BRK3505

70-742: Identity with Windows Server 2016 (In development)

Speakers: Alfred Ojukwu and Joe Lurie
Senior Consultants, Microsoft Consulting Services (MCS); Microsoft Certified Trainers

Alfred Ojukwu
Senior Consultant - Microsoft
[email protected]
 Mobility Consultant with Microsoft Consulting Services (MCS)
 Certified Trainer – MCT - Mobility
 20+ Years in IT Administration
 WW Community Lead, Devices and Mobility
 Extensive involvement with Internal and External Readiness
 Blog: http://thedevicepros.com
 Interesting Fact: Grew up in Hawaii
alojukwu@

Joe Lurie
Senior Consultant - Microsoft
[email protected]
 System Center consultant with Microsoft Consulting Services, including Windows client and server upgrades
 TechReady Speaker, exam prep sessions for Windows 8 and 10, Azure, and EMS
 Microsoft Certified Trainer since 2000
 Active in Devices and Mobility community
 From Boston – GO SOX
 Fun fact (you decide): Never watched Star Trek of any flavor – no episodes of any variety, no movies
70-742: Identity with Windows Server 2016 (In development)
Install and configure active directory domain services (AD DS)
Manage and maintain AD DS
Create and manage group policy
Implement active directory certificate services
Implement identity federation and access solutions
01-Install and Configure Active Directory Domain Services (AD DS)
Install and configure domain controllers
• Install a new forest
• Add or remove a domain controller from a domain
• Upgrade a domain controller
• Install AD DS on a Server Core installation
• Install a domain controller from Install from Media (IFM)
• Resolve DNS SRV record registration issues
• Configure a global catalog server
• Transfer and seize operations master roles
• Install and configure a read-only domain controller (RODC)
• Configure domain controller cloning
Installing active directory
• Add the binaries
  • Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Restart
• Add a new forest
  • Install-ADDSForest -DomainName "corp.contoso.com"
• Add a new domain in an existing forest
  • Install-ADDSDomain -NewDomainName amer -ParentDomainName "corp.contoso.com"
• Add a new domain controller in an existing domain
  • Install-ADDSDomainController -DomainName "amer.corp.contoso.com"
• Perform a staged read-only domain controller (RODC) installation
  • Install-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName amer.corp.contoso.com -SiteName Boston
  • Then on RODC1: add the AD-Domain-Services feature and run Install-ADDSDomainController with -UseExistingAccount so the promotion attaches to the pre-created account
• Every Install-ADDS* cmdlet prompts for the Directory Services Restore Mode password unless -SafeModeAdministratorPassword is supplied
Additional common active directory install functions
• Install from media
  • Useful when the nearest existing domain controller is across a slow WAN link; the media is created on an existing DC with ntdsutil (activate instance ntds, ifm, create full <path>) and carried to the new server
  • Install-ADDSDomainController -DomainName "amer.corp.contoso.com" -InstallationMediaPath C:\ADMedia
• Configure a domain controller to not be a global catalog server
  • Install-ADDSDomainController -DomainName "amer.corp.contoso.com" -NoGlobalCatalog
• Move the Infrastructure Master FSMO role
  • The Infrastructure Master should not sit on a global catalog server unless every DC in the domain is a global catalog; this switch moves the role to the new DC when the current holder is a GC and the new DC is not one
  • Install-ADDSDomainController -DomainName "amer.corp.contoso.com" -MoveInfrastructureMasterRoleIfNecessary
• Uninstall active directory and demote to a member server
  • Uninstall-ADDSDomainController
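As an added, end-to-end example of the commands above (not from the original slides): build a new forest root on the first server, then pre-create and finish a staged RODC in a child domain. The names corp.contoso.com, amer.corp.contoso.com, RODC1, the site Boston and the delegated group AMER\BranchAdmins are assumptions; run it in an elevated PowerShell session on Windows Server 2016.

```powershell
# Added example: new forest root, then a staged RODC in an existing child domain.
# Assumed names: corp.contoso.com, amer.corp.contoso.com, RODC1, site Boston, AMER\BranchAdmins.

# 1. Binaries plus management tools (the AD PowerShell module, ADAC and ADUC come with -IncludeManagementTools)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. The DSRM password is mandatory; read it interactively rather than hard-coding it in a script
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 3. Dry run: Test-ADDSForestInstallation reports blocking problems without changing anything
$check = Test-ADDSForestInstallation -DomainName 'corp.contoso.com' `
    -SafeModeAdministratorPassword $dsrm -ForestMode WinThreshold -DomainMode WinThreshold
if ($check.Status -eq 'Error') { $check.Message; throw 'Prerequisite check failed' }

# 4. Promote. -NoRebootOnCompletion lets you inspect the result object before the reboot.
$result = Install-ADDSForest -DomainName 'corp.contoso.com' -DomainNetbiosName 'CORP' `
    -ForestMode WinThreshold -DomainMode WinThreshold -InstallDns `
    -SafeModeAdministratorPassword $dsrm -NoRebootOnCompletion -Force
$result | Format-List Status, Message, RebootRequired
Restart-Computer

# --- Later, once amer.corp.contoso.com exists ---

# 5a. On any domain-joined machine with the AD DS deployment tools: pre-create the RODC account.
#     A member of the delegated group can then finish the promotion without Domain Admins rights.
Install-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName 'RODC1' `
    -DomainName 'amer.corp.contoso.com' -SiteName 'Boston' `
    -DelegatedAdministratorAccountName 'AMER\BranchAdmins' `
    -Credential (Get-Credential -Message 'Domain Admin in amer')

# 5b. On the RODC1 server itself, logged on as a member of AMER\BranchAdmins:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for RODC1'
Install-ADDSDomainController -DomainName 'amer.corp.contoso.com' -UseExistingAccount `
    -SafeModeAdministratorPassword $dsrm `
    -Credential (Get-Credential -Message 'AMER\BranchAdmins member') -Force

# 6. After the reboot: confirm the new DC is read-only and sits in the intended site
Get-ADDomainController -Filter * -Server 'amer.corp.contoso.com' |
    Select-Object Name, IsReadOnly, IsGlobalCatalog, Site
```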
Troubleshooting DNS registration issues
• Event Viewer system log
  • NETLOGON events 5774, 5775 and 5781 indicate the domain controller cannot dynamically register (or deregister) its DNS records
• Check DNS to ensure the zone is set to allow Dynamic Updates
  • Check for Only Secure Updates: the DC must then authenticate to the DNS server, so a DC whose client DNS setting points at a non-AD-integrated or third-party server will fail to register
• Use dcdiag to troubleshoot
  • dcdiag /test:registerindns /dnsdomain:FQDN /v
  • dcdiag /test:dns /v runs the wider set of DNS checks (delegation, forwarders, dynamic update, record registration)
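An added triage script for the checks listed above (example code, not from the slides). It assumes a DC named DC1 in corp.contoso.com and runs from a machine with the DNS Server and AD management tools installed.

```powershell
# Added example: triage a DC whose SRV records are missing from DNS. Assumed names: DC1, corp.contoso.com.
$domain = 'corp.contoso.com'
$dc     = 'DC1'

# 1. Recent NETLOGON registration failures on the DC
#    5774 = registration failed, 5775 = deregistration failed, 5781 = dynamic registration not possible
Get-WinEvent -ComputerName $dc -MaxEvents 20 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774, 5775, 5781 } |
    Select-Object TimeCreated, Id, @{ n = 'Text'; e = { $_.Message.Split("`n")[0] } }

# 2. Is the zone accepting dynamic updates? 'Secure' requires the DC to authenticate; 'None' blocks all.
Get-DnsServerZone -ComputerName $dc -Name $domain | Select-Object ZoneName, DynamicUpdate, IsDsIntegrated
# Fix the common mistake (updates disabled) without opening the zone to unauthenticated writers:
# Set-DnsServerPrimaryZone -ComputerName $dc -Name $domain -DynamicUpdate Secure

# 3. The records clients actually need: the DC locator entries under the _msdcs subdomain
$srv = foreach ($name in "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.dc._msdcs.$domain") {
    Resolve-DnsName -Name $name -Type SRV -Server $dc -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port
}
if (-not $srv) { Write-Warning "No DC locator SRV records found for $domain on $dc" } else { $srv }

# 4. Force NETLOGON to re-register, then re-test with dcdiag
Invoke-Command -ComputerName $dc -ScriptBlock { nltest /dsregdns; ipconfig /registerdns }
dcdiag /s:$dc /test:registerindns /dnsdomain:$domain /v
```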
Create and manage active
directory users and
computers
• Automate the creation of Active Directory
accounts
• Create, copy, configure, and delete users and
computers
• Configure templates
• Perform bulk Active Directory operations
• Configure user rights
• Implement offline domain join
• Manage inactive and disabled accounts
• Automate unlocking of disabled accounts using
Windows PowerShell
• Automate password resets using Windows
PowerShell
Creating active directory objects – adac.exe
• Create and manage active directory objects
  • "Copy" when creating like-objects
  • Create templates, including group memberships
  • CSVDE, LDIFDE, DSADD are still around
  • Redirusr and redircmp redirect the default path for new user and computer objects
• Active Directory Administrative Center
  • Active Directory recycle bin
  • Fine-grained password policies
  • Windows PowerShell history viewer
    • Add navigation node
    • View the history
• NEW to Server 2016
  • Time-bombed groups
  • Federation Services
    • ADFS supports LDAPv3
    • Conditional Access control
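The account-management objectives above (automated creation, templates, bulk operations, unlocking, password resets) as one added PowerShell example; this is not the slide deck's code. The template account tpl.sales, the OU OU=Sales,DC=corp,DC=contoso,DC=com and the inline CSV are constructed for the example.

```powershell
# Added example: bulk user creation from a template user, then unlock, stale-account and reset tasks.
# Assumed: template account 'tpl.sales', OU "OU=Sales,DC=corp,DC=contoso,DC=com", CSV constructed inline.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web     # for Membership.GeneratePassword

# Constructed sample input; in practice use Import-Csv .\newusers.csv
$newUsers = @'
SamAccountName,GivenName,Surname,Department
alice.w,Alice,Wong,Sales
bob.k,Bob,Kaur,Sales
'@ | ConvertFrom-Csv

$ou  = 'OU=Sales,DC=corp,DC=contoso,DC=com'
$tpl = Get-ADUser -Identity 'tpl.sales' -Properties Department, Company, MemberOf

foreach ($u in $newUsers) {
    # Random per-user initial password, forced to change at first logon; never a shared default
    $initial = ConvertTo-SecureString ([System.Web.Security.Membership]::GeneratePassword(20, 4)) -AsPlainText -Force
    New-ADUser -Name "$($u.GivenName) $($u.Surname)" -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@corp.contoso.com" `
        -GivenName $u.GivenName -Surname $u.Surname -Department $u.Department `
        -Instance $tpl -Path $ou -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
    # -Instance copies attribute values, not group memberships; copy those explicitly (ADAC "copy" does the same)
    foreach ($g in $tpl.MemberOf) { Add-ADGroupMember -Identity $g -Members $u.SamAccountName }
}

# Find and unlock locked-out user accounts (-UsersOnly skips computer accounts)
Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount -PassThru | Select-Object SamAccountName

# Inactive (90 days without logon) enabled accounts, and accounts already disabled: report before acting
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly | Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate
Search-ADAccount -AccountDisabled -UsersOnly | Select-Object SamAccountName, DistinguishedName

# Reset a password (admin reset, bypasses history/min-age) and require a change at next logon
$newPw = Read-Host -AsSecureString 'New password for bob.k'
Set-ADAccountPassword -Identity 'bob.k' -Reset -NewPassword $newPw
Set-ADUser -Identity 'bob.k' -ChangePasswordAtLogon $true
```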
Time-limited group memberships
• Users can be added to a security group with a time-to-live (TTL)
• When the TTL expires, the user's membership in that group disappears
  • Stored on the group as Member: <TTL,user-DN>
• Kerberos ticket lifetime is bounded by the TTL of the user's memberships
  • TGT: lifetime is the shortest remaining TTL among the user's group memberships
  • Service ticket (ST): the shorter of the TGT lifetime and the resource-domain group membership lifetime
• Requires the Windows Server 2016 forest functional level and the Privileged Access Management optional feature
• A scavenger thread on the domain controller removes expired memberships
Admin account use, with PAM for Just-In-Time
(Diagram: Admin -> PAM Portal -> Approver; accounts live in the PRIV AD forest)
1. Users have separate admin accounts
2. As admin, the user puts in a request to have Domain Admin rights for 60 minutes
3. Approver approves the request
4. The admin account is added to the "Domain Admins" shadow group for a limited time
5. The separate admin account is used to log on and complete the tasks
6. The privileged right expires and the shadow group membership is removed

These accounts are not used for email, and do not stay "Domain Admin" indefinitely.
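The expiring-membership mechanism behind both slides above (time-limited groups and the PAM just-in-time flow), as an added example that is not part of the original deck. It assumes the forest corp.contoso.com is already at the 2016 forest functional level, an admin account alice.adm and a group Tier0-Ops.

```powershell
# Added example: enable expiring group memberships and grant a time-boxed membership.
# Assumed: forest corp.contoso.com at the Windows Server 2016 FFL, account 'alice.adm', group 'Tier0-Ops'.
Import-Module ActiveDirectory

# 1. One-time and irreversible: the optional feature that lets groups store TTL-tagged members
$forest = Get-ADForest
if ($forest.ForestMode -notmatch '2016') { throw "Forest is at $($forest.ForestMode); Windows2016Forest required" }
if (-not (Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"').EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# 2. Membership that removes itself after 60 minutes. The next TGT alice.adm obtains
#    will expire no later than this membership does, so the right cannot outlive the approval.
Add-ADGroupMember -Identity 'Tier0-Ops' -Members 'alice.adm' -MemberTimeToLive (New-TimeSpan -Minutes 60)

# 3. Audit what is currently time-boxed: -ShowMemberTimeToLive returns "<TTL=seconds,DN>" for expiring members
function Get-GroupMembershipTtl([string]$Group) {
    Get-ADGroup -Identity $Group -Property member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+),(.+)>$') { [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] } }
            else                               { [pscustomobject]@{ Member = $_;          SecondsLeft = 'permanent' } }
        }
}
Get-GroupMembershipTtl 'Tier0-Ops'

# 4. Revoke early instead of waiting for the scavenger thread (e.g. the task finished, or the approval was withdrawn)
Remove-ADGroupMember -Identity 'Tier0-Ops' -Members 'alice.adm' -Confirm:$false
```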
Ways to join a computer to the domain
• System Control Panel
  • Computer object is created in the default Computers container unless pre-staged
• Windows PowerShell
  • Add-Computer -ComputerName 'Server1' -DomainName 'amer.corp.contoso.com' -Credential (Get-Credential) -Restart
  • Computer object is created in the default container unless pre-staged or -OUPath is given
• Desired State Configuration (DSC)
  • Joins a computer to the domain, and re-joins it if it "falls out" of the domain
  • Uses the Start-DscConfiguration cmdlet; the Local Configuration Manager can be set to check compliance every x minutes
• Offline domain join
  • Run djoin.exe /provision on a domain-joined computer to pre-stage the computer object and create the provisioning file
  • Run djoin.exe /requestODJ on the target computer and point it to the provisioning file
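Both the offline join and the self-correcting DSC join from the slide above, as one added example (not the deck's own code). It assumes the server Server1, the domain amer.corp.contoso.com, the OU OU=Servers,DC=amer,DC=corp,DC=contoso,DC=com, a join account AMER\svc-join, and the ComputerManagementDsc module from the PowerShell Gallery for the Computer resource.

```powershell
# Added example: offline domain join (djoin) and a DSC configuration that keeps the join in place.
# Assumed names: Server1, amer.corp.contoso.com, OU=Servers,DC=amer,DC=corp,DC=contoso,DC=com, AMER\svc-join.
# The Computer resource comes from the ComputerManagementDsc module (Install-Module ComputerManagementDsc).

# --- Offline domain join ---
# On a domain-joined admin workstation: pre-stage the account and write the blob. Rights to create
# computer objects in the target OU are enough; Domain Admins is not required.
djoin.exe /provision /domain amer.corp.contoso.com /machine Server1 `
    /machineou 'OU=Servers,DC=amer,DC=corp,DC=contoso,DC=com' /savefile C:\Temp\Server1.txt

# The blob contains the machine account password: treat it as a secret and delete it after use.
# On Server1 (may have no connectivity to the domain at this point; reboot afterwards):
djoin.exe /requestODJ /loadfile C:\Temp\Server1.txt /windowspath C:\Windows /localos
Remove-Item C:\Temp\Server1.txt -Force

# --- DSC: join, and re-join automatically if the machine drops out ---
configuration DomainJoin {
    param([Parameter(Mandatory)][pscredential]$JoinCredential)
    Import-DscResource -ModuleName ComputerManagementDsc
    node 'Server1' {
        Computer JoinDomain {
            Name       = 'Server1'
            DomainName = 'amer.corp.contoso.com'
            JoinOU     = 'OU=Servers,DC=amer,DC=corp,DC=contoso,DC=com'
            Credential = $JoinCredential
        }
    }
}

# LCM settings: test every 30 minutes and correct drift (a broken trust fails Test, so Set re-joins)
[DSCLocalConfigurationManager()]
configuration JoinLcm {
    node 'Server1' {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $true
        }
    }
}

# Lab only: the credential lands in the MOF in plaintext. In production set CertificateFile/Thumbprint
# in the node data so the LCM encrypts it with the node's certificate.
$cd = @{ AllNodes = @(@{ NodeName = 'Server1'; PSDscAllowPlainTextPassword = $true; PSDscAllowDomainUser = $true }) }
DomainJoin -JoinCredential (Get-Credential 'AMER\svc-join') -ConfigurationData $cd -OutputPath C:\DSC\Join
JoinLcm -OutputPath C:\DSC\Lcm

Set-DscLocalConfigurationManager -Path C:\DSC\Lcm -Verbose
Start-DscConfiguration -Path C:\DSC\Join -Wait -Verbose
Test-DscConfiguration -Detailed     # InDesiredState = True once the join is complete
```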
Transferring and seizing FSMO roles
• Transfer FSMO roles
  • Do this before a role holder goes down for planned maintenance, so there is no loss of the FSMO service; both domain controllers must be online
  • Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator
• Seize FSMO roles
  • Do this only if the role holder is down and cannot be recovered; the old holder must never come back onto the network afterwards without being rebuilt and having its metadata cleaned up
  • Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force
• FSMO roles can be represented by numbers
  • Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole 0,1,2,3,4 -Force

  Role Name             Number
  PDCEmulator           0
  RIDMaster             1
  InfrastructureMaster  2
  SchemaMaster          3
  DomainNamingMaster    4
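An added script around the cmdlet above (example code, not from the slides): inventory the five role holders, transfer them to a target DC, and check for the Infrastructure Master/global catalog misplacement mentioned earlier. DC1 as the current holder, DC2 as the target and corp.contoso.com are assumptions.

```powershell
# Added example: inventory the role holders, transfer all five to DC2, verify.
# Assumed names: DC1 (current holder), DC2 (target), domain corp.contoso.com.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $f = Get-ADForest; $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster          # forest-wide
        DomainNamingMaster   = $f.DomainNamingMaster    # forest-wide
        PDCEmulator          = $d.PDCEmulator           # per domain
        RIDMaster            = $d.RIDMaster             # per domain
        InfrastructureMaster = $d.InfrastructureMaster  # per domain
    }
}

'Before:'; Get-FsmoHolders

# Graceful transfer; both DCs must be reachable. No -Force here: with -Force the cmdlet seizes the
# role when the current holder does not answer, which is not what you want during planned maintenance.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Seizure, only when DC1 is gone for good. Afterwards clean DC1's metadata and never power it on again.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole 0,1,2,3,4 -Force -Confirm:$false

'After:'; Get-FsmoHolders

# Flag the classic misplacement: Infrastructure Master on a GC while some DC in the domain is not a GC
$gcs   = (Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }).HostName
$allDc = (Get-ADDomainController -Filter *).HostName
$im    = (Get-ADDomain).InfrastructureMaster
if ($im -in $gcs -and (Compare-Object $gcs $allDc)) {
    Write-Warning "$im is a GC but not every DC is; phantom (cross-domain reference) cleanup will not run there"
}

# Independent confirmation from the classic tool
netdom query fsmo
```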
Create and manage Active
Directory groups and
organizational units (OUs)
 Configure group nesting
 Convert groups, including security, distribution,
universal, domain local, and domain global
 Manage group membership using Group Policy
 Enumerate group membership; automate group
membership management using Windows
PowerShell
 Delegate the creation and management of Active
Directory groups and OUs
 Manage default Active Directory containers
 Create, copy, configure, and delete groups and
OUs
Create and manage groups
• What should I know?
  • Distribution Group vs. Security Group
  • Global vs. Local vs. Domain Local vs. Universal group scope
  • Group Nesting
  • Changing from Global to Domain Local (or vice versa) requires changing to Universal first
  • Restricted Groups Group Policy: "Members" replaces the group's membership with the list; "Member of" adds the group to the listed groups
• Using PowerShell for managing groups
  • New-ADGroup
  • Add-ADGroupMember
  • Get-ADGroupMember "Account Operators"
  • Add the Active Directory module for Windows PowerShell (RSAT-AD-PowerShell feature) to a member server
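An added example of the group operations above (not the deck's code): nesting in the AGDLP pattern, the two-step scope conversion, and recursive enumeration in both directions. The OU OU=Groups,DC=corp,DC=contoso,DC=com, the group names and the users alice and bob are assumed.

```powershell
# Added example: create, nest, convert scope, and enumerate groups.
# Assumed: OU=Groups,DC=corp,DC=contoso,DC=com; users alice and bob already exist.
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=corp,DC=contoso,DC=com'

# AGDLP: Accounts -> Global group -> Domain Local group -> Permissions on the resource
New-ADGroup -Name 'Sales-Users'          -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name 'FS01-SalesShare-RW'   -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Sales-Users'        -Members alice, bob
Add-ADGroupMember -Identity 'FS01-SalesShare-RW' -Members 'Sales-Users'

# Scope change Global -> Domain Local is refused in one step; go through Universal
New-ADGroup -Name 'Legacy-App-Users' -GroupScope Global -GroupCategory Security -Path $ou
Set-ADGroup -Identity 'Legacy-App-Users' -GroupScope Universal
Set-ADGroup -Identity 'Legacy-App-Users' -GroupScope DomainLocal
# (Global -> Universal is itself refused while the group is a member of another Global group.)

# Effective (nested) membership: who really gets RW on the share?
Get-ADGroupMember -Identity 'FS01-SalesShare-RW' -Recursive | Select-Object objectClass, SamAccountName

# The other direction: every group a user is in, including through nesting.
# tokenGroups is the SID list the DC computes for the user's logon token.
function Get-EffectiveGroups([string]$Sam) {
    $u = Get-ADUser -Identity $Sam -Properties tokenGroups
    foreach ($sid in $u.tokenGroups) {
        $g = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue   # built-in SIDs such as Everyone are not AD objects
        if ($g) { $g.Name }
    }
}
Get-EffectiveGroups alice

# Quick privileged-group audit: accounts reaching Domain Admins through nesting rather than directly
$direct = (Get-ADGroupMember 'Domain Admins').distinguishedName
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.distinguishedName -notin $direct } |
    Select-Object SamAccountName, objectClass
```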
Practice Question
You are the administrator for a domain named corp.contoso.com. You image a new server named Server1 and want to join the server to the domain. You decide to use PowerShell.

You log on to the server and open an elevated PowerShell window, and enter your credentials.

What command should you use?

A. Add-Computer 'Server1' -DomainName 'corp.contoso.com'
B. Add-Computer 'Server1' -DomainController 'DC1'
C. Add-ADComputerServiceAccount -ComputerName 'Server1'
D. Add-ADComputerServiceAccount -AccountName 'Server1'
Install and configure active directory domain services

Tip #1: Know the PowerShell commands for installing and managing Active Directory
Tip #2: Group Types and Scopes haven't really changed, but if you haven't managed them lately, brush up
Tip #3: DSC can be used to join a server to the domain, and rejoin it if necessary
Key topics: Active Directory, FSMO Roles, DNS, Desired State Configuration (DSC), etc.
02-Manage and Maintain AD DS
Configure service
authentication and account
policies
• Create and configure Service Accounts
• Create and configure Group Managed Service
Accounts (gMSAs)
• Configure Kerberos Constrained Delegation
(KCD)
• Manage Service Principal Names (SPNs)
• Configure virtual accounts
• Configure domain and local user password policy
settings
• Configure and apply Password Settings Objects
(PSOs)
• Delegate password settings management
• Configure account lockout policy settings
• Configure Kerberos policy settings within Group
Policy
Configure service authentication
Service Accounts
Used to enhance security, but the pain point is password management and SPN management.
Two types: Managed Service Accounts (sMSA) and Group Managed Service Accounts (gMSA)

Create/configure Managed Service Accounts (single server)
  New-ADServiceAccount with the -RestrictToSingleComputer parameter
  Not supported for scheduled tasks, Exchange, SQL

Create/configure Group Managed Service Accounts (multiple servers)
  Minimum of one DC that runs at least Windows Server 2012
  Before you begin, you must create the KDS Root Key: Add-KdsRootKey -EffectiveImmediately. The key still becomes usable only after the 10-hour replication safety window; in a single-DC lab, -EffectiveTime ((Get-Date).AddHours(-10)) skips the wait
  Then New-ADServiceAccount and Set-ADServiceAccount

Configure Kerberos delegation
  IIS may require the "Trust this computer for delegation to any service (Kerberos only)" option. That is unconstrained delegation: the server can then impersonate any user who authenticates to it, against any service. Prefer "Trust this computer for delegation to specified services only" (constrained delegation) and list just the back-end SPNs

Manage Service Principal Names (SPNs)
  SPN format: <service class>/<host>[:<port>][/<service name>]
  Register with setspn -S <SPN> <account> (-S checks for duplicates first); list with setspn -L <account>; find duplicates forest-wide with setspn -X
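The gMSA, constrained-delegation and SPN steps above as one added end-to-end example (not from the slides). It assumes web servers WEB01 and WEB02, a SQL server SQL01, the host group Web-Farm-Hosts and the domain corp.contoso.com.

```powershell
# Added example: gMSA for a two-node IIS farm with constrained delegation to one SQL Server SPN.
# Assumed names: WEB01/WEB02, SQL01, group 'Web-Farm-Hosts', OU=Groups,DC=corp,DC=contoso,DC=com.
Import-Module ActiveDirectory

# 1. KDS root key, once per forest. -EffectiveImmediately still waits ~10 hours for replication.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 2. Only the hosts in this group can retrieve the password; no human ever knows it
New-ADGroup -Name 'Web-Farm-Hosts' -GroupScope Global -GroupCategory Security -Path 'OU=Groups,DC=corp,DC=contoso,DC=com'
Add-ADGroupMember -Identity 'Web-Farm-Hosts' -Members (Get-ADComputer WEB01), (Get-ADComputer WEB02)

# 3. The account itself, with its SPNs (sAMAccountName is limited to 15 characters for a gMSA)
New-ADServiceAccount -Name 'gmsa-web' -DNSHostName 'web.corp.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'Web-Farm-Hosts' `
    -ServicePrincipalNames 'HTTP/web.corp.contoso.com', 'HTTP/web' `
    -ManagedPasswordIntervalInDays 30 -KerberosEncryptionType AES128, AES256

# 4. Constrained delegation: the web app may present user tickets to SQL01's MSSQLSvc SPN and nothing else
Set-ADServiceAccount -Identity 'gmsa-web' -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.corp.contoso.com:1433' }
# Do not set TrustedForDelegation ($true = "any service"). Leave TrustedToAuthForDelegation off
# unless protocol transition (S4U2Self) is genuinely needed, because it lets the server mint tickets
# for users who never authenticated to it.

# 5. On each web server, after a reboot so the new group membership is in the host's token:
#    Install-ADServiceAccount -Identity 'gmsa-web'
#    Test-ADServiceAccount   -Identity 'gmsa-web'     # True when the host can fetch the password
#    Then set the application pool identity to CORP\gmsa-web$ with an empty password.

# 6. Audit: unconstrained delegation outside the Domain Controllers group (primaryGroupID 516), and duplicate SPNs
Get-ADComputer -Filter { TrustedForDelegation -eq $true -and primaryGroupID -ne 516 } | Select-Object Name
Get-ADUser     -Filter { TrustedForDelegation -eq $true } | Select-Object SamAccountName
setspn -X
```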
Configure virtual accounts
What are they?
Introduced in Server 2008 R2 to simplify service administration
Offer the following benefits
  Aren't created or deleted
  No password management
  Ability to access the network with the computer identity (DOMAIN\computer$)

How to configure a service to use one
  Open the Properties of the service and click the Log On tab
  Select This Account and type NT SERVICE\service_name (leave the password fields empty)
  Click OK and restart the service

How to configure an IIS app pool to use one
  Open IIS and browse to the app pool
  Go to the Advanced Settings of the app pool
  In the Identity field, select ApplicationPoolIdentity (the pool then runs as IIS APPPOOL\<pool name>)
  Stop and restart the app pool

SQL Server virtual account names
  Service                                                          Virtual Account Name
  Default instance of the Database Engine service                  NT SERVICE\MSSQLSERVER
  Named instance of a Database Engine service named PAYROLL        NT SERVICE\MSSQL$PAYROLL
  SQL Server Agent service on the default instance of SQL Server   NT SERVICE\SQLSERVERAGENT
  SQL Server Agent service on an instance of SQL Server named PAYROLL   NT SERVICE\SQLAGENT$PAYROLL
Configure account policies
• What should I know?
  • Domain policy settings vs. local policy settings
  • Delegate password settings management
  • Account lockout policies for domain accounts are applied at the domain level (Default Domain Policy); a GPO linked to an OU only affects local accounts on those computers
  • Password Settings Object (PSO) to apply different password policies to different groups
• Account Policies
  • Password policy
  • Account lockout policy
  • Kerberos Policy
• Password settings object (PSO)
  • Fine-grained password policies are stored in the Password Settings Container (PSC); each PSO carries a full set of password and lockout settings
  • PSO has two key attributes: PSO link (msDS-PSOAppliesTo, pointing at users and global security groups) and Precedence (the lowest value wins when multiple PSOs apply; a PSO linked directly to the user beats any group-linked PSO)
  • Cannot be applied to an OU. If you need to apply a PSO to all users in an OU, use a Sh

adow Group
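The PSO workflow above as an added example (not from the slides): a 30-day policy for a Legal group, the shadow-group pattern for an OU, the resultant-policy check, and delegation of the PSC. The group Legal, the user carol, the OU OU=Legal,DC=corp,DC=contoso,DC=com and the group PSO-Admins are assumptions.

```powershell
# Added example: 30-day password policy for the Legal group, shadow group for an OU, resultant-policy check.
# Assumed: group 'Legal', user 'carol', OU=Legal,DC=corp,DC=contoso,DC=com, group 'PSO-Admins'.
Import-Module ActiveDirectory

# Lower Precedence wins when several PSOs apply; a PSO linked directly to the user beats any group PSO
New-ADFineGrainedPasswordPolicy -Name 'PSO-Legal-30d' -Precedence 10 `
    -MaxPasswordAge '30.00:00:00' -MinPasswordAge '1.00:00:00' -MinPasswordLength 14 `
    -PasswordHistoryCount 24 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 -LockoutObservationWindow '00:15:00' -LockoutDuration '00:30:00'

# Link to the global security group (PSOs cannot be linked to OUs)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Legal-30d' -Subjects 'Legal'

# Shadow group pattern: keep the group's user membership equal to the OU's users (run on a schedule)
function Sync-ShadowGroup([string]$Group, [string]$OU) {
    $ouUsers = Get-ADUser -SearchBase $OU -Filter *
    $current = Get-ADGroupMember -Identity $Group | Where-Object objectClass -eq 'user'
    Compare-Object $ouUsers $current -Property distinguishedName | ForEach-Object {
        if ($_.SideIndicator -eq '<=') { Add-ADGroupMember    -Identity $Group -Members $_.distinguishedName }
        else                           { Remove-ADGroupMember -Identity $Group -Members $_.distinguishedName -Confirm:$false }
    }
}
Sync-ShadowGroup -Group 'Legal' -OU 'OU=Legal,DC=corp,DC=contoso,DC=com'

# What actually applies to carol? An empty result means the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'carol' | Select-Object Name, Precedence, MaxPasswordAge

# Delegate PSO management without Domain Admins: full control on the Password Settings Container.
# dsacls is the supported command-line tool for directory ACL edits (GA = generic all, /I:T = this object and children).
$psc = "CN=Password Settings Container,CN=System,$((Get-ADDomain).DistinguishedName)"
dsacls $psc /G 'CORP\PSO-Admins:GA' /I:T
```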
Maintain active directory
• Back up Active Directory and SYSVOL
• Manage Active Directory offline
• Perform offline defragmentation of an Active
Directory database, clean up metadata
• Configure Active Directory snapshots
• Perform object- and container-level recovery
• Perform Active Directory restore
• Configure and restore objects by using the Active
Directory Recycle Bin
• Configure replication to Read-Only Domain
Controllers (RODCs)
• Configure Password Replication Policy (PRP) for
RODC
• Monitor and manage replication
• Upgrade SYSVOL replication to Distributed File
System Replication (DFSR)
Maintain active directory
Back up Active Directory and SYSVOL
• wbadmin start systemstatebackup -backuptarget:e: (system state includes the AD database, the registry and SYSVOL)

Manage Active Directory offline
• Stop the Active Directory Domain Services service (Services console, or Stop-Service NTDS -Force); dependent services such as the KDC, DNS Server and DFSR stop with it
• Can perform offline defrag (or other maintenance) and then start the service again, without booting into DSRM

Optimize an Active Directory database
• LDIFDE can be used to manually kick off a garbage collection process (an LDIF modify of the rootDSE doGarbageCollection attribute) to free up space inside the file
• NTDSUTIL can compact the ntds.dit file offline (need adequate disk space to hold a second copy of the .dit file)

Perform Active Directory restore
• Authoritative vs. non-authoritative: a non-authoritative restore is brought up to date (overwritten) by replication; an authoritative restore (ntdsutil "authoritative restore") raises the version numbers of the restored objects so they replicate out and win

Exam Tip: Watch for scenarios where a deleted object comes back into Active Directory
Additional active directory maintenance tasks
Perform object- and container-level recovery
  Ntdsutil (authoritative restore) or Restore-ADObject (the Recycle Bin must be enabled to get link-valued attributes such as group memberships back)
  Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <DomainName> -Server <DomainControllerName>
  Enabling the Recycle Bin is irreversible and requires the Windows Server 2008 R2 forest functional level

Clean up metadata
  Deleting the DC's computer object from the Domain Controllers OU in ADUC/ADAC results in automatic metadata cleanup (same as Server 2008/2012)
  Deleting the DC's NTDS Settings object in Sites & Services also results in automatic metadata cleanup
  Otherwise: ntdsutil, metadata cleanup, remove selected server <DN of DC>

Configure Active Directory snapshots
  ntdsutil, snapshot, activate instance ntds, create; mount the snapshot and expose it read-only with dsamain.exe on an alternate LDAP port to compare or copy attributes
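The recovery tasks above as one added example (not from the slides): enable the Recycle Bin safely, locate and restore a deleted user with its memberships, and read a snapshot without restoring it. The domain corp.contoso.com, the DC DC1 and the deleted user dave are assumptions.

```powershell
# Added example: enable the Recycle Bin, find and restore a deleted user, and read a snapshot.
# Assumed names: domain corp.contoso.com, DC1, deleted user 'dave'.
Import-Module ActiveDirectory

# 1. Irreversible, so refuse to run below the 2008 R2 forest functional level
$forest = Get-ADForest
if ($forest.ForestMode -in 'Windows2000Forest', 'Windows2003Forest', 'Windows2008Forest') {
    throw "Forest functional level $($forest.ForestMode) is too low for the Recycle Bin"
}
if (-not (Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Server DC1 -Confirm:$false
}

# 2. Deleted objects keep their attributes (memberOf included) until msDS-DeletedObjectLifetime expires
$deleted = Get-ADObject -Filter { SamAccountName -eq 'dave' -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, memberOf
$deleted | Select-Object Name, lastKnownParent, whenChanged

# 3. Restore to the original parent (use -TargetPath to relocate). If the parent OU was deleted too,
#    restore the OU first, since the parent must exist.
$deleted | Restore-ADObject
Get-ADUser dave -Properties memberOf | Select-Object -ExpandProperty memberOf

# 4. Read-only view of the database at a point in time, without touching the live directory.
#    These are ntdsutil/dsamain commands to run in an elevated prompt on the DC:
#    ntdsutil "activate instance ntds" snapshot create quit quit
#    ntdsutil "activate instance ntds" snapshot "list all" "mount 1" quit quit
#    dsamain -dbpath "C:\$SNAP_<datetime>_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 50000
#    Then query it like any DC, e.g. compare an attribute before and after a change:
#    Get-ADUser dave -Properties memberOf -Server 'DC1:50000'
#    ntdsutil "activate instance ntds" snapshot "list all" "unmount 1" quit quit
```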
Read-only domain controller replication and password policy
RODC replication
• DFS Replication replicates SYSVOL between domain controllers; replication to an RODC is inbound only
• DFSR will revert any change made directly to the RODC's SYSVOL by an administrator. The administrator can make the change locally, but it is reverted at the next replication from a writable domain controller. The same holds for the directory: an RODC refers LDAP writes to a writable DC

RODC password replication policy
• Determines whether an RODC may cache a user's or computer's secrets after a successful logon through it (or when prepopulated); cached secrets stay until the password changes
• Uses Allowed and Denied lists; Denied wins over Allowed
• By default, the Allowed RODC Password Replication Group has no members. The Denied RODC Password Replication Group includes Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Schema Admins, Cert Publishers, Group Policy Creator Owners, the krbtgt account, and more
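An added example for the Password Replication Policy (not the deck's code): scope what RODC1 may cache, prepopulate the branch population, and review what the RODC already holds, which is the list you must reset if the RODC is stolen. RODC1, DC1, the groups Boston-Users, Tier0-Ops and Service-Accounts are assumptions.

```powershell
# Added example: scope what RODC1 may cache, prepopulate branch users, review cached secrets.
# Assumed names: RODC1 (site Boston), writable DC1, groups 'Boston-Users', 'Tier0-Ops', 'Service-Accounts'.
Import-Module ActiveDirectory

# 1. Allow only the branch population; explicitly deny anything privileged (Denied wins over Allowed)
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC1' -AllowedList 'Boston-Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC1' -DeniedList 'Tier0-Ops', 'Service-Accounts'

# 2. Current policy
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC1' -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC1' -Denied  | Select-Object Name

# 3. Prepopulate so the first logon works even when the WAN is down. Include the branch computers:
#    their secrets are needed for the Kerberos session ticket, not just the user's.
Get-ADGroupMember 'Boston-Users' -Recursive |
    ForEach-Object { Sync-ADObject -Object $_ -Source 'DC1' -Destination 'RODC1' -PasswordOnly }

# 4. What secrets does the RODC hold right now? If the box is stolen, every one of these needs a reset.
function Get-RodcCachedSecrets([string]$Rodc) {
    $revealed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    $privileged = (Get-ADGroupMember 'Domain Admins' -Recursive).SID
    foreach ($a in $revealed) {
        [pscustomobject]@{ Name = $a.Name; Class = $a.ObjectClass; Privileged = ($a.SID -in $privileged) }
    }
}
$cached = Get-RodcCachedSecrets 'RODC1'
$cached | Where-Object Privileged | ForEach-Object { Write-Warning "Privileged secret cached on RODC1: $($_.Name)" }

# 5. Accounts that authenticated through RODC1 but are not cached: candidates for the Allowed list
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC1' -AuthenticatedAccounts |
    Where-Object { $_.Name -notin $cached.Name } | Select-Object Name, ObjectClass
```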
Configure active directory in a
complex enterprise environment
• Configure a multi-domain and multi-forest Active
Directory infrastructure
• Deploy Windows Server 2016 domain controllers
within a pre-existing Active Directory environment
• Upgrade existing domains and forests; configure
domain and forest functional levels
• Configure multiple user principal name (UPN)
suffixes
• Configure external, forest, shortcut, and realm
trusts
• Configure trust authentication
• Configure SID filtering
• Configure name suffix routing
• Configure sites and subnets and site links
• Manage site coverage
• Manage registration of SRV records
• Move domain controllers between sites
Configure a forest or a domain
Multi-domain and multi-forest environments
• Domain functional level – All DCs in the domain must run that Windows Server version or higher
• Forest functional level – All domains in the forest must be at that domain functional level or higher

Upgrading functional levels
• All DCs must be upgraded first
• Raising the functional level usually adds new features; since 2008 R2 a level can be lowered again only while no feature that depends on it (such as the Recycle Bin) is enabled

Multiple UPN suffixes
• Can simplify the logon process
• Not required to be a valid DNS name
• Must be Domain Admin or Enterprise Admin to add a UPN suffix (forest-wide, in Active Directory Domains and Trusts)

Types of Trusts
• Forest: Transitive. Can be used to share resources between forests
• Shortcut: Transitive. Used to reduce the number of hops between domains in the same forest
• External: Non-transitive. Access to resources in a single domain of an external (separate) forest
• Realm: Non-transitive by default. Used to access resources in a non-Windows Kerberos environment
Additional trust information
Trust authentication
• Domain-wide: Grants access to all users in the trusted domain (they become Authenticated Users on every computer in the trusting domain)
• Selective: Administrators must grant "Allowed to Authenticate" on the individual resource computers
• Forest-wide: Grants access to all users in the trusted forest

Name Suffix Routing
• Created on both sides of the trust when the trust is first enabled
• Comprised of wildcard + DNS suffix (*.contoso.com)
• Directs authentication traffic for that suffix to the correct forest

SID Filtering
• Prevents administrators in the trusted forest from using SID history to grant themselves (or others) rights in the trusting forest
• SID filtering (quarantine) is on by default for external and forest trusts. It can be disabled (netdom trust ... /quarantine:No, or /enablesidhistory:Yes on a forest trust) for a migration, which reopens the SID-history attack path for as long as it stays off

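An added example for the trust material above (not the deck's code): create an external trust with selective authentication and then audit every trust for the weak settings discussed (SID filtering off, domain-wide authentication, RC4-only keys). corp.contoso.com as the trusting domain, fabrikam.com as the trusted domain and FABRIKAM\admin are assumptions; there is no New-ADTrust cmdlet, so creation uses netdom.

```powershell
# Added example: one-way external trust with selective authentication, then a trust audit.
# Assumed names: corp.contoso.com (trusting), fabrikam.com (trusted), FABRIKAM\admin.
Import-Module ActiveDirectory

# 1. corp trusts fabrikam (outgoing, from corp's point of view) with selective authentication
netdom trust corp.contoso.com /domain:fabrikam.com /add /userD:FABRIKAM\admin /passwordD:*
netdom trust corp.contoso.com /domain:fabrikam.com /selectiveauth:Yes
# Then, on each resource computer, grant "Allowed to Authenticate" to the fabrikam group that needs access
# (computer object > Security tab, or dsacls with the right GUID); without it no fabrikam user gets in.

# 2. Audit every trust this domain holds
function Get-TrustReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $t = $_
        $issues = @()
        if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) { $issues += 'SID filtering (quarantine) off on external trust' }
        if (-not $t.SelectiveAuthentication)                                { $issues += 'Domain-wide authentication' }
        if ($t.UsesRC4Encryption -and -not $t.UsesAESKeys)                  { $issues += 'RC4-only trust keys' }
        [pscustomobject]@{
            Trust     = $t.Name
            Direction = $t.Direction
            Forest    = $t.ForestTransitive
            Issues    = ($issues -join '; ')
        }
    }
}
Get-TrustReport | Format-Table -AutoSize

# 3. Tighten what the audit flagged
netdom trust corp.contoso.com /domain:fabrikam.com /quarantine:Yes
# AES trust keys require Windows Server 2008 R2 or later on both sides
ksetup /setenctypeattr fabrikam.com AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96

# 4. Name suffix routing as seen from this forest (for forest trusts only)
netdom trust corp.contoso.com /domain:fabrikam.com /namesuffixes:fabrikam.com
```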
New to server 2016: JIT forest
(Diagram: Existing Forest <-- PIM Forest Trust -- JIT Forest; TTL group membership managed by PIM)
• Create a new Server 2016 forest; no need to change the existing forest
• Create a new 'PIM' trust from the existing forest to the new forest
• Add shadow principals in the new forest
  • Shadow principals are a new object class created in the configuration NC. Unlike a security group, a shadow principal carries the security identifier (SID) of a principal from a domain in another forest
• Add a shadow admin user
• Remove admins from the existing forest's privileged groups
• PIM
  • The PIM system manages the TTL groups
  • A workflow adds the shadow user to the shadow admin group for a limited time
Configuring sites and site links
Sites
• Configured in Active Directory Sites and Services
• Logically represent the physical network
• Clients and domain controllers are associated to a site through IP Subnet objects
• Logically connected to other sites using Site Links

Site Links
• Used for Active Directory replication between domain controllers in different sites
• Each site link has a cost; the path with the lowest total cost is preferred
• Includes the replication schedule, interval and transport protocol (IP or SMTP)

Moving domain controllers between sites
• A DC's site does not change automatically when it is plugged into the new location
• Nor when its IP address is changed to match the new location; move it in Sites and Services or with Move-ADDirectoryServer
• Ensure the domain controller is not the Preferred Bridgehead Server in its existing site prior to moving it

Exam Tip: Watch for scenarios where logon times or other authentication traffic are slow. Check that the correct IP subnets are linked to the correct sites, that a domain controller is placed in the site, etc.
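The site, subnet, site-link and DC-move steps above as one added example (not the deck's code), including a subnet-to-site lookup you can use to check the exam-tip scenario. The site Boston, the subnet 10.20.0.0/16, the DC BOS-DC1 and the link name HQ-Boston are assumptions.

```powershell
# Added example: Boston site, subnet and link; move a DC into it; check which site an IP maps to.
# Assumed names: sites Default-First-Site-Name and Boston, DC BOS-DC1, subnet 10.20.0.0/16.
Import-Module ActiveDirectory

New-ADReplicationSite -Name 'Boston'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Boston' -Location 'Boston office'

# Link to HQ: cost 100, replicate every 15 minutes, change notification (options bit 1) so urgent
# changes such as lockouts do not wait for the interval
New-ADReplicationSiteLink -Name 'HQ-Boston' -SitesIncluded 'Default-First-Site-Name', 'Boston' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP `
    -OtherAttributes @{ options = 1 }
# Take Boston out of DEFAULTIPSITELINK so there is exactly one path
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = 'Boston' }

# Moving the DC: changing its IP does not move it. Check preferred-bridgehead status first.
$dc   = Get-ADDomainController -Identity 'BOS-DC1'
$site = Get-ADReplicationSite -Identity $dc.Site -Properties bridgeheadServerListBL
if ($site.bridgeheadServerListBL -match $dc.Name) {
    Write-Warning "$($dc.Name) is a preferred bridgehead in $($dc.Site); clear that before moving"
}
Move-ADDirectoryServer -Identity 'BOS-DC1' -Site 'Boston'

# Which site does a client IP belong to? (IPv4 only; no match means the client falls back to the
# DC's own site or to any DC, the classic cause of slow logons)
function Get-SiteForIp([string]$Ip) {
    $a = [BitConverter]::ToUInt32([byte[]]([System.Net.IPAddress]::Parse($Ip).GetAddressBytes()[3..0]), 0)
    Get-ADReplicationSubnet -Filter * | Where-Object { $_.Name -match '^\d+\.' } | Where-Object {
        $net, $bits = $_.Name -split '/'
        $n    = [BitConverter]::ToUInt32([byte[]]([System.Net.IPAddress]::Parse($net).GetAddressBytes()[3..0]), 0)
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
        ($a -band $mask) -eq ($n -band $mask)
    } | Select-Object Name, Site
}
Get-SiteForIp '10.20.5.17'

# Client-side confirmation and replication health after the change
nltest /dsgetsite                               # run on the client: site Netlogon computed for it
nltest /dsgetdc:corp.contoso.com /site:Boston   # which DC the locator hands out for Boston
repadmin /replsummary
```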
Practice Question
You are the administrator for corp.contoso.com. Your company password policy states that users must change their
passwords every 60 days. However, a new security policy states that members of the Legal Department should be
required to change their passwords every 30 days.

You need to ensure users of the Legal department are required to change their passwords every 30 days.

You must accomplish this with the least amount of administrative effort.

What should you do?

A. Create a child domain named legal.corp.contoso.com. Add the users to the new domain. Change the default
password policy to specify 30 days.
B. Create a new Organizational Unit (OU) named Legal. Add the users to the Legal OU. Create a new Group Policy
Object (GPO) that sets the password policy to 30 days.
C. Create a new Organizational Unit (OU) named Legal. Add the users to the Legal OU. Create a password Settings
Object (PSO) with the proper settings, and link it to the Legal OU
D. Create a new Security Group named Legal. Add the users to the Legal Security Group. Create a Password Settings
Object (PSO) with the proper settings. Link it to the Legal Security Group
Manage and maintain active directory domain services

Tip #1: Service Accounts (sMSAs) are for a single server; Group Managed Service Accounts can be used across systems
Tip #2: Use Active Directory Administrative Center to manage Active Directory Users and Computers
Tip #3: Know how to configure Site Links to optimize replication and authentication traffic
Key topics: Group Managed Service Accounts, Virtual Accounts, Sites and Site Links
03-Create and Manage Group Policy
Create and manage group
policy objects (gpos)
• Configure a central store
• Manage starter GPOs
• Configure GPO links
• Configure multiple local Group Policies
• Back up, import, copy, and restore GPOs
• Create and configure a migration table
• Reset default GPOs
• Delegate Group Policy management
• Detect health issues using the Group Policy
Infrastructure Status dashboard
Creating group policy objects (GPO)
Administrative Templates Central Store
• Administrative Templates are comprised of ADMX (settings) and ADML (language) files
• Group Policy tools read any ADMX file in the central store under SYSVOL in preference to the local %systemroot%\PolicyDefinitions
• Copy files from a client's C:\Windows\PolicyDefinitions and C:\Windows\PolicyDefinitions\en-US to \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions on a domain controller; SYSVOL replication carries it to the others

Starter GPOs
• Function like a template
• Can only contain settings found under Administrative Templates
• All GPOs created from a Starter GPO start with the same settings
• Once created, New -> GPO lists the Starter GPOs as a selection to start from

What to know about Group Policy Processing
• Local -> Site -> Domain -> OU (the later one wins on conflict)
• Enforced, Link Enabled, Block Inheritance
• Loopback Processing: Merge or Replace
• How to manage Slow-Link Processing: Computer Configuration\Administrative Templates\System\Group Policy, "Configure Group Policy slow link detection" (default threshold is 500 Kbps)
Managing group policy objects (GPO)
Filtering GPOs
• WMI filters can be used to restrict an entire GPO to a specific OS version, or hardware type, for example
• Security filtering can restrict processing to a specific group: that group needs both Read and Apply Group Policy. Since the MS16-072 change the computer account must still be able to Read the GPO, so keep Read for Authenticated Users (or Domain Computers) when you remove Apply

Managing GPOs
• Backup, Restore, Export, Import can all be done with PowerShell:
• Backup-GPO, Import-GPO, Copy-GPO, Restore-GPO cmdlets
• Reset default GPOs: dcgpofix.exe resets the Default Domain Policy or Default Domain Controllers Policy GPO to its defaults (dcdiag only diagnoses)

Create a Migration Table
• Used to migrate GPOs from one domain to another, mapping security principals and UNC paths to their equivalents in the target domain
• Open the Migration Table Editor (from GPMC) and specify source and target
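The central store, backup/import-with-migration-table, security-filtering and default-GPO-reset tasks above as one added example (not the deck's code). The GPO WS-Baseline, the target domain fabrikam.com, the groups Win7-Computers and the migration table file name are assumptions.

```powershell
# Added example: central store, backup and cross-domain import, security filtering, reset of a default GPO.
# Assumed: domain corp.contoso.com, GPO 'WS-Baseline', target domain fabrikam.com, group 'Win7-Computers'.
Import-Module GroupPolicy

# 1. Central store: copy from a fully patched client (the newest ADMX set), then let SYSVOL replication spread it
$store = '\\corp.contoso.com\SYSVOL\corp.contoso.com\Policies\PolicyDefinitions'
foreach ($d in $store, "$store\en-US") { if (-not (Test-Path $d)) { New-Item -ItemType Directory -Path $d | Out-Null } }
Copy-Item "$env:SystemRoot\PolicyDefinitions\*.admx"       $store          -Force
Copy-Item "$env:SystemRoot\PolicyDefinitions\en-US\*.adml" "$store\en-US"  -Force

# 2. Back up everything, with an HTML report next to it for change review
$bk = "C:\GPOBackup\$(Get-Date -Format yyyyMMdd)"
Backup-GPO -All -Path $bk -Comment 'Pre-change baseline' | Select-Object DisplayName, Id
Get-GPOReport -Name 'WS-Baseline' -ReportType Html -Path "$bk\WS-Baseline.html"

# 3. Import into another domain. The migration table (built in GPMC's Migration Table Editor and saved
#    as .migtable) maps CORP\Sales -> FABRIKAM\Sales and \\fs01.corp\... -> \\fs01.fabrikam\...;
#    without it the imported GPO carries SIDs and paths that do not exist in the target domain.
Import-GPO -BackupGpoName 'WS-Baseline' -Path $bk -TargetName 'WS-Baseline' -Domain 'fabrikam.com' `
    -MigrationTable "$bk\corp-to-fabrikam.migtable" -CreateIfNeeded

# 4. Link to the OU. A WMI filter such as
#      SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"
#    restricts it to Windows 7 workstations; create the filter in GPMC (no cmdlet exists for that) and attach it there.
New-GPLink -Name 'WS-Baseline' -Target 'OU=Workstations,DC=corp,DC=contoso,DC=com' -LinkEnabled Yes

# 5. Security filtering: only Win7-Computers apply it; Authenticated Users keep Read (MS16-072)
Set-GPPermission -Name 'WS-Baseline' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name 'WS-Baseline' -TargetName 'Win7-Computers'      -TargetType Group -PermissionLevel GpoApply

# 6. Reset a damaged default GPO (run on a DC). /target:DC does the same for the Default Domain Controllers Policy.
dcgpofix /target:Domain
```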
Group policy infrastructure status
What is it?
• Added in Windows Server 2012 so Group Policy admins can see whether some other infrastructure-related issue (AD or SYSVOL replication) is causing Group Policy problems
• Added to the Group Policy Management Console

What does it do?
• Because Group Policy is replicated to other domain controllers, any number of issues not related to Group Policy itself may cause an error. This check compares each DC's copy of the GPO (the AD object and the SYSVOL folder) against a baseline DC and reports the ones that differ
• Can be run for a specific GPO, or at the domain if the issue is more global
Configure group policy
processing
• Configure processing order and precedence
• Configure blocking of inheritance
• Configure enforced policies
• Configure security filtering and Windows
Management Instrumentation (WMI) filtering
• Configure loopback processing
• Configure and manage slow-link processing and
Group Policy caching
• Configure client-side extension (CSE) behavior
• Force a Group Policy update
Group policy processing and RSoP
What to know about Group Policy Processing
• Local -> Site -> Domain -> OU
• Enforced, Link Enabled, Block Inheritance
• Loopback Processing: Merge or Replace
• How to manage Slow-Link Processing: Computer Configuration\Administrative Templates\System\Group Policy (default threshold is 500 Kbps)

Resultant Set of Policy (RSoP)
• Reads all settings applied to the computer and/or user but does not apply any additional settings
• Can be run from GPMC (Group Policy Results wizard) or from the command line
• gpresult.exe: gpresult /h report.html generates an HTML report of all GPOs that were applied or denied (and why) for the user and/or computer; gpresult /r prints a text summary
• rsop.exe: generates the same report but opens it in an MMC snap-in laid out like the Group Policy editor
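An added example for the processing and RSoP material above (not the deck's code): force an update, read the effective link order for an OU, and produce RSoP reports for a remote computer/user pair. The computer WS0042, the user CORP\alice and the OU are assumptions.

```powershell
# Added example: force a refresh, inspect effective link order, pull RSoP reports remotely.
# Assumed: computer WS0042, user CORP\alice, OU=Workstations,DC=corp,DC=contoso,DC=com.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Force a refresh on one machine now, and on a whole OU with a small random delay to avoid a thundering herd
Invoke-GPUpdate -Computer 'WS0042' -Force -RandomDelayInMinutes 0
Get-ADComputer -SearchBase 'OU=Workstations,DC=corp,DC=contoso,DC=com' -Filter * |
    ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 10 -ErrorAction SilentlyContinue }

# 2. Effective processing order for the OU: inherited links first, Enforced ones always at the end
function Get-EffectiveGpoOrder([string]$Target) {
    $inh = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Target           = $Target
        InheritanceBlock = $inh.GpoInheritanceBlocked
        Order            = ($inh.InheritedGpoLinks | ForEach-Object { "$($_.Order): $($_.DisplayName) enforced=$($_.Enforced) enabled=$($_.Enabled)" })
    }
}
Get-EffectiveGpoOrder 'OU=Workstations,DC=corp,DC=contoso,DC=com'

# 3. RSoP for a computer/user pair, without applying anything. HTML for people, XML for tooling.
Get-GPResultantSetOfPolicy -Computer 'WS0042' -User 'CORP\alice' -ReportType Html -Path 'C:\Temp\rsop-WS0042.html'
Get-GPResultantSetOfPolicy -Computer 'WS0042' -User 'CORP\alice' -ReportType Xml  -Path 'C:\Temp\rsop-WS0042.xml'

# 4. The same from gpresult, which also lists denied GPOs with the reason (security filtering, WMI filter, empty)
gpresult /s WS0042 /user CORP\alice /h C:\Temp\gpresult-WS0042.html /f
gpresult /s WS0042 /r /scope:computer
```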
Configure group policy
settings
• Configure software installation
• Configure folder redirection
• Configure scripts
• Configure administrative templates
• Import security templates
• Import a custom administrative template file
• Configure property filters for administrative
templates
Group policy software installation
What is it?
• Deploys software to computers at startup, or to users after logon
• Requires that the installer is packaged as an MSI file (optionally with an MST transform)
• Can be used to install, upgrade, or remove software (full life-cycle)
• FREE to use and requires little infrastructure (a share the computer accounts can read)

Deploy to Computers
• Create a new, or edit an existing, GPO linked to the Site, Domain, or OU that contains the computer objects
• Under Computer Configuration, select Software Installation and create a new package
• Select Advanced to configure upgrades, point to an MST file, add a Category, etc.
• Automatically installed at the next reboot after the computer applies the policy

Deploy to Users
• Create a new, or edit an existing, GPO linked to the Site, Domain, or OU that contains the user objects
• Under User Configuration, select Software Installation and create a new package
• Select to Assign or Publish the application to the user

Exam Tip: Assigning creates a Start menu icon and installs the software when the user first clicks the icon (or opens a file of the associated type). Publishing makes it available in Control Panel\Programs (Get Programs) for the user to install on demand
Common group policy settings
Folder redirection
• Redirects the user's common profile folders (Documents, Desktop, etc.) to a network share or other location

Scripts
• Added to Computer Configuration as a Startup or Shutdown script, or User Configuration as a Logon or Logoff script
• Can be written in any scripting language the client understands
• Can only be run at startup, shutdown, logon, or logoff. Will not be run during a refresh cycle

Security Templates
• Apply specific security settings to specific types of systems
• Do not take effect until imported into a GPO and linked

Security Template      Description
Setup security.inf     The baseline security for all workstations or member servers out of the box
DC security.inf        The baseline security template for domain controllers out of the box
Securews.inf           Best described as the middle-ground security template for workstations and member servers before moving up to the hisec*.inf templates
Securedc.inf           The same as the above, only specifically for domain controllers
Hisecws.inf            The highest-level security template available for workstations/member servers
Hisecdc.inf            The same as above, however only for domain controllers
Compatws.inf           Designed to resolve compatibility issues with legacy applications by relaxing file and registry permissions for the Users group
Administrative templates
Administrative templates settings
• Common settings that write and enforce a registry key or value
• Found under Computer Configuration (HKLM hive) or User Configuration (HKCU hive)
• Tattooing: true policy settings live under the Policies keys (HKLM or HKCU\Software\Policies and ...\Microsoft\Windows\CurrentVersion\Policies) and are removed when the setting goes back to Not Configured. Settings written outside those keys (legacy ADM "preference" settings, shown with a different icon, and Group Policy Preferences) tattoo the registry: Not Configured leaves the value in place, so you must set it to Disabled (or remove the value explicitly) to back it out

Import administrative templates
• ADMX files from the Central Store are automatically added to Group Policy editing tools
• Without a central store, custom ADMX/ADML files go in %systemroot%\PolicyDefinitions (and its language subfolder) to appear in the Local Group Policy Editor; legacy .adm files are added through Add/Remove Templates

Filter administrative templates
• Filter the displayed settings by several criteria (managed/configured/commented, keyword, platform requirements) to reduce the visible settings
Configure group policy preferences
What is it?
• Configures settings not configurable by other Group Policy settings
• Does not enforce the settings, it only sets them: the user can change the value, and it is written again at the next refresh unless "Apply once and do not reapply" is selected
• Common Group Policy Preferences include:
• Configure printer preferences
• Define network drive mappings
• Configure power options
• Configure custom registry settings
• Configure Control Panel settings
• Configure Internet Explorer settings
• Configure file and folder deployment
• Configure shortcut deployment
• Configure item-level targeting
Practice Question
You are the Group Policy (GPO) administrator for Contoso.com. Contoso has a mix of Windows 7 and Windows 10
systems. All computers are in the Workstations Organizational Unit (OU). There are several GPO’s linked to the
Workstations OU that must be applied to all Workstations.

You have been asked to create a new GPO that applies to all of the Windows 7 systems in your company.

You need to accomplish this with the least amount of administrative effort.

What should you do?

A. Create a new GPO with the required settings. Create a WMI filter for Windows 7 systems. Link the WMI filter to the
GPO. Link the GPO to the Workstations OU.
B. Create a new GPO with the required settings. Create a WMI filter for Windows 10 systems. Link the WMI filter to the
GPO. Link the GPO to the Workstations OU.
C. Create a new GPO with the required settings. Create a child OU under Workstations named Windows 10. Move the
Windows 10 computers into the new OU. Link the GPO to the Workstations OU.
D. Create a new GPO with the required settings. Create a child OU under Workstations named Windows 7. Move the
Windows 7 computers into the new OU. Link the GPO to the Windows 7 OU.
Create and manage group policy

Tip #1: Use the ADMX Central Store for Administrative Templates that aren't native to the domain controller
Tip #2: Group Policy can be used for Software Installation. Know the difference between Assigning and Publishing Software
Tip #3: Use Group Policy Management Console to check the status of the underlying infrastructure
Key topics: Startup Scripts, Logon Scripts, Logoff Scripts, Shutdown Scripts, Infrastructure Status
04-Implement Active Directory Certificate Services (AD CS)
Install and configure AD certificate services
• Install Active Directory Integrated Enterprise Certificate Authority (CA)
• Install offline root and subordinate CAs
• Install standalone CAs
• Configure Certificate Revocation List (CRL) distribution points
• Install and configure Online Responder
• Implement administrative role separation
• Configure CA backup and recovery
Active directory certificate services
Enterprise Certificate Authority (CA)
• Requires access to Active Directory
• Can be installed on any version of Server 2016, including Server Core, but excluding Nano Server (at this time)
• Root CAs are the top level of the hierarchy and can issue certs to Subordinate CAs, which then issue certs that are validated through the root CA
• Offline CAs can write a cert to a removable device, which can then be transported to the requesting server

Features of AD Certificate Services
• Certificate Authorities (CA):
  • Root and Subordinate CAs are used to issue certs to users, computers, and services, and to manage certificate validity
• Web enrollment
  • Allows users to connect to the CA using a web browser to request certs and retrieve CRLs (Certificate Revocation Lists)
• Online Responder
  • Decodes revocation status requests for specific certs, evaluates the certs, and sends back a signed response containing the status info
• Network Device Enrollment Service
  • Allows routers and other network devices that don't have domain accounts to obtain certs

Installing AD Certificate Services
• Server Manager
• PowerShell: Install-WindowsFeature AD-Certificate -IncludeManagementTools
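The Install-WindowsFeature line only lays down the binaries; the CA itself is configured afterwards. As an added example (not from the deck and not Microsoft's own script), the following performs an unattended Enterprise Root CA install and then checks the result. The CA name, key length and hash are choices made for this example, not values the deck gives.

```powershell
# Added example (not from the deck): unattended install of an Active Directory
# integrated Enterprise Root CA on Windows Server 2016.
# Assumptions: run elevated as an Enterprise Admin on a domain-joined member
# server; "Contoso-Root-CA", 4096-bit RSA and SHA-256 are example choices.

$CaName = 'Contoso-Root-CA'   # assumed CA common name

# 1. Role binaries plus management tools (the deck's Install-WindowsFeature step).
Install-WindowsFeature AD-Certificate, ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure the CA. SHA-256 and a 4096-bit key avoid the deprecated SHA-1
#    and short-key defaults; ValidityPeriod is the CA certificate's own lifetime.
Install-AdcsCertificationAuthority `
    -CAType              EnterpriseRootCA `
    -CACommonName        $CaName `
    -CryptoProviderName  'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength           4096 `
    -HashAlgorithmName   SHA256 `
    -ValidityPeriod      Years `
    -ValidityPeriodUnits 10 `
    -Force

# 3. Verify the service is up and the CA answers RPC requests.
Get-Service certsvc | Select-Object Name, Status
certutil -ping                       # should report the CA interface is alive
certutil -getreg CA\CAType           # 0 = Enterprise Root CA

# 4. Least-privilege review: an enterprise root publishes several end-entity
#    templates by default. List them and remove any this root should not issue
#    (in a two-tier design the root should sign subordinate CA certs only).
Get-CATemplate | Format-Table Name
# Example removal once you have reviewed the list:
# Remove-CATemplate -Name 'User' -Force
```

Step 4 is where the deck's "offline root and subordinate CAs" model starts: the fewer templates a root serves, the smaller the blast radius if an operator account on that host is compromised.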
Certificate services – con't
Standalone Certificate Authority (CA)
• Does not require access to Active Directory
• Certificate requests must include the identifying information about the certificate subject
• All requested certificates are Pending until Approved

Certificate Revocation List (CRL) Distribution Points
• Web-based procedure
• Create the CRL DP using IIS: create a virtual directory and enable directory browsing
• Configure permissions on the CRL distribution shared folder: assign permissions to the CA server
• Publish the CRL to the shared folder: in the Certificate Authority MMC, right-click Revoked Certificates and then click Publish
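The three bullets above are the manual MMC/IIS procedure. As an added example (not code from the deck), here is the same CRL Distribution Point built with PowerShell and then verified over HTTP. The folder C:\CRL, the CA computer account CONTOSO\CA1$, and the URL http://pki.contoso.com/crl are assumptions for the example; IIS is assumed to run on the CA host.

```powershell
# Added example (not from the deck): build the HTTP CRL Distribution Point the
# slide describes (IIS virtual directory with directory browsing, CA write
# permission on the folder, CDP extension on the CA, publish, verify).
# Assumptions: IIS on the CA host; CA computer account CONTOSO\CA1$;
# clients will fetch CRLs from http://pki.contoso.com/crl.

Import-Module WebAdministration

$CrlPath = 'C:\CRL'            # assumed local folder behind the DP
$CaAcct  = 'CONTOSO\CA1$'      # assumed CA computer account
$CdpUrl  = 'http://pki.contoso.com/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# 1. Folder plus IIS virtual directory "crl" under the Default Web Site, with
#    directory browsing so clients (and you) can list the published files.
New-Item -Path $CrlPath -ItemType Directory -Force | Out-Null
if (-not (Get-WebVirtualDirectory -Site 'Default Web Site' -Name 'crl')) {
    New-WebVirtualDirectory -Site 'Default Web Site' -Name 'crl' -PhysicalPath $CrlPath | Out-Null
}
Set-WebConfigurationProperty -Filter /system.webServer/directoryBrowse `
    -PSPath 'IIS:\Sites\Default Web Site\crl' -Name enabled -Value $true

# 2. NTFS permission: the CA service needs Modify on the folder (on a remote
#    share the CA computer account is what writes); readers need nothing more
#    than the default read access.
$acl  = Get-Acl $CrlPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $CaAcct, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $CrlPath -AclObject $acl

# 3. Tell the CA to publish into the folder and to stamp the HTTP URL into the
#    CDP extension of issued certificates. The <...> tokens are CA variables
#    expanded at publish time.
Add-CACrlDistributionPoint -Uri "$CrlPath\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -PublishToServer -PublishDeltaToServer -Force
Add-CACrlDistributionPoint -Uri $CdpUrl -AddToCertificateCdp -AddToFreshestCrl -Force
Restart-Service certsvc

# 4. Publish a fresh CRL (same as "Revoked Certificates > Publish" in the MMC)
#    and confirm it is served over HTTP and parses as a CRL.
certutil -crl
$crlFile = Get-ChildItem $CrlPath -Filter *.crl | Select-Object -First 1
$resp = Invoke-WebRequest -Uri ("http://pki.contoso.com/crl/" + $crlFile.Name) -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "CRL is not being served over HTTP" }
certutil -dump $crlFile.FullName | Select-String 'Update'
```

The final certutil -dump line shows the ThisUpdate/NextUpdate window; a CRL that clients cannot fetch before NextUpdate is the classic cause of "revocation server offline" failures, so check the HTTP path from a non-CA host as well.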

Online Responder
• Receives and responds to requests for the revocation status of a certificate
• Responds about individual certificates instead of the client downloading the full CRL

Certificate backup and recovery
• certutil -backupdb <path>
• certutil -backupkey <path>
• certutil -f -restore <path> (stop the AD CS service first)
Manage certificates
• Manage certificate templates
• Implement and manage certificate deployment, validation, and revocation
• Manage certificate renewal
• Manage certificate enrollment and renewal for computers and users using Group Policies
• Configure and manage key archival and recovery
Manage certificates
Certificate Templates
• Must be registered with (published on) an enterprise CA
• Add-CATemplate -Name <Name>

Certificate Autoenrollment
• Group Policy in User Configuration\Windows Settings\Security Settings\Public Key Policies
• Options: renew expired certificates, update pending certificates, and remove revoked certificates
• Update certificates that use certificate templates
• Auto-enrollment eases administrative overhead

Key Recovery
• Key recovery agent account (must be registered with the CA)
• Configure the certificate template for key archival (enroll users based on the new template)
• Keys are not protected (archived) until the certificate template has key recovery enabled
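The template and autoenrollment bullets describe one procedure: publish a template, switch on autoenrollment through Group Policy, and confirm clients received a certificate. The following is an added PowerShell example (not from the deck) that does all three with a verification step. It assumes a template with internal name ContosoWorkstation already exists in AD and grants Domain Computers Enroll and Autoenroll, and it invents the GPO name "Certificate Autoenrollment"; both are assumptions.

```powershell
# Added example (not from the deck): publish a certificate template on the
# enterprise CA, enable autoenrollment via Group Policy, and verify a client
# actually received a certificate from that template.
# Assumptions: template "ContosoWorkstation" (template name, not display name)
# already exists and grants Domain Computers Enroll + Autoenroll; GPO name and
# domain are made up for this example.

Import-Module ADCSAdministration
Import-Module GroupPolicy

$TemplateName = 'ContosoWorkstation'            # assumed template
$GpoName      = 'Certificate Autoenrollment'    # assumed GPO name
$Domain       = 'contoso.com'                   # assumed domain

# 1. Publish the template on the CA (the deck's Add-CATemplate). Idempotent.
if (-not (Get-CATemplate | Where-Object Name -eq $TemplateName)) {
    Add-CATemplate -Name $TemplateName -Force
}
Get-CATemplate | Where-Object Name -eq $TemplateName

# 2. Autoenrollment policy. The GPMC check boxes under Public Key Policies map
#    to the AEPolicy registry value: 0x1 = renew expired / update pending /
#    remove revoked, 0x2 = update certificates that use templates; 7 = all on.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
foreach ($hive in 'HKLM', 'HKCU') {             # computer and user autoenrollment
    Set-GPRegistryValue -Name $GpoName `
        -Key "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
        -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
}
$domainDn = 'DC=' + ($Domain -replace '\.', ',DC=')
New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes -ErrorAction SilentlyContinue

# 3. On a client: refresh policy, trigger autoenrollment, then look in the
#    machine store for a cert whose Certificate Template Information extension
#    names our template.
function Test-AutoEnrolled {
    param([string]$Template)
    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Extensions | Where-Object { $_.Format($false) -match $Template }
    } | Select-Object Subject, NotAfter, Thumbprint
}
Test-AutoEnrolled -Template $TemplateName
```

If Test-AutoEnrolled returns nothing, check the template's security tab first (Autoenroll is the permission people forget) and then the client's Application log for CertificateServicesClient-AutoEnrollment events, which state the exact reason an enrollment was skipped.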
Practice Question
You are security administrator for contoso.com. Contoso has an Enterprise Certificate Authority (CA) named CA1.

You need to delete a certificate from the certificate store on CA1.

What should you do?

A. Run certutil.exe -revoke
B. Run certutil.exe -viewdelstore
C. Run certutil.exe -dump
D. Run certutil.exe -deleterow
Implement active directory certificate services

[Slide diagram: Online Responder; Certificate Services and Certificate Revocation Lists; PKI]

Tip #1
Know when to use an AD CA vs. a standalone CA

Tip #2
Know how to create a CRL Distribution Point in IIS

Tip #3
Active Directory Certificate Services can be installed on Server Core but cannot be installed on Nano Server (at this time)
05-Implement Identity Federation and Access Solutions
Install and configure active directory federation services (AD FS)
• Upgrade and migrate previous AD FS workloads to Windows Server 2016
• Implement claims-based authentication, including Relying Party Trusts
• Configure authentication policies
• Configure multi-factor authentication
• Implement and configure device registration
• Integrate AD FS with Microsoft Passport
• Configure for use with Microsoft Azure and Office 365
• Configure AD FS to enable authentication of users stored in LDAP directories
Active directory federation services
What's new in 2016?
• Farm Behavior Level (FBL) has been changed to an integer, not a string. Current is Windows Server 2016 TP5

Running in Mixed Mode
• Add a Windows Server 2016 server to a Server 2012 R2 FBL farm
• This will make the farm run in mixed mode until upgraded
• Will not be able to take advantage of any new FBL features, not even to test them out
• Cannot upgrade the OS in place from Server 2012 R2 to Windows Server 2016 to automatically upgrade the FBL. A new Server 2016 AD FS server must be added to upgrade the FBL
AD FS – upgrade to 2016 FBL
Steps to migrate workloads to Windows Server 2016
1. Install AD FS on a Server 2016 server
2. Using the AD FS Configuration Wizard, join the existing farm
3. Once the join is complete, promote it to Primary Computer: Set-AdfsSyncProperties -Role PrimaryComputer
4. Mark the original Primary Computer (Server 2012 R2) as Secondary: Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN}
5. Configure web application proxy
6. Run adprep /forestprep
7. Run adprep /domainprep
8. Raise the FBL: Invoke-AdfsFarmBehaviorLevelRaise
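Steps 3, 4 and 6 to 8 above can be scripted and checked from one admin host. The following is an added example (not the deck's code and not a Microsoft script) that runs them in order with a verification after each. The node names ADFS2016.contoso.com and ADFS2012R2.contoso.com, and the media drive D:, are assumptions; step 2 (joining the farm with the wizard) and step 5 (WAP) are assumed to be already done.

```powershell
# Added example (not from the deck): the FBL upgrade steps as a checked
# PowerShell sequence. Assumptions: new 2016 node ADFS2016.contoso.com is
# already joined to the farm; old primary is ADFS2012R2.contoso.com; the
# Windows Server 2016 media is mounted at D:; run as an AD FS admin who is
# also Schema Admin / Enterprise Admin for the adprep steps.

$NewPrimary = 'ADFS2016.contoso.com'     # assumed
$OldPrimary = 'ADFS2012R2.contoso.com'   # assumed

# Step 3 - on the NEW 2016 node: take over the primary role.
Invoke-Command -ComputerName $NewPrimary -ScriptBlock {
    Set-AdfsSyncProperties -Role PrimaryComputer
    Get-AdfsSyncProperties | Select-Object Role
}

# Step 4 - on the OLD 2012 R2 node: demote it and point it at the new primary.
# Doing this before step 3 would leave the farm without a writable primary.
Invoke-Command -ComputerName $OldPrimary -ScriptBlock {
    param($primary)
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $primary
    Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName
} -ArgumentList $NewPrimary

# Steps 6-7 - schema and domain prep from the 2016 media.
& 'D:\support\adprep\adprep.exe' /forestprep
& 'D:\support\adprep\adprep.exe' /domainprep

# Step 8 - raise the FBL on the new primary, but only after the preflight
# cmdlet has been read: it lists any node still on 2012 R2, which would make
# the raise fail or strand that node.
Invoke-Command -ComputerName $NewPrimary -ScriptBlock {
    $before = (Get-AdfsFarmInformation).CurrentFarmBehavior
    "Preflight:"
    Test-AdfsFarmBehaviorLevelRaise | Out-String
    Invoke-AdfsFarmBehaviorLevelRaise -Force
    $after = (Get-AdfsFarmInformation).CurrentFarmBehavior
    "FBL $before -> $after"
    "Farm nodes:"
    (Get-AdfsFarmInformation).FarmNodes | Out-String
}
```

The old 2012 R2 node keeps working as a secondary in mixed mode, but once the FBL is raised it can no longer sync and must be removed from the farm; the final FarmNodes listing is the place to confirm that.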
AD FS – claims and relying trusts
Claims
• Statements made about users, used to authorize access to claims-based applications
• Each claim statement has a value (department, group, attribute)

Claim Rules
• Rules include permit or deny all users, or pass through or filter an incoming claim
• Created in the AD FS console in the Relying Party Trusts node

Relying Party Trust
• Partner organizations
• Can be claims aware or non claims aware
• Can be created with the AD FS MMC or PowerShell: Add-AdfsRelyingPartyTrust -Identifier <String> -Name <String>
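A relying party trust is only useful together with its claim rules, so here is an added example (not from the deck) that creates one in PowerShell with the rule kinds the slide names: a transform rule that pulls attributes from AD, a filtered pass-through rule, and an authorization rule that permits one group instead of everyone. The application URL https://claimsapp.contoso.com/ and the group App-Users are assumptions for the example.

```powershell
# Added example (not from the deck): create a relying party trust for a
# claims-aware app with transform, pass-through/filter and authorization rules.
# Assumptions: app identifier https://claimsapp.contoso.com/ and AD group
# "App-Users" are made up; run on an AD FS server as an AD FS administrator.

$AppName = 'Contoso Claims App'              # assumed
$AppId   = 'https://claimsapp.contoso.com/'  # assumed identifier and WS-Fed endpoint

# Issuance transform rules (claim rule language):
#  1. issue the UPN from AD;
#  2. ADD the user's group memberships to the pipeline without issuing them;
#  3. pass through (issue) only the group claims that start with "App-", so the
#     application never sees the user's full group list.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Issue UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Add group memberships to the pipeline"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through only App- groups"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^App-"]
 => issue(claim = c);
'@

# Issuance authorization rule: permit only members of App-Users rather than
# the "Permit all users" template. Anyone else gets an access denied page.
$authzRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit App-Users only"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "App-Users"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $AppName -Identifier $AppId `
    -WSFedEndpoint $AppId `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify what was stored.
Get-AdfsRelyingPartyTrust -Name $AppName |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules, IssuanceAuthorizationRules
```

The add-then-filter pattern is the point of the second and third rules: an issue() directly from tokenGroups would send every group the user belongs to, while add() keeps them in the pipeline where a pass-through rule can select the few the application needs.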
AD FS – additional info
Access Control Policies
• Enforce policy settings on a group of relying parties
• Can be created via template

Auditing Enhancements in 2016
• More streamlined, less verbose than 2012 R2
• See the log level with PowerShell: Get-AdfsProperties

Configure authentication policies
• Can be set globally across all applications, or per application
• Include settings for Extranet or Intranet
• Extranet settings can be forms or certificate based
• Intranet settings can be Windows, forms or certificate based
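The auditing and authentication-policy bullets above map onto a handful of cmdlets. As an added example (not from the deck), the following reads and sets the 2016 audit level, sets the global extranet/intranet policy, and adds a per-application rule that requires MFA only for requests arriving from outside the corporate network. The relying party name "Contoso Claims App" is an assumption, as is that an MFA provider is already registered on the farm.

```powershell
# Added example (not from the deck): audit level, global authentication policy
# and a per-relying-party MFA rule on AD FS 2016.
# Assumptions: relying party "Contoso Claims App" exists; an additional
# authentication (MFA) provider is already registered on the farm.

# Auditing: 2016 adds the AuditLevel property (None / Basic / Verbose).
# Basic is the streamlined level; Verbose restores the 2012 R2 volume.
(Get-AdfsProperties).AuditLevel
Set-AdfsProperties -AuditLevel Basic

# Global policy: extranet (internet) users get forms or certificate auth;
# intranet users get integrated Windows auth first, then forms or certificate.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider FormsAuthentication, CertificateAuthentication `
    -PrimaryIntranetAuthenticationProvider WindowsAuthentication, FormsAuthentication, CertificateAuthentication `
    -DeviceAuthenticationEnabled $true

# Per-application MFA: an additional authentication rule in the claim rule
# language. The insidecorporatenetwork claim is "false" when the request came
# in through the Web Application Proxy, so only extranet logons are challenged.
$mfaRule = @'
@RuleName = "Require MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName 'Contoso Claims App' -AdditionalAuthenticationRules $mfaRule

# Verify.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryExtranetAuthenticationProvider, PrimaryIntranetAuthenticationProvider, AdditionalAuthenticationProvider
(Get-AdfsRelyingPartyTrust -Name 'Contoso Claims App').AdditionalAuthenticationRules
```

Keep the audit level at Basic or higher in production: the 2016 audit events are what a SOC uses to spot password spray against the extranet forms endpoint, and None removes that visibility entirely.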
AD FS – authentication
Multi-factor authentication
• Will ask for MFA if the previous logon was not MFA
• Determines if there is an SSO context, and requests MFA if necessary

Device registration
• After registering a device, a user gets 90 days of authentication by default, provided they use AD FS at least once every 14 days
• If not, on day 15 they will be asked to authenticate again

Use with Azure apps and O365
• Set up Azure AD
• Create the AD FS farm
• Deploy Azure AD Connect with the Custom path to connect AD FS to Azure AD
• For detailed and additional steps, see https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises

More information
• AD FS Server 2016 landing page: https://technet.microsoft.com/en-us/windows-server-docs/identity/active-directory-federation-services
Implement web application proxy (WAP)
• Install and configure WAP
• Implement WAP in pass-through mode
• Implement WAP as AD FS proxy
• Integrate WAP with AD FS
• Configure AD FS requirements
• Publish web apps via WAP
• Publish Remote Desktop Gateway applications
• Configure HTTP to HTTPS redirects
• Configure internal and external Fully Qualified Domain Names (FQDNs)
Web application proxy (WAP)
What is it?
• Remote access role service that is used to help secure remote access to web-based applications
• Isolates web apps from direct contact with the internet
• Pre-authenticates internet users to AD FS

New features in Windows Server 2016
• Pre-authentication for HTTP Basic app publishing
• Wildcard domain publishing of apps
• HTTP to HTTPS redirection
• HTTP publishing
• See https://technet.microsoft.com/en-us/windows-server-docs/identity/web-application-proxy/web-application-proxy-windows-server for more details on WAP
Web application proxy – installation and configuration
Before installation and configuration
• Configure certificates
• Configure DNS
• Configure load balancing

How to install
• Server Manager
• PowerShell: Install-WindowsFeature Web-Application-Proxy

How to configure
• Launch Remote Access Management
• Select Run the Web Application Proxy Configuration Wizard
Web application proxy authentication methods
Authentication methods
• Pass-through preauthentication
• AD FS preauthentication

Pass-through preauthentication
• No preauthentication is performed
• Valid requests are sent to web-based apps on the intranet
• User is authenticated only after connecting to the web app

AD FS preauthentication
• AD FS preauthenticates the user before passing the request to the web app
• Configure the claims-aware application in AD FS as a relying party
Publishing web apps
What can be published?
• SharePoint services
• Exchange services
• Remote Desktop Gateway services
• Custom line-of-business apps

Configuring URLs and Certificates
• Each app must have an external and internal URL
• You must select the certificate that contains the host name in the external URL
• User is authenticated only after connecting to the web app
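The install, configure and publish slides above are one procedure, so here is an added PowerShell example (not the deck's code) that runs it end to end: install the role, join the AD FS farm, then publish one application with AD FS preauthentication and HTTP-to-HTTPS redirection and another in pass-through mode. The federation service name fs.contoso.com, the application URLs and the relying party name are assumptions; the certificate is located by subject rather than by a hard-coded thumbprint.

```powershell
# Added example (not from the deck): install Web Application Proxy, bind it to
# the AD FS farm, then publish one app with AD FS preauthentication (plus
# HTTP->HTTPS redirect) and one with pass-through.
# Assumptions: federation service fs.contoso.com; a SAN or wildcard certificate
# for contoso.com is already in LocalMachine\My; URLs and the relying party
# "Contoso Claims App" are placeholders for this example.

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Locate the external certificate by subject and take the longest-lived one,
# rather than pasting a thumbprint that rots at the next renewal.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*contoso.com*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No contoso.com certificate with a private key in LocalMachine\My' }

# Join the AD FS farm. The credential is an AD FS admin used once to establish
# the proxy trust; WAP does not keep it.
Install-WebApplicationProxy `
    -FederationServiceName 'fs.contoso.com' `
    -FederationServiceTrustCredential (Get-Credential -Message 'AD FS administrator') `
    -CertificateThumbprint $cert.Thumbprint

# App 1: claims-aware app, AD FS preauthentication. External and internal URLs
# differ; the external certificate must carry the external host name.
# EnableHTTPRedirect is the 2016 HTTP-to-HTTPS redirection feature.
Add-WebApplicationProxyApplication -Name 'Contoso Claims App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Contoso Claims App' `
    -ExternalUrl 'https://claimsapp.contoso.com/' `
    -BackendServerUrl 'https://claimsapp.corp.contoso.com/' `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -EnableHTTPRedirect:$true

# App 2: pass-through. No preauthentication, so the backend must do its own
# authentication; WAP only keeps it off the internet edge.
Add-WebApplicationProxyApplication -Name 'Legacy Portal' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://portal.contoso.com/' `
    -BackendServerUrl 'https://portal.corp.contoso.com/' `
    -ExternalCertificateThumbprint $cert.Thumbprint

# Verify what is published.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl, EnableHTTPRedirect
```

Pass-through is the right choice only when the backend already enforces authentication on every request; a pass-through publication of an application that trusts "internal" network position exposes it directly, which is the exact risk the deck's "isolates web apps from direct contact with the internet" bullet is about.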
Install and configure active directory rights management services (AD RMS)
• Install a licensor certificate AD RMS server
• Manage AD RMS Service Connection Point (SCP)
• Manage AD RMS templates
• Configure Exclusion Policies
• Back up and restore AD RMS
Install and configure active directory RMS
Install a licensing and certificate root cluster
• Additional AD RMS server for licensing only (good for department-specific policies/templates and for offloading the main cluster)

Manage AD RMS Service Connection Point (SCP)
• Requires Enterprise Admin membership

Manage Trusted User Domains
• Trusted user domains (TUD) can be used to process requests from another AD RMS organization
• RMS trusts are NOT like AD trusts, more like the NT 4.0 rule…

Manage Trusted Publishing Domains
• Can process licensing requests for content from another AD RMS organization

Manage Federated Identity support
• Use AD FS to allow AD RMS usage without an AD DS trust or AD RMS on both sides

Configure Exclusion Policies
• Users, Applications (PowerPoint), Lockbox (AD RMS)
Practice Question
You are the administrator for Contoso.com. Contoso is doing business with several other companies. You have a server named ADFS1 that runs the Active Directory Federation Services role.

One of the relying parties has mandated that all Contoso users authenticate using both certificate authentication and Windows authentication.

You need to configure this on ADFS1.

What should you do?

A. Create and configure a Global Authentication Policy
B. Create and configure a Relying Party Trust
C. Create and configure a Transform Claim Rule
D. Create and configure a Delegation Authorization Rule
© 2016 Microsoft Corporation. All rights reserved.
