Course Objectives
As Active Directory enters its "tweens," most AD admins and managers
have moved from "how do I design and set this up?" to "now that I'm
running a 10-year-old AD that someone else created and is now gone, how can I most easily and cheaply manage it,
fix it, and streamline it?" Active Directory consultant and expert
Mark Minasi, author of the best-selling Mastering Windows Server
book series, answers those questions every day for his clients... and
now he can answer them for you.
In a special one-day, reduced-price "hey, don'tcha know there's a
depression on?" course, Mark begins by explaining the down-and-dirty
details of troubleshooting DNS, which AD old-timers will know is the
root of most AD problems, and dispels a pernicious myth about R2's DNS
server and Extensions to DNS (EDNS). Following that, you'll see
how to kick nslookup to the curb, replacing it with the far more
powerful (and free!) Domain Information Groper tool, better known as "dig."
From there, you'll learn about using event logs, Netlogon logs and
Kerberos logs to take logon troubleshooting to the next level, including
step-by-step instructions on using Network Monitor to show exactly
what's happening in a failed logon. This "AD troubleshooting" first part ends with a quick examination of
the ongoing security threat posed by NTLM logons, and how to find and
eradicate them before someone uses them to penetrate your network.
Next, we'll move to Part Two, a multi-pronged discussion of
virtualizing domain controllers. We've been virtualizing various
kinds of servers for years, but virtualizing DCs has always carried the
faint whiff of "hey, go ahead and do that, but it's your funeral!" and
so you'll learn how virtualizing affects clock synchronization, server
imaging/duplicate SID issues, and replication. Most important,
though, you'll learn how to address each of those situations to ensure worry-free
DC virtualization.
In Part Three, Mark leads you through an all-new, practical,
example-filled guide to getting started using PowerShell to simplify a
wide variety of admin tasks... even if you've never used PowerShell.
One recent attendee told Mark that he was able to clean up years of
accumulated AD junk in an AD that he'd just inherited... and he got it
done before the class was even over! (We do recommend,
however, that in general you'll want to be careful about actually
modifying your production network while in class... but apparently it
did work out well for at least one attendee.) We're
pretty sure that every attendee will walk away with at least one "hey, I
could use that!" moment in the PowerShell section.
We'll be offering a longer two-day version of this course starting
some time in 2012 with our standard hasn't-changed-since-1998
per-student price of $1000, but as times are still tough and because
Mark's still working out the exact course flow and content, we're offering this
one-day class for $399 per student for a limited number of sessions
instead of the standard $500/student rate for a one-day class.
(And trust us, just avoiding one DC virtualization error or
saving two days' work by creating a PowerShell one-liner will make the
class more than pay for itself.)
Join Mark for a fun, fast-paced, lucid discourse on getting your AD
work done better and faster!
Key Seminar Benefits
- Learn how "QAAA" -- Question, Answer, Authority and Additional
-- is the key to cracking even the most frustrating DNS name resolution
puzzles
- Discover where to get and how to use "dig," a great free DNS troubleshooting
tool
- Understand why the all-too-common advice to "disable EDNS," a bit of
non-wisdom found on many Internet blogs, is a horribly bad idea, and how
to identify and solve the problems supposedly created by EDNS
- See the easy way to use Network Monitor's or Wireshark's power
to troubleshoot DNS and Kerberos problems... anyone can do it!
- Find out how to enable and read Netlogon's debug log to help you
smoke out logon problems
- Know how Kerberos logon tickets work and, sometimes, how they can
not work (and what to do about it)
- Understand Kerberos "token bloat" and "ticket bloat," how it's going
to be more and more common as time goes on, and how to monitor and
remediate such problems
- Grasp the nature of network security threats posed in modern-day ADs
by LM and NTLM logons and the tools that will enable you to eradicate
them
- Understand the basic problems that virtualization poses for domain
controllers
- Choose the right approach to time synchronization in virtualized
environments
- Learn how to avoid the most common problems arising from imaging
virtual servers in an AD
- Master the AD replication concepts that can lead to a serious -- and
hard to eradicate -- AD failure called "USN bubbles," as these bubbles
are, well, fairly hard to pop
- Configure R2's nifty new AD-related PowerShell cmdlets so that you
can use them even if your "newest" DC only runs Server 2003 R2
- Save time by getting the scoop on what does and doesn't make sense
AD-wise with PowerShell
- Learn PowerShell basics "in passing" as you see how to solve thorny
AD admin tasks with simple PowerShell "one-liners"
- Uncover the "filter" commands and the "hammer" commands that, when
glued together, let you accomplish in an hour or so what would have
taken days of VBScript/ADSI coding... and start building your own
library of PowerShell power tools
Course Outline
- DNS Queries Explained
When DNS doesn't work, neither does AD, and the "atomic" part of DNS is the
query. We'll start off by examining queries in greater-than-usual
detail, so we can understand how to fix them when they break.
- DNS servers and recursion across the Internet and inside the
firewall
- Transient ports and transaction IDs
- UDP, TCP, and the answer to "why there are only 13 root
servers?"
- Cracking Open Queries
Now we're ready to take DNS queries down to
the "bare metal" with an old friend, Network Monitor. (What's that
you say, Netmon and you aren't old friends? Fear not...
Mark's defanged Netmon for thousands, and you too will be a Netmon lover
by the time we're done.)
- Netmon acquisition and setup for minimum annoyance
- Tips on getting traces
- Filtering in Netmon
- Picking apart a DNS packet
- Understanding QAAA
- Knowing your baseline: a successful query, step by step in
Netmon
- Next step: a method of tracking dynamic DNS updates
- A better DNS tool: DIG
- Extensions to DNS (EDNS)
By now, you'll know plenty about DNS queries,
and you'll also know that while DNS is an amazingly robust system,
it's based on a bunch of quarter-century-old assumptions that don't really
reflect the reality of today's TCP/IP networks, and that those
assumptions are cramping DNS performance. Fortunately there's a
workaround for all of that called Extensions to DNS (EDNS). Even
more fortunately, Microsoft DNS has supported EDNS since 2003, if
you enable it. R2 finally did enable it, and many people think
that's a bad idea. Mark disagrees, but it's your call -- and this
section will equip you to make that call.
- EDNS goals: more flags, bigger packets
- Solving the all-important backward compatibility issue
- Firewalls and EDNS: busting the "EDNS breaks DNS" myth
- Configuring EDNS on Windows DNS servers
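The following is an added example, not material from the course or from Mark Minasi: it shows the QAAA sections for the SRV record clients use to find a DC, then runs the same query with and without EDNS so you can tell a real firewall problem from the "EDNS breaks DNS" myth, and finally reads the Windows DNS setting the blogs tell you to turn off. It assumes dig (from the BIND tools) is installed on the admin box, and that corp.example.com and dc01.corp.example.com are placeholders for a domain and a Windows DNS server you control.

```powershell
# Added example (not part of the course): QAAA, EDNS testing and the Windows EDNS switch.
$domain = 'corp.example.com'         # assumed domain name
$server = 'dc01.corp.example.com'    # assumed Windows DNS server (a DC)
$q      = "_ldap._tcp.dc._msdcs.$domain"   # the SRV record a client asks for to locate a DC

# 1. Question / Answer / Authority / Additional for one query.
#    +norecurse asks the server only what it knows itself, which is what you want
#    when checking a DC that should be authoritative rather than chasing the Internet.
dig "@$server" $q SRV +norecurse +noall +question +answer +authority +additional

# 2. Is EDNS really the problem? Same query three ways. Watch the 'status:', 'flags:'
#    (tc = truncated) and 'MSG SIZE' lines. If only the EDNS/4096-byte form fails,
#    something in the path (often a firewall that insists DNS over UDP is 512 bytes)
#    is dropping or mangling EDNS packets. The fix belongs on that device, not on the server.
dig "@$server" $q SRV +noedns               +stats | Select-String 'status:|flags:|MSG SIZE'
dig "@$server" $q SRV +edns=0 +bufsize=4096 +stats | Select-String 'status:|flags:|MSG SIZE|EDNS'
dig "@$server" $q SRV +tcp                  +stats | Select-String 'status:|flags:|MSG SIZE'

# 3. Windows DNS: EDNS probing is on when EnableEDnsProbes is 1 (the 2008 R2 default).
#    dnscmd is the built-in tool for server settings.
dnscmd $server /Info EnableEDnsProbes
# If someone followed the "disable EDNS" advice and you want it back on:
# dnscmd $server /Config /EnableEDnsProbes 1
```

A DC that answers correctly with +noedns and +tcp but fails with +edns=0 +bufsize=4096 is the signature of a middlebox, not of a broken DNS server; the same three-way test works against any server in the resolution path.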
- Logon Troubleshooting I: Event Logs and Netlogon
If it isn't
DNS, it's time to put on that caving helmet with the light on it and start
exploring Windows' labyrinthine logon processes. Our first two guides:
event logs and the Netlogon log. Here's how to do it.
- What to audit on event logs
- "Logon" events versus "Account logon" events
- Reminder: event logs can be consolidated
- Activating Netlogon logs
- A plan for deciphering Netlogon logs
- Logon Troubleshooting II: Cracking Open Kerberos
Once we've
established the specifics of a logon failure (what didn't log on when, and
some of the "why"), we may still need to look deeper, and Kerberos is about
as deep as you can go. In this section, you'll quickly review how
Kerberos works, see how to use Network Monitor to track it, and understand
common sources of Kerberos failures.
- Kerberos basics: users, services, tickets, and the Key
Distribution Center (KDC)
- Kerberos clues with KLIST
- Strengthening Kerberos with Server 2008/R2 and Windows 7/Vista
- Kerberos tracking with Network Monitor
- Kerberos uses UDP or TCP... when do you care?
- Activating Kerberos logging and finding sources to decipher the logs
- Understanding token bloat and ticket bloat
- Tools to track bloat
- Strategies to avoid bloat
- Future glimpse in brief: how Windows 8 battles bloat
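As an added example that is not part of the course, here is one way to "track bloat" from the command line: it estimates each user's Kerberos token size with the formula Microsoft publishes in KB 327825 (TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups outside the user's domain and SID-history entries, and s counts global groups and universal groups in the user's domain) and compares that with the MaxTokenSize the workstations are running under. It assumes the RSAT ActiveDirectory module and a domain-joined admin box; the 0.8 warning threshold is this example's own choice.

```powershell
# Added example (not from the course): estimate token size per user (KB 327825 formula).
Import-Module ActiveDirectory

function Get-TokenSizeEstimate {
    param([Parameter(Mandatory)][string]$Identity)

    # tokenGroups is the fully expanded (nested) group membership, returned as SIDs.
    $user       = Get-ADUser -Identity $Identity -Properties tokenGroups, sidHistory
    $homeDomain = $user.SID.AccountDomainSid

    $d = @($user.sidHistory).Count    # every SID-history entry costs 40 bytes
    $s = 0
    foreach ($sid in $user.tokenGroups) {
        $group = Get-ADGroup -Identity $sid.Value -Properties GroupScope -ErrorAction SilentlyContinue
        if (-not $group) { $d++; continue }   # builtin or foreign-domain SID: count it on the expensive side
        switch ($group.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sid.AccountDomainSid -eq $homeDomain) { $s++ } else { $d++ } }
        }
    }
    $estimate = 1200 + 40 * $d + 8 * $s

    # MaxTokenSize: 12000 bytes is the default before Windows 8 / Server 2012 when the value is absent.
    $kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $max = (Get-ItemProperty -Path $kerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if (-not $max) { $max = 12000 }

    [pscustomobject]@{
        User           = $user.SamAccountName
        Groups         = @($user.tokenGroups).Count
        SidHistory     = @($user.sidHistory).Count
        EstimatedBytes = $estimate
        MaxTokenSize   = $max
        AtRisk         = ($estimate -gt ($max * 0.8))   # example threshold, not a Microsoft number
    }
}

# Worst offenders in the domain, largest token first (one Get-ADGroup call per group
# per user, so run it off-hours in a big forest).
Get-ADUser -Filter 'enabled -eq $true' |
    ForEach-Object { Get-TokenSizeEstimate -Identity $_.SamAccountName } |
    Sort-Object EstimatedBytes -Descending |
    Select-Object -First 20 | Format-Table -AutoSize

# On a workstation, klist in the user's own session lists the tickets actually held;
# klist purge forces fresh, smaller tickets after you have trimmed group memberships.
```

The estimate is deliberately pessimistic (unresolvable SIDs land in the 40-byte bucket), so a user flagged AtRisk is worth a look, and a user reported well under the limit who still fails logon points at something other than token size.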
- Securing your AD from NTLM/LM
As if you didn't already have
enough to do, we're afraid Mark's got to make you worry about
something else: NTLM logons. Yup, NTLM's been around for
a long time, and yup, it's always been one of those "one of these
days we'll have to worry about this..." things, and unfortunately,
it's one of those days. In this section, you'll learn why you
give a hoot about NTLM logons and, best of all, how R2's making your
life a bit easier in tracking down and eradicating those logons.
- The NTLM and LM threat: why now?
- How NTLM creeps into Kerberos-centric ADs
- NTLM restriction policies
- A sample test that'll produce NTLM every time... via a bug in the
NET command
- Virtualized DCs and Time
In this section, we start the second part
of the class, where we'll explain how to safely run your DCs as virtual
machines. The first trouble spot is time synchronization.
- Time sync drift review in Windows
- How VMs cause troubles for time
- An alternative time sync strategy
- Implementing the strategy most easily
- Virtualized DCs and Imaging
The ease of system rollout with imaging tools, starting with Ghost in the mid-1990s and later ImageX,
revolutionized desktop OS deployment. Since then, the
simplicity of imaging virtual server images has led to many
organizations rolling out legions of member servers, and some of those
servers bear security IDs (SIDs) that are identical to their cybernetic brethren's
and sistren's. Is running a bunch of servers with the same SIDs a
bad thing? Well, asking that question in a room full of server
admins can actually generate more heat than the "which is better, PC or
Mac" question, but there is a right answer to the question. As you'll find out
in this section, duplicate SIDs can lead to a bunch of serious
problems... and you'll find out how to handle those problems in this
section. (By the way, Mark asked us to assure our readers
that "sistren" is indeed an English word, albeit one not used in quite a
while, and here a while means a Canterbury Tales' timeframe.)
- Review: SIDs, systems and security
- Some things you may not know about SIDs
- Where duplicate SIDs get domains in trouble
- The case for Sysprep
- Looking After Replication in a Virtual Environment
AD replication is really quite robust -- Mark's only seen a few serious
replication failures in the past decade or so -- but the rise of virtualized
DCs, in combination with snapshots has changed that story. AD's
replication structure is well thought-out, with a lot of internal
consistency checking and an impressive ability to detect and heal
replication problems. It has one flaw, however: the AD folks at
Microsoft designed AD with the assumption that time always goes forward.
With virtual machines, though, that's not a good assumption, as restoring a
snapshot does what only H.G. Wells and Doctor Who had done previously --
running time backward. In this section, you'll learn exactly what
happens when the clock runs backwards for AD, and how you can step into
Jean-Claude Van Damme's role as Time Cop and avoid polluting your AD's time
stream.
- AD replication review: USNs, high-watermarks, up-to-dateness
vector tables, and all that other stuff that you used to know but have
forgotten because AD replication works so well that you never had to
worry about it
- How restoring snapshots creates "USN bubbles" and why they are so
very bad
- Database identifiers: how the Invocation ID makes life easier for us
time cops
- Safe time travel with a couple of Registry entries
- A very brief trip into the future for a glimpse of how Windows 8
Server makes AD time travel safer
- AD's New PowerShell Tools: A Brief Intro
For many of us,
PowerShell's been a great-sounding idea that we've skipped so far
because, well, it surely sounds nice but it's not clear how it'll make
our AD administrative tasks all that much easier, right? Well, not
really right any more, as Microsoft has released 76 PowerShell
tools ("cmdlets," in PowerShell-speak) that not only make tasks that
once took days into ones that you can accomplish in an hour or two,
they didn't make us upgrade to R2 to use them. In this
section, we'll quickly cover the barest of PowerShell basics so we're ready to
meet some real power tools.
- Getting PowerShell for your AD
- The sort of stuff that PowerShell's good at, versus what it's not so
good at
- PowerShell power tools: a taste of why PowerShell will win you
over
- The PowerShell AD automation approach: the "filter" and the
"hammer"
- Collecting the Users: Understanding PowerShell's AD Filters
Some AD tasks are one-off, single-user jobs that take a moment and so
may not justify automation in every admin's mind. Other tasks, though,
particularly in ADs that have passed through a few generations of
administrators, look like "find all of the users with such-and-such
problem or characteristic and do such-and-such to those users."
Solving such tasks manually is time-consuming and mind-numbing, which
is why we'll want to know how to attack them with PowerShell. (Another
reason is that if we don't attack them with PowerShell and enjoy the
speed and efficiency that automation offers, then, well, we soon might
not have a job that involves AD administration, if you know what we
mean.) In this section, you'll learn about four PowerShell cmdlets
that make finding users under a given set of criteria a snap. In
the process, you'll also learn the basic "tricks of the trade" that all
PowerShell users need to know.
- Using get-aduser to collect users by attributes and location in the
forest
- Zeroing in on account problems: search-adaccount lets you find
inactive, disabled, locked-out and expired accounts
- Get-adobject: a more complex, but wider-spectrum search tool
- Get-adgroupmember: grabbing users by their group memberships
- Dropping the Hammer: Now That You've Got 'Em...
Once you've
winnowed out just the users that you want, what do you want to do to
them? Change their manager? Delete them? Unlock their
accounts? Force them to set a new password when next they log on?
There's an app -- or, rather, a cmdlet -- for all of those, and many
more, as you'll learn in our last section.
- Changing attributes with set-aduser
- Changing passwords
- Account changes: unlocking, enabling, disabling and more
- Moving and deleting accounts
- Changing group memberships
- Next steps: where to go from here to explore PowerShell more thoroughly
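To show the "filter, then hammer" pattern from the last two sections end to end, here is an added example that is not part of the course: Search-ADAccount and Get-ADUser do the filtering, and Set-ADUser, Disable-ADAccount, Move-ADObject, Unlock-ADAccount and Remove-ADGroupMember do the hammering. Every hammer runs with -WhatIf so the script only reports what it would change; remove -WhatIf only after you have read the list (and not, as one attendee did, from the classroom). It assumes the RSAT ActiveDirectory module, and the OU name, the 90-day and 30-day windows and the Domain Admins cleanup are this example's own choices.

```powershell
# Added example (not from the course): collect stale users (filter), then act on them (hammer).
Import-Module ActiveDirectory

$staleOu = 'OU=Stale,DC=corp,DC=example,DC=com'    # assumed quarantine OU
$report  = "$env:TEMP\stale-users-$(Get-Date -Format yyyyMMdd).csv"

# Filter 1: enabled users with no logon in 90 days. Search-ADAccount uses lastLogonTimestamp,
# which replicates but is only refreshed about every 14 days, so "90" really means "at least ~76".
$stale = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90.00:00:00 |
         Where-Object { $_.Enabled } |
         Get-ADUser -Properties LastLogonDate, Description, Manager
$staleNames = $stale | ForEach-Object { $_.SamAccountName }

# Filter 2: a hand-written -Filter: enabled accounts created 30+ days ago that never logged on
# anywhere (lastLogonTimestamp has never been set).
$neverUsed = Get-ADUser -Filter 'enabled -eq $true -and lastLogonTimestamp -notlike "*"' -Properties whenCreated |
             Where-Object { $_.whenCreated -lt (Get-Date).AddDays(-30) }

# Always keep a record of what you are about to hammer.
$stale | Select-Object SamAccountName, DistinguishedName, Description, LastLogonDate |
    Export-Csv -Path $report -NoTypeInformation

# Hammer 1: stamp the description so the next admin knows why, then disable.
$stale | Set-ADUser -Description "Disabled $(Get-Date -Format d): inactive 90+ days" -WhatIf
$stale | Disable-ADAccount -WhatIf

# Hammer 2: move them out of their home OUs into the quarantine OU.
$stale | Move-ADObject -TargetPath $staleOu -WhatIf

# Hammer 3: never-used accounts must set a new password at next logon.
$neverUsed | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# Hammer 4: unlock whoever is locked out right now (a filter and a hammer on one line).
Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount -WhatIf

# Hammer 5: group cleanup: no stale account keeps a seat in Domain Admins.
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $staleNames -contains $_.SamAccountName } |
    ForEach-Object { Remove-ADGroupMember -Identity 'Domain Admins' -Members $_ -WhatIf }
```

Read the -WhatIf output and the CSV, then rerun the hammers without -WhatIf; the description stamp and the CSV are what let you (or your successor) reverse a mistake a month later with the same filter-and-hammer pattern in the other direction.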
Course Materials and Course Format
The class works from PowerPoint presentations. Every attendee
gets a printed copy of the PowerPoints. To make it possible to run
this course in a single day, it runs in mainly lecture/demo format.
You'll see an R2-based AD run through its paces in a series of interesting
and explanatory demonstrations.
Arranging a Course At Your Location
We offer this class as a public seminar occasionally; you can view the current schedule at www.minasi.com/pubsems.htm.
But you needn't wait — Mark can come to your organization to teach it
on-site. On-site classes offer you the flexibility to lengthen or shorten
the class, add hands-on labs, modify the course's focus and zero in on
your group's specific needs. For more info, please contact our
office at (757) 426-1431 between noon and five PM Eastern time or email
assistant@minasi.com to
discuss scheduling and fees.