20742B
Identity with Windows Server 2016
Course outline
Module 1
Installing and configuring domain controllers
Module 2
Managing objects in AD DS
Module 3
Advanced AD DS infrastructure management
Module 4
Implementing and administering AD DS sites and replication
Module 5
Implementing Group Policy
Module 6
Managing user settings with Group Policy
Course outline, continued
Module 7
Securing Active Directory Domain Services
Module 8
Deploying and managing AD CS
Module 9
Deploying and managing certificates
Module 10
Implementing and administering AD FS
Module 11
Implementing and administering AD RMS
Module 12
Implementing AD DS synchronization with Microsoft Azure AD
Module 13
Monitoring, managing, and recovering AD DS
Windows Server 2016 certification path
MCSA: Windows Server 2016
VM environment
Module 1
Installing and configuring domain controllers
AD DS components
AD DS is composed of both logical and physical components
What is the AD DS schema?
What is an AD DS forest?
What is an AD DS domain?
The domain is a replication boundary
The domain is an administrative center for configuring and managing objects
Any domain controller can authenticate any sign-in anywhere in the domain
The domain provides authorization
AD DS requires one or more domain controllers
All domain controllers hold a copy of the domain database, which is continually synchronized
The domain is the context within which user accounts, computer accounts, and groups are created
What are OUs?
Use containers to group objects within a domain:
You cannot apply GPOs to containers
Containers are used for system objects and as the default location for new objects
Create OUs to:
Configure objects by assigning GPOs to them
Delegate administrative permissions
What is new in AD DS in Windows Server 2016?
PAM
Azure AD Join
Microsoft Passport
What is Azure AD?
Module Overview
Overview of AD DS
Overview of AD DS domain controllers
Deploying a domain controller
Overview of AD DS administration tools
You typically perform AD DS management by using the following tools:
Active Directory Administrative Center
Active Directory Users and Computers
Active Directory Sites and Services
Active Directory Domains and Trusts
Active Directory Schema snap-in
Active Directory module for Windows PowerShell
What is a domain controller?
Domain controllers:
Are servers that host the AD DS database (Ntds.dit) and SYSVOL
Host the Kerberos authentication service and KDC services to perform authentication
Have best practices for:
Availability: Use at least two domain controllers in a domain
Security: Use an RODC or BitLocker
What is a global catalog?
Overview of domain controller SRV records
Clients find domain controllers through DNS lookup
Domain controllers dynamically register their addresses with DNS
The results of DNS queries for domain controllers are returned in this order:
1. A list of domain controllers in the same site as the client
2. A list of domain controllers in the next closest site, if none are available in the same site
3. A random list of domain controllers in other sites, if no domain controller is available in the next closest site
What are operations masters?
In the multimaster replication model, some operations must be single master operations
Many terms are used for single master operations in AD DS, including:
Operations master (or operations master role)
Single master role
Flexible single master operations (FSMO)
The five FSMOs
Forest:
Domain naming master
Schema master
Domain:
RID master
Infrastructure master
PDC emulator master
Transferring and seizing roles
Transferring is:
Planned
Done with the latest data
Done through snap-ins, Windows PowerShell, or ntdsutil.exe
Seizing is:
Unplanned and a last resort
Done with incomplete or out-of-date data
Done through Windows PowerShell or ntdsutil.exe
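As an added example (not part of the course slides), the transfer and seize paths look like this with the Active Directory module. LON-DC2 as the new role holder and adatum.com as the domain are assumed names.

```powershell
Import-Module ActiveDirectory

# Who holds each role right now? (adatum.com is an assumed domain name)
Get-ADForest -Identity adatum.com | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain -Identity adatum.com | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Planned transfer: the current holder and LON-DC2 (assumed) are both online, so the
# roles move together with the holder's latest data (for example the RID pool state).
Move-ADDirectoryServerOperationMasterRole -Identity "LON-DC2" `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Seizure: only when the current holder is gone for good. -Force makes the cmdlet
# seize the role if a normal transfer fails. The old holder must never come back
# online afterwards; remove its metadata with ntdsutil ("metadata cleanup") first.
Move-ADDirectoryServerOperationMasterRole -Identity "LON-DC2" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

# Verify from any domain controller
netdom query fsmo
```

The only difference between the two calls is -Force; keep it out of routine maintenance scripts so that a transfer can never silently turn into a seizure.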
Installing a domain controller from Server Manager
The Deployment Configuration section of the Active Directory Domain Services Configuration Wizard
Installing a domain controller on a Server Core
installation of Windows Server 2016
Using Server Manager:
1. Install the AD DS role
2. Run the Active Directory Domain Services Configuration Wizard
Using Windows PowerShell:
1. Install the files by running the command Install-WindowsFeature AD-Domain-Services
2. Install the domain controller role by running the command Install-ADDSDomainController
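The two PowerShell steps above, carried through as an added example that is not from the course materials. LON-SVR1 as the Server Core box, LON-DC1 at 172.16.0.10 as the existing DC and DNS server, adatum.com and the interface alias are all assumed.

```powershell
# Run in an elevated PowerShell session on the Server Core server (assumed name
# LON-SVR1). LON-DC1 at 172.16.0.10 is the assumed existing DC and DNS server.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 172.16.0.10

# 1. Install the binaries and the RSAT tools; nothing is promoted yet.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 2. Promote. The DSRM password unlocks ntds.dit offline, so it is as sensitive as
#    a Domain Admin password: prompt for it, never hard-code it in the script.
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString "DSRM (Safe Mode) administrator password"
$cred = Get-Credential "ADATUM\Administrator"

# Dry run: checks prerequisites (DNS, permissions, schema) without changing anything.
Test-ADDSDomainControllerInstallation -DomainName "adatum.com" -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns

Install-ADDSDomainController -DomainName "adatum.com" -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName "Default-First-Site-Name" `
    -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" `
    -Force   # suppresses the confirmation prompt only; the server still reboots when done
```

To promote from a central location, wrap the same commands in Invoke-Command -ComputerName LON-SVR1 -Credential; the secure string and the credential then travel into the session as $using: variables.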
Installing a domain controller by installing from media
The Install from media section on the Additional Options page of the Active Directory Domain Services Configuration Wizard
Cloning domain controllers
You might clone domain controllers for:
Rapid deployment
Private clouds
Recovery strategies
To clone a source domain controller:
Add the domain controller to the Cloneable Domain Controllers group
Verify app and service compatibility
Create a DCCloneConfig.xml file
Export it once, and then create as many clones as
needed
Start the clones
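The cloning steps above as an added example (not the course's own lab code). LON-DC1 as the source DC, LON-HOST1 as its Hyper-V host, LON-DC3 and 172.16.0.12 for the clone, and the export path are assumed.

```powershell
# Run on the source DC (assumed LON-DC1, a Hyper-V VM on host LON-HOST1).
Import-Module ActiveDirectory

# Authorize this DC to be cloned
Add-ADGroupMember -Identity "Cloneable Domain Controllers" -Members (Get-ADComputer "LON-DC1")

# Any installed service not on the built-in allow list blocks cloning. Review the
# list; -GenerateXml writes CustomDCCloneAllowList.xml, which you should only
# create after deciding each entry is safe to duplicate with a new identity.
$blocked = Get-ADDCCloningExcludedApplicationList
if ($blocked) {
    $blocked | Format-Table Name, Type -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# Write DCCloneConfig.xml into the NTDS folder; it is consumed once at first boot
New-ADDCCloneConfigFile -CloneComputerName "LON-DC3" -SiteName "Default-First-Site-Name" `
    -Static -IPv4Address "172.16.0.12" -IPv4SubnetMask "255.255.0.0" `
    -IPv4DefaultGateway "172.16.0.1" -IPv4DNSResolver "172.16.0.10"

# On the Hyper-V host: export the powered-off source and import it as a new copy.
# The export contains ntds.dit with every password hash in the domain; keep it on
# an encrypted volume and delete it once the clone has booted.
Invoke-Command -ComputerName LON-HOST1 -ScriptBlock {
    Stop-VM -Name "LON-DC1"
    Export-VM -Name "LON-DC1" -Path "E:\Exports"
    Start-VM -Name "LON-DC1"
    $vmcx = (Get-ChildItem "E:\Exports\LON-DC1\Virtual Machines\*.vmcx").FullName
    Import-VM -Path $vmcx -Copy -GenerateNewId `
        -VirtualMachinePath "E:\VMs\LON-DC3" -VhdDestinationPath "E:\VMs\LON-DC3" |
        Rename-VM -NewName "LON-DC3" -PassThru | Start-VM
}
```

The clone detects the changed VM-GenerationID at first boot, reads DCCloneConfig.xml, and promotes itself with a new name, invocation ID and RID pool; without that file it boots in DSRM instead of becoming a duplicate DC.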
Lab Scenario
You are an IT administrator at A. Datum
Corporation. The company is expanding its
business and has several new locations. The AD DS
administration team is currently evaluating the
methods available in Windows Server 2016 for a
rapid and remote domain controller deployment.
Also, the team is looking for a way to automate
certain AD DS administrative tasks. The team
wants a fast and seamless deployment of new
domain controllers for new locations, and it wants
to promote servers to domain controllers from a
central location.
Lab: Deploying and administering AD DS
Exercise 1: Deploying AD DS
Exercise 2: Deploying domain controllers by
performing domain controller cloning
Exercise 3: Administering AD DS
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-SVR1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 45 minutes
Module 2
Managing objects in AD DS
Module Overview
Managing user accounts
Managing groups in AD DS
Managing computer objects in AD DS
Using Windows PowerShell for AD DS
administration
Implementing and managing OUs
Creating user accounts
User accounts:
Allow or deny access to sign in to computers
Grant access to processes and services
Manage access to network resources
User accounts can be created by using:
Active Directory Users and Computers
Active Directory Administrative Center
Windows PowerShell
The dsadd directory command-line tool
Considerations for naming users include:
Naming formats
UPN suffixes
Creating user profiles
The Profile section of the User Properties window
User account templates
User templates simplify the creation of new user accounts
A template account is copied to create the new user account; the attributes carried over include:
Group memberships
Home directory path
Profile path
Logon scripts
Password settings
Department
Manager
Group types
Distribution groups
Used only with email applications
Not security enabled (no SID)
Cannot be given permissions
Security groups
Security principal with a SID
Can be given permissions
Can also be email-enabled
You can convert security groups to distribution groups
and distribution groups to security groups
Group scopes
Local groups (on a member computer) can contain users, computers, global groups and universal groups from the same domain, from other domains in the forest and from trusted domains, plus domain-local groups from the computer's own domain; they can be given permissions to resources on the local computer only
Domain-local groups have the same membership possibilities (plus other domain-local groups from the same domain) but can be given permissions to resources anywhere in the domain
Universal groups can contain users, computers, global groups and other universal groups from the same domain or domains in the same forest and can be given permissions to any resource in the forest (or in a trusting forest)
Global groups can only contain users, computers and other global groups from the same domain and can be given permissions to resources in any domain in the forest or any trusting domain
Implementing group management
This best practice for nesting groups is known as IGDLA:
I: Identities (users or computers), which are members of
G: Global groups, which collect members based on members' roles, which are members of
DL: Domain-local groups, which provide management such as resource access, which are
A: Assigned access to a resource
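IGDLA end to end, as an added example (not from the course labs): a role group, a resource group nested inside it, the ACL assigned only to the resource group, and a check that catches users granted access directly. The OU, the share path on LON-SVR1 and the group names are assumed.

```powershell
Import-Module ActiveDirectory
$groupOu = "OU=Groups,DC=adatum,DC=com"     # assumed
$share   = "\\LON-SVR1\Data\Research"       # assumed resource

# I -> G: a role group collects identities by what they are (Research staff)
New-ADGroup -Name "Research Staff" -Path $groupOu -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "Research Staff" -Members (Get-ADUser -Filter 'department -eq "Research"')

# G -> DL: a resource group describes one level of access to one resource
New-ADGroup -Name "ACL_Research_Modify" -Path $groupOu -GroupScope DomainLocal -GroupCategory Security
Add-ADGroupMember -Identity "ACL_Research_Modify" -Members "Research Staff"

# DL -> A: only the domain-local group appears in the ACL
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "ADATUM\ACL_Research_Modify", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Audit: any ACE that resolves to a user object bypasses the model and will be
# lost from view the next time someone reviews group membership instead of ACLs
function Find-DirectUserAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $parts = $ace.IdentityReference.Value -split '\\', 2
        if ($parts.Count -ne 2 -or $parts[0] -ne 'ADATUM') { continue }   # skip BUILTIN, NT AUTHORITY
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$($parts[1])'"
        if ($obj -and $obj.ObjectClass -eq 'user') { $ace }
    }
}
Find-DirectUserAce -Path $share
```

Because the global group is the only place where people are added, a mover in HR becomes a single group change rather than a hunt through file-server ACLs; the audit function is what keeps that guarantee honest.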
Managing group membership by using Group Policy
Restricted Groups can simplify group management
You use it to manage local and AD DS groups
Members can be added to the group and the group can be nested into other groups
Default groups
Carefully manage the default groups that provide administrative privileges, because these groups:
Typically have broader privileges than are necessary for
most delegated environments
Often apply protection to their members
Special identities
Special identities:
Are groups for which the operating system controls membership
Can be used by the Windows Server operating system
to provide access to resources based on the type of
authentication or connection, not on the user account
Important special identities include:
What is the Computers container?
Active Directory Administrative Center is opened to the
Adatum (local)\Computers container
Distinguished Name is CN=Computers,DC=Adatum,DC=com
Specifying the location of computer accounts
Best practice is to create OUs for computer objects
Servers are typically subdivided by server role
Client computers are typically subdivided by region
Divide OUs:
By administration
To facilitate configuration with Group Policy
Controlling permissions to create computer accounts
In the Delegation of Control Wizard window, the administrator is creating a custom delegation for computer objects
Joining a computer to a domain
Computer accounts and secure channels
Computers have accounts: SAMAccountName and password
Used to create a secure channel between the computer and a domain controller
Scenarios in which a secure channel might be
broken:
Reinstalling a computer, even with same name,
generates a new SID and password
Restoring a computer from an old backup or rolling
back a computer to an old snapshot
The computer and domain disagreeing about what the
password is
Resetting the secure channel
Do not delete a computer from the domain and
then rejoin it; this creates a new account,
resulting in a new SID and lost group
memberships
Options for resetting the secure channel:
nltest
netdom
Active Directory Users and Computers
Active Directory Administrative Center
Windows PowerShell
dsmod
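The diagnose-then-repair sequence as an added example (not the course's lab steps). LON-CL1 as the affected member, adatum.com and LON-DC1 are assumed names.

```powershell
# Run elevated on the affected member (assumed LON-CL1) in domain adatum.com;
# LON-DC1 is the assumed DC used for the repair.
# 1. Diagnose: $false means the channel is broken (the classic "trust relationship
#    between this workstation and the primary domain failed" sign-in error).
$ok = Test-ComputerSecureChannel -Verbose
nltest /sc_verify:adatum.com    # independent check; also shows which DC answered

# 2. Repair in place. The account keeps its SID and group memberships; only the
#    machine password changes. The credential needs "Reset password" on the
#    computer object, so prompt for it rather than embedding it in the script.
if (-not $ok) {
    $cred = Get-Credential -Message "Account allowed to reset LON-CL1's password" -UserName "ADATUM\Administrator"
    Test-ComputerSecureChannel -Repair -Server "LON-DC1" -Credential $cred
    Test-ComputerSecureChannel    # should now return True
}

# Alternative cmdlet with the same effect:
# Reset-ComputerMachinePassword -Server "LON-DC1" -Credential $cred
# Legacy equivalent:
# netdom resetpwd /server:LON-DC1 /userd:ADATUM\Administrator /passwordd:*
```

None of these paths recreates the computer object, which is exactly the point of the warning above: the SID, group memberships and any delegated permissions on the object survive.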
Performing an offline domain join
Use offline domain join to join computers to a domain when they cannot contact a domain controller
Create a domain-join file by using:
djoin.exe /Provision /Domain <DomainName> /Machine <MachineName> /SaveFile <filepath>
Import the domain join file by using:
djoin.exe /requestODJ /LoadFile <filepath> /WindowsPath <path to the Windows directory of the offline image>
Lab Scenario
You have been working for A. Datum Corporation as a
desktop support specialist and have visited desktop
computers to troubleshoot app and network problems.
You recently accepted a promotion to the server support
team. One of your first assignments is to configure the
infrastructure service for a new branch office.
To begin deployment of the new branch office, you are
preparing AD DS objects. As part of this preparation, you
need to create users and groups for the new branch office
that will house the Research department. Finally, you need
to reset the secure channel for a computer account that
has lost connectivity to the domain in the branch office.
Lab A: Managing AD DS objects
Exercise 1: Creating and managing groups in
AD DS
Exercise 2: Creating and configuring user accounts
in AD DS
Exercise 3: Managing computer objects in AD DS
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-CL1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 45 minutes
Using Windows PowerShell cmdlets to manage user accounts
New-ADUser "Sten Faerch" -AccountPassword (Read-Host -AsSecureString "Enter password") -Department IT
Using Windows PowerShell cmdlets to manage groups
New-ADGroup -Name "CustomerManagement" -Path "ou=managers,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "CustomerManagement" -Members "Joe"
Using Windows PowerShell cmdlets to manage computer accounts
New-ADComputer -Name "LON-SVR8" -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true
Test-ComputerSecureChannel -Repair
Using Windows PowerShell cmdlets to manage OUs
New-ADOrganizationalUnit -Name "Sales" -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true
What are bulk operations?
A bulk operation is a single action that changes multiple
objects
Sample bulk operations:
Create user accounts based on data in a spreadsheet
Disable all accounts not used in six months
Rename the department for many users
You can perform bulk operations by using:
Graphical tools
Command-line tools
Scripts
Querying objects with Windows PowerShell
Descriptions of operators:
Show all the properties for a user account:
Get-ADUser -Identity "Administrator" -Properties *
Show all the user accounts in the Marketing OU and all its subcontainers:
Get-ADUser -Filter * -SearchBase "ou=Marketing,dc=adatum,dc=com" -SearchScope Subtree
Show all of the user accounts with a last sign-in date before a specific date:
Get-ADUser -Filter {lastlogondate -lt "January 1, 2016"}
Show all of the user accounts in the Marketing department that have a last sign-in date before a specific date:
Get-ADUser -Filter {(lastlogondate -lt "January 1, 2016") -and (department -eq "Marketing")}
Modifying objects with Windows PowerShell
Use the pipe character ( | ) to pass a list of objects to a cmdlet for further processing
Get-ADUser -Filter {company -notlike "*"} | Set-ADUser -Company "A. Datum"
Get-ADUser -Filter {lastlogondate -lt "January 1, 2016"} | Disable-ADAccount
Get-Content C:\users.txt | Disable-ADAccount
Working with CSV files
The first line of a .csv file defines the names of the columns:
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing
A foreach loop processes the contents of a .csv file that has been imported into a variable:
$users = Import-Csv -LiteralPath "C:\users.csv"
foreach ($user in $users) {
    Write-Host "The first name is:" $user.FirstName
}
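The bulk operation described above ("create user accounts based on data in a spreadsheet"), taken past the Write-Host loop as an added example that is not from the course. The sample rows are the constructed ones shown above; the target OU, the UPN suffix and the naming format are assumed.

```powershell
Import-Module ActiveDirectory

# Constructed sample data (the three rows above) written to a temp file so the
# script runs as-is; in practice the .csv comes from HR.
$csvPath = Join-Path $env:TEMP "users.csv"
@"
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing
"@ | Set-Content -Path $csvPath -Encoding UTF8

$targetOu  = "OU=Branch,DC=adatum,DC=com"   # assumed
$upnSuffix = "adatum.com"                   # assumed

# Naming format (assumed): first initial + last name, lower-case ASCII, at most 20
# characters because that is the sAMAccountName limit
function New-SamAccountName([string]$First, [string]$Last) {
    $sam = (($First.Substring(0, 1) + $Last).ToLowerInvariant() -replace '[^a-z0-9]', '')
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
    return $sam
}

# Random initial password from a CSPRNG (24 base64 characters); the user is forced
# to change it at first sign-in, so it never needs to be written down or emailed
function New-InitialPassword {
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

foreach ($row in Import-Csv -LiteralPath $csvPath) {
    $sam = New-SamAccountName $row.FirstName $row.LastName
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        Write-Warning "$sam already exists; skipping $($row.FirstName) $($row.LastName)"
        continue
    }
    New-ADUser -Name "$($row.FirstName) $($row.LastName)" `
        -GivenName $row.FirstName -Surname $row.LastName `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -Department $row.Department -Path $targetOu `
        -AccountPassword (New-InitialPassword) -ChangePasswordAtLogon $true -Enabled $true
    Write-Host "Created $sam in $($row.Department)"
}
```

The existence check matters for re-runs: New-ADUser fails on a duplicate name, and a script that aborts halfway through a spreadsheet leaves an unknown subset of accounts created.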
Planning OUs
AD DS permissions
Users receive their token (list of SIDs) during sign in
Objects have a security descriptor that describes:
Who (SID) has been granted or denied access
Which permissions (Read, Write, Create or Delete child)
What kind of objects
Which sublevels
When users browse the Active Directory structure, their token is compared to the security descriptor to evaluate their access rights
Delegating AD DS permissions
Permissions on AD DS objects can be granted to
users or groups
Permission models are usually object-based or
role-based
The Delegation of Control Wizard can simplify
assigning common administrative tasks
The OU advanced security properties allow you
to grant granular permissions
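The granular route, as an added example that is not from the course: the same two delegations the wizard offers (create/delete users, reset passwords) written as explicit ACEs on the OU, followed by a check of what is actually set. The OU and the "Branch Admins" group are assumed; the two GUIDs are the well-known schema GUID of the user class and the Reset Password control access right.

```powershell
Import-Module ActiveDirectory
$ouDn  = "OU=Branch,DC=adatum,DC=com"   # assumed
$group = Get-ADGroup "Branch Admins"     # assumed group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known GUIDs: the user object class and the "Reset Password" control access right
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$resetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"

$acl = Get-Acl -Path "AD:\$ouDn"

# Create and delete user objects (and only user objects) in this OU and its sub-OUs
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow, $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# Reset passwords, scoped to descendant user objects; without the inherited-object
# type the right would also land on computers and managed service accounts below
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list every explicit (non-inherited) ACE on the OU so nothing broader slipped in
(Get-Acl -Path "AD:\$ouDn").Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The verification step is the one to keep: delegations accumulate, and an OU whose ACL nobody has read since the wizard ran is the usual place to find a GenericAll grant that was meant to be temporary.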
Lab Scenario
You have been working for the A. Datum Corporation as a
desktop support specialist and have performed
troubleshooting tasks on desktop computers to resolve
application and network problems. You recently accepted a
promotion to the server support team. One of your first
assignments is to configure the infrastructure service for a
new branch office.
To begin the deployment of the new branch office, you are
preparing AD DS objects. As part of this preparation, you
need to create an OU for the branch office and delegate
permission to manage it. Also, you need to evaluate
Windows PowerShell to manage AD DS more efficiently.
Lab B: Administering AD DS
Exercise 1: Delegating administration for OUs
Exercise 2: Creating and modifying AD DS objects
with Windows PowerShell
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-SVR1
20742B-LON-CL1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time:
30
 minutes
Module 3
Advanced AD DS infrastructure
management
Module Overview
Overview of advanced AD DS deployments
Deploying a distributed AD DS environment
Configuring AD DS trusts
Overview of domain and forest boundaries in an AD DS structure
Why implement multiple domains?
Organizations might choose to deploy multiple
domains to meet:
Domain replication requirements
DNS namespace requirements
Distributed administration requirements
Forest administrative group security requirements
Resource domain requirements
Why implement multiple forests?
Organizations might choose to deploy multiple forests to
meet:
Security isolation requirements:
PAM in Windows Server 2016 AD DS uses a separate
bastion forest to isolate privileged accounts in order to
protect against credential theft techniques
Incompatible schema requirements
Multinational requirements
Extranet security requirements
Business merger or divestiture requirements
Deploying a domain controller in Azure IaaS
Scenarios in which you might deploy AD DS on
an Azure virtual machine:
Disaster recovery
Geo-distributed domain controllers
Isolated applications
Considerations during deployment include:
Network topology
Site topology
Service healing
IP addressing
DNS
Hard disk read/write caching
Managing objects in complex AD DS deployments
Potential issues include:
User and group management
User self-service
Certificate management
Identity syncing
MIM 2016 provides:
Cloud-ready identities for Azure Active Directory
Powerful user self-service features with multi-factor
authentication
PAM
AD DS domain functional levels
New functionality requires that domain controllers are running a particular version of the Windows operating system:
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
You cannot raise the functional level while domain controllers are running previous Windows Server versions
You cannot add domain controllers that are running previous Windows Server versions after raising the functional level
AD DS forest functional levels
Windows Server 2003:
Forest trusts
Domain rename
Linked-value replication
Improved Knowledge Consistency Checker
Support for RODCs
Conversion of inetOrgPerson objects to user objects
Deactivation and redefinition of attributes and object classes
Windows Server 2008:
No new features; sets minimum level for all new domains
Windows Server 2008 R2:
Active Directory Recycle Bin
Windows Server 2012 and Windows Server 2012 R2:
No new features; sets minimum level for all new domains
Windows Server 2016:
Enables the Privileged Access Management optional feature (used with the MIM bastion forest); also sets the minimum level for all new domains
Deploying new AD DS domains
Forest root domain:
Is automatically created with a new forest
Is the base of an AD DS infrastructure
Can be the only domain in an AD DS deployment
Child domain:
Is a child of a parent domain
Shares the same namespace with the parent domain
Tree domain:
Creates a new domain tree and a new namespace
Is commonly used in merger and acquisition scenarios
Upgrading a previous version of AD DS to Windows
Server 2016
Methods to upgrade AD DS to Windows Server 2016:
In-place upgrade from Windows Server 2012 R2 or
Windows Server 2012
Introduce a new Windows Server 2016 server into the
domain, and then promote it to be a domain controller
(recommended method)
Both methods require that the schema is at the Windows Server 2016 level:
The Active Directory Domain Services Configuration Wizard will upgrade the schema automatically when run with appropriate permissions (Schema Admins and Enterprise Admins)
Adprep is available for running the schema update separately
Migrating to Windows Server 2016 AD DS from a previous version
Interforest migration (diagram: from Fabrikam.net to Adatum.com)
Security principals that migrate:
User accounts
Managed service accounts
Computer accounts
Groups
Accounts get new SIDs, but resource access is maintained by using SID-History
Considerations for implementing complex AD DS
environments
DNS considerations:
Centralized versus decentralized
Verify the DNS client configuration and name resolution
Optimize DNS name resolution:
Conditional forwarders and stub zones
DNS name devolution and DNS suffix search order
Deploy a GlobalNames zone
Use Active Directory-integrated zones
Extending AD DS to Azure
UPN considerations:
UPN suffixes
Global catalog
Federated authentication scenarios
Overview of different AD DS trust types
How trusts work in a forest
How trusts work between forests
A forest trust is a one-way or two-way trust relationship between the forest root domains of two forests
(Diagram: a forest trust between tailspintoys.com, with child domain Asia.tailspintoys.com, and wideworldimporters.com, with child domain Sales.wideworldimporters.com)
Configuring advanced AD DS trust settings
Security considerations in forest trusts include:
SID filtering
Selective authentication
Name suffix routing
An incorrectly configured trust can allow unauthorized access to resources
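Auditing and tightening those three settings, as an added example that is not from the course lab. adatum.com as the local forest and treyresearch.net as the partner forest are assumed; the netdom switches are the documented ones.

```powershell
Import-Module ActiveDirectory

# 1. Inventory: one row per trust with the settings that decide how much a partner
#    forest is trusted. SID filtering off, selective auth off and TGT delegation on
#    are the combinations worth a second look.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
        SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication, TGTDelegation |
    Format-Table -AutoSize

# 2. SID filtering on the forest trust with treyresearch.net (assumed partner).
#    Disabling SID history across a trust is what allows injected SIDs (for example
#    a partner-side account carrying our Domain Admins SID in sIDHistory) to be honoured.
#    Keep it off; the /EnableSIDHistory:No form is the forest-trust equivalent of
#    /quarantine:Yes on an external trust.
netdom trust adatum.com /domain:treyresearch.net /EnableSIDHistory:No /userO:ADATUM\Administrator /passwordO:*

# 3. Selective authentication: partner users no longer get implicit "Authenticated
#    Users" access to every server in adatum.com; each resource server must grant
#    them the "Allowed to authenticate" right explicitly.
netdom trust adatum.com /domain:treyresearch.net /SelectiveAuth:Yes /userO:ADATUM\Administrator /passwordO:*

# 4. Name suffix routing: list which UPN/SPN suffixes are routed to the partner
#    and disable any namespace the partner does not actually own (/ToggleSuffix:<n>)
netdom trust adatum.com /domain:treyresearch.net /NameSuffixes:treyresearch.net /userO:ADATUM\Administrator /passwordO:*

# Re-run the inventory to confirm the change replicated
Get-ADTrust -Identity treyresearch.net | Select-Object Name, SIDFilteringForestAware, SelectiveAuthentication
```

Selective authentication is the setting that most often surprises partners, because access that "just worked" stops until the "Allowed to authenticate" permission is granted per server; that breakage is the control working as designed.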
Lab Scenario
A. Datum has deployed a single AD DS domain with all the domain
controllers located in its London datacenter. As the company has
grown and added branch offices with large numbers of users, it has
become increasingly apparent that the current AD DS environment
does not meet company requirements. The network team is concerned
about the amount of AD DS–related network traffic that is crossing
WAN links, which are becoming highly utilized.
The company has also become increasingly integrated with partner
organizations, some of which need access to shared resources and
applications that are located on the A. Datum internal network. The
Security department at A. Datum wants to ensure that access for these
external users is as secure as possible.
As one of the senior network administrators at A. Datum, you are
responsible for implementing an AD DS infrastructure that meets
company requirements. You are responsible for planning an AD DS
domain and forest deployment that provides optimal services for
internal and external users while addressing the security requirements
at A. Datum.
Lab: Domain and trust management in AD DS
Exercise 1: Implementing forest trusts
Exercise 2: Implementing child domains in AD DS
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-TOR-DC1
20742B-LON-SVR2
20742B-TREY-DC1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 30 minutes
Module 4
Implementing and administering
AD DS sites and replication
Module Overview
Overview of AD DS replication
Configuring AD DS sites
Configuring and monitoring AD DS replication
What are AD DS partitions?
Characteristics of AD DS replication
Multi-master replication ensures:
Accuracy (integrity)
Consistency (convergence)
Performance (keeping replication traffic to a reasonable level)
Key characteristics of AD DS replication include:
Multi-master replication
Pull replication
Store-and-forward replication
Partitions
Automatic generation of an efficient, robust replication topology
Attribute-level and multivalue replication
Distinct control of intersite replication
Collision detection and management
How AD DS replication works within a site
Intrasite replication uses:
Connection objects for inbound replication to a domain controller
Knowledge Consistency Checker to automatically create a topology that is efficient (maximum three-hop) and robust (two-way)
Notifications in which the domain controller tells its downstream partners that a change is available
Polling, in which the domain controller checks with its upstream partners for changes:
The downstream domain controller's directory replication agent replicates the changes
Changes to all partitions held by both domain controllers are replicated
(Diagram: DC01, DC02 and DC03 replicating within one site)
Resolving replication conflicts
In multi-master replication models, replication
conflicts arise when:
The same attribute is changed on two domain controllers
simultaneously
An object is moved or added to a deleted container on
another domain controller
Two objects with the same relative distinguished name are
added to the same container on two different domain
controllers
To resolve replication conflicts, AD DS uses:
Version number
Time stamp
Server GUID
How replication topology is generated
(Diagram: domain A topology among domain controllers A1 to A4 and global catalog servers, with B1 to B3 as domain controllers in another domain)
How SYSVOL replication works
SYSVOL contains logon scripts, Group Policy templates, and
GPOs with their content
SYSVOL replication can take place by using:
FRS, which is primarily used in Windows Server 2003 and
older domain structures
DFS Replication, which is used in Windows Server 2008 and
newer domains
To migrate SYSVOL replication from FRS to DFS Replication:
The domain functional level must be at least Windows
Server 2008
Use the Dfsrmig.exe tool to perform the migration
What are AD DS sites?
Sites identify network locations with fast, reliable network
connections
Sites are associated with subnet objects
Sites are used to manage:
Replication when domain controllers are separated by slow,
expensive links
Service localization:
Domain controller authentication
AD DS–aware (site-aware)
services or applications
Why implement additional sites?
Create additional sites when:
A slow link separates a part of the network
A part of the network has enough users to warrant hosting
domain controllers or other services in that location
You want to control service localization
You want to control replication between domain controllers
How replication works between sites
Replication within sites:
Assumes fast, inexpensive, and
highly reliable network links
Does not compress traffic
Uses a change notification
mechanism
Replication between sites:
Assumes higher cost, limited
bandwidth, and unreliable network
links
Has the ability to compress
replication
Occurs on a configured schedule
Can be configured for immediate
and urgent replications
What is the ISTG?
ISTG defines the replication between AD DS sites on a network
Overview of SRV records
Domain controllers register SRV records as follows:
_tcp.adatum.com: All domain controllers in the domain
_tcp.sitename._sites.adatum.com: All services in a specific site
Clients query DNS to locate services in specific sites
How client computers locate domain controllers within
sites
The process for locating a domain controller is as follows:
1. The new client queries for all domain controllers in the domain
2. The client attempts an LDAP ping to find all domain controllers
3. The first domain controller responds
4. The client queries for all domain controllers in the site
5. The client attempts an LDAP ping to find all domain controllers in the site
6. The client forms an affinity
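The SRV records and the locator steps above, observed from a client, as an added example that is not from the course. adatum.com and the site name London are assumed.

```powershell
# Steps 1 and 4: the SRV records the locator queries, domain-wide and then per site
# (adatum.com and the site name "London" are assumed)
Resolve-DnsName -Name "_ldap._tcp.adatum.com" -Type SRV |
    Select-Object NameTarget, Priority, Weight, Port
Resolve-DnsName -Name "_ldap._tcp.London._sites.adatum.com" -Type SRV |
    Select-Object NameTarget, Port

# Steps 2 to 6: the locator itself (LDAP ping, first responder, site affinity).
# /force bypasses the cached result so you see a fresh selection.
nltest /dsgetdc:adatum.com /force
nltest /dsgetsite                           # which site this client believes it is in
nltest /dsgetdc:adatum.com /site:London     # what a client in London would be given

# Same answer from PowerShell, with the site and whether the DC is a global catalog
Get-ADDomainController -Discover -DomainName adatum.com -ForceDiscover |
    Select-Object HostName, Site, IPv4Address, IsGlobalCatalog

# Clients whose subnet is not mapped to any site fall back to "no site" and end up
# on random DCs (step 3 of the SRV slide). Each DC logs them as NO_CLIENT_SITE:
Get-Content "$env:SystemRoot\debug\netlogon.log" -ErrorAction SilentlyContinue |
    Select-String "NO_CLIENT_SITE" | Select-Object -Last 10
```

When a branch reports slow sign-ins, `nltest /dsgetsite` returning the wrong site, or the NETLOGON log filling with NO_CLIENT_SITE entries, is the quickest evidence that the subnet-to-site mapping is missing rather than the WAN being slow.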
Moving domain controllers between sites
What are AD DS site links?
Site links contain sites:
Within a site link, a connection object can be created
between any two domain controllers
The default site link, DEFAULTIPSITELINK, is not always
appropriate with your network topology
What is site link bridging?
By default, automatic site link bridging:
Enables ISTG to create connection objects between site links
Allows disabling of transitivity in the properties of the IP transport
Site link bridges:
Enable you to create transitive site links manually
Are useful only when transitivity is disabled
What is universal group membership caching?
Universal group membership caching enables
domain controllers in a site with no global catalog
servers to cache universal group membership
Managing intersite replication
Site link costs:
Replication uses connections with the lowest cost
Replication polling:
During polling, the downstream bridgehead polls its upstream partners:
Default is 3 hours
Minimum is 15 minutes
Recommended is 15 minutes
Replication schedules:
24 hours a day by default
Can be scheduled
Tools for monitoring and managing replication
Repadmin.exe examples:
repadmin /showrepl Lon-dc1.adatum.com
repadmin /showconn Lon-dc1.adatum.com
repadmin /showobjmeta Lon-dc1 "cn=Linda Miller,ou=…"
repadmin /kcc
Dcdiag.exe /test:testName, where testName is one of:
FrsEvent or DFSREvent
Intersite
KccEvent
Replications
Topology
Monitor replication with Operations Manager
Use Windows PowerShell cmdlets
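The PowerShell side of the monitoring toolset, as an added example that is not from the course: the same data as `repadmin /showrepl`, but as objects that can be filtered and alerted on. adatum.com and the 60-minute staleness threshold are assumed.

```powershell
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([string]$Domain = "adatum.com", [int]$MaxLagMinutes = 60)   # assumed values
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # Inbound partners: one record per partner and partition
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound
        foreach ($p in $partners) {
            $lag = ($now - $p.LastReplicationSuccess).TotalMinutes
            [pscustomobject]@{
                DC          = $dc.Name
                Partner     = (($p.Partner -split ',')[1] -replace '^CN=', '')   # from the NTDS Settings DN
                Partition   = $p.Partition
                LastSuccess = $p.LastReplicationSuccess
                LagMinutes  = [int]$lag
                Failures    = $p.ConsecutiveReplicationFailures
                LastResult  = $p.LastReplicationResult        # 0 = success, otherwise a Win32 error code
                Stale       = ($lag -gt $MaxLagMinutes)
            }
        }
        # Failures accumulated since the DC last restarted
        Get-ADReplicationFailure -Target $dc.HostName | ForEach-Object {
            Write-Warning ("{0} <- {1}: {2} failures, last error {3}, first seen {4}" -f
                $dc.Name, $_.Partner, $_.FailureCount, $_.LastError, $_.FirstFailureTime)
        }
    }
}

# Only the rows that need attention
Get-ReplicationHealth | Where-Object { $_.Stale -or $_.LastResult -ne 0 } | Format-Table -AutoSize

# After fixing the cause, force a pass and let the KCC rebuild the topology:
# repadmin /syncall /AdeP ; repadmin /kcc
```

Stale rows with LastResult 0 usually mean a schedule or site-link problem (nothing is failing, replication simply is not being attempted), while non-zero results point at the partner itself: DNS, the secure channel, or a tombstoned DC that should have been removed.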
Lab Scenario
A. Datum Corporation has deployed a single
AD DS domain, with all the domain controllers
located in the London datacenter. As the company
has grown and added branch offices with large
numbers of users, it has become apparent that the
current AD DS environment does not meet the
company’s requirements. Users in some branch
offices report that it can take a long time for them
to sign in to their computers. Access to network
resources such as the company’s servers, which
are running Microsoft Exchange Server 2016 and
Microsoft SharePoint Server 2016, can be slow,
and they sporadically fail.
As one of the senior network administrators, you
are responsible for planning and implementing an
AD DS infrastructure that will help address the
organization’s business requirements. You are
responsible for configuring AD DS sites and
replication to optimize the user experience and
network utilization within the organization.
Lab: Implementing AD DS sites and replication
Exercise 1: Modifying the default site
Exercise 2: Creating additional sites and subnets
Exercise 3: Configuring AD DS replication
Exercise 4: Monitoring and troubleshooting AD DS
replication
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-TOR-DC1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 30 minutes
Module 5
Implementing Group Policy
Module Overview
Introducing Group Policy
Implementing and administering GPOs
Group Policy scope and Group Policy processing
Troubleshooting the application of GPOs
Overview of Group Policy tools and consoles
Group Policy Management Console
Group Policy Management Editor
Command-line utilities: GPUpdate and GPResult
Benefits of using Group Policy
Group Policy is a very powerful administrative tool
You can use it to enforce various types of settings
to a large number of users and computers
Typically, you use GPOs to:
Apply security settings
Manage desktop application settings
Deploy application software
Manage Folder Redirection
Configure network settings
Group Policy Objects
A GPO is:
A container for one or more policy settings
Managed with the GPMC
Stored in the GPOs container
Edited with Group Policy Management Editor
Applied to a specific level in the AD DS hierarchy
Overview of GPO scope
The scope of a GPO is the collection of users and computers that will apply the settings in the GPO
You can use several methods to scope a GPO:
Link the GPO to a container, such as an OU
Filter by using security settings
Filter by using WMI filters
For Group Policy preferences:
You can filter or target the settings that you configure by Group Policy preferences within a GPO based on several criteria
Overview of GPO inheritance
GPOs are processed on a client computer in the following order:
1. Local GPOs
2. Site-level GPOs
3. Domain-level GPOs
4. OU GPOs, including any nested OUs
The Group Policy Client service and client-side
extensions
Group Policy application process:
1. Group Policy Client retrieves GPOs
2. Client downloads and caches GPOs
3. Client-side extensions process the settings
Policy settings in the Computer Configuration node apply
at system startup and every 90–120 minutes thereafter
Policy settings in the User Configuration node apply at
sign-in and every 90–120 minutes thereafter
What are domain-based GPOs?
GPO storage
GPO
Contains Group Policy settings
Stores content in two locations
Group Policy container
Stored in AD DS
Provides version information
Group Policy template
Stored in shared SYSVOL folder
Provides Group Policy settings
What are starter GPOs?
[Diagram: a starter GPO is exported to a .cab file, which is then loaded and imported into the GPMC]
A starter GPO:
Stores administrative template settings on which new
GPOs will be based
Can be exported to .cab files
Can be imported into other areas of an organization
Common GPO management tasks
You can manage GPOs by using GPMC or Windows
PowerShell. These are some of the options for
managing the state of GPOs:
Delegating administration of Group Policy
Delegation of GPO-related tasks allows the administrative
workload to be distributed across the enterprise
You can delegate the following Group Policy tasks
independently:
Creating GPOs
Editing GPOs
Managing Group Policy links for a site, domain, or OU
Performing Group Policy modeling analysis in a domain or OU
Reading Group Policy results data in a domain or OU
Creating WMI filters in a domain
What are GPO links?
After you have linked a GPO, the users or computers in that container are within
the scope of the GPO, including computers and users in child OUs
Group Policy processing order
Configuring GPO inheritance and precedence
The application of GPOs linked to each container results in a cumulative
effect called policy inheritance:
Default precedence: Local → Site → Domain → OU → Child OU… (LSDOU)
Visible on the Group Policy Inheritance tab
Link order (attribute of GPO link):
Lower number → higher on the list → higher precedence
Block Inheritance (attribute of OU):
Blocks the processing of GPOs from a higher level
Enforced (attribute of GPO link):
Enforced GPOs override Block Inheritance
Enforced GPO settings win over conflicting settings in lower GPOs
Using security filtering to modify Group Policy scope
Apply Group Policy permission:
GPO has an ACL (Delegation tab, Advanced)
Members of the Authenticated Users group have Allow Apply Group Policy
permissions by default
To scope only to users in selected global groups:
Remove the Authenticated Users group
Add appropriate global groups: Must be global groups (GPOs do not scope to
domain local)
To scope to users except for those in selected groups:
On the Delegation tab, click Advanced
Add appropriate global groups
Deny the Apply Group Policy permission
What are WMI filters?
WMI queries can filter GPOs based on system
characteristics, including:
RAM
Processor speed
Disk capacity
IP address
Operating system version
WMI queries are written by using WQL, for example:
select * from Win32_OperatingSystem where Version like "10.%"
WMI filters can be expensive in terms of Group Policy
processing performance
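The slide's WQL filter evaluated in code, as an added example that is not part of the course material: a small evaluator for LIKE and = clauses run against constructed Win32_OperatingSystem records. It also shows a point the slide leaves implicit: Version like "10.%" admits Windows Server 2016 (also version 10.0) as well as Windows 10 unless ProductType is checked too. The records, filter strings and helper names are constructed for this example.

```python
"""Evaluate WMI-filter style WQL WHERE clauses against Win32_OperatingSystem records.

Constructed example: the records below are hand-written, not captured from real hosts.
The supported grammar is deliberately small: <property> LIKE "<pattern>" or
<property> = <value>, joined by AND. A real WMI filter is evaluated by the client's
WMI service; this code only shows the matching logic."""
import re


def wql_like_to_regex(pattern):
    """Translate WQL LIKE wildcards into an anchored regular expression.

    % matches any run of characters, _ exactly one character, [abc] / [^abc] a class."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        elif ch == "[":
            end = pattern.index("]", i)          # raises ValueError on an unclosed class
            out.append("[" + pattern[i + 1:end] + "]")
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"


_CLAUSE = re.compile(r'^(\w+)\s*(like|=)\s*(?:"([^"]*)"|(\S+))$', re.IGNORECASE)


def matches_filter(query, instance):
    """Return True when `instance` (property -> value) satisfies the query's WHERE clause."""
    where = re.search(r"\bwhere\b(.*)$", query, re.IGNORECASE | re.DOTALL)
    if where is None:
        return True                              # no WHERE clause: every instance qualifies
    for clause in re.split(r"\s+and\s+", where.group(1).strip(), flags=re.IGNORECASE):
        m = _CLAUSE.match(clause.strip())
        if m is None:
            raise ValueError("unsupported clause: " + clause)
        prop, op, quoted, bare = m.groups()
        wanted = quoted if quoted is not None else bare
        actual = str(instance.get(prop, ""))
        if op.lower() == "like":
            if re.match(wql_like_to_regex(wanted), actual, re.IGNORECASE) is None:
                return False
        elif actual.lower() != wanted.lower():
            return False
    return True


# Constructed Win32_OperatingSystem instances (values chosen to illustrate, not captured).
WINDOWS_10 = {"Caption": "Microsoft Windows 10 Enterprise", "Version": "10.0.14393", "ProductType": 1}
SERVER_2016 = {"Caption": "Microsoft Windows Server 2016 Standard", "Version": "10.0.14393", "ProductType": 3}
WINDOWS_8_1 = {"Caption": "Microsoft Windows 8.1 Enterprise", "Version": "6.3.9600", "ProductType": 1}

SLIDE_FILTER = 'select * from Win32_OperatingSystem where Version like "10.%"'
# Windows Server 2016 also reports a 10.x version, so the slide's filter matches servers as
# well as clients; ProductType = 1 (workstation) narrows it to client operating systems.
CLIENT_FILTER = SLIDE_FILTER + ' and ProductType = "1"'


def applies_to(query, instances):
    """Captions of the instances that the filter would admit, in input order."""
    return [inst["Caption"] for inst in instances if matches_filter(query, inst)]


if __name__ == "__main__":
    hosts = [WINDOWS_10, SERVER_2016, WINDOWS_8_1]
    print("slide filter :", applies_to(SLIDE_FILTER, hosts))
    print("client filter:", applies_to(CLIENT_FILTER, hosts))
```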
What are WMI filters?
How to enable or disable GPOs and GPO nodes
Loopback policy processing
Provides the ability to apply user Group Policy settings
based on the computer to which the user is signing in
Replace mode:
Only the list of GPOs based on the computer object is used
Merge mode:
The list of GPOs based on the computer has higher precedence
than the list of GPOs based on the user
Useful in closely managed environments and special-use
computers, such as:
Terminal servers, public-use computers, and classrooms
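The LSDOU processing order, link order, Block Inheritance, Enforced links and loopback Replace/Merge rules from the preceding slides, worked through as an added example that is not course code. The containers, GPO names and settings are constructed to resemble the module's lab scenario (a 10-minute corporate screen lock with a 2-hour conference room exception).

```python
"""Resultant GPO order under LSDOU as the slides describe it: link order, Block Inheritance,
Enforced links, and loopback processing in Replace or Merge mode.

The containers, GPO names and settings below are constructed to mirror the module's lab
scenario; they are not data from a real domain."""
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str
    order: int                 # link order on the container; 1 is highest on the list
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain, local_gpos=("Local Computer Policy",)):
    """GPOs in processing order for an object whose path is `chain` (site, domain, OU,
    child OU ...). The GPO processed last has the highest precedence and wins conflicts."""
    # Block Inheritance on a container discards every non-enforced link above it;
    # only the deepest blocking container matters.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # Within one container, higher link-order numbers are processed first, so the
        # link at the top of the list (order 1) is applied last and wins.
        for link in sorted(container.links, key=lambda ln: ln.order, reverse=True):
            if link.enforced:
                enforced.append((depth, link))
            elif depth >= block_at:          # links on the blocking container itself still apply
                normal.append(link.gpo)
    # Enforced links are applied after everything else. Deeper containers go first so that
    # an enforced link higher in the hierarchy is applied last and wins.
    enforced.sort(key=lambda item: (-item[0], -item[1].order))
    return list(local_gpos) + normal + [link.gpo for _, link in enforced]


def user_processing_order(user_chain, computer_chain, loopback=None):
    """GPOs whose User Configuration applies at sign-in. `loopback` is None, "replace" or
    "merge" (the user Group Policy loopback processing mode set on the computer)."""
    user_list = processing_order(user_chain)
    if loopback is None:
        return user_list
    computer_list = processing_order(computer_chain)
    if loopback == "replace":
        return computer_list                 # only the list based on the computer object is used
    if loopback == "merge":
        # The computer's list is appended to the user's list, so it is processed later and
        # takes precedence; a GPO present in both lists has its later copy decide conflicts.
        return user_list + computer_list
    raise ValueError("loopback must be None, 'replace' or 'merge'")


def resolve(order, settings, name):
    """(winning GPO, value) for setting `name`, or None if no GPO in `order` configures it."""
    winner = None
    for gpo in order:
        if name in settings.get(gpo, {}):
            winner = (gpo, settings[gpo][name])
    return winner


# Constructed hierarchy for the A. Datum lab: the domain sets a screen lock after 600 seconds,
# the Conference Rooms OU blocks inheritance and sets 7,200 seconds, and a Security Baseline
# GPO is Enforced so it survives the block.
SITE = Container("Site: London", [Link("London Site Settings", 1)])
DOMAIN = Container("Domain: Adatum", [
    Link("Security Baseline", 3, enforced=True),
    Link("Default Domain Policy", 2),
    Link("Corporate Screen Saver", 1),
])
RESEARCH = Container("OU: Research", [Link("Research Apps", 1)])
USERS = Container("OU: Users", [Link("User Desktop Settings", 1)])
CONFERENCE = Container("OU: Conference Rooms", [Link("Conference Room Timeout", 1)],
                       block_inheritance=True)

SETTINGS = {
    "Corporate Screen Saver": {"ScreenSaverTimeout": 600},
    "Conference Room Timeout": {"ScreenSaverTimeout": 7200, "Wallpaper": "room.jpg"},
    "Security Baseline": {"FirewallEnabled": True},
    "User Desktop Settings": {"Wallpaper": "corp.jpg", "HomePage": "http://intranet"},
}

if __name__ == "__main__":
    for ou in (RESEARCH, CONFERENCE):
        order = processing_order([SITE, DOMAIN, ou])
        print(ou.name, "->", order)
        print("  ScreenSaverTimeout:", resolve(order, SETTINGS, "ScreenSaverTimeout"))
        print("  FirewallEnabled   :", resolve(order, SETTINGS, "FirewallEnabled"))
    for mode in (None, "replace", "merge"):
        order = user_processing_order([SITE, DOMAIN, USERS], [SITE, DOMAIN, CONFERENCE], mode)
        print("loopback", mode, "->", resolve(order, SETTINGS, "Wallpaper"),
              resolve(order, SETTINGS, "HomePage"))
```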
Loopback policy processing
Considerations for slow links and disconnected systems
Slow link detection:
By default, connection speeds below 500 kbps
The following CSEs apply by default:
Security Settings
Administrative Templates
Disconnected computers:
Cache Group Policy so that settings still apply
Perform Group Policy refresh when reconnecting with the
domain network if a background refresh has been missed
Identifying when settings become effective
GPO replication must occur
Group changes must replicate
Group Policy refresh must occur
User must sign out and sign in or the computer
must restart
You must perform a manual refresh
Most CSEs do not reapply unchanged GPO
settings
Lab Scenario
Your manager asked you to use Group Policy to implement
standardized security settings to lock computer screens when users
leave computers unattended for 10 minutes or more. You also have to
configure a policy setting that will prevent access to certain programs
on local computers.
You configured Group Policy to lock computer screens when users
leave computers unattended for 10 minutes or more. However, after
some time, you were made aware that a critical application used by
the Research engineering team fails when
the screen saver starts. An
engineer asked you to prevent the GPO setting from applying to any
member of the Research security group. He also asked you to
configure conference room computers to be exempt from corporate
policy. However, you must ensure that the conference room computers
use a 2-hour time out.
Create the policies that you need to evaluate the RSoPs for users in
your environment. Make sure to optimize the Group Policy
infrastructure and verify that all policies are applied as they were
intended.
Lab A: Implementing a Group Policy infrastructure
Exercise 1: Creating and configuring GPOs
Exercise 2: Managing GPO scope
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-CL1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 40 minutes
Refreshing GPOs
When you apply GPOs, remember that:
Computer settings apply at startup
User settings apply at sign-in
Policies refresh at regular, configurable intervals
Security settings refresh at least every 16 hours
Policies refresh manually by using:
The gpupdate command-line utility
The Windows PowerShell cmdlet Invoke-GPUpdate
With the Remote Group Policy Refresh feature, you can
refresh policies remotely
What is RSoP?
RSoP is the net effect of GPOs applied to a user or computer
Group Policy Management
What is RSoP?
Group Policy Modeling Wizard
Generating RSoP reports
RSoP reports show the actual settings being applied to the
user and computer
Might show the time taken to apply Group Policy
You can generate RSoP reports by using:
Group Policy Results Wizard
GPResult
Get-GPResultantSetOfPolicy
Target computer must be online
Remote WMI must be enabled
Generating RSoP reports
Group Policy Results Wizard
Examining Group Policy event logs
Detecting Group Policy health issues
Group Policy health check in Group Policy Management
Console
Lab Scenario
After configuring settings for the Research department
and computers in the conference rooms, you want to make
sure that all settings apply as intended. You want to do this
by creating RSoP reports from both Group Policy
Management Console and a client. You do not have
access to a computer in the conference rooms, so you
have to simulate how settings will apply by using Group
Policy modeling analyses. You want to investigate what
events are stored in Event Viewer regarding Group Policy.
After some time, you receive a Help desk ticket opened by
a user. The issue is that the Screen Saver settings that were
applied are not the correct settings for the user. You have to
investigate the issue and make sure that the correct
settings apply to the user.
Lab B: Troubleshooting Group Policy infrastructure
Exercise 1: Verifying GPO application
Exercise 2: Troubleshooting GPOs
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-CL1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 25 minutes
Module 6
Managing user settings with
Group Policy
Module Overview
Implementing administrative templates
Configuring Folder Redirection, software
installation, and scripts
Configuring Group Policy preferences
What are administrative templates?
Administrative templates give you the ability to control the environment
of the operating system and the user experience:
Administrative template section for computers:
Control Panel
Network
Printers
System
Windows-based components
Administrative template section for users:
Control Panel
Desktop
Network
Start menu and taskbar
System
Windows-based components
Each of these main sections contains many subfolders that further organize
settings
What are .adm and .admx files?
.adm files:
Are copied into every GPO in SYSVOL
Are difficult to customize
Are not language-neutral
Could cause SYSVOL bloat if there are many GPOs
.admx files:
Are language-neutral
.adml files provide the localized language
Are not stored in the GPO
Are extensible through XML
Overview of the central store
Importing security templates
Security Templates contain settings for:
Account policies
Local policies
Event log
Restricted groups
System services
Registry
File system
More security settings are available in a GPO
Security templates created in the Security Templates
snap-in can be imported into a GPO
The Security Compliance Manager can export security
baselines in a GPO backup format
Managing administrative templates
Extend the set of administrative templates by:
1. Creating new templates or downloading available templates
2. Adding the templates to the central store so the settings become available in all GPOs
3. Configuring the settings in a GPO
4. Deploying the GPO
.admx files are available for both Microsoft and
third-party applications
Import legacy .adm files to the Administrative
Templates section of a GPO
What is Folder Redirection?
Folder Redirection allows folders to be located on a
network server, but appear as if they are located on a
local drive
Folders that can be redirected in Windows Vista and
later are:
Settings for configuring Folder Redirection
[Diagram: example redirection targets by group (Accounting Users, Accounts A-M, Accounting Managers) with a folder for each user, such as Anne and Amy]
Folder Redirection configuration options:
Use Basic Folder Redirection when all users
save their files to the same location
Use Advanced Folder Redirection when
the server hosting the folder location
is based on group membership
Use the Follow the Documents folder to force certain
folders to become subfolders of Documents
Target folder location options:
Create a folder for each user under the
root path
Redirect to the following location
Redirect to the local user profile location
Redirect to the user’s home directory
(Documents folder only)
Security settings for redirected folders
Managing software with Group Policy
Group Policy settings for applying scripts
You can use scripts to perform many tasks, such as
clearing page files, mapping drives, and clearing
temp folders for users
Scripting languages include VBScript, JScript,
Windows PowerShell, and command/batch files
You can use Group Policy script settings to
assign:
For computers:
Startup scripts
Shutdown scripts
For users:
Logon scripts
Logoff scripts
What are Group Policy preferences?
Group Policy preferences extensions expand the
range of configurable settings within a GPO:
Enables you to manage settings that were
previously not manageable by using Group Policy
Are supported natively on Windows Server 2008
and newer and Windows Vista SP2 and newer
Can be created, deleted, replaced, or updated
Categories include mapped drives, shortcuts,
registry changes, power options, scheduled tasks,
and Internet Explorer settings
Comparing Group Policy preferences and Group Policy
settings
Features of Group Policy preferences
Item-level targeting options
Item-level targeting options
Restrict drive mappings to an Active Directory
security group
Configure different power plans to portable and
desktop computers
Deploy printers only to computers that meet
specific criteria, and to users that are members of
a specific group
Copy Microsoft Office templates based on the
language of the operating system installed on the
computer
Lab Scenario
A. Datum Corporation has implemented Microsoft Office 2016, and
you want to use Group Policy to configure settings for some Office
2016 apps. The IT department uses logon scripts to provide users
with drive mapping to shared folders. However, maintaining these
scripts is an ongoing problem, because they are large and complex.
Your manager has asked that you implement drive mapping by using
Group Policy preferences to remove logon scripts.
Your manager also has asked that you place a desktop shortcut to
the Notepad app for all users who belong to the IT Security group.
Additionally, you must add a new computer administrator’s security
group as a local administrator on all servers.
To help minimize profile sizes, you also need to configure Folder
Redirection to redirect several profile folders to each user’s home
drive. Finally, you have to complete the GPO design to manage user
desktops and server security.
Lab: Managing user settings with Group Policy
Exercise 1: Using administrative templates to
manage user settings
Exercise 2: Implementing settings by using
Group Policy preferences
Exercise 3: Configuring Folder Redirection
Exercise 4: Planning Group Policy (optional)
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-CL1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 30 minutes
Module 7
Securing Active Directory
Domain Services
Module Overview
Securing domain controllers
Implementing account security
Implementing audit authentication
Configuring managed service accounts
Security risks that can affect domain controllers
Domain controllers are prime targets for attacks
and the most important resources to secure
Security risks include:
Network security
Authentication attacks
Elevation of privilege
DoS attack
Operating system, service, or application attacks
Operational risks
Physical security threats
Modifying the security settings of domain controllers
Use a GPO to apply the same security settings to all
domain controllers
Consider custom GPOs that link to the Domain
Controllers OU
Security options include:
Account policies, such as passwords and account lockout
Local policies, such as auditing, user rights, and security options
Event log configuration
Restricted groups
Secure system services
Windows Firewall with advanced security
Public key policies
Advanced auditing
What are RODCs?
What are RODCs?
Consider the following limitations when deploying RODCs:
RODCs cannot be operations master role holders
RODCs cannot be bridgehead servers
You should have only one RODC per site, per domain
RODCs cannot authenticate across trusts when a WAN connection is not available
No replication changes originate at an RODC
RODCs cannot properly support any app that needs to update AD DS interactively
Deploying an RODC
Prerequisites:
ADPrep /RODCPrep
Sufficient Windows Server 2008 or newer replication partners for
the RODCs
For a one-step deployment, perform either of the following steps:
In Server Manager, open Add Roles and Features, and then use the
Active Directory Domain Services Configuration Wizard
Windows PowerShell: Install-ADDSDomainController -ReadOnlyReplica
For a two-step deployment, perform the following steps:
1. Prestaging: Create the account by using Active Directory
Administrative Center or Add-ADDSReadOnlyDomainControllerAccount
2. Delegated promotion: Join the RODC as delegated admin: Server
Manager or Install-ADDSDomainController -ReadOnlyReplica
Planning and configuring an RODC password
replication policy
A password replication policy determines which users’ or computers’
credentials a specific RODC caches
You can configure these credentials by using a:
Domain-wide password replication policy
RODC-specific password replication policy
RODC filtered attribute set
Separating RODC local administration
Administrator role separation allows nondomain administrators to
perform local administrative tasks on the RODC
Each RODC maintains a local Security Accounts Manager
database of groups for specific administrative purposes
Configure the local administrator by:
Adding the user or group when precreating or installing
the RODC
Adding a user or group on the
Managed By
tab on the
RODC account properties
Account security in Windows Server 2016
Account security features in Windows Server 2016 include:
Password policies
Account lockout policies
Fine-grained password policies
Protected users
Authentication policies
Authentication policy silos
Password policies
Set password requirements by using the following
settings:
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password complexity requirements:
Does not contain name or user name
Must have at least six characters
Contains characters from three of the following four groups:
uppercase, lowercase, numeric, and special characters
Account lockout policies
Account lockout policies define whether accounts
should be locked automatically after several failed
attempts to sign in
To configure these policy settings, you must
consider:
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Account lockout policies provide a level of security
but also provide an opportunity for DoS attacks
Kerberos policies
Kerberos policy settings determine timing for Kerberos
tickets and other events
Kerberos claims and compound authentication for DAC
require Windows Server 2012 or newer domain controllers
Protecting groups in AD DS
Restricted groups:
You can control membership for local groups on workstations and servers
by using the following attributes:
Members
Member of
You cannot use these with domain groups
Protected Users group:
Provides additional protection against the compromise
of credentials during authentication processes
Members of this group automatically have
nonconfigurable protection applied to their accounts
Fine-grained password and lockout policies
You can use fine-grained password policies to
specify multiple password policies within a single
domain
Fine-grained password policies:
Apply only to user objects, InetOrgPerson objects, or
global security groups
Do not apply directly to an OU
Do not interfere with custom password filters that you
might use in the same domain
Tools for creating PSOs
Windows Server 2012 and newer operating systems
provide two tools for configuring PSOs:
Windows PowerShell cmdlets:
New-ADFineGrainedPasswordPolicy
Add-FineGrainedPasswordPolicySubject
Active Directory Administrative Center
PSO precedence and resultant PSO
If multiple PSOs apply to a user:
The PSOs that you directly apply take precedence over the
PSOs that you apply by using group memberships
The PSO with the lowest precedence wins
If two PSOs have the same precedence, the smallest objectGUID wins
To evaluate a user object to see which PSO has been applied, you
can use the msDS-ResultantPSO Active Directory attribute
To view the effective PSO that AD DS applies to a user:
1. Open Active Directory Users and Computers, and on the View
menu, ensure that Advanced Features is enabled
2. Open the properties of a user account
3. On the Attribute Editor tab, view the msDS-ResultantPSO
attribute if you have configured the Show Constructed Attributes
option under the Filter options
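The PSO precedence rules above and the complexity rule from the Password policies slide, implemented together as an added example that is not part of the course. The users, groups, PSOs and GUIDs are constructed; comparing objectGUID values as integers for the tie-break, and ignoring display-name tokens shorter than three characters, are assumptions noted in the code.

```python
"""Resultant PSO selection and the password complexity rule, as the slides state them.

Users, groups, PSOs and GUIDs below are constructed for illustration. Assumptions beyond
the slides: objectGUID ties are compared as 128-bit integers, and display-name checks
ignore name tokens shorter than three characters (the documented Windows behaviour)."""
import re
from dataclasses import dataclass
from uuid import UUID


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int              # msDS-PasswordSettingsPrecedence; the lower value wins
    object_guid: UUID
    min_password_length: int
    applies_to: frozenset        # sAMAccountNames of users and global security groups


def resultant_pso(user, user_groups, psos):
    """The PSO that AD DS would report in msDS-ResultantPSO, or None when no PSO applies
    (the Default Domain Policy settings then govern the account)."""
    direct = [p for p in psos if user in p.applies_to]
    via_groups = [p for p in psos if p.applies_to & frozenset(user_groups)]
    candidates = direct or via_groups        # a directly applied PSO beats any group-applied one
    if not candidates:
        return None
    # lowest precedence value wins; equal precedence is broken by the smallest objectGUID
    return min(candidates, key=lambda p: (p.precedence, p.object_guid.int))


def complexity_failures(password, sam_account_name, display_name):
    """Reasons the password fails the slide's complexity rule (empty list when it passes)."""
    reasons = []
    if len(password) < 6:
        reasons.append("fewer than six characters")
    lowered = password.lower()
    tokens = [sam_account_name] + re.split(r"[,.\-_ #\t]+", display_name)
    if any(len(t) >= 3 and t.lower() in lowered for t in tokens):
        reasons.append("contains the user name or part of the display name")
    groups = (str.isupper, str.islower, str.isdigit, lambda ch: not ch.isalnum())
    if sum(any(test(ch) for ch in password) for test in groups) < 3:
        reasons.append("characters from fewer than three of the four groups")
    return reasons


def check_password(user, user_groups, display_name, password, psos, default_min_length=7):
    """Apply the user's effective policy: minimum length from the resultant PSO (or the
    domain default) plus the complexity rule. Returns (PSO name or None, list of failures)."""
    pso = resultant_pso(user, user_groups, psos)
    min_length = pso.min_password_length if pso else default_min_length
    failures = complexity_failures(password, user, display_name)
    if len(password) < min_length:
        failures.append(f"shorter than the minimum length of {min_length}")
    return (pso.name if pso else None, failures)


# Constructed PSOs; the GUIDs are placeholders, not real objectGUID values.
PSOS = (
    PSO("PSO-Admins", 10, UUID("00000000-0000-0000-0000-00000000000b"), 15,
        frozenset({"Domain Admins"})),
    PSO("PSO-ServiceAccounts", 10, UUID("00000000-0000-0000-0000-00000000000a"), 20,
        frozenset({"Service Accounts"})),
    PSO("PSO-Research", 20, UUID("00000000-0000-0000-0000-00000000000c"), 10,
        frozenset({"Research"})),
    PSO("PSO-Beth", 50, UUID("00000000-0000-0000-0000-00000000000d"), 8,
        frozenset({"Beth"})),
)

if __name__ == "__main__":
    # Adam: group-applied PSOs 10 and 20 compete, the lower value wins, then length fails.
    print(check_password("Adam", ["Domain Admins", "Research"], "Adam Barr", "Adam.2016!", PSOS))
    # Beth: a directly applied PSO (precedence 50) still beats the group-applied PSO-Admins.
    print(check_password("Beth", ["Domain Admins"], "Beth Burke", "Winter-2016", PSOS))
    # Carl: two PSOs tie at precedence 10, so the smaller objectGUID decides.
    print(check_password("Carl", ["Domain Admins", "Service Accounts"], "Carl Luna", "short", PSOS))
```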
Account-security options in Windows Server 2016
Protected Users group:
Protects users in the Protected Users group
Prevents locally cached user profiles and credentials
Requires Kerberos authentication, limits TGT to four hours
No offline sign in
Windows 8.1, Windows 10, Windows Server 2012 R2, and
Windows Server 2016 domain members only
Authentication policies:
Configured as authentication policy object in AD DS, applied to user,
service, or computer accounts
Custom TGT
Uses claims (DAC) for custom conditions
Authentication policy silos:
AD DS object
Centrally apply authentication policies to multiple objects
Additional claim allows administrators to configure file access per silo
Configuring user account policies
Local Security Policy account settings:
Configure with secpol.msc
Apply to local user accounts
Group Policy account settings:
Configure with the Group Policy Management console
Apply to all accounts in AD DS and local accounts on
computers joined to the domain
Can apply only once in a domain and in only one GPO
Take precedence over Local Security Policy settings
Enhancing password authentication with Windows
Hello and MFA
To enhance security of the authentication process, you can use:
Windows Hello: For biometric-based sign in to Windows
Microsoft Passport: To leverage Windows Hello and TPM
Azure Multi-Factor Authentication: To enhance account security by adding a
second factor of verification
Can be used in cloud or for on-premises applications
Enhancing password authentication with Windows
Hello and MFA
How Windows Hello works
Enhancing password authentication with Windows
Hello and MFA
Multi-Factor Authentication adds a second level of
authentication:
Text message
Phone call
Mobile app
Account logon and logon events
Account logon events:
The system that authenticates the
account registers these events
For domain accounts: domain
controllers
For local accounts: local computer
Logon events:
The machine at or to which a user
logged on registers these events
Interactive logon: user's system
Network logon: server
Scoping audit policies
Overview of service accounts
Sometimes, applications require resource access:
For this purpose, you can create domain or local
accounts to manage such access. However, this might
compromise security
Use the following service accounts instead:
Local System:
Most privileged, still vulnerable if compromised
Local Service:
Least privileged, may not have enough permissions to access all
required resources
Network Service:
Can access network resources with proper credentials
Challenges of using service accounts
Extra administration effort to manage the service
account password
Difficulty in determining where a domain-based
account is used as a service account
Extra administration effort to manage the SPN
Overview of managed service accounts
Use MSAs to automate password and SPN management
for service accounts that services and applications use
Requires Windows Server 2008 R2 or newer installed with:
.NET Framework 3.5.x
Active Directory module for Windows PowerShell
Recommended to run with AD DS configured at the
Windows Server 2008 R2 functional level or higher
What are group MSAs?
Group MSAs extend the capability of standard
MSAs by:
Enabling MSAs for use on more than one computer in
the domain
Storing MSA authentication information on domain
controllers
To support group MSA, your environment:
Must have at least one Windows Server 2012 or newer domain controller
Must have a KDS root key created for the domain
SPNs and Kerberos delegation
Kerberos delegation of authentication:
Services can delegate service tickets issued to them by
the KDC to another service
Constrained delegation:
Allows administrators to define which services can use
service tickets issued to other services
SPNs help identify services uniquely
Windows Server 2016 allows:
Constrained delegation across domains
Service administrators to configure constrained
delegation
Lab Scenario
The security team at A. Datum Corporation has been examining
possible security issues in the organization, focusing on AD DS.
The security team is particularly concerned with AD DS
authentication and security of branch-office domain controllers.
You must help improve security and monitoring of
authentication against the enterprise’s AD DS domain.
Additionally, management at A. Datum has instituted a
password policy, and you must enforce it for all user accounts
and develop a more stringent password policy for security-sensitive
administrative accounts. It also is important that you
implement an appropriate audit trail to help monitor
authentication attempts within AD DS.
The second part of your assignment includes deploying and
configuring RODCs to support AD DS authentication within a
branch office. Lastly, you should evaluate the usage of a group
MSA by deploying it to the test server.
Lab: Securing AD DS
Exercise 1: Implementing security policies for
accounts, passwords, and administrative groups
Exercise 2: Deploying and configuring an RODC
Exercise 3: Creating and associating a group MSA
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-SVR1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 40 minutes
Module 8
Deploying and managing AD CS
Module Overview
Deploying CAs
Administering CAs
Troubleshooting and maintaining CAs
What is AD CS?
Allows you to implement a PKI for your
organization:
Issue and manage certificates
AD CS role services in Windows Server 2016:
Certification Authority
Certification Authority Web Enrollment
Online Responder
Network Device Enrollment Service
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
Options for implementing CA hierarchies
Standalone vs. enterprise CAs
Considerations for deploying a root CA
Computer name and domain membership cannot
change
When you plan private key configuration, consider
the following:
CSP
Key character length, with a default of 2,048
The hash algorithm that is used to sign certificates issued
by a CA
When you plan a root CA, consider the following:
Name and configuration
Certificate database and log location
Validity period
Considerations for deploying a subordinate CA
Organizational divisions
How to use the CAPolicy.inf file for installing a CA
The CAPolicy.inf file is stored in the
%SystemRoot% folder of the root or subordinate
CA
The CAPolicy.inf file defines the following:
Certification practice statement
Object identifier
CRL publication intervals
CA renewal settings
Key size
Certificate validity period
CDP and AIA paths
Managing CAs
For managing a CA hierarchy, you can use:
CA management console
Windows PowerShell
Certutil command-line tool
Certutil provides an interface for advanced CA
and PKI configuration and management
PKI options are manageable through Group Policy, if you use the following:
Credential roaming
Autoenrollment of certificates
Certificate path validation
Certificate distribution
Configuring CA security
You can assign the following permissions on a CA object:
Read
Issue and Manage Certificates
Manage CA
Request Certificates
Security principals with the Issue and Manage
Certificates permission can be restricted to a
specific template
The Certificate Managers tab on the CA object properties
Security roles for CA administration
Role-based administration:
Grant predefined CA permissions to a security group
Must be manually configured; roles are not
automatically created
Typical roles for AD CS might be:
CA Administrator
Certificate Manager
Backup Operator
Auditor
Enrollee
Roles might be unique to each AD CS
deployment
Configuring CA policy and exit modules
The policy module determines the action that is
performed after the certificate request is received
The exit module determines what happens with a
certificate after it is issued
Each CA is configured with default policy and exit
modules
MIM 2016 Certificate Management deploys custom policy and exit modules
The exit module can send email or publish a certificate to a file system
You have to use certutil to specify these settings,
because they are not available in the CA
administrator console
Configuring CDPs and AIA locations
The AIA specifies where to retrieve the CA's certificate
The CDP specifies from where the CRL for a CA can be retrieved
Publication locations for AIA and CDP:
AD DS (LDAP)
Web servers (HTTP)
FTP servers
File servers
Ensure that you properly configure CRL and AIA locations
for offline and standalone CAs
Ensure that the CRL for an offline root CA does not expire
Troubleshooting CAs
Tools for managing CAs:
Certificates snap-in
PKIView.msc console
Certification Authority console
Certutil.exe
Certificate Templates snap-in
Common AD CS issues:
Client autoenrollment issues
Unavailable enterprise CA option
Error accessing CA webpages
Enrollment agent restriction
Renewing a CA certificate
The CA certificate needs to be renewed when the validity
period of the CA certificate is close to its expiration date
The CA will never issue a certificate that has a longer
validity time than its own certificate
Considerations for renewing a root CA certificate:
Key length
Validity period
Considerations for renewing a certificate for an issuing CA:
New key pair
Smaller CRLs
Procedure for renewing a CA certificate
Moving a root CA to another computer
To move a CA from one computer to another, you have to perform
a backup and restore:
To back up a computer, follow this procedure:
Record the names of the certificate templates
Back up a CA in the CA admin console
Export the registry subkey
Uninstall the CA role
Confirm the %SystemRoot% folder locations
Remove the old CA from the domain
To restore, follow this procedure:
Install AD CS
Use the existing private key
Restore the registry file
Restore the CA database and settings
Restore the certificate templates
Monitoring CA operations
For monitoring and maintenance of a CA hierarchy, you can use
PKIView and CA auditing
With PKIView, you can:
Access and manage PKI-related AD DS containers
Monitor CAs and their health state
Check the status of CA certificates
Check the status of AIA locations
Check the status of CRLs
Check the status of CDPs
Evaluate the state of the Online Responder
CA auditing provides logging for various events that occur on the CA
Lab Scenario
A. Datum has expanded; therefore, its security
requirements also have increased. The Security
department is particularly interested in enabling
secure access to critical websites and in providing
additional security for some features. To address
these and other security requirements, A. Datum
has decided to implement a PKI by using the AD
CS role in Windows Server 2016. As a senior
network administrator at A. Datum, you are
responsible for implementing the AD CS
deployment.
Lab: Deploying and configuring a two-tier CA hierarchy
Exercise 1: Deploying an offline root CA
Exercise 2: Deploying an enterprise
subordinate CA
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-SVR1
20742B-CA-SVR1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 40 minutes
Module 9
Deploying and managing
certificates
Module Overview
Deploying and managing certificate templates
Managing certificate deployment, revocation, and
recovery
Using certificates in a business environment
Implementing and managing smart cards
What are certificates and certificate templates?
A certificate contains information about users, devices, usage, validity,
and a key pair
A certificate template defines:
The format and contents of a certificate
The process for creating and submitting a valid
certificate request
The security principals that are allowed to read, enroll, or
use autoenrollment for a certificate that will be based on
the template
The permissions that are required to modify a certificate
template
Certificate template versions in Windows Server 2016
Version 1
Created by default when CA is installed
Cannot be modified (except for permissions) or removed
Can be duplicated to create version 2 or version 3 templates
Version 2
Allows customization of most settings in the template
Supports autoenrollment
Version 3
Supports advanced Suite B cryptographic settings
Includes advanced options for encryption, digital signatures, key
exchange, and hashing
Version 4
Supports both CSPs and key storage providers
Supports renewal with the same key
Configuring certificate template permissions
Configuring certificate template settings
For each certificate template, you can customize several
settings, such as validity time, purpose, CSP, private key
exportability, and issuance requirements
Options for updating a certificate template
Certificate enrollment methods
Overview of certificate autoenrollment
A certificate template is configured for Allow,
Enroll, and Autoenroll permissions for users who
receive the certificates
The CA is configured to issue the template
An AD DS Group Policy Object should be created to enable autoenrollment
The GPO should be linked to the appropriate site, domain, or Organizational Unit
The user or computer receives the certificates
during the next Group Policy refresh interval
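The autoenrollment steps above scripted with the ADCSAdministration and GroupPolicy modules, as an added example that is not part of the course; the template common name AdatumUserAuth, the GPO name and the domain DN are assumptions.

```powershell
# Added example, not course material. Assumes: a duplicated version 2
# template with common name "AdatumUserAuth" already grants Read, Enroll
# and Autoenroll to the intended group (step 1), and this runs as an
# Enterprise Admin on the CA with the RSAT Group Policy tools installed.
Import-Module ADCSAdministration
Import-Module GroupPolicy

$templateName = 'AdatumUserAuth'             # assumed template common name
$gpoName      = 'Certificate Autoenrollment' # assumed GPO name
$domainDN     = 'DC=adatum,DC=com'           # assumed link target

# Step 2: the CA must issue the template before anyone can enroll.
if (-not (Get-CATemplate | Where-Object { $_.Name -eq $templateName })) {
    Add-CATemplate -Name $templateName -Force
}

# Step 3: a GPO that turns on the "Certificate Services Client -
# Auto-Enrollment" policy for computers (HKLM) and users (HKCU).
# AEPolicy 7 = enroll, renew expired certificates, and update certificates
# that use templates; 10 = start renewal when 10% of lifetime remains.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName AEPolicy `
        -Type DWord -Value 7 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName OfflineExpirationPercent `
        -Type DWord -Value 10 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName OfflineExpirationStoreNames `
        -Type String -Value 'MY' | Out-Null
}

# Step 4: link the GPO where the target users and computers live.
# Keep the Autoenroll permission on the template scoped to the group that
# needs it; everyone who holds it gets a certificate without asking.
$links = (Get-GPInheritance -Target $domainDN).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}

# Step 5 happens at the next Group Policy refresh. On a client you can
# force it and confirm the certificate landed in the user's store with:
#   gpupdate /force ; certutil -pulse
#   Get-ChildItem Cert:\CurrentUser\My | Format-Table Subject, NotAfter, Thumbprint
```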
What is an enrollment agent?
An Enrollment Agent is a user account used to request certificates on behalf of another user account
An Enrollment Agent must possess a certificate
based on the Enrollment Agent template
Enrollment Agents are typically members of
corporate or IT security departments
You can limit the scope of an Enrollment Agent to:
Specific users or security groups
Specific certificate templates
How does certificate revocation work?
The following are steps in the certificate revocation
lifecycle:
1. A certificate is revoked
2. A CRL is published
3. A client computer verifies certificate validity and revocation
Overview of key archival and recovery
Private keys can get lost when:
A user profile is deleted
An operating system is reinstalled
A disk is corrupted
A computer is lost or stolen
It is critical that you archive private keys for certificates that are used for encryption
The KRA is needed for key recovery
You must configure key archival on the CA and on the certificate template
Key recovery is a two-phase process:
1. Key retrieval
2. Key recovery
The KRA certificate must be protected
Configuring automatic key archival
Steps to configure automatic key archival:
1. Configure the KRA certificate template
2. Designated Key Recovery Agents enroll for a KRA certificate
3. Enable Key Recovery Agents on the CA
4. Configure necessary certificate templates for key archival
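The two-phase recovery (key retrieval, then key recovery) from the previous slide, driven with certutil once archival is configured as above; this is an added example rather than course material, and the CA config string and certificate serial number are constructed placeholders.

```powershell
# Added example, not course material. Assumes: archival is enabled on the
# CA and on the template, the operator running phase 2 holds the KRA
# certificate and private key, and the values below are placeholders.
$caConfig = 'LON-SVR1.adatum.com\AdatumCA'   # assumed CA config string
$serial   = '1a2b3c4d5e6f00000001'           # constructed serial number
$blobFile = Join-Path $env:TEMP "recovery-$serial.bin"
$pfxFile  = Join-Path $env:TEMP "recovered-$serial.pfx"

# Pre-check: the CA should report at least one enabled KRA certificate
# (KRACertCount is set when agents are enabled on the CA's Recovery Agents tab).
certutil -config $caConfig -getreg CA\KRACertCount

# Phase 1, key retrieval: a certificate manager pulls the archived key
# out of the CA database. The blob is still encrypted to the KRA public
# key, so this phase alone exposes nothing; that separation is the point.
certutil -config $caConfig -getkey $serial $blobFile
if ($LASTEXITCODE -ne 0) { throw "Key retrieval failed for serial $serial" }

# Phase 2, key recovery: the KRA decrypts the blob with the KRA private
# key and writes a password-protected PFX to return to the user.
$pfxPassword = Read-Host -Prompt 'Password for the recovered PFX' -AsSecureString
$plain = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
certutil -p $plain -recoverkey $blobFile $pfxFile
if ($LASTEXITCODE -ne 0) { throw 'Key recovery failed' }

# Housekeeping: the blob and the PFX are as sensitive as the key itself.
# Delete the blob now and the PFX once the user has imported it.
Remove-Item $blobFile -Force
Write-Host "Recovered key written to $pfxFile; deliver it securely, then delete it."
```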
Using certificates for SSL
The purpose of securing a connection with SSL is to protect data during communication
For SSL, a certificate must be installed on the server
Be aware of trust issues
SSL works in the following steps:
1. The user types an HTTPS URL
2. The web server sends its SSL certificate
3. The client performs a check of the server certificate
4. The client generates a symmetric encryption key
5. The client encrypts this key with the server’s public key
6. The server uses its private key to decrypt the encrypted symmetric key
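Steps 4 to 6 of the exchange above simulated in-process with .NET classes, as an added example that is not part of the course; the server key pair is generated here in place of the public key that would arrive in the server's SSL certificate, and the request text is constructed.

```powershell
# Added example, not course material. Assumes Windows PowerShell on a
# Windows host (RSACng is a CNG class). Step 3 of the slide, validating the
# server certificate against a trusted CA, is what guarantees the public
# key used in step 5 really belongs to the server and not to an impostor.
$oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# Server: long-lived key pair. Only the public half ever leaves the server.
$serverRsa       = [System.Security.Cryptography.RSACng]::new(2048)
$serverPublicKey = $serverRsa.ExportParameters($false)

# Step 4: the client creates a fresh random 256-bit AES key (and an IV).
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.GenerateKey()
$aes.GenerateIV()
$sessionKey = $aes.Key
$iv         = $aes.IV

# Step 5: the client wraps the session key with the server's public key.
$clientRsa = [System.Security.Cryptography.RSACng]::new()
$clientRsa.ImportParameters($serverPublicKey)
$wrappedKey = $clientRsa.Encrypt($sessionKey, $oaep)

# Step 6: only the holder of the server private key can unwrap it.
$serverSessionKey = $serverRsa.Decrypt($wrappedKey, $oaep)
if ([Convert]::ToBase64String($serverSessionKey) -ne [Convert]::ToBase64String($sessionKey)) {
    throw 'Key transport failed: client and server session keys differ'
}

# From here both sides protect the bulk data with the shared AES key.
# (Real TLS also authenticates every record; plain CBC is shown for brevity.)
function Protect-Bytes([byte[]]$Key, [byte[]]$IV, [byte[]]$Data) {
    $a = [System.Security.Cryptography.Aes]::Create(); $a.Key = $Key; $a.IV = $IV
    $a.CreateEncryptor().TransformFinalBlock($Data, 0, $Data.Length)
}
function Unprotect-Bytes([byte[]]$Key, [byte[]]$IV, [byte[]]$Data) {
    $a = [System.Security.Cryptography.Aes]::Create(); $a.Key = $Key; $a.IV = $IV
    $a.CreateDecryptor().TransformFinalBlock($Data, 0, $Data.Length)
}

$request    = [System.Text.Encoding]::UTF8.GetBytes('GET /payroll HTTP/1.1')  # constructed
$ciphertext = Protect-Bytes $sessionKey $iv $request            # client -> server
$plaintext  = Unprotect-Bytes $serverSessionKey $iv $ciphertext # decrypted by the server
[System.Text.Encoding]::UTF8.GetString($plaintext)
```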
Using certificates for digital signatures
Digital signatures ensure that:
Content is not modified during transport
The identity of the author is verifiable
Digital signatures work in the following way:
1. When an author digitally signs a document or a message, the operating system on his or her computer creates a cryptographic digest of the message
2. The cryptographic digest is then encrypted by using the author’s private key and added to the end of the document or message
3. The recipient uses the author’s public key to decrypt the cryptographic digest and compares it to the cryptographic digest created on the recipient’s computer
Users need to have a certificate that is based on a User template to use digital signatures
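The three steps above worked through in .NET, as an added example that is not part of the course: an RSA key pair generated in-process stands in for the certificate from the User template, and the document text is constructed.

```powershell
# Added example, not course material. Assumes Windows PowerShell on a
# Windows host (RSACng). SignData does steps 1 and 2 in one call: it
# hashes the content and encrypts the digest with the private key.
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$marker  = "`n-----SIGNATURE-----`n"

# The author's key pair; only the public half is handed to recipients.
$authorKey       = [System.Security.Cryptography.RSACng]::new(2048)
$authorPublicKey = $authorKey.ExportParameters($false)

function New-SignedDocument([string]$Text, [System.Security.Cryptography.RSA]$PrivateKey) {
    $content   = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $signature = $PrivateKey.SignData($content, $hashAlg, $padding)
    # The encrypted digest is appended to the end of the document.
    return $Text + $marker + [Convert]::ToBase64String($signature)
}

function Test-SignedDocument([string]$Signed, [System.Security.Cryptography.RSAParameters]$PublicKey) {
    $parts = $Signed -split $marker, 2, 'SimpleMatch'
    if ($parts.Count -ne 2) { return $false }   # no signature attached
    $content   = [System.Text.Encoding]::UTF8.GetBytes($parts[0])
    $signature = [Convert]::FromBase64String($parts[1])
    $verifier  = [System.Security.Cryptography.RSACng]::new()
    $verifier.ImportParameters($PublicKey)
    # Step 3: re-hash what was received and compare it with the digest
    # recovered from the signature using the author's public key.
    return $verifier.VerifyData($content, $signature, $hashAlg, $padding)
}

$document = 'Approve purchase order 4711 for 12,000 EUR.'   # constructed
$signed   = New-SignedDocument $document $authorKey

# Untouched document: both digests match.
if (-not (Test-SignedDocument $signed $authorPublicKey)) { throw 'valid signature rejected' }

# One amount changed in transit: the recomputed digest no longer matches.
$tampered = $signed.Replace('12,000', '92,000')
if (Test-SignedDocument $tampered $authorPublicKey) { throw 'tampered document accepted' }

# A different key pair cannot produce a signature the author's public key accepts.
$impostorKey = [System.Security.Cryptography.RSACng]::new(2048)
$forged = New-SignedDocument $document $impostorKey
if (Test-SignedDocument $forged $authorPublicKey) { throw 'forged signature accepted' }
'signature checks behaved as expected'
```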
Using certificates for authentication
You can use certificates for user and device authentication
You can also use certificates in network and application access scenarios such as:
L2TP/IPsec VPN
EAP-TLS
PEAP
NAP with IPsec
Outlook Web App
Mobile device authentication
What is a smart card?
A smart card is a miniature computer, with limited
storage and processing capabilities, embedded in
a plastic card about the size of a credit card
Smart cards:
Provide options for multifactor authentication
Provide enhanced security over passwords
You must use a valid smart card and PIN together
How does smart card authentication work?
Smart cards can be used for:
Interactive sign in to AD DS
Client authentication
Remote sign-in
Offline sign-in
Interactive sign-in steps:
1. The sign-in request goes to the LSA, which is forwarded to the Kerberos package
2. KDC verifies the certificate
3. KDC verifies the digital signature on the authentication service
4. KDC performs an AD DS query to locate the user account
5. KDC generates a random encryption key to encrypt the TGT
6. KDC signs the reply with its private key and sends it to the user
What is a virtual smart card?
A smart card infrastructure might be expensive
Windows Server 2012 AD CS introduced virtual smart cards
Virtual smart cards use the capabilities of the TPM chip
No cost for buying smart cards and smart card readers
The computer acts like a smart card
The cryptographic capabilities of the TPM protect the private keys
Enrolling certificates for smart cards
Before you issue smart cards, define the method of enrolling smart card certificates
Smart card certificate enrollment requires some manual intervention
For smart card enrollment:
Define the certificate template for the smart cards
Enroll one or more users for the Enrollment Agent certificate
Configure the enrollment station
Start the Enroll On Behalf Of wizard
Ensure that users change their personal PINs
Lab Scenario
You are working as an administrator at A. Datum Corporation.
As A. Datum expands, its security requirements are also
increasing. The Security department particularly is interested in
enabling secure access to critical websites and in providing
additional security for features such as EFS, digital signatures,
smart cards, and the DirectAccess feature in Windows 8.1 and
Windows 10. The Security department especially wants to
evaluate digital signatures in Microsoft Office documents. To
address these and other security requirements, A. Datum has
decided to use certificates issued by the AD CS role in Windows
Server 2016.
As a senior network administrator at A. Datum, you are
responsible for implementing certificate enrollment. You also
will be developing the procedures and process for managing
certificate templates and for deploying and revoking certificates.
Lab: Deploying and using certificates
Exercise 1: Configuring certificate templates
Exercise 2: Enrolling and using certificates
Exercise 3: Configuring and implementing key
recovery
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-SVR1
20742B-LON-SVR2
20742B-LON-CL1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 35 minutes
Module 10
Implementing and administering
AD FS
Module Overview
Overview of AD FS
AD FS requirements and planning
Deploying and configuring AD FS
Web Application Proxy overview
What is identity federation?
Allows identification, authentication, and
authorization across organizational and platform
boundaries
Requires a federated trust relationship between
two organizations or entities
Allows organizations to retain control over who
can access resources
Allows organizations to retain control of their
user and group accounts
What are claims-based identity and claims-based
authentication?
Claims provide information about the users
The users’ identity provider supplies information that the application provider accepts
Overview of web services
Web services comprise a standardized set of
specifications used to build applications and
services
Web services typically:
Transmit data as XML
Use SOAP to define the XML message format
Use WSDL to define valid SOAP messages
Use UDDI to describe available web services
SAML is a standard for exchanging identity
claims
What is AD FS?
AD FS is the Microsoft identity federation
product that can use claims-based authentication
AD FS has the following features:
SSO for web-based apps
Interoperability with web services on multiple platforms
Support for many clients, such as web browsers, mobile
devices, and applications
Extensibility to support customized claims from third-
party applications
Delegation of account management to the user’s organization
What’s new in AD FS in Windows Server 2016?
New AD FS features introduced in
Windows Server 2012:
Integration with the Windows Server 2012 operating
system
Integration with Dynamic Access Control
Windows PowerShell cmdlets for administering AD FS
New AD FS features introduced in
Windows Server 2016:
Support for any directory that is LDAP v3-compliant
New factors of authentication
Improvements in AD FS management
Conditional access
How AD FS enables SSO in a single organization
[Diagram: External client, Federation server, Federation Service Proxy, Web server, AD DS domain controller]
How AD FS enables SSO in a business-to-business
federation
AD FS components
AD FS requirements
A successful AD FS deployment includes the
following critical infrastructure:
TCP/IP network connectivity
AD DS
Attribute stores
DNS
PKI and certificate requirements
AD FS uses the following certificates:
Service communication certificates
Token-signing certificates
Token-decrypting certificates
When choosing certificates, ensure that all
federation partners and clients trust the service
communication certificate
Federation server roles
A claims provider federation server:
Authenticates internal users
Issues signed tokens containing user claims
A relying party federation server:
Consumes tokens from the claims provider
Issues tokens for application access
A Federation Service Proxy:
Gets deployed in a perimeter network
Provides a layer of security enhancement for internal
federation servers
Planning an AD FS deployment for online services
[Diagram: Account federation server]
Deploying SSO integration with Microsoft online
services
To configure SSO for integration with online
services, you must:
Prepare your environment for SSO
Deploy federation services
Deploy directory synchronization
Verify SSO
Planning a highly available AD FS deployment
When planning the availability of your AD FS
environment for federated authentication, you
should consider the following categories:
The federation server farm
NLB
The configuration database
Capacity planning
Use the following when planning for the capacity
of your federation servers:
Capacity Planning spreadsheet requirements:
The percentage of total users expected to send authentication
requests to AD FS during peak usage periods
The length of time the peak usage period is expected to last
The total number of users that will require SSO access
Estimation table:
What are AD FS claims and claim rules?
Claims provide information about users from the
claims provider to the relying party
AD FS:
Provides a default set of built-in claims
Enables the creation of custom claims
Requires that each claim have a unique URI
Claims can be:
Retrieved from an attribute store
Calculated based on retrieved values
Transformed into alternate values
What are AD FS claims and claim rules?
Claim rules define how claims are sent and
consumed by AD FS servers
Claims provider rules are acceptance transform
rules
Relying party rules can be:
Issuance transform rules
Issuance authorization rules
Delegation authorization rules
AD FS servers provide default claim rules,
templates, and a syntax for creating custom
claim rules
What is a claims provider trust?
Claims provider trusts:
Are configured on the relying party federation server
Identify the claims provider
Configure the claim rules for the claims provider
In a single-organization scenario, a claims
provider trust called Active Directory defines how
AD DS user credentials are processed
You can configure claims provider trusts by:
Importing the federation metadata
Importing a configuration file
Configuring the trust manually
What is a relying party trust?
Relying party trusts:
Are configured on the claims provider federation server
Identify the relying party
Configure the claim rules for the relying party
In a single-organization scenario, a relying party
trust defines the connection to internal
applications
You can configure relying party trusts by:
Importing the federation metadata
Importing a configuration file
Manually configuring the trust
Installing and configuring AD FS
You might need to prepare the following items
before installing AD FS:
SQL Server
Service account
Certificates
DNS
During the deployment of AD FS, you:
1. Install AD FS
2. Configure AD FS
3. Create the first federation server in a farm
4. Add a federation server to a farm
5. Update AD FS
Configuring an account partner and a resource partner
An account partner is a claims provider in a business-to-
business federation scenario. To configure an account
partner:
Implement the physical topology
Add an attribute store
Configure a relying party trust
Add a claim description
Prepare the client computers for federation
A resource partner is a relying party in a business-to-business federation scenario. To configure a resource partner:
Implement the physical topology
Add an attribute store
Configure a claims provider trust
Create claim rule sets for the claims provider trust
Configuring claims rules
Business-to-business scenarios might require
more-complex claims rules
You can create claims rules by using the
following templates:
Send LDAP Attributes as Claims
Send Group Membership as a Claim
Pass Through or Filter an Incoming Claim
Transform an Incoming Claim
Permit or Deny Users Based on an Incoming Claim
You can also create custom rules by using the
AD FS claim rule language
How home realm discovery works
Home realm discovery identifies the AD FS server
responsible for providing claims about a user
Two methods for home realm discovery exist:
Prompt users during their first authentication
Include a whr string in the application URL
SAML applications can use a preconfigured
profile for home realm discovery
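The rule templates from the "Configuring claims rules" slide written out in the AD FS claim rule language and applied with the ADFS module, together with pinning a claims provider to avoid the home realm discovery prompt; an added example, not course material, with an assumed relying party trust name and a constructed group SID.

```powershell
# Added example, not course material. Assumes the ADFS module on a
# federation server, an existing relying party trust "Adatum Claims App",
# and a constructed SID for the Research security group.
Import-Module ADFS
$rpName      = 'Adatum Claims App'                               # assumed
$researchSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # constructed

# Issuance transform rules: "Send LDAP Attributes as Claims" and
# "Send Group Membership as a Claim" as custom rules.
$transformRules = @"
@RuleName = "Send e-mail address and display name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,displayName;{0}", param = c.Value);

@RuleName = "Research members get the Role claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$researchSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Research");
"@

# Issuance authorization rules ("Permit or Deny Users Based on an Incoming
# Claim") run BEFORE the transform rules above, so they must test the
# incoming group SID, not the Role claim issued later. Without an explicit
# permit claim AD FS denies the request.
$authorizationRules = @"
@RuleName = "Permit Research members only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$researchSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Home realm discovery: pin this application to the local claims provider
# so single-organization users are never prompted to choose a realm.
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @('Active Directory')

# Review what is now in effect.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, ClaimsProviderName, IssuanceAuthorizationRules, IssuanceTransformRules |
    Format-List
```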
Managing an AD FS deployment
After the installation, you might need to perform
periodic AD FS management tasks, including:
Managing the certificate life cycle
Using automatic certificate rollover, which renews AD FS
certificates once a year
Using the Get-ADFSCertificate cmdlet to view certificate expiration dates
Using the Update-MsolFederatedDomain cmdlet to manage certificate rollover when the AD FS token-signing certificate renews on an annual basis
Using the Set-AdfsSyncProperties cmdlet to change the primary and secondary AD FS federation servers
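An expiry report built on the Get-AdfsCertificate cmdlet named above, as an added example that is not course material; the 30-day warning threshold is an assumption.

```powershell
# Added example, not course material. Run on a federation server with the
# ADFS module; the warning threshold is an assumption to tune locally.
Import-Module ADFS
$warnDays = 30
$now = Get-Date

$report = Get-AdfsCertificate | ForEach-Object {
    $cert     = $_.Certificate
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    $status   = 'OK'
    if ($daysLeft -le 0)               { $status = 'EXPIRED' }
    elseif ($daysLeft -le $warnDays)   { $status = 'RENEW SOON' }
    [pscustomobject]@{
        Type       = $_.CertificateType   # Service-Communications, Token-Signing, Token-Decrypting
        Primary    = $_.IsPrimary
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# The yearly automatic rollover covers only the self-signed token-signing
# and token-decrypting certificates, and only while it is switched on;
# the service communication certificate is renewed by hand.
Get-AdfsProperties |
    Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold

# Certificate changes are made on the primary server of the farm.
Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName
```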
What is the Web Application Proxy?
Windows Server 2016 includes several
improvements to the Web Application Proxy role,
including:
Preauthentication for HTTP Basic app publishing
Wildcard domain publishing of apps
HTTP to HTTPS redirection
HTTP publishing
Web Application Proxy and AD FS proxy
The Web Application Proxy is an AD FS proxy
The same certificate is used on the AD FS server
and the Web Application Proxy
Split DNS allows the same name to resolve to
different IP addresses
Web Application Proxy authentication methods
Preauthentication types:
AD FS
Pass-through
Scenarios for using the Web Application Proxy
You can use the Web Application Proxy to publish:
SharePoint services
Exchange services
Remote Desktop Gateway services
Other, custom line-of-business applications
Installing and configuring the Web Application Proxy
You might need to prepare the following items
before installing the Web Application Proxy:
Certificates
Load balancing
DNS
During the deployment of the Web Application
Proxy, you will:
Install the Web Application Proxy
Configure the Web Application Proxy
Update the Web Application Proxy
Lab Scenario
A. Datum Corporation has set up a variety of business relationships with other
companies and customers. Some of these partner companies and customers need
to access business applications that are running on the A. Datum Corporation
network. The business groups at A. Datum Corporation want to provide the maximum
level of functionality and access to these companies. The Security and Operations
departments want to help ensure that the partners and customers can access only
the resources that they are authorized for and that implementing the solution does
not significantly increase the workload for the
Operations team. A. Datum
Corporation is also working on the migration of some parts of its network
infrastructure to online services, including Azure and Office 365.
To meet these business requirements, A. Datum Corporation is planning to
implement AD FS. In the initial deployment, the company is planning to use AD FS
to implement SSO for internal users accessing an application on a web server. A.
Datum Corporation is partnering with another company, Trey Research. Trey
Research users should be able to access the same application.
As one of the senior network administrators at A. Datum Corporation, it is your
responsibility to implement the AD FS solution. As a proof of concept, you are
deploying a sample claims-aware application and configuring AD FS to allow both
internal users and Trey Research users to access the same application.
Lab: Implementing AD FS
Exercise 1: Configuring the AD FS prerequisites
Exercise 2: Installing and configuring AD FS
Exercise 3: Configuring an internal application for AD FS
Exercise 4: Configuring AD FS for federated business
partners
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-SVR1
20742B-LON-CL1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Virtual machine:
20742B-TREY-DC1
User name:
TreyResearch\Administrator
Password:
Pa55w.rd
Estimated Time: 60 minutes
Module 11
Implementing and administering
AD RMS
Module Overview
Overview of AD RMS
Deploying and managing an AD RMS
infrastructure
Configuring AD RMS content protection
What is AD RMS?
An information protection technology that:
Reduces data leakage by design
Integrates with certain Microsoft products and
Windows Server operating systems
Helps protect data when in transit, at rest, and in essentially any location
Usage scenarios for AD RMS
The primary use for AD RMS is to control the distribution of sensitive information, and typical usage scenarios include:
Helping to prevent access to confidential documents, regardless of their location
Using action-based permissions based on AD DS accounts
Helping to prevent confidential emails from leaving an organization
Overview of AD RMS components
The AD RMS cluster:
Is created when you deploy the first AD RMS server
The AD RMS server:
Licenses AD RMS-protected content
Certifies the identity of trusted users and devices
The AD RMS client:
Is built in to Windows Vista, Windows 7 and later
Interacts with AD RMS-enabled apps
AD RMS-enabled apps:
Allow for the publication and consumption of AD RMS-protected content
Include Office, Exchange Server, and SharePoint Server
Can be created through the AD RMS SDK
AD RMS certificates and licenses
AD RMS certificates and licenses include:
Server licensor certificates
AD RMS machine certificates
RACs
Client licensor certificates
PLs
End-user licenses
How AD RMS works
What is Azure RMS?
Azure RMS is RMS protection from the cloud
Azure RMS is available in Office 365 Enterprise E3, Office 365 ProPlus, and as a separate service
Azure RMS provides:
IRM integration with Office Professional
Exchange Online IRM integration
SharePoint Online IRM integration
Windows Server FCI integration
The RMS sharing application integrates with File Explorer
Comparing AD RMS, Azure RMS, and Azure RMS
for Office 365
Configuring the AD RMS cluster
AD RMS configuration includes configuring the following components:
New or existing cluster
Configuration database
Service account
Cryptographic mode
Cluster key storage
Cluster key password
Cluster website
Cluster address
Licensor certificate
Service connection point registration
AD RMS client requirements
The client is included in Windows Vista or newer
The client is included in Windows Server 2008 and newer
The client is available for download for Windows XP operating systems and Mac OS X
The AD RMS-enabled applications include Office 2007 and newer
Exchange Server 2007 and newer support AD RMS
The AD RMS client needs an RMS CAL
Implementing an AD RMS backup and recovery
strategy
Back up the private key and the certificates
Ensure that the AD RMS database is backed up
regularly
Export templates to back them up
Run the AD RMS server as a VM, and perform a
full server backup
Decommissioning and removing AD RMS
Decommission an AD RMS cluster prior to
removing it:
Decommission to provide a key that decrypts
previously published AD RMS content
Leave the server in a decommissioned state until all the
AD RMS-protected content is migrated
Export the server licensor certificate prior to
uninstalling the AD RMS role
Monitoring AD RMS
AD RMS provides built-in monitoring and
reporting capabilities
Microsoft Report Viewer is needed for reporting
The available reports are:
Statistics
Health
Troubleshooting
Operations Manager can monitor AD RMS with an existing management pack
Implementing external sharing
Trusted user domains exchange protected content
between two organizations
Trusted publishing domains consolidate the AD RMS
architecture
Federated trusts enable users from partner organizations
to access and use a local AD RMS infrastructure
Microsoft accounts enable standalone users to access AD RMS content
The Azure authentication system enables an AD RMS cluster to work with partner organizations without requiring a direct federation trust
What are rights policy templates?
Rights policy templates:
Allow authors to apply standard forms of protection
across an organization
Exist in different apps, which allow different forms of
rights
Allow you to configure rights related to viewing,
editing, and printing documents
Allow you to configure content expiration rights
Allow you to configure content revocation
Providing rights policy templates for offline use
1. Enable the AD RMS Rights Policy Template Management (Automated) scheduled task
2. Edit the registry key to specify the template shared folder location
3. Publish templates to a shared folder
What are exclusion policies?
Exclusion policies enable you to:
Block specific users from accessing
AD RMS-protected content by blocking their
RACs
Block specific apps from creating or
consuming AD RMS–protected content
Block specific versions of AD RMS clients
Lab Scenario
A. Datum Corporation performs highly confidential research, so
their security team wants to implement additional security for
some of the documents that the Research department creates.
The security team is concerned that anyone with read access to
the documents can modify and distribute them in any way that
they choose. The security team wants to provide an extra level
of protection that stays with a document even if it moves
around the network or outside of the network.
As a senior network administrator at A. Datum Corporation, you
must plan and implement an AD RMS solution that will help to
provide the level of protection that the security team requested.
The AD RMS solution must provide many options that can be
adapted for a wide variety of business and security
requirements.
Lab: Implementing an AD RMS infrastructure
Exercise 1: Installing and configuring AD RMS
Exercise 2: Configuring AD RMS templates
Exercise 3: Using AD RMS on clients
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-SVR1
20742B-LON-CL1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 40 minutes
Module 12
Implementing AD DS
synchronization with
Microsoft Azure AD
Module Overview
Planning and preparing for directory
synchronization
Implementing directory synchronization by using
Azure AD Connect
Managing identities with directory synchronization
Extending the scope of AD DS
AD DS was designed primarily for on-premises deployments, so its limitations are that it:
Has a single tenant by design
Employs protocols not suited for Internet communication
Requires domain-joined computers to deliver full
functionality
You can install AD DS domain controllers on Azure
virtual machines
Extending the scope of AD DS
You can use AD DS to provide authentication and
authorization for cloud-based services and mobile
devices by using:
AD FS and Web Application Proxy
Azure AD
Device Registration
Federation support
Azure AD as an authentication system
Key differences between Azure AD and AD DS:
Azure AD is designed for Internet-based
applications
In Azure AD, there are no OUs or GPOs
Azure AD cannot be queried through LDAP
Azure AD does not use Kerberos authentication
Azure AD includes federation services
Azure AD authentication options
Overview of directory synchronization
Planning directory synchronization
Best practices for deploying directory
synchronization:
Have a proper project plan
If AD DS filtering is used, configure it before
synchronizing objects to
Azure AD
Work with a cloud services partner
Perform thorough capacity planning
Remediate AD DS before deploying directory
synchronization
Add all SMTP domains as verified domains before
synchronizing
Prerequisites and preparation for directory
synchronization
When reviewing the prerequisites for directory
synchronization, your tasks should include:
Capacity planning for your directory synchronization
database server
Identifying the hardware requirements for your
directory synchronization computer
Identifying whether your environment exceeds the
Azure AD object quota
Reviewing the network ports required by directory
synchronization
Determining if any schema extensions to AD DS are
required
Configuring a tenant for directory synchronization
To enable Active Directory synchronization by using the Azure portal:
1. In the left navigation pane, click ALL ITEMS, and then click your Azure AD instance.
2. On the toolbar, click DIRECTORY INTEGRATION.
3. Under integration with local active directory, click Activate.
AD FS and Azure AD
[Diagram: Client computer, SaaS application, AD FS, AD DS domain controller, Azure AD, Federation trust; numbered flow steps 1 to 11]
Overview of Azure AD Connect
When you use Azure AD Connect for directory
synchronization:
New user, group, and contact objects in on-premises AD DS are added to Azure AD
Attributes of existing user, group, or contact objects that are modified in on-premises AD DS are modified in Azure AD
Existing user, group, and contact objects that are deleted from on-premises AD DS are deleted from Azure AD
Existing user objects that are disabled on-premises are disabled in Azure AD
Azure AD Connect requirements
When you identify the Azure AD Connect
requirements, you should review:
Azure AD requirements
Domain and forest requirements
Operating system and supporting software requirements
Permissions and accounts
Database requirements
Azure AD Connect express synchronization
Scenarios for using the express settings include:
You have a single AD DS forest
Users sign in with the same password by using password synchronization
Installing Azure AD Connect with express settings:
Installs the synchronization engine
Configures Azure AD Connector
Configures the on-premises AD DS connector
Enables password synchronization
Configures synchronization services
Configures sync services for an Exchange hybrid deployment
(optional)
Enables automatic update of Azure AD Connect
Azure AD Connect customized synchronization
You can select customized settings for the
following scenarios:
When you have multiple forests
When you customize your sign-in option, such as AD FS
for federation, or use a non-Microsoft identity provider
When you customize synchronization features, such as
filtering and writeback
Azure AD Connect monitoring features
Azure AD Privileged Identity Management
Azure AD Privileged Identity Management allows
you to:
Discover which users are the Azure AD
administrators
Enable on-demand, just-in-time administrative
access to directory resources
Get reports about administrator access history
and the changes in administrator assignments
Get alerts about access to a privileged role
Comparing options for identity synchronization
Managing users with directory synchronization
After you deploy Azure AD Connect successfully
and enable scheduled synchronization, perform
these required management tasks to ensure users
synchronize efficiently:
User writeback
Password writeback
Device writeback
Primary SMTP address management
Recovery from accidental deletions
Recovery from unsynchronized deletions
Accidental account deletion
Bulk activation of new accounts
Managing groups with directory synchronization
The group writeback feature writes groups from
Azure AD to on-premises AD DS
The cmdlet Initialize-ADSyncGroupWriteBack prepares AD DS automatically for group writeback
The OU where on-premises AD DS stores the cloud groups is $groupOU
Groups from Azure AD are represented as distribution groups in on-premises AD DS
An Azure AD Premium license is required if you
enable a group writeback without the Exchange
Server hybrid writeback feature
Modifying directory synchronization
Filtering configuration types that you apply to Azure
AD Connect include:
Domain:
Allows you to select which AD DS domains are allowed to synchronize
to Azure AD
Uses Azure AD Connect or Synchronization Service Manager
OU:
Allows you to select which OUs in AD DS are allowed to synchronize
to Azure AD
Uses Azure AD Connect or Synchronization Service Manager
Attribute:
Allows you to control which objects in AD DS should synchronize to Azure AD based on criteria of the objects’ attributes
Uses Synchronization Rules Editor
Monitoring directory synchronization
Tools to monitor directory synchronization:
Operations Manager—use the System Center
Management Pack for Azure
The Azure classic portal
Windows PowerShell
Synchronization Service Manager
Event logs
Troubleshooting directory synchronization
Troubleshooting tasks for directory
synchronization include:
Analyzing logs for errors
Remediating synchronization errors with the tool
Typical issues that can lead to problems include:
Installation errors, such as using incorrect on-premises
or
Azure AD
credentials
Inadvertently deactivating directory synchronization in
the Azure classic portal or through Windows PowerShell
Unexpected changes in AD DS that affect OU scoping or
attribute filtering
Corrupted AD DS requiring directory recovery
Lab Scenario
As part of the proof-of-concept phase, your team
must configure and test synchronization between
on-premises AD DS and Azure AD. You must
prepare AD DS for directory synchronization,
install and run Azure AD Connect, and then verify
that the directories synchronize.
Lab: Configuring directory synchronization
Exercise 1: Preparing for directory synchronization
Exercise 2: Configuring directory synchronization
Exercise 3: Managing Active Directory users and
groups
Logon Information
Virtual machines:
20742B-LON-DC1
20742B-LON-SVR1
20742B-LON-CL1
Internet access:
MT17B-WS2016-NAT
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 40 minutes
Module 13
Monitoring, managing, and
recovering AD DS
Module Overview
Monitoring AD DS
Managing the Active Directory database
Active Directory backup and recovery options for
AD DS and other identity and access solutions
Understanding performance and bottlenecks
A bottleneck is a resource that is currently at peak utilization
Key system resources:
CPU
Disk
Memory
Network
Overview of monitoring tools
Windows Server provides the following tools to
help with monitoring performance issues:
Task Manager
Resource Monitor
Event Viewer
Performance Monitor
Windows PowerShell
What is Performance Monitor?
You can use Performance Monitor to view current performance
statistics or historical data gathered by using data collector sets
What is Performance Monitor?
Important performance counters include:
CPU
Memory
Disk
Network
AD DS:
NTDS\DRA Inbound Bytes Total/sec
NTDS\DRA Inbound Object
NTDS\DRA Outbound Bytes Total/sec
NTDS\DRA Pending Replication Synchronizations
Security System-Wide Statistics\Kerberos Authentications/sec
Security System-Wide Statistics\NTLM Authentications
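Sampling the AD DS counters listed above with Get-Counter on a domain controller, as an added example that is not course material; the counter paths are the Performance Monitor names, and the thresholds and sample counts are assumptions.

```powershell
# Added example, not course material. Run on a domain controller; the
# NTLM threshold and the sampling window are assumptions to tune per site.
$counters = @(
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Inbound Objects/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\Security System-Wide Statistics\Kerberos Authentications',
    '\Security System-Wide Statistics\NTLM Authentications'
)
$ntlmWarn = 50   # assumed: average NTLM authentications/sec worth a look

# Six samples, five seconds apart (a 30-second window)
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 6

$report = $samples.CounterSamples | Group-Object Path | ForEach-Object {
    $name = $_.Name -replace '^\\\\[^\\]+', ''   # strip the \\COMPUTER prefix
    $avg  = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 2)
    $max  = ($_.Group | Measure-Object CookedValue -Maximum).Maximum
    $note = ''
    if ($name -like '*pending replication synchronizations' -and $max -gt 0) {
        # Sustained non-zero values mean inbound replication is falling behind
        $note = 'replication backlog; check repadmin /showrepl'
    } elseif ($name -like '*ntlm authentications' -and $avg -gt $ntlmWarn) {
        # Legacy NTLM traffic to track down before tightening NTLM policy
        $note = 'NTLM still in wide use; audit sources via Event ID 4624 (AuthenticationPackageName NTLM)'
    }
    [pscustomobject]@{ Counter = $name; Average = $avg; Maximum = $max; Note = $note }
}
$report | Sort-Object Counter | Format-Table -AutoSize
```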
What are data collector sets?
You can use data collector sets to gather
performance-related information
Data collector sets can contain the following
types of data collectors:
Performance counters
Event trace data
System configuration information
Overview of the AD DS database
The directory database stores Active Directory
information
Four Active Directory partitions on each domain
controller are: domain, configuration, schema,
and application (optional)
File-level components of the AD DS database are
What is NtdsUtil?
You can use NtdsUtil to:
Manage and control single-master operations
Perform Active Directory database maintenance:
Perform offline defragmentation
Create and mount snapshots
Move database files
Clean domain-controller metadata:
Domain-controller removal or demotion while not connected to a domain
Reset the DSRM password: set dsrm password
Understanding restartable AD DS
Use the Services console to start or stop AD DS
Three states of AD DS:
AD DS Started
AD DS Stopped
DSRM
It is not possible to perform a system state restoration while AD DS is in the Stopped state
Managing Active Directory snapshots
Create a snapshot of AD DS with NtdsUtil
Mount the snapshot with NtdsUtil
View the snapshot:
Right-click the root node of Active Directory Users and Computers, and then click Connect to Domain Controller
Type serverFQDN:port
View read-only snapshot:
Cannot directly restore data from the snapshot
Recover data:
Connect to the mounted snapshot, and then export/reimport objects’ attributes with Ldifde
Restore a backup from the same date as the snapshot
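The snapshot procedure above as the commands behind it, added here as an example that is not from the course: NtdsUtil creates and mounts the snapshot, Dsamain serves it read-only on an alternate LDAP port (the same serverFQDN:port endpoint ADUC connects to), and Ldifde exports attributes. The domain DN, port 50000, export folder C:\Temp and the sample user Ada are assumptions.

```powershell
# Added example, not from the course: create and mount an AD DS snapshot with
# NtdsUtil, expose it read-only through Dsamain on an alternate LDAP port, and
# export one user's attributes with Ldifde. Assumptions: run elevated on the DC,
# domain DC=Adatum,DC=com, LDAP port 50000, export folder C:\Temp, user 'Ada'.
$LdapPort = 50000
$DomainDN = 'DC=Adatum,DC=com'

# 1. Create a VSS snapshot of the directory database and list what exists
ntdsutil 'activate instance ntds' snapshot create quit quit
ntdsutil snapshot 'list all' quit quit

# 2. Mount snapshot 1 (index from 'list all'); NtdsUtil mounts it under a
#    folder named C:\$SNAP_<timestamp>_VOLUMEC$
ntdsutil snapshot 'list all' 'mount 1' quit quit
$mountPath = (Get-ChildItem -Path 'C:\' -Directory -Filter '$SNAP_*' |
              Sort-Object LastWriteTime | Select-Object -Last 1).FullName

# 3. Serve the snapshot's ntds.dit read-only on the alternate port. The mount
#    is a full copy of the database (password hashes included): keep it on the
#    DC, restrict the folder ACL and remove it as soon as you are done.
$ditPath = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process -FilePath dsamain.exe -PassThru `
    -ArgumentList "-dbpath `"$ditPath`" -ldapport $LdapPort"
Start-Sleep -Seconds 15   # give Dsamain time to open the database

# This is the endpoint ADUC reaches via Connect to Domain Controller with
# serverFQDN:port. Export attributes to compare or re-import later;
# -m skips SAM-internal attributes that cannot be imported back.
ldifde -f C:\Temp\snapshot-user.ldf -s localhost -t $LdapPort -d $DomainDN `
       -p subtree -r '(sAMAccountName=Ada)' -l 'description,title,memberOf' -m

# 4. Stop Dsamain, then unmount and delete the snapshot
Stop-Process -Id $dsamain.Id
ntdsutil snapshot 'list all' 'unmount 1' quit quit
ntdsutil snapshot 'list all' 'delete 1' quit quit
```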
Deleting and restoring objects from AD DS
Deleted objects are recovered through tombstone reanimation
When an object is deleted, most of its attributes are cleared
Authoritative restore requires Active Directory downtime
Configuring Active Directory Recycle Bin
Active Directory Recycle Bin provides a way to
restore deleted objects without Active Directory
downtime
Uses the Active Directory module for Windows PowerShell or the Active Directory Administrative Center to restore objects
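As an added example (not the course's own code), enabling Active Directory Recycle Bin and restoring a deleted OU together with its contents from the Active Directory module for Windows PowerShell; the forest adatum.com and the deleted OU=IT,DC=Adatum,DC=com are taken from the lab scenario and are assumptions here.

```powershell
# Added example, not from the course: enable Active Directory Recycle Bin and
# restore a deleted OU together with everything it contained, using the Active
# Directory module for Windows PowerShell. Assumptions: forest adatum.com, the
# deleted OU was OU=IT,DC=Adatum,DC=com (the lab scenario).
Import-Module ActiveDirectory

# Enabling the feature is forest-wide and cannot be undone; it needs forest
# functional level Windows Server 2008 R2 or higher.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'adatum.com' -Confirm:$false

function Restore-DeletedSubtree {
    # $Deleted is a deleted object as returned by Get-ADObject -IncludeDeletedObjects
    param([Parameter(Mandatory)]$Deleted)
    # Children of a deleted container have lastKnownParent set to the parent's
    # DN inside CN=Deleted Objects. Collect them BEFORE restoring the parent,
    # because that DN changes once the parent is back in place.
    $parentDN = $Deleted.DistinguishedName
    $children = Get-ADObject -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and lastKnownParent -eq $parentDN }
    # Parent first: Restore-ADObject refuses to put a child under a parent
    # that is itself still deleted.
    Restore-ADObject -Identity $Deleted.ObjectGUID
    Write-Host "Restored $($Deleted.ObjectClass): $parentDN"
    foreach ($child in $children) { Restore-DeletedSubtree -Deleted $child }
}

# Locate the deleted IT OU by its last known parent and RDN (the object's
# current Name carries a DEL:<guid> suffix, so match on msDS-LastKnownRDN)
$deletedOu = Get-ADObject -IncludeDeletedObjects -Properties 'msDS-LastKnownRDN' `
    -Filter { isDeleted -eq $true -and objectClass -eq 'organizationalUnit' -and
              lastKnownParent -eq 'DC=Adatum,DC=com' } |
    Where-Object { $_.'msDS-LastKnownRDN' -eq 'IT' }

if (-not $deletedOu) { throw 'Deleted OU=IT not found (outside the deleted object lifetime?)' }
Restore-DeletedSubtree -Deleted $deletedOu

# Recycle Bin preserves link-valued attributes, so group membership comes back
Get-ADUser -SearchBase 'OU=IT,DC=Adatum,DC=com' -Filter * -Properties MemberOf |
    Select-Object Name, @{n = 'Groups'; e = { $_.MemberOf.Count }}
```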
Additional backup and recovery tools
Windows Server Backup
Microsoft Azure Backup
Data Protection Manager
Active Directory backup and recovery
Nonauthoritative or normal restore:
Restore domain controller to previously known good state
Domain controller updates by using standard replication from partners
Authoritative restore:
Restore domain controller to previously known good state
Mark objects that you want to be authoritative
Domain controller updates from its up-to-date partners
Domain controller sends authoritative updates to its partners
Full server restore:
Typically performed in Windows RE
Alternate location restore
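The backup, nonauthoritative restore and authoritative restore steps above as the commands behind them, added here as an example that is not from the course and applied to the lab's deleted IT OU; the backup target E: and the OU's DN are assumptions, and steps 2 and 3 are typed in DSRM rather than a normal session.

```powershell
# Added example, not from the course: the commands behind the slide's backup
# and authoritative restore sequence, applied to the lab's deleted IT OU.
# Assumptions: Windows Server Backup installed, backup target drive E:, the OU
# is OU=IT,DC=Adatum,DC=com. Steps 2 and 3 run in DSRM, not a normal session.

# 1. Interactive system state backup (ntds.dit, SYSVOL, registry, boot files)
wbadmin start systemstatebackup -backuptarget:E: -quiet

# 2. Boot into DSRM (restart, then F8 > Directory Services Repair Mode, or
#    bcdedit /set safeboot dsrepair) and log on as .\Administrator with the
#    DSRM password. Nonauthoritative restore of the most recent version:
$version = (wbadmin get versions -backuptarget:E: |
            Select-String 'Version identifier: (\S+)').Matches[-1].Groups[1].Value
wbadmin start systemstaterecovery -version:$version -backuptarget:E: -quiet

# 3. Still in DSRM, mark the OU subtree authoritative. NtdsUtil raises the
#    version numbers of those objects so they win against partners that still
#    hold the deletion. It also writes ar_*_links_*.ldf files (path shown in its
#    output) for back-links such as group membership held in other domains;
#    import those on a DC of each such domain with: ldifde -i -k -f <file>
ntdsutil 'activate instance ntds' 'authoritative restore' `
    'restore subtree OU=IT,DC=Adatum,DC=com' quit quit

# 4. Return to normal boot; the DC then replicates the restored OU to partners
bcdedit /deletevalue safeboot
Restart-Computer
```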
Lab Scenario
Yesterday, you discovered that one user account
was deleted by accident. A few days ago,
additional user accounts were deleted accidentally.
You want to recover these accounts.
It is your responsibility to ensure that the directory
service is backed up. Today, you notice that last
night's backup did not run as scheduled. You
therefore decide to perform an interactive backup.
Shortly after the backup, a domain administrator
accidentally deletes the IT OU. You must recover
this OU.
Lab Review
When you restore a deleted user or an OU with
user objects by using authoritative restore, will the
objects be exactly the same as before? Which
attributes might not be the same?
In the lab, would it be possible to restore the
deleted objects if they were deleted before you
enabled Active Directory Recycle Bin?
Lab: Recovering objects in AD DS
Exercise 1: Backing up and restoring AD DS
Exercise 2: Recovering objects in AD DS
Logon Information
Virtual machine:
20742B-LON-DC1
User name:
Adatum\Administrator
Password:
Pa55w.rd
Estimated Time: 40 minutes