Section 6 and further

Question 1

Connecting on prem to Azure ADD

Answer 1

Domain name must be available, DNS must be accessible online.

Question 2

Seamless SSO

Answer 2

Users logging in on prem also get logged on through the cloud

Question 3

Create new DNS database

Add this to your domains

See where this is located via a user

Answer 3

DNS > Forward Lookup Zones > zone = abccorp.com > finish

Tools > AD Domains and Trusts > Right click AD Domains and trust > properties > add abccorp.com > ok

AD Users and Computers > right click your user > properties > account > drop down box with logon name suffix > you’ll see domain

Question 4

Sync your domain with Microsoft 365 admin center

Answer 4

admin.microsoft.com > show all > settings > domains > Domain name = abccorp.com > Create a text record with one of the values

From local server
DNS > right click abccorp.com > other new records > TXT > create > Don’t worry about record name, add MS=ms3298638 in text and that’s it.

This needs to be internet facing
TXT record - generic record
MX record - mail exchange record
GoDaddy - put in creds and it will just fill everything out for you.

Question 5

Make your domain the primary domain on microsoft365

Answer 5

portal.microsoft.com
or
admin.microsoft.com?

Show all > settings > domains > Click domain > set as default

Now if got to Users > active users > add users > it will be primary domain

Question 6

If users added ahead of time, before domain was connected, etc

Do via powershell and via microsoft365

Answer 6

admin.microsoft.com

Users > Active Users > click user > manage username > drop down domain for upn > if user has office365 liscence their email with exchange online will get updated

Licenses and Apps > give the user whatever stuff you want like office 365 E5

connect-msolserver <- connect to microsoft365

set-msoluserprincipalname -userprincipalname bobjones@examlaprcactice0920.onmicrosoft.com -newuserprincipalname bobjones@examlabpractice.com

get-msoluser

You’ll need to refresh on Microsoft365

Question 7

Look up what records you need to link up with microsoft365

Answer 7

Lookup external domain name system records for office 365

DNS > right click examlabpractice.com >

Question 8

What are the two options for authentication with the hybrid identity model?

Answer 8

Managed Authentication - Azure AD will handle the authentication process by using a locally-stored hashed version for the password or sends the creds to an on-premise software agent to be authenticated by on-premise AD DS
(Azure gets copy of encrypted creds, so it has what it needs)

Federated Authentication - Azure AD redirects the client computer requesting authentication to another identity provider.
(Federated server can go to an ADFS AD federated server on premist that handles it or it could be authenticated by someone else)

Question 9

What are the two types of managed authentication?

Answer 9

Password hash Synchronization (PHS)
- Azure does Authentication itself
(recommended) Even if contact with lost connection to domain, you can still log in

Pass-Through Authentication (PTA)
- Azure AD has AD DS perform authentication and they don’t know the passwords.
If we lose our domain people authenticating via cloud won’t be able to login

Question 10

What is PHS

Answer 10

Password Hash Synchronization

You sync your ADDS user accounts with Microsoft 365 and manager your users on-premise. Hashes of user passwords are synced from your AD DS to Azure AD so that the users have the same password on-premise and in the cloud. This is the simplest way to enable authentication for AD DS identities in Azure AD.

Question 11

What is PTA

Answer 11

Pass-through authentication

This provides a simple password validation for Azure AD authentication services using a softward agent running on one or more on-premises servers to validate users. You sync ADDS user accounts with Microsoft 365 and manage users on premise
Agent is installed on computer that communicates with AzureAD and authenticates.

Question 12

What is federated authentication

Answer 12

Large Organization

3rd party authentication.

AD DS identities are synced with Microsoft 364 and user accounts are managed on-premises.

Same password on-premises and in cloud, they don’t have to sign in again to user Microsoft 365

Supports smartcard-based authentication or 3rd party multi factor authentication and is typically required when organizations have authentication requirement not natively supported by Azure AD.

If Azure can’t connect with your federated server then everyone outside can’t logon.

Question 13

What to do before syncing to the cloud

Answer 13

IDFix - for Cleanup

Azure AD Connect Helath - Health of the environment

Look back 100 days of errors

Remove object that are un-needed
service accounts, groups, etc

Sync failover and disaster recovery

Question 14

If the Azure AD Connect Sync Server goes offline what happens and what is a solution?

Answer 14

There can only be one sync server

Changes to on-premises cannot be updated in the cloud and can result in access issues for users.

Deploy Azure AD Connect Server in staging mode. - Allows admins to promote the staging server to production by a simple config switch. It sits passive until other server goes down.
OR
Use Virtualization - if Azure AD connect is deployed in a VM, admins can leverage their virtualization stack to live migrate or quickly redeploy the VM and resume sync

Question 15

Where can you enable staging mode?

Answer 15

At the end of the Microsoft Azure Active Directory Connect menu, on Configure, click the box.

Question 16

What is a Source Anchor

VIDEO 55

Answer 16

Attribute that on-premises and Azure AD have, it’s also called immutableID.

Links objects in Azure AD with objects on-premises. For instance, my account on premises is actually different than the account on Azure, technically. This makes them linked/look the same.

Using ms-DS-consistencyguid as source anchor allows easier migration of object across forest and domains, which is common in AD Domain consolidation/cleanup, mergers, acquisitions, and divestitures

Question 17

What is Seamless SSO?

Answer 17

Eliminates unnecessary prompts when users are signed in.

Question 18

Create a group for who get synced first

Answer 18

Server Manager > ADUC > RIght click IT OU > New group > Cloud Admins > add someone to it > add administrator and whoever else.

Question 19

Describe how the Password Hash Sync works

Answer 19

Server running AD > Azure AD Connect installed on server maybe this is a different server > AD Connect creates password hashes and send to AzureAD and can communicate with it > Users can authenticate with Azure AD and he can access Micrsoft365.

Microsoft will monitor passwords to see if they’re on the dark web

Question 20

How does pass-through Authentication work?

Answer 20

On Prem ADDS > Azure AD Connect Server > PTA agents (two of them), should be installed on two different servers, they can be on any type of server, like a file server >

Authentication Agents pull from Azure AD constantly. Nothing’s actually coming in, so no ports are open, so no DMZ or anything needed. They’re waiting for user authentication from the cloud.

Question 21

How does Federated Authentication work?

Answer 21

On premise ADDS > Azure AD connect > Need two ADFS (Active Directory Federation servers) > Tell Azure AD connect about the two servers > We don’t want the ADFS exposed online so use two Federated proxy servers port 443. FIrewall between everything and these, then between those and online.

Federation servers give users an access token to authenticate with azure AD.

User tries to authenticate with Azure AD > Azure AD tells the computer to go to federated proxy > federated proxy will talk to federation server and it will talk to ADDS which will verify creds and get back with Federation Server which creates access token > Federated proxy > User > User is then authenticated with Azure AD > AzureAD generates an access token the allows user to access their cloud products like microsoft 365

REMEMBER THAT AZURE AD CONNECT IS JUST THERE TO TRANSLATE BETWEEN AZURE AD AND YOUR DOMAIN. DIFFERENT PROTOCOLS ARE USED ON A LOCAL DOMAIN RATHER THAN AZURE AD, LIKE LDAP AND KERBEROS AREN’T USED IN AZURE AD.

Question 22

Cleanup AD DS before using Azure AD Connect

Answer 22

Azure AD won’t allow invalid characters like no spaces

Server Manager > tool > ADUC > create new user Sam Jones and make a space in the UPN.

On windows 10 > google search download idfix > grab from github > ClickOnce Launch > run > Install
From IDFIX > query (this will locate problem users > Action should be edit > Apply > rerun query to confirm

Question 23

Download Azure AD Connect

After you’re finished go to Azure Active Directory Connect Health

Answer 23

portal.azure.com

Entrai ID AD

Azure AD connect/entra id connect

Download

Agree to terms
Customize
Don’t choose any of these options
Install

You have your sign in options
choose Password Hash Sync
enable single sign-on
enter global AD creds
AD Forest account - account that create syncronization (has to be global admin)
GAMESHARKS\administrator
password

Domain and OU Filtering - information and users that you want synced.
Sync selected domains and OUs > drop down to IT like we set up earlier (you can sync the rest later)

Optional Features
Azure ad app and attribute filtering -
This syncs attributes from the cloud to on premises.
Password writeback - change password on cloud and it reflect back to on premises.
Directory extension attribute sync - attributes from inside are synced out.

Directory Extensions -
Select what you want to sync

Staging - sets everything up but doesn’t sync. Primary server you wouldn’t want staging mode, you do this on another server for redundancy.

Now on portal.azure.com
Look up Users and it will show the synced users.
Entra-id Connect, will show sync status enabled

Click Azure Active Directory Connect Health

Click for Sync errors
Click for Sync Services to see if healthy
AD DS services < - any problem with syncing with AD Services < you have to install on domain controlled to get this though

Question 24

Edit group policy object for password

Answer 24

Server Manager > Tools > Group Policy MGMT console > Group Policy Objects > Right click Default Domain Policy > edit > computer configuration > policies > Windows Settings > Security Settings > Account Policies > Password policies.

Look at options

Minimum Password length audit policies > gives warning messages

Reversable encryption - old > dos computers couldn’t store passwords that were encrypted so passwords wouldn’t be encrypted on their machines. It should be turned off ALWAYS.

ACCOUNT LOCKOUT POLICY
When accounts locked out due to attempts
duration < - how long they’re locked out
threshold <- how many times failed
Lockout counter after <- counter between each bad password before it is viewed as one duration.

Question 25

GPOs are judged on what order they are in. GPOs at the top are what is followed. Show What GPOs are followed for your domain and what precedence they have

Answer 25

Server Manager > Group Policy MGMT > Click domain > click Group Policy Objects

These GPOs are linked to objects.
For instance, if we drop down the Domain name we’ll find Default DomainPolicy is linked to it.

Question 26

Make a fine grained password policy and describe what it is

Answer 26

It is a password policy for a group rather than a domain.

Server Manager > tools ADAC > Click domain > system folder > password settings container > new > create here.

At the bottom you can add which group it applies to.

Password requirements will need to be set on premise even on hybrid environment. From what I understand you can change password requirements from the cloud but they don’t take affect for hybrid users.

Question 27

What is Group Policy for?

Answer 27

Settings, parameters, features, deploying software (old)

Help control environment

“We need to disable/enable features”

Group Policy Object contains these
Can be applied to different areas/resources based on users/computers primarily.

Question 28

What are the four different levels that a GPO can be applied to?

Answer 28

If ever a conflict, rules above local computer over rule it.

Local Computer - Not AD level

Site - object that represent location

Domain - Anyone logging on domain

OU - OUs and child OUs

Question 29

If there is a policy conflict, who wins out of the different GPO level?

Answer 29

Last policy applied is the one you get. So OU.

Site goes first
Domain second
OU third and that’s the one that sticks.

Question 30

What is block inheritance

Answer 30

When applied to a level, blocks all policies from above aside from password policies

Question 31

What is ENFORCED?

Answer 31

More powerful than block inheritance.

If you have ENFORCED turned onto DOMAIN, even if blockinheritance is on, the user will get what is dictates, even if there is a conflict at a lower level.
If Site and Domain both have ENFORCED on, and we had a wallpaper for Site called this and a wallpapaer for Domain called that, the computer would get the “this”wallpapaer”.

Question 32

Find the two default GPOs

Find where what they’re linked to in the drop down menu

Answer 32

Server Manager > tools > Group policy mgmt > Forest (expand) > Expand domain > Group Policy Objects >
Default Domain Controllers Policy
Default Domain Policy

Default Domain Controller Policy linked to Domain Controllers OU

Default Domain Policy linked to domain
You can tell by the shortcut symbol

Question 33

Create New Starter GPO to disable wallpapers and link it to another GPO

What are the Computer and User configs?

Who wins if there is a conflict?

Answer 33

Starter GPO is a template, you can get to it from the Starter GPOs you can right click that
Call it Starter Settings > Right click it > edit > User Configuration > Desktop > Click Desktop wallpaper and disable it

Server Manager > tools > Group policy mgmt > Forest (expand) > Expand domain > Right click Group Policy Objects > New > Call it Sales Desktop Settings > find your Starter Settings in Secure Starter GPO and select it.

Right click GPO > edit >
Computer Config > any computer settings
User Config > policies to a specific user

If conflict computer config wins.

Question 34

Describe some of the folders in Group Policy Management Editor

Answer 34

Folder Policies - when you want to force something like grey something at

Preferences - defaults, but people can change them.

Software Settings > take msi packages which pre-installs software

Windows Settings > security settings here

Admin Templates - policies that can be added or customized which are stored in ADMX files.
This has everything else.

Question 35

How do you apply a Group Policy?

Answer 35

Drag it over to the OU and drop it

Question 36

Enable block inheritence for an OU

If you block inheritance from the OU you won’t get domain policies you want, Let’s say you want your OU to block inheritance but not block it from Restrict Control

Answer 36

Right click IT > Block Inheritance

Right Click Restrict Control > Enforce

Remember Enforce overrides Block Inheritance

Question 37

Show who your GPO is applied to inside of the OU you put it in.

Say you wanted this policy applied to the Inside sales group rather than the sales group

Answer 37

Scope - where GPO is applied

Drop down your OU > Click your Group Policy

You’ll see the your OU is what’s linked to the GPO and Authenticated users are the group it applies to within that. So any authenticated user inside of that OU falls under these rules.

Add Inside Sales and remove authenticated users

Question 38

What is WMI Filtering

Where do you find it in the GPO and where do you make a new one?

Answer 38

Windows Management Instrumentation
This can be found by clicking on your GPO and going to the drop down at the bottom.

In Group Policy Mgmt > right click WMI Filters folder > new

Question 39

Where are GPOs stored?

What does the settings tab in the GPO do?

What does the Delegation tab do?

Answer 39

GPOs are stored inside you SYSVOL folder under domain > policies

Settings > Report of settings that are enabled in GPS

Delegation > permissions and who can control the GPO

Question 40

Show what settings a user might get in terms of GP policy

View all policies a user has from their client machine

Answer 40

Under Group Policy MGMT > Sites > Right click Group Policy Results > Group Policy Results Wizard

CMD > gpresult /h c:\test.html

Question 41

How long until GPO takes an affect

Update group policy for an OU

Update users GPO immediately

Answer 41

90 -120 mins on Computers and Server

Domain Controlers - 5 minutes

This is because min of 90 mins 30 min offset.
So each computer does 90 minutes then each computer chooses a time within 30 mins so they’re not all updating at the same time.

Right click GPO > group policy update > this only applies to computers not users.

CMD > gpupdate /force

Or a reboot or a user log off and log on

Question 42

Default Group Policy Preferences for computers, set sleep time to 10 mins

Deploy this preference if a battery is present, can you do this with policies?

Answer 42

Server Manager > Group Policy MGMT > ‘Expand domain > Gropu policy object > right click one > edit > Preferences > Power options > right click > power plan > Sleep after 10 mins

Common > item-level targeting > targeting > new item > battery present

Not really, unless you know WMI

Question 43

How Azure AD DS/ Entra ID DS handles group policy

Look at Entra ID GPOs and show more info about them

Answer 43

Resource groups > you’ll need it’s domain and server to rdp to > click server manager > manage > add roles and features > Features: Group POlicy Management > Remote Server Admin > Install

Tools > Group Policy MGMT > Click a GPO > list all
The most important part is at the bottom where it says:
Computer Configuration (Enabled)
User Configuration (Enabled)