
Windows Server Active Directory Group Scopes

Group Scopes

Overview of Group Scopes

It is time for us to review the group scopes available in Windows Server technologies. It is critical that you understand these scopes as well as the conversion possibilities for success in the MCSA 70-742 exam for Windows Server 2016.

Domain Local Group Scope

Domain local groups are ideal for assigning permissions to objects in Active Directory. To scale things, we like to place global groups inside them. These global groups contain the actual user accounts that need access.

Can Include As Members:

  • Accounts from any domain
  • Global groups from any domain
  • Universal groups from any domain
  • Domain local groups but only from the same domain as the parent domain local group

Can Be Assigned Permissions In:

  • Only within the same domain as the parent domain local group

Group Scope Can Be Converted To:

  • Universal (as long as no other domain local groups exist as members)

Global Group Scope

As mentioned above, we love to use global groups to gather user accounts that need permissions assigned to domain local groups.

Can Include As Members:

  • Accounts from the same domain as the parent global group
  • Global groups from the same domain as the parent global group

Can Be Assigned Permissions In:

  • Any domain

Group Scope Can Be Converted To:

  • Universal (as long as it is not a member of any other global groups)

Universal Group Scope

Use groups with universal scope to consolidate groups that span domains. To do this, add the accounts to groups with global scope, and then nest these groups within groups that have universal scope. When you use this strategy, any membership changes in the groups that have global scope do not affect the groups with universal scope.

Can Include As Members:

  • Accounts from any domain within the forest in which this Universal Group resides
  • Global groups from any domain within the forest in which this Universal Group resides
  • Universal groups from any domain within the forest in which this Universal Group resides

Can Be Assigned Permissions In:

  • Any domain or forest

Group Scope Can Be Converted To:

  • Domain local
  • Global (as long as no other universal groups exist as members)


Cloning Windows Server 2016 Domain Controllers

Cloning

Overview

Using virtualization technologies certainly sounds exciting when it comes to your Domain Controllers in a Windows Server 2016 environment. After all, think about scalability. If you need more of it, just clone an existing Domain Controller and add the clone to your infrastructure.

The Steps

To ensure cloning is a success, Microsoft outlines a process for us and provides us with some new tools.

Step 1: On the virtual machine you want to clone (the source VM), run the Get-ADDCCloningExcludedApplicationList cmdlet. This shows you services and applications you might have installed on the Domain Controller that do not support cloning. Uninstall any that are true concerns.

Step 2: Rerun Get-ADDCCloningExcludedApplicationList with the -GenerateXml and -Path arguments in order to create an allow list XML file.

Step 3: Add the source VM you want to clone to the Cloneable Domain Controllers group. You can use the Add-ADGroupMember cmdlet or the GUI for this.

Step 4: Create a cloning configuration file for your new system. This XML file provides parameters like computer name and IP address for the new virtual machine. The easiest way to create this file is to use the New-ADDCCloneConfigFile PowerShell cmdlet.

Step 5: Shut down your source VM and duplicate it to create your clone. I recommend the Export and Import approach for the VM to ensure you get all your snapshots and other goodies.

Step 6: Boot your cloned Domain Controller and watch as the process of AD Cloning completes at startup.
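The six steps above as one PowerShell walk-through, added here as an example and not taken from the original post: the first part runs in an elevated session on the source Domain Controller, the second on the Hyper-V host. The machine names, IP addresses and folder paths are assumptions, as is the default NTDS location; the final step, removing the source from the Cloneable Domain Controllers group once cloning is done, is an addition that keeps the right to be cloned from lingering on the account.

```powershell
# Added example. All names, addresses and paths are placeholders (assumptions).
$SourceDC   = 'DC01'           # existing virtualized DC to clone
$CloneName  = 'DC02'           # computer name for the new DC
$NtdsDir    = 'C:\Windows\NTDS' # assumed default location of ntds.dit
$ExportRoot = 'D:\Export'      # Hyper-V host folder for the export
$CloneRoot  = 'D:\VMs\DC02'    # Hyper-V host folder for the imported clone

# ===== Part 1: on the source DC =====
Import-Module ActiveDirectory

# Step 1: list services/applications that are not known to be safe to clone.
Get-ADDCCloningExcludedApplicationList

# Step 2: after removing what cannot be cloned, write the allow list XML.
Get-ADDCCloningExcludedApplicationList -GenerateXml -Path $NtdsDir -Force

# Step 3: authorize this DC to be cloned.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity $SourceDC)

# Step 4: write the clone configuration (identity and network of the new DC).
New-ADDCCloneConfigFile -CloneComputerName $CloneName -Static `
    -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.10' `
    -Path $NtdsDir

# Step 5a: shut the source down so the copy is taken from a clean state.
Stop-Computer -Force

# ===== Part 2: on the Hyper-V host =====
# Step 5b: export the source VM, then import a copy with a new VM ID.
Export-VM -Name $SourceDC -Path $ExportRoot
$vmcx  = Get-ChildItem "$ExportRoot\$SourceDC\Virtual Machines" -Filter *.vmcx |
         Select-Object -First 1
$clone = Import-VM -Path $vmcx.FullName -Copy -GenerateNewId `
    -VirtualMachinePath $CloneRoot `
    -VhdDestinationPath "$CloneRoot\Virtual Hard Disks"
Rename-VM -VM $clone -NewName $CloneName

# Step 6: bring the source back first, then boot the clone; cloning runs at startup.
Start-VM -Name $SourceDC
Start-VM -VM $clone

# Afterwards (from any machine with the AD module): revoke the cloning right.
Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity $SourceDC) -Confirm:$false
```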