Index

A

access-denied assistance, 247

Active Directory Domains and Trusts, 6

Active Directory Federation Services, 74

Active Directory Recycle Bin, 12–13

Active Directory Sites and Services, 6

Active Directory Users and Computers, 5

Delegation of Control Wizard, 5

tasks, 5

View Advanced Features function, 5

Active Directory-integrated zones, 186–187

AD DS (Active Directory Domain Services), 1, 9. See also Azure AD; domain(s)

backup, 10

database optimization, 20–21

DNS integration, 186, 188, 192

Active Directory-integrated zones, 186–187

alias (CNAME) records, 191

conditional forwarders, 193

forwarders, 192–193

GlobalNames zones, 189–190

host records, 190

MX (mail exchanger) records, 191

pointer records, 191

resource records, 190, 194–195

reverse lookup zones, 188–189

scavenging, 192

secondary zones, 188

stub zones, 193

unknown records, 191

zone aging, 191–192

zone delegation, 190

domain(s), 16–17

authentication and, 18

controllers, 1–2, 6–7

forests and, 19–20

functional levels, 19

trees and, 18

DSRM (Directory Services Restore Mode), 7–8

forests, 16

Group Policy, 83. See also AGPM (Advanced Group Policy Management); Group Policy

Administrative template, 92–93

caching, 91

fixing GPO problems, 85–86

forced update, 91–92

GPO backup, 84–85

GPO management, 83–85, 86

implementing, 95

import and copy GPOs, 85

loopback processing, 90–91

preferences, 93–94

security filtering, 89–90

WMI filters, 90

groups, 47

integration with other AD instances, 71

metadata cleanup, 21

multi-domain forests, 17–18

partitions, 41

password(s)

managing, 74–75

policy items, 75

replication, 24–25

settings permissions, 76

replication, 41

conflict resolution, 43

KCC (Knowledge Consistency Checker), 42

managing and monitoring, 44

multi-master, 42

RODC, 43–44

store and forward, 42

triggering, 44

security, 45

site(s), 35–37

creating, 37–38

link bridges, 40

links, 39–40

subnets, 38

snapshots, 22

tombstone lifetime, 10–12

trust(s), 29, 30

direction, 30–31

external, 32

forest, 31–32

name suffix routing, 35

netdom.exe and, 34

realm, 33

shortcut, 32

SID filtering, 34–35

transitivity, 30

ADAC (Active Directory Administrative Center), 3

Powershell and, 3

search functionality, 3–4

Add-Clusternode cmdlet, 257

Add-Computer cmdlet, 52

Add-DhcpServer4Filter cmdlet, 209

Add-DHCPServer4Scope cmdlet, 205

Add-DHCPServer6Scope cmdlet, 205

Add-DhcpServerv4SuperScope cmdlet, 206

Add-DNSPrimaryZone cmdlet, 189

Add-DnsServerConditionalForwarderZone cmdlet, 193

Add-DNSServerDirectoryPartition cmdlet, 187

Add-DnsServerPrimaryZone cmdlet, 187

Add-DNSServerQueryResolutionPolicy cmdlet, 199

Add-DNSServerSecondaryZone cmdlet, 188

Add-DnsServerStubZone cmdlet, 193

Add-DnsServerZoneDelegation cmdlet, 190

ADDomainMode cmdlet, 19

Add-VMAssignableDevice cmdlet, 134

administration tools, Windows Server, 100

jump servers, 101

PAWs (Privileged Access Workstations), 100–101

remote access and, 100

Remote Desktop, 101–102

WAC (Windows Admin Center), 102–105

AGPM (Advanced Group Policy Management), 88–89

alias (CNAME) records, 191

ARM (Azure Resource Manager), templates, 53

assessment, Windows update compliance, 119

authentication

intra-forest, 18

NPS and, 223

pass-through, 74

on-premises environments and, 73

VPN, 213–214

authoritative restore, 13–15

Azure AD, 1, 2. See also domain controllers

Application Proxy, 229–230

Connect Health, 72

deleted items, restoring, 15

Active Directory Recycle Bin, 12–13

AD DS (Active Directory Domain Services), 10

authoritative restore, 13–15

non-authoritative restore, 15

integration with other AD instances, 71

managing, 2–3

using Active Directory Domains and Trusts, 6

using AD sites and Services, 6

using AD Users and Computers, 5

using ADAC (Active Directory Administrative Center), 3–4

Password Protection, 82

Azure AD Connect, 54–55

cloud sync, 67

installing, 58–63

requirements, 56–57

deployment account, 57–58

SQL Server, 57

synchronization, 65–67

Azure AD DS

deploying, 68–70

domain join, 70

integration with other AD instances, 71

managing, 68

Azure App Service Hybrid Connections, 230–231

Azure Arc, 114

connecting to Windows Server instances, 115–116

deployment, 115–116

functionality, 114–115

Azure Automation

Hybrid Runbook Worker, 123–124

runbooks, 123

State Configuration, 124

Azure Bastion, connecting to IaaS VMs, 178

Azure DNS, integrating with Windows Servers DNS, 193–194

Azure ExpressRoute, 228–229

Azure Extended Network, 219–220

Azure File Sync, 233

cloud endpoints, creating, 235

cloud tiering, 237

migrating DFS to, 234–239

monitoring, 234–238

server endpoints, creating, 236

server registration, 235–236

storage sync service, deploying, 234

sync groups, creating, 234–235

Azure Monitor, 120

agent, 121

Azure File Sync and, 234–238

data collection, 120

installing, 121

Log Analytics workspace, 120

Azure Network Adapter, 219

Azure Policy guest configuration, 116–117

Azure Relay, 227–228

Azure Serial Console, connecting to IaaS VMs, 179

Azure Virtual WAN, 229

B

backup and restore, 10–12

Active Directory Recycle Bin, 12–13

AD DS (Active Directory Domain Services), 10

authoritative restore, 13–15

checkpoints and, 137

GPOs, 84–85

non-authoritative restore, 15

bandwidth management, Hyper-V, 155

basic disks, 252

BranchCache, 247–248

C

checkpoints, 136–137, 153

cloning, virtual domain controllers, 16

cloud endpoints, creating, 235

Cloud Shell, 122

cloud sync, 67

cloud tiering, 237

cmdlets, 3

Add-Clusternode, 257

Add-Computer, 52

Add-DhcpServer4Filter, 209

Add-DHCPServer4Scope, 205

Add-DHCPServer6Scope, 205

Add-DhcpServerv4SuperScope, 206

Add-DNSPrimaryZone, 189

Add-DnsServerConditionalForwarderZone, 193

Add-DNSServerDirectoryPartition, 187

Add-DnsServerPrimaryZone, 187

Add-DNSServerQueryResolutionPolicy, 199

Add-DNSServerSecondaryZone, 188

Add-DnsServerStubZone, 193

Add-DnsServerZoneDelegation, 190

ADDomainMode, 19

Add-VMAssignableDevice, 134

checkpoint-related, 136–137

DNSServerCache, 197

Enable-PSRemoting, 106–107, 129

Enter-PSSession, 107, 129, 130

Get-ADTrust, 34

Get-Command-Module <modulename>, 106

Get-NetAdapter, 131

Get-PSSessionConfigurationFile, 113

Get-SRPartnership, 260

Get-StoragePool, 254

getting help with, 106

GPO management, 84

Install-ADDSForest, 9

Install-ADServiceAccount, 49

Invoke-Command, 108

Move-ADDirectoryServer, 40

New-ADDCCloneConfig, 16

New-ADReplicationSiteLink, 40

New-ADReplicationSubnet, 38

New-AzADServicePrincipal, 115–116

New-NetNAT, 131

New-StorageQosPolicy, 262

New-VMSwitch, 131

Register-PSSessionConfiguration, 113

Set-ADComputer, 50

Set-ADForestMode, 20

Set-ADObject, 9

Set-DhcpServerv4DnsSetting, 207

Set-PhysicalDisk, 254

Set-SRPartnership, 260

Test-SRTopology, 259

Uninstall-ADDSDomainController, 21

commands

Docker, 160

docker load, 166

docker rmi, 166

docker run, 167, 169

docker save, 166

docker tag, 166

get-credential, 107

netdom trust, 34

compliance, Windows update, 119

computer accounts, 47

conditional forwarders, 193

conflict resolution, 43

connection request policies, 220

creating, 224

default, 223–224

Realm and RADIUS attributes, 223

consoles, 2–3

Active Directory Domains and Trusts, 6

Active Directory Sites and Services, 6

Active Directory Users and Computers, 5

Delegation of Control Wizard, 5

tasks, 5

View Advanced Features function, 5

ADAC (Active Directory Administrative Center), 3

Powershell and, 3

search functionality, 3–4

constrained delegation, 108

container(s), 158. See also Docker

host, 159

Hyper-V isolation, 160

image dependency, 159

images, 158–159

creating, 171–172

managing, 166

updating, 165–166

Windows Server, 163–164

instance, 159, 167–168

modifying, 168

networking, 168–169

Layer 2 Bridge mode, 171

NAT, 169–170

transparent mode, 170

process isolation, 160

registries, 159, 163

sandbox, 159

Windows, service accounts, 164–165

continuous delivery, IaaS VMs and, 176

copying, VMs, 153

core scheduler, Hyper-V, 135–136

CPU groups, 135

creating

Azure File Sync endpoints, 236

cloud endpoints, 235

connection request policies, 224

container images

from a container, 171

using Dockerfiles, 171–172

container instance, 167–168

GPOs, 86–87

network policies, 225–227

shared folders, 240

site links, 39–40

sites, 37–38

sync groups, 234–235

CSVs (Cluster Shared Volumes), 143

D

DANE (DNS-based Authentication of Named Entities), 198

data disks, 174

DDA (Discrete Device Assignment), 133–134

decommissioning RODCs, 26–27

deduplication, 152, 260–261

defragmentation, Active Directory database, 20–21

delegation, 108

Delegation of Control Wizard, Active Directory Users and Computers, 5

deployment

Azure Arc, 115–116

domain controller, 6–7

global catalog servers, 9–10

Server Core, 8–9

virtualized, 9

IPAM, 200

Windows updates, 118–119

detached clusters, 143–144

DFS (Distributed File System), 248

namespace, 249–250

replication, 234–239, 250

groups, 250–251

replicated folders and targets, 250

schedules, 251

DHCP (Dynamic Host Configuration Protocol)

failover, 209

filtering, 208–209

name protection, 207

policies, 208

relay, 207–208

scopes, 204–206

multicast, 206

split, 207

super, 206

server options, 205–206

server role, deploying, 203–204

differencing disks, 149

DirectAccess, 216

NLS (Network Location Server), 218–219

server, 217–218

topologies, 216–217

Directory Services Restore Mode, authoritative restore, 14–15

disks. See also storage

basic, 252

dynamic, 252

partitions, 252

thin-provisioned, 254–255

DNS (Domain Name System), 186, 188, 192. See also IPAM

cache locking, 197

conditional forwarders, 193

DANE (DNS-based Authentication of Named Entities), 198

forwarders, 192–193

netmask ordering, 197

policies, 199

records

alias (CNAME), 191

host, 190

MX (mail exchanger), 191

pointer, 191

resource, 190, 194–195

unknown, 191

recursion, 197

response rate limiting, 198

scavenging, 192

socket pool, 196

spoofing, 196

Windows Server, event logs, 196

zone(s)

Active Directory-integrated, 186–187

aging, 191–192

delegation, 190

GlobalNames, 189–190

reverse lookup, 188–189

secondary, 188

stub, 193

DNSSEC (Domain Name System Security Extensions), 194–195

DNSServerCache cmdlet, 197

Docker, 160

commands, 160

daemon.json file, 161–163

installing, 160–161

docker load command, 166

docker rmi command, 166

docker run command, 167, 169

docker save command, 166

docker tag command, 166

Dockerfiles, 171–172

domain controllers, 1–2

deploying, 6–7

domain names and, 6–7

FMSO roles, 26–27

domain naming master, 27

infrastructure master, 28

PDC emulator, 28

RID master, 28

schema master, 27

seizing, 29

global catalog servers, 9–10

installing, from media, 8

KCC (Knowledge Consistency Checker), 42

moving, 40

physical security, 24

read-only, 24

decommissioning, 26–27

local administrators, 26

password replication, 24–25

replication, 43–44

Server Core deployment, 8–9

USNs (update sequence numbers), 43

virtual, 9, 16, 23

domain local groups, 48

domain(s), 16–17

computer accounts and, 47

forests, 17–18, 19–20

functional levels, 19

joining, 70

trees, 17, 18

trust(s), 30

direction, 30–31

external, 32

forest, 31–32

name suffix routing, 35

netdom.exe and, 34

realm, 33

shortcut, 32

SID filtering, 34–35

transitivity, 29

DSC (Desired State Configuration), 124

dynamic

disks, 252

memory, 131, 132

quorum, 142

Dynamic Virtual Machine Queue, 156

E

editing, GPOs, 87

Enable-PSRemoting cmdlet, 106–107, 129

encryption

IaaS VMs, 175

NPS and, 224–225

endpoints

Azure File Sync, creating, 236

cloud, 235

JEA, 109, 112–113

Enhanced Session Mode, 130

Enter-PSSession cmdlet, 107, 129, 130

ESAE (Enhanced Security Administrative Environment), forests, 20

event logs, DNS, 196

exporting, VMs, 153

extensions

Azure VM, 117–118

Extended Network, 220

WAC (Windows Admin Center), 104

external switches, 157

external trusts, 32

F

failover

clustering, 140

Active Directory detached clusters, 143–144

cluster networking, 142–143

cluster node weight, 142

cluster quorum, 141

Cluster Shared Volumes, 143

dynamic quorum, 142

Force Quorum Resiliency, 143

guest clusters, 145–147

host cluster storage, 140

preferred owner and failover settings, 144

VM drain on shutdown, 144–145

VM Network Health Detection, 144

DHCP, 209

replica, 139–140

fan-out administration, 107

FAT/FAT32, 265

file classification, 245–246

file screen(s), 241

file groups and, 241–242

templates, 243

filesystems

FAT/FAT32, 265

NTFS, 263–264

ReFS, 264–265

fine-grained password policies, 76–77

FMSO roles, 26–27

domain naming master, 27

infrastructure master, 28

PDC emulator, 28

RID master, 28

seizing, 29

forests, 16, 19–20

authentication and, 18

ESAE (Enhanced Security Administrative Environment), 20

multi-domain, 17–18

trusts and, 31–32

forwarders, 192–193

FSRM (File Server Resource Manager)

access-denied assistance, 247

file classification, 245–246

file management tasks, 246

quotas, 243–244

storage reports, 244–245

G

gateway server, 103

Generation 2 VMs, 128–129

Get-ADTrust cmdlet, 34

Get-Command-Module <modulename> cmdlet, 106

get-credential command, 107

Get-NetAdapter cmdlet, 131

Get-PSSessionConfigurationFile cmdlet, 113

Get-SRPartnership cmdlet, 260

Get-StoragePool cmdlet, 254

global catalog servers, 9–10

global groups, 48

GlobalNames zones, 189–190

GMSAs (group managed service accounts), 48, 49–50, 164–165

GPMC (Group Policy Management Console), 83–85

Group Policy, 83, 95, 247. See also AGPM (Advanced Group Policy Management)

Administrative template, 92–93

caching, 91

DNSSEC and, 195

forced update, 91–92

GPOs

backing up, 84–85

creating, 86–87

editing, 87

import and copy, 85

linking, 87

managing, 83–85, 86

troubleshooting, 85–86

loopback processing, 90–91

Modeling Wizard, 87

policy enforcement and blocking, 88–89

preferences, 93–94

Results, 88

security filtering, 89–90

WMI filters, 88, 90

groups, 47

domain local, 48

global, 48

universal, 47

guest clusters, 145

shared virtual hard disk, 146

storage, 145–146

VHD Sets, 147

H

high availability

DHCP, 209

Hyper-V failover clusters, 140

Active Directory detached clusters, 143–144

cluster networking, 142–143

cluster node weight, 142

cluster quorum, 141

Cluster Shared Volumes, 143

dynamic quorum, 142

Force Quorum Resiliency, 143

host cluster storage, 140

preferred owner and failover settings, 144

VM drain on shutdown, 144–145

VM Network Health Detection, 144

Hyper-V guest clusters, 145

shared virtual hard disk, 146

storage, 145–146

VHD Sets, 147

Hyper-V live migration, 147–148

Hyper-V Replica, 137–138

Broker, 139–140

configuring replica servers, 138

configuring VM replicas, 138–139

replica failover, 139–140

host records, 190

HVC.exe, VM management, 130

hybrid workloads, Azure Automation and, 123–124

Hyper-V, 127, 128

checkpoints, 136–137

CPU groups, 135

Enhanced Session Mode, 130

failover clusters, 140

Active Directory detached clusters, 143–144

cluster networking, 142–143

cluster node weight, 142

cluster quorum, 141

Cluster Shared Volumes, 143

dynamic quorum, 142

Force Quorum Resiliency, 143

host cluster storage, 140

preferred owner and failover settings, 144

VM drain on shutdown, 144–145

VM Network Health Detection, 144

guest clusters, 145

shared virtual hard disk, 146

storage, 145–146

VHD Sets, 147

integration services, 133

isolation, 160

live migration, 147–148

nested virtualization, 130–131

dynamic memory, 131

networking, 131

network adapter

network isolation, 155

NIC teaming, 156

VM MAC address and, 154–155

optimizing network performance, 155

bandwidth management, 155

Dynamic Virtual Machine Queue, 156

SR-IOV, 155–156

Replica, 137–138

Broker, 139–140

configuring replica servers, 138

configuring VM replicas, 138–139

failover, 139–140

scheduling types, 135–136

smart paging, 132–133

storage optimization

deduplication, 152

storage migration, 152–153

storage tiering, 152

virtual hard disks

differencing disks, 149

dynamically expanding disks, 149

fixed-size disks, 149

formats, 148

modifying, 150

pass-through disks, 150–151

Storage QoS, 151

Virtual Fibre Channel adapters, 151

virtual switches, 156

external, 157

internal, 157

private, 157

I

IaaS VMs, 173

configuring continuous delivery, 176

connecting

with Azure AD account, 176–177

JIT access, 178

with Remote PowerShell, 177–178

using Azure Bastion, 178

using Azure Serial Console, 179

using Windows Admin Center, 178

data disks, 174

encryption, 175

images, 174

IP addressing, 180–181

managing, 122–123

NSGs and, 181

RBAC roles, 173–174

resizing, 175–176

shared disks, 174

snapshots, 175

virtual networks, 179–180, 181

identities, hybrid, 54

IKEv2, 214–215

importing, VMs, 153

inactive accounts, 82

infrastructure master, 28

Install-ADDSForest cmdlet, 9

Install-ADServiceAccount cmdlet, 49

installing

Azure AD Connect, 58–63

Azure Monitor, 121

BranchCache, 247

Docker, 160–161

domain controllers, 8

WAC (Windows Admin Center), 103–104

integration services, 133

internal switches, 157

intra-forest authentication, 18

Invoke-Command cmdlet, 108

IP addressing

IaaS VMs and, 180–181

reservations, 208

troubleshooting, 204

IPAM, 200

administration, 201–202

deployment, 200

IP address

space management, 202

tracking, 202–203

server discovery, 201

IPsec, 215

J

JEA (Just Enough Administration), 109

endpoints, 112–113

role-capability files, 110–111

session-configuration files, 111–112

JIT (Just-in-Time) VM access, 178

joining

domains, 70

Windows Server to an Active Directory instance, 52–53

jump servers, 101

K

KCC (Knowledge Consistency Checker), 42

Kerberos

delegation, 50, 108

policies, 51–52

SPNs (service principal names), 52

L

L2TP, 215

LAN routing, 215

Layer 2 Bridge networks, 171

linking GPOs, 87

Linux

integration services, 133

VMs (virtual machines), HVC.exe and, 130

live migration, 147–148

local administrators, RODC, 26

Local Service (NT AUTHORITYLocalService) account, 48

Local System (NT AUTHORITYSYSTEM) account, 48

lockout policies, 79, 81

Log Analytics, integrating with Windows Servers, 120–121

M

MAC address, VM, 153–154

managing. See also administration tools

AD DS passwords, 74–75

Azure AD, 2–3

using Active Directory Domains and Trusts, 6

using AD sites and Services, 6

using AD Users and Computers, 5

using ADAC (Active Directory Administrative Center), 3–4

container images, 166

GMSAs (group managed service accounts), 49

IaaS VMs, 122–123

VMs

using HVC.exe, 130

using PowerShell Direct, 130

using PowerShell remoting, 129

Windows Server instances, 113–116

Windows updates, 119

memory

dynamic, 132

nested virtualization and, 131

smart paging and, 132–133

Startup, 132–133

Microsoft Defender for Cloud, integrating with Windows Servers, 121–122

Microsoft Exchange Server, 2

modifying

containers, 168

virtual hard disks, 150

modules, PowerShell, 106

monitoring

Azure File Sync, 234–238

replication, 44

Move-ADDirectoryServer cmdlet, 40

moving, domain controllers, 40

multi-domain forests, 17–18

multi-master replication, 42

MX (mail exchanger) records, 191

N

name suffix routing, 35

NAT (network address translation), 169–170, 216

nested resiliency, 256

nested virtualization, 130–131

dynamic memory, 131

networking, 131

netdom trust command, 34

netdom.exe, 34

network adapters, Hyper-V

network isolation, 155

NIC teaming, 156

VM MAC address and, 153–154

Network Service (NT AUTHORITYNetworkService) account, 49

networking, containers, 168–169

Layer 2 Bridge mode, 171

NAT, 169–170

transparent mode, 170

New-ADDCCloneConfig cmdlet, 16

New-ADReplicationSiteLink cmdlet, 40

New-ADReplicationSubnet cmdlet, 38

New-AzADServicePrincipal cmdlet, 115–116

New-NetNAT cmdlet, 131

New-StorageQosPolicy cmdlet, 262

New-VMSwitch cmdlet, 131

NIC teaming, 156

NLS (Network Location Server), 218–219

non-authoritative restore, 15

non-Azure machines, deploying Azure services on, 117–118

nonexpiring passwords, 80–81

NPS (Network Policy Server), 211, 220, 221. See also RADIUS servers

authentication, 223

connection request forwarding, 222

connection request policies, 220

default, 223–224

Realm and RADIUS attributes, 223

encryption, 224–225

IP filters, 224

IP settings, 225

network policies, creating, 225–227

policy conditions, 221–222

templates, 227

NSGs (network security groups), IaaS VMs and, 181

ntdsutil.exe, 21

metadata cleanup, 21

snapshots, 22

NTFS, 263–264

O-P

one-to-many remoting, 107

one-way trust, 6

partitions, 41, 252

pass-through

authentication, 74

disks, 150–151

password(s)

DSRM (Directory Services Restore Mode), 7–8

lockout settings, 79

managing, 74–75

nonexpiring, 80–81

policies, 75, 76, 78–79

protection, 82

replication, 24–25

settings permissions, 76

synchronization, 73–74

PAWs (Privileged Access Workstations), 100–101

PDC emulator, 28

permissions, 201–202

NTFS, 263–264

password, 76

Windows update deployment, 119

physical security, domain controllers and, 24

pointer records, 191

policy(ies). See also Group Policy

BranchCache, 247–248

conditions, 221–222

connection request, 220

creating, 224

default, 223–224

Realm and RADIUS attributes, 223

DHCP, 208

DNS, 199

Kerberos, 51–52

lockout, 79, 81

network, creating, 225–227

password, 75, 76, 78–79

PowerShell

cmdlets, 3

Add-Clusternode, 257

Add-Computer, 52

Add-DhcpServer4Filter, 209

Add-DHCPServer4Scope, 205

Add-DHCPServer6Scope, 205

Add-DhcpServerv4SuperScope, 206

Add-DNSPrimaryZone, 189

Add-DnsServerConditionalForwarderZone, 193

Add-DNSServerDirectoryPartition, 187

Add-DnsServerPrimaryZone, 187

Add-DNSServerQueryResolutionPolicy, 199

Add-DNSServerSecondaryZone, 188

Add-DnsServerStubZone, 193

Add-DnsServerZoneDelegation, 190

ADDomainMode, 19

Add-VMAssignableDevice, 134

checkpoint-related, 136–137

DNSServerCache, 197

Enable-PSRemoting, 106–107, 129

Enter-PSSession, 107, 129, 130

Get-ADTrust, 34

Get-Command-Module <modulename>, 106

Get-NetAdapter, 131

Get-PSSessionConfigurationFile, 113

Get-SRPartnership, 260

Get-StoragePool, 254

getting help with, 106

GPO management, 84

Install-ADDSForest, 9

Install-ADServiceAccount, 49

Invoke-Command, 108

Move-ADDirectoryServer, 40

New-ADDCCloneConfig, 16

New-ADReplicationSiteLink, 40

New-ADReplicationSubnet, 38

New-AzADServicePrincipal, 115–116

New-NetNAT, 131

New-StorageQosPolicy, 262

New-VMSwitch, 131

Register-PSSessionConfiguration, 113

Set-ADComputer, 50

Set-ADForestMode, 20

Set-ADObject, 9

Set-DhcpServerv4DnsSetting, 207

Set-PhysicalDisk, 254

Set-SRPartnership, 260

Test-SRTopology, 259

Uninstall-ADDSDomainController, 21

Direct, VM management, 130

Gallery, 106

GMSA management, 49

JEA (Just Enough Administration), 109

endpoints, 112–113

role-capability files, 110–111

session-configuration files, 111–112

modules, 106

remoting, 106–108

IaaS VMs and, 177–178

VM management, 129

WAC (Windows Admin Center) and, 104–105

PPTP (Point-to-Point Tunneling Protocol), 215

private switches, 157

Process Automation, 123

process isolation, 160

protocols, VPN, 214

IKEv2, 214–215

L2TP/IPsec, 215

PPTP, 215

SSTP, 215

PSOs (Password Settings Object), 77–78

Q-R

quotas, FSRM (File Server Resource Manager), 243–244

RADIUS servers, 211

accounting, 212–213

clients, 211–212

proxies, 211

RBAC (remote-based access control), 109, 173–174

realm trusts, 33

ReFS (Resilient File System), 264–265

Register-PSSessionConfiguration cmdlet, 113

registration, Azure File Sync server, 235–236

Remote Access role service, 210

Remote Desktop, 2, 101–102, 130

RemoteFX, 134

repadmin tool, 44

replication

AD DS, 41

KCC (Knowledge Consistency Checker), 42

multi-master, 42

conflict resolution, 43

DFS, 250

groups, 250–251

replicated folders and targets, 250

schedules, 251

managing and monitoring, 44

RODC, 43–44

triggering, 44

reservations, 208

resiliency

nested, 256

storage space, 253

Storage Spaces Direct, 256–257

resizing, IaaS VMs, 175–176

resource

groups, 134–135

records, 190, 194–195

restoring. See backup and restore

Resultant Set of Policy tool, 92

RID (Relative ID) master, 28

RODCs (read-only domain controllers), 24, 187

decommissioning, 26–27

local administrators, 26

password replication, 24–25

replication, 43–44

role-capability files, 110–111

RSO (replicate-single-object) operation, 43–44

runbooks, 123

S

sandbox, 159

scavenging, 192

scheduling, Hyper-V, 135–136

schema master, 27

search functionality, ADAC (Active Directory Administrative Center), 3–4

secondary zones, 188

second-hop remoting, 108

security

DNS (Domain Name System), 196

cache locking, 197

DANE (DNS-based Authentication of Named Entities), 198

netmask ordering, 197

policies, 199

recursion, 197

response rate limiting, 198

socket pool, 196

DNSSEC (Domain Name System Security Extensions), 194–195

Group Policy and, 89–90

physical, domain controllers, 24

seizing FMSO roles, 29

Server Core deployment, 8–9

service accounts, 48, 164–165

session-configuration files, 111–112

Set-ADComputer cmdlet, 50

Set-ADForestMode cmdlet, 20

Set-ADObject cmdlet, 9

Set-DhcpServerv4DnsSetting cmdlet, 207

Set-PhysicalDisk cmdlet, 254

SetSPN utility, 52

Set-SRPartnership cmdlet, 260

shared disks, 174

shared folders, 239–241. See also BranchCache

shortcut trusts, 32

SID filtering, 34–35

site(s), 35–37, 39–40

creating, 37–38

link bridges, 40

subnets, creating, 38

site-to-site VPN, 228

smart paging, 132–133

SMB Direct, 261–262

SMTP (Simple Mail Transfer Protocol), reverse lookup zones and, 189

snapshots, 22, 175

SPNs (service principal names), 52

spoofing, 196

SR-IOV (Single-Root I/O Virtualization), 155–156

SSTP (Secure Socket Tunneling Protocol), 214–215

State Configuration, 124

storage

disks

basic, 252

dynamic, 252

partitions, 252

thin-provisioned, 254–255

guest cluster, 145–146

Hyper-V

deduplication, 152

tiering, 152

migration, 152–153

pools, 253

reports, 244–245

space, 253

resiliency, 253

tiering, 254

trim, 255

Storage QoS, 151, 262–263

Storage Replica, 257–258

requirements, 259–260

supported configurations, 258–259

Storage Spaces Direct, 255

cluster nodes, 257

deployment options, 256

nested resiliency, 256

properties, 255–256

resiliency types, 256–257

store and forward replication, 42

stub zones, 193

subnets, 38

synchronization, password, 73–74

T

tasks, Active Directory Users and Computers, 5

templates

Administrative, 92–93

ARM (Azure Resource Manager), 53

file screen, 243

NPS, 227

quota, 244

Test-SRTopology cmdlet, 259

thin provisioning, 254–255

tombstone lifetime, 10–12

tombstone reanimation, 15

tools. See also PowerShell

Azure AD Connect, 54–55

deployment account requirements, 57–58

Health, 72

installing, 58–63

requirements, 56–57

SQL Server requirements, 57

synchronization, 65–67

Cloud Shell, 122

repadmin, 44

Resultant Set of Policy, 92

SetSPN, 52

Validate-DCB, 143

Windows Server administration, 100

jump servers, 101

PAWs (Privileged Access Workstations), 100–101

remote access and, 100

Remote Desktop, 101–102

WAC (Windows Admin Center), 102–105

topologies, DirectAccess, 216–217

transitivity, trust, 30

transparent networks, 170

triggering, replication, 44

trim, 255

troubleshooting

GPOs, 85–86

IP address issues, 204

Trust Anchor, 195

trust(s), 6, 29, 30

direction, 30–31

external, 32

forest, 31–32

name suffix routing, 35

netdom.exe and, 34

realm, 33

shortcut, 32

SID filtering, 34–35

transitivity, 30

two-way trust, 6

U

UGMC (universal group membership caching), 10

Uninstall-ADDSDomainController cmdlet, 21

universal groups, 47

unknown records, 191

updates, Windows, 118

compliance, 119

deploying, 118–119

managing permissions, 119

UPN (user principal name) suffixes, 63–65

user accounts, 45–46. See also password(s)

inactive, 82

locked-out, 81

lockout settings, 79

nonexpiring passwords, 80–81

UPN (user principal name) suffixes, 63–65

USNs (update sequence numbers), 43

V

Validate-DCB tool, 143

VHD Sets, 147

virtual accounts, 50

virtual domain controllers, 9, 16, 23

virtual hard disks

differencing disks, 149

dynamically expanding disks, 149

fixed-size disks, 149

formats, 148

modifying, 150

pass-through disks, 150–151

Virtual Fibre Channel adapters, 151

virtual switches, 156

external, 157

internal, 157

private, 157

virtualization

Hyper-V, 127. See also Hyper-V

nested, 130–131

dynamic memory, 131

networking, 131

VLAN tagging, 155

VMs (virtual machines). See also Hyper-V

checkpoints, 136–137

configuring replicas, 138–139

CPU groups, 135

DDA (Discrete Device Assignment), 133–134

dynamic memory, 132

Enhanced Session Mode, 130

exporting, 153

extensions, 117–118

Generation 2, 128–129

high availability, Hyper-V Replica, 137–140

IaaS, 173

configuring continuous delivery, 176

connections to, 176–179

data disks, 174

encryption, 175

images, 174

IP addressing, 180–181

managing, 122–123

NSGs and, 181

RBAC roles, 173–174

resizing, 175–176

shared disks, 174

snapshots, 175

virtual networks, 179–180, 181

importing, 153

integration services, 133

live migration, 147–148

MAC address, 153–154

managing

using HVC.exe, 130

using PowerShell Direct, 130

using PowerShell remoting, 129

nested virtualization, 130–131

dynamic memory, 131

networking, 131

optimizing network performance, 155

bandwidth management, 155

Dynamic Virtual Machine Queue, 156

SR-IOV, 155–156

resource groups, 134–135

smart paging, 132–133

VPN

authentication, 213–214

Docker, 1

IaaS virtual networks and, 181

protocols, 214

IKEv2, 214–215

L2TP/IPsec, 215

PPTP, 215

SSTP, 215

server configuration, 213

site-to-site, 228

W

WAC (Windows Admin Center), 102–103

configuring a target machine, 105

extensions, 104

installing, 103–104

managing Azure hybrid services, 105

showing PowerShell source code, 104–105

Web Application Proxy, 227

Windows Admin Center, 2, 3, 178

Windows Server, 124

administration tools, 100

jump servers, 101

PAWs (Privileged Access Workstations), 100–101

remote access and, 100

Remote Desktop, 101–102

WAC (Windows Admin Center), 102–105

Azure VM extensions, 117–118

Backup, 10

checkpoints, 136

container(s)

images, 163–164

service accounts, 164–165

DHCP (Dynamic Host Configuration Protocol) server role, deploying, 203–204

DNS, 196

cache locking, 197

DANE (DNS-based Authentication of Named Entities), 198

event logs, 196

netmask ordering, 197

policies, 199

recursion, 197

response rate limiting, 198

socket pool, 196

IaaS VMs, managing, 122–123

integration

with Azure DNS private zones, 193–194

with Log Analytics, 120–121

with Microsoft Defender for Cloud, 121–122

joining to an Active Directory instance, 52–53

LAN routing, 215

managing, 113–116

NPS, 220, 221

authentication, 223

connection request forwarding, 222

connection request policies, 220, 223–224

encryption, 224–225

IP settings, 225

network policies, creating, 225–227

policy conditions, 221–222

templates, 227

RemoteFX, 134

shared folders, 239–241

updates, 118

compliance, 119

deploying, 118–119

managing permissions, 119

X-Y-Z

zone(s)

Active Directory-integrated, 186–187

aging, 191–192

delegation, 190

GlobalNames, 189–190

reverse lookup, 188–189

secondary zones, 188

Trust Anchor, 195