
Explore the fundamentals of identity in Windows Server 2016 and how it governs access and security within the Microsoft 70-742 framework.
Explore identity management in Windows Server 2016 with Active Directory, domain controllers, and group policy, then extend with Active Directory Certificate Services, ADFS, and Active Directory Rights Management Services.
Meet Patrick Lohner, an 18-year Microsoft certified trainer with extensive Windows Server experience. He has trained Windows 2000 and CompTIA courses and consulted on upgrades and migrations.
Download Supporting files here
Explore identity management concepts and Active Directory Domain Services, focusing on creating and managing unique identities for users, computers, and groups in a secure client-server environment.
Learn information protection concepts by identifying and authorizing users through authentication and authorization, with accounting, while applying the CIA triad of confidentiality, integrity, and availability.
Explain how identities from users to groups are stored in a directory and identified by security identifiers, and how ACL-based security descriptors on resources enforce permissions.
Learn how authentication validates a user’s identity and authorization grants access rights within Active Directory, explaining why both are required and how single sign-on enables resource access.
Learn essential AD DS terms like security identifiers (SIDs) and domain SIDs, security principals, security groups, ACLs, access tokens, and Kerberos as the primary authentication protocol.
Explore how the access token, generated by the LSA with Kerberos, carries a user identity, group SIDs, and user rights to govern login access and resource use.
Learn how access control protects Windows resources with security descriptors, DACLs and SACLs on NTFS and AD objects. ACEs define permissions; if no ACE matches, access is denied.
Demonstrate the Kerberos login process and its three-component design, where a domain controller issues a ticket granting ticket and service tickets to enable single sign-on to local and remote resources.
Compare workgroup and domain environments, using identity stores: local SAM database for standalone systems and Active Directory for domains, with HomeGroup easing sharing in Windows 7 while keeping separate accounts.
Understand how Active Directory domains provide a centralized identity store, domain controllers, Kerberos authentication, and single sign-on for centralized access control and audit trails in business networks.
Examine the Active Directory domain services components, including the AD database, the logical structure (forests, trees, domains, and OUs), physical structure (partitions, sites, and global catalog servers), and trust relationships.
Active Directory domain services acts as a database of objects and attributes, including users and devices, with Kerberos authentication, replication, and management via graphical user interface tools or PowerShell.
Explore the physical data store and its partitions, housing the transactional database and log files, using in-memory changes and recovery to protect directory information across users, services, and applications.
Explore how Active Directory partitions create logical divisions of the database. Explain how the domain partition houses users, groups, and computers, while schema and configuration partitions define objects and topology.
Explore the Active Directory schema as the definitions of object classes and attributes, including mandatory and optional fields, and see how schema extensions enable applications like Exchange.
Identify the domain as the core unit of the Active Directory logical structure that groups objects, establishes administrative and authentication boundaries, and governs domain-wide multi-master replication.
Explore how domains form trees within an Active Directory forest, with a contiguous DNS namespace and two-way transitive trusts, and understand forests as the implementation boundary for authentication and security.
Organizational units organize domain objects, enabling location- or function-based grouping and consistent management. They delegate administrative control and govern group policy application within specific OUs.
Explore Active Directory sites as logical objects representing locations and IP subnets that use high speed links to control login and replication traffic via DNS service records and site links.
Understand how replication keeps Active Directory databases in sync across domain controllers in a multi-master model, with topology forming automatically and site objects controlling the process.
Explore how trust relationships enable external access to resources across domains in an active directory forest, highlighting two-way, transitive, and automatic trusts and their authentication versus authorization.
Explore an overview of Active Directory domain services and domain controllers, and learn how to manage objects using graphical tools and command line administrative tools.
Promote a server to a domain controller to run Active Directory services, store database, authenticate with Kerberos, locate objects via Ldap, and support multi-master replication and read-only domain controller option.
Learn how domain controllers become global catalog servers to enable cross-forest searches and logon using universal group membership, with a shared schema and configuration, and domain partitions.
Utilize read-only domain controllers in branch offices to improve logon performance and availability during WAN outages by caching credentials per policy, with read-only DNS and global catalog to reduce traffic.
Explain how the FSMO roles designate single-domain and forest-wide responsibilities. Highlight the PDC emulator as the domain-wide master for password changes and the time server.
Explore how fsmo roles are held by domain controllers and how to transfer or seize them using gui tools, ntdsutil, and schema management mmc, with cautions about corruption when seizing.
Discover how domain controllers use domain name system srv records, registered by Netlogon, to locate Kerberos, ldap, and Global Catalog services. Explore dynamic updates, site localization, and priority-weight load balancing.
Domain controllers register srv records in dns via dynamic updates, enabling clients to locate and access Kerberos and ldap services for the domain.
Explore the practical deployment of domain controllers, applying the studied functionality to implement this essential identity infrastructure in Windows Server 2016.
Deploy domain controllers to support local logon at each site and improve fault tolerance via multi-master replication. Implement at least two domain controllers per domain.
Install Active Directory domain services via server manager, then promote the server using the AD DS configuration wizard, choosing new forest, new domain, or domain controller options with admin rights.
Plan and specify installation type, domain name, forest and domain functional levels, DNS server and global catalog roles, directory services recovery mode password, and database and log locations.
Install and promote a domain controller in Windows Server 2016 using Server Manager, configure Active Directory Domain Services, verify DNS, and complete replication to join an existing domain.
Choose server core in Windows Server 2016 as the default option for domain controllers and infrastructure servers, and manage it via command line, PowerShell, and remote server manager.
Promote a server core to a domain controller in Windows Server 2016 using PowerShell and Active Directory Domain Services, configuring DNS and credentials, with remote management via Server Manager.
Upgrade domain controllers to Windows Server 2016 by adding new domain controllers on fresh hardware or performing in-place upgrades, using ad prep for forest and domain prep.
Learn about additional installation options for domain controllers, including install from media using an AD DS snapshot created with ntdsutil, and automatic cloning for virtual machines.
Leverage cloning of domain controllers to enable rapid deployment, recovery readiness, and scalable virtualization in private cloud environments using Windows Server 2012/2016.
Discover how to clone a virtual domain controller with Hyper-V in Windows Server 2016, including checking cloneable domain controllers, generating the dc clone config xml, and exporting the virtual machine.
Explore the fundamentals of Active Directory domain services and domain controllers, detailing authentication, authorization, and access control, plus architectures, DC types, deployment options, including cloning of domain controllers.
Review foundational identity topics in windows server 2016 through chapter 01, reinforcing key concepts of identity management.
Download Supporting files here
Explore an overview of Active Directory Domain Services object management and identify the graphical and command line tools available to manage these objects.
Explore how the Active Directory database stores objects—users, computers, groups, and OUs—with a single location and attributes. Mandatory attributes include display name, user principal name, and login name.
Explain the distinguished name and the relative distinguished name for Active Directory objects, including CN, OU, and DC components, and describe the canonical name's relation to the common name.
Compare Active Directory management tools in Windows Server 2016, including AD Users and Computers and the AD Administrative Center built on PowerShell, and learn PowerShell cmdlets like Add-ADUser.
Explore an overview of Active Directory management tools, including Active Directory users and computers, the Admin Center, and Windows PowerShell, with emphasis on PowerShell commands and the PowerShell ISE.
Manage user accounts as the core object in Active Directory to master daily administrative tasks in Windows Server 2016.
Showcase how a user account is the cornerstone of identity and access in Active Directory domain services, uniquely identifying each user and governing sign-on to workstations and resources.
Establish a naming convention for user accounts and their distinguished name and relative distinguished name. Use full name to derive common name and display name, ensuring unique UPN across forest.
Passwords protect user identity and enable login via the domain controller; weak passwords risk spoofing, while Windows Server 2016 uses domain policy and password settings objects for stronger complexity.
Create unique user accounts for new hires using graphical tools or Windows PowerShell, and decide when to use single accounts versus bulk import via csv or ldf.
Explore how to create and manage AD DS user accounts using Active Directory users and computers, the AD administrative center, and PowerShell, including New-ADUser and bulk CSV imports.
Manage user attributes in Windows Server by creating users with Active Directory Administrative Center or PowerShell, or editing properties in Users and Computers; cover account, organization, password, profile, policy, extensions.
Learn to manage user accounts in Windows Server 2016 by creating, moving, enabling or disabling, and deleting or restoring accounts using the Active Directory recycle bin, plus using account templates.
Manage Active Directory user accounts with GUI and PowerShell, including creating accounts, resetting passwords, moving between groups, enabling/disabling, deleting, and bulk updates.
Explore the group object in Active Directory domain services and learn how groups simplify assigning user rights and permissions.
Group types simplify administration by assigning permissions to groups rather than individuals, reducing ACL entries and enabling nesting for department access. Always use groups and add users as needed.
Identify Windows Server 2016 group types: security groups and distribution groups, and learn that security groups enable rights in an access control list, while distribution groups serve as email distribution.
Explore group scopes in Microsoft 70-742, detailing local domain, local, global, and universal scopes for security and distribution groups. Understand how scope affects membership, visibility, nesting, and permission assignment.
Domain local groups grant rights in local domain with open membership for users, global, and universal groups; global groups have limited membership and are nested to grant permissions across forest.
Define the universal group scope and its visibility for rights and permissions, with open membership from anywhere in the forest or trusted domains, stored on global catalog servers for login.
Group nesting simplifies access control by placing groups within other groups to minimize acl entries, while domain local groups can contain users, global groups, and universal groups from trusted domains.
Adopt a standard group naming convention to ease administration and clearly indicate a group's scope, purpose, location, and ownership, following Microsoft guidance on global and domain local indicators.
Create and configure groups using Active Directory tools such as the administrative center and Windows PowerShell. Specify group type and scope; understand managed by and member of.
Create and configure Active Directory groups to simplify permissions, using the admin center or Active Directory users and computers and Windows PowerShell to manage security groups, membership, and group scope.
Explore built-in groups in local servers and Active Directory, and how rights and permissions derive from local and domain policies. Apply least privilege when delegating control to avoid excessive rights.
Identify the differences between default local and active directory groups, review typical rights like administrators and backup operators, and learn to use custom groups for precise delegation.
Identify built-in administrative groups—domain admins, enterprise admins, and schema admins—and learn why careful delegation matters since rights extend across the domain, forest, or the schema partition.
Explore how default Active Directory groups grant rights and how to delegate control by adding users to built-in and user containers. View rights with group policy; prefer custom groups.
Explore Windows Server 2016 special identities, such as anonymous logon and creator owner, whose membership isn't managed, and learn to assign rights using authenticated users and other all-caps groups.
Use groups to minimize access control list entries by nesting account groups into a resource group, applying a single access control entry, and following the least privilege principle.
Apply group nesting strategies by placing accounts in global groups, nesting into domain local groups for permissions, to scale across domains and minimize access control list entries.
demonstrates configuring group nesting with domain local and global groups to grant access to a corporate data share while illustrating explicit ntfs permissions and effective access checks.
Learn to manage computer accounts that identify the computer to the domain and support related administration tasks, including creating computer accounts.
Computer accounts in Active Directory identify machines to the domain controller, enable authentication at startup, support authorization, auditing, and group policy, created automatically on domain join or pre-staged for deployment.
Join computer to the domain via system properties to create a computer account; standard domain users can join up to ten machines by default, with permissions in the computers container.
Identify and fix a broken trust relationship with the domain by resetting the computer's secure channel password using PowerShell commands like Test-ComputerSecureChannel -Repair or Reset-ComputerMachinePassword.
Explore offline domain joins, a two-step process using the join utility to create and load a domain join file, enabling domain membership without contacting a domain controller.
Manage computer accounts in Windows Server 2016 and Active Directory, including creating computer objects, joining the domain, and placing machines in the proper OU for policy deployment.
Explore organizational units in Active Directory and learn how they address varied organizational needs without creating multiple domains, delivering key capabilities introduced with Windows 2000.
Organizational units in Active Directory create a logical hierarchy to partition and organize domain objects. Design location-based OU strategies to delegate control and enable decentralized group policy via OU-linked GPOs.
Plan the OU hierarchy around administrative purpose, including who administers, what they administer, and where, while recognizing inheritance for permissions and group policy across child OUs, and minimize changes.
Create organizational units using the same tools or PowerShell, with automatic protection against accidental deletion via a hidden checkbox, and ensure organizational units cannot be moved easily in complex hierarchies.
Design and create an OU hierarchy to organize, delegate admin control, and govern group policy, then automate its creation with PowerShell using New-ADOrganizationalUnit and a CSV.
Explore how Active Directory uses access control lists to protect objects, with inheritance and entries that grant or deny permissions, including create and delete user accounts for OUs, unlike NTFS.
Explore standard and special permissions in Active Directory, including read/write/full control on user and group objects, and the complexity of attribute-level access, often inherited from OUs.
View and understand the ACLs for any Active Directory object, from users to OUs, using the security tab and advanced features to see explicit and inherited permissions.
Delegate administrative control within Active Directory to decentralize management, enforce separation of power, and reduce costs by assigning rights at OU level, object types, or specific attributes.
Modify delegated rights by updating group membership and adjusting Active Directory permissions, or reset access by recreating the object, noting inherited ACLs.
Delegate administrative control at the OU level to simplify management, document all delegation, and consider how moving objects in the OU hierarchy changes inherited permissions and policies.
Delegate administrative control in active directory domain services from domain to organizational units, granting level-specific tasks like reset passwords, read user info, and manage groups with custom or common permissions.
Explore Active Directory domain services objects, including user accounts, groups, computers, and organizational units, and learn key object management, attributes, and how groups simplify rights, permissions, and group policy.
Review chapter 02 topics on identity in Windows Server 2016, reinforcing core concepts and practical approaches to identity management in enterprise environments.
Download Supporting files here
We examine the security surrounding domain controllers, outline the requirements, and explain why securing domain controllers matters. Then we review the options available to protect them.
Identify and mitigate security risks to domain controllers by enforcing network and physical security, patching systems, and defending against Kerberos, privilege escalation, and denial-of-service attacks.
Use group policy in an Active Directory environment to centrally administer security settings and create custom GPOs linked to domain controllers instead of relying on defaults that may become corrupted.
Explore group policy security settings in Windows Server 2016, including computer and user configurations, account policies, local policy, restricted groups, services, firewall with advanced security, and advanced audit policy.
Secure the authentication process by enforcing password changes and auditing directory access, while implementing multifactor options such as smart cards and biometrics to protect accounts and network resources.
Protect physical access to domain controllers to prevent offline data exposure and credential theft, then use BitLocker, monitor hot-swap disks, and consider read-only domain controllers when security is uncertain.
Deploy branch office domain controllers to reduce wan-based login and service ticket traffic, while noting security risks of writeable domain controllers and how read-only domain controllers mitigate them.
Explore the read-only domain controller (rodc) architecture, including credential caching with a password replication policy, administrative role separation, and read-only dns and read-only global catalog support for branch offices.
Learn ROTC limitations and deployment guidelines, including maximum one per site, no replication changes origin, cannot serve as bridgehead, and incompatibility with apps like Exchange needing a writable global catalog.
Deploy rodc after meeting prerequisites, including ad prep with rodc parameter for domains upgraded from 2003. Choose between a one-step wizard or a two-step installation, pre-stage or delegate as needed.
Demonstrates installing a read-only domain controller (RODC) via two-stage pre-creation and Server Manager. Explains configuring password replication policy, delegation, and DNS/global catalog options for branch offices.
Describe how the password replication policy controls which credentials are cached by the branch office ROTC, with an empty allowed group and a denied group including administrators that affects logins.
Implement account security for user and computer accounts in Windows Server 2016 by configuring group policy settings.
Explore protecting account credentials in Windows Server 2016 by implementing password and account lockout policies, fine-grained password policies via password settings objects, and Kerberos and authentication policies for secure sign-on.
Windows Server 2016 domain controllers enforce password complexity—three of four categories and a minimum length—with longer policies taking precedence; train users to create secure, memorable passwords that avoid login-name patterns.
Use the default domain policy to enforce password history, maximum and minimum age, length, and complexity for domain user accounts, since it's already configured and linked to the domain.
Configure account lockout policies to deter password guessing and shoulder surfing by setting thresholds, duration, and reset timers for failed logins.
Apply password and lockout settings in the default domain policy to affect all domain user accounts; RSOP and user options like password never expires or reversible encryption can override.
Configure account, password, and account lockout policies with group policy to strengthen authentication credentials in a domain environment, using the default domain policy settings.
Learn how to configure fine-grained password policies in Windows Server 2016 using GUI or PowerShell, mirroring domain policy with extra attributes like SSO link and precedence.
Learn how Windows Server 2008 enables fine grained password policies applied directly to users or groups via password settings objects stored in password settings container, without interfering with domain policies.
Determine if a fine-grained password policy applies directly to a user or via group membership, and apply precedence: directly linked PSOs win; if multiple PSOs apply, use the lowest value.
Configure fine grained password policies in Windows Server 2016 using the Active Directory Administrative Center or PowerShell, applying specific password settings and account lockout for IT admins.
Discover how restricted groups and the protected users security group control local group membership on workstations and servers, and how to configure them in group policy.
Discover the protected users security group, a client-side feature protecting domain accounts on member computers by disallowing weak protocols like Nehalem and Digest, enforcing Kerberos encryption and configurable tgt lifetimes.
Implement authentication policies to apply restrictive Kerberos settings to specific service and user accounts. Use dynamic access control claims to define sign-in conditions based on user, device, and department attributes.
Authentication policy silos group users, service accounts, and computers within the same security scope to apply the authentication policy; silos take precedence over policies and can be enforced or audited.
Enhance password security by leveraging Windows Hello biometrics, Microsoft Passport with TPM keys, and Azure multifactor authentication for cloud access via Azure AD and Office 365.
Explore auditing for Active Directory domain services and learn how it enables monitoring of security-related events.
Auditing tracks security events such as logins, shutdowns, and file access in security logs; configure via local or group policy—standard or advanced—on systems and domain controllers.
Auditing tracks user and operating system activities, records events in security logs as success or failure audits, detailing events, who acted, when, and result; it supports baselines and object access.
Plan and monitor security auditing events in Windows Server 2016, covering account log on, domain log ons, object access, policy changes, and privilege use; choose success, failure, or both.
Align audit policies with security requirements by selecting what to track and balancing thorough logs with practicality, using Event Viewer filters or third-party tools to focus on relevant categories.
Configure a two-step audit to track access to Active Directory and file system objects, define events via system access control lists, and review logs for delegated control and admin actions.
Explore advanced auditing in Windows Server 2008 R2 and later, learning to fine-tune account logon subcategories to focus on credential validation and login activity, reducing unnecessary events.
Configure auditing in Windows Server 2016 by exploring standard and advanced auditing, domain controller policy settings, and object access auditing to monitor security events in the security log.
Configure managed service accounts to support applications and services in a Windows Server 2016 environment, recognizing the service account as a distinct object type.
Explore service accounts in Windows Server 2016, avoid standard user and local system accounts, and uphold least privilege. Use the network service with domain machine account permissions for secure access.
Examine the challenges of managing service accounts, including managed service accounts, in Windows Server 2016, such as password updates, cross-system references, SPN management, and DNS name changes.
Managed service accounts, introduced in Windows Server 2008 R2, use a PowerShell-created object with auto-managed passwords and simplified service principal name management; standard MSAs can't be shared across computers.
Use PowerShell to configure group managed service accounts for Windows Server 2016, enabling multi-server authentication stored on domain controllers. Set up the AD DS root key (KDS) once.
Shows configuring a group managed service account with the Active Directory PowerShell module, creating and distributing it to hosts, and wiring the service to an application pool for password management.
Secure active directory domain services by protecting domain controllers, implementing read-only domain controllers in low-security environments, and enforcing robust account security, auditing, and group managed service accounts.
Review chapter 03 in identity in Windows Server 2016 for the Microsoft 70-742 exam, reinforcing core concepts and exam readiness.
Download Supporting files here
Explore the overview of Advanced Active Directory Domain Services deployments, including multi-domain and multi-forest configurations, and examine the reasons behind these deployment strategies.
Domains provide replication and administration boundaries in complex Active Directory, reducing cross-domain replication and governing domain-level group policy, auditing, password and account policies, and DNS zones via application partitions.
Explore how the forest is the ultimate security boundary, enabling isolation beyond domains. It governs replication of schema, configuration partitions, the global catalog, and forest dns zones.
Explore why organizations implement multiple domains, including reducing replication by separating domain controllers, preserving distinct DNS namespaces, enabling distributed administration, and supporting resource domains for applications like Exchange.
Implement multiple forests to achieve security isolation and handle schema incompatibilities, such as Exchange requiring schema extensions, multinational requirements, and merger or extranet scenarios.
Deploy domain controllers in Azure using infrastructure as a service, creating virtual machines that host Active Directory domain services for disaster recovery and regional distribution with lower latency for clients.
Automate user and group management across multi domain and multi forest environments with scripts, ensuring proper attributes, self-service for password reset, and identity synchronization via Microsoft Identity Manager 2016.
Explore the process of deploying a distributed AD DS environment after reviewing why some organizations opt for a complex domain setup.
Raise the domain functional level for Active Directory domains to unlock new features, ensuring all domain controllers run the required Windows Server version; note it is a one-time, non-reversible change.
The forest functional level is determined by the lowest domain functional level. Raise all domain levels before increasing the forest level, as 2008 and later domains shape forest capabilities.
Deploy Active Directory domains by installing the AD DS role, promoting domain controllers, and creating forest root, child, or tree domains with distinct DNS namespaces and trust relationships.
Study DNS considerations in multi-domain, multi-forest environments, including centralized vs decentralized models and AD integrated zones, with replication and name resolution optimization using conditional forwarding and stub zones.
Explore how user principal names streamline authentication in multi-domain and multi-forest environments, customize UPN suffixes, and ensure external DNS domains and the global catalog support federation with Office 365.
Demonstrates deploying a child domain within an Active Directory forest using PowerShell, including DNS setup and trust inspection.
Understand how trust relationships extend authentication across domains and forests, with directional, outgoing and incoming trusts, including automatic two-way, transitive trusts that create a complete forest trust path.
Explore the automatic trusts in Windows Server 2016, including parent-child and tree root trusts. Differentiate external, realm, forest, and shortcut trusts, noting transitivity and complete or selective authentication.
Explain how domain trusts guide ticket-based access across domains, showing how a user obtains a service ticket via domain controllers along trust paths, and how shortcut trusts reduce hops.
Leverage forest trusts to simplify cross-organization access with a complete two-way trust that spans all domains, enabling UPN authentication and Kerberos V5 usage across forests, with optional selective authentication.
Explore advanced trust settings for forest trusts, including SSID filtering, SSID history, and migration considerations, then enable selective authentication and name suffix routing for controlled access.
Configure a forest trust between test labs.net and abc.com by setting up dns with conditional forwarders and using the new trust wizard to establish a two-way, transitive forest trust.
Explore how Active Directory Domain Services replication keeps the database up to date across all domain controllers in the forest and domain, and learn how replication functions.
Examine how the Active Directory data store ntds.dit is partitioned into domain partition, configuration, and schema partitions for replication, with application partitions like dns storing app data.
Demonstrate how multi-master Active Directory replication maintains consistency across partition replicas, balancing integrity and traffic through originating updates, pull, attribute-level updates, and automatic topology, with collision handling.
Explore intra site and inter site replication in active directory, including change notification, polling, bridgehead servers, and site links for efficient domain controller synchronization.
Explore replication conflicts in Active Directory: concurrent attribute edits, orphaned objects moved into a deleted container, and duplicates with the same RDN; resolved by timestamps, versioning, and lost and found.
Configure Active Directory domain services sites to reflect physical locations and control replication and log in traffic across multiple sites.
Sites and subnets map Active Directory to physical locations to control replication and login traffic, localizing logins and guiding site-aware applications and printers.
Plan sites in an active directory forest; start from the default first site name and place locations with no domain controllers into adjacent sites, with a 512kbps minimum.
Learn how Active Directory sites and subnets map physical networks to site objects, create sites with or without subnets, and assign subnets for site-aware authentication and DNS.
Move domain controllers into the correct site with the Active Directory sites and services tool; DNS site records register for site-based client authentication.
Learn how to place domain controllers across sites with local login and DNS, and assess global catalogs for single-domain versus multi-domain forests, considering replication and bandwidth.
Create and map Active Directory sites and subnets using the Active Directory sites and services tool or PowerShell, linking sites to control login and replication traffic.
Learn how the knowledge consistency checker automatically creates intra-site and inter-site replication topology, and how the inter-site topology generator defines bridgehead servers for cross-site replication.
Define a site link to connect Chicago and LA sites, guiding the KCC to specify replication paths; a site link is a logical pathway, not the underlying network.
Create site links with at least two sites to identify replication paths in Active Directory, enabling automatic bridgehead connections for cross-site replication over IP-based links.
Configure site links by managing cost, schedule, and frequency to control replication across multiple sites, selecting the lowest-cost paths and tailoring windows for bandwidth and convergence needs.
Configure ip site links to control replication between sites, create and rename links, view the topology in ntds settings, and optimize with costs and schedules.
Bridgehead servers, managed by the istg, replicate changes across site links and can be set as preferred to improve firewall performance, with two configured to avoid single points of failure.
Site links are transitive by default, and the ISG may bridge them; disable bridging to require direct connections, or define site link bridges for hub-spoke scenarios or chosen transitive links.
Monitor and troubleshoot Active Directory replication in Windows Server 2016 using repadmin, dxdiag, and enhanced PowerShell cmdlets. Use event viewer, scom, and ops manager for enterprise monitoring and exam readiness.
Examine Active Directory infrastructures with multi domain and multi forest deployments, trust relationships, domain controllers, DNS modifications, sites and site links, and intersite replication to keep Active Directory database consistent.
Review chapter 04 content on identity in Windows Server 2016 to reinforce key concepts and exam readiness.
Download Supporting files here
Explore the purpose of group policy, identify its key components, and understand the processes involved in managing identity in Windows Server 2016.
Master group policy in Active Directory by linking GPOs to a domain or to organizational units to centralize and decentralize administration, applying thousands of settings for security and software deployment.
Explore how group policy settings reside in a GPO, with user configuration and computer configuration applied at logon and startup, then refreshed periodically.
Master local group policies and their interaction with domain policies, including workgroup scenarios where local policy provides settings unavailable in control panel, avoiding registry edits.
Compare policies and preferences in group policy objects. Policies enforce settings and disable user interfaces, while preferences are non-enforced and can replace login scripts, mapping drives, and creating shortcuts.
Explore the group policy management console to understand computer and user configurations, administrative templates, security settings, and how to generate GPO reports.
Link GPOs to Active Directory containers like domains or OUs to apply settings to users and computers, using the Group Policy Management Console.
Store GPO content in two locations: the group policy container for replication and the GPT in the shared folder, identified by Gid, with policies applied at login and startup.
Link GPOs to Active Directory containers such as domains, OUs, or sites so user and computer settings apply; default linking enables all settings, so match the GPO to the object.
Understand how the GPO processing order determines which settings apply across domain, site, and OU levels; the last processed GPO wins, with OU overrides domain in key scenarios.
Apply inheritance to propagate domain GPOs to users and computers and parent OU GPOs to children. Block inheritance stops inherited GPOs; you cannot selectively block individual policies.
Explain how group policy inheritance works with Chicago and sales views, showing non-inherited vs block-inheritance scenarios and how conflicting settings favor the directly linked GPO.
Explore how GPO links and precedence determine policy application in Windows Server 2016. Learn how linking, enabling, disabling, and the enforced attribute resolve conflicts between parent and child GPOs.
Explore security filtering for GPOs in Windows Server 2016, including ACLs and options to remove authenticated users or deny apply policy, with guidance to speed logins using OUs.
Discover WMI filtering in Windows Server group policy using WQL and the WMI client service to determine if a GPO applies, mainly for software installations.
See how gpo settings linked to an ou apply automatically, with 90-minute refresh intervals and 16-hour security policy reapplication, plus instant updates via gpupdate, invoke-gpupdate, and gpmc remote policy refresh.
Explore loopback processing to apply computer settings on special machines by using the computer account's user settings and ignoring user policies, and note slow link detection at 500 kbps.
Explore the creation and configuration of GPOs, building on concepts of group policy, its components, and how GPOs are applied.
Create a GPO and link it to an Active Directory container to push policies, using gpmc or the group policy creator owners group to manage permissions.
Create and manage starter GPOs to enforce consistent administrative template settings across the organization, duplicate them for OUs, and link to OUs while enabling essential firewall rules and remote management.
Explore administrative templates, their registry-based policies, and how enabling or disabling settings locks user changes, with central store and importing office templates for consistent policy deployment.
Explore group policy preferences as not mandatory settings within a GPO, enhancing control panel and Windows configurations across user and computer scopes, with a demo of categories and interface.
Create, link, and enforce GPOs with the group policy management console, configure Windows updates and firewall rules, and use the central store of administrative templates.
Use the group policy management console to manage GPOs, edit and enable or disable settings, back up, import settings, view reports, delegate control, and see affected users and groups.
Delegate control across group policy to match structure, assigning rights to create, link, and edit GPOs and WMI filters at OU or domain levels, with monitoring via modeling and results.
Manage GPOs permissions and deployment with the GPMC in Windows Server 2016, delegating link rights, backing up and restoring GPOs, and performing import, copy, and delete tasks.
Monitor and troubleshoot Group Policy deployments to ensure settings apply to intended users and computers, and simulate or test applications before implementation.
Troubleshoot group policy by inspecting event logs for group policy client service and client side extensions, check network connectivity and DNS, and address replication and inheritance issues across domain controllers.
Use the resultant set of policy (rsop) and gpresult in the gpmc to view current policies for a user and computer, and use group policy modeling for planning.
Diagnose why group policy objects fail to apply by using the group policy results and modeling wizards, gpresult, and event viewer to identify applied, denied, and conflicting policies.
Learn to manage security options for computers using group policy, enabling specific configurations and applying settings consistently.
Configure security management with group policy to enforce consistency and control, including account lockout and password policies, plus user rights, user account control, app control, and Windows firewall settings.
Configure and manage user rights across Windows systems using domain-based policies, differentiating privileges from logon rights, and assign rights via GPOs to support personnel and end users.
Explore how security options in GPOs control logon options, network encryption, user account control, related settings, and learn to document changes and deploy security templates for perimeter and non-domain machines.
Apply user account control policies to manage consent prompts and elevation for program installations. Understand admin approval mode, standard user credentials, and GPO settings to balance security with productivity.
Explore managing security options in group policy by creating a domain GPO, editing computer configuration security settings, user rights, and admin approval mode for administrator privileges.
Centralize software control on servers and desktops with enterprise tools, deploying software and patches, and enforcing whitelist or blacklist policies through group policy, software restriction policies, and application control policies.
Configure software restriction policies in Windows Server 2016 using hash, certificate, path, and zone rules to enforce software usage for licensing and malware prevention.
Configure software restriction policies by selecting a security level for rules. Use disallowed, basic user, or unrestricted, with a default security level for whitelisting or blacklisting.
AppLocker, or application control policies, replaces software restriction policies but is not backward compatible; configure group-based rules, audit mode, and separate handling for installers, executables, scripts, and store apps.
AppLocker improves on software restriction policies by restricting unapproved, unused, or unlicensed software. It supports Windows 7 Enterprise/Ultimate, Windows 8 business, Windows 10 Pro/Enterprise, and Windows Server 2012–2016.
Compare AppLocker rules with software restriction policies, highlighting path, hash, and publisher rules; publisher rules leverage the signing certificate to block or allow by product name, reducing maintenance.
Apply applocker default rules to allow programs in the program files directory, with hash or publisher rules overriding; or automatically generate rules from a current system for gpo deployment.
Configure AppLocker in group policy to block or allow executable, installer, script, and packaged app rules, enforce publisher, path, or file hash rules, and test blocking Firefox and iTunes.
Configure and manage the Windows Firewall as a default, host-based, stateful protection for inbound and outbound traffic, shielding systems from malware, using group policy for consistent, easy administration.
Explore how the Windows firewall with advanced security uses a unified MMC snap-in and GPO wizard to manage inbound, outbound, and IPsec rules across devices with import/export policies.
Configure and apply firewall profiles—private, public, and domain—so Windows enforces profile-specific rules as it detects network type, including corporate laptops and hotspot connections.
Create firewall rules to allow traffic blocked by default for file and print sharing, remote management, remote event log collection, and branchcache, using a central configuration method like a gpo.
Use group policy to configure the Windows firewall to reduce administrative overhead and errors by centralizing management, enabling a one-time setup and easy export/import of rules across many systems.
Explore the differences between inbound and outbound firewall rules, how they filter traffic by program, port, and IP, and how connection security rules with IPsec enforce mutual authentication and encryption.
Explore how connection security rules use IPsec in transport mode to secure internal network traffic, define source and destination, and apply isolation and authentication exemptions in server-to-server scenarios.
Configure the Windows firewall with advanced security via group policy to enforce domain-wide inbound and outbound rules, enable core networking, file and print sharing, and IPsec, with logging.
Explore how group policy controls user environments by configuring folder redirection, software distribution, and other desktop environment settings.
Explore how group policy deploys scripts to map drives and printers, create environmental variables, and manage files, with group policy preferences largely replacing login and startup scripts since 2008.
Folder redirection stores user folders on a network server yet presents them as local drives, offering roaming-like access and avoiding roaming profile drawbacks such as long logon times and corruption.
Redirect common folders such as documents, desktop, and app data to a network location. They appear local, with a document shortcut, while data stays on the network.
Understand basic and advanced folder redirection. Redirect to private subfolders under a shared root or group-based Chicago or Miami file servers, and configure start menu and desktop options.
Configure folder redirection with group policy to move user folders to a network location. Create the folder, set permissions, and apply per-user or shared paths to replace roaming profiles.
Explore how to deploy, upgrade, and remove software using group policy, and understand when this fits small programs versus dedicated tools like SCCM or Altiris.
Learn how the Windows Installer service and MSI packages automate software installations, configurations, repairs, and uninstallations, enabling streamlined deployment via group policy.
Windows Installer enables fully automated installations and custom setups with MST transforms on MSI files, while Office 2016 lacks group policy deployment and may require packaging tools or Zap.
Group policy manages the entire software life cycle, including preparation, deployment, maintenance, and removal. Upgrades and removals are possible only if the application was deployed via a GPO.
Prepare Windows installer packages and a shared software distribution point, then create a GPO to deploy packages to computers or users, ensuring network path accuracy.
Decide between deploying to a computer account or a user, then publish or assign; assigned apps appear in the start menu and install automatically.
Deploy software via group policy to manage maintenance, updates, patches, and upgrades. Choose mandatory or optional upgrades; mandatory enforces immediate upgrade, optional prompts users to upgrade.
Explore how removing software deployed via group policy works, with optional removal that blocks new installations while preserving use, and forced removal that uninstalls on next login or startup.
Implement group policy to centralize administration in Active Directory environments, controlling security settings, desktop environments, startup scripts, and Internet Explorer options.
Review chapter 05 of identity in Windows Server 2016 to reinforce core identity concepts and exam readiness.
Download Supporting files here
Explore what directory synchronization is, why it is necessary, and the planning phases for linking an on-premise environment to a cloud-based environment.
Overview of Azure AD as an online identity service underpinning Microsoft cloud offerings, comparing IaaS, PaaS, and SaaS and explaining cloud-only and synchronized identities.
Understand why active directory domain services fall short for cloud connectivity and mobility, and how Azure AD enables internet-facing, BYOD environments with cloud-based access.
Extend active directory authentication with an intermediary system, using Azure AD device registration for device onboarding and federation via AD FS and Web Application Proxy, IaaS domain controllers in Azure.
Compare on premise active directory with Azure AD, highlighting Azure AD's internet-focused identity management, REST/HTTPS communication, SSO via SAML, and the lack of Kerberos, LDAP, group policies, and organizational units.
Explore azure ad authentication options from cloud-only identities to directory synchronization with Azure ad Connect, and single sign on through adfs in hybrid environments.
Plan directory synchronization by identifying on-premise AD preparation tasks, updating attributes and schema, and planning domain/forest level alignment, port 443, and capacity—then verify uPN suffixes.
Enable Active Directory synchronization between on-premises and cloud via Office 365 admin portal, Azure classic portal, or PowerShell; run Set-MsolDirSyncEnabled -EnableDirSync $true -Force as setting, not installing Azure AD Connect.
Explore implementing Azure Ad Connect after reviewing directory synchronization functionality and planning stages, focusing on how to deploy and configure Azure Ad Connect to integrate on-premises identities.
Install Azure AD Connect to enable coexistence between on-premises AD and Azure AD, transferring authority to the on-premises directory and synchronizing new users, groups, and contacts plus deletions and disablements.
Verify domain is added and verified; meet Azure AD Connect requirements: server 2008 or later, NET Framework 4.51, PowerShell 3.0, Azure AD module, admin accounts, and SQL or internal database.
Use Azure AD Connect express settings for a simple installation with a single Active Directory forest and password synchronization; the setup configures the connectors and enables automatic updates.
Configure Azure AD Connect with customized settings for multi-forest environments, including AD FS single sign-on, selective synchronization, and password writeback, via the wizard to manage source anchors and login attributes.
Monitor Azure AD with the Azure AD Connect Health component. An agent on targeted servers feeds the health portal with on-prem identity, synchronization, alerts, and performance.
Use Azure AD privileged identity management to grant on-demand just-in-time admin access, activate temporary roles with duration and assignment info, and discover admin rights with reports in Azure Classic portal.
Explore how to manage identities with directory synchronization across systems in this final topic overview.
Learn to manage Azure AD Connect tasks, including user and password writeback, device writeback, and mailbox attribute upkeep, with directory synchronization, soft deletes, and cloud recycle bin recovery.
Synchronize on-premises and azure ad groups and their membership attributes. Initialize the ad sync group writeback to replicate groups back to on-premises ad, requiring a server 2012 r2 functional level.
Learn how to filter objects synced from on-premises Active Directory to Azure AD using domain, OU, or attribute-based rules in Azure AD Connect, reducing cloud clutter.
Monitor directory synchronization with the synchronization service manager and Azure management pack, via the Azure classic portal; verify last DirSync time, detect errors, and trigger notifications to the technical contact.
Analyze directory synchronization logs to identify errors and remediate with the Azure AD Connect tool. Diagnose installation failures, credential issues, deactivated sync, AD changes, corruption, and network connectivity problems.
Explore synchronizing on premise Active Directory with Azure AD to enable cloud services in hybrid environments, including Azure AD's identity management role and Azure AD Connect installation options.
Review chapter 06 of Microsoft 70-742: identity in Windows Server 2016 to consolidate essential concepts about identity in Windows Server 2016.
Download Supporting files here
Explore the importance of monitoring bottlenecks across critical system areas and learn about Microsoft tools for proactive monitoring in AD DS environments.
Understand the benefits of performance monitoring, including higher service levels, better outage handling, and establishing a baseline for proactive and reactive monitoring of Active Directory domain services.
Establish performance baselines with the Windows Server 2016 performance monitor and data collection set to capture high and low values for counters like percent processor time and disk queue length.
Identify monitoring tools for Windows Server 2016 Active Directory based on environment size and goals, from task manager and event viewer to performance monitor and System Center operations manager.
Explore the enhanced event viewer in Windows Server 2016, featuring XML-based logs, custom views, filters, and subscriptions for centralized, reactive troubleshooting of server and group policy events.
Learn to use event viewer to monitor and troubleshoot Active Directory on Windows Server 2016. Leverage filtered views and custom views with Server Manager integration.
Reliability Monitor in Windows Server 2016 shows a stability index timeline of events across software, application, hardware, Windows, and miscellaneous categories, viewable as a chart or report for troubleshooting performance.
Explore monitoring with resource monitor and performance monitor in Windows Server 2016, tracking CPU, memory, disk, and network usage; manage objects, counters, and instances and control access with security groups.
Use data collector sets in Windows Server 2016 to monitor behind the scenes, build a performance baseline, review event trace data later, with built-in and custom collectors and templates.
Build a data collector set with four data collection points, performance counters, event trace data, and system configuration information, or create alert-based collections with thresholds and notifications.
Identify performance indicators for Active Directory on domain controllers by monitoring CPU percent processor time, processor queue length, pages per second, percent disk time, and Dra, Kerberos, and LDAP counters.
Establish an early performance baseline for monitoring Active Directory to interpret real-time results and detect abnormal values, then develop regular monitoring, escalation, and alert processes.
Learn about various aspects of managing the Active Directory database in Windows Server 2016 identity management.
Explore how the Active Directory database is maintained through the ntds edit file, EDB.log, EDB.check, and circular logging with overflow and reserve logs.
Use the ntds util command line utility to manage fisma roles, perform database maintenance like offline defrag, create snapshots, move database and log files, and clean up domain controller metadata.
Active Directory maintenance runs by default, with 12-hour garbage collection that purges items after tombstone lifetime of 180 days, and online defrag that optimizes NTDS file without shrinking the database.
Learn how to backup and recover objects in Active Directory and safeguard domain controllers. Understand approaches to ensure Active Directory availability and integrity of domain controllers.
Learn disaster recovery for Active Directory, including backup and restore practices, high availability with multiple domain controllers, and the available recovery options.
Enable the Active Directory recycle bin and use critical volume backups for full domain controller recovery within the tombstone lifetime of 180 days, while testing restores for validation.
Install Windows Server Backup via Server Manager or Install-WindowsFeature, then back up with GUI or WBAdmin, using PowerShell to interact with backups to files, CD or DVD, or network locations.
Back up the domain controller’s critical volumes—typically the system and boot volumes (usually the C drive)—and the AD database NTDS.dit, plus the system state data (registry, boot files, components database).
Learn how non authoritative and authoritative restores work in Windows Server 2016, using directory services restore mode and NTDSUtil to recover deleted objects, with a note on primary restores.
Learn to use dsamain and ntds util snapshots to mount and compare backups, then restore deleted objects with the active directory recycle bin across multiple locations.
Enable the Active Directory recycle bin in Windows Server 2016 using PowerShell or the AD administrative center, then restore deleted objects and understand one-time enablement and replication requirements.
Apply backup and recovery best practices by separating operating system files from Active Directory databases and logs, using a dedicated backup volume, and performing frequent backups with monitoring and testing.
Monitor and recover Active Directory with event viewer and performance tools; use NTDSUTIL for database management and FSMO transfers, backups, and snapshots via Windows Server Backup.
Review the identity management concepts in Windows Server 2016 covered in chapter 07, and explore their practical applications.
Download Supporting files here
Explore the fundamentals of a public key infrastructure and the role of Active Directory Certificate Services in Windows Server 2016.
A PKI, or public key infrastructure, combines software and encryption to secure transactions through digital certificates exchanged between authenticated users and trusted resources, enabling confidentiality, authentication, integrity, and non-repudiation.
In a PKI, symmetric key encryption secures bulk data, while asymmetric encryption with public and private keys enables secure key exchange and data decryption using certificates.
Manage digital certificates and keys within a PKI founded by certificate authorities via Active Directory, issuing certificates to users and computers and leveraging CRL distribution points.
Explore PKI enabled applications, including digital signatures for authenticity and non-repudiation, and certificate-based security for email, IPsec, 802.1x, smartcard and multi-factor authentication, and code signing.
Explore how certificate authorities build a PKI, from root to subordinate CAs, and compare standalone and enterprise CAs with Active Directory integration, auto enrollment, and group policy.
Compare enterprise and standalone certificate authorities, noting auto enrollment and certificate templates. Explain why enterprise CA integrates with AD DS for trusted root propagation via group policy.
Choose internal versus external certificate authorities; internal CAs are cost-free and forest-trusted, external CAs are globally trusted with costs, guiding use for websites and internal needs.
Explore AD CS in Windows Server 2016, installing certificate authority and web enrollment services, plus OCSP, network device enrollment service, and policy-based certificate enrollment with TPM support.
Deploy a certificate authority hierarchy with multiple CAs working in concert to provide PKI functionality within your organization.
Identify the PKI users and business needs to shape a CA hierarchy, selecting certificate uses, templates, and server services, then define security and management of CCAs and certificates.
Identify the route CA as the trusted anchor that signs its own certificate and certifies the subordinate policy and issuing CAs, with policy defining requirements and issuing interacting with clients.
Collect requirements for each ca, choose the subordinate for clients, deploy root ca offline, support 3–4 hierarchy levels, and enforce role separation among administrator, certificate manager, auditor, and backup operator.
Plan for Windows Server 2016 AD CS installation by fixing computer name, domain membership, and then configure Root CA with provider, key length, hash algorithm, name, log/database paths, and validity.
Generate root key with the cryptographic service provider, defaulting to Microsoft strong. Use at least 2048-bit keys, SHA-1 by default, five-year validity; offline PKI.
Install and configure a root certificate authority using Active Directory certificate services in Server Manager, selecting enterprise root CA, manage certificate templates, CRL, and administration tools for PKI deployments.
Deploy subordinate CAs to enforce PKI policy and issue client certificates. Choose enterprise subordinate for domain user and computer certificates, auto enrollment, and template management.
Subordinate CAs enable policy separation across uses such as EFS, remote access, and IPsec, and support role-based, geographic, and load-balanced certificate issuance.
Automate certificate services installation using the CA policy INF file to deploy root or subordinate CAs and configure sections, keys, and values, including certificate practice statements and renewal settings.
Learn how to administer certificate authorities with efficient hierarchy management, security configuration, auditing, and monitoring, using the various management methods provided by ADCs.
Configure and manage a PKI using CA management console, PowerShell with ADCs modules, and certutil, then enforce credential roaming, auto enrollment, CRL distribution points, and certificate policies via group policy.
Configure CA security via the security property page to set permissions, including read access and the ability to issue, manage, and request certificates within template constraints.
Create role-based security groups for enterprise or standalone CAs to delegate predefined permissions, such as manage CA, issue and manage certificates, backup, auditor, and enroll, with roles not auto-created.
Configure policy and exit modules on the CA to control certificate requests, including pending-approval or automatic issuance workflows, and post-issuance actions via MIM 2016 policy module with certutil.
Explore certificate revocation lists (CRLs): digitally signed lists of revoked certificates retrieved and cached by clients to verify validity, with base CRLs and delta CRLs for Windows XP or later.
Publish the CRL to clients, using a publication setting or published period; the certificate authority starts with the base CRL and updates with delta CRLs as more certificates are revoked.
Configure and publish AIA and CDP extension fields in X.509 v3 certificates to support offline root and subordinate CAs, enabling clients to locate CRL distribution points and AIA locations.
Explain digital certificates as a file with the public key and base certificate information, paired with a private key stored on the issuing computer, used by SSL and EFS.
Certificate templates define which certificates an enterprise CA can issue and the security principals authorized to read, enroll, or modify them, with defaults like basic EFS and smart card login.
Explore the four template versions in Windows Server 2016. Enable customization and auto enrollment with version 2, add elliptic curve cryptography with version 3, and support renewal with the same key in version 4.
Update certificate templates by either modifying the original to include new settings or superseding it with a new version, which replaces the old template and makes it unavailable to clients.
Configure and enable a certificate template in Active Directory certificate services by duplicating the user template, adjusting properties, and issuing the test labs user template for auto enrollment.
Explore certificate enrollment options, including web enrollment, manual offline enrollment with external CAs, auto enrollment via group policy, and on-behalf enrollment for smart cards.
Choose enrollment type by CA and client OS, use web enrollment to select a certificate template, and install the issued certificate after either internal AD auto-validation or external CA input.
Integrate Active Directory, domain services, and Certificate Services to enable auto enrollment. Group Policy and templates trigger automatic certificate requests to the CA, with issuance to users or computers.
Configure the certificate template with enroll and auto enroll permissions, ensure the CA issues it, and enable auto enrollment via GPO and PKI policies; verify with CSC client.
Learn to configure auto enrollment for user and computer certificates via group policy, enabling renewals, updates, and AD enrollment policies in Windows Server 2016.
credential roaming lets users access credentials remotely across domain-joined systems, while preserving the integrity of private keys and certificates; it updates when keys or certificates change or group policy refreshes.
manage certificate revocation and distribution by implementing crl and ocsp, revoking certificates before expiration and distributing the revocation list.
Explore how the online responder in Windows Server 2016 uses OCSP to query a specific certificate status without downloading the full CRLs, reducing network traffic compared to local CRLs.
Explain how the online responder validates a certificate's location, handles ocsp requests over http, caches responses, decodes and verifies via the web proxy against the local crl, and centralizes workload.
Configure the CA to support an online responder by issuing the OCSP response signing certificate and enabling the AIA extension; install and link the online responder to sign responses.
Learn how to configure certificate recovery to safeguard authentication and authorization in your organization, and ensure you have backups.
Learn how key archival and recovery protect encrypted data by safeguarding and restoring public-private keys stored in user profiles, and understand recovery agents for key restoration after loss or compromise.
Configure key archival in version two and later templates to store the encrypted private key in the CA database and enable recovery by a key recovery agent.
Contrast data recovery and key recovery to show how encrypted content is decrypted by a data recovery agent and the data key, with key recovery simplifying recovery via archive key.
Explore archival methods for certificates, including manual and automated options, with the certificates MMC snap-in for exporting certificates and private keys, depending on the certificate template and automation needs.
Export methods for certificates include pkcs#12 and pdf formats. Locate the certificate in your store and export it, with Outlook 2003 and later supporting direct pkcs#12 export.
Configure certificate templates and key recovery agent permissions to support automated archival, upgrade certificates to version two, designate certificate managers and administrators, and enroll the key recovery agent template.
Recover a lost key by locating recovery candidates and obtaining the serial number with CRA certificates, decrypt the private key from the PKCS7 blob, then import a PKCS12 file.
Learn how Active Directory Certificate Services on Windows Server 2016 enables a public key infrastructure with certificate authorities, hierarchies, templates, and CRL vs OCSP revocation options.
Review chapter 08 content from Microsoft 70-742: identity in Windows Server 2016, consolidating core topics for exam readiness.
Download Supporting files here
Discover the overview of the AD FS feature and its core functionality for identity management in Windows Server 2016.
Define identity federation and enable distributed identification, authentication, and authorization across organizational boundaries. Federated trust delivers single sign-on with one account, while partners define access levels and protect resources.
Improve security and control over authentication through federation, reduce password burdens, and enable interoperability with heterogeneous systems via an attribute store that produces claims for AD DS and AD LDS.
Explore the Active Directory Federated Services infrastructure, focusing on federation trusts, account and resource partners, and how authentication and authorization differ from regular domain trusts using HTTPS.
Describe the AD FS components, including federation servers, proxies, and the primary Active Directory domain services as the attribute store, and outline how single sign-on uses tokens and claims.
Explore federation scenarios including business-to-business access across organizations, business-to-consumer extranets with ADFS, and single sign-on across multiple web applications, plus hybrid cloud Office 365 SSO with security tokens.
In a B2B scenario, a resource partner's web app relies on the account partner's federation server to issue a SAML security token containing Active Directory group memberships, UPN, and email.
Enable the business to employee scenario with federated web single sign-on for traveling employees. Use a single domain forest in a perimeter network to authenticate and authorize web-based applications.
Describe how organizations provide resource access across the internet to individual customers, create customer user accounts, use a data store, and enable single authentication to web based applications.
Explore new features in Windows Server 2016, including ldap v3 attribute store support, multifactor authentication, conditional access via the web application proxy, and enhanced Adfs management.
Explore planning and deploying Adfs in this topic. Learn practical steps to plan and deploy Adfs within Windows Server 2016 identity environments.
Identify the AD FS requirements, including port 80/443 connectivity, DNS resolution to federation servers, AD DS as authentication and attribute store, and certificates for token signing, verification, and SSL.
Identify key server roles in federation, including claims provider federation server, relying party federation server, and the web application proxy on the perimeter for secure access.
Plan high availability for federation with adfs to ensure users obtain security tokens and access web apps. Use federation server farms with network load balancing and highly available configuration database.
AD FS claims provide user information from the claims provider to the relying party, enabling cross-organization authorization with user principal name, email, and group-based attributes.
Discover how AD FS claim rules define business logic for claims from providers to relying parties, including acceptance, issuance, authorization, and delegation rules.
Master trust relationships in adfs by configuring claims provider trust and relying party trust, including importing federation metadata or manually configuring claim rules to manage token flow.
Prepare sql server for the AD FS configuration database, configure certificates and a group managed service account, install AD FS, and run configuration wizard to form the federation server farm.
Install Active Directory Federation Services on the federation server using server manager, add roles, configure certificates, DNS records, and federation settings for hybrid AD federation and single sign-on.
Identify the home federation server that provides claims and direct users to their account partner through home realm discovery, with options for user selection or WA and R parameter redirection.
Manage the AD FS certificate lifecycle with automatic rollover for self-signed certificates and manual renewal for Office 365, using Get-AdfsCertificate to monitor expirations and token signing certificates.
Explore how the web application proxy acts as a Federation Services proxy, enhancing perimeter security while offering additional functionality for identity access in Windows Server 2016.
Discover how the Windows Server 2016 web application proxy secures internal web apps by acting as a reverse and AD FS proxy, enabling external publishing with pre authentication.
Configure the web application proxy as an Adfs proxy on the perimeter and deploy the same SSL certificate and name, then implement split DNS for internal and external Adfs resolution.
The lecture describes using the web application proxy in the perimeter network with ADFS for pre authentication or pass-through authentication, protecting claims-aware applications.
Publish various applications with the web application proxy in server 2016, using wizards to publish exchange services, remote desktop gateway, and other apps, including autodiscovery and exchange server URLs.
Examine Active Directory Federation Services (ADFS) components, including federation server and proxy, claims providers, and relying parties, and explore planning, deployment, and the Web Application Proxy in Windows Server 2016.
Review chapter 09 of identity in windows server 2016 as covered in microsoft 70-742 materials.
This 70-742: Identity in Windows Server 2016 course teaches IT professionals on the deployment, configuration and troubleshooting of identity services such as Active Directory Domain Services (AD DS) and Group Policy in Windows Server 2016. Additionally, this course also covers the deployment and installation of other Active Directory server roles, such as Active Directory Federation Services (AD FS) and Active Directory Certificate Services (AD CS).
The course 70-742: Identity in Windows Server 2016 is part of a three course series required to pass the MCSA: Windows Server 2016 certification. The course curriculum is designed keeping in view the exam topics covered in the Microsoft exam 70-742. In this way, this course is equally helpful for IT professionals looking to gain their knowledge as well as the candidates willing to appear in the said exam.