Microsoft Azure AZ-800 — Section 5: Create and manage AD DS security principals Part 3
41. The universal group membership caching feature
Now, we learned about universal groups in a previous lesson, but there are a couple of considerations about universal groups that I need to explain. Number one: the membership of a universal group is stored in, and replicated to, global catalog servers only. A domain controller that is not a global catalog does not hold that membership list, and that has some consequences you have to think about.
So I want to get into that with you now, and to do that I'm going to make a little drawing here. We'll create a domain, and in that domain we've got a computer and a couple of domain controllers. This is our first DC and this is our second DC, and the second DC is going to be a global catalog. The first DC is not a global catalog server.
Now, global catalog servers contain a list known as the universal group membership list. We'll put a little box around it, because this list is located only on global catalog servers.
OK, so this also means that when a user authenticates to your domain, it's going to authenticate using Kerberos. So we've got authentication occurring, and that's going to happen through Kerberos.
Now, the issue is that Kerberos is going to build a token for the user, carried in the Kerberos ticket, that lists the groups the user belongs to, and that token is what lets the user access everything they have rights to in the domain. In order to build that token, the domain controller needs to know which universal groups this person is a member of, and only global catalogs contain that information.
So what ends up happening is that the domain controller also has to send a query over to the global catalog to check the universal group membership list. The global catalog responds back to the domain controller with that list, and then the domain controller is able to build the correct token and allow this user to log on.
OK, so the user is able to authenticate. Normally this happens very quickly and isn't a big deal, but there could be an instance where it is. Let me give you this as a scenario, because on the exam it could show up as a scenario, and it would be this: you have users who are authenticating, and the users are complaining that the authentication process is a bit slow.
You suspect it's slow because of the global catalog. Now let's talk about why that might be. The reason it's slow might be that the global catalog servers are in a different site. Let me draw that out for you visually.
So perhaps you've got a site here and another site here. Maybe this site is New York, and this site is Dallas. The problem you're running into is that the users in New York are complaining it's taking too long to log on, because their domain controller has to send a request over to the global catalog in Dallas, and perhaps there isn't a very fast connection between New York and Dallas. And if that link goes down entirely, it's worse than slow: apart from users with cached logons, nobody in New York can log on at all, because the domain controller cannot finish building the token.
So what do we do? There are a couple of options. One option would be to make this New York domain controller a global catalog server, and that would totally solve the problem. Honestly, if you can do that, that's the way I would do it: make it a global catalog server. But what if the company does not want to add a lot of additional replication load to that server and to the WAN link into that site? Global catalogs do generate a good bit of additional replication, because a global catalog holds a partial replica of every domain in the forest, so in a big multi-domain environment that might not be a good idea.
So Microsoft made another solution for this, and the solution is to enable a feature known as universal group membership caching, which I'm going to call UGMC. You enable it on a per-site basis.
So I can enable UGMC for just the New York site if I want. What will happen is that the domain controllers in New York will contact a global catalog, pull down the universal group memberships of the users who log on there, and keep a cached copy. By default that cache is refreshed every eight hours; you can alter that frequency if you need to.
Now, because the domain controllers in New York have a read-only cached copy of that membership, your users in New York are going to be able to authenticate very quickly, without a round trip to Dallas on every logon. One caveat to remember: because it is a cache, a membership change you make to a universal group is not seen in New York until the next refresh.
So that's what universal group membership caching is all about. Again, I recommend making the domain controller a global catalog server itself if you can; in a perfect world you have at least one global catalog server in every site. But if you're concerned about the replication load that would add to the site, then you can use universal group membership caching. Now I'd like to show you how to turn it on.
So here we are on the domain controller. We're going to click Start and go to Server Manager. Once Server Manager is done loading, we can open the Active Directory Sites and Services tool: go to Tools and click Active Directory Sites and Services.
They've put this setting in kind of a strange place, and a lot of people in the past have had trouble finding it, so I'm going to show you exactly where to look. To enable this on a site, you click the site you want. In my case I've got Default-First-Site-Name, Dallas and New York, and I'm going to do this for New York, so I click New York. If you look over to the right, you'll see an object called NTDS Site Settings. Right-click that object, go to Properties, and there it is: Enable Universal Group Membership Caching. That's where you turn it on.
Once you turn it on, the "Refresh cache from" drop-down lets you say which site the cache gets refreshed from. The default means the domain controllers will use the nearest site that has a global catalog, chosen by site link cost. If I wanted to choose a specific site, like Default-First-Site-Name, which of course is where my global catalog server actually is, I would select it there. I click OK, and just like that, universal group membership caching is enabled for New York.
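The same setting from PowerShell, as an added example that is not part of the course. The checkbox in Active Directory Sites and Services sets bit 0x20 of the options attribute on the site's NTDS Site Settings object, and the "Refresh cache from" drop-down sets msDS-Preferred-GC-Site on that same object, so the script below reads and writes those two attributes directly. It assumes you run it on a domain controller or an RSAT host with the ActiveDirectory module, as an account allowed to modify the Configuration partition, and that the site names match the lesson's drawing; the function names are mine.

```powershell
# Added example, not code from the course: inspect and enable Universal Group
# Membership Caching per site from PowerShell.
# Assumptions: ActiveDirectory module available; the account can write the
# Configuration partition; site names "New York" and "Default-First-Site-Name"
# exist as in the lesson.
Import-Module ActiveDirectory

$UgmcFlag = 0x20                                        # UGMC bit in nTDSSiteSettings 'options'
$ConfigNC = (Get-ADRootDSE).configurationNamingContext   # CN=Configuration,DC=...

function Get-UgmcState {
    # One row per site: whether caching is on and which site it refreshes from.
    Get-ADObject -SearchBase "CN=Sites,$ConfigNC" -LDAPFilter '(objectClass=nTDSSiteSettings)' `
                 -Properties options, 'msDS-Preferred-GC-Site' |
    ForEach-Object {
        # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,... so the site is the second RDN.
        $site = ($_.DistinguishedName -split ',')[1] -replace '^CN=', ''
        $pref = $_.'msDS-Preferred-GC-Site'
        if ($pref) { $refresh = ($pref -split ',')[0] -replace '^CN=', '' }
        else       { $refresh = '<Default> (nearest GC site by site link cost)' }
        [pscustomobject]@{
            Site            = $site
            UgmcEnabled     = (([int]$_.options) -band $UgmcFlag) -ne 0
            RefreshFromSite = $refresh
        }
    }
}

function Enable-Ugmc {
    param(
        [Parameter(Mandatory)] [string] $Site,
        [string] $RefreshFromSite            # omit to keep the GUI's <Default> behaviour
    )
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$Site,CN=Sites,$ConfigNC" -Properties options
    # -bor keeps any other bits already set in 'options' (the attribute is a bit mask).
    $replace = @{ options = (([int]$settings.options) -bor $UgmcFlag) }
    if ($RefreshFromSite) {
        $replace['msDS-Preferred-GC-Site'] = "CN=$RefreshFromSite,CN=Sites,$ConfigNC"
    }
    Set-ADObject -Identity $settings -Replace $replace
}

function Disable-Ugmc {
    param([Parameter(Mandatory)] [string] $Site)
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$Site,CN=Sites,$ConfigNC" `
                             -Properties options, 'msDS-Preferred-GC-Site'
    Set-ADObject -Identity $settings -Replace @{ options = (([int]$settings.options) -band (-bnot $UgmcFlag)) }
    if ($settings.'msDS-Preferred-GC-Site') {
        Set-ADObject -Identity $settings -Clear 'msDS-Preferred-GC-Site'
    }
}

# Usage matching the lesson: cache in New York, refresh from the site that holds the GC.
Enable-Ugmc -Site 'New York' -RefreshFromSite 'Default-First-Site-Name'
Get-UgmcState | Format-Table -AutoSize
```

Because NTDS Site Settings lives in the Configuration partition, the change replicates to every domain controller in the forest and applies to all DCs in that site. Two things to check afterwards: the first logon of a user in the caching site still needs a reachable global catalog to seed the cache, and a user removed from a universal group keeps that membership in the caching site until the next refresh. The eight-hour interval itself is a per-DC registry setting under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters; to my recollection Microsoft documents it as "Cached Membership Refresh Interval (minutes)" with a default of 480, so verify the value name on your DC before scripting it.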
42. Using PowerShell for AD DS Users, organizational units, and Groups
So, we've spent some time now creating organizational units, users, groups and all that using the graphical tools. I want to spend some time now showing you how we can do some of this with PowerShell.
So we're just going to jump right into PowerShell. I'm going to do a search here and open up the ISE, the Integrated Scripting Environment, because it's a little easier to write this kind of command inside the ISE. Just so you know, you could also do this in the PowerShell console directly; it doesn't matter. I'm writing it in the ISE because it's helpful if you're going to write a script, and it's a little easier than doing it directly in the console. Remember that one way to get into the ISE is to open up PowerShell, type ise and hit Enter, and it'll bring you into the Integrated Scripting Environment.
So this is where I'm going to write a little bit of code. I'm just going to bump up the font a little bit to make it easier to view. The other thing I want to clarify is that Microsoft has documentation online for every one of their commands, so use that to your benefit.
So here I am on my domain controller, and I'm going to create an organizational unit. Don't forget that if I don't remember the command I'm looking for, I can always search for it: Get-Command -Noun *org* shows every command whose noun has "org" in it. And so I'm going to use the New-ADOrganizationalUnit command.
If I didn't know how to use it, I could open up my web browser, search for New-ADOrganizationalUnit, find the reference page for the command, and read the examples on how to use it. You can also do the same thing without leaving PowerShell with Get-Help New-ADOrganizationalUnit -Examples.
OK, so if you don't know how to use a command, use these help articles. I encourage you to do that. I often get emails from students saying, "I can't get a command to work," and if you just go to the article and look at the examples, you can see exactly how to use the command. It'll really, really help you.
OK, so let's say I want to create an organizational unit. I'm going to type New-ADOrganizationalUnit -Name, and we'll call it Research.
Then we need -Path, because we have to specify where in Active Directory this OU is going to be, and we specify that as a distinguished name.
If we want this OU to be in the root of the domain, then we type it out a certain way: DC=examlabpractice, where DC stands for domain component, then a comma, then DC=com. Notice that you cannot write the domain name with periods; each label of the DNS name becomes its own DC= component, so examlabpractice.com is written DC=examlabpractice,DC=com.
If we wanted to put Research under a different OU, let's say under the IT OU, then the path would have been OU=IT,DC=examlabpractice,DC=com. We're not going to do that; we're going to put it in the root.
From there, we're just going to hit Run on the script and see if it ran. We'll go over to Active Directory Users and Computers, refresh it, and as you can see the OU has appeared in Active Directory, so it did work.
So now we're ready to create a user. First, though, I'll just show you how we can search for our users. We can use the command Get-ADUser with -Filter. If you wanted to search for a specific user, you could filter on that user's name, or I can just put * and that'll show me every user that I've got. (In a real domain of any size you'd want to narrow that with -SearchBase rather than pull back every account.)
So if I highlight that line and click Run Selection, it shows all of the users I currently have inside my environment here.
So now I'm going to create a user, and this is a little bit more complicated, so bear with me. We're going to type New-ADUser -Name, and we're going to create a user named Bill Johnson.
-GivenName is the first name, which will be Bill, and -Surname is the last name, which will be Johnson.
Then we'll specify -SamAccountName, which is the pre-Windows 2000 logon name; we'll base that on the same name, Bill Johnson. And we'll set -UserPrincipalName, which looks like an email address and is what the user types to log on; that's going to be BillJohnson@examlabpractice.com.
From there we'll set -Path, and the path is going to put him in the Research OU, so that's OU=Research,DC=examlabpractice,DC=com.
Then we specify -AccountPassword, and this is where it gets a little interesting. Instead of typing the password into the script on the screen, we're going to make it prompt me. So in parentheses we put Read-Host, the command that produces the prompt, with -AsSecureString, which means the password is read into a SecureString rather than plain text: it isn't echoed on screen, and it doesn't sit in the script or the console history. Then we give it the message to display, "Input password", and close the parentheses. Finally we add -Enabled $true, which makes it go ahead and enable the account.
So we're going to run just this one line. It prompts for the password, we put the password in, and hopefully it worked. Looks like it did; I didn't get an error.
Let's jump over to Active Directory Users and Computers and refresh, and there's Bill Johnson. So Bill Johnson did get created, with the account info that I specified, and that is now a valid account inside my Active Directory.
And if we want, we can even run that Get-ADUser line again, and there's Bill Johnson showing up in the list. But now what I want to do is look at creating a group.
OK, so to create a group, we're going to use a command called New-ADGroup. Again, you can look up the documentation online very easily and it shows you how to use this command. We start with New-ADGroup -Name.
We're going to call this group Research and Development; that's going to be the name of the group. We'll set -SamAccountName to the same thing, Research and Development. Then -GroupCategory: this is going to be a security group. In the graphical tool that's called the group type; in PowerShell they call it the group category. Then -GroupScope, and you can see the different options there; let's make it a global group.
From there we'll set -DisplayName to Research and Development as well; that's kind of the friendly name. Then -Path, and we're going to put it in the same place: OU=Research,DC=examlabpractice,DC=com. By the way, the path doesn't have to be capitalized; I'm capitalizing it to make it look neat, but distinguished names are not case sensitive. Passwords on user accounts are case sensitive, but not this path.
Then we could give it a -Description if we want; we don't have to, but you could say "The R&D group". From there we run this line, and hopefully it worked. We'll go over to Active Directory Users and Computers, refresh, and there it is: our group is created.
So how would we add a member? I encourage you to try that one yourself; I'm not going to demonstrate it. There's a command for adding a member to a group, Add-ADGroupMember, and its documentation shows you right there how you can do it. Try adding a user to the group on your own and see if you can do that.
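Putting the four steps together, here is an added example of the whole lesson as one re-runnable script; it is not the course's own script. It uses the lesson's domain examlabpractice.com, OU Research, user Bill Johnson and group Research and Development, and adds the checks you would want before running it against a real domain: create only what is missing, prompt for the password as a SecureString, and confirm the account actually ended up enabled. Two naming choices are mine and not from the lesson: the logon name BillJohnson (no space) and the group's pre-Windows 2000 name ResearchDev.

```powershell
# Added example, not the course's own script: OU, user, group and membership as one
# idempotent provisioning script.
# Assumptions (not from the lesson): the domain is examlabpractice.com, Bill Johnson's
# logon name is BillJohnson, and the group's pre-Windows 2000 name is ResearchDev.
# Run it as an account that has been delegated rights on the target OU, not as a
# Domain Admin.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$DomainDN  = $Domain.DistinguishedName      # DC=examlabpractice,DC=com
$OuName    = 'Research'
$OuDN      = "OU=$OuName,$DomainDN"
$Sam       = 'BillJohnson'
$GroupName = 'Research and Development'
$GroupSam  = 'ResearchDev'

# 1. Organizational unit. A scoped LDAP search is used instead of -Identity because
#    Get-ADOrganizationalUnit -Identity throws when the OU does not exist yet.
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. User. Read-Host -AsSecureString keeps the password off the screen, out of the
#    script file and out of the console history; never hard-code it or use
#    ConvertTo-SecureString -AsPlainText in a saved script.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
    $pw = Read-Host -AsSecureString 'Input password'
    New-ADUser -Name 'Bill Johnson' -GivenName 'Bill' -Surname 'Johnson' `
        -SamAccountName $Sam -UserPrincipalName "$Sam@$($Domain.DNSRoot)" `
        -Path $OuDN -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
}
# If the password failed the domain's policy, New-ADUser reports an error but the
# object is still created, disabled. Check instead of assuming the line "worked".
$user = Get-ADUser -Identity $Sam -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Warning "$Sam was not created; check the New-ADUser error above."
} elseif (-not $user.Enabled) {
    Write-Warning "$Sam exists but is disabled; set a compliant password with Set-ADAccountPassword, then Enable-ADAccount."
}

# 3. Security group with global scope, placed in the same OU.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupSam'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupSam -DisplayName $GroupName `
        -GroupCategory Security -GroupScope Global -Path $OuDN -Description 'The R&D group'
}

# 4. Membership, the step the lesson leaves as an exercise. Add only when the user is
#    not already a member so the script can be run again safely.
$members = Get-ADGroupMember -Identity $GroupSam | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $Sam) {
    Add-ADGroupMember -Identity $GroupSam -Members $Sam
}

# Verify. The user query is scoped to the OU rather than 'Get-ADUser -Filter *', which
# enumerates the whole domain; the membership query shows each group's scope, which
# ties back to the universal group discussion in the previous lesson.
Get-ADUser -Filter * -SearchBase $OuDN | Select-Object Name, SamAccountName, Enabled
Get-ADPrincipalGroupMembership -Identity $Sam | Select-Object Name, GroupScope, GroupCategory
```

Each step queries before it creates, so running the script twice makes no changes the second time, and the warnings after step 2 catch the common case where the prompted password does not meet policy and the account is silently left disabled.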
So again, the big thing I want to encourage you to do is get used to using these documents, because it's going to make a big difference. People are so intimidated by PowerShell, but if you actually use the help documents and look at their examples, it becomes so much easier, and you're going to be able to tackle all sorts of things in the wonderful world of PowerShell. But you've got to be willing to dig in and read through those documents.