Posts

Showing posts with the label Active Directory

Overshare, but underpermission

The bottom line of the linked article: manage access at the NTFS level and leave the share permission itself at Everyone - Full Control (or Authenticated Users - Full Control if you prefer not to grant anything to Everyone). Keep in mind that the effective permission for a user coming in over the network is the more restrictive of the share ACL and the NTFS ACL, so a wide-open share is exactly as safe as the NTFS ACL behind it and no safer. The gain is that one ACL governs both local and remote access and there is only one place to audit. Sources: Best Practices for Share Permissions in Windows Server 2016
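The pattern as an added PowerShell example (my code, not from the linked article): a share that is wide open at the SMB level, locked down by an explicit NTFS ACL, followed by a check of both. The share name, path and the group names CONTOSO\Finance-RW and CONTOSO\Finance-RO are assumptions.

```powershell
# Added example: "overshare, underpermission" on a Windows Server 2012 R2+ file server.
# Run in an elevated PowerShell on the file server. Path, share and group names are assumptions.

$Path  = 'D:\Shares\Finance'
$Share = 'Finance'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# 1. Share level: Everyone - Full Control. This is NOT what users end up with;
#    the NTFS ACL below is the effective permission. Access-based enumeration
#    additionally hides folders a user cannot read.
New-SmbShare -Name $Share -Path $Path -FullAccess 'Everyone' -FolderEnumerationMode AccessBased

# 2. NTFS level: stop inheriting from D:\Shares, drop the inherited entries
#    (which usually include Users: Read) and grant exactly what each group needs.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # $true = block inheritance, $false = do not copy inherited ACEs

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

foreach ($entry in @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = 'CONTOSO\Finance-RW';     Rights = 'Modify' },          # read/write, no ACL changes
    @{ Identity = 'CONTOSO\Finance-RO';     Rights = 'ReadAndExecute' }
)) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($entry.Identity, $entry.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# 3. Verify: the share grants Everyone, the folder does not.
Get-SmbShareAccess -Name $Share
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

If the verification output still shows an Everyone or Users entry on the folder, inheritance from the parent was not broken and the share is effectively open; that is the check to repeat after every move of the folder.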

10 Tips for Securing Active Directory Environments

Managing accounts with a security-first approach will help to avoid costly incursions. Sources: 10 Tips for Securing Active Directory Environments

Scenarios To Consider Before Adopting Azure Active Directory

There is a nice article on Azure AD about the things to consider before working with Azure Active Directory. "Microsoft's identity and access management (IAM) strategy has mostly been playing out in the cloud with its Azure AD service." "Microsoft has three components that power its Azure IAM solutions":
- Azure cloud computing services, which serve as Microsoft's infrastructure-as-a-service (IaaS) solution
- Azure AD Premium, [..] Microsoft's "Identity Management as a Service" offering (abbreviated as "IDaaS"). Microsoft's IDaaS provides IAM services for services that are built on the Azure platform.
- "Identity bridge" solutions. An identity bridge is an on-premises component that synchronizes local directories to Microsoft's IDaaS and enables single sign-on to IDaaS. Microsoft's identity bridge solutions can bridge Kerberos and LDAP to JSON over REST, as well as SAML.
Mark Dio...

Domain Controllers and Snapshots / Clones

For those running a home lab with a Domain Controller (Active Directory is not strictly needed at home, but many labs have it) and who run that server as a virtual machine, it is worth knowing whether reverting to an old snapshot has side effects. Ask that question and you will quickly find many articles and posts saying it is a bad idea; the why is harder to find. The linked blog post explains it nicely. In short: you do not want the update sequence numbers (USNs) of that DC to get out of sync with its replication partners. A restored DC reuses USNs it has already handed out, its partners believe they are already up to date for those numbers, and changes made after the snapshot point silently never replicate (a "USN rollback"). When a DC detects this after the fact it logs event 2095 in the Directory Service log, pauses Netlogon and disables inbound and outbound replication, and you are left with cleaning up. Starting with Windows Server 2012 the hypervisor can expose a VM-Generation ID: a DC that sees that ID change resets its invocation ID, discards its RID pool and marks SYSVOL non-authoritative, which makes snapshot restores safe on hypervisors that support it, and cloning a DC IS supported (via a DCCloneConfig.xml). On older DCs or hypervisors without VM-Generation ID the old advice stands. Sources: Virtual Domain Controller Cloning in Windows Server 2012; Never Snapshot a Domain Controller! Here’s Why…; Snapshots and Domain Controllers - Are they ALWAYS bad??? Keywords: Windows Server, Active Directory, Domain Controller, Virtualization, Snapshot
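An added PowerShell check for the failure mode described above (my code, not from the linked posts): it reads the three places where a DC records a detected USN rollback and then shows the DC's highest committed USN next to what its partners have recorded for it. Run it elevated on the DC you suspect; the naming context is taken from RootDSE, nothing else is assumed.

```powershell
# Added example: detect the traces of a USN rollback after a snapshot revert.
# Run elevated on the DC in question (Windows Server 2008 R2 or newer, RSAT AD module).
Import-Module ActiveDirectory

function Test-UsnRollback {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # 1. NTDS sets "Dsa Not Writable" = 4 under its Parameters key when it detects a rollback.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction Stop
    $dsaNotWritable = $ntds.'Dsa Not Writable'

    # 2. Directory Service log: 2095 = rollback detected, 2103 = replication disabled because of it.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue

    # 3. NTDS pauses Netlogon on rollback so the DC stops advertising itself.
    $netlogon = Get-Service Netlogon

    [pscustomobject]@{
        Computer          = $ComputerName
        DsaNotWritable    = $dsaNotWritable
        RollbackEvents    = @($events).Count
        NetlogonStatus    = $netlogon.Status
        RollbackSuspected = ($dsaNotWritable -eq 4) -or (@($events).Count -gt 0)
    }
}

Test-UsnRollback | Format-List

# Where the inconsistency actually lives: this DC's highest committed USN versus the
# up-to-dateness vector. After a revert the local number is LOWER than the value
# partners recorded for this DC's invocation ID, so they will never ask for the
# "missing" range again.
$rootDse = Get-ADRootDSE
"Highest committed USN on $($env:COMPUTERNAME): $($rootDse.highestCommittedUSN)"
repadmin /showutdvec $env:COMPUTERNAME $rootDse.defaultNamingContext
```

If RollbackSuspected is true, do not try to "fix" the USNs; the supported path is a forced demotion, metadata cleanup on a healthy DC and a fresh promotion.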

Read-only Domain Controllers

By default a domain controller is a writable domain controller: clients authenticate against it, but it also accepts changes such as setting a new password, which it then replicates to the other domain controllers on your network. Why would you need a read-only domain controller? In short: for security reasons (not performance, availability, ...). The assumption is that remote offices are less secure than the company headquarters for many reasons (a DC in a broom closet, no local IT staff, cost cutting on physical security). As such it is handy to have a local domain controller that clients can use to authenticate on-site, yet that DC should not be able to push data back into the central system, as it is assumed to be more vulnerable to theft and compromise than the (hopefully) fortified HQ. An RODC therefore holds a read-only copy of the database, never replicates outbound, uses its own krbtgt account so tickets it issues are not trusted by writable DCs, and by default caches no account secrets at all: only accounts allowed by its Password Replication Policy (PRP) get their password hashes cached, and members of "Denied RODC Password Replication Group" (Domain Admins and the other privileged groups) never do. If the RODC is stolen, the exposure is limited to the secrets it had cached, and those can be listed and reset from a writable DC. Sources: Introduction to Active Directory Infrastructure in Windows Server 2012 @ ~20:00
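The PRP side of this as an added PowerShell example (my code, not from the linked talk): read the policy, tighten it, list what is actually cached on the RODC, and prepare the reset you would run if that box walked out of the branch. The RODC name BRANCH-RODC1 and the group Branch-Users are assumptions; the cmdlets are the standard ActiveDirectory module ones.

```powershell
# Added example: manage and audit an RODC's Password Replication Policy.
# Run from a writable DC or an admin workstation with RSAT. Names are assumptions.
Import-Module ActiveDirectory
$Rodc = 'BRANCH-RODC1'

# 1. Current policy: who MAY be cached on this RODC, who NEVER is.
'== Allowed ==';  Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object -ExpandProperty Name
'== Denied ==';   Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object -ExpandProperty Name

# 2. Tighten it: only the branch group may be cached; explicitly deny the privileged
#    groups in addition to the built-in "Denied RODC Password Replication Group".
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch-Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators'

# 3. What is cached RIGHT NOW. This list is the blast radius if the RODC is stolen.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass, SamAccountName

# 4. Sanity check: nothing privileged should ever appear as revealed.
$privileged = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
              Select-Object -ExpandProperty SamAccountName
$leak = @($revealed | Where-Object { $privileged -contains $_.SamAccountName })
if ($leak.Count -gt 0) {
    Write-Warning "Privileged secrets cached on ${Rodc}: $($leak.SamAccountName -join ', ')"
}

# 5. Incident response when the RODC is lost: reset every secret it had cached.
#    Uncomment to run. Users get new passwords; computer accounts re-establish their
#    secure channel after a reset of their machine password.
# $revealed | Where-Object { $_.ObjectClass -eq 'user' } | ForEach-Object {
#     $new = ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force
#     Set-ADAccountPassword -Identity $_.DistinguishedName -Reset -NewPassword $new
# }
```

Step 3 is the one worth scheduling: the PRP says who may be cached, but only the revealed-accounts list tells you who has actually logged on through that RODC and therefore has a hash sitting in the branch.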

What happens if the Domain Controller is offline for too long?

For those running a home lab with a Domain Controller (Active Directory is not strictly needed at home, but many labs have it) and who regularly shut down that main server, it is worth knowing whether that has side effects. As long as you do not keep the Domain Controller shut down longer than the Active Directory forest's tombstone lifetime (TSL) you should be safe; bring it back up and let replication catch up. The tombstoneLifetime attribute is a forest-wide setting, not a per-server one: it lives on CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition and can be read with ADSIEdit or PowerShell. Forests created with Windows Server 2003 SP1 or later, which includes every forest created on 2008 R2 and upward, have it set to 180 days; if the attribute is not set at all (forests created on Windows 2000 or 2003 RTM and upgraded since) the effective value is 60 days. A DC that has been offline longer than the TSL must not simply be switched back on: it may still hold objects that were deleted in the meantime and whose tombstones have already been garbage-collected on the other DCs, and those lingering objects would reappear. Demote it forcibly (or clean up its metadata) and promote it afresh instead. See the linked TechNet article on how to determine the tombstone lifetime for the forest. Sources: DC offline for 2 months, best way to handle?; Determine the tombstone lifetime for the forest Keywords: Windows Server, Active Directory, Domain Controller, TSL, Tombstone Lifetime
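An added PowerShell version of the check (my code, not from the linked article or thread): it reads the forest TSL from the Configuration partition, applying the 60-day fallback when the attribute is unset, then asks every reachable DC when it last successfully received from each partner, so a DC that has been silent for longer than the TSL shows up even though it is itself offline. Nothing beyond the ActiveDirectory module is assumed.

```powershell
# Added example: forest tombstone lifetime and DCs that have been silent too long.
# Run from any domain member with RSAT (Windows Server 2012 / PowerShell 3 or newer).
Import-Module ActiveDirectory

function Get-ForestTombstoneLifetime {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    # Unset attribute = 60 days (forests created before Windows Server 2003 SP1)
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-DcLastSeen {
    param([int]$Tsl = (Get-ForestTombstoneLifetime))

    # Ask each reachable DC about its INBOUND partners. An offline DC cannot answer,
    # but its partners remember when they last pulled from it.
    $rows = foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -Partition * `
                                         -ErrorAction SilentlyContinue
    }

    $rows | Group-Object Partner | ForEach-Object {
        $last = ($_.Group | Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1).LastReplicationSuccess
        $days = (New-TimeSpan -Start $last -End (Get-Date)).Days
        [pscustomobject]@{
            Partner                = $_.Name            # DN of the partner's NTDS Settings object
            LastReplicationSuccess = $last
            DaysSilent             = $days
            OverHalfTsl            = $days -gt ($Tsl / 2) # worth a look before it becomes a problem
            OverTsl                = $days -gt $Tsl       # do NOT just power this DC back on
        }
    }
}

"Forest tombstone lifetime: $(Get-ForestTombstoneLifetime) days"
Get-DcLastSeen | Sort-Object DaysSilent -Descending | Format-Table -AutoSize
```

The half-TSL column is there because replication problems are far cheaper to fix at day 40 than at day 181, and because a lab DC that is "only" off for a few weeks at a time still accumulates the gap.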

How to backup a Certificate Authority

It can be done with the certutil command line tool or the GUI. For the GUI just perform these steps: open the Certification Authority console (through Server Manager / Tools or Administrative Tools), right-click the CA to back up, All Tasks, Back up CA... Restoring works the same way (All Tasks, Restore CA...). Both the GUI and certutil -backup cover the CA database and the CA certificate with its private key; neither includes the CA's registry configuration (CRL periods, AIA/CDP URLs, audit settings) or CAPolicy.inf, so export those separately if you want a restore to the same behaviour. Sources: Training Guide Configuring Advanced Windows Server 2012 R2 Services (MCSA), page 216f Keywords: Windows Server 2012 R2, Active Directory, Certification Authority
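A scripted version as an added example (my code, not from the Training Guide): it uses the ADCSAdministration cmdlets that ship with Windows Server 2012 R2 for the database and key, then collects the pieces the built-in backup leaves out and writes a hash manifest so a tampered backup is noticed at restore time. The backup path is an assumption.

```powershell
# Added example: complete AD CS CA backup on Windows Server 2012 R2.
# Run elevated on the CA. D:\CABackup is an assumption.
Import-Module ADCSAdministration

$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$Dest  = "D:\CABackup\$Stamp"
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. Database, plus CA certificate and private key as a password-protected PKCS#12.
#    Keep that password away from the backup media; with it the file IS your CA.
$pw = Read-Host -AsSecureString 'Password to protect the exported CA key'
Backup-CARoleService -Path $Dest -Password $pw -Force
# command-line equivalent: certutil -backup -p <password> $Dest

# 2. What the GUI / certutil backup does not include: registry configuration and CAPolicy.inf.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$Dest\CertSvc-Configuration.reg" /y | Out-Null
if (Test-Path "$env:SystemRoot\CAPolicy.inf") { Copy-Item "$env:SystemRoot\CAPolicy.inf" -Destination $Dest }

# 3. Published templates (meaningful on an enterprise CA; prints an error on a standalone root, which is fine).
certutil -catemplates | Out-File "$Dest\templates.txt"

# 4. Integrity manifest, so a modified backup is detected before it is restored.
Get-ChildItem -Path $Dest -Recurse -File |
    Where-Object { $_.Name -ne 'manifest.csv' } |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path "$Dest\manifest.csv" -NoTypeInformation

Get-ChildItem -Path $Dest -Recurse | Select-Object FullName, Length

# Restore outline (on a freshly installed CA with the same name, CertSvc stopped):
#   Restore-CARoleService -Path $Dest -Password $pw -Force
#   reg import "$Dest\CertSvc-Configuration.reg"
#   Copy-Item "$Dest\CAPolicy.inf" $env:SystemRoot ; Start-Service CertSvc
```

The backup contains the CA's private key, so treat the resulting directory with the same care as the CA itself: offline media, restricted ACL, and the PKCS#12 password stored separately.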

How to install a Root Certification Authority - Step-by-step

"The root of the trust chain in any PKI is the Root Certification Authority." For security reasons the machine you use for it is an isolated / standalone / non-domain-joined machine, and you want to limit access to it as much as possible; after it has issued the subordinate CA certificates and a CRL it stays switched off. The function of the Root CA is to "generate the server certificates that will be installed on the subordinate CAs. And those subordinate CAs will actually distribute user and computer certificates." Note that the default hash algorithm SHA-1 has meanwhile been flagged as weak (and SHA-1 signatures are no longer accepted in certificate chains by current browsers and Windows). As this is the root CA you can and should go for something strong: SHA-256 at a minimum (SHA-384 or SHA-512 work as well on any modern Windows client) and an RSA key length of 4096 bits. Two things the wizard does not ask about and that are hard to change afterwards: put a CAPolicy.inf into %SystemRoot% before configuring the role (renewal key length, CRL period, no default templates), and set the CRL / AIA publication URLs right after installation, because they end up in every certificate the root signs. Sources: Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part II, Installing a Root Certification Authority with the GUI; Step by Step Install Root Certificate Authority on Windows Server 2012 R2; Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation; TechNet ...
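The same installation done unattended, as an added example (my code, not from the linked step-by-step articles): CAPolicy.inf first, then the role with the strong key and hash settings discussed above, then the publication URLs and a first CRL. The CA name, DN suffix, validity periods and the URL http://pki.contoso.com/CertEnroll/ are assumptions; the cmdlet parameters are those of the ADCSDeployment module on Windows Server 2012 R2.

```powershell
# Added example: offline standalone root CA, Windows Server 2012 R2, unattended.
# Run elevated on the non-domain-joined root CA machine. Names, periods and URLs are assumptions.

# 1. CAPolicy.inf must exist in %SystemRoot% BEFORE the role is configured;
#    the renewal and CRL settings are baked into the CA certificate / registry.
$capolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $capolicy -Encoding ASCII

# 2. Binaries, then the CA. SHA384 / SHA512 are accepted by -HashAlgorithmName as well.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Contoso Offline Root CA' `
    -CADistinguishedNameSuffix 'O=Contoso,C=DE' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -DatabaseDirectory "$env:SystemRoot\System32\CertLog" `
    -Force

# 3. Where the subordinate CAs and all clients will look for this root's CRL and
#    certificate. An offline root cannot serve HTTP itself, so the files are copied
#    to a web server; the URLs are written into every certificate the root issues.
certutil -setreg CA\CRLPublicationURLs   "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/CertEnroll/%1_%3%4.crt"
certutil -setreg CA\ValidityPeriodUnits 10    # longest lifetime of anything this root signs (the sub CAs)
certutil -setreg CA\ValidityPeriod 'Years'
certutil -setreg CA\AuditFilter 127           # all CA audit categories (needs "Audit object access" enabled)

Restart-Service CertSvc
certutil -crl                                 # publish the first CRL

# 4. Verify the key size and signature algorithm of the root certificate that was created.
$root = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=Contoso Offline Root CA*' }
[pscustomobject]@{
    Subject   = $root.Subject
    KeyBits   = $root.PublicKey.Key.KeySize
    SigAlg    = $root.SignatureAlgorithm.FriendlyName   # expect sha256RSA
    NotAfter  = $root.NotAfter
}
```

After step 3 the files in %WINDIR%\system32\CertSrv\CertEnroll (the .crt and .crl) are what you carry to the HTTP server and, for the .crt, into the domain's trusted root store; the root itself then goes offline.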

Synchronized time on Windows Server 2012 R2

For the Kerberos protocol, which Active Directory uses for authentication, all machines need to agree on the time: by default a ticket is rejected when the clocks differ by more than 5 minutes (the "Maximum tolerance for computer clock synchronization" Kerberos policy). Linked are two articles on how to configure Network Time Protocol (NTP) correctly on Windows Server 2012 R2. In essence the following needs to be done from an elevated PowerShell prompt, on the domain controller that holds the PDC emulator role of the forest root domain (every other DC and member takes its time from the domain hierarchy and should stay at /syncfromflags:DOMHIER):
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
Stop-Service w32time
Start-Service w32time
You can use the event log in case you need to troubleshoot issues. In case you get the error message "The computer did not resync because no time data was available" the problem could lie in the fact that you need to modify the group policy settings accordingly (a GPO under Computer Configuration / Administrative Templates / System / Windows Time Service overrides whatever w32tm sets locally). Also see the linked MS KB article on that issue. You can retrieve the current configuration with: w32tm /query /configuration. To resync right away: w32tm /resync. Sources: Sysadmin Lab Blog: Configuring NTP on Windows Server 2012; Microsoft Knowledge Base Article for ...
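The whole procedure as an added PowerShell example (my code, not from the linked articles): find the forest-root PDC emulator, configure this machine as either the external-synced source or a hierarchy client depending on which one it is, and then measure every DC's offset against the local clock to see whether anything is outside the 5-minute Kerberos tolerance. The NTP pool host names are assumptions.

```powershell
# Added example: NTP source configuration plus a Kerberos clock-skew check.
# Run elevated; the ActiveDirectory module (RSAT) is required. Pool names are assumptions.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
"Forest-root PDC emulator: $pdc"

if ($env:COMPUTERNAME -ieq ($pdc -split '\.')[0]) {
    # This box is the authoritative source. ",0x8" = client mode: poll the peer,
    # never accept unsolicited symmetric-active packets from it.
    $peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:MANUAL /reliable:YES /update
} else {
    # Every other DC and member: follow the domain hierarchy, never an external server.
    w32tm /config /syncfromflags:DOMHIER /update
}
Restart-Service w32time
w32tm /resync /rediscover

# Source, stratum and last successful sync of this machine
w32tm /query /status

function Get-DcClockOffset {
    # Offset of each DC relative to THIS machine; run on the PDC emulator to get
    # offsets against the authoritative clock.
    param([int]$MaxSkewSeconds = 300)   # Kerberos default: 5 minutes
    foreach ($dc in Get-ADDomainController -Filter *) {
        # /stripchart /dataonly prints lines like "12:00:01, +00.0012345s"; keep the last sample
        $line = w32tm /stripchart /computer:$($dc.HostName) /samples:3 /dataonly 2>$null |
                Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -Last 1
        $offset = if ($line) { [double]$line.Matches[0].Groups[1].Value } else { $null }
        [pscustomobject]@{
            DC                      = $dc.HostName
            OffsetSeconds           = $offset
            WithinKerberosTolerance = ($null -ne $offset) -and ([math]::Abs($offset) -le $MaxSkewSeconds)
        }
    }
}
Get-DcClockOffset | Format-Table -AutoSize
```

A DC that reports no offset at all (the second column empty) is unreachable on UDP 123 from here, which is its own finding: its clients can still authenticate only as long as that DC happens to agree with the rest of the domain.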

Active Directory Sizing and Capacity Planning

Sizing discussions can range from exact numbers to the vague statement of "it depends [on the usage/applications/...]". But even an "it depends" discussion has to start with some bare numbers as a basis:
Hard disk (storage / database size): 40 KB to 60 KB for each user
RAM: database size (again 40 KB to 60 KB per user) + base operating system recommendations + SYSVOL + third-party applications (anti-virus, monitoring, backup, ...)
Network: 1 Gb
CPU: 1000 concurrent users for each core
It is recommended to size in cycles, such as through "a three step process [that] will be used as part of the capacity planning cycle":
1. Measure the existing environment, determine where the system bottlenecks currently are, and get the environmental basics necessary to plan the amount of capacity needed.
2. Determine the hardware needed according to the criteria outlined in step 1.
3. Monitor and validate that...
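Step 1 of that cycle, "measure the existing environment", as an added PowerShell example (my code, not from the linked article): it collects the real inputs the rules of thumb above need (object counts, size of ntds.dit, size of SYSVOL) and turns them into the ballpark figures for RAM, database growth and cores. The 2 GB base-OS allowance and the 20 % concurrency assumption are mine and are labelled in the code; the per-user and per-core figures are the page's.

```powershell
# Added example: measure an existing domain and apply the sizing rules of thumb.
# Run elevated on a DC (paths come from the registry) with the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdSizingSnapshot {
    param(
        [int]$BaseOsMB            = 2048,   # assumption: allowance for the OS itself
        [double]$ConcurrencyRatio = 0.2     # assumption: at most 20 % of users active at once
    )

    # Where this DC keeps its database and SYSVOL
    $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditMB    = [math]::Round((Get-Item $ntds.'DSA Database file').Length / 1MB, 1)
    $sysvol   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
    $sysvolMB = [math]::Round(((Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
                                Measure-Object -Property Length -Sum).Sum) / 1MB, 1)

    # Object counts (enabled users are what drive logon load; all objects drive DIT size)
    $users     = @(Get-ADUser -Filter { Enabled -eq $true }).Count
    $computers = @(Get-ADComputer -Filter *).Count
    $groups    = @(Get-ADGroup -Filter *).Count

    [pscustomobject]@{
        EnabledUsers     = $users
        Computers        = $computers
        Groups           = $groups
        NtdsDitMB        = $ditMB
        SysvolMB         = $sysvolMB
        # Rule of thumb: hold the whole DIT in cache => DIT + OS + SYSVOL (+ third-party agents, not measured here)
        RecommendedRamMB = $ditMB + $sysvolMB + $BaseOsMB
        # 40-60 KB per user: the upper bound, for comparison with the measured DIT
        ExpectedDitMB    = [math]::Round($users * 60KB / 1MB, 1)
        # 1000 concurrent users per core
        RecommendedCores = [math]::Max(1, [math]::Ceiling(($users * $ConcurrencyRatio) / 1000))
    }
}

Get-AdSizingSnapshot | Format-List
```

The interesting column is the measured DIT next to ExpectedDitMB: a database several times larger than 60 KB per user points at something other than users (stale computer accounts, large group memberships, bloated attributes) that no per-user rule of thumb will predict.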

Windows Server 2012 R2: Domain Controller Minimum Requirements & associated server roles

Quite moderate minimum hardware requirements, but depending on usage (as always) the more RAM the better:
Processor, minimum: single 1.4 GHz x64 processor (or 1.3 GHz dual core)
Memory, minimum: 512 MB RAM
Disk space, minimum: 32 GB or greater
Usually the question also goes hand-in-hand with the other tasks that machine can perform: "There are certain roles that typically get folded in with the domain controller in all but the biggest networks (e.g. DNS/DHCP/WINS/Cert Server) with little harm." "There are some that get folded into a DC and will cause performance issues on all but the smallest networks (e.g. File Server/intranet server/WDS Server) but these issues are probably manageable depending on load. These previous two classes of role are a case of a balancing act, how concerned you are about performance on your DCs vs. the resources you have available to provision your network. It's b...