Microsoft Azure AZ-800 — Section 3: Deploy and manage AD DS domain controllers Part 6
28. Using the Integrated Scripting Environment (ISE)
Now, something else that a lot of people don't realize about PowerShell is that it is its own scripting environment, its own programming environment. You can write programs and scripts from within PowerShell, and I want to show you some basic fundamentals of that as well, to assist you in your server administration.
So the first thing we're going to do is go straight into PowerShell: right-click the Start button and go to Windows PowerShell (Admin). Just to quickly show you, one of the common things we do when we write scripts, in most programming languages, is use variables. Variables are important. They are names associated with an area of memory, and they let us call upon that information at any time.
Now in PowerShell, we can type Get-Variable and see the variables that are in memory right now.
OK, so here are all the things that are in memory this very moment.
Now I can also add something to a variable. I can say $number1 = 5.
So I'm storing the number 5 in a variable called number1, and the dollar sign in front is what marks it as a variable.
So there you go.
So to call upon that variable, we just type $number1 and hit Enter. There it is: the number 5. Then we'll say $number2 = 10.
So now if we run Get-Variable, we should see both of those in memory right now.
So there they are: number1 and number2.
OK. I can also use operators like subtraction, addition, multiplication and division. I can say $number1 * $number2 and it's going to multiply. I'll press the up arrow and change that to the subtraction symbol.
So there's subtraction; we'll change it to addition, and we'll change it to division.
OK, now you can store words in there as well. I can say $name = NYC-SVR1.
OK, hit Enter... oh, I forgot: that's a string. Whenever you store a string, you have to put quotation marks around it.
So with the quotation marks, hit Enter. It's now in memory. Type $name, hit Enter, and there it is.
So then I could say Get-Process -ComputerName $name, hit Enter, and it's going to display the processes on that server. It's using that variable as the parameter value.
Now, ultimately, it's fine and dandy to run commands and write code within the PowerShell console itself. But PowerShell also provides a scripting environment called the ISE, the Integrated Scripting Environment. You can get into it by simply typing ise and hitting Enter, and it's going to make your life a whole lot easier if you're going to write scripts in PowerShell.
OK.
So I'll just maximize this and drop down the little script pane, and this is where you're going to write your script.
OK, so check this out. I could type Get-EventLog - and look at that: it actually shows me the parameters that are available, and I can click on those if I want. That's really cool. We'll say -ComputerName, and then NYC-SVR1, then -LogName Application, and then -Newest 10. Hit the Run (play) button and it runs that.
Now let's add a little spice to this. Let's make it a little bit more interesting.
So I'm going to declare a variable: $name = Read-Host "Which computer would you like to connect to?". So we're going to have it pose a question, and the answer to that question gets stored in that variable. We're going to do the same thing with the log name: $log = Read-Host "Which log would you like to see?". And then $amount = Read-Host "How many of the newest entries would you like to see?". All right.
So now we're just going to trade those parameter values out for the variables.
So we change -ComputerName to $name, -LogName to $log and -Newest to $amount. And there you go. We hit Run, and look at the bottom of the screen: it says, which computer would you like to connect to? We'll say NYC-SVR1. Which log would you like to see? Let's look at the Security log. And how many of the newest entries would you like to see? Five. Hit Enter, and there you go. If I wanted it formatted as a list instead of a table, I can put the pipe symbol right there and say Format-List. All right, we'll do it again. Hit Run.
OK, which computer? Let's do NYC-DC1 this time.
OK, which log would you like to see? Let's do the System log this time. And how many entries? We'll say three, the newest three. And there they are, the newest three entries right there.
OK. I could also save this: File, Save As, and save it as a script (a .ps1 file).
OK. And I could run that script any time I want.
OK. All right.
So again, this is pretty basic stuff, but I did want to introduce you to the ISE, because it can make your life a whole lot easier. By the way, one little thing: if you ever want to run just one line of the script you're typing, you can highlight it and hit Run Selection. All right. But hopefully that gives you a better understanding now of what the ISE is, and of the fact that PowerShell is its own scripting language.
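Here is the interactive event-log script from this lesson as a saved .ps1, with the answers validated before they are used. This is an added example, not the course's own script: the server names NYC-SVR1 and NYC-DC1 come from the lesson, while the list of accepted log names and the 500-entry cap are my assumptions.

```powershell
# Added example: the Read-Host / Get-EventLog script from the lesson, hardened.
# Each Read-Host default runs only when that parameter is not supplied, so the
# script can be run interactively (as in the lesson) or with arguments.
param(
    [string]$Name   = (Read-Host 'Which computer would you like to connect to?'),
    [string]$Log    = (Read-Host 'Which log would you like to see?'),
    [string]$Amount = (Read-Host 'How many of the newest entries would you like to see?')
)

# Read-Host always returns a string; "-Newest $Amount" only works because
# PowerShell coerces it. Convert explicitly and refuse nonsense (cap assumed).
$newest = 0
if (-not [int]::TryParse($Amount, [ref]$newest) -or $newest -lt 1 -or $newest -gt 500) {
    throw "Entry count must be a whole number between 1 and 500, got '$Amount'."
}

# Only accept the classic log names (assumed list). Reading the Security log
# requires an administrator or a member of Event Log Readers.
$allowedLogs = 'Application', 'System', 'Security'
if ($allowedLogs -notcontains $Log) {
    throw "Log must be one of: $($allowedLogs -join ', ')"
}

# A computer name is a DNS or NetBIOS label, so restrict it to safe characters.
if ($Name -notmatch '^[A-Za-z0-9.-]{1,253}$') {
    throw "Invalid computer name '$Name'."
}

# Get-EventLog exists only in Windows PowerShell 5.1 (it was removed from
# PowerShell 7, where Get-WinEvent is the equivalent). Querying a remote
# computer needs the Remote Event Log Management firewall rule on the target.
Get-EventLog -ComputerName $Name -LogName $Log -Newest $newest |
    Select-Object TimeGenerated, EntryType, Source, EventID, Message |
    Format-List
```

Save it as, say, Get-RecentEvents.ps1 and run it from the ISE with the Run button, or from a console as .\Get-RecentEvents.ps1 -Name NYC-DC1 -Log System -Amount 3. Running a saved script is subject to the execution policy; the ISE's Run button is not.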
29. Visualizing flexible single master operations (FSMO) roles
I want to talk now about a concept known as FSMO roles.
Now FSMO, F-S-M-O, stands for flexible single master operations.
Now this is a feature that has been part of Active Directory since the very beginning, when Active Directory came out with Windows 2000.
What this has to do with is the following. Before Active Directory came out in 2000, back in the Windows NT days, we had what were called PDCs and BDCs. The primary domain controller was the one domain controller that was writable; all the other domain controllers, the backup domain controllers, were read-only. When Windows 2000 came out, Microsoft made the move to make all of your domain controllers writable.
OK? Of course, fast forward down the road a little ways and they came out with what's called an RODC, a read-only domain controller, but let's just focus on writable domain controllers for a moment. Now, it's great and wonderful to think, well, I can make changes on one domain controller right here, and very quickly thereafter those changes replicate over to the others. I can modify users and groups and things like that, and replication will occur. But the issue you run into is that there are certain jobs Active Directory domain controllers have where you just can't have multiple writable copies of the job, because that can cause conflicts.
Now there are actually five of these jobs, and so there are five flexible single master operation roles.
OK. Two of these roles are what we call forest level roles, and the other three are what we call domain level roles.
OK.
So to begin with, let’s look at our forest level roles and I’ll name those off.
So the first one is called the domain naming master. All right, and the second one is called the schema master.
So you have the domain naming master and you have the schema master. Those are your two forest level roles.
Now for those two particular roles, you will only have one writable copy in your forest.
OK, so I'm going to put the letter F inside this little server icon, which represents a DC, and that's going to represent a forest level role.
OK. You will have one writable copy of those two roles for your whole entire forest. Ordinarily, that writable copy would be in the root domain of your forest. That's where it all starts out, and that is generally where you would keep those.
So the root of my forest, exam land practicum, is where those two roles would reside.
Now, can the two roles reside on the same domain controller? Absolutely. In some cases it's a good idea to do that, although you can also spread them out to get better performance. In fact, just so you know, all five roles start out on the very first domain controller that creates the domain.
So in my case, where I've set up a domain controller called NYC-DC1, all five roles are on that server right now. But my point is that yes, you can keep the roles together, or you can spread them out.
OK.
So you have the schema master to go with the domain naming master. There are two of them here: the domain naming master and the schema master. Those are your two forest level roles. All right.
Now what do they do exactly? The domain naming master handles adding and removing domains in the forest. That information lives in the configuration partition of Active Directory, which is how the forest knows which domains exist and how they are linked together, and the domain naming master makes sure that every domain name in the forest is unique. The next one is the schema master. The schema master holds the master copy of the schema database. The schema is made up of all the object classes and attributes for the entire forest. Every time Active Directory goes to create something, it has to go to the schema to know how to build whatever it's going to create. Whether it's a user, a group, a computer account, a GPO (group policy object), whatever it is, it has to have a class in that schema that says how to build it.
So you have a master writable copy of the schema database, and it's stored on that domain controller.
OK, so then we have the three domain level FSMO roles.
OK, the three domain level FSMO roles are the RID master,
the infrastructure master,
and then lastly the PDC emulator master. OK. And those are your three domain level FSMO roles. All right.
Now, interestingly enough, I'm just going to create another little icon to represent those. Let me smooth this out a little bit.
So this little icon is going to represent my domain level FSMO roles, and again there are a grand total of three of those. We'll just stack them on there like that. The interesting thing about those is that you will have a copy of those in every domain in your forest, so every domain in the forest gets its own copy of those three roles.
OK. There's only one writable copy of the forest level roles for the whole forest. There is a copy of all of the domain level roles in every domain in the forest.
OK, now do they all have to be on different machines, or can they be on the same machine? Again, they can all be on the same machine, although there are some placement considerations. One well-known caveat: the infrastructure master should not sit on a global catalog server unless every domain controller in the domain is a global catalog, because otherwise it will never notice that its cross-domain references are stale. But ultimately you could keep them all on the same server. All right. Of course, you may say, well, what happens if the whole server dies and I lose all five roles? We'll talk a little bit more about that in a minute. But the interesting thing I want you to be aware of is that the data each role governs (the schema, the configuration partition, the domain partition) is replicated to every one of your domain controllers. Only the role holder is allowed to write it, so in effect every one of your domain controllers has a read-only copy of all five of these roles.
So, interestingly enough, you can recover.
There's this thing called transferring that lets you transfer a role over to another domain controller.
So if you want to separate them, you can do what's called transferring. But if the role holder is gone and you need to force another domain controller to become the writable holder, that's called seizing.
You transfer a role in a scenario where the domain controllers haven't gone down; you just want to move the role to a different domain controller. Sure, you can. But if a domain controller that has a role dies, and you need to make another domain controller the writable holder because the original is gone, that's called seizing. One thing to be careful about: once you've seized a role, the old holder must never be brought back onto the network, because you would then have two domain controllers that both think they own that role.
OK.
So again, we've got all five. We can have all five of the roles on the same box, or we can separate them.
OK. And of course, you're only going to have all five on the same box if you're talking about the root domain, because your forest level FSMO roles will generally stay in the root. But again, for all five of these roles, there's at least a read-only copy of the data on every domain controller.
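The following is an added example, not code from the course, showing how the role holders are listed, how you check that every DC agrees on who holds them, and how a transfer differs from a seizure at the command line. NYC-DC1 is the lesson's domain controller; NYC-DC2 is an assumed second domain controller in the same domain.

```powershell
# Added example: inventory, transfer and seize FSMO roles.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest level roles are reported by Get-ADForest, domain level by Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest level
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest level
        RIDMaster            = $domain.RIDMaster             # domain level
        InfrastructureMaster = $domain.InfrastructureMaster  # domain level
        PDCEmulator          = $domain.PDCEmulator           # domain level
    }
}

Get-FsmoRoleHolders | Format-List

# Every DC holds its own replicated view of who owns each role. These checks
# fail when that view is stale or split (two DCs claiming the same role).
netdom query fsmo
dcdiag /test:knowsofroleholders /test:fsmocheck

# Transfer: both DCs are online and the current holder hands the role over.
# Role names or their numbers (0-4) are accepted; -WhatIf previews the move.
Move-ADDirectoryServerOperationMasterRole -Identity 'NYC-DC2' `
    -OperationMasterRole PDCEmulator, RIDMaster -WhatIf

# Seize: the holder is gone for good. -Force makes NYC-DC2 the owner without
# contacting the old holder. The old DC must never be reconnected afterwards;
# remove its metadata (ntdsutil "metadata cleanup", or delete the DC object in
# Active Directory Sites and Services / Users and Computers).
# Move-ADDirectoryServerOperationMasterRole -Identity 'NYC-DC2' `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force

# Schema changes go through the schema master and require Schema Admins
# membership, so that group should normally be empty. Flag standing members.
Get-ADGroupMember -Identity 'Schema Admins' |
    ForEach-Object { Write-Warning "Standing Schema Admins member: $($_.SamAccountName)" }
```

The seize line is commented out deliberately: run it only after you have confirmed the old holder is not coming back, since a transfer is always preferred while both DCs are reachable.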
OK, so what do these other roles do? Well, you have the RID master. The RID master is the Relative ID master. See, every object in Active Directory gets this thing called a SID and a RID. The SID is the security identifier, and the RID is the relative identifier, the last part of the SID that is unique within the domain. Essentially, every object must have a unique identifier to identify that object in the domain and in the forest.
So that's what the RID master does. The RID master is in charge of handing out these IDs for your objects.
So what happens is that your RID master hands out what's called a RID pool, a block of these IDs, to every domain controller, and every domain controller can issue those to the objects it creates. The RID master's job is to make sure that there are no objects in the domain that have the same ID.
OK, so that's what the RID master does. It's a very important job, making sure that every object has an ID and not just a name, because names in Active Directory have to be unique too, but it's the RID master that makes sure everything has a unique underlying ID.
OK: security identifier and relative identifier.
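To make the SID/RID relationship and the RID pool concrete, here is an added example (not from the course) that splits an object's SID into the domain SID and the RID, then reads the pool the RID master has allocated to the lesson's NYC-DC1. The sample SID is constructed; the built-in Administrator account is used because its RID of 500 is well known.

```powershell
# Added example: decode SIDs into domain SID + RID, and inspect RID pools.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # A domain SID looks like S-1-5-21-a-b-c; a domain object's SID is that plus
    # one more sub-authority, the RID. Anything else (e.g. S-1-5-32-544, the
    # local Administrators group) is not a domain object.
    if ($Sid -notmatch '^(S-1-5-21(?:-\d+){3})-(\d+)$') {
        throw "'$Sid' is not a domain object SID"
    }
    [pscustomobject]@{ DomainSid = $Matches[1]; Rid = [uint32]$Matches[2] }
}

function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][uint64]$Pool)
    # rIDAllocationPool / rIDAvailablePool pack a range into one 64-bit value:
    # low 32 bits = first RID in the range, high 32 bits = last RID.
    [pscustomobject]@{
        First = [uint32]($Pool -band [uint32]::MaxValue)
        Last  = [uint32]($Pool -shr 32)
    }
}

# Constructed sample SID: the trailing 500 is the well-known RID of Administrator.
Split-Sid -Sid 'S-1-5-21-1004336348-1177238915-682003330-500'

# Live: the RID of a real account, compared with the pool NYC-DC1 currently owns.
$user = Get-ADUser -Identity 'Administrator'
$rid  = (Split-Sid -Sid $user.SID.Value).Rid

$dc     = Get-ADDomainController -Identity 'NYC-DC1'
$ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
            -Properties rIDAllocationPool, rIDNextRID, rIDPreviousAllocationPool
$pool   = ConvertFrom-RidPool -Pool $ridSet.rIDAllocationPool
"Administrator has RID $rid; NYC-DC1 may hand out $($pool.First)..$($pool.Last), next RID $($ridSet.rIDNextRID)"

# The domain-wide supply lives on the RID Manager$ object. If it runs out, or the
# RID master is unreachable when a DC exhausts its pool, object creation fails.
$ridMgrDn = 'CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName
$ridMgr   = Get-ADObject -Identity $ridMgrDn -Properties rIDAvailablePool
ConvertFrom-RidPool -Pool $ridMgr.rIDAvailablePool
dcdiag /test:ridmanager /v
```

Watching rIDNextRID approach the end of the allocation pool on a busy DC, and rIDAvailablePool shrinking domain-wide, is how you notice RID exhaustion before account creation starts failing.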
So then you've got the infrastructure master. The infrastructure master handles cross-domain object references, what are commonly described as group-to-user references.
So as we start working with groups and giving permissions across two different domains, we're occasionally going to be linking one group to another, or to another area of our forest. For example, a group in the UK domain could be given access to a resource in the Scotland domain. The infrastructure master keeps those group-to-user references between the domains up to date when the referenced objects are renamed or moved.
So that's what this job is. The last one is the PDC emulator master. This guy has a lot of jobs. Number one, it handles password changes.
So when you make a change to a password, the PDC emulator master immediately finds out about the password reset.
So if there are ever any conflicts: let's say somebody changes their password in Dallas, Texas, then hops on a plane, flies to New York City and logs on, and replication hasn't occurred between Dallas and New York. Well, that would cause a problem, right? The password wouldn't be in sync. Well, it's not a problem, because whenever somebody enters a password and it isn't correct, the domain controller you're authenticating with will call upon the PDC emulator master to find out whether it has a newer password. That works because when somebody resets their password, the PDC emulator master is notified immediately that there's been a password change.
So that's a pretty important job. The PDC emulator master also acts as a PDC for old NT servers in your domain. It's not really a job you'll hopefully have to deal with anymore, but that's one of the jobs it performed. And it also handles time synchronization.
Now this is important because Active Directory uses a security protocol called Kerberos, and the PDC emulator master sits at the top of the domain's time hierarchy to keep everything in sync for the sake of Kerberos. By default, Kerberos will only allow five minutes of clock skew between machines. By the way, the time zone doesn't affect that, because the comparison is done in UTC, but what you don't want is for your computers to be out of sync on time.
So the PDC emulator master is in charge of that. And lastly, the other thing it does is handle GPOs, group policy objects: by default, the Group Policy Management Console edits the master copy of your group policies, which are very important things in the domain, on the PDC emulator.
So again, it handles password changes.
OK. It handles time synchronization.
OK. It handles GPOs. And it also handles legacy NT boxes: it acts as a PDC for those legacy NT boxes. So it's got a bunch of important jobs. A lot of times when people set up a domain, they think, oh, I don't need a PDC emulator because I don't have any legacy boxes in my environment anymore. Well, handling legacy authentication is the least of the things that server actually does.
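Because time is the PDC emulator job that bites Kerberos directly, here is an added example (not from the course) that locates the PDC emulator, shows which time source every DC is actually following, reports their offsets, and configures the PDC emulator as the reliable root of the domain's time hierarchy. The NTP peer time.windows.com is an assumption; use your organisation's own source.

```powershell
# Added example: find the PDC emulator and verify / configure domain time.
Import-Module ActiveDirectory

# Two ways to locate the PDC emulator: the AD module, and the DC locator that
# clients themselves use (nltest with the /pdc flag).
$pdc = [string](Get-ADDomainController -Discover -Service PrimaryDC).HostName
"PDC emulator: $pdc"
nltest "/dsgetdc:$((Get-ADDomain).DNSRoot)" /pdc

# Every other DC should report a DC as its source; only the PDC emulator should
# point at an external or hardware source. "Local CMOS Clock" means the machine
# is free-running and will eventually drift past the 5-minute Kerberos tolerance.
foreach ($dc in Get-ADDomainController -Filter *) {
    $source = w32tm /query "/computer:$($dc.HostName)" /source
    '{0,-20} syncs from {1}' -f $dc.HostName, ($source -join ' ')
}

# Offset of every DC in seconds, including relative to the PDC emulator; values
# approaching 300 s will start breaking Kerberos authentication.
$allDcs = (Get-ADDomainController -Filter * | ForEach-Object HostName) -join ','
w32tm /monitor "/computers:$allDcs"

# Run ON the PDC emulator only: sync from an external peer (0x8 = client mode),
# advertise as a reliable time source so the other DCs follow it, then resync.
if ($env:COMPUTERNAME -eq $pdc.Split('.')[0]) {
    w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
    w32tm /resync /rediscover
}
```

If you later transfer or seize the PDC emulator role, repeat the last step on the new holder and reset the old one to domain-hierarchy sync (w32tm /config /syncfromflags:domhier /reliable:no /update), otherwise two DCs will advertise as reliable sources.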
So these are all very important jobs that your environment depends on. All right. And remember that all of your domain controllers have at least a read-only copy of the data behind all five of those jobs. Your domain is going to start out with all five of them: the writable copy of all five will be on the first DC, and then you can transfer them if you want to move them off.
OK. But right now I just wanted to get across the concept of the difference between forest level and domain level roles, and help you understand a little bit about each one of them.