
Pre-Requirements

OSI Layers
1-Physical
Signaling
Clock Synchronization
2-Data link
Arbitration -> CSMA/CD & CSMA/CA
Physical Addressing ---> Next Hop
MAC Address -> 48 bits/Hex
OUI + Interface (2*24 bits)
Error Checking
Encapsulation/Decapsulation
Half Duplex/Full Duplex
HUB & Switch
Switching -> Transparent
Plug & Play
Mac Table -> Listening & Learning -> ARP
Collision Domain
3-Network
Logical Addressing
IP: 32 bits -> Net ID + Host ID
Subnetmask
Routing
Host Routing: Same Broadcast Domain
Router Routing: Different Broadcast Domain
Ping:
Transmit Failed. General Failure
Destination Host Unreachable
Request Timeout
TTL Expired
Reply
Tracert
Broadcast Domain

4-Transport
5-Session
6-Presentation
7-Application

****** MCSE ******

Introduction
220 hrs -> 50% AD + 20% Network Infrastructure + 30% Application
Network Infrastructure: DHCP / DNS / RRAS (Direct Access)
Application: File SRV (DFS or Fail-Over Cluster)
SPOF? HA? Redundant? FT?
Group or Cluster?
Heartbeat
vip
MCSE 2008 & 2008 R2 -> 2012 -> 2016 & 2019 -> 2022

****** ADDS ******

Workgroup or Domain model?


Windows Installation
Boot Image?
Install Image?
OOBE
Role & feature?!
ADDS?
Directory? Partitions?
Structure? Domain? Object? OU? Tree? Forest? Site?
Install ADDS
Dc Promotion / Replication / DC Demotion / Metadata Clean-up / FSMO (Master Role) /
Trust
Join Computer / Disjoin
Management Tools
User Accounts
Group Policy / RSOP / Group Policy Filtering / Delegation
Groups
Certificate
Hyper-V

****** Infrastructure ******

DNS:
Zone-> Forward Lookup & Reverse Lookup
Forwarding -> Conditional Forwarders & Unconditional Forwarding
Secondary Zone?
Zone Transfer?
Root Hints?
Delegation?

DHCP:
DORA? Scope? DHCP Options? DHCP Failover?
DHCP Relay Agent?

IPAM
Windows Firewall

RRAS:
NAT & PAT?
ICS?
VPN SRV
Tunneling Protocols
Remote Authentication
Radius SRV (NPS)
VPN Site 2 Site -> Trust & DHCP Relay Agent

****** Application ******

File Server
Disk/ Partition Table/ MBR & GPT/
File System?
Block Level & File Level
Raid & Raid Types
Storage Types
iSCSI
Shared Storage
NTFS Permissions
Quota
FSRM -> Data-Deduplication
DFS
Failover Cluster for File Server

Web SRV -> IIS


WDS
WSUS
Monitoring -> Event Forwarding
Backup
Backup & Restore Active Directory
CA
Hyper-V

****** Selective ******

IPv6
CA Failover
IPAM
Offline Root CA
Direct Access
DAC

******************************************

Networks (Management): Workgroup & Domain Model

Each computer has 3 Unique Address: Computer Name & MAC Address & IP Address

Workgroup (Peer to Peer)


10 Clients?! 20 Clients?! -> No Limit

Logon:
Anonymous or Authenticated Logon

1-Authentication (Protocol & Method):


Authentication Protocol: NTLM
Authentication Method: User Account / Fingerprint / Face detect / ID card / .....
Username\Password -> Clear Text(Plain) & Cipher Text
Encryption -> Algorithm (ECC/RSA/...) + Key
Symmetric & Asymmetric Encryption (Pair Key -> Public & Private)
key length , Life time

Example: 4 Clients & Server


User Account -> Attributes -> username / password / SID (security ID)
Whoami /user
Local SAM (LSD) -> Local User Account -> This Machine
The database on the machine to check for the authentication pass or failure

--> LUSRMGR.MSC <-- Local user manager


--> SYSDM.CPL <-- System properties

Interactively (behind the machine) ≠ Remotely (far from machine)


Locally (using database on the machine itself) ≠ in Domain (using database on DC)
This machine

2-Authorization:
Right : to the system itself
Permission: Allow or Deny (Level) : to the resources of the system
Access : physical access to system

3-Accounting

AAA Server
Domain Model (Server Based is wrong name) ->
centralized database of objects in MS ecosystem : Directory (GSD/DSD) -> To Domain
-> Domain User Account
Join to Domain

Authentication Protocol: Kerberos 5.0 (Port:88)

SSO (Single Sign-on) :


Ticket (Token): DC writes these on Ticket : SID for Users & Security Groups
Life-Time:by default 10 hrs -> Renew

Local User Account -> CLI or GUI -> LSD -> This Machine
for /l %v in (1,1,3) do net user u%v Aa12345 /add
for /l %v in (1,1,3) do net user u%v /delete

****** Introduction for Active Directory ******

Win NT: PDC + BDC


Updates (Accounts,Groups) -> GSD/DSD -> Flat (25MB) -> Not Modular

Win 2000: DC -> Active Directory Directory Services


Updates -> Directory (Partitioning)

Design & Feasibility


1.Bare Metal
2.Server side OS -> Microsoft -> Windows server version -> Edition :
Datacenter/standard -> with GUI or CLI (core mode) -> OoBE
-> Linux
3.Service

Core mode VS GUI


Core mode: Better security due to fewer components and services.
Less failure due to fewer components and services.
Consumes fewer resources because there is no GUI.
Reduced maintenance since there are fewer patches and updates.

Limited compatibility: it does not support all the server roles and features that GUI mode does.
Some applications and drivers may not work properly.
Requires more skills and experience to manage.

1- Web SRV
Server side: IIS / Client Side: any web browser
Protocol: HTTP/HTTPS - Port:80/443

2- Mail SRV
Server Side: Exchange / Client Side: Outlook
Protocol: Pop3/Imap4/SMTP - Port:110/143/25

3- AAA SRV (DC)


Server Side: ADDS / Client Side: dsa.msc (Management Tool)
Protocol: DAP/LDAP/LDAPS - Port:389/636

What is Directory?
Database -> Domain user Accounts -> Not Flat -> Hierarchical structure

2000 & 2003 -> Active Directory Directory Services


2008 -> Active Directory Directory Services -> Directory Services (Microsoft)
Active Directory Domain Services: ADDS
Active Directory Certificate Services: ADCS
Active Directory Lightweight Directory Services: ADLDS
Active Directory Rights Management Services: ADRMS
Active Directory Federation Services: ADFS

****** ADDS Fundamentals ******

Database: DataFile
NTDS.dit - Datafile -> Directory

ADDS:Active Directory Domain Services


1- DOMAIN -> DC-> Directory -> NTDS.dit -> Partitions
Partition Types? How Many? What's for?

2- Centralized Management
3- AD integrated applications

Structure vs Object

ADDS Objects:
User Accounts
Computer Accounts
Groups ...

ADDS Structures:
1)Logical: Domain, OU(Container), Tree(Namespace), Forest(Trust)

A)OU:
Domain Data Partition?
What is OU?
Advantages:
1- Hierarchical Structure (for Directory)
2- Hierarchical Structure (for Management)
3- Define & Assign Policy
4- Hide Objects

OU vs Group?!
Parameters to make OU: Physical Locations -> No
Same Policies -> No

B)Domain:
Logical -> Users & Computers -> Same Policies

C)Forest:
Example: A network with multiple Domains

Trust
One-Way
- Direction-> incoming & outgoing
Two-way

Transitive or Non-Transitive

Manual or Automatic

... -> OU -> OU -> OU -> Domain -> Forest -> Active Directory
| |
D C -> Directory -> NTDS.dit -> Domain Data Partition

How to Convert a Workgroup network to Domain Model?!


Forest Root Domain
Forest Name = Forest root domain name

Directory is for Forest


New Directory for New Forest -> DDP for Each Domain
Configuration Information Partition -> Information About Forest

Computer Name: Netbios Name -> Flat (one segment) -> 15 Char -> without dot -> Capital letters
FQDN or Full Computer Name or DNS Name -> dot -> Hostname + Suffix
Name (Network name)

D)Tree
Namespace -> Tree: Graph (connected and loop-free) -> Root Domain & Child Domain

***** Windows Installation *****

Windows Installation (Full mode or Core mode)


Windows Mode:
Core
With Desktop Experience

Windows Edition:
Standard
Data Center

Windows Installation: Boot Image & Install Image (Thin & Thick)
Sources: Boot.wim & Install.wim
Boot Image: RAM -> Ramdisk X: -> WinPE
Installation -> OOBE -> Sysprep -> Image (Dism) -> Mini Setup

****** Image ******

Sources -> install.wim & Boot.wim


get-imageinfo
mount image
unmount image

****** OOBE ******

#Name
hostname
sysdm.cpl
*CLI: netdom renamecomputer %computername% /newname:srv /usero:administrator /passwordo:P@ssw0rd /force /reboot:10
Echo %computername%

shutdown /r /t 0

#Network Settings
ipconfig /all
ncpa.cpl
cli: netsh interface show interface
*netsh interface set interface name="Local Area Connection 2" newname=ETH
*netsh interface ipv4 show interface
*netsh interface ipv4 set address ETH static 192.168.10.1 255.255.255.0

#Firewall
firewall.cpl
cli: netsh advfirewall show allprofiles
*netsh advfirewall set allprofiles state off

#RDP
mstsc
netstat -na | findstr "3389"
regedit -> Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server: fDenyTSConnections
How to change port Num?
*reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0 /f

#Date & Time


timedate.cpl
cli: time
date
timezone
cli: tzutil /l > c:\test.txt
tzutil /s "iran standard time"

#Disable USB Storages


reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t reg_dword /d 4 /f

#Change Password
Net User

slmgr /skms kms.digiboy.ir


slmgr /ato

Pause

Server Manager Console

Sconfig

Run as Administrator
CTRL+SHIFT+Enter
runas /profile /user:jafarinejad\administrator cmd

***** Roles & Features *****

Windows Components -> Roles & Features -> Active directory domain services -> DC
Promotion
Server Side Applications:
Role? Feature?!
Pre-Requirements?!
OS Source?!
Add or Remove?!
Restart?!

Powershell -> cmdlet {command (8.3)/ cmd}


CMDLet: verb-Noun
Install-windowsfeature -name dhcp,rsat-dhcp
How to Export feature installation?
PS Install-windowsFeature -configurationFilePath -> Unattended Installation

CLI:
Dism /online /Enable-Feature /featurename:DHCP

****** Install a New forest ******

Active Directory Pre-Installation


1- OS -> Server-side -> Win2k19
2- Network Connections -> Static IP Address
3- At least one Partition with NTFS file System -> Convert
4- windows source?
5- Role & Features
6- SRV must be DNS Client

****** SPOF ******

What is SPOF?
Problem: SPOF -> Redundancy & FT -> HA -> SLA -> Performance -> Load Balance & Quick Access
How to reach above requirements?
By DNS -> Round Robin
Problem: Data + Config Synchronization
Service: Stateful or Stateless
Cluster -> Heartbeat
Stateful (Failover) or Stateless (NLB)

Domain Controller
Minimum Requirement -> 1 DC
Minimum Recommended -> 2 DC

Public Solution: DNS

****** DC Replication ******

DC Replication description:
Push or Pull or Push & Pull
Push: By change (Change rate) or Time Interval
=> in AD: Pull Replication by
Notification (15S)
Pull: By Notification or Time Interval

Replication Topology
Double Ring -> Connection Object -> KCC (15mnts) --force--> repadmin /kcc
Admin Can change replication Topology

Changes are detected in Attributes


Compressed? No
Encrypted? No
Which Protocol? Which Port? -> (RPC:135)

****** Site ******

Problem: WAN links (Bad Links) -> Low Performance for Logon
Create a new site
Site (Physical Structure): includes one or more DCs connected by a good link -> Quick Access
Wan Link <-> Router => Subnet (netid) -> CIP
Default-First-Site-Name

Intra-site Replication or Inter-site Replication


Inter-site Replication:
Pull / By Time Interval / 15 mins to 7 Days (180 mins Default) / Manageable
(Compression & Encryption)

if Physical Security in Site is low -> RODC (read only DC)

****** Schema ******

which data & which Information?!

Schema: Pattern to Data Entry (Object class & Attributes) -> Schema Partition

GUI,WebUI,CLI -> Management Tools

Extend schema -> one-way : you can not go back once you extend

AD Integrated Applications
Application Directory Partition (Optional)

****** DC PROMOTION ******

ADDS Role installation -> DC Promotion

Global Catalog (GC Server)


Example: A forest with 2 Domains
Which Partitions?
Domain Wide & Forest Wide Partitions
What is problem? -> No DC With all objects of Forest
1- Search entire of forest
2- Ua from A.com member of Gb from B.com

Ticket: User Sid & group Sid

GC: All Objects with specific Attributes

Permission: Allow & Deny

Domain Functional Level & Forest Functional Level

Example:
Delete an User Account
SID -> Read-Only -> Unique in Local SAM
Domain User Accounts -> SID + GUID (Forest)

AD Recycle Bin:
Delete Object: Tombstone (Win2008 R2,180 Days) -> Default Disable
Services?!
Safe Mode -> Safe Mode with Networking -> Backup application
DSRM -> MSConfig

Servers:
1- Stand Alone Server
2- Member Server
3- DC

Log Types: Event Logs vs Transaction Logs (Auto Recovery + Performance)


Closed Transaction log files & Current Transaction log files -> Removed by Full (Normal) Backup

SYSVOL:
Policy -> Notify

Netlogon:
Scripts

ADDS Tools:
dsa.msc -> DDP
domain.msc -> Trust
dssite.msc -> Sites
Adsiedit.msc -> link to all partitions
dsac
gpmc.msc
active directory schema snap-in (regsvr32 -> schmmgmt.dll)

ntdsutil
Partition Management: Connections
Server connections: connect to server dc.mcse.com
Server connections: q
Partition Management: List

ldp.exe
dcdiag
esentutl
3rd party applications -> (Manageengine,ADREPLSTATUS)

c:\windows\debug

****** Additional DC ******

Attended or Unattended Installation


Answer file
Powershell

Replication Check
dssite.msc
repadmin /kcc
repadmin /syncall
repadmin /replsum

DC Demotion

**** Join To Domain ****

Join to Domain: Online or Offline (Win7 & 2008R2)


offline Join -> djoin

Online:
1- Physical & Logical Connection in Network
2- DC+DNS Available
3- Logon Locally (This Machine) -> Local User Account -> Local Administrators (Built-In)
4- Domain -> FQDN
5- DNS Client
6- Domain User Account -> Standard User Account
who want the user account?
what's for?
which user account is enough?

How to Logon to a joined PC? This Machine Or This Domain


Computer Netbios Name\username -> This Machine -> .\username
Domain Netbios Name \username -> to Domain

Computer Account

Disjoin -> Tshoot -> Trust Relationship


Re-Join

Delete Computer Account


Reset Computer Account

NETDOM JOIN -> CLI


Add-Computer -> Powershell

****** Administration ******

Local or Remote

Remote Administration: Network Infrastructure + Right/Permission + Management Tools


Tools: Remote Desktop -> RDP 3389
Telnet -> 23
SSH -> 22
psexec
pssession
3rd party Application -> VNC or AnyDesk
WebUI
Management Console (MMC.exe) -> Snap-in
console tree
center pane
action pane

How to enable Management Tools?


1- Add or Remove Snap-in (Install Role or Features)
2- Server Side: AdminPAK -> RSAT + GPMC
3- Client Side: RSAT.msi + GPMC.msi

regsvr32 schmmgmt.dll

Author mode or User mode?

******* User Account ********

Object : User Account


Attribute: Username / Password / Fullname , etc

Local user account: This Machine / LSD (SAM) / NTLM / built-in (Administrator & Guest) / Right -> Administrators (lusrmgr.msc, compmgmt.msc)
Domain user account: To domain / Directory -> Domain Data partition / Kerberos 5.0 (TGT) / built-in / AD Permission / UPN or Down Level

User Account For Service?!


Log on DC by Standard user account?!

UAC Prompt -> Secure Desktop


Prompt for credentials: Elevation / Security
Prompt for Consent

User Account Properties

****** Group Policy ******

Group Policy: one or more policy


Local Group Policies:
Local group policy object
Right -> Administrators (view & edit / gpedit.msc)
Computer Configuration (Per Computer)
-> Process Priority
User Configuration (Per User)

We have some similar policies in user & computer configuration


Computer configuration > User Configuration

Examples:

1- Prohibit Control Panel Policy for All

Secpol.msc & RSOP

2- Prohibit Control Panel Policy for Non-Administrators


MMC: group policy object editor -> Non-Administrators

Local Group Policy -> link to Computer / Apply to Computer & User (no refresh or update needed, though one may be required for the change to take effect)

3- Password Policy

****** AD Group Policy ******

Group Policy Object


GPO1
GPO2
GPO3 ....
Permission -> gpmc.msc

Default Domain Policy -> Linked to Domain


Default Domain Controllers Policy -> Linked to Domain Controllers (OU)
Policies -> Link to (Site,Domain,OU) -> Apply to (Computers,Users)

How to work with gpmc.msc?

Password Policy
How to change password policy?!

Example:
1- Password Policy

SYSVOL
Refresh or Update
Computer Configuration -> Restart / After 90 + Random (0-30 mins) / for DC: 5 mins
User Configuration -> Logoff
gpupdate /force (/target)
gpresult /H
specops gpupdate -> Force Remote Update
Group policy update on OU (After 2012)

Sysvol or domain data partition?! Template -> Sysvol + Container -> DDP (System Container)
Unique ID for group policy object in sysvol
dcgpofix

Priority on Group Policies


1- In a GPO: computer configuration > user configuration
2- AD Group Policy Objects > local Group Policy Objects
3- In AD GPOs: OU > Domain > Site
4- GPO1 < GPO2 < GPO3 < ... < Local GP (Merge & Apply)
5- UP & Down in Priority
6- Example: Admin Domain or OU? (Block inheritance or Enforce)
Enable & Disable CP

Backup & Restore GPO

Migration table editor

Starter GPO (Pattern)

Group Policy Object Editor -> Policies & Preferences (Description)

Administrative Templates -> Search for policies (filter)


how to add policies? -> adm (Sysvol bloat & not modular) vs admx + adml
Policydefinitions from c:\windows to sysvol -> policies

****** Distinguished Name & DS Commands ******

DN: Object Address in Directory -> Standard & Standard Name (Example: URL, MAC address, UNC Path)
1- from part to whole (most specific component first)
2- object type before object name
3- CN -> User Account/Computer Account/Group/Container
OU
DC
Tools -> Adsiedit

dsadd
dsadd user cn=u1,ou=mcse,dc=mcse,dc=com -pwd -upn

make users in bulk mode with cmd:


for /l %v in (3,1,10) do dsadd user cn=u%v,ou=mcse,dc=mcse,dc=com -pwd 123 -upn u%v@mcse.com

dsrm
dsrm cn=u1,ou=mcse,dc=mcse,dc=com

dsmove
ou to ou , domain to domain -> ADMT
User account (Object) -> Sid , Guid , Sid history
sid filtering

Built-in Groups -> Windows or AD or Application


whoami /groups (security identifiers)

dsget: Object's Properties


dsget group DN -sid

Find Object
design per site -> wrong definitions Domain & DC -> All Users (OU)
Solution: dsquery (how to search?)
saved queries -> User profiles
cmd: dsquery user -name a* ou=mcse,dc=mcse,dc=com (|)

redircmp , redirusr
redircmp ou=...,dc=mcse,dc=com
net computer \\pc2 /add

****** User account restriction by policies ******

Logon Hours Expires: computer -> windows -> security -> local policies -> security options
Does Not apply to Administrator Account
Lockout policies: computer -> windows -> security Settings -> Account Policies
Does Not apply to Administrator Account
to prevent DDoS attack -> Logon To ...

****** Make network drive by policies ******

File Server -> Browse

Map a network drive -> user -> policies -> windows settings -> scripts
net use driveletter: \\unc path\sharedname
net use driveletter: /delete

Where copy scripts?


File SRV? Problems!
Scripts on sysvol?
scripts on GPO Folder

How to change lable of shared folder?!


preferences

Logon Script on User account -> profile tab (sysvol\scripts)

Example: Policy for ie -> preferences -> control panel -> internet settings

policy for network drive -> preferences -> control panel -> drive maps
Home folder -> %username%

******* User Profile ******

Data + Config (. or %userprofile%)


c:\users

1-Local User Profile -> c:\Users\username


Default -> Template
Public -> for all

Problems of local user profile: 1- Waste of drive space on C


2- Not Centralized
3- Backup

2-Temporary User Profile -> Guest


3-Roaming User Profile
profile path: \\sharedname\sharedfolder\%username%
Advantages & Disadvantages

4-Mandatory & Super Mandatory User profiles


Mandatory: Go to C:\users\default\ntuser and change NTuser.dat to NTuser.man (Read-only profile)
Super-Mandatory: folder name of the profile path ends in .man

Users can not store Data on WinDir -> Redirect or Move desktop
User Configuration -> Windows Settings -> Folder Redirection

Remote Desktop Services Tabs:


Remote desktop Services Profile
Remote Control
Session
Environment

****** Bulk mode User Account by script ******

CSV + Script
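An added example of the CSV + script approach (not code from the course notes). It assumes the ActiveDirectory (RSAT) module, the OU used in the dsadd examples earlier, and a CSV with the columns GivenName,Surname,SamAccountName,Password; the rows below are constructed sample input standing in for Import-Csv.

```powershell
# Added example, not part of the course notes: bulk-create domain users from a CSV.
# Assumes the ActiveDirectory (RSAT) module and that the target OU already exists.
Import-Module ActiveDirectory

$TargetOU  = 'OU=mcse,DC=mcse,DC=com'   # same OU as the dsadd examples
$UpnSuffix = 'mcse.com'

# Constructed sample rows; in practice use: $rows = Import-Csv -Path 'C:\users.csv'
$rows = @'
GivenName,Surname,SamAccountName,Password
Ali,Ahmadi,u3,Aa12345!Initial
Sara,Karimi,u4,Bb12345!Initial
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    # Idempotent: skip accounts that already exist instead of aborting half-way.
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
        Write-Warning "$($row.SamAccountName) already exists, skipping"
        continue
    }
    $params = @{
        Name                  = "$($row.GivenName) $($row.Surname)"
        GivenName             = $row.GivenName
        Surname               = $row.Surname
        SamAccountName        = $row.SamAccountName
        UserPrincipalName     = "$($row.SamAccountName)@$UpnSuffix"
        Path                  = $TargetOU
        AccountPassword       = (ConvertTo-SecureString $row.Password -AsPlainText -Force)
        ChangePasswordAtLogon = $true   # the CSV password is only a one-time initial secret
        Enabled               = $true
    }
    try {
        New-ADUser @params
        Write-Output "created $($row.SamAccountName)"
    } catch {
        Write-Error "failed on $($row.SamAccountName): $($_.Exception.Message)"
    }
}
```

The CSV holds initial passwords in clear text, so delete it once the run has been verified.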

****** Password Setting Object (After 2008) ******

Description of PSO (dsa.msc/adsiedit.msc/dsac)


Per User or Group

System -> Password Setting Container


msDS-PSOAppliesto

****** OU ******

Overview
What is OU?
Advantages:
1- Hierarchical Structure (for Directory)
2- Hierarchical Structure (for Management)
3- Define & Assign Policy
4- Hide Objects

OU vs Group?!
Parameters to make OU: Physical Locations -> No
Same Policies -> No

Object1 to Object2 (Resource) -> ACL & ACE


U1 --- (AD Permission) --- OU1

Delegation
by Security Options
by Wizard
Run as Different User
Allow logon local policy -> Default Domain Controllers Policy

Example: Protect ou by AD Permission


Example: Hidden objects by AD Permission
Example: Who can change the password of administrator?! (why)

****** Computer Account ******


Each domain user account -> can join 10 computers (how to change?!)
how to delegate join to domain permission to help desks?

Disjoin & Rejoin

Computer account: Reset or Delete

Machine account password age: (30 Days) Local Policies -> Security options

Logon Cache (10) -> gpedit -> Local Policies -> Security options

Rename

Pre-stage
which OU & joint by which User?

****** Trust ******

what is trust?

Conditions of trusts
1- One way or Two way
Incoming or Outgoing
2- Transitive or non-transitive
3- Automatic or Manual

Questions:
1- Which domains?
2- One-way or Two ways
3- Transitive or non-transitive
4- Auto or Manual

Type of Trusts:
1- Tree root Trust
2- Parent-child Trust
3- Shortcut Trust: Optional/Non-transitive/Manual
4- External Trust: Optional/Non-transitive/Manual
5- Forest Trust: Optional/Transitive/Manual
6- Realm trust: AD vs Non-AD (Kerberos ver 5.0)

Domain.msc
Type of Trust In Wizard?!

Trust Password (7 Days)

External Trust
domain-wide or Selective

Forest Trust
forest-wide or selective

****** Groups ******

What's for?!
1- Prevent Unnecessary repetition
2- Modular
3- Independence of Resource

Groups : User Account / Computer Account / Group


Group = Members + (Right & Permissions) -> create a group + join members + assign permissions
1- Fast & easy management (Security)
2- Fast & easy Announcement (Distribution)

Local Group (LSD):


Managed by Administrators (Right)
Tools: lusrmgr.msc / Compmgmt.msc

1) Built-in

System (Security Principals)


Members: Everyone / Authenticated users / Anonymous Logon
Ex) Shutdown/Restart, Time&Date, gpedit, Local User Accounts, AD User Accounts, Network Settings, Role & Features, Share folders
Ex) Administrators on DC
Local Administrator vs Domain Administrator (Domain Admins)
DC Admins vs Domain Admins
EX) logon by Domain user accounts on joint pc
EX) Delete domain admins & Administrators

Non-System -> Right & Permission


Administrators

2) Non-Builtin

AD Group:
Built-in: OS or Active directory
windows: Built-in Container
AD: Users

AD Groups= Members + Right & permissions + Type + Scope

Types of Groups:

A: Security -> (right & permission) + E-mail Address

B: Distribution -> Mail

Example: G1-> security & G2-> Distribution

Change Type
security <---> distributed

Question: when we use Distribution Group?


user Sid + Security group sid => overload on Dc & Ticket Bloat

Scope of Groups: (3 Domains in 2 Forests)

Global -> member from local domain / resource from each domain (Trust)

Domain Local -> member from each domain (trust) / resource from local domain

Universal -> member from local forest / resource from local forest

Group Naming:
Global Named by Members
DL Named by Permissions
change scope
G <---> DL
G <---> Uni
DL <---> Uni

Nested Group
G ---> DL
G ---> Uni
Uni ---> DL

Usecase of Groups:

G ---> User & Computer Account


DL ---> Group
Uni ---> Both

Note: Members of Universal Group Defined by GC Srv


what's the problem?

Group Strategy
AP
A L P -> Workgroup
A G P
A G L P -> Built-in
A G DL P
A G U DL P

A:I -> Identity


P:A -> Access

Shadow Group (PSO) by example


CMD: dsquery user DN | dsmod group DN -chmbr
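The shadow-group-plus-PSO procedure above, and the Password Setting Object section earlier, as one added PowerShell example (not code from the course notes). It assumes the ActiveDirectory module; the OU is the one used throughout, and the group and PSO names are illustrative.

```powershell
# Added example, not part of the course notes: keep a shadow group in sync with an OU
# and bind a fine-grained password policy (PSO) to that group.
Import-Module ActiveDirectory

$OU        = 'OU=mcse,DC=mcse,DC=com'
$GroupName = 'SG-PSO-mcse'        # assumed shadow group name
$PsoName   = 'PSO-mcse-Strict'    # assumed PSO name

# 1. Shadow group: create once, then reconcile its members with the users in the OU
#    (PSOs apply to users and global security groups, never to OUs, hence the group).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OU
}
$inOu  = Get-ADUser -Filter * -SearchBase $OU -SearchScope OneLevel
$inGrp = Get-ADGroupMember -Identity $GroupName | Where-Object objectClass -eq 'user'

$toAdd    = $inOu  | Where-Object { $_.DistinguishedName -notin $inGrp.DistinguishedName }
$toRemove = $inGrp | Where-Object { $_.DistinguishedName -notin $inOu.DistinguishedName }
if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

# 2. PSO stored under System -> Password Settings Container; lower Precedence wins
#    when a user falls under several PSOs.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
}

# 3. Link the PSO to the group: this writes the msDS-PSOAppliesTo attribute.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName
if ($subjects.Name -notcontains $GroupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# 4. Verify the resultant policy for one user in the OU (u1 is from the dsadd examples).
Get-ADUserResultantPasswordPolicy -Identity 'u1' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Run step 1 on a schedule: new users moved into the OU only inherit the PSO once they are in the shadow group.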

How can use user A.com as administrator in B.com?


Domain Admins : Global
Administrators : Domain Local
Enterprise Admins -> Forest Root Domain -> Configuration Partition -> forest Admin
Schema admins -> forest root domain -> Schema Partition -> schema admin
Restricted Groups Policy
Members
Member of

****** FSMO ******


Flexible Single Master Operations (FSMO)

Windows NT / PDC -> 1 / BDC -> 25


Hub & spoke (replication topology : Star)
Change Password / Replication / Join / Add & Remove object:PDC

2000 -> Multi Master Roles -> DC


Replication topology:Ring

Master Roles:
Multi Master By Single Role

Example: 2 Users in 2 Different sites make same user Accounts


2 Users in 2 Different sites make changes on Schema
Forest Wides:

Domain Naming
Add or Remove Domain to the Forest

Schema Master Role


Schema Extension
Forest Functional Level Raising

Domain Wides:

Relative Identifiers (RID)


DHCP or MAC ADDRESS

Infrastructure -> Multi Domain Environment


Example: Ua -> DLc

PDC Emulator (simulate vs emulate)


Backward Compatibility
Change Password
Change GPO
Date & Time
kerberos -> 5 mins
w32tm /query /source
NTP Srv (Time Srv) -> PTP Srv

Default location for master roles


Forest Wides -> first DC of first domain -> CIP
Domain Wides -> First Dc of Domain -> DDP

Graphical by snap-in:
regsvr32 schmmgmt.dll -> schema master role
domain.msc -> domain naming
dsa.msc -> domain wides

CMD:
Netdom query fsmo
dsquery server -hasfsmo schema

Powershell:
get-adforest

Note: Schema & Domain Naming master -> Same DC that is GC SRV
RID & PDC Emulator -> Same or separate DC (when overloaded)
Infrastructure -> DC that is not a GC srv, except in the cases below:
1- Every DC in a domain is GC
2- Domain in a multi-domain forest contains only one domain controller
3- There is only one domain in forest
Have a Failover Plan
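An added check (not code from the course notes) that lists the FSMO holders and tests the placement rules listed above. It assumes the ActiveDirectory (RSAT) module and a session running as a domain user who can query the forest.

```powershell
# Added example, not part of the course notes: enumerate FSMO role holders and warn
# when placement contradicts the rules in the notes (schema/domain naming on a GC,
# infrastructure master not on a GC unless every DC is a GC or the forest has one domain).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *        # DCs of the current domain only

$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster          # forest wide (CIP)
    'Domain Naming Master'  = $forest.DomainNamingMaster    # forest wide (CIP)
    'PDC Emulator'          = $domain.PDCEmulator           # domain wide (DDP)
    'RID Master'            = $domain.RIDMaster             # domain wide (DDP)
    'Infrastructure Master' = $domain.InfrastructureMaster  # domain wide (DDP)
}
foreach ($r in $roles.GetEnumerator()) { '{0,-22} {1}' -f $r.Key, $r.Value }

# Get-ADForest.GlobalCatalogs lists every GC in the forest, so this also works when
# the forest-wide roles live in a different domain than the one we are logged on to.
function Test-IsGlobalCatalog([string]$HostName) {
    return [bool]($forest.GlobalCatalogs -contains $HostName)
}

$everyDcIsGC  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
$singleDomain = ($forest.Domains.Count -eq 1)

if (-not (Test-IsGlobalCatalog $forest.SchemaMaster)) {
    Write-Warning 'Schema Master should be on a GC server'
}
if (-not (Test-IsGlobalCatalog $forest.DomainNamingMaster)) {
    Write-Warning 'Domain Naming Master should be on a GC server'
}
if ((Test-IsGlobalCatalog $domain.InfrastructureMaster) -and -not ($everyDcIsGC -or $singleDomain)) {
    Write-Warning 'Infrastructure Master is on a GC while other DCs are not: cross-domain group references will not be updated'
}
# Failover plan: all five roles on one DC is a single point of failure.
if (($roles.Values | Sort-Object -Unique).Count -eq 1) {
    Write-Warning "All FSMO roles are held by $($domain.PDCEmulator); plan a transfer before taking it offline"
}
```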

Transfer vs Seize Master Roles


Reasons:
1- Spof risk & Performance
2- Plan To take DC offline
3- Decommission a DC

Force Removal:
Schema
Domain naming
RID

Temporary:
Infra
PDC

How to seize Operations Master Roles?

ntdsutil
roles
fsmo maintenance: connections
server connections: connect to server dc1.mcse.com
fsmo maintenance: seize pdc

****** IFM (Install from Media) ******

ntdsutil -> ifm

****** RODC (After 2008) ******

1- Read only
2- No password -> (RODC Computer Account & an AD Account)
3- One-way Replication

Each site = just 1 RODC


RODC on Remote site -> Password Replication Policy (PRP) -> RODC Computer Account
OS Problems & Tshoot on RODC -> Local Administrators Group X -> Local Administrator Role
ntdsutil: local roles
list roles
show role administrators
add %u administrators

****** AD Site ******

AD Physical Structure:

1DC (Minimum) SPOF -> 2DC (Recommended)

Replication -> FRS/DFSr(2012) -> Intra site / Inter site


KCC -> 15mins
Connection object -> replication topology -> Double Ring
repadmin /kcc

Management Tools
GUI -> dssite.msc
CLI -> repadmin /kcc /Syncall /replsum
3rd party -> manage engine or Dell Quest

Start to planning a Site


LAN or WAN-Link -> Do we need DC?
DC or RODC
Redundancy

DNS Query
_ldap._tcp.mcse.com
_ldap._tcp._siteA.mcse.com

Site Attributes
1-Site Name -> Default-First-Site-Name
2-DC or DCs of site
3-Subnets
4-Site Link (Instructions for inter-site Rep)
Name: DefaultIPsitelink
Which sites?
Schedule: when?
15mins <= Replicate every <= 7 Days
Transport Type: Application Layer protocol
RPC(IP) or SMTP
RPC (Remote Procedure Call) -> Primary: 135
-> Secondary: Random
SMTP -> un-stable link
Need Certificate
Can't replicate Domain Data Partition
Wrong Scenarios
1 forest, 1 Domain, 1 Site
1 forest, 1 Domain, 2 Site
Solution:
1 forest, 2 Domain
2 forest

5-Cost
How many site link should i have?
which site link should i use?
-> what is + not cost?
Example: SiteA - SiteB - SiteC (Different bandwidth) -> STP (Spanning Tree Protocol)

GC/GC Srv
Universal Group membership caching

PBS (Preferred Bridgehead Srv)

Site Link Bridge

****** Group Policy ******

Overview
Add local User Account or Change Administrator Password
CMD: Net user administrator 123
Preferences
Control Panel Settings
Local Users and Groups -> Laps (Local Administrator password Solution)

Group Policy Object Filtering


Link & Apply -> Link >= Apply

1-Block Inheritance
2-Enforced
3-Loopback processing
Administrative Templates -> System -> Group Policy -> Configure User group policy ... -> Merge or Replace

Scenario: CP & Run Menu

4-Slow Link Detection (Default: 500kbps) -> ICMP / NLA (Network Location Awareness)
Software Installation
Folder Redirection
Disk Quota
...

5-Security Filtering -> AD Permission (NTFS)


Read & Apply Group Policy
Authenticated Users: Deny / Allow

6-WMI Filtering -> Dynamic Filtering


Windows Management Instrumentation -> Variable & Value -> WMIC
if os=win7 then disable run menu
WMI-QL
Select * from (WMI-class) where (condition) = value -> Examples
Version & Product Type
WMI Code Creator Tool & WMI Explorer
Item Level Targeting
preferences
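An added example (not code from the course notes) for testing the WQL queries that go into a GPO WMI filter on a machine before linking the GPO. A WMI filter evaluates true when its query returns at least one instance; the Version and ProductType values come from Win32_OperatingSystem, and the filter texts below are illustrative.

```powershell
# Added example, not part of the course notes: evaluate candidate WMI-filter queries
# locally. The GPMC dialog uses namespace root\CIMv2 by default, so do the same here.
function Test-WmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    $hits = Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction SilentlyContinue
    # Group Policy treats "one or more rows" as a match, nothing else matters.
    return [bool](($hits | Measure-Object).Count)
}

# ProductType: 1 = workstation, 2 = domain controller, 3 = member/standalone server.
# Version prefix: 6.1 = Windows 7 / 2008 R2, 10.0 = Windows 10/11 and Server 2016+.
$filters = [ordered]@{
    'Windows 7 workstations (the "disable Run menu" case above)' =
        "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.1%' AND ProductType = '1'"
    'Windows 10/11 workstations' =
        "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '10.0%' AND ProductType = '1'"
    'Domain controllers only' =
        "SELECT * FROM Win32_OperatingSystem WHERE ProductType = '2'"
    'Any server (member or DC)' =
        "SELECT * FROM Win32_OperatingSystem WHERE ProductType <> '1'"
}

foreach ($f in $filters.GetEnumerator()) {
    '{0,-5} {1}' -f (Test-WmiFilter -Query $f.Value), $f.Key
}
```

Exactly one of the OS-type rows should print True on any given machine; if none does, the query would silently un-apply the GPO, which is the usual cause of a "policy not applied" ticket.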

****** Software Installation ******

Computer Configuration
Assigned
Install
Remove

Advanced -> msi + mst

User Configuration
.msi & .zap

Assign for User (Help Desk) vs Assign for Computer


Control -> Install a program from the network
.msi

Published (msi,zap)
exe to zap:
[Application]
FriendlyName = "program name"
SetupCommand = \\path\filename.exe
DisplayVersion = X
Publisher = Corporation Name
URL = http://....
[Ext]
XLS =
XLA =
XLB =

Advanced

****** Software Restrictions ******

For Executable Files

Security Levels
Unrestricted
Disallowed
Basic User

Path rule -> Path


Hash rule -> Content
Applocker
services -> application identity
Publisher

RSOP:

Logging Mode
cmd: rsop or gpresult
dsa.msc
mmc -> add snap-in
gpmc.msc -> Group policy results

Planning Mode ?!

****** Snapshot (After 2008) ******

is not suitable for ad & ad integrated apps (why?)


1- A forest restored from snapshots will have difficult data consistency issues
2- If malware was on the DCs at snapshot time, you’re just restoring the malware
3- Whatever servers you don’t restore from snapshot, you must rebuild
4- Snapshot recovery is just the beginning

ntdsutil
snapshot
Create -> Activate Instance ntds
Delete
Mount

ADDS & ADLDS (ADAM)

dsamain -dbpath pathfile ... -ldapport:Port Number

****** Backup & Restore ******

NT Backup (XP & 2003) -> Windows Server Backup (Feature) -> wbadmin.msc
Backup Strategy:
Which Data?
Which Application:
Backup Exec
Veeam Backup
SCDPM
Schedule
Type
Storage
Archive -> Tape
Verification

What is System State Backup?


DC System State Backup = Active Directory Backup
Installed Device Driver
Windows Registry
Active Directory Configuration & Some System File
System State vs Bare metal

When We Lost one of our DCs...

Types Of Backup:
Full Backup
Only changes

Transaction Logs
Copy Backup

Differential Backup: From Last Full Backup


Incremental Backup: From Last Backup
Daily Backup: Daily Changes

What is Backup Period?!


Archive Bit

Volume Shadow Copy Service (VSS)


NTDS.dit

Scenario:
1- Install Backup Server Feature
2- Backup From Selected DC
3- Restore DSRM (if needed)
NTDSUtil -> Set DSRM Password -> Reset Password on ...
4- Reboot DC on Safe Mode
MSConfig -> Boot -> Safe Boot -> Active Directory Repair
5- Backup Recovery

What's The Problem?


USN -> Version
Authoritative Restoration
Increase USN

6- Increase USN
NTDSUTIL -> Authoritative Restore -> Activate Instance ntds -> Restore Subtree DN

****** Force Removal ******

Migration & Tshoot: Problem in Replication

Forest Metadata (Data About Data)


metadata: Data about Data (Catalog)
metadata clean-up
ntdsutil
metadata cleanup
select operation target
connect to server dc1.mcse.com
list site -> select site x
list domains -> select domains x
list servers in site -> select server x
metadata cleanup: remove selected server

***** Additional units *****

AAA -> Authentication (NTLM or Kerberos) -> Kerberos: TGT & TGS (service ticket) -> Service Principal Name (SPN)
Golden Ticket -> forged Kerberos TGT (needs the krbtgt key) -> detection: ATA (Advanced Threat Analytics)
Managed Service Accounts (MSA or gMSA)
Runas /savecred / Process Monitor
LAPS (Local Administrator Password Solution)
Ransomware -> offline / immutable Backup
DLP (Data Leakage Prevention) -> ADRMS
DC Rename -> Netdom computername
Domain Rename -> rendom (ADMT is for migrating objects between domains)
GPO Planning
How does it work? Who does it apply to?
CSE (Client Side Extension)
Site Link Bridge
Slow link detection -> NLA (Network Location Awareness) service
AppLocker
Phantom Objects:
Normal object
Deleted before the tombstone lifetime expires
Object is removed from AD completely
External references still exist
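Added example (not from the original notes): replacing a service's human-chosen password with a group Managed Service Account and moving the SPN onto it, which is the practical answer to "SPN on a user account = Kerberoasting target". Assumed: domain mcse.com, application host APP1, Windows service InventorySvc and the OU path are placeholders.

```powershell
# One-time per forest: KDS root key (the -10 hours trick is for labs only; production waits 10 h)
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Group of hosts allowed to fetch the password, then the gMSA itself with its SPNs
New-ADGroup -Name 'InventorySvc-Hosts' -GroupScope Global -Path 'OU=ServiceAccounts,DC=mcse,DC=com'
Add-ADGroupMember -Identity 'InventorySvc-Hosts' -Members (Get-ADComputer APP1)
New-ADServiceAccount -Name 'gmsaInventory' -DNSHostName 'gmsaInventory.mcse.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'InventorySvc-Hosts' `
    -ServicePrincipalNames 'HTTP/app1.mcse.com','HTTP/app1'

# On APP1 (after a reboot so the new group membership is in its token):
Install-ADServiceAccount -Identity gmsaInventory
Test-ADServiceAccount -Identity gmsaInventory          # True when the host can retrieve the password
sc.exe config InventorySvc obj= 'MCSE\gmsaInventory$' password= ''
Restart-Service InventorySvc

# Audit: which *user* accounts still carry SPNs (these are the Kerberoastable ones)
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName,PasswordLastSet |
    Select-Object SamAccountName,PasswordLastSet,@{n='SPNs';e={$_.ServicePrincipalName -join ';'}}

# Duplicate SPNs break Kerberos for both holders; check before and after the move
setspn -X
```

The gMSA password is 240 bytes, rotated every 30 days by the DCs and never known to an administrator, so the offline-cracking path of a Kerberoast attack leads nowhere.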

****** EFS ******


Volume -> NTFS -> EFS (Encrypting File System)
1- Encryption
2- NTFS permissions -> are they fully secure?! (no: physical access, another OS, a stolen disk)
3- How does EFS encrypt files?
File Encryption Key (FEK) -> symmetric (AES, 256 bits) encrypts the data -> the FEK is encrypted
with the user's public key (asymmetric key pair) -> the key pair lives in the user's EFS
certificate (self-signed if there is no CA)
4- Who can decrypt encrypted files? Holders of a private key that the FEK was encrypted for
(the user, added users, the Data Recovery Agent)
5- When can't we decrypt? EFS depends on the certificate (private key in the user profile)
Reset password (local account: the DPAPI master key is lost -> private key unusable)
-> Certificate deleted or profile lost
Change / reinstall the OS

MMC -> Certificates


certmgr.msc

Transparent Encryption

How to disable efs on systems?


EFS Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Encrypting File System -> Properties
Certificate caching

Backup private key -> export (.pfx with password) -> install or import the certificate on the other machine


How to make private key exportable?

How to Encrypt Critical Data of Clients?

How to make multiple Certificate? How to choose Certificate?


Control Panel -> User Accounts -> Manage your file encryption certificates
Thumbprint (identifies the certificate a file was encrypted for)
Update previously encrypted files -> re-encrypt files on all logical drives with the new certificate

Recovery Agent -> Domain Administrator on the first DC (default Data Recovery Agent of the domain)

1- Certificate for file recovery -> cipher /r:<filename> (creates .cer + .pfx)
2- Policy -> Public Key Policies -> Encrypting File System -> Add Data Recovery Agent (import the .cer)
3- Install the .pfx only on the machine used for recovery; keep it offline otherwise

A file with multi user


Properties on file -> General -> Advance -> Details
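Added example (not from the original notes): EFS from the command line, including the recovery-agent steps above. Assumed: folder D:\Secret, users alice and bob in mcse.com, and the DRA file path are placeholders.

```powershell
# Encrypt a folder (new files inherit the flag), then list what is encrypted
cipher /e /s:D:\Secret
cipher /u /n                          # enumerate encrypted files without changing anything

# Which certificates can open this file? (user thumbprints + recovery-agent thumbprints)
cipher /c D:\Secret\plan.docx

# Share one file with a second user: his EFS certificate must be in AD or given as a .cer
cipher /adduser /user:bob@mcse.com D:\Secret\plan.docx

# Generate the DRA key pair: EFSDRA.cer goes into the GPO (Public Key Policies ->
# Encrypting File System -> Add Data Recovery Agent), EFSDRA.pfx stays offline
cipher /r:C:\DRA\EFSDRA

# After the policy applied (gpupdate /force), re-stamp existing files with the new DRA
cipher /u

# Back up the user's own EFS certificate with its private key (EKU 1.3.6.1.4.1.311.10.3.4 = EFS)
$efs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Select-Object -First 1
$pw  = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $efs -FilePath "$env:USERPROFILE\efs-backup.pfx" -Password $pw

# Recovery on another machine: import the .pfx, after which the files open transparently
Import-PfxCertificate -FilePath C:\DRA\EFSDRA.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $pw
```

Remember that EFS protects data at rest only: a user who can open the file can copy it in clear to a FAT volume or a network share, which is the DLP gap the ADRMS section deals with.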

***** Certificate on IIS *****


inetmgr
certlm.msc
****************** Network Infrastructure ********************

Name Resolution: DNS Service & WINS


DNS Client?! DNS SRV?!

Name Resolution Process(Client-Side):


1- Self Check
2- DNS client cache check: entries live for the record's TTL (capped by the MaxCacheTtl registry value)
ipconfig /displaydns
ipconfig /flushdns

3- Hosts file check -> %SystemRoot%\System32\drivers\etc\hosts


4- DNS SRV
5- WINS / Broadcast / LMHosts file -> Node Type

DNS Client Service?!

DNS SRV:
Protocol: DNS
Port: UDP/53 (TCP/53 for zone transfers and for responses too large for UDP)

How DNS Server works?!


Zone = database of the DNS server -> records (static or dynamic)

1- Forward lookup zone -> name to IP

a) Host record
A record (IPv4)
AAAA record (IPv6)

2- Reverse lookup zone -> IP to FQDN (PTR record)

DNS Server Role


dnsmgmt.msc
dnscmd
powershell
nslookup

caching only server?!

ping vs nslookup

Multiple Host with same IP


Alias -> one ip with multiple service

Domain:
ADDS -> Policy
DNS -> Suffix Name

MX Record?
Example for Send & Recieve Emails:
Inside a network
Between two networks

nslookup:
set q=mx
set q=a

other records

Standard: www.mcse.com & ftp.mcse.com (A Record or Cname)


SPOF -> DNS is stateless -> redundancy by zone transfer (copies the records only, not the server configuration)
One-way / Primary zone (read & write) & Secondary zone (read-only) / Pull (from the master):
forced / refresh interval (SOA) / notification (DNS NOTIFY)

Transfer from zone


Query: UDP 53/ Zone Transfer: TCP 53
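Added example (not from the original notes): a file-backed primary zone on DNS1 with a secondary on DNS2, zone transfer restricted to the zone's own name servers, NOTIFY, forwarders and the query block list. Assumed: DNS1 = 192.168.1.10, DNS2 = 192.168.1.11, zone mcse.com and the forwarder addresses are placeholders.

```powershell
# --- DNS1: standard (file-backed) primary zone ---
Install-WindowsFeature DNS -IncludeManagementTools
Add-DnsServerPrimaryZone -Name 'mcse.com' -ZoneFile 'mcse.com.dns' -DynamicUpdate None
Add-DnsServerResourceRecordA     -ZoneName 'mcse.com' -Name 'www' -IPv4Address 192.168.1.50
Add-DnsServerResourceRecordCName -ZoneName 'mcse.com' -Name 'ftp' -HostNameAlias 'www.mcse.com'

# DNS2 becomes a name server of the zone ("." = zone apex) plus its glue A record
Add-DnsServerResourceRecord  -ZoneName 'mcse.com' -NS -Name '.' -NameServer 'dns2.mcse.com'
Add-DnsServerResourceRecordA -ZoneName 'mcse.com' -Name 'dns2' -IPv4Address 192.168.1.11

# AXFR/IXFR only to servers listed in NS records, and notify them on change
Set-DnsServerPrimaryZone -Name 'mcse.com' -SecureSecondaries TransferToZoneNameServer `
    -Notify NotifyServers -NotifyServers 192.168.1.11

# Unconditional forwarding for everything DNS1 is not authoritative for
Set-DnsServerForwarder -IPAddress 9.9.9.9,1.1.1.1 -UseRootHint $false

# Global query block list: wpad/isatap are never answered even if a client registers them
Set-DnsServerGlobalQueryBlockList -Enable $true -List 'wpad','isatap'

# --- DNS2: secondary zone pulling from DNS1 ---
Add-DnsServerSecondaryZone -Name 'mcse.com' -ZoneFile 'mcse.com.dns' -MasterServers 192.168.1.10
Start-DnsServerZoneTransfer -Name 'mcse.com' -FullTransfer      # force an AXFR now

# --- Checks ---
Resolve-DnsName -Name www.mcse.com -Server 192.168.1.11 -Type A   # secondary answers
nslookup -type=SOA mcse.com 192.168.1.10                           # serial must match on both
# From a machine that is NOT a listed NS, a transfer must be refused (classic recon vector):
#   nslookup  ->  server 192.168.1.10  ->  ls -d mcse.com   => "Query refused"
```

Leaving "Allow zone transfers: To any server" enabled hands every host name, address and hint about the network layout to anyone who asks; restricting it to the NS list is the minimum.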

New Domain
AD Domain -> DNS Domain -> Zone -> Data File
1 Zone with multiple DNS Domain
Join to DNS Domain

SOA Record
Example: 1 Zone with multiple DNS Server
Retry Interval
Expire After
Default TTL (for Static Records)
Per Record

NS Record
Glue record -> A record of a name server, stored with the NS/delegation so the resolver can reach that server

DDNS In a Private Network:


A record or PTR (Pointer Record)

1- DNS SRV:
Active DDNS
Suffix Name

2- DNS Client:
DDNS Support (2000)
DNS Client of this DNS SRV
Suitable Suffix Name
Register this -> checkmark
When register Record? -> Hard Registration or Soft Registration
ipconfig /registerdns

Example: Change Suffix Name


Long Suffix Names Problem
Append parent suffixes: Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Primary DNS Suffix Devolution / Devolution Level

Aging
for Dynamic Records
Update or Refresh
Stale & Scavenge

Global query block list: wpad, isatap (queries for these names are not answered even when registered)
dnscmd /info /globalqueryblocklist , dnscmd /config /globalqueryblocklist wpad isatap
dnscmd /config /enableglobalqueryblocklist 1

Globalnames Zone (2008)


Single-label names, IPv6 support & no dynamic records (static CNAMEs only)
dnscmd /info , dnscmd /config /enableglobalnamessupport 1
What is it for? -> replacing WINS for single-label names

*** DNS Forwarders ***


Scenarios & Question Mode:

1-Local DNS Has Authority

Note:Secondary zone -> Need to Zone transfer

2-Local DNS Has not Authority:

A) Cache DNS SRV


DNS SRV Cache -> Cached Lookups
Clear Cache

Forward to forwarders

Example: we have a domain that connected to internet & a private network

B) Un-Conditional Forwarding (Internet Forwarders)


ISP
Google

C) Conditional Forwarding(2003)

1-By Conditional Forwarder

2-By Stub Zone (SOA Record,NS Record,Glue Record)


Has not Authority

Conditional Forwarder vs Stub Zone


1- Zone Transfer (Stub Zone)
2- More Flexibility (Conditional Forwarder)
3- Dynamically notified of changes (Stub Zone)
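Added example (not from the original notes): the same partner domain reached with a conditional forwarder and, alternatively, with a stub zone, to make the comparison above concrete. Assumed: our server is authoritative for mcse.com; the partner zone partner.local is served by 10.20.0.5 and 10.20.0.6 (placeholders). A server cannot hold both for the same name, so pick one.

```powershell
# A) Conditional forwarder: a static list of the partner's servers, nothing is copied
Add-DnsServerConditionalForwarderZone -Name 'partner.local' -MasterServers 10.20.0.5,10.20.0.6 -ForwarderTimeout 3
# AD-integrated variant so every DC running DNS gets it automatically:
# Add-DnsServerConditionalForwarderZone -Name 'partner.local' -MasterServers 10.20.0.5 -ReplicationScope Forest

# B) Stub zone: only SOA, NS and glue A records are transferred and kept current;
#    queries then go to whatever NS the partner currently lists
# Remove-DnsServerZone -Name 'partner.local' -Force            # if A) was created first
Add-DnsServerStubZone -Name 'partner.local' -MasterServers 10.20.0.5 -ZoneFile 'partner.local.dns'
Get-DnsServerResourceRecord -ZoneName 'partner.local'          # only SOA / NS / A(glue) appear
(Get-DnsServerZone -Name 'partner.local').ZoneType             # Stub: we are NOT authoritative

# Prerequisite for B) on the partner side: zone transfers allowed to our server.
# Prerequisite for A): none, but when the partner renumbers its servers we must edit the list.

# Test either: the name must resolve without consulting the root hints
Resolve-DnsName -Name fs1.partner.local -Server localhost -DnsOnly
```

For a one-way trust partner that changes its DNS servers often, the stub zone is the lower-maintenance choice; when the partner will not allow zone transfers, the conditional forwarder is the only option.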

Hierarchical DNS Structure


Name Resolution Process on Internet:
1- Dot zone or Root Zone -> Root Hints (13 IP Addresses)
2- Top Level DNS Servers (Top Level domains) -> .com,.net,.ir,.org
3- Second Level DNS Servers -> Yahoo.com,Google.com,bmi.ir

Delegation -> New domain or New delegation

DNS Queries:
1- Non-recursive queries (the server answers only from its own zones or cache; used between servers)
2- Recursive queries -> the server must return the final answer (clients to their DNS server)
3- Iterative queries -> the server returns the next step (a referral) instead of the answer

Root Hints

For Cancel Forwarding:


Make a dot Zone or Disable Recursion

how to change root hints?


Cache.dns -> Root Hints

How to Register A Domain?


1- Whois
2- Name Hosting
3- Delegation
=> Delegation warning on the DC promotion wizard (the parent zone could not be updated)
Enable BIND secondaries (zone properties -> Advanced)
1- AXFR -> full zone transfer -> fast zone transfer (compressed, several records per message) vs slow zone transfer (one record per message, needed by old BIND secondaries)
2- IXFR -> incremental zone transfer (only the changes since the secondary's serial number)

Usecase for Reverse Lookup Zone


Examples:
Phone
Service -> Web Server (Automation)
Filtering -> Youtube

****** AD Integrated Zones ******

1- No data file -> records are objects in the directory

2- The DNS server must be a DC (writable DC for updates; an RODC holds a read-only copy)
3- AD-integrated is a storage option of a primary zone, not a separate zone type
4- There is no "secondary AD-integrated" zone (every DC with DNS holds a writable copy)
5- Which partition?
Example: a forest with 2 domains
Schema, Configuration (forest-wide) -> what's the problem?! (every DC in the forest gets the zone, with or without DNS)
DDP (Default Domain Partition): unnecessary replication to DCs without DNS & the zone travels with everything else in the domain

=> Application Directory Partition (replicated only to the DCs that run DNS)

DomainDnsZones.mcse.com -> domain-wide (the zone mcse.com)
ForestDnsZones.forestname -> forest-wide (_msdcs.forestname)

How to make a Application Directory partition?


ntdsutil -> partition management -> connections -> connect to server dc1.mcse.com -> quit ->
create nc dc=CustomApp,dc=mcse,dc=com dc1.mcse.com

Domain Controller:
LDAP SRV
Kerberos SRV
GC SRV
-> IP Address & Port

Make AD Zones
Make Srv Record
=> Service Locations or SRV Record -> Netlogon

How to verify srv records?!


set q=srv
_ldap._tcp.mcse.com

Priority & Weight
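Added example (not from the original notes): verifying the SRV records Netlogon registers for mcse.com and reading priority/weight the way a client does. Assumed: domain mcse.com and site Default-First-Site-Name are placeholders; the registry value at the end is documented for Netlogon.

```powershell
# The LDAP locator record (same as nslookup: set q=srv / _ldap._tcp.mcse.com)
Resolve-DnsName -Name _ldap._tcp.mcse.com -Type SRV | Select-Object NameTarget,Port,Priority,Weight

# The site-specific, GC and Kerberos variants clients actually prefer
Resolve-DnsName -Name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mcse.com -Type SRV
Resolve-DnsName -Name _gc._tcp.mcse.com -Type SRV
Resolve-DnsName -Name _kerberos._tcp.mcse.com -Type SRV

# Lower Priority wins; among equal priorities Weight is the share of requests (0-65535)
$srv = Resolve-DnsName -Name _ldap._tcp.mcse.com -Type SRV
$srv | Group-Object Priority | Sort-Object { [int]$_.Name } | ForEach-Object {
    $total = ($_.Group | Measure-Object Weight -Sum).Sum
    foreach ($r in $_.Group) {
        $share = if ($total) { $r.Weight / $total } else { 0 }
        '{0} priority={1} weight={2} share={3:P0}' -f $r.NameTarget, $r.Priority, $r.Weight, $share
    }
}

# Records missing? Force the DC to re-register and compare with what Netlogon expects
nltest /dsregdns
Restart-Service Netlogon
Get-Content "$env:SystemRoot\System32\config\netlogon.dns"

# Tuning: make a slow DC the last resort for the whole domain (set on that DC)
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name LdapSrvPriority -Value 10 -Type DWord
```

A DC whose SRV records are missing from _msdcs is invisible to the locator: clients and other DCs will not find it even though it replicates fine, which is the usual cause of "logon server unavailable" after a DNS zone migration.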

Standard vs AD-Integrated Zones


Update server data file
Security
Secure Registration
Access Control by AD Permission
Replication
Conditional forwarding

what is DMZ?!
Caching Only DNS SRV

*** WINS ***

NetBEUI (up to 2000) vs TCP/IP

NetBEUI: without logical address
Without layer 3 & without routing
LAN & flat -> all devices were in the same broadcast domain
Master Browser
Self Tune

FQDN & Netbios

Socket Base Application vs Netbios base Application


NetBIOS over TCP/IP (NetBT) -> NetBIOS names and sessions carried over TCP/UDP 137-139; the glue between NetBIOS applications and the TCP/IP stack

Netbios name to IP -> LM Host File


WINS Server
Broadcast -> Master Browser (PDC Emulator)

How to disable NetBIOS over TCP/IP? (NIC -> IPv4 -> Advanced -> WINS tab, or DHCP Microsoft vendor option 001 = 0x2)

****** DHCP ******


IP Address:
Static
Dynamic
APIPA -> 169.254.x.y
Alternate Configuration

DORA:
1- DHCP Discover -> Broadcast
DHCP SRV: 67/UDP
DHCP Client: 68/UDP

2- DHCP Offer
3- DHCP Request
4- DHCP Ack + Options

Questions:
4 steps?
Broadcast?
Transaction ID -> Application layer

DHCP pre-requirements
Static IP Address

1-DHCP Role Installation


DHCP SRV & Client in same broadcast domain
DHCP Relay Agent

2-Management tools:
dhcpmgmt.msc
netsh
powershell

3-DHCP Configuration:
Network monitor or wireshark for dhcp discover packet
Restart DHCP Service
Security problem -> rogue DHCP server (fake): hands out a malicious gateway / DNS server -> MITM
Microsoft solution: Authorization in AD -> Enterprise Admins (an unauthorized Windows DHCP server in a domain stops serving)
Cisco: DHCP Snooping (only trusted switch ports may send Offer / Ack)
Stand-alone (workgroup) DHCP server -> authorization does not stop it
Firewall
Scope -> Address Range or Address Pool
Activate Scope
Discover but no offer
Scope network ID must match the network of one of the server's interfaces (or arrive through a relay agent) -> otherwise: discover but no offer
How many scopes = number of VLANs / subnets that contain DHCP clients
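Added example (not from the original notes): installing, authorizing and building the first scope, with the rogue-server question answered from the server side. Assumed: DHCP1 = 192.168.1.5 in mcse.com, client VLAN 192.168.10.0/24 with router 192.168.10.1, printer MAC and names are placeholders.

```powershell
Install-WindowsFeature DHCP -IncludeManagementTools

# Authorization: needs Enterprise Admins (or delegated rights); the list lives in the
# Configuration partition and is what an authorized server checks itself against
Add-DhcpServerInDC -DnsName dhcp1.mcse.com -IPAddress 192.168.1.5
Get-DhcpServerInDC                     # every entry here is a server the domain trusts; unknown ones = investigate

# Scope = pool + mask; the server needs an interface in this subnet (or a relay agent),
# otherwise you see Discover packets and never an Offer
Add-DhcpServerv4Scope -Name 'VLAN10 clients' -StartRange 192.168.10.20 -EndRange 192.168.10.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.10.0 -StartRange 192.168.10.20 -EndRange 192.168.10.30

# Options: scope level (003 router) beats server level (006 DNS, 015 suffix)
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -Router 192.168.10.1
Set-DhcpServerv4OptionValue -DnsServer 192.168.1.10,192.168.1.11 -DnsDomain mcse.com

# Reservation: fixed address by MAC; reservation options beat scope options
Add-DhcpServerv4Reservation -ScopeId 192.168.10.0 -IPAddress 192.168.10.40 -ClientId '00-11-22-33-44-55' -Name 'PRN-Floor1'

# Microsoft vendor option 001 "Disable NetBIOS" = 0x2 for Windows clients
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -VendorClass 'Microsoft Windows 2000 Options' -OptionId 1 -Value 2

# Conflict detection: ping the address before offering it (costs latency, avoids duplicates)
Set-DhcpServerSetting -ConflictDetectionAttempts 2

# What did we end up with?
Get-DhcpServerv4Scope | Select-Object ScopeId,Name,State,LeaseDuration
Get-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -All | Format-Table OptionId,Name,Value -AutoSize
```

Authorization protects only against a misconfigured Windows server in the domain; a rogue Linux or embedded DHCP server on the same VLAN answers anyway, which is why DHCP snooping on the switches is the real control.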

4- Options
what is option?
Code & Name
option type -> boolean,string,...

which options set on client?


Server Option
Scope Option
Reservation Option

Which options on Server option? Which options on Scope option?


for example NBT Disable -> 0x2

*** Option Filtering ***


DHCP class ID -> set on the DHCP client (the DHCP server matches it against a user class)
cmd: ipconfig /setclassid "<connection name>" <class id>
Define vendor class
Set Predefined Options
IE -> WPAD / 252

Policy
define user classes (Class ID)
policy in scope
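Added example (not from the original notes): option filtering with a user class and a scope policy, plus the WPAD option 252 mentioned above. Assumed: scope 192.168.10.0/24 already exists; class name, ranges and the proxy URL are placeholders.

```powershell
# User class the server matches against (the string the client sends in option 77)
Add-DhcpServerv4Class -Name 'Kiosk' -Type User -Data 'kiosk' -Description 'Hallway kiosks'

# Policy: kiosks get their own address range, a different DNS server and a short lease
Add-DhcpServerv4Policy -Name 'Kiosk policy' -ScopeId 192.168.10.0 -Condition OR -UserClass EQ,'kiosk'
Add-DhcpServerv4PolicyIPRange -Name 'Kiosk policy' -ScopeId 192.168.10.0 -StartRange 192.168.10.200 -EndRange 192.168.10.220
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -PolicyName 'Kiosk policy' -DnsServer 192.168.1.12
Set-DhcpServerv4Policy -Name 'Kiosk policy' -ScopeId 192.168.10.0 -LeaseDuration (New-TimeSpan -Hours 4)

# Client side (on the kiosk):  ipconfig /setclassid "Ethernet" kiosk  ;  ipconfig /renew

# Option 252 (WPAD) must be defined before it can be set
Add-DhcpServerv4OptionDefinition -OptionId 252 -Name 'WPAD' -Type String -Description 'Proxy auto-config URL'
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -OptionId 252 -Value 'http://proxy.mcse.com/wpad.dat'

# Verify which options a policy/scope hands out; option 252 from a rogue server is a
# ready-made MITM proxy, so make sure only your server answers with it
Get-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -PolicyName 'Kiosk policy'
Get-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -All | Format-Table OptionId,Name,Value -AutoSize
```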

*** DHCP: Backup & Restore ***


DHCP & WINS use the JET (ESE) database engine -> the .mdb files are not Access files, even though the extension matches
data file -> %SystemRoot%\System32\dhcp\dhcp.mdb (+ j50.log transaction logs)
Event log
Auto backup -> every 60 minutes by default (BackupInterval value in the registry) to %SystemRoot%\System32\dhcp\backup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters

Compact
jetpack
jetpack dhcp.mdb temp.mdb

batch file (offline compaction; jetpack refuses to run while the service holds the database):
@echo off
cd /d %SystemRoot%\System32\dhcp
net stop dhcpserver
jetpack dhcp.mdb temp.mdb
net start dhcpserver

Copy DHCP Data Files

config in registry (inconsistency between database & registry)


Reconcile

Migrate DHCP: Export & Import


netsh dhcp server export c:\dhcp.txt all
netsh dhcp server import c:\dhcp.txt all
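Added example (not from the original notes): backup, reconcile and migration with the DhcpServer module, the PowerShell equivalents of the registry / jetpack / netsh steps above. Assumed: old server dhcp1, new server dhcp2, scope 192.168.10.0 and the file paths are placeholders.

```powershell
# Automatic backup interval (minutes) and where the service writes it
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters' |
    Select-Object BackupInterval,BackupDatabasePath
Set-DhcpServerDatabase -BackupInterval 30 -CleanupInterval 60

# On-demand backup (database + configuration) and the matching restore
Backup-DhcpServer -ComputerName dhcp1 -Path 'C:\DhcpBackup'
# Restore-DhcpServer -ComputerName dhcp1 -Path 'C:\DhcpBackup' -Force ; Restart-Service DhcpServer

# Reconcile: mismatches between the lease database and the registry summary counters
Repair-DhcpServerv4IPRecord -ScopeId 192.168.10.0 -ReportOnly
Repair-DhcpServerv4IPRecord -ScopeId 192.168.10.0 -Force

# Migration (netsh export/import with leases and configuration)
Export-DhcpServer -ComputerName dhcp1 -File 'C:\dhcp-export.xml' -Leases
Import-DhcpServer -ComputerName dhcp2 -File 'C:\dhcp-export.xml' -Leases -BackupPath 'C:\DhcpImportBackup'
Add-DhcpServerInDC -DnsName dhcp2.mcse.com        # the new server still needs its own authorization
# and the old one must stop answering: Remove-DhcpServerInDC -DnsName dhcp1.mcse.com ; Stop-Service DhcpServer

# Audit log: one file per weekday, the evidence you want after an incident
Get-DhcpServerAuditLog
Get-ChildItem "$env:SystemRoot\System32\dhcp\DhcpSrvLog-*.log"
```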

****** SPOF On DHCP ******

HA & FT
Problem:
SRVs are not sync => ip conflict
Solution:
1- Divide the scope by exclusions (each server hands out a different part of the range)
Problem:
Insufficient IP addresses when one server's part is full => NACK

2-Split Scope (2008 R2)


Problem:
Decentralized Management & Monitoring -> DHCP is Stateful -> config not sync

3-Failover Cluster

4- DHCP Failover (2012) -> per scope -> only 2 DHCP servers -> port: TCP 647 for the failover protocol / heartbeat
Maximum Client Lead Time (MCLT) -> used in both Load Balance and Hot Standby modes
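Added example (not from the original notes): a failover relationship for scope 192.168.10.0 in load-balance mode, with the hot-standby variant as a comment, and the replication step that people forget. Assumed: dhcp1 and dhcp2 are both authorized, TCP 647 is open between them, the shared secret is a placeholder.

```powershell
# Load balance 50/50: both servers hand out leases and replicate them to each other
Add-DhcpServerv4Failover -ComputerName dhcp1 -Name 'DHCP1-DHCP2' -PartnerServer dhcp2 `
    -ScopeId 192.168.10.0 -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -SharedSecret 'use-a-long-random-value' -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 10)

# Hot standby instead: dhcp1 active, dhcp2 keeps 5% of the pool for clients while dhcp1 is down
# Add-DhcpServerv4Failover -ComputerName dhcp1 -Name 'DHCP1-DHCP2' -PartnerServer dhcp2 `
#     -ScopeId 192.168.10.0 -ServerRole Active -ReservePercent 5 -MaxClientLeadTime (New-TimeSpan -Hours 1) `
#     -SharedSecret 'use-a-long-random-value'

# MCLT applies to both modes: it bounds how far beyond the partner's knowledge a server may
# extend a lease, and how long a partner stays "communication interrupted" before taking over.

# Scope *configuration* (options, reservations) is NOT replicated automatically: push it after every edit
Set-DhcpServerv4OptionValue -ComputerName dhcp1 -ScopeId 192.168.10.0 -Router 192.168.10.1
Invoke-DhcpServerv4FailoverReplication -ComputerName dhcp1 -Name 'DHCP1-DHCP2'

# Status of the relationship and of the leases on both sides
Get-DhcpServerv4Failover -ComputerName dhcp1 | Format-List Name,Mode,State,PartnerServer,MaxClientLeadTime,LoadBalancePercent
Get-DhcpServerv4ScopeStatistics -ComputerName dhcp1 -ScopeId 192.168.10.0
Get-DhcpServerv4ScopeStatistics -ComputerName dhcp2 -ScopeId 192.168.10.0
```

The shared secret only authenticates the failover messages; since the protocol is not encrypted, keep the two servers on a management network rather than the client VLAN.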

Complete DHCP Configuration


Authorize
Make 2 security group
DHCP Administrators
DHCP Users

Example: if a client joined to AD domain set ip address

Command,CMD & Powershell


cmdlet (Verb-Noun)
get-help
get-verb
get-command
Install-Windowsfeature
-detailed
-examples
-name
-restart
-source

****** DHCP Integration with DNS ******


Example: the DHCP server registers A and PTR records on behalf of its clients
Name Protection (DHCID record)
Security problem -> fake records on DNS (a client registering another host's name, or a rogue DHCP server updating the zone)

Multicast Scope
Types of IP Address -> Unicast, Multicast, Broadcast
Multicast: first octet 224 to 239
Standard: RIP v2 (224.0.0.9)
Static
Dynamic

Super Scope: one or more Scopes


Problem: Multinet -> Exclusion
Multihome

Bad Address?!

Bootp Table

Conflict Detection Attempts


DHCP attacks: generate fake MAC addresses (starvation) until the pool is exhausted
Starvation attack -> no free leases for real clients; combined with a rogue server = MITM (BAD_ADDRESS entries come from conflict detection, not from the starvation itself)
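Added example (not from the original notes): spotting a starvation attack in the DHCP server audit log, which is a burst of new leases (event ID 10) to many never-seen MAC addresses in a short window, typically followed by pool exhaustion (ID 14). The log lines below are constructed to match the audit log column order (ID, date, time, description, IP, host name, MAC, ...); real files have more trailing columns, which the parser ignores. Thresholds are assumptions.

```powershell
$sample = @'
10,05/02/24,09:00:01,Assign,192.168.10.21,pc01.mcse.com,00155D010101,,0,0
11,05/02/24,09:00:15,Renew,192.168.10.22,pc02.mcse.com,00155D010102,,0,0
10,05/02/24,09:01:02,Assign,192.168.10.23,,DEADBEEF0001,,0,0
10,05/02/24,09:01:02,Assign,192.168.10.24,,DEADBEEF0002,,0,0
10,05/02/24,09:01:03,Assign,192.168.10.25,,DEADBEEF0003,,0,0
10,05/02/24,09:01:03,Assign,192.168.10.26,,DEADBEEF0004,,0,0
10,05/02/24,09:01:04,Assign,192.168.10.27,,DEADBEEF0005,,0,0
14,05/02/24,09:01:05,Pool exhausted,192.168.10.0,,DEADBEEF0006,,0,0
'@

function Find-DhcpStarvation {
    param(
        [string[]]$Lines,
        [int]$WindowSeconds = 60,   # look-back window per new lease
        [int]$Threshold     = 5     # distinct new MACs inside the window that raise an alert
    )
    $fields = 'ID','Date','Time','Description','IPAddress','HostName','MAC','User','TxId','QResult'
    $events = $Lines | Where-Object { $_ -match '^\d+,' } |
        ConvertFrom-Csv -Header $fields |
        ForEach-Object {
            $when = [datetime]::ParseExact("$($_.Date) $($_.Time)", 'MM/dd/yy HH:mm:ss', $null)
            $_ | Add-Member -NotePropertyName When -NotePropertyValue $when -PassThru
        }

    $alerts    = @()
    $newLeases = $events | Where-Object ID -eq '10' | Sort-Object When
    foreach ($e in $newLeases) {
        $window = $newLeases | Where-Object { $_.When -le $e.When -and $_.When -gt $e.When.AddSeconds(-$WindowSeconds) }
        $macs   = $window | Select-Object -ExpandProperty MAC -Unique
        if ($macs.Count -ge $Threshold) {
            $alerts += [pscustomobject]@{
                At           = $e.When
                DistinctMacs = $macs.Count
                NoHostName   = ($window | Where-Object { -not $_.HostName }).Count   # spoofed clients rarely send a name
            }
            break
        }
    }
    $exhausted = $events | Where-Object ID -eq '14'
    [pscustomobject]@{
        Starvation        = $alerts
        PoolExhausted     = [bool]$exhausted
        FirstExhaustionAt = ($exhausted | Select-Object -First 1).When
    }
}

Find-DhcpStarvation -Lines ($sample -split "`r?`n") | Format-List
# Live use:  Find-DhcpStarvation -Lines (Get-Content "$env:SystemRoot\System32\dhcp\DhcpSrvLog-Thu.log")
```

On the constructed input this reports five distinct MACs with no host name inside one minute and a pool exhaustion right after. The response belongs on the switch (DHCP snooping with a per-port rate limit), not on the server.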

DHCP Relay Agent (concept)


Agent Definition
TTL
Boot threshold (seconds the relay waits before forwarding) & the 80/20 rule for splitting a scope between two servers

DNSUpdate Proxy (ADDS -> Users Containers)
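Added example (not from the original notes): secure DHCP-to-DNS registration covering the three settings above (dedicated update credentials, DnsUpdateProxy, Name Protection). Assumed: zone mcse.com is AD-integrated with secure updates only; DHCP servers dhcp1/dhcp2; the low-privilege account MCSE\svc-dhcpdns already exists.

```powershell
# 1. Register on behalf of clients with a dedicated account. Without this a DHCP server on a
#    DC would use the DC's credentials and every record would be owned by the DC.
$cred = Get-Credential 'MCSE\svc-dhcpdns'
Set-DhcpServerDnsCredential -Credential $cred -ComputerName dhcp1
Set-DhcpServerDnsCredential -Credential $cred -ComputerName dhcp2

# 2. DnsUpdateProxy: records created by members carry no owner ACE, so the partner DHCP
#    server (or later the client itself) can still update them. Never add a DC to this group.
Add-ADGroupMember -Identity DnsUpdateProxy -Members (Get-ADComputer dhcp1),(Get-ADComputer dhcp2)

# 3. Name Protection: a DHCID record ties the name to the client that registered it; another
#    client asking for an existing name gets an address but not the name (no hijacking of fs1.mcse.com)
Set-DhcpServerv4DnsSetting -ScopeId 192.168.10.0 -DynamicUpdates Always -NameProtection $true `
    -DeleteDnsRROnLeaseExpiry $true -UpdateDnsRRForOlderClients $true
Get-DhcpServerv4DnsSetting -ScopeId 192.168.10.0

# 4. Verify: after a lease the zone holds an A + DHCID pair for the client,
#    and the record's owner is the update account, not a DC
Get-DnsServerResourceRecord -ZoneName mcse.com -Name 'kiosk01' | Format-Table RecordType,RecordData
(Get-Acl 'AD:\DC=kiosk01,DC=mcse.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mcse,DC=com').Owner
```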

****** IPAM ******


IP Address Management (2012)
1- Static IP Assignment
2- Dynamic IP Assignment
3- Forensic
4- Monitor & Management Services (DNS & DHCP)

WID: Windows Internal Database (2008)


SQL Express

phpIPAM or Solarwinds

****** Firewall ******


What is Firewall?
Home(Personal) or Network
Edge Firewall

What to do? How?


Rule(Policy): Traffic + Action (Permit or Block)

Microsoft: MS Proxy 2.2 , ISA 2000/2004/2006 , TMG 2010 => 2012 Discontinue
Kerio Control

How to Define Traffic?


1- IP Address
Default Rule: Traffic -> Any then Action -> Block

2- IP + Port (identifies the application behind the transport layer) or IP + Protocol

Firewall is layer 4 device?!

Packet Filtering
Static packet filtering & dynamic packet filtering => stateless firewall & stateful firewall (tracks connections)

Application filtering (layer 7) -> UTM (Unified Threat Management) -> Firewall + IDS + IPS + VPN + Accounting + Anti-Spam & Anti-Virus + Reporting

Content Filtering?!

Priority of Rules

What is 3Leg (Homed) firewall Topology?!


Zombie

Backend Firewall & Front-end Firewall (Back to Back Topology)


What is a DMZ (Perimeter Network)?

Example:
Ping
Routing Table
Arp -a
echo request

wf.msc
firewall.cpl
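Added example (not from the original notes): a Windows Firewall baseline that applies the rule model above (traffic = IP + protocol + port, action = allow/block, default block inbound, explicit block beats allow). Assumed: a file server on 192.168.1.0/24 managed from jump host 192.168.1.100; addresses are placeholders.

```powershell
# Default action per profile: unsolicited inbound blocked, outbound allowed, drops logged
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

# Allow rules scoped by source: this is the "IP + port" traffic definition
New-NetFirewallRule -DisplayName 'SMB in from LAN' -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress 192.168.1.0/24 -Profile Domain -Action Allow
New-NetFirewallRule -DisplayName 'RDP from jump host only' -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress 192.168.1.100 -Action Allow
New-NetFirewallRule -DisplayName 'ICMPv4 echo from LAN' -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress 192.168.1.0/24 -Action Allow

# Rule priority: a Block rule wins over any Allow rule that matches the same packet
New-NetFirewallRule -DisplayName 'Block WinRM from Public' -Direction Inbound -Protocol TCP -LocalPort 5985,5986 `
    -Profile Public -Action Block

# Which ports are actually reachable? (enabled inbound allows, then what really listens)
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Get-NetFirewallPortFilter | Select-Object InstanceID,Protocol,LocalPort | Sort-Object Protocol,LocalPort -Unique
Get-NetTCPConnection -State Listen | Select-Object LocalAddress,LocalPort,OwningProcess | Sort-Object LocalPort

# Tshoot from the drop log instead of guessing ("Ping / echo request" questions end here)
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 50 | Where-Object { $_ -match ' DROP ' }
```

The built-in rule groups (File and Printer Sharing, Remote Desktop) are convenient but open ports to "Any" remote address; writing the rule yourself with -RemoteAddress is what turns the host firewall into a real control.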

Browse

****** R-RAS ******


Routing & Remote Access

Routing: Host Routing & Router Routing


Routing & Remote Access Services

Routing Table?
Route print
Route add
Route add -p
Route Delete
Route -f -> Flush routing table

1- Network destination => destination
2- Netmask
3- Gateway (to) => action
4- Interface (from)
5- Metric => cost

Traditional Routing -> Destination

Example) Ping 2 clients with different Net IDs


Solution: Route add 192.168.2.0 mask 255.255.255.0 192.168.1.10
Persistent by -p

Route Delete 192.168.2.0

Default route ?!
Default Gateway -> 0.0.0.0 0.0.0.0

Example) Routing with Windows System


Solution: Start R-RAS Service

Example) Private network connect with Public Network (NAT & PAT)
1-Routing
2-NAT
3-NAT Table
4-PAT
5-Basic Firewall -> Packet Filtering

Incoming Traffic -> Publishing (Static Mapping)


DMZ

ICS?!
Private + Public Interfaces (Gateway)
Route + NAT + PAT + DHCP Allocator + DNS Proxy
*** Install & Configure R-RAS ***

Scenario 1) LAN Routing with Microsoft OS


Ping
Start R-RAS
Set DG on Public System

Scenario 2) NAT
Install R-RAS
rrasmgmt.msc

Configure R-RAS
Configue NAT Protocol
Configure Protocol
Interface Binding
Configure Interfaces

Show Mapping
Example for Mapping
DNS & Web Service -> Configure to Service Publishing

Server Publishing -> PAT

Scenario 3) Private Networks with same network ranges


Address Pool & Reservation
Private to Public: Source IP Translation
Public to Private: Destination IP Translation

R-RAS: Routing & NAT or Remote Access

Scenario 4) Remote Access


Dial-up or VPN
VPN: R-RAS (VPN Gateway) + VPN Conncetion (CMAK)

1-Authentication -> authentication protocols: PAP, SPAP, CHAP, EAP, MS-CHAP v1, MS-CHAP v2
VPN SRV, DC, Radius SRV (NPS)

2-Authorization -> Radius SRV by NPS Module


Network Policy (NP) or Remote Access Policy (RAP)
1- Conditions
2- Permissions: Permit or Block (User Properties -> Dial-in)
3- Profiles

3-Accounting: logging

IP Address Assignment
Range or DHCP SRV

Tunnelling protocol
PPTP
L2TP
SSTP
IKEV2

which ip should ping or browse?


Microsoft Point-to-Point Encryption (MPPE)
Encryption + Encapsulation
TTL?

*** VPN Server ***

Scenario 1: PPTP
A- Configure Tunelling Protocol on VPN Connection (Client)
B- Configure Dial-in Tab on User Account (VPN SRV)

PPTP -> TCP 1723 (control) + GRE, IP protocol 47 (data) -> MPPE

How to make a Network Policy?


MS-CHAP V2.0
Dial-in Tab

Scenario 2: Enable Basic Firewall on RAS


General -> Public Interface -> Properties
Browse 100.1.1.1

Scenario 3: Why l2TP?


L2TP -> UDP 1701; with IPsec: UDP 500 (IKE), UDP 4500 (NAT-T), ESP = IP protocol 50

1- Security (Encryption mechanism)


PPTP -> MPPE
L2TP -> IPSEC

2- Tunelling Authentication (Server Authentication): Pre-shared key or Certificate


Note: A- Configure Tunneling Authentication Mechanism on VPN Server ->
Security
B- Set Pre-shared key on VPN Client Connection

3- Header Compression

Add L2TP Port


Tunneling Authentication -> Security tab on VPN Server
Type of VPN On Vpn-client
Preshared key Vpn-Client

Scenario 4: Why SSTP?


Too many ports & protocols must be open between client & server (L2TP/IPsec), and GRE/ESP do not pass every NAT
SSTP -> TCP 443 -> SSL (TLS) -> needs a server certificate the client trusts

Add SSTP Port


Tunelling Protocol on vpn-Client
Tunelling Authentication -> Certificate
inetmgr -> Server Certificates -> Create Self signed
issued To: change computer name
Trust to Certificate issuer -> Export certificate & import to CTL
Change IP Address to Hostname & change host file

IKEv2 (IPsec like L2TP: UDP 500/4500) -> supports mobility / automatic reconnect (MOBIKE)


Mobile Devices

Scenario 5: Configure AAA SRV (Radius SRV)


IAS (2003)
NPS -> Network Policy (RAP)

A- install & Configure NPS Role (NPS.msc)


Create User & Group
Define Network Policy
B- Configure VPN SRV to Radius Client
VPN SRV -> Security -> Authentication Provider
Initial Score?

C- Configure Radius Client (VPN SRV) on Radius SRV


NPS -> Radius Clients & SRV -> Radius Clients

Radius Proxy
Full Access or Limited Access?
What is Shared Secret?

Radius SRV or Radius Proxy?


Network policy or Connection Request Policy

Radius Clients:
VPN Srv
Switch
-> 802.1x
AP
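Added example (not from the original notes): the VPN server and NPS RADIUS server of scenarios 1-5 configured from PowerShell, with PPTP switched off. Assumed: VPN1 = 192.168.1.20 runs RRAS, NPS1 = 192.168.1.30, client pool 10.10.10.0/24, the shared secret is a placeholder; network policies themselves are built in nps.msc as the notes describe.

```powershell
# --- VPN1 (RRAS) ---
Install-WindowsFeature RemoteAccess,DirectAccess-VPN,Routing -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn

# Addresses handed to clients (alternative: DHCP relay agent on the RRAS server)
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange 10.10.10.10,10.10.10.250

# No PPTP ports at all (MPPE with MS-CHAP v2 is crackable offline); keep L2TP, SSTP, IKEv2
Set-VpnServerConfiguration -TunnelType Pptp  -MaxPorts 0
Set-VpnServerConfiguration -TunnelType L2tp  -MaxPorts 50
Set-VpnServerConfiguration -TunnelType Sstp  -MaxPorts 50
Set-VpnServerConfiguration -TunnelType Ikev2 -MaxPorts 50

# Tunnel (server) authentication by certificate; user authentication only EAP or MS-CHAP v2
Set-VpnAuthProtocol -TunnelAuthProtocolsAdvertised Certificates -UserAuthProtocolAccepted EAP,MSChapv2

# Hand authentication to NPS1 (the "Authentication Provider" tab in rrasmgmt.msc)
Set-VpnAuthType -Type ExternalRadius -RadiusServer 192.168.1.30 -SharedSecret 'the-same-long-secret'

# --- NPS1 ---
Install-WindowsFeature NPAS -IncludeManagementTools
netsh nps add registeredserver                       # lets NPS read the Dial-in tab of user accounts
New-NpsRadiusClient -Name 'VPN1' -Address 192.168.1.20 -SharedSecret 'the-same-long-secret' -VendorName 'RADIUS Standard'
# Network policy (conditions: group MCSE\VPN-Users + tunnel type; constraints: EAP-MSCHAPv2;
# settings: strongest encryption) -> nps.msc. Then back it up / copy to the standby NPS:
netsh nps export filename="C:\nps-backup.xml" exportPSK=YES
# netsh nps import filename="C:\nps-backup.xml"

# --- Checks ---
Get-RemoteAccess | Select-Object VpnStatus
Get-VpnServerConfiguration | Select-Object TunnelType,MaxPorts
Get-VpnAuthType ; Get-VpnAuthProtocol
```

The exported NPS file contains the RADIUS shared secrets in clear when exportPSK=YES is used; store it like a password file.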

Internet Connection Lost By VPN Connection!!


Why?
VPN Connection -> Networking -> IPv4 -> Advanced -> uncheck "Use default gateway on remote network" (split tunnelling) + add a static route for the remote network

Site to Site VPN (S2S)


Demand Dial Interface
Incoming or Outgoing?
Permanent or Temporary?
Name
Route
User Account: Dial in & Dial Out
Username = Name Demand Dial Interface
Dial in tab: Allow
Password: Never Expire

1-Network Infra-Structure
2-DNS
Conditional Forwarding or Stub Zone
3-Authentication
Trust
External or Forest -> one or two way

****** Scenarios ******

Scenario 1)
S2S VPN (PPTP & L2TP):
THR vs SHZ
1- Install R-RAS
2- Configure R-RAS to VPN SRV
3- Customize R-RAS
4- Make New Demand Dial Interface

Scenario 2)
How to Configure DHCP Relay Agent?
1- Install DHCP Role on DHCP Server
2- Create Scope on DHCP Server
3- Add DHCP Relay Agent protocol on VPN Server
Scenario 3)
Trust Between 2 Domains
1- Install ADDS Role
2- Create Trust
External (Domain-Wide or Selective)
Forest (Forest-Wide or Selective)
3- DNS & Name Resolution

****************** Application ******************

****** Disk Management ******

HDD Type on Windows: Basic (Default) or Dynamic (After 2000)

How to prepare a Disk to Read/Write?


Basic -> Partitioning -> Primary or Extended
Primary
1- Active (Boot)
2- Partition (Volume) -> Format with file System

Extended
1- Partition -> Logical Drive -> Volume

How many Partitions we can make?


It depends on the partition style
1- MBR -> 4 primary or 3 primary + 1 extended
Extended partition can be divided into many logical drives
2- GPT -> 128 partitions
Disks larger than 2 TB; booting from GPT needs UEFI & 64-bit Windows

MBR < Convert > GPT


The disk must be empty (all partitions deleted) to convert in Disk Management; mbr2gpt.exe (Windows 10 1703+) converts in place

Free Space?
Unallocated Space?

Basic < Convert > Dynamic

1-Convert Basic to Dynamic to make Software RAID


We need 1 MB of unallocated space at the end of the disk

2-Convert Dynamic to Basic to Install Windows


The disk must be empty (all volumes deleted) to convert back

Create VHD -> Initialize

Make Simple Volume


Mount a Volume to a folder
1- Empty Folder
2- Destination file system must be NTFS

Allocation Unit Size

Diskpart
List Disk
Select Disk

Offline -> Pass-through


Volume:
1-Simple Volume
2-Spanned Volume (JBOD)
3-Raid 0
4-Raid 1
5-Raid 5

Re-Scan
Import Foreign Disk

****** Raid Configuration ******


Sub Systems:
CPU
RAM
NIC
Storage

What is Storage?!
Disk vs Storage

BAY, Cage (Box), Storage Pool (Space), Enclosure (SAS Cable, SAS Controller)

What is RAID?
Disk (Group or Array) + Policy

Why?
SPOF with Disk (FT)
Performance
Capacity

What is JBOD? (Spanned Volume)

Raid Configuration
Hardware RAID vs Software RAID
Raid Controller or OS
Resources
Abilities
Flexibiliy

Software RAID limitations:

Only RAID 0, 1, 5 (plus spanned volumes)
No hot spare

Raid vs Backup

Hot Spare?

Raid Technologies:
Striping
Mirroring
Parity

Raid 0 (Striped Volume):


2 <= Disk <= 32
Same Capacity
Best Performance (*N)
Without FT
Use for Pagefile,Temporary Data, Video Streaming
Raid 1 (Mirrored Volume):
2 Disks
Same Capacity
Read Performance: *2 (Read)
Fault Tolerance = 1
Use for OS

Raid 5
3 <= Disk <= 32
Raid 0 + Parity
What is Parity?
Same Capacity
Fault Tolerance but low Performance
Use for Data Store

Hybrid Raid
1+0 / 0+1 / 5+0 / 6+0

Software Defined Storage (2012)


Make Storage Pool / Hot-Spare / Virtual Disk (Raid)
Storage pool or Storage Space
Requirements:
Basic Disk
OS Server Side
At least 10 GB Capacity
Physical or Virtual Disks (Not Partitioned)
GPT or MBR
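Added example (not from the original notes): preparing a basic disk (GPT, NTFS, mounted to a folder) and building a Storage Spaces pool with a mirror and the hot spare that dynamic-disk software RAID could not offer. Assumed: disk 1 is a fresh data disk and disks 2-4 are unpartitioned; sizes and names are placeholders.

```powershell
# --- Basic disk: GPT, one partition, NTFS, mounted into an empty NTFS folder ---
Initialize-Disk -Number 1 -PartitionStyle GPT
$part = New-Partition -DiskNumber 1 -UseMaximumSize
Format-Volume -Partition $part -FileSystem NTFS -AllocationUnitSize 65536 -NewFileSystemLabel 'Data' -Confirm:$false
New-Item -ItemType Directory -Path 'C:\Mounts\Data' | Out-Null
Add-PartitionAccessPath -DiskNumber 1 -PartitionNumber $part.PartitionNumber -AccessPath 'C:\Mounts\Data'

# --- Storage Spaces: pool from every disk that can be pooled ---
$candidates = Get-PhysicalDisk -CanPool $true
New-StoragePool -FriendlyName 'Pool1' -StorageSubSystemFriendlyName '*Storage*' -PhysicalDisks $candidates
# reserve the last disk as hot spare
Set-PhysicalDisk -FriendlyName ($candidates | Select-Object -Last 1).FriendlyName -Usage HotSpare

# Mirror = RAID 1 behaviour (Parity = RAID 5, Simple = RAID 0); thin provisioning grows on demand
New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'VD-Mirror' -ResiliencySettingName Mirror `
    -NumberOfDataCopies 2 -ProvisioningType Thin -Size 500GB
Get-VirtualDisk -FriendlyName 'VD-Mirror' | Get-Disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Mirror' -Confirm:$false

# Health: which physical disk is degraded and whether the space is still healthy
Get-PhysicalDisk | Select-Object FriendlyName,HealthStatus,OperationalStatus,Usage
Get-VirtualDisk  | Select-Object FriendlyName,ResiliencySettingName,HealthStatus,OperationalStatus

# Replacing a failed disk: retire it, add the new one, repair the space
# Set-PhysicalDisk -FriendlyName 'PhysicalDisk3' -Usage Retired
# Add-PhysicalDisk -StoragePoolFriendlyName 'Pool1' -PhysicalDisks (Get-PhysicalDisk -CanPool $true)
# Repair-VirtualDisk -FriendlyName 'VD-Mirror'
```

A mirror protects against a dead disk, not against a deleted file or ransomware: the copy is encrypted at the same moment as the original, which is why the notes keep "RAID vs Backup" as a separate question.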

****** Storage Technologies ******

Access to Storage for Read/Write:

Block Level Access:


iSCSI & Fiber Channel
Blocks are addressed by LBA (logical block address) & the storage knows no file metadata
Data block -> volume -> server OS
Storage volume -> file system -> Windows (NTFS) & VMware (VMFS)

File Level Access:


SMB/NFS/CIFS
File Sharing

DAS
Block Level Access
Performance
Can not use as a Shared Storage
Internal
External

NAS
NIC
TCP/IP
OS: Unix Base
How many interface?
How many power?
Join to AD
WebUI
NFS/CIFS/HTTP
RAID
File Server & Backup Destination
File Level Access

SAN
what is the problem?
Performance
Security
HBA
SFP: Single or Multi
HBA or FCA: FC Technology
16G or 32G
WWNN & WWPN: 64 bits each
Server to Storage & Storage to Storage

1-Hosts
2-Storage Networking -> Fiber Channel
3-Storages

Block Level & Shared Storage

iSCSI
iSCSI Initiator & iSCSI Target

FCoE
HBA + NIC ---> CNA (Converged Network Adapter)

****** Server Cluster ******

Cluster: Server Array (Group) + Rule (Policy) -> Service

What is Usage?!
SPOF -> FT -> HA + LB + QA

Public Solution:
DNS
Example) Web Server
What is problems?
1- load Balancing without weight
2- Some apps just try for one IP (Ping)
3- Problem with Public IP
4- Visit without name or Cache DNS
5- Delay
6- Awareness?!

Cluster: Awareness + Rule


Name
IP Address (VIP)
MAC Address

Example) Traditional Bank System

Failover?! Failback?! Heartbeat (Keep Alive)?!

Microsoft Server Cluster:


NLB (L3/L4, not application aware) -> stateless services
Failover (application aware) -> stateful -> shared storage

Example) SRV1 & SRV2 as nodes of a Failover Cluster


Owner (Active) or Passive (Stand-by)
Only 1 Active node -> NO LB
What is problem with active/passive Cluster?
Solution: 50-50 workload

A LUN for Cluster Configuration -> Quorum (Witness)


how to choose active node?

Failover Cluster -> Hyper-V


MS-Exchange -> DAG
SQL -> Always-on

NLB Cluster -> IIS

****** NLB Cluster ******

Maximum: 32 Hosts

Scenario: 3 VMs: 2 Hosts + 1 client


Install NLB Feature
Name (Optional)
IP Address (VIP)
MAC Address: Mode & IP Address
Mode: Unicast / Multicast / IGMP Multicast
Rule

MAC address, first octet: least significant bit (I/G) 0 -> unicast, 1 -> multicast; next bit (U/L) 0 -> OUI-assigned (burned-in), 1 -> locally administered

Problem with unicast mode -> all nodes share one MAC (02-BF-...) -> MAC address flapping on the switch & no connectivity between the cluster nodes on that NIC
Unicast mode for backward compatibility

Multicast mode -> unicast cluster IP mapped to a multicast MAC (03-BF-...) -> switches flood it as unknown unicast

Best solution: IGMP multicast -> the hosts of the cluster are registered on the switch (01-00-5E-7F-...), no flooding

NLBmgr
nlb or wlbs

Add Host to Cluster:


1- Ping
2- NLB Feature
3- Permission (Administrator)

Rule:
Per IP Address
Per Port
Per protocol

Single Host: Only F.T


Active/Passive
Which one is active?
Handling Priority

Affinity (Between Client & Server in Cluster):

Example for Affinity:


Remote Desktop Services (Terminal Services)
Remote Administration (Administration Mode)
Application Virtualization (Application Mode)
Single:
Client -> IP Address
Parameters -> Rule & Number of Hosts

Network:
Client Network (24 Bits)
Parameters -> Rule & Number of Hosts

Application Awareness?!
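Added example (not from the original notes): a two-node NLB cluster for IIS in IGMP multicast mode with port rules for HTTP/HTTPS only and single-client affinity, plus draining a node for patching. Assumed: WEB1 (192.168.1.51) and WEB2 (192.168.1.52) each have a second NIC named "NLB", the VIP is 192.168.1.50.

```powershell
Invoke-Command -ComputerName WEB1,WEB2 { Install-WindowsFeature NLB -IncludeManagementTools }

# Cluster on WEB1; IGMP multicast so the switch learns the 01-00-5E-7F-xx-xx MAC via IGMP
# joins instead of flooding (the unicast-mode MAC flapping problem does not arise)
New-NlbCluster -InterfaceName 'NLB' -HostName WEB1 -ClusterName 'web.mcse.com' `
    -ClusterPrimaryIP 192.168.1.50 -SubnetMask 255.255.255.0 -OperationMode IgmpMulticast

# Replace the default "all ports" rule: balance only 80/443, keep a client on one host (Single affinity)
Get-NlbClusterPortRule -HostName WEB1 | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -HostName WEB1 -StartPort 80  -EndPort 80  -Protocol TCP -Mode Multiple -Affinity Single
Add-NlbClusterPortRule -HostName WEB1 -StartPort 443 -EndPort 443 -Protocol TCP -Mode Multiple -Affinity Single
# (-Mode Single would send everything to the host with the best handling priority: fail-over only, no balancing)

# Second node; its host priority is also its unique host ID
Get-NlbCluster -HostName WEB1 | Add-NlbClusterNode -NewNodeName WEB2 -NewNodeInterface 'NLB'

# State of the cluster and nodes
Get-NlbCluster     -HostName WEB1 | Format-List *
Get-NlbClusterNode -HostName WEB1 | Select-Object Name,HostPriority,State

# Patch window: stop accepting new connections, let existing ones finish, then rejoin
Stop-NlbClusterNode -HostName WEB2 -Drain -Timeout 60
# ... patch & reboot WEB2 ...
Start-NlbClusterNode -HostName WEB2
```

NLB has no health check of the application itself: a node whose IIS is stopped keeps receiving its share of the traffic until an operator drains it, which is what "application awareness" in the notes refers to.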

****** Hyper-V ******

Server
Cost
Space
Capex & Opex
Advantages & Disadvantages?!

=> Server Virtualization


1 Server = 1 Service
Application -> Hypervisor
Type 1: Bare-Metal Hypervisor -> ESXi
Type 2: Hosted Hypervisor -> VMware Workstation -> Client Side

Hyper-V SRV (2008)


Role Hyper-V
SRV side: Type 1
Client Side: Type 2

Physical Machine: CPU /RAM /Disk /Network


Virtual Machine: VCPU , VRAM , VDisk , VNIC

=> Software Defined Datacenter: SDDC


Datacenter
Network -> NSX
SRV -> vsphere
Client -> Horizon View
Virtual Desktop Infrastructure: VDI
Application Virtualization
Storage -> V-SAN

Hyper-V Requirements:
64 Bits
CPU -> VT Support
Bios
Management Tools: virtmgmt.msc

VM: G1 , G2 (2012) , Nested VM (2016)


G1: BIOS / 2x IDE controllers / Legacy (emulated, 100 Mb, can PXE boot) & Standard (synthetic, 10G, no PXE boot ROM) network adapters
SCSI vs IDE?
Performance / hot add
G2: UEFI -> Secure Boot / SCSI boot / PXE on the standard adapter / only 64-bit guests (Windows 8 / 2012 and later, supported Linux)

Vcenter <> SCVMM

Dynamic Memory (2008 R2 SP1): Startup / Min / Max


Disk : vhd (2TB) or vhdx (64TB)
1- Fixed Size: Performance
2- Dynamic: Utilization
3- Differencing: Parent/Child -> 1-Snapshot / 2-VDI

P2V Applications

fix <> dynamic

How to define disk type?!


inspect disk

Edit disk
Compact
Convert
Merge

Passthrough: Physical Component to VM

V-Switch: (Layer 2) -> VM + Physical Switch + Hyper-V SRV


1-Private: Only VMs (On Local Hyperv-SRV) -> Test & Tshoot
2-Internal: VM + Hyper-V SRV
3-External: Uplink to Physical switch
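Added example (not from the original notes): a Generation 2 VM with Secure Boot, a dynamic VHDX and the three switch types above, including the per-vNIC guards that stop a guest from impersonating a DHCP server or router on the host's switch. Assumed: host uplink NIC "Ethernet 2", VM SRV-TEST, paths and ISO are placeholders.

```powershell
Install-WindowsFeature Hyper-V -IncludeManagementTools -Restart

# Switches: External = uplink to the physical switch (host keeps a vNIC), Private = VMs only
New-VMSwitch -Name 'External-LAN' -NetAdapterName 'Ethernet 2' -AllowManagementOS $true
New-VMSwitch -Name 'Lab-Private'  -SwitchType Private
# Internal (VMs + host, no LAN):  New-VMSwitch -Name 'Lab-Internal' -SwitchType Internal

# Gen2: UEFI, SCSI boot, Secure Boot; dynamic VHDX grows on demand (fixed = better I/O)
New-VHD -Path 'D:\VMs\SRV-TEST\os.vhdx' -SizeBytes 80GB -Dynamic
New-VM -Name 'SRV-TEST' -Generation 2 -MemoryStartupBytes 2GB -VHDPath 'D:\VMs\SRV-TEST\os.vhdx' `
    -SwitchName 'Lab-Private' -Path 'D:\VMs'
Set-VMMemory   -VMName 'SRV-TEST' -DynamicMemoryEnabled $true -MinimumBytes 1GB -StartupBytes 2GB -MaximumBytes 8GB
Set-VMFirmware -VMName 'SRV-TEST' -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'
Add-VMDvdDrive -VMName 'SRV-TEST' -Path 'D:\ISO\WS2019.iso'
Set-VMFirmware -VMName 'SRV-TEST' -FirstBootDevice (Get-VMDvdDrive -VMName 'SRV-TEST')

# Guest cannot spoof MACs or answer DHCP / router advertisements on the virtual switch
Set-VMNetworkAdapter -VMName 'SRV-TEST' -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

Start-VM -Name 'SRV-TEST'
vmconnect.exe localhost 'SRV-TEST'

# "Inspect disk" / "Edit disk" from the console, as commands
Get-VHD -Path 'D:\VMs\SRV-TEST\os.vhdx' | Select-Object VhdType,VhdFormat,Size,FileSize,ParentPath
Stop-VM -Name 'SRV-TEST'
Optimize-VHD -Path 'D:\VMs\SRV-TEST\os.vhdx' -Mode Full                                    # Compact
Convert-VHD  -Path 'D:\VMs\SRV-TEST\os.vhdx' -DestinationPath 'D:\VMs\SRV-TEST\os-fixed.vhdx' -VHDType Fixed

# Checkpoints are differencing disks (parent/child): look at the chain before deleting anything
Checkpoint-VM -Name 'SRV-TEST' -SnapshotName 'before-patch'
Get-VMSnapshot -VMName 'SRV-TEST'
```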

VMConnect

Move: Live Migration


Process
Storage
H1 -> H2
-> Vmotion in VMWare
H1 -> H1

Replication
primary & Replica

virtmgmt.msc

VM Migration (Move)
V-Motion -> Compute / Storage / Compute + Storage
Export & Import / move vhdx
live migration

VM Replication -> Veeam Backup & Replication

NIC Teaming

****** Failover Cluster ******

VM1: DC + DNS + GC
Shared Storage
iSCSI Target Server (iSCSI) -> SDS (2012)
Install iSCSI Target
Prepare Shared storage -> Create LUN (Vdisk) & Present to VMs

Node1(HV1) & Node2(HV2)


join to domain
Hyper-V Server Role Installation
Failover Clustering feature Installation
Configure iSCSI initiator -> iscsicpl -> start the iSCSI Initiator service -> Quick connect -> Volumes & Devices -> Auto Configure
Diskmgmt.msc -> Make simple volume on Node1
Configure Cluster with CLUadmin.msc
Create Cluster
Name
IP
Computer Account (CAP)
Create VM on Failover Console -> Configure Role
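Added example (not from the original notes): the iSCSI shared storage of the Storage Technologies section and the two-node Hyper-V cluster of this section, built in the order of the steps above. Assumed: STOR1 (192.168.1.40) runs the iSCSI Target Server role, nodes HV1/HV2 are domain members, cluster HVCL1 at 192.168.1.45, witness share \\fs1\witness$; IQNs, CHAP secret and paths are placeholders.

```powershell
# --- STOR1: target + LUN, presented to the two nodes by IQN (never "allow all"), CHAP on top ---
Install-WindowsFeature FS-iSCSITarget-Server -IncludeManagementTools
New-IscsiVirtualDisk -Path 'D:\iSCSI\csv1.vhdx' -SizeBytes 200GB
New-IscsiServerTarget -TargetName 'hvcluster' -InitiatorIds @(
    'IQN:iqn.1991-05.com.microsoft:hv1.mcse.com',
    'IQN:iqn.1991-05.com.microsoft:hv2.mcse.com')
Add-IscsiVirtualDiskTargetMapping -TargetName 'hvcluster' -Path 'D:\iSCSI\csv1.vhdx'
Set-IscsiServerTarget -TargetName 'hvcluster' -EnableChap $true -Chap (Get-Credential 'hvcluster')

# --- On each node ---
Install-WindowsFeature Hyper-V,Failover-Clustering,Multipath-IO -IncludeManagementTools -Restart
Set-Service MSiSCSI -StartupType Automatic ; Start-Service MSiSCSI
New-IscsiTargetPortal -TargetPortalAddress 192.168.1.40
Get-IscsiTarget | Connect-IscsiTarget -IsPersistent $true -AuthenticationType ONEWAYCHAP `
    -ChapUsername 'hvcluster' -ChapSecret 'at-least-12-characters'
Get-Disk | Where-Object BusType -eq 'iSCSI'

# --- On HV1 only: initialise the LUN once ---
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' } |
    Initialize-Disk -PartitionStyle GPT -PassThru | New-Partition -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'CSV1' -Confirm:$false

# --- Validate, then create the cluster (CAP = computer account HVCL1 in AD) ---
Test-Cluster -Node HV1,HV2 -Include 'Storage','Inventory','Network','System Configuration','Hyper-V Configuration'
New-Cluster -Name HVCL1 -Node HV1,HV2 -StaticAddress 192.168.1.45
Get-ClusterAvailableDisk | Add-ClusterDisk | Add-ClusterSharedVolume        # becomes C:\ClusterStorage\Volume1
Set-ClusterQuorum -NodeAndFileShareMajority '\\fs1\witness$'                # quorum witness for 2 nodes

# --- Clustered VM on the CSV: failover / switchover ---
New-VM -Name 'App-VM' -Generation 2 -MemoryStartupBytes 2GB -Path 'C:\ClusterStorage\Volume1' `
    -NewVHDPath 'C:\ClusterStorage\Volume1\App-VM\disk0.vhdx' -NewVHDSizeBytes 60GB
Add-ClusterVirtualMachineRole -VMName 'App-VM'
Move-ClusterVirtualMachineRole -Name 'App-VM' -Node HV2 -MigrationType Live   # planned switchover
Get-ClusterNode ; Get-ClusterGroup
```

iSCSI traffic is cleartext; the IQN filter and CHAP only control who may log in, so the storage network should be a dedicated VLAN or NICs that the client VLANs cannot reach.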

Failover
Failback
Switchover

CSV (Cluster Shared Volumes) -> NTFS

Single path & Multi path I/O

****** NTFS Permissions ******

File System
FAT -> FAT16
FAT32
ExFAT
NTFS
ReFS

NTFS Specification:
Security Tab
Compression
EFS
Quota

What is ACL & ACE?!

File Properties -> Basic Permissions


Read: (content, owner, attributes, ACL) -> a user who can read can copy the file -> NTFS permissions are not suitable for DLP
Read & Execute: executable files -> depends on the Read permission -> usually inherited from the parent object
Write: (content, attributes) -> drop-box / mailbox folders (write without read)
Modify = Read + Read & Execute + Write + Delete (+ Rename)
Full = Modify + Change Permissions + Take Ownership (take ownership / give ownership) -> Full Control permission, or the right to change the owner
Administrators can take ownership through the SeTakeOwnershipPrivilege right

Allow vs Deny

Effective Permissions

Folder Properties -> Basic Permissions


Read
List Folder Contents
Read & Execute -> Local Path
Write
Modify = Read + Read & Execute + List Folder Contents + Write + Delete (+ Rename)
Full = Modify + Change Permissions + Take Ownership (take ownership / give ownership) + Delete Subfolders & Files
Secure locations: folders or locations that have special NTFS permissions (Windows / System32 / Program Files / Users)

Advance tab

Default NTFS Permissions -> Applies To

Auditing
Object Auditing
Windows Auditing -> Configure Group Policy
Advanced Audit Policy configuration (2008R2)
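Added example (not from the original notes): the NTFS rules above applied to a department folder (inheritance broken, Modify for the writers, Read for the readers, a Deny that protects the folder itself) and the auditing part: a SACL plus the audit policy that makes it produce events. Assumed: domain MCSE, groups Sales-RW / Sales-RO, folder D:\Shares\Sales.

```powershell
$path = 'D:\Shares\Sales'
New-Item -ItemType Directory -Path $path -Force | Out-Null

$acl = Get-Acl $path
# Break inheritance and drop the inherited ACEs (e.g. BUILTIN\Users Read from D:\Shares)
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$rule = { param($id, $rights, $type)
    New-Object System.Security.AccessControl.FileSystemAccessRule($id, $rights, $inherit, $none, $type) }

$acl.AddAccessRule((& $rule 'BUILTIN\Administrators' 'FullControl'    'Allow'))
$acl.AddAccessRule((& $rule 'NT AUTHORITY\SYSTEM'    'FullControl'    'Allow'))
$acl.AddAccessRule((& $rule 'MCSE\Sales-RW'          'Modify'         'Allow'))   # no Change Permissions / Take Ownership
$acl.AddAccessRule((& $rule 'MCSE\Sales-RO'          'ReadAndExecute' 'Allow'))
# Deny beats Allow: writers may delete files inside, but not the Sales folder itself (this folder only)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('MCSE\Sales-RW','Delete','None','None','Deny')))
Set-Acl -Path $path -AclObject $acl

# SACL: audit successful deletes and permission/owner changes by anyone
$sacl = Get-Acl $path -Audit
$sacl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership', $inherit, $none, 'Success')))
Set-Acl -Path $path -AclObject $sacl

# Without the audit policy the SACL is decoration (Advanced Audit Policy -> Object Access -> File System)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Verify: resulting ACEs, then the events that a deletion now produces
(Get-Acl $path).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited -AutoSize
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4660,4663 } -MaxEvents 10 | Format-List TimeCreated,Message
```

Event 4663 (an attempt was made to access an object) and 4660 (an object was deleted) share a handle ID, which is how you reconstruct who deleted what; forward them to a SIEM, because the local Security log wraps quickly on a busy file server.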

Event vs Report

Disk Quota -> NTFS


Soft Quota -> Monitoring
Hard Quota -> Limit

Size or Size on Disk?


Compression

Per User or Per Disk?


New Quota Entry
Export

Folder Quota -> Server Side (After 2008)


on file server (Role)
File Server Resource Manager -> fsrm.msc

File Screening
Define File types by file Screen (No Content Filtering)

Storage Reports Management


Configure to notify by email
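Added example (not from the original notes): FSRM folder quotas, a file screen that blocks executables on the public share and flags ransomware-style extensions, and a scheduled storage report with e-mail notification. Assumed: share root D:\Shares, SMTP relay smtp.mcse.com, mailbox addresses and the extension list are placeholders.

```powershell
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Set-FsrmSetting -SmtpServer 'smtp.mcse.com' -AdminEmailAddress 'storage-admins@mcse.com' -FromEmailAddress 'fsrm@mcse.com'

# Hard quota per home folder: 2 GB limit, warning mail to the owner at 85%
$warn = New-FsrmAction -Type Email -MailTo '[Source Io Owner Email]' -Subject 'Home folder 85% full' `
    -Body 'Your home folder [Quota Path] is at [Quota Used Percent]%.'
$thr  = New-FsrmQuotaThreshold -Percentage 85 -Action $warn
New-FsrmQuotaTemplate -Name '2GB Home' -Size 2GB -Threshold $thr          # add -SoftLimit to monitor only
New-FsrmAutoQuota -Path 'D:\Shares\Home' -Template '2GB Home'             # one quota per subfolder, also for new ones

# File screens match names only (no content inspection), so a renamed .exe passes;
# still useful against drive-by .exe/.scr drops and as an early ransomware alarm
New-FsrmFileGroup -Name 'Ransomware extensions' -IncludePattern '*.locky','*.crypt','*.encrypted','*.wncry','*DECRYPT*.txt'
$evt  = New-FsrmAction -Type Event -EventType Warning -Body '[Source Io Owner] wrote [Source File Path] on [Server]'
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' -Subject 'Possible ransomware on [Server]' `
    -Body '[Source Io Owner] created [Source File Path]'
New-FsrmFileScreen -Path 'D:\Shares'        -IncludeGroup 'Ransomware extensions' -Active -Notification $evt,$mail
New-FsrmFileScreen -Path 'D:\Shares\Public' -IncludeGroup 'Executable Files'      -Active      # built-in group

# Storage report: large files and files by owner, mailed on the 1st of each month at 02:00
$sched = New-FsrmScheduledTask -Time (Get-Date '02:00') -Monthly 1
New-FsrmStorageReport -Name 'Monthly share usage' -Namespace 'D:\Shares' -Schedule $sched `
    -ReportType LargeFiles,FilesByOwner -MailTo 'storage-admins@mcse.com'

# Checks
Get-FsrmQuota      | Select-Object Path,Size,Usage,SoftLimit
Get-FsrmFileScreen | Select-Object Path,IncludeGroup,Active
```

An active screen also denies the write, which for an encryptor means the original stays intact and the e-mail arrives while the infected client is still on the network; pair it with the Windows firewall or SMB session kill on the client name the event reports.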

****** File Server ******

Share folders for Users & Applications


1- Create Groups & Users
2- Create shared folders
Public (Temporary)
Organization Shared Folder
Home Folder (Private)

3- Configure Shared Permission


CSC or offline file

4- Configure NTFS Permission

5- Map folders to Users


User Configuration -> Preferences -> Drive Maps

6- ABE (Access-Based Enumeration) -> 2003 SP1 / R2


Servermanager -> File & Storage Services -> Shares

7- Workgroup Folder

8- Shadow Copy -> Default Shared folders (fsmgmt.msc) -> Configure shadow copy
How to share a folder remotely?!
Policy for delete default shared folders -> Computer Configuration ->
preferences

9- File Server Security Hardening
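Added example (not from the original notes): publishing the department and home shares with access-based enumeration, then the SMB-level hardening that step 9 asks for. Assumed: the folders already carry their NTFS ACLs (share permissions stay broad and NTFS does the filtering), server fs1.mcse.com and group names are placeholders.

```powershell
New-SmbShare -Name 'Sales$' -Path 'D:\Shares\Sales' -FullAccess 'MCSE\Sales-RW' -ReadAccess 'MCSE\Sales-RO' `
    -FolderEnumerationMode AccessBased -CachingMode None -EncryptData $true -Description 'Sales department'

# Home folders: ABE hides every other user's folder; NTFS on each subfolder gives only its owner access
New-SmbShare -Name 'Home$' -Path 'D:\Shares\Home' -ChangeAccess 'Authenticated Users' -FolderEnumerationMode AccessBased

# Drive maps come from GPP (User Configuration -> Preferences -> Drive Maps); from a client for a test:
# New-PSDrive -Name S -PSProvider FileSystem -Root '\\fs1.mcse.com\Sales$' -Persist

# --- Hardening the SMB server ---
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart          # SMB1 client + server removed
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -EnableSecuritySignature $true `
    -EncryptData $false -RejectUnencryptedAccess $false -Force                       # signing everywhere, encryption per share
# Administrative shares (C$, ADMIN$) come back after a reboot if only removed; turn them off here:
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name AutoShareServer -Value 0 -Type DWord

# What is shared, who is connected and over which dialect (anything 1.x is a problem)
Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name,Path,FolderEnumerationMode,EncryptData
Get-SmbSession | Select-Object ClientComputerName,ClientUserName,Dialect,NumOpens
Get-SmbShareAccess -Name 'Sales$'
```

Share-level encryption (SMB 3) protects the data on the wire from the unicast-flooding and tap scenarios discussed under NLB and WINS; clients older than Windows 8 / 2012 cannot connect to an encrypted share, which is the trade-off to check before enabling it globally.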

SPOF
File Server -> HA
Stateful -> Failover Cluster -> Shared Storage
Microsoft: DFS (Namespace + Replication)
Example: DC (sysvol)

1- Install DFS Module on File Servers


2- Same Configuration on File Servers
3- dfsmgmt.msc / dfsutil (cli)
4- Create Namespace
Create folder (Link)
DFS Replication Service
5- Reconfigure Policies
\\Domain FQDN\ns-public\*

Add New Namespace Server


Just for Domain-Based Name Spaces

Set Active

Diagnostic Report
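Added example (not from the original notes): a domain-based namespace with two namespace servers and DFS Replication between FS1 and FS2 for the public folder, following steps 1-5 above. Assumed: domain mcse.com, each server holds D:\DFSRoots\ns-public and D:\Shares\Public; names are placeholders.

```powershell
Invoke-Command -ComputerName FS1,FS2 { Install-WindowsFeature FS-DFS-Namespace,FS-DFS-Replication -IncludeManagementTools }

# Namespace root \\mcse.com\ns-public (2008 mode: ABE + more than 5000 folders)
Invoke-Command -ComputerName FS1,FS2 { New-SmbShare -Name 'ns-public' -Path 'D:\DFSRoots\ns-public' -ReadAccess 'Authenticated Users' }
New-DfsnRoot -TargetPath '\\FS1\ns-public' -Type DomainV2 -Path '\\mcse.com\ns-public' -EnableAccessBasedEnumeration $true
New-DfsnRootTarget -Path '\\mcse.com\ns-public' -TargetPath '\\FS2\ns-public'      # 2nd namespace server (domain-based only)

# Folder (link) with two targets: clients get the target in their site first, the other as fail-over
New-DfsnFolder       -Path '\\mcse.com\ns-public\Docs' -TargetPath '\\FS1\Public'
New-DfsnFolderTarget -Path '\\mcse.com\ns-public\Docs' -TargetPath '\\FS2\Public'

# Keep both targets identical: replication group, FS1 primary for the initial sync
New-DfsReplicationGroup -GroupName 'Public-RG' |
    New-DfsReplicatedFolder -FolderName 'Docs' |
    Add-DfsrMember -ComputerName FS1,FS2
Add-DfsrConnection -GroupName 'Public-RG' -SourceComputerName FS1 -DestinationComputerName FS2
Set-DfsrMembership -GroupName 'Public-RG' -FolderName 'Docs' -ComputerName FS1 -ContentPath 'D:\Shares\Public' -PrimaryMember $true -Force
Set-DfsrMembership -GroupName 'Public-RG' -FolderName 'Docs' -ComputerName FS2 -ContentPath 'D:\Shares\Public' -Force
Update-DfsrConfigurationFromAD -ComputerName FS1,FS2

# Health: backlog between members, and the target the client was actually referred to
Get-DfsrBacklog -GroupName 'Public-RG' -FolderName 'Docs' -SourceComputerName FS1 -DestinationComputerName FS2
Get-DfsnFolderTarget -Path '\\mcse.com\ns-public\Docs'
# on a client:  dfsutil /pktinfo
```

DFSR replicates deletions and encrypted-by-ransomware files just as faithfully as legitimate changes; the second target is availability, not a backup.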

****** DAC ******

Dynamic Access Control -> Server 2012


Access Rules -> (if , then)
User/Computer Claims & File Classification

1- Claims Based Authentication


What is claims based Authentication?
Define the types of claims (Attributes) -> DSAC
Configure DC by Policy
Default Domain Controllers Policy -> Computer Configuration -> Administrative Templates -> System -> KDC -> KDC support for claims, compound authentication and Kerberos armoring

2- Configure File Classification


Install FSRM
Enable/Create Resource Properties -> DSAC
Add Attributes to Resource Property List
Update file server --PowerShell--> Update-FSRMClassificationPropertyDefinition
Classify Files & Folders
Manual or Automatic (FSRM Console)

3- Configure Access Policies


Central Access Rules -> Central Access Policy
Configure Policy on File Servers ( Security Settings -> File System)
Define Central Policy tab on files or Folders
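Added example (not from the original notes): steps 1-3 above as commands: a user claim from the department attribute, a matching resource property, a central access rule ("if user.Department == resource.Department then Modify") inside a central access policy, and an FSRM rule that classifies files automatically. Assumed: KDC claims support is already enabled by the GPO above; attribute names, values and paths are placeholders.

```powershell
# 1. Claim type sourced from the AD attribute "department" (DSAC -> Dynamic Access Control -> Claim Types)
$values = @(
    (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Sales','Sales','')),
    (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('HR','HR','')))
New-ADClaimType -DisplayName 'Department' -SourceAttribute department -ID 'ad://ext/Department' -SuggestedValues $values

# 2. Resource property files will carry, added to the list file servers download
New-ADResourceProperty -DisplayName 'Department' -ID 'Department_MS' -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SuggestedValues $values
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department_MS'

# 3. Central access rule + policy. The conditional ACE (XA) grants Modify (0x1301bf) to
#    Authenticated Users only when the user's claim equals the file's property.
$acl = 'O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)(XA;;0x1301bf;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'
New-ADCentralAccessRule -Name 'Department match' -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Sales","HR"})' -CurrentAcl $acl
New-ADCentralAccessPolicy -Name 'Departmental data'
Add-ADCentralAccessPolicyMember -Identity 'Departmental data' -Members 'Department match'
# Publish the policy to file servers: GPO -> Computer Configuration -> Windows Settings ->
# Security Settings -> File System -> Central Access Policy, then gpupdate /force on the servers.

# 4. On the file server: pull the property definitions and tag files whose content says "Sales"
Update-FsrmClassificationPropertyDefinition
New-FsrmClassificationRule -Name 'Tag Sales documents' -Property 'Department_MS' -PropertyValue 'Sales' `
    -Namespace 'D:\Shares\Sales' -ClassificationMechanism 'Content Classifier' `
    -Parameters @('StringEx=Min=1;Expr=Sales') -ReevaluateProperty Overwrite
Start-FsrmClassification
# Folder properties -> Security -> Advanced -> Central Policy tab -> "Departmental data" (GUI step)

# Verify what a logon token now carries (needs the claims-aware client and a new logon)
whoami /claims
Get-ADCentralAccessPolicy -Filter * | Select-Object Name,Members
```

The NTFS ACL and the central policy are evaluated together and both must allow: DAC narrows access, it never widens it, which is why it is safe to roll out in "proposed permissions" (staging) mode first and watch the audit events.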

****** ADRMS ******


DLP:
User --Access--> Data

DRM (Digital Rights Management)


ADRMS
****** Print Server ******

What is Printer?
Hardware -> Print Device
Software -> Driver

Local or Network printer? when?!


print job
What is Printer Port?

Practical scenario
Print Server:
Install printer
Share Printer
Permission
Quota Management
=> Papercut
Monitoring

Management Requirements:
Snap-in For Print Server Management
Policy for Install Network Printer

Bugs:
1-SPOF in Print Server
Failover Cluster

2-SPOF in Print Device


Multiple Print Devices for a Queue

3-Interface Problem
Network Interface Print Device

****** WDS ******

Win2003 SP1 -> RIS

WDS & SCCM

How to Install OS?!


CD,DVD,Bootable Flash or Network
Boot Image -> WinPE
Install Image -> Sysprep (Generalize)

Pre-Requirements:
NIC with PXE Boot-ROM
DHCP Server for IP Address
WDS with Boot & Install Image

Scenarios:
1- Client , DHCP Server , WDS in the Same Broadcast domain -> UDP 67
2- Client is not in the same broadcast domain as WDS -> options 66 (WDS server), 67 (boot image path)
3- DHCP & WDS Services are on a Same Server
Option 60 & Change Port for WDS Service

Best Practice:
- Install & Configure a DC
- Install a DHCP Server
- Install a WDS Server
wdsmgmt.msc or wdsutil

Boot image does not need Authentication -> TFTP


Install Image need Authentication & Authorization -> SMB
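Added example (not from the original notes): the three PXE placements of the scenarios above expressed as WDS and DHCP settings, with the server answering only pre-staged machines. Assumed: WDS1 = 192.168.1.60, client scope 192.168.10.0, media paths, names and the MAC address are placeholders.

```powershell
Install-WindowsFeature WDS -IncludeManagementTools
wdsutil /initialize-server /reminst:D:\RemoteInstall
wdsutil /set-server /answerclients:known        # only pre-staged computer objects; "all" lets anyone on the VLAN PXE-boot
wdsutil /set-server /authorize:yes

# Scenario 2: clients behind a relay agent -> DHCP tells them where to find PXE (66) and what to load (67)
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -OptionId 66 -Value '192.168.1.60'
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -OptionId 67 -Value 'boot\x64\wdsnbp.com'     # boot\x64\wdsmgfw.efi for UEFI

# Scenario 3: DHCP and WDS on the same server -> WDS must not bind UDP 67, and option 60 = PXEClient
wdsutil /set-server /usedhcpports:no /dhcpoption60:yes
# (equivalent on a separate DHCP server, if ever needed manually)
# Add-DhcpServerv4OptionDefinition -OptionId 60 -Name 'PXEClient' -Type String
# Set-DhcpServerv4OptionValue -OptionId 60 -Value 'PXEClient'

# Images: boot image = WinPE from the media (TFTP, unauthenticated); install image = generalized capture (SMB, authenticated)
Import-WdsBootImage    -Path 'D:\media\sources\boot.wim' -NewImageName 'WinPE x64'
Import-WdsInstallImage -Path 'D:\media\sources\install.wim' -ImageGroup 'Servers' -ImageName 'Windows Server 2019 SERVERSTANDARD'

# Pre-stage a machine by MAC so /answerclients:known lets it boot, then watch the PXE log
New-WdsClient -DeviceName 'SRV-NEW' -DeviceID '00-15-5D-AA-BB-CC' -OU 'OU=Servers,DC=mcse,DC=com' -Domain 'mcse.com'
Get-WinEvent -LogName 'Microsoft-Windows-Deployment-Services-Diagnostics/Operational' -MaxEvents 20
```

The boot image is fetched over TFTP by anyone who can reach UDP 69 on the WDS server; answering only known clients and keeping credentials out of unattend files limits what an attacker on the client VLAN gets from it.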

****** WSUS ******

Usecase for WSUS:


Bug Fix
Add Features

2000 (SP2) or XP
Manual Update:
Check for Update
Download
Test
Install

2000 (SP3) or XP (SP1)


Auto-Update
Problem -> Without Test

1- Check/Download/Install
2- Check/Download/Notify for Install
3- Check/Notify for Download/Notify for Install
4- Windows Update Disabled

Update Process with WSUS:


1- Check
2- Catalog
Product
Classification
3- Approve
4- Download

WSUS Deployment Scenarios:


1- https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/21669459
2- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh852344(v=ws.11)

WSUS Deployment Types


1-WSUS Simple Deployment
With Computer Groups

2-Upstream & DownStream


Updates Only -> Autonomous
Updates + Config -> Replica

3-Disconnected WSUS

4-Mobile Devices

Traffic on Http & Https

Requirements:
Hardware
Optimize
Software
Role & Feature Installation
Database:
WID (Windows Internal Database)
SQL Server as Database -> Failover (Always-on)
Apps for Report
Microsoft Report Viewer 2012
Microsoft System CLR Types for SQL Server 2012
NTFS Drive

BITS:Background Intelligent Transfer Service


Available bandwidth
Percentage of the work is done

Wsusutil
Movecontent

Make Groups & Change Membership

Client side Configuration:


1- Configure Automatic Updates
2- Specify intranet microsoft...
3- Automatic Update Detection Frequency
4- Reschedule Automatic Updates...
5- Re-prompt for Restart...
6- Enable Client Side Targeting & Server Side Targeting

How to backup WSUS?


just for Catalog
wsusutil -> C:\Program Files\Update Services\Tools (add to PATH: sysdm.cpl -> Advanced -> Environment Variables)
Export
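Added example (not from the original notes): the client-side settings 1-6 above written as the registry values the GPO sets, and on the server a target group, an approval and the catalog export for a disconnected WSUS. Assumed: WSUS on https://wsus1.mcse.com:8531 with a trusted certificate, group "Pilot" and paths are placeholders.

```powershell
# --- Client: what the Windows Update policies write under HKLM\SOFTWARE\Policies ---
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item "$wu\AU" -Force | Out-Null
Set-ItemProperty $wu      -Name WUServer           -Value 'https://wsus1.mcse.com:8531'   # 2- intranet update service
Set-ItemProperty $wu      -Name WUStatusServer     -Value 'https://wsus1.mcse.com:8531'
Set-ItemProperty $wu      -Name TargetGroupEnabled -Value 1 -Type DWord                   # 6- client-side targeting
Set-ItemProperty $wu      -Name TargetGroup        -Value 'Pilot'
Set-ItemProperty "$wu\AU" -Name UseWUServer        -Value 1 -Type DWord
Set-ItemProperty "$wu\AU" -Name NoAutoUpdate       -Value 0 -Type DWord                   # 1- automatic updates on
Set-ItemProperty "$wu\AU" -Name AUOptions          -Value 3 -Type DWord                   # 2 notify, 3 download+notify, 4 auto install
Set-ItemProperty "$wu\AU" -Name DetectionFrequencyEnabled -Value 1 -Type DWord            # 3- detection frequency
Set-ItemProperty "$wu\AU" -Name DetectionFrequency -Value 4 -Type DWord                   # hours
Restart-Service wuauserv
UsoClient StartScan                 # 2016 / Windows 10 and later (older: wuauclt /detectnow /reportnow)

# Plain HTTP to WSUS lets a MITM on the path deliver arbitrary "updates"; verify the URL and the TLS endpoint
Get-ItemProperty $wu | Select-Object WUServer,TargetGroup
(Invoke-WebRequest 'https://wsus1.mcse.com:8531/ClientWebService/client.asmx' -UseBasicParsing).StatusCode

# --- Server: group, approval, export ---
$wsus = Get-WsusServer -Name wsus1.mcse.com -PortNumber 8531 -UseSsl
$wsus.CreateComputerTargetGroup('Pilot') | Out-Null
Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'
# Catalog (metadata) only; the content folder goes with robocopy to the disconnected server
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" export 'D:\export\wsus-meta.xml.gz' 'D:\export\export.log'
```

The HTTPS endpoint is the difference between "WSUS is the patch pipeline" and "WSUS is the attacker's software distribution"; the server certificate must chain to a CA the clients trust, which is where the Certificate section comes in.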

****** IIS ******

Web Server -> HTTP & HTTPS


FTP Server -> FTP & FTPS
SFTP -> Serv-U
SMTP Server -> Email (Send) , Port:25
Win2000: IIS 5.0
Win2003: IIS 6.0
Win2008: IIS 7.0
Management Tools

IIS is an important service


Website -> Webserver
Application: Web based Services
Web based Management
WSUS,Exchange,AD,Print Server,ADRMS,CA

Which Modules?

Default Documents
Physical Path

WebDAV -> Web Sharing

Security
Authentication
Basic (not secure: password only Base64-encoded, needs TLS)
Digest
Windows
Web-Based or Form-Based

Inetsrv & Inetpub

Config:
IIS 6.0 -> Registry
IIS 7.0 -> Text

IUSR: built-in account for anonymous requests; IIS_IUSRS: built-in group for application pool identities

Virtual Directory
Redirection

Web Server with Multi websites


IP
Port
Hostname

What is Application Pool?
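Added example (not from the original notes): a second site on the same server selected by host name, its own application pool, an HTTPS binding with a certificate from the machine store (certlm.msc), and Windows authentication instead of Basic. Assumed: host name hr.mcse.com, a certificate with that name in Cert:\LocalMachine\My, paths are placeholders.

```powershell
Install-WindowsFeature Web-Server,Web-Windows-Auth,Web-Http-Redirect,Web-Mgmt-Console
Import-Module WebAdministration

# Own application pool: separate worker process (w3wp.exe) and identity
New-WebAppPool -Name 'HrPool'
Set-ItemProperty IIS:\AppPools\HrPool -Name processModel.identityType -Value ApplicationPoolIdentity

# Site distinguished by Host header (same IP and port as the Default Web Site)
New-Website -Name 'HR' -PhysicalPath 'D:\Sites\hr' -ApplicationPool 'HrPool' -HostHeader 'hr.mcse.com' -Port 80

# HTTPS binding with SNI: pick the newest valid certificate whose SAN covers the host name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains 'hr.mcse.com' -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
New-WebBinding -Name 'HR' -Protocol https -Port 443 -HostHeader 'hr.mcse.com' -SslFlags 1
(Get-WebBinding -Name 'HR' -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')

# Authentication: Basic off, Anonymous off, Windows (Kerberos/NTLM) on, for this site only
$auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -Filter "$auth/basicAuthentication"     -Name enabled -Value False -PSPath IIS:\ -Location 'HR'
Set-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled -Value False -PSPath IIS:\ -Location 'HR'
Set-WebConfigurationProperty -Filter "$auth/windowsAuthentication"   -Name enabled -Value True  -PSPath IIS:\ -Location 'HR'

# HTTP -> HTTPS redirect and a check of the result
Set-WebConfiguration -Filter /system.webServer/httpRedirect -PSPath 'IIS:\Sites\HR' `
    -Value @{ enabled = 'true'; destination = 'https://hr.mcse.com'; httpResponseStatus = 'Permanent' }
Get-WebBinding -Name 'HR' | Format-Table protocol,bindingInformation,sslFlags
(Invoke-WebRequest 'https://hr.mcse.com/' -UseBasicParsing -UseDefaultCredentials).StatusCode
```

Kerberos for the site works only when an SPN HTTP/hr.mcse.com exists on the account the pool runs as; with ApplicationPoolIdentity that is the machine account, which already has it for its own host name but needs it added (setspn) for additional host headers.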

********** Certificate **********

Security: CIA Triad


1- Availability -> SPOF & D-DOS Attack
2- Confidentiality
3- Integrity -> Same data on client & SRV

1- Confidentiality -> encrypted data (Content)


Encryption = Algorithm + Key -> Cryptography
Secret key is problem. What is idea?

One-way or Two-way Encryption:


Two-way Encryption: Symmetric (secret key) & Asymmetric (key pair: public key & private key)

Symmetric: DES (56-bit key) / 3DES (168-bit key, 112 bits effective) / AES (128, 192 or 256-bit key)


Asymmetric: RSA (2048bits) -> Public key & Private Key

Confidentiality + Authentication:
SRV Authentication (Computer Account/Pre-shared key/Certificate) & Client
Authentication (User Account)
Certificate
Issued by & Issued To
Validation Date
Public Key Infrastructure (PKI)
Public Key only: ---.cer (certificate, safe to hand out)
Public + Private Key: ---.pfx (protected by a password; whoever has it can impersonate the owner)
Self-signed or issued by a CA (private or public)

One Way Encryption: Hashing (No Key)


MD5: 128 bits (collisions are practical; not for security use)
SHA: SHA-1 (160 bits, deprecated for signatures) / SHA-256 / SHA-512
Digest: Data -> f(x) -> Code

Hashing Function Specification:

1- f(a)=b is not reversible (one-way: b does not give back a)

2- Fixed output length: f(1 bit) -> 128 bit
f(100 bits) -> 128 bit

3- Collision resistance: f(a) = C and f(b) = C
=> a = b (it is infeasible to find two different inputs with the same digest)
Exm: digest(Data A) = digest(Data B) -> Data A = Data B -> this is what gives us Integrity
digiboy.ir , Google.com

1) P.txt + secret key -> f(x) => C.txt (symmetric: the same secret key decrypts)

2) P.txt + public key -> f(x) => C.txt (asymmetric: only the matching private key decrypts) ---> Confidentiality

3) P.txt + private key -> f(x) => C.txt (anyone with the public key can open it, so it proves who produced it) ---> Authentication

4) P.txt + sender's private key -> f(x) => C.txt, then C.txt + receiver's public key -> f(x) => C'.txt --->
Authentication + Integrity + Confidentiality (sign, then encrypt)

5) P.txt + secret key -> f(x) => C.txt, then C.txt + sender's private key -> f(x) => C'.txt --->
Confidentiality + Integrity (encrypt, then sign)

6) P.txt -> symmetric (secret key) => C.txt
secret key + receiver's public key -> f(x) => wrapped key
Hybrid: the bulk data is encrypted symmetrically and only the short secret key asymmetrically (this is how TLS and EFS work)

Digital signature: P.txt -> Hash (SHA1) -> 160-bit digest, digest + private key -> f(x) => DS

DS : hash of the data, signed with the private key

Certificate: subject's public key + identity (Issued To) + DS by the CA over both (made with the CA's private key)
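Added example (not from the course notes): the hash properties and scenarios 1, 2, 3 and 6 above, run with the .NET crypto classes from PowerShell. All keys are generated in memory and the sample strings are made up; nothing is written to disk.

```powershell
# Added example: one-way hash, symmetric AES, asymmetric RSA, digital signature, hybrid scheme.
# Assumptions: none beyond PowerShell 5.1+ on Windows; all keys are throwaway, in memory.
$utf8 = [System.Text.Encoding]::UTF8
function Hex([byte[]]$b) { ([System.BitConverter]::ToString($b)) -replace '-' }

# --- One-way: hash. Fixed 256-bit output, one changed digit changes the whole digest, no key.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$d1 = $sha256.ComputeHash($utf8.GetBytes('Payroll total: 10000'))
$d2 = $sha256.ComputeHash($utf8.GetBytes('Payroll total: 10001'))
"SHA-256 length (bits): $($d1.Length * 8)"
"digest 1: $(Hex $d1)"
"digest 2: $(Hex $d2)"

# --- Scenario 1: symmetric. The same secret key (and IV) encrypts and decrypts.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
$plain = $utf8.GetBytes('P.txt: quarterly numbers')
$ct    = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
$back  = $aes.CreateDecryptor($aes.Key, $aes.IV).TransformFinalBlock($ct, 0, $ct.Length)
"AES round trip ok: $($utf8.GetString($back) -eq 'P.txt: quarterly numbers')"

# --- Scenario 2: RSA key pair. The receiver keeps the private key; the public half is
#     what a certificate would carry. Encrypt with public -> only private decrypts.
$receiver = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$public   = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$public.ImportParameters($receiver.ExportParameters($false))      # public key only
$small = $utf8.GetBytes('session secret')
$c2    = $public.Encrypt($small, $true)                             # OAEP padding
"RSA decrypt ok: $($utf8.GetString($receiver.Decrypt($c2, $true)) -eq 'session secret')"

# --- Scenario 3 / DS: hash the data and sign the digest with the private key. Anyone with
#     the public key verifies it (authentication + integrity); one flipped bit fails.
$signer = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$ds     = $signer.SignData($plain, 'SHA256')
$tampered = [byte[]]$plain.Clone(); $tampered[0] = $tampered[0] -bxor 1
$verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$verifier.ImportParameters($signer.ExportParameters($false))
"signature valid on original: $($verifier.VerifyData($plain, 'SHA256', $ds))"
"signature valid on tampered: $($verifier.VerifyData($tampered, 'SHA256', $ds))"

# --- Scenario 6: hybrid. Bulk data with AES (fast, any size); only the 32-byte AES key is
#     wrapped with the receiver's public key (RSA-2048 can only encrypt a few hundred bytes).
$wrappedKey = $public.Encrypt($aes.Key, $true)
$unwrapped  = $receiver.Decrypt($wrappedKey, $true)
$back6 = [System.Security.Cryptography.Aes]::Create().CreateDecryptor($unwrapped, $aes.IV).TransformFinalBlock($ct, 0, $ct.Length)
"hybrid round trip ok: $($utf8.GetString($back6) -eq 'P.txt: quarterly numbers')"
```

Scenario 4 and 5 are the same calls composed: SignData on the plaintext, then Encrypt (or AES) on the result, and the reverse order on the receiving side.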

How to create a certificate?!


CA

How a client can authenticate server?!

Example: Web Server & Web Client


Self Signed

CA: Private CA (Internal)


Public CA (Commercial)

SRV:
1- Create a request (CSR) on the server: the private key is generated in the local store and stays there, only the public key goes to the CA
2- Install or import the issued certificate (.cer) to complete the request; a .pfx (certificate + private key) is only needed to move the certificate to another server
3- Binding (https, port 443)

Client:
1- Trust in the issuing CA -> CTL (Trusted Root store)
2- Expiration date
3- Issued To must match the hostname in the URL
4- Revoked?! -> CRL, fetched from the CDP: Base CRL & Delta CRL

Certificate Errors?!

What is wild card Certificate?!

What is SAN (Subject Alternative Name) Certificate?!


Example:
https://www.contoso.com
Certlm.msc
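Added example (not from the course notes): the four client-side checks above (trust, expiry, Issued To, revocation) run by hand against a live HTTPS endpoint instead of trusting the browser padlock. The hostname is the one from the example URL; the function makes no other assumptions and needs outbound TCP 443.

```powershell
# Added example: validate a server certificate the way a client should.
function Test-TlsServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    # Fetch the server certificate. The callback accepts everything so the certificate can
    # be inspected here; the errors the OS reported are kept for the report.
    $ctx = @{ PolicyErrors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $c, $ch, $errors) $ctx.PolicyErrors = $errors; $true }.GetNewClosure()
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()

    # 1- Trust: build the chain up to a root in the machine's Trusted Root store (CTL).
    # 4- Revocation: fetch the CRL from each CDP while building (the root itself is not checked).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # 3- Issued To: the hostname must be in the SAN (or the CN for old certificates).
    #    A wildcard matches exactly one label: *.contoso.com covers www.contoso.com only.
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @()
    if ($san) { $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
    if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('DnsName', $false)) }
    $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -ieq $HostName) { $nameOk = $true }
        elseif ($n.StartsWith('*.') -and ($n.Substring(2) -ieq $parent)) { $nameOk = $true }
    }

    [pscustomobject]@{
        Host           = $HostName
        IssuedTo       = $cert.Subject
        IssuedBy       = $cert.Issuer
        SANs           = ($names -join ' ')
        NameMatches    = $nameOk                                   # check 3
        NotAfter       = $cert.NotAfter
        Expired        = ($cert.NotAfter -lt (Get-Date))           # check 2
        ChainTrusted   = $chainOk                                  # check 1 (+4)
        ChainStatus    = $status                                   # e.g. UntrustedRoot, Revoked, RevocationStatusUnknown
        OsPolicyErrors = $ctx.PolicyErrors
        CDP            = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | ForEach-Object { $_.Format($false) })
    }
}

Test-TlsServerCertificate -HostName 'www.contoso.com' | Format-List
```

ChainStatus of RevocationStatusUnknown means the CRL at the CDP could not be fetched; a client that treats that as success is skipping check 4, which is the usual reason a revoked certificate still "works".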

*** EFS (Encrypting File System) ***

1- Feature of NTFS
2- Usecase & Problems
3- How to Encrypt File & Folders
Encryption: file contents symmetric (AES-256, one File Encryption Key per file) + asymmetric (the FEK is encrypted with the user's public key from an EFS certificate; self-signed if no CA is available)

4- Who can Decrypt?

Certmgr.msc
Note: EFS works transparently (the owner opens and saves files normally)

How to Disable EFS by Policy?

How to Backup Certificates?


Exportable

What is the final solution?


File Server

User With Multiple Certificates


User Accounts Applet

Recovery Agent
Domain Administrator -> for domain-based networks (the default DRA in the Default Domain Policy)
Certificate for File Recovery
cipher /r -> generates the File Recovery certificate (.cer) and its private key (.pfx)
Bind by Policy (the .cer only)
Add Recovery Agent
Install Certificate (the .pfx, only on the machine where recovery is performed)

Encrypt File for Multiple Users (needs the other user's EFS certificate)

File Properties -> Advanced -> Details -> Add
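Added example (not from the course notes): the recovery-agent, encrypt, share and backup steps above, driven with cipher.exe and the PKI cmdlets from PowerShell. Paths, user names and the second user's certificate file are made up.

```powershell
# Added example: EFS recovery agent, encryption, sharing a file, and backing up the key.
# Assumptions: C:\RA holds the RA material, user alice on the client, bob's EFS .cer is at hand.
# Steps 1-2 run once on an admin workstation; steps 3-6 run as the file owner on the client.

# 1- Create the File Recovery certificate + key (cipher prompts for a .pfx password).
#    EFSRecovery.cer (public) goes into policy; EFSRecovery.pfx (private key) can decrypt
#    every file in the domain, so it stays offline.
cipher.exe /r:C:\RA\EFSRecovery
# 2- Domain: Default Domain Policy -> Public Key Policies -> Encrypting File System ->
#    Add Data Recovery Agent -> EFSRecovery.cer. Stand-alone: Add Recovery Agent in secpol.msc.
#    Either way it is the .cer, never the .pfx, that gets bound by policy.

# 3- Encrypt a folder; everything created inside it is encrypted transparently on write.
$folder = 'C:\Users\alice\Documents\Private'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
cipher.exe /e "/s:$folder"
Set-Content -Path "$folder\notes.txt" -Value 'encrypted on write'

# 4- Who can decrypt? Lists the user certificates and the recovery agents on the file.
cipher.exe /c "$folder\notes.txt"

# 5- Share one encrypted file with a second user: needs that user's EFS certificate
#    (public part, .cer) exported from their profile or published in AD.
cipher.exe /adduser /certfile:C:\RA\bob-efs.cer "$folder\notes.txt"

# 6- Back up the own EFS certificate WITH the private key ("Exportable"). Without it a
#    reinstalled profile or a new machine cannot open the files, whatever the ACL says.
$efsEku = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System EKU
$mine = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $efsEku) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
$pw = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $mine -FilePath C:\RA\alice-efs.pfx -Password $pw | Out-Null

# Check: cipher /c must list alice's thumbprint, bob's certificate and the recovery agent.
cipher.exe /c "$folder\notes.txt"
```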

****** CA ******
Internal CA or Private CA
External CA or Public CA

Root CA
Subordinate CA
Issuing CA (the subordinate that issues the end-entity certificates)
Offline Root CA (kept powered off; only signs the subordinate CA certificate and its own CRL)

Microsoft CA
Stand-Alone (Workgroup & Domain Model)
Enterprise (Domain Model)

Server Manager
1-Install ADCS Role
CA Web Enrollment (IIS)

2-Configure CA
Certlm.msc -> Computer
inetmgr
Certsrv.msc -> CA Management Tool (Console)
Request Filtering?!
Certificate Templates
Pending Requests
properties -> Policy Modules -> Properties

3-Web based Request


http://CA/certsrv
Binding https

4-Install Certificate
Certmgr.msc -> User
Export?

Extensions

Create Certificates
Web Based
By Service Console
By Certlm Console
By Policy (autoenrollment)

What's the problem -> Private Key: the key pair must live on the server that will use the certificate; a request made elsewhere leaves the private key on the wrong machine (and needs a .pfx export to move it), so create the request on the server itself:

Create Public Key (Request) by Console -> CSR; the private key stays on the server
Submit to CA
Complete Request
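Added example (not from the course notes): "create request by console -> submit -> complete" with certreq.exe, followed by the https binding. The key pair is generated in the server's machine store and never leaves it; only the PKCS#10 request goes to the CA. The CA name ca01.contoso.local\Contoso-CA, the built-in WebServer template and the hostnames are assumptions.

```powershell
# Added example: CSR on the web server, submit to an Enterprise CA, complete, bind.
# Assumptions: CA config string and names are made up. Run elevated on the web server.
$fqdn  = 'www.contoso.local'
$caCfg = 'ca01.contoso.local\Contoso-CA'        # assumption; enumerate CAs with: certutil -dump
$work  = 'C:\CertReq'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1- Request definition. Exportable = FALSE: the key can never be pulled out as a .pfx later.
@"
[NewRequest]
Subject = "CN=$fqdn, O=Contoso, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=contoso.local&"
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\$fqdn.inf" -Encoding ASCII

# 2- Create the key pair and the CSR (the .req carries the public key only).
certreq.exe -new "$work\$fqdn.inf" "$work\$fqdn.req"

# 3- Submit. An Enterprise CA whose template auto-issues returns the certificate at once.
#    A stand-alone CA (or a template that needs approval) leaves it in Pending Requests:
#    approve in certsrv.msc or with "certutil -resubmit <RequestId>", then fetch it with
#    "certreq -retrieve <RequestId> cert.cer" and continue with step 4.
certreq.exe -submit -config $caCfg "$work\$fqdn.req" "$work\$fqdn.cer"

# 4- Complete: pairs the issued certificate with the private key waiting in the machine store.
certreq.exe -accept "$work\$fqdn.cer"

# Check: the certificate must show a private key and both SAN entries.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$fqdn*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$cert | Format-List Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint
($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)

# Binding (the SRV step 3 from the certificate notes).
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -HostHeader $fqdn -SslFlags 1
New-Item -Path "IIS:\SslBindings\!443!$fqdn" -Value $cert -SSLFlags 1 | Out-Null
```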
