KETS Active Directory Operations Guide Kentucky Department of Education Version 1.0.3 11/18/2014 Table of Contents Contents Change Log _________________________________________________________________ 1 1. Introduction _____________________________________________________________ 2 1.1. Audience ____________________________________________________________ 2 1.2. Technologies/Terminologies ____________________________________________ 3 1.4. Document Feedback ___________________________________________________ 4 1.5. Document Updates/Location ____________________________________________ 5 2. “Need to Know” Items _____________________________________________________ 6 2.1. Technologies _________________________________________________________ 6 2.1.1. Active Directory__________________________________________________ 6 2.1.2. DNS ___________________________________________________________ 8 2.1.3. DHCP __________________________________________________________ 8 2.1.4. Group Policy ___________________________________________________ 10 2.1.5. WINS _________________________________________________________ 10 2.1.6. NTP __________________________________________________________ 10 2.2. Support ____________________________________________________________ 11 2.2.1. KETS Service Desk Support ________________________________________ 11 2.3. Responsibilities ______________________________________________________ 12 2.3.1. KIDS __________________________________________________________ 12 2.3.2. District ________________________________________________________ 12 2.4. User Principal Name __________________________________________________ 12 2.5. Password Synchronization between AD and Office 365 ______________________ 12 2.6. Availability _________________________________________________________ 13 3. Administrative Tasks _____________________________________________________ 14 3.1. AD Administration ___________________________________________________ 14 3.1.1. Administrative Access ____________________________________________ 16 KETS Active Directory Operations Guide Table of Contents 3.1.2. AD Basics ______________________________________________________ 16 3.1.3. OU Structure ___________________________________________________ 17 3.1.4. AD Attributes___________________________________________________ 19 3.1.5. Password Policies _______________________________________________ 23 3.1.5.1. Default Domain Policy __________________________________________ 23 3.1.5.2. Fine-Grained Password Policies ___________________________________ 24 3.1.5.3. Forcing Password Changes _______________________________________ 26 3.1.6. Machine Name Uniqueness _______________________________________ 28 3.1.6.1. Background on Unique Computer Names ___________________________ 28 3.1.6.2. Identifying the Problem _________________________________________ 29 3.1.6.3. Preemptively Checking Uniqueness ________________________________ 31 3.1.6.4. Naming Recommendations ______________________________________ 33 3.1.7. AD Recycle Bin __________________________________________________ 33 3.1.7.1. Recovering Deleted Objects ______________________________________ 33 3.1.7.2. Technical Background __________________________________________ 33 3.1.8. Applications Pointing To AD _______________________________________ 34 3.2. DNS Administration __________________________________________________ 35 3.2.1. Tertiary DNS Entries _____________________________________________ 36 3.2.2. DNS Scavenging _________________________________________________ 37 3.2.2.1. DNS Server Scavenging _________________________________________ 37 3.2.2.2. DNS Zone Aging _______________________________________________ 38 3.2.3. Static DNS Record Requests _______________________________________ 39 3.2.4. _VLMCS SRV Records ____________________________________________ 39 3.3. DHCP Administration _________________________________________________ 40 3.3.1. DHCP Options __________________________________________________ 41 3.3.2. DHCP Lease Duration ____________________________________________ 42 3.3.3. DHCP/Dynamic DNS _______________________________________________ 43 KETS Active Directory Operations Guide Table of Contents 3.4. Group Policy Administration ___________________________________________ 44 3.4.1. Group Policy Objects _____________________________________________ 45 3.4.2. ADM vs. ADMX Templates ________________________________________ 46 3.4.3. Group Policy Delegation __________________________________________ 46 3.4.4. Common Questions______________________________________________ 48 KETS Active Directory Operations Guide Pg. 01 Change Log Change Log Version Date Editor Description 2/19/14 John v0.1 Document Creation Fabry 4/4/14 John v0.2 First Draft Completed Fabry 4/22/14 John v0.5 First Round Of Revisions Completed Fabry 4/24/14 John V0.9 Additional proofreading and AD structure graphic Fabry added 4/29/14 Garrett V0.9.1 Removed section about DHCP conflict detection Dutton and added section on Dynamic DNS config in DHCP. Reformatted doc to be in line with KETS Operations Guides. 5/13/14 John V1.0 Final MADS proofreading. Fabry 5/23/14 John V1.0.1 Updated proofreading from Kenny Brakefield. Fabry 7/7/14 John V1.0.2 Added sections on applications connecting to AD Fabry and tertiary DNS entries for clients. 11/14/14 John V1.0.3 Added information on forest-wide machine name Fabry uniqueness and AD Recycle Bin. KETS Active Directory Operations Guide Introduction Pg. 02 1. Introduction Check this space throughout the document for important information or links to additional Welcome to the Microsoft Windows Server 2012 R2 Active Directory Operations content and documentation. Guide. This guide outlines the technologies and steps involved in administering the Kentucky Education Technology System (KETS) Active Directory Domain Services 2012 R2 environment. The focus of this guide is to convey the necessary tasks for carrying out routine operations required to administer your district’s Active Directory 2012 R2 system. Specifically, this guide will provide explicit guidance on KETS-specific aspects of Active Directory while pointing to authoritative sources from Microsoft for general information related to Active Directory Domain Services. The KETS deployment of Microsoft’s Windows Server 2012 R2 Active Directory Domain Services (AD DS) is not complex; it’s simply large. Many of the changes when moving from the previous Windows Server 2008 environment to the new Windows Server 2012 R2 one are optional; while you are encouraged to leverage the new tools and capabilities of Windows Server 2012 R2 AD DS, the old tools you may be familiar with will continue to function. For instance, while you can manage users through the new Active Directory Admin Center (ADAC) and Windows PowerShell now, you can still continue to use Active Directory Users and Computers (ADUC.) This guide will also include brief discussions regarding several other services that run on the domain controllers in conjunction with Active Directory Domain Services and that are commonly integrated with it, such as DNS and DHCP. 1.1. Audience This guide was written and is kept up-to-date for the technical administrators and user managers of Kentucky school districts’ directory services system. KETS Active Directory Operations Guide Introduction Pg. 03 1.2. Technologies/Terminologies There are acronyms and technology terms that are used when discussing Active Directory Domain Services. The technology field is riddled with these terminologies which can cause confusion if not properly defined. It’s important, though, to again reiterate that technical administrators in this K-12 environment are the audience for this document. The term “KETS” will be utilized throughout this document, referring to all users and technologies which utilize enterprise services delivered to the 175 (including KSB and KSD) school districts by KIDS (the Office of Knowledge, Information, and Data Services) which was formerly the Office of Education Technology (OET.) KIDS is the technology office of the Kentucky Department of Education (KDE.) Messaging and Directory Services or MADS is the team in the Office of KIDS responsible for maintaining the AD DS environment along with Office 365. Windows Server 2012 R2 Active Directory Domain Services (also known as Active Directory or AD DS) is utilized by KETS. The Active Directory Domain Controllers, the servers which run the service, utilize Windows Server 2012 R2 Hyper-V technology. Microsoft’s Windows Server 2012 R2 Hyper-V provides virtualization of operating systems and their services. KETS also utilizes Domain Name Services (DNS) which resides within Active Directory as well as external to Active Directory on other platforms. Office 365 or O365 is Microsoft’s cloud service which provides access to email, instant messaging, web conferencing, and collaboration. While not directly a part of AD DS, O365 is connected to AD through the Online Provisioning System (OLPS.) OLPS allows for accounts created in AD to automatically have a corresponding account created in Office 365. Password Change Notification Service or PCNS allows for passwords in Active Directory and Office 365 to be in sync. Since Microsoft Organization IDs (OrgIDs) will be the same as each user’s SMTP address and that address is used as the User Principal Name (UPN) in Active Directory, users can have the same login between Active Directory and Office 365. PCNS runs KETS Active Directory Operations Guide Introduction Pg. 04 as a service on every domain