Active Directory Administration Cookbook - Sander Berkouwer - E-Book

Description

Learn the intricacies of managing Azure AD and Azure AD Connect, as well as Active Directory, for administration in the cloud and on Windows Server 2019


Key Features:

Expert solutions for federation, certificates, security, and monitoring with Active Directory
Explore Azure AD and AD Connect for effective administration in the cloud
Automate security tasks using Active Directory and PowerShell


Book Description:


Active Directory is an administration system for Windows administrators to automate network, security and access management tasks in the Windows infrastructure.


This book starts off with a detailed focus on forests, domains, trusts, schemas and partitions. Next, you learn how to manage domain controllers, organizational units and the default containers.


Going forward, you deep dive into managing Active Directory sites as well as identifying and solving replication problems. The next set of chapters covers the different components of Active Directory and discusses the management of users, groups and computers. You also go through recipes that help you manage your Active Directory domains, manage user and group objects and computer accounts, and handle expiring group memberships and group Managed Service Accounts with PowerShell.


You learn how to work with Group Policy and how to get the most out of it. The last set of chapters covers federation, security and monitoring. You will also learn about Azure Active Directory and how to integrate on-premises Active Directory with Azure AD. You learn how Azure AD Connect synchronization works, which will help you manage Azure AD.


By the end of the book, you will have a detailed understanding of both Active Directory and Azure AD.


What you will learn:

Manage new Active Directory features, such as the Recycle Bin, group Managed Service Accounts, and fine-grained password policies
Work with Active Directory from the command line and use Windows PowerShell to automate tasks
Create and remove forests, domains, and trusts
Create groups, modify group scope and type, and manage memberships
Delegate control, view and modify permissions
Optimize Active Directory and Azure AD in terms of security


Who this book is for:


This book will cater to administrators of existing Active Directory Domain Services environments and/or Azure AD tenants, looking for guidance to optimize their day-to-day effectiveness. Basic networking and Windows Server Operating System knowledge would come in handy.



Page count: 589

Year of publication: 2019




Active Directory Administration Cookbook

Actionable, proven solutions to identity management and authentication on servers and in the cloud

Sander Berkouwer

BIRMINGHAM - MUMBAI

Active Directory Administration Cookbook

Copyright © 2019 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Pavan Ramchandani
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Aishwarya Moray
Technical Editor: Rutuja Patade
Copy Editor: Safis Editing
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Priyanka Dhadke
Graphics: Tom Scaria
Production Coordinator: Deepika Naik

First published: May 2019

Production reference: 1030519

Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.

ISBN 978-1-78980-698-4

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

Packt.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

Contributors

About the author

Sander Berkouwer calls himself an Active Directory aficionado; he's done everything with Active Directory and Azure Active Directory, including decommissioning. He has been MCSA, MCSE, and MCITP-certified for ages, an MCT for the past 5 years and a Microsoft Most Valuable Professional (MVP) on Directory Services and Enterprise Mobility for over a decade. As the CTO at SCCT, Sander leads a team of architects performing many projects, most of them identity-related, throughout Europe.

About the reviewer

Brian Svidergol designs and builds infrastructure, cloud, and hybrid solutions. He holds many industry certifications, including Microsoft Certified Solutions Expert (MCSE) – Cloud Platform and Infrastructure. Brian is the author of several books, covering everything from on-premises infrastructure technologies to hybrid cloud environments. He has extensive real-world experience, from start-up organizations to large Fortune 500 companies on design, implementation, and migration projects.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Active Directory Administration Cookbook

About Packt

Why subscribe?

Packt.com

Contributors

About the author

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Sections

Getting ready

How to do it…

How it works…

There's more…

See also

Get in touch

Reviews

Optimizing Forests, Domains, and Trusts

Choosing between a new domain or forest

Why would you have a new domain?

What are the downsides of a new domain?

Why would you create a new forest?

What are the downsides of a new forest?

Listing the domains in your forest

Getting ready

Installing the Active Directory module for Windows PowerShell on Windows Server

Installing the Active Directory module for Windows PowerShell on Windows 

Required permissions

How to do it...

How it works...

Using adprep.exe to prepare for new Active Directory functionality

Getting ready

Required permissions

How to do it...

Preparing the forest

Preparing the forest for RODCs

Preparing the domain

Fixing up Group Policy permissions

Checking the preparation replication

How it works...

There's more...

Raising the domain functional level to Windows Server 2016

Getting ready

Required permissions

How to do it...

How it works...

Raising the forest functional level to Windows Server 2016

Getting ready

Required permissions

How to do it...

How it works...

Creating the right trust

Trust direction

Trust transitivity

One-way or two-way trust

Getting ready

Required permissions

How to do it...

Verifying and resetting a trust

Getting ready

Required permissions

How to do it...

How it works...

Securing a trust

Getting ready

Required permissions

How to do it...

How it works...

There's more...

Extending the schema

Getting ready

Required permissions

How to do it...

There's more...

Enabling the Active Directory Recycle Bin

Getting ready

Required permissions

How to do it...

How it works...

Managing UPN suffixes

Getting ready

How to do it...

How it works...

There's more...

Managing Domain Controllers

Preparing a Windows Server to become a domain controller

Intending to do the right thing

Dimensioning the servers properly

Preparing the Windows Server installations

Preconfigure the Windows Servers

Document the passwords

Promoting a server to a domain controller

Getting ready

How to do it...

Promoting a domain controller using the wizard

Installing the Active Directory Domain Services role

Promoting the server to a domain controller

Promoting a domain controller using dcpromo.exe

Promoting a domain controller using Windows PowerShell

Checking proper promotion

See also

Promoting a server to a read-only domain controller

Getting ready

How to do it...

Installing the Active Directory Domain Services role

Promoting the server to a read-only domain controller

Promoting a read-only domain controller using dcpromo.exe

Promoting a domain controller using Windows PowerShell

Checking proper promotion

How it works...

See also

Using Install From Media

How to do it...

Creating the IFM package

Leveraging the IFM package

Using the Active Directory Domain Services Configuration Wizard

Using dcpromo.exe

Using the Install-ADDSDomainController PowerShell cmdlet

How it works...

Using domain controller cloning

Getting ready

How to do it...

Making sure all agents and software packages are cloneable

Supplying the information for the new domain controller configuration

Adding the domain controller to the Cloneable Domain Controllers group

Cloning the domain controller from the hypervisor

How it works...

See also

Determining whether a virtual domain controller has a VM-GenerationID

How to do it...

How it works...

Demoting a domain controller

Getting ready

How to do it...

Using the wizard

Using the Active Directory module for Windows PowerShell

How it works...

There's more...

Demoting a domain controller forcefully

How to do it...

Using the Active Directory Domain Services Configuration Wizard

Using manual steps

Performing metadata cleanup

Deleting the domain controller from DNS

Deleting the computer object for the domain controller

Deleting the SYSVOL replication membership

Deleting the domain controller from Active Directory Sites and Services

Deleting an orphaned domain

See also

Inventory domain controllers

How to do it...

Using Active Directory Users and Computers to inventory domain controllers

Using the Active Directory module for Windows PowerShell to inventory domain controllers

Decommissioning a compromised read-only domain controller

How to do it...

How it works...

Managing Active Directory Roles and Features

About FSMO roles

Recommended practices for FSMO roles

Querying FSMO role placement

Getting ready

How to do it...

How it works...

Transferring FSMO roles

Getting ready

How to do it...

Transferring FSMO roles using the MMC snap-ins

Transferring FSMO roles using the ntdsutil command-line tool

Transferring FSMO roles using Windows PowerShell

How it works...

Seizing FSMO roles

Getting ready

How to do it...

Seizing FSMO roles using the ntdsutil command-line tool

Seizing FSMO roles using Windows PowerShell

How it works...

Configuring the Primary Domain Controller emulator to synchronize time with a reliable source

Getting ready

How to do it...

How it works...

Managing time synchronization for virtual domain controllers

Getting ready

How to do it...

Managing time synchronization for virtual domain controllers running on VMware vSphere

Managing time synchronization for virtual domain controllers running on Microsoft Hyper-V

How it works...

Managing global catalogs

Getting ready

How to do it...

How it works...

Managing Containers and Organizational Units

Differences between OUs and containers

Containers

OUs

OUs versus Active Directory domains

Creating an OU

Getting ready

How to do it...

Using the Active Directory Administrative Center

Using the command line

Using Windows PowerShell

How it works...

There's more...

Deleting an OU

Getting ready

How to do it...

Using the Active Directory Administrative Center

Using the command line

Using Windows PowerShell

How it works...

There's more...

Modifying an OU

Getting ready

How to do it...

Using the Active Directory Administrative Center

Using the command line

Using Windows PowerShell

How it works...

There's more...

See also

Delegating control of an OU

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the command line

How it works...

Using the built-in groups

Using delegation of control

See also

Modifying the default location for new user and computer objects

Getting ready

How to do it...

How it works...

See also

Managing Active Directory Sites and Troubleshooting Replication

What do Active Directory sites do?

Recommendations

Creating a site

Getting ready

How to do it...

Using Active Directory Sites and Services

Using Windows PowerShell

See also

Managing a site

Getting ready

How to do it...

Using Active Directory Sites and Services

Using Windows PowerShell

How it works...

See also

Managing subnets

Getting ready

How to do it...

Using Active Directory Sites and Services

Using Windows PowerShell

How it works...

See also

Creating a site link

Getting ready

How to do it...

Using Active Directory Sites and Services

Using Windows PowerShell

How it works...

See also

Managing a site link

Getting ready

How to do it...

Using Active Directory Sites and Services 

Using Windows PowerShell

See also

Modifying replication settings for an Active Directory site link

Getting ready

How to do it...

Using Active Directory Sites and Services

Using Windows PowerShell

How it works...

Site-link costs

Site-link replication schedules

See also

Creating a site link bridge

Getting ready

How to do it...

See also

Managing bridgehead servers

Getting ready

How to do it...

Using Active Directory Sites and Services

Using Windows PowerShell

How it works...

See also

Managing the Inter-site Topology Generation and Knowledge Consistency Checker

Getting ready

How to do it...

Using Active Directory Sites and Services

Using Windows PowerShell

How it works...

See also

Managing universal group membership caching

Getting ready

How to do it...

Using Active Directory Sites and Services

Using Windows PowerShell

How it works...

See also

Working with repadmin.exe

Getting ready

How to do it...

How it works...

See also

Forcing replication

Getting ready

How to do it...

How it works...

See also

Managing inbound and outbound replication

Getting ready

How to do it...

How it works...

There's more...

See also

Modifying the tombstone lifetime period

Getting ready

How to do it...

Using ADSI Edit

Using Windows PowerShell

How it works...

See also

Managing strict replication consistency

Getting ready

How to do it...

How it works...

Upgrading SYSVOL replication from File Replication Service to Distributed File System Replication

Getting ready

How to do it...

The initial state

The prepared state

The redirected state

The eliminated state

How it works...

See also

Checking for and remediating lingering objects

Getting ready

How to do it...

How it works...

See also

Managing Active Directory Users

Creating a user

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

There's more...

Deleting a user

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

See also

Modifying several users at once

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using Windows PowerShell

How it works...

There's more...

Moving a user

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

Renaming a user

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

Enabling and disabling a user

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

There's more...

Finding locked-out users

Getting ready

How to do it...

Using the Active Directory Administrative Center

Using Windows PowerShell

How it works...

See also

Unlocking a user

Getting ready

How to do it...

Using the Active Directory Administrative Center

Using Windows PowerShell

Managing userAccountControl

Getting ready

How to do it...

Reading the userAccountControl attribute

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using Windows PowerShell

Setting the userAccountControl attribute

Using ADSI Edit

Using Windows PowerShell

How it works...

Using account expiration

Getting ready

How to do it...

Using Active Directory Users and Computers 

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

Managing Active Directory Groups

Creating a group

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

Group scopes

Group types

Deleting a group

Getting ready

How to do it...

Using Active Directory Groups and Computers

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

Managing the direct members of a group

Getting ready

How to do it...

Using Active Directory Groups and Computers

Using the Active Directory Administrative Center

Using Windows PowerShell

How it works...

Managing expiring group memberships

Getting ready

How to do it...

How it works...

Changing the scope or type of a group

Getting ready

How to do it...

Using Active Directory Groups and Computers

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

Group scopes

Group types

Viewing nested group memberships

Getting ready

How to do it...

How it works...

Finding empty groups

Getting ready

How to do it...

How it works...

Managing Active Directory Computers

Creating a computer

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

There's more...

Deleting a computer

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using command-line tools

Using Windows PowerShell

How it works...

See also

Joining a computer to the domain

Getting ready

How to do it...

Using the GUI

Using Windows PowerShell

How it works...

There's more...

See also

Renaming a computer

Getting ready

How to do it...

Using the settings app

Using the command line

Using Windows PowerShell

How it works...

There's more...

Testing the secure channel for a computer

Getting ready

How to do it...

Using the command line

Using Windows PowerShell

How it works...

See also

Resetting a computer's secure channel

Getting ready

How to do it...

Using Active Directory Users and Computers

Using the Active Directory Administrative Center

Using the command line

Using Windows PowerShell

How it works...

Changing the default quota for creating computer objects

Getting ready

How to do it...

Using ADSI Edit

Using Windows PowerShell

How it works...

Getting the Most Out of Group Policy

Creating a Group Policy Object (GPO)

Getting ready

How to do it...

Using the Group Policy Management Console

Using Windows PowerShell

How it works...

See also

Copying a GPO

Getting ready

How to do it...

Using the Group Policy Management Console

Using Windows PowerShell

How it works...

There's more...

Deleting a GPO

Getting ready

How to do it...

Using the Group Policy Management Console

Using Windows PowerShell

How it works...

See also

Modifying the settings of a GPO

Getting ready

How to do it...

How it works...

Assigning scripts

Getting ready

How to do it...

How it works...

Installing applications

Getting ready

How to do it...

How it works...

Linking a GPO to an OU

Getting ready

How to do it...

How it works...

There's more...

Blocking inheritance of GPOs on an OU

Getting ready

How to do it...

How it works...

Enforcing the settings of a GPO Link

Getting ready

How to do it...

How it works...

Applying security filters

Getting ready

How to do it...

How it works...

Creating and applying WMI Filters

Getting ready

How to do it...

How it works...

There's more...

Configuring loopback processing

Getting ready

How to do it...

How it works...

Restoring a default GPO

Getting ready

How to do it...

How it works...

There's more...

Creating the Group Policy Central Store

Getting ready

How to do it...

How it works...

There's more...

Securing Active Directory

Applying fine-grained password and account lockout policies

Getting ready

How to do it...

Using the Active Directory Administrative Center

Using the Active Directory Module for Windows PowerShell

How it works...

There's more...

Backing up and restoring GPOs

Getting ready

How to do it...

How it works...

There's more...

Backing up and restoring Active Directory

Getting ready

How to do it...

How it works...

Working with Active Directory snapshots

Getting ready

How to do it...

How it works...

There's more...

Managing the DSRM passwords on domain controllers

Getting ready

How to do it...

How it works...

Implementing LAPS

Getting ready

How to do it...

Implementing LAPS

Extending the schema

Setting permissions

Creating the GPO to install the LAPS Client-side Extensions

Linking the GPO to OUs with devices

Managing passwords

Viewing an administrator password

Resetting an Administrator password

How it works...

See also

Managing deleted objects

Getting ready

How to do it...

Using the Active Directory Administrative Center

Using Windows PowerShell

How it works...

There's more...

See also

Working with group Managed Service Accounts

Getting ready

How to do it...

How it works...

There's more...

Configuring the advanced security audit policy

Getting ready

How to do it...

How it works...

Resetting the KRBTGT secret

Getting ready

How to do it...

How it works...

There's more...

Using SCW to secure domain controllers

Getting ready

How to do it...

Secure a representative domain controller using SCW

Roll-out the security settings to all domain controllers using Group Policy

How it works...

Leveraging the Protected Users group

Getting ready

How to do it...

Using Active Directory Users and Computers 

Using the Active Directory Administrative Center

Using Windows PowerShell

How it works...

Putting authentication policies and authentication policy silos to good use

Getting ready

How to do it...

Enable domain controller support for claims

Enable compound claims on devices in scope for an authentication policy

Create an Authentication Policy

Create an Authentication Policy Silo

Assign the Authentication Policy Silo

How it works...

Configuring Extranet Smart Lock-out

Getting ready

How to do it...

How it works...

Managing Federation

Choosing the right AD FS farm deployment method

Getting ready

How to do it...

How it works...

There's more...

See also

Installing the AD FS server role

Getting ready

How to do it...

How it works...

Setting up an AD FS farm with Windows Internal Database

Getting ready

How to do it...

Configuring AD FS

Checking the proper AD FS configuration

How it works...

There's more...

See also

Setting up an AD FS farm with SQL Server

Getting ready

How to do it...

Creating a gMSA

Creating the script

Creating the databases

Configuring AD FS

Checking the proper AD FS configuration

How it works...

There's more...

See also

Adding additional AD FS servers to an AD FS farm

Getting ready

How to do it...

How it works...

See also

Removing AD FS servers from an AD FS farm

Getting ready

How to do it...

How it works...

There's more...

Creating a Relying Party Trust (RPT)

Getting ready

How to do it...

How it works...

Deleting an RPT

Getting ready

How to do it...

How it works...

Configuring branding

Getting ready

How to do it...

How it works...

Setting up a Web Application Proxy

Getting ready

How to do it...

Installing the Web Application Proxy feature

Configuring the Web Application Proxy

Checking the proper Web Application Proxy configuration

How it works...

There's more...

Decommissioning a Web Application Proxy

Getting ready

How to do it...

How it works...

Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO)

Choosing the right authentication method

Getting ready

How to do it...

How it works...

Active Directory Federation Services or PingFederate

Password Hash Sync

Pass-through authentication 

Seamless Single Sign-on

Cloud-only

There's more...

Verifying your DNS domain name

Getting ready

How to do it...

How it works...

Implementing Password Hash Sync with Express Settings

Getting ready

How to do it...

How it works...

Implementing Pass-through Authentication

Getting ready

How to do it...

Adding the Azure AD Authentication Service to the intranet sites

Configuring Azure AD Connect

How it works...

There's more...

Implementing single sign-on to Office 365 using AD FS

Getting ready

How to do it...

How it works...

There's more...

Managing AD FS with Azure AD Connect

Getting ready

How to do it...

Reset Azure AD trust

Federate an Azure AD domain

Update the AD FS SSL certificate

Deploy an AD FS server

Add a Web Application Proxy server

Verify federated login

How it works...

There's more...

Implementing Azure Traffic Manager for AD FS geo-redundancy

Getting ready

How to do it...

Configuring the Web Application Proxies for probing

Configuring Azure Traffic Manager

Adding DNS records

How it works...

There's more...

Migrating from AD FS to Pass-through Authentication for single sign-on to Office 365

Getting ready

How to do it...

Adding the Azure AD Authentication Service to the intranet sites

Configuring Azure AD Connect

Checking domains in the Azure portal

Disabling federation in Azure AD

Deleting the Office 365 Identity Platform relying party trust

How it works...

There's more...

Making Pass-through Authentication (geo)redundant

Getting ready

How to do it...

Installing and configuring the PTA Agent

Checking proper installation and configuration

How it works...

Handling Synchronization in a Hybrid World (Azure AD Connect)

Choosing the right sourceAnchor

Getting ready

How to do it...

How it works...

There's more...

Configuring staging mode

Getting ready

How to do it...

How it works...

See also

Switching to a staging mode server

Getting ready

How to do it...

How it works...

Configuring Domain and OU filtering

Getting ready

How to do it...

Configuring Azure AD Connect initially

Reconfiguring Azure AD Connect

How it works...

Configuring Azure AD app and attribute filtering

Getting ready

How to do it...

Configuring Azure AD Connect initially

Reconfiguring Azure AD Connect

How it works...

Configuring MinSync

Getting ready

How to do it...

Configuring Azure AD Connect initially

Reconfiguring Azure AD Connect

How it works...

Configuring Hybrid Azure AD Join

Getting ready

How to do it...

Adding the Azure AD Device Registration Service to the intranet sites

Distributing Workplace Join for non-Windows 10 computers

Setting the Group Policy to register for down-level Windows devices

Link the Group Policy to the right Organizational Units

Configuring Hybrid Azure AD Join in Azure AD Connect

How it works...

Configuring Device writeback

Getting ready

How to do it...

How it works...

Configuring Password writeback

Getting ready

How to do it...

Configuring the proper permissions for Azure AD Connect service accounts

Configuring Azure AD Connect

Configuring Azure AD Connect initially

Reconfiguring Azure AD Connect

How it works...

Configuring Group writeback

Getting ready

How to do it...

Creating the Organizational Unit where groups are to be written back

Configuring Azure AD Connect

Configuring Azure AD Connect initially

Reconfiguring Azure AD Connect

Configuring the proper permissions for Azure AD Connect service accounts

How it works...

Changing the passwords for Azure AD Connects service accounts

Getting ready

How to do it...

Managing the service account connecting to Active Directory

Managing the service account connecting to Azure AD

Managing the computer account for Seamless Single Sign-on

How it works...

The service account running the Azure AD Connect service

The service account connecting to Active Directory

The service account connecting to Azure AD

The computer account for Seamless Single Sign-on

Hardening Azure AD

Setting the contact information

Getting ready

How to do it...

How it works...

Preventing non-privileged users from accessing the Azure portal

Getting ready

How to do it...

How it works...

Viewing all privileged users in Azure AD

Getting ready

How to do it...

Using the Azure AD PowerShell

Using the Azure Cloud Shell

How it works...

Preventing users from registering or consenting to apps

Getting ready

How to do it...

How it works...

There's more...

Preventing users from inviting guests

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring whitelisting or blacklisting for Azure AD B2B

Getting ready

How to do it...

How it works...

Configuring Azure AD Join and Azure AD Registration

Getting ready

How to do it...

Limiting who can join Azure AD devices

Limiting who can register Azure AD devices

Configuring additional administrators

Enabling Enterprise State Roaming

How it works...

See also

Configuring Intune auto-enrollment upon Azure AD Join

Getting ready

How to do it...

How it works...

Configuring baseline policies

Getting ready

How to do it...

How it works...

Configuring Conditional Access

Getting ready

How to do it...

How it works...

See also

Accessing Azure AD Connect Health

Getting ready

How to do it...

How it works...

There's more...

Configuring Azure AD Connect Health for AD FS

Getting ready

How to do it...

Downloading the agent

Installing and configuring the agent

Consuming the information in the Azure AD Connect Health dashboard

How it works...

Configuring Azure AD Connect Health for AD DS

Getting ready

How to do it...

Downloading the agent

Installing and configuring the agent

Consuming the information in the Azure AD Connect Health dashboard

How it works...

Configuring Azure AD Privileged Identity Management

Getting ready

How to do it...

How it works...

There's more...

Configuring Azure AD Identity Protection

Getting ready

How to do it...

How it works...

MFA registration

User risk policies

Sign-in risk policies

There's more...

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

Active Directory is an administration system for Windows administrators to automate network, security, and access management tasks in Microsoft-oriented networking infrastructures. Bundled with Microsoft's cloud-based Azure Active Directory (AD) service, it offers a comprehensive Identity and Access Management (IAM) solution to organizations that want to manage on-premises and cloud-based resources.  

Who this book is for

Active Directory can be overwhelming, but the straightforward recipes in this cookbook break it down into easy-to-follow tasks, backed by substantial real-world experience and clear explanations of what's going on under the hood.

This cookbook offers essential recipes for day-to-day Active Directory and Azure AD administration for both novices in managing Active Directory and Azure AD, and seasoned administrators with several Active Directory migrations and consolidations under their belts.

Because today's identity in the world of Microsoft technologies is no longer about just on-premises Active Directory, this book also offers three chapters with recipes for Azure AD, as well as an entire chapter dedicated to Active Directory Federation Services (ADFS).

Whether you just need a hand, want to take out the guesswork, or have a read-up before messing it up, this book helps admins at each stage of their careers to make the right choices, check the right boxes, and automate the repeatable tasks that become tedious after some time. 

What this book covers

This book consists of fourteen chapters:

Chapter 1, Optimizing Forests, Domains, and Trusts, provides recipes for structuring the logical components of Active Directory, including UPN suffixes, trusts, domains, and forests. Several recipes help lift Active Directory to new heights, where others help expand the functionality of Active Directory in terms of collaboration.

Chapter 2, Managing Domain Controllers, shows how to promote, demote, and inventory both domain controllers and read-only domain controllers; these are Active Directory's physical components.

Chapter 3, Managing Active Directory Roles and Features, covers Flexible Single Master Operations (FSMO) roles and global catalog servers for addressing all your organization's multi-forest and multi-domain needs.

Chapter 4, Managing Containers and Organizational Units, provides Active Directory admins who like cleanliness, with the rationale and steps necessary to categorize objects into organizational units and containers. Lazy admins learn how to properly delegate, too.

Chapter 5, Managing Active Directory Sites and Troubleshooting Replication, details how to optimize multiple domain controllers in multiple geographic locations using sites, site links, and bridgehead servers, and how to troubleshoot replication.

Chapter 6, Managing Active Directory Users, contains recipes to help out colleagues when they start working, leave the organization, and every change in between. The proactive recipe on finding locked-out accounts helps admins to stay ahead of the game.

Chapter 7, Managing Active Directory Groups, covers all types of groups in Active Directory, along with how to create, modify, and delete them, no matter how nested these groups are. Getting rid of empty groups is easy with the last recipe in this chapter.

Chapter 8, Managing Active Directory Computers, provides ways to keep your organization's devices in check. Of course, it also details how to prevent non-privileged users from joining devices to your environment.

Chapter 9, Getting the Most Out of Group Policy, enables admins to get the most out of Group Policy! Managing tens or thousands of devices won't be an issue anymore with the recipes in this chapter.

Chapter 10, Securing Active Directory, provides ways to improve the security stance of your Active Directory environment. Each recipe in this chapter makes your environment less attractive to attackers.

Chapter 11, Managing Federation, covers ADFS. Build the perfect ADFS farm using the recipes, or decommission one.

Chapter 12, Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO), details hybrid identity between Active Directory and Azure AD in terms of ADFS, Password Hash Synchronization (PHS), Pass-Through Authentication (PTA), and Seamless Single Sign-on (SSO).

Chapter 13, Handling Synchronization in a Hybrid World (Azure AD Connect), covers Azure AD Connect and the key role it plays in synchronizing between Active Directory and Azure AD.

Chapter 14,  Hardening Azure AD, provides recipes to keep your organization's Azure AD tenant in check. The recipes explore the many possibilities of Azure AD, including conditional access and Azure AD Identity Protection.

To get the most out of this book

To get the most out of the book, it helps to have basic knowledge of Windows Server and Active Directory.

Many recipes are written to lift an aging Active Directory environment to new heights. It helps in these cases to know the old protocols, such as NT LAN Manager (NTLM), but an open mind is a more valuable asset when engaging with the recipes.

Some recipes in this cookbook require significant hardware, so if you're staging changes in development, test, or acceptance environments, make sure you have the computational power and storage to do so. 

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

1. Log in or register at www.packt.com.

2. Select the SUPPORT tab.

3. Click on Code Downloads & Errata.

4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR/7-Zip for Windows

Zipeg/iZip/UnRarX for Mac

7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Active-Directory-Administration-Cookbook. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/Bookname_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "To work with repadmin.exe, sign into a domain controller."

A block of code is set as follows:

New-AdfsWebTheme -Name custom -SourceName default

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "The Multiple Users window appears:"

Warnings or important notes appear like this.
Tips and tricks appear like this.

Sections

In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it works..., There's more..., and See also).

To give clear instructions on how to complete a recipe, use these sections as follows:

Getting ready

This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.

How to do it…

This section contains the steps required to follow the recipe.

How it works…

This section usually consists of a detailed explanation of what happened in the previous section.

There's more…

This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.

See also

This section provides helpful links to other useful information for the recipe.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Optimizing Forests, Domains, and Trusts

Back in the year 2000, when Active Directory was introduced to the larger public, we lived in a different world. The internet was only just starting to deliver value to businesses. That's why, in Windows 2000 Server, Active Directory was largely disconnected from the internet. Windows 2000 Server's default Domain Name System (DNS) settings even came with a root domain; so, if you wanted to connect to the internet, you'd need to delete the . DNS zone manually.

Fast forward to today, and the internet and cloud services seem omnipresent. The default . DNS zone has disappeared from Windows Server, but the concepts of trees and forests in Active Directory have persisted, and they still cause some confusion among Active Directory admins.

To explain domains, trees, and forests in Active Directory, we need to acknowledge Active Directory's past. To create anything in Active Directory, you'll need to create a domain. It starts with the name. For a hypothetical organization, Lucern Publishing, four typical domain names would be as follows:

Type                                        Domain name
Public DNS domain name                      lucernpub.com
Internal part of a public DNS domain name   ad.lucernpub.com
Non-public DNS domain name                  lucernpub.local
Single-label domain name                    lucernpubcom

The first two options are the preferred ones, as they adhere to RFC 822 (https://www.w3.org/Protocols/rfc822). The third option is common, but it doesn't comply with RFC 2606 (https://tools.ietf.org/html/rfc2606) and should be avoided. The fourth option is a typical single-label domain. Single-label domains are usually the result of a common error among Active Directory admins migrating from Windows NT 4 Server's domain model to Active Directory. Products that once supported Windows NT 4 Server's single-label domains are no longer around, or they no longer support single-label domain names; this includes Microsoft's own products.

Lucern Publishing may be quite a successful organization, so they might expand their operations from Switzerland to Europe, North America, and Asia. For reasons that we'll discuss later, they might want separate Active Directory domains for each of their territories, but they want them to keep working together like one organization. This is where a domain tree comes into play. Now, Lucern Publishing might choose to create three subdomains under lucernpub.com:

eu.lucernpub.com

usa.lucernpub.com

asia.lucernpub.com

They've created a tree of Active Directory domains, sharing the same DNS namespace. Of course, Lucern Publishing might also choose to create multiple trees, next to the lucernpub.com domain or tree, to accommodate an organizational layout with different names for their global expansions, such as Austin Publishing and Wuhan Publishing. In this case, it will make sense to create separate domains such as austinpub.com and wuhanpub.com. Effectively, Lucern Publishing will create three trees this way, belonging to the same Active Directory forest. Yes, some Active Directory environments are large structures with many large trees, but the default Active Directory forest consists of just one tree, with one Active Directory domain.

In this chapter, we'll discuss the reasoning behind creating domains and forests. We'll also discuss userPrincipalName (UPN) suffixes and trusts. The goal of this chapter is to help you make the right choices in terms of your Active Directory structure. 

The following recipes will be covered in the chapter:

Listing the domains in your forest

Using adprep.exe to prepare for new Active Directory functionality

Raising the domain functional level to Windows Server 2016

Raising the forest functional level to Windows Server 2016

Creating the right trust

Verifying a trust

Securing a trust

Extending the schema

Enabling the Active Directory Recycle Bin

Managing UPN suffixes

Before going through these recipes, we will look at a few aspects that you will need to know for this chapter.

Let's begin!

Choosing between a new domain or forest

In organizations, an expansion or business change sometimes requires changes in Active Directory too. In Active Directory terms, the change might require creating a new Active Directory domain or a new Active Directory forest. In this recipe, we'll look at the reasoning behind these two choices, taking the entire life cycle of Active Directory into consideration.

Why would you have a new domain?

A new Active Directory domain, as either a subdomain of an existing domain or a new domain tree in an existing forest, provides a boundary.

The boundary of domains in Active Directory relates to the following:

DNS name: An additional domain tree offers the possibility to add a DNS domain name to the organization to, for instance, correctly label a new business venture. An alternative might be to add an additional UPN suffix.

Domain DNS zones replication: Throughout an Active Directory forest, all domain controllers replicate to exchange information on objects, schema, and configuration. Between domains, a distinction can be made to limit the replication of information on Active Directory-integrated DNS zones. That way, this information is only replicated within the domain.

Password and account lock-out policies: Fine-grained password and account lock-out policies can only be applied within an Active Directory domain. The information can be viewed by any account in the domain. If you want to shield this information or create completely separate policies, an additional domain is the route to go.

Group Policy: Group Policy Objects (GPOs) only replicate within a domain. The only exception is the GPOs that are linked to Active Directory sites; these are copied between domains instead, since Active Directory sites are created at the forest level.

However, the boundary of domains in Active Directory does not include the following:

An Active Directory schema

The scope of the Enterprise Admins group

Essentially, a new Active Directory domain is an administrative boundary, which you can create for an organization to allow for delegated management.

What are the downsides of a new domain?

Microsoft's advice is to keep Active Directory as simple as possible. When you create additional domains, the organization ends up with the following:

At least two additional domain controllers

Active Directory trusts between the current domain(s) and the new domain

An increase in administrative burden

Why would you create a new forest?

A new Active Directory forest is basically a completely new Active Directory environment. When you create it, it does not have a relationship with an existing Active Directory environment, unless you choose to create Active Directory trusts afterward.

Since the new Active Directory forest is separate, a boundary is created for the following reasons:

Schema and configuration partitions: The schema and configuration partitions hold information on the way that objects can be created, what attributes are required for these objects, what attributes are optional for these objects, and the domains within the forest. Since many applications require Active Directory schema extensions, introducing a legacy or cutting-edge application might result in schema conflicts. In these types of scenarios, creating an additional Active Directory forest is the best way forward. An alternative might be to add an Active Directory Lightweight Directory Services (AD LDS) instance to the environment.

Global catalog replication: Domain controllers with the additional global catalog role hold partial information on the most requested attributes for objects in Active Directory. With multiple global catalogs, the information is replicated throughout the forest. To shield this information, an additional Active Directory forest can be created.

Forest DNS zones replication: To overcome the default boundary for Active Directory-integrated DNS zones, the Forest DNS zone replication scope, an additional Active Directory forest can be created.

When requirements apply in terms of schema or replication, creating an Active Directory forest is the right choice. It is worth stating explicitly that the forest is a security boundary as well as an administrative boundary, whereas a domain is only an administrative boundary.

Additionally, since the forest is a separate environment by default, it can also be separated afterward. In acquisition and divestiture scenarios that can be foreseen over the life cycle of Active Directory, an Active Directory forest is also the right choice.

What are the downsides of a new forest?

A separate Active Directory environment, of course, requires double the administrative effort of Active Directory admins. Additionally, since the environments are separate, creating an address list in Microsoft Exchange Server or sharing common applications, services, and/or systems is hard.

Now we can look at the recipes covered in this chapter.

Listing the domains in your forest

In an Active Directory environment with multiple domains and forests, it can be hard to distinguish the trees from the forest. As authentication is often per forest, an easy way to list the domains per forest will be welcome.

Getting ready

Alas, the only reliable way to list the domains in a forest is to use PowerShell.

For this recipe, we'll need one of the following:

A domain controller running Windows Server 2012 with Desktop Experience (or a newer version of Windows Server)

A domain-joined member server running Windows Server 2012 with Desktop Experience (or a newer version of Windows Server) with the Active Directory module for Windows PowerShell installed

A domain-joined device running Windows 8.1 (or a newer version of Windows) with the Active Directory module for Windows PowerShell installed

On domain controllers running Windows Server 2012 with Desktop Experience (and on newer versions of Windows Server), the Active Directory module for Windows PowerShell feature is installed automatically when the server is promoted to domain controller. On domain controllers running Server Core installations of Windows Server 2012 (and on newer versions of Windows Server), the availability of the Active Directory module for Windows PowerShell depends on the -IncludeManagementTools option for the Install-WindowsFeature Windows PowerShell cmdlet used to install the Active Directory Domain Services role.

Installing the Active Directory module for Windows PowerShell on Windows Server

To install the Active Directory module for Windows PowerShell on a Windows Server with Desktop Experience, follow these steps:

1. Open Server Manager (servermanager.exe).

2. In the top gray pane, click Manage.

3. Select Add Roles and Features from the context menu.

4. In the Add Roles and Features Wizard, click Next > until you reach the Select Features screen.

5. On the Select Features screen, scroll down in the list of features until you reach Remote Server Administration Tools.

6. Expand Remote Server Administration Tools.

7. Expand Role Administration Tools.

8. Expand AD DS and AD LDS Tools.

9. Select the Active Directory module for Windows PowerShell feature.

10. Click Next > until you reach the Confirm installation selections page.

11. Click Install.

12. Click Close.

To install the Active Directory module for Windows PowerShell on a Server Core installation of Windows Server, run these two commands:

PowerShell

Install-WindowsFeature RSAT-AD-PowerShell

Installing the Active Directory module for Windows PowerShell on Windows

To install the Active Directory module for Windows PowerShell on a Windows device, download the separately available Remote Server Administration Tools (RSAT) package for your version of Windows. After you install the package, all the RSAT will be available, including the Active Directory module for Windows PowerShell.

Required permissions

To list all the domains in a forest, use an account that is a member of the Enterprise Admins group in Active Directory.

How to do it...

On the system, start an elevated Windows PowerShell window or Windows PowerShell ISE window using the domain credentials for any account.

Then, type the following lines of PowerShell:

Import-Module ActiveDirectory

Get-ADForest | select domains

How it works...

On the first line, we verify that the Active Directory module for Windows PowerShell is installed, correctly configured, and ready.

On the second line, we use the Get-ADForest cmdlet from the Active Directory module to get the information for the current Active Directory forest. Then, we pipe the output of that command to select only the domains, since that's what we're after.

You can now make the best choices for implementing new domains and/or forests, and/or decommissioning domains and/or forests.
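The one-liner above answers the question "which domains are in this forest?". Before deciding on new domains or forests, admins usually also want each domain's functional level, where it sits in the tree, and which trusts it holds, because trusts are one of the costs of every additional domain listed earlier in this chapter. The following is an added example, not code from the book; it uses the Get-ADForest, Get-ADDomain, and Get-ADTrust cmdlets from the Active Directory module, and the function name Get-ForestDomainReport is chosen for this example.

```powershell
# Added example (not from the book): forest-wide inventory that extends the
# Get-ADForest one-liner with functional levels, tree structure and trusts.
# Requires the Active Directory module for Windows PowerShell.
Import-Module ActiveDirectory

function Get-ForestDomainReport {
    param(
        # Forest to inspect; defaults to the forest of the current user.
        [string]$Forest = (Get-ADForest).Name
    )
    $forestInfo = Get-ADForest -Identity $Forest
    foreach ($domainName in $forestInfo.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # Trust objects are stored per domain; ask the PDC emulator so the
        # answer is not skewed by a lagging domain controller.
        $trusts = @(Get-ADTrust -Filter * -Server $domain.PDCEmulator)
        [pscustomobject]@{
            Forest       = $forestInfo.Name
            Domain       = $domain.DNSRoot
            NetBIOSName  = $domain.NetBIOSName
            IsForestRoot = ($domain.DNSRoot -eq $forestInfo.RootDomain)
            ParentDomain = $domain.ParentDomain
            DomainMode   = $domain.DomainMode
            ForestMode   = $forestInfo.ForestMode
            PDCEmulator  = $domain.PDCEmulator
            # Parent/child and tree-root trusts are created automatically and
            # flagged IntraForest; the others cross the forest boundary and are
            # the ones whose direction, transitivity and selective authentication
            # settings deserve a regular review.
            IntraForestTrusts = ($trusts | Where-Object { $_.IntraForest } |
                ForEach-Object { $_.Name }) -join '; '
            ExternalTrusts    = ($trusts | Where-Object { -not $_.IntraForest } |
                ForEach-Object {
                    "$($_.Name) [$($_.Direction), $($_.TrustType), " +
                    "forest-transitive: $($_.ForestTransitive), " +
                    "selective auth: $($_.SelectiveAuthentication)]"
                }) -join '; '
        }
    }
}

# Root domain first, then the remaining domains alphabetically.
Get-ForestDomainReport |
    Sort-Object -Property @{ Expression = 'IsForestRoot'; Descending = $true }, Domain |
    Format-List
```

Run it from any domain-joined machine with the module installed; the report reads only public directory data, so the account needs no special group membership beyond being a member of the forest. Pipe the objects to Export-Csv instead of Format-List to keep a baseline you can diff after a migration or consolidation.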

Using adprep.exe to prepare for new Active Directory functionality

The Active Directory schema defines the way that objects can be created, and what attributes are required or are optional for these objects. With every version of Windows Server, the base schema has been improved and extended.

Many features require certain schema versions for Active Directory. For instance, when you want to deploy a Windows Server 2016-based Active Directory Federation Services (AD FS) farm, you'll need the Windows Server 2016 schema.

Since Windows Server 2012, Microsoft updates the Active Directory schema automatically when you promote the first Windows Server 2012-based member server to an Active Directory domain controller.

However, consider what will happen if you want to do any of the following:

Update the Active Directory schema only, because your organization doesn't want domain controllers running the latest version

Delegate the promotion of the first domain controller to a lesser-privileged user, instead of an admin who is a member of the Schema Admins group

Control the proper replication of the schema update to all domain controllers, before promoting the first domain controller

Avoid the default time-out that the Active Directory Configuration Wizard provides for proper replication

Perform all Active Directory preparations, including the Group Policy preparation step

In these situations, you'll want to update the Active Directory schema manually, using adprep.exe from the Windows Server installation media.

Getting ready

Copy the entire contents of the \support\adprep folder from the Windows Server installation media to a temporary folder on your system's hard disk.

Required permissions

The Active Directory preparation process consists of four separate stages. You'll need an account with the following group memberships for each stage:

Stage                                                           Required group memberships
Preparing the forest                                            Enterprise Admins, Schema Admins, and Domain Admins in the forest root domain
Preparing the forest for Read-only Domain Controllers (RODCs)   Domain Admins in the forest root domain
Preparing the domain                                            Domain Admins
Fixing up Group Policy permissions                              Domain Admins

How to do it...

Start Command Prompt in the file explorer window of the folder where you've copied the files to.

On Windows 10 version 1803 and up, you can simply type cmd in the address bar to achieve this.

The Active Directory preparation process consists of four separate stages:

Preparing the forest

Preparing the forest for RODCs

Preparing the domain

Fixing up Group Policy permissions

After these steps, you'll want to check proper Active Directory replication.

Preparing the forest

Perform these steps to prepare the Active Directory forest:

To prepare the Active Directory forest, run the following command:

adprep.exe /forestprep /forest lucernpub.com /user EntAdmin /userdomain lucernpub.com /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

When adprep.exe asks you to confirm, type C and press Enter.

The following line at the end of the output indicates the successful preparation of the Active Directory forest:

Adprep successfully updated the forest-wide information

Preparing the forest for RODCs

The /rodcprep switch for adprep.exe triggers the preparation of the forest for RODCs. This action only needs to be performed when the intention is to run RODCs in the Active Directory forest:

To prepare the Active Directory forest for RODCs, run the following command:

adprep.exe /rodcprep /forest lucernpub.com /user DomAdmin /userdomain lucernpub.com /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

The following line at the end of the output indicates the successful preparation of the Active Directory forest for RODCs:

Rodcprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\Windows\debug\adprep\logs\<date> for more information.

Preparing the domain

Perform these steps to prepare the domain:

To prepare the Active Directory domain, run the following command:

adprep.exe /domainprep /domain lucernpub.com /user DomAdm /userdomain lucernpub /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

The following line at the end of the output indicates the successful preparation of the Active Directory domain:

Adprep successfully updated the domain-wide information

Fixing up Group Policy permissions

Group Policy preparation, as part of adprep.exe, adds two pieces of functionality to Active Directory:

Cross-domain planning functionality for Group Policy

Resultant Set of Policy (RSoP) planning mode

GPOs are stored in both the System Volume (SYSVOL) and Active Directory. Both locations require an update of the permissions for existing GPOs, in order to take advantage of the preceding functionality.

If the Active Directory domain already contains custom or delegated permissions, Group Policy preparation kicks off the replication of all Group Policy files in the SYSVOL, and may deny the functionality of RSoP to delegated admins until their permissions are recreated.

Group Policy preparation does not need to be run with every upgrade. Admins need to run Group Policy preparation only once, and they only need to run it if an Active Directory domain has run on Windows 2000 Server-based domain controllers at one point in its existence. If an environment was created with domain controllers running Windows Server 2003, or newer versions of Windows Server, the Group Policy preparation step can be skipped.

To fix up Group Policy permissions, run the following command:

adprep.exe /domainprep /gpprep /domain lucernpub.com /user DomAdm /userdomain lucernpub.com /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

The following line at the end of the output indicates the successful preparation of the Active Directory domain:

Adprep successfully updated the Group Policy Object (GPO) information.
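The four stages above are usually typed by hand, and the recipe ends with "check proper Active Directory replication" without showing how. The following is an added example, not code from the book, that wraps the same adprep.exe switches in a script which stops at the first failing stage and then confirms that every domain controller in the forest reports the new schema version (the objectVersion attribute of the schema naming context) before the first domain controller of the new version is promoted. The folder path, the forest and domain names, and the function names are assumptions for this example; the table of objectVersion values per Windows Server release is Microsoft's published mapping. The script passes /password * so that adprep.exe prompts for the password instead of taking it on the command line, where it would end up in shell history and process listings.

```powershell
# Added example (not from the book): run the adprep.exe stages from the
# recipe in order, then verify that the schema update has replicated to all
# domain controllers. Requires the Active Directory module for Windows PowerShell.
Import-Module ActiveDirectory

# Schema objectVersion per Windows Server release (Microsoft's published values).
$SchemaVersions = @{
    13 = 'Windows 2000 Server';    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'; 44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016'
    88 = 'Windows Server 2019'
}

function Get-SchemaVersionPerDC {
    # Ask every domain controller for objectVersion on its own copy of the
    # schema partition; a mix of values means replication is still in progress.
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
            $schemaDn = (Get-ADRootDSE -Server $dc.HostName).schemaNamingContext
            $version  = [int](Get-ADObject -Identity $schemaDn -Properties objectVersion -Server $dc.HostName).objectVersion
            [pscustomobject]@{
                DomainController = $dc.HostName
                Domain           = $dc.Domain
                SchemaVersion    = $version
                Release          = if ($SchemaVersions.ContainsKey($version)) { $SchemaVersions[$version] } else { 'Unknown' }
            }
        }
    }
}

function Invoke-AdPrepStage {
    param([string]$AdPrepFolder, [string[]]$Arguments)
    # -NoNewWindow keeps adprep.exe in this console, so its "type C and press
    # ENTER" confirmation can be answered; a non-zero exit code aborts the script.
    $proc = Start-Process -FilePath (Join-Path $AdPrepFolder 'adprep.exe') `
        -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "adprep.exe $($Arguments -join ' ') failed with exit code $($proc.ExitCode); see C:\Windows\debug\adprep\logs"
    }
}

# Assumed values for this example: where \support\adprep was copied to, and
# the forest and domain being prepared.
$AdPrep = 'C:\Temp\adprep'
$Forest = 'lucernpub.com'
$Domain = 'lucernpub.com'

Write-Host 'Schema version before preparation:'
Get-SchemaVersionPerDC | Format-Table -AutoSize

Invoke-AdPrepStage $AdPrep @('/forestprep', '/forest', $Forest, '/user', 'EntAdmin', '/userdomain', $Forest, '/password', '*')
# Only needed when RODCs will be deployed in the forest.
Invoke-AdPrepStage $AdPrep @('/rodcprep', '/forest', $Forest, '/user', 'DomAdmin', '/userdomain', $Forest, '/password', '*')
# /domainprep expects the forest update to have replicated to the domain's
# infrastructure master first; rerun this part later if it reports that it has not.
Invoke-AdPrepStage $AdPrep @('/domainprep', '/domain', $Domain, '/user', 'DomAdm', '/userdomain', $Domain, '/password', '*')
# Only needed once, and only for domains that ever ran Windows 2000 Server DCs.
Invoke-AdPrepStage $AdPrep @('/domainprep', '/gpprep', '/domain', $Domain, '/user', 'DomAdm', '/userdomain', $Domain, '/password', '*')

Write-Host 'Schema version after preparation:'
$after = Get-SchemaVersionPerDC
$after | Format-Table -AutoSize
$distinct = @($after.SchemaVersion | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Domain controllers disagree on the schema version ($($distinct -join ', ')); wait for replication before promoting a new domain controller."
}
```

Run the script from the folder's parent on a machine that can reach every domain controller, signed in with the memberships from the permissions table above (the /user values only feed adprep.exe; the verification part runs as the signed-in user). The per-DC verification is the check that matters: a successful adprep.exe run only proves the schema master accepted the change, not that the other domain controllers have received it yet.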