WS-011 Windows Server 2019 Administration

© Copyright Microsoft Corporation. All rights reserved.


Module 02: Identity services in Windows Server

Module overview

This module describes how to implement identity services in a Windows Server 2019 environment.
• Lessons:
  o Overview of AD DS
  o Deploying Windows Server domain controllers
  o Overview of Azure AD
  o Implementing Group Policy
  o Overview of AD CS
Lesson 1: Overview of AD DS

Lesson 1 overview

This lesson describes the core logical components and physical components that make up an AD DS deployment.
• Topics:
  o What is AD DS?
  o AD DS objects
  o AD DS forests and domains
  o OUs
  o AD DS schema
  o Overview of AD DS replication
  o AD DS sign-in process
  o Overview of AD DS administration tools
  o Demonstration: Use tools to manage objects and properties in AD DS

What is AD DS?

AD DS is composed of both logical and physical components.

Logical components:
• Partitions
• Schema
• Domains
• Domain trees
• Forests
• Sites
• OUs
• Containers

Physical components:
• Domain controllers
• Data stores
• Global catalog servers
• RODCs
AD DS objects

• User objects
• Group objects
  o Group types: Security and distribution
  o Group scopes: Local, Domain-local, Global, and Universal
• Computer objects
AD DS forests and domains

• A forest:
  o Is the security boundary
  o Is a replication boundary (the schema and configuration partitions replicate forest-wide)
• A domain:
  o Is a replication boundary (the domain partition replicates only within the domain)
  o Is an administrative center
  o Provides:
    • Authentication
    • Authorization
• Trust relationships:
  o Provide access to resources across domains and forests in a complex AD DS environment
OUs

• Use containers to group objects within a domain:
  o You cannot apply GPOs to containers
  o Containers are used for system objects and as the default location for new objects
• Create OUs to:
  o Configure objects by assigning GPOs to them
  o Delegate administrative permissions

AD DS schema
Overview of AD DS replication

• Within an AD DS infrastructure, standard (writable) domain controllers replicate Active Directory information by using a multimaster replication model; RODCs receive inbound replication only
• Active Directory data is separated logically into several partitions:
  o Configuration partition
  o Schema partition
  o Domain partition
  o Application partition
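As an added example (not part of the course deck), the following commands list the partitions a domain controller holds and check its inbound replication from each partner. They assume the ActiveDirectory module on a domain controller of contoso.com.

```powershell
# Added example (not from the course deck): list the partitions this DC holds and check
# its inbound replication. Assumes the ActiveDirectory module on a DC of contoso.com.
Import-Module ActiveDirectory

# namingContexts enumerates the schema, configuration and domain partitions plus any
# application partitions (DomainDnsZones, ForestDnsZones) this DC hosts
(Get-ADRootDSE).namingContexts

# Per-partition inbound replication status from each partner; -Partition '*' covers
# every partition instead of only the domain partition
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Partition '*' -PartnerType Inbound |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Outstanding failures; anything listed here must be resolved before you rely on the
# "latest data" assumption that a planned operations-master transfer depends on
Get-ADReplicationFailure -Target $env:COMPUTERNAME

# Classic equivalent, also available on Server Core without the module
repadmin /showrepl
```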
AD DS sign-in process

1. The user signs in, and the client authenticates the user account to the domain controller (the KDC)
2. The domain controller returns a ticket-granting ticket (TGT) to the client
3. The client presents the TGT to the domain controller to request a service ticket for the workstation
4. The domain controller returns the service ticket, and the workstation grants access
5. The client presents the TGT to the domain controller to request a service ticket for the server
6. The domain controller returns the service ticket, which the client presents to the server to gain access
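As an added example (not part of the course deck), the following commands let you watch the six steps above on a domain-joined client and on the domain controller. The host names SEA-CL1, SEA-SVR1, SEA-DC1 and the share path are assumptions.

```powershell
# Added example (not from the course deck): observe the sign-in flow on a domain-joined
# client and on the DC. Host names and the share path are assumptions.
klist purge                       # clear the ticket cache for a clean observation

# Accessing a service triggers the whole flow: the client re-obtains the TGT from the KDC
# with the cached credentials (steps 1-2), presents the TGT to request a service ticket for
# cifs/SEA-SVR1.contoso.com (step 5), and presents that ticket to the server (step 6)
Get-ChildItem '\\SEA-SVR1.contoso.com\Data' -ErrorAction SilentlyContinue | Out-Null

klist tgt                         # the TGT: server krbtgt/CONTOSO.COM
klist                             # TGT plus the cifs/SEA-SVR1.contoso.com service ticket

# On the DC the same exchange is logged: 4768 = TGT issued (step 2), 4769 = service ticket
# issued (steps 4 and 6). Property index 0 is the account and index 2 the service name in
# both events; check with Format-List if the layout differs on your build
Get-WinEvent -ComputerName 'SEA-DC1' -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } -MaxEvents 20 |
    Select-Object TimeCreated, Id,
        @{ n = 'Account'; e = { $_.Properties[0].Value } },
        @{ n = 'Service'; e = { $_.Properties[2].Value } } |
    Format-Table -AutoSize
```

A 4769 for a service that the account has no business reaching, or a burst of 4769s for many different services from one account, is the usual starting point for spotting Kerberos ticket abuse in the DC's Security log.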
Overview of AD DS administration tools

Demonstration: Use tools to manage objects and properties in AD DS

• Navigate within the Active Directory Administrative Center
• Perform an administrative task within the Active Directory Administrative Center
• Create objects
• View all object attributes
• Use the Windows PowerShell History viewer
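As an added example (not part of the course deck), the following script does the demonstration steps above with the ActiveDirectory module and also shows the OU delegation mentioned under "OUs". The Seattle OU, the user, the helpdesk group and the domain contoso.com are assumptions.

```powershell
# Added example (not from the course deck): create an OU, a user and a group, delegate a
# right on the OU, and read back every attribute. OU, names and contoso.com are assumptions.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName            # DC=contoso,DC=com
$ouDN     = "OU=Seattle,$domainDN"

# An OU rather than a container: GPOs can be linked to it and permissions delegated on it
New-ADOrganizationalUnit -Name 'Seattle' -Path $domainDN -ProtectedFromAccidentalDeletion $true

# Create objects. The initial password is prompted for, never embedded in the script
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for abbi'
New-ADUser -Name 'Abbi Skinner' -SamAccountName 'abbi' -UserPrincipalName 'abbi@contoso.com' `
    -Path $ouDN -AccountPassword $initialPassword -Enabled $true -ChangePasswordAtLogon $true
New-ADGroup -Name 'Seattle Helpdesk' -Path $ouDN -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'Seattle Helpdesk' -Members 'abbi'

# Delegation: the helpdesk may reset passwords on user objects in and below this OU only.
# CA = control access right; /I:S applies the ACE to sub-objects of the OU
dsacls $ouDN /I:S /G "CONTOSO\Seattle Helpdesk:CA;Reset Password;user"

# View all attributes, as the Attribute Editor tab does (-Properties * fetches the full set)
Get-ADUser -Identity 'abbi' -Properties * | Format-List

# What the Windows PowerShell History viewer records for the work above are exactly these
# cmdlets; the attributes below are the ones worth checking when reviewing an account
Get-ADUser -Identity 'abbi' -Properties whenCreated, memberOf, pwdLastSet, PasswordNeverExpires |
    Select-Object Name, Enabled, whenCreated, PasswordNeverExpires, memberOf,
        @{ n = 'PasswordLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } }
```

Delegating on the OU with dsacls is the point of the second OU bullet above: the helpdesk gets one right on one subtree instead of membership in Account Operators or Domain Admins.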
Lesson 1: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 2: Deploying Windows Server domain controllers

Lesson 2 overview

This lesson describes the purpose and functionality of domain controllers in a Windows Server environment.
• Topics:
  o What is a DC?
  o What is the global catalog?
  o What are operations masters?
  o Install a DC
  o Upgrade from a previous version of AD DS
  o DC cloning
  o Overview of DC SRV records
  o Demonstration: Explore DC SRV records in DNS
  o Transfer and seize roles
  o Deploy a DC in Azure IaaS

What is a DC?

Domain controllers:
• Are servers that host the AD DS database (Ntds.dit) and SYSVOL
• Host the Kerberos authentication service and KDC services to perform authentication
• Have best practices for:
  o Availability:
    • Use at least two domain controllers in a domain
  o Security:
    • Use an RODC where a domain controller cannot be physically secured (for example, in a branch office)
What is the global catalog?

• The global catalog:
  o Hosts a partial attribute set for other domains in the forest
  o Supports queries for objects throughout the forest
• In a single domain, you should configure all the domain controllers to hold a copy of the global catalog
• In a multiple-domain environment, the infrastructure master should not be a global catalog server unless all the domain controllers in the domain are also global catalog servers
• When you have multiple sites, you should also make at least one domain controller at each site a global catalog server
What are operations masters?

• In the multimaster replication model, some operations must be single master operations
• Many terms are used for single master operations in AD DS, including:
  o Operations master (or operations master role)
  o Single master role
  o FSMO

The five FSMOs

Forest-wide (one per forest):
• Schema master
• Domain naming master

Domain-wide (one per domain):
• RID master
• Infrastructure master
• PDC emulator master
Install a DC

• Install a domain controller from Server Manager
• Install a domain controller on a Server Core installation of Windows Server
• Install a domain controller by installing from media (IFM)
Upgrade from a previous version of AD DS

You have two options for upgrading AD DS to Windows Server 2019:
• Perform an in-place upgrade from Windows Server 2012 R2 or later to Windows Server 2019:
  o Benefit. Except for the prerequisite checks, all the files and programs stay in place, and no additional work is required
  o Risk. It might leave obsolete files and dynamic-link libraries
• Introduce a new server running Windows Server 2019 into the domain, and then promote it to be a domain controller (this option is usually preferred):
  o Benefit. The new server has no obsolete files and settings
  o Risk. It might require additional work to migrate administrators' files and settings
DC cloning

• You might clone virtualized domain controllers for:
  o Rapid deployment
  o Private clouds
  o Recovery strategies
• To clone a source domain controller:
  o Add the source domain controller to the Cloneable Domain Controllers group
  o Verify app and service compatibility
  o Create a DCCloneConfig.xml file
  o Shut down the source domain controller, export the VM once, and then import it as many times as you need clones
  o Start the clones; each one detects the new VM-GenerationID together with DCCloneConfig.xml and initializes itself as a new domain controller
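As an added example (not part of the course deck), the following script runs through the cloning steps above for a source domain controller SEA-DC1 on Hyper-V and a clone SEA-DC3. Names, addresses and the Hyper-V paths are assumptions; cloning additionally requires the PDC emulator to run Windows Server 2012 or later and a hypervisor that exposes VM-GenerationID.

```powershell
# Added example (not from the course deck): prepare the virtualized source DC SEA-DC1 for cloning
# and create clone SEA-DC3. Names, addresses and Hyper-V paths are assumptions.
Import-Module ActiveDirectory

# Step 1: authorize the source DC
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'SEA-DC1')

# Step 2: compatibility check. Everything listed is not on the default allow list: uninstall it,
# or accept it by generating CustomDCCloneAllowList.xml (only after you have reviewed the list)
Get-ADDCCloningExcludedApplicationList
Get-ADDCCloningExcludedApplicationList -GenerateXml -Force

# Step 3: DCCloneConfig.xml in the NTDS folder with the clone's identity and static network settings
New-ADDCCloneConfigFile -CloneComputerName 'SEA-DC3' -SiteName 'Default-First-Site-Name' -Static `
    -IPv4Address '172.16.0.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'

# Step 4: shut down, then on the Hyper-V host export the VM once and import a copy per clone
Stop-Computer
#   Export-VM -Name 'SEA-DC1' -Path 'D:\Export'
#   Import-VM -Path 'D:\Export\SEA-DC1\Virtual Machines\<vm-id>.vmcx' -Copy -GenerateNewId `
#       -VirtualMachinePath 'D:\VMs\SEA-DC3' -VhdDestinationPath 'D:\VMs\SEA-DC3' |
#       Rename-VM -NewName 'SEA-DC3'
# Step 5: Start-VM 'SEA-DC3'. On first boot the clone sees a new VM-GenerationID plus
# DCCloneConfig.xml, resets its invocation ID, renames itself and joins replication as a new DC.
# Then start the original SEA-DC1 again; it is unchanged.
```

Without DCCloneConfig.xml a copied domain controller that detects a changed VM-GenerationID only resets its invocation ID (safe-restore protection); it does not become a new DC, which is the behaviour you want for an accidental snapshot rollback.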


Overview of DC SRV records
Demonstration: Explore DC SRV records in DNS

• Use DNS Manager to view SRV records
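As an added example (not part of the course deck), the following commands query the same SRV records the DC locator uses, from any domain member, instead of browsing them in DNS Manager. The domain contoso.com and the site name Seattle are assumptions.

```powershell
# Added example (not from the course deck): the SRV records behind the DC locator.
# Domain and site name are assumptions.
$domain = 'contoso.com'
$site   = 'Seattle'

# Every DC in the domain (what a client without site information asks for first)
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Select-Object Name, NameTarget, Priority, Weight, Port

# Site-specific entry; clients in the Seattle site prefer these DCs over the domain-wide list
Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV |
    Select-Object NameTarget, Port

# Global catalog servers are registered under the forest root domain, KDCs under each domain
Resolve-DnsName -Name "_gc._tcp.$domain" -Type SRV | Select-Object NameTarget, Port
Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV | Select-Object NameTarget, Port

# Which DC the locator actually chose for this machine, with its flags (GC, PDC, RODC, ...)
nltest "/dsgetdc:$domain"

# A DC whose records are missing re-registers them when Netlogon restarts (or: nltest /dsregdns)
```

A DC that is running but absent from `_ldap._tcp.dc._msdcs` is invisible to clients; after promoting or re-addressing a DC, this query is the first thing to check.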
Transfer and seize roles

• Transferring is:
  o Planned
  o Performed using the latest data
  o Achieved through snap-ins, Windows PowerShell, or ntdsutil.exe
• Seizing is:
  o Unplanned and a last resort
  o Performed with incomplete or out-of-date data
  o Accomplished through Windows PowerShell or ntdsutil.exe
  o Final: the former role holder must never return to the network without being reinstalled
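As an added example (not part of the course deck), the following commands locate the operations masters, transfer two of them before planned maintenance, and seize all five when the holder is permanently lost. SEA-DC1, SEA-DC2 and contoso.com are assumptions.

```powershell
# Added example (not from the course deck): locate, transfer and, as a last resort, seize
# operations master roles. SEA-DC1/SEA-DC2 and contoso.com are assumptions.
Import-Module ActiveDirectory

# Current holders (netdom query fsmo shows the same)
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Planned transfer ahead of maintenance on SEA-DC1: the current holder is contacted and the
# role's latest data (for example the RID pool state) moves with it
Move-ADDirectoryServerOperationMasterRole -Identity 'SEA-DC2' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seizure, only when SEA-DC1 is permanently gone: -Force writes the new owner without
# contacting the old one, so the role continues from whatever replicated last
Move-ADDirectoryServerOperationMasterRole -Identity 'SEA-DC2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# After a seizure the old holder must never come back unrebuilt (two RID masters can hand out
# overlapping RIDs). Remove its metadata, for example:
#   ntdsutil "metadata cleanup" "remove selected server CN=SEA-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com" quit quit

# Verify from another DC
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```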


Lesson 2: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 3: Overview of Azure AD

Lesson 3 overview

This lesson describes how you can use Azure AD to provide authentication and authorization for cloud-based services and apps.
• Topics:
  o What is Azure AD?
  o Azure AD versions
  o Connect AD DS with Azure AD by using Azure AD Connect
  o Benefits of integrating Azure AD with AD DS

What is Azure AD?

Azure AD versions

• Free
• Office 365 Apps
• Premium P1
• Premium P2

Connect AD DS with Azure AD by using Azure AD Connect

Benefits of integrating Azure AD with AD DS

• Azure Information Protection
• Self-service password reset
• Endpoint co-management
• Manage apps
Lesson 3: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 4: Implementing Group Policy

Lesson 4 overview

• This lesson describes how to manage a Windows Server environment by using the Group Policy infrastructure
• Topics:
  • What are GPOs?
  • Overview of GPO scope and inheritance
  • What are domain-based GPOs?
  • Default domain GPOs
  • Demonstration: Create and configure a domain-based GPO
  • Overview of GPO storage
  • What are Starter GPOs?
  • What are administrative templates?
  • Overview of the Central Store
What are GPOs?

• Group Policy is a powerful administrative tool
• You can use it to enforce various types of settings on a large number of users and computers
• Typically, you use GPOs to:
  o Apply security settings
  o Manage desktop application settings
  o Deploy application software
  o Manage Folder Redirection
  o Configure network settings


Overview of GPO scope and inheritance

You can scope GPOs by using:
• GPO links
• Security filters
• WMI filters

GPOs are processed on a client computer in the following order (LSDOU):
1. Local GPOs
2. Site-level GPOs
3. Domain-level GPOs
4. OU GPOs, including any nested (child) OUs

A setting applied later in this order overrides the same setting applied earlier, so an OU GPO normally wins over a domain GPO. An Enforced link reverses this for its GPO, and Block Inheritance on an OU stops non-enforced GPOs linked above it.

What are domain-based GPOs?

Default domain GPOs

A domain has two default GPOs:
• Default Domain Policy
• Default Domain Controllers Policy

Demonstration: Create and configure a domain-based GPO

• Manage objects in AD DS
• Create and edit a GPO
• Link the GPO
• View the effects of the GPO's settings
• Create and link the required GPOs
• Verify the order of precedence
• Configure the scope of a GPO with security filtering
• Verify the application of settings
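As an added example (not part of the course deck), the following script performs the demonstration steps above with the GroupPolicy module: create and edit a GPO, link it, scope it with security filtering, check precedence, and pull the resultant set of policy from a client. The GPO name, the Seattle OU, the 'Seattle Workstations' group and SEA-CL1 are assumptions.

```powershell
# Added example (not from the course deck): create, configure, link and scope a domain GPO,
# then verify what applies. GPO name, Seattle OU, group and client name are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$ouDN = "OU=Seattle,$((Get-ADDomain).DistinguishedName)"

# Create and edit: two Security Options set as registry policy. (The GPMC editor writes these
# to GptTmpl.inf in the GPT instead; the client ends up with the same registry values.)
$gpo = New-GPO -Name 'Seattle - Workstation hardening' -Comment 'No LM hashes, no anonymous SAM enumeration'
Set-GPRegistryValue -Name $gpo.DisplayName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo.DisplayName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'RestrictAnonymousSAM' -Type DWord -Value 1

# Link it to the OU. -Enforced Yes would make it win over GPOs on child OUs and pass through
# Block Inheritance; leave it No unless the policy is non-negotiable
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes -Enforced No

# Security filtering: apply only to the workstation group. Keep Read for Authenticated Users
# (since MS16-072 the computer account must be able to read the GPO), drop only its Apply
# right, then grant Apply to the group
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Seattle Workstations' -TargetType Group `
    -PermissionLevel GpoApply

# Order of precedence on the OU: the link with the lowest Order is applied last and wins
(Get-GPInheritance -Target $ouDN).GpoLinks |
    Select-Object DisplayName, Order, Enforced, Enabled | Format-Table -AutoSize

# Verify on a client (run gpupdate /force there first): resultant set of policy for SEA-CL1
Get-GPResultantSetOfPolicy -Computer 'SEA-CL1' -ReportType Html -Path "$env:TEMP\rsop-sea-cl1.html"
```

Removing Authenticated Users entirely is the classic security-filtering mistake: the GPO simply stops applying, and nothing in the console says why.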
Overview of GPO storage

• Group Policy settings are presented as GPOs in AD DS user interface tools, but a GPO is actually two components:
  o The Group Policy container (GPC), an object in AD DS
  o The Group Policy template (GPT), a folder in SYSVOL
• The Group Policy container and the Group Policy template both replicate between all domain controllers in AD DS. However, these two items use different replication mechanisms:
  o The Group Policy container in AD DS replicates by using the Directory Replication Agent
  o The Group Policy template in SYSVOL replicates by using Distributed File System Replication (DFS-R)
What are Starter GPOs?

A Starter GPO:
• Stores administrative template settings on which new GPOs will be based
• Can be exported to .cab files
• Can be imported into other areas of an organization

What are administrative templates?

Overview of the Central Store

The Central Store:
• Is a central repository for .admx and .adml files
• Is stored in SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions)
• Must be created manually
• Is detected automatically by Windows Vista, Windows Server 2008, and newer operating systems
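As an added example (not part of the course deck), the following script creates the Central Store and then inspects the two halves of a GPO described under "Overview of GPO storage". The domain contoso.com is an assumption; the paths follow from it.

```powershell
# Added example (not from the course deck): create the Central Store, then look at the GPC in
# AD DS and the GPT in SYSVOL for one GPO. Domain contoso.com is an assumption.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$domain  = (Get-ADDomain).DNSRoot
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# Seed the store from a fully patched reference machine's local PolicyDefinitions folder;
# -Recurse carries the language subfolders (en-US, ...) that hold the .adml files
if (-not (Test-Path $central)) { New-Item -ItemType Directory -Path $central | Out-Null }
Copy-Item -Path "$env:SystemRoot\PolicyDefinitions\*" -Destination $central -Recurse -Force
# Vendor templates (for example the Office .admx download) are copied the same way once extracted
(Get-ChildItem $central -Filter *.admx).Count

# GPC versus GPT for one GPO. If versionNumber in AD DS and Version= in GPT.ini disagree on a
# given DC, directory replication and SYSVOL (DFS-R) replication are out of step on that DC
$gpo = Get-GPO -Name 'Default Domain Policy'
Get-ADObject -Identity $gpo.Path -Properties versionNumber, gPCFileSysPath |
    Select-Object Name, versionNumber, gPCFileSysPath                    # GPC in AD DS
Get-ChildItem "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"           # GPT in SYSVOL
Get-Content  "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}\GPT.ini"    # Version= line
```

Because the GPT is a plain folder, write access to SYSVOL is write access to every policy the GPT carries; the ACL on the Policies folder deserves the same review as Domain Admins membership.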
Lesson 4: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 5: Overview of AD CS

Lesson 5 overview

This lesson describes how to deploy and manage CAs to manage, distribute, and validate digital certificates.
• Topics:
  o What is AD CS?
  o Options for implementing CA hierarchies
  o Standalone vs. enterprise CAs
  o Demonstration: Manage CAs
  o What are certificate templates?
  o What are CRLs and CRL distribution points?
  o Configure trust for certificates
  o Demonstration: Enroll for a certificate

What is AD CS?

• Allows you to implement a PKI for your organization:
  o Issue and manage certificates
• AD CS role services in Windows Server:
  o Certification Authority
  o Certification Authority Web Enrollment
  o Online Responder
  o Network Device Enrollment Service
  o Certificate Enrollment Web Service
  o Certificate Enrollment Policy Web Service

Options for implementing CA hierarchies

• Typically, CA hierarchies have two levels:
  o A root CA at the top level, usually kept offline
  o A subordinate issuing CA on the second level
• In general, CA hierarchies fall into one of the following categories:
  o CA hierarchies with a policy CA
  o CA hierarchies with cross-certification trust
  o CAs with a two-tier hierarchy

Standalone vs. enterprise CAs

Standalone CAs:
• Must be used if any CA (root/intermediate/policy) is offline, because a standalone CA is not joined to an AD DS domain
• Users must provide identifying information and specify the type of certificate
• Do not support certificate templates
• All certificate requests are kept pending until administrator approval

Enterprise CAs:
• Require the use of AD DS and store information in AD DS
• Can use Group Policy to propagate certificates to the trusted root CA certificate store
• Publish user certificates and CRLs to AD DS
• Issue certificates based on a certificate template
• Support autoenrollment for issuing certificates
Demonstration: Manage CAs

• Create a new template based on the Web Server template
• Configure templates so that they can be issued
What are certificate templates?

A certificate template defines:
• The format and contents of a certificate
• The process for creating and submitting a valid certificate request
• The security principals that are allowed to read, enroll, or use autoenrollment for a certificate that will be based on the template
• The permissions that are required to modify a certificate template
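As an added example (not part of the course deck), the following script covers the "Manage CAs" demonstration and the template permissions described above: it shows which templates the CA issues, publishes a template duplicated from Web Server, and audits who may enroll against it. There is no cmdlet for duplicating a template, so that step is done in the Certificate Templates console (certtmpl.msc) as in the demonstration; the template name 'ContosoWebServer' is an assumption.

```powershell
# Added example (not from the course deck): list issuable templates, publish a new one, and
# audit its enrollment ACL. Run on the enterprise CA; 'ContosoWebServer' is an assumption.
Import-Module ADCSAdministration
Import-Module ActiveDirectory

# Templates this CA is currently allowed to issue
Get-CATemplate | Select-Object Name, Oid

# A template duplicated from Web Server in certtmpl.msc becomes issuable only once it is added here
Add-CATemplate -Name 'ContosoWebServer' -Force

# Templates live in the configuration partition; their ACL is the enrollment policy
$cfg    = (Get-ADRootDSE).configurationNamingContext
$tmplDN = "CN=ContosoWebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'     # Certificate-Enrollment extended right

(Get-Acl -Path "AD:\$tmplDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
             ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty)) -or
            $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner|WriteProperty'
        )
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType | Format-Table -AutoSize

# Web Server-derived templates let the requester supply the subject name (bit 0x1 below), so the
# Enroll ACE must be limited to the servers or groups that genuinely need certificates; a broad
# Enroll grant plus this flag lets anyone request a certificate for any name
$t = Get-ADObject -Identity $tmplDN -Properties 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage'
[bool]($t.'msPKI-Certificate-Name-Flag' -band 0x1)    # True: enrollee supplies subject
$t.pKIExtendedKeyUsage                                 # 1.3.6.1.5.5.7.3.1 = Server Authentication
```

The ACL query also reveals write rights on the template itself (the fourth bullet above): a principal who can modify the template can change its EKUs or enrollment flags, which is as powerful as being allowed to enroll.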
What are CRLs and CRL distribution points?

The following are the steps in the certificate revocation lifecycle:
1. A certificate is revoked on the CA
2. A CRL is published to the CRL distribution points (CDPs) named in the certificates the CA issues
3. A client computer verifies certificate validity and revocation by retrieving the CRL from a CDP (or by querying an Online Responder over OCSP)
Configure trust for certificates

• When using certificates for different purposes, it is important to consider who (or rather what) will be expected to assess the digital certificate as a form of proof of identity
• Generally, there are three types of certificate that you can use:
  o Internal certificates from a private CA, such as a server installed with the AD CS role
  o External certificates from a public CA, such as an organization on the internet
  o A self-signed certificate
    • You can create a self-signed certificate by using the New-SelfSignedCertificate cmdlet

Demonstration: Enroll for a certificate

• Enroll the Web Server certificate on sea-adm1
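As an added example (not part of the course deck), the following script shows the enrollment from the demonstration and how a relying party treats the certificate sources listed under "Configure trust for certificates", including the revocation check from the CRL lifecycle. It assumes an enterprise CA that issues the WebServer template and the host sea-adm1.contoso.com.

```powershell
# Added example (not from the course deck): self-signed versus enterprise-issued certificates as
# a relying party sees them, plus the revocation check. CA, template and host name are assumptions.
Import-Module PKI

# 1. Self-signed: no CA vouches for it, so chain validation fails on every other machine
$self = New-SelfSignedCertificate -DnsName 'sea-adm1.contoso.com' -CertStoreLocation 'Cert:\LocalMachine\My'
Test-Certificate -Cert $self -Policy SSL -DNSName 'sea-adm1.contoso.com' -ErrorAction SilentlyContinue   # False

# 2. Enterprise CA: enrollment over the LDAP enrollment policy against the WebServer template.
#    Status is Issued, or Pending if the template requires CA manager approval
$result = Get-Certificate -Template 'WebServer' -SubjectName 'CN=sea-adm1.contoso.com' `
    -DnsName 'sea-adm1.contoso.com' -CertStoreLocation 'Cert:\LocalMachine\My' -Url 'ldap:'
$result.Status
$cert = $result.Certificate
# True: the enterprise root reaches every domain member's Trusted Root store through AD DS/Group Policy
Test-Certificate -Cert $cert -Policy SSL -DNSName 'sea-adm1.contoso.com'

# 3. Revocation: the relying party fetches the CRL from the CDP URL embedded in the certificate.
#    -urlfetch prints every AIA/CDP URL it tried and whether the CRL could be retrieved
Export-Certificate -Cert $cert -FilePath "$env:TEMP\sea-adm1.cer" | Out-Null
certutil -urlfetch -verify "$env:TEMP\sea-adm1.cer" | Select-String -Pattern 'CDP|CRL|Revocation|ERROR'

# The lifecycle from the CA side (run on the CA, not on the web server):
#   certutil -revoke <serial number> 1      # step 1: revoke, reason 1 = key compromise
#   certutil -crl                           # step 2: publish a new CRL to the CDPs
# Step 3 is the check above. Until a client fetches the new CRL (or its cached copy expires) it
# still accepts the revoked certificate, which is why the CRL validity period is a security setting
```

A self-signed certificate is not insecure in itself; it is simply a certificate whose only possible trust anchor is itself, so every relying machine needs it installed explicitly, and that rarely scales beyond a lab.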
Lesson 5: Test your knowledge

Refer to the Student Guide for lesson-review questions


Instructor-led labs: Implementing identity services and Group Policy

• Deploying a new domain controller on Server Core
• Configuring Group Policy
• Deploying and using certificate services

Lab: Implementing identity services and Group Policy

Exercise 1: Deploying a new domain controller on Server Core
Exercise 2: Configuring Group Policy
Exercise 3: Deploying and using certificate services

Sign-in information for the exercise(s):
• Virtual Machines:
  o WS-011T00A-SEA-DC1
  o WS-011T00A-SEA-SVR1
  o WS-011T00A-SEA-ADM1
  o WS-011T00A-SEA-CL1
• Username: Contoso\Administrator
• Password: Pa55w.rd
Lab scenario

You are working as an administrator at Contoso, Ltd. The company is expanding its business
with several new locations. The Active Directory Domain Services (AD DS) Administration
team is currently evaluating methods available in Windows Server for rapid and remote
domain controller deployment.
The team is also looking for a way to automate certain AD DS administrative tasks.
Additionally, the team wants to establish configuration management based on Group Policy
Objects (GPO) and enterprise certificate authority (CA) hierarchy.
Lab-review question

During the lab, you collected data in a data collector set. What is the advantage of collecting
data in this way?
Lab-review answer

During the lab, you collected data in a data collector set. What is the advantage of collecting data in this way?
• You can review data in a data collector set periodically for comparative purposes
Module-review questions

1. What are the two reasons to create organizational units (OUs) in a domain?
2. If the domain controller that holds the primary domain controller (PDC) Emulator operations master role is going to be offline for an extended period, what should you do?
3. True or false? Azure AD is hierarchical.
4. If you have a new version of Microsoft Office to deploy in your on-premises environment, and you want to configure settings with Group Policy Objects (GPOs), what would you do?
5. What is a certificate template?

Module-review answers (slide 1 of 2)

1. What are the two reasons to create organizational units (OUs) in a domain?
• The first reason is that you want to group users and computers, perhaps by geography or department. The second reason is that you might then want to delegate administration on the OU or configure the objects in an OU by using Group Policy Objects (GPOs)
2. If the domain controller that holds the primary domain controller (PDC) Emulator operations master role is going to be offline for an extended period, what should you do?
• You should transfer the operations master role to another server in the same domain ahead of the planned outage
3. True or false? Azure AD is hierarchical.
• False. Azure AD has a flat structure.

Module-review answers (slide 2 of 2)

4. If you have a new version of Microsoft Office to deploy in your on-premises environment, and you want to configure settings with Group Policy Objects (GPOs), what would you do?
• You could download and install the latest .admx files for Office. If you install these into the Central Store, you could configure the new Office settings in one location
5. What is a certificate template?
• Certificate templates define how you can request or use a certificate, such as for file encryption or email signing
Thank you
