Mastering Active Directory - Second Edition

Book description

Become an expert at managing enterprise identity infrastructure by leveraging Active Directory

Key Features

  • Explore the new features in Active Directory Domain Services
  • Manage your Active Directory services for Windows Server 2016 effectively
  • Automate administrative tasks in Active Directory using PowerShell Core 6.x

Book Description

Active Directory (AD) is a centralized and standardized system that automates networked management of user data, security, and distributed resources and enables interoperation with other directories.

This book will first help you brush up on the AD architecture and fundamentals, before guiding you through core components, such as sites, trust relationships, objects, and attributes. You will then explore AD schemas, LDAP, RMS, and security best practices to understand objects and components and how they can be used effectively. Next, the book will provide extensive coverage of AD Domain Services and Federation Services for Windows Server 2016, and help you explore their new features. Furthermore, you will learn to manage your identity infrastructure for a hybrid cloud setup. All this will help you design, plan, deploy, manage operations, and troubleshoot your enterprise identity infrastructure in a secure and effective manner. You'll later discover the Azure AD PowerShell module, and learn to automate administrative tasks using PowerShell cmdlets. All along, this updated second edition will cover content based on the latest version of Active Directory, PowerShell 5.1, and LDAP.

By the end of this book, you'll be well versed with best practices and troubleshooting techniques for improving security and performance in identity infrastructures.

What you will learn

  • Design your Hybrid AD environment by evaluating business and technology requirements
  • Protect sensitive data in a hybrid environment using Azure Information Protection
  • Explore advanced functionalities of the schema
  • Learn about Flexible Single Master Operation (FSMO) roles and their placement
  • Install and migrate Active Directory from older versions to Active Directory 2016
  • Control users, groups, and devices effectively
  • Design your OU structure in the most effective way
  • Integrate Azure AD with Active Directory Domain Services for a hybrid setup

Who this book is for

If you are an Active Directory administrator, system administrator, or network professional who has basic knowledge of Active Directory and is looking to become an expert in this topic, this book is for you.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Mastering Active Directory Second Edition
  3. Dedication
  4. About Packt
    1. Why subscribe?
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  7. Section 1: Active Directory Planning, Design, and Installation
  8. Active Directory Fundamentals
    1. Benefits of using Active Directory
      1. Centralized data repository
      2. Replication of data
      3. High availability
      4. Security
      5. Auditing capabilities
      6. Single sign-on (SSO)
      7. Schema modification
      8. Querying and indexing
    2. Understanding Active Directory components
      1. Logical components
        1. Forests
        2. Domains
        3. Domain trees
        4. Organizational units
      2. Physical components
        1. Domain controllers
        2. Global catalog server
        3. Active Directory sites
    3. Understanding Active Directory objects
      1. Globally unique identifiers and security identifiers
      2. Distinguished names
    4. Active Directory server roles
      1. Active Directory Domain Services
        1. Read-only domain controllers
      2. Active Directory Federation Services
      3. Active Directory Lightweight Directory Services
      4. Active Directory Rights Management Services
      5. Active Directory Certificate Services
    5. Azure AD
      1. Centralized identity and access management
      2. SSO experience
      3. Domain services
      4. Azure AD Application Proxy
      5. Azure AD B2B
      6. Azure AD B2C
      7. Azure AD versions
    6. Summary
  9. Active Directory Domain Services 2016
    1. Features of AD DS 2016
      1. Deprecation of Windows Server 2003's forest and domain functional levels
      2. Deprecation of File Replication Services
    2. PAM
      1. What does PAM have to do with AD DS 2016?
        1. What is the logic behind PAM?
    3. Time-based group memberships
    4. Microsoft Passport
    5. AD FS improvements
    6. Time sync improvements
    7. Azure AD join
      1. Azure AD joined devices
      2. Hybrid Azure AD join devices
        1. Windows' current devices
        2. Windows' down-level devices
    8. Summary
  10. Designing an Active Directory Infrastructure
    1. What makes a good system?
      1. New business requirements
      2. Correcting legacy design mistakes
    2. Gathering business data
      1. Defining security boundaries
      2. Identifying the physical computer network structure
    3. Designing the forest structure
      1. Single forest
      2. Multiple forest
      3. Creating the forest structure
        1. Autonomy
        2. Isolation
      4. Selecting forest design models
        1. The organizational forest model
        2. The resource forest model
        3. The restricted access forest model
    4. Designing the domain structure
      1. Single domain model
      2. The regional domain model
      3. The number of domains
      4. Deciding on domain names
      5. The forest root domain
      6. Deciding on the domain and forest functional levels
    5. Designing the OU structure
    6. Designing the physical topology of Active Directory
      1. Physical or virtual domain controllers
      2. Domain controller placement
    7. Global catalog server placement
    8. Designing a Hybrid Identity
      1. Cloud approach
      2. Identifying business needs
      3. Synchronization
      4. Cost
    9. Summary
  11. Active Directory Domain Name System
    1. What is DNS?
    2. Hierarchical naming structures
    3. How DNS works
    4. DNS essentials
      1. DNS records
        1. Start of authority record
        2. A and AAAA records
        3. NS records
        4. Mail exchanger records
        5. Canonical name records
        6. Pointer records
        7. SRV records
      2. Zones
        1. Primary zone
        2. Secondary zone
        3. Stub zones
        4. Reverse lookup zones
        5. DNS server operation modes
        6. Zone transfers
      3. DNS delegation
        1. DNS service providers
    5. Summary
  12. Placing Operations Master Roles
    1. FSMO roles
      1. Schema operations master
      2. Domain-naming operations master
      3. Primary domain controller emulator operations master
      4. Relative ID operations master role
      5. Infrastructure operations master
    2. FSMO role placement
      1. Active Directory's logical and physical topology
      2. Connectivity
      3. The number of domain controllers
      4. Capacity
    3. Moving FSMO roles
    4. Seizing FSMO roles
    5. Summary
  13. Migrating to Active Directory 2016
    1. AD DS installation prerequisites
      1. Hardware requirements
      2. Virtualized environment requirements
      3. Additional requirements
      4. AD DS installation methods
    2. AD DS deployment scenarios
      1. Setting up a new forest root domain
        1. AD DS installation checklist for the first domain controller
        2. Design topology
        3. Installation steps
      2. Setting up an additional domain controller
        1. AD DS installation checklist for an additional domain controller
        2. Design topology
        3. Installation steps
      3. Setting up a new domain tree
        1. AD DS installation checklist for a new domain tree
        2. Design topology
        3. Installation steps
      4. Setting up a new child domain
        1. AD DS installation checklist for a new child domain
        2. Design topology
        3. Installation steps
    3. How to plan Active Directory migrations
      1. Migration life cycle
        1. Auditing
          1. Active Directory logical and physical topology
          2. Active Directory health check
          3. SCOM and Azure Monitor
          4. Application auditing
        2. Planning
        3. Implementation
          1. Active Directory migration checklist
          2. Design topology
          3. Installation steps
          4. Verification
        4. Maintenance
    4. Summary
  14. Section 2: Active Directory Administration
  15. Managing Active Directory Objects
    1. Tools and methods for managing objects
      1. Active Directory Administrative Center
      2. The ADUC MMC
      3. AD object administration with PowerShell
    2. Creating, modifying, and removing objects in AD
      1. Creating AD objects
        1. Creating user objects
        2. Creating computer objects
      2. Modifying AD objects
      3. Removing AD objects
    3. Finding objects in AD
      1. Finding objects using PowerShell
    4. Summary
  16. Managing Users, Groups, and Devices
    1. Object attributes
      1. Custom attributes
    2. User accounts
      1. MSAs
      2. gMSAs
        1. Uninstalling MSAs
    3. Groups
      1. Group scope
        1. Converting groups
        2. Setting up groups
    4. Devices and other objects
    5. Best practices
    6. Summary
  17. Designing the OU Structure
    1. OUs in operations
      1. Organizing objects
      2. Delegating control
      3. Group policies
      4. Containers versus OUs
    2. OU design models
      1. The container model
      2. The object type model
      3. The geographical model
      4. The department model
    3. Managing the OU structure
      1. Delegating control
    4. Summary
  18. Managing Group Policies
    1. Benefits of group policies
      1. Maintaining standards
      2. Automating administration tasks
      3. Preventing users from changing system settings
      4. Flexible targeting
      5. No modifications to target
    2. Group Policy capabilities
    3. Group Policy objects
      1. The Group Policy container
      2. The Group Policy template
    4. Group Policy processing
    5. Group Policy inheritance
    6. Group Policy conflicts
    7. Group Policy mapping and status
      1. Administrative templates
    8. Group Policy filtering
      1. Security filtering
      2. WMI filtering
    9. Group Policy preferences
    10. Item-level targeting
    11. Loopback processing
    12. Group Policy best practices
    13. Summary
  19. Section 3: Active Directory Service Management
  20. Active Directory Services
    1. Overview of AD LDS
      1. Where to use LDS?
        1. Application developments
        2. Hosted applications
        3. Distributed data stores for AD-integrated applications
        4. Migrating from other directory services
      2. The LDS installation
    2. AD replication
      1. FRS versus DFSR
        1. Prepared state
        2. Redirected state
        3. Eliminated state
    3. AD sites and replication
      1. Replication
      2. Authentication
      3. Service locations
    4. Sites
      1. Subnets
      2. Site links
      3. Site link bridges
    5. Managing AD sites and other components
      1. Managing sites
      2. Managing site links
        1. The site link cost
        2. Inter-site transport protocols
        3. Replication intervals
        4. Replication schedules
        5. The site link bridge
        6. Bridgehead servers
        7. Managing subnets
    6. How does replication work?
      1. Intra-site replications
      2. Inter-site replications
      3. The KCC
      4. How do updates occur?
        1. The Update Sequence Number (USN)
        2. The Directory Service Agent (DSA) GUID and invocation ID
        3. The High Watermark Vector (HWMV) table
        4. The Up-To-Dateness Vector (UTDV) table
    7. RODCs
    8. AD database maintenance
      1. The ntds.dit file
      2. The edb.log file
      3. The edb.chk file
      4. The temp.edb file
      5. Offline defragmentation
    9. AD backup and recovery
      1. Preventing the accidental deletion of objects
      2. AD Recycle Bin
      3. AD snapshots
      4. AD system state backup
      5. AD recovery from system state backup
    10. Summary
  21. Active Directory Certificate Services
    1. PKI in action
      1. Symmetric keys versus asymmetric keys
      2. Digital encryption
      3. Digital signatures
      4. Signing, encryption, and decryption
      5. SSL certificates
        1. Types of certification authorities
        2. How do certificates work with digital signatures and encryption?
        3. What can we do with certificates?
        4. AD CS components
          1. The CA
          2. Certificate Enrollment Web Service
          3. Certificate Enrollment Policy Web Service
          4. Certification Authority Web Enrollment
          5. Network Device Enrollment Service
          6. Online Responder
          7. The types of CA
    2. Planning PKI
      1. Internal or public CAs
      2. Identifying the correct object types
      3. The cryptographic key length
      4. Hash algorithms
      5. The certificate validity period
      6. The CA hierarchy
      7. High availability
      8. Deciding certificate templates
      9. The CA boundary
    3. PKI deployment models
      1. The single-tier model
      2. The two-tier model
      3. Three-tier models
    4. Setting up a PKI
      1. Setting up a standalone root CA
        1. DSConfigDN
        2. CDP locations
        3. AIA locations
        4. CA time limits
        5. CRL time limits
        6. The new CRL
      2. Publishing the root CA data to AD
      3. Setting up the issuing CA
      4. Issuing a certificate for the issuing CA
      5. Post-configuration tasks
        1. CDP locations
        2. AIA locations
        3. CA and CRL time limits
      6. Certificate templates
      7. Requesting certificates
    5. Summary
  22. Active Directory Federation Services
    1. How does AD FS work?
      1. What is a claim?
      2. Security Assertion Markup Language (SAML)
      3. WS-Trust
      4. WS-Federation
    2. AD FS components
      1. Federation service
        1. AD FS 1.0
        2. AD FS 1.1
        3. AD FS 2.0
        4. AD FS 2.1
        5. AD FS 3.0
        6. AD FS 4.0
        7. What is new in AD FS 2019?
      2. The Web Application Proxy
      3. AD FS configuration database
    3. AD FS deployment topologies
      1. Single federation server
      2. Single federation server and single Web Application Proxy server
      3. Multiple federation servers and multiple Web Application Proxy servers with SQL Server
    4. AD FS deployment
      1. DNS records
      2. SSL certificates
      3. Installing the AD FS role
      4. Installing WAP
      5. Configuring the claims-aware application with new federation servers
      6. Creating a relying party trust
      7. Configuring the Web Application Proxy
    5. Integrating with Azure MFA
      1. Prerequisites
      2. Creating a certificate in an AD FS farm to connect to Azure MFA
      3. Enabling AD FS servers to connect with the Azure Multi-Factor Authentication client
      4. Enabling the AD FS farm to use Azure MFA
      5. Enabling Azure MFA for authentication
    6. Summary
  23. Active Directory Rights Management Services
    1. What is AD RMS?
    2. AD RMS components
      1. Active Directory Domain Services (AD DS)
        1. The AD RMS cluster
        2. Web server
        3. SQL Server
        4. The AD RMS client
        5. Active Directory Certificate Service (AD CS)
    3. How does AD RMS work?
    4. How do we deploy AD RMS?
      1. Single forest–single cluster
      2. Single forest–multiple clusters
      3. AD RMS in multiple forests
      4. AD RMS with AD FS
    5. AD RMS configuration
      1. Setting up an AD RMS root cluster
      2. Installing the AD RMS role
      3. Configuring the AD RMS role
      4. Testing – protecting data using the AD RMS cluster
      5. Testing – applying permissions to the document
    6. Summary
  24. Section 4: Best Practices and Troubleshooting
  25. Active Directory Security Best Practices
    1. AD authentication
      1. The Kerberos protocol
      2. Authentication in an AD environment
    2. Delegating permissions
      1. Predefined AD administrator roles
      2. Using object ACLs
      3. Using the delegate control method in AD
    3. Implementing fine-grained password policies
      1. Limitations
      2. Resultant Set of Policy (RSoP)
      3. Configuration
    4. Pass-the-hash attacks
      1. The Protected Users security group
      2. Restricted admin mode for RDP
      3. Authentication policies and authentication policy silos
        1. Authentication policies
        2. Authentication policy silos
        3. Creating authentication policies
        4. Creating authentication policy silos
    5. JIT administration and JEA
      1. JIT administration
      2. JEA
    6. Azure AD PIM
      1. License requirements
        1. Implementation guidelines
        2. Implementation
    7. AIP
      1. Data classification
      2. Azure Rights Management Services (Azure RMS)
        1. Azure RMS versus AD RMS
        2. How does Azure RMS work?
        3. AIP scanner
        4. AIP implementation
    8. Summary
  26. Advanced AD Management with PowerShell
    1. AD management with PowerShell – preparation
      1. AD management commands and scripts
        1. Replication
        2. Replicating a specific object
      2. Users and Groups
        1. Last logon time
        2. Last login date report
        3. Login failures report
        4. Finding the locked-out account
        5. Password expire report
      3. JEA
        1. JEA configuration
        2. Testing
    2. Azure Active Directory PowerShell
      1. Installation
      2. General commands
      3. Managing users
      4. Managing groups
    3. Summary
  27. Azure Active Directory Hybrid Setup
    1. Integrating Azure AD with on-premises AD
      1. Evaluating the present business requirements
      2. Evaluating an organization's infrastructure road map
      3. Evaluating the security requirements
      4. Selecting the Azure AD version
      5. Deciding on a sign-in method
        1. Password hash synchronization
        2. Federation with Azure AD
        3. Pass-through authentication
        4. Azure AD Seamless SSO
        5. Synchronization between on-premises AD and Azure AD Managed Domain
        6. Azure AD Connect
        7. Azure AD Connect deployment topology
        8. Staging the server
    2. Step-by-step guide to integrating an on-premises AD environment with Azure AD
      1. Creating a virtual network
      2. Setting up Azure AD Managed Domain
      3. Adding DNS server details to the virtual network
      4. Creating a global administrator account for Azure AD Connect
      5. Setting up Azure AD Connect
        1. Installing the pass-through authentication agent
        2. Azure AD Connect configuration
      6. Syncing NTLM and Kerberos credential hashes to Azure AD
    3. Summary
  28. Active Directory Audit and Monitoring
    1. Auditing and monitoring AD using in-built Windows tools and techniques
      1. Windows Event Viewer
        1. Custom views
        2. Windows Logs
        3. Applications and Services Logs
        4. Subscriptions
        5. Active Directory Domain Service event logs
        6. Active Directory Domain Service log files
    2. AD audit
      1. Audit Directory Service Access
      2. Audit Directory Service Changes
      3. Audit Directory Service Replication
      4. Audit Detailed Directory Service Replication
    3. Demonstration
      1. Reviewing events
      2. Setting up event subscriptions
      3. Security event logs from domain controllers
      4. Enabling advanced security audit policies
      5. Enforcing advanced auditing
      6. Reviewing events with PowerShell
    4. Microsoft ATA
      1. What is Microsoft ATA?
      2. ATA benefits
      3. ATA components
        1. The ATA Center
        2. The ATA Gateway
        3. The ATA Lightweight Gateway
      4. ATA deployment
        1. ATA deployment prerequisites
    5. Demonstration
      1. Installing the ATA Center
      2. Installing the ATA Lightweight Gateway
      3. ATA testing
    6. Azure Monitor
      1. The benefits of Azure Monitor
      2. Azure Monitor in a hybrid environment
      3. What benefits will it have for AD?
    7. Demonstration
      1. Enabling Azure Monitor AD solutions
      2. Installing Log Analytics agents
      3. Viewing analyzed data
    8. Azure AD Connect Health
      1. Prerequisites
        1. Demonstration
    9. Summary
  29. Active Directory Troubleshooting
    1. Troubleshooting AD DS replication issues
      1. Identifying replication issues
      2. Event Viewer
        1. System Center Operations Manager (SCOM)
        2. Azure Monitor
    2. Troubleshooting replication issues
      1. Lingering objects
        1. Strict replication consistency
      2. Removing lingering objects
    3. Issues involving DFS Replication
      1. Troubleshooting
        1. Verifying the connection
        2. SYSVOL share status
        3. DFS Replication Status
        4. DFSR crash due to the dirty shutdown of the domain controller (event ID 2213)
        5. Content Freshness
        6. Non-authoritative DFS Replication
        7. Authoritative DFS Replication
    4. How to troubleshoot Group Policy issues
      1. Troubleshooting
        1. Forcing Group Policy processing
        2. Resultant Set of Policy (RSoP)
        3. GPRESULT
        4. Group Policy Results Wizard
        5. Group Policy Modeling Wizard
    5. How to troubleshoot AD DS database-related issues
      1. Integrity checking to detect low-level database corruption
      2. AD database recovery
    6. Summary
  30. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Mastering Active Directory - Second Edition
  • Author(s): Dishan Francis
  • Release date: August 2019
  • Publisher(s): Packt Publishing
  • ISBN: 9781789800203