Edition: 3
Authors: Dishan Francis
Series:
ISBN: 1801070393, 9781801070393
Publisher: Packt Publishing - ebooks Account
Year of publication: 2021
Number of pages: 779
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 34 MB
If you need the book Mastering Active Directory: Design, deploy, and protect Active Directory Domain Services for Windows Server 2022, 3rd Edition converted to PDF, EPUB, AZW3, MOBI or DJVU format, you can inform the support staff so that they can convert the file.
Note that the book Mastering Active Directory: Design, deploy, and protect Active Directory Domain Services for Windows Server 2022, 3rd Edition is the original-language edition and not a Persian translation. The International Library website provides books in their original language and does not offer any books translated into or written in Persian.
Table of Contents

Front matter: Cover, Copyright, Contributors, Table of Contents, Preface

Chapter 1: Active Directory Fundamentals
  Modern access management What is an Identity? The future of Identity and Access Management (IAM) The Rise of Cybercrime Zero trust security Password-less authentication Digital ID Hybrid Identity and Active Directory Domain Services Benefits of using Active Directory Centralized data repository The replication of data High availability Security Auditing capabilities Single sign-on (SSO) Schema modification Querying and indexing Understanding Active Directory components Logical components Forests Domains Domain trees Organizational units Physical components Domain controllers The global catalog server Active Directory sites Understanding Active Directory objects Globally unique identifiers and security identifiers Distinguished names Active Directory server roles Summary

Chapter 2: Active Directory Domain Services 2022
  The features of AD DS 2022 The deprecation of Windows Server 2003's forest and domain functional levels The deprecation of the File Replication service Privileged Access Management (PAM) The evolution of cyber crime Recent cyber-attacks A typical AD attack What does PAM have to do with AD DS 2022? What is the logic behind PAM? Time-based group memberships Windows Hello for Business Time sync improvements PowerShell 7 Summary

Chapter 3: Designing an Active Directory Infrastructure
  What makes a good system? New business requirements Correcting legacy design mistakes Gathering business requirements Defining security boundaries Identifying the physical computer network structure Designing the forest structure Single forest Multiple forests Creating the forest structure Autonomy Isolation Selecting forest design models The organizational forest model The resource forest model The restricted access forest model Designing the domain structure Single domain Regional domain The branch/site domain The number of domains Deciding on domain names The forest root domain Deciding on the domain and forest functional levels Designing the OU structure Designing the physical topology of Active Directory Physical or virtual domain controllers Domain controller placement Global catalog server placement Designing a hybrid identity Cloud approach Identifying business needs Synchronization Shared responsibility Cost Summary

Chapter 4: Active Directory Domain Name System
  What is DNS? Hierarchical naming structures Top-Level Domain managers (TLD managers) How DNS works DNS infrastructure design Integrate AD DS with existing DNS infrastructure Disjoint naming space Deploying AD-integrated new DNS infrastructure DNS essentials DNS records Start of authority record A and AAAA records NS records Mail exchanger records Canonical name records Pointer records SRV records Zones Primary zone Secondary zone Stub zones Reverse lookup zones Conditional forwarders DNS policies Secure DNS client over HTTPS (DoH) DNS server operation modes Zone transfers DNS delegation DNS service providers Summary

Chapter 5: Placing Operations Master Roles
  FSMO roles Schema operations master Domain-naming operations master PDC emulator operations master RID operations master role Infrastructure operations master FSMO role placement Active Directory's logical and physical topology Connectivity The number of domain controllers Capacity Best practices Moving FSMO roles Seizing FSMO roles Summary

Chapter 6: Migrating to Active Directory 2022
  AD DS installation prerequisites Hardware requirements Virtualized environment requirements Best practices for installing a domain controller in Microsoft Azure Additional requirements AD DS installation methods AD DS deployment scenarios Setting up a new forest root domain AD DS installation checklist for the first domain controller Design topology Installation steps Setting up an additional domain controller AD DS installation checklist for an additional domain controller Design topology Installation steps How to plan AD migrations Migration life cycle Auditing AD logical and physical topology AD health check SCOM and Azure Sentinel Application auditing Planning Implementation AD migration checklist Design topology Installation steps Verification Maintenance Summary

Chapter 7: Managing Active Directory Objects
  Tools and methods for managing objects Windows Admin Center Active Directory Administrative Center The ADUC MMC AD object administration with PowerShell Creating, modifying, and removing objects in AD Creating AD objects Creating user objects Creating computer objects Modifying AD objects Removing AD objects Finding objects in AD Finding objects using PowerShell Preventing the accidental deletion of objects AD recycle bin Summary

Chapter 8: Managing Users, Groups, and Devices
  Object attributes Custom attributes Syncing custom attributes to Azure AD User accounts Managed Service Accounts (MSAs) Group Managed Service Accounts (gMSAs) Uninstalling MSAs Groups Group scope Converting groups Setting up groups Devices and other objects Best practices Summary

Chapter 9: Designing the OU Structure
  OUs in operations Organizing objects Delegating control Group policies Containers vs. OUs Active Directory Groups vs. OUs OU design models The container model The object type model The functions model The geographical model The department model The hybrid model Managing the OU structure Delegating control Summary

Chapter 10: Managing Group Policies
  Benefits of group policies Maintaining standards Automating administration tasks Preventing users from changing system settings Flexible targeting No modifications to target Group Policy capabilities Group Policy objects The Group Policy container The Group Policy template Group Policy processing Group Policy inheritance Group Policy conflicts Group Policy mapping and status Administrative templates Group Policy filtering Security filtering WMI filtering Group Policy preferences Item-level targeting Loopback processing Group Policy best practices Useful group policies Summary

Chapter 11: Active Directory Services - Part 01
  Overview of AD LDS Where to use LDS Application development Hosted applications Distributed data stores for AD-integrated applications Migrating from other directory services The LDS installation AD replication FRS versus DFSR AD sites and replication Replication Authentication Service locations Sites Subnets Site links Site link bridges Managing AD sites and other components Managing sites Managing site links The site link cost Inter-site transport protocols Replication intervals Replication schedules The site link bridge Bridgehead servers Managing subnets How does replication work? Intra-site replication Inter-site replication The KCC How do updates occur? The Update Sequence Number (USN) The Directory Service Agent (DSA) GUID and invocation ID The High Watermark Vector (HWMV) table The Up-To-Dateness Vector (UTDV) table Summary

Chapter 12: Active Directory Services – Part 02
  Active Directory trusts Trust direction Transitive trusts vs Non-Transitive trusts Active Directory trust types Creating an Active Directory trust Firewall ports Conditional Forwarding Setting Up an Active Directory Forest Trust Testing RODCs Active Directory database maintenance The ntds.dit file The edb.log file The edb.chk file The temp.edb file Offline defragmentation Active Directory Backup and Recovery Preventing the accidental deletion of objects Active Directory Recycle Bin Active Directory snapshots Active Directory system state backup Active Directory recovery from system state backup Summary

Chapter 13: Active Directory Certificate Services
  PKI in action Symmetric keys versus asymmetric keys Digital encryption Digital signatures Signing, encryption, and decryption SSL certificates Types of certification authorities How do certificates work with digital signatures and encryption? What can we do with certificates? AD CS components The CA Certificate Enrollment Web Service Certificate Enrollment Policy Web Service Certification Authority Web Enrollment Network Device Enrollment Service Online Responder The types of CA Planning PKI Internal or public CAs Identifying the correct object types The cryptographic key length Hash algorithms The certificate validity period The CA hierarchy High availability Deciding certificate templates The CA boundary PKI deployment models The single-tier model The two-tier model Three-tier models Setting up a PKI Setting up a standalone root CA DSConfigDN CDP locations AIA locations CA time limits CRL time limits The new CRL Publishing the root CA data to Active Directory Setting up the issuing CA Issuing a certificate for the issuing CA Post-configuration tasks CDP locations AIA locations CA and CRL time limits Certificate templates Requesting certificates Migrating AD CS from Windows Server 2008 R2 to Windows Server 2022 Demo setup Backing up the configuration of the existing CA (Windows Server 2008 R2) Installing an AD CS role in the new Windows 2022 Server Restoring the configuration from the previous CA Testing AD CS disaster recovery Disaster recovery methods System state backup The certutil command utility + Registry Export The Backup-CARoleService PowerShell cmdlet + Registry Export Summary

Chapter 14: Active Directory Federation Services
  How does AD FS work? What is a claim? Security Assertion Markup Language (SAML) WS-Trust WS-Federation AD FS components Federation service AD FS 1.0 AD FS 1.1 AD FS 2.0 AD FS 2.1 AD FS 3.0 AD FS 4.0 What is new in AD FS 2022? The Web Application Proxy AD FS configuration database AD FS deployment topologies A single federation server A single federation server and single Web Application Proxy server Multiple federation servers and multiple Web Application Proxy servers with SQL Server AD FS deployment DNS records SSL certificates Installing the AD FS role Installing WAP Configuring the claims-aware application with new federation servers Creating a relying party trust Configuring the Web Application Proxy Integrating with Azure MFA Prerequisites Creating a certificate in an AD FS farm to connect to Azure MFA Enabling AD FS servers to connect with the Azure MFA client Enabling the AD FS farm to use Azure MFA Enabling Azure MFA for authentication Azure AD federation with AD FS Federation sign-in with Azure AD Creating federation trust between Azure AD and AD FS Configuring Azure AD Connect Testing Summary

Chapter 15: Active Directory Rights Management Services
  What is AD RMS? AD RMS components Active Directory Domain Services (AD DS) The AD RMS cluster Web server SQL Server The AD RMS client Active Directory Certificate Service (AD CS) How does AD RMS work? How do we deploy AD RMS? Single forest-single cluster Single forest-multiple clusters AD RMS in multiple forests AD RMS with AD FS AD RMS configuration Setting up an AD RMS root cluster Installing the AD RMS role Configuring the AD RMS role Testing – protecting data using the AD RMS cluster Testing – applying permissions to the document Azure Information Protection (AIP) Data classification Azure Rights Management Services (Azure RMS) How does Azure RMS work? AIP implementation Summary

Chapter 16: Active Directory Security Best Practices
  AD authentication The Kerberos protocol Authentication in an AD environment Delegating permissions Predefined AD administrator roles Using object ACLs Using the delegate control method in AD Implementing fine-grained password policies Limitations Resultant Set of Policy (RSoP) Configuration Pass-the-hash attacks The Protected Users security group Restricted admin mode for RDP Authentication policies and authentication policy silos Authentication policies Authentication policy silos Creating authentication policies Creating authentication policy silos Secure LDAP What are the characteristics of secure LDAP? Enable secure LDAP Microsoft Local Administrator Password Solution (LAPS) Review prerequisites Install Microsoft LAPS Update the AD schema Change computer object permissions Assign permissions to groups for password access Install CSE in Computers Create a GPO for LAPS settings Testing On-prem Azure AD Password Protection Azure AD Password Protection proxy Azure AD Password Protection DC agent How does Azure AD Password Protection work with AD? Configuration Testing Summary

Chapter 17: Advanced AD Management with PowerShell
  AD management with PowerShell – preparation PowerShell 7 AD management commands and scripts Replication Replicating a specific object Users and groups Last logon time Last login date report Login failures report Finding the locked-out account Password expire report Review the membership of the high-level administrative groups Dormant accounts Users with the Password Never Expires setting Azure Active Directory PowerShell Installation General commands Managing users Managing groups Microsoft Graph Microsoft Graph Explorer Summary

Chapter 18: Hybrid Identity
  Extending on-prem AD to Azure AD Evaluating the present business requirements Evaluating an organization's infrastructure road map Evaluating the security requirements Selecting the Azure AD version Deciding on a sign-in method Password hash synchronization Federation with Azure AD Pass-through authentication Azure AD Seamless SSO Synchronization between on-prem AD and an Azure AD managed domain Azure AD Connect Azure AD Connect deployment topology Staging the server Azure AD Connect cloud sync Azure AD Connect cloud sync prerequisites Azure AD Connect cloud sync configuration Step-by-step guide to integrating an on-prem AD environment with Azure AD Creating a virtual network Setting up an Azure AD managed domain Adding DNS server details to the virtual network Creating a Global Administrator account for Azure AD Connect Setting up Azure AD Connect Installing the Pass-through Authentication agent Azure AD Connect configuration Syncing NTLM and Kerberos credential hashes to Azure AD Enabling secure LDAP (LDAPS) for an Azure AD DS managed domain Enable secure LDAP (LDAPS) Allow secure LDAP traffic Testing Azure AD DS resiliency with replica sets Set up a new resource group for an additional replica set Set up a new virtual network for an additional replica set Set up global VNet peering between two virtual networks Create an Azure AD DS managed domain replica set Summary

Chapter 19: Active Directory Audit and Monitoring
  Auditing and monitoring AD using built-in Windows tools and techniques Windows Event Viewer Custom Views Windows Logs Applications and Services Logs Subscriptions AD DS event logs AD DS log files AD audit Audit Directory Service Access Audit Directory Service Changes Audit Directory Service Replication Audit Detailed Directory Service Replication Demonstration Reviewing events Setting up event subscriptions Security event logs from domain controllers Enabling advanced security audit policies Enforcing advanced auditing Reviewing events with PowerShell Microsoft Defender for Identity What is Microsoft Defender for Identity? Defender for Identity benefits Prevent Detect Investigate Respond Microsoft Defender for Identity architecture Microsoft Defender for Identity prerequisites Licenses Connectivity to the Defender for Identity cloud service Service accounts Honeytoken account Firewall ports Advanced audit policies NTLM auditing SAM-R Permissions Sizing tool Deployment Azure AD Connect Health Prerequisites Configuration Summary

Back matter: Packt Page, Index