AD DS
From AlphaBook
Contents
Active Directory Domain Service Design
- Single forest single domain is preferred, 2,150,000,000 objects per domain, FQDN less than 64 characters
- Selecting the Forest Root Domain (corp.alphabook.cn) https://technet.microsoft.com/en-us/library/cc726016(v=ws.10).aspx
- PDC acts as a key role (time root in forest, etc)
- Implement multiple/backup domain controllers (all GCs)
- Implement multiple sites as needed (site, subnet,site link(180 minutes default, 15 minutes minimum), bridge all site links(default))
- Enable Active Directory Recycle Bin
- Enable Protect object from accidental deletion (User, OU, etc)
- Fill more AD account properties (City, Country, Phone, Job Title, Department, Manager...) Create AD user with PowerShell
- Grant permission per group, not a single user
- Account Lockout Policy
- Delegate IT helpdesk group join computer into domain permission
Setup the first Domain Controller
- https://github.com/shenhuitao2000/PowerShell/blob/master/Setup%20First%20Domain%20Controller
- w32tm /config /computer:BJDC01.corp.alphabook.cn /manualpeerlist:time.windows.com /syncfromflags:manual /update
- BPA (Best Practices Analyzer)
Reference
- https://msdn.microsoft.com/en-us/library/bb727085.aspx
- https://www.techrepublic.com/blog/10-things/10-tips-for-effective-active-directory-design/
FSMO (Flexible single master operation)
5 FSMO roles
- Schema master / Forest level
- To make change Schema in forest (such as implement Exchange, Lync, SCCM)
- Domain naming master / Forest level
- To add/remove domain in forest
- PDC / Domain level
- Time root in forest (PDC->DCs->Computers)
- Group policy central management
- Handle password change specially (the change will sync to PDC immediately)
- Handle user account lock specially
- RID pool master / Domain level
- Assign RIDs to DCs (500/time)
- Infrastucture master / Domain level
- Objects reference in different domains
To check the FSMO servers
- netdom query fsmo
To transfer / seize to FSMO roles
- Ntdsutil
- Roles
- Connections
- ?
- Connect to server BJDC01
- Quit
- Transfer schema master
- Transfer domain naming master
- Transfer PDC
- Transfer RID master
- Transfer infrastructure master
How to configure a firewall for domains and trusts
Detect Password Changes in Active Directory
- Enable security log
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit account management -> Define -> Success and Failure
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Maximum security log size -> 1GB
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Retention method for security log -> Overwrite events as needed
- Get log (password reset attempt by administrator)
- Get-EventLog -LogName Security -InstanceId 4724
- Get log (password change attempt by user)
- Get-EventLog -LogName Security -InstanceId 4723