Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
Active Directory Administration Cookbook, Second Edition
Active Directory Administration Cookbook, Second Edition

Active Directory Administration Cookbook, Second Edition: Proven solutions to everyday identity and authentication challenges for both on-premises and the cloud , Second Edition

eBook
$36.99 $41.99
Paperback
$51.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Redeem a companion digital copy on all Print orders
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

Active Directory Administration Cookbook, Second Edition

Chapter 2: Managing Domain Controllers

Active Directory domain controllers are your network's castles of identity. They offer services such as LDAP, Kerberos, and NTLM to people using devices, appliances, and servers. The previous chapter introduced the concepts of forests, trees, and domains. In this chapter, we are going to look at some more tangible things, such as server machines. But please don't take that literally; domain controllers these days are found to be virtual machines more often than physical machines.

I'll walk you through creating new domain controllers and show you which type of domain controller to implement. I'll also show you how to create domain controllers quickly, even when there's only a slow connection between the location with existing domain controllers and the location where you want to implement a new domain controller. We'll also look at creating hundreds of domain controllers quickly.

The following recipes are covered in this chapter:

  • Preparing a Windows server to become a domain controller
  • Promoting a server to a domain controller
  • Using Install From Media (IFM)
  • Using domain controller cloning
  • Determining whether a virtual domain controller has a VM-GenerationID
  • Demoting a domain controller
  • Demoting a domain controller forcefully
  • Inventory domain controllers
  • Decommissioning a compromised read-only domain controller

Preparing a Windows server to become a domain controller

To make Active Directory a reliable service in any networking environment, the domain controllers need to be available with high integrity. Any changes an administrator needs to make to a deployed domain controller might diminish the availability. Any component or configuration that is misbehaving might diminish the integrity. Therefore, let's look at how to prepare a Windows Server installation to become a domain controller before we promote it to become one.

The following steps are my time-tested recommended practices for production domain controllers within enterprises. I highly recommend these steps to create highly reliable domain controllers.

Intending to do the right thing

The first few items on the list of preparations involve having the right ideas about promoting domain controllers throughout their life cycles:

  • Intend to create at least two domain controllers per Active Directory domain: This way, both servers can be advertised to networking clients as LDAP servers and DNS servers. Then, when you have to reboot one of at least two servers, these clients won't be hindered. Also, restoring a domain controller while another domain controller is still available allows for scenarios such as non-authoritative restores, domain controller cloning, and domain controller re-promotion.
  • Intend to implement role separation: By any means, do not misuse a domain controller as an exchange server or SQL server, unless it's a Windows Small Business Server. The DNS server, DHCP server, and NPS server roles are gray areas here, which should be addressed with common sense; if it means a domain controller will be harder to restore, manage, or decommission, separate the roles.

Dimensioning the servers properly

Now, let's look at how to dimension intended domain controllers:

  • Intend to create equal domain controllers in terms of hardware dimensions: It's tempting to place one big server and one smaller server as domain controllers but consider the possibility of having to move Flexible Single Master Operation (FSMO) roles or other loads from one domain controller to another. Since domain controllers are randomly assigned to networking clients inside an Active Directory site, clients accessing a server with fewer resources may not exhibit a consistent and acceptable user experience.
  • Dimension the intended domain controllers properly in terms of hardware: Domain controllers offer the best performance when they can cache the Active Directory database, ntds.dit, in RAM. Plan for ample room in RAM to cache up to 4 KB per Active Directory object, plus a 10 MB minimum for the main objects and partitions. You should start with the minimum RAM required to install Windows Server and then add on the additional memory for Active Directory Domain Services (AD DS). For physical servers, use RAID and separate spindles for storage of Active Directory-related data when possible. Use hardware that will be covered by the manufacturer's (extended) guarantee, support, and life cycle policies for the period in which you need to rely on the domain controller.
  • Dimension the intended domain controllers properly in terms of software: Use a version of Windows Server that will be covered by Microsoft's (extended) support and life cycle policies for the period in which you need to rely on the domain controller.
  • Implement the Server Core version of Windows Server when possible: Server Core installations of Windows Server offer higher availability and a smaller attack surface compared to Windows Server installations with the Desktop Experience feature. However, some agents and other software components in use within the organization might not properly run on Server Core installations. In the latter scenario, Windows Server installations with the Desktop Experience feature (called Full Installations in previous versions of Windows Server) should be performed, obviously.
  • Install the latest firmware for devices and/or integration components: On physical boxes that you intend to use as a domain controller, install the latest stable firmware for the Basic Input/Output System (BIOS), the storage controller(s), the video card(s), and Network Interface Card(s) (NIC(s)). On virtual machines, implement the latest stable version of the integration components or VMware tools and follow the recommended practices from the vendor of the hypervisor platform.
  • Use a virtualization platform that offers the VM-GenerationID feature: Place virtual domain controllers on a virtualization platform that offers the VM-GenerationID feature. This will offer the domain controller virtualization safeguards that allow administrators to take snapshots of domain controllers without compromising the integrity of the Active Directory database. Also, domain controller cloning is available on these virtualization platforms.

Preparing the Windows Server installations

Before you install Windows Server on intended domain controllers, perform these actions:

  • Run the memory diagnostics from the Windows Server installation media: The Windows Server DVD allows administrators to check the RAM of physical and virtual machines to ensure that the memory used by the Windows Server installation is not faulty. Checking beforehand means you don't have to replace faulty memory after going live.
  • Run sysprep.exe on cloned disks: When the Windows Server installation is the result of the cloning of a disk with a Windows Server installation on it, ensure that the Windows Server installation is sysprepped. You wouldn't want the Security Identifier (SID) on the cloned disk to become the SID for the new Active Directory forest or domain you might be creating.

Preconfiguring the Windows servers

After Windows Server is installed, configure these items on the Windows Server instance, either through Server Manager on Windows Server installations with the Desktop Experience feature or by using sconfig.cmd on Server Core installations:

  • Change the hostname for the Windows Server installation. Leverage the server naming convention and/or policy within the organization.
  • Check for proper Windows activation of the Windows Server operating system.
  • Update the Windows Server installation with the latest updates.
  • Configure the server with at least one static IPv4 address and/or a static IPv6 address. Leverage the networking plan and zone assignment policies within the organization. Avoid multi-homing domain controllers.

    Tip

    When the intended domain controller is to run as a virtual machine within a cloud environment, such as Amazon's AWS or Microsoft's Azure, let the cloud provider assign the IPv4 and/or IPv6 addresses, because manually setting these addresses might break the connectivity of the Windows Server installation. Instead, use IP address reservations to ensure the intended domain controllers remain reachable over the same addresses.

  • Check for at least one connected LAN connection: Without a connected LAN connection, the promotion of a domain controller will fail. This is by design.
  • Configure a proper naming resolution: As the DNS plays a vital role in locating Active Directory, ensure the DNS is properly configured. Plan for an Active Directory-integrated DNS. Don't forget the DNS stub zones and/or conditional forwarders when creating a new Active Directory domain and/or forest. Deploy Windows Internet Name Service (WINS) or DNS GlobalNames zones in legacy environments.
  • Configure the page file correctly.
  • Implement information security measures: Deploy agents for anti-malware, uninterruptible power supplies, backup and restore, Security Incident and Event Management (SIEM), Technology State and Compliance Monitoring (TSCM), advanced threat analytics, and other information security measures your organization's policies might require.

Documenting the passwords

In large organizations, you can't get anything done without the proper changes being filed through change management. Even if your organization doesn't require these steps, it's still a recommended practice to document at least these items:

  • Document the password for the built-in administrator account: When deploying a new Active Directory forest or domain, deploy using a pre-configured password for the built-in administrator account. After successful promotion, change the password to one that you intend to assign to this account for a longer period. Document the latter password in a password vault.

    Tip

    As domain controllers are promoted using scripts, there is a chance the password for the built-in account will linger around unintentionally. Also, the password initially set for this account is stored with a weaker hashing algorithm than changed passwords.

  • Document the Directory Services Restore Mode (DSRM) password: In dire situations, when the Active Directory-related services are no longer able to start, an administrator can sign in to the server using a fallback account with the DSRM password. Intend to use different DSRM passwords for each domain controller and document these properly in a password vault.

See also

See the Creating conditional forwarders recipe in Chapter 9, Managing DNS, to create conditional forwarders.

Promoting a server to a domain controller

Promoting a Windows Server installation to a domain controller consists of three steps:

  • Installing the Active Directory Domain Services role
  • Promoting a server to a domain controller
  • Checking proper promotion

When using dcpromo.exe, you do not have to install the role beforehand.

You can promote the server in several ways. The following table displays the possibilities:

Table 2.1 – Methods for installing the Active Directory Domain Services role and 
promoting a server to a domain controller

Table 2.1 – Methods for installing the Active Directory Domain Services role and promoting a server to a domain controller

The methods in the table are all explained in more detail in this recipe.

Getting ready

In some organizations, changes can only be made using scripts and must be accompanied by rollback scripts. In these cases, the answer file and PowerShell cmdlets offer the best method. On Server Core installations of Windows Server, only the last two options are available to promote the server, either on the Command Prompt or through Windows Admin Center, unless you use Server Manager to remotely manage the server you intend to promote to a domain controller.

The Active Directory Domain Services Configuration Wizard no longer features the option to not reboot the Windows Server installation intended as a domain controller after successful promotion. If you need this option – for instance, to harden the domain controller before the first boot with custom scripts – then you can't use the Wizard. Use dcpromo.exe or the Install-DDSDomainController, Install-ADDSDomain, or Install-ADDSForest cmdlets in these cases.

When creating an additional domain controller in an existing Active Directory domain or forest, check for proper Active Directory replication before implementing the new domain controller.

How to do it...

Unless you are using dcpromo.exe to promote the Windows Server installation to a domain controller, the Active Directory Domain Services role needs to be installed first.

Installing the Active Directory Domain Services role

There are three ways to install the Active Directory Domain Services role:

  • Using Server Manager
  • Using the Install-WindowsFeature cmdlet
  • Using Windows Admin Center

Using Server Manager

To install the Active Directory Domain Services role using Server Manager, perform these steps:

  1. Press Start.
  2. Search for Server Manager and click its corresponding search result or run servermanager.exe. The Server Manager window appears.
  3. In the gray top bar of Server Manager, click Manage.
  4. Select Add Roles and Features from the menu. The Before you begin screen appears, as shown in the following screenshot:
Figure 2.1 – The Before you begin screen of the Add Roles and Features Wizard

Figure 2.1 – The Before you begin screen of the Add Roles and Features Wizard

  1. On the Before you begin screen, click Next >.
  2. On the Select installation type screen, select Role-based or feature-based installation and click Next >.
  3. On the Select destination server screen, select either the local Windows Server installation from the server pool list, the remote Windows Server installation you intend to promote to the domain controller from the server pool list, or both types of resources.
  4. Click Next >.
  5. On the Select server roles screen, select the Active Directory Domain Services role from the list of available roles. The Add Roles and Features Wizard pop-up window appears, as shown in the following screenshot:
Figure 2.2 – The Add Roles and Features Wizard pop-up window

Figure 2.2 – The Add Roles and Features Wizard pop-up window

  1. On the pop-up screen, click the Add Features button to add the features that are required for Active Directory Domain Services. These features include the Group Policy Management tool, Active Directory module for Windows PowerShell, Active Directory Administrative Center, and AD DS Snap-Ins and Command-Line Tools.
  2. Back on the Select server roles screen, click Next >.
  3. On the Select server features screen, click Next >.
  4. On the Active Directory Domain Services screen, providing an overview of Active Directory and Azure AD, click Next >.
  5. On the Confirm installation selections screen, click Install. The role and features will now be installed:
Figure 2.3 – The Installation progress page of Add Roles and Features Wizard

Figure 2.3 – The Installation progress page of Add Roles and Features Wizard

  1. When configuration of the Active Directory Domain Services server role is done, click Close to close the Add Roles and Features Wizard:

Using the Install-WindowsFeature cmdlet

As an alternative to using Server Manager, the Install-WindowsFeature cmdlet can be used. Perform the following line of Windows PowerShell in an elevated window to install the Active Directory Domain Services role:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

The preceding line of Windows PowerShell offers the only way to install the Active Directory Domain Services role on a Server Core installation of Windows Server locally.

Using Windows Admin Center

Although a PowerShell script can be run from Windows Admin Center, it also offers a native way to install roles and features. Perform these steps:

  1. In Windows Admin Center, click the Windows Server installation you want to install the Active Directory Domain Services role onto from the All Connections list.
  2. In the left navigation menu, click Roles & features.
  3. In the main pane, select the Active Directory Domain Services role in the Roles and features list by clicking the selection box to the left of it:
Figure 2.4 – The Active Directory Domain Services role selected in Windows Admin Center

Figure 2.4 – The Active Directory Domain Services role selected in Windows Admin Center

  1. Click + Install. The Install Roles and Features blade appears.
  2. Click Yes to continue the installation with the additional Active Directory module for Windows PowerShell, Group Policy Management, AD DS Snap-Ins and Command-Line Tools, and Active Directory Administrative Center features installed.
  3. A notification pops up, informing you that Windows Admin Center has Successfully completed installation of Active Directory Domain Services, which appears in the notification area when the roles and features have been successfully installed.

Promoting the server to a domain controller

There are three ways to promote a Windows Server installation to a domain controller:

  • Using the Active Directory Domain Services Configuration Wizard
  • Using the Install-DDSDomainController, Install-ADDSDomain, or Install-ADDSForest cmdlets from the Active Directory module for Windows PowerShell
  • Using dcpromo.exe with an answer file

Using the Active Directory Domain Services Configuration Wizard

Perform these steps to promote the server to a domain controller:

  1. Press Start
  2. Search for Server Manager, click its search result, or run servermanager.exe or return to Server Manager when you've accomplished installing the Active Directory Domain Services role using Server Manager.
  3. In the left navigation pane of Server Manager, click AD DS.
  4. Click the More... link in the blue ribbon (as shown in the following screenshot) titled Configuration required for Active Directory Domain Services at server:
Figure 2.5 – Promote this server to a domain controller link in All Servers Task Details and Notifications

Figure 2.5 – Promote this server to a domain controller link in All Servers Task Details and Notifications

  1. On the All Servers Task Details and Notifications screen, follow the Promote this server to a domain controller link. The Active Directory Domain Services Configuration Wizard window appears:
Figure 2.6 – The Deployment Configuration screen of the Active Directory 
Domain Services Configuration Wizard

Figure 2.6 – The Deployment Configuration screen of the Active Directory Domain Services Configuration Wizard

Tip

In the top-right corner of every Active Directory Domain Services Configuration Wizard screen, it shows the hostname of the Windows Server installation that you're promoting to a domain controller.

  1. On the Deployment Configuration screen (as shown in the preceding screenshot), select the type of deployment you intend:
    • Add a domain controller to an existing domain
    • Add a new domain to an existing forest
    • Add a new forest

      Important Note

      By default, the Add a domain controller to an existing domain option is selected. This option will create a replica domain controller in the domain. If you're not sure which selection to make, please refer to the Choosing between a new domain or forest recipe in Chapter 1, Optimizing Forests, Domains, and Trusts. The More about deployment configurations link at the bottom of the Deployment Configuration screen provides a Microsoft link with more information.

  2. Depending on your choices on the Deployment Configuration screen, supply information for the Domain or Credentials fields. Click Next to proceed to the next screen.
  3. In all the other Active Directory Domain Services Configuration Wizard screens, make the appropriate choices for the deployment scenario. Click Next > every time to proceed to the next screen, until you reach the Review Options screen:
Figure 2.7 – The Review Options screen of the Active Directory Domain Services Configuration Wizard

Figure 2.7 – The Review Options screen of the Active Directory Domain Services Configuration Wizard

  1. On the Review Options screen, review the choices made. Click Next> to proceed to the Prerequisites Check screen.

    Tip

    The Review Options screen features a button labeled View script. This button displays the Windows PowerShell script used to execute the domain controller promotion. This reusable script may be a real timesaver, especially when adding several domain controllers to an existing domain.

  2. After the prerequisites checks have been performed, click Install on the Prerequisites Check screen to start promotion.

After successful promotion, the Windows Server installation reboots as a domain controller.

Promoting a domain controller using Windows PowerShell

For the Active Directory module for Windows PowerShell, Microsoft has decided to take a slightly different route. Instead of using a single PowerShell cmdlet to promote a domain controller, there are three separate PowerShell cmdlets for each of the three scenarios, as presented on the Deployment Configuration screen of the Active Directory Domain Services Configuration Wizard:

Table 2.2 – Windows PowerShell cmdlets per domain controller promotion scenario

Table 2.2 – Windows PowerShell cmdlets per domain controller promotion scenario

To add a domain controller to an existing domain, the simplest script would look like this:

Install-ADDSDomainController -DomainName lucernpub.com

However, to add a domain controller to an existing domain, as you would in the previous example, the following script would suffice:

Install-ADDSDomainController -DomainName lucernpub.com -Credential (Get-Credential) -installDNS:$true -NoGlobalCatalog:$false -DatabasePath "E:\NTDS" -Logpath "E:\Logs" -SysvolPath "E:\SYSVOL" -Sitename RemoteLocation

This adds a domain controller to the lucernpub.com Active Directory domain, using credentials you will be prompted for securely. The domain controller is installed with a DNS server and configured as a global catalog server. All the Active Directory-related files are stored in corresponding folders on the E:\ drive, and when successful, the Windows Server installation you intend as the domain controller reboots automatically.

Replace the values in the preceding sample script with the values of your choice.

Promoting a domain controller using dcpromo.exe

Despite many news outlets reporting that dcpromo is dead, the popular option to promote a Windows Server installation to a domain controller is alive and well, even in the latest Windows Server versions. One change to the functionality of dcpromo.exe, when compared to previous versions of Windows Server, is that you can no longer use dcpromo.exe to launch the Active Directory Domain Services Configuration Wizard. You'll need to use dcpromo.exe with an answer file or with all the installation arguments specified.

The benefits of using dcpromo.exe include the use of many options that are not available when using the Active Directory Domain Services Configuration Wizard and also a wide array of sample answer files and scripts. As the type of answer files used when using dcpromo.exe, and the arguments for use on the command line, have been available since the early days of Windows Server, many people have used them, and many people have written them.

Using dcpromo.exe with an answer file consists of running the following command prompt line:

dcpromo.exe /unattend: C:\install\dcpromo.txt

Simply replace the text file location with the file of your choice.

You can also use network paths such as \\server\promotiontext$\dcpromo.txt to supply an answer file to dcpromo.txt. This makes for an ideal scenario where files don't remain lingering on domain controllers promoted this way.

The answer file consists of several arguments. Typical arguments found in the answer file include the ReplicaOrNewDomain, InstallDNS, and ConfirmGC arguments. A prime example of an answer file to add an additional domain controller to an existing domain would look like the following:

[DCINSTALL] 
ReplicaorNewDomain= replica
ReplicaDomainDNSName= lucernpub.com
UserDomain= LUCERNPUB
UserName= Administrator
SiteName= RemoteLocation
Password= "P@$$w0rd"
InstallDNS= Yes
ConfirmGC= Yes
CreateDNSDelegation= No
LogPath= E:\Logs
SYSVOLPath= E:\SYSVOL
SafeModeAdminPassword= "P@$$w0rd"
RebootOnSuccess= true

Using this answer file adds a domain controller to the lucernpub.com Active Directory domain, using the credentials for the administrator account with the P@$$w0rd password. The domain controller is installed with a DNS server and configured as a global catalog server. All the Active Directory-related files are stored in corresponding folders on the E:\ drive, and when successful, the Windows Server installation you intend as the domain controller will be rebooted automatically.

Replace the values in the preceding sample file with the values of your choice.

When promotion is successful, the passwords specified as the values for the Password and SafeModeAdminPassword arguments are cleared from the answer file. However, when promotion is unsuccessful, these values remain and may cause harm when falling into the wrong hands.

The arguments in the answer file can also be specified as command-line arguments. The arguments can be reused one on one, so the preceding sample answer file would correspond to the following command line:

dcpromo.exe /unattend /replicaornewdomain:Replica /replicadomaindnsname:lucernpub.com /userdomain:LUCERNPUB /username:administrator /password:"P@$$w0rd" /sitename:RemoteLocation /installdns:yes /confirmgc:yes /databasepath:"E:\NTDS" /logpath:"E:\logs" /sysvolpath:"E:\sysvol" /safemodeadminpassword:"P@$$w0rd"

Replace the values in the preceding sample file with the values of your choice.

Checking proper promotion

After promoting a Windows Server installation to the domain controller, it's recommended to check for proper promotion. Perform these steps to check the promotion:

  1. Check the logs: The following two files contain all the actions performed when promoting the Windows Server installation to the domain controller. A good way to check for improper promotion is to search for lines containing errors and warnings:
    • C:\Windows\Debug\dcpromo.log
    • C:\Windows\Debug\dcpromoui.log
  2. Check the event viewer: In the event viewer (eventvwr.exe), new dedicated logs are created for Active Directory. Search these logs for any Active Directory-related errors.
  3. Run Windows Update: Even though one of the recommended steps is to update the Windows Server installation you intend to promote to the domain controller, it's also a recommended step to install Windows Updates after the Windows Server installation has been promoted, as updates apply to newly installed server roles and features too. These role-specific updates are only applied after the role is installed.

See also

For more information, refer to the following recipes:

  • See the Preparing a Windows server to become a domain controller recipe.
  • See the Promoting a server to a read-only domain controller recipe.
  • See the Checking replication recipe.
Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • Expert solutions for name resolution, federation, certificates, and security with Active Directory
  • Explore Microsoft Azure AD and Azure AD Connect for effective administration on the cloud
  • Automate security tasks using Active Directory tools and PowerShell

Description

Updated to the Windows Server 2022, this second edition covers effective recipes for Active Directory administration that will help you leverage AD's capabilities for automating network, security, and access management tasks in the Windows infrastructure. Starting with a detailed focus on forests, domains, trusts, schemas, and partitions, this book will help you manage domain controllers, organizational units, and default containers. You'll then explore Active Directory sites management as well as identify and solve replication problems. As you progress, you'll work through recipes that show you how to manage your AD domains as well as user and group objects and computer accounts, expiring group memberships, and Group Managed Service Accounts (gMSAs) with PowerShell. Once you've covered DNS and certificates, you'll work with Group Policy and then focus on federation and security before advancing to Azure Active Directory and how to integrate on-premise Active Directory with Azure AD. Finally, you'll discover how Microsoft Azure AD Connect synchronization works and how to harden Azure AD. By the end of this AD book, you’ll be able to make the most of Active Directory and Azure AD Connect.

Who is this book for?

This book is for administrators of existing Active Directory Domain Service environments as well as for Azure AD tenants looking for guidance to optimize their day-to-day tasks. Basic networking and Windows Server Operating System knowledge will be useful for getting the most out of this book.

What you will learn

  • Manage the Recycle Bin, gMSAs, and fine-grained password policies
  • Work with Active Directory from both the graphical user interface (GUI) and command line
  • Use Windows PowerShell to automate tasks
  • Create and remove forests, domains, domain controllers, and trusts
  • Create groups, modify group scope and type, and manage memberships
  • Delegate, view, and modify permissions
  • Set up, manage, and optionally decommission certificate authorities
  • Optimize Active Directory and Azure AD for security
Estimated delivery fee Deliver to United States

Economy delivery 10 - 13 business days

Free $6.95

Premium delivery 6 - 9 business days

$21.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Jul 15, 2022
Length: 696 pages
Edition : 2nd
Language : English
ISBN-13 : 9781803242507
Category :
Languages :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Redeem a companion digital copy on all Print orders
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to United States

Economy delivery 10 - 13 business days

Free $6.95

Premium delivery 6 - 9 business days

$21.95
(Includes tracking information)

Product Details

Publication date : Jul 15, 2022
Length: 696 pages
Edition : 2nd
Language : English
ISBN-13 : 9781803242507
Category :
Languages :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 186.97
Active Directory Administration Cookbook, Second Edition
$51.99
Windows Server 2022 Administration Fundamentals
$79.99
Mastering Windows Security and Hardening
$54.99
Total $ 186.97 Stars icon

Table of Contents

17 Chapters
Chapter 1: Optimizing Forests, Domains, and Trusts Chevron down icon Chevron up icon
Chapter 2: Managing Domain Controllers Chevron down icon Chevron up icon
Chapter 3: Managing Active Directory Roles and Features Chevron down icon Chevron up icon
Chapter 4: Managing Containers and Organizational Units Chevron down icon Chevron up icon
Chapter 5: Managing Active Directory Sites and Troubleshooting Replication Chevron down icon Chevron up icon
Chapter 6: Managing Active Directory Users Chevron down icon Chevron up icon
Chapter 7: Managing Active Directory Groups Chevron down icon Chevron up icon
Chapter 8: Managing Active Directory Computers Chevron down icon Chevron up icon
Chapter 9: Managing DNS Chevron down icon Chevron up icon
Chapter 10: Getting the Most Out of Group Policy Chevron down icon Chevron up icon
Chapter 11: Securing Active Directory Chevron down icon Chevron up icon
Chapter 12: Managing Certificates Chevron down icon Chevron up icon
Chapter 13: Managing Federation Chevron down icon Chevron up icon
Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO) Chevron down icon Chevron up icon
Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect) Chevron down icon Chevron up icon
Chapter 16: Hardening Azure AD Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Full star icon 5
(3 Ratings)
5 star 100%
4 star 0%
3 star 0%
2 star 0%
1 star 0%
Kindle Customer Apr 03, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I received this book from a cyber connection. My field is not in Active Directory administration but it is a great book to read. The information is very knowledgeable and interesting. It covers the GUI, Powershell automation, and a lot more. I will definitely recommend this book to my tech network.
Amazon Verified review Amazon
klingsman Oct 29, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I like this this book touches on all the Key responsibilities for a sysadmins including managing cloud resources. Each IT department needs to have a copy of this book handy.
Amazon Verified review Amazon
Dave Franklyn, MCT Dec 21, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I've been teaching the Active Directory for 2 decades and I've also written Microsoft Official Courseware about it. People will often ask me what book outside of Microsoft I would recommend for further information and specific knowledge, and it always comes back to this one. The Active Directory Administration Cookbook by Sander Berkouwer is THE definitive guide for all things Active Directory! It proudly sits by my computer, and I use it often. The new work by Sander in this Second Edition now includes Windows Server 2022 and a vast array of knowledge on integration Microsoft Azure.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the digital copy I get with my Print order? Chevron down icon Chevron up icon

When you buy any Print edition of our Books, you can redeem (for free) the eBook edition of the Print Book you’ve purchased. This gives you instant access to your book when you make an order via PDF, EPUB or our online Reader experience.

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela