Title Page
Copyright and Credits
Active Directory Administration Cookbook
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Sections
Getting ready
How to do it...
How it works...
There's more...
See also
Get in touch
Reviews
Optimizing Forests, Domains, and Trusts
Choosing between a new domain or forest
Why would you have a new domain?
What are the downsides of a new domain?
Why would you create a new forest?
What are the downsides of a new forest?
Listing the domains in your forest
Getting ready
Installing the Active Directory module for Windows PowerShell on Windows Server
Installing the Active Directory module for Windows PowerShell on Windows
Required permissions
How to do it...
How it works...
Using adprep.exe to prepare for new Active Directory functionality
Getting ready
Required permissions
How to do it...
Preparing the forest
Preparing the forest for RODCs
Preparing the domain
Fixing up Group Policy permissions
Checking the preparation replication
How it works...
There's more...
Raising the domain functional level to Windows Server 2016
Getting ready
Required permissions
How to do it...
How it works...
Raising the forest functional level to Windows Server 2016
Getting ready
Required permissions
How to do it...
How it works...
Creating the right trust
Trust direction
Trust transitivity
One-way or two-way trust
Getting ready
Required permissions
How to do it...
Verifying and resetting a trust
Getting ready
Required permissions
How to do it...
How it works...
Securing a trust
Getting ready
Required permissions
How to do it...
How it works...
There's more...
Extending the schema
Getting ready
Required permissions
How to do it...
There's more...
Enabling the Active Directory Recycle Bin
Getting ready
Required permissions
How to do it...
How it works...
Managing UPN suffixes
Getting ready
How to do it...
How it works...
There's more...
Managing Domain Controllers
Preparing a Windows Server to become a domain controller
Intending to do the right thing
Dimensioning the servers properly
Preparing the Windows Server installations
Preconfigure the Windows Servers
Document the passwords
Promoting a server to a domain controller
Getting ready
How to do it...
Promoting a domain controller using the wizard
Installing the Active Directory Domain Services role
Promoting the server to a domain controller
Promoting a domain controller using dcpromo.exe
Promoting a domain controller using Windows PowerShell
Checking proper promotion
See also
Promoting a server to a read-only domain controller
Getting ready
How to do it...
Installing the Active Directory Domain Services role
Promoting the server to a read-only domain controller
Promoting a read-only domain controller using dcpromo.exe
Promoting a domain controller using Windows PowerShell
Checking proper promotion
How it works...
See also
Using Install From Media
How to do it...
Creating the IFM package
Leveraging the IFM package
Using the Active Directory Domain Services Configuration Wizard
Using dcpromo.exe
Using the Install-ADDSDomainController PowerShell cmdlet
How it works...
Using domain controller cloning
Getting ready
How to do it...
Making sure all agents and software packages are cloneable
Supplying the information for the new domain controller configuration
Adding the domain controller to the Cloneable Domain Controllers group
Cloning the domain controller from the hypervisor
How it works...
See also
Determining whether a virtual domain controller has a VM-GenerationID
How to do it...
How it works...
Demoting a domain controller
Getting ready
How to do it...
Using the wizard
Using the Active Directory module for Windows PowerShell
How it works...
There's more...
Demoting a domain controller forcefully
How to do it...
Using the Active Directory Domain Services Configuration Wizard
Using manual steps
Performing metadata cleanup
Deleting the domain controller from DNS
Deleting the computer object for the domain controller
Deleting the SYSVOL replication membership
Deleting the domain controller from Active Directory Sites and Services
Deleting an orphaned domain
See also
Inventory domain controllers
How to do it...
Using Active Directory Users and Computers to inventory domain controllers
Using the Active Directory module for Windows PowerShell to inventory domain controllers
Decommissioning a compromised read-only domain controller
How to do it...
How it works...
Managing Active Directory Roles and Features
About FSMO roles
Recommended practices for FSMO roles
Querying FSMO role placement
Getting ready
How to do it...
How it works...
Transferring FSMO roles
Getting ready
How to do it...
Transferring FSMO roles using the MMC snap-ins
Transferring FSMO roles using the ntdsutil command-line tool
Transferring FSMO roles using Windows PowerShell
How it works...
Seizing FSMO roles
Getting ready
How to do it...
Seizing FSMO roles using the ntdsutil command-line tool
Seizing FSMO roles using Windows PowerShell
How it works...
Configuring the Primary Domain Controller emulator to synchronize time with a reliable source
Getting ready
How to do it...
How it works...
Managing time synchronization for virtual domain controllers
Getting ready
How to do it...
Managing time synchronization for virtual domain controllers running on VMware vSphere
Managing time synchronization for virtual domain controllers running on Microsoft Hyper-V
How it works...
Managing global catalogs
Getting ready
How to do it...
How it works
Managing Containers and Organizational Units
Differences between OUs and containers
Containers
OUs
OUs versus Active Directory domains
Creating an OU
Getting ready
How to do it...
Using the Active Directory Administrative Center
Using the command line
Using Windows PowerShell
How it works...
There's more...
Deleting an OU
Getting ready
How to do it...
Using the Active Directory Administrative Center
Using the command line
Using Windows PowerShell
How it works...
There's more...
Modifying an OU
Getting ready
How to do it...
Using the Active Directory Administrative Center
Using the command line
Using Windows PowerShell
How it works...
There's more...
See also
Delegating control of an OU
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the command line
How it works...
Using the built-in groups
Using delegation of control
See also
Modifying the default location for new user and computer objects
Getting ready
How to do it...
How it works...
See also
Managing Active Directory Sites and Troubleshooting Replication
What do Active Directory sites do?
Recommendations
Creating a site
Getting ready
How to do it...
Using Active Directory Sites and Services
Using Windows PowerShell
See also
Managing a site
Getting ready
How to do it...
Using Active Directory Sites and Services
Using Windows PowerShell
How it works...
See also
Managing subnets
Getting ready
How to do it...
Using Active Directory Sites and Services
Using Windows PowerShell
How it works...
See also
Creating a site link
Getting ready
How to do it...
Using Active Directory Sites and Services
Using Windows PowerShell
How it works...
See also
Managing a site link
Getting ready
How to do it...
Using Active Directory Sites and Services
Using Windows PowerShell
See also
Modifying replication settings for an Active Directory site link
Getting ready
How to do it...
Using Active Directory Sites and Services
Using Windows PowerShell
How it works...
Site-link costs
Site-link replication schedules
See also
Creating a site link bridge
Getting ready
How to do it...
See also
Managing bridgehead servers
Getting ready
How to do it...
Using Active Directory Sites and Services
Using Windows PowerShell
How it works...
See also
Managing the Inter-site Topology Generation and Knowledge Consistency Checker
Getting ready
How to do it...
Using Active Directory Sites and Services
Using Windows PowerShell
How it works...
See also
Managing universal group membership caching
Getting ready
How to do it...
Using Active Directory Sites and Services
Using Windows PowerShell
How it works...
See also
Working with repadmin.exe
Getting ready
How to do it...
How it works...
See also
Forcing replication
Getting ready
How to do it...
How it works...
See also
Managing inbound and outbound replication
Getting ready
How to do it...
How it works...
There's more...
See also
Modifying the tombstone lifetime period
Getting ready
How to do it...
Using ADSI Edit
Using Windows PowerShell
How it works...
See also
Managing strict replication consistency
Getting ready
How to do it...
How it works...
Upgrading SYSVOL replication from File Replication Service to Distributed File System Replication
Getting ready
How to do it...
The initial state
The prepared state
The redirected state
The eliminated state
How it works...
See also
Checking for and remediating lingering objects
Getting ready
How to do it...
How it works...
See also
Managing Active Directory Users
Creating a user
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
There's more...
Deleting a user
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
See also
Modifying several users at once
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using Windows PowerShell
How it works...
There's more...
Moving a user
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
Renaming a user
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
Enabling and disabling a user
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
There's more...
Finding locked-out users
Getting ready
How to do it...
Using the Active Directory Administrative Center
Using Windows PowerShell
How it works...
See also
Unlocking a user
Getting ready
How to do it...
Using the Active Directory Administrative Center
Using Windows PowerShell
Managing userAccountControl
Getting ready
How to do it...
Reading the userAccountControl attribute
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using Windows PowerShell
Setting the userAccountControl attribute
Using ADSI Edit
Using Windows PowerShell
How it works...
Using account expiration
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
Managing Active Directory Groups
Creating a group
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
Group scopes
Group types
Deleting a group
Getting ready
How to do it...
Using Active Directory Groups and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
Managing the direct members of a group
Getting ready
How to do it...
Using Active Directory Groups and Computers
Using the Active Directory Administrative Center
Using Windows PowerShell
How it works...
Managing expiring group memberships
Getting ready
How to do it...
How it works...
Changing the scope or type of a group
Getting ready
How to do it...
Using Active Directory Groups and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
Group scopes
Group types
Viewing nested group memberships
Getting ready
How to do it...
How it works...
Finding empty groups
Getting ready
How to do it...
How it works...
Managing Active Directory Computers
Creating a computer
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
There's more...
Deleting a computer
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using command-line tools
Using Windows PowerShell
How it works...
See also
Joining a computer to the domain
Getting ready
How to do it...
Using the GUI
Using Windows PowerShell
How it works...
There's more...
See also
Renaming a computer
Getting ready
How to do it...
Using the settings app
Using the command line
Using Windows PowerShell
How it works...
There's more...
Testing the secure channel for a computer
Getting ready
How to do it...
Using the command line
Using Windows PowerShell
How it works...
See also
Resetting a computer's secure channel
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using the command line
Using Windows PowerShell
How it works...
Changing the default quota for creating computer objects
Getting ready
How to do it...
Using ADSI Edit
Using Windows PowerShell
How it works...
Getting the Most Out of Group Policy
Creating a Group Policy Object (GPO)
Getting ready
How to do it...
Using the Group Policy Management Console
Using Windows PowerShell
How it works...
See also
Copying a GPO
Getting ready
How to do it...
Using the Group Policy Management Console
Using Windows PowerShell
How it works...
There's more...
Deleting a GPO
Getting ready
How to do it...
Using the Group Policy Management Console
Using Windows PowerShell
How it works...
See also
Modifying the settings of a GPO
Getting ready
How to do it...
How it works...
Assigning scripts
Getting ready
How to do it...
How it works...
Installing applications
Getting ready
How to do it...
How it works...
Linking a GPO to an OU
Getting ready
How to do it...
How it works...
There's more...
Blocking inheritance of GPOs on an OU
Getting ready
How to do it...
How it works...
Enforcing the settings of a GPO Link
Getting ready
How to do it...
How it works...
Applying security filters
Getting ready
How to do it...
How it works...
Creating and applying WMI Filters
Getting ready
How to do it...
How it works...
There's more...
Configuring loopback processing
Getting ready
How to do it...
How it works...
Restoring a default GPO
Getting ready
How to do it...
How it works...
There's more...
Creating the Group Policy Central Store
Getting ready
How to do it...
How it works...
There's more...
Securing Active Directory
Applying fine-grained password and account lockout policies
Getting ready
How to do it...
Using the Active Directory Administrative Center
Using the Active Directory Module for Windows PowerShell
How it works...
There's more...
Backing up and restoring GPOs
Getting ready
How to do it...
How it works...
There's more...
Backing up and restoring Active Directory
Getting ready
How to do it...
How it works...
Working with Active Directory snapshots
Getting ready
How to do it...
How it works...
There's more...
Managing the DSRM passwords on domain controllers
Getting ready
How to do it...
How it works...
Implementing LAPS
Getting ready
How to do it...
Implementing LAPS
Extending the schema
Setting permissions
Creating the GPO to install the LAPS Client-side Extensions
Linking the GPO to OUs with devices
Managing passwords
Viewing an administrator password
Resetting an Administrator password
How it works...
See also
Managing deleted objects
Getting ready
How to do it...
Using the Active Directory Administrative Center
Using Windows PowerShell
How it works...
There's more...
See also
Working with group Managed Service Accounts
Getting ready
How to do it...
How it works...
There's more...
Configuring the advanced security audit policy
Getting ready
How to do it...
How it works...
Resetting the KRBTGT secret
Getting ready
How to do it...
How it works...
There's more...
Using SCW to secure domain controllers
Getting ready
How to do it
Secure a representative domain controller using SCW
Roll-out the security settings to all domain controllers using Group Policy
How it works...
Leveraging the Protected Users group
Getting ready
How to do it...
Using Active Directory Users and Computers
Using the Active Directory Administrative Center
Using Windows PowerShell
How it works...
Putting authentication policies and authentication policy silos to good use
Getting ready
How to do it...
Enable domain controller support for claims
Enable compound claims on devices in scope for an authentication policy
Create an Authentication Policy
Create an Authentication Policy Silo
Assign the Authentication Policy Silo
How it works...
Configuring Extranet Smart Lock-out
Getting ready
How to do it...
How it works...
Managing Federation
Choosing the right AD FS farm deployment method
Getting ready
How to do it...
How it works...
There's more...
See also
Installing the AD FS server role
Getting ready
How to do it...
How it works...
Setting up an AD FS farm with Windows Internal Database
Getting ready
How to do it...
Configuring AD FS
Checking the proper AD FS configuration
How it works...
There's more...
See also
Setting up an AD FS farm with SQL Server
Getting ready
How to do it...
Creating a gMSA
Creating the script
Creating the databases
Configuring AD FS
Checking the proper AD FS configuration
How it works...
There's more...
See also
Adding additional AD FS servers to an AD FS farm
Getting ready
How to do it...
How it works...
See also
Removing AD FS servers from an AD FS farm
Getting ready
How to do it...
How it works...
There's more...
Creating a Relying Party Trust (RPT)
Getting ready
How to do it...
How it works...
Deleting an RPT
Getting ready
How to do it...
How it works...
Configuring branding
Getting ready
How to do it...
How it works...
Setting up a Web Application Proxy
Getting ready
How to do it...
Installing the Web Application Proxy feature
Configuring the Web Application Proxy
Checking the proper Web Application Proxy configuration
How it works...
There's more...
Decommissioning a Web Application Proxy
Getting ready
How to do it...
How it works...
Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO)
Choosing the right authentication method
Getting ready
How to do it...
How it works...
Active Directory Federation Services or PingFederate
Password Hash Sync
Pass-through authentication
Seamless Single Sign-on
Cloud-only
There's more...
Verifying your DNS domain name
Getting ready
How to do it...
How it works...
Implementing Password Hash Sync with Express Settings
Getting ready
How to do it...
How it works...
Implementing Pass-through Authentication
Getting ready
How to do it...
Adding the Azure AD Authentication Service to the intranet sites
Configuring Azure AD Connect
How it works...
There's more...
Implementing single sign-on to Office 365 using AD FS
Getting ready
How to do it...
How it works...
There's more...
Managing AD FS with Azure AD Connect
Getting ready
How to do it...
Reset Azure AD trust
Federate an Azure AD domain
Update the AD FS SSL certificate
Deploy an AD FS server
Add a Web Application Proxy server
Verify federated login
How it works...
There's more...
Implementing Azure Traffic Manager for AD FS geo-redundancy
Getting ready
How to do it...
Configuring the Web Application Proxies for probing
Configuring Azure Traffic Manager
Adding DNS records
How it works...
There's more...
Migrating from AD FS to Pass-through Authentication for single sign-on to Office 365
Getting ready
How to do it...
Adding the Azure AD Authentication Service to the intranet sites
Configuring Azure AD Connect
Checking domains in the Azure portal
Disabling federation in Azure AD
Deleting the Office 365 Identity Platform relying party trust
How it works...
There's more...
Making Pass-through Authentication (geo)redundant
Getting ready
How to do it...
Installing and configuring the PTA Agent
Checking proper installation and configuration
How it works...
Handling Synchronization in a Hybrid World (Azure AD Connect)
Choosing the right sourceAnchor
Getting ready
How to do it...
How it works...
There's more...
Configuring staging mode
Getting ready
How to do it...
How it works...
See also
Switching to a staging mode server
Getting ready
How to do it...
How it works...
Configuring Domain and OU filtering
Getting ready
How to do it...
Configuring Azure AD Connect initially
Reconfiguring Azure AD Connect
How it works...
Configuring Azure AD app and attribute filtering
Getting ready
How to do it...
Configuring Azure AD Connect initially
Reconfiguring Azure AD Connect
How it works...
Configuring MinSync
Getting ready
How to do it...
Configuring Azure AD Connect initially
Reconfiguring Azure AD Connect
How it works...
Configuring Hybrid Azure AD Join
Getting ready
How to do it...
Adding the Azure AD Device Registration Service to the intranet sites
Distributing Workplace Join for non-Windows 10 computers
Setting the Group Policy to register for down-level Windows devices
Link the Group Policy to the right Organizational Units
Configuring Hybrid Azure AD Join in Azure AD Connect
How it works...
Configuring Device writeback
Getting ready
How to do it...
How it works...
Configuring Password writeback
Getting ready
How to do it...
Configuring the proper permissions for Azure AD Connect service accounts
Configuring Azure AD Connect
Configuring Azure AD Connect initially
Reconfiguring Azure AD Connect
How it works...
Configuring Group writeback
Getting ready
How to do it...
Creating the Organizational Unit where groups are to be written back
Configuring Azure AD Connect
Configuring Azure AD Connect initially
Reconfiguring Azure AD Connect
Configuring the proper permissions for Azure AD Connect service accounts
How it works...
Changing the passwords for Azure AD Connects service accounts
Getting ready
How to do it...
Managing the service account connecting to Active Directory
Managing the service account connecting to Azure AD
Managing the computer account for Seamless Single Sign-on
How it works...
The service account running the Azure AD Connect service
The service account connecting to Active Directory
The service account connecting to Azure AD
The computer account for Seamless Single Sign-on
Hardening Azure AD
Setting the contact information
Getting ready
How to do it...
How it works...
Preventing non-privileged users from accessing the Azure portal
Getting ready
How to do it...
How it works...
Viewing all privileged users in Azure AD
Getting ready
How to do it...
Using the Azure AD PowerShell
Using the Azure Cloud Shell
How it works...
Preventing users from registering or consenting to apps
Getting ready
How to do it...
How it works...
There's more...
Preventing users from inviting guests
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring whitelisting or blacklisting for Azure AD B2B
Getting ready
How to do it...
How it works...
Configuring Azure AD Join and Azure AD Registration
Getting ready
How to do it...
Limiting who can join Azure AD devices
Limiting who can register Azure AD devices
Configuring additional administrators
Enabling Enterprise State Roaming
How it works...
See also
Configuring Intune auto-enrollment upon Azure AD Join
Getting ready
How to do it...
How it works...
Configuring baseline policies
Getting ready
How to do it...
How it works...
Configuring Conditional Access
Getting ready
How to do it...
How it works...
See also
Accessing Azure AD Connect Health
Getting ready
How to do it...
How it works...
There's more...
Configuring Azure AD Connect Health for AD FS
Getting ready
How to do it...
Downloading the agent
Installing and configuring the agent
Consuming the information in the Azure AD Connect Health dashboard
How it works...
Configuring Azure AD Connect Health for AD DS
Getting ready
How to do it...
Downloading the agent
Installing and configuring the agent
Consuming the information in the Azure AD Connect Health dashboard
How it works...
Configuring Azure AD Privileged Identity Management
Getting ready
How to do it...
How it works...
There's more...
Configuring Azure AD Identity Protection
Getting ready
How to do it...
How it works...
MFA registration
User risk policies
Sign-in risk policies
There's more...
Other Books You May Enjoy
Leave a review - let other readers know what you think