Sign In Start Free Trial

Book Overview & Buying
Table Of Contents

Active Directory Administration Cookbook

By : Sander Berkouwer

5 (2)

Active Directory Administration Cookbook

5 (2)

By: Sander Berkouwer

Overview of this book

Active Directory is an administration system for Windows administrators to automate network, security and access management tasks in the Windows infrastructure. This book starts off with a detailed focus on forests, domains, trusts, schemas and partitions. Next, you'll learn how to manage domain controllers, organizational units and the default containers. Going forward, you'll explore managing Active Directory sites as well as identifying and solving replication problems. The next set of chapters covers the different components of Active Directory and discusses the management of users, groups and computers. You'll also work through recipes that help you manage your Active Directory domains, manage user and group objects and computer accounts, expiring group memberships and group Managed Service Accounts (gMSAs) with PowerShell. You'll understand how to work with Group Policy and how to get the most out of it. The last set of chapters covers federation, security and monitoring. You will also learn about Azure Active Directory and how to integrate on-premises Active Directory with Azure AD. You'll discover how Azure AD Connect synchronization works, which will help you manage Azure AD. By the end of the book, you have learned about Active Directory and Azure AD in detail.

Preface

Preface

Who this book is for

What this book covers

To get the most out of this book

Sections

Get in touch

Free Chapter

Optimizing Forests, Domains, and Trusts

Optimizing Forests, Domains, and Trusts

Choosing between a new domain or forest

Listing the domains in your forest

Using adprep.exe to prepare for new Active Directory functionality

Raising the domain functional level to Windows Server 2016

Raising the forest functional level to Windows Server 2016

Creating the right trust

Verifying and resetting a trust

Securing a trust

Extending the schema

Enabling the Active Directory Recycle Bin

Managing UPN suffixes

Managing Domain Controllers

Managing Domain Controllers

Preparing a Windows Server to become a domain controller

Promoting a server to a domain controller

Promoting a server to a read-only domain controller

Using Install From Media

Using domain controller cloning

Determining whether a virtual domain controller has a VM-GenerationID

Demoting a domain controller

Demoting a domain controller forcefully

Inventory domain controllers

Decommissioning a compromised read-only domain controller

Managing Active Directory Roles and Features

Managing Active Directory Roles and Features

About FSMO roles

Querying FSMO role placement

Transferring FSMO roles

Seizing FSMO roles

Configuring the Primary Domain Controller emulator to synchronize time with a reliable source

Managing time synchronization for virtual domain controllers

Managing global catalogs

Managing Containers and Organizational Units

Managing Containers and Organizational Units

Differences between OUs and containers

Creating an OU

Deleting an OU

Modifying an OU

Delegating control of an OU

Modifying the default location for new user and computer objects

Managing Active Directory Sites and Troubleshooting Replication

Managing Active Directory Sites and Troubleshooting Replication

What do Active Directory sites do?

Recommendations

Creating a site

Managing a site

Managing subnets

Creating a site link

Managing a site link

Modifying replication settings for an Active Directory site link

Creating a site link bridge

Managing bridgehead servers

Managing the Inter-site Topology Generation and Knowledge Consistency Checker

Managing universal group membership caching

Working with repadmin.exe

Forcing replication

Managing inbound and outbound replication

Modifying the tombstone lifetime period

Managing strict replication consistency

Upgrading SYSVOL replication from File Replication Service to Distributed File System Replication

Checking for and remediating lingering objects

Managing Active Directory Users

Managing Active Directory Users

Creating a user

Deleting a user

Modifying several users at once

Moving a user

Renaming a user

Enabling and disabling a user

Finding locked-out users

Unlocking a user

Managing userAccountControl

Using account expiration

Managing Active Directory Groups

Managing Active Directory Groups

Creating a group

Deleting a group

Managing the direct members of a group

Managing expiring group memberships

Changing the scope or type of a group

Viewing nested group memberships

Finding empty groups

Managing Active Directory Computers

Managing Active Directory Computers

Creating a computer

Deleting a computer

Joining a computer to the domain

Renaming a computer

Testing the secure channel for a computer

Resetting a computer's secure channel

Changing the default quota for creating computer objects

Getting the Most Out of Group Policy

Getting the Most Out of Group Policy

Creating a Group Policy Object (GPO)

Copying a GPO

Deleting a GPO

Modifying the settings of a GPO

Assigning scripts

Installing applications

Linking a GPO to an OU

Blocking inheritance of GPOs on an OU

Enforcing the settings of a GPO Link

Applying security filters

Creating and applying WMI Filters

Configuring loopback processing

Restoring a default GPO

Creating the Group Policy Central Store

Securing Active Directory

Securing Active Directory

Applying fine-grained password and account lockout policies

Backing up and restoring GPOs

Backing up and restoring Active Directory

Working with Active Directory snapshots

Managing the DSRM passwords on domain controllers

Implementing LAPS

Managing deleted objects

Working with group Managed Service Accounts

Configuring the advanced security audit policy

Resetting the KRBTGT secret

Using SCW to secure domain controllers

Leveraging the Protected Users group

Putting authentication policies and authentication policy silos to good use

Configuring Extranet Smart Lock-out

Managing Federation

Managing Federation

Choosing the right AD FS farm deployment method

Installing the AD FS server role

Setting up an AD FS farm with Windows Internal Database

Setting up an AD FS farm with SQL Server

Adding additional AD FS servers to an AD FS farm

Removing AD FS servers from an AD FS farm

Creating a Relying Party Trust (RPT)

Deleting an RPT

Configuring branding

Setting up a Web Application Proxy

Decommissioning a Web Application Proxy

Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO)

Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO)

Choosing the right authentication method

Verifying your DNS domain name

Implementing Password Hash Sync with Express Settings

Implementing Pass-through Authentication

Implementing single sign-on to Office 365 using AD FS

Managing AD FS with Azure AD Connect

Implementing Azure Traffic Manager for AD FS geo-redundancy

Migrating from AD FS to Pass-through Authentication for single sign-on to Office 365

Making Pass-through Authentication (geo)redundant

Handling Synchronization in a Hybrid World (Azure AD Connect)

Handling Synchronization in a Hybrid World (Azure AD Connect)

Choosing the right sourceAnchor

Configuring staging mode

Switching to a staging mode server

Configuring Domain and OU filtering

Configuring Azure AD app and attribute filtering

Configuring MinSync

Configuring Hybrid Azure AD Join

Configuring Device writeback

Configuring Password writeback

Configuring Group writeback

Changing the passwords for Azure AD Connects service accounts

Hardening Azure AD

Hardening Azure AD

Setting the contact information

Preventing non-privileged users from accessing the Azure portal

Viewing all privileged users in Azure AD

Preventing users from registering or consenting to apps

Preventing users from inviting guests

Configuring whitelisting or blacklisting for Azure AD B2B

Configuring Azure AD Join and Azure AD Registration

Configuring Intune auto-enrollment upon Azure AD Join

Configuring baseline policies

Configuring Conditional Access

Accessing Azure AD Connect Health

Configuring Azure AD Connect Health for AD FS

Configuring Azure AD Connect Health for AD DS

Configuring Azure AD Privileged Identity Management

Configuring Azure AD Identity Protection

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Managing expiring group memberships

Group memberships can alternatively be configured to expire.

Getting ready

To use the expiring group membership, the Active Directory FFL needs to be Windows Server 2012 R2, or a later version.

The optional Privileged Access Management feature needs to be enabled. This can be achieved using the following lines of PowerShell on a system with the Active Directory Module for Windows PowerShell installed:

Import-Module ActiveDirectory

Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target lucernpub.com

To manage a group, you should sign in to a domain controller, a member server, and/or a device with the RSAT for Active Directory Domain...

CONTINUE READING

83

Tech Concepts

36

Programming languages

73

Tech Tools

Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

50+ new titles added per month and exclusive early access to books as they are being written.

Active Directory Administration Cookbook

Search

Your notes and bookmarks