Active Directory Administration Cookbook - Second Edition

By : Sander Berkouwer

Active Directory Administration Cookbook - Second Edition

By: Sander Berkouwer

Overview of this book

Updated to the Windows Server 2022, this second edition covers effective recipes for Active Directory administration that will help you leverage AD's capabilities for automating network, security, and access management tasks in the Windows infrastructure. Starting with a detailed focus on forests, domains, trusts, schemas, and partitions, this book will help you manage domain controllers, organizational units, and default containers. You'll then explore Active Directory sites management as well as identify and solve replication problems. As you progress, you'll work through recipes that show you how to manage your AD domains as well as user and group objects and computer accounts, expiring group memberships, and Group Managed Service Accounts (gMSAs) with PowerShell. Once you've covered DNS and certificates, you'll work with Group Policy and then focus on federation and security before advancing to Azure Active Directory and how to integrate on-premise Active Directory with Azure AD. Finally, you'll discover how Microsoft Azure AD Connect synchronization works and how to harden Azure AD. By the end of this AD book, you’ll be able to make the most of Active Directory and Azure AD Connect.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Code in Action

Download the color images

Conventions used

Get in touch

Share Your Thoughts

Chapter 1: Optimizing Forests, Domains, and Trusts

Choosing between a new domain or forest

Listing the domains in your forest

Using adprep.exe to prepare for new Active Directory functionality

Raising the domain functional level to Windows Server 2016

Raising the forest functional level to Windows Server 2016

Creating the right trust

Removing a trust

Verifying and resetting a trust

Securing a trust

Extending the schema

Enabling the Active Directory Recycle Bin

Managing UPN suffixes

Free Chapter

Chapter 2: Managing Domain Controllers

Preparing a Windows server to become a domain controller

Promoting a server to a domain controller

Promoting a server to a read-only domain controller

Using Install From Media

Using domain controller cloning

Determining whether a virtual domain controller has a VM-GenerationID

Demoting a domain controller

Demoting a domain controller forcefully

Inventory domain controllers

Decommissioning a compromised read-only domain controller

Chapter 3: Managing Active Directory Roles and Features

About FSMO roles

Querying FSMO role placement

Transferring FSMO roles

Configuring the PDC Emulator to synchronize time with a reliable source

Managing time synchronization for virtual domain controllers

Managing global catalogs

Chapter 4: Managing Containers and Organizational Units

Differences between OUs and containers

Creating an OU

Deleting an OU

Modifying an OU

Delegating control of an OU

Modifying the default location for new user and computer objects

Chapter 5: Managing Active Directory Sites and Troubleshooting Replication

What do Active Directory sites do?

Modifying replication settings for an Active Directory site link

Creating a site link bridge

Managing bridgehead servers

Managing the ISTG and KCC

Managing UGMC

Working with repadmin.exe

Forcing replication

Managing inbound and outbound replication

Modifying the tombstone lifetime period

Managing strict replication consistency

Upgrading SYSVOL replication from FRS to DFSR

Checking for and remediating lingering objects

Chapter 6: Managing Active Directory Users

Creating a user

Deleting a user

Modifying several users at once

Moving a user

Renaming a user

Enabling and disabling a user

Finding locked-out users

Unlocking a user

Managing userAccountControl

Using account expiration

Chapter 7: Managing Active Directory Groups

Creating a group

Deleting a group

Managing the direct members of a group

Managing expiring group memberships

Changing the scope or type of a group

Viewing nested group memberships

Finding empty groups

Chapter 8: Managing Active Directory Computers

Creating a computer

Deleting a computer

Joining a computer to the domain

Renaming a computer

Testing the secure channel for a computer

Resetting a computer's secure channel

Chapter 9: Managing DNS

Managing the DNS server role on domain controllers

Creating a DNS zone

Managing the DNS zone properties

Deleting a DNS zone

Creating a DNS record

Deleting a DNS record

Verifying the domain controller SRV DNS records

Creating a DNS conditional forwarder

Chapter 10: Getting the Most Out of Group Policy

Creating a GPO

Copying a GPO

Deleting a GPO

Modifying the settings of a GPO

Assigning scripts

Installing applications

Linking a GPO to an OU

Blocking inheritance of GPOs on an OU

Enforcing the settings of a GPO Link

Applying security filters

Creating and applying WMI filters

Refreshing GPO settings

Configuring loopback processing

Restoring a default GPO

Creating the Group Policy Central Store

Chapter 11: Securing Active Directory

Applying fine-grained password and account lockout policies

Backing up and restoring GPOs

Backing up and restoring Active Directory

Working with Active Directory snapshots

Managing the DSRM passwords on domain controllers

Protecting important objects from accidental deletion

Implementing LAPS

Managing deleted objects

Working with gMSAs

Configuring diagnostic logging

Configuring the advanced security audit policy

Resetting the KRBTGT secret

Using the SCW to secure domain controllers

Leveraging the Protected Users group

Putting authentication policies and authentication policy silos to good use

Configuring Extranet Smart Lockout

Chapter 12: Managing Certificates

Deciding between your own CA and a public CA

Setting up a CA

Setting up an online responder

Removing a certificate template

Duplicating and editing a certificate template

Requesting a web server certificate

Issuing domain controller certificates

Managing certificate autoenrollment

Revoking a certificate

Decommissioning a CA

Chapter 13: Managing Federation

Choosing the right AD FS farm deployment method

Installing the AD FS server role

Setting up an AD FS farm with WID

Setting up an AD FS farm with SQL Server

Adding additional AD FS servers to an AD FS farm

Removing AD FS servers from an AD FS farm

Creating an RPT

Deleting an RPT

Configuring branding

Migrating a WID-based AD FS farm to an SQL Server

Setting up a WAP

Decommissioning a WAP

Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO)

Choosing the right authentication method

Signing up for Azure AD

Verifying your DNS domain name

Implementing PHS with Express Settings

Implementing PTA and Seamless SSO

Implementing SSO using AD FS

Managing AD FS with Azure AD Connect

Implementing Azure Traffic Manager for AD FS geo-redundancy

Migrating from AD FS to PTA for SSO to Office 365

Making PTA (geo)redundant

Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect)

Choosing the right source anchor attribute for user objects

Configuring staging mode

Switching to a staging-mode server

Configuring domain and OU filtering

Configuring Azure AD app and attribute filtering

Configuring hybrid Azure AD join

Configuring device writeback

Configuring password writeback

Configuring group writeback

Changing passwords for Azure AD Connect service accounts

Chapter 16: Hardening Azure AD

Setting contact information

Preventing non-privileged users from accessing the Azure portal

Viewing all privileged users in Azure AD

Preventing users from registering or consenting to apps

Preventing users from inviting guests

Allowing and blocking invitations for Azure AD B2B

Configuring Azure AD join and Azure AD registration

Configuring Intune auto-enrollment upon Azure AD join

Choosing between Security defaults and Conditional Access

Configuring Conditional Access

Accessing Azure AD Connect Health

Configuring Azure AD Connect Health for AD FS

Configuring Azure AD Connect Health for AD DS

Configuring Azure AD PIM

Configuring Azure AD Identity Protection

Implementing Defender for Identity

Why subscribe?

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Decommissioning a compromised read-only domain controller

One of the benefits of deploying read-only domain controllers is their ability to recover quickly from an information security breach.

Since only the passwords for a subset of users are cached on the read-only domain controller when these users signed on through the read-only domain controller and the passwords for really sensitive accounts weren't allowed to be cached on the read-only domain controller, the impact of a stolen read-only domain controller is small, compared to a fully writable domain controller.

How to do it...

To render the read-only domain controller useless to an attacker or thief, perform these steps:

Press Start.
Search for Active Directory Users and Computers and click its corresponding search result, or run dsa.msc. The Active Directory Users and Computers window appears.
In the left navigation pane, expand the domain name.
In the left navigation pane, expand the Domain Controllers OU.
Right-click the compromised read-only domain controller and select Delete:

Figure 2.21 – Deleting a read-only domain controller in Active Directory Users and Computers

In the Active Directory Domain Services pop-up window, click Yes to answer the Are you sure you want to delete the Computer? question.
On the Deleting Domain Controller screen, select the Reset all passwords for user accounts that were cached on this Read-only Domain Controller option:

Figure 2.22 – The Deleting Domain Controller window

Since the persons associated with the user accounts will be forced to have their passwords reset by service desk personnel, it's a recommended practice to also check the Export the list of accounts that were cached on this Read-only Domain Controller to this file option and to specify a file. This way, the service desk may proactively approach affected colleagues.
Click Delete.
In the Delete Domain Controller pop-up window, click OK.
In the Delete Domain Controller pop-up window, click Yes to continue with this deletion.

How it works...

Each read-only domain controller caches the hashes of the passwords for users signing in through the read-only domain controller. For this functionality, the read-only domain controller contacts a writable domain controller.

When a user account is denied having its password cached, the password is not cached. For accounts on which the passwords have been cached, the best remedy is to reset these passwords.

Every Kerberos ticket that is given to devices or user accounts is encrypted using the separate krbtgt account for the read-only domain controller. These tickets are bound to the read-only domain controller. When the read-only domain controller is removed from the Active Directory domain, these Kerberos tickets become useless.

Active Directory Administration Cookbook - Second Edition

By : Sander Berkouwer

Active Directory Administration Cookbook - Second Edition

By: Sander Berkouwer

Overview of this book

Related Content you might be interested in

Current Title:

Active Directory Administration Cookbook - Second Edition

Identity with Windows Server 2016: Microsoft 70-742 MCSA Exam Guide

Mastering Active Directory, Third Edition

Mastering Active Directory

Decommissioning a compromised read-only domain controller

How to do it...

How it works...