Identity with Windows Server 2016

Identity with Windows Server 2016: Microsoft 70-742 MCSA Exam Guide

Deploy, configure, and troubleshoot identity services and Group Policy in

Windows Server 2016

Vladimir Stefanovic

Sasha Kranjac

BIRMINGHAM - MUMBAI

Identity with Windows Server 2016:

Microsoft 70-742 MCSA Exam Guide

Copyright © 2019 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,

without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the

information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its

dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by

the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Kartikey Pandey

Acquisition Editor: Shrilekha Inani

Content Development Editor: Ronn Kurien

Technical Editor: Aditya Khadye

Copy Editor: Safis Editing

Language Support Editor: Mary McGowan

Project Coordinator: Jagdish Prabhu

Proofreader: Safis Editing

Indexer: Pratik Shirodkar

Graphics: Tom Scaria

Production Coordinator: Deepika Naik

First published: January 2019

Production reference: 1310119

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-83855-513-9

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books

and videos, as well as industry leading tools to help you plan your personal

development and advance your career. For more information, please visit our

website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and

videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

Packt.com

Did you know that Packt offers eBook versions of every book published, with

PDF and ePub files available? You can upgrade to the eBook version at www.packt.

com and as a print book customer, you are entitled to a discount on the eBook

copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up

for a range of free newsletters, and receive exclusive discounts and offers on

Packt books and eBooks.

Contributors

About the authors

Vladimir Stefanovic is a Microsoft Certified Trainer (MCT) and system

engineer with more than 10 years of experience in the IT industry. Over his IT

career, Vladimir has worked in all areas of IT administration, from IT technician

to his current system engineer position. As a lead system engineer at Serbian IT

company SuperAdmins and lead technician trainer at Admin Training Center, he

successfully delivered numerous projects and courses. He is also an active

conference speaker, having spoken at a long list of conferences, such as MCT

Summits (in the USA, Germany, and Greece), ATD, WinDays, KulenDayz, and

Sinergija (Regional Conferences). He is the leader of a few user groups and is an

active community member, with the mission to share knowledge as much as

possible.

Sasha Kranjac is a security and Azure expert and instructor with more than two

decades of experience in the field. He began programming in Assembler on Sir

Clive Sinclair's ZX, met Windows NT 3.5, and the love has existed ever since.

Sasha owns an IT training and consulting company that helps companies and

individuals to embrace the cloud and be safe in cyberspace. He is a Microsoft

MVP, MCT, MCT Regional Lead, Certified EC-Council Instructor (CEI), and

currently holds more than 60 technical certifications. Sasha is a frequent speaker

at various international conferences, and is a consultant and trainer for some of

the largest Fortune 500 companies.

About the reviewer

Mustafa Toroman is a program architect and senior system engineer with

Authority Partners. With years of experience of designing and monitoring

infrastructure solutions, lately he focuses on designing new solutions in the

cloud and migrating existing solutions to the cloud. He is very interested in

DevOps processes, and he's also an Infrastructure-as-Code enthusiast. Mustafa

has over 30 Microsoft certificates and has been an MCT for the last 6 years. He

often speaks at international conferences about cloud technologies, and he has

been awarded MVP for Microsoft Azure for the last three years in a row.

Mustafa also authored Hands-On Cloud Administration in Azure and co￾authored Learn Node.js with Azure, both published by Packt.

Packt is searching for authors like

you

If you're interested in becoming an author for Packt, please visit authors.packtpub.c

om and apply today. We have worked with thousands of developers and tech

professionals, just like you, to help them share their insight with the global tech

community. You can make a general application, apply for a specific hot topic

that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Identity with Windows Server 2016: Microsoft 70-742 MCSA Exam Guide

About Packt

Why subscribe?

Packt.com

Contributors

About the authors

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Conventions used

Get in touch

Reviews

1. Installing and Configuring Active Directory

Introduction to Active Directory

Logical components

Partitions

Schemas

Domains

Domain trees

Forests

Sites

Organizational Units

Containers

Physical components

Domain controllers

Read-only domain controllers

Data stores

Global catalogs

What's new in AD DS in Windows Server 2016

AD DS administration tools

Installing and configuring the Active Directory

Installing a new forest and domain controller

Installing a new forest (GUI)

Installing a new forest on a Server Core installation

Installing a domain controller from Install from Media (IFM)

Removing a domain controller from a domain

Upgrading a domain controller

In-place upgrade

Domain-controller migration

Configuring a global catalog server

Transferring and seizing operation master roles

Transferring FSMO roles

Seizing FSMO roles

Installing and configuring a read-only domain controller (RODC)

Configuring domain controller cloning

Active Directory users and computers

Creating and managing users accounts

Creating and managing computer accounts

Configuring templates

Performing bulk Active Directory operations

Implementing offline domain joins

Managing accounts

Active Directory groups and organizational units

Creating, configuring, and deleting groups

Configuring group nesting

Converting groups

Managing group membership using Group Policy

Enumerating group memberships

Automating group-membership management using Windows PowerShell

Delegating the creation and management of Active Directory groups

Active Directory containers

Creating, configuring, and deleting OUs

Summary

Questions

Further reading

2. Managing and Maintaining Active Directory

Active directory authentication and account policies 

Creating and configuring managed service accounts 

Configuring Kerberos Constrained Delegation (KCD)

Managing service principal names (SPNs) 

Configuring domain and local user password policy settings 

Configuring and applying Password Settings Objects (PSOs)

Delegating password settings management

Configuring account lockout policy settings

Configuring the Kerberos policy settings within the group policy

Configuring authentication policies

Maintaining AD

Backing up AD and SYSVOL

Restoring AD

Non-authoritative restoration

Authoritative restoration

Managing the AD offline

Performing the offline defragmentation of an AD database

Configuring AD snapshots

Performing object-level and container-level recovery

AD Recycle Bin (configuring and restoring objects)

Configuring the Password Replication Policy (PRP) for RODC

Monitoring and managing replication

AD in enterprise scenarios

Configuring a multi-domain and multi-forest AD infrastructure

Upgrading existing domains and forests

Configuring the domain and forest functional levels

Configuring multiple user principal name (UPN) suffixes

Configuring external, forest, shortcut, and realm trusts

Configuring trust filtering

SID filtering

Selective authentication

Named suffix routing

Configuring sites and subnets

Creating and configuring site links

Moving domain controllers between sites

Summary

Questions

Further reading

3. Creating and Managing Group Policy

Creating and managing GPOs

Introduction to Group Policy

Managing starter GPOs

Configuring GPO links

Configuring multiple Local Group Policy

Backing up, importing, copying, and restoring GPOs

Resetting default GPOs

Delegate Group Policy management

Detecting health issues using Group Policy

Understanding Group Policy processing

Configuring the processing order and precedence

Configuring inheritance blocking

Configuring enforced policies

Configuring security filtering and WMI filtering

Configuring loopback processing

Configuring Group Policy caching

Forcing a Group Policy update

Configuring Group Policy settings and preferences

Defining network drive mappings

Configuring custom registry settings

Configuring the Control Panel settings

Configuring folder redirections

Configuring shortcut deployment

Configuring item-level targeting

Summary

Questions

Further reading

4. Understanding and Implementing Active Directory Certificate Services

Installing and configuring AD CS

An overview of AD CS

Installing Active Directory Integrated Enterprise Certificate Authority

Installing offline roots and subordinate CAs

Configuring Offline Root CA

Configuring the subordinate CA

Installing Standalone CAs

Configuring Certificate Revocation List (CRL) distribution points

Installing and configuring Online Responder

Implementing administrative role separation

Configuring CA backup and recovery

Backing up CA

Restoring CA

Managing certificates and templates

 Managing certificates

Managing certificate templates

Implementing and managing certificate deployment, validation, and revocat

ion

Managing certificate renewal

Managing AD CS

Configuring and managing key archival and recovery

Summary

Questions

Further reading