AD DS
From AlphaBook
Latest revision as of 12:33, 25 October 2018
Active Directory Domain Service Design
- Single forest, single domain is preferred; a domain holds up to 2,150,000,000 objects; keep the FQDN under 64 characters
- Selecting the Forest Root Domain (corp.alphabook.cn) https://technet.microsoft.com/en-us/library/cc726016(v=ws.10).aspx
- The PDC emulator plays a key role (time root of the forest, etc.)
- Implement multiple/backup domain controllers (all GCs)
- Implement multiple sites as needed (site, subnet, site link (180 minutes replication interval by default, 15 minutes minimum), bridge all site links (default))
- Enable Active Directory Recycle Bin
- Enable Protect object from accidental deletion (User, OU, etc.)
- Fill in more AD account properties (City, Country, Phone, Job Title, Department, Manager, ...) Create AD user with PowerShell
- Grant permissions per group, never to a single user
- Account Lockout Policy
- Delegate to the IT helpdesk group the permission to join computers to the domain
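Several of the design points above can be applied from PowerShell on a domain controller. The block below is an added example, not code from the AlphaBook page: the domain name corp.alphabook.cn is the page's, while the OU names, the IT-Helpdesk group, the user jdoe, the manager object and the lockout values are constructed placeholders to replace with your own design.

```powershell
# Added example (not from the AlphaBook page): applying several of the design
# points above with the ActiveDirectory module on a DC. The domain name
# corp.alphabook.cn is from the page; the OU, group, user, manager and lockout
# values are constructed placeholders.
Import-Module ActiveDirectory
$domainDn = 'DC=corp,DC=alphabook,DC=cn'

# Recycle Bin: forest-wide, and it cannot be turned off again once enabled.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -Confirm:$false

# Account lockout policy on the default domain policy (placeholder values).
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.alphabook.cn' `
    -LockoutThreshold 10 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00

# OUs protected from accidental deletion (the cmdlet defaults to protected;
# the switch is stated explicitly so the intent is visible in the script).
New-ADOrganizationalUnit -Name 'Beijing' -Path $domainDn -ProtectedFromAccidentalDeletion $true
$usersOu = "OU=Users,OU=Beijing,$domainDn"
New-ADOrganizationalUnit -Name 'Users' -Path "OU=Beijing,$domainDn" -ProtectedFromAccidentalDeletion $true

# Group that will receive permissions; rights are never granted to the user directly.
New-ADGroup -Name 'IT-Helpdesk' -GroupScope Global -GroupCategory Security -Path $usersOu

# User with the extra attributes the design list asks for.
# The -Manager object (placeholder DN) must already exist.
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' `
    -UserPrincipalName 'jdoe@corp.alphabook.cn' `
    -GivenName 'Jane' -Surname 'Doe' -DisplayName 'Jane Doe' `
    -City 'Beijing' -Country 'CN' -OfficePhone '+86 10 0000 0000' `
    -Title 'Systems Engineer' -Department 'IT' `
    -Manager "CN=IT Manager,$usersOu" `
    -Path $usersOu `
    -AccountPassword (Read-Host -AsSecureString 'Initial password for jdoe') `
    -ChangePasswordAtLogon $true -Enabled $true

# Protect the user object too, then make it a member of the group.
Get-ADUser -Identity 'jdoe' | Set-ADObject -ProtectedFromAccidentalDeletion $true
Add-ADGroupMember -Identity 'IT-Helpdesk' -Members 'jdoe'
```

Enable-ADOptionalFeature is a one-way change at the forest level, so run it once, deliberately; the lockout values are a starting point to tune against your own lockout-storm and brute-force tolerance, not a recommendation from the page.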
Set up the first Domain Controller
- https://github.com/shenhuitao2000/PowerShell/blob/master/Setup%20First%20Domain%20Controller
- w32tm /config /computer:BJDC01.corp.alphabook.cn /manualpeerlist:time.windows.com /syncfromflags:manual /update
- Run the BPA (Best Practices Analyzer) against the new DC
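The three steps above as one script, added here as an example (this is not the script linked above and not the page's own code): promote the first DC of a new forest, point the PDC emulator at an external time source, and run the AD DS Best Practices Analyzer. The domain name corp.alphabook.cn and the DC name BJDC01 are the page's; the NetBIOS name CORP, the paths and the time-source flags beyond the page's command are assumptions.

```powershell
# Added example (not the page's script): first DC of a new forest, then the
# two post-install steps from the list. Domain and DC names are from the page;
# NetBIOS name, paths and the extra w32tm flag are assumptions.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
Install-ADDSForest -DomainName 'corp.alphabook.cn' -DomainNetbiosName 'CORP' `
    -ForestMode WinThreshold -DomainMode WinThreshold `
    -InstallDns -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force
# The server reboots at this point. Run the rest after it is back as BJDC01.

# Time: the first DC holds the PDC emulator and is therefore the forest's time
# root. Point it at an external source and mark it reliable so that the other
# DCs and domain members accept it as an authoritative source.
w32tm /config /computer:BJDC01.corp.alphabook.cn /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
w32tm /resync
w32tm /query /status

# BPA: run the AD DS model and list every finding that is not informational.
Import-Module BestPractices
Invoke-BpaModel -ModelId 'Microsoft/Windows/DirectoryServices' | Out-Null
Get-BpaResult -ModelId 'Microsoft/Windows/DirectoryServices' |
    Where-Object { $_.Severity -ne 'Information' } |
    Format-Table Severity, Category, Title -AutoSize
```

Keep the DSRM password in the same vault as other break-glass credentials: it is the only way into the directory when the domain is unreachable. A common BPA finding right after promotion is exactly the time-source warning the w32tm step above resolves.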
Reference
- https://msdn.microsoft.com/en-us/library/bb727085.aspx
- https://www.techrepublic.com/blog/10-things/10-tips-for-effective-active-directory-design/
FSMO (Flexible single master operation)
5 FSMO roles
- Schema master / Forest level
  - Needed to change the schema of the forest (e.g. when deploying Exchange, Lync, SCCM)
- Domain naming master / Forest level
  - Needed to add/remove domains in the forest
- PDC / Domain level
  - Time root of the forest (PDC -> DCs -> Computers)
  - Group policy central management
  - Handles password changes specially (the change is replicated to the PDC immediately)
  - Handles user account lockouts specially
- RID pool master / Domain level
  - Assigns RID pools to DCs (500 RIDs at a time)
- Infrastructure master / Domain level
  - Maintains references to objects in other domains
To check the FSMO servers
- netdom query fsmo
To transfer / seize FSMO roles
- Ntdsutil
  - Roles
    - Connections
      - ?
      - Connect to server BJDC01
      - Quit
    - Transfer schema master
    - Transfer domain naming master
    - Transfer PDC
    - Transfer RID master
    - Transfer infrastructure master
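The ActiveDirectory module covers the same query and transfer/seize steps as netdom and ntdsutil. The block below is an added example, not from the page: BJDC01 is the page's DC name, BJDC02 is a constructed placeholder for the new role holder.

```powershell
# Added example (not from the AlphaBook page): PowerShell equivalents of
# "netdom query fsmo" and the ntdsutil transfer/seize steps above.
# BJDC01 is the page's DC; BJDC02 is a constructed placeholder.
Import-Module ActiveDirectory

# Query: the two forest-level roles are on the forest object, the three
# domain-level roles on the domain object.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Transfer (graceful; the current holder BJDC01 is online and hands over):
# equivalent of the ntdsutil "transfer ..." commands.
Move-ADDirectoryServerOperationMasterRole -Identity 'BJDC02' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Seize (the current holder is permanently lost): same cmdlet with -Force.
# The old holder must never be brought back online afterwards; rebuild it.
# Move-ADDirectoryServerOperationMasterRole -Identity 'BJDC02' -OperationMasterRole PDCEmulator -Force

# Confirm the result from the directory, not from memory.
netdom query fsmo
```

Transfer first and seize only when the holder cannot be recovered: a seized RID master or schema master that later reappears on the network can hand out duplicate RIDs or conflicting schema changes.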
How to configure a firewall for domains and trusts
- https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
Detect Password Changes in Active Directory
- Enable security log
  - Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit account management -> Define -> Success and Failure
  - Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Maximum security log size -> 1GB
  - Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Retention method for security log -> Overwrite events as needed
- Get log (password reset attempt by administrator)
  - Get-EventLog -LogName Security -InstanceId 4724
- Get log (password change attempt by user)
  - Get-EventLog -LogName Security -InstanceId 4723
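The two Get-EventLog calls above return raw events from one DC. The block below is an added example (not the page's code) that collects 4723 and 4724 from every DC, extracts who acted on whose account, and filters for the cases worth reviewing. It uses Get-WinEvent, which unlike Get-EventLog is available in PowerShell 7; the IT-Helpdesk group name is a constructed placeholder.

```powershell
# Added example (not from the AlphaBook page): collect 4723 (user changed own
# password) and 4724 (password reset by another account) from every DC and
# report actor, target and outcome. Group name IT-Helpdesk is a placeholder.
Import-Module ActiveDirectory

function Get-PasswordChangeEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # The event is written on the DC that handled the request, not only on
    # the PDC emulator, so every DC is queried.
    $dcs = (Get-ADDomainController -Filter *).HostName
    $filter = @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $Since }

    foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields (Subject*/Target*) are reachable via the XML rendering.
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Kind    = if ($_.Id -eq 4724) { 'Reset by other' } else { 'Changed by owner' }
                Actor   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Target  = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
                DC      = $dc
            }
        }
    }
}

# Confirm the audit subcategory that actually produces 4723/4724 is enabled.
auditpol /get /subcategory:"User Account Management"

$events   = Get-PasswordChangeEvents
$helpdesk = Get-ADGroupMember -Identity 'IT-Helpdesk' -Recursive |
            Select-Object -ExpandProperty SamAccountName

# Review list: resets performed by anyone outside the helpdesk group, plus any
# failed attempt (a failed 4723 is usually a wrong old password or a policy
# rejection; a failed 4724 means the actor lacked the reset permission).
$events | Where-Object {
    ($_.Id -eq 4724 -and $_.Actor.Split('\')[1] -notin $helpdesk) -or $_.Outcome -eq 'Failure'
} | Sort-Object Time | Format-Table Time, Kind, Actor, Target, Outcome, DC -AutoSize
```

On current Windows Server versions the legacy "Audit account management" setting is superseded by the advanced audit policy; 4723 and 4724 come from the "User Account Management" subcategory, which is what the auditpol line checks. Run the function on a schedule and forward the result to the SIEM rather than reading it interactively, otherwise the 1GB overwrite-as-needed log is the only retention you have.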