20742WV (55351): Identity with Windows Server Courseware

Module 1 Deploy Active Directory services

Active Directory Domain Services (AD DS) is the cornerstone of on-premises networks for many organizations worldwide. AD DS delivers authentication and authorization by using domain controllers (DCs) for on-premises apps and services. In this module, you’ll learn how to configure DCs to suit your specific organizational needs, and integrate AD DS with Microsoft Entra ID to provide single sign-on (SSO) for users that access both on-premises and cloud-based apps.

 

Lesson 1 Components of AD DS

·       What is an AD DS forest?

·       What is an AD DS domain?

·       What are organizational units (OUs)?

·       What is the AD DS schema?

·       Overview of AD DS administration tools

·       Demonstration: Manage AD DS

 

Lesson 2 AD DS DCs

·       What is a DC?

·       What are the global catalog servers?

·       Overview of service (SRV) records

·       Demonstration: Review SRV records in Domain Name System (DNS)

·       How does the AD DS sign-in process work?

·       Overview of operations masters

·       Transfer and seize roles

 

Lesson 3 Deploy AD DS DCs

·       Install a DC from Server Manager

·       Install a DC on a Server Core

·       Upgrade a DC

·       Install a DC from media

·       Clone DCs

·       Best practices for DC virtualization

 

Lesson 4 Microsoft Entra ID overview

·       What is Microsoft Entra ID?

·       How does Microsoft Entra ID compare with AD DS?

·       Microsoft Entra ID editions

·       Microsoft Entra ID administration tools

·       Microsoft Entra Domain Services

 

Lab 1: Deploy and administer AD DS

·       Deploy AD DS.

·       Administer AD DS.

 

By completing this module, you’ll achieve the knowledge and skills to:

·       Describe the AD DS components.

·       Describe the role of DCs.

·       Deploy DCs.

·       Describe Microsoft Entra ID.

 

Module 2 Manage directory objects

Active Directory, at its heart, is a hierarchical database. Unlike a traditional database, however, you can create many different types of records within Active Directory. These records are referred to as objects, which you can create to represent almost anything in your network, from users and groups to printers, shared folders, and computers.

 

Each object can have many different properties, referred to as attributes. For example, the user object type has attributes in which you can store the user’s sign-in name, and street and email addresses.

 

Not only does Active Directory allow you to store information about objects, but it also enables you to manage those objects. After you create objects, you can use AD DS to manage and control these objects, which you can group together in containers to easily apply policies to them.

 

Active Directory is a powerful tool to centrally manage your network. Large organizations might want to distribute management to different teams of administrators. Active Directory enables this by allowing a domain administrator to provide lower-level administrators access to specific objects and containers.

 

Lesson 1 Manage user accounts

·       Create user accounts

·       Demonstration: Manage user accounts

·       Disable and delete user accounts

·       Perform bulk operations on Active Directory objects

·       Demonstration: Perform bulk operations in Active Directory Users and Computers

·       User-account templates

·       Demonstration: Use templates to create accounts

·       Manage user objects in Entra ID

 

Lesson 2 Manage groups in AD DS

·       Security and distribution groups

·       Group scopes

·       Implement group management (IGDLA)

·       Delegate management of groups in Active Directory

·       Restricted groups

·       Default groups

·       Special identities

·       Demonstration: Manage groups in Windows Server

·       Manage groups in Entra ID

 

Lesson 3 Manage computer objects in AD DS

·       The default Computers container

·       Create an OU structure for managing computer objects

·       Control who can create computer objects

·       Join a computer to an AD DS domain

·       Computer accounts and secure channels

·       Offline domain joins

 

Lab 2: Manage AD DS objects

·       Create and manage groups in AD DS.

·       Create and configure user accounts in AD DS.

·       Manage computer objects in AD DS.

 

Lesson 4 Administer AD DS by using PowerShell

·       Use Windows PowerShell to manage user accounts

·       Use PowerShell for bulk operations

·       Demonstration: Use graphical tools to perform bulk operations

·       Query objects with Windows PowerShell

·       Use text files for bulk operations

·       Demonstration: Perform bulk operations with Windows PowerShell

 

Lesson 5 Implement and manage OUs

·       Plan OUs

·       OU planning strategies

·       Delegate administrative control

·       Create OUs

·       Manage permissions in Active Directory

·       Demonstration: Delegate administrative permissions on an OU

 

Lab 3: Administer AD DS

·       Delegate administration for OUs

·       Create and modify AD DS objects with Windows PowerShell

 

By completing this module, you’ll achieve the knowledge and skills to:

·       Manage user accounts.

·       Manage group objects and understand the different types of groups.

·       Manage computer objects.

·       Manage containers, referred to as organizational units (OUs).

·       Administer Active Directory by using GUI tools and Windows PowerShell.

 

Module 3 Advanced AD DS infrastructure management

This module describes key technologies that serve as the building blocks of more advanced AD DS environments and provides guidance about implementing and managing such environments.

 

Lesson 1 Overview of advanced AD DS deployments

·       Overview of domain and forest boundaries

·       Implementation of multiple domains and forests

·       Deploy a DC in an Azure virtual machine (VM)

·       Manage objects in complex AD DS deployments

 

Lesson 2 Deploy a distributed AD DS environment

·       AD DS domain and forest-functional levels

·       Deploy new AD DS domains

·       Demonstration: Install a DC in a new domain in an existing forest

·       Upgrade and migrate AD DS domains

·       Factors to consider when implementing complex AD DS environments

 

Lesson 3 Configure AD DS trusts

·       Overview of AD DS trust types

·       How do trusts work in a forest?

·       How do trusts work between forests?

·       Configure advanced AD DS trust settings

·       Demonstration: Configure a forest trust

 

Lab 4: Domain and trust management in AD DS

·       Implement forest trusts.

·       Implement child domains in AD DS.

 

By completing this module, you’ll achieve the knowledge and skills to:

·       Describe the technologies that are essential to implementing advanced AD DS environments.

·       Deploy a distributed AD DS environment.

·       Implement trusts in multi-domain and multi-forest AD DS environments.

 

Module 4 Implement and administer AD DS sites and replication

In this module, you’ll learn about the technical details of AD DS replication and how you can leverage that knowledge to optimize the design and implementation of AD DS environments that consist of multiple geographically distributed DCs.

 

Lesson 1 Overview of AD DS replication

·       What are AD DS partitions?

·       Characteristics of AD DS replication

·       How AD DS replication works within a site

·       Resolve replication conflicts

·       How replication topology is generated

·       How SYSVOL replication works

 

Lesson 2 Configure AD DS sites

·       What are AD DS sites?

·       Why implement additional sites?

·       Demonstration: Configure AD DS sites

·       How replication works between sites

·       What is the intersite topology generator (ISTG)?

·       Overview of SRV records

·       How domain-joined computers locate DCs

 

Lesson 3 Configure and monitor AD DS replication

·       What are AD DS site links?

·       What is site-link bridging?

·       Manage site-link replication.

·       Demonstration: Configure AD DS intersite replication.

·       Tools for monitoring and managing replication.

 

Lab 5: Implement AD DS sites and replication

·       Modify the default site.

·       Create additional sites and subnets.

·       Configure AD DS replication.

·       Monitor and troubleshoot AD DS replication.

 

By completing this module, you’ll achieve the knowledge and skills to:

·       Understand how AD DS replication works.

·       Configure AD DS sites to optimize authentication and replication traffic.

·       Configure and monitor AD DS replication.

 

Module 5 Implement Group Policy

For organizations operating in an on-premises AD DS environment, Group Policy offers centralized management of both user and computer settings. This enables administrators to configure, enforce, and maintain their organization’s on-premises configuration. GPOs are linked to container objects such as sites, domains, and OUs. Users and computers placed in those containers inherit the applicable container’s settings. However, GPOs can be blocked, unlinked, or enforced to override the default application behavior. GPOs can also be filtered based on security-group membership and Windows Management Instrumentation (WMI) filters. When settings don’t apply as you expect, it’s important that you know how to investigate and resolve the issues.

 

Lesson 1 What is Group Policy?

·       What is configuration management?

·       Selecting a Group Policy management tool

·       What are the benefits of Group Policy?

·       What are GPOs?

·       Manage GPO scope and inheritance

·       What are the Group Policy Client service and client-side extensions?

·       Implement GPOs in Microsoft Entra Domain Services

 

Lesson 2 Implement and administer Group Policy

·       Implement domain-based GPOs

·       Understand GPO storage and replication

·       What are Starter GPOs?

·       Common GPO management tasks

·       What is Group Policy delegation?

·       Demonstration: Delegate Group Policy administration

 

Lesson 3 Group Policy scope and processing

·       Link GPOs to containers

·       Understand Group Policy processing, inheritance, and precedence

·       Implement security filtering and WMI filtering

·       Demonstration: Filter Group Policy application

·       Enable and disable GPOs and GPO nodes

·       Implement loopback processing

·       Manage slow links and disconnected systems

·       Identify when settings become effective

 

Lab 6: Implement a Group Policy infrastructure

·       Creating and configuring GPOs.

·       Managing GPO scope.

 

Lesson 4 Troubleshoot the application of GPOs

·       What is Resultant Set of Policy (RSoP)?

·       Demonstration: Generate RSoP reports

·       Examine Group Policy event logs

·       Detect issues with the health of GPOs

 

Lab 7: Troubleshoot Group Policy infrastructure

·       Verify GPO application.

·       Troubleshoot GPOs.

 

Module 6 Manage user settings with Group Policy

You can use GPOs to create a standard desktop for the entire organization or on a departmental basis. You construct this standard desktop by using features such as administrative templates, Folder Redirection, and Group Policy preferences.

 

Lesson 1 Implement administrative templates

·       What are administrative templates?

·       Overview of the central store

·       Demonstration: Configure settings with administrative templates

·       Import security templates

 

Lesson 2 Configure Folder Redirection, software installation, and scripts

·       What is Folder Redirection?

·       Settings for configuring Folder Redirection

·       Security settings for redirected folders

·       Demonstration: Configure Folder Redirection

·       Manage software with Group Policy.

·       Group Policy settings for applying scripts.

 

Lesson 3 Configure Group Policy preferences

·       What are Group Policy preferences?

·       Compare Group Policy preferences with settings

·       Features of Group Policy preferences

·       Item-level targeting options

·       Demonstration: Configure Group Policy preferences

 

Lab 8: Manage user settings with Group Policy

·       Use administrative templates to manage user settings.

·       Implement settings by using Group Policy preferences.

·       Configure Folder Redirection.

 

By completing this module, you’ll achieve the knowledge and skills to:

·       Implement administrative templates.

·       Configure Folder Redirection, software installation, and scripts.

·       Configure Group Policy preferences.

 

Module 7 Secure AD DS

AD DS contains sensitive information about many parts of your IT infrastructure, such as users and their passwords. An issue with your AD DS security can result in data loss, data leakage, parts of your IT infrastructure being disabled, or even your entire IT infrastructure being compromised. As an AD DS administrator, you need to understand the potential threats to AD DS and how to mitigate them.

 

Lesson 1 Secure DCs

·       What security risks can affect DCs?

·       Modify security settings of DCs

·       Implement secure authentication

·       Secure physical access to DCs

·       What are read-only DCs (RODCs)?

·       Deploy an RODC

·       Plan and configure an RODC password-replication policy

·       Demonstration: Configure a password-replication policy

·       Separate RODC local administration

 

Lesson 2 Implement account security

·       Account security in Windows Server

·       Understand password policies, account lockout policies, and Kerberos authentication policies

·       Demonstration: Configure domain account policies

·       Protect groups in AD DS.

·       Fine-grained password and lockout policies.

·       Create and manage Password Settings objects (PSOs).

·       Demonstration: Configure a fine-grained password policy

·       Enhance password authentication with Windows Hello

·       Options for securing accounts in Entra ID

 

Lesson 3 Implement authentication auditing

·       Account logon and logon events

·       Demonstration: Configure authentication-related audit policies

·       Scope audit policies

·       Demonstration: Review logon events

 

Lesson 4 Configure managed service accounts

·       Overview of service accounts

·       Challenges of using service accounts

·       Service principal names (SPNs) and Kerberos delegation

·       Overview of managed service accounts

·       What are group managed service accounts (MSAs)?

·       Demonstration: Configure group MSAs

 

Lab 9: Secure AD DS

·       Implement security policies for accounts, passwords, and administrative groups.

·       Deploy and configure an RODC.

·       Create and associate a group MSA.

 

By completing this module, you’ll achieve the knowledge and skills to:

·       Explain how to secure DCs.

·       Implement account security.

·       Plan and configure audit authentication.

·       Configure managed service accounts (MSAs).

 

Module 8 Deploy and manage AD CS

Public key infrastructure (PKI) is the tools and processes that allow you to issue digital certificates, which are commonly used for authentication and to help secure network communication. You can configurate Windows Server as a CA that issues digital certificates by installing the AD CS role.

 

Lesson 1 Deploy CAs

·       What is AD CS?

·       Options for implementing CA hierarchies

·       Standalone vs. enterprise CAs

·       Factors to consider when deploying a root CA

·       Demonstration: Deploy an enterprise root CA

·       Considerations for deploying a subordinate CA

·       How to install a CA by using the CAPolicy.inf file

 

Lesson 2 Administer CAs

·       Manage CAs

·       Configure CA security

·       Security roles for CA administration

·       Configure CA policy and exit modules

·       Configure certification revocation list distribution point (CDP) and authority information access (AIA) locations

·       Demonstration: Configure CA properties

 

Lesson 3 Troubleshoot and maintain CAs

·       Monitor CA operations

·       Troubleshoot CAs

·       Renew a CA certificate

·       Move a root CA to another computer

 

Lab 10: Deploy and configure a two-tier CA hierarchy

·       Deploy an offline root CA.

·       Deploy an enterprise subordinate CA.

 

By completing this module, you’ll achieve the knowledge and skills to:

·       Deploy CAs.

·       Administer CAs.

·       Troubleshoot and maintain CAs.

 

Module 9 Deploy and manage certificates

Planning a CA hierarchy is just the first part of implementing PKI for your organization. You also need to understand how to manage certificate templates to ensure that users and computers get certificates with the correct configuration. Additionally, you need to know how to manage certificates, including certificate revocation, and how you can use certificates for purposes such as securing network communication.

 

Lesson 1 Deploy and manage certificate templates

·       What are certificates and certificate templates?

·       Schema versions for certificate templates

·       Configure certificate-template settings and permissions

·       Options for updating a certificate template

·       Demonstration: Modify and enable a certificate template

 

Lesson 2 Manage certificate deployment, revocation, and recovery

·       Certificate enrollment methods

·       Overview of certificate autoenrollment

·       What is an enrollment agent?

·       How does certificate revocation work?

·       Overview of key archival and recovery

·       Configure automatic key archival

·       Demonstration: Configure a CA for key archival

 

Lesson 3 Use certificates in a business environment

·       Use certificates for Transport Layer Security (TLS)

·       Use certificates for digital signatures

·       Demonstration: Sign a document digitally

·       Use certificates for content encryption

·       Demonstration: Encrypt a file with EFS

·       Use certificates for authentication

 

Lab 11: Deploy and use certificates

·       Configure certificate templates.

·       Enroll and use certificates.

·       Configure and implement key recovery.

 

By completing this module, you’ll achieve the knowledge and skills to:

·       Deploy and manage certificate templates.

·       Manage certificate deployment, revocation, and recovery.

·       Use certificates in a business environment.

 

Module 10 Implement and administer AD FS

Windows Server provides AD FS, an SSO solution. AD FS enables organizations to provide users with the ability to sign in and authenticate to services and apps locally, in partner companies, and online. AD FS service provides SSO functionality for many services in various organizations. In this module, you’ll learn how AD FS works and how to implement it in different scenarios.

 

Lesson 1 Overview of AD FS

·       What is identity federation?

·       What are claims-based identity and claims-based authentication?

·       What is AD FS?

·       How does AD FS enable SSO in a single organization?

·       How does AD FS enable SSO in a business-to-business federation?

 

Lesson 2 AD FS requirements and planning

·       AD FS components and requirements

·       PKI and certificate requirements

·       Plan an AD FS deployment for online services

·       Plan a highly available AD FS deployment

·       Capacity planning

·       Deploy AD FS in Azure

·       Demonstration: Install the AD FS server role

 

Lesson 3 Deploy and configure AD FS

·       What are AD FS claims and claims rules?

·       What is a claims provider trust?

·       What is a relying party trust?

·       Demonstration: Configure claims provider and relying party trusts

·       Install and configure AD FS

·       Configure an account partner and resource partner

·       Configure claims rules

·       How does home realm discovery work?

·       Demonstration: Configure claims rules

·       Manage an AD FS deployment

 

Lesson 4 Web Application Proxy overview

·       What is Web Application Proxy?

·       Web Application Proxy authentication methods

·       Scenarios for using Web Application Proxy

·       Install and configure Web Application Proxy

·       Entra ID Application Proxy overview

·       Demonstration: Install and configure WAP

 

Lab 12: Implement AD FS

·       Configure AD FS prerequisites.

·       Install and configure AD FS.

·       Configure an internal application for AD FS.

·       Configure AD FS for federated business partners.

 

By completing this module, you’ll achieve the knowledge and skills to:

·       Describe Active Directory Federation Services (AD FS).

·       Describe AD FS requirements and planning.

·       Deploy and configure AD FS.

·       Describe Application Proxy.

 

Module 11 Implement AD DS synchronization with Microsoft Entra ID

In this module, you’ll learn how to plan, prepare, and implement directory synchronization between local AD DS and Entra ID.

 

Lesson 1 Plan and prepare for directory synchronization

·       AD DS scope and limitations

·       Microsoft Entra ID as a cloud identity service

·       Authentication with Entra ID

·       Overview of directory synchronization

·       Plan directory synchronization

·       Prerequisites and preparation for directory synchronization

·       Prepare Entra ID tenant for directory synchronization

·       AD FS and Entra ID

·       Overview of Entra Cloud Sync

 

Lesson 2 Implement directory synchronization by using Entra Connect

·       Overview of Entra Connect

·       Entra Connect requirements

·       Entra Connect express synchronization

·       Entra Connect customized synchronization

·       Demonstration: Install and configure Entra Connect

·       Monitor directory synchronization with Entra Connect Health

 

Lesson 3 Manage identities with directory synchronization

·       Options for identity synchronization and authentication

·       Writeback options with directory synchronization

·       Modify directory synchronization

·       Manage privileged identities in Entra ID

·       Monitor directory synchronization

·       Troubleshoot directory synchronization

 

Lab 13: Configure directory synchronization

·       Prepare for directory synchronization

·       Configure directory synchronization

·       Manage Active Directory users and groups, and validate directory synchronization

 

By completing this module, you’ll achieve the knowledge and skills to:

·       Plan and prepare for directory synchronization.

·       Implement directory synchronization by using Microsoft Entra Connect.

·       Manage identities with directory synchronization.

 

Module 12 Monitor, manage, and recover AD DS

At the heart of AD DS is the Active Directory database. A major responsibility for administrators is to monitor AD DS and its associated services, which ensures you’re managing issues proactively. In a worst-case scenario, administrators might have to restore the Active Directory database from a backup, which requires a methodical approach to creating, testing, and performing regular backups. Microsoft provides several tools for monitoring AD DS in real time, and for storing data to recognize trends over time. There are also specific tools to help you backup and restore an Active Directory database.

 

Lesson 1 Monitor AD DS

·       Performance bottlenecks

·       Potential hardware bottlenecks

·       Monitoring tools in Windows Server

·       Use Performance Monitor

·       Demonstration: Monitor AD DS

 

Lesson 2 Manage the Active Directory database

·       Active Directory database overview

·       Use NtdsUtil.exe to manage the Active Directory database

·       Demonstration: Perform database management

·       Active Directory snapshots

 

Lesson 3 Active Directory backup and recovery solutions

·       Modern Best Practices for AD DS Monitoring and Recovery

·       Understand object deletion and recovery

·       Undelete objects without the recycle bin

·       Enable the AD Recycle Bin tool

·       Configure the AD Recycle Bin tool

·       General backup and recovery tools

 

Lab 14: Recover objects in AD DS

·       Backup and restore AD DS

·       Recover AD DS objects using Active Directory Recycle Bin