Agency Over Active Directory

Table of Contents

• Introduction to Active Directory
• Understanding Active Directory Components
  • Domains
  • Organizational Units (OUs)
  • Trees and Forests
  • Domain Controllers
  • Global Catalog
  • FSMO Roles
• Active Directory Objects
  • Users
  • Groups
  • Computers
  • Contacts
• Active Directory Schema
• Group Policy Management
  • Understanding Group Policy Objects (GPOs)
  • Creating and Managing GPOs
  • Group Policy Inheritance and Precedence
  • Common Group Policy Settings
• Active Directory Sites and Replication
  • Configuring Sites and Subnets
  • Understanding Replication Topology
  • Monitoring and Troubleshooting Replication
• Active Directory Security and Delegation
  • Implementing Least Privilege
  • Delegating Administrative Control
  • Auditing and Monitoring
• Active Directory Backup and Recovery
  • Backup Strategies
  • Authoritative and Non-Authoritative Restores
  • Active Directory Recycle Bin
• Integrating Active Directory with Other Services
  • DNS Integration
  • Certificate Services
  • Federation Services
• Active Directory Management Tools
  • Active Directory Users and Computers
  • Active Directory Administrative Center
  • PowerShell for Active Directory
• Best Practices for Active Directory Administration
  • Naming Conventions
  • Password Policies
  • Regular Audits and Maintenance
• Troubleshooting Common Active Directory Issues
  • Authentication Problems
  • Replication Failures
  • Group Policy Errors
• Advanced Topics
  • Read-Only Domain Controllers (RODC)
  • Active Directory Federation Services (AD FS)
  • Active Directory Lightweight Directory Services (AD LDS)
• Glossary

---

Introduction to Active Directory

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It provides a centralized platform for network administration and security, allowing administrators to manage and secure network resources efficiently.

Key Features

• Centralized Resource Management: Manage users, computers, printers, and other resources from a single point.
• Authentication and Authorization: Provides secure authentication and authorization mechanisms.
• Scalability: Supports small to large enterprise environments.
• Group Policy Management: Enforce policies and configurations across the network.

---

Understanding Active Directory Components

Active Directory is composed of several key components that work together to provide directory services.

Domains

A domain is a logical grouping of objects (users, computers, devices) that share the same Active Directory database. Domains provide an administrative boundary for managing objects and security.

• Fully Qualified Domain Name (FQDN): Uniquely identifies a domain within the network, e.g., example.com.
• Domain Functional Levels: Determine the available Active Directory features based on the versions of Windows Server running on domain controllers.

Organizational Units (OUs)

Organizational Units are containers within a domain that organize objects into logical hierarchies. They help in:

• Delegating Administrative Control: Assign permissions to specific administrators or groups over certain OUs without granting them broader domain privileges.
• Applying Group Policies to Specific Subsets of Objects: Link Group Policy Objects (GPOs) to OUs to enforce settings on the contained objects.
• Organizing Objects Based on Departments, Locations, or Functions: Create a clear and manageable structure.

Example:

Suppose an organization has multiple departments such as HR, IT, and Sales. You can create OUs for each department:

• OU=HR
• OU=IT
• OU=Sales

Within each OU, you can further organize objects like users and computers.

Trees and Forests

• Tree: A collection of one or more domains that share a contiguous namespace.

  Example:

  • example.com
  • sales.example.com
  • hr.example.com

• Forest: The topmost logical container, consisting of multiple trees that share a common schema and global catalog.

  Example:

  • A forest containing example.com and example.net domains.

Domain Controllers

A Domain Controller (DC) is a server that responds to authentication requests and stores the Active Directory database.

• Responsibilities:
  • Authentication and authorization.
  • Replication of directory data.
• Best Practices:
  • Redundancy: Have at least two DCs per domain to ensure availability.
  • Security: Secure physical and network access to DCs.
  • Maintenance: Regularly back up DCs and monitor their health.

Global Catalog

The Global Catalog (GC) is a distributed data repository that contains a searchable, partial representation of every object in every domain within a forest.

• Functions:
  • Facilitates searches for objects across the entire forest.
  • Assists in user logon processes by providing universal group membership information.

• Example:

  When a user from sales.example.com wants to access a resource in hr.example.com, the GC helps locate the resource and verify permissions.

FSMO Roles

Flexible Single Master Operations (FSMO) roles are specialized domain controller tasks to prevent conflicts in the Active Directory.

• Types of FSMO Roles:

  Forest-wide Roles (one per forest):

  • Schema Master:
    • Controls updates and modifications to the schema.
    • Only one DC in the forest can hold this role.
    • Example: Extending the schema to support new applications.
  • Domain Naming Master:
    • Manages additions or removals of domains and application partitions.
    • Example: Adding a new domain to the forest.

  Domain-wide Roles (one per domain):

  • RID Master:
    • Allocates pools of unique Relative Identifiers (RIDs) to DCs.
    • Ensures unique SIDs for security principals.
    • Example: Creating new user or computer accounts.
  • PDC Emulator:
    • Acts as a primary domain controller for backward compatibility.
    • Handles password changes and time synchronization.
    • Example: Providing immediate account lockout information.
  • Infrastructure Master:
    • Updates group-to-user references when users are moved between domains.
    • Example: Reflecting changes when a user from another domain is added to a group.

• Best Practices:

  • Place the Schema Master and Domain Naming Master on the same DC.
  • The Infrastructure Master should not be on a Global Catalog server unless all DCs are GCs.

---

Active Directory Objects

Active Directory stores information about various objects, each representing a network resource.

Users

User objects represent individuals who need access to network resources.

• Attributes:
  • sAMAccountName: Pre-Windows 2000 logon name (e.g., jdoe).
  • User Principal Name (UPN): Logon name in email format (e.g., jdoe@example.com).
  • Password: Stored in hashed form.
  • Contact Information: Email, phone number, department.
• Management Tasks:
  • Creating User Accounts:
    • Use the Active Directory Users and Computers (ADUC) console.
    • Right-click the desired OU > New > User.
  • Modifying User Accounts:
    • Update attributes like phone numbers or job titles.
  • Disabling and Deleting User Accounts:
    • Disable accounts when users leave the organization.
  • Password Resets and Account Unlocks:
    • Assist users who have forgotten passwords or locked their accounts.

Example:

Creating a new user account for John Doe:

1. Open ADUC.
2. Navigate to OU=Sales.
3. Right-click Sales > New > User.
4. Enter first name, last name, and logon name (jdoe).
5. Set an initial password and configure password options.

Groups

Groups simplify administration by grouping users or other objects.

• Types of Groups:
  • Security Groups: Used for assigning permissions to resources.
  • Distribution Groups: Used for email distributions (not security-enabled).

• Group Scopes:

  • Domain Local:
    • Can include users, groups, and computers from any domain.
    • Used to assign permissions to resources within the same domain.
    • Example: Granting access to a printer in the domain.
  • Global:
    • Can include users, groups, and computers from the same domain.
    • Can be assigned permissions in any domain.
    • Example: A SalesTeam group containing all sales users.
  • Universal:
    • Can include users, groups, and computers from any domain in the forest.
    • Replicated to the Global Catalog.
    • Example: An AllEmployees group used for company-wide email distributions.
• Best Practices:
  • Use the AGDLP strategy:
    • Accounts (users) are members of Global groups.
    • Global groups are members of Domain Local groups.
    • Domain Local groups are assigned Permissions.

Computers

Computer objects represent devices joined to the domain.

• Attributes:
  • Computer Name: The name of the computer in the domain.
  • Operating System Version: Information about the OS.
• Management Tasks:
  • Joining Computers to the Domain:
    • On the computer, go to System Properties > Change Settings > Change > Domain.
    • Enter domain name and credentials with permission to join computers.
  • Managing Computer Accounts:
    • Reset computer accounts if trust relationship fails.
    • Move computers to appropriate OUs for policy application.

Example:

Resetting a computer account:

1. Open ADUC.
2. Locate the computer object.
3. Right-click > Reset Account.
4. Rejoin the computer to the domain if necessary.

Contacts

Contact objects store information about people or organizations but do not have logon capabilities.

• Use Cases:
  • Include external contacts in the Global Address List (GAL).
  • Store vendor or partner contact information.

---

Active Directory Schema

The schema defines the structure of the directory, detailing the types of objects and attributes that can be stored.

• Schema Components:
  • Classes: Definitions of objects (e.g., User, Computer, Group).
  • Attributes: Properties of objects (e.g., mail, telephoneNumber).
• Extending the Schema:
  • Necessary when installing applications that require additional object types or attributes.
  • Example: Exchange Server extends the schema to include mailbox attributes.
• Best Practices:
  • Caution: Schema changes affect the entire forest and are irreversible.
  • Testing: Perform schema extensions in a test environment first.
  • Documentation: Keep records of schema changes.

---

Group Policy Management

Group Policy allows administrators to define configurations for both users and computers within the Active Directory environment.

Understanding Group Policy Objects (GPOs)

A Group Policy Object is a collection of policy settings.

• GPO Storage:
  • Stored in two parts:
    • Group Policy Container (GPC) in AD (holds metadata).
    • Group Policy Template (GPT) in SYSVOL (holds policy settings).
• GPO Linking:
  • GPOs are linked to Sites, Domains, or OUs.
  • Multiple GPOs can be linked to a single container, and a single GPO can be linked to multiple containers.

Creating and Managing GPOs

• Creating a GPO:

  1. Open the Group Policy Management Console (GPMC).
  2. Navigate to the desired domain or OU.
  3. Right-click > Create a GPO in this domain, and Link it here….
  4. Name the GPO appropriately (e.g., “Disable Control Panel Access”).

• Editing a GPO:

  • Right-click the GPO > Edit.
  • In the Group Policy Management Editor, navigate to the policy setting.
    • Example: To disable the Control Panel:
      • Go to User Configuration > Policies > Administrative Templates > Control Panel.
      • Enable Prohibit access to Control Panel and PC settings.

• Filtering GPOs:

  • Security Filtering:
    • By default, GPOs apply to authenticated users.
    • Modify the security filtering to apply the GPO only to specific users or groups.
  • WMI Filtering:
    • Apply GPOs based on attributes of the target computers (e.g., operating system version).

Group Policy Inheritance and Precedence

• Inheritance:
  • GPOs linked to parent containers are inherited by child containers.
  • Settings can be overridden by GPOs linked directly to child containers.
• Precedence:
  • Order of application:
    1. Local Group Policy (on the computer).
    2. Site-linked GPOs.
    3. Domain-linked GPOs.
    4. OU-linked GPOs (from highest to lowest OU in the hierarchy).

• Blocking Inheritance and Enforcing GPOs:

  • Block Inheritance:
    • Right-click on the OU > Block Inheritance.
    • Prevents higher-level GPOs from applying to this OU.
  • Enforce:
    • Right-click on the GPO link > Enforce.
    • Ensures the GPO takes precedence, even over blocked inheritance.

Example:

A company wants to enforce a security policy across all computers but allows the IT department to have exceptions.

• Link the security GPO at the domain level.
• For the IT OU, block inheritance or create a separate GPO with higher precedence.

Common Group Policy Settings

• Password Policies:

  • Enforce password complexity, length, and expiration.
  • Location: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

• Account Lockout Policies:

  • Define lockout thresholds and durations.
  • Location: Same as password policies, under Account Lockout Policy.

• Software Deployment:

  • Assign or publish applications to users or computers.
  • Location: Computer Configuration or User Configuration > Policies > Software Settings > Software Installation.

• Security Settings:

  • Configure firewall settings, user rights, and security options.
  • Location: Computer Configuration > Policies > Windows Settings > Security Settings.

• Folder Redirection:

  • Redirect user folders (e.g., Documents) to network locations.
  • Location: User Configuration > Policies > Windows Settings > Folder Redirection.

• Scripts:

  • Assign startup, shutdown, logon, and logoff scripts.
  • Location: Computer Configuration or User Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).

---

Active Directory Sites and Replication

Active Directory uses sites to represent the physical topology of the network.

Configuring Sites and Subnets

• Sites:

  • Represent physical locations with reliable, high-speed connectivity.
  • Default site is Default-First-Site-Name.
  • Use the Active Directory Sites and Services console to manage sites.

• Subnets:

  • Associate IP address ranges with sites.
  • Helps AD clients locate the nearest domain controller.

Example:

An organization has offices in New York and Los Angeles.

• Create Sites:
  • Site-NewYork
  • Site-LosAngeles
• Create Subnets:
  • 192.168.1.0/24 associated with Site-NewYork.
  • 10.0.0.0/24 associated with Site-LosAngeles.

Understanding Replication Topology

Intra-site Replication

• Occurs within a site.
• Replication is frequent (every 15 seconds by default).
• Not compressed, assuming reliable connections.

Inter-site Replication

• Occurs between sites.
• Replication is scheduled (every 180 minutes by default).
• Data is compressed to optimize bandwidth.
• Uses Site Links to define replication paths.

Configuring Site Links

1. In Active Directory Sites and Services, expand Inter-Site Transports.
2. Under IP, create a new site link.
3. Add the sites to the link and configure replication frequency.

---

Monitoring and Troubleshooting Replication

Tools

• Repadmin: Command-line tool for diagnosing and troubleshooting replication.

Examples

• View replication partners:

  repadmin /showrepl
  

• Force replication:

  repadmin /syncall
  

• Active Directory Replication Status Tool: GUI tool for monitoring replication status.

Common Issues

• Network Connectivity Problems:
  • Use ping or tracert to test connectivity.
• DNS Misconfigurations:
  • Ensure DCs are correctly registered in DNS.
  • Verify SRV records exist.

Resolution Steps

• Check event logs for replication errors.
• Use dcdiag to diagnose domain controller health.
• Verify time synchronization between DCs.

---

Active Directory Security and Delegation

Implementing security measures and delegating administrative tasks are crucial for efficient management.

Implementing Least Privilege

Principle:

• Users and administrators should have the minimum level of access required to perform their jobs.

Strategies:

• Use Role-Based Access Control (RBAC):
  • Define roles with specific permissions.
  • Assign users to roles based on their job functions.
• Separate Administrative Accounts:
  • Administrators should have separate accounts for administrative tasks and standard user tasks.
• Limit Membership in Privileged Groups:
  • Restrict membership in groups like Domain Admins, Enterprise Admins.

Example:

• Create a group called HelpDeskAdmins with permissions to reset passwords and unlock accounts.
• Delegate these permissions at the OU level where user accounts reside.

Delegating Administrative Control

Delegation of Control Wizard:

• Used to grant permissions to users or groups on OUs.
• Simplifies the process of assigning specific administrative tasks.

Steps to Delegate Control:

1. Open Active Directory Users and Computers.
2. Right-click the OU where you want to delegate control > Delegate Control.
3. Follow the wizard:
   • Select the user or group.
   • Choose the tasks to delegate (e.g., create, delete, and manage user accounts).

Best Practices:

• Granular Permissions:
  • Only delegate necessary permissions.
• Documentation:
  • Keep records of delegated permissions for auditing.
• Use Groups:
  • Delegate permissions to groups rather than individual users for easier management.

Auditing and Monitoring

Enable Auditing:

• Configure auditing policies via Group Policy.

Steps:

1. Open Group Policy Management Editor.
2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
3. Enable relevant audit policies (e.g., Account Logon, Account Management).

Monitor Logs:

• Use Event Viewer to review security logs.
• Look for unusual activities like multiple failed logon attempts.

Implement Security Information and Event Management (SIEM):

• Tools like Microsoft Sentinel or third-party solutions can aggregate logs and provide advanced monitoring.

---

Active Directory Backup and Recovery

Protecting directory data is essential for business continuity.

Backup Strategies

System State Backup:

• Includes Active Directory database, SYSVOL, registry, and other critical system components.

Using Windows Server Backup:

1. Install the Windows Server Backup feature.
2. Open Windows Server Backup.
3. Select Backup Once or Backup Schedule.
4. Choose Custom and select System State.

Third-Party Tools:

• Tools like Veritas NetBackup, Veeam Backup & Replication offer advanced features.

Best Practices:

• Regular Backups:
  • Schedule daily backups to minimize data loss.
• Offsite Storage:
  • Store backups in a secure, offsite location.
• Test Restores:
  • Periodically test backups to ensure they are recoverable.

Authoritative and Non-Authoritative Restores

Non-Authoritative Restore:

• Restores the DC to its state at the time of backup.
• After restoration, the DC receives updates from other DCs.
• Use Case: Recovering from data corruption or hardware failure.

Authoritative Restore:

• Marks restored data as authoritative.
• Replicates restored data to other DCs.
• Use Case: Recovering accidentally deleted objects.

Performing an Authoritative Restore:

1. Reboot the DC into Directory Services Restore Mode (DSRM).
2. Use Windows Server Backup to perform a System State Restore.
3. After the restore, use ntdsutil to mark objects as authoritative.

Example:

ntdsutil
authoritative restore
restore object "CN=John Doe,OU=Sales,DC=example,DC=com"

Active Directory Recycle Bin

Function:

• Allows restoration of deleted objects without rebooting or restoring from backup.
• Retains all object attributes.

Requirements:

• Forest functional level must be Windows Server 2008 R2 or higher.

Enabling the Recycle Bin:

• Using Active Directory Administrative Center (ADAC):

  1. Open ADAC.
  2. Click on your domain name.
  3. In the Tasks pane, select Enable Recycle Bin.

• Using PowerShell:

  Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "example.com"
  

Restoring Deleted Objects:

1. In ADAC, navigate to Deleted Objects.
2. Right-click the object > Restore or Restore To.

---

Integrating Active Directory with Other Services

Active Directory works closely with several other services to provide a comprehensive network environment.

DNS Integration

Importance:

• Active Directory relies heavily on DNS for domain controller location and service discovery.
• Uses SRV records to locate services like LDAP and Kerberos.

Best Practices:

• AD-Integrated DNS Zones:
  • Store DNS zones in AD for replication and security.
• Ensure Proper DNS Records:
  • Verify that SRV records are correctly registered.
  • Use nslookup or dnscmd to troubleshoot DNS issues.

Example:

• When a client wants to authenticate, it queries DNS for _ldap._tcp.dc._msdcs.example.com to find a domain controller.

Certificate Services

Active Directory Certificate Services (AD CS) provides a framework for creating and managing public key infrastructure (PKI) within an organization. It allows you to issue, manage, and revoke digital certificates that can be used for secure email communication, network authentication, data encryption, and more.

Key Components of AD CS

• Certification Authorities (CA):
  • Root CA: The top-level CA in a PKI hierarchy. It signs its own certificate and is the trust anchor for all certificates issued within the PKI.
  • Subordinate CA: Also known as Intermediate CAs, they are certified by the Root CA and can issue certificates to end entities or other subordinate CAs.
• Certificate Templates:
  • Predefined settings that determine the format and content of certificates issued by the CA.
  • Templates can be customized to meet specific organizational requirements.

Implementing AD CS

1. Planning the PKI Hierarchy:
   • Decide on a single-tier or multi-tier CA hierarchy.
   • For enhanced security, consider using an offline Root CA and online Subordinate CAs.
2. Installing AD CS Role:
   • Open Server Manager > Add Roles and Features.
   • Select Active Directory Certificate Services.
3. Configuring the CA:
   • Specify the CA type (Root or Subordinate).
   • Define the private key settings and certificate validity period.
4. Customizing Certificate Templates:
   • Open Certification Authority console.
   • Navigate to Certificate Templates.
   • Duplicate an existing template and modify settings as needed.

Best Practices

• Security of CA Servers:
  • Protect private keys using Hardware Security Modules (HSMs).
  • Limit physical and network access to CA servers.
  • Keep Root CA offline when not issuing certificates.
• Regular Backups:
  • Backup the CA database and private keys regularly.
  • Store backups in a secure, offsite location.
• Certificate Revocation Lists (CRLs):
  • Publish CRLs regularly to allow clients to verify certificate validity.
  • Ensure CRL distribution points are accessible.

Example: Issuing Certificates for Web Servers

1. Create a Certificate Template for Web Servers:
   • Duplicate the Web Server template.
   • Configure settings such as key length, validity period, and enrollment permissions.
2. Enroll for a Certificate:
   • On the web server, use the Certificates MMC Snap-in.
   • Request a new certificate based on the custom template.
3. Bind the Certificate to IIS:
   • Open Internet Information Services (IIS) Manager.
   • Navigate to the website > Bindings.
   • Add an HTTPS binding and select the installed certificate.

Federation Services

Active Directory Federation Services (AD FS) enables organizations to provide users with Single Sign-On (SSO) access to systems and applications located across organizational boundaries. It uses claims-based authentication to allow trusted partners to access resources without the need for multiple credentials.

Key Concepts

• Claims-Based Authentication:
  • Users are authenticated based on a set of claims (attributes) about their identity.
• Relying Party:
  • An application or system that trusts and accepts tokens issued by the federation service.
• Federation Trust:
  • A trust relationship established between two organizations or between an organization and a cloud service.

Implementing AD FS

1. Install AD FS Role:
   • Open Server Manager > Add Roles and Features.
   • Select Active Directory Federation Services.
2. Configure AD FS:
   • Use the AD FS Configuration Wizard.
   • Create a new federation service and specify the Federation Service name (e.g., fs.example.com).
3. Set Up SSL Certificates:
   • Obtain an SSL certificate for secure communication.
   • Install the certificate on the AD FS server.
4. Add Relying Party Trusts:
   • In the AD FS Management console, add new relying party trusts for applications that will use AD FS.
5. Configure Claim Rules:
   • Define rules that specify which claims are sent to the relying party.

Example: Integrating AD FS with Office 365

1. Establish Federation with Office 365:
   • Use Azure AD Connect to synchronize on-premises AD with Azure AD.
   • Configure federation settings during setup.
2. User Experience:
   • Users log in to Office 365 using their on-premises AD credentials.
   • AD FS provides SSO capabilities.

Best Practices

• High Availability:
  • Deploy multiple AD FS servers behind a load balancer.
  • Use Web Application Proxy servers for external access.
• Security:
  • Keep AD FS servers updated.
  • Monitor for unusual authentication activities.

---

Active Directory Management Tools

Efficient management of Active Directory is facilitated by a variety of tools provided by Microsoft.

Active Directory Users and Computers (ADUC)

• Functionality:
  • Manage users, groups, computers, and OUs.
  • Modify object properties and permissions.
• Features:
  • Find Objects: Search for objects using various criteria.
  • Advanced Features: Enable advanced features to view additional object attributes.
• Example Tasks:
  • Reset a user’s password.
  • Move a computer object to a different OU.

Active Directory Administrative Center (ADAC)

• Functionality:
  • Enhanced GUI for managing AD DS.
  • Provides a modern interface with advanced capabilities.
• Features:
  • Recycle Bin Management: Restore deleted objects.
  • Fine-Grained Password Policies: Create and manage password policies for specific users or groups.
  • PowerShell History Viewer: See the PowerShell commands associated with actions performed in the GUI.
• Example Tasks:
  • Enable the Active Directory Recycle Bin.
  • Create Dynamic Access Control policies.

PowerShell for Active Directory

• Benefits:
  • Automate repetitive tasks.
  • Manage large numbers of objects efficiently.
  • Perform complex queries and modifications.
• Common Cmdlets:
  • User Management:
    • New-ADUser - Create a new user.
    • Get-ADUser - Retrieve user information.
    • Set-ADUser - Modify user properties.
  • Group Management:
    • New-ADGroup - Create a new group.
    • Add-ADGroupMember - Add members to a group.
  • Computer Management:
    • Get-ADComputer - Retrieve computer information.
  • Group Policy:
    • Get-GPO - Retrieve GPO information.
    • Backup-GPO - Backup a GPO.

• Example: Bulk User Creation

  Import-Csv "C:\NewUsers.csv" | ForEach-Object {
      New-ADUser -Name $_.Name -GivenName $_.FirstName -Surname $_.LastName `
      -SamAccountName $_.Username -UserPrincipalName $_.Username@example.com `
      -Path "OU=Sales,DC=example,DC=com" -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) `
      -Enabled $true
  }
  

  • This script reads user information from a CSV file and creates new user accounts.

---

Best Practices for Active Directory Administration

Following best practices ensures a secure, efficient, and reliable Active Directory environment.

Naming Conventions

• Consistency:
  • Use a standardized format for naming objects.
  • Simplifies management and reduces errors.
• Examples:
  • User Accounts: firstname.lastname (e.g., john.doe)
  • Computer Names: LOC-DEP-NUM (e.g., NYC-SALES-001)
  • Group Names: Prefix with purpose (e.g., GRP-SalesTeam)

Password Policies

• Enforce Strong Passwords:
  • Minimum length (e.g., 12 characters)
  • Complexity requirements (uppercase, lowercase, numbers, symbols)
• Account Lockout Policies:
  • Lockout threshold (e.g., 5 failed attempts)
  • Lockout duration (e.g., 30 minutes)
• Fine-Grained Password Policies:
  • Apply different policies to different users or groups as needed.

Regular Audits and Maintenance

• Audit Permissions:
  • Review user and group permissions periodically.
  • Ensure the principle of least privilege is maintained.
• Cleanup Obsolete Objects:
  • Remove inactive user and computer accounts.
  • Use scripts or tools to identify stale objects.
• Monitor Domain Controllers:
  • Check replication health.
  • Monitor performance counters.
• Documentation:
  • Keep records of changes, configurations, and procedures.

---

Troubleshooting Common Active Directory Issues

Effective troubleshooting is essential for maintaining the health and functionality of Active Directory.

Authentication Problems

Symptoms:

• Users cannot log on.
• Access to resources is denied.
• Error messages related to credentials.

Possible Causes:

• Incorrect passwords.
• Account lockouts.
• Kerberos issues.
• Time synchronization problems.

Resolution Steps:

1. Verify Account Status:
   • Check if the account is disabled or locked out.
   • Reset passwords if necessary.
2. Check Time Synchronization:
   • Ensure client and server clocks are within 5 minutes of each other.
   • Use the w32tm /query /status command.
3. Review Event Logs:
   • Look for authentication errors in the Security and System logs.
4. Test DNS Resolution:
   • Ensure the client can resolve the domain controller’s name.

Replication Failures

Symptoms:

• Inconsistent directory data across domain controllers.
• Errors in replication monitoring tools.

Possible Causes:

• Network connectivity issues.
• DNS misconfigurations.
• Firewall blocking replication ports.
• USN rollback or lingering objects.

Resolution Steps:

1. Run Replication Diagnostics:
   • Use repadmin /replsummary to identify failures.
2. Check Network Connectivity:
   • Ping between domain controllers.
   • Verify firewall settings.
3. Verify DNS Configuration:
   • Ensure correct DNS servers are specified.
   • Check for duplicate or missing SRV records.
4. Use DCDiag Tool:
   • Run dcdiag /v for a detailed health check.

Group Policy Errors

Symptoms:

• Group policies are not applying.
• Slow logon times.
• Error messages during policy processing.

Possible Causes:

• GPO corruption.
• Incorrect permissions.
• Replication issues affecting SYSVOL.
• WMI filter errors.

Resolution Steps:

1. Run GPResult:
   • On the affected client, run gpresult /h gpresult.html to generate a report.
   • Identify which policies are applying or failing.
2. Check Event Logs:
   • Review Application and System logs for Group Policy errors.
3. Verify Permissions:
   • Ensure the computer and user have read and apply permissions on the GPO.
4. Test Access to SYSVOL:
   • Confirm that the client can access the \\domain\SYSVOL share.
5. Check WMI Filters:
   • Validate that WMI filters are correct and applicable to the client.

---

Advanced Topics

Read-Only Domain Controllers (RODC)

Purpose:

• Provide domain controller functionality in locations where physical security cannot be guaranteed.
• Enhance security by preventing changes from being written back to the directory.

Features:

• Read-Only Active Directory Database:
  • Does not allow changes to be made locally.
• Credential Caching Control:
  • Specify which user credentials can be cached on the RODC.
• Administrative Role Separation:
  • Delegate local administrative rights without granting domain privileges.

Deployment Steps:

1. Prepare the Forest:
   • Run adprep /rodcprep if necessary.
2. Install RODC Role:
   • Use Server Manager or PowerShell to add the role.
3. Configure Password Replication Policy (PRP):
   • Determine which accounts’ passwords can be cached.

Active Directory Federation Services (AD FS)

Purpose:

• Extend the ability to use single sign-on to applications outside of the organization.

Use Cases:

• Partner organizations requiring access to internal resources.
• Integrating with cloud services like Office 365 or third-party applications.

Key Features:

• Claims-Based Access Control:
  • Define access policies based on user attributes.
• Multi-Factor Authentication:
  • Enhance security by requiring additional authentication methods.
• OAuth and OpenID Connect Support:
  • Enable modern authentication protocols.

Active Directory Lightweight Directory Services (AD LDS)

Purpose:

• Provides directory services without the need for a full Active Directory domain.

Features:

• Lightweight Directory:
  • Suitable for applications requiring directory storage without domain services.
• Multiple Instances:
  • Run multiple directory instances on a single server.

Use Cases:

• Storing application-specific data.
• Providing directory services in DMZ networks.

Deployment Steps:

1. Install AD LDS Role:
   • Use Server Manager or PowerShell.
2. Create an AD LDS Instance:
   • Configure instance-specific settings.
3. Import Schema Extensions:
   • Modify the schema to support application requirements.

---

Glossary

• Active Directory (AD): A Microsoft directory service for Windows domain networks.
• AD CS: Active Directory Certificate Services; provides PKI services.
• AD FS: Active Directory Federation Services; enables SSO across boundaries.
• AD LDS: Active Directory Lightweight Directory Services; a lightweight directory service.
• AGDLP: A best practice for nesting groups (Accounts > Global > Domain Local > Permissions).
• Attribute: A property or characteristic of an Active Directory object.
• Certificate Authority (CA): An entity that issues digital certificates.
• Domain Controller (DC): A server that responds to authentication requests.
• Federation Trust: A relationship that allows organizations to share resources.
• Flexible Single Master Operations (FSMO): Specialized domain controller roles.
• Global Catalog (GC): A distributed data repository with information about every object.
• Group Policy Object (GPO): A set of policy configurations.
• Kerberos: The default authentication protocol in AD environments.
• Organizational Unit (OU): A container for organizing objects.
• Public Key Infrastructure (PKI): A framework for managing digital certificates.
• Replication: The process of synchronizing data across DCs.
• Schema: Defines the objects and attributes in Active Directory.
• Security Identifier (SID): A unique value used to identify a security principal.
• Single Sign-On (SSO): Allows users to access multiple systems with one set of credentials.