Equip yourself with the most complete and comprehensive preparation experience for Identity with Windows Server 2016: Microsoft 70-742 exam.
Book Description
MCSA: Windows Server 2016 certification is one of the most sought-after certifications for IT professionals, which includes working with Windows Server and performing administrative tasks around it. This book is aimed at the 70-742 certification and is part of Packt's three-book series on MCSA Windows Server 2016 certification, which covers Exam 70-740, Exam 70-741, and Exam 70-742.
This exam guide covers the exam objectives for the 70-742 Identity with Windows Server 2016 exam. It starts with installing and configuring Active Directory Domain Services (AD DS), managing and maintaining AD DS objects and advanced configurations, configuring Group Policy, Active Directory Certificate Services, and Active Directory Federation Services and Rights Management. At the end of each chapter, convenient test questions will help you in preparing for the certification in a practical manner.
By the end of this book, you will be able to develop the knowledge and skills needed to complete MCSA Exam 70-742: Identity with Windows Server 2016 with confidence.
Who this book is for
This book primarily targets system administrators who want to gain knowledge of identity and access technologies in Windows Server 2016 and are aiming to pass the 70-742 certification. It will also help infrastructure administrators who are looking for advanced knowledge and understanding of identity and access technologies in Windows Server 2016. Familiarity with concepts such as Active Directory and DNS is assumed.
You can read the e-book in Legimi apps or in any app that supports the following format:
Page count: 205
Year of publication: 2019
Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Kartikey Pandey
Acquisition Editor: Shrilekha Inani
Content Development Editor: Ronn Kurien
Technical Editor: Aditya Khadye
Copy Editor: Safis Editing
Language Support Editor: Mary McGowan
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Graphics: Tom Scaria
Production Coordinator: Deepika Naik
First published: January 2019
Production reference: 1310119
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-83855-513-9
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Vladimir Stefanovic is a Microsoft Certified Trainer (MCT) and system engineer with more than 10 years of experience in the IT industry. Over his IT career, Vladimir has worked in all areas of IT administration, from IT technician to his current system engineer position. As a lead system engineer at Serbian IT company SuperAdmins and lead technician trainer at Admin Training Center, he successfully delivered numerous projects and courses. He is also an active conference speaker, having spoken at a long list of conferences, such as MCT Summits (in the USA, Germany, and Greece), ATD, WinDays, KulenDayz, and Sinergija (Regional Conferences). He is the leader of a few user groups and is an active community member, with the mission to share knowledge as much as possible.
Sasha Kranjac is a security and Azure expert and instructor with more than two decades of experience in the field. He began programming in Assembler on Sir Clive Sinclair's ZX, met Windows NT 3.5, and the love has existed ever since. Sasha owns an IT training and consulting company that helps companies and individuals to embrace the cloud and be safe in cyberspace. He is a Microsoft MVP, MCT, MCT Regional Lead, Certified EC-Council Instructor (CEI), and currently holds more than 60 technical certifications. Sasha is a frequent speaker at various international conferences, and is a consultant and trainer for some of the largest Fortune 500 companies.
Mustafa Toroman is a program architect and senior system engineer with Authority Partners. With years of experience in designing and monitoring infrastructure solutions, he has lately focused on designing new solutions in the cloud and migrating existing solutions to the cloud. He is very interested in DevOps processes and is also an Infrastructure-as-Code enthusiast. Mustafa holds over 30 Microsoft certifications and has been an MCT for the last 6 years. He often speaks at international conferences about cloud technologies, and he has been awarded MVP for Microsoft Azure for the last three years in a row. Mustafa also authored Hands-On Cloud Administration in Azure and co-authored Learn Node.js with Azure, both published by Packt.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Identity with Windows Server 2016: Microsoft 70-742 MCSA Exam Guide
About Packt
Why subscribe?
Packt.com
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Reviews
Installing and Configuring Active Directory
Introduction to Active Directory
Logical components
Partitions
Schemas
Domains
Domain trees
Forests
Sites
Organizational Units
Containers
Physical components
Domain controllers
Read-only domain controllers
Data stores
Global catalogs
What's new in AD DS in Windows Server 2016
AD DS administration tools
Installing and configuring the Active Directory
Installing a new forest and domain controller
Installing a new forest (GUI)
Installing a new forest on a Server Core installation
Installing a domain controller from Install from Media (IFM)
Removing a domain controller from a domain
Upgrading a domain controller
In-place upgrade
Domain-controller migration
Configuring a global catalog server
Transferring and seizing operation master roles
Transferring FSMO roles
Seizing FSMO roles
Installing and configuring a read-only domain controller (RODC)
Configuring domain controller cloning
Active Directory users and computers
Creating and managing users accounts
Creating and managing computer accounts
Configuring templates
Performing bulk Active Directory operations
Implementing offline domain joins
Managing accounts
Active Directory groups and organizational units
Creating, configuring, and deleting groups
Configuring group nesting
Converting groups
Managing group membership using Group Policy
Enumerating group memberships
Automating group-membership management using Windows PowerShell
Delegating the creation and management of Active Directory groups
Active Directory containers
Creating, configuring, and deleting OUs
Summary
Questions
Further reading
Managing and Maintaining Active Directory
Active Directory authentication and account policies
Creating and configuring managed service accounts
Configuring Kerberos Constrained Delegation (KCD)
Managing service principal names (SPNs)
Configuring domain and local user password policy settings
Configuring and applying Password Settings Objects (PSOs)
Delegating password settings management
Configuring account lockout policy settings
Configuring the Kerberos policy settings within the group policy
Configuring authentication policies
Maintaining AD
Backing up AD and SYSVOL
Restoring AD
Non-authoritative restoration
Authoritative restoration
Managing the AD offline
Performing the offline defragmentation of an AD database
Configuring AD snapshots
Performing object-level and container-level recovery
AD Recycle Bin (configuring and restoring objects)
Configuring the Password Replication Policy (PRP) for RODC
Monitoring and managing replication
AD in enterprise scenarios
Configuring a multi-domain and multi-forest AD infrastructure
Upgrading existing domains and forests
Configuring the domain and forest functional levels
Configuring multiple user principal name (UPN) suffixes
Configuring external, forest, shortcut, and realm trusts
Configuring trust filtering
SID filtering
Selective authentication
Named suffix routing
Configuring sites and subnets
Creating and configuring site links
Moving domain controllers between sites
Summary
Questions
Further reading
Creating and Managing Group Policy
Creating and managing GPOs
Introduction to Group Policy
Managing starter GPOs
Configuring GPO links
Configuring multiple Local Group Policy
Backing up, importing, copying, and restoring GPOs
Resetting default GPOs
Delegate Group Policy management
Detecting health issues using Group Policy
Understanding Group Policy processing
Configuring the processing order and precedence
Configuring inheritance blocking
Configuring enforced policies
Configuring security filtering and WMI filtering
Configuring loopback processing
Configuring Group Policy caching
Forcing a Group Policy update
Configuring Group Policy settings and preferences
Defining network drive mappings
Configuring custom registry settings
Configuring the Control Panel settings
Configuring folder redirections
Configuring shortcut deployment
Configuring item-level targeting
Summary
Questions
Further reading
Understanding and Implementing Active Directory Certificate Services
Installing and configuring AD CS
An overview of AD CS
Installing Active Directory Integrated Enterprise Certificate Authority
Installing offline roots and subordinate CAs
Configuring Offline Root CA
Configuring the subordinate CA
Installing Standalone CAs
Configuring Certificate Revocation List (CRL) distribution points
Installing and configuring Online Responder
Implementing administrative role separation
Configuring CA backup and recovery
Backing up CA
Restoring CA
Managing certificates and templates
Managing certificates
Managing certificate templates
Implementing and managing certificate deployment, validation, and revocation
Managing certificate renewal
Managing AD CS
Configuring and managing key archival and recovery
Summary
Questions
Further reading
Understanding and Implementing Federation and Rights Management
Installing and configuring Active Directory Federation Services (AD FS)
AD FS overview
Upgrading and migrating AD FS workloads to Windows Server 2016
Installing AD FS
Upgrading AD FS
Implementing claim-based authentication and relying party trust
Implementing and configuring device registration
Configuring AD FS for use with Microsoft Azure and Office 365
Installing and configuring Web Application Proxy
Installing and configuring WAP
Implementing WAP in pass-through mode and as AD FS proxy
Pass-through pre-authentication
AD FS pre-authentication
Publishing Remote Desktop Gateway applications
Installing and configuring the Active Directory Rights Management Services (AD RMS)
AD RMS overview
AD RMS certificates
How AD RMS works
Deploying the AD RMS Cluster
Managing AD RMS Service Connection Point (SCP)
Managing AD RMS templates
Configuring Exclusion Policies
Backing up and restoring AD RMS
Summary
Questions
Further reading
Assessments
Chapter 1: Installing and Configuring Active Directory
Chapter 2: Managing and Maintaining Active Directory
Chapter 3: Creating and Managing Group Policy
Chapter 4: Understanding and Implementing Active Directory Certificate Services
Chapter 5: Understanding and Implementing Federation and Rights Management
Welcome to Identity with MCSA Windows Server 2016 Certification Guide: Exam 70-742. This book is designed to give you a deep understanding of identity solutions in Windows Server 2016 and to prepare you for Exam 70-742: Identity with Windows Server 2016, which is part of the MCSA: Windows Server 2016 certification. The book starts with the installation and configuration of Active Directory Domain Services (AD DS) and then covers implementing and managing Active Directory services in advanced scenarios. Group Policy and GPO implementation are explained, as is the use of Active Directory Certificate Services (AD CS) to manage certificates in a domain environment. Finally, Active Directory Federation Services (AD FS), Microsoft's implementation of federated identity, and Active Directory Rights Management Services (AD RMS), a document-protection solution, are covered.
This book is aimed at anyone who wants to learn about identity in Windows Server 2016 and earn valuable Microsoft certifications. To get the most out of its content, you should have knowledge of Windows Server operating systems and experience of working with them.
Chapter 1, Installing and Configuring Active Directory, gives you a deep understanding of AD DS and of how to install and configure AD DS in different scenarios.
Chapter 2, Managing and Maintaining Active Directory, covers advanced AD DS configuration and services that are tightly related to Active Directory environments, such as Active Directory Domains and Trusts and Active Directory Sites and Services.
Chapter 3, Creating and Managing Group Policy, explains what Group Policy is, how to configure and manage Group Policy Objects (GPOs), and how to implement GPOs in different environments.
Chapter 4, Understanding and Implementing Active Directory Certificate Services, explains the Public Key Infrastructure (PKI) and AD CS and covers how to implement and manage AD CS in Windows Server 2016.
Chapter 5, Understanding and Implementing Federation and Rights Management, covers the implementation and management of Microsoft's federated identity solution, AD FS, and Rights Management solution implementation using AD RMS.
Before you start with this book in order to prepare for Exam 70-742, you should have an understanding of the Active Directory environment and its related services. Experience of configuring Windows Server 2012 and Windows Server 2016 is required to better understand the Active Directory-related services. The following Windows Server roles and services are used in this book:
Active Directory Domain Services (AD DS)
Active Directory Domains and Trusts
Active Directory Sites and Services
Group Policy Management
Active Directory Federation Services (AD FS)
Active Directory Rights Management Services (AD RMS)
Domain Name System (DNS)
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "By default, the location of the AD DS database is C:\Windows\NTDS\ntds.dit."
Any command-line input or output is written as follows:
Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select Operation Masters."
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
Since Windows 2000 Server, Active Directory Domain Services (AD DS) has been the default identity provider for Windows operating systems. AD DS is the central point for authentication and for the management of all AD DS objects, such as user, group, and computer accounts. The AD DS database, the central store of AD DS, holds information about users, groups, computers, services, and all other resources in the AD DS hierarchical structure, and is also known as the directory. AD DS lets us search for objects through the hierarchically organized directory structure and apply configuration and security settings to all Active Directory objects.
In this chapter, you will learn why we need AD DS, the components of AD DS, how AD DS is installed and configured, and how to create and manage AD DS objects.
We will learn about the following topics in this chapter:
Introduction to Active Directory
Installing and configuring Active Directory
Active Directory users and computers
Active Directory groups and organizational units
Every AD DS deployment is composed of both logical and physical components. All components work together, and each has a specific role in the proper functioning of AD DS. In this section, you'll learn what those components are and why they're important. We'll also look at which tools can be used to manage AD DS and at what's new in AD DS in Windows Server 2016.
Knowledge of the logical components is essential for implementing an AD DS design that suits an organization.
The logical and physical components of AD DS are the following:

Logical components:
Partitions
Schema
Domains
Domain trees
Forests
Sites
Organizational units
Containers

Physical components:
Domain controllers
Read-only domain controllers
Data stores
Global catalog servers
Logical components in AD DS are structures that are used to implement AD DS design. Different designs are appropriate for different organizations, so knowledge of logical components and their purpose is very important. In the following section, we'll describe the logical components in more detail.
A partition is a portion of the AD DS database. Although every domain controller keeps all of its directory data in a single file, C:\Windows\NTDS\ntds.dit, that database is logically divided into directory partitions (also called naming contexts). Each partition holds a different kind of data and replicates to a different set of domain controllers:

Schema partition: There is exactly one schema partition per forest. It contains the definitions of every object class and attribute that can exist in the forest and is replicated to every domain controller in the forest.

Configuration partition: This contains the forest-wide AD DS topology, that is, the domains, sites, site links, and domain controllers in the forest. It is also replicated to every domain controller in the forest.

Domain partition: Each domain has its own domain partition, which contains that domain's users, groups, computers, and organizational units. It is replicated to every domain controller in that domain only. Global catalog servers additionally hold a read-only partial replica (a subset of the attributes) of every object in every domain partition in the forest.

Application partition: Applications that store data in AD DS use application partitions; the best-known examples are the DomainDnsZones and ForestDnsZones partitions created by Active Directory-integrated DNS. An application partition replicates only to the domain controllers designated to hold a replica, which can be a domain-wide or a forest-wide set.

Partitions are the unit of replication. The schema and configuration partitions replicate forest-wide, each domain partition replicates only within its own domain, and an application partition replicates to its designated replica set. This matters for security design: anything written to the schema or configuration partition is visible on every domain controller in the forest, while domain data stays inside the domain unless it is part of the global catalog's partial attribute set.
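The replication scope described above can be verified from the directory itself. The following PowerShell script is an added example, not code from the book: it lists every naming context a domain controller knows about, reads the crossRef objects under the Partitions container to classify each partition, and shows which domain controllers hold a replica of each application partition. It assumes the ActiveDirectory RSAT module and an authenticated, domain-joined session; the registry read at the end is only meaningful when run on a domain controller.

```powershell
# Added example (not from the book): inventory the directory partitions of the
# current forest and show which domain controllers hold a replica of each.
# Assumes the ActiveDirectory RSAT module and a domain-joined, authenticated session.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNc = $rootDse.configurationNamingContext

# Every naming context this DC holds (schema, configuration, domain, application NCs).
Write-Host "Naming contexts held by $($rootDse.dnsHostName):"
$rootDse.namingContexts | ForEach-Object { Write-Host "  $_" }

# The Partitions container in the configuration NC holds one crossRef per partition.
# For application partitions, msDS-NC-Replica-Locations lists the NTDS Settings
# objects of the DCs that host a replica; for schema, configuration and domain
# partitions it is empty because the replica scope is implied.
$crossRefs = Get-ADObject -SearchBase "CN=Partitions,$configNc" -SearchScope OneLevel `
    -Filter 'objectClass -eq "crossRef"' `
    -Properties nCName, systemFlags, 'msDS-NC-Replica-Locations', dnsRoot

foreach ($cr in $crossRefs) {
    # systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) marks a domain partition.
    $isDomain = ($cr.systemFlags -band 0x2) -ne 0
    $kind = switch ($true) {
        ($cr.nCName -eq $rootDse.schemaNamingContext)        { 'schema';        break }
        ($cr.nCName -eq $rootDse.configurationNamingContext) { 'configuration'; break }
        $isDomain                                            { 'domain';        break }
        default                                              { 'application' }
    }

    $replicas = if ($cr.'msDS-NC-Replica-Locations') {
        # DN is CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,... so the DC name is the second RDN.
        ($cr.'msDS-NC-Replica-Locations' | ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }) -join ', '
    } elseif ($kind -eq 'domain') {
        "every DC in domain $($cr.dnsRoot)"
    } else {
        'every DC in the forest'
    }

    [pscustomobject]@{
        Partition = $cr.nCName
        Kind      = $kind
        Replicas  = $replicas
    }
}

# Where this DC keeps the single database file that holds all of its partitions
# (default C:\Windows\NTDS\ntds.dit). Only present on a domain controller.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntdsParams) {
    Write-Host "Database file: $((Get-ItemProperty $ntdsParams).'DSA Database file')"
}
```

Reading the Partitions container needs no special rights, so this is a safe first step when assessing an unfamiliar forest: the output tells you immediately which data is forest-wide and which DCs hold custom application partitions that a review might otherwise miss.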
The schema defines every object class and attribute that AD DS can store. Each AD DS object has many attributes, such as its name, sAMAccountName, canonical name, and location, and the schema controls which attributes an object of a given class may have, their syntax, and whether they are replicated to the global catalog. There is one schema per forest; it lives in the schema partition, which every domain controller in the forest replicates. Only the schema master, a forest-wide FSMO role that by default sits on the first domain controller installed in the forest, accepts schema writes, and changes made there replicate to every other domain controller in the forest. The schema can be extended, but it should be changed only when necessary: an untested schema change is forest-wide, can affect every application that uses AD DS, and cannot be undone. A schema change must be made by a member of the Schema Admins group of the forest root domain and must be targeted at the schema master.
Schema changes are one-way. Nothing can be deleted from the schema; a class or attribute can only be added, modified, or deactivated (marked defunct), so a mistake persists for the life of the forest. In most cases, the schema is extended for a specific application. For example, installing Microsoft Exchange Server 2016 requires the Exchange Server 2016 schema extensions; Exchange Setup applies them (Setup /PrepareSchema), and, when it is run by an account with the required forest-level rights, does so automatically as part of installation. Because membership of Schema Admins grants forest-wide change power, a common hardening practice is to keep the group empty and add an account only for the duration of a planned, lab-tested change.
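The pre-flight checks a practitioner runs before a schema extension such as the Exchange one follow directly from the points above: write to the schema master only, know the current schema version, keep Schema Admins empty between changes, and remember that retired definitions are defunct rather than gone. The following PowerShell script is an added example, not from the book; it assumes the ActiveDirectory RSAT module and read access to the forest. The Windows Server 2016 schema version (87) and the Exchange version-marker attribute are stated facts, but your own forest may carry a later version.

```powershell
# Added example (not from the book): schema master, schema version, Schema Admins
# hygiene and defunct definitions, checked before a schema extension.
# Assumes the ActiveDirectory RSAT module and an authenticated domain session.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# 1. Schema writes are accepted only by the schema master, so target it explicitly.
$schemaMaster = $forest.SchemaMaster
Write-Host "Schema master: $schemaMaster"

# 2. objectVersion on the schema head is the forest schema version
#    (87 for a Windows Server 2016 schema; higher after later upgrades).
$schemaHead = Get-ADObject -Identity $schemaNc -Server $schemaMaster -Properties objectVersion
Write-Host "Forest schema version: $($schemaHead.objectVersion)"

# 3. Schema Admins lives in the forest root domain and should be empty outside a
#    change window; any member here holds forest-wide, irreversible change power.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive
if ($schemaAdmins) {
    Write-Warning "Schema Admins is not empty: $(($schemaAdmins | ForEach-Object SamAccountName) -join ', ')"
} else {
    Write-Host 'Schema Admins is empty (expected outside a change window)'
}

# 4. Nothing is ever deleted from the schema; retired classes and attributes are
#    only marked defunct. List what has been deactivated in this forest.
Write-Host 'Defunct schema definitions:'
Get-ADObject -SearchBase $schemaNc -Server $schemaMaster -LDAPFilter '(isDefunct=TRUE)' -Properties lDAPDisplayName |
    ForEach-Object { Write-Host "  $($_.lDAPDisplayName) ($($_.objectClass))" }

# 5. Products that extend the schema leave a version marker. Exchange stores its
#    schema version in rangeUpper on ms-Exch-Schema-Version-Pt; if the object is
#    missing, the schema has never been prepared for Exchange (Setup /PrepareSchema).
$exch = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Server $schemaMaster `
    -Properties rangeUpper -ErrorAction SilentlyContinue
if ($exch) { Write-Host "Exchange schema version (rangeUpper): $($exch.rangeUpper)" }
else       { Write-Host 'Schema has not been extended for Exchange' }
```

Run this before and after the extension and keep both outputs: the version numbers prove the change was applied on the schema master, and the Schema Admins listing shows that the temporary membership was removed again.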
The domain is a logical component that acts as the central administrative boundary for AD DS objects such as users, groups, and computers. Each domain uses its own partition of the AD DS database and can be connected to other domains in a parent-child (tree) structure. Every domain controller in a domain holds a full, writable copy of that domain's partition.
AD DS uses a multi-master replication model. This means that every writable domain controller in the domain can change the objects in the domain, and that change is replicated to all other domain controllers in the domain.
An AD DS domain provides authentication and authorization for domain users. Every time a domain user signs in to a domain-joined computer, a domain controller must authenticate the sign-in. Windows operating systems then use authorization and access-control technologies to decide which resources the authenticated user may access.
Every domain in a forest has some objects and roles that are unique to that domain:

Domain Admins group: By default, every domain has an Administrator account and a Domain Admins group. The Administrator account is a member of Domain Admins, and Domain Admins is, also by default, a member of the local Administrators group on every domain-joined computer, which is why its membership deserves close control.

RID master role: The Relative Identifier (RID) master is a domain-specific FSMO role that allocates pools of RIDs to the domain controllers in the domain. Each domain controller builds the SID of a new security principal (user, group, or computer) from the domain SID plus a RID taken from its local pool, so object creation continues while the RID master is offline and only starts failing once a domain controller exhausts its pool and cannot request a new one.

Infrastructure master role: This domain-specific FSMO role keeps cross-domain object references up to date, for example when a user from another domain is a member of a group in this domain and that user is later renamed or moved; it does this by comparing its domain's references with the global catalog. If the role holder is unavailable, authentication is not affected, but such cross-domain references gradually become stale. The role should not be placed on a global catalog server unless every domain controller in the domain is a global catalog, because a global catalog never sees the out-of-date references the role is meant to fix.

PDC emulator role: The Primary Domain Controller (PDC) emulator is a domain-specific FSMO role with several duties. It is the authoritative time source for its domain; the PDC emulators of the other domains synchronize with the PDC emulator of the forest root domain, which in turn should synchronize with a reliable external source. Password changes made on any domain controller are forwarded to the PDC emulator immediately, and a domain controller that fails to validate a password checks with the PDC emulator before rejecting the sign-in, which also makes it the place where the authoritative bad-password count for account lockout is kept. The PDC emulator is also the domain controller that the Group Policy Management Console targets by default when a GPO is edited, which prevents two administrators from editing the same GPO on different domain controllers at the same time.

Domain controllers do not have a local SAM database with local users and groups (apart from the Directory Services Restore Mode administrator). On a domain controller, the Administrators group is the domain's built-in Administrators group stored in Active Directory, not a local group.
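The failure modes and placement rules in the list above can each be checked from PowerShell. The following script is an added example, not code from the book: it reports the domain-level FSMO holders, decodes the RID pool to show how close the domain is to needing the RID master, flags an infrastructure master placed on a global catalog in a mixed domain, asks the PDC emulator where it gets its time from, and lists the members of the two default administrative groups. It assumes the ActiveDirectory RSAT module, read access to the domain, and, for the time-source check only, WinRM access to the PDC emulator. The Recycle Bin check is included because once that feature is enabled every domain controller performs the infrastructure master's clean-up for itself.

```powershell
# Added example (not from the book): check the three domain-level FSMO roles for
# the conditions described in the text and audit the default admin groups.
# Assumes the ActiveDirectory RSAT module, domain read access and WinRM to the PDC.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

[pscustomobject]@{
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    PDCEmulator          = $domain.PDCEmulator
}

# RID master: hands out RID pools; DCs keep creating objects from their local pool
# while it is down. rIDAvailablePool packs the next RID to hand out (low 32 bits)
# and the ceiling of the domain-wide pool (high 32 bits).
$ridMgr  = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
    -Server $domain.RIDMaster -Properties rIDAvailablePool
$pool    = [long]$ridMgr.rIDAvailablePool
$nextRid = $pool -band 0xFFFFFFFF
$maxRid  = $pool -shr 32
Write-Host ('RIDs issued so far: {0} of {1} ({2:P2} of the pool consumed)' -f $nextRid, $maxRid, ($nextRid / $maxRid))

# Infrastructure master: only needed where some DCs are not global catalogs.
# On a GC in a mixed domain it silently stops updating cross-domain references,
# unless the AD Recycle Bin is enabled (then every DC does that work itself).
$im    = $dcs | Where-Object HostName -eq $domain.InfrastructureMaster
$allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
$recycleBinOn = (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes.Count -gt 0
if ($im.IsGlobalCatalog -and -not $allGc -and -not $recycleBinOn) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC while other DCs are not; move the role to a non-GC DC"
} else {
    Write-Host "Infrastructure master placement OK (all DCs are GCs: $allGc; Recycle Bin: $recycleBinOn)"
}

# PDC emulator: the whole domain chains its time off it, so it must not be
# free-running. w32tm only answers about the local machine, so ask the PDC itself.
$src = Invoke-Command -ComputerName $domain.PDCEmulator -ScriptBlock { w32tm /query /source }
Write-Host "PDC emulator time source: $src"
if ($src -match 'Local CMOS Clock|Free-running') {
    Write-Warning 'PDC emulator is not synchronised to an external time source'
}

# Default privileged groups: Domain Admins is in the local Administrators group of
# every domain member; on DCs there is no local SAM, so "Administrators" here is
# the domain's built-in group. Review both, including nested members.
foreach ($g in 'Domain Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $g -Recursive | ForEach-Object SamAccountName)
    Write-Host ('{0} ({1} members): {2}' -f $g, $members.Count, ($members -join ', '))
}
```

The RID figure is worth tracking over time: a pool that is being consumed unexpectedly fast points at runaway object creation, which is also what a bulk account-creation attack looks like, and the domain cannot create any new security principal once the pool is exhausted.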
A domain tree is a hierarchical collection of domains in the same forest that share the same root domain name. In the domain tree structure, AD DS domains are organized as parent-child domains.
