Appendix A: Assessments · 2019-08-14 · (Microsoft Active Directory (AD) domain controllers keep...

Appendix A: Assessments

Chapter 1: Active Directory FundamentalsWhat is a directory service? Explain the characteristics of a directory1.service.

A directory service is a software system that can be used to store andcentrally manage identities and resources. In a directory system, wecan control who will have access to what resources and how they willhave this access. A directory service should have the followingcharacteristics:

Centralized data repository: A directory service should havea centralized repository to store information about users andresources.High availability: It should have high-availabilitymechanisms built in. This can be achieved by using multiplecopies of the data repository. (Microsoft Active Directory(AD) domain controllers keep a copy of the AD database ineach instance. This means that if one domain controller isdown, then authentication and authorization can beprocessed by any other available domain controller.)Security: Data and identity security are very important inmodern businesses. Therefore, a directory service should becapable of protecting identities from emerging threats.(Microsoft AD has different authentication types, grouppolicies, and workflows to protect identities and data. It alsohas different role services that can be used to further improvesecurity.)


[ 2 ]

Auditing capabilities: A directory service should be able tolog its activities for auditing and troubleshooting purposes.Single sign-on: Applications and services can also use adirectory service to manage their authentication andauthorization requirements. This will allow users to use thesame username and password credentials to access variousapplications and services.

What are the two types of replication of domain controller?2.

Inbound replication: If a domain controller accepts changesadvertised by neighboring domain controllers, it is calledinbound replication. A domain controller has two types ofreplication.Outbound replication: If a domain controller advertises thechanges made on that particular domain controller toneighboring domain controllers, it is called outboundreplication.

The two types of AD components are as follows:3.

Logical components: Logical components of the AD help usto structure the identity infrastructure by considering design,administration, extensibility, security, and scalability. ADforests, domains, domain trees, and organizational units(OUs) are examples of logical components.Physical components: The physical components of AD areresponsible for the connectivity and replication of domaincontrollers. AD sites and domain controllers are examples ofphysical components.

Why is the global catalog server role important in multi-domain4.environments?

The global catalog server holds the full writable copies of objects in itshost domain, and the partial copies of the objects in other domains inthe same forest. The partial replica contains a copy of every object inthe forest and the most commonly used attributes used by queries.Applications and users in one domain can query the objects in anotherdomain (but in the same forest) via the global catalog server.


[ 3 ]

What are the different types of objects?5.

There are two types of objects:

Container objects: Container objects can store other objectsin AD. The domain itself is an example of a container object.An OU is also a container object.Leaf objects: Leaf objects cannot store other objects in AD. Aservice account is an example of a leaf object.

A company wants to publish an on-premises application to the internet6.with minimum changes to the network. They also want to use the sameauthentication experience as their current SaaS apps. What method canthey use?

Azure AD's Application Proxy allows us to publish on-premises webapplications to the internet and apply the same authentication andaccess experiences as existing Azure AD-integrated Software-as-a-Service (SaaS) applications. This is done via a lightweight agentinstalled on the on-premises network. This doesn't require additionalservers (such as AD FS), DNS changes, or complex firewall changes.

What are the benefits of a hybrid Azure AD environment?7.

A hybrid Azure AD setup has many benefits, including the following:

We can control which identities are cloud-only, on-premisesonly, or synced (that is, they work on both).We can decide which authentication type to use (includingpassword hash sync, or federated or pass-throughauthentication).We can provide the same authentication and authorizationexperience to users of the on-premises web application,similar to Azure AD-integrated SaaS applications (by usingAzure AD application proxy).We can use Azure AD features without needing to move toAzure AD completely.Azure AD is enriched with features and services to protectidentities and data from emerging threats. Azure ADupdates are quite frequent; we never have to wait long. In ahybrid environment, we can use these features and servicesto protect on-premises identities and data.


[ 4 ]

Chapter 2: Active Directory DomainServices 2016

What are the benefits of using DFSR over FRS to do SYSVOL replications?1.

Distributed File System Replication (DFSR) has the followingbenefits:

DFSR allows us to replicate partial file changes using block-level replication. It supports asynchronous file replication viaslow links. If you are running Enterprise Edition, it can usecross-file Remote Differential Compression (RDC) to createfiles on the client side using common blocks used by similarfiles. It will reduce the amount of data that needed to transfervia the links.DFSR supports file compression and can control on a per-file-type basis. DFSR is capable of auto-healing when it detects corrupteddata.DFSR supports to generate health reports in XML or HTMLformat. It also includes many counters to reviewperformance stats using PerfMon.There is an enhanced GUI tool to manage related servicesand it can use WMI to monitor the health of the service. Italso has management packs developed to monitor via theSystem Center Operation Manager.

What are the benefits of PAM?2.

Privileged Access Management (PAM) has the following benefits:

Under PAM, users will have administrative privileges onlywhen required. In this method, user accounts do not need tobe members of privileged groups permanently.Privileges will have time limits. Privileged groupmemberships have TTL, and once it exceeds the allocatedtime, members will automatically be removed from groups.


[ 5 ]

Users have to make a request for privileged access. Usersalso have to provide valid reasons for the access requirement.Depending on the workflow, the request will be processedeither automatically or manually.All the events will be recorded for auditing purposes.

What are the components required to implement PAM?3.

PAM implementation requires the following components:

Microsoft Identity Manager 2016A bastion forest with a forest functional level of WindowsServer 2016 or Windows Server 2012 R2

What is the process of upgrading the AD FS 2012 farm to AD FS 2016?4.

We can take the following approach to upgrade AD FS 2012 R2 to ADFS 2016:

Introduce an AD FS 2016 server to an existing AD FS 2012 R21.farm.The farm will be operating in mixed mode. The new AD FS 20162.servers will operate with the same AD FS farm behavior level asthe original servers.Start removing the AD FS 2012 R2 servers from the AD FS farm.3.Once the last AD FS 2012 R2 server is removed from the farm,4.upgrade the AD FS farm behavior level to AD FS 2016.

Apart from time-based group memberships, what are the other methods5.we can use to control privileged access?

If it is an Azure AD environment, we can use Azure AD PrivilegedIdentity Management (PIM) to manage privileged access. If it is an on-premises AD environment, we can use a third-party solution providersuch as Centrify, Bomgar, or CyberArk to provide a privileged accessmanagement solution.


[ 6 ]

What are the two methods that we can use to join a Windows 10 device to6.Azure AD?

The two methods we can use to join Windows 10 devices to Azure ADare as follows:

Azure AD JoinAzure AD registered

What are the differences between the Azure AD device registration and7.Azure AD join device?

When a device is registered with Azure AD, it creates an identity thatcan be used to authenticate devices when the user signs in to AzureAD. This is ideal for a bring-your-own-device (BYOD) environment,as this allows access to Azure AD managed resources using personaldevices.

On the other hand, Azure AD Join will completely change the state ofthe device and allow users to log in to the device using their corporateaccount, instead of their personal account. This allows users to get thebenefits of Azure AD-centric features such as single sign-on (SSO),Enterprise State Roaming, self-service password reset functionality onthe login screen, passwordless authentication, and more.

Chapter 3: Designing an Active DirectoryInfrastructure

Can you downgrade forest and domain functional levels?1.

Yes, it is possible. Downgrades of forest and domain functional levelsare supported from Windows Server 2012 R2 onward.

Describe three things you need to consider before placing a domain2.controller in IT infrastructure.


[ 7 ]

The following are the three things that need to be considered beforeplacing a domain controller in IT infrastructure:

Network topology: Organizations can have differentbuildings, branch offices, and data centers connectedtogether. Services and resources hosted in those locationsmay require domain controller integration. Replication is keyfor domain controllers. The placement of the domaincontrollers in the network will determine whether or not it'spossible to achieve successful replication. Networksegmentation can prevent relevant traffic from passingthrough networks, which can impact replication. It isimportant to adjust the network topology to support the ADdesign you have in place.Security: Physical security is important for domaincontrollers as it holds the identity infrastructure footprint. Itis recommended that you do not place the domain controllerin locations where you cannot guarantee the physicalsecurity of your network. In such scenarios, instead of adomain controller, it is possible to deploy a Read-OnlyDomain Controller (RODC).Link reliability between sites: Replication is key for healthydomain controller infrastructure. If connectivity betweensites is not stable, it is not possible to place the domaincontroller and maintain healthy replication. In suchscenarios, it's advisable that you use RODC.

What is the role of the global catalog server?3.

The role of the global catalog server is to maintain a fully writable copyof objects in its own domain, and a partial copy of all other domainsobjects in the forest. It facilitates making queries about objects in theentire forest. The global catalog service is part of the domain controllerservices, and it cannot be separated from them.

What are the authentication types that are supported by Azure AD?4.

Azure AD supports three authentication types:

Password hash syncPass-through authenticationFederated authentication


[ 8 ]

These are explained in detail in Chapter 17, Azure Active DirectoryHybrid Setup.

What is pass-through authentication?5.

If an organization can't use password hash synchronization, we have touse the federated method so that users can authenticate via on-premises AD. To create federation trust between Azure AD and on-premises AD involves quite a bit of work. We need additional servers,SSL certificates, licenses, high availability solutions, firewall changes,and advanced configuration. But Azure AD pass-throughauthentication allows organizations to do on-premises-only userauthentication with minimum changes to the environment. It uses anagent (https:/ / aka. ms/ getauthagent) and can be installed on anyWindows Server. More information about this can be found in Chapter17, Azure Active Directory Hybrid Setup.

Can Azure AD Connect sync LDAP directories?6.

Yes, Azure AD Connect can sync LDAP directories.

What are the benefits of using password writeback in Azure AD?7.

In hybrid environments, there are two types of users. Cloud-only usersonly appear in Azure AD. AD Sync users appear in both Azure ADand on-premises AD. If we need to reset the password for an AD Syncuser, we normally do it via on-premises AD. However, Azure AD has aself-service password reset feature, with which users can reset theirown passwords without troubling the IT department. This can be donevia the Azure AD login page or Azure AD join device's login screen. Ifwe reset a password for AD Sync users using this method, on-premisesAD will not know about it unless we enable the Password writebackoption. This will write back password changes back to the on-premisesdirectory.


[ 9 ]

Chapter 4: Active Directory Domain NameSystem

If you have a hosts file entry and a DNS record entry related to the same1.FQDN, which one takes the precedence?

The hosts file entry always takes the precedence. If you do a ping testto an FQDN and it returns the wrong IP address, the first thing is tocheck whether the system resolved it from the DNS cache. You cansimply clear it using the ipconfig /flushdns command. If itcontinues to give the wrong IP address, it is best to checkthe hosts file. The hosts file can be foundin C:\Windows\System32\drivers\etc.

What does . represent in FQDN?2.

In a domain tree, "." represents the root of the domain. The next level ofthe domain tree, after the root, features the Top-Level Domains(TLDs) such as .com, .org, and .net.

What is meant by a split-brain DNS?3.

My company is using an on-premises exchange server for email. Ourusers access their emails via https://mail.rebeladmin.com/owa.This is the same URL that they use on their internal and externalnetworks. There is a public IP address (13.72.67.205) mapped to thisURL, and there is an external DNS record in place for it already. Butwhen users access the URL internally, it doesn't make sense for them togo to the public IP address, as this means going through multiplenetwork hops. Instead of that, an internal DNS entry is created formail.rebeladmin.com, which resolves to a local IP address(192.168.30.35). In this example, we have one URL, but there aretwo DNS entries for it. This is called a split-brain DNS deployment.


[ 10 ]

If there is no DNS forwarder set up, how will the DNS server resolve DNS4.queries for an external FQDN?

If there is no DNS forwarder in place, Microsoft DNS will use roothints to process external DNS queries. There are 13 root serversclustered and operating from different geographical locations. Theseroot DNS servers are managed by the Internet Assigned NumbersAuthority (IANA).

What is the difference between a conditional forwarder and a stub zone?5.

The conditional forwarder has a list of DNS servers that can help yourDNS server to resolve DNS queries for a specific domain. Once theDNS server receives a query for that domain, the DNS server forwardsthe query to the servers list in the conditional forwarder. This may ormay not include all the authoritative DNS servers for the domain. Thestub zone is aware of all the authoritative DNS servers for its domain.When the DNS server receives a query for the stub zone, it goes aheadand queries directly from servers listed on the zone and retrieves theresult.

What are the two types of zone file replications?6.

The following are the two types of zone file replications:

Full zone transfer (AXFR): When setting up anew secondary zone, the system will replicate a full copy ofthe zone file from the master server. It is not just for thesecondary zone; it's applicable to other zones, too. In theevent of DNS replication issues, the administrator mayrequire you to request a full zone transfer fromthe zone's master server from time to time.Incremental zone transfer (IXFR): Afterthe initial full zone transfer, only the records that have beenmodified will be replicated. This reduces replication traffic aswell as providing faster replication.


[ 11 ]

What is Azure DNS?7.

With Azure DNS, you can host your DNS domains in Azure. Thisdoesn't require a separate subscription. The service can be set up andmanaged using the same Azure portal. Azure DNS uses a global network of name servers to provide fastresponses to DNS queries. Queries will be always processed throughthe closest name servers. When you add, edit, or remove DNS record inAzure, it will replicate faster than a typical DNS record update. This isdue to the widespread Microsoft global network of nameservers.

Source: https:/ /azure. microsoft. com/ en- gb/services/ dns/ .

Chapter 5: Placing Operations MasterRoles

What is the role of the schema master role?1.

The owner of this role is the only domain controller in the forest thatcan update the AD schema. In order to make schema changes in theforest, it also needs to have a user account that is a member of theSchema Admins group. Once the schema changes are done from theschema master role owner, those changes will be replicated to otherdomain controllers in the forest.

What is the role of PDC in password, the lockout process?2.

The PDC role holder is also responsible for maintaining passwordchange replications. Also, in the event of authentication failures, thePDC is responsible for locking down the account. All the passwordschanged in other domain controllers will be reported back to the PDCrole holder. If any authentication failure occurs in a domain controller,it will check the password saved in the PDC before it passes theauthentication failure message to the user, as this will prevent errorsthat can occur due to password replication issues.


[ 12 ]

Why should the infrastructure operations master role not be placed in3.global catalog server?

The infrastructure operation master role owner checks its databaseperiodically for foreign group members (from other domains) and onceit finds those objects, it checks its SID and DN values with the globalcatalog server. If the value in the global catalog is different from thelocal value, it will replace its value with the global catalog server'svalue. Then, it will replicate it to other domain controllers in thedomain. By design, the global catalog server holds a partial copy ofevery object in the forest. It doesn't need to keep a reference of cross-domain objects. If the infrastructure master is in place in a globalcatalog server, it will not know about any cross-domain objects.Therefore, the infrastructure operations master role owner should notbe a global catalog server. However, this is not applicable when all thedomain controllers are global catalogs in a domain because that way,all the domain controllers will have up-to-date information.

The domain controller that hosts the RID operations master role holder4.server has just crashed. How critical is its availability?

The RID master role is a domain-wide setting, and each domain in theforest can have RID role owners. It is responsible for maintaining apool of relative identifiers that will be used when creating objects in thedomain. Each and every object in a domain has a unique securityidentifier (SID). The RID value is used in the process of SID valuecreation. The RID role owner maintains a pool of RIDs. When thedomain has multiple domain controllers, it will assign a block of 500RID values for each domain controller. When more than 50% of thesevalues have been used, the domain controllers will request anotherblock of RIDs from the RID role owner. The impact of an RID roleowner failure will be almost unnoticeable until all domain controllersrun out of allocated RID values. Such a failure will also prevent youfrom moving objects between domains.


[ 13 ]

What FSMO roles are needed to manage by the root domain, in a5.multidomainforest?

There are two forest-wide roles:

The Schema Master roleThe Domain Naming Master role

What do you need to consider when placing an FSMO role in a branch6.office?

When placing FSMO roles in a branch office network, consider thefollowing:

Connectivity: How stable is the connection between otherdomain controllers and FSMO role holders in other sites?Purpose: Evaluate the reason for FSMO placement. Is it dueto operational requirements? Is it due to resources? Is it dueto application or service requirements?Security: Can we ensure the security of the domaincontrollers in the branch office?Availability: Can we ensure the availability of the domaincontrollers?DR: How fast we can recover the operations of the FSMOrole holder in the branch office?

What do you need to consider before you seize FSMO roles?7.

The FSMO role seize process should be used only in a disaster whereyou cannot recover the FSMO role holder. Some of the FSMO roles(including RID, Domain Naming Master, and Schema Master) canafford a few hours' downtime with minimum business impact.Therefore, we should not use the seize option as the first option if theFSMO role holder can still be recovered or fixed.Once the seize process is completed, the old FSMO role holder shouldnot be brought online again. It is not possible to have the same FSMOrole appear in two servers in the same domain.


[ 14 ]

Chapter 6: Migrating to Active Directory2016

Why are virtualized domain controllers not fit for some environments?1.

For a while, it was recommended to maintain at least one physicaldomain controller for DR purposes, especially if your virtualizationplatform is run on top of a failover cluster (Hyper-V). Were the failovercluster to go down with the domain controllers, it would be a disaster.However, from Windows Server 2016, you can bring a failover clusteronline without depending on domain controllers. Therefore,requirements for physical domain controllers depend on how fast youcan bring your virtual domain controllers to a running state in a DRsituation, and how critical your business operations are.

Can we install a domain controller role in Windows core?2.

Yes, it is completely supported to run on the Windows Server Coreoperating system.

Why should organizations avoid non-routable domain names?3.

Most modern applications and services depend on routeable domainnames, especially if these are cloud-based solutions. Also, if you areconsidering whether to implement a hybrid AD environment, makesure to use routeable domain names, as Azure AD does not supportnon-routeable domains. However, if you already have a non-routabledomain name, it can still be integrated with Azure AD by using arouteable UPN suffix and AlternativeID. More info can be foundat https:/ /docs. microsoft. com/en- us/ office365/ enterprise/prepare- a- non- routable- domain- for- directory- synchronization.

Can we change domain controller IP addresses?4.

Yes, we can change the IP addresses of domain controllers. If it is froma completely new IP subnet, make sure you update the AD site dataaccordingly.


[ 15 ]

How can we avoid initial Active Directory replication via slow links?5.

During the domain controller role configuration process, we can definethe domain controller it should use for initial synchronization. This iscan be done by using the -ReplicationSourceDC command or theDcpromo wizard.

If you are migrating from an older AD version, what do we need to change6.in the SYSVOL replication?

In the early days (before Windows Server 2008), AD used FRS forSYSVOL replication. When we move from an older AD version to anewer one, by default it uses the replication method it was alreadyusing. Therefore, we may also need to consider FRS-to-DFSR migrationas part of the domain migration process.

Chapter 7: Managing Active DirectoryObjects

What is the name of the new server administrator tool introduced by1.Microsoft? What are the benefits of it?

Windows Admin Center aims to provide a lightweight, but powerful,server management experience for Windows users. As Windows users,we use many different Microsoft Management Consoles (MMCs) tomanage roles/features. We also use these to troubleshoot issues. If weare connecting remote computers, most of the time we will be usingRDP or other third-party tools to dial in. With Windows AdminCenter, we can now access all these consoles in one web-basedinterface in a secure, easy, and well-integrated way. Windows AdminCenter can connect to other remote computers as well. Some of thefeatures of Windows Admin Center are as follows:

Easy to deploy: It is easy to deploy. You can install WindowsAdmin Center on Windows 10 or Windows Server 2016 andstart managing devices within a few minutes.Manage from internal networks or external networks: Thissolution is web-based. It can be accessed from an internalnetwork and can also publish to external networks withminimum configuration changes.


[ 16 ]

Better access control: Windows Admin Center supports role-based access control and gateway authentication optionsincluding local groups, Windows AD, and Azure AD.Support for hyper-converged clusters: Windows AdminCenter is very capable of managing hyper-convergedclusters, offering the following:

A single console to manage compute, storage,and networkingThe ability to create and manage storage spacedirect featuresMonitoring and alerting functionality

Extensibility: Microsoft has made the SDK available, whichallows third-party vendors to develop solutions that can beintegrated with, and managed in, Windows Admin Center.

More information on this can be found at http:/ /www. rebeladmin.com/ 2018/ 04/ windowsadmin- center- rich- server- management-experience/ .

How we can use AD management tools from a desktop PC?2.

In order to use AD management tools from a desktop PC, we need toinstall Remote Server Administration Tools (RSAT). The latest RSATtools for Windows 10 are available at https:/ /www. microsoft. com/ en-gb/ download/ details. aspx? id= 45520.

Why is PowerShell better than GUI tools for managing AD objects?3.

The GUI tools use predefined options or wizards to do specific tasks. Ifyou use the GUI tools, you need to work with these limitations. Also,you may need to go in to different windows to define different settings,which can be time-consuming. As an example, if you need to search foran object with specific attribute values in ADUC MMC, you need toselect the relevant fields in the Advanced search option and thensearch for the object. But with PowerShell, you can simply do it usingone line of commands. Also, by using PowerShell, we can combine afew different tasks together. As an example, we can search for a set ofobjects with specific attribute values and move a filtered object to adifferent OU at the same time.


[ 17 ]

What is the Global Search feature in ADAC?4.

ADAC has a feature called Global Search, which can be used to searchfor objects throughout the entire directory. This allows a typical text-based search or advanced Lightweight Directory AccessProtocol (LDAP)-based queries:

Why is the ADAC WINDOWS POWERSHELL HISTORY window5.important for administrators?

ADAC is built based on PowerShell command-line interfacetechnology, so each and every task performed in ADAC is executed asa PowerShell command. In this pane, we can see already executedPowerShell commands. Engineers can copy these commands and reuseor develop them further to manage AD objects via PowerShell directly.It also allows us to search for commands, if required.


[ 18 ]

Chapter 8: Managing Users, Groups, andDevices

In the domain controller, I can't see Active Directory Schema under MMC.1.What might be the issue?

In order to open the AD schema snap-in, you need to run theregsvr32 schmmgmt.dll command from the domain controller.Also, you need to have schema administrator privileges to modify theAD schema.

Why should we not use existing user accounts as templates?2.

The template should be a baseline. If we use an existing user account asa template, it may have some unique privileges and attribute values.Therefore, it is best to keep separate template accounts. It isrecommended to keep the template account disabled, as it should beused for authentication purposes only.

What is the main difference between MSAs and gMSAs? 3.

Managed service accounts can be used with one computer only. Butthere are sometimes operational requirements that necessitate the sameservice account being shared across multiple hosts. Microsoft'sNetwork Load Balancer and the Internet Information Service (IIS)Server farm are good examples of this. All the hosts in these servergroups are required to use the same service accounts forauthentication. Group Managed Service Accounts (gMSAs) providethe same functionalities as MSAs, but the former can be used withmultiple hosts.

What is KDS?4.

Key Distribution Service (KDS) was introduced with Windows Server2012. KDS shares a secret (root key ID) among all the KDS instances inthe domain. This value changes periodically. When the gMSA requiresa password, the Windows Server 2012 domain controller generates apassword based on a common algorithm that includes the root key ID.Then all the hosts that share the gMSA will query the domaincontrollers to retrieve the latest password.


[ 19 ]

What is the default time limit for KDS root key replication? 5.

The default time limit for KDS root key replication is 10 hours. This canbe overridden by running Add-KdsRootKey –EffectiveTime((get-date).addhours(-10)).

Do we need to define a password for MSAs or gMSAs?6.

No, it is not required. Both use a complex, random, 240-characterpassword that is changed automatically when it reaches the passwordexpiry date set on the domain or computer.

What is a iNetOrgPerson object?7.

The inetOrgPerson object is defined in RFC 2798. This object type isused by other directory services based on LDAP and X.500. This existsin AD in order to support migration from non-Microsoft directoryservices and support applications that require iNetOrgPerson objects.This object can be converted into a regular user if required.

Chapter 9: Designing the OU StructureHow does an OU help in a hierarchical design?1.

Organizational units help us to define the hierarchical structure forobjects within the domain boundaries based on the companyrequirements.

What is the difference between a container and an OU?2.

After AD installation, if you check ADUC MMC, you will only see onedefault OU created for domain controllers. All other folders in the treeare containers. Containers also can hold objects similar to the way anOU does. But we can't create new containers apart from the onesalready in there. We also can't apply group policies in container level.Group policies only can apply on the OU level.


[ 20 ]

Why isn't the container model suitable for large organizations?3.

AD containers have large administrative boundaries. The containermodel for OUs also follows a similar concept. This is mainly suited forsmall businesses with limited administrative and security requirementsfor AD objects. With the container model, we can't apply tailoredgroup policies or precise delegated control as each OU can containdifferent classes of objects. This model is not a future-proof modeleither. As the business grows, if company wants to move into differentmodel, it will be difficult to implement without a complete structuralchange.

Can OU administrators delegate control to child OUs?4.

Yes, OU administrators can delegate control to their child OUs.

What are the two different types of OU delegation?5.

The first type of OU delegation is based on default containers and OUs.With this method, delegation will only be done on default ADcontainers and OU levels. The second type of OU delegation is done onthe custom OU level. These OUs can contain different types of objects.With this second method, no delegation will happen in default ADcontainers or OU levels.

Chapter 10: Managing Group PoliciesWhat is the GPT.INI file? Where it is located?1.

The GPT.ini file contains the version number of the Group Policy.After every Group Policy addition, the version number will increaseautomatically and will be used as a reference to sync the Group Policychanges from one domain controller to another.


[ 21 ]

Each Group Policy has its own GPT.ini file and it is located in\\rebeladmin.com\SYSVOL\rebeladmin.com\Policies\GPO.Now, rebeladmin.com can be replaced in this path with your domainFQDN. GPO represents the policy folder. Each Group Policy will have aseparate folder to save policy-related data, including GPT.ini:

What are the three levels we can apply to a Group Policy?2.

Group Policy can be applied to three levels in the AD environment:

The AD Site levelThe domain levelThe OU level

How can we disable local policy processing?3.

Windows systems are supported to set up local security policies. Thesepolicies are not similar to domain GPOs, and they contain limitedfeatures that are more focused on security settings. They are applied toany user who logs in to the system. If required, we can completelydisable local policy processing. This will prevent the application ofnon-recommended settings that administrators do not have controlover or awareness of. This can be disabled by using a Group Policysetting. The policy setting is located at Computer Configuration |Administrative Templates | System | Group Policy | Turn off LocalGroup Policy Objects Processing; to disable policy processing, thevalue should be set to Enable.


[ 22 ]

What are the two types of Group Policy processing modes?4.

Group policies are mainly processed in two different modes. Bydefault, the Group Policy's computer settings will start to processduring computer startup, before the user log-on box prompts. Once theuser enters their username and credentials, the Group Policy's usersettings start processing. This pre-processing mode iscalled foreground processing. During foreground processing, somepolicies will finish processing but some will not. They will beprocessed in the background after the user has logged in and thenetwork connection has been initialized. Also, once the user logs in,every 90 minutes, the group policies will run in the background bydefault. This is the second mode of Group Policy processing.

In a Group Policy conflict, how are the winning policy settings decided?5.

Group Policy precedence order and Group Policy inheritance decidewhich policy will win when there is a conflict. In the AD environment,group policies will be processed in this order:

Local policiesSite policiesDomain policiesOU policies

This is referred to as LSDOU.

Any Group Policy applied in the upper level of the domain structure isinherited by the lower levels. We call this group policy inheritance. Wecan view group policy inheritance for an OU using the Get-GPInheritance command. As an example, we can view group policyinheritance data for the Users OU of the rebeladmin.com domain byusing Get-GPInheritance -Target"OU=Users,OU=Europe,DC=rebeladmin,DC=com".


[ 23 ]

What are the two types of Group Policy filtering?6.

The two types of group policy filtering are the following:

Security filteringWindows Management Instrumentation (WMI) filtering

In security filtering, we can assign group policies to specific securitygroups, users, and machines. This helps to manage group policyprocessing within a site, domain or OU. We also can use the samemethod to deny group policy processing.

Instead of permissions, WMI filters can apply group policies based oncharacteristics of objects. As an example, the WMI filter method can beused to apply a Group Policy to machines running the 64-bit version ofWindows 10.

What are the two modes in loopback processing? How do they work?7.

There are two modes of loopback processing:

Replace mode: In replace mode, user settings attached to theuser from the original OU will be replaced by the usersettings attached to the destination OU.Merge mode: If merge mode is enabled, the user will havethe settings from the OU that their account belongs to, andthe user policy settings from the OU in which their machineis located. (This is the same place where loopback policysettings are configured.)

Chapter 11: Active Directory ServicesWhat is the OS requirement for installing LDS?1.

AD LDS can be installed on any Microsoft operating system afterWindows Vista (Server and desktop). If you are running Windows 7,AD LDS needs to be downloaded from https:/ /www. microsoft. com/en- gb/ download/ details. aspx? id=14683. For all other operatingsystems, it comes as a feature (for desktops) or a role (for servers).


[ 24 ]

What is the main difference between FRS and DFSR when it comes to2.replication?

FRS uses the last-write-wins method. When the system detects a filechange in one of the SYSVOL folders, it becomes the authoritativeserver and will replicate the entire file on the other domain controllers.It will not merge the changes. It doesn't matter how small the changeis. It always copies the entire file, which can cause performance issues,especially if the domain controllers are on slow connections.

DFSR allows the replication of partial file changes using block-levelreplication. It supports asynchronous file replication via slow links. Ifyou are running Enterprise Edition, it can use cross-file RemoteDifferential Compression (RDC) to create files on the client side usingcommon blocks used by similar files. It will reduce the amount of datathat needs to be transferred via the links.

What role does a bridgehead server play?3.

In the AD infrastructure, the Knowledge Consistency Checker (KCC)is an in-built process that runs on domain controllers and is responsiblefor generating replication topology. It will configure the replicationconnection between domain controllers. When it comes toreplication between sites, the KCC selects a domain controller asa bridgehead server, which will send and receive replication traffic for itssite. If you have multiple domains in multiple sites, each domainshould have its own bridgehead server. A site can have multiplebridgehead servers for the same domain, but at a given time, only onewill be active. This is decided based on the domain controller's lowestGUID value. In the AD environment, if intra-site replication isinvolved, AD automatically selects the bridgehead servers. However,there are situations where you may prefer a specific server to act as abridgehead server. In such a scenario, we can change the bridgeheadserver by using the AD Sites and Services MMC.


[ 25 ]

In the AD environment, there are mainly two types of replication:4.Intra-site replication: Intra-site replication covers thereplications happening within AD Site. By default, any domaincontroller will be aware of any directory update within 15seconds. Within the site, no matter the number of domaincontrollers, any directory update will be replicated in less than aminute.Inter-site replication: If the AD infrastructure contains morethan one AD site, a change in one site needs to be replicated overto other sites. This is called inter-site replication.

What is the role of the UTDV table?5.

The up-to-dateness vector (UTDV) table is maintained locally by eachdomain controller to prevent unneeded replications. A UTDV table isalso created per naming context and each domain controller has aminimum of three UTDV tables. The UTDV table contains the highestUPN value it learned from any connected domain controller per NC(Naming Context) basis. This will prevent domain controllers fromreplicating the same changes over and over. For example, if domaincontroller A receives a domain NC from domain controller B, it willupdate the UTDV table and update the UPN value for it. Based on that,it will not retrieve the same update from the other connected domaincontrollers.

What is the use of PRP in an RODC environment?6.

By default, RODC does not save any passwords (except RODC objects)for AD objects. Every time authentication happens, it will need toretrieve the data from the closest domain controller. Using PasswordReplication Policy (PRP), we can allow the caching of certainpasswords for objects. In that case, if the connection between a remotesite and the closest domain controller is interrupted, RODC will be ableto process the request.


[ 26 ]

What we can recover using AD snapshot?7.

With Windows Server 2008, Microsoft introduced the AD snapshotfeature. With this, a snapshot is taken of an AD database at a giventime. Later, it can be used to compare object value changes, and exportand import objects that have been deleted or modified. Do not mistakethis for a typical snapshot. This is happening inside AD, and we cannotuse it to completely recover a domain controller. It allows us to mountthe snapshot while the existing AD DS configuration is running.However, we cannot move or copy objects between snapshots and aworking AD DS instance.

Chapter 12: Active Directory CertificateServices

What is the main difference between symmetric and asymmetric keys?1.

The symmetric method uses a shared secret or private key to encryptand decrypt data. The asymmetric method, on the other hand, usesa key pair to do the encryption and decryption. It includes two keys:one is a public key and the other one is a private key. Public keys arealways distributed publicly and anyone can have them. Private keysare unique to the object and will not be distributed to others. Anymessage encrypted using a public key can be decrypted only using itsprivate key. Any message encrypted using a private key can bedecrypted only using a public key.

What is a message digest?2.

A message digest helps to ensure data integrity during the datatransmission process. A message digest is a numeric representation ofmessage content and is created using a one-way hashing algorithm. Bycomparing message digests during data transmission, we can identifyany modifications made to e data.


[ 27 ]

How many different types of CA are there?3.

There are mainly two types of CAs:

Public CA: Public CAs are available for anyone, and userscan pay the associated fees and generate certificates. Thesecertificates come with different levels of insurance as well.GoDaddy, Commodo, and Dotster are some serviceproviders that issue certificates.Private CAs: This type of CA is mainly for the internalinfrastructures, and it can be used to issue, manage, renew,and revoke certificates for internal objects and services.

What PKI deployment models are easy to extend?4.

The following PKI deployment models are easy to scale:

Two-tier model: In this model, there will be one offline rootCA and several online issuing CAs.Three-tier model: In this model, there will be one offline rootCA, a few offline intermediate CAs, and a few online issuingCAs.

Why is the security of the root CA important?5.

The root CA is the most trusted CA in the PKI environment. Acompromised root CA will compromise the entire PKI. The bestpractice is to bring the root CA online only when required.

What is the role of an intermediate CA?6.

The role of intermediate CAs is to operate as a policy CA. In largerorganizations, different departments, different sites, and differentoperation units can have different certificate requirements. As anexample, a certificate issued to a perimeter network will require amanual approval process, while users in the corporate network preferauto-approval. IT teams prefer to use advanced cryptographicproviders for their certificates and large keys, while other users operatewith the default RSA algorithms. All these different requirements aredefined by the policy CA, and it publishes the relevant templates andprocedures to the issuing CAs.


[ 28 ]

What does the DSConfigDN value do?7.

In a domain-joined CA, CRL Distribution Points (CDP) and authorityinformation access (AIA) data is stored directly on the domaincontroller. But in a standalone CA, this information is stored onthe DSConfigDN registry key.

Chapter 13: Active Directory FederationServices

What is the role of a claims provider?1.

In a federation trust, the organization that provides claims to its usersis called the claim provider (CP):

In this example, Rebeladmin Corp. is using a web service from thecloud service provider. Rebeladmin Corp. has initiated a federationtrust with the service provider, so its users can authenticate intoapplications using their own Windows login credentials. In this setup,Rebeladmin Corp. becomes the CP.

What is the role of a relying party trust?2.

In a federation trust, the organization who receives and processes theclaims is called the relaying party (RP):

In this example, the cloud service provider will receive claims fromRebeladmin Corp. Therefore, the cloud service provider will be the RP.


[ 29 ]

What is a claim type?3.

Claim type defines what sorts of values will be included in the claim.AD Federation Services (FS) supports many different claim types suchas UPN, email, given name, common name, name, surname, andWindows account name.

Why are WAP roles important in security?4.

The Web Application Proxy allows us to publish web applications(including AD FS) to the public internet without exposing its backend.It also can provide basic Denial of Service (DoS) protection bythrottling and quieting connections. This service comes as part of theRemote Access role. It is also recommended to install it in a DMZnetwork.

What the advantages of using the MS SQL database to save AD FS5.configuration?

AD FS uses Windows Internal Database (WID) as its default databasemethod. The IT team doesn't require any additional servers and cansimply install it in the same AD FS server. If it is an AD FS farm withWID, only the primary server can write configuration to WID.

If your operational requirements mean that your AD FS instance usesthe MSSQL configuration database, then you can add high availabilityto the SQL setup using clustering or the Always On method. UnlikeWID, every server in the farm has read/write access to theconfiguration database. It also enables support for features such asSAML artifact resolution and SAML/WS-Federation token replaydetection. Both the features require a configuration stored in the sharedSQL database instead of WID.


[ 30 ]

What are the things we can do to ensure support for future expansions of6.AD FS farms?

If there are plans for future expansion of an AD FS environment withhigh availability, we have to use a single federation server and singleweb application proxy server topology at the very least. Then, we cansimply use Windows Network Load Balancing (NLB) for eachcomponent and configure it just with one node. When the times comes,we can introduce additional servers to NLB with minimal changes tothe environment.

What is the role of the metadata XML?7.

When we establish a trust, we need to provide certain information tomatch the service provider's application configuration. This is painful,as even a small mistake can cause issues. Also, if these settings werechanged on the service provider's side, we will not know until theyinform us of what to modify on the AD FS side. Therefore, serviceproviders use metadata XML files to publish these required settings.This simplifies the configuration. If there is no metadata file, we stillcan create the trust using the required custom settings.

Chapter 14: Active Directory RightsManagement Services

What is data classification and why is it important in data protection?1.

In order to protect data, we first need to know exactly what we areprotecting. In an organization, data can be in many formats andappears in many locations. As an example, the credit card informationof clients is generally considered to be confidential data. It may besaved in Word documents, Excel files, PDF documents, and so on. Itcan also appear in fileshares, emails, and cloud storage. In order toprotect data, we need a way to identify data and tag/label itaccordingly. This process is called data classification.


[ 31 ]

Data classification can be done using two methods. We can depend onusers to label data when they enter it. As an example, if a user sendscredit card details in an email, they can classify it as confidential data.Another method is automated data classification. Based on rules orpolicies, a data classification software/service will scan datarepositories and apply classifications automatically. This is a morepractical method, especially if you are working with large volumes ofdata. Once we have classification in place, then we know what kind ofdata we are working with.

What is the difference between NTFS permissions and AD RMS2.permissions on a document?

NTFS permissions control who has access to what data. But it can'tcontrol the behavior of data. As an example, let's assume we have ashared drive called sales with confidential documents. All themembers of the sales team have full access to it. Access is not allowedfor any other employee of the company. This access is controlled byNTFS permissions. There is a sales representative called Neil in thecompany. According to NTFS permissions, he has full access to thedrive. He wants to send one of the confidential files in that drive to oneof his friends in another company. He can simply copy the file to hiscomputer and forward it using his email. NTFS can't prevent this. Oncethe email is delivered, the recipient can simply open the file and accessthe data in it. This kind of behavior can only be prevented by usingRights Management Services (RMS). Based on policies, RMS canmaintain control over data, even after it leaves your organization'spremises.

What is the difference between a root cluster and a licensing cluster?3.

The root cluster: When we deploy the first RMS server in aninfrastructure, it becomes the root cluster. By default, it responds toboth licensing and certificate requests from clients. When required,additional RMS servers can be added to the cluster. There is only oneroot cluster that can exist in one AD DS forest.

Licensing cluster: If an organization has multiple sites, it is always bestto use local services, especially if the sites are connected through slowlinks. This improves service performance as well as reliability. In suchscenarios, organizations can deploy licensing-only clusters on remotesites to serve licensing requests from clients.


[ 32 ]

Can a root cluster with multiple servers use the WID ?4.

No, it is not possible. If it is going to use multiple users, theconfiguration database should be running on top of Microsoft SQL.

What is an RAC?5.

When a user first authenticates into the AD RMS cluster, it creates aRights Account Certificate (RAC). This will be the user's identity inAD RMS. This is a one-time process. This certificate contains the publickey and private key of the user, which is encrypted by the usercomputer's public key.

What is a CLC?6.

When a user registers with the AD RMS cluster, it also creates anothercertificate called the Client Licensor Certificate (CLC). This CLCincludes the CLC's public and private keys, which are protected by thepublic key of user. It also includes the AD RMS cluster public key,which is signed by the AD RMS private key.

Why is it best to use root clusters if you're concerned about high7.availability?

The AD RMS root cluster answers for both certificates and licensingrequests. The licensing-only cluster can also be deployed in the sameforest, and it will respond to licensing requests only. In the root cluster,load balancing between member servers is handled on the cluster level,and its configurations are independent. It cannot be shared betweendifferent clusters. Therefore, it is recommended to use the root clusterif you're looking for high availability.

What is Azure Information Protection?8.

Azure Information Protection (AIP) is a cloud-based solution thathelps to identify and protect sensitive data in cloud or hybridenvironments. AIP uses labels to classify data. Once data has beenclassified, we can control the flow of data using policies.


[ 33 ]

Chapter 15: Active Directory SecurityBest Practices

What is KDC?1.

The Kerberos protocol has three main components:

A clientA serverA trusted authority to issue secret keys

This trusted authority is called the Key Distribution Center (KDC).

In an AD environment, the KDC is installed as part of the domaincontroller. The KDC is responsible for two main services: one isthe Authentication Service (AS) and the other is the Ticket-Granting Service (TGS).

On which levels can AD-delegated control ACLs apply?2.

In an AD environment, delegated permissions can apply on thefollowing levels:

Site: Delegated permissions will be valid for all the objectsunder the given AD site.Domain: Delegated permission will be valid for all theobjects under the given AD domain.OU: Delegated permissions will be valid for all the objectsunder the given AD OU.

What are the limitations of fine-grained password policies?3.

Fine-grained password policies have the following limitations:

Fine-grained password policies can be applied only to usersand global security groups. They can't be applied to OUs.By default, only Domain Admins/Enterprise Admins can setup/manage/delete fine-grained password policies. It ispossible to delegate permission to other users if required.The minimum domain functional level is Windows Server2008.


[ 34 ]

What are the benefits of protected user groups?4.

AD protected user groups have following benefits.

Members of this group cannot use NTLM, digestauthentication, or CredSSP for authentication. Plaintextpasswords are not cached. So, any of the devices using theseprotocols will fail to authenticate to the domain.Kerberos long-term keys not cached. For accounts in thisgroup, the Kerberos protocol verifies authentication at eachrequest (the TGT acquired at login).Sign-in is offline. A cached verifier is not created at sign-in.No Kerberos TGT can be valid more than 4 hours.No delegation can use the unconstrained or constrainedmethod.There is no DES or RC4 encryption in Kerberos pre-authentication.

What is the difference between JIT administration and JEA?5.

JIT administration allows users to have administrative privilegeswhenever they require them. In this method, user accounts do not needto be members of privileged groups permanently. With JIT, users needto request privileges when they need them. After approval, a givenuser will be a member of the privileged group, but this membership isbound to a TTL. When the TTL value is reached, group membershipwill automatically be removed.

JEA, on the other hand, allows you to provide role-based privilegesinstead of full administrative privileges. In this method, users onlyhave permissions that are required to run the tasks they have beenassigned to do. As an example, we can allow a user to run a specificPowerShell script on Computer A without assigning a privileged role.The user will not be able to use space permission on Computer B or torun any other administrative task.


[ 35 ]

What is an access review in Azure AD PIM?6.

Using Azure PIM access reviews, we can review the activities andaccess of members in privileged groups and adjust their membershipsaccordingly. A PIM access review is fully automated so we canschedule it to run more frequently. We can still do access reviewsmanually, but Azure PIM access reviews can provide the followingbenefits:

Automated: The entire process is automated. You do notneed to go through logs or do anything manually.Actions: We can attach predefined actions to execute at theend of a successful access review job. If required, we also canmanually decide what to do with the findings (approve ordeny access).Schedule: Access reviews jobs can be scheduled to runperiodically. This helps you to complete reviews morefrequently than with the manual method.Recommendation: Access review jobs providerecommendations based on their findings. This helpsreviewers to decide what actions to take.Delegations: Access review jobs allow delegation. We canassign someone else in the team to decide what to do withthe findings. It helps to get more accurate results.

What is the role of approver groups in Azure AD PIM?7.

Once Azure AD PIM in place, users have to request to enable privilegeaccess. If using the manual approval process, these requests should beforwarded to individuals or groups for processing. The best practice isto create a security group and use it as an approver group. It is best touse a group of approvers rather than individuals, as anyone in thegroup can process requests. It is the approvers' responsibility to do thefollowing:

Validate privilege access requests.Check whether the justification matches the business andoperational requirements.Audit user activities to verify whether users are doing whatthey are supposed to do.


[ 36 ]

Revoke permissions in the event of a suspicious act orpermission misuse.Perform periodic access audits and reviews to improve thePIM setup.

What are the benefits of Azure RMS?8.

Azure RMS has the following benefits:

Support for Office 365 and on-premises services throughconnectors: Azure RMS works seamlessly with Office 365. Italso can protect data on on-premises services such asExchange Server, SharePoint, and Windows Server. This isdone through connectors.Supports a wide range of devices: Azure RMS is not aWindows-only service.No boundaries: Once protection is applied, it doesn't matterwhere the file is going to be.Track data: Azure RMS allows you to monitor access andusage of protected data even if it is in a remote network.Supports a wide range of applications: By using the AIPclient, we can protect different types of data using differenttypes of applications.

Chapter 16: Advanced AD Managementwith PowerShell

How we can install Active Directory PowerShell module?1.

By default, the AD PowerShell module comes as part of the AD roleinstallation. We can use this module from any domain controllerwithout any additional configuration. The AD PowerShell module alsocomes as part of the RSAT tools. These can be installed on either aserver OS (using Server Manager) or desktop OS (by downloading itfrom Microsoft Download Center, at https:/ / www.microsoft. com/ en-gb/ download).


[ 37 ]

What is PowerShell core?2.

PowerShell now has two editions. Windows PowerShell is the mostwidespread version and has been around in the industry for the last 10years. It is built on .NET Framework and, therefore, it only works onWindows systems. PowerShell Core is the latest edition and is built on.NET Core. This allows engineers to use PowerShell Core on differentsystems including Windows, macOS, and Linux. This creates auniversal platform for engineers to work on. It is still improving, as atthe moment, PowerShell Core only supports a limited number ofPowerShell modules.

What are the two versions of Azure Active Directory PowerShell for Graph3.module?

The Azure AD PowerShell for Graph module has two versions: thegeneral availability version and public preview version. The generalavailability version is for production use and can be installed usingInstall-Module AzureAD. The public preview version is the latestversion and is recommended for use with testing environments. Wecan install it using Install-module AzureADPreview.

What is Azure Cloud shell?4.

Azure Cloud Shell is a browser-based command-line interface formanaging Azure resources. Cloud Shell can directly be launched fromthe Azure portal (https:/ /portal. azure. com). This can be accessedfrom any system and doesn't required any additional configuration onthe local system. We can also use Azure Cloud Shell to manage AzureAD environments.


[ 38 ]

Chapter 17: Azure Active Directory HybridSetup

What is the main difference between password hash synchronization and1.the federated sign-in method?

In an Azure AD hybrid environment, sign-in methods can be groupedinto two categories:

Authentication takes place against Azure AD: In thiscategory, cloud users and synced on-premises users willdirectly be authenticated via Azure AD. No authenticationrequest will pass to on-premises AD for processing whenusers access Azure services.Authentication takes place against on-premises AD: Underthis category, if synced on-premises users try to authenticateinto Azure services, it will be processed by on-premises AD.

Of these two categories, password hash synchronization falls under thecategory of Authentication takes place against Azure AD. With thismethod in place, users do not depend on local AD for authentication.

The federated sign-in method, on the other hand, will authenticate on-premises users always via on-premises AD.

How are password hashes protected when you're syncing from an2.onpremisesAD?

Hashes stored in AD are in the MessageDigest 4 (MD4) algorithm format. When Azure AD makes a requestfor hashes, DC encrypts the MD4 hash values using a secure key. Thiskey is the MD5 hash value of the Remote Procedure Call (RPC) sessionkey and salt. The salt provides additional security by adding randomcharacters to the hash. Once the encryption is completed, the systemsends the encrypted hash values to the synchronization agent via RPC.On-premises DC also sends the salt to the synchronization agent viathe inter-DC replication protocol.


[ 39 ]

Once the synchronization agent receives the encrypted hash, it usesthe MD5CryptoServiceProvider class and the salt to decrypt thehash envelope and retrieve the original hash values. Then, thesynchronization agent converts the 16-byte hash into a 64-byte hash.After that, the synchronization agent adds a further 10-byte salt asextra protection for the original hash. This salt value is unique for eachuser. The synchronization agent then uses the original MD4 value andsalt value in the Password-Based Key Derivation Function2 (PBKDF2) (https:/ /www.ietf. org/ rfc/ rfc2898. txt). This processwill generate a Hash-Based Message Authentication Code (HMAC)using the Secure Hash Algorithm 256-bit (SHA256) hash function.

Even if someone has access to hashes, why can't they be used in a pass-3.thehashattack?

Even if someone has access to the SHA256 hash of a user, it can't beused for on-premises AD authentication, as the original MD4 hash wasnever transmitted to Azure AD.

Why is pass-through authentication better than the federation sign-in4.method?

To create federation trusts between Azure AD and on-premises AD,quite a bit of work is involved. We need additional servers, SSLcertificates, licenses, a high-availability solution, firewall changes, andadvanced configurations. But Azure AD Pass-through Authenticationallows organizations to carry out on-premises-only user authenticationwith minimum changes to the environment.

How does the HA of pass-through authentication work?5.

It is recommended to use at least three pass-through authenticationagents for an environment. It is a lightweight piece of software. Duringthe authentication, any of the available agents will be used. Microsoftalso recommends using the password hash synchronization method asthe fallback authentication method. This will allow users toauthenticate on cloud services, even if none of the pass-through agentsare online.


[ 40 ]

When Azure AD Seamless SSO is enabled, how do users avoid entering6.usernames in login pages?

Once Azure AD Seamless SSO is enabled, if an application canforward domain_hint (OpenID Connect) or the whr (SAML)parameter to identify the tenant, and the login_hint (OpenIDConnect) parameter to identify the user, then we can log in to AzureAD without typing usernames. This is also possible if the applicationuses a unique URL and is able to pass on the domain info or tenantinfo.

What is the role of the Azure AD Connect staging server?7.

By design, it is not possible to have multiple Azure AD Connectservers sync the same directory data to the same Azure AD Tenant.However, Azure AD Connect supports maintaining a second server instaging mode, which is ideal for high availability. A server in stagingmode reads data from all connected directories but will not sync it tothe Azure AD Tenant. It runs sync jobs as a normal Azure AD Connectserver does, so in the case of disaster, it already has the latest data. Inthe event of a primary server failure, using the Azure AD Connectwizard, we can fail over to the staging server.

Chapter 18: Active Directory Audit andMonitoring

What kind of threats can Microsoft ATA detect?1.

The following types of threats can be detected by Microsoft AdvancedThreat Analytics (ATA):

Reconnaissance using account enumerationNet Session enumerationReconnaissance using DNSReconnaissance using DS enumerationBrute-force attacksSensitive accounts exposed in plaintext authentication


[ 41 ]

Services exposing accounts in plaintext authenticationSuspicious honeytoken account activitiesUnusual protocol implementationMalicious data protection through a private informationrequestAbnormal behaviorPass-the-Ticket attacksPass-the-Hash attacksOverpass-the-Hash attacksMS14-068 exploitsMS11-013 exploitsSkeleton Key malwareGolden Ticket attacksRemote executionMalicious replication requestsATA components

What is the difference between ATA Gateway and ATA Lightweight2.Gateway?

The ATA Gateway needs to be installed as a separate server thatmonitors domain controller traffic using port mirroring method. TheATA Lightweight Gateway, on the other hand, can be directly installedon domain controllers to monitor AD traffic without the need for portmirroring. This is the quickest way to get ATA up and running.

What is the difference between metrics and logs?3.

Metrics are numeric values described as a particular state of a service,system, or application at a given time. As an example, the status of aservice at a given time (up or down) is a metric. It is specific and easyto analyze. Metrics are mostly used with performancedata. Logs contain data from events. This type of data needs to beanalyzed using queries.


[ 42 ]

Why is Azure Monitor better than SCOM?4.

Azure Monitor is better than SCOM for many reasons, including thefollowing:

Minimal configuration and maintenance: If you've workedwith SCOM before, you may know how many differentcomponents we need to configure, such as managementservers, SQL servers, gateway servers, certificate authorities,and so on. But with Azure Monitor, all we need is asubscription and the initial configuration of the monitoringagents or gateway, and there's no more complexmaintenance routing to worry about, either.Frequent feature updates: Microsoft releases a new SystemCenter version every four years. But Azure Monitor updatesand new services come more often. It allows Microsoft toaddress industry requirements quickly.Dashboards: One of the great features of Azure Monitor isthe rich data visualization. SCOM is more of an alert-basedmonitoring system and there is very little data visualizationfunctionality. Data visualization help engineers to accessrelevant data quickly. Azure Monitor contains lots of pre-built tiles to visualize the collected and analyzed data. It alsoallows us to create custom tiles based on our own queries.The dashboard can display both metrics and log data.

How can we monitor identity infrastructure security threats?5.

There are many tools that we can use to monitor identity infrastructurethreats. We have learned about a few of these, including MicrosoftATA, and Azure Monitor, which we can use to identify threats. Apartfrom that, we also can use Microsoft Defender Advanced ThreatProtection, Azure Sentinel, and Log Analytics to identify emergingsecurity threats. However, prevention is always better than a cure. InChapter 15, Active Directory Security Best Practices, we learned aboutthe many different methods, tools, and services that we can use toprotect identity infrastructures from modern threats.


[ 43 ]

What is Azure Sentinel?6.

Azure Sentinel is a cloud-based Security Information EventManagement (SIEM) and Security Orchestration AutomatedResponse (SOAR) solution. At the time this book was written, AzureSentinel was in preview stage. Azure Sentinel is capable of thefollowing:

Collecting data at cloud scale from different users, devices,applications, services, and infrastructure (on-premises andcloud-based)Detecting threats quickly by minimizing false positives usingMicrosoft's analytics and threat intelligenceInvestigating threats with artificial intelligence and findingroot causes effectively by using the vast amount of datacollected by Microsoft from cybersecurity workProviding an automated respond to incidents using its built-in orchestration

Chapter 19: Active DirectoryTroubleshooting

What is the repadmin utility? What does it do?1.

Repadmin.exe is the most commonly used Microsoft utility totroubleshoot AD replication issues. It is available on servers that havethe AD DS or AD LDS roles installed. It is also part of the RSATpackage. It is recommended that this utility to be run as DomainAdmin or Enterprise Admin. However, it is also possible todelegate permissions only to review and manage replication.

What is ADREPLSTATUS capable of?2.

Microsoft has a utility called the AD Replication Status Tool(ADREPLSTATUS), which allows engineers to review the replicationstatus of an AD environment. We can download it via https:/ /www.microsoft. com/ en- gb/ download/ details. aspx? id= 30005.


[ 44 ]

What are AD lingering objects and how do you prevent them?3.

Let's assume a domain controller has been disconnected from the ADenvironment and stayed offline for a greater amount of time than thevalue specified as the tombstone lifetime attribute. Then it was againreconnected to the replication topology. The objects that were deletedfrom AD during the time it was offline will remain as lingering objectsin it.

We can prevent this by enabling Strict Replication Consistency in thedomain controllers. This setting is controlled by a registry key. AfterWindows Server 2003, by default, this setting is enabled. The key canbe found underHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NT

DS\Parameters.

What is Content Freshness protection in DFS?4.

With Windows Server 2008, Microsoft introduced a setting calledContent Freshness Protection to protect DFS shares from stale data.DFS also uses a multi-master database similar to Active Directory. Italso has a tombstone time limit similar to AD. It is 60 days by default.So, if there was no replication more than that time and a re-enablingreplication in a DFS member, it could easily create stale data. This issimilar to lingering objects in AD. To protect from this, we can define avalue for MaxOfflineTimeInDays. If the number of days from the lastsuccessful DFS replication is more than the MaxOfflineTimeInDaysvalue, it will prevent the replication. In such a situation, you will beable to see event 4012. After Windows Server 2012, this feature isenabled by default and the initial value is set to 60 days.


[ 45 ]

What can affect DFS Replication?5.

DFS replication can be affected by the following:

Firewall rules: Once DFSR is enabled, related firewall portsalso need to be opened for successful DFS replication. TCPports 137, 139, 389, 135, and 445 and UDP ports 137, 138,389, and 445 need to be allowed if DFS traffic is passingthrough a hardware/software firewall.Antivirus: If you have antivirus or any other endpointprotection solution in place, it can also make an impact onDFS replication. It is recommended to check with the serviceprovider to tune the solution for DFS replication.

What is the best way to back up Active Directory?6.

We need a system state backup to restore AD in the event of a disaster.The best practice is to take a system state backup of the PDC and atleast one other domain controller. This way, at least two differentbackups will be available for restore.

Appendix A: Assessments · 2019-08-14 · (Microsoft Active Directory (AD) domain controllers keep...

Documents

Transcript of Appendix A: Assessments · 2019-08-14 · (Microsoft Active Directory (AD) domain controllers keep...