Master Class: Active Directory Deep Dive – Installation, Configuration and Operation (SADDD-L0) – Outline

Gedetailleerde cursusinhoud

Active Directory Overview
  • Active Directory structures: logical (forest, domain, and organizational unit) and physical (Active Directory sites, subnets, and site connections)
  • Multimaster replication of the AD database
  • Trust Relationship incl. PIM Trust
  • Name contexts of the AD database
  • Active Directory objects and their attributes
  • Distinguished Names und GUIDs
  • sAMAccountName und userPrincipalName
  • Operation master / Flexible single master oparations (FSMO) and global catalog server
  • Product history from Active Directory 2000 to Active Directory 2022 (what was added when)
  • Active Directory Limitierungen
  • Windows Admin Center (WAC) mit Active Directory Extension
Active Directory Administration
  • Overview of administrative boundaries and delegation options
  • SACL / DACL - permissions in Active Directory and their inheritance
  • Extended rights / property sets / validated writes
  • Delegation of administrative tasks in Active Directory
  • Implementing an Enhanced Security Administrative Environment (ESAE) structure
  • Fine grainted password policies (FGPP)
  • Active Directory Monitoring
Powershell für Active Directory
  • Powershell-Versionen
  • Powershell basics (Get-Help / Get-Command / Get-Member)
  • Keyboard shortcuts for Powershell
  • Powershell-Variablen, -Aliase und -Pipelining
  • Powershell-Profile
  • Active Directory Web Services
  • Powershell-Scripting für Active Directory
Active Directory Security Check und Health Check
  • Secure Channel Check (unicodepwd / ntpwdhistory)
  • Measures against golden tickets and silver tickets
  • Securely and reliably disable RC4 encryption for Kerberos
  • Implement tiering model according to ESAE
  • "LAPS" for Domain Controller via own Powershell script
  • Prevent misuse of system processes
  • Default privileges correction
  • Active Directory „Clean-up“
  • Check Active Directory replication (repadmin.exe / dcdiag.exe)
  • Documentation of the actual environment
Active Directory schema extension and domainprep
  • Structure of the Active Directory schema
  • Schema objects, object classes and attributes
  • Inheritance in Active Directory Schema
  • Object Identifier (OID)
  • Rule for structure and content
  • Schema Master
  • Correct manual schema extension with custom attributes and classes
  • Schema extension for Active Directory 2022
  • Domainprep für Active Directory 2022
Domain Controller Locator
  • Domain Controller Locator Typen
  • Domain Controller stickyness prevention
  • Nearest Domain Controller
  • DNS priority vs. DNS weighting of SRV records
  • Default Site Coverage vs. Manual Site Coverage (Hub/Spoke)
  • Influence on the locator service (relieve, make unattractive and hide domain controllers)
  • Netlogon debugging - why does my domain member end up at this domain controller?
Deployment von Active Directory Domain Controllern
  • Installation of the role (GUI and Windows Powershell)
  • Promoting a Domain Controller on Windows Server 2022 via GUI and as Server Core
  • Examine the four possible transition paths
  • Transition path 1: Substituting migration (new name + same IP)
  • Transition path 2: Substitution migration (new name + new IP)
  • Transition path 3: Replacement migration (same name + same IP)
  • Transition path 4: Consolidating migration (RODCs instead of RWDCs)
Read-Only Domain Controller (RODC)
  • Fields of application of a RODC
  • Password replication policy
  • Credentials caching
  • RODC filtered attribute set
  • Installation of a RODC (GUI + Windows Powershell)
  • Assigning an RODC to Tier 1
  • Domain Join over RODC (djoin.exe)
  • RODC as DC reverse proxy (protection of RWDCs)
Active Directory and the Domain Name System (DNS)
  • Overview of the interaction between ADS and DNS
  • DNS namespace, DNS servers and DNS clients (resolvers)
  • Installing the DNS role via GUI and Windows Powershell
  • Manage DNS zones
  • Replication of AD-integrated zones
  • Set up DNS aging in interaction with DHCP
  • Global Query Block List, Global Name Zones und Query Resolution Policies
Advanced Site Management
  • Replication architecture
  • Replication topology
  • Knowledge consistency checker (KCC)
  • nTDSDSA und invocationID
  • Urgent replication und immediately replication
  • Intra-Site Replication vs. Inter-Site Replication
  • Reduce replication latency intra-site and inter-site
LDAP-Query
  • Introduction to the LDAP protocol
  • ADSI / Search in ADS via TCP 389 / TCP 636
  • Searchflags / Systemflags / SchemaFlagsEx
  • List Object Mode (LOM)
  • Domain Controller LDAP-Query-Policy
  • Active Directory Web Services Config
  • Tracking LDAP-Searches on Domain Controllers
  • Hardening LDAP Channel Binding
Replication Internals
  • Replication Meta Data
  • nTDSDSA-GUID vs. InvocationID
  • Up-to-dateness-vector und High-Watermark
  • Replication conflicts
  • Linked Value Replication
  • SYSVOL Replication
Active Directory Forest Functional Level 2016
  • Moving the operation masters incl. operation master failure
  • Optimize the DNS servers
  • Replacing the last old domain controller
  • 2016 Domain Functional Level
  • 2016 Forest Functional Level
  • Set up and use Privilege Access Management feature
Active Directory Backup und Restore
  • Requirements for the backup - installation of the role via GUI and Windows Powershell
  • Backup types for Active Directory
  • Policies for securing Active Directory
  • Latency intervals for Active Directory backup (daily vs. 89 days)
  • Schedule, set up, and deploy scheduled tasks for Active Directory backup using Windows Powershell.
  • Sichern des Active Directory
  • Restore Active Directory (BMR)
  • Restore Internals
  • Restore process if the backup is older than 60 days
  • Questions from the participants