Book Image

Active Directory Administration Cookbook - Second Edition

By : Sander Berkouwer
Book Image

Active Directory Administration Cookbook - Second Edition

By: Sander Berkouwer

Overview of this book

Updated to the Windows Server 2022, this second edition covers effective recipes for Active Directory administration that will help you leverage AD's capabilities for automating network, security, and access management tasks in the Windows infrastructure. Starting with a detailed focus on forests, domains, trusts, schemas, and partitions, this book will help you manage domain controllers, organizational units, and default containers. You'll then explore Active Directory sites management as well as identify and solve replication problems. As you progress, you'll work through recipes that show you how to manage your AD domains as well as user and group objects and computer accounts, expiring group memberships, and Group Managed Service Accounts (gMSAs) with PowerShell. Once you've covered DNS and certificates, you'll work with Group Policy and then focus on federation and security before advancing to Azure Active Directory and how to integrate on-premise Active Directory with Azure AD. Finally, you'll discover how Microsoft Azure AD Connect synchronization works and how to harden Azure AD. By the end of this AD book, you’ll be able to make the most of Active Directory and Azure AD Connect.

Related Content you might be interested in

Current Title:

Small book image
Active Directory Administration Cookbook - Second Edition
Sander Berkouwer
Jul, 2022 | 696 pages
Small book image
Identity with Windows Server 2016: Microsoft 70-742 MCSA Exam Guide
Sasha Kranjac | Vladimir Stefanovic
Jan, 2019 | 232 pages
Small book image
Mastering Active Directory, Third Edition
Dishan Francis
Nov, 2021 | 780 pages
Small book image
Mastering Active Directory
Dishan Francis
Jun, 2017 | 742 pages
Table of Contents (18 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Code in Action
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Chapter 1: Optimizing Forests, Domains, and Trusts
Chapter 1: Optimizing Forests, Domains, and Trusts
Choosing between a new domain or forest
Listing the domains in your forest
Using adprep.exe to prepare for new Active Directory functionality
Raising the domain functional level to Windows Server 2016
Raising the forest functional level to Windows Server 2016
Creating the right trust
Removing a trust
Verifying and resetting a trust
Securing a trust
Extending the schema
Enabling the Active Directory Recycle Bin
Managing UPN suffixes
Free Chapter
2
Chapter 2: Managing Domain Controllers
Chapter 2: Managing Domain Controllers
Preparing a Windows server to become a domain controller
Promoting a server to a domain controller
Promoting a server to a read-only domain controller
Using Install From Media
Using domain controller cloning
Determining whether a virtual domain controller has a VM-GenerationID
Demoting a domain controller
Demoting a domain controller forcefully
Inventory domain controllers
Decommissioning a compromised read-only domain controller
3
Chapter 3: Managing Active Directory Roles and Features
Chapter 3: Managing Active Directory Roles and Features
About FSMO roles
Querying FSMO role placement
Transferring FSMO roles
Configuring the PDC Emulator to synchronize time with a reliable source
Managing time synchronization for virtual domain controllers
Managing global catalogs
4
Chapter 4: Managing Containers and Organizational Units
Chapter 4: Managing Containers and Organizational Units
Differences between OUs and containers
Creating an OU
Deleting an OU
Modifying an OU
Delegating control of an OU
Modifying the default location for new user and computer objects
5
Chapter 5: Managing Active Directory Sites and Troubleshooting Replication
Chapter 5: Managing Active Directory Sites and Troubleshooting Replication
What do Active Directory sites do?
Recommendations
Creating a site
Managing a site
Managing subnets
Creating a site link
Managing a site link
Modifying replication settings for an Active Directory site link
Creating a site link bridge
Managing bridgehead servers
Managing the ISTG and KCC
Managing UGMC
Working with repadmin.exe
Forcing replication
Managing inbound and outbound replication
Modifying the tombstone lifetime period
Managing strict replication consistency
Upgrading SYSVOL replication from FRS to DFSR
Checking for and remediating lingering objects
6
Chapter 6: Managing Active Directory Users
Chapter 6: Managing Active Directory Users
Creating a user
Deleting a user
Modifying several users at once
Moving a user
Renaming a user
Enabling and disabling a user
Finding locked-out users
Unlocking a user
Managing userAccountControl
Using account expiration
7
Chapter 7: Managing Active Directory Groups
Chapter 7: Managing Active Directory Groups
Creating a group
Deleting a group
Managing the direct members of a group
Managing expiring group memberships
Changing the scope or type of a group
Viewing nested group memberships
Finding empty groups
8
Chapter 8: Managing Active Directory Computers
Chapter 8: Managing Active Directory Computers
Creating a computer
Deleting a computer
Joining a computer to the domain
Renaming a computer
Testing the secure channel for a computer
Resetting a computer's secure channel
9
Chapter 9: Managing DNS
Chapter 9: Managing DNS
Managing the DNS server role on domain controllers
Creating a DNS zone
Managing the DNS zone properties
Deleting a DNS zone
Creating a DNS record
Deleting a DNS record
Verifying the domain controller SRV DNS records
Creating a DNS conditional forwarder
10
Chapter 10: Getting the Most Out of Group Policy
Chapter 10: Getting the Most Out of Group Policy
Creating a GPO
Copying a GPO
Deleting a GPO
Modifying the settings of a GPO
Assigning scripts
Installing applications
Linking a GPO to an OU
Blocking inheritance of GPOs on an OU
Enforcing the settings of a GPO Link
Applying security filters
Creating and applying WMI filters
Refreshing GPO settings
Configuring loopback processing
Restoring a default GPO
Creating the Group Policy Central Store
11
Chapter 11: Securing Active Directory
Chapter 11: Securing Active Directory
Applying fine-grained password and account lockout policies
Backing up and restoring GPOs
Backing up and restoring Active Directory
Working with Active Directory snapshots
Managing the DSRM passwords on domain controllers
Protecting important objects from accidental deletion
Implementing LAPS
Managing deleted objects
Working with gMSAs
Configuring diagnostic logging
Configuring the advanced security audit policy
Resetting the KRBTGT secret
Using the SCW to secure domain controllers
Leveraging the Protected Users group
Putting authentication policies and authentication policy silos to good use
Configuring Extranet Smart Lockout
12
Chapter 12: Managing Certificates
Chapter 12: Managing Certificates
Deciding between your own CA and a public CA
Setting up a CA
Setting up an online responder
Removing a certificate template
Duplicating and editing a certificate template
Requesting a web server certificate
Issuing domain controller certificates
Managing certificate autoenrollment
Revoking a certificate
Decommissioning a CA
13
Chapter 13: Managing Federation
Chapter 13: Managing Federation
Choosing the right AD FS farm deployment method
Installing the AD FS server role
Setting up an AD FS farm with WID
Setting up an AD FS farm with SQL Server
Adding additional AD FS servers to an AD FS farm
Removing AD FS servers from an AD FS farm
Creating an RPT
Deleting an RPT
Configuring branding
Migrating a WID-based AD FS farm to an SQL Server
Setting up a WAP
Decommissioning a WAP
14
Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO)
Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO)
Choosing the right authentication method
Signing up for Azure AD
Verifying your DNS domain name
Implementing PHS with Express Settings
Implementing PTA and Seamless SSO
Implementing SSO using AD FS
Managing AD FS with Azure AD Connect
Implementing Azure Traffic Manager for AD FS geo-redundancy
Migrating from AD FS to PTA for SSO to Office 365
Making PTA (geo)redundant
15
Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect)
Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect)
Choosing the right source anchor attribute for user objects
Configuring staging mode
Switching to a staging-mode server
Configuring domain and OU filtering
Configuring Azure AD app and attribute filtering
Configuring hybrid Azure AD join
Configuring device writeback
Configuring password writeback
Configuring group writeback
Changing passwords for Azure AD Connect service accounts
16
Chapter 16: Hardening Azure AD
Chapter 16: Hardening Azure AD
Setting contact information
Preventing non-privileged users from accessing the Azure portal
Viewing all privileged users in Azure AD
Preventing users from registering or consenting to apps
Preventing users from inviting guests
Allowing and blocking invitations for Azure AD B2B
Configuring Azure AD join and Azure AD registration
Configuring Intune auto-enrollment upon Azure AD join
Choosing between Security defaults and Conditional Access
Configuring Conditional Access
Accessing Azure AD Connect Health
Configuring Azure AD Connect Health for AD FS
Configuring Azure AD Connect Health for AD DS
Configuring Azure AD PIM
Configuring Azure AD Identity Protection
Implementing Defender for Identity
Why subscribe?
17
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Using domain controller cloning

The IFM feature for promoting domain controllers leverages the fact that the contents of the Active Directory database and the Active Directory SYSVOL are identical throughout all domain controllers within the domain. The domain controller cloning feature takes this one step further and leverages the fact that all domain controllers are largely identical – not just the Active Directory-related files but all operating system files, most agent installations, information security measures, and most configuration items.

When a domain controller is properly prepared and promoted, it can serve as a template.

Getting ready

The domain controller cloning feature requires the following:

  • A hypervisor platform offering the VM-GenerationID functionality
  • At least one domain controller running Windows Server 2012 or a newer version of Windows Server, promoted to a domain controller, holding the PDC Emulator FSMO role

The domain controller you intend to clone needs to adhere to the following requirements:

  • Running Windows Server 2012 or a newer version of Windows Server
  • Running on top of a VM-GenerationID-capable hypervisor platform
  • Running the latest stable integration components or VMware tools
  • Promoted as a domain controller
  • Not holding the PDC Emulator FSMO role
  • Not holding the RID Master FSMO role

When cloning domain controllers, check for proper Active Directory replication before cloning. This ensures that the domain controllers are up to date with all changes in Active Directory and can communicate the changes involved in adding a domain controller.

How to do it...

There are four steps to cloning a domain controller:

  • Making sure all agents and software packages are cloneable
  • Supplying the information for the new domain controller configuration
  • Adding the domain controller to the Cloneable Domain Controllers group
  • Cloning the domain controller from the hypervisor

Making sure all agents and software packages are cloneable

To successfully clone a domain controller, all agents and software packages that you've installed and configured on the domain controller you intend to clone need to support it.

When you install the Active Directory Domain Services role on a Windows Server 2012 installation, or on any newer version of Windows Server, there is the Get-ADDCCloningExcludedApplicationList PowerShell cmdlet that you can use. When you run this PowerShell cmdlet, it will return the applications and services that Microsoft does not know whether you can successfully clone.

All Microsoft services and add-on packages that ship with Windows Server are tested, so these are already part of the DefaultDCCloneAllowList.xml file. The contents of C:\Windows\System32\DefaultDCCloneAllowList.xml are shown as follows:

Figure 2.13 – Contents of the DefaultDCCloneAllowList.xml file

Figure 2.13 – Contents of the DefaultDCCloneAllowList.xml file

For any other service and/or application, the recommended practice is to ask the vendor whether domain controller cloning is supported. When all services and applications check out, you can run the following line of PowerShell to add them to your organization's CustomDCCloneAllowList.xml file:

Get-ADDCCloningExcludedApplicationList -GenerateXml -Path C:\Windows\NTDS -Force

In the preceding line of Windows PowerShell, the default path for the Active Directory database is supplied. Change it accordingly before running it.

After cloning, the domain controller picks up this file when you store it on removable media or in the same path as the Active Directory database.

Supplying the information for the new domain controller configuration

The new domain controller that is created when an existing domain controller is cloned will need to be different from the existing one. It will need a different hostname, IPv4 address(es), IPv6 address(es), possibly different DNS Server allocations, or a different Active Directory site.

Microsoft provides a way to supply this information through the DCCloneConfig.xml file. Again, after cloning, the domain controller picks up this file when you store it on removable media or in the same path as the Active Directory database.

If no DCCloneConfig.xml file is supplied, the new domain controller will boot into Directory Services Restore Mode.

If an empty DCCloneConfig.xml file is supplied, the new domain controller will be assigned the following:

  • IP addresses through DHCP
  • An automatically assigned hostname
  • The same Active Directory site as the source domain controller

If a specific hostname, Active Directory site, or IP address is needed, look at the parameters you can specify for New-ADDCCloningConfig, such as the -SiteName, -CloneComputerName, and -Static -IPv4Address parameters.

A sample PowerShell one-liner to create a new domain controller with the name DC04 in the Active Directory site named RemoteLocation with the correct IPv4 information would look like the following:

New-ADDCCloneConfigFile -CloneComputerName "DC04" -SiteName RemoteLocation -Static -IPv4Address "10.0.1.3" -IPv4SubnetMask "255.255.255.0" -IPv4DefaultGateway "10.0.1.1" -IPv4DNSResolver "10.0.0.2"   

Change the values for the -SiteName, -CloneComputerName, -Static, -IPv4Address, -IPv4SubnetMask, -IPv4DefaultGateway, and -IPv4DNSResolver parameters for parameters that make sense for your environment.

Adding the domain controller to the Cloneable Domain Controllers group

In large organizations, the team responsible for managing Active Directory is usually a different team from the one managing the hypervisor platform. Through the integration components and/or VMware tools, the latter team might configure domain controllers for cloning and clone them, adding to the management burden of the Active Directory management team.

Therefore, the Active Directory team must explicitly allow a domain controller to be cloned in Active Directory. The mechanism to do so is to add source domain controllers to the Cloneable Domain Controllers group.

The following line of PowerShell accomplishes this for a source domain controller named DC03 in the lucernpub.com Active Directory domain:

Add-ADGroupMember "Cloneable Domain Controllers" "CN=DC03,OU=Domain Controllers,DC=LucernPub,DC=com"

Replace the distinguishedName value of DC03 with the distinguishedName value of the domain controller you want to add to the Cloneable Domain Controllers group.

Cloning the domain controller from the hypervisor

Now, the hypervisor platform team can clone the source domain controller.

As an Active Directory administrator, shut down the domain controller you intend to clone. After cloning has been successful, remove the source domain controller from the Cloneable Domain Controllers group and start it again as one of the domain controllers for the domain, or leave it off and allow it to be cloned repeatedly for a maximum period of 60 to 180 days, depending on the current tombstone lifetime period settings.

How it works...

Domain controller cloning leverages the VM-GenerationID feature found in most modern hypervisor platforms. Through the specifications that Microsoft wrote for this feature, this ID is stored in every virtual machine's RAM and only changes under certain circumstances. These circumstances are the following:

  • When a virtual machine's hard disk is attached to a different virtual machine
  • When a previous snapshot for a virtual machine is applied

Active Directory Domain Services is the first server role to take advantage of the VM-GenerationID feature to do the following:

  • Increase the integrity of the contents of the Active Directory database and the Active Directory SYSVOL by employing virtualization safeguards
  • Clone a perfectly prepared domain controller using domain controller cloning

By storing the 128-bit value for the VM-GenerationID in RAM in the Active Directory database, and the domain controller checking the value stored in the database with the value in RAM before each major action, the domain controller can sense when a snapshot is applied or when the hard disk is reused.

Important Note

As the VM-GenerationID feature is a hypervisor platform feature, a domain controller cannot sense when a snapshot is applied or when the hard disk is reused when these actions originate from the storage fabric or otherwise outside of the hypervisor platform.

When a hard disk is reused and the domain controller is properly prepared to be cloned, domain controller cloning creates a perfect clone of the source domain controller.

Domain controller cloning only allows cloning of fully writable domain controllers. It does not apply to read-only domain controllers.

See also

Use the information in the Determining whether a virtual domain controller has a VM-GenerationID recipe to see whether the hypervisor platform supports domain controller cloning.

Refer to the Modifying the tombstone lifetime period recipe in Chapter 16, Hardening Azure AD, to find out whether domain controllers can be cloned for 60 or 180 days.

Previous Section
End of Section 6
Next Section