Teach on Udemy

Turn what you know into an opportunity and reach millions around the world.

Learn More

Your cart is empty.

Keep shopping

Active Directory: Securing Active Directory Domain Services

Name: Active Directory: Securing Active Directory Domain Services
Rating: 4.5 (747 reviews)

AD DS Security with Lab: domain controllers, account security, audit authentication, managed service accounts, PSO

Highest Rated

Created byVitalii Shumylo

Last updated 10/2025

English

What you'll learn

Securing domain controllers
Security risks that can affect domain controllers
Modifying the security settings of domain controllers
What are RODCs?
Deploying an RODC
Configuring a password replication policy
Implementing account security
Password policies
Account lockout policies
Configuring a fine-grained password policy
Tools for creating PSOs
Implementing audit authentication
Account logon and logon events
Configuring managed service accounts

Course content

10 sections • 128 lectures • 13h 16m total length

Security risks that can affect domain controllers12:54
Identify and defend against threats to your Windows Server domain controllers and Active Directory environment, from network security and authentication attacks to privilege escalation and physical security.
Kerberoasting Attack Demonstration Example: Service Account Configuration9:44
Demo: Kerberoasting Attack Example: Ticket Extraction with Mimikatz11:41
Demo: Kerberoasting Prevention via AES Encryption and GMSA Implementation9:09
Prevent kerberoasting by enforcing aes encryption for kerberos tickets and deploying gmsa, while monitoring event logs and using PowerShell to detect suspicious ticket requests.
Demo: Network Security Assessment on Domain Controllers Using Nmap10:40
Knowledge Check: Security risks that can affect domain controllers7:11
Explore knowledge checks on security risks to Active Directory and domain controllers, including authentication credentials, denial of service, elevation of privilege, and protections via certificates, updates, and physical security.
Domain Controller Security Fundamentals via GPO Management9:19
Centralize domain controller security management with group policy objects, applying default domain policy and custom gpos, audit and account policies, plus standardized event log retention.
Advanced Security Controls for Enterprise Infrastructure11:56
Knowledge Check: Modifying the security settings of domain controllers7:45
Demo Example 1: Configuring and Verifying Domain Controller Security Policies5:14
Demo Example 2: Configuring Custom Security Policies for Domain Controllers7:07
Demo Example 3: Windows Server 2025 Practical Implementation of DC Security11:47
Knowledge Check: Configuring and Verifying Domain Controller Security Policies6:40
Scripts to create lab users1:19
Benefits of Custom GPOs for Domain Controllers: Best Practices and Consideration3:38
Knowledge Check: Benefits of Custom GPOs for Domain Controllers: Best Practices7:38
Explore best practices for using custom GPOs with domain controllers, learn the processing order and last-applied policy wins, and understand how to document settings for change management.
Implementing secure authentication8:04
Knowledge Check: Implementing secure authentication9:33
Securing physical access to domain controllers3:52
Secure physical access to domain controllers to protect credentials and prevent bypassing safeguards. Use Bitlocker, monitor hotswap disks, protect virtual disks, and store backups in secure locations.
Knowledge Check: Securing physical access to domain controllers8:30
Focus on securing domain controllers through physical security, read-only domain controllers in less secure environments, BitLocker encryption, hotswap disk monitoring, secure backups, and securing virtual disks.
What are RODCs?11:32
Knowledge Check: What is RODC?9:00
Deploying an RODC3:35
Deploy a read-only domain controller (rodc) remotely using the active directory domain services configuration wizard or powershell, with one-step or two-step deployment and delegated promotion, including password replication policy planning.
Planning and configuring an RODC password replication policy6:19
Demonstration: Configuring a password replication policy7:56
Separating RODC local administration2:44
Best Practices for Securing Active Directory10:31
Knowledge Check: Best Practices for Securing Active Directory7:28

Section Overview4:06
Explore account security in Windows Server 2016 and later, covering password and lockout policies, Kerberos settings, fine-grained policies, protected groups, and Windows Hello plus Azure MFA authentication.
Understanding User Rights in Windows Server Security4:35
Knowledge Check: Understanding User Rights in Windows Server Security8:11
Best Practices for Managing User Rights on Windows Server4:13
Knowledge Check: Best Practices for Managing User Rights on Windows Server7:19
Practical Configuration of User Rights in Windows Server. Example 13:57
Practical Configuration of User Rights in Windows Server. Example 26:33
Password policies4:40
Knowledge Check: Password policies7:02
Account lockout policies3:42
Account lockout policies define thresholds, duration, and unlock methods to deter brute force attacks. Configure thresholds, auto-unlock, and 30-minute reset, and monitor sign-ins in real time.
Knowledge Check: Account lockout policies7:49
Kerberos policies7:36
Configure Kerberos policy settings from the default domain policy to govern ticket lifetimes and TGTs for domain user and computer accounts. Enforce clock synchronization tolerance to ensure accurate Kerberos operations.
Knowledge Check: Kerberos policies7:52
Demonstration: Configuring a fine-grained password policy3:21
Protecting groups in AD DS5:33
Knowledge Check: Protecting groups in AD DS7:15
Explore how restricted groups and protected users strengthen Active Directory domain services, then test your understanding of their membership controls, authentication protocols, and encryption types.
Fine-grained password and lockout policies6:20
Knowledge Check: Fine-grained password and lockout policies7:12
Explore fine-grained password policies in Active Directory by reviewing password settings objects, their container storage, and how to apply policies to groups or users, including shadow groups for OUs.
Tools for creating PSOs6:36
Knowledge Check: Tools for creating PSOs7:26
Demonstration: Configuring authentication-related audit policies and viewing log3:21
PSO precedence and resultant PSO3:51
Knowledge Check: PSO precedence and resultant PSO7:59
Account-security options14:35
Explore credential protection in Active Directory by enforcing protected users for local sign-in and applying authentication policies and Dec claims to restrict sign-in to approved devices.
Knowledge Check: Account-security options7:09
Understand how protected users prevent sensitive credentials from being cached locally and reduce credential theft. See how authentication policies and silos enforce the same policy across users, services, and computers.
Configuring user account policies4:01
Configure local and domain account policies via Secpol.msc and group policy management. The default domain policy applies domain-wide, including Kerberos settings, with precedence over local settings and changes requiring approval.
Knowledge Check: Configuring user account policies7:12
Explore configuring user account policies in an Active Directory domain services environment, covering local security policy, group policy precedence, Kerberos, password and account lockout policies, and the default domain policy.

Section Overview1:46
Overview of service accounts4:16
Challenges of using service accounts3:24
Overview of managed service accounts5:43
What are group MSAs?6:11
Discover how group MSAs extend managed service accounts across multiple servers, enabling automatic password maintenance and simplified service principal management via domain controllers and the KDS root key.
Demonstration: Configuring group MSAs2:53
Demonstrate configuring group managed service accounts in Active Directory, including creating and associating an MSA, installing it on a server, and configuring its logon for a service.

Understanding attacks8:57
Types of Vulnerabilities2:55
Example: Pass-the-Hash Attacks7:03
Demo: Setting Up Sysmon for Enhanced Monitoring11:10
Demo: Using Sysmon to Monitor and Detect Malicious Activity on Windows Systems5:04
Learn how Sysmon logs Windows event IDs—process creation, network connections, service state changes, registry value sets, and DNS queries—to monitor and detect malicious activity.
Demo: Using Autoruns to Identify and Analyze Startup Programs and Autostart Loca8:25
Demo: Using LogonSessions to Examine User Sessions in Windows Environment8:19
install and use logon sessions to view active Windows logon sessions for security analysis and troubleshooting, with details on domain, user, authentication method, and built-in administrator RID 500.
Demo: Using Process Explorer to Examine Windows Environment7:12
Explore how to use Process Explorer to monitor and examine Windows processes, view CPU usage, process IDs, loaded DLLs, and environment details for system administration and troubleshooting.

SMB Security Features3:16
Demo: Securing SMB - Auditing and Blocking SMBv1 with GPO5:46
Demo: Securing SMB Part 2 - SMB Signing and Encryption5:09
NTLM Security4:29
Implementing NTLM Security7:07
Audit ntlm usage with event id 4624 and logon type 3, then enable ntlm version 2 across the domain, audit all accounts via policy, and progressively restrict or disable ntlm.
DNS Security2:27
Implementing DNSSEC6:44
implement dnssec to secure the section company dot primary zone between the primary domain controller and dc two, configure signing keys and trust anchors, and verify via powershell.
Secure Management1:59
Managing Servers Using Windows Admin Center5:50
Protecting Credentials5:29
Microsoft Tiering Model3:25
Using the Protected Users Group1:50
Authentication Policy and Silo1:57
Protecting Privileged Accounts with Authentication Policies and Silos6:50
Local Admin Password Solution (LAPS)2:34
Preparing Active Directory for LAPS7:51
Installing the LAPS Client Side Extension2:22
Working with LAPS5:58
Obtain local admin passwords with LAPS via the Labs UI or PowerShell, view and convert expiration times in AD attributes, and enforce read vs reset permissions with auditing.
Credential Guard2:12
Verifying Hardware Compatibility for Credential Guard1:20
Enabling Credential Guard2:23
User Rights Assignment2:02
Working with User Rights Assignment7:03
Privileged Access Workstation (PAW)3:26
Knowledge Check 1: AD DS domain functional levels9:04
Knowledge Check 2: AD DS domain functional levels9:48
Learn how to plan Active Directory Domain Services upgrades by migrating from FRS to DFS and understand functional level rollback limitations for Windows Server 2016 and beyond.

Create a User Account from Template1:45
Configure User Rights1:36
Implement Offline Domain Join1:52
Automate User Account Lockout Maintenance1:30
Automate Password Resets2:44
Manage Inactive and Disabled Accounts3:56
Sync Users from a CSV3:05
Manage containers, OUs, Groups5:58
Manage groups12:11
Manage Service Principal Names3:05
Configure and verify service principal names (SPNs) to link a service instance to an account, using spn with list and s switches, and d to remove, for http and classes.
Understand and Manage Group Managed Service Accounts4:55
Configure Kerberos Policy Settings and Constrained Delegation3:42
Configure Virtual Account1:44
Configure Domain Password Policy Settings and Account Lockout Settings6:35
Delegate Password Settings Management and Configure PSOs5:34

Requirements

Familiarity with general Windows and Microsoft server administration and technologies

Description

This course is aimed to IT Pros and is supposed to give the viewer the information they need to know to get started with Active Directory (AD DS) and its key concepts. The goal is to provide coverage of AD DS components of advanced AD DS deployments, how to deploy a distributed AD DS environment and· Configure AD DS Security.

The course is targeted to help learning Active Directory and do your job more efficiently.

After completing this course, you will be able to:

· Describe how to Secure domain controllers

· Implementing account security.

· Implementing audit authentication

· Configuring managed service accounts

In your organization’s information technology (IT) infrastructure, securing Active Directory Domain Services (AD DS) domain controllers is a critical task. Domain controllers provide access to many different resources, and they contain information about users and their passwords. If a single domain controller is compromised, any objects in the same Active Directory domain or in any trusted domain are at risk of being compromised, too.

The Windows Server 2016 operating system provides features and apps that you can use to help secure your network against security threats. The operating system provides measures to secure domain controllers by minimizing their attack surface and determining their domain-controller placements. The operating system also determines the AD DS roles that are used for administration and design, and implements password security, in addition to auditing when attacks occur. You also can use domain controllers to deploy security measures to other clients and servers in your Windows-based infrastructure.

AD DS administrators must understand the threats to domain controllers and the methods that they can use to secure AD DS and its domain controllers.

Objectives

After completing this module, you will be able to:

· Secure domain controllers.

· Implement account security.

· Implement audit authentication.

· Configure managed service accounts (MSAs).

Who this course is for:

Active Directory Administrators
Windows Server Administrators
IT Specialists
Security Specialists

Active Directory: Securing Active Directory Domain Services

What you'll learn

Explore related topics

Course content

Securing domain controllers28 lectures • 3hr 43min

Implementing account security27 lectures • 2hr 49min

Implementing audit authentication4 lectures • 19min

Configuring managed service accounts6 lectures • 24min

Lab5 lectures • 1hr 3min

Securing Windows Server8 lectures • 59min

Securing Windows Server26 lectures • 1hr 58min

Protecting against Malware4 lectures • 29min

Managing and Maintaining Windows Server Active Directory15 lectures • 1hr

Maintaining Active Directory5 lectures • 32min

Requirements

Description

Who this course is for: