Master Class: Active Directory Deep Dive – Installation, Configuration and Operation (SADDD-L0)


Fast Lane
Provider rating: Fast Lane has an average rating of 8 (from 2 reviews)


Start dates and locations
No start dates are known yet for this product.

Description


Course Content

  • Active Directory Overview
  • Active Directory Administration
  • PowerShell for Active Directory
  • Active Directory Security Check and Health Check
  • Active Directory schema extension and domainprep
  • Domain Controller Locator
  • Deployment of Active Directory Domain Controllers
  • Read-Only Domain Controller (RODC)
  • Active Directory and the Domain Name System (DNS)
  • Advanced Site Management
  • LDAP-Query
  • Replication Internals
  • Active Directory Forest Functional Level 2016
  • Active Directory Backup and Restore

Training Environment:

In the training environment, we work entirely with Hyper-V. For the proactive setup of the training environment, we use a PowerShell script that allows you to create new virtual machines in seconds. The script was developed independently by your trainer and allows the training to be set up according to the customer's wishes at extreme speed with little effort.

Hardware:

Each participant has a dedicated server in a data center with a total of 1 Gbit connection to the Internet. Each participant server is equipped as follows:

  • 256 GB RAM
  • at least 40 vCores
  • 2 NVMe SSDs with at least 3,000 MB/s write and at least 2,000 MB/s read speed
  • 1 Gbit total bandwidth to the Internet

Your Trainer:

The Advanced Master Class was developed by Andy Wendel and is delivered by himself and his experienced team.

Andy Wendel is a Senior Data Center and Cloud Architect and Certified Security Master Specialization Advanced Windows Security. He was and is trained by the internationally renowned security experts Paula Januszkiewicz and Sami Laiho. This certification is renewed every year. Andy Wendel has been working as an IT trainer and consultant since the late 1990s and is also a Certified Microsoft Learning Consultant (MCLC). Worldwide, Microsoft has only awarded 56 Certified Learning Consultants.

Prerequisites

At least 2 years' experience with Microsoft servers and client systems

Who Should Attend

This course is intended for (prospective) system administrators, consultants and Active Directory designers. After this seminar you will be able to design, implement, support and consult Active Directory.

Detailed Course Content

Active Directory Overview

  • Active Directory structures: logical (forest, domain, and organizational unit) and physical (Active Directory sites, subnets, and site connections)
  • Multimaster replication of the AD database
  • Trust Relationship incl. PIM Trust
  • Name contexts of the AD database
  • Active Directory objects and their attributes
  • Distinguished Names and GUIDs
  • sAMAccountName and userPrincipalName
  • Operation master / Flexible Single Master Operations (FSMO) and global catalog server
  • Product history from Active Directory 2000 to Active Directory 2022 (what was added when)
  • Active Directory limitations
  • Windows Admin Center (WAC) with Active Directory Extension

Active Directory Administration

  • Overview of administrative boundaries and delegation options
  • SACL / DACL - permissions in Active Directory and their inheritance
  • Extended rights / property sets / validated writes
  • Delegation of administrative tasks in Active Directory
  • Implementing an Enhanced Security Administrative Environment (ESAE) structure
  • Fine-grained password policies (FGPP)
  • Active Directory Monitoring

PowerShell for Active Directory

  • PowerShell versions
  • PowerShell basics (Get-Help / Get-Command / Get-Member)
  • Keyboard shortcuts for PowerShell
  • PowerShell variables, aliases and pipelining
  • PowerShell profiles
  • Active Directory Web Services
  • PowerShell scripting for Active Directory

Active Directory Security Check and Health Check

  • Secure Channel Check (unicodepwd / ntpwdhistory)
  • Measures against golden tickets and silver tickets
  • Securely and reliably disable RC4 encryption for Kerberos
  • Implement tiering model according to ESAE
  • "LAPS" for Domain Controllers via a custom PowerShell script
  • Prevent misuse of system processes
  • Default privileges correction
  • Active Directory "Clean-up"
  • Check Active Directory replication (repadmin.exe / dcdiag.exe)
  • Documentation of the actual environment

Active Directory schema extension and domainprep

  • Structure of the Active Directory schema
  • Schema objects, object classes and attributes
  • Inheritance in Active Directory Schema
  • Object Identifier (OID)
  • Rule for structure and content
  • Schema Master
  • Correct manual schema extension with custom attributes and classes
  • Schema extension for Active Directory 2022
  • Domainprep for Active Directory 2022

Domain Controller Locator

  • Domain Controller Locator types
  • Domain Controller stickiness prevention
  • Nearest Domain Controller
  • DNS priority vs. DNS weighting of SRV records
  • Default Site Coverage vs. Manual Site Coverage (Hub/Spoke)
  • Influence on the locator service (relieve, make unattractive and hide domain controllers)
  • Netlogon debugging - why does my domain member end up at this domain controller?

Deployment of Active Directory Domain Controllers

  • Installation of the role (GUI and Windows PowerShell)
  • Promoting a Domain Controller on Windows Server 2022 via GUI and as Server Core
  • Examine the four possible transition paths
  • Transition path 1: Substituting migration (new name + same IP)
  • Transition path 2: Substitution migration (new name + new IP)
  • Transition path 3: Replacement migration (same name + same IP)
  • Transition path 4: Consolidating migration (RODCs instead of RWDCs)

Read-Only Domain Controller (RODC)

  • Fields of application of a RODC
  • Password replication policy
  • Credentials caching
  • RODC filtered attribute set
  • Installation of an RODC (GUI + Windows PowerShell)
  • Assigning an RODC to Tier 1
  • Domain Join over RODC (djoin.exe)
  • RODC as DC reverse proxy (protection of RWDCs)

Active Directory and the Domain Name System (DNS)

  • Overview of the interaction between ADS and DNS
  • DNS namespace, DNS servers and DNS clients (resolvers)
  • Installing the DNS role via GUI and Windows PowerShell
  • Manage DNS zones
  • Replication of AD-integrated zones
  • Set up DNS aging in interaction with DHCP
  • Global Query Block List, Global Name Zones and Query Resolution Policies

Advanced Site Management

  • Replication architecture
  • Replication topology
  • Knowledge consistency checker (KCC)
  • nTDSDSA and invocationID
  • Urgent replication and immediate replication
  • Intra-Site Replication vs. Inter-Site Replication
  • Reduce replication latency intra-site and inter-site

LDAP-Query

  • Introduction to the LDAP protocol
  • ADSI / Search in ADS via TCP 389 / TCP 636
  • Searchflags / Systemflags / SchemaFlagsEx
  • List Object Mode (LOM)
  • Domain Controller LDAP-Query-Policy
  • Active Directory Web Services Config
  • Tracking LDAP-Searches on Domain Controllers
  • Hardening LDAP Channel Binding

Replication Internals

  • Replication Meta Data
  • nTDSDSA-GUID vs. InvocationID
  • Up-to-dateness vector and high-watermark
  • Replication conflicts
  • Linked Value Replication
  • SYSVOL Replication

Active Directory Forest Functional Level 2016

  • Moving the operation masters incl. operation master failure
  • Optimize the DNS servers
  • Replacing the last old domain controller
  • 2016 Domain Functional Level
  • 2016 Forest Functional Level
  • Set up and use the Privileged Access Management feature

Active Directory Backup and Restore

  • Requirements for the backup - installation of the role via GUI and Windows PowerShell
  • Backup types for Active Directory
  • Policies for securing Active Directory
  • Latency intervals for Active Directory backup (daily vs. 89 days)
  • Schedule, set up, and deploy scheduled tasks for Active Directory backup using Windows PowerShell
  • Backing up Active Directory
  • Restore Active Directory (BMR)
  • Restore Internals
  • Restore process if the backup is older than 60 days
  • Questions from the participants

Fast Lane works with Dutch trainers who combine didactic skills with extensive practical experience.
