Active Directory Administration Cookbook

By: Sander Berkouwer

Overview of this book

Active Directory is the directory service that Windows administrators use to automate network, security, and access management tasks across a Windows infrastructure. This book starts with a detailed look at forests, domains, trusts, schemas, and partitions. Next, you'll learn how to manage domain controllers, organizational units, and the default containers. You'll then explore managing Active Directory sites and identifying and solving replication problems. The following chapters cover the different components of Active Directory and the management of users, groups, and computers. You'll work through recipes for managing Active Directory domains, user and group objects, computer accounts, expiring group memberships, and group Managed Service Accounts (gMSAs) with PowerShell. You'll learn how Group Policy works and how to get the most out of it. The last set of chapters covers federation, security, and monitoring. You will also learn about Azure Active Directory and how to integrate on-premises Active Directory with Azure AD, including how Azure AD Connect synchronization works. By the end of the book, you will have a detailed understanding of Active Directory and Azure AD.

Optimizing Forests, Domains, and Trusts

Back in the year 2000, when Active Directory was introduced to the larger public, we lived in a different world. The internet was only just starting to deliver value to businesses. That's why, in Windows 2000 Server, Active Directory was largely disconnected from the internet. Windows 2000 Server's default Domain Name System (DNS) settings even created a root zone (named "."), which made the server believe it was authoritative for the entire DNS root; if you wanted to resolve internet names, you had to delete that "." zone manually.

Fast forward to today, and the internet and cloud services seem omnipresent. The default "." DNS zone has disappeared from Windows Server, but the concepts of trees and forests in Active Directory have persisted, and they still cause some confusion among Active Directory admins.

To explain domains, trees, and forests in Active Directory, we need to acknowledge Active Directory's past. To create anything in Active Directory, you first need to create a domain, and that starts with the name. For a hypothetical organization, Lucern Publishing, four typical domain names would be as follows:

Type                                        Domain name
Public DNS domain name
Internal part of a public DNS domain name
Non-public DNS domain name                  lucernpub.local
Single-label domain name                    lucernpubcom

The first two options are the preferred ones: they are public, globally unique DNS names that you control, and they double as RFC 822-style userPrincipalName suffixes (user@domain). The third option is common, but .local is not one of the top-level names that RFC 2606 reserves for private use; it is instead claimed by multicast DNS (RFC 6762), so it should be avoided. The fourth option is a typical single-label domain name, usually the result of a common error by administrators who migrated from Windows NT 4 Server's NetBIOS-style domain model to Active Directory. Most products that once supported single-label domains are no longer around, and those that remain, Microsoft's own included, no longer support single-label domain names or explicitly advise against them.

Lucern Publishing may be quite a successful organization, so it might expand its operations from Switzerland to Europe, North America, and Asia. For reasons we'll discuss later, it might want a separate Active Directory domain for each of these territories, while keeping them working together as one organization. This is where a domain tree comes into play. Lucern Publishing might choose to create three subdomains under


They've created a tree of Active Directory domains that share one contiguous DNS namespace. Of course, Lucern Publishing might also choose to create multiple trees, next to the domain or tree, to accommodate an organizational layout with different names for their global expansions, such as Austin Publishing and Wuhan Publishing. In this case, it will make sense to create separate domains such as and Effectively, Lucern Publishing will create three trees this way, belonging to the same Active Directory forest. Keep in mind that the forest, not the domain, is the security boundary: every domain in a forest shares the same schema and configuration partitions, and the domains are linked by automatic two-way transitive trusts. Yes, some Active Directory environments are large structures with many large trees, but the default Active Directory forest consists of just one tree, with one Active Directory domain.
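To make the naming rules in the table and the tree/forest layout above concrete, here is an added PowerShell example. It is my own code, not from the book: one function grades a candidate domain name against the four categories in the table (plus basic label validity), and a second groups a list of forest domains into trees by finding the domains that have no DNS parent in the forest. All domain names in the sample data are constructed for this example and use the RFC 2606-reserved .example TLD; the only real cmdlet referenced is Get-ADForest from the ActiveDirectory module, for running the grouping against a live forest.

```powershell
# Added example (not the book's code). Grades AD DNS names against the naming
# table above and groups a forest's domains into trees. Sample names are constructed.

function Test-AdDomainName {
    param([Parameter(Mandatory)][string]$Name)

    $labels = $Name.TrimEnd('.').Split('.')
    # Hostname label rules (RFC 1123): 1-63 chars of letters, digits and hyphens,
    # no leading or trailing hyphen. Underscores fail this check on purpose.
    $badLabels = @($labels | Where-Object { $_ -notmatch '^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$' })

    if ($badLabels.Count -gt 0) {
        $verdict = 'Invalid label(s): ' + ($badLabels -join ', ')
    } elseif ($labels.Count -eq 1) {
        $verdict = 'Single-label domain name: avoid'
    } elseif ($labels[-1] -eq 'local') {
        $verdict = '.local is claimed by multicast DNS (RFC 6762): avoid'
    } elseif ($labels[-1] -in @('test', 'example', 'invalid', 'localhost')) {
        $verdict = 'RFC 2606 reserved TLD: fine for a lab, not for production'
    } else {
        $verdict = 'Public DNS namespace (or a subdomain of one): preferred'
    }

    [pscustomobject]@{ Name = $Name; Labels = $labels.Count; Verdict = $verdict }
}

function Group-AdDomainsByTree {
    param([Parameter(Mandatory)][string[]]$Domains)

    $all = @($Domains | ForEach-Object { $_.ToLowerInvariant().TrimEnd('.') } | Sort-Object -Unique)

    # A domain is a tree root when no other domain in the forest is its DNS parent.
    $roots = @($all | Where-Object {
        $child = $_
        -not ($all | Where-Object { $_ -ne $child -and $child.EndsWith(".$_") })
    })

    foreach ($root in $roots) {
        [pscustomobject]@{
            TreeRoot = $root
            Members  = @($all | Where-Object { $_ -eq $root -or $_.EndsWith(".$root") })
        }
    }
}

# Constructed sample forest (hypothetical names): one tree with two child domains
# plus two separate trees, mirroring the Lucern / Austin / Wuhan layout in the text.
$sampleForestDomains = @(
    'lucernpub.example',
    'emea.lucernpub.example',
    'apac.lucernpub.example',
    'austinpub.example',
    'wuhanpub.example'
)

Group-AdDomainsByTree -Domains $sampleForestDomains | Format-Table -AutoSize

# One candidate per row of the naming table, plus a malformed label.
'lucernpub.example', 'ad.lucernpub.example', 'lucernpub.local', 'lucernpubcom', 'lucern_pub.example' |
    ForEach-Object { Test-AdDomainName -Name $_ } | Format-Table -AutoSize

# Against a live forest (ActiveDirectory module, domain-joined session):
# Group-AdDomainsByTree -Domains (Get-ADForest).Domains
```

The grouping relies only on DNS suffix matching, which is exactly how Active Directory defines a tree: a child domain's DNS name is contiguous with its parent's. Any domain that is not a suffix-child of another forest domain comes out as a tree root, so a forest with one tree and one domain prints a single row.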

In this chapter, we'll discuss the reasoning behind creating domains and forests. We'll also discuss userPrincipalName (UPN) suffixes and trusts. The goal of this chapter is to help you make the right choices in terms of your Active Directory structure.

The following recipes will be covered in this chapter:

  • Listing the domains in your forest
  • Using adprep.exe to prepare for new AD functionality
  • Raising the domain functional level to Windows Server 2016
  • Raising the forest functional level to Windows Server 2016
  • Creating the right trust
  • Verifying a trust
  • Securing a trust
  • Extending the schema
  • Enabling the Active Directory Recycle Bin
  • Managing UPN suffixes

Before going through these recipes, we will look at a few aspects that you will need to know for this chapter.

Let's begin!