Active Directory Administration Cookbook, Second Edition E-Book

Active Directory Administration Cookbook

Second Edition

Proven solutions to everyday identity and authentication challenges for both on-premises and the cloud

Sander Berkouwer

BIRMINGHAM—MUMBAI

Active Directory Administration Cookbook Second Edition

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Mohd Riyan Khan

Senior Editor: Arun Nadar

Content Development Editor: Sujata Tripathi

Technical Editor: Rajat Sharma

Copy Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Sejal Dsilva

Production Designer: Roshan Kawale

Marketing Coordinator: Hemangi Lotlikar

First published: May 2019

Second edition: July 2022

Production reference: 1080622

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-250-7

www.packt.com

Contributors

About the author

Sander Berkouwer calls himself an Active Directory aficionado; he's done everything with Active Directory and Azure AD, including decommissioning. He has been MCSA-, MCSE-, and MCITP-certified for ages, as well as an MCT and a Microsoft Most Valuable Professional (MVP) on Directory Services and Enterprise Mobility for over a decade. Sander is also decorated with Veeam Vanguard and VMware vExpert awards for his international cross-platform knowledge, experience, and passion.

His background in industrial design engineering explains a lot of his creativity. His qualities extend beyond the typical four As in identity and access management. Of course, administration, authentication, authorization, auditing are necessities, but his out-of-the-box solutions get the most out of software, hardware, and the cloud.

His work as a consultant, blogger, author, and trainer are all means to achieve his goal to help people with technology so that IT is not a mere hurdle, but an infinite enabler.

About the reviewers

Carl Webster, aka Webster, specializes in Citrix, Active Directory, and technical documentation. He is the most active person in the Citrix zone on Experts Exchange and serves the broader Citrix community by writing articles and providing free PowerShell scripts at CarlWebster.com. Webster, a CTP since 2009, is a founding member of the Citrix Technology Professional Fellow program. He has a long history in the IT industry, starting with mainframes in 1977, moving to PCs and application development in 1986, and then shifting to Active Directory and networks in 2001. Webster has worked on hundreds of Active Directory troubleshooting, remediation, and migration projects since 2001. Admins in small to mid-sized businesses appreciate his PowerShell scripts and his detailed and thorough approach and prescriptive guidance.

James Mendez is a customer engineer at Microsoft working with customers using Active Directory, Windows Server platforms, and various Azure cloud services. He has worked in the IT industry for over 25 years, obtaining different IT certifications and also holding roles such as senior systems engineer and lead IT systems architect. He has gained experience and exposure to a variety of technologies (such as Microsoft, Cisco, and VMware) over the years, which include scripting, web development, ETL data integration, networking, virtualization, hyper-converged infrastructure. Outside of work, he has several interests, including music (composing), traveling, cycling, running, reading, continuously learning, and spending time with family.

I'd like to thank:

My brother, for the encouragement and support, being a mentor, and also sharing his invaluable experience and insight throughout the introductory years of my career.

My parents, for instilling a strong and honest work ethic in me and always encouraging me to invest 200% into anything I am passionate about.

The few but genuine friends I have (domestic and international), for truly being there and believing in me.

Table of Contents

Preface

Chapter 1: Optimizing Forests, Domains, and Trusts

Choosing between a new domain or forest

Why would you have a new domain?

What are the downsides of a new domain?

Why would you create a new forest?

What are the downsides of a new forest?

Listing the domains in your forest

Getting ready

How to do it...

How it works...

Using adprep.exe to prepare for new Active Directory functionality

Getting ready

How to do it...

How it works...

There's more...

Raising the domain functional level to Windows Server 2016

Getting ready

How to do it...

How it works...

Raising the forest functional level to Windows Server 2016

Getting ready

How to do it...

How it works...

Creating the right trust

Trust direction

Trust transitivity

One-way or two-way trust

Getting ready

How to do it...

See also

Removing a trust

Getting ready

How to do it...

How it works...

Verifying and resetting a trust

Getting ready

How to do it...

How it works...

Securing a trust

Getting ready

How to do it...

How it works...

There's more...

Extending the schema

Getting ready

How to do it...

There's more...

Enabling the Active Directory Recycle Bin

Getting ready

How to do it...

How it works...

Managing UPN suffixes

Getting ready

How to do it...

How it works...

There's more...

Chapter 2: Managing Domain Controllers

Preparing a Windows server to become a domain controller

Intending to do the right thing

Dimensioning the servers properly

Preparing the Windows Server installations

Preconfiguring the Windows servers

Documenting the passwords

See also

Promoting a server to a domain controller

Getting ready

How to do it...

See also

Promoting a server to a read-only domain controller

Getting ready

How to do it...

Checking proper promotion

How it works...

See also

Using Install From Media

Getting ready

How to do it...

How it works...

Using domain controller cloning

Getting ready

How to do it...

How it works...

See also

Determining whether a virtual domain controller has a VM-GenerationID

How to do it...

How it works...

Demoting a domain controller

Getting ready

How to do it...

How it works...

There's more...

Demoting a domain controller forcefully

Getting ready

How to do it...

See also

Inventory domain controllers

How to do it...

Decommissioning a compromised read-only domain controller

How to do it...

How it works...

Chapter 3: Managing Active Directory Roles and Features

About FSMO roles

Recommended practices for FSMO roles

Querying FSMO role placement

Getting ready

How to do it...

How it works...

Transferring FSMO roles

Getting ready

How to do it...

How it works...

Seizing FSMO roles

Getting ready

How to do it...

How it works...

Configuring the PDC Emulator to synchronize time with a reliable source

Getting ready

How to do it...

How it works...

Managing time synchronization for virtual domain controllers

Getting ready

How to do it...

How it works...

Managing global catalogs

Getting ready

How to do it...

How it works

Chapter 4: Managing Containers and Organizational Units

Differences between OUs and containers

Containers

OUs

OUs versus Active Directory domains

Creating an OU

Getting ready

How to do it...

How it works...

There's more...

Deleting an OU

Getting ready

How to do it...

How it works...

There's more...

Modifying an OU

Getting ready

How to do it...

How it works...

There's more...

See also

Delegating control of an OU

Getting ready

How to do it...

How it works...

See also

Modifying the default location for new user and computer objects

Getting ready

How to do it...

How it works...

See also

Chapter 5: Managing Active Directory Sites and Troubleshooting Replication

What do Active Directory sites do?

Recommendations

Creating a site

Getting ready

How to do it...

See also

Managing a site

Getting ready

How to do it...

How it works...

See also

Managing subnets

Getting ready

How to do it...

How it works...

See also

Creating a site link

Getting ready

How to do it...

How it works...

See also

Managing a site link

Getting ready

How to do it...

See also

Modifying replication settings for an Active Directory site link

Getting ready

How to do it...

How it works...

See also

Creating a site link bridge

Getting ready

How to do it...

See also

Managing bridgehead servers

Getting ready

How to do it...

How it works...

See also

Managing the ISTG and KCC

Getting ready

How to do it...

How it works...

See also

Managing UGMC

Getting ready

How to do it...

How it works...

See also

Working with repadmin.exe

Getting ready

How to do it...

How it works...

See also

Forcing replication

Getting ready

How to do it...

How it works…

See also

Managing inbound and outbound replication

Getting ready

How to do it...

How it works...

There's more...

See also

Modifying the tombstone lifetime period

Getting ready

How to do it...

How it works...

See also

Managing strict replication consistency

Getting ready

How to do it...

How it works...

Upgrading SYSVOL replication from FRS to DFSR

Getting ready

How to do it...

How it works...

See also

Checking for and remediating lingering objects

Getting ready

How to do it...

How it works...

See also

Chapter 6: Managing Active Directory Users

Creating a user

Getting ready

How to do it...

How it works...

There's more...

Deleting a user

Getting ready

How to do it...

How it works...

See also

Modifying several users at once

Getting ready

How to do it...

How it works...

There's more...

Moving a user

Getting ready

How to do it...

How it works...

Renaming a user

Getting ready

How to do it...

How it works...

Enabling and disabling a user

Getting ready

How to do it...

How it works...

There's more...

Finding locked-out users

Getting ready

How to do it...

How it works...

See also

Unlocking a user

Getting ready

How to do it...

Managing userAccountControl

Getting ready

How to do it...

How it works...

Using account expiration

Getting ready

How to do it...

How it works...

Chapter 7: Managing Active Directory Groups

Creating a group

Getting ready

How to do it...

How it works...

Deleting a group

Getting ready

How to do it...

How it works...

Managing the direct members of a group

Getting ready

How to do it...

How it works...

Managing expiring group memberships

Getting ready

How to do it...

How it works...

Changing the scope or type of a group

Getting ready

How to do it...

How it works...

See also…

Viewing nested group memberships

Getting ready

How to do it...

How it works...

Finding empty groups

Getting ready

How to do it...

How it works...

Chapter 8: Managing Active Directory Computers

Creating a computer

Getting ready

How to do it...

How it works...

There's more...

Deleting a computer

Getting ready

How to do it...

How it works...

See also

Joining a computer to the domain

Getting ready

How to do it...

How it works...

There's more...

See also

Renaming a computer

Getting ready

How to do it...

How it works...

There's more...

Testing the secure channel for a computer

Getting ready

How to do it...

How it works...

See also

Resetting a computer's secure channel

Getting ready

How to do it...

How it works...

Getting ready

How to do it...

How it works...

Chapter 9: Managing DNS

Managing the DNS server role on domain controllers

Getting ready

How to do it…

How it works…

See also

Creating a DNS zone

Getting ready

How to do it…

How it works…

Managing the DNS zone properties

Getting ready

How to do it…

How it works…

Deleting a DNS zone

Getting ready

How to do it…

How it works…

Creating a DNS record

Getting ready

How to do it…

How it works…

Deleting a DNS record

Getting ready

How to do it…

How it works…

Verifying the domain controller SRV DNS records

Getting ready

How to do it…

How it works…

Creating a DNS conditional forwarder

Getting ready

How to do it...

How it works…

See also

Chapter 10: Getting the Most Out of Group Policy

Creating a GPO

Getting ready

How to do it...

How it works...

See also

Copying a GPO

Getting ready

How to do it...

How it works...

There's more...

Deleting a GPO

Getting ready

How to do it...

How it works...

See also

Modifying the settings of a GPO

Getting ready

How to do it...

How it works...

Assigning scripts

Getting ready

How to do it...

How it works...

Installing applications

Getting ready

How to do it...

How it works...

Linking a GPO to an OU

Getting ready

How to do it...

How it works...

There's more...

Blocking inheritance of GPOs on an OU

Getting ready

How to do it...

How it works...

Enforcing the settings of a GPO Link

Getting ready

How to do it...

How it works...

Applying security filters

Getting ready

How to do it...

How it works...

Creating and applying WMI filters

Getting ready

How to do it...

How it works...

There's more...

Refreshing GPO settings

Getting ready

How to do it…

How it works…

Configuring loopback processing

Getting ready

How to do it...

How it works...

Restoring a default GPO

Getting ready

How to do it...

How it works...

There's more...

Creating the Group Policy Central Store

Getting ready

How to do it...

How it works...

There's more...

Chapter 11: Securing Active Directory

Applying fine-grained password and account lockout policies

Getting ready

How to do it...

How it works...

There's more...

Backing up and restoring GPOs

Getting ready

How to do it...

How it works...

There's more...

Backing up and restoring Active Directory

Getting ready

How to do it...

How it works...

See also…

Working with Active Directory snapshots

Getting ready

How to do it...

How it works...

There's more...

See also

Managing the DSRM passwords on domain controllers

Getting ready

How to do it...

How it works...

Protecting important objects from accidental deletion

Getting ready

How to do it…

How it works…

There's more…

Implementing LAPS

Getting ready

How to do it...

How it works...

See also

Managing deleted objects

Getting ready

How to do it...

How it works...

There's more...

See also

Working with gMSAs

Getting ready

How to do it...

How it works...

There's more...

Configuring diagnostic logging

Getting ready

How to do it…

How it works…

Configuring the advanced security audit policy

Getting ready

How to do it...

How it works...

Resetting the KRBTGT secret

Getting ready

How to do it...

How it works...

There's more...

Using the SCW to secure domain controllers

Getting ready

How to do it

How it works...

Leveraging the Protected Users group

Getting ready

How to do it...

How it works...

See also

Putting authentication policies and authentication policy silos to good use

Getting ready

How to do it...

How it works...

Configuring Extranet Smart Lockout

Getting ready

How to do it...

How it works...

Chapter 12: Managing Certificates

Deciding between your own CA and a public CA

How to do it…

How it works…

See also

There's more…

Setting up a CA

Getting ready

How to do it…

How it works…

There's more…

Setting up an online responder

Getting ready

How to do it…

How it works…

See also

Removing a certificate template

Getting ready

How to do it…

How it works…

Duplicating and editing a certificate template

Getting ready

How to do it…

How it works…

Requesting a web server certificate

Getting ready

How to do it…

How it works…

See also

Issuing domain controller certificates

Getting ready

How to do it…

How it works…

Managing certificate autoenrollment

Getting ready

How to do it…

How it works…

See also

Revoking a certificate

Getting ready

How to do it…

How it works…

Decommissioning a CA

Getting ready

How to do it…

How it works…

Chapter 13: Managing Federation

Choosing the right AD FS farm deployment method

Getting ready

How to do it...

How it works...

There's more...

See also

Installing the AD FS server role

Getting ready

How to do it...

How it works...

Setting up an AD FS farm with WID

Getting ready

How to do it...

How it works...

There's more...

See also

Setting up an AD FS farm with SQL Server

Getting ready

How to do it...

How it works...

There's more...

See also

Adding additional AD FS servers to an AD FS farm

Getting ready

How to do it...

How it works...

Removing AD FS servers from an AD FS farm

Getting ready

How to do it...

How it works...

There's more...

Creating an RPT

Getting ready

How to do it...

How it works...

Deleting an RPT

Getting ready

How to do it...

How it works...

Configuring branding

Getting ready

How to do it...

How it works...

Migrating a WID-based AD FS farm to an SQL Server

Getting ready

How to do it...

How it works…

Setting up a WAP

Getting ready

How to do it...

How it works...

There's more...

Decommissioning a WAP

Getting ready

How to do it...

How it works...

Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO)

Choosing the right authentication method

Getting ready

How to do it...

How it works...

There's more...

Signing up for Azure AD

Getting ready

How to do it

How it works…

Verifying your DNS domain name

Getting ready

How to do it...

How it works...

Implementing PHS with Express Settings

Getting ready

How to do it...

How it works...

Implementing PTA and Seamless SSO

Getting ready

How to do it...

How it works...

There's more...

Implementing SSO using AD FS

Getting ready

How to do it...

How it works...

There's more...

Managing AD FS with Azure AD Connect

Getting ready

How to do it...

How it works...

Implementing Azure Traffic Manager for AD FS geo-redundancy

Getting ready

How to do it...

How it works...

There's more...

Migrating from AD FS to PTA for SSO to Office 365

Getting ready

How to do it...

How it works...

There's more...

Making PTA (geo)redundant

Getting ready

How to do it...

How it works...

Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect)

Choosing the right source anchor attribute for user objects

Getting ready

How to do it...

How it works...

There's more...

Configuring staging mode

Getting ready

How to do it...

How it works...

See also

Switching to a staging-mode server

Getting ready

How to do it...

How it works...

Configuring domain and OU filtering

Getting ready

How to do it...

How it works...

Configuring Azure AD app and attribute filtering

Getting ready

How to do it...

How it works...

Configuring hybrid Azure AD join

Getting ready

How to do it...

How it works...

Configuring device writeback

Getting ready

How to do it...

How it works...

Configuring password writeback

Getting ready

How to do it...

How it works...

Configuring group writeback

Getting ready

How to do it...

How it works...

Changing passwords for Azure AD Connect service accounts

Getting ready

How to do it...

How it works...

Chapter 16: Hardening Azure AD

Setting contact information

Getting ready

How to do it...

How it works...

See also

Preventing non-privileged users from accessing the Azure portal

Getting ready

How to do it...

How it works...

Viewing all privileged users in Azure AD

Getting ready

How to do it...

How it works...

Preventing users from registering or consenting to apps

Getting ready

How to do it...

How it works...

Preventing users from inviting guests

Getting ready

How to do it...

How it works...

There's more...

See also

Allowing and blocking invitations for Azure AD B2B

Getting ready

How to do it...

How it works...

Configuring Azure AD join and Azure AD registration

Getting ready

How to do it...

How it works...

See also

Configuring Intune auto-enrollment upon Azure AD join

Getting ready

How to do it...

How it works...

Choosing between Security defaults and Conditional Access

Getting ready

How to do it...

How it works…

Configuring Conditional Access

Getting ready

How to do it...

How it works...

See also

Accessing Azure AD Connect Health

Getting ready

How to do it...

How it works...

There's more...

Configuring Azure AD Connect Health for AD FS

Getting ready

How to do it...

How it works...

There's more…

Configuring Azure AD Connect Health for AD DS

Getting ready

How to do it...

How it works...

Configuring Azure AD PIM

Getting ready

How to do it...

How it works...

Configuring Azure AD Identity Protection

Getting ready

How to do it...

How it works...

Implementing Defender for Identity

Getting ready

How to do it…

How it works…

Why subscribe?

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Preface

Active Directory (AD)is an administration system for Windows administrators to automate network, security, and access management tasks in the Windows infrastructure. This second edition is updated to cover Windows Server 2022 and guides you through effective recipes for AD administration.

The book starts with a detailed focus on forests, domains, trusts, schemas, and partitions. After that, you'll learn how to manage domain controllers, organizational units (OUs), and default containers. You'll explore how to manage Active Directory sites, as well as identifying and solving replication problems. Later chapters cover different object types in Active Directory: users, groups, and computers. You'll also work through recipes that help you manage your AD domains, as well as managing user and group objects and computer accounts, expiring group memberships, and group managed service accounts (gMSAs) with PowerShell. This book discusses how to manage DNS and certificates and how to work with Group Policy. You'll then focus on security and federation before going on to explore Azure Active Directory (Azure AD) and how to integrate on-premises Active Directory with Azure AD. Finally, you'll discover how Microsoft Azure AD Connect synchronization works and how to harden Azure AD.

By the end of this book, you'll be able to make the most of Active Directory, Azure AD and Azure AD Connect.

Who this book is for

This book is for administrators of existing Active Directory Domain Services (AD DS) environments and/or Azure AD tenants looking for guidance to optimize their day-to-day tasks. Basic networking and Windows Server operating system knowledge will be useful for getting the most out of this book.

What this book covers

Chapter 1, Optimizing Forests, Domains, and Trusts, discusses how Active Directory for large organizations entails managing many logical aspects of Active Directory. This chapter focuses on the intangible aspects of Active Directory: forests, domains, trusts, schemas, and partitions.

Chapter 2, Managing Domain Controllers, shows how domain controllers represent Active Directory towards devices, applications, and users. 

Chapter 3, Managing Active Directory Roles and Features, details how some domain controllers are created more equal than others. The differences between domain controllers and how to manage them are described in this chapter. 

Chapter 4, Managing Containers and Organizational Units, explains how there is a standard set of containers and OUs that are created during the installation of Active Directory. These are usually confused by Active Directory administrators. This chapter will help administrators understand when and why they need to use OUs instead of containers and how to perform all common tasks.

Chapter 5, Managing Active Directory Sites and Troubleshooting Replication, looks at how a site is a logical means to represent the physical aspects of AD. In this chapter, you will create and manage sites, subnets, and sitelinks. The focus here will also be on identifying, managing, and solving AD replication problems.

Chapter 6, Managing Active Directory Users, looks at Active Directory objects, which are where you manage the organization's resources. With the effective tips and tricks given in this chapter, you will be able to create, delete, and manage users. 

Chapter 7, Managing Active Directory Groups, looks at groups, which are the cornerstone to providing access in Active Directory. With the information in this chapter, you will be able to create, delete, and manage groups and change the scope of a group based on your requirements. 

Chapter 8, Managing Active Directory Computers, discusses how Active Directory computer objects offer single sign-on and a secure channel between devices, domain controllers, and resources. 

Chapter 9, Managing DNS, looks at Domain Name System (DNS), which is important to Active Directory. While not every domain controller is a DNS server, most are. You will learn how to manage DNS.

Chapter 10, Getting the Most Out of Group Policy, looks at Group Policy, which helps to control the settings deployed to the user objects and computers of your Active Directory infrastructure. In this chapter, we will cover recipes to work with Group Policy objects (GPOs) to help bring greater understanding to this topic.  

Chapter 11, Securing Active Directory, discusses how Active Directory plays a critical role in the IT infrastructure and safeguards the security of different network resources in an interconnected environment. In this chapter, we will cover a set of practical techniques that will help administrators protect an enterprise Active Directory environment.

Chapter 12, Managing Certificates, covers certificates. To secure communications between hosts and the internet, certificates can be issued by certification authorities (CAs). In this chapter, you'll learn how to set one up, manage it, and optionally decommission it.

Chapter 13, Managing Federation, looks at federation, which is the way organizations collaborate using open authentication standards. You will learn how to set up, configure, and manage Active Directory Federation Services (AD FS) servers and Web Application Proxy servers in this chapter.

Chapter 14, Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO), shows you how to integrate Active Directory identities with your Azure AD. The information in this chapter will revolve around managing AD FS, PHS, PTA, and DSSO.

Chapter 15, Handling Synchronization in a Hybrid World (Azure AD Connect), explains how synchronization works with Azure AD Connect and how to customize it. It helps you choose the right source anchor attribute and manage the Azure AD Connect service accounts.

Chapter 16, Hardening Azure AD, discusses how many organizations depend on the integrity of the privileged accounts that manage IT systems for the security of business assets. Cyber-attackers focus on Active Directory and Azure AD to gain access to an organization's sensitive data. This chapter will offer expert tips on hardening security with Azure AD.

To get the most out of this book

To get the most out of the book, it helps to have basic knowledge of Windows Server and Active Directory.

Many recipes are written to lift an aging Active Directory environment to new heights. It helps in these cases to know the old protocols, such asNT LAN Manager (NTLM), but an open mind is a more valuable asset when engaging with the recipes.

Some recipes in this cookbook require significant hardware, so if you're staging changes in development, test, or acceptance environments, make sure you have the computational power and storage to do so.

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book's GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Active-Directory-Administration-Cookbook-Second-Edition. If there's an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Code in Action

The Code in Action videos for this book can be viewed at http://bit.ly/2OQfDum.

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/Bookname_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Alternatively, you can search for its executable (servermanager.exe) in the Start menu."

Any command-line input or output is written as follows:

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "In the User settings pane, change the Users can register applications setting to No."

Tips or Important Notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you've read Active Directory Administration Cookbook, Second Edition, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Chapter 1: Optimizing Forests, Domains, and Trusts

Back in the year 2000, when Active Directory was introduced to the larger public, we lived in a different world. The internet was only just starting to deliver value to businesses. That's why, in Windows 2000 Server, Active Directory was largely disconnected from the internet. Windows 2000 Server's default Domain Name System (DNS) settings even came with a root domain; so, if you wanted to connect to the internet, you had to delete the. DNS zone manually.

Fast forward to today, and the internet and cloud services seem omnipresent. The default . DNS zone has disappeared from Windows Server, but the concepts of trees and forests in Active Directory has persisted, and they still allow for some confusion among Active Directory admins.

To explain domains, trees, and forests in Active Directory, we need to acknowledge Active Directory's past. To create anything in Active Directory, you'll need to create a domain. It starts with the name. For a hypothetical organization, Lucern Publishing, four typical domain names would be as follows:

Table 1.1 – Typical domain names

The first two options are the preferred options, as they adhere to RFC 822 (https://www.w3.org/Protocols/rfc822). The third option is a common option but doesn't comply with RFC 2606 (https://tools.ietf.org/html/rfc2606) and should be avoided. The fourth option is a typical single-label domain. They are usually the result of a common error among Active Directory admins migrating from Windows NT 4 Server's model to Active Directory. Products that once supported Windows NT 4 Server's single-label domains are no longer around, or they no longer support single-label domain names, including Microsoft.

Lucern Publishing may be quite a successful organization, so they might expand their operations from Switzerland to Europe, North America, and Asia. For reasons that we'll discuss later, they might want to separate Active Directory domains for each of their territories, but they want them to keep working together like one organization. This is where a domain tree comes into play. Now, Lucern Publishing might choose to create three subdomains under lucernpub.com:

They've created a tree of Active Directory domains, sharing the same DNS namespace. Of course, Lucern Publishing might also choose to create multiple trees, next to the lucernpub.com domain or tree, to accommodate an organizational layout with different names for their global expansions, such as Austin Publishing and Wuhan Publishing. In this case, it will make sense to create separate domains such as austinpub.com and wuhanpub.com. Effectively, Lucern Publishing will create three trees this way, belonging to the same Active Directory forest. Yes, some Active Directory environments are large structures with many large trees, but the default Active Directory forest consists of just one tree, with one Active Directory domain.

In this chapter, we'll discuss the reasoning behind creating domains and forests. We'll also discuss userPrincipalName (UPN) suffixes and trusts. The goal of this chapter is to help you make the right choices in terms of your Active Directory structure.

The following recipes are covered in the chapter:

Before going through these recipes, we will look at a few aspects that you will need to know for this chapter.

Let's begin!

Choosing between a new domain or forest

In organizations, sometimes, an expansion or business change requires changes in Active Directory too. In Active Directory terms, the change might require creating a new Active Directory domain or a new Active Directory forest. In this recipe, we'll look at the reasoning between these two choices, taking the entire life cycle of Active Directory into consideration.

Why would you have a new domain?

A new Active Directory domain – as either a subdomain of an existing domain or a new domain tree in an existing forest – provides a boundary.

The boundary of domains in Active Directory relates to the following:

However, the boundary of domains in Active Directory does not include the following:

Essentially, a new Active Directory domain is an administrative boundary, which you can create for an organization to allow for delegated management.

What are the downsides of a new domain?

Microsoft's advice is to keep Active Directory as simple as possible. When you create additional domains, the organization ends up with the following:

Why would you create a new forest?

A new Active Directory forest is basically a completely new Active Directory environment. When you create it, it does not have a relationship with an existing Active Directory environment, unless you choose to create Active Directory trusts afterward.

Since the new Active Directory forest is separate, a boundary is created for the following reasons:

When requirements apply in terms of schemas or replication, creating an Active Directory forest is the right choice. One thing that might be good here is to state that the forest is a security boundary as well as an administrative boundary.

Additionally, since the forest is a separate environment, by default, it can also be separated afterward. In acquisition and divestiture scenarios that can be overseen for the life cycle of Active Directory, an Active Directory forest is also the right choice.

What are the downsides of a new forest?

A separate Active Directory environment, of course, requires double the administrative effort of Active Directory admins. Additionally, since the environments are separate, creating an address list in Microsoft Exchange Server or sharing common applications, services, and/or systems can be challenging.

Now we can look at the recipes covered in this chapter.

Listing the domains in your forest

In an Active Directory environment with multiple domains and forests, it can be hard to distinguish the trees from the forest. As authentication is often per forest, an easy way to list the domains per forest is welcome.

Getting ready

Alas, the only reliable way to list the domains in a forest is to use PowerShell.

For this recipe, we'll need one of the following:

On domain controllers running Windows Server 2012 with Desktop Experience (and on newer versions of Windows Server), the Active Directory module for the Windows PowerShell feature is automatically installed, when promoted to a domain controller.

On domain controllers running Server Core installations of Windows Server 2012 (and on newer versions of Windows Server), the availability of the Active Directory module for Windows PowerShell depends on the -IncludeManagementTools option for the Install-WindowsFeature Windows PowerShell cmdlet used to install the Active Directory Domain Services role.

Installing the Active Directory module for Windows PowerShell on Windows Server

To install the Active Directory module for Windows PowerShell on a Windows Server with Desktop Experience, perform the following steps:

Figure 1.1 – The Active Directory module for Windows PowerShell feature in the Add Roles and Features Wizard

To install the Active Directory module for Windows PowerShell on the command line of a Server Core installation of Windows Server, run these two commands:

PowerShell.exe

Install-WindowsFeature RSAT-AD-PowerShell

Installing the Active Directory module for Windows PowerShell on Windows

To install the Active Directory module for Windows PowerShell on a device running Windows 8.1 and Windows 10 prior to version 1809, download the separately available Remote Server Administration Tools (RSAT) package for your version of Windows. After you install the package, all the RSAT will be available, including the Active Directory module for Windows PowerShell.

To install the Active Directory Domain Services and Lightweight Directory Services tools, including the Active Directory module for Windows PowerShell, on a device running Windows version 1809 (and newer versions of Windows), perform these steps:

Alternatively, on devices running Windows 10 version 1809 (and newer versions of Windows), you can use the following line of Windows PowerShell to install the Active Directory Domain Services and Lightweight Directory Services tools, including the Active Directory module for Windows PowerShell:

Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

To list all the domains in a forest, use an account that is a member of the Enterprise Admins group in Active Directory.

How to do it...

On the system, start an elevated Windows PowerShell window or Windows PowerShell ISE window using the domain credentials for any domain account.

Then, type the following line of Windows PowerShell:

Get-ADForest | Select-Object domains

The output of this line of Windows PowerShell lists all Active Directory domains.

How it works...

We use the Get-ADForest cmdlet from the Active Directory module to get the information for the current Active Directory forest. Then, we pipe the output of that command to select only the domains, since that's what we're after.

You can now make the best choices for implementing new domains and/or forests, and/or decommissioning domains and/or forests.

Using adprep.exe to prepare for new Active Directory functionality

The Active Directory schema defines the way that objects can be created, and what attributes are required or are optional for these objects. With previous versions of Windows Server, the base schema has been improved and extended.

Many features require certain schema versions for Active Directory. For instance, when you want to deploy a Windows Server 2016-based Active Directory Federation Services (AD FS) farm, you'll need the Windows Server 2016 schema or a higher version of the schema.

Since Windows Server 2012, Microsoft updates the Active Directory schema automatically when you promote the first Windows Server 2012-based member server to an Active Directory domain controller.

However, consider what will happen if you want to do any of the following:

In these situations, you'll want to update the Active Directory schema manually, using adprep.exe from the Windows Server installation media.

Getting ready

Copy the entire contents of the \support\adprep folder from the Windows Server installation media to a temporary folder on your system's hard disk.

Required permissions

The Active Directory preparation process consists of four separate stages. You'll need an account with the following group memberships for each stage:

Table 1.2 – Required permissions per Active Directory preparation step

How to do it...

Start Command Prompt in the File Explorer window of the folder that you've copied the files to.

You can simply type cmd in the address bar to achieve this.

The Active Directory preparation process consists of four separate stages:

After these steps, you'll want to check proper Active Directory replication.

Preparing the forest

Perform these steps to prepare the Active Directory forest:

adprep.exe /forestprep /forest lucernpub.com /user EntAdmin /userdomain lucernpub.com /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

The following line at the end of the output indicates the successful preparation of the Active Directory forest:

Adprep successfully updated the forest-wide information

When you see the preceding line appear, you can continue with the next step.

Preparing the forest for RODCs

The /rodcprep switch for adprep.exe triggers the preparation of the forest for RODCs. This action only needs to be performed when the intention is to run RODCs in the Active Directory forest:

adprep.exe /rodcprep /forest lucernpub.com /user DomAdmin /userdomain lucernpub.com /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

Rodcprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\Windows\debug\adprep\logs\<date> for more information.

When you see the preceding line appear, you can continue with the next step.

Preparing the domain

Perform these steps to prepare the domain:

adprep.exe /domainprep /domain lucernpub.com /user DomAdm /userdomain lucernpub.com /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

Adprep successfully updated the domain-wide information

When you see the preceding line appear, you can continue with the next step.

Updating filesystem and Active Directory permissions on existing GPOs

Group Policy preparation, as part of adprep.exe, adds two pieces of functionality to Active Directory:

GPOs are stored in both the System Volume (SYSVOL) and Active Directory. Both locations require an update of the permissions for existing GPOs, to take advantage of the preceding functionality.

If the Active Directory domain already contains custom or delegated permissions, Group Policy preparation kicks off the replication of all Group Policy files in the SYSVOL and may deny the functionality of RSoP to delegated admins until their permissions are recreated.

Note

Group Policy preparation does not need to be run with every upgrade. Admins need to run Group Policy preparation only once, and they only need to run it if an Active Directory domain has run on Windows 2000 Server-based domain controllers at one point in its existence. If an environment was created with domain controllers running Windows Server 2003, or newer versions of Windows Server, the Group Policy preparation step can be skipped.

To update filesystem and Active Directory permissions for GPOs, run the following command:

adprep.exe /domainprep /gpprep /domain lucernpub.com /user DomAdm /userdomain lucernpub.com /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

The following line at the end of the output indicates the successful preparation of the Active Directory domain:

Adprep successfully updated the Group Policy Object (GPO) information.

Checking the preparation replication

When done with the preparation steps, the Active Directory schema base version should be upgraded to a higher number, corresponding to the new schema version.

The following table shows the version numbers in accordance with the Active Directory level:

Table 1.3 – Schema version per Windows Server version

You can manually check the schema version per domain controller with the following command from any of your domain controllers:

repadmin.exe /showattr * "cn=schema,cn=configuration,dc=lucernpub,dc=com" /atts:objectVersion

Replace lucernpub and com with values for your Active Directory environment.

When all domain controllers report the same schema version, the Active Directory preparation has replicated successfully to all domain controllers.

How it works...

In Windows Server 2012 (and later versions), the entire Active Directory preparation process is automated. When you promote a Windows Server 2012-based member server (or any newer version of Windows Server) to an additional domain controller for a domain or upgrade a domain controller running a previous version to Windows Server 2012 (or any newer version of Windows Server), the Active Directory Domain Services Configuration Wizard determines whether the environment needs to be prepared as part of the promotion process.

Larger organizations often separate the schema or preparation work from the actual domain controller-promotion process work to minimize risk, adhere to small change windows, and more.

However, adprep.exe is still available to prepare the Active Directory forest and/or Active Directory domain(s) manually.

Windows Server 2022 is the first Windows Server version that does not require a schema upgrade since Active Directory was released with Windows 2000 Server.

There's more...

Unless there are compelling reasons not to, preparing for the latest available Active Directory schema version is the recommended approach. A reason not to do this is when an organization doesn't want to enable the promotion of the latest version(s) of Windows Server to domain controllers in a delegated environment.

Raising the domain functional level to Windows Server 2016

When implementing new Active Directory domain controllers and removing domain controllers running previous versions of Windows Server, many admins forget to raise the Active Directory domain functional level (DFL) to the earliest Windows Server version still running as domain controllers. After upgrading all domain controllers from Windows Server 2008 R2 to Windows Server 2012 R2, for instance, they would not raise the DFL to Windows Server 2012 R2 but keep it at the Windows Server 2008 R2 level.

It's a shame, really, because many new Active Directory features and optional Active Directory features are only available when the functional level is raised. Furthermore, the DFL dictates the lowest version of Windows Server that admins can use to promote new domain controllers. In addition, since Windows Server 2008 R2, the DFL can also be reverted, as long as no new optional features have been enabled and the Active Directory forest functional level (FFL) is the same as the DFL that you want to revert to, or lower.

The Windows 2016 domain is the highest available DFL for Active Directory; there is no Windows 2019 or Windows Server 2022 domain level.

From an Active Directory point of view, the Windows Server 2008 DFL (or any newer version of the DFL), is required when you want to deploy Windows Server 2016-based domain controllers and domain controllers running newer versions of Windows Server. Additionally, DFS replication needs to be in use to replicate the SYSVOL.

Getting ready

Microsoft recommends raising the DFL from the Active Directory domain controller that holds the Primary Domain Controller (PDC) Emulator Flexible Single Master Operations (FSMO) role.

To locate this domain controller, run the following command on any domain-joined device, member server, or domain controller:

netdom.exe query fsmo

Alternatively, use the following line of PowerShell on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Get-ADDomain | Format-List PDCEmulator

Use an account that is a member of the Domain Admins group in the Active Directory domain for which you want to raise the DFL.

How to do it...

On domain controllers running Windows Server with the Desktop Experience, perform the following steps:

Figure 1.2 – The Raise domain functional level window

Alternatively, you can use the following PowerShell command:

Set-ADDomainMode lucernpub.com Windows2016Domain

Replace lucernpub.com with values for your Active Directory environment.

Even when under time pressure, you'll want to check for the proper replication of changes to Active Directory functional levels before making any other changes in Active Directory that might depend on them. Especially in large environments with elaborate replication technologies, replication might take a while.

To check for the proper replication of changes to Active Directory functional levels, use the following command:

repadmin.exe /showattr *.lucernpub.com "dc=lucernpub,dc=com" /atts:msDS-Behavior-Version

Replace lucernpub.com, lucernpub, and com with values for your Active Directory environment.

The command checks the value for the msDS-Behavior-Version attribute on each of the domain controllers in the Active Directory domain and returns the value.

The following table shows the msDS-Behavior-Version attribute value per Active Directory DFL:

Table 1.4 – msDS-Behavior-Version attribute values per Active Directory DFL

The output shows the domain controllers that are replicating a change from a lower value to a higher value. When each domain controller returns the same value, the DFL has successfully replicated throughout the Active Directory environment.

How it works...

When a domain controller operates, it references the DFL to know how it can optimally interoperate with other domain controllers in the Active Directory domain. Additionally, when you want to enable optional Active Directory features, the msDS-Behavior-Version attribute is referenced to see whether it's a permissible action.

If there is a domain controller running a version of Windows Server that does not meet the requirements of a certain DFL, the level is grayed out in the Active Directory Domains and Trusts console and the level may not be raised to the desired level. In this case, when you try to raise the DFL using Windows PowerShell or other programmatic means, it will error out.

Raising the forest functional level to Windows Server 2016

Just like the Active Directory DFL, the FFL also determines the availability of new Active Directory functionality. Where the DFL dictates the minimum version of Windows Server to run as domain controllers, the FFL dictates the minimum version of the DFL in the Active Directory forest.

The new functionality that is unlocked by raising the FFL includes the following:

Getting ready

Microsoft recommends raising the FFL from the Active Directory domain controller that holds the Domain Naming Master FSMO role.

To locate this domain controller, run the following command on any domain-joined device, member server, or domain controller:

netdom.exe query fsmo

Alternatively, use the following line of Windows PowerShell on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Get-ADForest | Format-List DomainNamingMaster

Use an account that is a member of the Enterprise Admins group in the Active Directory forest for which you want to raise the FFL.

How to do it...

On domain controllers running Windows Server with the Desktop Experience, perform the following steps:

Figure 1.3 – The Raise forest functional level window

Alternatively, you can use the following line of Windows PowerShell:

Set-ADForestMode lucernpub.com Windows2016Forest

Replace lucernpub.com with values for your Active Directory environment.

How it works...

When a domain controller operates, it references the FFL to know how it can optimally interoperate with other domain controllers in the Active Directory forest. Additionally, when you want to enable optional Active Directory features, the msDS-Behavior-Version attribute is referenced to see whether it's a permissible action.

When a new Active Directory domain is added to an Active Directory forest, the available DFLs for the domain are shown, based on the msDS-Behavior-Version attribute for the forest too.

If there is a domain running a DFL that does not meet the requirements of a certain FFL, the level is grayed out in the Active Directory Domains and Trusts console and the level cannot be raised to this level. When you try to raise the FFL using Windows PowerShell or other programmatic means, it will error out.

Creating the right trust

In an Active Directory environment with multiple domains, you're bound to have trusts. Trusts allow people to access resources in a domain or forest other than the domain or forest where their user accounts reside.

When Active Directory domains are added to an existing Active Directory domain, two-way transitive trusts are automatically created. However, in other situations, trusts have to be created manually. With many different types of trusts, two trust directions, and a choice in transitivity, which trust is the right trust for which situation?

Let's look at the six types of trust first: