Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Active Directory Administration Cookbook, Second Edition
  • Table Of Contents Toc
  • Feedback & Rating feedback
Active Directory Administration Cookbook, Second Edition

Active Directory Administration Cookbook, Second Edition

By : Sander Berkouwer
5 (3)
Buy this Book
close
close
Active Directory Administration Cookbook, Second Edition

Active Directory Administration Cookbook, Second Edition

5 (3)
By: Sander Berkouwer
Buy this Book

Overview of this book

Updated to the Windows Server 2022, this second edition covers effective recipes for Active Directory administration that will help you leverage AD's capabilities for automating network, security, and access management tasks in the Windows infrastructure. Starting with a detailed focus on forests, domains, trusts, schemas, and partitions, this book will help you manage domain controllers, organizational units, and default containers. You'll then explore Active Directory sites management as well as identify and solve replication problems. As you progress, you'll work through recipes that show you how to manage your AD domains as well as user and group objects and computer accounts, expiring group memberships, and Group Managed Service Accounts (gMSAs) with PowerShell. Once you've covered DNS and certificates, you'll work with Group Policy and then focus on federation and security before advancing to Azure Active Directory and how to integrate on-premise Active Directory with Azure AD. Finally, you'll discover how Microsoft Azure AD Connect synchronization works and how to harden Azure AD. By the end of this AD book, you’ll be able to make the most of Active Directory and Azure AD Connect.
Table of Contents (18 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Download the example code files
Icon
Code in Action
Icon
Download the color images
Icon
Conventions used
Icon
Get in touch
Icon
Share Your Thoughts
1
Chapter 1: Optimizing Forests, Domains, and Trusts
Icon
Chapter 1: Optimizing Forests, Domains, and Trusts
Icon
Choosing between a new domain or forest
Icon
Listing the domains in your forest
Icon
Using adprep.exe to prepare for new Active Directory functionality
Icon
Raising the domain functional level to Windows Server 2016
Icon
Raising the forest functional level to Windows Server 2016
Icon
Creating the right trust
Icon
Removing a trust
Icon
Verifying and resetting a trust
Icon
Securing a trust
Icon
Extending the schema
Icon
Enabling the Active Directory Recycle Bin
Icon
Managing UPN suffixes
Free Chapter
2
Chapter 2: Managing Domain Controllers
chevron up
Icon
Chapter 2: Managing Domain Controllers
Icon
Preparing a Windows server to become a domain controller
Icon
Promoting a server to a domain controller
Icon
Promoting a server to a read-only domain controller
Icon
Using Install From Media
Icon
Using domain controller cloning
Icon
Determining whether a virtual domain controller has a VM-GenerationID
Icon
Demoting a domain controller
Icon
Demoting a domain controller forcefully
Icon
Inventory domain controllers
Icon
Decommissioning a compromised read-only domain controller
3
Chapter 3: Managing Active Directory Roles and Features
Icon
Chapter 3: Managing Active Directory Roles and Features
Icon
About FSMO roles
Icon
Querying FSMO role placement
Icon
Transferring FSMO roles
Icon
Configuring the PDC Emulator to synchronize time with a reliable source
Icon
Managing time synchronization for virtual domain controllers
Icon
Managing global catalogs
4
Chapter 4: Managing Containers and Organizational Units
Icon
Chapter 4: Managing Containers and Organizational Units
Icon
Differences between OUs and containers
Icon
Creating an OU
Icon
Deleting an OU
Icon
Modifying an OU
Icon
Delegating control of an OU
Icon
Modifying the default location for new user and computer objects
5
Chapter 5: Managing Active Directory Sites and Troubleshooting Replication
Icon
Chapter 5: Managing Active Directory Sites and Troubleshooting Replication
Icon
What do Active Directory sites do?
Icon
Recommendations
Icon
Creating a site
Icon
Managing a site
Icon
Managing subnets
Icon
Creating a site link
Icon
Managing a site link
Icon
Modifying replication settings for an Active Directory site link
Icon
Creating a site link bridge
Icon
Managing bridgehead servers
Icon
Managing the ISTG and KCC
Icon
Managing UGMC
Icon
Working with repadmin.exe
Icon
Forcing replication
Icon
Managing inbound and outbound replication
Icon
Modifying the tombstone lifetime period
Icon
Managing strict replication consistency
Icon
Upgrading SYSVOL replication from FRS to DFSR
Icon
Checking for and remediating lingering objects
6
Chapter 6: Managing Active Directory Users
Icon
Chapter 6: Managing Active Directory Users
Icon
Creating a user
Icon
Deleting a user
Icon
Modifying several users at once
Icon
Moving a user
Icon
Renaming a user
Icon
Enabling and disabling a user
Icon
Finding locked-out users
Icon
Unlocking a user
Icon
Managing userAccountControl
Icon
Using account expiration
7
Chapter 7: Managing Active Directory Groups
Icon
Chapter 7: Managing Active Directory Groups
Icon
Creating a group
Icon
Deleting a group
Icon
Managing the direct members of a group
Icon
Managing expiring group memberships
Icon
Changing the scope or type of a group
Icon
Viewing nested group memberships
Icon
Finding empty groups
8
Chapter 8: Managing Active Directory Computers
Icon
Chapter 8: Managing Active Directory Computers
Icon
Creating a computer
Icon
Deleting a computer
Icon
Joining a computer to the domain
Icon
Renaming a computer
Icon
Testing the secure channel for a computer
Icon
Resetting a computer's secure channel
9
Chapter 9: Managing DNS
Icon
Chapter 9: Managing DNS
Icon
Managing the DNS server role on domain controllers
Icon
Creating a DNS zone
Icon
Managing the DNS zone properties
Icon
Deleting a DNS zone
Icon
Creating a DNS record
Icon
Deleting a DNS record
Icon
Verifying the domain controller SRV DNS records
Icon
Creating a DNS conditional forwarder
10
Chapter 10: Getting the Most Out of Group Policy
Icon
Chapter 10: Getting the Most Out of Group Policy
Icon
Creating a GPO
Icon
Copying a GPO
Icon
Deleting a GPO
Icon
Modifying the settings of a GPO
Icon
Assigning scripts
Icon
Installing applications
Icon
Linking a GPO to an OU
Icon
Blocking inheritance of GPOs on an OU
Icon
Enforcing the settings of a GPO Link
Icon
Applying security filters
Icon
Creating and applying WMI filters
Icon
Refreshing GPO settings
Icon
Configuring loopback processing
Icon
Restoring a default GPO
Icon
Creating the Group Policy Central Store
11
Chapter 11: Securing Active Directory
Icon
Chapter 11: Securing Active Directory
Icon
Applying fine-grained password and account lockout policies
Icon
Backing up and restoring GPOs
Icon
Backing up and restoring Active Directory
Icon
Working with Active Directory snapshots
Icon
Managing the DSRM passwords on domain controllers
Icon
Protecting important objects from accidental deletion
Icon
Implementing LAPS
Icon
Managing deleted objects
Icon
Working with gMSAs
Icon
Configuring diagnostic logging
Icon
Configuring the advanced security audit policy
Icon
Resetting the KRBTGT secret
Icon
Using the SCW to secure domain controllers
Icon
Leveraging the Protected Users group
Icon
Putting authentication policies and authentication policy silos to good use
Icon
Configuring Extranet Smart Lockout
12
Chapter 12: Managing Certificates
Icon
Chapter 12: Managing Certificates
Icon
Deciding between your own CA and a public CA
Icon
Setting up a CA
Icon
Setting up an online responder
Icon
Removing a certificate template
Icon
Duplicating and editing a certificate template
Icon
Requesting a web server certificate
Icon
Issuing domain controller certificates
Icon
Managing certificate autoenrollment
Icon
Revoking a certificate
Icon
Decommissioning a CA
13
Chapter 13: Managing Federation
Icon
Chapter 13: Managing Federation
Icon
Choosing the right AD FS farm deployment method
Icon
Installing the AD FS server role
Icon
Setting up an AD FS farm with WID
Icon
Setting up an AD FS farm with SQL Server
Icon
Adding additional AD FS servers to an AD FS farm
Icon
Removing AD FS servers from an AD FS farm
Icon
Creating an RPT
Icon
Deleting an RPT
Icon
Configuring branding
Icon
Migrating a WID-based AD FS farm to an SQL Server
Icon
Setting up a WAP
Icon
Decommissioning a WAP
14
Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO)
Icon
Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO)
Icon
Choosing the right authentication method
Icon
Signing up for Azure AD
Icon
Verifying your DNS domain name
Icon
Implementing PHS with Express Settings
Icon
Implementing PTA and Seamless SSO
Icon
Implementing SSO using AD FS
Icon
Managing AD FS with Azure AD Connect
Icon
Implementing Azure Traffic Manager for AD FS geo-redundancy
Icon
Migrating from AD FS to PTA for SSO to Office 365
Icon
Making PTA (geo)redundant
15
Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect)
Icon
Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect)
Icon
Choosing the right source anchor attribute for user objects
Icon
Configuring staging mode
Icon
Switching to a staging-mode server
Icon
Configuring domain and OU filtering
Icon
Configuring Azure AD app and attribute filtering
Icon
Configuring hybrid Azure AD join
Icon
Configuring device writeback
Icon
Configuring password writeback
Icon
Configuring group writeback
Icon
Changing passwords for Azure AD Connect service accounts
16
Chapter 16: Hardening Azure AD
Icon
Chapter 16: Hardening Azure AD
Icon
Setting contact information
Icon
Preventing non-privileged users from accessing the Azure portal
Icon
Viewing all privileged users in Azure AD
Icon
Preventing users from registering or consenting to apps
Icon
Preventing users from inviting guests
Icon
Allowing and blocking invitations for Azure AD B2B
Icon
Configuring Azure AD join and Azure AD registration
Icon
Configuring Intune auto-enrollment upon Azure AD join
Icon
Choosing between Security defaults and Conditional Access
Icon
Configuring Conditional Access
Icon
Accessing Azure AD Connect Health
Icon
Configuring Azure AD Connect Health for AD FS
Icon
Configuring Azure AD Connect Health for AD DS
Icon
Configuring Azure AD PIM
Icon
Configuring Azure AD Identity Protection
Icon
Implementing Defender for Identity
Icon
Why subscribe?
17
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you
Icon
Share Your Thoughts

Using Install From Media

For Active Directory environments with really low bandwidth or networking resiliency between locations with domain controllers, regardless of whether these are read-only domain controllers or fully writable domain controllers, promoting a Windows Server installation to a domain controller can take a long time or even fail.

In these types of scenarios, for adding an additional domain controller or read-only domain controller to an existing domain, Microsoft offers the Install From Media (IFM) option.

Getting ready

When creating IFM media, check for proper Active Directory replication before creating the IFM media on the domain controller. This ensures that the domain controller is up to date with all changes in Active Directory.

Create a folder on the source and destination domain controller to store the files needed for IFM.

How to do it...

IFM consists of two steps:

  • Creating the IFM package
  • Leveraging the IFM package

Creating the IFM package

To create the IFM package, perform the following actions on a domain controller in a well-connected networking location, running the same version of Windows Server on which you intend to use the IFM package to swiftly promote it to a domain controller in a low-bandwidth scenario:

Tip

IFM packages to create read-only domain controllers can be created on both read-only domain controllers and on fully writable domain controllers. IFM packages to create fully writable domain controllers can only be created on fully writable domain controllers.

  1. Sign in interactively to the domain controller that you want to use as the source server for IFM.
  2. Press Start.
  3. Search for Command Prompt, right-click its search result, and choose Run as administrator from the context menu. Alternatively, run cmd.exe, but instead of running it by pressing Enter, press Ctrl, Shift, and Enter.
  4. Run the following command to start the NTDS utility in interactive mode:
    ntdsutil.exe
  5. Type the following command in interactive mode to select the Active Directory database:
    activate instance ntds
  6. Type the following command in interactive mode to enter the IFM creation context:
    IFM
  7. Type the following command in interactive mode to create IFM, including the contents of the Active Directory SYSVOL for a read-only domain controller, and place it in the C:\IFM folder:
    create RODC C:\IFM
  8. Type the following command in interactive mode to exit the IFM context:
    quit
  9. Type the following command in interactive mode to exit the NTDS utility itself:
    quit
  10. Close the Command Prompt window.

Leveraging the IFM package

To leverage the IFM package on the destination domain controller in the remote location, choose one of the following methods:

  • Using the Active Directory Domain Services Configuration Wizard after you've installed the Active Directory Domain Services role
  • Using dcpromo.exe
  • Using the Install-ADDSDomainController PowerShell cmdlet

Using the Active Directory Domain Services Configuration Wizard

Perform these steps to leverage the install using the Active Directory Domain Services Configuration Wizard:

  1. Promote the Windows Server installation as you would normally.
  2. On the Additional Options screen, click the Install from media option:
Figure 2.12 – The Additional Options screen of the Active Directory Domain Services Configuration Wizard

Figure 2.12 – The Additional Options screen of the Active Directory Domain Services Configuration Wizard

  1. On the Install from Media screen, specify the location on the drive of the Windows Server installation you intend to promote to a (read-only) domain controller using the Install from Media option.
  2. Optionally, specify the fully writable domain controller you want to replicate from. Specify a domain controller that is best reachable from the intended domain controller.
  3. Click Next > to proceed to the next screens as you normally would.

Using the Install-ADDSDomainController PowerShell cmdlet

The Install-ADDSDomainController PowerShell cmdlet only needs the -InstallationMediaPath additional parameter to leverage the IFM package when promoting a Windows Server installation to a domain controller.

When combining it with the sample PowerShell command for adding a domain controller to an existing domain, the following line of Windows PowerShell emerges:

Install-ADDSDomainController -DomainName lucernpub.com -InstallationMediaPath "C:\IFM"

Replace lucernpub.com with the DNS domain name of your Active Directory domain.

Using dcpromo.exe

As with the Install-ADDSDomainController PowerShell cmdlet, dcpromo.exe requires an optional parameter to leverage the IFM package.

Perform the following steps:

  1. Promote the Windows Server installation, as you would normally.
  2. When using an answer file, add the following line:
    ReplicationSourcePath= "C:\IFM"
  3. When using unattended mode, add the following argument:
    /ReplicationSourcePath:"C:\IFM"

How it works...

As a Windows Server installation becomes a domain controller, it replicates the contents of the Active Directory database and the Active Directory SYSVOL to its local hard drive(s). The entire package needed for this replication can also be assembled before promotion. Then, the IFM package can be delivered to the remote location, or even carried by the technician that will promote the (read-only) domain controller.

Important Note

The amount of network traffic needed when using the IFM option is heavily reduced but is certainly not zero. As the IFM package represents a point-in-time snapshot of the contents of the Active Directory database and the Active Directory SYSVOL, any changes between the time of the creation of the IFM package and using it will need to replicate before promotion of the domain controller is successfully completed.

End of Section 5
Next Section

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY