Book Image

Mastering Active Directory, Third Edition - Third Edition

By : Dishan Francis
5 (2)
Book Image

Mastering Active Directory, Third Edition - Third Edition

5 (2)
By: Dishan Francis

Overview of this book

Mastering Active Directory, Third Edition is a comprehensive guide for Information Technology professionals looking to improve their knowledge about MS Windows Active Directory Domain Service. The book will help you to use identity elements effectively and manage your organization’s infrastructure in a secure and efficient way. This third edition has been fully updated to reflect the importance of cloud-based strong authentication and other tactics to protect identity infrastructure from emerging security threats. Mastering Active Directory, Third Edition provides extensive coverage of AD Domain Services and helps you explore their capabilities as you update to Windows Server 2022. This book will also teach you how to extend on-premises identity presence to cloud via Azure AD hybrid setup. By the end of this Microsoft Active Directory book, you’ll feel confident in your ability to design, plan, deploy, protect, and troubleshoot your enterprise identity infrastructure.

Related Content you might be interested in

Current Title:

Small book image
Mastering Active Directory, Third Edition - Third Edition
Dishan Francis
Nov, 2021 | 780 pages
Small book image
Identity with Windows Server 2016: Microsoft 70-742 MCSA Exam Guide
Sasha Kranjac | Vladimir Stefanovic
Jan, 2019 | 232 pages
Small book image
Active Directory Administration Cookbook
Sander Berkouwer
May, 2019 | 620 pages
Small book image
Active Directory Administration Cookbook, Second Edition
Sander Berkouwer
Jul, 2022 | 696 pages
Table of Contents (22 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
Active Directory Fundamentals
Active Directory Fundamentals
Modern access management
The future of Identity and Access Management (IAM)
Hybrid Identity and Active Directory Domain Services
Benefits of using Active Directory
Understanding Active Directory components
Understanding Active Directory objects
Summary
2
Active Directory Domain Services 2022
Active Directory Domain Services 2022
The features of AD DS 2022
Privileged Access Management (PAM)
What does PAM have to do with AD DS 2022?
Windows Hello for Business
PowerShell 7
Summary
3
Designing an Active Directory Infrastructure
Designing an Active Directory Infrastructure
What makes a good system?
Gathering business requirements
Designing the forest structure
Creating the forest structure
Selecting forest design models
Designing the domain structure
Deciding on the domain and forest functional levels
Designing the OU structure
Designing the physical topology of Active Directory
Designing a hybrid identity
Identifying business needs
Summary
4
Active Directory Domain Name System
Active Directory Domain Name System
What is DNS?
Hierarchical naming structures
How DNS works
DNS infrastructure design
DNS essentials
Conditional forwarders
DNS policies
Secure DNS client over HTTPS (DoH)
DNS server operation modes
Zone transfers
DNS delegation
DNS service providers
Summary
5
Placing Operations Master Roles
Placing Operations Master Roles
FSMO roles
Active Directory's logical and physical topology
Best practices
Moving FSMO roles
Seizing FSMO roles
Summary
6
Migrating to Active Directory 2022
Migrating to Active Directory 2022
AD DS installation prerequisites
AD DS installation methods
AD DS deployment scenarios
How to plan AD migrations
Summary
7
Managing Active Directory Objects
Managing Active Directory Objects
Tools and methods for managing objects
AD object administration with PowerShell
Creating computer objects
Modifying AD objects
Removing AD objects
Finding objects in AD
Preventing the accidental deletion of objects
AD recycle bin
Summary
8
Managing Users, Groups, and Devices
Managing Users, Groups, and Devices
Object attributes
Custom attributes
Syncing custom attributes to Azure AD
User accounts
Groups
Devices and other objects
Best practices
Summary
9
Designing the OU Structure
Designing the OU Structure
OUs in operations
Containers vs. OUs
Active Directory Groups vs. OUs
OU design models
Managing the OU structure
Summary
10
Managing Group Policies
Managing Group Policies
Benefits of group policies
Group Policy capabilities
Group Policy objects
The Group Policy template
Group Policy processing
Group Policy inheritance
Group Policy conflicts
Administrative templates
Group Policy filtering
Group Policy preferences
Item-level targeting
Loopback processing
Group Policy best practices
Useful group policies
Summary
11
Active Directory Services – Part 01
Active Directory Services – Part 01
Overview of AD LDS
Where to use LDS
The LDS installation
AD replication
Sites
Summary
12
Active Directory Services – Part 02
Active Directory Services – Part 02
Active Directory trusts
RODCs
Active Directory database maintenance
Active Directory Backup and Recovery
Summary
13
Active Directory Certificate Services
Active Directory Certificate Services
PKI in action
SSL certificates
AD CS components
Planning PKI
PKI deployment models
Setting up a PKI
Certificate templates
Requesting certificates
Migrating AD CS from Windows Server 2008 R2 to Windows Server 2022
AD CS disaster recovery
Summary
14
Active Directory Federation Services
Active Directory Federation Services
How does AD FS work?
AD FS components
AD FS configuration database
AD FS deployment topologies
AD FS deployment
Azure AD federation with AD FS
Summary
15
Active Directory Rights Management Services
Active Directory Rights Management Services
What is AD RMS?
AD RMS components
How does AD RMS work?
How do we deploy AD RMS?
Azure Information Protection (AIP)
Summary
16
Active Directory Security Best Practices
Active Directory Security Best Practices
AD authentication
The Kerberos protocol
Authentication in an AD environment
Delegating permissions
Predefined AD administrator roles
Using object ACLs
Using the delegate control method in AD
Implementing fine-grained password policies
Limitations
Resultant Set of Policy (RSoP)
Configuration
Pass-the-hash attacks
The Protected Users security group
Restricted admin mode for RDP
Authentication policies and authentication policy silos
Authentication policies
Authentication policy silos
Creating authentication policies
Creating authentication policy silos
Secure LDAP
Microsoft Local Administrator Password Solution (LAPS)
On-prem Azure AD Password Protection
Summary
17
Advanced AD Management with PowerShell
Advanced AD Management with PowerShell
AD management with PowerShell – preparation
AD management commands and scripts
Replication
Replicating a specific object
Users and groups
Last logon time
Last login date report
Login failures report
Finding the locked-out account
Password expire report
Review the membership of the high-level administrative groups
Dormant accounts
Users with the Password Never Expires setting
Azure Active Directory PowerShell
Installation
General commands
Managing users
Managing groups
Microsoft Graph
Microsoft Graph Explorer
Summary
18
Hybrid Identity
Hybrid Identity
Extending on-prem AD to Azure AD
Evaluating the present business requirements
Evaluating an organization's infrastructure road map
Evaluating the security requirements
Selecting the Azure AD version
Federation with Azure AD
Step-by-step guide to integrating an on-prem AD environment with Azure AD
Creating a virtual network
Setting up an Azure AD managed domain
Adding DNS server details to the virtual network
Creating a Global Administrator account for Azure AD Connect
Setting up Azure AD Connect
Installing the Pass-through Authentication agent
Azure AD Connect configuration
Syncing NTLM and Kerberos credential hashes to Azure AD
Enabling secure LDAP (LDAPS) for an Azure AD DS managed domain
Enable secure LDAP (LDAPS)
Summary
19
Active Directory Audit and Monitoring
Active Directory Audit and Monitoring
Auditing and monitoring AD using built-in Windows tools and techniques
Windows Event Viewer
Custom Views
Windows Logs
Applications and Services Logs
Subscriptions
AD DS event logs
AD DS log files
AD audit
Demonstration
Setting up event subscriptions
Security event logs from domain controllers
Enabling advanced security audit policies
Enforcing advanced auditing
Reviewing events with PowerShell
Microsoft Defender for Identity
What is Microsoft Defender for Identity?
Defender for Identity benefits
Azure AD Connect Health
Prerequisites
Configuration
Summary
20
Other Books You May Enjoy
Other Books You May Enjoy
21
Index
Index

Enabling advanced security audit policies

As we have seen previously, for successful auditing, we need to have a SACL configured for the relevant AD objects. If there is no SACL entry, no events will be generated against that object. In order to configure the SACL, we need Domain Admin or Enterprise Admin privileges. To add a SACL entry, perform the following steps:

  1. Open AD Users and Computers.
  2. Click on View | Advanced Features.
  3. Right-click on the OU or the object that you'd like to enable auditing for. Then click on Properties. In my example, I am using the root container, as I wish to enable it globally.
  4. Click on the Security tab and then on Advanced.
  5. Click on the Auditing tab and then click on the Add button to add a new security principle to the SACL. In our scenario, I am using Everyone as I'd like to audit everything.
  6. For Type, I have selected the Success event type. Also, I've applied it to This object and all descendant...
Previous Section
End of Section 14
Next Section