Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Active Directory Administration Cookbook
  • Table Of Contents Toc
  • Feedback & Rating feedback
Active Directory Administration Cookbook

Active Directory Administration Cookbook

By : Sander Berkouwer
5 (2)
Buy this Book
close
close
Active Directory Administration Cookbook

Active Directory Administration Cookbook

5 (2)
By: Sander Berkouwer
Buy this Book

Overview of this book

Active Directory is an administration system for Windows administrators to automate network, security and access management tasks in the Windows infrastructure. This book starts off with a detailed focus on forests, domains, trusts, schemas and partitions. Next, you'll learn how to manage domain controllers, organizational units and the default containers. Going forward, you'll explore managing Active Directory sites as well as identifying and solving replication problems. The next set of chapters covers the different components of Active Directory and discusses the management of users, groups and computers. You'll also work through recipes that help you manage your Active Directory domains, manage user and group objects and computer accounts, expiring group memberships and group Managed Service Accounts (gMSAs) with PowerShell. You'll understand how to work with Group Policy and how to get the most out of it. The last set of chapters covers federation, security and monitoring. You will also learn about Azure Active Directory and how to integrate on-premises Active Directory with Azure AD. You'll discover how Azure AD Connect synchronization works, which will help you manage Azure AD. By the end of the book, you have learned about Active Directory and Azure AD in detail.
Table of Contents (16 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Sections
Icon
Get in touch
Lock Free Chapter
1
Optimizing Forests, Domains, and Trusts
chevron up
Icon
Optimizing Forests, Domains, and Trusts
Icon
Choosing between a new domain or forest
Icon
Listing the domains in your forest
Icon
Using adprep.exe to prepare for new Active Directory functionality
Icon
Raising the domain functional level to Windows Server 2016
Icon
Raising the forest functional level to Windows Server 2016
Icon
Creating the right trust
Icon
Verifying and resetting a trust
Icon
Securing a trust
Icon
Extending the schema
Icon
Enabling the Active Directory Recycle Bin
Icon
Managing UPN suffixes
2
Managing Domain Controllers
Icon
Managing Domain Controllers
Icon
Preparing a Windows Server to become a domain controller
Icon
Promoting a server to a domain controller
Icon
Promoting a server to a read-only domain controller
Icon
Using Install From Media
Icon
Using domain controller cloning
Icon
Determining whether a virtual domain controller has a VM-GenerationID
Icon
Demoting a domain controller
Icon
Demoting a domain controller forcefully
Icon
Inventory domain controllers
Icon
Decommissioning a compromised read-only domain controller
3
Managing Active Directory Roles and Features
Icon
Managing Active Directory Roles and Features
Icon
About FSMO roles
Icon
Querying FSMO role placement
Icon
Transferring FSMO roles
Icon
Seizing FSMO roles
Icon
Configuring the Primary Domain Controller emulator to synchronize time with a reliable source
Icon
Managing time synchronization for virtual domain controllers
Icon
Managing global catalogs
4
Managing Containers and Organizational Units
Icon
Managing Containers and Organizational Units
Icon
Differences between OUs and containers
Icon
Creating an OU
Icon
Deleting an OU
Icon
Modifying an OU
Icon
Delegating control of an OU
Icon
Modifying the default location for new user and computer objects
5
Managing Active Directory Sites and Troubleshooting Replication
Icon
Managing Active Directory Sites and Troubleshooting Replication
Icon
What do Active Directory sites do?
Icon
Recommendations
Icon
Creating a site
Icon
Managing a site
Icon
Managing subnets
Icon
Creating a site link
Icon
Managing a site link
Icon
Modifying replication settings for an Active Directory site link
Icon
Creating a site link bridge
Icon
Managing bridgehead servers
Icon
Managing the Inter-site Topology Generation and Knowledge Consistency Checker
Icon
Managing universal group membership caching
Icon
Working with repadmin.exe
Icon
Forcing replication
Icon
Managing inbound and outbound replication
Icon
Modifying the tombstone lifetime period
Icon
Managing strict replication consistency
Icon
Upgrading SYSVOL replication from File Replication Service to Distributed File System Replication
Icon
Checking for and remediating lingering objects
6
Managing Active Directory Users
Icon
Managing Active Directory Users
Icon
Creating a user
Icon
Deleting a user
Icon
Modifying several users at once
Icon
Moving a user
Icon
Renaming a user
Icon
Enabling and disabling a user
Icon
Finding locked-out users
Icon
Unlocking a user
Icon
Managing userAccountControl
Icon
Using account expiration
7
Managing Active Directory Groups
Icon
Managing Active Directory Groups
Icon
Creating a group
Icon
Deleting a group
Icon
Managing the direct members of a group
Icon
Managing expiring group memberships
Icon
Changing the scope or type of a group
Icon
Viewing nested group memberships
Icon
Finding empty groups
8
Managing Active Directory Computers
Icon
Managing Active Directory Computers
Icon
Creating a computer
Icon
Deleting a computer
Icon
Joining a computer to the domain
Icon
Renaming a computer
Icon
Testing the secure channel for a computer
Icon
Resetting a computer's secure channel
Icon
Changing the default quota for creating computer objects
9
Getting the Most Out of Group Policy
Icon
Getting the Most Out of Group Policy
Icon
Creating a Group Policy Object (GPO)
Icon
Copying a GPO
Icon
Deleting a GPO
Icon
Modifying the settings of a GPO
Icon
Assigning scripts
Icon
Installing applications
Icon
Linking a GPO to an OU
Icon
Blocking inheritance of GPOs on an OU
Icon
Enforcing the settings of a GPO Link
Icon
Applying security filters
Icon
Creating and applying WMI Filters
Icon
Configuring loopback processing
Icon
Restoring a default GPO
Icon
Creating the Group Policy Central Store
10
Securing Active Directory
Icon
Securing Active Directory
Icon
Applying fine-grained password and account lockout policies
Icon
Backing up and restoring GPOs
Icon
Backing up and restoring Active Directory
Icon
Working with Active Directory snapshots
Icon
Managing the DSRM passwords on domain controllers
Icon
Implementing LAPS
Icon
Managing deleted objects
Icon
Working with group Managed Service Accounts
Icon
Configuring the advanced security audit policy
Icon
Resetting the KRBTGT secret
Icon
Using SCW to secure domain controllers
Icon
Leveraging the Protected Users group
Icon
Putting authentication policies and authentication policy silos to good use
Icon
Configuring Extranet Smart Lock-out
11
Managing Federation
Icon
Managing Federation
Icon
Choosing the right AD FS farm deployment method
Icon
Installing the AD FS server role
Icon
Setting up an AD FS farm with Windows Internal Database
Icon
Setting up an AD FS farm with SQL Server
Icon
Adding additional AD FS servers to an AD FS farm
Icon
Removing AD FS servers from an AD FS farm
Icon
Creating a Relying Party Trust (RPT)
Icon
Deleting an RPT
Icon
Configuring branding
Icon
Setting up a Web Application Proxy
Icon
Decommissioning a Web Application Proxy
12
Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO)
Icon
Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO)
Icon
Choosing the right authentication method
Icon
Verifying your DNS domain name
Icon
Implementing Password Hash Sync with Express Settings
Icon
Implementing Pass-through Authentication
Icon
Implementing single sign-on to Office 365 using AD FS
Icon
Managing AD FS with Azure AD Connect
Icon
Implementing Azure Traffic Manager for AD FS geo-redundancy
Icon
Migrating from AD FS to Pass-through Authentication for single sign-on to Office 365
Icon
Making Pass-through Authentication (geo)redundant
13
Handling Synchronization in a Hybrid World (Azure AD Connect)
Icon
Handling Synchronization in a Hybrid World (Azure AD Connect)
Icon
Choosing the right sourceAnchor
Icon
Configuring staging mode
Icon
Switching to a staging mode server
Icon
Configuring Domain and OU filtering
Icon
Configuring Azure AD app and attribute filtering
Icon
Configuring MinSync
Icon
Configuring Hybrid Azure AD Join
Icon
Configuring Device writeback
Icon
Configuring Password writeback
Icon
Configuring Group writeback
Icon
Changing the passwords for Azure AD Connects service accounts
14
Hardening Azure AD
Icon
Hardening Azure AD
Icon
Setting the contact information
Icon
Preventing non-privileged users from accessing the Azure portal
Icon
Viewing all privileged users in Azure AD
Icon
Preventing users from registering or consenting to apps
Icon
Preventing users from inviting guests
Icon
Configuring whitelisting or blacklisting for Azure AD B2B
Icon
Configuring Azure AD Join and Azure AD Registration
Icon
Configuring Intune auto-enrollment upon Azure AD Join
Icon
Configuring baseline policies
Icon
Configuring Conditional Access
Icon
Accessing Azure AD Connect Health
Icon
Configuring Azure AD Connect Health for AD FS
Icon
Configuring Azure AD Connect Health for AD DS
Icon
Configuring Azure AD Privileged Identity Management
Icon
Configuring Azure AD Identity Protection
15
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Leave a review - let other readers know what you think

Enabling the Active Directory Recycle Bin

The Active Directory Recycle Bin was introduced as a new Active Directory feature with Windows Server 2008 R2. It enables administrators to restore (accidentally) deleted objects.

There were features available to administrators before the advent of the Active Directory Recycle Bin – such as the Directory Services Restore Mode (DSRM) mode and object reanimation. In contrast to booting into the DSRM, the Active Directory Recycle Bin saves admins time. In contrast to reanimating objects, the Active Directory Recycle Bin prevents the typical loss of attributes and group memberships.

There are also numerous third-party solutions that are available to restore objects and their attributes. They typically expand on the functionality that is offered by the Active Directory Recycle Bin, by offering granular attribute restore and group policy versioning. These are two areas where the Active Directory Recycle Bin doesn't offer a solution.

Getting ready

The Active Directory forest needs to run the Windows Server 2008 R2 FFL (or a later version).

Microsoft recommends enabling the Active Directory Recycle Bin on the Active Directory domain controller that holds the Domain Naming Master FSMO role.

To find this domain controller, run the following command on any domain-joined device, member server, or domain controller:

netdom.exe query fsmo

Alternatively, use the following PowerShell commands on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory

Get-ADForest | Format-List DomainNamingMaster

Required permissions

Sign in to the preceding domain controller using an account that is a member of the Enterprise Admins group in Active Directory.

How to do it...

You can enable the Active Directory Recycle Bin from within the Active Directory Administrative Center, when you're signed in with an account that is a member of the Enterprise Admins group on a domain controller that runs Windows Server with Desktop Experience. To do this, perform the following steps:

  1. Open the Active Directory Administrative Center (dsac.exe).
  2. Select the forest name in the left navigation pane.
  1. In the action pane on the right, click the Enable Recycle Bin link.
    Alternatively, you can right-click the domain name in the left navigation pane, and select the Enable Recycle Bin… option from the context menu.
    The Enable Recycle Bin Confirmation popup appears:
  1. In the Enable Recycle Bin Confirmation pop up, click OK.
  2. The popup message labeled Active Directory Administrative Center appears:
  1. Click OK:
  1. After you refresh, a new container underneath the domain root named Deleted Objects appears.

On Server Core installations of Windows Server, use the following PowerShell commands:

Import-Module ActiveDirectory

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=lucernpub,DC=com" -Scope ForestOrConfigurationSet –Target "lucernpub.com"

Replace lucernpub, lucernpub, and com with values for your Active Directory environment.

How it works...

Since the inception of Active Directory, when an object such as a computer or a user is deleted, the isDeleted attribute is set to true. This allows the domain controller to replicate the change for the object. Each domain controller has the time configured as the tombstone lifetime period to replicate this change. Only after the tombstone lifetime period is the object removed from the database by each domain controller.

The Active Directory Recycle Bin introduces a new recycle lifetime and a new attribute: isRecycled. With the Active Directory Recycle Bin enabled, when an object is deleted it's isDeleted attribute is still set to true, but it's isRecycled attribute is untouched. This is the period where the object is visible in the deleted objects container, where it can be restored by simply right-clicking on it. After the recycle lifetime has expired, the isRecycled attribute is also set to true. This is when the tombstone lifetime kicks in. Only after the tombstone lifetime period has expired the object is removed from the database by each domain controller.

Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Active Directory Administration Cookbook
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon