AD DS


Active Directory Domain Service Design

Setup the first Domain Controller

Reference

FSMO (Flexible single master operation)

5 FSMO roles (two per forest, three per domain)

  • Schema master / Forest level
    • Only DC allowed to write to the schema partition; needed whenever the schema is extended (Exchange, Lync/Skype for Business, SCCM, a forest functional level raise)
  • Domain naming master / Forest level
    • Authorizes adding and removing domains (and application partitions) in the forest
  • PDC emulator / Domain level
    • Authoritative time source: the forest root PDC emulator syncs with an external source, other DCs sync from it, member computers sync from their DC (PDC->DCs->Computers)
    • Default target for Group Policy editing (GPMC connects to the PDC emulator so concurrent edits do not conflict)
    • Password changes are replicated to the PDC emulator immediately (urgent replication), and a DC that rejects a password checks with the PDC emulator before failing the logon
    • Account lockout: bad password counts are forwarded to the PDC emulator, which enforces the lockout threshold for the domain
  • RID master / Domain level
    • Hands out RID pools to each DC (500 RIDs per allocation by default) so that SIDs created on different DCs never collide
  • Infrastructure master / Domain level
    • Keeps cross-domain object references (for example group members from another domain) up to date; do not place it on a global catalog unless every DC in the domain is also a GC, otherwise it stops updating references

To check the FSMO servers

  • netdom query fsmo

To transfer or seize FSMO roles

Transfer is the normal path and requires the current holder to be online; seize is only for a holder that is permanently lost, and the old holder must never be reconnected to the domain afterwards (remove its metadata instead). Commands typed in ntdsutil, using the DC name from this page:

  • ntdsutil
  • roles
  • connections
  •  ? (lists the commands available at this prompt)
  • connect to server BJDC01
  • quit
  • transfer schema master
  • transfer naming master (transfer domain naming master on Server 2003)
  • transfer pdc
  • transfer rid master
  • transfer infrastructure master
  • (for a lost holder, use seize schema master, seize naming master, seize pdc, seize rid master, seize infrastructure master instead of transfer)
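The same query and move operations with the ActiveDirectory PowerShell module, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory module is installed, that the session runs as a Domain Admin (Enterprise/Schema Admin for the forest roles), and that BJDC01 (the DC named above) is the intended new holder; the seize line is commented out because it must only be run against a holder that is gone for good.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module,
# suitable admin rights, and BJDC01 as the target DC.
Import-Module ActiveDirectory

# Forest-level roles are attributes of the forest object, domain-level roles of the domain object
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host 'Before:'
Get-FsmoHolders

# Graceful transfer: the current holders must be reachable, the cmdlet prompts for confirmation
Move-ADDirectoryServerOperationMasterRole -Identity 'BJDC01' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Seize (disaster recovery only): -Force takes the role without the old holder's cooperation.
# Never bring the old holder back online afterwards; clean its metadata with ntdsutil instead.
# Move-ADDirectoryServerOperationMasterRole -Identity 'BJDC01' -OperationMasterRole PDCEmulator, RIDMaster -Force

Write-Host 'After:'
Get-FsmoHolders

# Cross-check against the tool the page already uses
netdom query fsmo
```

Run Get-FsmoHolders on a second DC after the move to confirm the change has replicated; until it has, the two DCs may disagree about who holds a role.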

How to configure a firewall for domains and trusts

Detect Password Changes in Active Directory

  • Enable auditing of account management (via a GPO linked to the Domain Controllers OU)
    • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit account management -> Define -> Success and Failure
    • On Server 2008 R2 and later the advanced subcategory (Security Settings -> Advanced Audit Policy Configuration -> Account Management -> Audit User Account Management) takes precedence when "Force audit policy subcategory settings" is enabled, so set it there as well
    • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Maximum security log size -> 1GB
    • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Retention method for security log -> Overwrite events as needed (events are lost once the log wraps, so forward them to a collector or SIEM if they must be retained)
  • Get log (password reset attempt by an administrator, event 4724)
    • Get-EventLog -LogName Security -InstanceId 4724
  • Get log (password change attempt by the user, event 4723)
    • Get-EventLog -LogName Security -InstanceId 4723
  • Each DC only logs the resets and changes it processed itself, so query every DC, not just the PDC emulator. Get-EventLog is the legacy cmdlet and is absent from PowerShell 7; Get-WinEvent with -FilterHashtable is the supported replacement.
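The same detection with Get-WinEvent, pulling both 4723 and 4724 and reporting who acted on whom and whether the attempt succeeded, as an added example that is not part of the original page. It assumes the audit policy above is in effect and that the script runs on a DC or against one named with -ComputerName; the function name Get-PasswordChangeEvents is an invented helper.

```powershell
# Added example, not from the original page. Assumes account-management auditing is
# enabled and that the account running it can read the Security log on the DC.
function Get-PasswordChangeEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    # 4723 = user tried to change their own password, 4724 = someone tried to reset another account's password
    $filter = @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $StartTime }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name: the positional Properties[] layout differs between 4723 and 4724
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $ComputerName
                EventId = $_.Id
                Action  = if ($_.Id -eq 4724) { 'Reset' } else { 'Change' }
                Target  = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Actor   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Result  = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
            }
        }
}

# Collect from every DC in the domain, since each one only records what it handled itself
$events = Get-ADDomainController -Filter * | ForEach-Object { Get-PasswordChangeEvents -ComputerName $_.HostName }

# Resets of privileged accounts are the ones worth an alert; adjust the group list to the environment
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
$events |
    Where-Object { $_.Action -eq 'Reset' -and ($_.Target -split '\\')[-1] -in $privileged } |
    Sort-Object Time -Descending |
    Format-Table Time, DC, Actor, Target, Result -AutoSize
```

A 4724 whose Actor is not a known helpdesk or admin account, or whose Target is a service or admin account, is the case to investigate; failed 4723 events in bulk against one user usually mean a script or a user guessing their old password rather than an attack.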