Windows Server 2019 is Microsoft's new commitment to the entire broad corporate segment that has decided to place its trust, and its services, in this innovative and always reliable operating system. The new 2019 version of Windows Server is based on four fundamental pillars that are:
- Hyperconvergence Infrastructure
This will guarantee us a scalable, secure, reliable system and in which the administration options will be much broader.
When we administer Windows Server there are a number of roles and services that play a vital role in all the performance at the structure and organization level and one of the most important are the Active Directory domain services and that is why TechnoWikis will do A complete analysis of what these services are and what they are composed of in order to have a global understanding of all the impact they have on the system and on the objects that compose it and should be managed..
1. Active Directory domain services in Windows Server 2019
Better known as AD DS (Active Directory Domain Services), they have been established in order to offer the most appropriate methods to store directory data and allow this data to be always available to users and network administrators, just to have An idea of ​​this, the AD DS stores information associated with user accounts with details such as names, passwords, phone numbers, etc., and allows other authorized users in the domain to access this information.
Remember that the Active Directory makes use of a structured data warehouse in order to have a logical and hierarchical organization of the directory information and these objects are normally shared resources, such as servers, volumes, printers and user accounts.
Now in Windows Server 2019, Active Directory domain services have been established to improve the ability of each administrator to protect Active Directory environments by allowing the option to migrate to hybrid and cloud deployments, which is a trend that is taking a fairly high force, since many applications and services are hosted in the cloud..
The improvements we will see in domain services in Windows Server 2019 are:
Privileged Access Management
Also called (PAM - Privileged Access Management), its function is to mitigate the security problems that are always present in Active Directory environments generated by multiple current credential theft techniques such as spear phishing, so that we will have at our disposal a new administrative access solution that must be configured together with Microsoft Identity Manager (MIM).
Some of its advantages are:
- New processes in MIM in order to request administrative privileges
- A new role of the Active Directory forest, generated by MIM
- New security principles (groups)
- The expiring links are available in all attributes linked to the
- KDC enhancements have been integrated into Active Directory domain controllers with the task of restricting the Kerberos ticket life to the lowest possible lifetime value (TTL)
- New monitoring capabilities to expand the results of administrative tasks.
Azure AD Join
Azure Active Directory Join allows you to improve identity experiences at the level of companies and customers of EDU, as it has improved capabilities for corporate and personal devices. Among its advantages we find:
- Availability of modern settings on Windows devices at the organization level
- Roaming or personalization services, new accessibility settings and credential improvements
- Access to the Microsoft store with a work account
- The company's resources can now be accessed on mobile devices that cannot be joined to a corporate Windows domain.
- Single sign-on in Office 365 and other applications
- On BYOD devices, it is allowed to add a work account, either using a local domain or Azure AD, to a personal device and thus make use of SSO resources
Microsoft Passport
Microsoft Passport was developed as a new security alternative which has a key-based authentication method for both organizations and consumers which is much more practical than traditional passwords since with Microsoft Passport authentication is based on violation, theft and phish resistant credentials.
When we use this method, the user logs into the device using a biometric login information or PIN which is linked to a certificate or asymmetric key pair, thus, identity providers (IDPs) validate the user who logs in by assigning the user's public key to IDLocker and thus the login information is obtained using the One Time Password (OTP) method or a different notification mechanism.
2. Design and plan Active Directory domain services in Windows Server 2019
When we have chosen to implement Active Directory Domain Services using Windows Server 2019, it will be possible to access a complete centralized administrative model and have the single sign-on (SSO) function that is generated by AD DS.
Reasons for use
Because it is important to design these services in a concrete way, the reasons are many, some of them are:
- Simplify the administration of resources and users
- Create scalable, secure and simple administration infrastructure.
- Manage network infrastructure, including objects, Microsoft Exchange Server and multiple domain environments.
Fundamental Phases
Basically when as administrators we have started to design these services we must understand that it covers three fundamental points that are:
- Design phase where the design for the logical structure of AD DS is created
- Implementation phase, there the implementation team tests the design in a laboratory environment and then implements it in the production environment so as not to affect the optimal performance of the services and processes.
- Operations phase is where we are responsible for administering and maintaining the directory service in optimal operation.
Basic requirements
The basic requirements for a correct design of our AD DS are:
- Design the logical structure of Active Directory taking into account the number of forests to be used in order to create the necessary designs for the domains, the Domain Name System (DNS) infrastructure and the organizational units (OU)
- Design the topology to use which is a logical representation of the available physical network
- Define the capacity of the domain controller, determining the appropriate amount of domain controllers for each site to use and verify that they meet the hardware requirements for Windows Server 2019.
- Enabling the advanced features of AD DS in Windows Server 2019.
Advantages
By having a properly designed logical structure of Active Directory, we will have the following advantages:
- Simplified management of Microsoft Windows-based networks where large numbers of objects are included
- Ability to delegate administrative control over resources
- A strong domain structure and reduced administration costs
- Reduced impact on network bandwidth increasing performance across the entire company
- Simplified resource sharing
- Optimal search performance
3. Deploy Active Directory Domain Services on Windows Server 2019
Once we define in detail how the domain services of the Active Directory are to be used, we proceed to their installation and for this we have several alternatives being the most traditional graphic form.
Step 1
To do this we go to the Server Administrator and in the option “Add roles and features†we go to the section “Active Directory Domain Services†and follow the steps of the wizard for the configuration of both the domain and the forest:
Step 2
For more detailed information we can go to the following link:
Step 3
We can also execute this process through Windows PowerShell, for this we must execute the following:
Add the role which installs the AD DS server role and installs AD DS and AD LDS server administration tools, including GUI-based tools, such as Active Directory users and computers, and command line tools, we execute the following:
Install-windowsfeature -name AD-Domain-Services -IncludeManagementTools
Step 4
Now, we execute the following command to see the available cmdlets in the ADDSDeployment module:
Get-Command -Module ADDSDeployment
Step 5
If we want to see the list of arguments that can be specified for a specific cmdlets, we execute the following syntax:
Get-Help <cmdlet>
Step 6
Once we configure and install AD DS, we can run one of the test cmdlets to validate our installation. Globally these are the options at the level of AD DS implementation in Windows Server 2019, in the link mentioned above we will find the way to add a new forest or domain.
4. Operation of Active Directory Domain Services in Windows Server 2019
Step 1
Once our Active Directory services are functioning as administrators we must ensure their safety and total performance for this purpose a series of useful tips are:
- Reduce the attack surface of Active Directory since all objects (users and computers) can be vulnerable
- Implement administrative models of minimum privileges to add more security
- Implement Secure Administrative Hosts
- Secure domain controllers against various types of attacks
- Constant monitoring of Active Directory for alarms that jeopardize its integrity
- Create new audit policies
Step 2
One of the simplest but at the same time more integrated ways to see everything that happens with our AD DS services is using the "Event Viewer":
Step 3
There we have a series of event IDs that are useful for administration such as:
- 4618: A supervised security event has occurred.
- 4649: A replay attack was detected. It can be a harmless false positive due to an incorrect configuration error
- 4719: System audit policy changed.
- 4765: High SID history has been added to an account
- 4766: The attempt to add the SID History to an account failed.
- 4794: An attempt was made to set the directory service restore mode.
- 4897: High Role separation enabled
- 4964: Special groups have been assigned to a new login.
- 5124: A security configuration was updated in the OCSP Response Service
- 550: Possible denial of service (DoS) attack
- 1102: The audit log was deleted
- 4621: Middle Administrator Recovered CrashOnAuditFail System. Users who are not administrators
- You can now log in. Some auditable activities may not have been recorded.
- 4692: No attempt was made to create the average backup copy of the data protection master key.
- 4693: The average recovery of the data protection master key was attempted.
- 4706: A new trust has been created for a domain.
- 4713: The Kerberos Media policy was modified.
- 4714: The encrypted data recovery policy was modified.
- 4715: The audit policy (SACL) on an object was modified.
- 4764: A group with security disabled has been deleted
- 4764: The type of a group was changed.
- 4780: The ACL was set up in accounts that are members of administrator groups.
Step 4
To know in detail all the event IDs we can go to the following official Microsoft link. From these event IDs we can carry out a series of administrative tasks to correct many problems associated with AD DS, thus allowing it to work in the correct and expected way.
Windows Server event IDs
5. Commands to manage AD DS in Windows Server 2019
There are some useful commands in Windows Server that will give us the possibility to obtain information and manage objects in a much more complete way, some of them are:
Adprep
It is responsible for extending the Active Directory schema and updating the permissions to prepare a forest and domain for a domain controller running the Windows Server 2019 operating system.
Csvde
Import and export Active Directory data with files that store data in the comma separated values ​​(CSV) format.
Dcdiag
It is responsible for analyzing the status of domain controllers in a forest to determine problems.
Dsadd
Add specific types of objects to the directory, we can use parameters such as:
- Dsadd computer: Add a new device
- Dsadd contact: Add a new contact
- Dsadd user: Add a new user
- Dsadd group: Create a new group
- Dsadd ou: Create a new organizational unit
Dsdbutil
Generates Active Directory Lightweight Directory Services (AD LDS) database utilities.
Dsget
Display the selected properties of a specific object in the directory, some of the available options are:
Dsmgmt
Offers the Active Directory Lightweight Directory Services (AD LDS) management functions.
Dsmod
Allows you to modify an existing object of a specific type in the directory.
Dsmove
It is responsible for moving an object in a domain from its current location in the directory to a new location or renames a single object without moving it in the directory tree.
NET computer
Add or remove a computer from a domain database.
NET group
Add, display or modify global groups in domains.
NET user
Add or modify user accounts or display a user's account information.
Ntdsutil
Provides AD DS administration functions
Repadmin
It gives administrators the ability to diagnose Active Directory replication problems between domain controllers that have Windows operating systems.
Active Directory domain services are one of the base components that allow you to get the most out of Windows Server and thus perform administration tasks in a much more complete way..
