Difference between revisions of "AD DS"
From AlphaBook
(→Detect Password Changes in Active Directory) |
|||
| (18 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Active Directory Domain Service Design == | == Active Directory Domain Service Design == | ||
* Single forest single domain is preferred, 2,150,000,000 objects per domain, FQDN less than 64 characters | * Single forest single domain is preferred, 2,150,000,000 objects per domain, FQDN less than 64 characters | ||
| − | * | + | * Selecting the Forest Root Domain (corp.alphabook.cn) https://technet.microsoft.com/en-us/library/cc726016(v=ws.10).aspx |
| − | * Implement multiple/backup domain controllers (all GCs) | + | * PDC acts as a key role (time root in forest, etc) |
| + | * Implement multiple/backup domain controllers (all GCs) | ||
| + | * Implement multiple sites as needed (site, subnet,site link(180 minutes default, 15 minutes minimum), bridge all site links(default)) | ||
* Enable [[Active Directory Recycle Bin]] | * Enable [[Active Directory Recycle Bin]] | ||
* Enable [[Protect object from accidental deletion]] (User, OU, etc) | * Enable [[Protect object from accidental deletion]] (User, OU, etc) | ||
| − | * Fill | + | * Fill more AD account properties (City, Country, Phone, Job Title, Department, Manager...) [[Create AD user with PowerShell]] |
* Grant permission per group, not a single user | * Grant permission per group, not a single user | ||
| − | * [ | + | * [[Account Lockout]] Policy |
* [[Delegate IT helpdesk group join computer into domain permission]] | * [[Delegate IT helpdesk group join computer into domain permission]] | ||
== Setup the first Domain Controller == | == Setup the first Domain Controller == | ||
* https://github.com/shenhuitao2000/PowerShell/blob/master/Setup%20First%20Domain%20Controller | * https://github.com/shenhuitao2000/PowerShell/blob/master/Setup%20First%20Domain%20Controller | ||
| + | * w32tm /config /computer:BJDC01.corp.alphabook.cn /manualpeerlist:time.windows.com /syncfromflags:manual /update | ||
| + | * BPA (Best Practices Analyzer) | ||
| + | |||
| + | == Reference == | ||
| + | * https://msdn.microsoft.com/en-us/library/bb727085.aspx | ||
| + | * https://www.techrepublic.com/blog/10-things/10-tips-for-effective-active-directory-design/ | ||
== FSMO (Flexible single master operation) == | == FSMO (Flexible single master operation) == | ||
=== 5 FSMO roles === | === 5 FSMO roles === | ||
* Schema master / Forest level | * Schema master / Forest level | ||
| − | ** To make change Schema in forest (such as Exchange, Lync, SCCM) | + | ** To make change Schema in forest (such as implement Exchange, Lync, SCCM) |
* Domain naming master / Forest level | * Domain naming master / Forest level | ||
** To add/remove domain in forest | ** To add/remove domain in forest | ||
| Line 43: | Line 51: | ||
* Transfer RID master | * Transfer RID master | ||
* Transfer infrastructure master | * Transfer infrastructure master | ||
| + | |||
| + | == How to configure a firewall for domains and trusts == | ||
| + | * https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts | ||
| + | |||
| + | == Detect Password Changes in Active Directory == | ||
| + | * Enable security log | ||
| + | ** Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit account management -> Define -> Success and Failure | ||
| + | ** Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Maximum security log size -> 1GB | ||
| + | ** Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Retention method for security log -> Overwrite events as needed | ||
| + | * Get log (password reset attempt by administrator) | ||
| + | ** Get-EventLog -LogName Security -InstanceId 4724 | ||
| + | * Get log (password change attempt by user) | ||
| + | ** Get-EventLog -LogName Security -InstanceId 4723 | ||
Latest revision as of 12:33, 25 October 2018
Contents
Active Directory Domain Service Design
- Single forest single domain is preferred, 2,150,000,000 objects per domain, FQDN less than 64 characters
- Selecting the Forest Root Domain (corp.alphabook.cn) https://technet.microsoft.com/en-us/library/cc726016(v=ws.10).aspx
- PDC acts as a key role (time root in forest, etc)
- Implement multiple/backup domain controllers (all GCs)
- Implement multiple sites as needed (site, subnet,site link(180 minutes default, 15 minutes minimum), bridge all site links(default))
- Enable Active Directory Recycle Bin
- Enable Protect object from accidental deletion (User, OU, etc)
- Fill more AD account properties (City, Country, Phone, Job Title, Department, Manager...) Create AD user with PowerShell
- Grant permission per group, not a single user
- Account Lockout Policy
- Delegate IT helpdesk group join computer into domain permission
Setup the first Domain Controller
- https://github.com/shenhuitao2000/PowerShell/blob/master/Setup%20First%20Domain%20Controller
- w32tm /config /computer:BJDC01.corp.alphabook.cn /manualpeerlist:time.windows.com /syncfromflags:manual /update
- BPA (Best Practices Analyzer)
Reference
- https://msdn.microsoft.com/en-us/library/bb727085.aspx
- https://www.techrepublic.com/blog/10-things/10-tips-for-effective-active-directory-design/
FSMO (Flexible single master operation)
5 FSMO roles
- Schema master / Forest level
- To make change Schema in forest (such as implement Exchange, Lync, SCCM)
- Domain naming master / Forest level
- To add/remove domain in forest
- PDC / Domain level
- Time root in forest (PDC->DCs->Computers)
- Group policy central management
- Handle password change specially (the change will sync to PDC immediately)
- Handle user account lock specially
- RID pool master / Domain level
- Assign RIDs to DCs (500/time)
- Infrastucture master / Domain level
- Objects reference in different domains
To check the FSMO servers
- netdom query fsmo
To transfer / seize to FSMO roles
- Ntdsutil
- Roles
- Connections
- ?
- Connect to server BJDC01
- Quit
- Transfer schema master
- Transfer domain naming master
- Transfer PDC
- Transfer RID master
- Transfer infrastructure master
How to configure a firewall for domains and trusts
Detect Password Changes in Active Directory
- Enable security log
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit account management -> Define -> Success and Failure
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Maximum security log size -> 1GB
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Retention method for security log -> Overwrite events as needed
- Get log (password reset attempt by administrator)
- Get-EventLog -LogName Security -InstanceId 4724
- Get log (password change attempt by user)
- Get-EventLog -LogName Security -InstanceId 4723
