Mastering Active Directory - Dishan Francis - E-Book

Description

Active Directory is a centralized and standardized system that automates networked management of user data, security, and distributed resources and enables interoperation with other directories. If you are aware of Active Directory basics and want to gain expertise in it, this book is perfect for you.
We will quickly go through the architecture and fundamentals of Active Directory and then dive deep into the core components, such as forests, domains, sites, trust relationships, OU, objects, attributes, DNS, and replication. We will then move on to AD schemas, global catalogs, LDAP, RODC, RMS, certificate authorities, group policies, and security best practices, which will help you gain a better understanding of objects and components and how they can be used effectively. We will also cover AD Domain Services and Federation Services for Windows Server 2016 and all their new features. Last but not least, you will learn how to manage your identity infrastructure for a hybrid-cloud setup. All this will help you design, plan, deploy, manage operations on, and troubleshoot your enterprise identity infrastructure in a secure, effective manner.
Furthermore, I will guide you through automating administrative tasks using PowerShell cmdlets. Toward the end of the book, we will cover best practices and troubleshooting techniques that can be used to improve security and performance in an identity infrastructure.

You can read the e-book in the Legimi apps or in any app that supports the following format:

EPUB

Number of pages: 741

Year of publication: 2017




Mastering Active Directory
Automate tasks by leveraging PowerShell for Active Directory Domain Services 2016
Dishan Francis

BIRMINGHAM - MUMBAI

Mastering Active Directory

Copyright © 2017 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: June 2017

Production reference: 1280617

Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.

ISBN 978-1-78728-935-2

www.packtpub.com

Credits

Author

Dishan Francis

Copy Editors

Yesha Gangani

Alpha Singh

Stuti Srivastava

Madhusudan Uchil

Reviewers

Daniel Dieterle

David Green

Florian Klaffenbach

Paul Silva

Project Coordinator

Virginia Dias

Acquisition Editor

Heramb Bhavsar

Proofreader

Safis Editing

Content Development Editor

Sweeny Dias

Indexer

Rekha Nair

Technical Editors

Komal Karne

Vishal Kamal Mewada

Khushbu Sutar

Graphics

Kirk D'Penha

Production Coordinator

Aparna Bhagat

About the Author

Dishan Francis is a technology consultant with 12-plus years of experience in the planning, design, and implementation of network technologies. His background includes hands-on experience with multiplatform and LAN/WAN environments. He has a demonstrated record of success in troubleshooting servers, increasing efficiency, and optimizing the access to and utilization of shared information. He is a specialist in extending technology services from corporate headquarters to field operations.

Dishan is a dedicated and enthusiastic information technology expert who enjoys professional recognition and accreditation from several respected institutions. When it comes to managing innovative identity infrastructure solutions to improve system stability, functionality, and efficiency, his level of knowledge and experience place him among the very best in the field.

He is a three-time Microsoft Most Valuable Professional Awardee in Enterprise Mobility. He is also a Microsoft Imagine Cup judge. He has maintained a technology blog called www.rebeladmin.com over the years, with useful articles that focus on Active Directory services. Also, he spends his free time mentoring students and professionals. He currently works with Frontier Technology Limited.

Acknowledgement

It was a dream to write a book one day, but I didn't expect it to happen this soon. I was writing for my blog and for Microsoft blogs for years, but it is not the same when it comes to a book. Although I wrote this book, there were many behind me throughout this journey. Without their support, it would have been an impossible task to complete. First of all, my thanks go to the great editorial team at Packt Publishing Limited, for giving me the opportunity to write and publish this book, especially Heramb Bhavsar, Sweeny Dias, and Khushbu Sutar, who made this whole experience smooth and fun. Also, I'd like to express my gratitude to all the reviewers and editors. Their comments made this book more valued. I would like to express my sincere appreciation to my friends in Microsoft Canada, especially Simran Chaudhry, MVP Community Program Manager, and Anthony Bartolo. They are the people who brought me to you via lots of community events, public speaking, and blogs. I would like to express my deepest gratitude to my current employer, Edwin Wong, MD of Frontier Technology Ltd, and my former employer, Dominic Macchione, CEO of Rebelnetworks Inc, for giving me the opportunity to enhance my knowledge and apply it in practice. As always, I'd like to thank my lovely wife Kanchana Dilrukshi and my little girl Selena Rosemary for the support and courage they give. For months, I was only able to spend an hour or less per day with them. I missed many play sessions and swimming sessions with my daughter. I missed many family functions. But still they understood my commitment to the book and helped me to stay focused. Also, I'd like to thank my parents for everything they did to make me who I am today. My extended gratitude goes to my parents-in-law and all other relations. Although most of them do not know about Active Directory, they were checking from time to time to see how I was doing with the book and encouraged me to stay focused and finish it.

About the Reviewers

Daniel Dieterle has over 20 years of IT experience. A former Microsoft MCSE and HP-certified Network Integration Specialist, he performed server installs, administration, and services for companies throughout Upstate New York and across Northern Pennsylvania. Currently, he is an internationally published IT author who focuses on testing the security of Microsoft-based systems.

David Green is an IT professional from the South of England, with a wealth of experience from both the public and private sectors. He currently works as a senior systems consultant at the Coretek Group, who provide IT support, consultancy, and infrastructure services to businesses and education, covering on-premises, hybrid, and cloud services.

Previously, David has worked in Formula One™, food manufacturing, and the education sector, where he always looked to provide robust and scalable IT solutions that contributed to business objectives.

David also writes a blog where he posts solutions he finds to problems, and a fair amount of PowerShell-related content. He always tries to help where he can and generally tries to learn something useful every day.

This is another opportunity David has had to contribute to a book. Previous opportunities include Getting Started with PowerShell by Michael Shepard and Active Directory with PowerShell by Uma Yellapragada.

More information, including contact details, can be found on his website at http://www.tookitaway.co.uk.

I'd like to thank my family, my friends, and my colleagues, who are always there for me when I need them and have helped make me the person I am today. Work, learn, play, and have fun! It's your intentions, attitude, and what you do with your opportunities that set you apart.

Florian Klaffenbach started his IT career in 2004 as a 1st and 2nd level IT support technician and IT salesman trainee for a B2B online shop. After that, he moved to a small company, working as an IT project manager planning, implementing, and integrating from industrial plants and laundries to enterprise IT. After spending a few years there, he moved to Dell Germany. There, he started from scratch as an enterprise technical support analyst, and later worked on a project to start Dell technical communities and support over social media in Europe and outside of the U.S. Currently, he is working as a solutions architect and consultant for Microsoft Infrastructure and Cloud, specializing in Microsoft Hyper-V, File Services, System Center Virtual Machine Manager, and Microsoft Azure IaaS.

As well as his job, he is active as a Microsoft blogger and lecturer. He blogs, for example, on his own page, Datacenter-Flo.de, and on the Brocade Germany Community. Together with a very good friend, he founded the Windows Server User Group Berlin to create a network of Microsoft IT pros in Berlin. Florian maintains a very tight network with many vendors such as Cisco, Dell, and Microsoft and their communities. This has helped him to gain experience and get the best out of a solution for his customers. Since 2016, he has also been Co-Chairman of the Azure Community Germany. In April 2016, Microsoft made him a Microsoft Most Valuable Professional for Cloud and Datacenter Management.

Florian has worked for several companies, such as Dell Germany, CGI Germany, and his first employer, TACK GmbH. Currently, he works at msg service ag as a senior consultant for Microsoft Cloud infrastructure. The following are the books he has worked on:

Taking Control with System Center App Controller

Microsoft Azure Storage Essentials

Mastering Microsoft Azure Development

Mastering Microsoft Deployment Toolkit 2013

Windows Server 2016 Cookbook

Implementing Azure Solutions

I want to thank Packt Publishing for giving me the chance to review this book.

Paul Silva is a Microsoft technical architect, consultant, and educator from Long Island, New York.

As CEO of iLyncU, Inc., Paul consults on Active Directory and Skype for Business projects worldwide, on behalf of iLyncU, Microsoft Corporation, and others.

As a Microsoft Certified Trainer, Paul also delivers technical speeches and has participated in the creation of Hands-on Labs for Microsoft's yearly training events, and for the Microsoft Official Courseware.

Since 1999, Paul has participated in Microsoft-sponsored speaking tours, Learning Solution events, and has launched a public service project, Learning for Loutraki, to bring technology and learning to the elementary and middle school students of Loutraki, Greece.

www.PacktPub.com

For support files and downloads related to your book, please visit www.PacktPub.com. Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details. At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www.packtpub.com/mapt

Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

Why subscribe?

Fully searchable across every book published by Packt

Copy and paste, print, and bookmark content

On demand and accessible via a web browser

Customer Feedback

Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1787289354.

If you'd like to join our team of regular reviewers, you can e-mail us at [email protected]. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!

Table of Contents

Preface

Why subscribe?

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Downloading the color images of this book

Errata

Piracy

Questions

Active Directory Fundamentals

Benefits of using Active Directory

Centralized data repository

Replication of data

High availability

Security

Auditing capabilities

Single sign-on

Schema modification

Querying and indexing

Active Directory components

Logical components

Forests

Domains

Domain trees

Organizational units

Physical components

Domain controllers

Global catalog server

Active Directory sites

Active Directory objects

Globally unique identifier and security identifier

Distinguished names

Active Directory server roles

Active Directory Domain Service

Read-only domain controllers

Active Directory Federation Services

Active Directory Lightweight Directory Services

Active Directory Rights Management Services

Active Directory Certification Services

Summary

Active Directory Domain Services 2016

AD DS 2016 features

Deprecation of Windows Server 2003 domain and forest functional levels

Deprecation of File Replication Services

Privileged Access Management

What is it to do with AD DS 2016?

What is the logic behind PAM?

Time-based group memberships

Microsoft Passport

Active Directory Federation Services improvements

Time sync improvements

Summary

Designing Active Directory Infrastructure

What makes a good system?

New business requirements

Correcting legacy design mistakes

Gathering business data

Defining security boundaries

Identifying the physical computer network structure

Designing the forest structure

Single forest

Multiple forest

Creating the forest structure

Autonomy

Isolation

Selecting forest design models

Organizational forest model

Resource forest model

Restricted access forest model

Designing the domain structure

Single domain model

Regional domain model

The number of domains

Deciding domain names

Forest root domain

Deciding domain and forest functional levels

Designing the OU structure

Designing the physical topology of Active Directory

Physical or virtual domain controllers

Domain controller placement

Global catalog server placement

Summary

Active Directory Domain Name System

What is DNS?

Hierarchical naming structure

How DNS works

DNS essentials

DNS records

Start of authority record

A and AAAA records

NS records

MX records

Canonical name record

PTR record

SRV records

Zones

Primary zone

Secondary zone

Stub zone

Reverse lookup zone

DNS server operation modes

Zone transfers

DNS delegation

Summary

Placing Operations Master Roles

FSMO roles

Schema operations master

Domain naming operations master

Primary domain controller emulator operations master

Relative ID operations master role

Infrastructure operations master

FSMO roles placement

Active Directory logical and physical topology

Connectivity

The number of domain controllers

Capacity

Moving FSMO roles

Seize FSMO roles

Summary

Migrating to Active Directory 2016

Active Directory Domain Service installation prerequisites

Hardware requirements

Virtualized environment requirements

Additional requirements

Active Directory Domain Service installation methods

Active Directory Domain Service deployment scenarios

Setting up a new forest root domain

Active Directory Domain Service installation checklist for first domain controller

Design topology

Installation steps

Setting up an additional domain controller

Active Directory Domain Service installation checklist for an additional domain controller

Design topology

Installation steps

Setting up a new domain tree

Active Directory Domain Service installation checklist for a new domain tree

Design topology

Installation steps

Setting up a new child domain

Active Directory Domain Service installation checklist for a new child domain

Design topology

Installation steps

How to plan Active Directory migrations

Migration life cycle

Audit

Active Directory logical and physical topology

Active Directory health check

System Center Operation Manager and Operation Management Suite

Active Directory health checklist

Application audit

Plan

Implementation

Active Directory migration checklist

Design topology

Installation steps

Verification

Maintain

Summary

Managing Active Directory Objects

Tools and methods to manage objects

Active Directory Administrative Center

The Active Directory Users and Computers MMC

Active Directory object administration with PowerShell

Creating, modifying, and removing objects in Active Directory

Creating Active Directory objects

Creating user objects

Creating computer objects

Modifying Active Directory objects

Removing Active Directory objects

Finding objects in Active Directory

Finding objects using PowerShell

Summary

Managing Users, Groups, and Devices

Object attributes

Custom attributes

User accounts

Managed Service Accounts

Group Managed Service Accounts

Uninstalling Managed Service Account

Groups

Group scope

Converting groups

Setting up groups

Devices and other objects

Best practices

Summary

Designing the OU Structure

OUs in operations

Organizing objects

Delegating control

Group policies

Containers versus OUs

OU design models

The container model

The object type model

The geographical model

The department model

Managing the OU structure

Delegating control

Summary

Managing Group Policies

Benefits of group policies

Maintaining standards

Automating administration tasks

Preventing users from changing system settings

Flexible targeting

No modifications to target

Group Policy capabilities

Group Policy objects

Group Policy container

The Group Policy template

Group Policy processing

Group Policy inheritance

Group Policy conflicts

Group Policy mapping and status

Administrative templates

Group Policy filtering

Security filtering

WMI filtering

Group Policy preferences

Item-level targeting

Loopback processing

Group Policy best practices

Summary

Active Directory Services

The AD LDS overview

Where to use LDS?

Application developments

Hosted applications

Distributed data stores for Active Directory integrated applications

Migrating from other directory services

The LDS installation

The Active Directory replication

FRS versus DFSR

Prepared state

Redirected state

Eliminated state

Active Directory sites and replication

Replication

Authentication

Service locations

Sites

Subnets

Site links

Site link bridges

Managing Active Directory sites and other components

Managing sites

Managing site links

The site cost

Inter-site transport protocols

Replication intervals

Replication schedules

Site link bridge

Bridgehead servers

Managing subnets

How does replication work?

Intra-site replications

Inter-site replications

Knowledge Consistency Checker

How update occurs?

The update sequence number

Directory Service Agent GUID and invocation ID

The high watermark vector table

The up-to-dateness vector table

The read-only domain controllers

Active Directory database maintenance

The ntds.dit file

The edb.log file

The edb.chk file

The temp.edb file

Offline defragmentation

Active Directory backup and recovery

Preventing accidental deletion of objects

Active Directory Recycle Bin

Active Directory snapshots

Active Directory system state backup

Active Directory recovery from system state backup

Summary

Active Directory Certificate Services

PKI in action

Symmetric keys versus asymmetric keys

Digital encryption

Digital signatures

Signing, encryption, and decryption

Secure Sockets Layer certificates

Types of certification authorities

How do certificates work with digital signatures and encryption?

What can we do with certificates?

Active Directory Certificate Service components

The certification authority

Certificate Enrollment Web Service

Certificate Enrollment Policy Web Service

Certification Authority Web Enrollment

Network Device Enrollment Service

Online Responder

The types of CA

Planning PKI

Internal or public CAs

Identifying the object types

Cryptographic provider

The cryptography key length

Hash algorithms

The certificate validity period

The CA hierarchy

High availability

Deciding certificate templates

The CA boundary

PKI deployment models

The single-tier model

The two-tier model

Three-tier models

Setting up PKI

Setting up a stand-alone root CA

DSConfigDN

CDP locations

AIA locations

CA time limits

CRL time limits

The new CRL

Publishing the root CA data into the Active Directory

Setting up the issuing CA

Issuing a certificate for the issuing CA

Post configuration tasks

CDP locations

AIA locations

CA and CRL time limits

Certificate templates

Requesting certificates

Summary

Active Directory Federation Services

How does AD FS work?

Security Assertion Markup Language (SAML)

WS-Trust

WS-Federation

AD FS components

Federation Service

AD FS 1.0

AD FS 1.1

AD FS 2.0

AD FS 2.1

AD FS 3.0

AD FS 4.0

The Web Application Proxy

AD FS configuration database

AD FS deployment topologies

Single Federation Server

Single federation server and single Web Application Proxy server

Multiple federation servers and multiple Web Application Proxy servers with SQL Server

AD FS deployment

DNS records

SSL certificates

Installing the AD FS role

Installing WAP

Configuring the claim aware app with new federation servers

Creating a relying party trust

Configuring the Web Application Proxy

Integrating with Azure MFA

Prerequisites

Creating a certificate in an AD FS farm to connect to Azure MFA

Enabling AD FS servers to connect with Azure Multi-Factor Auth Client

Enabling AD FS farm to use Azure MFA

Enabling Azure MFA for authentication

Summary

Active Directory Rights Management Services

What is AD RMS?

AD RMS components

Active Directory Domain Services

The AD RMS cluster

Web server

SQL Server

AD RMS client

Active Directory Certificate Service

How does AD RMS work?

AD RMS deployment

Single forest – single cluster

Single forest – multiple clusters

AD RMS in multiple forests

AD RMS with AD FS

AD RMS configuration

Setting up AD RMS root cluster

Installing the AD RMS role

Configuring the AD RMS role

Testing by protecting data using the AD RMS cluster

To protect the document

Summary

Active Directory Security Best Practices

Active Directory authentication

Delegating permissions

Predefined Active Directory administrator roles

Using object ACLs

Using the delegate control method in AD

Fine-grained password policies

Limitations

Resultant Set of Policy

Configuration

Pass-the-hash attacks

Protected Users security group

Restricted admin mode for RDP

Authentication policies and authentication policy silos

Authentication policies

Authentication policy silos

Creating authentication policies

Creating authentication policy silos

Just-in-time administration and just enough administration

Just-in-time administration

Just enough administration

Summary

Advanced AD Management with PowerShell

AD management with PowerShell – preparation

AD management commands and scripts

Replication

Replicating a specific object

User and Groups

Last log on time

Last log in date report

Login failures report

Finding the locked out account

Password expire report

JEA

JEA configuration

Testing

Summary

Azure Active Directory Hybrid Setup

What is Azure AD?

Benefits of Azure AD

Azure AD limitations

Azure AD editions

Azure AD free version

Azure AD Basic

Azure AD Premium P1

Azure AD Premium P2

Integrate Azure AD with on-premises AD

Azure AD Connect

Azure AD Connect deployment topology

Staging server

Before installing the AD Connect server

Step-by-step guide to integrate on-premises AD environment with Azure AD

Creating a virtual network

Creating an Azure AD instance

Add DNS server details to the virtual network

Create an AAD DC administrator group

Creating a global administrator account for Azure AD Connect

Add a custom domain to Azure AD

Setting up Azure AD Connect

Password synchronization

Syncing NTLM and Kerberos credential hashes to Azure AD

Manage Azure AD Domain Services using virtual server

Creating virtual server in Azure in same virtual network

Join virtual server to Azure AD

Install RSAT tools and managing Azure AD through a virtual server

Summary

Active Directory Audit and Monitoring

Auditing and monitoring Active Directory using inbuilt Windows tools and techniques

Windows Event Viewer

Custom views

Windows logs

Applications and Services logs

Subscriptions

Active Directory Domain Service event logs

Active Directory Domain Service log files

Active Directory audit

Audit Directory Service Access

Audit Directory Service Changes

Audit Directory Service Replication

Audit Detailed Directory Service Replication

Demonstration

Reviewing events

Setting up event subscriptions

Security event log from domain controllers

Enabling advanced security audit policies

Enforcing advanced auditing

Reviewing events with PowerShell

Microsoft Advanced Threat Analytics

ATA benefits

ATA components

ATA center

ATA gateway

ATA Lightweight Gateway

ATA deployments

ATA deployment prerequisites

Demonstration

Installing ATA center

Installing ATA Lightweight Gateway

ATA testing

Microsoft Operations Management Suite (OMS)

Benefits of OMS

OMS services

OMS in a hybrid environment

What benefits will it have for Active Directory?

Demonstration

Enabling OMS AD solutions

Installing OMS agents

Viewing analyzed data

Collecting Windows logs for analysis

Summary

Active Directory Troubleshooting

How to troubleshoot AD DS replication issues

Identifying replication issues

Event Viewer

System Center Operation Manager

Microsoft Operation Management Suite (OMS)

Troubleshooting replication issues

Lingering objects

Strict replication consistency

Removing lingering objects

DFS replication issues

Troubleshooting

Verifying the connection

SYSVOL share status

DFS replication status

DFSR crash due to dirty shutdown of the domain controller (event ID 2213)

Content freshness

Non-authoritative DFS replication

Authoritative DFS replication

How to troubleshoot Group Policy issues

Troubleshooting

Forcing Group Policy processing

Resultant Set of Policy (RSoP)

GPRESULT

Group Policy Results Wizard

Group Policy Modeling Wizard

How to troubleshoot AD DS database-related issues

Integrity checking to detect low-level database corruption

AD database recovery

Summary

Preface


Microsoft Active Directory is the most widely used identity management solution. It can centrally manage identities across the infrastructure. It is equipped with different role services, features, and components that help us handle identities securely and effectively according to business requirements. For the last 20 years, Microsoft has kept improving Active Directory, and the recent release of Active Directory 2016 further strengthens its approach to meeting industry requirements and protecting identity infrastructures against emerging security threats. However, a technology-rich product alone is not going to produce a productive, reliable, scalable, secure identity infrastructure. That requires knowledge of the Active Directory role services, components, and features, and of how to use them effectively to match different operational requirements. Only then can we plan, design, manage, and maintain a robust identity infrastructure. That is exactly what this book covers. Throughout, this book discusses the Active Directory role services, technologies, and features, and then how to implement them according to best practices.

What this book covers

Chapter 1, Active Directory Fundamentals, explains what Active Directory is and its characteristics. It also explains the main components (physical and logical structure), object types, and role services of the product. It also covers the new features available in AD DS 2016 in a nutshell.

Chapter 2, Active Directory Domain Services 2016, explains what's new in AD DS 2016 and how it will help improve your organization's identity infrastructure.

Chapter 3, Designing Active Directory Infrastructure, talks about what needs to be considered for Active Directory infrastructure design. It also describes how to place the AD DS logical and physical components in the AD DS environment.

Chapter 4, Active Directory Domain Name System, explains how DNS works in the AD DS infrastructure. It also includes information about the DNS server component, different types of DNS records, zones, and DNS delegation.

Chapter 5, Placing Operations Master Roles, talks about the FSMO roles and their responsibilities. It also describes the best way to place them in different AD deployment topologies.

Chapter 6, Migrating to Active Directory 2016, covers the AD DS installation with different deployment topologies. It also provides a step-by-step guide to migrating from an older version of AD DS to the new AD DS 2016.

Chapter 7, Managing Active Directory Objects, explains how to manage Active Directory objects using different MMC snap-ins and PowerShell commands. It also demonstrates how to create objects (small scale and large scale) using different methods, and how to query objects in AD.

Chapter 8, Managing Users, Groups, and Devices, explains in detail the different types of objects and how to use those with different infrastructure requirements.

Chapter 9, Designing OU structure, teaches you how to design the OU structure properly using different models. It will also describe how to manage the OU structure and delegate control.

Chapter 10, Managing Group Policies, explains Group Policy objects and their capabilities. It also talks about how to use them appropriately in an infrastructure.

Chapter 11, Active Directory Services, walks us through the more advanced Active Directory topics, such as AD LDS, Active Directory replication, Active Directory sites, Active Directory database maintenance, RODC, AD DS backup, and recovery.

Chapter 12, Active Directory Certificate Services, explains planning, deployment, and maintenance of Active Directory Certificate Services.

Chapter 13, Active Directory Federation Services, focuses on AD Federation Services planning, designing, deployment, and maintenance. It also explains the new features of AD FS 2016.

Chapter 14, Active Directory Rights Management Services, explains the Active Directory Rights Management Services role and how to use it to protect organization data.

Chapter 15, Active Directory Security Best Practices, covers the Active Directory security best practices and new concepts that you can use to secure your identity infrastructure and protect your workloads from emerging threats.

Chapter 16, Advanced AD Management with PowerShell, is full of PowerShell scripts that can be used to manage, secure, audit, and monitor an Active Directory environment.

Chapter 17, Azure Active Directory for Hybrid Setup, explains how you can extend your on-premises AD DS infrastructure into Azure Active Directory.

Chapter 18, Active Directory Audit and Monitoring, teaches you how to monitor your AD DS infrastructure using different tools and methods. It also demonstrates how to audit an Active Directory environment.

Chapter 19, Active Directory Troubleshooting, explains how to troubleshoot the most common Active Directory infrastructure issues using different tools and methods.

What you need for this book

This book is written to demonstrate the management of Active Directory in the Windows Server 2016 environment. While all code samples provided here work in the Windows Server 2016 environment, some will work in the Windows Server 2012 R2 and Windows Server 2012 environments as well:

Readers of this book need basic knowledge of Microsoft Active Directory Domain Services and related terms.

PowerShell commands and scripts have been used heavily in this book. Readers should have basic knowledge of and experience with PowerShell and the relevant tools.

All the PowerShell commands and scripts were tested on PowerShell Version 5; they may not be compatible with older PowerShell versions.

PowerShell scripts have been formatted so that readers can easily understand them. Therefore, when using them in your environment, pay attention to extra spaces and line breaks. It is recommended to use PowerShell ISE to run the scripts.

All the configuration examples were tested on systems running Windows Server 2016. Some of them may not be applicable to older versions of AD DS and its role services.

Who this book is for

This book is ideal for IT professionals, system engineers, and administrators who have a basic knowledge about Active Directory Domain Services. A basic knowledge of PowerShell is also required, as most of the role deployment, configuration, and maintenance is explained using PowerShell commands and scripts.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of. To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message. If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you. You can download the code files by following these steps:

Log in or register to our website using your e-mail address and password.

Hover the mouse pointer on the SUPPORT tab at the top.

Click on Code Downloads & Errata.

Enter the name of the book in the Search box.

Select the book for which you're looking to download the code files.

Choose from the drop-down menu where you purchased this book from.

Click on Code Download.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR / 7-Zip for Windows

Zipeg / iZip / UnRarX for Mac

7-Zip / PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Mastering-Active-Directory. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/MasteringActiveDirectory_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title. To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy. Please contact us at [email protected] with a link to the suspected pirated material. We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.

Active Directory Fundamentals

Welcome to the world of managing identities! Doesn't it sound fun? As system administrators, system engineers, and infrastructure engineers, we spend a significant amount of time every day managing identities in organizations. These identities can be user accounts, applications, or other resources. For over 15 years, Microsoft Active Directory has maintained its premier position in the market by helping organizations build their identity infrastructures. As a directory service, it stores an organization's identity data in a central repository and allows us to arrange it in a hierarchical organizational structure to satisfy the business's needs.

Over the years, Microsoft has been releasing a new version of Active Directory with new features and enhancements. For the last 12 years, I have worked on thousands of different Active Directory-related projects and answered lots of questions through my blog. For me, it's straightforward: providing a feature-rich product is not enough to maintain a secure, efficient, and reliable identity infrastructure. Just two Christmases ago, I gave a pack of watercolors to my little girl, Selena, as her present. I still remember the excitement in her eyes and how much fun it was trying different colors on a canvas and her Christmas dress. In the end, it was just a bunch of lines and color patches. This Christmas too, I (Santa) gave her a new drawing pad and watercolor pack. Now she knows how to draw different objects and place them nicely on the canvas and make something meaningful. It is practice, creativity, and guidance that have helped her do it. This book is meant to equip you with knowledge using in-depth analysis and best practices in order to use the Microsoft Active Directory service and its components in a secure, efficient way to address modern identity infrastructure requirements.

Even though this book is more for administrators and engineers who have basic knowledge of Active Directory, it is not a bad idea to re-read and refresh your memory about the building blocks of the Microsoft Active Directory service before we dive into advanced topics. In this chapter, you will learn the following:

Benefits of using Active Directory

Understanding Active Directory components

Understanding Active Directory objects

Active Directory server roles

Benefits of using Active Directory

A few years ago, I was working on an Active Directory restructuring project for a world-famous pharmaceutical company. According to the company policy, I had to travel to their headquarters to perform the project tasks. So, on a rare sunny English morning, I walked into the company's reception area. After I explained who I was and why I was there, the nice lady at the reception, Linda, handed me a set of forms to fill in. They asked for my personal details, such as name, phone number, how long I would be there, and in which department. Once I filled out the forms, I handed them over to Linda, and she had to make a few calls to verify whether my visit was expected and confirm my access to different buildings with the respective department managers. Then she made a card with my details and handed it over to me. She instructed me on how to use it and which buildings I was allowed into.

When you think about this process, you'll find that it contains the functions of a directory service:

The forms that Linda handed over to me contained certain questions to help her understand who the person was. They were predefined questions and I had to answer them in order to register my information in their system.

Once I submitted the forms, she didn't hand over the electronic card right away. She made calls to verify my identity and also confirm which buildings I would have access to. Then, my details were registered with the system, and it generated an electronic card that had my photo and a bar code. With that, I became a part of their system, and that particular card was my unique identity within their organization. There would be no other visitor with the same bar code and identification number at the same time.

If I needed to get access to buildings, I needed to tap the card at the entrance. Could I use my name or any other cards to get through? No! The locking system of the building doors only recognized me if I presented the correct card. So, having a unique identity in their system was not enough; I needed to present it in the correct way to get the required access.

I went to another building and tried to tap the card. Even when I used it correctly, the doors wouldn't open. The guard in the building asked for my card. Once I handed it over, he scanned it with a bar code reader and checked some information on his computer screen. Then he informed me that I was not allowed into that building and guided me to the correct building. This means that my information could be accessed from any building through their system to verify my identity and access permissions.

When I used the card in the correct buildings, it allowed me to step in. In the system, it first verified my identity and then checked whether I was authorized to work in that facility. If I was authorized, the system allowed access; if not, it rejected my request to enter.

When I entered and left the building, I did not have to record my time. But the managers in that department knew how many hours I had worked as my check-in and check-out times had been recorded in the system and they could review the information anytime.

This system acts as an authentication and authorization system. It uses different protocols and standards to manage and protect identities saved in a central database. This is the primary need of a directory service.

Every organization has its own organizational structure. The most common way is to group roles, assets, and responsibilities into different departments, such as sales, IT, production, and quality assurance. Apart from skills and knowledge, employees use company resources such as applications and hardware devices to achieve company goals. In order to use these resources efficiently, it's important to have some kind of access control in place. The resources should be available to the required users at the required time. This is very easy if all this data about users, applications, and resources is recorded in a central repository and authentication and authorization are used to control access to resources. This is how the directory service was born. Different service providers have different directory services, for example, Novell directory services, Oracle directory service, and Red Hat directory service. The Microsoft Active Directory service is the most commonly used directory service in modern enterprises.

In 1988, the ITU Telecommunication Standardization Sector (ITU-T) developed industry standards for directory services, called X.500. This was the foundation for Microsoft Active Directory services. X.500 defined the Directory Access Protocol (DAP), and many alternatives were made available to enable use with the TCP/IP networking stack. The most popular alternative was the Lightweight Directory Access Protocol (LDAP). The first version of it was released in 1993 with limited features. The University of Michigan released the first stand-alone LDAP daemon (slapd) server in 1995. The matured version of LDAP, LDAPv3, was released in 1997, and most vendors, including Microsoft, started developing directory services based on LDAP. Microsoft released its first Active Directory version with Windows 2000.

Centralized data repository

Active Directory stores the identity information of users, applications, and resources in a multi-master database. This database is a file called ntds.dit. It is based on the Joint Engine Technology (JET) database engine. The data in this database can be modified from any domain controller. The Active Directory database can store some 2 billion objects. Users can use the identity data stored in Active Directory from anywhere in the network in order to access resources. Administrators can manage authentication and authorization of the organizational identities from a centralized location. Without directory services, identities would be duplicated across different systems, adding administrative overhead.

Replication of data

There are organizations that use a single domain controller. But when it comes to complex business requirements such as branch offices and redundancy, multiple domain controllers are required (we are going to look at domain controller placement later in a different chapter). If the identities are managed from a centralized system, it's important that each domain controller be aware of the changes that have been made to the Active Directory database. Say, user Jane in the sales department forgets her password and requests the IT department to reset it. In 30 minutes' time, she's going to be working from a branch office located in a different city. The IT administrator resets her password from the headquarters domain controller, DC01. In order to have a successful login from the branch office, this change to the directory needs to be replicated over to the domain controller in the branch office, DC05. Microsoft Active Directory has two types of replication. If a domain controller advertises the changes made on that particular domain controller to neighboring domain controllers, it is called outbound replication. If a domain controller accepts changes advertised by neighboring domain controllers, it is called inbound replication. The replication connections (from whom and to whom) and replication schedule can be modified based on the business requirements.
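The following script is an added example (it is not from the book) that makes the inbound/outbound distinction visible for one domain controller: it lists each replication partner, the direction, the partition, and whether the last attempt succeeded, then lists the connection objects that define who replicates from whom. It assumes the RSAT ActiveDirectory module is installed on a domain-joined host; DC01 is a placeholder name.

```powershell
# Added example (not from the book): replication partners of one DC, by direction,
# plus the connection objects behind them. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DcReplicationReport {
    param([string]$DomainController)

    # PartnerType Both returns one record per partner per naming context, in each direction.
    Get-ADReplicationPartnerMetadata -Target $DomainController -PartnerType Both |
        ForEach-Object {
            # Partner holds the NTDS Settings DN of the partner DC; its second RDN is the server name.
            $partnerName = ($_.Partner -split ',')[1] -replace '^CN=', ''
            [pscustomobject]@{
                Direction   = $_.PartnerType                 # Inbound: accepts changes; Outbound: advertises changes
                Partner     = $partnerName
                Partition   = $_.Partition                   # naming context being replicated
                LastAttempt = $_.LastReplicationAttempt
                LastSuccess = $_.LastReplicationSuccess
                Failures    = $_.ConsecutiveReplicationFailures
                Healthy     = ($_.LastReplicationResult -eq 0)  # 0 is ERROR_SUCCESS
            }
        }
}

# Partners of DC01 (placeholder name), unhealthy rows first so failures stand out.
Get-DcReplicationReport -DomainController 'DC01' |
    Sort-Object Healthy, Direction |
    Format-Table -AutoSize

# Connection objects: the "from whom / to whom" links created by the KCC or by an admin.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated |
    Format-Table -AutoSize
```

A partner with a growing Failures count and a LastSuccess older than the replication schedule is exactly the case in Jane's password-reset scenario where the branch office login would fail.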

High availability

High availability is important for any business-critical system in an organization. This is applicable to domain controllers too. On other systems, in order to implement high availability, we need to make software or hardware changes. With built-in fault-tolerance capabilities, Active Directory domain controllers do not need additional changes. A multi-master database and replication between domain controllers allow users to continue with authentication and authorization from any available domain controller at any time.

Security

Data and identity security are very important in modern businesses. We are living in a world where identity is the new perimeter. A significant portion of this book is focused on how to use Active Directory features to secure your identity infrastructures from emerging threats. Active Directory allows you to use different authentication types, group policies, and workflows to protect the resources in your network. Even applications benefit from these technologies and methodologies to secure the identities used within applications. This helps administrators build different security rules based on departments and groups in order to protect data and workloads. It also forces individuals to follow organizational data- and network-security standards.

Auditing capabilities

Setting up advanced security policies will not be enough to protect your identity infrastructure. Periodic audits will help you understand new security threats. Active Directory allows you to capture and audit events occurring in your identity infrastructure. They can be related to user authentication, directory service modifications, or access violations. It also helps you collect data from a centralized location, which will help you troubleshoot authentication and authorization issues users may have.

Single sign-on

In an organization, there are different applications in use. Each of these applications has a different authentication mechanism. It will be difficult to maintain different user credentials to authenticate on different applications. Most application vendors now support integration with Active Directory for authentication. This means that with Active Directory credentials, you can authenticate on different systems and applications used by your organization. You will not need to keep typing your credentials to get access. Once you authenticate on a computer, the same session will be used to authenticate other Active Directory integrated applications.

Schema modification

Any kind of database has its own structure, called a schema. This is also applicable to the Active Directory database. This schema describes all objects in Active Directory. By knowing the schema, you can modify or extend it. This is important for the development of Active Directory integrated applications. Microsoft publishes Active Directory Service Interfaces (ADSI) as a set of COM interfaces, and it can be used to access Active Directory service features from different network providers. Application developers can use it to make their applications Active Directory-integrated and publish them to the directory. Users can search for the service through Active Directory, and applications can access Active Directory objects as required.

Querying and indexing

By maintaining a central data repository, Active Directory also allows users and applications to query objects and retrieve accurate data. If I need to find user John's account, I do not need to know which branch he is in or what department he belongs to. With a simple Active Directory query, I will be provided with information about the user account. When we add a new object to the directory, it publishes its attributes and makes them available to users and applications for queries.

These are some of the main capabilities of the Active Directory service, and these features will be explained in detail in later chapters, including how to plan, implement, and maintain them within your identity infrastructure.

Active Directory components

Active Directory components can be divided into two main categories:

Logical components

Physical components

When you design your identity infrastructure, you need to consider both categories of components. Logical components of the Active Directory structure can change at any given time according to business requirements. But you won't be able to modify the physical components as easily as the logical components. The placement of these components will define the efficiency, security, reliability, and manageability of your identity infrastructure. So, it's crucial that we get it right in the beginning before we move on to advanced identity infrastructure planning.

Logical components

Each business has its own hierarchical organization layout. It may contain multiple branch offices, multiple groups of companies, and many different departments. Each of these components in the business carries out different operations. Operations in the sales department are completely different from those in the IT department. Everyone is bound to the company by following different operational guidelines and targets. When we design the identity infrastructure, we need to match it with the company's hierarchical layout in order to manage resources and security effectively. Logical components of Active Directory help you structure the identity infrastructure by considering design, administration, extensibility, security, and scalability.

The Active Directory logical structure contains two types of objects. Objects can be either container objects or leaf objects. Container objects can be associated with other objects in the logical structure. Leaf objects are the smallest components in the logical structure. They will not have any other child objects associated.

Forests

The Amazon is the world's largest rain forest. There are different animal species, and more than 400 tribes live there. Each of these animal species is different from the others. Reptiles, mammals, snakes, and fish all have different characteristics, and we can group each of them by considering their characteristics. Tribes living in the forest also have their own language, culture, and boundaries. But all these animals and tribes share one forest. They use food, water, and other resources from the Amazon forest to survive. The Amazon forest has well-defined boundaries. Another forest 100 miles from the Amazon forest is not called the Amazon forest. Its name and boundaries are unique.

The Active Directory forest can also be explained in a similar way. The Active Directory forest represents a complete Active Directory instance. It is made of one or more domains and domain trees. I will be explaining what domains and domain trees are in detail later in this chapter. Each domain has its own characteristics, boundaries, and resources allocated. But at the same time, it shares a common logical structure, schema, and directory configuration within the forest. Similarly to how tribes have a relationship with the forest and with other tribes, domains in the Active Directory forest will have a two-way trust relationship. Different tribes in the Amazon forest aren't named after the Amazon. Each tribe has its own name. Similarly, domains in a forest can have any domain name:

The first domain controller in the Active Directory service deployment is important. When you create the first domain, it will create the forest as well. Then, the first domain will become the forest root domain. A domain tree contains its own root domain. But forests can contain multiple root domains.

In the previous diagram, Rebeladmin Corp. is an IT solution provider. rebeladmin.com is the forest root domain. It has two other companies: one is Rebeladmin IT, with the domain name rebeladminit.com, and it provides managed IT services. The other company is My training, with the domain name mytraining.ca, and it provides IT training to professionals. rebeladminit.com and mytraining.ca are both root domains in their own domain trees. Both domains in the forest will trust each other with a two-way transitive trust.

A two-way transitive trust is a logical link between domains where the trusting domain honors the logon authentication of the trusted domain. Considering the previous example, users in rebeladminit.com can authenticate into the mytraining.ca domain and vice versa. Any object located in a domain inherently trusts objects in other domains in the same forest. This is not the same as authentication between forests. For that, it may (depending on the trust method) require additional login credentials. An organization can have a single forest or multiple forests based on the company's business requirements.

When Microsoft releases a new Active Directory service version, new features are bound to the forest and domain functional levels. If you want to use Active Directory Domain Services 2016 forest-level features, your Active Directory forest should use the Windows Server 2016 forest functional level. Before Windows Server 2012 R2, forest functional level upgrades were one-way. Now it is possible to roll back to a lower forest functional level if required. Also, a forest at a lower functional level still allows the latest domain controller version to be added. For example, if the forest functional level is Windows Server 2008, it is allowed to install a domain controller running Windows Server 2016 inside the forest. But this doesn't mean it can use the features provided by Active Directory Domain Services 2016 until the domain and forest functional levels are upgraded. If you upgrade the forest functional level to Windows Server 2016, you can have only domain controllers running a minimum of Windows Server 2016.

Domains

Referring back to my example about the Amazon forest, we can say there are more than 400 tribes living in the Amazon forest. Each of these tribes is unique in certain ways. Each tribe has a different language and culture. Each tribe has its own territory for hunting, farming, and fishing. Each tribe knows its boundaries and does not cross others' boundaries, as that can lead to a war between tribes. Each tribe has its own tools and methods for hunting and farming. Also, each tribe has different groups assigned to different tasks. Some are good at hunting, some are good at farming, and some are good at cooking. All their contributions help them survive and grow as a tribe.

The Active Directory domain can also be explained in a similar way. The domain contains the logical components to achieve administrative goals in the organization. By default, the domain becomes the security boundary for the objects inside it. Each object has its own administrative goals. Individuals in tribes have different identities and responsibilities, but all of them are part of the tribe and the forest. In the same way, all the objects in the domain are part of a common database. Also, everyone in the tribe still needs to follow some common rules. Objects in the domain are also controlled by the security rules defined for it. These security rules are only applicable within that particular domain and are not valid for any object outside the domain boundaries. A domain also allows you to set smaller administrative boundaries within the organization. In the previous section, I explained that a forest can contain multiple domains. Managing a forest is difficult as its administrative boundary is large, but the domain allows you to set smaller administrative targets. Active Directory is divided into multiple partitions to improve efficiency. The domain is also a partition of Active Directory. When I described the Active Directory forest, I mentioned that every domain inside the forest shares the same schema. Each of the domain controllers also has a copy of the domain partition, and it is shared only by the domain controllers within the same domain. All the information about objects in that particular domain is saved in that domain partition. This ensures that only the required data is replicated across the domain trees and forests:

The Active Directory domain's functional level defines the Active Directory capabilities. With every new version of the directory services, new features are added to the domain functional level. In order to use those features within the domain, the domain functional level needs to be upgraded. The domain functional level you can run on the domain depends on the forest functional level. You cannot have a domain functional level higher than the forest functional level.
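The two rules above (a domain cannot sit above its forest, and a domain controller's OS must be at least the domain functional level, while a newer DC in an older forest gets no new features until the levels are raised) can be checked from a single script. This is an added example, not the book's code; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the OS-to-level mapping is a simplification for Windows Server 2003 through 2016.

```powershell
# Added example (not from the book): report forest and domain functional levels next to
# each domain controller's OS, and flag the combinations the rules above do not allow.
Import-Module ActiveDirectory

# Functional levels in ascending order. The ForestMode/DomainMode enum names are these
# strings with a "Forest"/"Domain" suffix (for example Windows2016Forest).
$Levels = @('Windows2000', 'Windows2003Interim', 'Windows2003', 'Windows2008',
            'Windows2008R2', 'Windows2012', 'Windows2012R2', 'Windows2016')

function Get-LevelIndex {
    # Strip the enum suffix and return the position in $Levels (-1 if unknown).
    param([string]$Mode)
    $name = $Mode -replace '(Forest|Domain)$', ''
    return [array]::IndexOf($Levels, $name)
}

function Get-OsLevelIndex {
    # Map an OperatingSystem string such as "Windows Server 2012 R2 Standard" to the
    # highest functional level a DC on that OS can support (-1 if not recognised).
    param([string]$OperatingSystem)
    if ($OperatingSystem -match 'Windows Server (\d{4})( R2)?') {
        $name = 'Windows' + $Matches[1] + $(if ($Matches[2]) { 'R2' } else { '' })
        return [array]::IndexOf($Levels, $name)
    }
    return -1
}

$forest    = Get-ADForest
$forestIdx = Get-LevelIndex $forest.ForestMode.ToString()
Write-Host ("Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode)

foreach ($domainName in $forest.Domains) {
    $domain    = Get-ADDomain -Identity $domainName
    $domainIdx = Get-LevelIndex $domain.DomainMode.ToString()
    Write-Host ("  Domain {0}: functional level {1}" -f $domain.DNSRoot, $domain.DomainMode)

    # Rule 1: a domain functional level can never be higher than the forest level.
    if ($domainIdx -gt $forestIdx) {
        Write-Warning "  $domainName functional level is higher than the forest functional level"
    }

    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        $osIdx = Get-OsLevelIndex $dc.OperatingSystem
        $note  = ''
        if ($osIdx -lt 0) {
            $note = 'unrecognised OS string'
        } elseif ($osIdx -lt $domainIdx) {
            # Rule 2: a DC older than the domain functional level cannot exist in the domain.
            $note = 'OS is below the domain functional level'
        } elseif ($osIdx -gt $forestIdx) {
            # Allowed, but the newer version's features stay unavailable until the
            # domain and forest functional levels are raised.
            $note = 'OS is newer than the forest level (new features not usable yet)'
        }
        Write-Host ("    DC {0,-24} {1,-36} {2}" -f $dc.HostName, $dc.OperatingSystem, $note)
    }
}
```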

Domain trees

I am 33 years old and am living in the UK with my daughter and wife. My parents are still living in Sri Lanka, where you can find sunshine all year and white beaches. After our wedding, I moved into a new house, but that didn't mean I was not a part of the family anymore. I am still the son of my parents. I carry my father's surname. I also inherit traditions and characteristics from my parents. My children will have their own families one day, but in the end, we are all part of the same family tree. A domain tree is a collection of domains that reflects the organization's structure. My parents and I are bound by a parent-child relationship. It is obviously different from other kinds of relationships. Similarly, domains inside the domain tree have a parent-child relationship. The first domain in the domain tree is called the parent domain. This is the root domain as well. All other domains in the domain tree are called child domains. There will be only one parent domain in a domain tree.

In some documentation, the child domain is also called a subdomain. When dealing with internet domains, sometimes it is required to create an additional placeholder, a sub-URL. For example, rebeladmin.com