About this course
This course is designed for system administrators who want to understand Active Directory Domain Services from every angle: architecture planning, installation, administration, and migration, through to troubleshooting and long-term maintenance.
The content covers Deployment, Day-2 Operations, Hybrid Identity with Entra ID, Replication, SYSVOL, DNS, Security Hardening, Performance Monitoring, and Operations Excellence. It is not a Microsoft Certification course; it is designed to cover what an AD DS Administrator needs to know for real-world work.
Course content
Module 1: AD DS Architecture and Core Concepts
- Active Directory components: forests, domains, trees, and OUs
- Schema, naming contexts, and partition design
- FSMO roles deep dive: Schema Master, Domain Naming, RID, PDC, Infrastructure Master
- Global Catalog purpose and placement strategy
- Trust relationships: parent-child, tree-root, external, forest, shortcut
Module 2: AD DS Deployment
- Planning AD DS forest and domain design
- Installing AD DS roles using Server Manager and PowerShell
- Promoting domain controllers (DC) — first DC, additional DCs, RODC
- Deploying DCs in Azure (IaaS) and on-premises
- Demoting and removing domain controllers safely
- Implementing fine-grained password policies (FGPP)
Module 3: Managing Users, Groups, and Computers
- User, group, and computer account lifecycle management
- Organizational Units (OU) design and delegation
- Group strategy: AGDLP / AGUDLP best practices
- Service accounts: gMSA, sMSA, and traditional service accounts
- Bulk operations with PowerShell and CSV imports
- Account audit, lockout, and stale account cleanup
Module 4: Group Policy Mastery
- GPO architecture, processing order, and inheritance
- Security filtering, WMI filtering, and item-level targeting
- Group Policy Preferences and administrative templates (ADMX)
- Loopback processing, slow link detection, and async/sync processing
- GPO backup, restore, migration, and version control
- Troubleshooting GPO with gpresult, RSoP, and event logs
Module 5: DNS for AD DS
- DNS roles in AD DS: integrated zones, SRV records, and dynamic updates
- Forwarders, conditional forwarders, and stub zones
- DNS scavenging, aging, and record cleanup
- Split-brain DNS and namespace planning
- Troubleshooting DNS issues affecting AD DS replication and logon
- Integration with Azure DNS and Azure Private DNS
Module 6: AD Replication Deep Dive
- Multi-master replication model and update sequence numbers (USN)
- Sites, subnets, site links, and bridgehead servers
- Knowledge Consistency Checker (KCC) and intersite topology generator
- Replication schedules, compression, and notification
- Replication conflict resolution and tombstone lifetime
- Troubleshooting with repadmin, dcdiag, and replication event logs
Module 7: SYSVOL Replication
- FRS vs DFSR — understanding the migration history
- DFSR architecture and replication mechanics
- Verifying SYSVOL state and replication health
- Migrating from FRS to DFSR (legacy environments)
- Recovering from SYSVOL replication failures and journal wrap
- Authoritative and non-authoritative SYSVOL restore
Module 8: AD DS Upgrade and Migration
- Planning a domain controller upgrade path
- Raising domain and forest functional levels
- Adprep operations: forestprep, domainprep, gpprep
- In-place vs side-by-side DC upgrade strategies
- Cross-forest migration with ADMT — users, groups, computers, SID history
- Cross-domain object migration and trust planning
Module 9: Hybrid Identity with Entra ID
- Entra ID Connect Sync and Cloud Sync — when to use which
- Synchronization rules, filtering, and attribute mapping
- Password Hash Sync, Pass-through Authentication, and Federation
- Seamless SSO and Entra ID Connect Health monitoring
- Entra Domain Services for legacy app modernization
- Hybrid join — registered, joined, and Entra-only devices
Module 10: AD DS Security Hardening
- Tiered administration model (Tier 0 / 1 / 2)
- Protected Users group, Authentication Policies, and Silos
- LAPS for local administrator password rotation
- Kerberos hardening: AES, delegation controls, KRBTGT key rotation
- LDAP signing, channel binding, and SMB hardening
- Mitigating common attacks: Kerberoasting, Pass-the-Hash, DCSync, Golden Ticket
Module 11: Monitoring AD DS Health and Performance
- Key performance counters for DC health
- Using dcdiag, repadmin /showrepl, and Best Practices Analyzer
- AD DS event logs and security audit policies
- Capacity planning: CPU, RAM, NTDS.dit growth, and disk IO
- Integrating AD DS with Azure Monitor and Log Analytics
- Alerting on replication failures, FSMO availability, and authentication issues
Module 12: Backup, Recovery, and Disaster Scenarios
- System State backup and bare-metal restore strategies
- Authoritative and non-authoritative restore
- AD Recycle Bin and tombstone reanimation
- FSMO seizure and recovery from failed DCs
- Forest recovery procedure — Microsoft's recommended steps
- Snapshot-based AD recovery and offline defragmentation
Module 13: Troubleshooting Common AD DS Issues
- Logon failures, slow authentication, and Kerberos errors
- Replication failures: USN rollback, lingering objects, journal wrap
- DNS-related AD failures and SRV record issues
- Time synchronization (W32Time) and Kerberos skew
- Group Policy not applying — order, filtering, and version conflicts
- Diagnostic tools: dcdiag, repadmin, nltest, klist, ntdsutil
Module 14: Operations Excellence
- Change management for AD DS — documenting and reviewing changes
- Patching and rebooting DCs without disruption
- AD DS configuration baselines and drift detection
- Runbooks for common operations and incident response
- Disaster recovery drills and tabletop exercises
- Documentation standards: topology diagrams, FSMO map, OU structure