Book Image

Active Directory Administration Cookbook

By : Sander Berkouwer
Book Image

Active Directory Administration Cookbook

By: Sander Berkouwer

Overview of this book

Active Directory is an administration system for Windows administrators to automate network, security and access management tasks in the Windows infrastructure. This book starts off with a detailed focus on forests, domains, trusts, schemas and partitions. Next, you'll learn how to manage domain controllers, organizational units and the default containers. Going forward, you'll explore managing Active Directory sites as well as identifying and solving replication problems. The next set of chapters covers the different components of Active Directory and discusses the management of users, groups and computers. You'll also work through recipes that help you manage your Active Directory domains, manage user and group objects and computer accounts, expiring group memberships and group Managed Service Accounts (gMSAs) with PowerShell. You'll understand how to work with Group Policy and how to get the most out of it. The last set of chapters covers federation, security and monitoring. You will also learn about Azure Active Directory and how to integrate on-premises Active Directory with Azure AD. You'll discover how Azure AD Connect synchronization works, which will help you manage Azure AD. By the end of the book, you have learned about Active Directory and Azure AD in detail.

Related Content you might be interested in

Current Title:

Small book image
Active Directory Administration Cookbook
Sander Berkouwer
May, 2019 | 620 pages
Small book image
Identity with Windows Server 2016: Microsoft 70-742 MCSA Exam Guide
Sasha Kranjac | Vladimir Stefanovic
Jan, 2019 | 232 pages
Small book image
Mastering Active Directory, Third Edition
Dishan Francis
Nov, 2021 | 780 pages
Small book image
Mastering Active Directory.
Dishan Francis
Aug, 2019 | 786 pages
Table of Contents (16 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Sections
Get in touch
Free Chapter
1
Optimizing Forests, Domains, and Trusts
Optimizing Forests, Domains, and Trusts
Choosing between a new domain or forest
Listing the domains in your forest
Using adprep.exe to prepare for new Active Directory functionality
Raising the domain functional level to Windows Server 2016
Raising the forest functional level to Windows Server 2016
Creating the right trust
Verifying and resetting a trust
Securing a trust
Extending the schema
Enabling the Active Directory Recycle Bin
Managing UPN suffixes
2
Managing Domain Controllers
Managing Domain Controllers
Preparing a Windows Server to become a domain controller
Promoting a server to a domain controller
Promoting a server to a read-only domain controller
Using Install From Media
Using domain controller cloning
Determining whether a virtual domain controller has a VM-GenerationID
Demoting a domain controller
Demoting a domain controller forcefully
Inventory domain controllers
Decommissioning a compromised read-only domain controller
3
Managing Active Directory Roles and Features
Managing Active Directory Roles and Features
About FSMO roles
Querying FSMO role placement
Transferring FSMO roles
Seizing FSMO roles
Configuring the Primary Domain Controller emulator to synchronize time with a reliable source
Managing time synchronization for virtual domain controllers
Managing global catalogs
4
Managing Containers and Organizational Units
Managing Containers and Organizational Units
Differences between OUs and containers
Creating an OU
Deleting an OU
Modifying an OU
Delegating control of an OU
Modifying the default location for new user and computer objects
5
Managing Active Directory Sites and Troubleshooting Replication
Managing Active Directory Sites and Troubleshooting Replication
What do Active Directory sites do?
Recommendations
Creating a site
Managing a site
Managing subnets
Creating a site link
Managing a site link
Modifying replication settings for an Active Directory site link
Creating a site link bridge
Managing bridgehead servers
Managing the Inter-site Topology Generation and Knowledge Consistency Checker
Managing universal group membership caching
Working with repadmin.exe
Forcing replication
Managing inbound and outbound replication
Modifying the tombstone lifetime period
Managing strict replication consistency
Upgrading SYSVOL replication from File Replication Service to Distributed File System Replication
Checking for and remediating lingering objects
6
Managing Active Directory Users
Managing Active Directory Users
Creating a user
Deleting a user
Modifying several users at once
Moving a user
Renaming a user
Enabling and disabling a user
Finding locked-out users
Unlocking a user
Managing userAccountControl
Using account expiration
7
Managing Active Directory Groups
Managing Active Directory Groups
Creating a group
Deleting a group
Managing the direct members of a group
Managing expiring group memberships
Changing the scope or type of a group
Viewing nested group memberships
Finding empty groups
8
Managing Active Directory Computers
Managing Active Directory Computers
Creating a computer
Deleting a computer
Joining a computer to the domain
Renaming a computer
Testing the secure channel for a computer
Resetting a computer's secure channel
Changing the default quota for creating computer objects
9
Getting the Most Out of Group Policy
Getting the Most Out of Group Policy
Creating a Group Policy Object (GPO)
Copying a GPO
Deleting a GPO
Modifying the settings of a GPO
Assigning scripts
Installing applications
Linking a GPO to an OU
Blocking inheritance of GPOs on an OU
Enforcing the settings of a GPO Link
Applying security filters
Creating and applying WMI Filters
Configuring loopback processing
Restoring a default GPO
Creating the Group Policy Central Store
10
Securing Active Directory
Securing Active Directory
Applying fine-grained password and account lockout policies
Backing up and restoring GPOs
Backing up and restoring Active Directory
Working with Active Directory snapshots
Managing the DSRM passwords on domain controllers
Implementing LAPS
Managing deleted objects
Working with group Managed Service Accounts
Configuring the advanced security audit policy
Resetting the KRBTGT secret
Using SCW to secure domain controllers
Leveraging the Protected Users group
Putting authentication policies and authentication policy silos to good use
Configuring Extranet Smart Lock-out
11
Managing Federation
Managing Federation
Choosing the right AD FS farm deployment method
Installing the AD FS server role
Setting up an AD FS farm with Windows Internal Database
Setting up an AD FS farm with SQL Server
Adding additional AD FS servers to an AD FS farm
Removing AD FS servers from an AD FS farm
Creating a Relying Party Trust (RPT)
Deleting an RPT
Configuring branding
Setting up a Web Application Proxy
Decommissioning a Web Application Proxy
12
Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO)
Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO)
Choosing the right authentication method
Verifying your DNS domain name
Implementing Password Hash Sync with Express Settings
Implementing Pass-through Authentication
Implementing single sign-on to Office 365 using AD FS
Managing AD FS with Azure AD Connect
Implementing Azure Traffic Manager for AD FS geo-redundancy
Migrating from AD FS to Pass-through Authentication for single sign-on to Office 365
Making Pass-through Authentication (geo)redundant
13
Handling Synchronization in a Hybrid World (Azure AD Connect)
Handling Synchronization in a Hybrid World (Azure AD Connect)
Choosing the right sourceAnchor
Configuring staging mode
Switching to a staging mode server
Configuring Domain and OU filtering
Configuring Azure AD app and attribute filtering
Configuring MinSync
Configuring Hybrid Azure AD Join
Configuring Device writeback
Configuring Password writeback
Configuring Group writeback
Changing the passwords for Azure AD Connects service accounts
14
Hardening Azure AD
Hardening Azure AD
Setting the contact information
Preventing non-privileged users from accessing the Azure portal
Viewing all privileged users in Azure AD
Preventing users from registering or consenting to apps
Preventing users from inviting guests
Configuring whitelisting or blacklisting for Azure AD B2B
Configuring Azure AD Join and Azure AD Registration
Configuring Intune auto-enrollment upon Azure AD Join
Configuring baseline policies
Configuring Conditional Access
Accessing Azure AD Connect Health
Configuring Azure AD Connect Health for AD FS
Configuring Azure AD Connect Health for AD DS
Configuring Azure AD Privileged Identity Management
Configuring Azure AD Identity Protection
15
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Securing a trust

Trusts in Active Directory can be misused for purposes not intended by the admin of the trusting domain. There are three ways to secure a trust to make it more secure:

  • Enable SID Filtering
  • Enable Quarantine
  • Enable Selective Authentication

SID Filtering is enabled on all trust relationships, by default. SID Filtering operates on the same surface as trust transitivity. When enabled, SID Filtering filters the user accounts over the trust to user accounts from the domain tree that is explicitly trusted, only. In a way, it allows for more granular transitivity.

Quarantine is enabled on all trust relationships, by default. Quarantine for a trust allows granular access, too. Where SID Filtering allows for limiting access to a trusted domain tree, quarantine limits access to a trusted domain.

Selective authentication is not enabled, by default. Where SID Filtering and Quarantine limit access to user accounts from trusted domains, selective authentication limits access to devices, member servers and domain controllers in trusting domains. This means that in a default trust, all resources in the trusting domain can be accessed.

By default, Active Directory trusts are pretty secure, since the SID Filtering and Quarantine features are automatically enabled. You can heighten this default level of security by enabling and managing selective authentication.

Getting ready

To use the selective authentication feature, both Active Directory forests on either side of the trust need to run the Windows Server 2003 FFL, or a higher forest functional level.

It is recommended that you sign in to the domain controller that is running the Domain Naming Master FSMO role, or connect the Active Directory Domains and Trusts console to this specific domain controller, by right-clicking in the console on the Active Directory Domains and Trusts node and selecting Change Active Directory Domain Controller… from the context menu.

To find this domain controller, right-click the Active Directory Domains and Trusts node and select the Operations Master… from the context menu. Alternatively, run the following command from any domain-joined device, member server, or domain controller:

netdom.exe query fsmo

Otherwise, you can use the following PowerShell commands on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory

Get-ADForest | Format-List DomainNamingMaster

Required permissions

Sign in with the credentials of an admin account that is a member of the Enterprise Admins group.

How to do it...

SID Filtering and Quarantine on trusts can only be managed using netdom.exe:

  1. To enable SID Filtering for a trust, use the following command:
netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /EnableSIDHistory:yes

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

  1. To disable SID Filtering for a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /EnableSIDHistory:no

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

  1. To enable Quarantine on a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /Quarantine:yes

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

  1. To disable Quarantine on a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /Quarantine:no

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

To manage Selective Authentication, we can use the graphical user interface (GUI). To do so, follow these steps:

  1. Open Active Directory Domains and Trusts.
  2. In the console tree, right-click the domain that you want to configure selective authentication for, and then click Properties.
  3. Navigate to the Trusts tab.
  4. From the list of Domains trusts by this domain (outgoing trusts): or from the list of Domains that trust this domain (incoming trusts):, select the trust that you want to configure selective authentication for.
  5. Click the Properties button next to the corresponding list.
  1. Navigate to the Authentication tab as follows:
  1. On the Authentication tab, select or deselect Selective Authentication.
  2. Click OK to finish.

Of course, selective authentication for trusts is also available on the command line.

To enable selective authentication for a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /SelectiveAuth:yes

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

To disable selective authentication for a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld / SelectiveAuth:no

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

Now, the actual domain-joined resources, which a user from another domain or forest has access to, is governed per object. Follow these steps to manage this setting:

  1. Open the Active Directory Administrative Center.
  2. Search for the domain-joined device, member server, or domain controller that you want to grant access to over the trust. Use the search box in the Global Search field on the Overview screen of the Active Directory Administrative Center, or use the left navigation pane.
  3. Right-click the object and select Properties from the context menu.
  4. In the left navigation pane of the object's properties, click Extensions.
  5. Click the Security tab.
  1. Select the user object(s) and/or group(s) that you want to grant access to, wielding the Add and Remove buttons underneath the field for Groups and user names:
  1. Select the Allow checkbox that is next to the Allowed to Authenticate permission.
  2. Click OK when you're done.

How it works...

Selective authentication leverages the Allowed to Authenticate option to give permission to allow or disallow requests coming from user accounts over the trust, because they are automatically added to the Authenticated Users group. When selective authentication is disabled (the default), every user account on the other side is allowed to authenticate. However, after selective authentication is enabled, only the user accounts with the Allowed to Authenticate permission explicitly set can authenticate to it over the trust, because they are not automatically added to the Authenticated Users group.

There's more...

To make managing the Active Directory trust possible for a trust that has selective authentication enabled, make sure that admins on both sides have the Allowed to Authenticate permission on each other's domain controllers. You can specify specific domain controllers only by fiddling with the DNS SRV records for domain controllers. However, make sure that you always include the domain controller holding the PDCe FSMO role, and at least one global catalog.

Previous Section
End of Section 9
Next Section