Active Directory Administration Cookbook - Second Edition

By : Sander Berkouwer

Active Directory Administration Cookbook - Second Edition

By: Sander Berkouwer

Overview of this book

Updated to the Windows Server 2022, this second edition covers effective recipes for Active Directory administration that will help you leverage AD's capabilities for automating network, security, and access management tasks in the Windows infrastructure. Starting with a detailed focus on forests, domains, trusts, schemas, and partitions, this book will help you manage domain controllers, organizational units, and default containers. You'll then explore Active Directory sites management as well as identify and solve replication problems. As you progress, you'll work through recipes that show you how to manage your AD domains as well as user and group objects and computer accounts, expiring group memberships, and Group Managed Service Accounts (gMSAs) with PowerShell. Once you've covered DNS and certificates, you'll work with Group Policy and then focus on federation and security before advancing to Azure Active Directory and how to integrate on-premise Active Directory with Azure AD. Finally, you'll discover how Microsoft Azure AD Connect synchronization works and how to harden Azure AD. By the end of this AD book, you’ll be able to make the most of Active Directory and Azure AD Connect.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Code in Action

Download the color images

Conventions used

Get in touch

Share Your Thoughts

Chapter 1: Optimizing Forests, Domains, and Trusts

Choosing between a new domain or forest

Listing the domains in your forest

Using adprep.exe to prepare for new Active Directory functionality

Raising the domain functional level to Windows Server 2016

Raising the forest functional level to Windows Server 2016

Creating the right trust

Removing a trust

Verifying and resetting a trust

Securing a trust

Extending the schema

Enabling the Active Directory Recycle Bin

Managing UPN suffixes

Free Chapter

Chapter 2: Managing Domain Controllers

Preparing a Windows server to become a domain controller

Promoting a server to a domain controller

Promoting a server to a read-only domain controller

Using Install From Media

Using domain controller cloning

Determining whether a virtual domain controller has a VM-GenerationID

Demoting a domain controller

Demoting a domain controller forcefully

Inventory domain controllers

Decommissioning a compromised read-only domain controller

Chapter 3: Managing Active Directory Roles and Features

About FSMO roles

Querying FSMO role placement

Transferring FSMO roles

Configuring the PDC Emulator to synchronize time with a reliable source

Managing time synchronization for virtual domain controllers

Managing global catalogs

Chapter 4: Managing Containers and Organizational Units

Differences between OUs and containers

Creating an OU

Deleting an OU

Modifying an OU

Delegating control of an OU

Modifying the default location for new user and computer objects

Chapter 5: Managing Active Directory Sites and Troubleshooting Replication

What do Active Directory sites do?

Modifying replication settings for an Active Directory site link

Creating a site link bridge

Managing bridgehead servers

Managing the ISTG and KCC

Managing UGMC

Working with repadmin.exe

Forcing replication

Managing inbound and outbound replication

Modifying the tombstone lifetime period

Managing strict replication consistency

Upgrading SYSVOL replication from FRS to DFSR

Checking for and remediating lingering objects

Chapter 6: Managing Active Directory Users

Creating a user

Deleting a user

Modifying several users at once

Moving a user

Renaming a user

Enabling and disabling a user

Finding locked-out users

Unlocking a user

Managing userAccountControl

Using account expiration

Chapter 7: Managing Active Directory Groups

Creating a group

Deleting a group

Managing the direct members of a group

Managing expiring group memberships

Changing the scope or type of a group

Viewing nested group memberships

Finding empty groups

Chapter 8: Managing Active Directory Computers

Creating a computer

Deleting a computer

Joining a computer to the domain

Renaming a computer

Testing the secure channel for a computer

Resetting a computer's secure channel

Chapter 9: Managing DNS

Managing the DNS server role on domain controllers

Creating a DNS zone

Managing the DNS zone properties

Deleting a DNS zone

Creating a DNS record

Deleting a DNS record

Verifying the domain controller SRV DNS records

Creating a DNS conditional forwarder

Chapter 10: Getting the Most Out of Group Policy

Creating a GPO

Copying a GPO

Deleting a GPO

Modifying the settings of a GPO

Assigning scripts

Installing applications

Linking a GPO to an OU

Blocking inheritance of GPOs on an OU

Enforcing the settings of a GPO Link

Applying security filters

Creating and applying WMI filters

Refreshing GPO settings

Configuring loopback processing

Restoring a default GPO

Creating the Group Policy Central Store

Chapter 11: Securing Active Directory

Applying fine-grained password and account lockout policies

Backing up and restoring GPOs

Backing up and restoring Active Directory

Working with Active Directory snapshots

Managing the DSRM passwords on domain controllers

Protecting important objects from accidental deletion

Implementing LAPS

Managing deleted objects

Working with gMSAs

Configuring diagnostic logging

Configuring the advanced security audit policy

Resetting the KRBTGT secret

Using the SCW to secure domain controllers

Leveraging the Protected Users group

Putting authentication policies and authentication policy silos to good use

Configuring Extranet Smart Lockout

Chapter 12: Managing Certificates

Deciding between your own CA and a public CA

Setting up a CA

Setting up an online responder

Removing a certificate template

Duplicating and editing a certificate template

Requesting a web server certificate

Issuing domain controller certificates

Managing certificate autoenrollment

Revoking a certificate

Decommissioning a CA

Chapter 13: Managing Federation

Choosing the right AD FS farm deployment method

Installing the AD FS server role

Setting up an AD FS farm with WID

Setting up an AD FS farm with SQL Server

Adding additional AD FS servers to an AD FS farm

Removing AD FS servers from an AD FS farm

Creating an RPT

Deleting an RPT

Configuring branding

Migrating a WID-based AD FS farm to an SQL Server

Setting up a WAP

Decommissioning a WAP

Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO)

Choosing the right authentication method

Signing up for Azure AD

Verifying your DNS domain name

Implementing PHS with Express Settings

Implementing PTA and Seamless SSO

Implementing SSO using AD FS

Managing AD FS with Azure AD Connect

Implementing Azure Traffic Manager for AD FS geo-redundancy

Migrating from AD FS to PTA for SSO to Office 365

Making PTA (geo)redundant

Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect)

Choosing the right source anchor attribute for user objects

Configuring staging mode

Switching to a staging-mode server

Configuring domain and OU filtering

Configuring Azure AD app and attribute filtering

Configuring hybrid Azure AD join

Configuring device writeback

Configuring password writeback

Configuring group writeback

Changing passwords for Azure AD Connect service accounts

Chapter 16: Hardening Azure AD

Setting contact information

Preventing non-privileged users from accessing the Azure portal

Viewing all privileged users in Azure AD

Preventing users from registering or consenting to apps

Preventing users from inviting guests

Allowing and blocking invitations for Azure AD B2B

Configuring Azure AD join and Azure AD registration

Configuring Intune auto-enrollment upon Azure AD join

Choosing between Security defaults and Conditional Access

Configuring Conditional Access

Accessing Azure AD Connect Health

Configuring Azure AD Connect Health for AD FS

Configuring Azure AD Connect Health for AD DS

Configuring Azure AD PIM

Configuring Azure AD Identity Protection

Implementing Defender for Identity

Why subscribe?

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Demoting a domain controller

Every domain controller has a life cycle. After a certain period, it should make room for newer, better, more agile, or even more cost-efficient domain controllers, or other solutions, such as Azure Active Directory Domain Services.

Getting ready

Before you demote a domain controller, you should ensure of the following:

It no longer hosts any FSMO roles.
It no longer offers networking services, such as DNS, LDAP, RADIUS, or WINS. These protocols are manually configured on networking devices and other servers. Demoting a domain controller that offers these services might negatively impact the networking infrastructure. Reconfigure networking devices and servers to use alternative domain controllers or services first.
It is not an Enterprise Root Certification Authority (CA). When a domain controller is configured as an Enterprise Root CA using Active Directory Certificate Services (AD CS), it cannot be demoted. First, the CA needs to be migrated.
There are other global catalog servers available when you remove a domain controller that is also configured to be a global catalog server.

For successful demotions, the domain controller you intend to demote needs to have at least one network interface card attached to the network. Other domain controllers should be reachable and Active Directory replication should be working properly.

How to do it...

This recipe describes two supported ways to demote a domain controller graciously:

Using the Remove Server Roles and Features Wizard
Using the Active Directory module for Windows PowerShell

Using the Remove Server Roles and Features Wizard

To demote a domain controller graciously using Server Manager, perform these steps:

Press Start.
Search for Server Manager and click its corresponding search result, or run servermanager.exe. The Server Manager window appears.
In the gray top bar of Server Manager, click Manage.
Select Remove Server Roles and Features from the context menu. The Remove Roles and Features Wizard window appears.
On the Before you begin screen, click Next.
On the Select destination server screen, select the local Windows Server installation from the server pool list, and then click Next.
On the Select server roles screen, deselect the Active Directory Domain Services role from the list of installed roles. The Remove Roles and Features Wizard pop-up window appears.
In the pop-up window, click the Remove Features button to remove features that are required for Active Directory Domain Services:

Figure 2.14 – The Remove Roles and Features Wizard pop-up screen

On the Validation Results screen, follow the Demote this domain controller link to acknowledge that the domain controller needs to be demoted before the Active Directory Domain Services role can be removed:

Figure 2.15 – Validation Results for the Remove Roles and Features Wizard

The Active Directory Domain Services Configuration Wizard window appears. On the Credentials screen, optionally enter the credentials to perform the demotion, or click Next > to perform the operation with the credentials of the account you signed in with.
On the Warnings screen, select the Proceed with removal option and click Next >:

Figure 2.16 – The Warnings screen of the Active Directory Domain Services Configuration Wizard

On the Removal Options screen, select the Remove DNS delegation option and click Next >.
On the New administrator password screen, enter the new password for the built-in administrator account. Click Next > to proceed to the next screen.
On the Review Options screen, click Demote.
When configuration of the Active Directory Domain Services server role is done, click Close to close the Remove Roles and Features Wizard.

Using the Active Directory module for Windows PowerShell

To demote a domain controller graciously, you can use the Uninstall-ADDSDomainController PowerShell cmdlet like this:

Uninstall-ADDSDomainController

This removes the domain controller from the Active Directory domain and prompts you for the new password for the built-in administrator account after demotion. Replace the values in the previous sample file with the values of your choice.

To remove the Active Directory Domain Services role after demotion, use the following line of Windows PowerShell:

Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools

The domain controller is then demoted, and the Active Directory Domain Services role is removed.

How it works...

Every domain controller has its information stored in numerous places throughout the Active Directory database.

To remove this information and stop other domain controllers from replicating to non-existing domain controllers, the domain controllers should be demoted.

There's more...

Proper demotion of a domain controller will remove all the references to the domain controller from Active Directory.

However, it is a recommended practice to check the following tools manually after demotion:

DNS: (dnsmgmt.msc)
Active Directory Sites and Services (dssite.msc)

Active Directory Administration Cookbook - Second Edition

By : Sander Berkouwer

Active Directory Administration Cookbook - Second Edition

By: Sander Berkouwer

Overview of this book

Related Content you might be interested in

Current Title:

Active Directory Administration Cookbook - Second Edition

Identity with Windows Server 2016: Microsoft 70-742 MCSA Exam Guide

Mastering Active Directory, Third Edition

Mastering Active Directory

Demoting a domain controller

Getting ready

How to do it...

Using the Remove Server Roles and Features Wizard

Using the Active Directory module for Windows PowerShell

How it works...

There's more...