37,19 €
Updated to the Windows Server 2022, this second edition covers effective recipes for Active Directory administration that will help you leverage AD's capabilities for automating network, security, and access management tasks in the Windows infrastructure.
Starting with a detailed focus on forests, domains, trusts, schemas, and partitions, this book will help you manage domain controllers, organizational units, and default containers. You'll then explore Active Directory sites management as well as identify and solve replication problems. As you progress, you'll work through recipes that show you how to manage your AD domains as well as user and group objects and computer accounts, expiring group memberships, and Group Managed Service Accounts (gMSAs) with PowerShell. Once you've covered DNS and certificates, you'll work with Group Policy and then focus on federation and security before advancing to Azure Active Directory and how to integrate on-premise Active Directory with Azure AD. Finally, you'll discover how Microsoft Azure AD Connect synchronization works and how to harden Azure AD.
By the end of this AD book, you’ll be able to make the most of Active Directory and Azure AD Connect.
Das E-Book können Sie in Legimi-Apps oder einer beliebigen App lesen, die das folgende Format unterstützen:
Seitenzahl: 682
Veröffentlichungsjahr: 2022
Proven solutions to everyday identity and authentication challenges for both on-premises and the cloud
Sander Berkouwer
BIRMINGHAM—MUMBAI
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Vijin Boricha
Publishing Product Manager: Mohd Riyan Khan
Senior Editor: Arun Nadar
Content Development Editor: Sujata Tripathi
Technical Editor: Rajat Sharma
Copy Editor: Safis Editing
Project Coordinator: Shagun Saini
Proofreader: Safis Editing
Indexer: Sejal Dsilva
Production Designer: Roshan Kawale
Marketing Coordinator: Hemangi Lotlikar
First published: May 2019
Second edition: July 2022
Production reference: 1080622
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80324-250-7
www.packt.com
Sander Berkouwer calls himself an Active Directory aficionado; he's done everything with Active Directory and Azure AD, including decommissioning. He has been MCSA-, MCSE-, and MCITP-certified for ages, as well as an MCT and a Microsoft Most Valuable Professional (MVP) on Directory Services and Enterprise Mobility for over a decade. Sander is also decorated with Veeam Vanguard and VMware vExpert awards for his international cross-platform knowledge, experience, and passion.
His background in industrial design engineering explains a lot of his creativity. His qualities extend beyond the typical four As in identity and access management. Of course, administration, authentication, authorization, auditing are necessities, but his out-of-the-box solutions get the most out of software, hardware, and the cloud.
His work as a consultant, blogger, author, and trainer are all means to achieve his goal to help people with technology so that IT is not a mere hurdle, but an infinite enabler.
Carl Webster, aka Webster, specializes in Citrix, Active Directory, and technical documentation. He is the most active person in the Citrix zone on Experts Exchange and serves the broader Citrix community by writing articles and providing free PowerShell scripts at CarlWebster.com. Webster, a CTP since 2009, is a founding member of the Citrix Technology Professional Fellow program. He has a long history in the IT industry, starting with mainframes in 1977, moving to PCs and application development in 1986, and then shifting to Active Directory and networks in 2001. Webster has worked on hundreds of Active Directory troubleshooting, remediation, and migration projects since 2001. Admins in small to mid-sized businesses appreciate his PowerShell scripts and his detailed and thorough approach and prescriptive guidance.
James Mendez is a customer engineer at Microsoft working with customers using Active Directory, Windows Server platforms, and various Azure cloud services. He has worked in the IT industry for over 25 years, obtaining different IT certifications and also holding roles such as senior systems engineer and lead IT systems architect. He has gained experience and exposure to a variety of technologies (such as Microsoft, Cisco, and VMware) over the years, which include scripting, web development, ETL data integration, networking, virtualization, hyper-converged infrastructure. Outside of work, he has several interests, including music (composing), traveling, cycling, running, reading, continuously learning, and spending time with family.
I'd like to thank:
My brother, for the encouragement and support, being a mentor, and also sharing his invaluable experience and insight throughout the introductory years of my career.
My parents, for instilling a strong and honest work ethic in me and always encouraging me to invest 200% into anything I am passionate about.
The few but genuine friends I have (domestic and international), for truly being there and believing in me.
Active Directory (AD)is an administration system for Windows administrators to automate network, security, and access management tasks in the Windows infrastructure. This second edition is updated to cover Windows Server 2022 and guides you through effective recipes for AD administration.
The book starts with a detailed focus on forests, domains, trusts, schemas, and partitions. After that, you'll learn how to manage domain controllers, organizational units (OUs), and default containers. You'll explore how to manage Active Directory sites, as well as identifying and solving replication problems. Later chapters cover different object types in Active Directory: users, groups, and computers. You'll also work through recipes that help you manage your AD domains, as well as managing user and group objects and computer accounts, expiring group memberships, and group managed service accounts (gMSAs) with PowerShell. This book discusses how to manage DNS and certificates and how to work with Group Policy. You'll then focus on security and federation before going on to explore Azure Active Directory (Azure AD) and how to integrate on-premises Active Directory with Azure AD. Finally, you'll discover how Microsoft Azure AD Connect synchronization works and how to harden Azure AD.
By the end of this book, you'll be able to make the most of Active Directory, Azure AD and Azure AD Connect.
This book is for administrators of existing Active Directory Domain Services (AD DS) environments and/or Azure AD tenants looking for guidance to optimize their day-to-day tasks. Basic networking and Windows Server operating system knowledge will be useful for getting the most out of this book.
Chapter 1, Optimizing Forests, Domains, and Trusts, discusses how Active Directory for large organizations entails managing many logical aspects of Active Directory. This chapter focuses on the intangible aspects of Active Directory: forests, domains, trusts, schemas, and partitions.
Chapter 2, Managing Domain Controllers, shows how domain controllers represent Active Directory towards devices, applications, and users.
Chapter 3, Managing Active Directory Roles and Features, details how some domain controllers are created more equal than others. The differences between domain controllers and how to manage them are described in this chapter.
Chapter 4, Managing Containers and Organizational Units, explains how there is a standard set of containers and OUs that are created during the installation of Active Directory. These are usually confused by Active Directory administrators. This chapter will help administrators understand when and why they need to use OUs instead of containers and how to perform all common tasks.
Chapter 5, Managing Active Directory Sites and Troubleshooting Replication, looks at how a site is a logical means to represent the physical aspects of AD. In this chapter, you will create and manage sites, subnets, and sitelinks. The focus here will also be on identifying, managing, and solving AD replication problems.
Chapter 6, Managing Active Directory Users, looks at Active Directory objects, which are where you manage the organization's resources. With the effective tips and tricks given in this chapter, you will be able to create, delete, and manage users.
Chapter 7, Managing Active Directory Groups, looks at groups, which are the cornerstone to providing access in Active Directory. With the information in this chapter, you will be able to create, delete, and manage groups and change the scope of a group based on your requirements.
Chapter 8, Managing Active Directory Computers, discusses how Active Directory computer objects offer single sign-on and a secure channel between devices, domain controllers, and resources.
Chapter 9, Managing DNS, looks at Domain Name System (DNS), which is important to Active Directory. While not every domain controller is a DNS server, most are. You will learn how to manage DNS.
Chapter 10, Getting the Most Out of Group Policy, looks at Group Policy, which helps to control the settings deployed to the user objects and computers of your Active Directory infrastructure. In this chapter, we will cover recipes to work with Group Policy objects (GPOs) to help bring greater understanding to this topic.
Chapter 11, Securing Active Directory, discusses how Active Directory plays a critical role in the IT infrastructure and safeguards the security of different network resources in an interconnected environment. In this chapter, we will cover a set of practical techniques that will help administrators protect an enterprise Active Directory environment.
Chapter 12, Managing Certificates, covers certificates. To secure communications between hosts and the internet, certificates can be issued by certification authorities (CAs). In this chapter, you'll learn how to set one up, manage it, and optionally decommission it.
Chapter 13, Managing Federation, looks at federation, which is the way organizations collaborate using open authentication standards. You will learn how to set up, configure, and manage Active Directory Federation Services (AD FS) servers and Web Application Proxy servers in this chapter.
Chapter 14, Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO), shows you how to integrate Active Directory identities with your Azure AD. The information in this chapter will revolve around managing AD FS, PHS, PTA, and DSSO.
Chapter 15, Handling Synchronization in a Hybrid World (Azure AD Connect), explains how synchronization works with Azure AD Connect and how to customize it. It helps you choose the right source anchor attribute and manage the Azure AD Connect service accounts.
Chapter 16, Hardening Azure AD, discusses how many organizations depend on the integrity of the privileged accounts that manage IT systems for the security of business assets. Cyber-attackers focus on Active Directory and Azure AD to gain access to an organization's sensitive data. This chapter will offer expert tips on hardening security with Azure AD.
To get the most out of the book, it helps to have basic knowledge of Windows Server and Active Directory.
Many recipes are written to lift an aging Active Directory environment to new heights. It helps in these cases to know the old protocols, such asNT LAN Manager (NTLM), but an open mind is a more valuable asset when engaging with the recipes.
Some recipes in this cookbook require significant hardware, so if you're staging changes in development, test, or acceptance environments, make sure you have the computational power and storage to do so.
If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book's GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.
You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Active-Directory-Administration-Cookbook-Second-Edition. If there's an update to the code, it will be updated in the GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
The Code in Action videos for this book can be viewed at http://bit.ly/2OQfDum.
We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/Bookname_ColorImages.pdf.
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Alternatively, you can search for its executable (servermanager.exe) in the Start menu."
Any command-line input or output is written as follows:
redirusr.exe "OU=Redirected Users OU,DC=LucernPub,DC=com"redircmp.exe "OU=Redirected Computers OU,DC=LucernPub,DC=com"Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "In the User settings pane, change the Users can register applications setting to No."
Tips or Important Notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you've read Active Directory Administration Cookbook, Second Edition, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
Back in the year 2000, when Active Directory was introduced to the larger public, we lived in a different world. The internet was only just starting to deliver value to businesses. That's why, in Windows 2000 Server, Active Directory was largely disconnected from the internet. Windows 2000 Server's default Domain Name System (DNS) settings even came with a root domain; so, if you wanted to connect to the internet, you had to delete the. DNS zone manually.
Fast forward to today, and the internet and cloud services seem omnipresent. The default . DNS zone has disappeared from Windows Server, but the concepts of trees and forests in Active Directory has persisted, and they still allow for some confusion among Active Directory admins.
To explain domains, trees, and forests in Active Directory, we need to acknowledge Active Directory's past. To create anything in Active Directory, you'll need to create a domain. It starts with the name. For a hypothetical organization, Lucern Publishing, four typical domain names would be as follows:
Table 1.1 – Typical domain names
The first two options are the preferred options, as they adhere to RFC 822 (https://www.w3.org/Protocols/rfc822). The third option is a common option but doesn't comply with RFC 2606 (https://tools.ietf.org/html/rfc2606) and should be avoided. The fourth option is a typical single-label domain. They are usually the result of a common error among Active Directory admins migrating from Windows NT 4 Server's model to Active Directory. Products that once supported Windows NT 4 Server's single-label domains are no longer around, or they no longer support single-label domain names, including Microsoft.
Lucern Publishing may be quite a successful organization, so they might expand their operations from Switzerland to Europe, North America, and Asia. For reasons that we'll discuss later, they might want to separate Active Directory domains for each of their territories, but they want them to keep working together like one organization. This is where a domain tree comes into play. Now, Lucern Publishing might choose to create three subdomains under lucernpub.com:
eu.lucernpub.comusa.lucernpub.comasia.lucernpub.comThey've created a tree of Active Directory domains, sharing the same DNS namespace. Of course, Lucern Publishing might also choose to create multiple trees, next to the lucernpub.com domain or tree, to accommodate an organizational layout with different names for their global expansions, such as Austin Publishing and Wuhan Publishing. In this case, it will make sense to create separate domains such as austinpub.com and wuhanpub.com. Effectively, Lucern Publishing will create three trees this way, belonging to the same Active Directory forest. Yes, some Active Directory environments are large structures with many large trees, but the default Active Directory forest consists of just one tree, with one Active Directory domain.
In this chapter, we'll discuss the reasoning behind creating domains and forests. We'll also discuss userPrincipalName (UPN) suffixes and trusts. The goal of this chapter is to help you make the right choices in terms of your Active Directory structure.
The following recipes are covered in the chapter:
Choosing between a new domain or forestListing the domains in your forestUsing adprep.exe to prepare for new Active Directory functionalityRaising the domain functional level to Windows Server 2016Raising the forest functional level to Windows Server 2016Creating the right trustRemoving a trustVerifying and resetting a trustSecuring a trustExtending the schemaEnabling the Active Directory Recycle BinManaging UPN suffixesBefore going through these recipes, we will look at a few aspects that you will need to know for this chapter.
Let's begin!
In organizations, sometimes, an expansion or business change requires changes in Active Directory too. In Active Directory terms, the change might require creating a new Active Directory domain or a new Active Directory forest. In this recipe, we'll look at the reasoning between these two choices, taking the entire life cycle of Active Directory into consideration.
A new Active Directory domain – as either a subdomain of an existing domain or a new domain tree in an existing forest – provides a boundary.
The boundary of domains in Active Directory relates to the following:
DNS name: An additional domain tree offers the possibility to add a DNS domain name to the organization to, for instance, correctly label a new business venture. An alternative might be to add an additional UPN suffix.Domain DNS zones replication: Throughout an Active Directory forest, all domain controllers replicate to exchange information on objects, schemas, and configuration. Between domains, a distinction can be made to limit the replication of information on Active Directory-integrated DNS zones. That way, this information is only replicated within the domain.Password and account lock-out policies: Fine-grained password and account lock-out policies can only be applied within an Active Directory domain. The information can be viewed by any account in the domain. If you want to shield this information or create separate policies, an additional domain is the route to go.Group Policy: Group Policy Objects (GPOs) only replicate within a domain. The only exception is the GPOs that are linked to Active Directory sites; these are copied between domains instead since Active Directory sites are created at the forest level.However, the boundary of domains in Active Directory does not include the following:
An Active Directory schemaThe scope of the Enterprise Admins groupEssentially, a new Active Directory domain is an administrative boundary, which you can create for an organization to allow for delegated management.
Microsoft's advice is to keep Active Directory as simple as possible. When you create additional domains, the organization ends up with the following:
At least two additional domain controllersActive Directory trusts between the current domain(s) and the new domainAn increase in administrative burdenA new Active Directory forest is basically a completely new Active Directory environment. When you create it, it does not have a relationship with an existing Active Directory environment, unless you choose to create Active Directory trusts afterward.
Since the new Active Directory forest is separate, a boundary is created for the following reasons:
Schema and configuration partitions: The schema and configuration partitions hold information on the way that objects can be created, what attributes are required for these objects, what attributes are optional for these objects, and the domains within the forest. Since many applications require Active Directory schema extensions, introducing a legacy or cutting-edge application might result in schema conflicts. In these types of scenarios, creating an additional Active Directory forest is the best way forward. An alternative might be to add an Active Directory Lightweight Directory Services (AD-LDS) instance to the environment.Global catalog replication: Domain controllers with the additional global catalog role hold partial information on the most requested attributes for objects in Active Directory. With multiple global catalogs, the information is replicated throughout the forest. To shield this information, an additional Active Directory forest can be created.Forest DNS zones replication: To overcome the default boundary for Active Directory-integrated DNS zones, the Forest DNS zone replication scope, an additional Active Directory forest can be created.When requirements apply in terms of schemas or replication, creating an Active Directory forest is the right choice. One thing that might be good here is to state that the forest is a security boundary as well as an administrative boundary.
Additionally, since the forest is a separate environment, by default, it can also be separated afterward. In acquisition and divestiture scenarios that can be overseen for the life cycle of Active Directory, an Active Directory forest is also the right choice.
A separate Active Directory environment, of course, requires double the administrative effort of Active Directory admins. Additionally, since the environments are separate, creating an address list in Microsoft Exchange Server or sharing common applications, services, and/or systems can be challenging.
Now we can look at the recipes covered in this chapter.
In an Active Directory environment with multiple domains and forests, it can be hard to distinguish the trees from the forest. As authentication is often per forest, an easy way to list the domains per forest is welcome.
Alas, the only reliable way to list the domains in a forest is to use PowerShell.
For this recipe, we'll need one of the following:
A domain controller running Windows Server 2012 with Desktop Experience (or a newer version of Windows Server)A domain-joined member server running Windows Server 2012 with Desktop Experience (or a newer version of Windows Server) with the Active Directory module for Windows PowerShell installedA domain-joined device running Windows 8.1 (or a newer version of Windows) with the Active Directory module for Windows PowerShell installedOn domain controllers running Windows Server 2012 with Desktop Experience (and on newer versions of Windows Server), the Active Directory module for the Windows PowerShell feature is automatically installed, when promoted to a domain controller.
On domain controllers running Server Core installations of Windows Server 2012 (and on newer versions of Windows Server), the availability of the Active Directory module for Windows PowerShell depends on the -IncludeManagementTools option for the Install-WindowsFeature Windows PowerShell cmdlet used to install the Active Directory Domain Services role.
To install the Active Directory module for Windows PowerShell on a Windows Server with Desktop Experience, perform the following steps:
Press Start.Search for Server Manager and select it from the search results or run servermanager.exe. The Server Manager window appears.In the top gray pane, click Manage.Select Add Roles and Features from the context menu.In Add Roles and Features Wizard, click Next > until you reach the Select Features screen.On the Select Features screen, scroll down in the list of features until you reach Remote Server Administration Tools.Expand Remote Server Administration Tools.Expand Role Administration Tools.Expand AD DS and AD LDS Tools.Select the Active Directory module for Windows PowerShell feature:Figure 1.1 – The Active Directory module for Windows PowerShell feature in the Add Roles and Features Wizard
Click Next > until you reach the Confirm installation selections page.Click Install.Click Close.To install the Active Directory module for Windows PowerShell on the command line of a Server Core installation of Windows Server, run these two commands:
PowerShell.exe
Install-WindowsFeature RSAT-AD-PowerShell
To install the Active Directory module for Windows PowerShell on a device running Windows 8.1 and Windows 10 prior to version 1809, download the separately available Remote Server Administration Tools (RSAT) package for your version of Windows. After you install the package, all the RSAT will be available, including the Active Directory module for Windows PowerShell.
To install the Active Directory Domain Services and Lightweight Directory Services tools, including the Active Directory module for Windows PowerShell, on a device running Windows version 1809 (and newer versions of Windows), perform these steps:
Right-click Start.Select the Apps and Features option from the context menu. The Apps and Features screen from Settings appears.Follow the Optional features link.On the Optional features screen, click the Add a feature button at the top. The Add a feature pop-up window appears.Search for RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.Select the item from the search results.Click Install to install the feature and close the Add a feature pop-up window.After the tools have been installed, close the Apps and Features screen.Alternatively, on devices running Windows 10 version 1809 (and newer versions of Windows), you can use the following line of Windows PowerShell to install the Active Directory Domain Services and Lightweight Directory Services tools, including the Active Directory module for Windows PowerShell:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
To list all the domains in a forest, use an account that is a member of the Enterprise Admins group in Active Directory.
On the system, start an elevated Windows PowerShell window or Windows PowerShell ISE window using the domain credentials for any domain account.
Then, type the following line of Windows PowerShell:
Get-ADForest | Select-Object domains
The output of this line of Windows PowerShell lists all Active Directory domains.
We use the Get-ADForest cmdlet from the Active Directory module to get the information for the current Active Directory forest. Then, we pipe the output of that command to select only the domains, since that's what we're after.
You can now make the best choices for implementing new domains and/or forests, and/or decommissioning domains and/or forests.
The Active Directory schema defines the way that objects can be created, and what attributes are required or are optional for these objects. With previous versions of Windows Server, the base schema has been improved and extended.
Many features require certain schema versions for Active Directory. For instance, when you want to deploy a Windows Server 2016-based Active Directory Federation Services (AD FS) farm, you'll need the Windows Server 2016 schema or a higher version of the schema.
Since Windows Server 2012, Microsoft updates the Active Directory schema automatically when you promote the first Windows Server 2012-based member server to an Active Directory domain controller.
However, consider what will happen if you want to do any of the following:
Update the Active Directory schema only, because your organization doesn't want domain controllers running the latest version.Delegate the promotion of the first domain controller to a less-privileged user, instead of an admin that is a member of the Schema Admins group.Control the proper replication of the schema update to all domain controllers, before promoting the first domain controller.Avoid the default time-out that the Active Directory Configuration Wizard provides for proper replication.Perform all Active Directory preparations, including the Group Policy preparation step.In these situations, you'll want to update the Active Directory schema manually, using adprep.exe from the Windows Server installation media.
Copy the entire contents of the \support\adprep folder from the Windows Server installation media to a temporary folder on your system's hard disk.
The Active Directory preparation process consists of four separate stages. You'll need an account with the following group memberships for each stage:
Table 1.2 – Required permissions per Active Directory preparation step
Start Command Prompt in the File Explorer window of the folder that you've copied the files to.
You can simply type cmd in the address bar to achieve this.
The Active Directory preparation process consists of four separate stages:
Preparing the forestPreparing the forest for RODCsPreparing the domainUpdating filesystem / Active Directory permissions on existing GPOsAfter these steps, you'll want to check proper Active Directory replication.
Perform these steps to prepare the Active Directory forest:
To prepare the Active Directory forest, run the following command:adprep.exe /forestprep /forest lucernpub.com /user EntAdmin /userdomain lucernpub.com /password P@ssw0rd
Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.
Next, type c, followed by Enter to continue.The following line at the end of the output indicates the successful preparation of the Active Directory forest:
Adprep successfully updated the forest-wide information
When you see the preceding line appear, you can continue with the next step.
The /rodcprep switch for adprep.exe triggers the preparation of the forest for RODCs. This action only needs to be performed when the intention is to run RODCs in the Active Directory forest:
To prepare the Active Directory forest for RODCs, run the following command:adprep.exe /rodcprep /forest lucernpub.com /user DomAdmin /userdomain lucernpub.com /password P@ssw0rd
Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.
The following line at the end of the output indicates the successful preparation of the Active Directory forest for RODCs:Rodcprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\Windows\debug\adprep\logs\<date> for more information.
When you see the preceding line appear, you can continue with the next step.
Perform these steps to prepare the domain:
To prepare the Active Directory domain, run the following command:adprep.exe /domainprep /domain lucernpub.com /user DomAdm /userdomain lucernpub.com /password P@ssw0rd
Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.
The following line at the end of the output indicates the successful preparation of the Active Directory domain:Adprep successfully updated the domain-wide information
When you see the preceding line appear, you can continue with the next step.
Group Policy preparation, as part of adprep.exe, adds two pieces of functionality to Active Directory:
Cross-domain planning functionality for Group PolicyResultant Set of Policy (RSoP) planning modeGPOs are stored in both the System Volume (SYSVOL) and Active Directory. Both locations require an update of the permissions for existing GPOs, to take advantage of the preceding functionality.
If the Active Directory domain already contains custom or delegated permissions, Group Policy preparation kicks off the replication of all Group Policy files in the SYSVOL and may deny the functionality of RSoP to delegated admins until their permissions are recreated.
Note
Group Policy preparation does not need to be run with every upgrade. Admins need to run Group Policy preparation only once, and they only need to run it if an Active Directory domain has run on Windows 2000 Server-based domain controllers at one point in its existence. If an environment was created with domain controllers running Windows Server 2003, or newer versions of Windows Server, the Group Policy preparation step can be skipped.
To update filesystem and Active Directory permissions for GPOs, run the following command:
adprep.exe /domainprep /gpprep /domain lucernpub.com /user DomAdm /userdomain lucernpub.com /password P@ssw0rd
Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.
The following line at the end of the output indicates the successful preparation of the Active Directory domain:
Adprep successfully updated the Group Policy Object (GPO) information.
When done with the preparation steps, the Active Directory schema base version should be upgraded to a higher number, corresponding to the new schema version.
The following table shows the version numbers in accordance with the Active Directory level:
Table 1.3 – Schema version per Windows Server version
You can manually check the schema version per domain controller with the following command from any of your domain controllers:
repadmin.exe /showattr * "cn=schema,cn=configuration,dc=lucernpub,dc=com" /atts:objectVersion
Replace lucernpub and com with values for your Active Directory environment.
When all domain controllers report the same schema version, the Active Directory preparation has replicated successfully to all domain controllers.
In Windows Server 2012 (and later versions), the entire Active Directory preparation process is automated. When you promote a Windows Server 2012-based member server (or any newer version of Windows Server) to an additional domain controller for a domain or upgrade a domain controller running a previous version to Windows Server 2012 (or any newer version of Windows Server), the Active Directory Domain Services Configuration Wizard determines whether the environment needs to be prepared as part of the promotion process.
Larger organizations often separate the schema or preparation work from the actual domain controller-promotion process work to minimize risk, adhere to small change windows, and more.
However, adprep.exe is still available to prepare the Active Directory forest and/or Active Directory domain(s) manually.
Windows Server 2022 is the first Windows Server version that does not require a schema upgrade since Active Directory was released with Windows 2000 Server.
Unless there are compelling reasons not to, preparing for the latest available Active Directory schema version is the recommended approach. A reason not to do this is when an organization doesn't want to enable the promotion of the latest version(s) of Windows Server to domain controllers in a delegated environment.
When implementing new Active Directory domain controllers and removing domain controllers running previous versions of Windows Server, many admins forget to raise the Active Directory domain functional level (DFL) to the earliest Windows Server version still running as domain controllers. After upgrading all domain controllers from Windows Server 2008 R2 to Windows Server 2012 R2, for instance, they would not raise the DFL to Windows Server 2012 R2 but keep it at the Windows Server 2008 R2 level.
It's a shame, really, because many new Active Directory features and optional Active Directory features are only available when the functional level is raised. Furthermore, the DFL dictates the lowest version of Windows Server that admins can use to promote new domain controllers. In addition, since Windows Server 2008 R2, the DFL can also be reverted, as long as no new optional features have been enabled and the Active Directory forest functional level (FFL) is the same as the DFL that you want to revert to, or lower.
The Windows 2016 domain is the highest available DFL for Active Directory; there is no Windows 2019 or Windows Server 2022 domain level.
From an Active Directory point of view, the Windows Server 2008 DFL (or any newer version of the DFL), is required when you want to deploy Windows Server 2016-based domain controllers and domain controllers running newer versions of Windows Server. Additionally, DFS replication needs to be in use to replicate the SYSVOL.
Microsoft recommends raising the DFL from the Active Directory domain controller that holds the Primary Domain Controller (PDC) Emulator Flexible Single Master Operations (FSMO) role.
To locate this domain controller, run the following command on any domain-joined device, member server, or domain controller:
netdom.exe query fsmo
Alternatively, use the following line of PowerShell on a domain-joined system that has the Active Directory module for Windows PowerShell installed:
Get-ADDomain | Format-List PDCEmulator
Use an account that is a member of the Domain Admins group in the Active Directory domain for which you want to raise the DFL.
On domain controllers running Windows Server with the Desktop Experience, perform the following steps:
Sign in to the domain controller holding the PDC Emulator FSMO role.Press Start.Search for Active Directory Domains and Trusts and select it from the search results or run domain.msc. The Active Directory Domains and Trusts window appears.In the left navigation pane, right-click the domain for which you want to raise the functional level, and then click Raise Domain Functional Level. The Raise domain functional level window appears:Figure 1.2 – The Raise domain functional level window
From the Select an available forest functional level drop-down list, select the desired DFL, and then click Raise.The Raise domain functional level pop-up screen appears, stating that this change affects the entire domain and that after you raise the DFL, it is possible that you may not be able to reverse it. Click OK. This raises the DFL to the desired level.Another Raise domain functional level pop-up screen appears, stating that the DFL was raised successfully. Click OK to acknowledge.Alternatively, you can use the following PowerShell command:
Set-ADDomainMode lucernpub.com Windows2016Domain
Replace lucernpub.com with values for your Active Directory environment.
Even when under time pressure, you'll want to check for the proper replication of changes to Active Directory functional levels before making any other changes in Active Directory that might depend on them. Especially in large environments with elaborate replication technologies, replication might take a while.
To check for the proper replication of changes to Active Directory functional levels, use the following command:
repadmin.exe /showattr *.lucernpub.com "dc=lucernpub,dc=com" /atts:msDS-Behavior-Version
Replace lucernpub.com, lucernpub, and com with values for your Active Directory environment.
The command checks the value for the msDS-Behavior-Version attribute on each of the domain controllers in the Active Directory domain and returns the value.
The following table shows the msDS-Behavior-Version attribute value per Active Directory DFL:
Table 1.4 – msDS-Behavior-Version attribute values per Active Directory DFL
The output shows the domain controllers that are replicating a change from a lower value to a higher value. When each domain controller returns the same value, the DFL has successfully replicated throughout the Active Directory environment.
When a domain controller operates, it references the DFL to know how it can optimally interoperate with other domain controllers in the Active Directory domain. Additionally, when you want to enable optional Active Directory features, the msDS-Behavior-Version attribute is referenced to see whether it's a permissible action.
If there is a domain controller running a version of Windows Server that does not meet the requirements of a certain DFL, the level is grayed out in the Active Directory Domains and Trusts console and the level may not be raised to the desired level. In this case, when you try to raise the DFL using Windows PowerShell or other programmatic means, it will error out.
Just like the Active Directory DFL, the FFL also determines the availability of new Active Directory functionality. Where the DFL dictates the minimum version of Windows Server to run as domain controllers, the FFL dictates the minimum version of the DFL in the Active Directory forest.
The new functionality that is unlocked by raising the FFL includes the following:
Privileged Access Management (PAM), which requires the Windows Server 2016 FFLActive Directory Recycle Bin, which requires the Windows Server 2008 R2 FFLLinked-value replication, which requires the Windows Server 2003 FFLMicrosoft recommends raising the FFL from the Active Directory domain controller that holds the Domain Naming Master FSMO role.
To locate this domain controller, run the following command on any domain-joined device, member server, or domain controller:
netdom.exe query fsmo
Alternatively, use the following line of Windows PowerShell on a domain-joined system that has the Active Directory module for Windows PowerShell installed:
Get-ADForest | Format-List DomainNamingMaster
Use an account that is a member of the Enterprise Admins group in the Active Directory forest for which you want to raise the FFL.
On domain controllers running Windows Server with the Desktop Experience, perform the following steps:
Sign in to the domain controller holding the Domain Naming Master FSMO role.Press Start.Search for Active Directory Domains and Trusts and select it from the search results or run domain.msc. The Active Directory Domains and Trusts window appears.In the left navigation pane, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level. The Raise forest functional level window appears:Figure 1.3 – The Raise forest functional level window
From the Select an available forest functional level drop-down list, select the desired FFL, and then click Raise.The Raise forest functional level pop-up screen appears, stating that this change affects the entire forest and that after you raise the FFL, it is possible that you may not be able to reverse it. Click OK. This raises the FFL to the desired level.Another Raise forest functional level pop-up screen appears, stating that the FFL was raised successfully. Click OK to acknowledge.Alternatively, you can use the following line of Windows PowerShell:
Set-ADForestMode lucernpub.com Windows2016Forest
Replace lucernpub.com with values for your Active Directory environment.
When a domain controller operates, it references the FFL to know how it can optimally interoperate with other domain controllers in the Active Directory forest. Additionally, when you want to enable optional Active Directory features, the msDS-Behavior-Version attribute is referenced to see whether it's a permissible action.
When a new Active Directory domain is added to an Active Directory forest, the available DFLs for the domain are shown, based on the msDS-Behavior-Version attribute for the forest too.
If there is a domain running a DFL that does not meet the requirements of a certain FFL, the level is grayed out in the Active Directory Domains and Trusts console and the level cannot be raised to this level. When you try to raise the FFL using Windows PowerShell or other programmatic means, it will error out.
In an Active Directory environment with multiple domains, you're bound to have trusts. Trusts allow people to access resources in a domain or forest other than the domain or forest where their user accounts reside.
When Active Directory domains are added to an existing Active Directory domain, two-way transitive trusts are automatically created. However, in other situations, trusts have to be created manually. With many different types of trusts, two trust directions, and a choice in transitivity, which trust is the right trust for which situation?
Let's look at the six types of trust first:
Parent-child trust: The parent-child trust is a trust type that is automatically created when you add a domain to a tree root. For example, a parent-child trust is automatically created between adatum.com and sub.adatum.com. You cannot manually create a parent-child trust.Tree-root trust: The tree-root trust is a trust type that is also automatically created, just like the parent-child trust. However, the tree-root trust is created when you add a new domain tree to an Active Directory forest; for example, when you add the domain to a forest that contains only the adatum.com domain. The difference between the tree-root trust and the parent-child trust is that with the former, you break the domain tree, whereas, with the latter, you expand on it. You cannot manually create a tree-root trust.Forest trust: A forest trust is a trust type that you will have to create manually. When accounts in two separate Active Directory forests require access to each other's resources, then this is the right trust type to create between the two forest root domains. Creating a forest trust is highly preferable over creating an external trust, because the latter only supports older authentication schemes, whereas a forest trust supports Kerberos authentication.Realm trust