Title Page
Copyright
Mastering Active Directory
Credits
About the Author
Acknowledgement
About the Reviewers
www.PacktPub.com
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of this book
Errata
Piracy
Questions
Active Directory Fundamentals
Benefits of using Active Directory
Centralized data repository
Replication of data
High availability
Security
Auditing capabilities
Single sign-on
Schema modification
Querying and indexing
Active Directory components
Logical components
Forests
Domains
Domain trees
Organizational units
Physical components
Domain controllers
Global catalog server
Active Directory sites
Active Directory objects
Globally unique identifier and security identifier
Distinguished names
Active Directory server roles
Active Directory Domain Service
Read-only domain controllers
Active Directory Federation Services
Active Directory Lightweight Directory Services
Active Directory Rights Management Services
Active Directory Certification Services
Summary
Active Directory Domain Services 2016
AD DS 2016 features
Deprecation of Windows Server 2003 domain and forest functional levels
Deprecation of File Replication Services
Privileged Access Management
What does it have to do with AD DS 2016?
What is the logic behind PAM?
Time-based group memberships
Microsoft Passport
Active Directory Federation Services improvements
Time sync improvements
Summary
Designing Active Directory Infrastructure
What makes a good system?
New business requirements
Correcting legacy design mistakes
Gathering business data
Defining security boundaries
Identifying the physical computer network structure
Designing the forest structure
Single forest
Multiple forests
Creating the forest structure
Autonomy
Isolation
Selecting forest design models
Organizational forest model
Resource forest model
Restricted access forest model
Designing the domain structure
Single domain model
Regional domain model
The number of domains
Deciding domain names
Forest root domain
Deciding domain and forest functional levels
Designing the OU structure
Designing the physical topology of Active Directory
Physical or virtual domain controllers
Domain controller placement
Global catalog server placement
Summary
Active Directory Domain Name System
What is DNS?
Hierarchical naming structure
How DNS works
DNS essentials
DNS records
Start of authority record
A and AAAA records
NS records
MX records
Canonical name record
PTR record
SRV records
Zones
Primary zone
Secondary zone
Stub zone
Reverse lookup zone
DNS server operation modes
Zone transfers
DNS delegation
Summary
Placing Operations Master Roles
FSMO roles
Schema operations master
Domain naming operations master
Primary domain controller emulator operations master
Relative ID operations master role
Infrastructure operations master
FSMO roles placement
Active Directory logical and physical topology
Connectivity
The number of domain controllers
Capacity
Moving FSMO roles
Seizing FSMO roles
Summary
Migrating to Active Directory 2016
Active Directory Domain Service installation prerequisites
Hardware requirements
Virtualized environment requirements
Additional requirements
Active Directory Domain Service installation methods
Active Directory Domain Service deployment scenarios
Setting up a new forest root domain
Active Directory Domain Service installation checklist for first domain controller
Design topology
Installation steps
Setting up an additional domain controller
Active Directory Domain Service installation checklist for an additional domain controller
Design topology
Installation steps
Setting up a new domain tree
Active Directory Domain Service installation checklist for a new domain tree
Design topology
Installation steps
Setting up a new child domain
Active Directory Domain Service installation checklist for a new child domain
Design topology
Installation steps
How to plan Active Directory migrations
Migration life cycle
Audit
Active Directory logical and physical topology
Active Directory health check
System Center Operations Manager and Operations Management Suite
Active Directory health checklist
Application audit
Plan
Implementation
Active Directory migration checklist
Design topology
Installation steps
Verification
Maintain
Summary
Managing Active Directory Objects
Tools and methods to manage objects
Active Directory Administrative Center
The Active Directory Users and Computers MMC
Active Directory object administration with PowerShell
Creating, modifying, and removing objects in Active Directory
Creating Active Directory objects
Creating user objects
Creating computer objects
Modifying Active Directory objects
Removing Active Directory objects
Finding objects in Active Directory
Finding objects using PowerShell
Summary
Managing Users, Groups, and Devices
Object attributes
Custom attributes
User accounts
Managed Service Accounts
Group Managed Service Accounts
Uninstalling a Managed Service Account
Groups
Group scope
Converting groups
Setting up groups
Devices and other objects
Best practices
Summary
Designing the OU Structure
OUs in operations
Organizing objects
Delegating control
Group policies
Containers versus OUs
OU design models
The container model
The object type model
The geographical model
The department model
Managing the OU structure
Delegating control
Summary
Managing Group Policies
Benefits of group policies
Maintaining standards
Automating administration tasks
Preventing users from changing system settings
Flexible targeting
No modifications to target
Group Policy capabilities
Group Policy objects
Group Policy container
The Group Policy template
Group Policy processing
Group Policy inheritance
Group Policy conflicts
Group Policy mapping and status
Administrative templates
Group Policy filtering
Security filtering
WMI filtering
Group Policy preferences
Item-level targeting
Loopback processing
Group Policy best practices
Summary
Active Directory Services
The AD LDS overview
Where to use LDS?
Application developments
Hosted applications
Distributed data stores for Active Directory integrated applications
Migrating from other directory services
The LDS installation
The Active Directory replication
FRS versus DFSR
Prepared state
Redirected state
Eliminated state
Active Directory sites and replication
Replication
Authentication
Service locations
Sites
Subnets
Site links
Site link bridges
Managing Active Directory sites and other components
Managing sites
Managing site links
The site cost
Inter-site transport protocols
Replication intervals
Replication schedules
Site link bridge
Bridgehead servers
Managing subnets
How does replication work?
Intra-site replications
Inter-site replications
Knowledge Consistency Checker
How do updates occur?
The update sequence number
Directory Service Agent GUID and invocation ID
The high watermark vector table
The up-to-dateness vector table
The read-only domain controllers
Active Directory database maintenance
The ntds.dit file
The edb.log file
The edb.chk file
The temp.edb file
Offline defragmentation
Active Directory backup and recovery
Preventing accidental deletion of objects
Active Directory Recycle Bin
Active Directory snapshots
Active Directory system state backup
Active Directory recovery from system state backup
Summary
Active Directory Certificate Services
PKI in action
Symmetric keys versus asymmetric keys
Digital encryption
Digital signatures
Signing, encryption, and decryption
Secure Sockets Layer certificates
Types of certification authorities
How do certificates work with digital signatures and encryption?
What can we do with certificates?
Active Directory Certificate Service components
The certification authority
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
Certification Authority Web Enrollment
Network Device Enrollment Service
Online Responder
The types of CA
Planning PKI
Internal or public CAs
Identifying the object types
Cryptographic provider
The cryptography key length
Hash algorithms
The certificate validity period
The CA hierarchy
High availability
Deciding certificate templates
The CA boundary
PKI deployment models
The single-tier model
The two-tier model
Three-tier models
Setting up PKI
Setting up a stand-alone root CA
DSConfigDN
CDP locations
AIA locations
CA time limits
CRL time limits
The new CRL
Publishing the root CA data into the Active Directory
Setting up the issuing CA
Issuing a certificate for the issuing CA
Post configuration tasks
CDP locations
AIA locations
CA and CRL time limits
Certificate templates
Requesting certificates
Summary
Active Directory Federation Services
How does AD FS work?
Security Assertion Markup Language (SAML)
WS-Trust
WS-Federation
AD FS components
Federation Service
AD FS 1.0
AD FS 1.1
AD FS 2.0
AD FS 2.1
AD FS 3.0
AD FS 4.0
The Web Application Proxy
AD FS configuration database
AD FS deployment topologies
Single Federation Server
Single federation server and single Web Application Proxy server
Multiple federation servers and multiple Web Application Proxy servers with SQL Server
AD FS deployment
DNS records
SSL certificates
Installing the AD FS role
Installing WAP
Configuring the claim aware app with new federation servers
Creating a relying party trust
Configuring the Web Application Proxy
Integrating with Azure MFA
Prerequisites
Creating a certificate in an AD FS farm to connect to Azure MFA
Enabling AD FS servers to connect with Azure Multi-Factor Auth Client
Enabling the AD FS farm to use Azure MFA
Enabling Azure MFA for authentication
Summary
Active Directory Rights Management Services
What is AD RMS?
AD RMS components
Active Directory Domain Services
The AD RMS cluster
Web server
SQL Server
AD RMS client
Active Directory Certificate Service
How does AD RMS work?
AD RMS deployment
Single forest – single cluster
Single forest – multiple clusters
AD RMS in multiple forests
AD RMS with AD FS
AD RMS configuration
Setting up the AD RMS root cluster
Installing the AD RMS role
Configuring the AD RMS role
Testing by protecting data using the AD RMS cluster
To protect the document
Summary
Active Directory Security Best Practices
Active Directory authentication
Delegating permissions
Predefined Active Directory administrator roles
Using object ACLs
Using the delegate control method in AD
Fine-grained password policies
Limitations
Resultant Set of Policy
Configuration
Pass-the-hash attacks
Protected Users security group
Restricted admin mode for RDP
Authentication policies and authentication policy silos
Authentication policies
Authentication policy silos
Creating authentication policies
Creating authentication policy silos
Just-in-time administration and just enough administration
Just-in-time administration
Just enough administration
Summary
Advanced AD Management with PowerShell
AD management with PowerShell – preparation
AD management commands and scripts
Replication
Replicating a specific object
Users and groups
Last logon time
Last login date report
Login failures report
Finding locked-out accounts
Password expiry report
JEA
JEA configuration
Testing
Summary
Azure Active Directory Hybrid Setup
What is Azure AD?
Benefits of Azure AD
Azure AD limitations
Azure AD editions
Azure AD free version
Azure AD Basic
Azure AD Premium P1
Azure AD Premium P2
Integrating Azure AD with on-premises AD
Azure AD Connect
Azure AD Connect deployment topology
Staging server
Before installing the AD Connect server
Step-by-step guide to integrate on-premises AD environment with Azure AD
Creating a virtual network
Creating an Azure AD instance
Adding DNS server details to the virtual network
Creating an AAD DC administrator group
Creating a global administrator account for Azure AD Connect
Adding a custom domain to Azure AD
Setting up Azure AD Connect
Password synchronization
Syncing NTLM and Kerberos credential hashes to Azure AD
Managing Azure AD Domain Services using a virtual server
Creating a virtual server in Azure in the same virtual network
Joining the virtual server to Azure AD
Installing RSAT tools and managing Azure AD through a virtual server
Summary
Active Directory Audit and Monitoring
Auditing and monitoring Active Directory using inbuilt Windows tools and techniques
Windows Event Viewer
Custom views
Windows logs
Applications and Services logs
Subscriptions
Active Directory Domain Service event logs
Active Directory Domain Service log files
Active Directory audit
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Detailed Directory Service Replication
Demonstration
Reviewing events
Setting up event subscriptions
Security event log from domain controllers
Enabling advanced security audit policies
Enforcing advanced auditing
Reviewing events with PowerShell
Microsoft Advanced Threat Analytics
ATA benefits
ATA components
ATA center
ATA gateway
ATA Lightweight Gateway
ATA deployments
ATA deployment prerequisites
Demonstration
Installing ATA center
Installing ATA Lightweight Gateway
ATA testing
Microsoft Operations Management Suite (OMS)
Benefits of OMS
OMS services
OMS in a hybrid environment
What benefits will it have for Active Directory?
Demonstration
Enabling OMS AD solutions
Installing OMS agents
Viewing analyzed data
Collecting Windows logs for analysis
Summary
Active Directory Troubleshooting
How to troubleshoot AD DS replication issues
Identifying replication issues
Event Viewer
System Center Operations Manager
Microsoft Operations Management Suite (OMS)
Troubleshooting replication issues
Lingering objects
Strict replication consistency
Removing lingering objects
DFS replication issues
Troubleshooting
Verifying the connection
SYSVOL share status
DFS replication status
DFSR crash due to dirty shutdown of the domain controller (event ID 2213)
Content freshness
Non-authoritative DFS replication
Authoritative DFS replication
How to troubleshoot Group Policy issues
Troubleshooting
Forcing Group Policy processing
Resultant Set of Policy (RSoP)
GPRESULT
Group Policy Results Wizard
Group Policy Modeling Wizard
How to troubleshoot AD DS database-related issues
Integrity checking to detect low-level database corruption
AD database recovery
Summary