretty interesting, as they're a new sort of account designed specifically to be used in one of those service/IIS app pool situations.

    1. Services in AD
      1. Services are not servers
      2. Services as Kerberos must see them:  understanding Service Principal Names (SPNs)
      3. SPN tasks and tools
      4. Security and service accounts
    2. MSA overview
      1. New type of AD account
      2. Serving services on member servers
      3. Automatic password updates
    3. MSA requirements
    4. Creating and using an MSA
      1. Creating the account
      2. Preparing the member server
      3. Attaching the account to the service/pool
    5. Managing MSAs
    6. Automatic SPN management

  18. 21st Century DNS:  DNSSEC Comes to Server

    Once considered to be the safe, secure bedrock of the Internet, DNS has come under attack in recent years, and that's highlighted the perceived need for some sort of way of establishing that the DNS data you're getting is indeed the data that you want.  That way seems to be DNSSEC, a set of technologies first outlined in RFCs in 2000 but that many folks still aren't using.  That may change, however, as the US government, the .org and other big top-level domains have already secured their root domains, and private roots like .com and .net will soon follow.  In order to play in this secure new world, Microsoft's DNS needs to support DNSSEC, and 2008 R2's DNS server finally does.

    1. Why DNSSEC?
      1. DNS insecurity
      2. Common attack approaches
      3. Cost of inactivity
    2. DNSSEC's approach to the problem
      1. Secured PKI-based transfer
      2. Four new resource records
        1. DNSKEY
        2. RRSIG
        3. NSEC (and its controversial cousin NSEC3)
        4. DS
    3. DNSSEC's "web of trust"
      1. How you can trust a DNSSEC public key
      2. The root problem:  the root's got a problem (for now)
      3. Workarounds: trust anchors and the interim Trust Anchor Repository (iTAR)
      4. Who's signed and who isn't
    4. Making DNSSEC work with Windows Server 2008 R2: what pieces you'll need
    5. Signing your zone with DNSCMD /offlinesign
    6. Trusting others:  managing trust anchors
      1. Getting trust anchors
      2. Installing them via CLI and GUI... and why you may not be able to use all trust anchors
      3. Letting others trust you
    7. Client support of DNSSEC:  the "name resolution policy table" (NRPT)

  19. "Oops" Protection in Active Directory:  the AD Recycle Bin

    Well, AD's been with us for about ten years now, and if we've learned nothing else, most of us have painfully discovered that un-deleting accidentally deleted AD objects is a pain.  Server 2008 introduced a sort of "70 percent solution" to the problem in the form of AD snapshots, a pretty neat idea that might have made AD undeletes easy... but that ultimately went nowhere.  Instead, Server 2008 R2 took the undelete bull by the horns and offers a complete solution in the form of the somewhat misnamed "AD recycle bin."  While it can undelete objects quite nicely, there are a few catches -- but in this section you'll learn how to make the AD recycle bin work for you.

    1. AD recycle bin overview
    2. What you'll need to make it work
    3. Undelete syntax and examples
    4. How long before it starts to smell?  A look at how quickly you've got to perform a desired recycle
    5. Recycle hitches and solutions

  20. Active Directory's New GUI:  the AD Administrative Center

    When AD arrived with Windows 2000, it introduced Active Directory Users and Computers (ADUC).  ADUC's nice, but it's a bit quirky in some ways, so Server 2008 R2 ships with a brand-new GUI admin tool for Active Directory, the "AD Administrative Center" (ADAC).  This section shows ADAC's abilities and gives it an under-the-hood look.

    1. Running ADAC
    2. ADAC capabilities
    3. ADAC requirements
    4. ADAC:  PowerShell scripts with a GUI front-end

Course Materials and Course Format

The class works from PowerPoint presentations.  Every attendee gets a printed copy of the PowerPoints.  To make it possible to run this course in just two days, it runs mainly in lecture/demo format.  You'll see an R2-based AD run through its paces in a series of interesting and explanatory demonstrations.

Arranging a Course At Your Location

We offer this class as a public seminar occasionally; you can view the current schedule.  But you needn't wait: Mark can come to your organization to teach it on-site.  On-site classes offer you the flexibility to lengthen or shorten the class, add hands-on labs, modify the course's focus and zero in on your group's specific needs.  For more info, please contact our office at (757) 426-1431 between noon and five PM Eastern time, or email to discuss scheduling and fees.