WS-011 Windows

Server 2019/2022
Administration
Module 02: Identity services
in Windows Server
Module overview

This module describes how to implement identity services in a Windows Server 2019 environment
 Lessons:
o Overview of AD DS
o Deploying Windows Server domain controllers
o Overview of Azure AD

o Implementing Group Policy

o Overview of AD CS
Lesson 1: Overview of AD DS
Lesson 1 overview

This lesson describes the core logical components and physical components that make up an AD DS
deployment
 Topics:
o What is AD DS?
o AD DS objects
o AD DS forests and domains
o OUs

o AD DS schema
o Overview of AD DS replication
o AD DS sign-in process

o Overview of AD DS administration tools

o Demonstration: Use tools to manage objects and properties in AD DS
What is AD DS?

AD DS is composed of both logical and physical components

Logical components Physical components

• Partitions • Domain controllers

• Schema • Data stores
• Domains • Global catalog servers
• Domain trees • RODCs
• Forests
• Sites
• OUs
• Containers
AD DS objects

 User objects
 Group objects
o Group types: Security and distribution
o Group scopes: Local, Domain-local, Global, and Universal
 Computer objects
AD DS forests and domains

 A forest: Types of trust:

o Is a security boundary
 Parent and child
o Is a replication boundary
 Tree-root
 A domain:
 External
o Is a replication boundary
 Realm
o Is an administrative center
 Forest
o Provides:
 Shortcut
• Authentication
• Authorization
 Trust relationships:
o Provide access to resources in a complex
AD DS environment
OUs

 Use containers to group objects within a domain:

o You cannot apply GPOs to containers
o Containers are used for system objects and as the default location for new objects
 Create OUs to:
o Configure objects by assigning GPOs to them

o Delegate administrative permissions

AD DS schema
Overview of AD DS replication

 Within an AD DS infrastructure, standard Characteristics of AD DS replication include:

domain controllers replicate Active Directory
information by using a multimaster replication  Multimaster
model  Pull-based
 Active Directory data is separated logically into  Store and forward
several partitions:  Data store partitioning
o Configuration partition  Automatic generation of an efficient and robust
o Schema partition replication topology
o Domain partition  Attribute-level replication
o Application partition  Distinct control of intersite replication
 Collision detection and management
AD DS sign-in process

1. The user account is authenticated to the domain controller

2. The domain controller returns a TGT back to client
3. The client uses the TGT to apply for access to the workstation
4. The domain controller grants access to the workstation
5. The client uses the TGT to apply for access to the server
6. The domain controller returns access to the server
Overview of AD DS administration tools
Demonstration: Use
tools to manage
objects and
properties in AD DS
 Navigate within the Active Directory
Administrative Center
 Perform an administrative task within the
Active Directory Administrative Center
 Create objects
 View all object attributes
 Use the Windows PowerShell History viewer
Lesson 2: Deploying Windows
Server domain controllers
Lesson 2 overview

This lesson describes the purpose and functionalities of using domain controllers in a Windows Server
environment
 Topics:
o What is a DC?
o What is the global catalog?
o What are operations masters?
o Install a DC

o Upgrade from a previous version of AD DS

o DC cloning
o Overview of DC SRV records
o Demonstration: Explore DC SRV records in DNS
o Transfer and seize roles
o Deploy a DC in Azure IaaS
What is a DC?

Domain controllers:
 Are servers that host the AD DS database (Ntds.dit) and SYSVOL
 Host the Kerberos authentication service and KDC services to perform authentication
 Have best practices for:
o Availability:
• Use at least two domain controllers in a domain
o Security:
• Use an RODC or BitLocker
What is the global catalog?

 The global catalog:

o Hosts a partial attribute set for other domains in the forest
o Supports queries for objects throughout the forest
 In a single domain, you should configure all the domain controllers to hold a copy of the global
catalog
 In a multiple-domain environment, the infrastructure master should not be a global catalog server
unless all the domain controllers in the domain are also global catalog servers
 When you have multiple sites, you should also make at least one domain controller at each site a
global catalog server
What are operations masters?

 In the multimaster replication model, some operations must be single master operations
 Many terms are used for single master operations in AD DS, including:
o Operations master (or operations master role)
o Single master role
o FSMO

The five FSMOs

Forest: Domain:
• Domain naming master • RID master
• Schema master • Infrastructure master
• PDC emulator master
Install a DC

 Install a domain controller from

Server Manager
 Install a domain controller on a
Server Core installation of Windows
Server
 Install a domain controller by
installing from media
Upgrade from a previous version of AD DS

You have two options for upgrading AD DS to Windows Server 2019:

 Perform an in-place upgrade from Windows Server 2012 R2 or later to Windows Server 2019:
o Benefit. Except for the prerequisite checks, all the files and programs stay in place, and no
additional work is required
o Risk. It might leave obsolete files and dynamic-link libraries
 Introduce a new server running Windows Server 2019 into the domain, and then promote it to be a
domain controller (this option is usually preferred):
o Benefit. The new server has no obsolete files and settings
o Risk. It might require additional work to migrate administrators’ files and settings
DC cloning

 You might clone domain controllers for:

o Rapid deployment
o Private clouds
o Recovery strategies
 To clone a source domain controller:
o Add the domain controller to the Cloneable Domain Controllers group
o Verify app and service compatibility
o Create a DCCloneConfig.xml file

o Export it once, and then create as many clones as needed

o Start the clones
Overview of DC SRV records
Demonstration:
Explore DC SRV
records in DNS
 Use DNS Manager to view SRV records
Transfer and seize roles

 Transferring is:
o Planned
o Performed using the latest data
o Achieved through snap-ins, Windows PowerShell, or ntdsutil.exe
 Seizing is:
o Unplanned and a last resort
o Performed with incomplete or out-of-date data
o Accomplished through Windows PowerShell or ntdsutil.exe
Deploy a DC in Azure IaaS

 Scenarios in which you might deploy AD DS on an Azure virtual machine include:

o Disaster recovery
o Geo-distributed domain controllers
o User authentication for isolated applications
 Considerations during deployment include:
o Network topology
o Site topology
o Service healing

o IP addressing
o DNS
o Hard disk read/write caching
Lesson 3: Overview of Azure AD
Lesson 3 overview

This lesson describes how you can use Azure AD to provide authentication and authorization for cloud-
based services and apps
 Topics:
o What is Azure AD?
o Azure AD versions
o Connect AD DS with Azure AD by using Azure AD Connect
o Benefits of integrating Azure AD with AD DS
What is Azure AD?
Azure AD versions

 Free
 Office 365 Apps
 Premium P1
 Premium P2
Connect AD DS with Azure AD by using Azure AD Connect
Benefits of integrating Azure AD with AD DS

 Azure Information Protection

 Self-service password reset
 Endpoint co-management
 Manage apps
Lesson 4: Implementing Group Policy
Lesson 4 overview

 This lesson describes how to manage a Windows Server environment by using the Group Policy
infrastructure
 Topics:
• What are GPOs?
• Overview of GPO scope and inheritance
• What are domain-based GPOs?
• Default domain GPOs
• Demonstration: Create and configure a domain-based GPO
• Overview of GPO storage
• What are Starter GPOs?
• What are administrative templates?
• Overview of the Central Store
What are GPOs?

 Group Policy is a powerful administrative tool

 You can use it to enforce various types of settings to a large number of users and computers
 Typically, you use GPOs to:
o Apply security settings
o Manage desktop application settings
o Deploy application software
o Manage Folder Redirection
o Configure network settings
Overview of GPO scope and inheritance

You can scope GPOs by using: GPOs are processed on a client computer in the
 GPO links following order:
 Security filters 1. Local GPOs
 WMI filters
2. Site-level GPOs

3. Domain-level GPOs

4. OU GPOs, including any nested (child) OUs

What are domain-based GPOs?
Default domain GPOs

A domain has two default GPOs:

 Default Domain Policy
 Default Domain Controllers Policy
Demonstration:
Create and
configure a
domain-based GPO
• Manage objects in AD DS
• Create and edit a GPO
• Link the GPO
• View the effects of the GPOs settings
• Create and link the required GPOs
• Verify the order of precedence
• Configure the scope of a GPO with security
filtering
• Verify the application of settings
Overview of GPO storage

 Group Policy settings are presented as GPOs in AD DS user interface tools, but a GPO is actually two
components:
o The Group Policy container
o The Group Policy template

 The Group Policy container and the Group Policy template both replicate between all domain
controllers in AD DS. However, these two items use different replication mechanisms:
o The Group Policy container in AD DS replicates by the Directory Replication Agent
o The Group Policy template in the SYSVOL replicates by using the Distributed File System
Replication
What are Starter GPOs?

A Starter GPO:
 Stores administrative template settings on which new GPOs will be based
 Can be exported to .cab files
 Can be imported into other areas of an organization
What are administrative templates?
Overview of the Central Store

The Central Store:

 Is a central repository for .admx and .adml files
 Is stored in SYSVOL
 Must be created manually
 Is detected automatically by Windows Vista, Windows Server 2008, and newer operating systems
Lesson 5: Overview of AD CS
Lesson 5 overview

This lesson describes how to deploy and manage CAs to manage, distribute, and validate digital
certificates
 Topics:
o What is AD CS?
o Options for implementing CA hierarchies
o Standalone vs. enterprise CAs
o Demonstration: Manage CAs

o What are certificate templates?

o What are CRLs and CRL distribution lists?
o Configure trust for certificates
o Demonstration: Enroll for a certificate
What is AD CS?

 Allows you to implement a PKI for your organization:

o Issue and manage certificates
 AD CS role services in Windows Server:
o Certification Authority
o Certification Authority Web Enrollment
o Online Responder
o Network Device Enrollment Service
o Certificate Enrollment Web Service

o Certificate Enrollment Policy Web Service

Options for implementing CA hierarchies

 Typically, CA hierarchies have two levels:

o A root CA at the top level
o A subordinate issuing CA on the second level
 In general, CA hierarchies fall into one of following categories:
o CA hierarchies with a policy CA
o CA hierarchies with cross-certification trust
o CAs with a two-tier hierarchy
Standalone vs. enterprise CAs
Standalone CAs Enterprise CAs
Must be used if any CA (root/intermediate/policy) Requires the use of AD DS and stores
is offline because a standalone CA is not joined to information in AD DS
an AD DS domain
Must be used if any CA (root/intermediate/policy) Can use Group Policy to propagate certificates to
is offline because a standalone CA is not joined to the trusted root CA certificate store
an AD DS domain

Users must provide identifying information and Publishes user certificates and CRLs to AD DS
specify the type of certificate

Does not support certificate templates Issues certificates based on a certificate template

All certificate requests are kept pending until Supports autoenrollment for issuing certificates
administrator approval
Demonstration:
Manage CAs
• Create a new template based on the Web
Server template
• Configure templates so that they can be
issued
What are certificate templates?

A certificate template defines:

 The format and contents of a certificate
 The process for creating and submitting a valid certificate request
 The security principals that are allowed to read, enroll, or use autoenrollment for a certificate that will
be based on the template
 The permissions that are required to modify a certificate template
What are CRLs and CRL distribution lists?

The following are the steps in the certificate revocation lifecycle:

1. A certificate is revoked
2. A CRL is published
3. A client computer verifies certificate validity and revocation
Configure trust for certificates

 When using certificates for different purposes, it is important to consider who (or rather what) might
be expected to assess the digital certificate as a form of proof of identity
 Generally, there are three types of certificate that you can use:
o Internal certificates from a private CA such as a server installed with the AD CS role
o External certificates from a public CA such as an organization on the internet
o A self-signed certificate
• You can create a self-signed certificate by using the New-SelfSignedCertificate cmdlet
Instructor-led labs:
Implementing
identity services
and Group Policy
 Deploying a new domain controller on Server
Core
 Configuring Group Policy
 Deploying and using certificate services
Module-review questions

1. What are the two reasons to create organizational units (OUs) in a domain?
2. If the domain controller that holds the primary domain controller (PDC) Emulator operations master
role is going to be offline for an extended period, what should you do?
3. True or false? Azure AD is hierarchical.
4. If you have a new version of Microsoft Office to deploy in your on-premises environment, and you want
to configure settings with Group Policy Objects (GPOs), what would you do?
5. What is a certificate template?
Module-review answers (slide 1 of 2)

1. What are the two reasons to create organizational units (OUs) in a domain?
 The first reason is because you want to group users and computers, perhaps by geography or
department. The second reason is that you might then want to delegate administration on the OU or
configure the objects in an OU by using Group Policy Objects (GPOs)
2. If the domain controller that holds the primary domain controller (PDC) Emulator operations master role
is going to be offline for an extended period, what should you do?
 You should transfer the operations master role to another server in the same domain ahead of the
planned outage
3. True or false? Azure AD is hierarchical.
 False. Azure AD has a flat structure.
Module-review answers (slide 2 of 2)

4. If you have a new version of Microsoft Office to deploy in your on-premises environment, and you want
to configure settings with Group Policy Objects (GPOs), what would you do?
 You could download and install the latest .admx files for Office. If you install these into the Central
Store, you could configure the new Office settings in one location
5. What is a certificate template?
 Certificate templates define how you can request or use a certificate, such as for file encryption or
email signing
Thank you