Active Directory
- By Orin Thomas
- 2/25/2026
Managing Active Directory
Domain controllers
AD DS structure
Managing Sites
Managing Replication
Accounts
Group Policy
Active Directory database optimization
Active Directory snapshots
Active Directory backup
Restoring deleted items
Managing AD DS with PowerShell
Active Directory is the identity glue that binds on-premises Microsoft networks together and sits at the center of almost all of them. Although each computer can have its own local user and service accounts, Active Directory provides a central store for user, computer, and service accounts.
But Active Directory is more than an identity store; it can also be used to store data for Active Directory–aware applications. One example of this is Microsoft Exchange Server, which stores server configuration information in Active Directory. Other applications, such as Microsoft Configuration Manager (formerly System Center Configuration Manager), are also highly dependent on Active Directory.
In this chapter, we look at managing Active Directory. We also cover deploying domain controllers, forests, domains, sites, Group Policy, user, computer, and service accounts, and a host of other Active Directory administrative tasks.
Managing Active Directory
Domain controllers are one of the highest-value targets, if not the highest-value target, for attackers on your network. An attacker who is able to take control of a domain controller has control over every domain-joined computer in the organization. Having control of a domain controller, which is also known as “domain dominance,” means having control of all the authentication and authorization processes in the domain.
While we will discuss server hardening in more detail in Chapter 12 and Active Directory hardening in Chapter 13, one strategy for increasing server security is to reduce the attack surface. Where possible, you should deploy roles on computers installed in the Server Core configuration because this configuration has a smaller attack surface than a server that includes desktop components. Server Core is a great option for domain controller deployment because it provides a reduced attack surface, which strengthens the security of the installation.
Remote rather than local administration
You should perform Active Directory management tasks remotely using Windows Admin Center, management consoles, or PowerShell rather than signing on to the domain controller directly using RDP. If you’re doing all your administrative tasks remotely, it won’t make any difference to you that you’ve deployed the domain controller in the Server Core configuration. Using remote consoles also reduces the chance of malware being introduced to the domain controller. There are countless stories of organizations having their security compromised because an administrator signed in to a server using Remote Desktop, went to download a utility from the Internet using the built-in web browser, and ended up with more than they bargained for in terms of malware because they weren’t careful about their browsing destinations.
There are a number of consoles that you can use to perform Active Directory administrative tasks. These include the following:
Active Directory Administrative Center
Active Directory Users And Computers
Active Directory Sites And Services
Active Directory Domains And Trusts
Group Policy Management Console
Windows Admin Center provides some Active Directory administrative functionality, but not nearly enough that AD administrators could use it as their primary tool for managing Active Directory.
Active Directory Administrative Center
Active Directory Administrative Center was introduced with Windows Server 2008 R2, but it never really caught on as the primary method of managing Active Directory for most administrators. Active Directory Administrative Center (ADAC) allows you to manage user, computer, and service accounts; to perform tasks such as restoring objects from the Active Directory Recycle Bin; and to manage functionality such as Dynamic Access Control.
Active Directory Administrative Center has better search functionality than the other consoles listed in this chapter, which haven’t substantively changed since the release of Windows 2000.
You can use Active Directory Administrative Center to manage the following:
User, computer, and service accounts
Domain and forest functional level
Fine-grained password policies
Active Directory Recycle Bin GUI
Authentication policies
Dynamic Access Control
ADAC is built on PowerShell, meaning that it provides a graphical interface to build and enact PowerShell cmdlets. You can use the PowerShell History Viewer, shown in Figure 4-1, to see which cmdlets were used to carry out a task that you configured in the GUI. This simplifies the process of automating tasks because you can copy code straight out of the PowerShell history and then paste it into tools such as PowerShell ISE or Visual Studio Code.
Figure 4-1 Active Directory Administrative Center
One of the most useful elements of Active Directory Administrative Center is the search functionality. You can use this functionality to locate accounts that might require further attention, such as users who haven’t signed in for a certain period of time, users configured with passwords that never expire, or users with locked accounts. Using the Add Criteria option in the Global Search node of the Active Directory Administrative Center, you can search based on the following criteria:
Users with disabled/enabled accounts
Users with expired passwords
Users whose passwords have an expiration date or no expiration date
Users with enabled but locked accounts
Users with enabled accounts who have not signed in for more than a given number of days
Users with a password expiring in a given number of days
Computers running as a given domain controller type
Last modified between given dates
Object type is user/inetOrgPerson/computer/group/organizational unit
Directly applied password settings for a specific user
Directly applied password settings for a specific global security group
Resultant password settings for a specific user
Objects with a given last known parent
Resource property lists containing a given resource property
Name
Description
City
Department
Employee ID
First name
Job title
Last name
SamAccountName
State/province
Telephone number
UPN
Zip/postal code
Phonetic company name
Phonetic department
Phonetic display name
Phonetic first name
Phonetic last name
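The ADAC search criteria described above map directly onto Active Directory PowerShell cmdlets. The following is an added example, not code from the book, that collects the accounts most worth reviewing (inactive, locked out, password never expires, password expired) into one table; it assumes the RSAT ActiveDirectory module is installed, that you are running it from a domain-joined management workstation, and that $InactiveDays is a threshold you choose.

```powershell
# Added example (not from the book): PowerShell equivalents of the ADAC Global Search
# criteria for accounts that deserve closer attention. Assumes the ActiveDirectory
# module (RSAT) and connectivity to a domain controller.
Import-Module ActiveDirectory

$InactiveDays = 90   # assumption: set this to your organization's inactivity policy

# Enabled user accounts that have not signed in for more than $InactiveDays days.
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled }

# Enabled user accounts that are currently locked out.
$lockedOut = Search-ADAccount -LockedOut -UsersOnly | Where-Object { $_.Enabled }

# Enabled user accounts whose password is configured to never expire.
$neverExpires = Search-ADAccount -PasswordNeverExpires -UsersOnly | Where-Object { $_.Enabled }

# User accounts whose password has already expired.
$expired = Search-ADAccount -PasswordExpired -UsersOnly

# Flatten the four result sets into one list of findings for review or export.
$report = foreach ($set in @(
        @{ Finding = "Inactive > $InactiveDays days"; Accounts = $inactive },
        @{ Finding = 'Locked out';                    Accounts = $lockedOut },
        @{ Finding = 'Password never expires';        Accounts = $neverExpires },
        @{ Finding = 'Password expired';              Accounts = $expired })) {
    foreach ($acct in $set.Accounts) {
        [pscustomobject]@{
            Finding           = $set.Finding
            SamAccountName    = $acct.SamAccountName
            LastLogonDate     = $acct.LastLogonDate
            DistinguishedName = $acct.DistinguishedName
        }
    }
}

$report | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
# To keep a record of the review: $report | Export-Csv -Path .\ad-account-review.csv -NoTypeInformation
```

The same cmdlet invocations appear in the PowerShell History Viewer when you run the equivalent searches in ADAC, which is a convenient way to confirm the filters before scheduling the script.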
There are several tasks that you can’t do with Active Directory Administrative Center or with PowerShell, such as running the Delegation Of Control Wizard.
Active Directory Users and Computers console
The Active Directory Users and Computers console is the one that many system administrators use to perform basic AD-related tasks. They use this console primarily out of habit because almost all functionality present in this console is also present in the Active Directory Administrative Center. Active Directory Users and Computers has been around since the days of Windows 2000 Server.
Active Directory Users and Computers allows you to perform tasks, including
Running the Delegation Of Control Wizard
Administering different domains within the forest
Selecting which domain controller or LDAP port the tool connects to
Finding objects within the domain
Raising the domain functional level
Managing the RID Master, PDC Emulator, and Infrastructure Master FSMO role locations
Creating and editing the properties of
Computer accounts
User accounts
Contacts
Groups
InetOrgPerson
msDS-ShadowPrincipalContainers
msDS-DelegatedManagedServiceAccount
msImaging-PSPs
MSMQ Queue Alias
Organizational unit
Printers
Shared Folder
Resultant Set of Policy planning
The View Advanced Features function allows you to see more details of the Active Directory environment. You enable this from the View menu of Active Directory Users And Computers. Enabling this view allows you to see containers that aren’t visible in the standard view. If you’ve ever read a set of instructions that tell you to locate a specific object using Active Directory Users And Computers, and you haven’t been able to find that object, chances are that you haven’t enabled the View Advanced Features option as shown in Figure 4-2.
Figure 4-2 Active Directory Users and Computers Advanced Features
The Delegation Of Control Wizard is only available in Active Directory Users And Computers. This wizard allows you to delegate control over the domain and organizational units (OUs). For example, you use this wizard to delegate the ability for a specific group to reset user passwords in an OU. This wizard is useful when you want to delegate some privileges to a group of IT ops staff, but you don’t want to grant them all the privileges that they’d inherit if you made them a member of the Domain Admins group. You’ll learn more about delegating permissions in Chapter 13, “Hardening Active Directory.”
Active Directory Sites And Services console
You use the Active Directory Sites And Services console to manage Active Directory sites, which indirectly allows you to control a number of things, including replication traffic and which server a client connects to when using products such as Exchange Server. Sites are configured for the forest, with each domain in the forest sharing the same set of sites.
An Active Directory site is a collection of TCP/IP subnets. Sites allow you to define geographic locations for Active Directory on the basis of TCP/IP subnets. You can have multiple TCP/IP subnets in a site. You should put subnets together in a site where the hosts in that site have a high-bandwidth connection to each other. Usually, this means being in the same building, but it could also be multiple buildings with very-low-latency gigabit links between them.
You’ll learn more about Active Directory sites and replication later in this chapter.
Active Directory Domains and Trusts console
You use the Active Directory Domains And Trusts console to configure and manage trust relationships. By default, all domains in a forest trust each other. Your primary use of this console is to create trust relationships between
Domains in separate forests
Separate forests
Kerberos V5 realms
When creating a trust, you can choose between the following types:
One-Way: Incoming. In this trust relationship, your local domain or forest is trusted by a remote domain or forest.
One-Way: Outgoing. In this trust relationship, your local domain or forest trusts a remote domain or forest.
Two-way. In this trust relationship, your local domain or forest trusts (and is trusted by) a remote domain or forest.
You’ll learn about trust relationships later in this chapter.
Group Policy Management console
The Group Policy Management console, shown in Figure 4-3, is the primary method by which Group Policy is managed in a standard Windows Server environment. This tool allows you to view Group Policy items from the forest level down. It provides information on which GPOs are linked at the domain, site, and OU levels. You can see a list of all GPOs in a domain under the Group Policy Objects node. There is also a WMI Filters node that contains all WMI filters configured for the domain, a Starter GPOs node that contains all starter GPOs, a Group Policy Modeling node, and a Group Policy Results node. By right-clicking a GPO and selecting Edit, you can edit a GPO in the Group Policy Management Editor. You can output information about a GPO, including which settings are configured and where the GPO is linked, to a file in HTML format using the Get-GPOReport cmdlet. You’ll learn more about managing Group Policy later in this chapter.
Figure 4-3 Group Policy Management Console
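To show the Get-GPOReport cmdlet mentioned above in practice, here is an added example (not code from the book) that exports an HTML report for every GPO in the domain and uses the XML form of the same report to show where each GPO is linked, so unlinked or disabled GPOs stand out. It assumes the RSAT GroupPolicy module and an output folder $OutDir of your choosing.

```powershell
# Added example (not from the book): export a report for every GPO with Get-GPOReport
# and summarise where each GPO is linked. Assumes the GroupPolicy module (RSAT).
Import-Module GroupPolicy

$OutDir = Join-Path $env:TEMP 'gpo-reports'   # assumption: change to a suitable path
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$summary = foreach ($gpo in Get-GPO -All) {
    # Human-readable report for review, one file per GPO (file-unsafe characters replaced).
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $htmlPath = Join-Path $OutDir ("{0}.html" -f $safeName)
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $htmlPath

    # Machine-readable report: each LinksTo element names a site, domain, or OU the GPO is linked to.
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($xml.GPO.LinksTo | Where-Object { $_ })

    [pscustomobject]@{
        Name      = $gpo.DisplayName
        Status    = $gpo.GpoStatus
        LinkCount = $links.Count
        LinkedTo  = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        Modified  = $gpo.ModificationTime
        Report    = $htmlPath
    }
}

# GPOs with no links apply nowhere; listing them first makes cleanup candidates obvious.
$summary | Sort-Object LinkCount, Name | Format-Table Name, Status, LinkCount, LinkedTo -AutoSize
```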
