Mastering Active Directory: Design, deploy, and protect Active Directory Domain Services for Windows Server 2022, 3rd Edition
- Length: 778 pages
- Edition: 3
- Language: English
- Publisher: Packt Publishing
- Publication Date: 2021-12-09
- ISBN-10: 1801070393
- ISBN-13: 9781801070393
- Sales Rank: #749489
Become an expert at managing enterprise identity infrastructure with Active Directory Domain Services 2022
Key Features
- Design and update your identity infrastructure by utilizing the latest Active Directory features and core capabilities.
- Overcome migration challenges as you update to Active Directory Domain Services 2022
- Establish a strong identity foundation in the cloud by consolidating secure access.
Book Description
Mastering Active Directory, Third Edition is a comprehensive guide for IT professionals who want to deepen their knowledge of Microsoft Windows Active Directory Domain Services. The book will help you use identity elements effectively and manage your organization's infrastructure securely and efficiently. This third edition has been fully updated to reflect the importance of cloud-based strong authentication and other tactics for protecting identity infrastructure from emerging security threats.
Mastering Active Directory, Third Edition provides extensive coverage of AD Domain Services and helps you explore its capabilities as you update to Windows Server 2022. The book also teaches you how to extend your on-premises identity presence to the cloud via an Azure AD hybrid setup. By the end of this Microsoft Active Directory book, you will feel confident in your ability to design, plan, deploy, protect, and troubleshoot your enterprise identity infrastructure.
What you will learn
- Install, protect, and manage Active Directory Domain Services (Windows Server 2022)
- Design your hybrid identity by evaluating business and technology requirements
- Automate administrative tasks in Active Directory using Windows PowerShell 7.x
- Protect sensitive data in a hybrid environment using Azure Information Protection
- Learn about Flexible Single Master Operation (FSMO) roles and their placement
- Manage directory objects effectively using administrative tools and PowerShell
- Centrally maintain the state of user and computer configuration by using Group Policies
- Harden your Active Directory using security best practices
Who This Book Is For
If you are an Active Directory administrator, system administrator, or IT professional who has basic knowledge of Active Directory and is looking to become an expert in this topic, this book is for you.
You need some experience working with Active Directory to make the most of this book.
Table of Contents
- Active Directory Fundamentals
- Active Directory Domain Services 2022
- Designing an Active Directory Infrastructure
- Active Directory Domain Name System
- Placing Operations Master Roles
- Migrating to Active Directory 2022
- Managing Active Directory Objects
- Managing Users, Groups, and Devices
- Designing the OU Structure
- Managing Group Policies
- Active Directory Services – Part 1
- Active Directory Services – Part 2
- Active Directory Certificate Services
- Active Directory Federation Services
- Active Directory Rights Management Services
- Active Directory Security Best Practices
- Advanced AD Management with PowerShell
- Hybrid Identity
- Active Directory Audit and Monitoring
- Active Directory Troubleshooting
- Bonus Chapter: Appendix A, References
Detailed Table of Contents
- Preface: Who this book is for; What this book covers; To get the most out of this book; Get in touch
- Active Directory Fundamentals: Modern access management; What is an Identity?; The future of Identity and Access Management (IAM); The Rise of Cybercrime; Zero trust security; Password-less authentication; Digital ID; Hybrid Identity and Active Directory Domain Services; Benefits of using Active Directory; Centralized data repository; The replication of data; High availability; Security; Auditing capabilities; Single sign-on (SSO); Schema modification; Querying and indexing; Understanding Active Directory components; Logical components; Forests; Domains; Domain trees; Organizational units; Physical components; Domain controllers; The global catalog server; Active Directory sites; Understanding Active Directory objects; Globally unique identifiers and security identifiers; Distinguished names; Active Directory server roles; Summary
- Active Directory Domain Services 2022: The features of AD DS 2022; The deprecation of Windows Server 2003's forest and domain functional levels; The deprecation of the File Replication service; Privileged Access Management (PAM); The evolution of cyber crime; Recent cyber-attacks; A typical AD attack; What does PAM have to do with AD DS 2022?; What is the logic behind PAM?; Time-based group memberships; Windows Hello for Business; Time sync improvements; PowerShell 7; Summary
- Designing an Active Directory Infrastructure: What makes a good system?; New business requirements; Correcting legacy design mistakes; Gathering business requirements; Defining security boundaries; Identifying the physical computer network structure; Designing the forest structure; Single forest; Multiple forests; Creating the forest structure; Autonomy; Isolation; Selecting forest design models; The organizational forest model; The resource forest model; The restricted access forest model; Designing the domain structure; Single domain; Regional domain; The branch/site domain; The number of domains; Deciding on domain names; The forest root domain; Deciding on the domain and forest functional levels; Designing the OU structure; Designing the physical topology of Active Directory; Physical or virtual domain controllers; Domain controller placement; Global catalog server placement; Designing a hybrid identity; Cloud approach; Identifying business needs; Synchronization; Shared responsibility; Cost; Summary
- Active Directory Domain Name System: What is DNS?; Hierarchical naming structures; Top-Level Domain managers (TLD managers); How DNS works; DNS infrastructure design; Integrate AD DS with existing DNS infrastructure; Disjoint naming space; Deploying AD-integrated new DNS infrastructure; DNS essentials; DNS records; Start of authority record; A and AAAA records; NS records; Mail exchanger records; Canonical name records; Pointer records; SRV records; Zones; Primary zone; Secondary zone; Stub zones; Reverse lookup zones; Conditional forwarders; DNS policies; Secure DNS client over HTTPS (DoH); DNS server operation modes; Zone transfers; DNS delegation; DNS service providers; Summary
- Placing Operations Master Roles: FSMO roles; Schema operations master; Domain-naming operations master; PDC emulator operations master; RID operations master role; Infrastructure operations master; FSMO role placement; Active Directory's logical and physical topology; Connectivity; The number of domain controllers; Capacity; Best practices; Moving FSMO roles; Seizing FSMO roles; Summary
- Migrating to Active Directory 2022: AD DS installation prerequisites; Hardware requirements; Virtualized environment requirements; Best practices for installing a domain controller in Microsoft Azure; Additional requirements; AD DS installation methods; AD DS deployment scenarios; Setting up a new forest root domain; AD DS installation checklist for the first domain controller; Design topology; Installation steps; Setting up an additional domain controller; AD DS installation checklist for an additional domain controller; Design topology; Installation steps; How to plan AD migrations; Migration life cycle; Auditing; AD logical and physical topology; AD health check; SCOM and Azure Sentinel; Application auditing; Planning; Implementation; AD migration checklist; Design topology; Installation steps; Verification; Maintenance; Summary
- Managing Active Directory Objects: Tools and methods for managing objects; Windows Admin Center; Active Directory Administrative Center; The ADUC MMC; AD object administration with PowerShell; Creating, modifying, and removing objects in AD; Creating AD objects; Creating user objects; Creating computer objects; Modifying AD objects; Removing AD objects; Finding objects in AD; Finding objects using PowerShell; Preventing the accidental deletion of objects; AD recycle bin; Summary
- Managing Users, Groups, and Devices: Object attributes; Custom attributes; Syncing custom attributes to Azure AD; User accounts; Managed Service Accounts (MSAs); Group Managed Service Accounts (gMSAs); Uninstalling MSAs; Groups; Group scope; Converting groups; Setting up groups; Devices and other objects; Best practices; Summary
- Designing the OU Structure: OUs in operations; Organizing objects; Delegating control; Group policies; Containers vs. OUs; Active Directory Groups vs. OUs; OU design models; The container model; The object type model; The functions model; The geographical model; The department model; The hybrid model; Managing the OU structure; Delegating control; Summary
- Managing Group Policies: Benefits of group policies; Maintaining standards; Automating administration tasks; Preventing users from changing system settings; Flexible targeting; No modifications to target; Group Policy capabilities; Group Policy objects; The Group Policy container; The Group Policy template; Group Policy processing; Group Policy inheritance; Group Policy conflicts; Group Policy mapping and status; Administrative templates; Group Policy filtering; Security filtering; WMI filtering; Group Policy preferences; Item-level targeting; Loopback processing; Group Policy best practices; Useful group policies; Summary
- Active Directory Services – Part 01: Overview of AD LDS; Where to use LDS; Application development; Hosted applications; Distributed data stores for AD-integrated applications; Migrating from other directory services; The LDS installation; AD replication; FRS versus DFSR; AD sites and replication; Replication; Authentication; Service locations; Sites; Subnets; Site links; Site link bridges; Managing AD sites and other components; Managing sites; Managing site links; The site link cost; Inter-site transport protocols; Replication intervals; Replication schedules; The site link bridge; Bridgehead servers; Managing subnets; How does replication work?; Intra-site replication; Inter-site replication; The KCC; How do updates occur?; The Update Sequence Number (USN); The Directory Service Agent (DSA) GUID and invocation ID; The High Watermark Vector (HWMV) table; The Up-To-Dateness Vector (UTDV) table; Summary
- Active Directory Services – Part 02: Active Directory trusts; Trust direction; Transitive trusts vs Non-Transitive trusts; Active Directory trust types; Creating an Active Directory trust; Firewall ports; Conditional Forwarding; Setting Up an Active Directory Forest Trust; Testing; RODCs; Active Directory database maintenance; The ntds.dit file; The edb.log file; The edb.chk file; The temp.edb file; Offline defragmentation; Active Directory Backup and Recovery; Preventing the accidental deletion of objects; Active Directory Recycle Bin; Active Directory snapshots; Active Directory system state backup; Active Directory recovery from system state backup; Summary
- Active Directory Certificate Services: PKI in action; Symmetric keys versus asymmetric keys; Digital encryption; Digital signatures; Signing, encryption, and decryption; SSL certificates; Types of certification authorities; How do certificates work with digital signatures and encryption?; What can we do with certificates?; AD CS components; The CA; Certificate Enrollment Web Service; Certificate Enrollment Policy Web Service; Certification Authority Web Enrollment; Network Device Enrollment Service; Online Responder; The types of CA; Planning PKI; Internal or public CAs; Identifying the correct object types; The cryptographic key length; Hash algorithms; The certificate validity period; The CA hierarchy; High availability; Deciding certificate templates; The CA boundary; PKI deployment models; The single-tier model; The two-tier model; Three-tier models; Setting up a PKI; Setting up a standalone root CA; DSConfigDN; CDP locations; AIA locations; CA time limits; CRL time limits; The new CRL; Publishing the root CA data to Active Directory; Setting up the issuing CA; Issuing a certificate for the issuing CA; Post-configuration tasks; CDP locations; AIA locations; CA and CRL time limits; Certificate templates; Requesting certificates; Migrating AD CS from Windows Server 2008 R2 to Windows Server 2022; Demo setup; Backing up the configuration of the existing CA (Windows Server 2008 R2); Installing an AD CS role in the new Windows 2022 Server; Restoring the configuration from the previous CA; Testing; AD CS disaster recovery; Disaster recovery methods; System state backup; The certutil command utility + Registry Export; The Backup-CARoleService PowerShell cmdlet + Registry Export; Summary
- Active Directory Federation Services: How does AD FS work?; What is a claim?; Security Assertion Markup Language (SAML); WS-Trust; WS-Federation; AD FS components; Federation service; AD FS 1.0; AD FS 1.1; AD FS 2.0; AD FS 2.1; AD FS 3.0; AD FS 4.0; What is new in AD FS 2022?; The Web Application Proxy; AD FS configuration database; AD FS deployment topologies; A single federation server; A single federation server and single Web Application Proxy server; Multiple federation servers and multiple Web Application Proxy servers with SQL Server; AD FS deployment; DNS records; SSL certificates; Installing the AD FS role; Installing WAP; Configuring the claims-aware application with new federation servers; Creating a relying party trust; Configuring the Web Application Proxy; Integrating with Azure MFA; Prerequisites; Creating a certificate in an AD FS farm to connect to Azure MFA; Enabling AD FS servers to connect with the Azure MFA client; Enabling the AD FS farm to use Azure MFA; Enabling Azure MFA for authentication; Azure AD federation with AD FS; Federation sign-in with Azure AD; Creating federation trust between Azure AD and AD FS; Configuring Azure AD Connect; Testing; Summary
- Active Directory Rights Management Services: What is AD RMS?; AD RMS components; Active Directory Domain Services (AD DS); The AD RMS cluster; Web server; SQL Server; The AD RMS client; Active Directory Certificate Service (AD CS); How does AD RMS work?; How do we deploy AD RMS?; Single forest-single cluster; Single forest-multiple clusters; AD RMS in multiple forests; AD RMS with AD FS; AD RMS configuration; Setting up an AD RMS root cluster; Installing the AD RMS role; Configuring the AD RMS role; Testing – protecting data using the AD RMS cluster; Testing – applying permissions to the document; Azure Information Protection (AIP); Data classification; Azure Rights Management Services (Azure RMS); How does Azure RMS work?; AIP implementation; Summary
- Active Directory Security Best Practices: AD authentication; The Kerberos protocol; Authentication in an AD environment; Delegating permissions; Predefined AD administrator roles; Using object ACLs; Using the delegate control method in AD; Implementing fine-grained password policies; Limitations; Resultant Set of Policy (RSoP); Configuration; Pass-the-hash attacks; The Protected Users security group; Restricted admin mode for RDP; Authentication policies and authentication policy silos; Authentication policies; Authentication policy silos; Creating authentication policies; Creating authentication policy silos; Secure LDAP; What are the characteristics of secure LDAP?; Enable secure LDAP; Microsoft Local Administrator Password Solution (LAPS); Review prerequisites; Install Microsoft LAPS; Update the AD schema; Change computer object permissions; Assign permissions to groups for password access; Install CSE in Computers; Create a GPO for LAPS settings; Testing; On-prem Azure AD Password Protection; Azure AD Password Protection proxy; Azure AD Password Protection DC agent; How does Azure AD Password Protection work with AD?; Configuration; Testing; Summary
- Advanced AD Management with PowerShell: AD management with PowerShell – preparation; PowerShell 7; AD management commands and scripts; Replication; Replicating a specific object; Users and groups; Last logon time; Last login date report; Login failures report; Finding the locked-out account; Password expire report; Review the membership of the high-level administrative groups; Dormant accounts; Users with the Password Never Expires setting; Azure Active Directory PowerShell; Installation; General commands; Managing users; Managing groups; Microsoft Graph; Microsoft Graph Explorer; Summary
- Hybrid Identity: Extending on-prem AD to Azure AD; Evaluating the present business requirements; Evaluating an organization's infrastructure road map; Evaluating the security requirements; Selecting the Azure AD version; Deciding on a sign-in method; Password hash synchronization; Federation with Azure AD; Pass-through authentication; Azure AD Seamless SSO; Synchronization between on-prem AD and an Azure AD managed domain; Azure AD Connect; Azure AD Connect deployment topology; Staging the server; Azure AD Connect cloud sync; Azure AD Connect cloud sync prerequisites; Azure AD Connect cloud sync configuration; Step-by-step guide to integrating an on-prem AD environment with Azure AD; Creating a virtual network; Setting up an Azure AD managed domain; Adding DNS server details to the virtual network; Creating a Global Administrator account for Azure AD Connect; Setting up Azure AD Connect; Installing the Pass-through Authentication agent; Azure AD Connect configuration; Syncing NTLM and Kerberos credential hashes to Azure AD; Enabling secure LDAP (LDAPS) for an Azure AD DS managed domain; Enable secure LDAP (LDAPS); Allow secure LDAP traffic; Testing; Azure AD DS resiliency with replica sets; Set up a new resource group for an additional replica set; Set up a new virtual network for an additional replica set; Set up global VNet peering between two virtual networks; Create an Azure AD DS managed domain replica set; Summary
- Active Directory Audit and Monitoring: Auditing and monitoring AD using built-in Windows tools and techniques; Windows Event Viewer; Custom Views; Windows Logs; Applications and Services Logs; Subscriptions; AD DS event logs; AD DS log files; AD audit; Audit Directory Service Access; Audit Directory Service Changes; Audit Directory Service Replication; Audit Detailed Directory Service Replication; Demonstration; Reviewing events; Setting up event subscriptions; Security event logs from domain controllers; Enabling advanced security audit policies; Enforcing advanced auditing; Reviewing events with PowerShell; Microsoft Defender for Identity; What is Microsoft Defender for Identity?; Defender for Identity benefits; Prevent; Detect; Investigate; Respond; Microsoft Defender for Identity architecture; Microsoft Defender for Identity prerequisites; Licenses; Connectivity to the Defender for Identity cloud service; Service accounts; Honeytoken account; Firewall ports; Advanced audit policies; NTLM auditing; SAM-R Permissions; Sizing tool; Deployment; Azure AD Connect Health; Prerequisites; Configuration; Summary
- Other Books You May Enjoy
- Index
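As an added example that is not part of the book or of this page: the three account-hygiene reports named in the "Advanced AD Management with PowerShell" chapter (membership of the high-level administrative groups, dormant accounts, and users with Password Never Expires) written against the RSAT ActiveDirectory module. The list of privileged groups, the 90-day inactivity threshold, and the output file names are assumptions; the SPN column is an addition that flags the accounts a Kerberoasting attacker would target first.

```powershell
# Added example (not from the book): AD account-hygiene reports built on the
# RSAT ActiveDirectory module. Run from a domain-joined host as a user with
# read access to the directory. Group list, thresholds and file names are
# assumptions; adjust them to your tiering model and policy.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Assumed set of tier-0 groups whose membership is reviewed on a schedule.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedGroupReport {
    # -Recursive expands nested groups so that indirect members are not missed.
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled,
                          LastLogonDate, PasswordLastSet
    }
}

function Get-DormantAccountReport {
    # Accounts with no logon in $Days days (90 is an assumed threshold).
    param([int]$Days = 90)
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object { $_.Enabled } |          # disabled accounts are already contained
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

function Get-PasswordNeverExpiresReport {
    # Enabled users whose password never expires. An SPN on such an account
    # means its long-lived password can be attacked offline via Kerberoasting.
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
               -Properties PasswordLastSet, ServicePrincipalName |
        Select-Object SamAccountName, PasswordLastSet,
                      @{ n = 'HasSPN'; e = { $_.ServicePrincipalName.Count -gt 0 } }
}

# Produce the three reports as CSV files for review (assumed file names).
Get-PrivilegedGroupReport         | Export-Csv .\privileged-members.csv     -NoTypeInformation
Get-DormantAccountReport -Days 90 | Export-Csv .\dormant-users.csv          -NoTypeInformation
Get-PasswordNeverExpiresReport    | Export-Csv .\password-never-expires.csv -NoTypeInformation
```

The SPN flag is the field to act on first: a "Password Never Expires" account that also carries an SPN should be converted to a group Managed Service Account (covered in the "Managing Users, Groups, and Devices" chapter) or given a long random password, and any privileged-group member that appears in the dormant report should be removed rather than merely disabled.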
How to download the source code
1. Go to: https://github.com/PacktPublishing
2. In the "Find a repository…" box, search for the book title: Mastering Active Directory: Design, deploy, and protect Active Directory Domain Services for Windows Server 2022, 3rd Edition. If that returns no results, search for the main title only.
3. Click the book title in the search results.
4. Click Code to download.