Install and Configure Active Directory Domain Services

Similar documents
Manage and Maintain Active Directory Domain Services

70-742: Identity in Windows Server Course Overview

Top Critical Changes to Audit

Back to Basics IT Infrastructure Configuration Tips & Tricks Active Directory / Group Policy / Exchange

Identity with Windows Server 2016 (742)

Become an Active Directory Auditing Superstar: an all-in-one guide!

Product Overview. Netwrix Auditor. Presenter: Jeff Melnick Manager of Sales Engineering x 971

What s New in Netwrix Auditor 8.0. PRESENTER: Jeff Melnick Manager of Sales Engineering x 971

Netwrix Auditor for File Servers and SQL Server

TestOut Server Pro 2016: Identity - English 4.0.x LESSON PLAN. Revised

Course Outline 20742B

Identity with Windows Server 2016

Identity with Windows Server 2016

M20742-Identity with Windows Server 2016

At Course Completion: Course Outline: Course 20742: Identity with Windows Server Learning Method: Instructor-led Classroom Learning

20742: Identity with Windows Server 2016

METHODOLOGY This program will be conducted with interactive lectures, PowerPoint presentations, discussions and practical exercises.

MOC 6232A: Implementing a Microsoft SQL Server 2008 Database

Tracking changes in Hybrid Identity environments with both Active Directory and Azure Active Directory

Identity with Windows Server 2016 (20742)

Top 7 Questions to Assess Data Security in the Enterprise

COURSE OUTLINE. COURSE OBJECTIVES After completing this course, students will be able to: 1 - INSTALLING & CONFIGURING DCS

How to Survive an IT Audit and Thrive Off It!

Identity with Microsoft Windows Server 2016 (MS-20742)

Microsoft - Configuring Windows Server 2008 Active Directory Domain Services (M6425)

Course Outline. Pearson: MCSA Cert Guide: Identity with Windows Server 2016 (Course & Lab)

Netwrix Auditor. Know Your Data. Protect What Matters. Roy Lopez Solutions Engineer

This module provides an overview of multiple Access and Information Protection (AIP) technologies

Server : Manage and Administer 3 1 x

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

COURSE OUTLINE MOC 10969: ACTIVE DIRECTORY SERVICES WITH WINDOWS SERVER MODULE 1: OVERVIEW OF ACCESS AND INFORMATION PROTECTION

Course Outline. Pearson: MCSA Cert Guide: Identity with Windows Server

HOW TO MAXIMIZE THE VALUE OF YOUR SPLUNK INVESTMENT. PRESENTER: Adam Stetson Presales Engineer

MCSE Server Infrastructure. This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams

Don't 'WannaCry' No More: How to Shield Your IT Infrastructure from Ransomware. Netwrix Corporation Roy Lopez System Engineer

MCSA Windows Server 2012

70-647: Windows Server Enterprise Administration Course 01 Planning for Active Directory

Netwrix Auditor. Visibility platform for user behavior analysis and risk mitigation. Mason Takacs Systems Engineer

Active Directory Services with Windows Server

Designing and Operating a Secure Active Directory.

Monitoring Active Directory: Both Azure AD and On-Premise AD and How Synchronization and Federation Play In

Microsoft Certified Solution Associate Windows Server 2016 Training

Active Directory Services with Windows Server

MCSA: Windows Server MCSA 2016 Windows 2016 Server 2016 MCSA 2016 MCSA : Installation, Storage, and Compute with Windows Server 2016

Active Directory Services with Windows Server

COURSE OUTLINE: OD10969B Active Directory Services with Windows Server

ASM Educational Center (ASM) Est. 1992

Outsmarting Ransomware: Hints and Tricks. Netwrix Corporation Adam Stetson System Engineer

Windows Server 2016 MCSA Bootcamp

Windows Server 2008 Administration

MOC 20417C: Upgrading Your Skills to MCSA Windows Server 2012

Q&As. Identity with Windows Server Pass Microsoft Exam with 100% Guarantee

Microsoft Active Directory Services with Windows Server

PROPOSAL OF WINDOWS NETWORK

Course 10969: Active Directory services with Windows Server

ACTIVE DIRECTORY SERVICES WITH WINDOWS SERVER

MCSA Windows Server 2012 Configuring Advanced Services

Installing and Configuring Windows Server 2012 R2

"Charting the Course... MOC B Active Directory Services with Windows Server Course Summary

Administering. Windows Server 2012 R2. Exam Wiley. Patrick Regan

MOC 20417B: Upgrading Your Skills to MCSA Windows Server 2012

10969B: Active Directory Services with Windows Server

Withstanding Ransomware Attack: A Step-by-Step Guide Presenter:

Installation, Storage, and Compute with Windows Server

MCSA Windows Server 2012

10969: Active Directory Services with Windows Server

(Installation, Storage, and Compute with Windows Server 2016)

MCSA Windows Server A Success Guide to Prepare- Microsoft Upgrading Your Skills to MCSA Windows Server edusum.

IT222 Microsoft Network Operating Systems II

MOC 6419B: Configuring, Managing and Maintaining Windows Server based Servers

Exam Blueprint (Updated 2/18/14)

Deploy and Configure Microsoft LAPS. Step by step guide and useful tips

MCITP CURRICULUM Windows 7

Ten most common Mistakes with AD FS and Hybrid Identity. Sander Berkouwer MVP, DirTeam.com

This course provides students with the knowledge and skills to administer Windows Server 2012.

Exam Identity with Windows Server 2016

70-640_formatted. Number: Passing Score: 800 Time Limit: 120 min File Version: 1.0.

Installing and Configuring Windows Server 2012

Microsoft Certkiller Exam Bundle

Microsoft Certified Solutions Expert (MCSE)

70-410: Installing and Configuring Windows Server 2012

MOC 20410C: Installing and Configuring Windows Server 2012

Microsoft Exchange Server Active Directory Schema Changes Reference November 2011

Microsoft Windows Server 2008 Functionality Changes. Powered by Microsoft TechNet

Course Content of MCSA ( Microsoft Certified Solutions Associate )

Microsoft Certified Solutions Associate (MCSA)

MOC 20411B: Administering Windows Server Course Overview

Server : Advanced Services 3 1 x

MS Exam Objectives Installing and Configuring Windows Server 2012 R2

Fundamentals of Windows Server 2008 Active Directory

COPYRIGHTED MATERIAL. Contents. Assessment Test

Exam Questions

Active Directory Force Replication Command Line 2003

HIPAA Controls. Powered by Auditor Mapping.

CISNTWK-11. Microsoft Network Server. Chapter 4

Exam Name: TS: Upgrading from Windows Server 2003 MCSA to Windows Server 2008,Technology Specializations

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services (Course 6425A)

Active Directory Change Schema Master Greyed Out

What s in Installing and Configuring Windows Server 2012 (70-410):

20413B: Designing and Implementing a Server Infrastructure

Transcription:

Active Directory 101 Install and Configure Active Directory Domain Services Sander Berkouwer CTO at SCCT 10-fold Microsoft MVP Active Directory aficionado Daniel Goater Systems Engineer Netwrix

Active Directory 101 Microsoft exam 70-742 Identity with Windows Server 2016 Active Directory 101 vs. Exam 70-742 o o o o o Implement and manage a certificate authority (CA) hierarchy with AD CS Deploy and manage certificates Implement and administer Active Directory Federation Services (AD FS) Implement and administer Active Directory Rights Management Services (AD RMS) Implement synchronization between AD DS and Azure AD o o o o o o o o o Monitor, troubleshoot, and establish business continuity for AD DS services Secure AD DS and user accounts Manage user settings by using GPOs Implement and manage Group Policy Configure and manage replication Implement AD DS sites Implement AD DS in complex environments Manage objects in AD DS Install and configure Domain Controllers

Agenda An introduction to Active Directory Domain Services Active Directory Domain Controllers Deploying a Domain Controller Managing Active Directory Netwrix Auditor s reporting functionality

An introduction to Active Directory Domain Services

Active Directory (Domain Services) Logical components Partitions Schema Domains Forests Sites Containers Organizational Units Physical components Domain Controllers Read-only Domain Controllers Databases (ntds.dit) The System Volume (SYSVOL) Global Catalog Servers

How the components relate to each other Domain Controllers are grouped In forests to create administrative and schema boundaries In domains and sites to govern replications Each Domain Controllers hosts the Active Directory database and SYSVOL The database and system volume is replicated throughout the domain Each Domain Controllers respects the central schema The schema is set per Active Directory forest Objects are created in the database The schema defines the object classes, but objects themselves live in partitions Objects can be grouped in hard-coded containers and Organizational Units

Containers and Organizational Units (OUs) Both can hold objects within an Active Directory domain Containers are built-in Cannot be created or deleted using the graphical tools or PowerShell Cannot be assigned Group Policies, offer no delegation options Used for system objects and default locations Organizational Units (OUs) are for you One built-in OU: Domain Controllers Can be created and deleted at will For dividing objects into object types, geographic locations, departments, etc. Can be assigned Group Policies and offer delegation options Used for everything and their mothers

Why do you think? What would be the reason Active Directory, by default, places new objects in a container instead of an OU? A. Microsoft don t know what they re doing B. So AD admins cannot mess up new objects from the start C. So AD admins cannot lock themselves out trough delegation mistakes

Recent changes in Active Directory Windows Server 2016 Privileged Access Management Azure AD Join Windows Hello for Business Windows Server 2012 R2 Authentication Policies Authentication Policy Silos Protected Users

Active Directory Domain Controllers

All Domain Controllers are equal* Domain Controllers are 99% equal, with three exceptions: 1. Flexible Single Master Operations (FSMO) role holders To support the multi-master model (every Domain Controllers is writable) Two forest-wide roles (Schema Master, Domain Naming Master) Three domain-wide roles (PDC Emulator, RID Master, Infrastructure Master) 2. Global Catalog Servers (GCs) In multi-domain environments, the Global Catalog caches essential attributes on objects in other domains, thus holds more information This speeds up authentication and makes it more reliable 3. Read-only Domain Controllers (RODCs) Introduced in Active Directory in Windows Server 2008 Host a read-only copy of the Active Directory database (and DNS) Can be scoped for authenticating and caching certain objects, only Ideal for branch offices, not so much for perimeter networks

The role of the Global Catalog Domain A Schema Configuration GC Domain A Schema Configuration Schema Configuration GC Domain Controller Domain A Domain B Domain A Schema Configuration Domain Controller Domain Controller Domain B Domain Controller File Server Domain B

Domain Controllers are Access Points Host the database Ntds.dit Offer file shares (over SMB) The System Volume (SYSVOL) share Offer authentication Services Kerberos (as Key Distribution Centers, KDCs) LDAP, NTLM and LM Tips! Make sure you deploy at least two Domain Controllers per domain. Deploy Read-only Domain Controllers for insecure branch offices.

DNS, Active Directory s Achilles Heel Everything s connected Domain Controllers find other Domain Controllers through DNS Domain-joined devices find Domain Controllers through DNS Domain Controllers register DNS SRV records For their authentication services (GC, Kerberos) When a domain-joined device queries DNS, by default All Domain Controllers in its site are returned All Domain Controllers in the nearest site are returned (empty site) A random list of Domain Controllers is returned (multiple empty sites)

Deploying a Domain Controller

Deployment options for Domain Controllers 1. Install the Active Directory Domain Services Role Use Server Manager to install the Role (remotely) PowerShell: Install-WindowsFeature AD-Domain-Services -IncludeManagementTools 2. Choose the deployment option A Domain Controller for an existing domain Use the Active Directory Domain Services Configuration Wizard (remotely) Dcpromo.exe /unattend Install-ADDSDomainController A Domain Controller for new Domain in an existing Forest Use the Active Directory Domain Services Configuration Wizard (remotely) Dcpromo.exe /unattend Install-ADDSDomain A Domain Controller for a new Forest Use the Active Directory Domain Services Configuration Wizard (remotely) Dcpromo.exe /unattend Install-ADDSForest

Rapid Deployment options Install from Media (IfM) Ideal for new Domain Controllers in branch offices with limited WAN connectivity Export ntds.dit and SYSVOL with ntdsutil.exe and take on disk Use the Install from Media section on the Additional Options page when promoting the new branch office Domain Controllers, then only replicate changes Domain Controller Cloning Ideal for virtualized Domain Controllers, Windows Server 2012, and up. Depends on the VM-GenerationID feature by the hypervisor Governed by Cloneable Domain Controllers group memberships, so fabric admins cannot use it to clone off Domain Controllers

Managing Active Directory

Choose your weapon Active Directory Administrative Center Introduced in Windows Server 2012 Windows PowerShell ActiveDirectory module ADDSDeployment module Active Directory Users and Computers Active Directory Sites and Services Active Directory Domains and Trusts Active Directory Schema snap-in The ds* tools (dsadd.exe, dsquery.exe, dsget.exe, etc.)

Active Directory objects User objects Used to log on interactively by colleagues, as a service Typical attributes: userprincipalname, g, sn Can use profiles for centralized storage of settings and default folders Group objects Two types: security groups (with sids) and distribution groups (no sids) Four scopes: Local, Domain-local, Universal and Global groups Computer objects Object is used to create the Secure Channel, based on object password

Default objects and their locations Object Type Container Administrator User Users Krbtgt User Users Enterprise Admins Group Users Schema Admins Group Users Administrators Group Built-in Domain Admins Group Users Server Operators Group Built-in Account Operators Group Built-in Backup Operators Group Built-in Print Operators Group Built-in Cert Publishers Group Built-in Everyone Group - Authenticated Users Group -

Object management with PowerShell PowerShell Cmdlet New-ADUser Set-ADUser Remove-ADUser Set-ADAccountPassword Set-ADAccountExpiration Unlock-ADAccount Enable-ADAccount Disable-ADAccount New-ADGroup Add-ADGroupMember Test-ComputerSecureChannel Reset-ComputerMachinePassword New-ADOrganizationalUnit Use it to: Create a user object in Active Directory Modify attributes for a user object in Active Directory Delete user object from Active Directory Reset the password for a user object in Active Directory Modify the expiration date for a user object Unlock a user object, after it has become locked after too many sign-in attempts Enable a user object Disable a user object Create a group in Active Directory Add an object as a member of a group Verify and repair the trust relationship for a device Resets the password for a computer object Create an OU in Active Directory

Delegation of Control Beyond the default delegation settings, based on default objects, permissions on objects can be granted to users or groups The Delegation of Control Wizard can be used to assign common administrative tasks, beyond the defaults available like Account Operators, Server Operators, Backup Operators, etc. Beyond the Delegation of Control Wizard, the advanced security properties for an OU allow you to grant even more granular permissions

Best practices when managing objects Apply a naming convention to all types of objects and OUs Disable unused objects, delete stale objects Apply Global-(Universal)-DomainLocal group nesting (unless you risk running into token bloat issues) Use Restricted Groups to govern local group memberships Divide servers and devices into roles per OU, per admin group Restrict users from creating the default 10 computer objects Do not use the built-in delegated groups, unless you re 100% confident their scope and permissions are 100% correct

Active Directory

About Netwrix Corporation Year of foundation: 2006 Headquarters location: Irvine, California Customer support: global 24/5 support with 97% customer satisfaction Global customer base: over 9,000 Recognition: Among the fastest growing software companies in the US with 140 industry awards from Redmond Magazine, SC Magazine, Windows IT Pro and others

Active Directory Active Directory and Group Policy changes Logon auditing State-in-Time information on configurations Risk Assessment Inactive user tracking and password expiration alerting Change rollback wizard Active Directory Azure AD Exchange Office 365 Windows File Servers EMC NetApp SharePoint Oracle Database SQL Server Windows Server VMware

Netwrix Auditor Unified Platform Active Directory Exchange Windows Server Free Add-Ons Windows File Servers EMC NetApp Azure AD Office 365 SharePoint Linux Unix SQL Server Oracle Database VMware

Netwrix Auditor Demonstration

Next Steps Join us for the next sessions of the series: Manage and Maintain AD Domain Services Thursday, 13 th September @ 2 pm BST / 3 pm CEST Create and Manage Group Policy Thursday, 20 th September @ 2 pm BST / 3 pm CEST https://www.netwrix.com/active_directory_101_nemea.html Watch the recording of the Netwrix webinar Tracking Changes in Hybrid AD environments Install an Active Directory Domain Controller in a testlab Contact Sales to obtain more information netwrix.com/contactsales

Questions? Thank you! Sander Berkouwer CTO at SCCT 10-fold Microsoft MVP Active Directory aficionado Daniel Goater Systems Engineer Netwrix www..com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback