Master Class
Active Directory
Deep Dive
Master Class
Active Directory
Deep Dive

Course overview

The Active Directory is still THE directory service that is used the most worldwide. Training in this area has been discontinued due to Microsoft’s cloud orientation, but is still essential for the operation of every company. That is why we have put together this MasterClass workshop with the best Active Directory trainers and consultants.

In this MasterClass workshop, you will learn how to implement, configure and operate Active Directory environments. The course is designed as a DeepDive, which can be recognized by the content. It incorporates the experience of over 150+ Active Directory concepts written by the trainer over his last 25 years – from SMB to enterprise level with 375,000 users. We promise: Our best know-how for you and your day-to-day work from our most experienced trainers and consultants.

Target group

This course is aimed at (prospective) system administrators, consultants and Active Directory designers. After this seminar you will be able to design, implement, support and advise Active Directory.


At least 2 years of experience with Microsoft servers and client systems

Course objective

This master class course focuses on the topic of Active Directory.

This course covers everything from getting started to the history and troubleshooting.

The environment is set up independently by each participant live during the course and runs in a highly secure data center in Helsinki on its own hardware.

Very responsive training environments paired with the best trainers and consultants available in the Schengen area: THAT is our MasterClass Active Directory

Active Directory is a high potential target for cyberattacks in your organization, which is why we help you understand, maintain and properly administer this environment with this training.


Active Directory Overview
  • Active Directory limitations
  • Windows Admin Center (WAC) with Active Directory Extension
Active Directory Administration
  • Overview of administrative limits and delegation options
  • SACL / DACL – authorizations in Active Directory and their inheritance
  • Extended rights / property sets / validated writes
  • Delegation of administrative tasks in the Active Directory
  • Implementing an ESAE structure (Enhanced Security Administrative Environment)
  • Fine grained password policies (FGPP)
  • Active Directory monitoring
Powershell for Active Directory
  • Powershell versions
  • Powershell basics (Get-Help / Get-Command / Get-Member)
  • Keyboard shortcuts for Powershell
  • Powershell variables, aliases and pipelining
  • Powershell profiles
  • Active Directory Web Services
  • Powershell scripting for Active Directory
Active Directory Security and Health Check
  • Secure Channel Check (unicodepwd / ntpwdhistory)
  • Measures against golden tickets and silver tickets
  • Disable RC4 encryption for Kerberos securely and reliably
  • Implement tiering model according to ESAE
  • “LAPS” for domain controller via own Powershell script
  • Prevent misuse of system processes
  • Correction of default privileges
  • Active Directory “Clean-up
  • Check Active Directory replication (repadmin.exe / dcdiag.exe)
  • Documentation of the actual environment
Active Directory schema extension and domainprep
  • Structure of the Active Directory schema
  • Schema objects, object classes and attributes
  • Inheritance in the Active Directory schema
  • Object Identifier (OID)
  • Rule for structure and content
  • Schema master
  • Correct manual schema extension with own attributes and classes
  • Schema extension for Active Directory 2022
  • Domainprep for Active Directory 2022
Domain Controller Locator
  • Domain controller locator types
  • Domain controller stickyness prevention
  • Nearest Domain Controller
  • DNS priority vs. DNS weighting of the SRV entries
  • Default site coverage vs. manual site coverage (hub/spoke)
  • Influencing the locator service (relieving, making unattractive and hiding domain controllers)
  • Netlogon debugging – why does my domain member end up with this domain controller?
Deployment of Active Directory Domain Controllern
  • Installing the role (GUI and Windows Powershell)
  • Promoting a domain controller under Windows Server 2022 via GUI and as server core
  • Examining the four possible transition paths
  • Transition path 1: Substitution migration (new name + same IP)
  • Transition path 2: Substituting migration (new name + new IP)
  • Transition path 3: Replacing migration (same name + same IP)
  • Transition path 4: Consolidating migration (RODCs instead of RWDCs)
Read-only Domain Controller (RODC)
  • Areas of application of an RODC
  • Password replication policy
  • Credentials caching
  • RODC filtered attribute set
  • Installation of an RODC (GUI + Windows Powershell)
  • Assigning an RODC to Tier 1
  • Domain Join over RODC (djoin.exe)
  • RODC as DC reverse proxy (protection of RWDCs)
Active Directory and the Domain Name System (DNS)
  • Overview of the interaction between ADS and DNS
  • DNS namespace, DNS server and DNS clients (resolvers)
  • Installation of the DNS role via GUI and Windows Powershell
  • Managing DNS zones
  • Replication of AD-integrated zones
  • Setting up DNS aging in conjunction with DHCP
  • Global Query Block List, Global Name Zones and Query Resolution Policies
Advanced Site Management
  • Replication architecture
  • Replication topology
  • Knowledge consistency checker (KCC)
  • nTDSDSA and invocationID
  • Urgent replication and immediate replication
  • Intra-site replication vs. inter-site replication
  • Shortening the replication latency Intra-site and inter-site
  • Introduction to the LDAP protocol
  • ADSI / Searching in ADS via TCP 389 / TCP 636
  • Search flags / system flags / SchemaFlagsEx
  • List Object Mode (LOM)
  • Domain Controller LDAP query policy
  • Active Directory Web Services Config
  • Tracking LDAP-Searches on Domain Controllers
  • Hardening LDAP Channel Binding
Replication Internals
  • Replication Meta Data
  • nTDSDSA-GUID vs. InvocationID
  • Up-to-dateness vector and high watermark
  • Replication conflicts
  • Linked Value Replication
  • SYSVOL replication
Active Directory Forest Functional Level 2016
  • Moving the operating masters incl. operating master failure
  • Optimizing the DNS server
  • Replacing the last old domain controllers
  • 2016 Domain Functional Level
  • 2016 Forest Functional Level
  • Set up and use Privilege Access Management feature
Active Directory Backup und Restore
  • Requirements for the backup – installing the role via GUI and Windows Powershell
  • Backup types for Active Directory
  • Guidelines for backing up Active Directory
  • Latency intervals when backing up Active Directory (daily vs. 89 days)
  • Planning, setting up and distributing scheduled tasks for backing up Active Directory with Windows Powershell
  • Backing up the Active Directory
  • Restoring the Active Directory (BMR)
  • Restore internals
  • Restore process if the backup is older than 60 days

Training environment

The training environment works entirely with Hyper-V. To set up the training environment proactively, we use a Powershell script with which you can create new virtual machines in seconds. The script was developed independently by your trainer and enables the training to be set up as required by the customer extremely quickly and with little effort.


Each participant is provided with a dedicated server in a data center with a total of 1 Gbit connection to the Internet. Each participant server is equipped as follows:

  • 256 GB RAM
  • at least 40 vCores
  • 2 NVME SSDs with at least 3,000 MB/s write and at least 2,000 MB/s read speed
  • 1 Gbit to the Internet total bandwidth

Your Trainer

The Advanced Master Class was developed by Andy Wendel and is conducted by himself and his experienced team.

Andy Wendel is a Senior Data Center and Cloud Architect and Certified Security Master Specialization Advanced Windows Security. He was and is trained by the internationally renowned security experts Paula Januszkiewicz and Sami Laiho. This certification is renewed every year. Andy Wendel has been working as an IT trainer and consultant since the late 1990s and is also a certified Microsoft Learning Consultant (MCLC). Microsoft has only awarded 56 Certified Learning Consultants worldwide.


Duration: 5 Tage

This post is also available in: German