1
00:00:01,340 --> 00:00:02,530
In this demonstration,

2
00:00:02,530 --> 00:00:06,540
we're going to look at hardening a read-only domain controller.

3
00:00:06,540 --> 00:00:10,040
We'll also look at authentication policy silos.

4
00:00:10,040 --> 00:00:13,260
Now you're looking at the desktop of a member server.

5
00:00:13,260 --> 00:00:14,090
Let's take a look.

6
00:00:14,090 --> 00:00:18,060
Let's go into Server Manager and Local Server.

7
00:00:18,060 --> 00:00:21,050
It looks like, I know the text may be small depending upon

8
00:00:21,050 --> 00:00:23,540
your screen size, I apologize about that.

9
00:00:23,540 --> 00:00:29,340
The computer name is rodc1, and I am joined to the timw.info

10
00:00:29,340 --> 00:00:32,740
Active Directory Domain Services domain.

11
00:00:32,740 --> 00:00:35,740
Now you might be accustomed to Add Roles and Features.

12
00:00:35,740 --> 00:00:39,220
We're also going to be working with Windows Admin Center a fair amount.

13
00:00:39,220 --> 00:00:43,940
Knowing all of the various first-party admin tools is really crucial to

14
00:00:43,940 --> 00:00:46,920
your success as a hybrid cloud administrator.

15
00:00:46,920 --> 00:00:50,810
I'm talking both the inbox Windows Server Management tools, and

16
00:00:50,810 --> 00:00:53,650
also the main Microsoft-provided Azure one.

17
00:00:53,650 --> 00:00:57,780
Speaking of which, we have the Visual Studio Code Editor,

18
00:00:57,780 --> 00:01:01,740
which I just strongly recommend that you standardize on.

19
00:01:01,740 --> 00:01:04,740
So what we've got here, let me zoom in the font quite a bit,

20
00:01:04,740 --> 00:01:08,420
I've got a script file called additional-dc-rodc-timw.info,

21
00:01:08,420 --> 00:01:11,440
and it's walking you through,

22
00:01:11,440 --> 00:01:15,410
first of all, installing AD on a server. I'm going to actually run that

23
00:01:15,410 --> 00:01:20,330
right now by right-clicking and running that selection. And then the rest

24
00:01:20,330 --> 00:01:22,470
of the script walks us through. First of all,

25
00:01:22,470 --> 00:01:24,500
we're setting up some variables.

26
00:01:24,500 --> 00:01:24,850
Now,

27
00:01:24,850 --> 00:01:27,570
are you going to want to put a plaintext password in

28
00:01:27,570 --> 00:01:30,130
source code control? Absolutely not.

29
00:01:30,130 --> 00:01:32,260
There's plenty of other ways to go about it,

30
00:01:32,260 --> 00:01:36,430
but this is a way for you to create a credential object by providing

31
00:01:36,430 --> 00:01:40,300
a password initially in plaintext and converting it to a secure

32
00:01:40,300 --> 00:01:45,210
string, as you can see on line 4. And then once you have Active

33
00:01:45,210 --> 00:01:47,010
Directory installed on the server,

34
00:01:47,010 --> 00:01:51,340
you then have the rest of the AD PowerShell commands at your disposal.

35
00:01:51,340 --> 00:01:56,310
So, Install-ADDSDomainController allows us to bring this machine up,

36
00:01:56,310 --> 00:01:59,840
to promote this machine into the target domain.

37
00:01:59,840 --> 00:02:03,630
I would want it to be a DNS server, but then this is critical right here,

38
00:02:03,630 --> 00:02:05,740
ReadOnlyReplica:$true.

39
00:02:05,740 --> 00:02:08,030
That's going to make sure that the Active Directory

40
00:02:08,030 --> 00:02:12,040
database and the DNS zone are both read-only.

41
00:02:12,040 --> 00:02:16,380
Then we have our Active Directory initial site designation. Then I

42
00:02:16,380 --> 00:02:19,630
have some sample code here for you to populate the

43
00:02:19,630 --> 00:02:23,860
Denied-RODC-Password-Replication-Group. This first one here on line

44
00:02:23,860 --> 00:02:27,660
15 is just a Get where you're looking to enumerate the current

45
00:02:27,660 --> 00:02:30,540
membership using the PowerShell pipeline.

46
00:02:30,540 --> 00:02:34,970
Then on 19, it looks like we're doing the same thing, basically.

47
00:02:34,970 --> 00:02:40,440
We're looking at the membership of Allowed-RODC-Password-Replication-Group.

48
00:02:40,440 --> 00:02:43,860
And then lastly, some prepopulate passwords if you want to bring

49
00:02:43,860 --> 00:02:47,360
over passwords for certain users to the RODC.

50
00:02:47,360 --> 00:02:51,840
That's going to be important if your RODC is in a disconnected environment.

51
00:02:51,840 --> 00:02:54,200
So do you have to use PowerShell to configure and

52
00:02:54,200 --> 00:02:57,240
harden an RODC? Absolutely not.

53
00:02:57,240 --> 00:02:59,960
But I want to make sure to include PowerShell in the course.

54
00:02:59,960 --> 00:03:04,320
I do give you the script file in the exercise files, by the way, because

55
00:03:04,320 --> 00:03:07,170
as I'm sure I've told you many, many times, you will see

56
00:03:07,170 --> 00:03:11,730
intermediate-level PowerShell on your exam, and the way it will manifest

57
00:03:11,730 --> 00:03:15,870
is something like you'll see a script like this and interspersed you'll

58
00:03:15,870 --> 00:03:19,260
have these drop-down list controls, these active elements.

59
00:03:19,260 --> 00:03:23,840
This is why Microsoft calls this an active screen exam item.

60
00:03:23,840 --> 00:03:27,350
And so, for instance, here this read-only replica would be a

61
00:03:27,350 --> 00:03:30,780
drop-down, and it would have that clause as one option, but then

62
00:03:30,780 --> 00:03:33,240
there would be several incorrect options.

63
00:03:33,240 --> 00:03:36,770
So, you do have to understand PowerShell, which is why I'm

64
00:03:36,770 --> 00:03:38,780
being sure to include it in the course.

65
00:03:38,780 --> 00:03:41,240
Well, other than the fact I believe in it.

66
00:03:41,240 --> 00:03:43,520
Let's do the promotion, though, graphically here.

67
00:03:43,520 --> 00:03:46,190
So let me come back to Server Manager,

68
00:03:46,190 --> 00:03:51,100
refresh the view, and you can see we now have AD DS as a management

69
00:03:51,100 --> 00:03:54,060
node. And if we open our notification window,

70
00:03:54,060 --> 00:03:56,860
we've got our traditional prompt to promote this

71
00:03:56,860 --> 00:03:58,590
server to be a domain controller.

72
00:03:58,590 --> 00:04:03,140
So, I'm actually showing you some ways out of the box

73
00:04:03,140 --> 00:04:08,840
to harden an RODC as you deploy it, which in my opinion is the best way to do it.

74
00:04:08,840 --> 00:04:13,240
So let me see, we're going to add a domain controller to an existing domain.

75
00:04:13,240 --> 00:04:16,310
Here's the domain, and I will use my current credentials.

76
00:04:16,310 --> 00:04:17,540
So that's fine.

77
00:04:17,540 --> 00:04:19,240
Let's go to Next.

78
00:04:19,240 --> 00:04:22,560
We want to make sure here to specify RODC.

79
00:04:22,560 --> 00:04:26,080
That's absolutely critical, as well as a unique

80
00:04:26,080 --> 00:04:28,840
Directory Services Restore Mode password.

81
00:04:28,840 --> 00:04:30,620
Remember, I've mentioned all that already.

82
00:04:30,620 --> 00:04:32,340
Let's click Next.

83
00:04:32,340 --> 00:04:35,780
This is where we have the administrator role separation.

84
00:04:35,780 --> 00:04:41,020
So let me select to browse our domain. And let me see, if memory

85
00:04:41,020 --> 00:04:45,140
serves, I believe I have an administrator named Carl.

86
00:04:45,140 --> 00:04:47,240
So let me bring Carl in, and Carl,

87
00:04:47,240 --> 00:04:51,700
let's assume, is going to work as a local administrator at that branch office.

88
00:04:51,700 --> 00:04:56,200
And then we have our Allowed RODC Password Replication group.

89
00:04:56,200 --> 00:04:57,940
Anybody in here,

90
00:04:57,940 --> 00:05:02,070
let's say members of our accounting staff work out there, accounts that are

91
00:05:02,070 --> 00:05:06,940
allowed to replicate passwords besides the default one, I'm bringing in

92
00:05:06,940 --> 00:05:11,760
accounting separately, but we just as well could put those users in the

93
00:05:11,760 --> 00:05:15,120
Password Replication Group itself for convenience.

94
00:05:15,120 --> 00:05:19,770
And then notice that for Security, accounts that are in the Denied

95
00:05:19,770 --> 00:05:22,930
Password Replication group include administrators,

96
00:05:22,930 --> 00:05:26,190
server operators, and you may very well want to add your

97
00:05:26,190 --> 00:05:28,190
other high-value groups to this list.

98
00:05:28,190 --> 00:05:32,010
Now, of course, you can change these RODC options after the fact.

99
00:05:32,010 --> 00:05:33,720
It's just that, as a best practice,

100
00:05:33,720 --> 00:05:37,400
we're specifying this at deployment time so that the

101
00:05:37,400 --> 00:05:40,540
RODC, when it's being deployed out,

102
00:05:40,540 --> 00:05:46,570
comes on in a relatively secure way. Install from media, or IFM, is useful

103
00:05:46,570 --> 00:05:50,210
if your RODC is going to be installed in a branch office,

104
00:05:50,210 --> 00:05:55,040
particularly one with limited or no bandwidth to your read/write controllers.

105
00:05:55,040 --> 00:05:58,450
So you can do an export of the Active Directory database on a

106
00:05:58,450 --> 00:06:01,530
read/write DC, put it on removable media,

107
00:06:01,530 --> 00:06:06,740
let's say, go out to the branch office, and then install from that path.

108
00:06:06,740 --> 00:06:10,490
This is going to make that initial replication much easier because you won't

109
00:06:10,490 --> 00:06:14,030
have to have a connection to a read/write domain controller,

110
00:06:14,030 --> 00:06:18,880
it's just going to be any delta or update changes that the RODC

111
00:06:18,880 --> 00:06:23,600
will need to receive from either any DC, or you could specify to

112
00:06:23,600 --> 00:06:25,840
replicate from a particular DC.

113
00:06:25,840 --> 00:06:29,040
Just giving you control over bandwidth and scope.

114
00:06:29,040 --> 00:06:32,540
There's our directory service path and SYSVOL path.

115
00:06:32,540 --> 00:06:37,600
No big surprise there. We've got an automation script, which is basically the

116
00:06:37,600 --> 00:06:41,430
same thing that I showed you separately. Next, and then,

117
00:06:41,430 --> 00:06:44,130
as you know, once the prerequisites pass,

118
00:06:44,130 --> 00:06:53,000
which it looks like they have, we can install, and after reboot, the server will come back as a read-only domain controller.