This chapter covers the following recipes:
- Installing a Forest Root Domain
- Testing an AD Installation
- Installing a Replica Domain Controller
- Installing a Child Domain
- Creating and Managing AD Users and Groups
- Managing AD Computers
- Adding/Removing Users Using a CSV File
- Creating Group Policy Objects
- Reporting on AD Computers
- Reporting on AD Users
- Managing AD Replication
Introduction
A core component of almost all organizations’ IT infrastructure is Active Directory (AD). AD provides access control, user and system customization, and a wealth of directory and other services. Microsoft first introduced AD with Windows 2000 and has improved and expanded the product with each successive release of Windows Server.
At the core is Active Directory Domain Services (AD DS). Over the years, Microsoft has made “AD” more of a brand than a single feature. There are four additional Windows Server features under the AD brand:
- AD Certificate Services (AD-CS) - this allows you to issue X.509 certificates for your organization. For an overview of AD-CS, see https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831740(v=ws.11).
- AD Federation Services (AD-FS) - this feature enables you to federate identity with other organizations to facilitate interworking. You can find an overview of AD-FS at https://docs.microsoft...
Installing a Forest Root Domain
Installing Active Directory and DNS has always been reasonably straightforward. You can use the Server Manager GUI, but PowerShell is easier to automate. You create an AD forest by creating your first domain controller.
To create a DC, you start with a system running Windows Server. You then add the AD DS Windows feature and the management tools to the server. Then you use the management tools to promote DC1 to be your first DC (aka DC1.Reskit.Org) within the Reskit.Org domain.
Getting ready
You run this recipe on DC1 after installing PowerShell 7 and VS Code.
How to do it...
- Installing the AD Domain Services feature and management tools
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
- Importing the ADDeployment module
Import-Module -Name ADDSDeployment
- Examining the commands in the ADDSDeployment module
Get-Command -Module ADDSDeployment
- Creating a secure password for the Administrator
$PSSHT...
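The steps above, carried through to the promotion itself, as an added example that is not the book's own recipe code. It assumes step 1 (the AD-Domain-Services feature) has already run on DC1, and it prompts for the Directory Services Restore Mode (DSRM) password rather than embedding it in the script, so the value never lands in the script file or the PowerShell history. The forest and domain mode values and the dry-run-before-install pattern are the author-of-this-example's choices, not the book's.

```powershell
# Added example (not from the book): create the Reskit.Org forest root on DC1.
# Assumes the AD-Domain-Services feature is already installed (step 1 above).
Import-Module -Name ADDSDeployment

# Prompt for the DSRM password; Read-Host -AsSecureString returns a SecureString,
# which is what -SafeModeAdministratorPassword expects.
$SafeModePwd = Read-Host -Prompt 'DSRM (Safe Mode) password' -AsSecureString

$ForestParams = @{
    DomainName                    = 'Reskit.Org'
    DomainNetbiosName             = 'RESKIT'
    ForestMode                    = 'WinThreshold'   # Windows Server 2016+ forest functional level
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    SafeModeAdministratorPassword = $SafeModePwd
    NoRebootOnCompletion          = $true            # reboot explicitly after reviewing the result
    Force                         = $true            # suppress confirmation prompts
}

# Dry run first: reports prerequisite failures (DNS, hostname, disk) without changing anything.
$Test = Test-ADDSForestInstallation @ForestParams
$Test | Format-List Status, Message

if ($Test.Status -eq 'Success') {
    $Result = Install-ADDSForest @ForestParams
    $Result | Format-List Status, Message, RebootRequired
} else {
    Write-Warning 'Prerequisite check failed; fix the reported issues before promoting DC1.'
}
```

Keeping `NoRebootOnCompletion` set lets you inspect the returned status object (and run the basic tests the recipe describes) before the reboot that completes the promotion.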
Testing an AD installation
In “Installing an Active Directory Forest Root Domain,” you installed AD on DC1. In that recipe, you installed AD initially without rebooting, then did some basic testing, followed by a reboot. After the required reboot, it is useful to check that your domain and domain controller are fully up, running, and working correctly. In this recipe, you examine core aspects of the AD infrastructure on your first DC.
Getting ready
You run this recipe on DC1, the first domain controller in the Reskit.Org domain, after you have promoted it to be a DC. You promoted DC1 as a domain controller in the Reskit.Org domain in “Installing an Active Directory forest root domain.” Log on as Reskit\Administrator using the password set in the previous recipe, Pa$$w0rd.
How to do it...
- Examining Root Directory Service Entry (DSE)
Get-ADRootDSE -Server DC1.Reskit.Org
- Viewing AD forest details
Get-ADForest
- Viewing AD Domain details
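A fuller post-reboot health check built around the three cmdlets listed above, as an added example rather than the book's own recipe steps. It goes beyond the listed steps by also checking the DC services, the DNS locator record that clients use to find a DC, and the replication failure view; the service names and the `_ldap._tcp.dc._msdcs` record are standard AD DS, while the host and domain names are the recipe's.

```powershell
# Added example (not from the book): post-reboot health checks for DC1 in Reskit.Org.
# Run on DC1 as Reskit\Administrator after the promotion reboot.
Import-Module -Name ActiveDirectory

$Domain = 'Reskit.Org'
$DC     = 'DC1.Reskit.Org'

# 1. Directory services that must be running on every DC. A stopped Kdc or Netlogon
#    means authentication or DC location is broken even if the database is fine.
$Services = 'NTDS', 'DNS', 'Kdc', 'Netlogon', 'ADWS'
Get-Service -Name $Services |
    Select-Object Name, Status |
    Format-Table -AutoSize

# 2. RootDSE is the entry point into the directory; isSynchronized must be true
#    before the DC should be trusted to serve clients.
$RootDSE = Get-ADRootDSE -Server $DC
$RootDSE | Select-Object defaultNamingContext, dnsHostName, isSynchronized, isGlobalCatalogReady

# 3. Forest and domain objects: functional levels and which DC holds each FSMO role.
Get-ADForest | Select-Object Name, ForestMode, SchemaMaster, DomainNamingMaster, GlobalCatalogs
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster

# 4. The DNS SRV record clients query to locate a DC. If it is missing, clients cannot
#    find the domain even though AD itself is healthy (Netlogon registers it).
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DC -ErrorAction SilentlyContinue
if ($Srv) {
    $Srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port
} else {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV record for $Domain - check DNS registration (Netlogon)."
}

# 5. Replication failures. With a single DC there are no partners yet, so this should return nothing;
#    once DC2 exists, any entry here needs attention.
Get-ADReplicationFailure -Target $DC
```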
Installing a Replica Domain Controller
In “Installing an Active Directory forest root domain,” you installed AD on DC1. If you have just one DC, then that DC is a single point of failure. If the only domain controller goes down, you cannot manage or log in to the domain. It is always a best practice to install at least two DCs. If you are using VMs for your DCs, you should also ensure that each DC VM is on a separate virtualization host; otherwise, the VM host is a single point of failure.
To add a second DC to your domain, you run Install-ADDSDomainController on another host, in this case DC2. This cmdlet takes parameters similar to those of Install-ADDSForest. As when creating your first DC, it is useful to run the prerequisite tests to ensure that the second DC’s promotion can succeed.
In this recipe, you promote a host, DC2, to be the second DC in the Reskit.Org domain. Like creating your first DC, after you promote DC2 to be a DC, you need to reboot the server...
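The promotion of DC2 described above, as an added example that is not the book's own recipe code. It assumes DC2 can already resolve Reskit.Org via DC1 and that you hold Domain Admins credentials; the choice to make DC2 a global catalog and to replicate from DC1 are this example's, and the commented verification lines are meant to be run after the reboot.

```powershell
# Added example (not from the book): promote DC2 as a second DC for Reskit.Org.
# Run on DC2, which must be able to resolve Reskit.Org (DNS pointing at DC1).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module -Name ADDSDeployment

# Account allowed to add DCs (Domain Admins); prompted rather than written into the script.
$Cred        = Get-Credential -UserName 'Reskit\Administrator' -Message 'Domain Admin for DC promotion'
$SafeModePwd = Read-Host -Prompt 'DSRM (Safe Mode) password for DC2' -AsSecureString

$DCParams = @{
    DomainName                    = 'Reskit.Org'
    Credential                    = $Cred
    SafeModeAdministratorPassword = $SafeModePwd
    InstallDns                    = $true
    NoGlobalCatalog               = $false             # make DC2 a GC too, so logons survive DC1 being offline
    SiteName                      = 'Default-First-Site-Name'
    ReplicationSourceDC           = 'DC1.Reskit.Org'   # initial replication source
    NoRebootOnCompletion          = $true
    Force                         = $true
}

# Prerequisite tests mirror those for Install-ADDSForest; fix anything reported before promoting.
$Test = Test-ADDSDomainControllerInstallation @DCParams
if ($Test.Status -ne 'Success') {
    $Test | Format-List Status, Message
    throw 'DC2 prerequisite check failed.'
}

Install-ADDSDomainController @DCParams | Format-List Status, Message, RebootRequired

# After the reboot, confirm the domain now has two DCs and that replication between them succeeds:
# Get-ADDomainController -Filter * | Select-Object Name, IsGlobalCatalog, Site
# Get-ADReplicationPartnerMetadata -Target DC2.Reskit.Org |
#     Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```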
Installing a Child Domain
In “Installing a replica domain controller,” you added a DC to an existing domain. With all the prerequisites, such as DNS, in place, the promotion process is simple and quick.
An AD forest can contain more than one domain, with each domain having zero, one, or more child domains. This architecture provides for delegated administration and a reduction in replication traffic across a global network. Like creating a replica DC, creating a new child domain is simple, as you can see in this recipe.
Best practice calls for a contiguous namespace of domains, where the additional domain is a child of another existing domain. In this recipe, you create a child domain, UK.Reskit.Org. You begin with the domain-joined server UKDC1 and, with this recipe, convert it to be the first DC in a new child domain, UK.Reskit.Org. In doing so, the hostname changes from UKDC1.Reskit.Org to UKDC1.UK.Reskit.Org.
The steps in this recipe are very similar to those in “Installing...
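Creating the UK.Reskit.Org child domain on UKDC1, as an added example that is not the book's own recipe code. It assumes UKDC1 is still a member server of Reskit.Org and that the credential you supply is an Enterprise Admin in the forest root (creating a domain in a forest needs more than Domain Admins in the parent). The `DomainType` value makes the contiguous-namespace choice the text describes explicit, and the DNS delegation flag is this example's addition.

```powershell
# Added example (not from the book): create the UK.Reskit.Org child domain on UKDC1.
# Run on UKDC1 while it is still a member server in Reskit.Org.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module -Name ADDSDeployment

# Creating a new domain in the forest requires Enterprise Admins, not just Domain Admins.
$Cred        = Get-Credential -UserName 'Reskit\Administrator' -Message 'Enterprise Admin for child-domain creation'
$SafeModePwd = Read-Host -Prompt 'DSRM (Safe Mode) password for UKDC1' -AsSecureString

$ChildParams = @{
    NewDomainName                 = 'UK'               # becomes UK.Reskit.Org
    ParentDomainName              = 'Reskit.Org'
    DomainType                    = 'ChildDomain'      # contiguous namespace; TreeDomain would start a new tree
    NewDomainNetbiosName          = 'UK'
    Credential                    = $Cred
    SafeModeAdministratorPassword = $SafeModePwd
    InstallDns                    = $true
    CreateDnsDelegation           = $true              # delegate the uk zone from the parent's DNS
    DomainMode                    = 'WinThreshold'
    NoRebootOnCompletion          = $true
    Force                         = $true
}

# Same test-then-install pattern as the forest root and replica DC recipes.
$Test = Test-ADDSDomainInstallation @ChildParams
if ($Test.Status -ne 'Success') {
    $Test | Format-List Status, Message
    throw 'UKDC1 prerequisite check failed.'
}

Install-ADDSDomain @ChildParams | Format-List Status, Message, RebootRequired

# After the reboot the host is UKDC1.UK.Reskit.Org. Verify the new domain and its parent-child trust:
# Get-ADDomain -Server UKDC1.UK.Reskit.Org | Select-Object DNSRoot, ParentDomain, PDCEmulator
# Get-ADTrust -Filter * -Server UKDC1.UK.Reskit.Org | Select-Object Name, Direction, TrustType
```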
Creating and Managing AD Users and groups
After you have created your forest/domain and your domain controllers, you can begin to manage the core objects in AD, namely, users, groups, computers, and organizational units (OUs). User and computer accounts identify a specific user or computer. Windows uses these objects to enable the computer and the user to log on securely using passwords held in the AD.
AD Groups enable you to collect users and computers into a single (group) account that simplifies setting access controls on resources such as files or file shares. As you saw in “Testing an AD installation,” the AD promotion process creates many potentially useful groups when you create a new forest.
Organizational Units (OUs) enable you to partition users, computers, and groups into separate container OUs. OUs serve essential roles in your AD. The first is role delegation. You can delegate the management of any OU (and child OUs) to be carried out by different...
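The three object types discussed above (an OU, a group and a user) together with the OU delegation the last paragraph introduces, as an added example that is not the book's own recipe code. The OU, group and user names are constructed for the example; the two GUIDs are the well-known schema identifiers for the `user` class and the "Reset Password" control-access right, and granting that right to a group on the OU (rather than to individual administrators) is this example's illustration of least-privilege delegation.

```powershell
# Added example (not from the book): create an OU, a group and a user in Reskit.Org,
# then delegate password resets on that OU to the group.
Import-Module -Name ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=Reskit,DC=Org
$OUName   = 'IT'                                        # constructed example name
$OUPath   = "OU=$OUName,$DomainDN"

# 1. An OU to hold IT staff. ProtectedFromAccidentalDeletion blocks a stray Remove-ADObject.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. A security group carries the delegated permission, so group membership is the audit trail.
$GroupName = 'IT Helpdesk'                              # constructed example name
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OUPath
}
$Group = Get-ADGroup -Identity $GroupName               # re-read so the SID property is populated

# 3. A user with a prompted initial password and a forced change at first logon.
$InitialPwd = Read-Host -Prompt 'Initial password for TomG' -AsSecureString
$UserParams = @{
    Name                  = 'Tom Green'                 # constructed example user
    SamAccountName        = 'TomG'
    UserPrincipalName     = 'TomG@Reskit.Org'
    Path                  = $OUPath
    AccountPassword       = $InitialPwd
    Enabled               = $true
    ChangePasswordAtLogon = $true
    PassThru              = $true
}
$User = New-ADUser @UserParams
Add-ADGroupMember -Identity $Group -Members $User

# 4. Delegation: allow IT Helpdesk to reset passwords on user objects beneath the OU,
#    and nothing else. Done through the AD: PSDrive that the ActiveDirectory module provides.
$ResetPwdRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # control-access right: Reset Password
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$Acl = Get-Acl -Path "AD:\$OUPath"
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $Group.SID, 'ExtendedRight', 'Allow', $ResetPwdRight, 'Descendents', $UserClass)
$Acl.AddAccessRule($Ace)
Set-Acl -Path "AD:\$OUPath" -AclObject $Acl

# Show the resulting ACE so the delegation can be reviewed.
(Get-Acl -Path "AD:\$OUPath").Access |
    Where-Object { $_.IdentityReference -like "*$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Scoping the right to `Descendents` of type `user` means the group cannot reset passwords on computer accounts or on objects outside the OU, which is the point of putting the permission on an OU rather than at the domain root.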