Mastering Active Directory Second Edition

Index

Front matter
  • Title Page
  • Copyright and Credits
  • Dedication
  • About Packt
    • Why subscribe?
  • Contributors
    • About the author
    • About the reviewer
    • Packt is searching for authors like you
  • Preface
    • Who this book is for
    • What this book covers
    • To get the most out of this book
    • Download the color images
    • Conventions used
    • Get in touch
    • Reviews

Section 1: Active Directory Planning, Design, and Installation

Active Directory Fundamentals
  • Benefits of using Active Directory
    • Centralized data repository
    • Replication of data
    • High availability
    • Security
    • Auditing capabilities
    • Single sign-on (SSO)
    • Schema modification
    • Querying and indexing
  • Understanding Active Directory components
    • Logical components
      • Forests
      • Domains
      • Domain trees
      • Organizational units
    • Physical components
      • Domain controllers
      • Global catalog server
      • Active Directory sites
  • Understanding Active Directory objects
    • Globally unique identifiers and security identifiers
    • Distinguished names
  • Active Directory server roles
    • Active Directory Domain Services
      • Read-only domain controllers
    • Active Directory Federation Services
    • Active Directory Lightweight Directory Services
    • Active Directory Rights Management Services
    • Active Directory Certificate Services
  • Azure AD
    • Centralized identity and access management
    • SSO experience
    • Domain services
    • Azure AD Application Proxy
    • Azure AD B2B
    • Azure AD B2C
    • Azure AD versions
  • Summary

Active Directory Domain Services 2016
  • Features of AD DS 2016
    • Deprecation of Windows Server 2003's forest and domain functional levels
    • Deprecation of File Replication Services
    • PAM
      • What does PAM have to do with AD DS 2016?
      • What is the logic behind PAM?
    • Time-based group memberships
    • Microsoft Passport
    • AD FS improvements
    • Time sync improvements
    • Azure AD join
      • Azure AD joined devices
      • Hybrid Azure AD join devices
        • Windows current devices
        • Windows down-level devices
  • Summary

Designing an Active Directory Infrastructure
  • What makes a good system?
    • New business requirements
    • Correcting legacy design mistakes
  • Gathering business data
    • Defining security boundaries
    • Identifying the physical computer network structure
  • Designing the forest structure
    • Single forest
    • Multiple forests
    • Creating the forest structure
      • Autonomy
      • Isolation
    • Selecting forest design models
      • The organizational forest model
      • The resource forest model
      • The restricted access forest model
  • Designing the domain structure
    • Single domain model
    • The regional domain model
    • The number of domains
    • Deciding on domain names
    • The forest root domain
    • Deciding on the domain and forest functional levels
  • Designing the OU structure
  • Designing the physical topology of Active Directory
    • Physical or virtual domain controllers
    • Domain controller placement
    • Global catalog server placement
  • Designing a Hybrid Identity
    • Cloud approach
    • Identifying business needs
    • Synchronization
    • Cost
  • Summary

Active Directory Domain Name System
  • What is DNS?
    • Hierarchical naming structures
    • How DNS works
    • DNS essentials
  • DNS records
    • Start of authority record
    • A and AAAA records
    • NS records
    • Mail exchanger records
    • Canonical name records
    • Pointer records
    • SRV records
  • Zones
    • Primary zone
    • Secondary zone
    • Stub zones
    • Reverse lookup zones
    • DNS server operation modes
    • Zone transfers
  • DNS delegation
  • DNS service providers
  • Summary

Placing Operations Master Roles
  • FSMO roles
    • Schema operations master
    • Domain-naming operations master
    • Primary domain controller emulator operations master
    • Relative ID operations master role
    • Infrastructure operations master
  • FSMO role placement
    • Active Directory's logical and physical topology
    • Connectivity
    • The number of domain controllers
    • Capacity
  • Moving FSMO roles
  • Seizing FSMO roles
  • Summary

Migrating to Active Directory 2016
  • AD DS installation prerequisites
    • Hardware requirements
    • Virtualized environment requirements
    • Additional requirements
    • AD DS installation methods
  • AD DS deployment scenarios
    • Setting up a new forest root domain
      • AD DS installation checklist for the first domain controller
      • Design topology
      • Installation steps
    • Setting up an additional domain controller
      • AD DS installation checklist for an additional domain controller
      • Design topology
      • Installation steps
    • Setting up a new domain tree
      • AD DS installation checklist for a new domain tree
      • Design topology
      • Installation steps
    • Setting up a new child domain
      • AD DS installation checklist for a new child domain
      • Design topology
      • Installation steps
  • How to plan Active Directory migrations
    • Migration life cycle
      • Auditing
        • Active Directory logical and physical topology
        • Active Directory health check
        • SCOM and Azure Monitor
        • Application auditing
      • Planning
      • Implementation
        • Active Directory migration checklist
        • Design topology
        • Installation steps
        • Verification
      • Maintenance
  • Summary

Section 2: Active Directory Administration

Managing Active Directory Objects
  • Tools and methods for managing objects
    • Active Directory Administrative Center
    • The ADUC MMC
    • AD object administration with PowerShell
  • Creating, modifying, and removing objects in AD
    • Creating AD objects
      • Creating user objects
      • Creating computer objects
    • Modifying AD objects
    • Removing AD objects
  • Finding objects in AD
    • Finding objects using PowerShell
  • Summary

Managing Users, Groups, and Devices
  • Object attributes
    • Custom attributes
  • User accounts
    • MSAs
    • gMSAs
    • Uninstalling MSAs
  • Groups
    • Group scope
    • Converting groups
    • Setting up groups
  • Devices and other objects
  • Best practices
  • Summary

Designing the OU Structure
  • OUs in operations
    • Organizing objects
    • Delegating control
    • Group policies
    • Containers versus OUs
  • OU design models
    • The container model
    • The object type model
    • The geographical model
    • The department model
  • Managing the OU structure
  • Delegating control
  • Summary

Managing Group Policies
  • Benefits of group policies
    • Maintaining standards
    • Automating administration tasks
    • Preventing users from changing system settings
    • Flexible targeting
    • No modifications to target
  • Group Policy capabilities
  • Group Policy objects
    • The Group Policy container
    • The Group Policy template
  • Group Policy processing
    • Group Policy inheritance
    • Group Policy conflicts
    • Group Policy mapping and status
  • Administrative templates
  • Group Policy filtering
    • Security filtering
    • WMI filtering
  • Group Policy preferences
    • Item-level targeting
  • Loopback processing
  • Group Policy best practices
  • Summary

Section 3: Active Directory Service Management

Active Directory Services
  • Overview of AD LDS
    • Where to use LDS?
      • Application developments
      • Hosted applications
      • Distributed data stores for AD-integrated applications
      • Migrating from other directory services
    • The LDS installation
  • AD replication
    • FRS versus DFSR
      • Prepared state
      • Redirected state
      • Eliminated state
    • AD sites and replication
      • Replication
      • Authentication
      • Service locations
    • Sites
      • Subnets
      • Site links
      • Site link bridges
    • Managing AD sites and other components
      • Managing sites
      • Managing site links
        • The site link cost
        • Inter-site transport protocols
        • Replication intervals
        • Replication schedules
        • The site link bridge
        • Bridgehead servers
      • Managing subnets
    • How does replication work?
      • Intra-site replications
      • Inter-site replications
      • The KCC
      • How do updates occur?
        • The Update Sequence Number (USN)
        • The Directory Service Agent (DSA) GUID and invocation ID
        • The High Watermark Vector (HWMV) table
        • The Up-To-Dateness Vector (UTDV) table
    • RODCs
  • AD database maintenance
    • The ntds.dit file
    • The edb.log file
    • The edb.chk file
    • The temp.edb file
    • Offline defragmentation
  • AD backup and recovery
    • Preventing the accidental deletion of objects
    • AD Recycle Bin
    • AD snapshots
    • AD system state backup
    • AD recovery from system state backup
  • Summary

Active Directory Certificate Services
  • PKI in action
    • Symmetric keys versus asymmetric keys
    • Digital encryption
    • Digital signatures
    • Signing, encryption, and decryption
    • SSL certificates
    • Types of certification authorities
    • How do certificates work with digital signatures and encryption?
    • What can we do with certificates?
  • AD CS components
    • The CA
    • Certificate Enrollment Web Service
    • Certificate Enrollment Policy Web Service
    • Certification Authority Web Enrollment
    • Network Device Enrollment Service
    • Online Responder
    • The types of CA
  • Planning PKI
    • Internal or public CAs
    • Identifying the correct object types
    • The cryptographic key length
    • Hash algorithms
    • The certificate validity period
    • The CA hierarchy
    • High availability
    • Deciding certificate templates
    • The CA boundary
  • PKI deployment models
    • The single-tier model
    • The two-tier model
    • Three-tier models
  • Setting up a PKI
    • Setting up a standalone root CA
      • DSConfigDN
      • CDP locations
      • AIA locations
      • CA time limits
      • CRL time limits
      • The new CRL
    • Publishing the root CA data to AD
    • Setting up the issuing CA
      • Issuing a certificate for the issuing CA
      • Post-configuration tasks
        • CDP locations
        • AIA locations
        • CA and CRL time limits
    • Certificate templates
    • Requesting certificates
  • Summary

Active Directory Federation Services
  • How does AD FS work?
    • What is a claim?
    • Security Assertion Markup Language (SAML)
    • WS-Trust
    • WS-Federation
  • AD FS components
    • Federation service
      • AD FS 1.0
      • AD FS 1.1
      • AD FS 2.0
      • AD FS 2.1
      • AD FS 3.0
      • AD FS 4.0
      • What is new in AD FS 2019?
    • The Web Application Proxy
    • AD FS configuration database
  • AD FS deployment topologies
    • Single federation server
    • Single federation server and single Web Application Proxy server
    • Multiple federation servers and multiple Web Application Proxy servers with SQL Server
  • AD FS deployment
    • DNS records
    • SSL certificates
    • Installing the AD FS role
    • Installing WAP
    • Configuring the claims-aware application with new federation servers
    • Creating a relying party trust
    • Configuring the Web Application Proxy
  • Integrating with Azure MFA
    • Prerequisites
    • Creating a certificate in an AD FS farm to connect to Azure MFA
    • Enabling AD FS servers to connect with the Azure Multi-Factor Authentication client
    • Enabling the AD FS farm to use Azure MFA
    • Enabling Azure MFA for authentication
  • Summary

Active Directory Rights Management Services
  • What is AD RMS?
  • AD RMS components
    • Active Directory Domain Services (AD DS)
    • The AD RMS cluster
    • Web server
    • SQL Server
    • The AD RMS client
    • Active Directory Certificate Service (AD CS)
  • How does AD RMS work?
  • How do we deploy AD RMS?
    • Single forest–single cluster
    • Single forest–multiple clusters
    • AD RMS in multiple forests
    • AD RMS with AD FS
  • AD RMS configuration
    • Setting up an AD RMS root cluster
    • Installing the AD RMS role
    • Configuring the AD RMS role
    • Testing – protecting data using the AD RMS cluster
    • Testing – applying permissions to the document
  • Summary

Section 4: Best Practices and Troubleshooting

Active Directory Security Best Practices
  • AD authentication
    • The Kerberos protocol
    • Authentication in an AD environment
  • Delegating permissions
    • Predefined AD administrator roles
    • Using object ACLs
    • Using the delegate control method in AD
  • Implementing fine-grained password policies
    • Limitations
    • Resultant Set of Policy (RSoP)
    • Configuration
  • Pass-the-hash attacks
    • The Protected Users security group
    • Restricted admin mode for RDP
    • Authentication policies and authentication policy silos
      • Authentication policies
      • Authentication policy silos
      • Creating authentication policies
      • Creating authentication policy silos
  • JIT administration and JEA
    • JIT administration
    • JEA
  • Azure AD PIM
    • License requirements
    • Implementation guidelines
    • Implementation
  • AIP
    • Data classification
    • Azure Rights Management Services (Azure RMS)
      • Azure RMS versus AD RMS
      • How does Azure RMS work?
    • AIP scanner
    • AIP implementation
  • Summary

Advanced AD Management with PowerShell
  • AD management with PowerShell – preparation
  • AD management commands and scripts
    • Replication
      • Replicating a specific object
    • Users and Groups
      • Last logon time
      • Last login date report
      • Login failures report
      • Finding the locked-out account
      • Password expiry report
  • JEA
    • JEA configuration
    • Testing
  • Azure Active Directory PowerShell
    • Installation
    • General commands
    • Managing users
    • Managing groups
  • Summary

Azure Active Directory Hybrid Setup
  • Integrating Azure AD with on-premises AD
    • Evaluating the present business requirements
    • Evaluating an organization's infrastructure road map
    • Evaluating the security requirements
    • Selecting the Azure AD version
    • Deciding on a sign-in method
      • Password hash synchronization
      • Federation with Azure AD
      • Pass-through authentication
      • Azure AD Seamless SSO
    • Synchronization between on-premises AD and Azure AD Managed Domain
    • Azure AD Connect
      • Azure AD Connect deployment topology
      • Staging the server
  • Step-by-step guide to integrating an on-premises AD environment with Azure AD
    • Creating a virtual network
    • Setting up Azure AD Managed Domain
    • Adding DNS server details to the virtual network
    • Creating a global administrator account for Azure AD Connect
    • Setting up Azure AD Connect
      • Installing the pass-through authentication agent
      • Azure AD Connect configuration
    • Syncing NTLM and Kerberos credential hashes to Azure AD
  • Summary

Active Directory Audit and Monitoring
  • Auditing and monitoring AD using in-built Windows tools and techniques
    • Windows Event Viewer
      • Custom views
      • Windows Logs
      • Applications and Services Logs
      • Subscriptions
      • Active Directory Domain Service event logs
      • Active Directory Domain Service log files
    • AD audit
      • Audit Directory Service Access
      • Audit Directory Service Changes
      • Audit Directory Service Replication
      • Audit Detailed Directory Service Replication
    • Demonstration
      • Reviewing events
      • Setting up event subscriptions
      • Security event logs from domain controllers
      • Enabling advanced security audit policies
      • Enforcing advanced auditing
      • Reviewing events with PowerShell
  • Microsoft ATA
    • What is Microsoft ATA?
    • ATA benefits
    • ATA components
      • The ATA Center
      • The ATA Gateway
      • The ATA Lightweight Gateway
    • ATA deployment
      • ATA deployment prerequisites
    • Demonstration
      • Installing the ATA Center
      • Installing the ATA Lightweight Gateway
      • ATA testing
  • Azure Monitor
    • The benefits of Azure Monitor
    • Azure Monitor in a hybrid environment
    • What benefits will it have for AD?
    • Demonstration
      • Enabling Azure Monitor AD solutions
      • Installing Log Analytics agents
      • Viewing analyzed data
  • Azure AD Connect Health
    • Prerequisites
    • Demonstration
  • Summary

Active Directory Troubleshooting
  • Troubleshooting AD DS replication issues
    • Identifying replication issues
      • Event Viewer
      • System Center Operations Manager (SCOM)
      • Azure Monitor
    • Troubleshooting replication issues
    • Lingering objects
      • Strict replication consistency
      • Removing lingering objects
  • Issues involving DFS Replication
    • Troubleshooting
      • Verifying the connection
      • SYSVOL share status
      • DFS Replication Status
      • DFSR crash due to the dirty shutdown of the domain controller (event ID 2213)
      • Content Freshness
      • Non-authoritative DFS Replication
      • Authoritative DFS Replication
  • How to troubleshoot Group Policy issues
    • Troubleshooting
      • Forcing Group Policy processing
      • Resultant Set of Policy (RSoP)
      • GPRESULT
      • Group Policy Results Wizard
      • Group Policy Modeling Wizard
  • How to troubleshoot AD DS database-related issues
    • Integrity checking to detect low-level database corruption
    • AD database recovery
  • Summary

Back matter
  • Other Books You May Enjoy
    • Leave a review - let other readers know what you think