book

Active Directory Administration Cookbook, Second Edition - Second Edition

by Sander Berkouwer

July 2022

Intermediate to advanced

696 pages

13h 30m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorAbout the reviewers
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesCode in ActionDownload the color imagesConventions usedGet in touchShare Your Thoughts
Choosing between a new domain or forestWhy would you have a new domain?What are the downsides of a new domain?Why would you create a new forest?What are the downsides of a new forest?Listing the domains in your forestGetting readyHow to do it...How it works...Using adprep.exe to prepare for new Active Directory functionalityGetting readyHow to do it...How it works...There's more...Raising the domain functional level to Windows Server 2016Getting readyHow to do it...How it works...Raising the forest functional level to Windows Server 2016Getting readyHow to do it...How it works...Creating the right trustTrust directionTrust transitivityOne-way or two-way trustGetting readyHow to do it...See alsoRemoving a trustGetting readyHow to do it...How it works...Verifying and resetting a trustGetting readyHow to do it...How it works...Securing a trustGetting readyHow to do it...How it works...There's more...Extending the schemaGetting readyHow to do it...There's more...Enabling the Active Directory Recycle BinGetting readyHow to do it...How it works...Managing UPN suffixesGetting readyHow to do it...How it works...There's more...
Preparing a Windows server to become a domain controllerIntending to do the right thingDimensioning the servers properlyPreparing the Windows Server installationsPreconfiguring the Windows serversDocumenting the passwordsSee alsoPromoting a server to a domain controllerGetting readyHow to do it...See alsoPromoting a server to a read-only domain controllerGetting readyHow to do it...Checking proper promotionHow it works...See alsoUsing Install From MediaGetting readyHow to do it...How it works...Using domain controller cloningGetting readyHow to do it...How it works...See alsoDetermining whether a virtual domain controller has a VM-GenerationIDHow to do it...How it works...Demoting a domain controllerGetting readyHow to do it...How it works...There's more...Demoting a domain controller forcefullyGetting readyHow to do it...See alsoInventory domain controllersHow to do it...Decommissioning a compromised read-only domain controllerHow to do it...How it works...
About FSMO rolesRecommended practices for FSMO rolesQuerying FSMO role placementGetting readyHow to do it...How it works...Transferring FSMO rolesGetting readyHow to do it...How it works...Seizing FSMO rolesGetting readyHow to do it...How it works...Configuring the PDC Emulator to synchronize time with a reliable sourceGetting readyHow to do it...How it works...Managing time synchronization for virtual domain controllersGetting readyHow to do it...How it works...Managing global catalogsGetting readyHow to do it...How it works
Differences between OUs and containersContainersOUsOUs versus Active Directory domainsCreating an OUGetting readyHow to do it...How it works...There's more...Deleting an OUGetting readyHow to do it...How it works...There's more...Modifying an OUGetting readyHow to do it...How it works...There's more...See alsoDelegating control of an OUGetting readyHow to do it...How it works...See alsoModifying the default location for new user and computer objectsGetting readyHow to do it...How it works...See also
What do Active Directory sites do?RecommendationsCreating a siteGetting readyHow to do it...See alsoManaging a siteGetting readyHow to do it...How it works...See alsoManaging subnetsGetting readyHow to do it...How it works...See alsoCreating a site linkGetting readyHow to do it...How it works...See alsoManaging a site linkGetting readyHow to do it...See alsoModifying replication settings for an Active Directory site linkGetting readyHow to do it...How it works...See alsoCreating a site link bridgeGetting readyHow to do it...See alsoManaging bridgehead serversGetting readyHow to do it...How it works...See alsoManaging the ISTG and KCCGetting readyHow to do it...How it works...See alsoManaging UGMCGetting readyHow to do it...How it works...See alsoWorking with repadmin.exeGetting readyHow to do it...How it works...See alsoForcing replicationGetting readyHow to do it...How it works…See alsoManaging inbound and outbound replicationGetting readyHow to do it...How it works...There's more...See alsoModifying the tombstone lifetime periodGetting readyHow to do it...How it works...See alsoManaging strict replication consistencyGetting readyHow to do it...How it works...Upgrading SYSVOL replication from FRS to DFSRGetting readyHow to do it...How it works...See alsoChecking for and remediating lingering objectsGetting readyHow to do it...How it works...See also
Creating a userGetting readyHow to do it...How it works...There's more...Deleting a userGetting readyHow to do it...How it works...See alsoModifying several users at onceGetting readyHow to do it...How it works...There's more...Moving a userGetting readyHow to do it...How it works...Renaming a userGetting readyHow to do it...How it works...Enabling and disabling a userGetting readyHow to do it...How it works...There's more...Finding locked-out usersGetting readyHow to do it...How it works...See alsoUnlocking a userGetting readyHow to do it...Managing userAccountControlGetting readyHow to do it...How it works...Using account expirationGetting readyHow to do it...How it works...
Creating a groupGetting readyHow to do it...How it works...Deleting a groupGetting readyHow to do it...How it works...Managing the direct members of a groupGetting readyHow to do it...How it works...Managing expiring group membershipsGetting readyHow to do it...How it works...Changing the scope or type of a groupGetting readyHow to do it...How it works...See also…Viewing nested group membershipsGetting readyHow to do it...How it works...Finding empty groupsGetting readyHow to do it...How it works...
Creating a computerGetting readyHow to do it...How it works...There's more...Deleting a computerGetting readyHow to do it...How it works...See alsoJoining a computer to the domainGetting readyHow to do it...How it works...There's more...See alsoRenaming a computerGetting readyHow to do it...How it works...There's more...Testing the secure channel for a computerGetting readyHow to do it...How it works...See alsoResetting a computer's secure channelGetting readyHow to do it...How it works...Getting readyHow to do it...How it works...

Managing the DNS server role on domain controllersGetting readyHow to do it…How it works…See alsoCreating a DNS zoneGetting readyHow to do it…How it works…Managing the DNS zone propertiesGetting readyHow to do it…How it works…Deleting a DNS zoneGetting readyHow to do it…How it works…Creating a DNS recordGetting readyHow to do it…How it works…Deleting a DNS recordGetting readyHow to do it…How it works…Verifying the domain controller SRV DNS records Getting readyHow to do it…How it works…Creating a DNS conditional forwarderGetting readyHow to do it...How it works…See also
Creating a GPOGetting readyHow to do it...How it works...See alsoCopying a GPOGetting readyHow to do it...How it works...There's more...Deleting a GPOGetting readyHow to do it...How it works...See alsoModifying the settings of a GPOGetting readyHow to do it...How it works...Assigning scriptsGetting readyHow to do it...How it works...Installing applicationsGetting readyHow to do it...How it works...Linking a GPO to an OUGetting readyHow to do it...How it works...There's more...Blocking inheritance of GPOs on an OUGetting readyHow to do it...How it works...Enforcing the settings of a GPO LinkGetting readyHow to do it...How it works...Applying security filtersGetting readyHow to do it...How it works...Creating and applying WMI filtersGetting readyHow to do it...How it works...There's more...Refreshing GPO settingsGetting readyHow to do it…How it works…Configuring loopback processingGetting readyHow to do it...How it works...Restoring a default GPOGetting readyHow to do it...How it works...There's more...Creating the Group Policy Central StoreGetting readyHow to do it...How it works...There's more...
Applying fine-grained password and account lockout policiesGetting readyHow to do it...How it works...There's more...Backing up and restoring GPOsGetting readyHow to do it...How it works...There's more...Backing up and restoring Active DirectoryGetting readyHow to do it...How it works...See also…Working with Active Directory snapshotsGetting readyHow to do it...How it works...There's more...See alsoManaging the DSRM passwords on domain controllersGetting readyHow to do it...How it works...Protecting important objects from accidental deletion Getting readyHow to do it…How it works…There's more…Implementing LAPSGetting readyHow to do it...How it works...See alsoManaging deleted objectsGetting readyHow to do it...How it works...There's more...See alsoWorking with gMSAsGetting readyHow to do it...How it works...There's more...Configuring diagnostic loggingGetting readyHow to do it…How it works…Configuring the advanced security audit policyGetting readyHow to do it...How it works...Resetting the KRBTGT secretGetting readyHow to do it...How it works...There's more...Using the SCW to secure domain controllersGetting readyHow to do itHow it works...Leveraging the Protected Users groupGetting readyHow to do it...How it works...See alsoPutting authentication policies and authentication policy silos to good useGetting readyHow to do it...How it works...Configuring Extranet Smart LockoutGetting readyHow to do it...How it works...
Deciding between your own CA and a public CAHow to do it…How it works…See alsoThere's more…Setting up a CAGetting readyHow to do it…How it works…There's more…Setting up an online responderGetting readyHow to do it…How it works…See alsoRemoving a certificate templateGetting readyHow to do it…How it works…Duplicating and editing a certificate templateGetting readyHow to do it…How it works…Requesting a web server certificateGetting readyHow to do it…How it works…See alsoIssuing domain controller certificatesGetting readyHow to do it…How it works…Managing certificate autoenrollmentGetting readyHow to do it…How it works…See alsoRevoking a certificateGetting readyHow to do it…How it works…Decommissioning a CAGetting readyHow to do it…How it works…
Choosing the right AD FS farm deployment methodGetting readyHow to do it...How it works...There's more...See alsoInstalling the AD FS server roleGetting readyHow to do it...How it works...Setting up an AD FS farm with WIDGetting readyHow to do it...How it works...There's more...See alsoSetting up an AD FS farm with SQL ServerGetting readyHow to do it...How it works...There's more...See alsoAdding additional AD FS servers to an AD FS farmGetting readyHow to do it...How it works...Removing AD FS servers from an AD FS farmGetting readyHow to do it...How it works...There's more...Creating an RPTGetting readyHow to do it...How it works...Deleting an RPTGetting readyHow to do it...How it works...Configuring brandingGetting readyHow to do it...How it works...Migrating a WID-based AD FS farm to an SQL ServerGetting readyHow to do it...How it works…Setting up a WAPGetting readyHow to do it...How it works...There's more...Decommissioning a WAPGetting readyHow to do it...How it works...
Choosing the right authentication methodGetting readyHow to do it...How it works...There's more...Signing up for Azure ADGetting readyHow to do itHow it works…Verifying your DNS domain nameGetting readyHow to do it...How it works...Implementing PHS with Express SettingsGetting readyHow to do it...How it works...Implementing PTA and Seamless SSOGetting readyHow to do it...How it works...There's more...Implementing SSO using AD FSGetting readyHow to do it...How it works...There's more...Managing AD FS with Azure AD ConnectGetting readyHow to do it...How it works...Implementing Azure Traffic Manager for AD FS geo-redundancyGetting readyHow to do it...How it works...There's more...Migrating from AD FS to PTA for SSO to Office 365Getting readyHow to do it...How it works...There's more...Making PTA (geo)redundantGetting readyHow to do it...How it works...
Choosing the right source anchor attribute for user objectsGetting readyHow to do it...How it works...There's more...Configuring staging modeGetting readyHow to do it...How it works...See alsoSwitching to a staging-mode serverGetting readyHow to do it...How it works...Configuring domain and OU filteringGetting readyHow to do it...How it works...Configuring Azure AD app and attribute filteringGetting readyHow to do it...How it works...Configuring hybrid Azure AD joinGetting readyHow to do it...How it works...Configuring device writebackGetting readyHow to do it...How it works...Configuring password writebackGetting readyHow to do it...How it works...Configuring group writebackGetting readyHow to do it...How it works...Changing passwords for Azure AD Connect service accountsGetting readyHow to do it...How it works...
Setting contact informationGetting readyHow to do it...How it works...See alsoPreventing non-privileged users from accessing the Azure portalGetting readyHow to do it...How it works...Viewing all privileged users in Azure ADGetting readyHow to do it...How it works...Preventing users from registering or consenting to appsGetting readyHow to do it...How it works...Preventing users from inviting guestsGetting readyHow to do it...How it works...There's more...See alsoAllowing and blocking invitations for Azure AD B2BGetting readyHow to do it...How it works...Configuring Azure AD join and Azure AD registrationGetting readyHow to do it...How it works...See alsoConfiguring Intune auto-enrollment upon Azure AD joinGetting readyHow to do it...How it works...Choosing between Security defaults and Conditional AccessGetting readyHow to do it...How it works…Configuring Conditional AccessGetting readyHow to do it...How it works...See alsoAccessing Azure AD Connect HealthGetting readyHow to do it...How it works...There's more...Configuring Azure AD Connect Health for AD FSGetting readyHow to do it...How it works...There's more…Configuring Azure AD Connect Health for AD DSGetting readyHow to do it...How it works...Configuring Azure AD PIMGetting readyHow to do it...How it works...Configuring Azure AD Identity ProtectionGetting readyHow to do it...How it works...Implementing Defender for IdentityGetting readyHow to do it…How it works…
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Content preview from Active Directory Administration Cookbook, Second Edition - Second Edition

Chapter 13: Managing Federation

Active Directory Domain Services (AD DS) has been around for 20 years. Its interactions are based on protocols—such as New Technology LAN Manager (NTLM) and Kerberos—that Microsoft has invented and/or expanded on. In fact, these protocols originated before some companies were even connected to the internet era; they were intended for safe networks. However, today, there's a need for open protocols that are usable on all networks, allowing for interactions without technology boundaries. Active Directory Federation Services (AD FS) allows for these interactions.

AD FS was initially purposed for organization-to-organization collaboration without a need to set up and maintain Active Directory trusts. Recently, it ...