Mastering Active Directory

Book description

Become a master at managing enterprise identity infrastructure by leveraging Active Directory

About This Book

  • Manage your Active Directory services for Windows Server 2016 effectively
  • Automate administrative tasks in Active Directory using PowerShell
  • Manage your organization’s network with ease

Who This Book Is For

If you are an Active Directory administrator, system administrator, or network professional who has basic knowledge of Active Directory and are looking to gain expertise in this topic, this is the book for you.

What You Will Learn

  • Explore the new features in Active Directory Domain Service 2016
  • Automate AD tasks with PowerShell
  • Get to know the advanced functionalities of the schema
  • Learn about Flexible Single Master Operation (FSMO) roles and their placement
  • Install and migrate Active Directory from older versions to Active Directory 2016
  • Manage Active Directory objects using different tools and techniques
  • Manage users, groups, and devices effectively
  • Design your OU structure in the best way
  • Audit and monitor Active Directory
  • Integrate Azure with Active Directory for a hybrid setup

In Detail

Active Directory is a centralized and standardized system that automates networked management of user data, security, and distributed resources and enables interoperation with other directories. If you are aware of Active Directory basics and want to gain expertise in it, this book is perfect for you.

We will quickly go through the architecture and fundamentals of Active Directory and then dive deep into the core components, such as forests, domains, sites, trust relationships, OU, objects, attributes, DNS, and replication. We will then move on to AD schemas, global catalogs, LDAP, RODC, RMS, certificate authorities, group policies, and security best practices, which will help you gain a better understanding of objects and components and how they can be used effectively. We will also cover AD Domain Services and Federation Services for Windows Server 2016 and all their new features. Last but not least, you will learn how to manage your identity infrastructure for a hybrid-cloud setup. All this will help you design, plan, deploy, manage operations on, and troubleshoot your enterprise identity infrastructure in a secure, effective manner.

Furthermore, I will guide you through automating administrative tasks using PowerShell cmdlets. Toward the end of the book, we will cover best practices and troubleshooting techniques that can be used to improve security and performance in an identity infrastructure.

Style and approach

This step-by-step guide will help you master the core functionalities of Active Directory services using Microsoft Server 2016 and PowerShell, with real-world best practices at the end.

Table of contents

  1. Preface
    1. Why subscribe?
    2. What this book covers
    3. What you need for this book
    4. Who this book is for
    5. Conventions
    6. Reader feedback
    7. Customer support
      1. Downloading the example code
      2. Downloading the color images of this book
      3. Errata
      4. Piracy
      5. Questions
  2. Active Directory Fundamentals
    1. Benefits of using Active Directory
      1. Centralized data repository
      2. Replication of data
      3. High availability
      4. Security
      5. Auditing capabilities
      6. Single sign-on
      7. Schema modification
      8. Querying and indexing
    2. Active Directory components
      1. Logical components
        1. Forests
        2. Domains
        3. Domain trees
        4. Organizational units
      2. Physical components
        1. Domain controllers
        2. Global catalog server
        3. Active Directory sites
    3. Active Directory objects
      1. Globally unique identifier and security identifier
      2. Distinguished names
    4. Active Directory server roles
      1. Active Directory Domain Service
        1. Read-only domain controllers
      2. Active Directory Federation Services
      3. Active Directory Lightweight Directory Services
      4. Active Directory Rights Management Services
      5. Active Directory Certification Services
    5. Summary
  3. Active Directory Domain Services 2016
    1. AD DS 2016 features
      1. Deprecation of Windows Server 2003 domain and forest functional levels
      2. Deprecation of File Replication Services
    2. Privileged Access Management
      1. What is it to do with AD DS 2016?
        1. What is the logic behind PAM?
    3. Time-based group memberships
    4. Microsoft Passport
    5. Active Directory Federation Services improvements
    6. Time sync improvements
    7. Summary
  4. Designing Active Directory Infrastructure
    1. What makes a good system?
      1. New business requirements
      2. Correcting legacy design mistakes
    2. Gathering business data
      1. Defining security boundaries
      2. Identifying the physical computer network structure
    3. Designing the forest structure
      1. Single forest
      2. Multiple forest
      3. Creating the forest structure
        1. Autonomy
        2. Isolation
      4. Selecting forest design models
        1. Organizational forest model
        2. Resource forest model
        3. Restricted access forest model
    4. Designing the domain structure
      1. Single domain model
      2. Regional domain model
      3. The number of domains
      4. Deciding domain names
      5. Forest root domain
      6. Deciding domain and forest functional levels
    5. Designing the OU structure
    6. Designing the physical topology of Active Directory
      1. Physical or virtual domain controllers
      2. Domain controller placement
    7. Global catalog server placement
    8. Summary
  5. Active Directory Domain Name System
    1. What is DNS?
    2. Hierarchical naming structure
    3. How DNS works
    4. DNS essentials
      1. DNS records
        1. Start of authority record
        2. A and AAAA records
        3. NS records
        4. MX records
        5. Canonical name record
        6. PTR record
        7. SRV records
      2. Zones
        1. Primary zone
        2. Secondary zone
        3. Stub zone
        4. Reverse lookup zone
        5. DNS server operation modes
        6. Zone transfers
      3. DNS delegation
    5. Summary
  6. Placing Operations Master Roles
    1. FSMO roles
      1. Schema operations master
      2. Domain naming operations master
      3. Primary domain controller emulator operations master
      4. Relative ID operations master role
      5. Infrastructure operations master
    2. FSMO roles placement
      1. Active Directory logical and physical topology
      2. Connectivity
      3. The number of domain controllers
      4. Capacity
    3. Moving FSMO roles
    4. Seize FSMO roles
    5. Summary
  7. Migrating to Active Directory 2016
    1. Active Directory Domain Service installation prerequisites
      1. Hardware requirements
      2. Virtualized environment requirements
      3. Additional requirements
      4. Active Directory Domain Service installation methods
    2. Active Directory Domain Service deployment scenarios
      1. Setting up a new forest root domain
        1. Active Directory Domain Service installation checklist for first domain controller
        2. Design topology
        3. Installation steps
      2. Setting up an additional domain controller
        1. Active Directory Domain Service installation checklist for an additional domain controller
        2. Design topology
        3. Installation steps
      3. Setting up a new domain tree
        1. Active Directory Domain Service installation checklist for a new domain tree
        2. Design topology
        3. Installation steps
      4. Setting up a new child domain
        1. Active Directory Domain Service installation checklist for a new child domain
        2. Design topology
        3. Installation steps
    3. How to plan Active Directory migrations
      1. Migration life cycle
        1. Audit
          1. Active Directory logical and physical topology
          2. Active Directory health check
          3. System Center Operation Manager and Operation Management Suite
          4. Active Directory health checklist
          5. Application audit
        2. Plan
        3. Implementation
          1. Active Directory migration checklist
          2. Design topology
          3. Installation steps
          4. Verification
        4. Maintain
    4. Summary
  8. Managing Active Directory Objects
    1. Tools and methods to manage objects
      1. Active Directory Administrative Center
      2. The Active Directory Users and Computers MMC
      3. Active Directory object administration with PowerShell
    2. Creating, modifying, and removing objects in Active Directory
      1. Creating Active Directory objects
        1. Creating user objects
        2. Creating computer objects
      2. Modifying Active Directory objects
      3. Removing Active Directory objects
    3. Finding objects in Active Directory
      1. Finding objects using PowerShell
    4. Summary
  9. Managing Users, Groups, and Devices
    1. Object attributes
      1. Custom attributes
    2. User accounts
      1. Managed Service Accounts
      2. Group Managed Service Accounts
        1. Uninstalling Managed Service Account
    3. Groups
      1. Group scope
        1. Converting groups
        2. Setting up groups
    4. Devices and other objects
    5. Best practices
    6. Summary
  10. Designing the OU Structure
    1. OUs in operations
      1. Organizing objects
      2. Delegating control
      3. Group policies
      4. Containers versus OUs
    2. OU design models
      1. The container model
      2. The object type model
      3. The geographical model
      4. The department model
    3. Managing the OU structure
      1. Delegating control
    4. Summary
  11. Managing Group Policies
    1. Benefits of group policies
      1. Maintaining standards
      2. Automating administration tasks
      3. Preventing users from changing system settings
      4. Flexible targeting
      5. No modifications to target
    2. Group Policy capabilities
    3. Group Policy objects
      1. Group Policy container
      2. The Group Policy template
    4. Group Policy processing
    5. Group Policy inheritance
    6. Group Policy conflicts
    7. Group Policy mapping and status
      1. Administrative templates
    8. Group Policy filtering
      1. Security filtering
      2. WMI filtering
    9. Group Policy preferences
    10. Item-level targeting
    11. Loopback processing
    12. Group Policy best practices
    13. Summary
  12. Active Directory Services
    1. The AD LDS overview
      1. Where to use LDS?
        1. Application developments
        2. Hosted applications
        3. Distributed data stores for Active Directory integrated applications
        4. Migrating from other directory services
      2. The LDS installation
    2. The Active Directory replication
      1. FRS versus DFSR
        1. Prepared state
        2. Redirected state
        3. Eliminated state
    3. Active Directory sites and replication
      1. Replication
      2. Authentication
      3. Service locations
    4. Sites
      1. Subnets
      2. Site links
      3. Site link bridges
    5. Managing Active Directory sites and other components
      1. Managing sites
      2. Managing site links
        1. The site cost
        2. Inter-site transport protocols
        3. Replication intervals
        4. Replication schedules
        5. Site link bridge
        6. Bridgehead servers
        7. Managing subnets
    6. How does replication work?
      1. Intra-site replications
      2. Inter-site replications
      3. Knowledge Consistency Checker
      4. How an update occurs
        1. The update sequence number
        2. Directory Service Agent GUID and invocation ID
        3. The high watermark vector table
        4. The up-to-dateness vector table
    7. The read-only domain controllers
    8. Active Directory database maintenance
      1. The ntds.dit file
      2. The edb.log file
      3. The edb.chk file
      4. The temp.edb file
      5. Offline defragmentation
    9. Active Directory backup and recovery
      1. Preventing accidental deletion of objects
      2. Active Directory Recycle Bin
      3. Active Directory snapshots
      4. Active Directory system state backup
      5. Active Directory recovery from system state backup
    10. Summary
  13. Active Directory Certificate Services
    1. PKI in action
      1. Symmetric keys versus asymmetric keys
      2. Digital encryption
      3. Digital signatures
      4. Signing, encryption, and decryption
      5. Secure Sockets Layer certificates
        1. Types of certification authorities
        2. How do certificates work with digital signatures and encryption?
        3. What can we do with certificates?
        4. Active Directory Certificate Service components
          1. The certification authority
          2. Certificate Enrollment Web Service
          3. Certificate Enrollment Policy Web Service
          4. Certification Authority Web Enrollment
          5. Network Device Enrollment Service
          6. Online Responder
          7. The types of CA
    2. Planning PKI
      1. Internal or public CAs
      2. Identifying the object types
      3. Cryptographic provider
      4. The cryptography key length
      5. Hash algorithms
      6. The certificate validity period
      7. The CA hierarchy
      8. High availability
      9. Deciding certificate templates
      10. The CA boundary
    3. PKI deployment models
      1. The single-tier model
      2. The two-tier model
      3. Three-tier models
    4. Setting up PKI
      1. Setting up a stand-alone root CA
        1. DSConfigDN
        2. CDP locations
        3. AIA locations
        4. CA time limits
        5. CRL time limits
        6. The new CRL
      2. Publishing the root CA data into the Active Directory
      3. Setting up the issuing CA
      4. Issuing a certificate for the issuing CA
      5. Post configuration tasks
        1. CDP locations
        2. AIA locations
        3. CA and CRL time limits
      6. Certificate templates
      7. Requesting certificates
    5. Summary
  14. Active Directory Federation Services
    1. How does AD FS work?
      1. Security Assertion Markup Language (SAML)
      2. WS-Trust
      3. WS-Federation
    2. AD FS components
      1. Federation Service
        1. AD FS 1.0
        2. AD FS 1.1
        3. AD FS 2.0
        4. AD FS 2.1
        5. AD FS 3.0
        6. AD FS 4.0
      2. The Web Application Proxy
      3. AD FS configuration database
    3. AD FS deployment topologies
      1. Single Federation Server
      2. Single federation server and single Web Application Proxy server
      3. Multiple federation servers and multiple Web Application Proxy servers with SQL Server
    4. AD FS deployment
      1. DNS records
      2. SSL certificates
      3. Installing the AD FS role
      4. Installing WAP
      5. Configuring the claim aware app with new federation servers
      6. Creating a relying party trust
      7. Configuring the Web Application Proxy
    5. Integrating with Azure MFA
      1. Prerequisites
      2. Creating a certificate in an AD FS farm to connect to Azure MFA
      3. Enabling AD FS servers to connect with Azure Multi-Factor Auth Client
      4. Enabling AD FS farm to use Azure MFA
      5. Enabling Azure MFA for authentication
    6. Summary
  15. Active Directory Rights Management Services
    1. What is AD RMS?
    2. AD RMS components
      1. Active Directory Domain Services
        1. The AD RMS cluster
        2. Web server
        3. SQL Server
        4. AD RMS client
        5. Active Directory Certificate Service
    3. How does AD RMS work?
    4. AD RMS deployment
      1. Single forest – single cluster
      2. Single forest – multiple clusters
      3. AD RMS in multiple forests
      4. AD RMS with AD FS
    5. AD RMS configuration
      1. Setting up AD RMS root cluster
      2. Installing the AD RMS role
      3. Configuring the AD RMS role
      4. Testing by protecting data using the AD RMS cluster
      5. To protect the document
    6. Summary
  16. Active Directory Security Best Practices
    1. Active Directory authentication
    2. Delegating permissions
      1. Predefined Active Directory administrator roles
      2. Using object ACLs
      3. Using the delegate control method in AD
    3. Fine-grained password policies
      1. Limitations
      2. Resultant Set of Policy
      3. Configuration
    4. Pass-the-hash attacks
      1. Protected Users security group
      2. Restricted admin mode for RDP
      3. Authentication policies and authentication policy silos
        1. Authentication policies
        2. Authentication policy silos
        3. Creating authentication policies
        4. Creating authentication policy silos
    5. Just-in-time administration and just enough administration
      1. Just-in-time administration
      2. Just enough administration
    6. Summary
  17. Advanced AD Management with PowerShell
    1. AD management with PowerShell – preparation
      1. AD management commands and scripts
        1. Replication
        2. Replicating a specific object
      2. Users and Groups
        1. Last log on time
        2. Last log in date report
        3. Login failures report
        4. Finding the locked out account
        5. Password expire report
      3. JEA
        1. JEA configuration
        2. Testing
      4. Summary
  18. Azure Active Directory Hybrid Setup
    1. What is Azure AD?
      1. Benefits of Azure AD
      2. Azure AD limitations
      3. Azure AD editions
        1. Azure AD free version
        2. Azure AD Basic
        3. Azure AD Premium P1
        4. Azure AD Premium P2
    2. Integrate Azure AD with on-premises AD
      1. Azure AD Connect
      2. Azure AD Connect deployment topology
        1. Staging server
        2. Before installing the AD Connect server
    3. Step-by-step guide to integrate on-premises AD environment with Azure AD
      1. Creating a virtual network
      2. Creating an Azure AD instance
      3. Add DNS server details to the virtual network
      4. Create an AAD DC administrator group
      5. Creating a global administrator account for Azure AD Connect
      6. Add a custom domain to Azure AD
      7. Setting up Azure AD Connect
      8. Password synchronization
        1. Syncing NTLM and Kerberos credential hashes to Azure AD
    4. Manage Azure AD Domain Services using a virtual server
      1. Creating a virtual server in Azure in the same virtual network
      2. Joining the virtual server to Azure AD
      3. Installing RSAT tools and managing Azure AD through a virtual server
    5. Summary
  19. Active Directory Audit and Monitoring
    1. Auditing and monitoring Active Directory using inbuilt Windows tools and techniques
      1. Windows Event Viewer
        1. Custom views
        2. Windows logs
        3. Applications and Services logs
        4. Subscriptions
        5. Active Directory Domain Service event logs
        6. Active Directory Domain Service log files
    2. Active Directory audit
      1. Audit Directory Service Access
      2. Audit Directory Service Changes
      3. Audit Directory Service Replication
      4. Audit Detailed Directory Service Replication
    3. Demonstration
      1. Reviewing events
      2. Setting up event subscriptions
      3. Security event log from domain controllers
      4. Enabling advanced security audit policies
      5. Enforcing advanced auditing
      6. Reviewing events with PowerShell
    4. Microsoft Advanced Threat Analytics
      1. ATA benefits
      2. ATA components
        1. ATA center
        2. ATA gateway
        3. ATA Lightweight Gateway
      3. ATA deployments
        1. ATA deployment prerequisites
    5. Demonstration
      1. Installing ATA center
      2. Installing ATA Lightweight Gateway
      3. ATA testing
    6. Microsoft Operations Management Suite (OMS)
      1. Benefits of OMS
      2. OMS services
      3. OMS in a hybrid environment
      4. What benefits will it have for Active Directory?
    7. Demonstration
      1. Enabling OMS AD solutions
      2. Installing OMS agents
      3. Viewing analyzed data
      4. Collecting Windows logs for analysis
    8. Summary
  20. Active Directory Troubleshooting
    1. How to troubleshoot AD DS replication issues
      1. Identifying replication issues
      2. Event Viewer
        1. System Center Operation Manager
        2. Microsoft Operation Management Suite (OMS)
    2. Troubleshooting replication issues
      1. Lingering objects
        1. Strict replication consistency
      2. Removing lingering objects
    3. DFS replication issues
      1. Troubleshooting
        1. Verifying the connection
        2. SYSVOL share status
        3. DFS replication status
        4. DFSR crash due to dirty shutdown of the domain controller (event ID 2213)
        5. Content freshness
        6. Non-authoritative DFS replication
        7. Authoritative DFS replication
    4. How to troubleshoot Group Policy issues
      1. Troubleshooting
        1. Forcing Group Policy processing
        2. Resultant Set of Policy (RSoP)
        3. GPRESULT
        4. Group Policy Results Wizard
        5. Group Policy Modeling Wizard
    5. How to troubleshoot AD DS database-related issues
      1. Integrity checking to detect low-level database corruption
      2. AD database recovery
    6. Summary

Product information

  • Title: Mastering Active Directory
  • Author(s): Dishan Francis
  • Release date: June 2017
  • Publisher(s): Packt Publishing
  • ISBN: 9781787289352