Dedication
About Packt
Why subscribe?
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Section 1: Active Directory Planning, Design, and Installation
Active Directory Fundamentals
Benefits of using Active Directory
Centralized data repository
Replication of data
High availability
Security
Auditing capabilities
Single sign-on (SSO)
Schema modification
Querying and indexing
Understanding Active Directory components
Logical components
Forests
Domains
Domain trees
Organizational units
Physical components
Domain controllers
Global catalog server
Active Directory sites
Understanding Active Directory objects
Globally unique identifiers and security identifiers
Distinguished names
Active Directory server roles
Active Directory Domain Services
Read-only domain controllers
Active Directory Federation Services
Active Directory Lightweight Directory Services
Active Directory Rights Management Services
Active Directory Certificate Services
Azure AD
Centralized identity and access management
SSO experience
Domain services
Azure AD Application Proxy
Azure AD B2B
Azure AD B2C
Azure AD versions
Summary
Active Directory Domain Services 2016
Features of AD DS 2016
Deprecation of Windows Server 2003's forest and domain functional levels
Deprecation of File Replication Services
PAM
What does PAM have to do with AD DS 2016?
What is the logic behind PAM?
Time-based group memberships
Microsoft Passport
AD FS improvements
Time sync improvements
Azure AD join
Azure AD joined devices
Hybrid Azure AD join devices
Windows' current devices
Windows' down-level devices
Summary
Designing an Active Directory Infrastructure
What makes a good system?
New business requirements
Correcting legacy design mistakes
Gathering business data
Defining security boundaries
Identifying the physical computer network structure
Designing the forest structure
Single forest
Multiple forest
Creating the forest structure
Autonomy
Isolation
Selecting forest design models
The organizational forest model
The resource forest model
The restricted access forest model
Designing the domain structure
Single domain model
The regional domain model
The number of domains
Deciding on domain names
The forest root domain
Deciding on the domain and forest functional levels
Designing the OU structure
Designing the physical topology of Active Directory
Physical or virtual domain controllers
Domain controller placement
Global catalog server placement
Designing a Hybrid Identity
Cloud approach
Identifying business needs
Synchronization
Cost
Summary
Active Directory Domain Name System
What is DNS?
Hierarchical naming structures
How DNS works
DNS essentials
DNS records
Start of authority record
A and AAAA records
NS records
Mail exchanger records
Canonical name records
Pointer records
SRV records
Zones
Primary zone
Secondary zone
Stub zones
Reverse lookup zones
DNS server operation modes
Zone transfers
DNS delegation
DNS service providers
Summary
Placing Operations Master Roles
FSMO roles
Schema operations master
Domain-naming operations master
Primary domain controller emulator operations master
Relative ID operations master role
Infrastructure operations master
FSMO role placement
Active Directory's logical and physical topology
Connectivity
The number of domain controllers
Capacity
Moving FSMO roles
Seizing FSMO roles
Summary
Migrating to Active Directory 2016
AD DS installation prerequisites
Hardware requirements
Virtualized environment requirements
Additional requirements
AD DS installation methods
AD DS deployment scenarios
Setting up a new forest root domain
AD DS installation checklist for the first domain controller
Design topology
Installation steps
Setting up an additional domain controller
AD DS installation checklist for an additional domain controller
Design topology
Installation steps
Setting up a new domain tree
AD DS installation checklist for a new domain tree
Design topology
Installation steps
Setting up a new child domain
AD DS installation checklist for a new child domain
Design topology
Installation steps
How to plan Active Directory migrations
Migration life cycle
Auditing
Active Directory logical and physical topology
Active Directory health check
SCOM and Azure Monitor
Application auditing
Planning
Implementation
Active Directory migration checklist
Design topology
Installation steps
Verification
Maintenance
Summary
Section 2: Active Directory Administration
Managing Active Directory Objects
Tools and methods for managing objects
Active Directory Administrative Center
The ADUC MMC
AD object administration with PowerShell
Creating, modifying, and removing objects in AD
Creating AD objects
Creating user objects
Creating computer objects
Modifying AD objects
Removing AD objects
Finding objects in AD
Finding objects using PowerShell
Summary
Managing Users, Groups, and Devices
Object attributes
Custom attributes
User accounts
MSAs
gMSAs
Uninstalling MSAs
Groups
Group scope
Converting groups
Setting up groups
Devices and other objects
Best practices
Summary
Designing the OU Structure
OUs in operations
Organizing objects
Delegating control
Group policies
Containers versus OUs
OU design models
The container model
The object type model
The geographical model
The department model
Managing the OU structure
Delegating control
Summary
Managing Group Policies
Benefits of group policies
Maintaining standards
Automating administration tasks
Preventing users from changing system settings
Flexible targeting
No modifications to target
Group Policy capabilities
Group Policy objects
The Group Policy container
The Group Policy template
Group Policy processing
Group Policy inheritance
Group Policy conflicts
Group Policy mapping and status
Administrative templates
Group Policy filtering
Security filtering
WMI filtering
Group Policy preferences
Item-level targeting
Loopback processing
Group Policy best practices
Summary
Section 3: Active Directory Service Management
Active Directory Services
Overview of AD LDS
Where to use LDS?
Application developments
Hosted applications
Distributed data stores for AD-integrated applications
Migrating from other directory services
The LDS installation
AD replication
FRS versus DFSR
Prepared state
Redirected state
Eliminated state
AD sites and replication
Replication
Authentication
Service locations
Sites
Subnets
Site links
Site link bridges
Managing AD sites and other components
Managing sites
Managing site links
The site link cost
Inter-site transport protocols
Replication intervals
Replication schedules
The site link bridge
Bridgehead servers
Managing subnets
How does replication work?
Intra-site replications
Inter-site replications
The KCC
How do updates occur?
The Update Sequence Number (USN)
The Directory Service Agent (DSA) GUID and invocation ID
The High Watermark Vector (HWMV) table
The Up-To-Dateness Vector (UTDV) table
RODCs
AD database maintenance
The ntds.dit file
The edb.log file
The edb.chk file
The temp.edb file
Offline defragmentation
AD backup and recovery
Preventing the accidental deletion of objects
AD Recycle Bin
AD snapshots
AD system state backup
AD recovery from system state backup
Summary
Active Directory Certificate Services
PKI in action
Symmetric keys versus asymmetric keys
Digital encryption
Digital signatures
Signing, encryption, and decryption
SSL certificates
Types of certification authorities
How do certificates work with digital signatures and encryption?
What can we do with certificates?
AD CS components
The CA
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
Certification Authority Web Enrollment
Network Device Enrollment Service
Online Responder
The types of CA
Planning PKI
Internal or public CAs
Identifying the correct object types
The cryptographic key length
Hash algorithms
The certificate validity period
The CA hierarchy
High availability
Deciding certificate templates
The CA boundary
PKI deployment models
The single-tier model
The two-tier model
Three-tier models
Setting up a PKI
Setting up a standalone root CA
DSConfigDN
CDP locations
AIA locations
CA time limits
CRL time limits
The new CRL
Publishing the root CA data to AD
Setting up the issuing CA
Issuing a certificate for the issuing CA
Post-configuration tasks
CDP locations
AIA locations
CA and CRL time limits
Certificate templates
Requesting certificates
Summary
Active Directory Federation Services
How does AD FS work?
What is a claim?
Security Assertion Markup Language (SAML)
WS-Trust
WS-Federation
AD FS components
Federation service
AD FS 1.0
AD FS 1.1
AD FS 2.0
AD FS 2.1
AD FS 3.0
AD FS 4.0
What is new in AD FS 2019?
The Web Application Proxy
AD FS configuration database
AD FS deployment topologies
Single federation server
Single federation server and single Web Application Proxy server
Multiple federation servers and multiple Web Application Proxy servers with SQL Server
AD FS deployment
DNS records
SSL certificates
Installing the AD FS role
Installing WAP
Configuring the claims-aware application with new federation servers
Creating a relying party trust
Configuring the Web Application Proxy
Integrating with Azure MFA
Prerequisites
Creating a certificate in an AD FS farm to connect to Azure MFA
Enabling AD FS servers to connect with the Azure Multi-Factor Authentication client
Enabling the AD FS farm to use Azure MFA
Enabling Azure MFA for authentication
Summary
Active Directory Rights Management Services
What is AD RMS?
AD RMS components
Active Directory Domain Services (AD DS)
The AD RMS cluster
Web server
SQL Server
The AD RMS client
Active Directory Certificate Service (AD CS)
How does AD RMS work?
How do we deploy AD RMS?
Single forest–single cluster
Single forest–multiple clusters
AD RMS in multiple forests
AD RMS with AD FS
AD RMS configuration
Setting up an AD RMS root cluster
Installing the AD RMS role
Configuring the AD RMS role
Testing – protecting data using the AD RMS cluster
Testing – applying permissions to the document
Summary
Section 4: Best Practices and Troubleshooting
Active Directory Security Best Practices
AD authentication
The Kerberos protocol
Authentication in an AD environment
Delegating permissions
Predefined AD administrator roles
Using object ACLs
Using the delegate control method in AD
Implementing fine-grained password policies
Limitations
Resultant Set of Policy (RSoP)
Configuration
Pass-the-hash attacks
The Protected Users security group
Restricted admin mode for RDP
Authentication policies and authentication policy silos
Authentication policies
Authentication policy silos
Creating authentication policies
Creating authentication policy silos
JIT administration and JEA
JIT administration
JEA
Azure AD PIM
License requirements
Implementation guidelines
Implementation
AIP
Data classification
Azure Rights Management Services (Azure RMS)
Azure RMS versus AD RMS
How does Azure RMS work?
AIP scanner
AIP implementation
Summary
Advanced AD Management with PowerShell
AD management with PowerShell – preparation
AD management commands and scripts
Replication
Replicating a specific object
Users and Groups
Last logon time
Last login date report
Login failures report
Finding the locked-out account
Password expire report
JEA
JEA configuration
Testing
Azure Active Directory PowerShell
Installation
General commands
Managing users
Managing groups
Summary
Azure Active Directory Hybrid Setup
Integrating Azure AD with on-premises AD
Evaluating the present business requirements
Evaluating an organization's infrastructure road map
Evaluating the security requirements
Selecting the Azure AD version
Deciding on a sign-in method
Password hash synchronization
Federation with Azure AD
Pass-through authentication
Azure AD Seamless SSO
Synchronization between on-premises AD and Azure AD Managed Domain
Azure AD Connect
Azure AD Connect deployment topology
Staging the server
Step-by-step guide to integrating an on-premises AD environment with Azure AD
Creating a virtual network
Setting up Azure AD Managed Domain
Adding DNS server details to the virtual network
Creating a global administrator account for Azure AD Connect
Setting up Azure AD Connect
Installing the pass-through authentication agent
Azure AD Connect configuration
Syncing NTLM and Kerberos credential hashes to Azure AD
Summary
Active Directory Audit and Monitoring
Auditing and monitoring AD using in-built Windows tools and techniques
Windows Event Viewer
Custom views
Windows Logs
Applications and Services Logs
Subscriptions
Active Directory Domain Service event logs
Active Directory Domain Service log files
AD audit
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Detailed Directory Service Replication
Demonstration
Reviewing events
Setting up event subscriptions
Security event logs from domain controllers
Enabling advanced security audit policies
Enforcing advanced auditing
Reviewing events with PowerShell
Microsoft ATA
What is Microsoft ATA?
ATA benefits
ATA components
The ATA Center
The ATA Gateway
The ATA Lightweight Gateway
ATA deployment
ATA deployment prerequisites
Demonstration
Installing the ATA Center
Installing the ATA Lightweight Gateway
ATA testing
Azure Monitor
The benefits of Azure Monitor
Azure Monitor in a hybrid environment
What benefits will it have for AD?
Demonstration
Enabling Azure Monitor AD solutions
Installing Log Analytics agents
Viewing analyzed data
Azure AD Connect Health
Prerequisites
Demonstration
Summary
Active Directory Troubleshooting
Troubleshooting AD DS replication issues
Identifying replication issues
Event Viewer
System Center Operation Manager (SCOM)
Azure Monitor
Troubleshooting replication issues
Lingering objects
Strict replication consistency
Removing lingering objects
Issues involving DFS Replication
Troubleshooting
Verifying the connection
SYSVOL share status
DFS Replication Status
DFSR crash due to the dirty shutdown of the domain controller (event ID 2213)
Content Freshness
Non-authoritative DFS Replication
Authoritative DFS Replication
How to troubleshoot Group Policy issues
Troubleshooting
Forcing Group Policy processing
Resultant Set of Policy (RSoP)
GPRESULT
Group Policy Results Wizard
Group Policy Modeling Wizard
How to troubleshoot AD DS database-related issues
Integrity checking to detect low-level database corruption
AD database recovery
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think