
The Definitive Guide To


Active Directory Troubleshooting, Auditing, and Best Practices


2011 Edition
Don Jones

The Definitive Guide to Active Directory Troubleshooting, Auditing, and Best Practices, 2011 Edition

Introduction to Realtime Publishers
by Don Jones, Series Editor

For several years now, Realtime has produced dozens and dozens of high-quality books that just happen to be delivered in electronic format at no cost to you, the reader. We've made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book's production expenses for the benefit of our readers.

Although we've always offered our publications to you for free, don't think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as, and in most cases better than, any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the "realtime" aspect of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers. We're an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I'm proud that we've produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you've received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you're sure to find something that's of interest to you, and it won't cost you a thing. We hope you'll continue to come to Realtime for your educational needs far into the future.

Until then, enjoy.

Don Jones


Introduction to Realtime Publishers ... i
Chapter 1: A Non-Introduction to Active Directory ... 1
    A Brief AD History and Background ... 1
    Inventorying Your AD ... 2
        Forests and Trusts ... 3
        Domains and Trusts ... 4
        Domain Controllers ... 6
        Global Catalogs ... 7
        FSMOs ... 8
        Containers ... 8
        Subnets, Sites, and Links ... 9
        DNS ... 12
    What's Ahead ... 12
        AD Troubleshooting ... 12
        AD Security ... 13
        AD Auditing ... 13
        AD Best Practices ... 13
        AD LDS ... 13
    Let's Get Started! ... 13
Chapter 2: Monitoring Active Directory ... 14
    Monitoring Goals ... 14
    Event Logs ... 15
    System Monitor/Performance Monitor ... 21
    Command-Line Tools ... 25
    Network Monitor ... 26
    System Center Operations Manager ... 29


    Third-Party Tools to Consider ... 29
        Weaknesses of the Native Tools ... 30
        Ways to Address Native Weaknesses ... 30
        Vendors in this Space ... 31
    Let's Start Troubleshooting ... 31
Chapter 3: Active Directory Troubleshooting: Tools and Practices ... 32
    Narrowing Down the Problem Domain ... 32
        Sean's Seven Principles for Better Troubleshooting ... 33
        A Flowchart for AD Troubleshooting ... 34
    Easy Stuff: Network Issues ... 35
    Name Resolution Issues ... 36
    Log Spelunking ... 37
    AD Service Issues ... 37
    Client-Domain Controller Issues ... 39
    Replication Issues ... 40
    AD Database Issues ... 42
    Group Policy Issues ... 43
    Kerberos Issues ... 45
    Coming Up Next ... 46
Chapter 4: Active Directory Security ... 47
    Active Directory Security Architecture ... 47
        Authentication: Kerberos ... 47
        Authorization: DACLs ... 50
        Auditing: SACLs ... 51
        Configuration ... 52
    Distributed vs. Centralized Permissions Management ... 53
    Do-It-Yourself Security Reporting and Changes ... 54


        Permissions ... 55
        Directory Objects ... 55
    Should You Rethink Your Security Design? ... 56
    Third-Party Security Capabilities ... 57
        Reporting ... 57
        Permissions Management ... 59
    DNS Security ... 60
    Coming Up Next ... 62
Chapter 5: Active Directory Auditing ... 63
    Goals of Native Auditing ... 63
    Native Auditing Architecture ... 63
    Common Business Goals for Auditing ... 71
    Weaknesses of Native Auditing ... 72
    Third-Party Auditing Capabilities ... 74
    Coming Up Next ... 76
Chapter 6: Active Directory Best Practices ... 77
    Should You Rethink Your Forest and Domain Design? ... 77
    AD Disaster Recovery ... 78
        Single Domain Controller ... 78
        Entire Domain ... 79
        Entire Forest ... 79
    AD Restores and Recycle Bins ... 79
    Security ... 83
    Replication Topology ... 83
    FSMO Placement ... 85
    Virtualization ... 85
    Ongoing Maintenance ... 86


    Coming Up Next ... 87
Chapter 7: Active Directory Lightweight Directory Services ... 88
    What Is AD LDS? ... 88
        Partitions ... 89
        Synchronizing With AD DS ... 90
        Replication ... 90
        Authentication ... 91
    When to Use AD LDS ... 92
    When Not to Use AD LDS ... 93
    Troubleshooting AD LDS ... 93
    Auditing AD LDS ... 93
    Coming Up Next ... 95
Chapter 8: Assorted Tips and Tricks for Active Directory Troubleshooting ... 96
    Troubleshooting FSMO Roles ... 96
    Troubleshooting Domain Controllers in General ... 97
    Troubleshooting Time Sync ... 98
    Troubleshooting Kerberos ... 99
    Troubleshooting RIDs ... 100
    Troubleshooting Object Deletion ... 100
    Troubleshooting Replication ... 101
    Troubleshooting DNS ... 101
    Troubleshooting Permissions ... 102
    Thanks for Reading, and Good Luck ... 103
    Download Additional eBooks from Realtime Nexus! ... 103


Copyright Statement
2011 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the Materials) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. 
If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com.



[Editor's Note: This eBook was downloaded from Realtime Nexus, The Digital Library for IT Professionals. All leading technology eBooks and guides from Realtime Publishers can be found at http://nexus.realtimepublishers.com.]

Chapter 1: A Non-Introduction to Active Directory

The world has been using Active Directory (AD) for more than a decade now, so there's probably little point in doing a traditional introduction for this book. However, there's still a bit of context that we should cover before we get started, and we should definitely think about AD's history as it applies to our topics of troubleshooting, auditing, and best practices.

The real point of this chapter is to identify key elements of AD that you need to completely inventory in your environment before proceeding in this book. Much of the material in the following chapters will refer to specific infrastructure elements, and will make recommendations based on specifics in common AD environments and scenarios. To make the most of those recommendations, you'll need to know the specifics of your own environment so that you know exactly which recommendations apply to you, and a complete, up-to-date inventory is the best way to gain that familiarity. To conclude this chapter, I'll briefly outline what's coming up in the chapters ahead.

A Brief AD History and Background

AD was introduced with Windows 2000 Server, and replaced the NT Domain Services (NTDS) that had been used since Windows NT 3.1. AD is Microsoft's first real directory; NTDS was pretty much just a flat user account database. AD was designed to be more scalable, more efficient, more standards-based, and more modern than its predecessor. However, AD was (and is) still built on the Windows operating system (OS), and as such shares some of the OS's particular patterns, technologies, eccentricities, and other characteristics.

AD also integrated a successor to Microsoft's then-nascent registry-based management tools. Known today as Group Policy, this new feature added significant roles to the directory beyond the normal one of authentication. With Group Policy, you can centrally define and assign literally thousands of configuration settings to Windows computers (and even non-Windows computers, with the right add-ins) belonging to the domain.


When AD was introduced, security auditing was something that relatively few companies worried about. Since 2000, numerous legislative and industry regulations throughout the world have made security and privacy auditing much more commonplace, although AD's native auditing capabilities have changed very little throughout that time. Because of its central role in authentication and configuration management, AD occupies a critical role for security operations, management, and review within organizations.

We also have to recognize that, aside from governing permissions on its own objects, AD doesn't play a central role in authorization. That is, permissions on things like files, folders, mailboxes, databases, and so forth aren't managed within AD. Instead, those permissions are managed at their point, meaning they're managed on your file servers, mail servers, database servers, and so forth. Those servers may assign permissions to identities that are authenticated by AD, but those servers control who actually has access to what. This division of labor between authentication and authorization makes for a highly scalable, robust environment, but it also creates significant challenges when it comes to security management and auditing, because there's no central place to control or review all of those permissions.

Over the past decade, we've learned a lot about how AD should be built and managed. Gone are the days when consultants routinely started a new forest by creating an empty root domain; also gone are the days when we believed the domain was the ultimate security boundary and that organizations would only ever have a single forest. In addition to covering troubleshooting and auditing, this book will present some of the current industry best practices around managing and architecting AD.

We've also learned that, although difficult to change, your AD design isn't necessarily permanent. Tools and techniques originally created to help migrate to AD are now used to restructure AD, in effect migrating to a new version of a domain as our businesses change, merge, and evolve. This book doesn't specifically focus on mergers and restructures, but keep in mind that those techniques (and tools to support them) are available if you decide that a directory restructure is the best way to proceed for your organization.

Inventorying Your AD

Before we get started, it's important that you have an up-to-date, accurate picture of what your directory looks like. This doesn't mean turning to the giant directory diagram that you probably have taped to the wall in your data center or server room, unless you've double-checked to make sure that thing is up to date and accurate! Throughout this book, I'll be referring to specific elements of your AD infrastructure, and in some cases, you might even want to consider implementing changes to that infrastructure. In order to best follow along, and make decisions, you'll want to have all of the following elements inventoried.


Forests and Trusts

Most organizations have realized that, given the power of the forest-level Enterprise Admins group, the AD forest is in fact the top-level security boundary. Many companies have multiple forests, simply because they have resources that can't all be under the direct control of a single group of administrators. However, to ensure the ability for users, with the appropriate permissions of course, to access resources across forests, cross-forest trusts are usually defined. Your first inventory should be to define the forests in your organization, determine who controls each forest, and document the trusts that exist between those forests.

Cross-forest trusts can be one-way, meaning that if Forest A trusts Forest B, the converse is not necessarily true unless a separate trust has been established so that Forest B explicitly trusts Forest A. Two-way trusts are also possible, meaning that Forest A and Forest B can trust each other through a single trust connection. Forest trusts are also non-transitive: If Forest A trusts Forest B, and Forest B trusts Forest C, then Forest A does not trust Forest C unless a separate, explicit trust is created directly between A and C.

When we talk about trust, we're saying that the trusting forest will accept user accounts from the trusted forest. That is, if Forest A trusts Forest B, then user accounts from Forest B can be assigned permissions on resources within Forest A. Forest trusts automatically include every domain within the forest, so that if Forest A contains five domains, then every one of those domains would be able to assign permissions to user accounts from Forest B. Each forest consists of a root domain and may also include one or more child domains.

Figure 1.1 shows how you might document your forests. Key elements include metadirectory synchronization links, forest trusts, and a general indication of what each forest is used for (such as for users or for resources).


Figure 1.1: Documenting forests.

Note
For the various diagrams in this chapter, I'm going to draw from a variety of sources, including my past consulting engagements and Microsoft documentation. My purpose in doing so is to illustrate that these diagrams can take many different forms, at many different levels of complexity, and with many different levels of sophistication. Consider each of them, and produce your own diagrams using the best tools and skills you have.

Domains and Trusts

Domains act as a kind of security boundary. Although subject to the management of members of the Enterprise Admins group, and to a degree the Domain Admins of the forest root domain, domains are otherwise independently managed by their own Domain Admins group (or whatever group those permissions have been assigned or delegated to).

Account domains are those that have been configured to contain user accounts but which contain no resource servers such as file servers. Resource domains contain only resources such as file servers, and do not contain user accounts. Neither of these designations is strict, and neither exists within AD itself. For example, any resource domain will have at least a few administrator user accounts, user groups, and so forth. The type-of-domain designation is strictly a human convenience, used to organize domains in our minds. Many companies also use mixed domains, in which both user accounts and resources exist.


Domains are typically organized into a tree, beginning with the root domain and then through domains that are configured as children of the root. Domain names reflect this hierarchy: Company.com might be the name of a root domain, and West.Company.com, East.Company.com, and North.Company.com might be child domains. Within such a tree, all domains automatically establish a transitive parent-child two-way trust, effectively meaning that each domain trusts each other domain within the same tree.

Forests, as the name implies, can contain multiple domain trees. By default, the root of each tree has a two-way, transitive trust with the forest root domain (which is the root of the first tree created within that forest), effectively meaning that all domains within a forest trust each other. That's the main reason companies have multiple forests, because the full trust model within a forest gives top-level, forest-wide control to the forest's Enterprise Admins group.

Even if you rely entirely on these default inter-domain trusts, it's still important to document them, along with the domains' names. Figure 1.2 shows how you might build a domain diagram in a program like Microsoft Office Visio. The emphasis in this diagram is on the logical domain structure.

Figure 1.2: Documenting domains.

If you have any specialized domains, such as resource-only domains, user-only domains, and so forth, note those in your documentation. Also note the number of objects (especially computer and user accounts) in each domain. That is actually one of the most important metrics you can know about your domains, although many administrators can't immediately recall their numbers.
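The forest, domain-tree and trust inventory described in the last two sections, as an added PowerShell example that is not part of the book. It assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, and an account that can read every domain in the forest; trusts are decoded from the raw trustedDomain objects rather than a diagram, so direction and transitivity come straight from the directory.

```powershell
# Added example, not from the book: inventory the forest, its domains with their
# place in the tree and their user/computer counts, and every trust, decoded from
# the raw trustedDomain objects in each domain's System container.
# Assumes the ActiveDirectory module, PowerShell 3.0 or later, and an account
# that can read every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest      : $($forest.Name) (forest functional level $($forest.ForestMode))"
"Root domain : $($forest.RootDomain)"
"Domains     : $($forest.Domains.Count)"

# One row per domain: parent in the tree plus the object counts the text says
# most administrators cannot recall offhand.
$domainRows = foreach ($dnsName in $forest.Domains) {
    $d      = Get-ADDomain -Identity $dnsName
    $parent = if ($d.ParentDomain) { $d.ParentDomain } else { '(tree root)' }
    # objectCategory=person AND objectClass=user excludes computers and contacts.
    $users     = @(Get-ADObject -Server $dnsName `
                     -LDAPFilter '(&(objectCategory=person)(objectClass=user))').Count
    $computers = @(Get-ADObject -Server $dnsName -LDAPFilter '(objectCategory=computer)').Count
    [pscustomobject]@{
        Domain    = $d.DNSRoot
        NetBIOS   = $d.NetBIOSName
        Parent    = $parent
        Users     = $users
        Computers = $computers
    }
}
$domainRows | Format-Table -AutoSize

# trustDirection values and trustAttributes bits as stored on trustedDomain objects.
$directionText = @{ 1 = 'Inbound (partner trusts us)'; 2 = 'Outbound (we trust partner)'; 3 = 'Two-way' }
$TRUST_NON_TRANSITIVE    = 0x01
$TRUST_FOREST_TRANSITIVE = 0x08
$TRUST_WITHIN_FOREST     = 0x20

$trustRows = foreach ($dnsName in $forest.Domains) {
    $d = Get-ADDomain -Identity $dnsName
    Get-ADObject -Server $dnsName -SearchBase $d.SystemsContainer `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustDirection, trustAttributes, trustType |
    ForEach-Object {
        $attr = [int]$_.trustAttributes
        if     ($attr -band $TRUST_WITHIN_FOREST)     { $kind = 'Intra-forest (parent/child or tree root)' }
        elseif ($attr -band $TRUST_FOREST_TRANSITIVE) { $kind = 'Forest trust' }
        elseif ([int]$_.trustType -eq 1)              { $kind = 'External (downlevel/NTDS)' }
        else                                          { $kind = 'External' }
        [pscustomobject]@{
            From       = $dnsName
            To         = $_.trustPartner
            Direction  = $directionText[[int]$_.trustDirection]
            Kind       = $kind
            # "Transitive" here means the trust covers every domain of the partner;
            # as the text explains, no trust ever chains on to a third forest.
            Transitive = -not ($attr -band $TRUST_NON_TRANSITIVE)
        }
    }
}
$trustRows | Sort-Object From, To | Format-Table -AutoSize
```

Keep the two tables with your Figure 1.1 and 1.2 diagrams and re-run the script before a restructure or an audit, so the diagram on the wall is checked against what the directory actually says.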


Domain Controllers

Domain controllers (DCs) are what make AD work. They're the servers that run AD's services, making the directory a reality. It's absolutely crucial, as you start reading this book, that you know how many DCs you have, where they're located, what domains they're in, and their individual IP addresses.

In many environments, DCs also provide other services, most frequently Domain Name Service (DNS). Other roles held by DCs may include WINS and DHCP services.

A DC's main role is to provide authentication services for domain users and for resources within the domain. We typically think of this authentication stuff as happening mainly when users show up for work in the morning, and in most cases, that is when the bulk of the authentication traffic occurs. However, as users attempt to access resources throughout the day, their computer will automatically contact a DC to obtain a Kerberos ticket for those resources. In other words, authentication traffic continues throughout the day, albeit at a somewhat slower, more evenly distributed pace than the morning rush.

That morning rush can be significant: Each user's computer must contact a DC to log itself onto the domain, and then again when the user is ready to log on. Users almost always start the day with a few mapped drives, each of which may require a Kerberos ticket, and they usually fire up Outlook, requiring yet another ticket. Some of the organizations I've consulted with have each user interacting with a DC more than a dozen times each morning, and then several dozen more times throughout the day.

We tend to size our DCs for that morning rush, and that capacity generally sees us through the day, even if we take the odd DC offline midday for patching or other maintenance.

Each DC maintains a complete, read/write copy of the entire directory (the only exception being newfangled read-only domain controllers, RODCs, which, as the name implies, contain only a readable copy of the directory). Multi-master replication ensures that any change made on any DC will eventually propagate to every other DC in the domain.

Replication is often one of the trickiest bits of AD, and is one of the things we tend to spend the most time monitoring and troubleshooting. Not all domain data is created equally: Some high-priority data, such as account lockouts, replicates almost immediately (or at least as quickly as possible), while less critical information can take much longer to make its way throughout the organization.

Figure 1.3 shows what a DC inventory might look like. Note the emphasis on physical details: IP addresses, DNS configuration, domain membership, and so forth.


Figure 1.3: DC inventory.

It's also important to note whether any of your DCs are performing any non-AD-related tasks, such as hosting a SQL Server instance (which isn't recommended), running IIS, and so forth.

Global Catalogs

A global catalog (GC) is a specific service that can be offered by a DC in addition to its usual DC duties. The GC contains a subset of information about every object in an entire forest, and enables users in each domain to discover information from other domains in the same forest. Each domain needs at least one GC; however, given the popularity of Exchange Server and its heavy dependence on GCs (Outlook, for example, relies on GCs to do email address resolution), it's not unusual to see a majority, or even all, DCs in a domain configured as GC servers.

Make sure you know exactly where your GCs are located. Numerous network operations can be hindered by a paucity of GCs, but having too many GCs can significantly increase the replication burden on your network.

Note
In Figure 1.3, "GC" is used to indicate DCs that are also hosting the GC server role.


FSMOs
Certain operations within a domain, and within a forest, need a single DC to be in charge. It is absolutely essential for most troubleshooting processes that you know where these Flexible Single Master of Operation (FSMO) role holders sit within your infrastructure:

- The RID Master is in charge of handing out Relative IDs (RIDs) within a single domain (and so you'll have one RID Master per domain). RIDs are used to uniquely identify new AD objects, and they are assigned in batches to DCs. If a DC runs out of RIDs and can't get more, that DC can't create new objects. It's common to put the RID Master role on a DC that's used by administrators to create new accounts so that that DC will always be able to request RIDs.
- The Infrastructure Master maintains security identifiers for objects referenced in other domains; typically, that means updating user and group links. You have one of these per domain.
- The PDC Emulator provides backward compatibility with the old NTDS, and is the only place where NTDS-style changes can be made (any DC provides read access for NTDS clients). Given that NTDS clients are becoming extinct in most organizations, the PDC Emulator (you'll have one in each of your domains, by the way) doesn't get used a lot for that purpose. Fortunately, it has a few other things to keep it busy. For example, password changes processed by other DCs tend to replicate to the PDC Emulator first, and the PDC Emulator serves as the authoritative time source for time synchronization within a domain.
- Each forest will contain a single Schema Master, which is responsible for handling schema modifications for the forest.
- Each forest also has a Domain Naming Master, which keeps track of the domains in the forest, and which is required when adding or removing domains to or from the forest. The Domain Naming Master also plays a role in maintaining group membership across the forest.

Marking these role owners on your main diagram (such as Figure 1.3) is a great way to document the FSMO locations. Some organizations also like to indicate a backup DC for each FSMO role so that in the event a FSMO role must be moved, it's clear where it should be moved to.
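As an added example (not the book's own code), the following PowerShell script builds the DC inventory that Figure 1.3 calls for, including the GC flag from the previous section and the FSMO role holders from this one, and then checks that every domain has a GC and that every role holder is a DC that actually exists. It assumes the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later), read access to the whole forest, and an arbitrary output file name.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module and forest read access.
Import-Module ActiveDirectory

$forest = Get-ADForest

# One row per DC, queried per domain so child domains' DCs are included.
# OperationMasterRoles lists the FSMO roles the DC holds (empty for most DCs).
$inventory = foreach ($domainName in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domainName | ForEach-Object {
        [pscustomobject]@{
            Domain      = $domainName
            Name        = $_.HostName
            IPv4Address = $_.IPv4Address
            Site        = $_.Site
            OS          = $_.OperatingSystem
            IsGC        = $_.IsGlobalCatalog
            IsRODC      = $_.IsReadOnly
            FSMORoles   = (@($_.OperationMasterRoles) -join ',')
        }
    }
}

$inventory | Sort-Object Domain, Name | Format-Table -AutoSize
# Keep a dated copy so the inventory can be compared after changes (file name is arbitrary).
$inventory | Export-Csv -Path ".\DC-Inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Checks the text calls for: at least one GC per domain, and each domain-level role
# held by a DC that is still in the directory (a holder that no longer exists means the
# role must be seized before new RIDs, password changes, or group updates work properly).
foreach ($domainName in $forest.Domains) {
    $domain    = Get-ADDomain -Identity $domainName
    $domainDCs = @($inventory | Where-Object { $_.Domain -eq $domainName })
    $dcNames   = @($domainDCs | ForEach-Object { $_.Name })

    if (-not ($domainDCs | Where-Object { $_.IsGC })) {
        Write-Warning "$domainName has no global catalog server"
    }
    foreach ($holder in @($domain.RIDMaster, $domain.InfrastructureMaster, $domain.PDCEmulator)) {
        if ($dcNames -notcontains $holder) {
            Write-Warning "$domainName role holder '$holder' is not a known DC; role may need seizing"
        }
    }
}

# Forest-level roles are checked against every DC in the forest.
$allNames = @($inventory | ForEach-Object { $_.Name })
foreach ($holder in @($forest.SchemaMaster, $forest.DomainNamingMaster)) {
    if ($allNames -notcontains $holder) {
        Write-Warning "Forest role holder '$holder' is not a known DC; role may need seizing"
    }
}
```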

Containers
The logical structure of AD is divided into a set of hierarchical containers. AD supports two main types: containers and organizational units (OUs). A couple of built-in containers (such as the Users container) exist by default within a domain, and you can create all the OUs that you want to help organize your domain's objects and resources. Again, an inventory here is critical, as several operations, most especially Group Policy application, work primarily based on things like OU membership.

Figure 1.4 shows one way in which you might document your OU and container hierarchy. Depending on the size and depth of your hierarchy, you could also just grab a screenshot from a program like Active Directory Users and Computers.


Figure 1.4: Documenting OUs and containers.

Try to make some notation of how many objects are in each container, and if possible make a note of which containers have which Group Policy Objects (GPOs) linked to them. That information will be useful as we dive into troubleshooting and best practices discussions.

Subnets, Sites, and Links
In AD terms, a subnet is an entry in the directory that defines a single network subnet, such as 192.168.1.0/8. A site is a collection of subnets that all share local area network (LAN)-style connectivity, typically 100Mbps or faster. In other words, a site consists of all the subnets in a given geographic location.

Links, or site links, define the physical or logical connectivity between sites. These tell AD's replication algorithms which DCs are able to physically communicate across wide area network (WAN) links so that replicated data can make its way throughout the organization.

Documenting your subnets, sites, and links is quite probably the most important inventory you can have for a geographically dispersed domain.


Typically, you'll have site links that represent the physical WAN connectivity between sites. A cost can be applied to each link, indicating its relative expense. For example, if two sites are connected by a high-speed WAN link and a lower-speed backup link, the backup link might be given a higher cost to discourage its use by AD under normal conditions. As Figure 1.5 shows, you can also create site links that represent a virtual connection. The A-C link connects two sites that do not have direct WAN connectivity. This isn't necessarily a best practice, as it tells AD to expect WAN connectivity where none in fact exists.

Figure 1.5: Configuring site links.

Eliminating the A-C site link will not hinder AD operations: The directory will correctly determine the best path for replication. For example, changes made in Site C would replicate to D, then to B, and eventually to A. If Site C were the source of many changes (perhaps a concentration of administrators work there), you could speed up replication from there to Site A by creating a site link bridge, effectively informing AD of the complete path from C to A by leveraging the existing A-B, B-D, and C-D site links. Such a bridge accurately reflects the physical WAN topology but provides a higher-priority route from C to A. Figure 1.6 shows how you might document that.


Figure 1.6: Configuring a site link bridge.

As you document your sites, think again about numbers: How many computers are in each site? How many users? Make a notation of these numbers, along with a notation of how many DCs exist at each site.

Sites should, as much as possible, reflect the physical reality of your network; they don't correspond to the logical structure of the domain in any way. One site may contain DCs from several domains or forests, and any given domain may easily span multiple sites. However, site links are kind of a part of the domain's logical structure because those links are defined within the directory itself. If you have multiple domains, it's worth building a diagram (like Figure 1.5 or 1.6) for each domain, even if they look substantially the same. In fact, any group of domains that spans the same physical sites should have identical-looking site diagrams because the physical reality of your network isn't changing. Going through the exercise of creating the diagrams will help ensure that each domain has its links and bridges configured properly.
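As an added example (not the book's own code), this PowerShell script pulls the subnet, site, site link, and site link bridge inventory described above straight from the Configuration partition, including the link costs and replication intervals that Figures 1.5 and 1.6 document, and flags subnets that are not mapped to any site. It reads the objects with Get-ADObject rather than the newer Get-ADReplication* cmdlets so that it works with the Windows Server 2008 R2-era ActiveDirectory module; it assumes that module and read access to the forest.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module and forest read access.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# Helper: turn a DN such as "CN=SiteA,CN=Sites,..." into "SiteA".
function Get-LeafName([string]$dn) { ($dn -split ',')[0] -replace '^CN=', '' }

# Sites, with the number of DC server objects registered under each one.
$sites = Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=site)' -SearchScope OneLevel |
    ForEach-Object {
        $dcs = @(Get-ADObject -SearchBase "CN=Servers,$($_.DistinguishedName)" `
                    -LDAPFilter '(objectClass=server)' -SearchScope OneLevel -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Site = $_.Name; DCs = $dcs.Count }
    }

# Subnets and the site each one maps to. A client on an unmapped subnet is not told
# which site it is in and may authenticate against a DC across the WAN.
$subnets = Get-ADObject -SearchBase "CN=Subnets,$sitesDN" -LDAPFilter '(objectClass=subnet)' `
               -Properties siteObject |
    ForEach-Object {
        $siteName = if ($_.siteObject) { Get-LeafName $_.siteObject } else { '(none)' }
        [pscustomobject]@{ Subnet = $_.Name; Site = $siteName }
    }

# Site links (IP transport) with cost, interval in minutes, and member sites, as in Figure 1.5.
$links = Get-ADObject -SearchBase "CN=Inter-Site Transports,$sitesDN" `
             -LDAPFilter '(objectClass=siteLink)' -Properties cost, replInterval, siteList |
    ForEach-Object {
        $members = @($_.siteList | ForEach-Object { Get-LeafName $_ })
        [pscustomobject]@{
            Link      = $_.Name
            Cost      = $_.cost
            IntervalM = $_.replInterval
            SiteCount = $members.Count
            Sites     = ($members -join ' <-> ')
        }
    }

# Site link bridges and the links they join, as in Figure 1.6.
$bridges = Get-ADObject -SearchBase "CN=Inter-Site Transports,$sitesDN" `
               -LDAPFilter '(objectClass=siteLinkBridge)' -Properties siteLinkList |
    ForEach-Object {
        $parts = @($_.siteLinkList | ForEach-Object { Get-LeafName $_ })
        [pscustomobject]@{ Bridge = $_.Name; Links = ($parts -join ' + ') }
    }

'== Sites =='      ; $sites   | Format-Table -AutoSize | Out-Host
'== Subnets =='    ; $subnets | Sort-Object Site | Format-Table -AutoSize | Out-Host
'== Site links ==' ; $links   | Sort-Object Cost | Format-Table -AutoSize | Out-Host
'== Bridges =='    ; $bridges | Format-Table -AutoSize | Out-Host

# Things to fix or at least explain on the diagram.
$subnets | Where-Object { $_.Site -eq '(none)' } |
    ForEach-Object { Write-Warning "Subnet $($_.Subnet) is not associated with any site" }
$links | Where-Object { $_.SiteCount -lt 2 } |
    ForEach-Object { Write-Warning "Site link $($_.Link) joins fewer than two sites" }
$sites | Where-Object { $_.DCs -eq 0 } |
    ForEach-Object { Write-Warning "Site $($_.Site) has no DC; clients there authenticate across a site link" }
```

The per-link cost and interval columns are what you compare against the physical WAN diagram by hand; a virtual link like the A-C link in Figure 1.5 shows up here with a cost but no matching circuit in your network documentation.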


DNS
The last critical piece of your inventory consists of your DNS servers. You should clearly document where each server physically sits and think about which clients it serves. Most companies have at least two DNS servers, although having more (and distributing them throughout your network) can provide better DNS performance to distant clients. AD absolutely cannot function without DNS, so it's important that both servers and clients have ready access to a high-performance DNS server. Most AD problems are rooted in DNS issues, meaning much of our troubleshooting discussion will be about DNS, and that discussion will be more meaningful if you can quickly locate your DNS servers on your network.

Also try to make some notation of which users, and how many users, utilize each DNS server, either as a primary, secondary, or other server. That will help give you an at-a-glance view of each DNS server's workload, and give you an idea of which users are relying on a particular server.

Putting Your Inventory into Visual Form
A tool like Microsoft Office Visio is often utilized to create AD infrastructure diagrams, often showing both the logical structure (domains, forests, and trusts) and the physical topology (subnets, sites, links, and so forth). There are also third-party tools that can automatically discover your infrastructure elements and create the appropriate charts and diagrams for you. The benefit of such tools is that they're always right, because they're reflecting reality, not someone's memory of reality. They can usually catch changes and create updated diagrams much faster and more accurately than you can.
I love to use those kinds of tools in combination with my own hand-drawn diagrams. If the tool-generated picture of my topology doesn't match my own picture, I know I've got a problem, and that can trigger an investigation and a change, if needed.

What's Ahead
Let's wrap up this brief introduction with a look at what's coming up in the next seven chapters.

AD Troubleshooting
Chapters 2 and 3 will concern themselves primarily with troubleshooting. In Chapter 2, we'll focus on the ways and means of monitoring AD, including native event logs, system tools, command-line tools, network monitors, and more. I'll also present desirable capabilities available in third-party tools (both free and commercial), with a goal of helping you to build a sort of shopping list of features that may support troubleshooting, security, auditing, and other needs.


Chapter 3 will focus on troubleshooting, including techniques for narrowing the problem domain, addressing network issues, resolving name resolution problems, dealing with AD service issues, and more. We'll also look at replication, AD database failures, Group Policy issues, and even some of the things that can go wrong with Kerberos. I'll present this information in the form of a troubleshooting flowchart that was developed by a leading AD Most Valuable Professional (MVP) award recipient, and walk you through the tools and tasks necessary to troubleshoot each kind of problem.

I'll wrap up this book with more troubleshooting, devoting Chapter 8 to additional troubleshooting tips and tricks.

AD Security
In Chapter 4, we'll dive into and discuss the base architecture for AD security. We'll look more at the issue of distributed permissions management, and discuss some of the problems that it presents and some of the advantages it offers. We'll look at some do-it-yourself tools for centralizing permissions changes and reporting, and explore whether you should rethink your AD security design. We'll also look at third-party capabilities that can make security management easier, and dive into the little-understood topic of DNS security.

AD Auditing
Chapter 5 will cover auditing, discussing AD's native auditing architecture and looking at how well that architecture helps to meet modern auditing requirements. I'll also present capabilities that are offered by third-party tools and how well those can meet today's business requirements and goals.

AD Best Practices
Chapter 6 will be a roundup of best practices for AD, including a quick look at whether you should reconsider your current AD domain and forest design (and, if you do, how you can migrate to that new design with minimum risk and effort). We'll also look at best practices for disaster recovery, restoration, security, replication, FSMO placement, DNS design, and more. I'll present new ideas for virtualizing your AD infrastructure, and look at best practices for ongoing maintenance.

AD LDS
Chapter 7 gives me an opportunity to cover additional information: AD's smaller cousin, Active Directory Lightweight Directory Services (AD LDS). We'll look at what it is, when to use it, when not to use it, and how to troubleshoot and audit this valuable service.

Let's Get Started!
With your AD inventory updated and in hand, we're ready to begin. The next chapter will introduce you to the majority of the tools that you'll need to pry valuable information out of AD so that you can start assembling your security and troubleshooting utility belt.


Chapter 2: Monitoring Active Directory
The fact is that you can't really do anything with Active Directory (AD) unless you have some way of figuring out what's going on under the hood. That's what this chapter will be all about: how to monitor AD. I have to make a distinction between monitoring and auditing: Monitoring, which we'll cover here, is primarily done to keep an eye on functionality and performance, and to solve functional and performance problems when they arise. Auditing is an activity designed to keep an eye on what people are doing with the directory: exercising permissions, changing the configuration, and so forth. We have chapters on auditing lined up for later in this book.

Monitoring Goals
There are really two reasons to monitor AD. The first is because there's some kind of problem that you're trying to solve. In those cases, you're usually interested in current information, delivered in real time, and you're not necessarily interested in storing that data for more than a few moments. That is, you want to see what's happening right now. You also usually want to focus in on specific data, such as that related to replication, user logon performance, or whatever you're troubleshooting.

The second reason to monitor is for trending purposes. That is, you're not looking at a specific problem but instead collecting data so that you can spot potential problems. You're usually looking at a much broader array of data because you don't have anything specific that you need to focus on. You're also usually interested in retaining that data for a potentially long time so that you can detect trends. For example, if user logon workload is slowly growing over time, storing monitoring data and examining trends (perhaps in the form of charts) allows you to spot that growing trend, anticipate what you might need to do about it, and get it done.

Having these goals in mind as we look at some of the available tools is important. Some tools excel at offering real-time data but are poor at storing data that would provide trending information. Other tools might be great at storing information for long-term trending but aren't as good at providing highly detailed, very specific, real-time information for troubleshooting purposes. So as we look at these tools, we'll try to identify which bits they're good at.


Another thing to keep in mind before we jump in is that some of these tools are actually foundational technologies. In other words, when we discuss event logs, you have to keep in mind that that technology is a tool that you can use and it's a foundation that other tools use. Any strengths or weaknesses present in that technology are going to carry through to any tools that use that technology. So again, it's simply important to recognize such considerations because they'll have an impact beyond that specific tool.

Event Logs
Windows' native event logs play a crucial role in monitoring AD. The event logs aren't great, but they're the place where AD sends a decent amount of diagnostic and auditing information, so you have to get used to using them.

There's a bit of a distinction that needs to be made: The event log is a native Windows data store. The Event Viewer is the native tool that enables you to look at these logs. Event logs themselves are also accessible to a wide variety of other tools, including Windows PowerShell, Windows Management Instrumentation (WMI), and numerous third-party tools. In Windows Server 2008 and later, the Event Viewer for these logs is accessible through the Server Manager console, which Figure 2.1 shows.

Figure 2.1: Accessing event logs in Server Manager.


There are two kinds of logs. The Windows Logs are the same basic logs that have been around since the first version of Windows NT. Of these, Active Directory (AD) writes primarily to the Security log (auditing information) and the System log (diagnostic information). In Windows Server 2008, a new kind of log, Applications and Services Logs, was introduced. These supplement the Windows Logs by giving each application the ability to create and write to its own log rather than dumping everything into the Application log, as was done in the past. In these new logs, AD creates an Active Directory Web Services log, DFS Replication log, Directory Service log, and DNS Server log. Technically, DFS and DNS aren't part of AD, but they do integrate with and support AD, so they're important to look at.

Windows itself also creates numerous logs under the Microsoft folder, as Figure 2.1 shows: Group Policy, DNS Client Events, and a few others, all of which can offer clues into AD's operation and performance. Don't forget that client computers play a role in AD, as well. Logs for NTLM, Winlogon, DNS Client, and so forth can all provide useful information when you're troubleshooting an AD problem.

Although the event logs can contain a wealth of information, their usefulness can be hit or miss. For example, the event that Figure 2.2 shows is pretty clear: Smart card logons aren't working because there isn't a certificate installed. My domain doesn't use smart card logons, so this is expected and doesn't present a problem.


Figure 2.2: Helpful events.

Other events just constitute noise, such as the one shown in Figure 2.3: "User Logon Notification for Customer Experience Improvement Program." Huh? Why do I care?


Figure 2.3: Noise events.

Then you've got winners like the one shown in Figure 2.4. This is tagged as an actual error, but it doesn't tell me much and it doesn't give many clues about how to solve the problem, or even if I need to worry about it.


Figure 2.4: Unhelpful events.

It's probably going too far to call this event useless, but this event is certainly not very helpful. Finally, as shown in Figure 2.5, sometimes the event logs will include suggestions. That's nice, but is this the best place to put these? They create more noise when you're trying to track down information related to a specific problem, and they're tagged as Warnings (so you tend to want to look at them, just in case they're warning you of a problem), but they can often be ignored.


Figure 2.5: Suggestions, not events.

There probably isn't an administrator alive who hasn't spent a significant amount of time in Google hunting down the meaning behind, and resolution for, dozens of event IDs over the course of their careers. That reality highlights key problems of the native event logs:

- They're not centralized. Although you can configure event forwarding, it's pretty painful to get all of your domain controllers' logs into a single location. That means your diagnostic information is spread across multiple servers, giving you multiple places to search when you're trying to solve a problem.
- They're not always very clear. Confusing, vague, or obtuse messages are what the event logs are famous for. Although Microsoft has gradually improved that over the years in some instances, there are still plenty of poor examples in the logs.
- They're full of noise. Worse, you can't rely on the Information, Warning, and Error tags. Sometimes, an Information event will give you the clue you need to solve a problem, and Warning events, as we've seen, can contain information that is not trouble-related.
- The native Viewer tool offers poor filtering and searching capabilities, and no correlation capability. That is, it can't help you spot related events that might point to a specific problem or solution.


Problems notwithstanding, you have to get used to these logs because they're the only place where AD and its various companions log any kind of diagnostic information when problems occur.
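As an added example (not the book's own code), this PowerShell script takes a first cut at the "not centralized" and "no correlation" weaknesses listed above: it pulls the last day of Critical, Error, and Warning events from the AD-related Applications and Services logs named earlier on every DC into one table, and groups them by source and event ID so you can see which IDs fire on every DC (something shared) versus one DC (that box). It assumes the ActiveDirectory module, that Remote Event Log Management is allowed through the DC firewalls, and that the caller can read those logs; the known-noise list is empty on purpose because which IDs are noise is a decision you make after investigating them.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module and remote event log access.
Import-Module ActiveDirectory

$logs  = 'Directory Service', 'DNS Server', 'DFS Replication', 'Active Directory Web Services'
$since = (Get-Date).AddHours(-24)
# Event IDs you have already investigated and decided are noise go here (none by default).
$knownNoise = @()

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$events = foreach ($dc in $dcs) {
    try {
        # Level 1 = Critical, 2 = Error, 3 = Warning. Information events are skipped here,
        # although, as the text notes, they sometimes hold the real clue.
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = $logs; Level = 1, 2, 3; StartTime = $since
        } |
            Where-Object { $knownNoise -notcontains $_.Id } |
            Select-Object @{n='DC'; e={ $dc }}, TimeCreated, LogName, ProviderName, Id,
                          LevelDisplayName, @{n='Message'; e={ ($_.Message -split "`n")[0].Trim() }}
    } catch {
        # Get-WinEvent throws when nothing matched; anything else (RPC, access denied)
        # is a finding about that DC in its own right.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "${dc}: $($_.Exception.Message)"
        }
    }
}

# Correlation view: count per source/ID, and on how many distinct DCs it appeared.
$events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
    Select-Object Count,
                  @{n='DCs';       e={ @($_.Group | Select-Object -ExpandProperty DC | Sort-Object -Unique).Count }},
                  @{n='Source/ID'; e={ $_.Name }},
                  @{n='Level';     e={ $_.Group[0].LevelDisplayName }},
                  @{n='FirstLine'; e={ $_.Group[0].Message }} |
    Format-Table -AutoSize -Wrap

# Keep the raw rows so the same query can be trended over time (file name is arbitrary).
$events | Export-Csv -Path ".\AD-Events-$(Get-Date -Format yyyyMMddHHmm).csv" -NoTypeInformation
```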

System Monitor/Performance Monitor
Also located in Server Manager is Performance Monitor, the native GUI-based tool used to view Windows' built-in performance counters. Any domain controller will contain numerous counter sets related to directory services, including several DFS-related categories, Directory Services, DNS, and more. These are designed to provide the focused, real-time information you need when you're troubleshooting specific problems; typically, performance problems, although not necessarily. Although Performance Monitor does have the ability to create logs, containing performance data collected over a long period of time, it's not a great tool for doing so. More on that in a bit.

It's difficult to give you a fixed list of counters that you should always look at; any of them might be useful when you're troubleshooting a specific problem. That said, there are a few that are useful for monitoring AD performance in general:

- DRA Inbound Bytes Total/Sec shows inbound replication traffic. If it's zero, there's no replication, which is generally a problem unless you have only one domain controller.
- DRA Inbound Object Updates Remaining in Packet provides the number of directory objects that have been received but not yet applied. This number should always be low on average, although it may spike as replicated objects arrive. If it remains high, your server isn't processing updates quickly.
- DRA Outbound Bytes Total/Sec offers the data being sent from the server due to replication. Again, unless you've got only one domain controller, this will rarely be zero in a normal environment.
- DRA Pending Replication Synchronization shows the number of directory objects waiting to be synchronized. This may spike but should be low on average.
- DS Threads in Use provides the number of process threads currently servicing clients. Continuously high numbers suggest a need for a larger number of processor cores to run those threads in parallel.
- Kerberos Authentications offers a basic measure of authentication workload.
- LDAP Bind Time shows the number of milliseconds that the last LDAP bind took to complete. This should be low on average; if it remains high, the server isn't keeping up with demand.
- LDAP Client Sessions is another basic unit of workload measurement.
- LDAP Searches/Sec offers another good basic unit of workload measurement.


All of these counters benefit from trending, as they all help you form a basic picture of how busy a domain controller is. In other words, it's great when you can capture this kind of data on a continuous basis, then view charts to see how it changes over time. Performance Monitor itself isn't a great tool for doing that because it simply wasn't designed to collect weeks and weeks' worth of data and display it in any meaningful way. However, it can be suitable for collecting data for shorter periods of time (say, a few hours), then using the collected data to get a sense of your general workload.

You'll have to do that monitoring on each domain controller, too, because the performance information is local to each computer. Ideally, each domain controller's workload will be roughly equal. If they're not, start looking at things like other tasks the computer is performing, or the computer's hardware, to see why one domain controller seems to be working harder than others.

This kind of performance monitoring is one of the biggest markets for third-party tools, which we'll discuss toward the end of this chapter. Using the same underlying performance counters, third-party tools (as well as additional, commercial tools from Microsoft) can provide better performance data collection, storage, trending, and reporting, and can even do a better job of sending alerts when performance data exceeds preset thresholds. What Performance Monitor is good at, as Figure 2.6 shows, is enabling you to quickly view real-time data when you're focusing on a specific problem.
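As an added example (not the book's own code), this PowerShell script samples the nine NTDS counters listed above from every DC in the domain for a short window, keeps the raw samples for trending, averages them per DC, and then applies the two checks the text describes: a DC whose workload is far above its peers, and a multi-DC domain where inbound replication bytes stay at zero. It assumes the ActiveDirectory module, that the Performance Logs and Alerts firewall rules allow remote counter collection on the DCs, and that the "\NTDS\..." counter paths match your DC's language; the 2x skew threshold and the one-minute window are arbitrary choices.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module and remote counter access.
Import-Module ActiveDirectory

$counters = @(
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Inbound Object Updates Remaining in Packet',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\NTDS\DS Threads in Use',
    '\NTDS\Kerberos Authentications',
    '\NTDS\LDAP Bind Time',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\LDAP Searches/sec'
)
$dcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)

# 12 samples 5 seconds apart = one minute; raise MaxSamples for the "few hours" the text suggests.
$samples = Get-Counter -ComputerName $dcs -Counter $counters -SampleInterval 5 -MaxSamples 12

# Flatten to one row per (time, DC, counter). Sample paths look like
# \\dc01.example.com\ntds\ldap searches/sec, so split off the host once.
$rows = foreach ($set in $samples) {
    foreach ($cs in $set.CounterSamples) {
        $parts = $cs.Path.TrimStart('\') -split '\\', 2
        [pscustomobject]@{ Time = $set.Timestamp; DC = $parts[0]; Counter = $parts[1]; Value = $cs.CookedValue }
    }
}
# Raw samples are what you trend; keep them (file name is arbitrary).
$rows | Export-Csv -Path ".\NTDS-Counters-$(Get-Date -Format yyyyMMddHHmm).csv" -NoTypeInformation

# Per-DC averages over the window.
$avg = $rows | Group-Object DC, Counter | ForEach-Object {
    [pscustomobject]@{
        DC      = $_.Group[0].DC
        Counter = $_.Group[0].Counter
        Average = [math]::Round(($_.Group | Measure-Object Value -Average).Average, 2)
    }
}
$avg | Sort-Object Counter, DC | Format-Table -AutoSize

# Workload skew: a DC averaging more than twice the fleet mean on a workload counter is
# the one to examine for extra roles, hardware differences, or a misbehaving client.
$workload = 'ntds\ldap searches/sec', 'ntds\kerberos authentications', 'ntds\ds threads in use', 'ntds\ldap client sessions'
foreach ($name in $workload) {
    $subset = @($avg | Where-Object { $_.Counter -eq $name })   # -eq is case-insensitive
    if ($subset.Count -lt 2) { continue }
    $fleet = ($subset | Measure-Object Average -Average).Average
    foreach ($r in $subset) {
        if ($fleet -gt 0 -and $r.Average -gt 2 * $fleet) {
            Write-Warning "$($r.DC): $name averages $($r.Average) against a fleet mean of $([math]::Round($fleet, 2))"
        }
    }
}

# Replication sanity: inbound bytes stuck at zero on a multi-DC domain means nothing is arriving.
if ($dcs.Count -gt 1) {
    $avg | Where-Object { $_.Counter -eq 'ntds\dra inbound bytes total/sec' -and $_.Average -eq 0 } |
        ForEach-Object { Write-Warning "$($_.DC) received no inbound replication during the sample window" }
}
```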


Figure 2.6: Viewing real-time performance data in Performance Monitor.

One problem we should identify, though, is that Performance Monitor requires a good deal of knowledge on your part to be useful. First, you have to make sure you're looking at all the right counters at the right time. Looking at DS Threads alone is useless unless you're also looking at some other counters to tell you why all those threads are, or are not, in use. In other words, you have to be able to mentally correlate the information from many counters to get an accurate assessment of how AD is really performing. Microsoft helps by providing predefined data collector sets, which can include not only counters but also trace logs and configuration changes. One is provided for AD diagnostics (see Figure 2.7).


Figure 2.7: The AD Diagnostics data collector set.

Once you start a collector set, you can let it run for however long you like. Results aren't displayed in real time; instead, you have to view the latest report, which is a snapshot. These sets are designed to run for longer periods of time than a normal counter trace log, and the set's configuration includes settings for managing the collected log size. Figure 2.8 shows an example report.


Figure 2.8: Viewing a data collector set report.

These reports do a decent job of applying some intelligence to the underlying data. As you can see here, a green light icon lets you know that particular components are performing within Microsoft's recommended thresholds. That intelligence doesn't extend far, though: Once you start digging into AD-specific stuff, you're still looking at raw data, as you can see in the section on Replication that's been expanded in Figure 2.8. Thus, you'll still need a decent amount of expertise to interpret these reports and determine whether they represent a problem condition.

Command-Line Tools
A host of command-line tools can help detect AD problems or provide information needed to solve those problems. This chapter isn't intended to provide a comprehensive list of them, but one of the more well-known and useful ones is Repadmin. This tool can be used to check replication status and diagnose replication problems. For example, as Figure 2.9 shows, this tool can be used to check a domain controller's replication neighbors, a way of checking on your environment's replication topology. You'll also see if any replication attempts with those neighbors have succeeded or failed.


Figure 2.9: Using Repadmin to check replication status.

This and other command-line tools are great for checking real-time status information. What they're not good at is collecting information over the long haul, or for running continuously and proactively alerting you to problems.
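As an added example (not the book's own code), this PowerShell snippet runs the same replication-neighbor check Figure 2.9 shows, but for every DC at once, using Repadmin's CSV output so the failing links can be filtered out and the whole result kept for comparison against a later run. It assumes repadmin.exe is on the path (the AD DS tools from RSAT) and that the caller can query all DCs; the column names are the ones Repadmin emits with /showrepl /csv.

```powershell
# Added example, not from the book. Assumes repadmin.exe from the AD DS tools is available.
# "*" asks every DC for its inbound replication partners; /csv makes the output parseable.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv

# One row per inbound link: source DSA -> destination DSA for one naming context.
$links |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures',
                  'Last Failure Time', 'Last Success Time', 'Last Failure Status' |
    Sort-Object 'Destination DSA', 'Naming Context' |
    Format-Table -AutoSize

# Anything with a failure count is the list to work through; the status code is the
# Win32 error behind the failure (repadmin /showrepl's own output shows the same text).
$failing = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
if ($failing.Count -gt 0) {
    Write-Warning "$($failing.Count) replication link(s) reporting failures"
    foreach ($f in $failing) {
        Write-Warning ("{0} -> {1} [{2}]: status {3}, last failure {4}, last success {5}" -f
            $f.'Source DSA', $f.'Destination DSA', $f.'Naming Context',
            $f.'Last Failure Status', $f.'Last Failure Time', $f.'Last Success Time')
    }
}

# Repadmin's view is point-in-time; record it so the next run can be compared (file name is arbitrary).
$links | Export-Csv -Path ".\showrepl-$(Get-Date -Format yyyyMMddHHmm).csv" -NoTypeInformation
```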

Network Monitor
You might not ordinarily think of Network Monitor (or any packet capture tool, including Wireshark and others) as a way of monitoring AD. In fact, with a lot of practice, they can be great tools. After all, much of what AD does ultimately comes down to network communications, and with a packet capture tool, you can easily see exactly what's transpiring over the network. Figure 2.10 illustrates the main difficulty in using these tools.


Figure 2.10: Captured AD traffic in Network Monitor.

You see the problem, right? This is rocket-science-level stuff. I'm showing a captured packet for directory services traffic, but unless you know what this traffic should look like, it's impossible to tell whether this represents a problem. But gaining that knowledge is worth the time: I've used tools like this to find problems with DNS, Kerberos, time sync, and numerous other AD-related issues. Unfortunately, a complete discussion of these protocols, how they work, and what they should look like is far beyond the scope of this book.

At a simpler level, though, you can use packet capture tools as a kind of low-level workload monitor. For example, consider Figure 2.11.


Figure 2.11: Capturing traffic in Network Monitor.

Ignoring the details of the protocol, pay attention to the middle frame. At the top of the packet list, you can see a few LDAP search packets. This gives me an idea of what kind of workload the domain controller is receiving, where it's coming from, and so forth. If I know a domain controller is overloaded, this can be the start of the process to discover where the workload is originating; in this case, it might be a new application submitting poorly constructed LDAP queries to the directory.


System Center Operations Manager
System Center Operations Manager is Microsoft's commercial offering for monitoring both performance and functionality in AD, as well as in numerous other Microsoft products and Windows subsystems. SCOM, as it's affectionately known, utilizes both performance counters and other data feeds, much as Windows' native tools do. What sets SCOM apart are two things:

- Data is stored for a long period of time, enabling trending and other historical tasks
- Data is compared with a set of Microsoft-provided thresholds, packaged into Management Packs, that tell you when data represents a good, bad, or going-bad condition

That last bit enables SCOM to more proactively alert you to performance conditions that are trending bad, and to then show you detailed real-time and historical data to help troubleshoot the problem. In many cases, Management Packs can include prescriptive advice for failure conditions, helping you to troubleshoot and solve problems more rapidly.

As a tool, SCOM addresses most, if not all, of the weaknesses in the native Windows toolset. It does so by relying primarily on native technologies, and it does so in a way that often imposes less monitoring overhead than some of the native tools. Having SCOM collect performance data for a month, for example, is a lot easier on the monitored server than running Performance Monitor continuously on that server. SCOM does, however, require its own infrastructure of servers and other dependencies, so it adds some complexity to your environment.

Unfortunately, one of SCOM's greatest strengths, its ability to monitor a wide variety of products and technologies from a single console, is also a kind of weakness because it doesn't offer a lot of technology-specific functionality. For example, SCOM isn't a great way to construct an AD replication topology map because that's a very AD-specific capability that wouldn't be used by any other product. In other words, SCOM is a bit generic. Although it can provide great information, and good prescriptive advice, it isn't necessarily the only tool you'll need to troubleshoot every problem. SCOM can alert you to most types of problems (such as an unacceptably high number of replication failures), but it can't always help you visualize the underlying data in the most helpful way.

Third-Party Tools to Consider
I'm not normally a fan of pitching third-party products, and I'm not really going to do so here. That said, we've identified some weaknesses in the native tools provided with Windows. Some of those weaknesses are addressed by SCOM, but because that tool itself is a commercial add-on (that is, it doesn't come free with Windows), you owe it to yourself to consider other add-on commercial tools that might address the native tools' weaknesses in other ways, or perhaps at a different price point. That said, what are some of the weaknesses that we're trying to address?


Weaknesses of the Native Tools
Although I think Microsoft has provided some great underlying technologies in things like event logs and performance counters, the tools they provide to work with those are pretty basic. In order to decide if a replacement tool is suitable, we need to see if it can correct these weaknesses:

- Non-centralized: Windows' tools are per-server, and when you're talking about AD, you're talking about an inherently distributed system that functions as a single, complicated unit. We need tools that can bring diagnostic and performance information together into a single place.
- Raw data: Windows' tools really just provide GUI access to underlying raw data, either in the form of events or performance counters or whatever. That's really sub-optimal. What we want is something to translate that data into English, tell us what it means, and possibly provide intelligence around it, which is a lot of what SCOM offers, really.
- Limited data: Windows' tools collect the information available to them through native diagnostic and performance technologies, and that's it. There are certainly instances when we might want more data, especially more specific data that deals with AD and its unique issues.
- Generic: Windows' tools are pretty generic. The Event Viewer and Performance Monitor, for example, aren't AD-specific. But an AD-specific tool could go a long way in making both monitoring and troubleshooting easier because it could present information in a very AD-centric fashion.

Ways to Address Native Weaknesses
There are a few ways that vendors work to address these weaknesses:

- Centralization: Bringing data together into one place is almost the first thing any vendor seeks to address when building a toolset. Even Microsoft did this with SCOM.
- Intelligence: Translating raw data into processed information (telling us if something is good or bad, for example) is one way a tool can add a great deal of value. Prescriptive advice, such as providing advice on what a particular event ID means and what to do about it, is also useful. This kind of built-in knowledge base is a major selling point for some toolsets.
- More data: Some tools either supplement or bypass the native data stores and collect more detailed data straight from the source. This might involve tapping into LDAP APIs, AD's internal APIs, and so forth.
- Task-specific: Tools that are specifically designed to address AD monitoring can often do so in a much more helpful way than a generic tool can. Replication topology maps, data flow dashboards, and so forth all help us focus on AD's specific issues.


Vendors in this Space
There are a lot of players in this space. A lot, a lot. Some of the major names include:

- Quest
- ManageEngine
- Microsoft
- Blackbird Management Group
- NetIQ
- IBM
- NetPro (which was purchased by Quest)

Most of these vendors offer tools that address native weaknesses in a variety of ways. Some utilize underlying native technologies (event logs, performance counters, and so forth) but gather, store, and present the data in different ways. Others bypass these native technologies entirely, instead plugging directly into AD's internals to gather a greater amount of information, different information, and so forth.

In addition, there are a number of smaller tools out there that have been produced by the broader IT community and smaller vendors. A search engine is a good way to identify these, especially if you have specific keywords (like "replication troubleshooting") that you can punch into that search engine.

Let's Start Troubleshooting
Now that you know how to keep an eye on what AD is doing, you're ready to dive into troubleshooting the directory when it isn't doing the right thing. In the next chapter, I'll introduce you to a structured directory troubleshooting approach developed by Directory Services MVP Award recipient Sean Deuby. We'll use Sean's approach as a guide toward tracking down problematic AD subsystems and solving problems. At the same time, I'll be explaining core troubleshooting techniques that will help make you a more efficient and effective troubleshooter.


Chapter 3: Active Directory Troubleshooting: Tools and Practices
For the most part, in most organizations, Active Directory (AD) just works. Over the past 10 years or so, Microsoft has improved both AD's performance and its stability, to the point where few organizations with a well-designed AD infrastructure experience day-to-day issues. That said, when things do go wrong, it can be pretty scary because a lot of us don't have day-to-day experience in troubleshooting AD. The goal of this chapter is to provide a structured approach to troubleshooting to help you put out those fires faster.

For this chapter, I'll be drawing a lot on the wisdom and experience of Sean Deuby, a fellow Microsoft Most Valuable Professional award recipient and a real AD troubleshooting guru. You might enjoy reading his infrequently updated blog at http://www.windowsitpro.com/blogs/ActiveDirectoryTroubleshootingTipsandTricks.aspx. Although he doesn't post a lot, what he does post is worth the trip.

NarrowingDowntheProblemDomain
HowdoyoufindawolfinSiberia?ItsaquestionIandothershaveusedtokickoffany discussionontroubleshooting.Siberiais,ofcourse,ahugeplace,andfindingaparticular anythingletaloneawolfistough.Theanswertotheriddleisamaximfor troubleshooting: Buildawolfprooffencedownthecenter,andthenlookononesideofthefence. Troubleshootingconsistsmainlyoftests,designedtoseeifaparticularrootcauseis responsibleforyourproblems.Theanswertotheriddleprovidesimportantguidance: Makesureyourtests(thatis,thewolfprooffence)candefinitivelyeliminateoneormore rootcauses(thatis,onewholehalfofSiberia).Dontbotherconductingteststhatcant eliminatearootcause.Forexample,ifausercantlogin,youmightfirstchecktheir physicalnetworkconnection.Doingsodefinitivelyeliminatesapotentialproblem (networkconnectivity)sothatyoucanmoveontootherpossiblerootcauses.Ofcourse, checkingconnectivityonlyeliminatesoneortwopossiblerootcauses;abetterfirsttest wouldeliminateawholehostofthem.Forexample,checkingtoseewhetheradifferent usercouldloginmighteliminatethevastmajorityofpotentialinfrastructureproblems, makingthatabetterwolfprooffence.


Sean's Seven Principles for Better Troubleshooting

Here's where I'll repeat excellent advice Sean Deuby once offered. Follow these seven principles (which I'll explain through the filter of my own experience) and you'll be a faster, better troubleshooter in any circumstance.

1. Be Logical. Pay attention to how you're attempting to solve the problem. Before you do anything, ask yourself, "What outcome do I expect from this? If I get that outcome, what does it mean? If I don't get the expected outcome, what does that mean?" Don't do anything unless you know why, and unless you can state what the follow-up step would be.
2. Remember Occam's Razor. Simply put, the simplest solution is often the correct one. Don't start rebooting domain controllers until you've checked that the user is trying the correct password.
3. What Changed? If everything was working fine an hour ago, what's different? This is where change auditing tools can come in handy. Although I don't specifically recommend it, I've used Quest's ChangeAuditor for Active Directory in the past because it keeps a very detailed, real-time log of changes, and it's been a big help in solving some tricky issues. Whatever changed recently is a very likely candidate for being the root cause of your current woes.
4. Don't Make Assumptions. It's easy to make assumptions, but sticking with an orderly elimination of possible causes will get you to the root cause of the problem more consistently. For example, don't assume that just because one user can log on that everything's okay with the infrastructure; the problem user might be hitting a different domain controller, for example.
5. Change One Thing at a Time, and Retest. You won't get anywhere with five people attacking the problem, each one changing things as they go. You also won't get anywhere if you're changing multiple things at once. If the boss is tearing his hair out to get things fixed, remind him that you have just as much capability to further break things if you're not methodical.
6. Trust, but Verify, Evidence. Sometimes an inaccurate problem description can get you going in the wrong direction, so verify everything (this goes back to not making assumptions, too). "I can't log in!" a user cries over the phone. "Log in to what?" you should ask, before diving into AD problems. Maybe the user is talking about their Gmail account.
7. Document Everything You Try. Especially for tough issues, documenting everything you try will help keep you from repeating steps, and will help you eliminate possible causes more easily. It's also crucial in the inevitable post-mortem, where you and your colleagues will discuss how to keep this from happening again, or how to solve it more quickly the next time.


A Flowchart for AD Troubleshooting

Sean has further helped by coming up with an AD troubleshooting flowchart, which I'll reprint in pieces throughout this chapter. You should check Sean's blog or Web site (which is shown at the bottom of the chart pages) for the latest revision of the flowchart. Sean's blog also offers a full-sized PDF version, which I keep right near my desk at all times. The flowchart starts with what is shown in Figure 3.1, which is the core starting point that gets you off to the different sections of the chart.

Figure 3.1: Starting point in AD troubleshooting.

Note: I strongly recommend that you head over to Sean's blog or Web site to download the PDF version of this flowchart for yourself. You may find a later version, which is great; it'll still start off in basically this same way.

Start in the upper left, with "Cable plugged into network?" and work down from there. The basics (the "wire" portion) should be things you can quickly eliminate, but don't eliminate them without actually testing them. You might, for example, attempt to ping a known-good IP address on the network (using an IP address prevents potential DNS issues from becoming involved at this point). If that doesn't work, you've got a hardware issue of some kind to solve.


Easy Stuff: Network Issues

A ping does, of course, start to encroach on the Network section of the flowchart. Stick with IP addresses to this point because we're not ready to involve DNS yet. If the ping isn't successful, and you've verified the network adapter, cabling, router, and other infrastructure hardware, you're ready to move on to Figure 3.2, which is the Network Issues portion of the flowchart.

Figure 3.2: Network issues.

The tools here are straightforward, so I won't dwell on them. You'll be using ping, Ipconfig, Netdiag, and other built-in tools. At worst, you might find yourself hauling out Wireshark or Network Monitor to actually check network packets. That's not truly AD troubleshooting, so it's out of scope for this book, but the flowchart should walk you through to a solution if this is your root cause.


Name Resolution Issues

If a ping to a different intranet subnet worked by IP address, it's time to start pinging by computer name to test name resolution. Watch the ping command's output to see if it resolves a server's name to the correct IP address. Ideally, use the name of a domain controller or two because we're testing AD problems. If ping doesn't resolve correctly, or can't resolve at all, you're ready to move into the name resolution issues.

The Client-DC Name Resolution Issues flowchart is designed for when you're troubleshooting connectivity from a client to a domain controller; if you're troubleshooting problems on a server, you'll skip this step and move on in the core flowchart (Figure 3.1). If you are on a client, the flowchart that Figure 3.3 shows will come into play.

Figure 3.3: Client-DC name resolution issues.

Again, the tools for troubleshooting name resolution should be familiar to you. Primarily, you'll rely on ping and Nslookup. Of these, Nslookup might be the one you use the least, but if you're going to be troubleshooting AD, it's worth your while to get comfortable with it. The flowchart offers the exact commands you need to use, provided you know the Fully Qualified Distinguished Name (FQDN) of your domain (for example, dc=Microsoft,dc=com for the Microsoft.com domain).


The other tool you'll find yourself using is Nltest, which permits you to test the client's ability to connect to a domain controller, among other things.

Resource: A complete description of Nltest can be found at http://support.microsoft.com/kb/158148.

Log Spelunking

Once name resolution is resolved, or if it isn't the problem, you have a bit of checking to do before you move on. Specifically, you're going to have to look in the System and Application event logs on the domain controllers in the client's local site (or whatever domain controller you're having a problem with, if it's just a specific one). If you find any errors, you'll have to resolve them, and they may be more specific to Windows than to AD. Don't ignore anything. In fact, that "don't ignore anything" is a huge reason I hate domain controllers that do anything other than run AD, and perhaps DNS and DHCP. I once had a domain controller that was having real issues talking to the network. There were a bunch of IIS-related errors in the log, but I ignored those; what does IIS have to do with networking or AD, after all? I shouldn't have made assumptions: It turned out that IIS was more or less jamming up the network pipe. Shutting it down solved the problem for AD.

Log Exploring: Having to dig through the event logs on more than one domain controller (heck, even doing it on one server) is time-consuming and frustrating. This is where some kind of log consolidation and analysis tool can help tremendously. Get all your logs into one place, and have software that can pre-filter the event entries to just those that need your attention. Software like Microsoft System Center Operations Manager can also help because one of its jobs is to scan event logs and call to your attention any events that require it.

If you don't see any errors specific to the domain controller or controllers, you move on. You're looking first for errors related to trusts, and if you find any, you'll need to resolve them. If you did find errors related to the domain controller or controllers, and you corrected them but that didn't solve the problem, you're moving on to AD service issues.

AD Service Issues

Figure 3.4 contains the AD service issue portion of the troubleshooting flowchart. Here, we've moved into the complex part of AD troubleshooting. First, of course, look in the event log for errors or warnings. Don't ignore something just because you don't understand it; you're going to have to amass knowledge about obscure AD events so that you know which ones can be safely ignored in a given situation.


This is where knowledge, more than pure data, comes in handy. Operations Manager, for example, can be extended with Management Packs that should be called "Knowledge Packs." When important events pop up in the log, OpsManager can not only alert you to them but also explain what they mean and what you can do to resolve them. NetPro made a product called Directory Troubleshooter that went even further, incorporating a complete knowledge base of what those events meant and how to deal with them. Sadly, the product was discontinued when the company was purchased by Quest, but Quest does offer a similar product: Spotlight on Active Directory. Again, its job is to call your attention to problematic events and provide guidance on how to resolve them.

Figure 3.4: AD service troubleshooting.

The remainder of the AD service troubleshooting flowchart helps you narrow down the potential specific AD service involved in the problem based on the error messages you find in the log. You might be looking at Kerberos, the AD database, Global Catalog (GC), Replication, or Group Policy. Along the way, you'll also troubleshoot site-related issues and the File Replication System (FRS). We'll pick up most of these major service issues in dedicated sections later in this chapter.


Client-Domain Controller Issues

Assuming you resolved any client name resolution issues earlier, if you're still having problems with the client communicating with the domain controller, you'll move to the Client-DC Troubleshooting chart, which Figure 3.5 shows.

Figure 3.5: Client-DC troubleshooting.

Here, you'll have to personally observe symptoms. For example, are you getting "Access Denied" errors on the client, or does logon seem unusually slow for the time of day? Are you logging on but not getting Group Policy Object (GPO) settings applied? You'll rely heavily on Nltest to verify client-domain controller connectivity and communications; you could wind up dealing with Kerberos issues, which we'll come to later in this chapter.


This is also the point where you're going to want a chart of your network so that you can confirm which domain controllers should be in which sites. You'll want that chart to also list each subnet that belongs to each site. You have to verify that reality matches the desired configuration, and don't skip any steps. It seems obvious to assume that a client was given a proper address by DHCP and is therefore in the same site; don't ever make that assumption. I once had a client that seemed to be working just fine but was in fact hanging on to an outdated IP address, making the client believe it was in a different site. The way our LAN was configured, the incorrect IP address was still able to function (we used a lot of VLAN stuff and IP addressing got incredibly confusing), but the client didn't see itself as being in the proper site so it wouldn't talk to the right domain controller.

Replication Issues

If the flowchart has gotten you to this point, we're dealing with the page Figure 3.6 shows.

Figure 3.6: Replication issues.


Troubleshooting AD replication is often perceived as the most difficult and mysterious thing you can do with AD. It's like magic: either the trick works or it doesn't, and you'll never know why either way. I see more people struggle with replication issues than with anything else, yet replication is the one thing that can come up most frequently, due in large part to its heavy reliance on proper configuration and the underlying network infrastructure.

Sean proposes four reasons, which I agree with, that make replication troubleshooting difficult for people. In my words, they are:

• They've not been trained in a formal troubleshooting methodology. More admins than you might believe tend to troubleshoot by rote, meaning they try the same things in the same order every time (which is good) without really understanding what they're testing (which is bad).
• They don't approach the problem logically. Think about what's happening. Does it make sense to test name resolution between two domain controllers when other communications between them seem unhindered?
• They don't understand how replication works. This, I think, is the biggest problem. If you don't understand what's happening under the hood, you have no means of isolating individual processes or components to test them. If you can't do that, you can't find the problem.
• They don't understand what the tools do. This is also a big problem because if you don't really know what's being tested, you don't know how to eliminate potential root causes from your list of suspects.

Ultimately, you can't just run tools in the order someone else has prescribed. Sean proposes four steps to help proceed; I prefer to limit the list to three:

1. Form a hypothesis. What do you think the problem is? A firewall rule? IP addressing problem? DNS problem? Apply whatever experience you have to just pick a problem that seems likely.
2. Predict what will happen. In other words, if you think external communications might be failing, you might predict that internal communications will be fine.
3. Test your prediction. Use a tool to see if you're right. If you are, you've narrowed the problem domain. If you're not, you form a new hypothesis.

If you remember science class from elementary school, you might recognize this as the scientific method, and it works as well for troubleshooting as it does for any science.

Replication troubleshooting cannot proceed unless you've already resolved networking, local-only issues, and other problems that precede this step in the core flowchart. Once you've done that, you'll find yourself quickly looking for OS-related issues in the event log, then move on to the Dcdiag tool; the flowchart provides a URL with a description of the tests to run.


You'll also have to exercise human review and analysis. Do your site links, for example, match your big network chart printout? In other words, are things configured as they should be? This is where a change auditing tool can save a ton of time. Rather than manually checking to make sure all your sites, site links, and other replication-related configurations are right, you could just check an audit log to determine whether anything's changed. In fact, some change auditing tools will alert you when key changes happen, like site link reconfigurations, so that you can jump on the problem before it becomes an issue in the environment.

AD Database Issues

Next, you'll move into troubleshooting the AD database, which is covered in the flowchart that Figure 3.7 shows.

Figure 3.7: AD database troubleshooting.


Here, you'll probably be taking a domain controller offline so that you can reboot into Directory Services Restore Mode (DSRM); make sure you know the DSRM password for whatever domain controller you're dealing with. You'll use NTDSUTIL to check the file integrity of the AD database itself because, at this point, we're starting to suspect corruption of some kind. If you find it, you'll be doing a database restore. If you don't have a backup, you're probably looking at demoting and re-promoting the domain controller, if not rebuilding the server entirely. Sorry.

Again, this is where third-party tools can help. You may have thought that the AD Recycle Bin feature of Windows Server 2008 R2 was a great feature, but it isn't designed to deal with a total database failure. Third-party recovery tools (which are available from numerous vendors) can get you out of a jam here. Make sure you're not using too old a backup; ideally, domain controller backups shouldn't be older than a few days. Older backups will require the domain controller to perform a lot more replication when it comes back online, and a very old backup can reintroduce tombstoned (deleted) objects to the domain, which would be a Bad Thing.

Group Policy Issues

If you've made it this far, AD's most complex components are working, and you're on to troubleshooting one of the easier elements. First, recognize that there are two broad classes of problem with Group Policy: no settings from a Group Policy object are being applied or the wrong settings are being applied. This chapter, as shown in the flowchart in Figure 3.8, is concerned only with the former. If you're getting settings but not the right ones, you need to dive into the GPOs, Resultant Set of Policy (RSoP), and other tools to discover where the wrong settings are being defined.


Figure 3.8: Group Policy troubleshooting.

Troubleshooting GPOs is pretty much about verifying their configuration. If a user isn't getting a specific GPO, the problem will be due to replication, inheritance, asynchronous processing (which means they're getting the GPO, just not as quickly as you expected), and so forth. Group Policy is complicated, and knowing all the little tricks and gotchas is key to solving problems. I recommend buying Jeremy Moskowitz's latest book on the subject; he's pretty much the industry expert on Group Policy and his books come with great explanations and flowcharts to help you troubleshoot these problems.

Unraveling what's changed is also the easiest way to fix GPO problems. Unfortunately, most tools that track AD configuration changes don't touch GPOs because GPOs aren't stored in AD itself. There are tools that can place GPOs under version control, and can help track the changes related to GPOs that do live in AD (such as where the GPOs are linked). Quest, NetWrix, Blackbird Group, and NetIQ all offer various solutions in these spaces.


Kerberos Issues

Finally, the last area we'll cover is Kerberos. Figure 3.9 shows the last page in the flowchart.

Figure 3.9: Kerberos issues.

Here, you'll need to install resource kit tools, preferably Kerbtray.exe, so that you can get a peek inside Kerberos. You'll also need a strong understanding of how Kerberos works. Here's a brief breakdown:

• When you log on, you get a Ticket Granting Ticket (TGT) from your authenticating domain controller. This enables you to get Kerberos tickets, which provide access to a specific server's resources. Each server you access will require you to have a ticket for that server. So each time you access a new server every day, you'll have to first contact a domain controller to get that ticket.
• Ticket validity is controlled by timestamps. Every machine in the domain needs to have roughly the same idea of what time it is, which is why Windows automatically synchronizes time within the domain. A skew of about 5 minutes is allowed by default.


• Tickets are a bit sensitive to UDP fragmentation, meaning you need to look at your network infrastructure and make sure it isn't hacking UDP packets into fragments. You can also force Kerberos to use TCP, which is designed to handle fragmentation.

There are a few other uncommon issues also covered by the flowchart.

Coming Up Next

With this troubleshooting guidance under your belt, it's time to move on to our next AD topic: security. I've seen an incredible amount of confusion and misinformation with regard to AD security over the past few years, so we're going to start by stepping back to basics and looking at AD's security architecture. We'll spell out AD's real role in securing your organization's resources, and look at reasons you might want to rethink your current security design. We'll even peek at DNS security. It's all coming up in Chapter 4.


Chapter 4: Active Directory Security

In the security world, "AAA" is usually the term used to describe the broad functionality of security: authentication, authorization, and auditing. For a Windows-centric network, Active Directory (AD) serves one of those roles: authentication. Internally, AD also has authorization and auditing functionality, which are used to secure and monitor objects listed within the directory itself. In this chapter, we'll talk about all of these functions, how AD implements them, and some of the pros and cons of AD's security model. We'll also look at reasons your own security design might be due for a review, and potentially a remodel.

This chapter will also discuss security capabilities usually acquired from third parties. I know, it would be nice to think that AD is completely self-contained and capable of doing everything we need from a security perspective. In a modern business world, however, that's rarely true, as we shall see.

Active Directory Security Architecture

As mentioned, AD has a role in each of the three main security functions. Let's take each one separately.

Authentication: Kerberos

Microsoft adopted an extended version of the industry-standard Kerberos protocol for use within AD. Compared with Microsoft's older authentication protocol, NTLM, Kerberos provides distinct benefits:

• Mutual authentication. Both sides of any security transaction are identified and authenticated to each other. With NTLM, the client was authenticated, but the client wasn't able to verify the server's identity.
• Distributed processing. Clients are responsible for maintaining 100% of the information needed to authenticate themselves to a server; servers maintain nothing. That behavior reduces server overhead, improving overall performance.
• Secure. Unlike NTLM, Kerberos doesn't transmit any portion of your password over the network at any time, not even in encrypted form. Thus, passwords remain a bit safer.

The name "Kerberos" comes from Greek mythology, and identifies the mythical three-headed dog that guarded the gates to the Underworld. The "three-headed" bit is the important one because the protocol entails three parties: the client, the server, and the Key Distribution Center (KDC).


In AD, Kerberos relies on the fact that the KDCs (a role played by domain controllers) have access to a hashed version of every user and computer password. The users and computers, of course, know their passwords, and the computers (which users log on to, of course) know the same password hashing algorithm as the domain controllers. This setup enables the hashed passwords to be used as a symmetric encryption key: If the KDC encrypts something with a user or computer password as the encryption key, that user or computer will be able to decrypt it using the same hashed password.

When a user logs on, their computer, on the user's behalf, contacts the KDC and sends an authentication packet. The KDC attempts to decrypt it using the user's hashed password, and if that is successful, the KDC can read the authentication packet. The KDC constructs a ticket-granting ticket (TGT), encrypting it first with its own encryption key (which the user doesn't know), then again with the user's key (which the user does know). The user's computer stores this TGT in a special area of memory that isn't swapped to disk at any time, so the TGT is never permanently stored. The TGT contains the user's security token, listing all of the security identifiers (SIDs) for the user and whatever groups they belong to.

When the user needs to access a server, their computer resends the TGT to a domain controller. The domain controller decrypts the TGT using its private key; keep in mind that there's no way the user could have tampered with the TGT and still have that decryption work because the user doesn't have access to the domain controller's private key. The KDC creates a copy of the TGT called a ticket, and encrypts it using the hashed password of whatever server the user is attempting to access. That's encrypted again using the user's key, and sent to the user. The user then transmits that ticket to the server they want to access, along with a request for whatever resource they need.

The server attempts to use its key to decrypt the ticket. If it's able to do so, then several things are known:

• The server is the one the user intended, because if it weren't, it wouldn't have the key needed to decrypt and read the ticket.
• The user's identity is known, because it's included in a ticket that only the server could read.
• The user's identity is trusted because the ticket was encrypted not by the user but by the KDC, and in a way that only the KDC and the server could read.

Figure 4.1 shows a functional diagram of how Kerberos works. Keep in mind that this isn't a Microsoft-specific protocol; Microsoft made some extensions to allow for Windows-specific needs (such as the need to include a security token in the tickets) but Windows Kerberos still works like the standard MIT-developed protocol.


Figure 4.1: Kerberos functional diagram.

The user's computer caches the ticket for 8 hours (by default), enabling it to continue accessing that server over the course of a workday.

Note: If a user's group memberships are changed during the day, that change won't be reflected until the user logs off (destroying their tickets and TGT) and logs back on (forcing the KDC to construct a new TGT).

Microsoft provides a utility called KerbTray.exe, shown in Figure 4.2, which provides a way to view locally cached tickets.


Figure 4.2: The KerbTray utility.

This utility also provides access to several key properties of a ticket, including whether it can be renewed, whether it can be forwarded by a server to another server in order to pass along a user's authentication, and so forth.

Kerberos' primary weakness is a dependence on time for the initial TGT-requesting authenticator. In order to prevent someone from capturing an authenticator on the network and then replaying it at a later time, Kerberos requires authenticators to be time-stamped, and will by default reject any authenticator more than a few minutes old. Domain computers synchronize their time with their authenticating domain controller (after authentication), and domain controllers synchronize with the domain's PDC Emulator role holder. Without this time sync, computers' clocks would tend to drift, taking them outside the few-minutes Kerberos window and making authentication impossible.
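The exchange described in this section and in Chapter 3's Kerberos breakdown (a TGT issued only after the timestamped authenticator decrypts, a per-server ticket that only that server's key opens, tickets cached per server, and the 5-minute skew window), as an added Python model that is not the book's or Microsoft's code. The principals, passwords and SIDs are constructed, and the cipher is a labelled stand-in for Kerberos' real encryption types.

```python
"""Toy model of the AD Kerberos exchange described above. Added example, not
Microsoft's code: the cipher is a stand-in (SHA-256 keystream + HMAC tag) so it
runs offline; real Kerberos uses AES/RC4 encryption types and ASN.1 messages."""
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 5 * 60           # seconds: default clock-skew tolerance (5 minutes)
TICKET_LIFETIME = 8 * 3600  # seconds: the 8-hour default ticket lifetime


def password_key(password: str) -> bytes:
    """The KDC stores a hash of each password; that hash is the symmetric key."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError when the key is wrong (tag mismatch)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    stream = _keystream(key, nonce, len(body))
    return json.loads(bytes(b ^ s for b, s in zip(body, stream)))


class KDC:
    """Domain-controller role: holds every user's and computer's password hash."""

    def __init__(self, passwords: dict, sids: dict, clock=time.time):
        self.keys = {name: password_key(pw) for name, pw in passwords.items()}
        self.sids = sids                # principal -> SIDs for its security token
        self.kdc_key = os.urandom(32)   # known only to the KDC
        self.clock = clock

    def logon(self, user: str, authenticator: bytes) -> bytes:
        """AS exchange: open the authenticator with the user's key, check its
        timestamp, return a TGT sealed for the KDC and then again for the user."""
        auth = unseal(self.keys[user], authenticator)   # wrong password fails here
        if abs(self.clock() - auth["timestamp"]) > MAX_SKEW:
            raise ValueError("authenticator outside the clock-skew window")
        token = {"user": user, "sids": self.sids[user],
                 "expires": self.clock() + TICKET_LIFETIME}
        return seal(self.keys[user], {"tgt": seal(self.kdc_key, token).hex()})

    def service_ticket(self, tgt: bytes, service: str) -> bytes:
        """TGS exchange: only the KDC key opens the TGT, so a tampered TGT fails;
        the ticket is sealed for the target server, then again for the user."""
        token = unseal(self.kdc_key, tgt)
        if self.clock() > token["expires"]:
            raise ValueError("TGT expired")
        ticket = seal(self.keys[service], token)
        return seal(self.keys[token["user"]], {"ticket": ticket.hex()})


class Client:
    """The user's workstation: keeps the TGT and cached tickets in memory only."""

    def __init__(self, user: str, password: str, kdc: KDC, clock=time.time):
        self.user, self.key, self.kdc, self.clock = user, password_key(password), kdc, clock
        self.tgt, self.tickets = None, {}

    def logon(self) -> None:
        authenticator = seal(self.key, {"timestamp": self.clock()})
        reply = unseal(self.key, self.kdc.logon(self.user, authenticator))
        self.tgt = bytes.fromhex(reply["tgt"])

    def ticket_for(self, service: str) -> bytes:
        """One ticket per server, fetched once and then cached (what KerbTray shows)."""
        if service not in self.tickets:
            reply = unseal(self.key, self.kdc.service_ticket(self.tgt, service))
            self.tickets[service] = bytes.fromhex(reply["ticket"])
        return self.tickets[service]


class Server:
    """A member server: its own password hash is the only key that opens its tickets."""

    def __init__(self, name: str, password: str, clock=time.time):
        self.name, self.key, self.clock = name, password_key(password), clock

    def accept(self, ticket: bytes):
        """Returns (user, SIDs) if the ticket was sealed for this server by the KDC."""
        token = unseal(self.key, ticket)          # a ticket for another server fails here
        if self.clock() > token["expires"]:
            raise ValueError("ticket expired")
        return token["user"], token["sids"]
```

Run it with a constructed directory of one user and one computer account (names ending in $), then try a wrong password, a client clock 10 minutes off, or a ticket presented to the wrong server; each is refused at exactly the step the text describes.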

Authorization: DACLs

As I've already mentioned, AD's main role is authentication. However, for information such as users and computers, along with configuration objects like sites and services inside the directory, AD also performs its own authorization and auditing.

Every AD object is secured with a discretionary access control list (DACL). DACLs follow the same basic structure as Windows NTFS file permissions. The DACL consists of a list of access control entries (ACEs). Each ACE grants or denies specific permission to a single security principal, which would be a user or a group. Figure 4.3 shows a pretty typical AD permissions dialog.


Figure 4.3: AD permissions dialog.

As with NTFS permissions, objects can have directly applied ACEs in their DACLs, and they can inherit ACEs from containing objects' DACLs. In most directory implementations, for example, user objects have few or no directly defined ACEs but instead inherit all of their ACEs from a containing organizational unit (OU).

ACEs actually consist of a permissions mask (which defines the permissions the ACE is granting or denying) and a SID. When displaying ACEs in a dialog box, Windows translates those SIDs to user and group names. Doing so requires a quick lookup in the directory, so in a busy network, it's sometimes possible to see the SIDs for a brief moment before they're replaced with the looked-up user or group names.

It's important to understand that, in AD, computers are the same kind of security principal as a user, meaning computers don't have any special permissions. For example, if a Routing and Remote Access Server (RRAS) machine is attempting to authenticate a dial-in user, the server might need to look at properties of the user's AD account to see whether the user has any dial-in time restrictions. Doing so requires that the server have permission to read certain attributes of the user's account, which is why the dialog in Figure 4.2 shows the "RAS and IAS Servers" user group as having permissions to the user's account; without that permission, the server would be unable to examine the user's account to determine whether the dial-in was to be allowed.
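The structure just described (ACEs as SID-plus-mask entries, inheritance from the containing OU, and SID-to-name translation for display) as an added Python model that is not Windows code. It also carries the access check through in Windows' canonical ACE order, and shows why "what can this principal access?" means running that check against every object's DACL. The domain SID, OU and users are constructed; the mask bits follow ADS_RIGHTS_ENUM.

```python
"""Model of AD object permissions as described above. Added example, not
Windows code: a DACL is an ordered list of ACEs (SID + access mask), objects
inherit ACEs from their containing OU, and names appear only after a SID lookup."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access-mask bits, following the ADS_RIGHTS_ENUM values used for AD objects.
CREATE_CHILD, DELETE_CHILD, READ_PROP, WRITE_PROP, WRITE_DAC = 0x1, 0x2, 0x10, 0x20, 0x40000
FULL_CONTROL = CREATE_CHILD | DELETE_CHILD | READ_PROP | WRITE_PROP | WRITE_DAC


@dataclass(frozen=True)
class ACE:
    sid: str
    mask: int
    allow: bool = True
    inheritable: bool = True   # "this object and all descendant objects"
    inherited: bool = False    # set on copies that flowed down from a container


@dataclass
class ADObject:
    dn: str
    dacl: List[ACE] = field(default_factory=list)   # explicitly applied ACEs only
    parent: Optional["ADObject"] = None

    def effective_dacl(self) -> List[ACE]:
        """Canonical order: explicit ACEs, then inherited ones (nearest container
        first); within each group deny ACEs come before allow ACEs."""
        entries = sorted(self.dacl, key=lambda a: a.allow)   # False (deny) sorts first
        node = self.parent
        while node is not None:
            flowed = [ACE(a.sid, a.mask, a.allow, a.inheritable, inherited=True)
                      for a in node.dacl if a.inheritable]
            entries += sorted(flowed, key=lambda a: a.allow)
            node = node.parent
        return entries


def access_check(obj: ADObject, token_sids: List[str], requested: int) -> bool:
    """Walk the effective DACL in order, as Windows does: a matching deny on any
    requested bit refuses access; matching allows accumulate until every bit is granted."""
    granted = 0
    for ace in obj.effective_dacl():
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & requested:
            return False
        if ace.allow:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False   # no ACE granted the remaining bits: implicit deny


def resources_for(objects: List[ADObject], token_sids: List[str], right: int) -> List[str]:
    """'What can this principal access?' has no index to consult: the only way to
    answer it is to run the check against every object's DACL."""
    return [o.dn for o in objects if access_check(o, token_sids, right)]


def describe(obj: ADObject, names: Dict[str, str]) -> List[str]:
    """What the permissions dialog shows once SIDs are looked up; a SID with no
    directory match stays raw, as all of them do for a moment on a busy network."""
    return [f"{'Allow' if a.allow else 'Deny'} {names.get(a.sid, a.sid)} 0x{a.mask:X}"
            + (" (inherited)" if a.inherited else "") for a in obj.effective_dacl()]


def build_sample():
    """Constructed slice of a domain: one OU carrying inheritable ACEs, two users in it."""
    domain = "S-1-5-21-1-2-3"                                       # constructed domain SID
    domain_admins, ras_servers = f"{domain}-512", f"{domain}-553"   # well-known RIDs
    contractors = f"{domain}-1201"
    names = {domain_admins: "Domain Admins", ras_servers: "RAS and IAS Servers",
             contractors: "Contractors"}
    sales = ADObject("OU=Sales,DC=corp,DC=example", [
        ACE(domain_admins, FULL_CONTROL),
        ACE(ras_servers, READ_PROP),                # lets RRAS read dial-in attributes
        ACE(contractors, WRITE_PROP, allow=False),
    ])
    jill = ADObject("CN=Jill,OU=Sales,DC=corp,DC=example", parent=sales)
    bob = ADObject("CN=Bob,OU=Sales,DC=corp,DC=example", parent=sales,
                   dacl=[ACE(contractors, WRITE_PROP)])   # a one-off explicit allow
    return [sales, jill, bob], names
```

Bob's explicit allow sits ahead of the inherited deny in canonical order, so Contractors can write his properties but not Jill's; that is exactly the kind of one-off ACE that makes DACLs hard to reason about later.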

Auditing: SACLs

Auditing is defined in Security Access Control Lists (SACLs), which simply define what actions, by which users, will result in a log entry being made in Windows' security log. We'll cover auditing in more detail in the next chapter.


Configuration

AD, like any Windows component, has its own configuration settings, many of which can affect security. For example, consider Figure 4.4, which shows the Group Policy Object (GPO) settings for Kerberos.

Figure 4.4: Kerberos settings in a GPO.

These settings definitely have a security impact: They control how long a Kerberos ticket is valid, how often it can be renewed, how much time slip is allowed for clock mis-sync, and so forth.

Part of the challenge with AD is that settings like these are scattered all over the place. Some are in the registry and can be modified with a GPO; others live within AD itself, and are accessed by various consoles and command-line tools. Keeping everything straight can be complex; in newer versions of Windows, Microsoft has added a Best Practices Analyzer (BPA), which helps review all of these settings and make recommendations about how to configure them for better security, reliability, performance, and so forth. Figure 4.5 shows an example.


Figure 4.5: A BPA report example.

The Best Practices used by this tool are developed by Microsoft, using their own experience with the product, as well as the experiences of major customers. The BPA is new for Windows Server 2008 R2, and the AD model covers a pretty large array of settings. Models are also available for DNS and Certificate Services.

Resource: A complete breakdown of what the BPA scans, and how it works, can be found at http://technet.microsoft.com/en-us/library/dd378893(WS.10).aspx.

Distributed vs. Centralized Permissions Management

AD plays such a central role in authentication that it's easy to forget that the directory really has no role whatsoever in enterprise-wide authorization or auditing. In other words, the directory knows who you are, but it has no clue what you're allowed to do.

This is both a strength and a benefit. With Windows' current architecture, each server maintains its own DACLs on the resources it contains, which might consist of databases, files, mailboxes, or whatever. There's no need to build the robust central permissions infrastructure that would be required if servers didn't maintain their own DACLs. Thus, the architecture is better performing and lower cost.


Unfortunately, Windows' distributed permissions management evolved when the operating system (OS) was primarily used by small workgroups, not by massive companies with millions of securables. The disadvantage of the distributed permissions management is that certain security questions, such as, "What resources does this user have access to?" are impractical to the point of impossibility. The only way to answer the question would be to manually scan every single DACL on every single server to see where that user, or a group he or she was a member of, appears. Doing that on demand just isn't feasible. And think about it: When a new user starts with a company, someone needs to know what permissions he or she needs. The answer is usually, "Oh, give him the same permissions as so-and-so, who does the same job." The problem is that there's no way to find out what permissions so-and-so has in the first place!

AD's user groups do allow for some degree of centralization if an organization's administrators are careful. In other words, if you assign permissions only to user groups (which is a practice Microsoft recommends), then you can centrally manage those groups' membership within AD. However, although this practice makes it easier to give a new user the same permissions as "that other guy," it's still impractical to get an inventory of what resources a given group has access to because you still have to scan all of the DACLs.

There's also no way of enforcing this practice, and many administrators have "put out a fire" by ignoring their organization's groups-only policy and applying an ACE for a single user to a DACL. Over time, these one-off quick fixes add up to an impossible-to-manage permissions system.

In fact, most Windows-based networks that aren't using some kind of third-party permissions management utility are, in all likelihood, managed very poorly from a permissions perspective. They try to do a good job as much as possible, but the way the distributed system works is simply stacked against them.

There are (as I'll discuss later in this chapter) third-party utilities that can provide that kind of inventory, but they do so by scanning every single DACL. They usually do so over several days initially, building a searchable database of permissions. Agents installed on servers can then watch for permissions changes and report those deltas to the database, keeping it up to date.

Do-It-Yourself Security Reporting and Changes

Security is one of those things that you're almost constantly looking at for one reason or another. I've already mentioned the BPA, which is a good way to get a basic look at your AD infrastructure's security, performance, and other configuration settings. Without spending any money on third-party tools, you can definitely do some decent reporting.


Permissions
Reportingonpermissionsis,frankly,hard,dueentirelytothewaytheyrestoredin Windows.Ifyouwanttobuildyourownpermissionsreportingtool,youregoingtohaveto scanthroughalotofservers.Evenansweringthequestion,WhatresourcescanJillaccess onthissingleserver?canbetimeconsumingbecauseyouhavetoscanthroughevery DACLontheserver.Evenifmostfilesandfoldersinheritsecurityfromatoplevelfolder, youcantassumethattobethecaseyouregoingtohavetocheckeveryfileandfolderto makesure. Forthatreason,Ithinkbuildingyourownpermissionsreportingtoolsissimply impractical.WhatevertoolsyoumayhaveatyourdisposalVBScript,Windows PowerShell,andsofortharegoingtobetooslowtoaccomplishthetaskinany reasonableamountoftime.Sorryitsnotyou,itsWindows.

Directory Objects
Reporting on directory objects (disabled users, old user accounts, locked-out users, and so forth) is easier to do yourself. The AD Users and Computers (ADUC) console provides a Custom Query option that makes this pretty straightforward. As Figure 4.6 shows, you can very easily create a query that shows all users that haven't logged on in, say, the last 90 days, a good starting point for a stale accounts report.

Figure 4.6: Building a custom AD query.

Windows PowerShell can also be used to generate custom reports of a sort. For example, Figure 4.7 shows a PowerShell command that's generating a list of user accounts that have never had their password set. Again, this is a good starting point for other security activities, such as possibly disabling or deleting those accounts.

Figure 4.7: Custom reports in PowerShell.
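The two reports just described (accounts with no logon in 90 days, and accounts whose password was never set) can be produced together with the ActiveDirectory module. The script below is an added example for this edition, not the command shown in Figure 4.7; the 90-day window and the CSV path are constructed sample values.

```powershell
# Added example, not the command from Figure 4.7: builds the stale-account
# reports in one pass with the ActiveDirectory module. The 90-day cutoff and the
# output path are constructed sample values.
Import-Module ActiveDirectory

function Get-StaleAccountReport {
    param([int]$InactiveDays = 90)

    # 1. Enabled users that have not logged on within the window.
    #    Search-ADAccount uses lastLogonTimestamp, which replicates between
    #    domain controllers but is only refreshed about every 14 days, so the
    #    cutoff is approximate (fine for a 90-day policy, wrong for "yesterday").
    $inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            [pscustomobject]@{ Reason = "No logon in $InactiveDays days"; Account = $_.SamAccountName; Detail = $_.LastLogonDate }
        }

    # 2. Users whose pwdLastSet is 0. That means either the password was never
    #    set or "user must change password at next logon" is ticked, so look at
    #    whenCreated before disabling or deleting anything.
    $noPassword = Get-ADUser -LDAPFilter '(&(objectCategory=person)(pwdLastSet=0))' -Properties whenCreated |
        ForEach-Object {
            [pscustomobject]@{ Reason = 'Password never set'; Account = $_.SamAccountName; Detail = $_.whenCreated }
        }

    # 3. Locked-out accounts round out the picture the ADUC custom query gives.
    $locked = Search-ADAccount -LockedOut -UsersOnly |
        ForEach-Object {
            [pscustomobject]@{ Reason = 'Locked out'; Account = $_.SamAccountName; Detail = $_.AccountLockoutTime }
        }

    # @() wrappers keep the concatenation working when a category is empty.
    @($inactive) + @($noPassword) + @($locked)
}

$report = Get-StaleAccountReport -InactiveDays 90
$report | Sort-Object Reason, Account | Format-Table -AutoSize
$report | Export-Csv -Path '.\stale-accounts.csv' -NoTypeInformation
```

The `pwdLastSet=0` caveat matters in practice: a freshly created account with "must change password at next logon" looks identical to one that never had a password, so the report is a list to review, not a list to delete.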

Should You Rethink Your Security Design?
Given the extreme complexity of dealing with permissions on your own, while following best practices, you might want to consider a redesign of your permissions. How you proceed depends a bit upon your goals.

For example, many companies are now moving, or trying to move, to role-based security. The idea is that you create a top-level set of roles, which correspond directly to job titles or job responsibilities within your organization. You drop people into those roles, and they pick up the necessary permissions.

In a very small, single-domain environment that has good discipline, you can accomplish this with AD's domain user groups. In larger, multi-domain environments, that becomes a lot harder. Groups are often still used as an under-the-hood means of implementing roles' permissions, but a role will usually be represented by multiple groups because roles span the entire organization, not just a single domain or forest. It's generally considered impossible, or at least impractical, to implement true role-based permissions in a complex AD environment using only AD's native tools; you generally have to go with a third-party role-based management system that overlays the native AD and Windows security.

Regardless, most companies tend to get really jittery when it comes to redesigning their permissions architecture, mainly because doing so without some kind of third-party tool (which can be expensive) is a daunting task. You have to inventory everything, and figure out what resources someone might need access to. It's tough. Third-party tools help because they can automate the process at a top level, taking much of the drudge work and guesswork out of it.

Third-Party Security Capabilities
It's a rare organization that doesn't have some kind of third-party AD tools to supplement its security management. The most common ones fall into the categories of reporting, permissions management, and auditing; we'll save auditing for the next chapter and just briefly focus on the first two.

Reporting
Third-party reporting tools are very common, and can provide a lot of value. Figure 4.8 illustrates one tool, Enterprise Security Reporter, which is designed to report on a number of security-related concerns within AD.

Figure 4.8: A look at the Enterprise Security Reporter.

Figure 4.9 shows another tool, Active Directory Reporter. This tool's focus is broader than security, but it does include a number of security-related reports, as you can see.

Figure 4.9: The Active Directory Reporter tool.

The idea here is that, rather than spending time (which is money) building your own reporting tools, the right third-party reporting package can give you better-looking and more robust reporting capabilities, making it easier to keep a handle on AD security.

Permissions Management
Third-party permissions management tools typically seek to implement automated role-based permissions for not only AD but also Windows file servers as well as other connected systems like Exchange, SQL Server, SharePoint, and so on. These systems provide a layer on top of the native permissions. They usually start by inventorying existing permissions into a central database. As you make changes to the database's permissions, those changes are pushed out to the relevant resources' native DACLs. Figure 4.10 shows one such tool, called ActiveRoles Server.

Figure 4.10: An example ActiveRoles Server window.

The idea with most of these tools is that you stop managing DACLs directly on resources. Instead, you manage them in the product, enabling it to offer role-based permissions. The product then automates the application of those permissions to the actual resources, giving you centralized control and reporting, making it possible to quickly answer questions like, "What resources does Bill have access to?"

DNS Security
The last thing I'll offer in this chapter is an overview of DNS Security, more commonly called Domain Name System Security Extensions or simply DNSSEC. DNS obviously plays a vital role in AD's operation, and securing DNS is crucial to maintaining AD's own security and reliability.

The original DNS protocol didn't include any security. Microsoft's implementation of DNS, particularly with the recommended AD-integrated DNS zones, applies a good deal of security by default. Dynamic DNS records are owned by their creators and can only be modified by them; other records can have security applied as well. The overall goal of DNSSEC is to prevent forged data from being inserted into the DNS zone database. If someone could do so, they could spoof internal servers and potentially gather sensitive information from unsuspecting users. Although the mutual authentication provided by the Kerberos protocol can help curtail that within a domain environment, Kerberos can't protect non-domain computers, and those could still be spoofed via DNS.

Essentially, DNSSEC works by digitally signing DNS records using digital certificates. Several DNS record types specifically support this activity, including RRSIG, DNSKEY, DS, NSEC, NSEC3, and NSEC3PARAM. When clients make a DNS query, the DNS reply includes not only the traditional A (or AAAA) records, but also RRSIG records that contain a digital signature. The client can then use the DNS server's public key (obtainable in a DNSKEY record) to verify the signature, therefore validating the A or AAAA records.

Relatively few organizations today use DNSSEC, but Windows does support it, and has to a degree since Windows Server 2003. Full support is in Windows Server 2008 R2 and Windows 7. Keep in mind that DNS clients must be DNSSEC-aware in order for the security features to be useful. Non-aware clients can still use a DNSSEC-enabled DNS server, but they will not be able to validate signatures and records.
Why don't more organizations use DNSSEC? Presently, it's not always well suited in a dynamic DNS environment. For example, creating a signed DNS zone requires you to export an active zone, sign it using a command-line utility (which adds the DNSSEC records to the zone), then load the newly signed zone as the active database in your DNS server. Dynamic updates are disabled, essentially taking away a key feature that AD relies upon. For that reason, DNSSEC is most often used in external DNS zones, which tend to remain fairly static. That's actually not a bad thing: In a domain environment, DNS is secured by AD and spoofing of domain members is essentially made impossible by Kerberos. In a non-domain environment, where you don't need dynamic DNS, DNSSEC is more practical and meets a need.

Be aware that DNSSEC support is still evolving: The world's DNS root zone doesn't yet support it, nor does the popular .COM top-level domain. Without that support, it's possible to spoof entries in those top-level zones. That support is coming, though. Interim security solutions are available in the meantime, and you can read about them at http://www.windowsitpro.com/article/dns2/DNS-Enhancements-in-Windows-Server-2008-R2/2.aspx. You can read more about Windows' current DNSSEC support at http://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx.
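The exchange described above (A records returned together with RRSIG signatures, and the zone's DNSKEY available for verification) can be observed from a client. The function below is an added example written for this edition, not anything from the book; it uses `Resolve-DnsName` from the DnsClient module, which shipped after the Windows Server 2008 R2 release the book covers (Windows 8 and Windows Server 2012 onward). The name `example.com` and the resolver address `192.0.2.53` are constructed sample values.

```powershell
# Added example, not from the book: query a name with the DNSSEC OK (DO) bit set
# and see whether RRSIG records come back alongside the A records, then fetch the
# zone's DNSKEY. Resolve-DnsName is in the DnsClient module (Windows 8 / Server
# 2012 and later). Name and resolver are constructed sample values.
function Test-DnssecSigned {
    param(
        [string]$Name   = 'example.com',
        [string]$Server = '192.0.2.53'   # constructed resolver address (TEST-NET-1)
    )
    # -DnssecOk sets the DO bit so a DNSSEC-capable resolver includes signatures.
    $answer = Resolve-DnsName -Name $Name -Type A -DnssecOk -Server $Server -ErrorAction Stop
    $a      = @($answer | Where-Object { $_.Type -eq 'A' })
    $rrsig  = @($answer | Where-Object { $_.Type -eq 'RRSIG' })
    # The public key the book mentions lives in the zone's DNSKEY RRset.
    $keys   = @(Resolve-DnsName -Name $Name -Type DNSKEY -DnssecOk -Server $Server -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'DNSKEY' })

    [pscustomobject]@{
        Name        = $Name
        ARecords    = $a.Count
        Rrsig       = $rrsig.Count
        DnsKeys     = $keys.Count
        # A signed zone answers with at least one RRSIG covering the A RRset; an
        # unsigned zone answers with none, so a validating client has nothing
        # to check and falls back to trusting the plain answer.
        LooksSigned = ($rrsig.Count -gt 0)
    }
}

Test-DnssecSigned | Format-List
```

Counting RRSIG and DNSKEY records tells you whether a zone is signed and whether the resolver you point at passes the signatures through; it does not itself validate the chain of trust, which is the resolver's job and the part the book notes the root and .COM did not yet support at the time of writing.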

Coming Up Next
Security is one thing: It's how you protect your resources. In the next chapter, we'll look at auditing, the last part of the AAA acronym, and a way to keep track of how people are interacting with the security that you've set up.

Chapter 5: Active Directory Auditing
The previous chapter was about Active Directory's (AD's) declarative security, that is, how you tell the directory who has permission to do what. We also had a look at how AD's security is designed and built, and how AD as an authentication mechanism interfaces with Windows' native authorization mechanisms. Those were the first two of the three As, and the third one, auditing or accounting, is the focus of this chapter.

Goals of Native Auditing
Auditing has a fairly simple goal: Keep track of everything everyone is doing. Within the context of AD, that means keeping track of all uses of privilege, such as changing group memberships or unlocking user accounts. It also means keeping track of account activity, such as successful logons and failed logons. Extending that scope to Windows, auditing includes keeping track of file and folder access as well as changes to file permissions.

Your goals for auditing might differ somewhat from the goals of the operating system's (OS's) auditing architecture. Keep in mind that the auditing system used in Windows, including AD, which essentially just copied the architecture of the file system, dates back to the early 1990s when Windows NT was being designed and written. At that time, Microsoft couldn't have predicted organizations with thousands of file servers, dozens or hundreds of domain controllers, and thousands of other servers running Exchange, SQL Server, SharePoint, and other business platforms. The fact is that Windows' native auditing architecture doesn't always scale well to especially large environments, or even to some midsize ones, a fact we'll explore later in this chapter. So although you might want to audit every single event in your environment, actually doing so may create performance challenges, management challenges, and even logistical challenges. For right now, let's just assume your goal is indeed to audit everything that happens in your environment, and see where the architecture takes us.

Native Auditing Architecture
In the previous chapter, you learned that permissions are applied to a Discretionary Access Control List (DACL). Each DACL consists of one or more Access Control Entries (ACEs), and each ACE grants or denies a specific set of permissions to a single security principal, that is, a user or a group. The DACL is the authorization part of the AAA model: AD authenticates you, and gives you a security token containing a unique Security Identifier (SID). That SID is compared with the ACEs in a DACL to determine your permissions on a given resource.

Auditing works in much the same way. A Security Auditing Control List (SACL) consists of one or more entries. Each entry designates a specific auditing action for activities conducted by a single user or group. The SACL is attached to a resource, like a file or directory object, and whenever the specified security principal engages in the specified activity with that resource, the action is logged. Typically, you have the ability to log success and/or failure actions. That is, you can choose to log an entry when someone successfully exercises their permissions or when they attempt to do so and are denied. Figure 5.1 shows a SACL configuration for AD. As you can see, this resource, the Domain Controllers organizational unit (OU), is configured to log several success actions performed by the special Everyone group. That is, whenever anyone successfully performs any of these actions, an audit entry will be generated.

Figure 5.1: SACL in AD.

Exactly what actions you can audit depends on what resource you're working with. For example, Figure 5.2 shows a file system SACL, and you can see that very different actions are available.

Figure 5.2: A file system SACL.

Here, you can choose to audit things like creating folders, reading attributes, deleting files, and so on. Each resource, then, can have its own SACL. In practice, most of us assign SACLs at a fairly high level in the hierarchy and let those settings propagate to lower-level objects through inheritance. That way, we only have to manage SACLs in a relatively small number of places. But we still have to configure at least one top-level SACL per server, per major system. That is, each server will need a top-level SACL on at least the root of each logical drive, we'll need a separate SACL on the root of AD, and so on.

Other products may or may not follow this pattern. Exchange Server, for example, uses a similar structure for its auditing; SQL Server does not, nor does SharePoint. We'll stick with AD and the core Windows OS for the discussion in this chapter.

Once an auditable action occurs, Windows generates an audit entry. These are stored in the Security event log, which Figure 5.3 shows. A problem with this log is that every auditing event goes into it. Although it's nice to have everything in one big, central pile, it can make it tough to pull out specific entries. Again, this reflects Microsoft's relatively limited original vision for the auditing system.
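The file system SACL shown in Figure 5.2 can be set from PowerShell as well as from the GUI. The script below is an added example for this edition, not code from the book: it adds one inheritable audit entry for Everyone covering deletes and permission changes (success and failure), writes it back, and then lists the audit rules in effect. The folder `D:\Shares\Finance` is a constructed sample path.

```powershell
# Added example, not from the book: put a SACL entry on a folder so that
# deletions and permission changes by anyone are audited, then read the SACL
# back. Writing a SACL needs SeSecurityPrivilege, so run this elevated. The
# folder path is a constructed sample; the events still need the audit policy
# turned on before anything is written to the Security log.
$Path = 'D:\Shares\Finance'

# -Audit makes Get-Acl return the SACL as well as the DACL.
$acl = Get-Acl -Path $Path -Audit

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',   # propagate to children
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'                        # log both outcomes
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: every audit rule now in effect on the folder, including inherited ones.
(Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

Auditing only the rights that matter (delete, change permissions, take ownership) rather than every read is what keeps the volume manageable; the inheritance flags mean the one entry at the top of the share covers everything beneath it, which is the "small number of places" approach the chapter recommends.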

Figure 5.3: The Security event log.

Each Windows server maintains its own individual Security event log, and that includes domain controllers. Although AD's SACLs can be configured on any domain controller, and will replicate to all of them, only the domain controller that actually handles a given action will create an audit entry for it. The result is a centrally configured auditing policy but a highly distributed auditing log.

Figure 5.4 shows what these audit entries look like. They're fairly technical, and often include raw SIDs and other under-the-hood information. This example shows a successful domain logon, processed using the native Kerberos protocol. The user name and domain have been blanked out for this example but would normally be populated when a real user logs on.

Figure 5.4: An example audit entry.

Microsoft has already begun to address the issue of one log holding so much information. In Windows Vista and Windows Server 2008, Microsoft introduced a parallel event log architecture that makes it easier for each product or technology to maintain its own log. This was always possible; the original Application, System, and Security logs have long been supplemented by logs for Directory Services, for example. But this new architecture is more robust in several ways. Figure 5.5 shows some of the old- and new-style logs.

Figure 5.5: New logs alongside the old logs.

Unlike DACLs, SACLs are not immediately utilized by the OS. SACLs simply designate what actions, by what security principals, should be audited; the auditing system itself must also be turned on in order for events to be written to the logs. Figure 5.6 shows where that is usually configured in a Group Policy object (GPO).

Most organizations will configure auditing at a high-level GPO, such as one applied to all domain controllers, or even to all servers in the domain. The GPO pictured is specifically setting the audit policy, which includes turning on auditing of logon events, account management activity, access to AD, and so forth. The audit policy, as well as resource SACLs, must both be configured in order to generate the desired auditing events.

Figure 5.6: Configuring auditing in a GPO.

This is where you have to use some caution. You don't want to turn on full-bore auditing without thinking about the consequences. A domain controller can generate thousands of logon events every minute during the busy morning logging-on rush, and generating all of those events requires computing power. If auditing all of those events is truly a requirement, then you're going to have to size your domain controllers accordingly to handle the load. The same goes for file servers: If a file server is expected to generate an event for every successful or failed file access attempt, it's going to need to have the computing power necessary to pull it off.

Generating that much log activity can also pound the actual event logs pretty hard. As Figure 5.7 shows, you'll want to pair your audit policy with a well-planned event log policy, setting event logs' sizes, rollover behavior, and other settings to accommodate the workload you plan for them to handle.

Figure 5.7: Configuring event log settings in a GPO.

The Security log, which is where auditing events are written, can be especially tricky. With the Application log, you might feel comfortable simply allowing it to overwrite itself when it gets full. For the Security log, you can't practically do that, or you do open up the door for auditing information to be lost. Instead, you'll have to configure an appropriate log size, and implement maintenance procedures to archive and clear the log on a regular basis, perhaps as often as every evening, depending upon the load you're putting on that log.

A common criticism of Windows' native event logs is their highly distributed nature. For example, an administrator could modify a group membership on one domain controller, connect to a second domain controller to use an account in that group, and connect to a third domain controller to reset the group membership. All three actions would be logged in three different Security event logs, making it difficult to correlate those independent events into a chain of activity.

Microsoft's initial solution to this problem, introduced in Windows Server 2008, is event log forwarding. Pictured in Figure 5.8, the idea is that individual servers can forward events to a central server, which collects all of the events in its own log.
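Both halves of the configuration the last few paragraphs describe, turning the audit policy on (the GPO settings in Figure 5.6) and sizing the Security log so the resulting volume is not overwritten (Figure 5.7), can be applied on a single server with the built-in `auditpol` and `wevtutil` tools. This is an added example for this edition, not code from the book; the subcategory names are the English ones `auditpol` reports, and the 1 GB log size is a constructed sample value. A GPO is still the right way to deploy this to many servers, but running it locally shows exactly which switches the GPO settings correspond to.

```powershell
# Added example, not from the book: enable the audit subcategories that SACL-based
# auditing depends on, then size the Security log and make it archive rather than
# overwrite. Run elevated. Subcategory names are the English-language ones that
# "auditpol /get /category:*" prints; the 1 GB size is a constructed sample value.

# What is in effect right now? Subcategories show "No Auditing" until enabled.
auditpol /get /category:*

# Subcategories behind the GPO settings in Figure 5.6: AD object access and
# changes, file system SACL hits, logons, and group membership management.
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"File System"               /success:enable /failure:enable
auditpol /set /subcategory:"Logon"                     /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Confirm one of them took effect.
auditpol /get /subcategory:"Directory Service Changes"

# Security log policy (Figure 5.7): 1 GB maximum (/ms is bytes), and instead of
# overwriting old events when full (/rt:false), keep them and archive the log
# automatically (/rt:true with /ab:true), which is the "archive and clear"
# procedure the book recommends done for you at rollover time.
wevtutil sl Security /ms:1073741824 /rt:true /ab:true

# Show the resulting log settings.
wevtutil gl Security
```

The archived copies land beside the live log in `%SystemRoot%\System32\winevt\Logs` and still need to be moved off the server and protected; auto-backup only prevents loss at rollover, it does not make the log tamper-evident.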

Figure 5.8: Event log forwarding.

As indicated, this feature can be configured with Group Policy, making it centrally controllable. The approach still has some significant drawbacks, however, which we'll discuss later in this chapter.

So that's how the native auditing system is built. Let's talk a bit more about how organizations want to use that system, and see where it might need enhancement.

Common Business Goals for Auditing
Unlike the 1990s when Windows NT was designed, most businesses today are subject to some kind of security policy. In many cases, that policy incorporates external requirements from industry rules or even legislation. Those requirements may include a need to audit every successful and failed action for pretty much everything in the environment, and that generates a lot of auditing traffic.

Another goal is for that auditing information to be tamper-proof, or at least tamper-evident. In other words, the people being audited, including administrators, shouldn't be able to remove their own audit activity from the audit log. Organizations also want to be able to search, filter, and report on those events. For example, an auditor might want to see every audit entry that corresponds to a reconfiguration of AD's audit policy, then match each of those events to an approved action. That lets an auditor see that the only changes made to the directory were those that had been formally documented and approved.

Organizations also need to use these audit events for troubleshooting purposes. When something goes wrong in the environment, answering the question "What changed?" is usually the quickest way to solve the problem, and the audit logs should be able to answer that question quickly and effectively. So how does the native auditing system hold up?

Weaknesses of Native Auditing
Unfortunately, the native auditing system does not always hold up well. I really don't regard this as a weakness on Microsoft's part; after all, their job isn't to anticipate every possible business need, but rather provide a platform on which other software can be deployed to meet specific, varying business needs. They've done that. The native auditing architecture is bare-bones, suitable for the smallest organizations that are less likely to be able to afford add-on software to meet specific business needs. The native system is also close to three decades old, and you can't always expect systems of that age to meet every possible modern requirement.

Goal one, being able to audit everything, is certainly possible within Windows, although you'll need to plan log capacity and server performance around that goal. The native event log architecture isn't as performance-transparent as it perhaps could be, and asking a server to audit tens of thousands of events an hour will create an impact on that server.

Goal two, a tamper-evident log, is where the system really falls apart. Unfortunately, it's just not feasible to take away administrators' ability to clear the event log. You can do it, by carefully tweaking privileges, creating dedicated log management user accounts, and so on, but it's complex, and many organizations find it impractical.

Even assuming you do so, meeting the next goal, centralized reporting, filtering, and alerting, isn't practical, either. Event log forwarding, even when used, doesn't occur in real time; there can be significant delays in events being forwarded. Even when you do rely on event forwarding, you're amassing a lot of log information into a single place, and relying on an extremely primitive event viewer for querying that log. Figure 5.9 shows the filtering capabilities of the native tool, and they're indeed primitive.

Figure 5.9: Native event log filtering.

As shown, you can filter for specific event types, and filter for specific text in the event description, as well as other criteria. But there's no way to correlate multiple related events in a chain of activity, and there's no reporting mechanism to speak of.

As for the final goal of using these events for troubleshooting, well, good luck. It's certainly possible, although it usually takes the form of, "see what's in the log, look up the event IDs to see what they mean, and figure out if that's relevant to the current problem." It's much harder to ask the native event viewer to give you, "all changes made to AD within the past 4 hours." Although there will be events related to those changes (provided your audit policy is capturing them), the event log isn't really designed to facilitate change management or change auditing. It isn't auditing the change, per se; it's auditing the fact that someone made a change.

As Figure 5.10 shows, Windows Server 2008 AD did start capturing before and after values in changes, making it a bit more usable for change auditing. However, the feature still isn't pervasive throughout all of AD, and finding the actual events in a massive log file can still be challenging.

Figure 5.10: Enhanced events in Windows Server 2008.

In most environments, a successful auditing program almost always involves third-party auditing supplements.
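The "all changes made to AD within the past 4 hours" question the Event Viewer cannot answer directly can be answered, for one domain controller, by filtering its Security log for the Windows Server 2008 directory-service change events and reading the structured fields (the before/after values of Figure 5.10) out of each event's XML. The function below is an added example for this edition, not code from the book; it assumes the "Directory Service Changes" audit subcategory is enabled and that the objects carry a SACL, and it reads the local machine's log by default.

```powershell
# Added example, not from the book: pull directory-service change events from
# the past N hours out of a domain controller's Security log and flatten the
# structured fields. 5136 = object modified, 5137 = object created,
# 5141 = object deleted. Assumes the "Directory Service Changes" subcategory is
# enabled and the SACL covers the objects in question.
function Get-RecentADChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 4
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 5136, 5137, 5141
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the XML instead of parsing the
            # rendered message, which is localised and free-form.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object    = $d['ObjectDN']
                Class     = $d['ObjectClass']
                Attribute = $d['AttributeLDAPDisplayName']
                Value     = $d['AttributeValue']
                # 5136 records an attribute change as two events: %%14674 is the
                # old value being removed, %%14675 the new value being added.
                Operation = $d['OperationType']
            }
        }
}

Get-RecentADChange -Hours 4 | Sort-Object Time | Format-Table -AutoSize
```

Because each domain controller only logs the changes it processed itself, the function has to be run (or pointed, via `-ComputerName`) against every domain controller to get the whole picture, which is the distributed-log problem the chapter describes; the pairing of a "value deleted" and "value added" event for one attribute is what gives you the before and after.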

Third-Party Auditing Capabilities
Third-party auditing tools take several approaches to supplementing Windows' native capabilities. First, these tools may do a better (and faster) job of collecting events from multiple servers' logs into a central location. Often, that central location is a SQL Server database, although other tools will always forward events in real time to an external logging mechanism, such as a syslog server, as Figure 5.11 illustrates.

Figure 5.11: Forwarding events to a syslog server.

The idea is mainly to get the events out of Windows as quickly as possible, and into some separate system that can be secured differently from the environment's event logs. Databases are popular choices because they can be secured and they naturally lend themselves to complex queries, and thus, to reporting capabilities. In fact, many third-party auditing tools collect events in SQL Server mainly to leverage SQL Server Reporting Services as a reporting mechanism.

Third-party tools may also tap directly into native Application Programming Interfaces (APIs) to collect audit information, in addition to, or instead of, using the native event logs. These APIs often offer more detailed information, including better before-and-after details. In some cases, using the APIs may offer a better-performing way of collecting the information, reducing server load.

Once the event data is centrally located, third-party tools can kick in with real-time alerts, reporting, event archiving, analysis and collation, and much more. The trick is in getting the events into a single spot that can be queried quickly and effectively.

Coming Up Next
In the next chapter, I'll start summarizing many of the techniques and concepts from this and the preceding chapters, and presenting them to you as best practices. We'll start with a look at when, and why, you might want to reconsider your directory's design, as scary a concept as that might be! We'll also look at best practices for disaster recovery and business continuity, security, replication, FSMO placement, DNS design, and more. We'll wrap with a consideration of virtualization because that's all the rage these days, and discuss how suitable AD is, or isn't, for living inside a virtual machine. I'll also throw in some practices for ongoing AD care and feeding, to keep your directory healthy and happy.

Chapter 6: Active Directory Best Practices
This chapter is a kind of miscellaneous best practices list. The trick with AD and best practices is that there's never any one right answer for every organization. You have to temper everything with what's right for your organization. So really, this chapter is intended to simply give you things to think about within your environment, and ideas that stem from what's worked well for other folks in situations that might be similar to your own.

Should You Rethink Your Forest and Domain Design?
First of all, step back and take a look at your domain and forest design. How perfect is it? AD design unfortunately has two conflicting goals: One is to support your Group Policy deployment, and the other is to support delegation of permissions. For the first goal, you might organize AD to really facilitate using a minimal number of effective Group Policy Objects (GPOs), especially if you need differing GPO settings for various company departments and divisions. The second goal focuses on who will manage AD objects: If you plan to delegate permissions to reset passwords, for example, then organizing your directory to group those delegated user objects will make the actual delegation easier to set up and maintain.

Keep in mind that Group Policy is the one thing you pretty much can't separate from the directory. From a security and delegation perspective, third-party tools can abstract your directory design. For example, many third-party identity and access management (IAM) tools enable you to delegate permission over objects that are distributed throughout the directory. You essentially use the tool to manage the delegation, and it deals with whatever ugly, under-the-hood permissions it needs to. In some cases, these tools don't actually modify the underlying directory permissions at all. Instead, they provide in-tool delegation, meaning they act as a kind of proxy manager, providing different user interfaces for delegated users to accomplish tasks like resetting passwords or modifying user accounts. That kind of abstraction can let your underlying directory structure conform to other needs, like those of your Group Policy deployment.

Restructuring a domain or forest can be just as complex, risky, and frustrating as migrating to AD was in the first place. The main reason to consider this kind of project is if your directory has grown, and been extended, organically over time. Corporate mergers and acquisitions are a common root cause of that kind of growth. You may also find that whoever originally designed the directory didn't have a good understanding of how to do so, or that the company's needs and operations have changed since the original design was put in place. In any event, rethinking the design can have a significant positive impact on operations, maintenance, disaster recovery, and even on performance and usability, so it's worth at least considering the project. Determine whether the business benefits would outweigh the potential risks, and consider ways to mitigate those risks. For example, many third parties produce migration/restructuring tools that can largely automate much of the process, provide zero-impact testing capabilities, and even roll back migration changes if they prove to be problematic. Those tools obviously have a cost, so you'll have to weigh that cost against the business benefits and see if it looks like a win.

AD Disaster Recovery
Disaster recovery and business continuity is always a concern, so let's look at general best practices for making sure that your directory can be recovered in the event of a failure. We're not going to look at the more commonly needed single-object recovery just yet; there's a section in this chapter for that coming up.

Single Domain Controller
Probably the most common failure scenario in AD is the failure of a single domain controller, often due to a hardware failure. What do you do when this happens? Well, if you've built your domain controllers properly, you won't need to do much. My assumption is that your domain controllers are doing very little apart from being domain controllers. They may be running DNS, and if they are it should be an AD-integrated DNS zone. If you don't use Microsoft's DNS, don't put your DNS servers on your domain controllers. That way, if a domain controller fails, you just rebuild it.

Keep in mind that, in AD, no domain controller is unique. They're all the same. If one fails, it's no big deal; the others just keep moving right along. Build a replacement machine (something that's trivial if you're using virtual machines), promote it to be a domain controller, and sit back and let replication take over. In other words, you don't bother backing up every single domain controller because they each act as backups for each other.

The only time this might not be a straightforward approach is when the failed domain controller is on the other side of a slow WAN link from any other domain controllers. Waiting for a large domain to replicate across the WAN can be time-consuming. If you don't mind waiting, it's still the best way to go. About the only other option is to keep a backup of those remote domain controllers, making sure it's never more than a few days old. That way you can restore from that backup, and let a much lesser amount of replication bring the domain controller back up to date. Tape backups are fine for this approach, and they're easy for people with minimal IT skills to operate, so in cases where you don't have a lot of local expertise helping you out, it's not a bad approach.

You'll often see smaller remote offices using an all-in-one server, a single machine acting as domain controller, DNS, DHCP, file server, print server, fax server, and who knows what else. Try to avoid that: In this day and age, that physical machine should be a virtualization host, with some of those roles split up between different machines. Either way, tape-based backup can start to become complex and large, and I recommend moving to a real-time, disk-based backup. That'll get the server back online quicker in the event of a failure, and it'll do a better job of capturing all the data that the server houses.

Entire Domain
It's pretty rare to lose an entire domain. As it's almost impossible to lose every single domain controller at the same time, losing the domain usually means some vast and tragic administrator error. The only resolution is, of course, to have a good and recent backup.

Again, this is where I firmly reject tape-based backup and recommend real-time disk-based backups instead (read my book, The Definitive Guide to Windows Application and Server Backup 2.0, from Realtime Publishers, for an exhaustive treatment of the subject). A real-time disk-based backup can get a domain controller up and running in minutes or hours, not days, and you'll lose no more than a few minutes' worth of activity from the domain. Disk-based backups can also (usually, depending on the vendor) be replicated off-site, making them suitable for true disaster recovery where you've lost an entire datacenter, or lost the use of it, due to some disaster such as flood, fire, meteor strikes, and the like.

Entire Forest
It is vanishingly rare to lose an entire AD forest. I was once told that there are something like less than a dozen documented, real-world (that is, non-lab-based) occurrences. Still, the threat of whole-forest loss is enough that Microsoft officially supports forest recovery, and a handful of third-party vendors make whole-forest recovery products.

If you feel that losing your entire AD forest is a threat you must be prepared to face, take my advice and buy a forest recovery product now (they're no good once the forest has actually failed; they have to grab the necessary backups first). Recovering a forest is no trivial task, and having a tool on hand will get you back up and running more quickly than the alternative, which is usually contacting Microsoft product support for assistance.

AD Restores and Recycle Bins
Let's turn briefly to the subject of single-object recovery within AD. Prior to Windows Server 2008 R2, Microsoft didn't have a good, supported solution for AD single-object recovery. Their approach was to take a domain controller offline, put it in Directory Services Recovery Mode, perform an authoritative restore of whatever directory object(s) you lost, then bring the domain controller back online and let it replicate its changes.

Let's be clear on what I mean by single-object recovery, too: Bringing an entire deleted object back, including all of its attributes. You cannot do this by simply untombstoning a deleted object because when AD deletes and tombstones an object, it removes the object's attributes.

In Windows Server 2008 R2, Microsoft introduced a feature called the Active Directory Recycle Bin, a name of which I am not a fan. This feature is only available when the entire forest is running at the Win2008 R2 functional level (meaning every domain must also be running at this level), and the feature must be specifically turned on, a one-time action that can't be undone. Figure 6.1 shows the PowerShell command needed to enable the feature.

Figure 6.1: Enabling the Recycle Bin feature.

When on, deleted objects are copied, attributes intact, into a Recycle Bin container within the directory. Only you won't actually see a Recycle Bin icon, and you can't drag objects out of the bin back into the main directory (that lack of actual Recycle Bin functionality is why I wish they hadn't called it that). As Figure 6.2 shows, you can use GUI tools to view the new Deleted Objects container and its contents.

Figure 6.2: Viewing the Deleted Objects container.

To actually restore an object requires the use of rather byzantine Windows PowerShell commands; there's no actual GUI component for working with recycled AD objects.

The Recycle Bin feature is also a bit unintuitive. For example, if you need to restore an OU and its contents, it's a two-step process: Restore the OU, then the objects that used to live in it. Some organizations will have concerns about that recycled information, including employees' personally identifiable information (PII), persisting in the directory past the object's deletion. Although a traditional backup would also persist that information, it doesn't do so live in the directory, and that makes a difference to some folks.

The Recycle Bin feature is also limited to object restoration; it can't restore a single attribute from an object that may have been improperly changed.

So this new Recycle Bin feature is, at best, a bare-bones way of getting single-object recovery for a very small organization that will not consider third-party tools. Me, I'm a fan of third-party tools. A single AD disaster recovery solution can give you a true, graphical recycle bin with drag-and-drop recovery and single-attribute recovery, and will scale all the way up to complete domain or forest recovery if necessary. Everything but a domain/forest restore can be done without taking a domain controller offline, helping everything stay productive, and in most cases, these tools integrate into the familiar Active Directory Users and Computers console, making them even easier and more accessible.
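The "byzantine" commands referred to above, enabling the feature (Figure 6.1) and then doing the two-step restore of an OU and its former contents, look like this with the ActiveDirectory module. The script is an added example for this edition, not the command in the figure or anything else from the book. The forest name `corp.example.com` and the OU name `Sales` are constructed sample values; the script assumes one deleted OU of that name, Enterprise Admin rights, and the Windows Server 2008 R2 forest functional level.

```powershell
# Added example, not from the book: enable the AD Recycle Bin, then perform the
# two-step restore of a deleted OU and the objects that lived in it. Forest and
# OU names are constructed samples; enabling the feature is a one-time,
# irreversible, forest-wide action.
Import-Module ActiveDirectory

# Step 0 (once per forest): turn the feature on. Corresponds to Figure 6.1.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example.com' -Confirm:$false

$domainDn  = (Get-ADDomain).DistinguishedName
$deletedCn = "CN=Deleted Objects,$domainDn"

# Deleted objects are hidden from ordinary searches; -IncludeDeletedObjects is
# required. msDS-LastKnownRDN holds the name the OU had before it was deleted
# (the deleted object's own name is mangled to "Sales\0ADEL:<guid>").
$deletedOu = Get-ADObject -SearchBase $deletedCn -IncludeDeletedObjects `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=Sales))' `
    -Properties lastKnownParent, msDS-LastKnownRDN
if (-not $deletedOu) {
    throw 'Deleted OU not found; objects older than msDS-DeletedObjectLifetime are no longer recoverable.'
}
$deletedOuDn = $deletedOu.DistinguishedName   # the mangled DN inside Deleted Objects

# Step 1: restore the container itself. Children cannot be restored until their
# former parent exists again.
Restore-ADObject -Identity $deletedOu.ObjectGUID
$restoredOuDn = (Get-ADObject -Identity $deletedOu.ObjectGUID).DistinguishedName

# Step 2: restore every deleted object whose last known parent was that OU.
# lastKnownParent is compared against both the original DN and the mangled DN,
# since which form is recorded depends on the order in which things were deleted.
Get-ADObject -SearchBase $deletedCn -IncludeDeletedObjects -LDAPFilter '(isDeleted=TRUE)' -Properties lastKnownParent |
    Where-Object { @($restoredOuDn, $deletedOuDn) -contains $_.lastKnownParent } |
    Restore-ADObject

# Show what came back.
Get-ADObject -SearchBase $restoredOuDn -Filter * | Select-Object Name, ObjectClass
```

Note what the script cannot do, matching the limitations the chapter lists: it brings whole objects back, attributes intact, but it has no way to put back a single attribute that was changed rather than deleted, and nothing at all comes back once the deleted-object lifetime has passed.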


You could argue that Microsoft should build that kind of functionality into the base product. Maybe so, maybe no: Every third-party recovery tool I've looked at works slightly differently, and those differences reflect different customer needs. Microsoft would only be able to squeeze us all into the same functionality; as the situation stands, we can select from whatever solution fits our particular needs the best. Microsoft, as I've suggested in earlier chapters, needs to deliver a good platform; I don't necessarily think they should deliver every possible permutation of a management tool that an organization might need.

This Isn't Retail
I've made this argument about third-party tools before. Too often, I see a packaged-retail mentality around computer software. You go and buy Microsoft Office, you don't expect to have to buy add-ons to make it work. Okay, I get that Office is an end-user product. Most end-user products come complete: Cars come complete. Even kids' games sometimes ship with batteries included.

Windows, as a server operating system (OS), isn't a packaged-retail end-user product. It's more like a house: The builder is giving you a platform, and you expect to spend money above and beyond that structure. The structure should come with good plumbing, but you attach your own faucets. The floors should be flat and solid, but you're putting your own furniture on them.

Yes, some builders will throw in minimal versions of these add-ons: kitchen appliances, bathroom fixtures, and so forth. But these are almost always the bare-minimum versions. They're rarely the high-end, custom stuff you know you want.

Sure, you can buy a house that comes with all the custom high-end stuff, but that's like working with a Microsoft VAR. In addition to the home builder (Microsoft), you've also got a designer (the VAR) buying your curtains, furniture, and so forth, and giving you the resulting product for a single package price. You can do that with Windows: Get the base platform and all the third-party tools needed to make it awesome, all from one vendor, and all for one price. That vendor just isn't Microsoft, because they're in the business of making the basic structure, not customizing it to fit every possible business need.

When it comes to Windows as a server OS, you have to include certain third-party tools as part of the cost of doing business. The cost for the Windows license is just the beginning: If you have auditing needs, or disaster recovery needs, those are going to cost extra. If you're in the type of company that doesn't like to spend money on extras any time, ever, then you shouldn't expect to be able to meet all of the business needs all of the time, either.


Security
I don't actually have a lot to say on the topic of security best practices. I think Microsoft's Best Practices Analyzer (BPA, which will be discussed in the final section of this chapter) does a good job of covering the high-level security settings in AD; anything else really comes down to your specific business and operational needs. Do you delegate permissions within the directory or rely on a more monolithic permissions structure where Domain Admins do all of the work? Neither approach is wrong; it simply depends on how your organization is structured for that kind of administration.

Replication Topology
Definitely take the time, now and then, to review your AD replication topology. Using your site architecture, draw out a picture of the replication topology, like the one in Figure 6.3.

Figure 6.3: Mapping your replication topology.

What's even better are some of the third-party (including some free ones out there) tools that can analyze your directory and draw this type of picture for you, as Figure 6.4 shows. The differences between your actual topology, and the one you think you have, can be enlightening.


Figure 6.4: Tool-generated actual replication topology.

The goal should be to simply ensure that no domain controller is too many steps away from every other domain controller so that replication can quickly get changes out to every domain controller in a minimum number of hops. At the same time, you want to ensure that the physical WAN links can handle the replication traffic you're putting on them. That's especially true when you have a lot of manually configured site link bridges, which deliberately double up the traffic on your WAN links in an effort to reduce replication hops between distant sites.

It's really important not to rely solely on a hand-drawn diagram of your replication topology because AD won't always make the exact same calculations as you about which domain controllers should be bridgeheads, and it's easy to overlook things like site link costs that might be making AD calculate unexpected and unwanted topologies. Get your hands on some kind of tool that can draw a topology based on what AD is actually doing, and compare that with your hand-drawn expectation diagram.
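If you have no drawing tool at hand, the raw material for that comparison (the KCC's connection objects, which reveal the bridgeheads, and the site links with their costs) can be dumped from the configuration partition. This is an added example using the ActiveDirectory module, not a tool from the book; the text output is meant to be fed to whatever diagramming tool you prefer:

```powershell
# Added example, not from the book: print the replication topology AD is actually
# using (the KCC's connection objects, with inter-site ones marking the bridgeheads)
# and the site links with their costs, so you can compare it with your hand-drawn
# diagram. Names are parsed from DNs with a plain split, so a site or server name
# containing an escaped comma would need proper DN parsing instead.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"
function Get-Rdn([string]$dn, [int]$index) { (($dn -split ',')[$index] -replace '^CN=') }

"== Site links =="
Get-ADObject -SearchBase $sitesDN -Filter {objectClass -eq "siteLink"} -Properties cost, replInterval, siteList |
    ForEach-Object {
        $members = ($_.siteList | ForEach-Object { Get-Rdn $_ 0 }) -join ', '
        "{0,-24} cost={1,-4} interval={2,4} min  sites: {3}" -f $_.Name, $_.cost, $_.replInterval, $members
    }

"== Connection objects (destination <- source) =="
# A connection lives under the destination DC's NTDS Settings object:
#   CN=<conn>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
# and fromServer names the source DC's NTDS Settings object.
Get-ADObject -SearchBase $sitesDN -Filter {objectClass -eq "nTDSConnection"} -Properties fromServer, options |
    ForEach-Object {
        $dstServer = Get-Rdn $_.DistinguishedName 2
        $dstSite   = Get-Rdn $_.DistinguishedName 4
        $srcServer = Get-Rdn $_.fromServer 1
        $srcSite   = Get-Rdn $_.fromServer 3
        # Bit 0 of options (NTDSCONN_OPT_IS_GENERATED) means the KCC created it
        $origin = if ($_.options -band 1) { 'KCC' } else { 'manual' }
        $kind   = if ($srcSite -eq $dstSite) { 'intrasite' } else { 'INTERSITE: both ends are bridgeheads' }
        "{0}\{1} <- {2}\{3}  [{4}, {5}]" -f $dstSite, $dstServer, $srcSite, $srcServer, $origin, $kind
    }
```

Connections marked "manual" are ones someone created by hand; the KCC will not remove them, so they are a common reason the real topology differs from the expected one.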


FSMO Placement
Recommendations on FSMO placement have changed over the years; http://support.microsoft.com/kb/223346 offers the latest guidance. In general, it's considered safe to stack all of the FSMO roles onto a single domain controller, provided it is located at a hub site (that is, has good physical WAN or LAN connectivity to most other sites). The only exception is for environments that don't have a Global Catalog (GC) hosted on every domain controller; in those cases, move the infrastructure master to a domain controller that doesn't host the GC.

Some FSMO roles are forest-wide: The schema master and domain naming master should co-locate with the PDC emulator of the forest root domain. Again, that domain controller should be well connected to the other domain controllers in the forest, ideally located at a hub site that has good WAN connectivity to most other sites.
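The two placement rules above can be checked mechanically. The following is an added example (not from the book) that lists the role holders with the ActiveDirectory module and flags an infrastructure master that sits on a GC in a domain where not every DC is a GC, plus forest-wide roles that are not on the forest root PDC emulator:

```powershell
# Added example, not from the book: list the FSMO role holders for the forest and every
# domain, then apply the placement rules this section gives: the Infrastructure Master
# should not sit on a GC unless every DC in its domain is a GC, and the forest-wide roles
# should share a DC with the forest root PDC emulator.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest = Get-ADForest
    "Forest $($forest.Name): Schema Master = $($forest.SchemaMaster); Domain Naming Master = $($forest.DomainNamingMaster)"

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        "Domain $domainName : PDC = $($domain.PDCEmulator); RID = $($domain.RIDMaster); Infrastructure = $($domain.InfrastructureMaster)"

        $dcs   = @(Get-ADDomainController -Filter * -Server $domainName)
        $nonGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $infra = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        if ($infra -and $infra.IsGlobalCatalog -and $nonGC.Count -gt 0) {
            "  WARNING: Infrastructure Master $($domain.InfrastructureMaster) is a GC while $($nonGC.Count) DC(s) are not; move the role to a non-GC DC (for example $($nonGC[0].HostName))."
        }
        if ($domainName -eq $forest.RootDomain) {
            foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
                if ($forest.$role -ne $domain.PDCEmulator) {
                    "  NOTE: $role ($($forest.$role)) is not on the forest root PDC emulator ($($domain.PDCEmulator))."
                }
            }
        }
    }
}
Test-FsmoPlacement
```

Moving a role is a separate, deliberate step (Move-ADDirectoryServerOperationMasterRole in the same module); the check only reports.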

Virtualization
Can you virtualize your AD infrastructure? Of course you can. Should you? In a word, yes. You should. The long-term benefits of virtualization have been proved by scientists: easier workload management, easier disaster recovery, easier scalability, lower power requirements, lower cooling requirements, less data center space, and the list goes on and on.

Frankly, there's no reason not to. AD works and plays quite well in a virtual environment. In fact, with modern memory overcommit, you can really leverage AD's unique usage patterns. AD gets busy and needs a lot of memory in the mornings when everyone is logging on. So co-locate your AD virtual machines with virtual machines that run other tasks, such as line-of-business applications. As logon traffic settles, people grab the bagel, and get to work, AD virtual machines will need less physical memory, and that can then be devoted to the line-of-business virtual machines. Just scatter your AD virtual machines across several virtualization hosts and you're golden.

And consider installing AD on Server Core, not the full install of Windows. Server Core has a vastly smaller footprint, meaning more of the virtual machine's resources can go to AD. Server Core requires less maintenance (it has a lot fewer patches over time than the full install), so you'll spend less time maintaining your virtual machines. Server Core's disk footprint is smaller, making it easier to move from host to host. And Server Core can still run all of your management tools, agents, anti-malware, and other stuff (popular myths to the contrary). If you're accustomed to running DNS, DHCP, WINS, and other infrastructure functions on your domain controllers, well, Server Core runs those too. And those roles are completely manageable via the same GUI consoles you use today: Active Directory Users and Computers, DNS Management, and so on. You'll find yourself logging onto the console very rarely, if at all (even Server Manager supports remote connectivity in Win2008R2).


Ongoing Maintenance
Aside from object-level maintenance (you know, cleaning up disabled users, stale computer accounts, and so forth), what kind of ongoing maintenance should you be performing in AD? Backups are obviously important. As I've mentioned already, my preference is for continual backups made by a disk-to-disk recovery system rather than tape, but if tape's what you've got, then at least use that.

Disk-Disk-Tape
By the way, just because I advocate disk-to-disk backups doesn't mean I don't see the value of tape, especially for getting a copy of your backups safely off site. Most disk-to-disk systems provide support for making a second tape-based backup for just that purpose. And because you're essentially backing up the backup, you can enjoy longer backup windows without affecting the production environment.

Check the logs and make sure that both AD and the File Replication Service (FRS) aren't generating anything alarming. With a continual monitoring solution (like System Center Operations Manager or something similar), you can simply let the solution keep track and alert you if there's a problem.

Also keep an eye on disk space on whatever volume contains the AD databases. Again, a monitoring solution can be used to alert you when disk space gets low, so this doesn't have to be a manual task. You should also have a plan in place to regularly defragment that logical disk; third-party defrag utilities can do so continuously or on a routine maintenance schedule, or you can use the native defrag tool on a regular basis. Once a quarter works for many of my consulting clients.

Periodically review the log to look for replication problems, just being proactive, here. A monitoring solution can do this routinely and alert you to any problems, but it's always good to just run some of the replication monitoring tools (discussed in previous chapters) to make sure everything is working smoothly.

Finally, take time each month or so to run the BPA model for AD (on Win2008R2 and later). You can do this in PowerShell or via Server Manager (Figure 6.5 shows where to find it in Server Manager). The BPA is a collection of Microsoft guidelines for properly configuring AD and other server roles; running the model on a regular basis helps ensure that you keep AD properly configured over the long term for better security, performance, reliability, and so forth.
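For shops without a monitoring product, the log check, the disk-space check, and the monthly BPA run above can be rolled into one script to run on a Windows Server 2008 R2 domain controller. This is an added example, not from the book; the 20% free-space threshold and the 30-day window are assumptions:

```powershell
# Added example, not from the book: a monthly maintenance check for a Windows
# Server 2008 R2 domain controller, covering the items in this section: run the AD DS
# Best Practices Analyzer model, check free space on the volume holding the AD
# database, and look for errors from the Directory Service and FRS logs. Thresholds
# are assumptions.
Import-Module BestPractices
Import-Module ActiveDirectory

# 1. BPA: the model id is passed positionally because the parameter was renamed
#    between 2008 R2 (-BestPracticesModelId) and 2012 (-ModelId)
$modelId = 'Microsoft/Windows/DirectoryServices'
Invoke-BpaModel $modelId | Out-Null
$findings = @(Get-BpaResult $modelId | Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded })
"BPA: $($findings.Count) warning/error finding(s)"
$findings | Select-Object Severity, Category, Title, Resolution | Format-List

# 2. Free space on the volume that holds ntds.dit (path comes from the NTDS registry key)
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = $ntdsParams.'DSA Database file'
$drive   = Split-Path $dbPath -Qualifier            # e.g. "C:"
$disk    = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
$freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
"AD database $dbPath : $freePct% free on $drive"
if ($freePct -lt 20) { Write-Warning "Less than 20% free on the AD database volume $drive" }

# 3. Errors and warnings from AD and file replication over the last 30 days
$since = (Get-Date).AddDays(-30)
foreach ($log in 'Directory Service', 'File Replication Service', 'DFS Replication') {
    try {
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1,2,3; StartTime = $since } -ErrorAction Stop)
        "$log : $($events.Count) critical/error/warning event(s) since $($since.ToShortDateString())"
        $events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 5 Count, Name
    } catch {
        # Get-WinEvent throws when nothing matches, which here is the good outcome
        "$log : no matching events (or log not present on this server)"
    }
}
```

Get-BpaResult only returns the most recent scan, so run Invoke-BpaModel first, as above; excluded results are the ones you have consciously dismissed and need not be re-read every month.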


Figure 6.5: The BPA in Server Manager.

Most maintenance in AD is that business-level, object-focused kind of maintenance: stale computer accounts and so forth. AD is largely self-maintaining otherwise, meaning you just need to glance at it occasionally to make sure everything's working smoothly.

Coming Up Next
In the next chapter, I want to take a sort of intermission and discuss Active Directory Lightweight Directory Services, or AD LDS. Formerly known as Active Directory Application Mode, or ADAM, this trimmed-down version of AD has very specific uses within an organization and can help solve very specific problems. We'll talk about what it is, when to use it, when not to use it, and cover some of its unique troubleshooting and auditing concerns.


Chapter 7: Active Directory Lightweight Directory Services
In the Windows Server 2003 timeframe, Microsoft introduced Active Directory Application Mode, charmingly referred to as ADAM. These days, ADAM has grown up and changed his name to AD LDS (or ADLDS, if you prefer): Active Directory Lightweight Directory Services, which is distinct from the AD directory service that we're usually referring to when we just say "Active Directory." In this short chapter, we'll explore what AD LDS is all about, when you should (and shouldn't) use it, and how to perform basic troubleshooting and auditing with it.

What Is AD LDS?
Generally speaking, AD LDS is the same as regular AD in every way, except AD LDS doesn't perform authentication for your entire network. AD LDS is positioned as a mode of AD that provides directory services specifically for applications. Microsoft created AD LDS in part to address the reticence people have around extending the schema of their regular directory. Schema extensions are, after all, permanent, and nobody likes to make that kind of permanent extension to the main directory. What if you stop using the application after a few years? Its extensions hang around forever. So AD LDS gives applications a separate directory in which to store their stuff.

AD LDS uses the exact same programming APIs as AD DS (Active Directory Domain Services, or the "normal" AD), so programmers don't have to take any special steps. AD LDS can operate entirely independently or it can operate with replication. Because it isn't part of your main domain, AD LDS also gives you a way of more easily and safely delegating control over applications' directory use. Someone can be in charge of an AD LDS install and have zero control over the main directory.

AD LDS does not, however, have any of the infrastructure components of AD DS. It isn't a directory service for the Windows operating system (OS), so clients can't authenticate to it. AD LDS can use your normal domain for authentication, which I'll discuss in a second. Thus, AD LDS can be a part of your domain in much the same way that any application could be. AD LDS doesn't have Flexible Single Master Operations (FSMO) roles or many of the other infrastructure elements we associate with the full AD DS. In addition, Microsoft Exchange can't utilize AD LDS because AD LDS doesn't support the Message Application Programming Interface (MAPI) or support authentication.


AD LDS can be run on a wider array of operating systems; the original ADAM, for example, ran fine on Windows XP. You can even run multiple instances of AD LDS on a single machine. An AD LDS instance isn't called a "domain controller" because the instance doesn't provide true domain controller functionality; instead, it is referred to as a "data store" or simply "AD LDS instance."

Partitions
AD LDS consists of a configuration and schema partition, much like AD DS. It also includes one or more application partitions, which is where applications store their data. Data, as in AD DS, is stored as objects, and the schema defines which object classes are available and what attributes those classes can use. Just as in AD DS, the configuration partition contains the internal configuration settings that make the system work.

When you install AD LDS, you have the option to create a unique instance or a replica of an existing instance, as Figure 7.1 shows. Replicas are how you provide scalability for AD LDS in instances where a single server can't keep up with the application's demands. You can replicate the configuration and schema partitions of AD LDS, and select specific application partitions to replicate.

Figure 7.1: Creating a unique or replica AD LDS instance.


Synchronizing With AD DS
To synchronize AD LDS with a normal AD DS domain, you first have to export your directory's schema and load it into AD LDS. That way, AD LDS can see all of your normal domain's objects. AD LDS installs an AD Schema Analyzer tool, and you can use its Load Target Schema option (see Figure 7.2) to load the schema from an existing domain controller.

Figure 7.2: Loading the schema from a domain controller.

Resource
There are several other steps you'll need to take in order to make synchronization work; see the tutorial at http://www.thegeekispeak.com/archives/64 for a complete walkthrough.

Replication
AD LDS instances can replicate with each other. Just as in AD DS, replication in AD LDS provides both fault tolerance and load balancing for the services provided by AD LDS. Before configuring replication, it's important to configure the AD LDS service to run under a user account. In addition, ensure that the computers hosting AD LDS are in the same (or trusted) domains. Each instance's service should be running under the same user account, not the built-in Network Service account.


AD LDS replicates data based on a configuration set. All AD LDS instances joined to the same configuration set will replicate a common configuration partition, a common schema partition, and whatever application partitions are configured in the configuration set. You can very roughly think of a configuration set as a "domain" from AD DS, meaning that all the AD LDS instances in the same configuration set will contain the same data. One trick is that an AD LDS instance can contain application partitions beyond those in the configuration set. Any application partitions in the configuration set will be shared with all instances replicating that set; any application partitions outside the configuration set will be unique to the instance where they live. Any AD LDS instance can participate in only one configuration set at a time, so if you have application partitions outside of a configuration set, those will not be replicated.

AD LDS supports the same kind of site and site link objects as AD DS, which are used to create and calculate the replication topology. I've written about replication earlier in this guide, and pretty much everything you know about AD replication and sites and site links applies to AD LDS as well. Replication within a site (that is, between instances on the same local area network (LAN)) is automatic and more or less real-time. Beyond setting up configuration sets to determine what will replicate, you don't have to do anything. Between sites, however, you must define site link objects, something that you don't have to do in AD DS. Intersite replication also requires you to set up the replication schedule, frequency, and availability, something you can do in AD DS, but which many admins don't manually configure.

Note
You can also override the automatic intrasite replication settings to specify a schedule, frequency, and so on.

Resource
Microsoft provides a complete guide to managing AD LDS replication, and configuration sets, at http://technet.microsoft.com/en-us/library/cc816770(WS.10).aspx.

Authentication
I technically lied about AD LDS not doing authentication. What it can't do is authenticate a Windows computer in the way that AD DS can. AD LDS can absolutely provide custom authentication for an application, and a lot of people use it as the directory for, say, an extranet Web application. Essentially, you're just using AD LDS to store custom user objects rather than sticking that information into a traditional relational database, which is what a lot of developers do. AD LDS is optimized for read access, making it a very quick and simple operation to look up a user, validate their password, and so forth.


You'll also see folks using AD LDS when they have an application that requires simple LDAP authentication and that wants to store data in the LDAP directory but they don't want that to be their main domain. AD LDS does support the full LDAP protocol, including authentication, so it can work well in that instance. The application would provide a user's X.500 Distinguished Name (DN) and password. AD LDS security policy for password complexity, account lockout, and so forth are enforced by the local computer's security policy rather than a GPO (AD LDS doesn't do GPOs). However, if the computer is a member of a domain and a GPO applies to it that sets password complexity or other account policies, then those will obviously apply to AD LDS as well. Unfortunately, LDAP does transmit passwords in clear text if you aren't using LDAP over SSL, so be aware of that limitation.

AD LDS also supports Windows principal authentication, also known as SSPI authentication. This permits someone to use their AD DS domain account to authenticate to an AD LDS instance, or to use local user and group accounts created on the machine hosting AD LDS. To use domain accounts, AD LDS must be a member of the domain. In a domain environment, authentication happens with the Kerberos protocol, providing better security, mutual authentication, and complete protection of users' passwords (although it can fall back to NTLM authentication depending on your domain policies for that).

AD LDS also supports proxy authentication, also known as bind redirection, in which users authenticate using an AD LDS account (that is, a user account stored in AD LDS) but can use their AD DS domain password. Again, the AD LDS host computer needs to be a member of the AD DS domain, and you'll usually need some kind of account synchronization tool like ForeFront Identity Manager to synchronize the objectSID from AD DS to the corresponding AD LDS user accounts. This uses LDAP, so it's important to set up LDAP over SSL to secure the domain passwords on the network.

Resource
There is a great article at http://technet.microsoft.com/en-us/library/cc784622.aspx that explains these authentication options in some detail, including instructions for setting up the options.

When to Use AD LDS
AD LDS is useful whenever you have an application (other than Microsoft Exchange Server, which is a notable exception) that needs to store data in AD and you don't want to extend the schema of your main directory for that purpose. AD LDS is also a good choice if you're developing an application that will eventually integrate with AD DS. With AD LDS, you can have a locally installed directory on your development or testing systems, because AD LDS can run on a broader range of OSs and doesn't have the extensive prerequisites of AD DS. Anytime you find yourself asking, "Should we extend the schema of our directory?" then you should at least put AD LDS on the table for consideration, especially if your gut reaction to that question is, "NO!!!"


When Not to Use AD LDS
AD LDS is not a replacement for AD DS. It can't authenticate users to a domain, and it can't authenticate domain-joined computers. Windows machines can't "join" an AD LDS instance. AD LDS is intended for use primarily by applications, often in conjunction with a normal AD DS domain.

Troubleshooting AD LDS
The biggest thing you'll wind up troubleshooting in AD LDS is replication. Fortunately, its replication works exactly like that in AD DS, so the troubleshooting sections in the earlier chapters of this guide still apply.

Auditing AD LDS
AD LDS does support change auditing, meaning you can have an event written to the Windows event logs whenever a change occurs. These events often include old and new values for object attribute changes, which can be useful for creating an audit trail for compliance. It's the same feature as in AD DS, in fact, and you enable it in the same way.

Resource
The article at http://technet.microsoft.com/en-us/library/cc731764(WS.10).aspx has instructions for creating an audit trail for compliance. Although the article focuses on AD DS, the content applies to AD LDS as well.

As with password policy and account lockout, the audit policy can be applied to an AD LDS server either through its local security policy or, for domain-joined computers, through an appropriately linked GPO. Auditing works just like it does in AD DS:
1. You'll typically enable auditing through a GPO, although for non-domain hosts you can do so in the local security policy.
2. Set the Security Access Control List (SACL) on the objects you want to audit.
3. The account running the AD LDS service needs to have the Generate Security Audit user privilege on the servers where AD LDS runs. Network Service and Local System have this set by default, but if you're replicating a configuration set and using a domain user account, then you'll have to grant this privilege to that account.


In addition to auditing attribute changes (which is fairly new even for AD DS), you can in AD LDS audit access to the directory service and audit logon events just as you can in AD DS. However, two specific settings that don't apply to AD LDS are:
• Audit Account Management: Because AD LDS objects are viewed by Windows as objects in a directory, Windows doesn't see them as accounts per se, even if the object's class name is "user" (and by default, AD LDS doesn't contain a "user" class).
• Audit Object Access, Audit Policy Change, Process Tracking, and System Events: These settings also don't make sense in AD LDS because they apply to things like files and policies that don't exist in AD LDS.

AD LDS doesn't come with a full suite of tools like AD DS does, although some of the normal AD DS tools will work against AD LDS. To set up a SACL, you'll use LDP.exe and its SACL editor. You can also use the Dsacls.exe command-line utility. Simply bind the tool to your AD LDS instance (make sure you're using an admin account to do so), enumerate your partitions, and right-click whatever object you want to apply a SACL to. As Figure 7.3 shows, you'll get a familiar-looking dialog box in which to define the audit policy for that object.
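The three-step procedure from the previous page (audit policy, SACL, service-account privilege) can also be done without LDP's dialog boxes, which is handy on a Server Core host. The following is an added example, not from the book, using System.DirectoryServices from PowerShell against an AD LDS instance; the host name, port, object DN and service account are assumptions:

```powershell
# Added example, not from the book: the three auditing steps from the chapter applied
# to an AD LDS instance from PowerShell: confirm the audit policy subcategory, confirm
# the service account holds "Generate security audits" (SeAuditPrivilege), and add a
# SACL entry on an application partition object via System.DirectoryServices. Host,
# port, DN and service account are assumptions; run elevated on the AD LDS host.
$ldsServer   = 'lds01.corp.example.com:50000'   # host:port of the AD LDS instance
$objectDN    = 'OU=Customers,DC=App,DC=Corp'     # object (or partition root) to audit
$serviceAcct = 'CORP\svc-adlds'                  # account the AD LDS service runs as

# 1. Audit policy: the Directory Service Changes subcategory must be on (local or GPO)
$policy = auditpol /get /subcategory:"Directory Service Changes"
if (-not ($policy | Select-String 'Success')) {
    Write-Warning 'Directory Service Changes auditing is off; enable it locally or in the linked GPO'
}

# 2. SeAuditPrivilege for the service account: export the effective user-rights policy
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -like 'SeAuditPrivilege*' }
$sid  = (New-Object System.Security.Principal.NTAccount($serviceAcct)).Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($line -notmatch [regex]::Escape($sid) -and $line -notmatch [regex]::Escape($serviceAcct)) {
    Write-Warning "$serviceAcct does not hold 'Generate security audits' on this host"
}

# 3. SACL: audit successful writes, creates and deletes by anyone, inherited by children.
#    Reading or writing a SACL needs SeSecurityPrivilege, hence the elevated session.
Add-Type -AssemblyName System.DirectoryServices
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ldsServer/$objectDN")
$entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$entry.ObjectSecurity.AddAuditRule($rule)
$entry.CommitChanges()

# Changes now land in the Security log as 5136 (modified), 5137 (created), 5141 (deleted)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The same DirectoryEntry approach works against AD DS by dropping the port; the only AD LDS-specific part is the host:port binding.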

Figure 7.3: Setting a SACL in AD LDS.


Resource
You can find more information about setting up auditing, such as enabling auditing of replication events in AD LDS, at http://blogs.technet.com/b/askds/archive/2009/04/02/one-stop-audit-shop-for-adam-and-ad-lds.aspx. Be advised that a lot of this is pretty low-level, manual stuff because AD LDS doesn't come with the same high-level tools that you're used to with AD DS.

Coming Up Next
We're down to the final chapter in this guide, where I'll present assorted tips and tricks for AD. We'll cover things like FSMO roles, syncing, Kerberos, replication, DNS and trusts, permissions, communications, Group Policy, and much more.


Chapter 8: Assorted Tips and Tricks for Active Directory Troubleshooting
We're at the end of this guide, and I find myself left with several things I wish I'd mentioned earlier, except that these things don't fit neatly into any of the topics we've already discussed. So in this chapter, I'll present these seemingly random, yet completely helpful, tips for troubleshooting various aspects of Active Directory (AD).

Troubleshooting FSMO Roles
Typically, there's no good fix for a broken Flexible Single Master Operation (FSMO) role; you're often left to nicely transfer the role to another domain controller or, in a worst-case scenario, seize the role on another domain controller. There are, however, some indications that tell you a FSMO role holder isn't working properly:
• If you can't add new domains, the Domain Naming Master is down. That FSMO can be down for ages without you realizing it because you probably don't often add domains.
• If users are changing their passwords but can't log on, the PDC Emulator is the likely cause. This FSMO role also plays a part in time synchronization.
• Failure of the PDC Emulator can also affect your ability to edit Group Policy Objects (GPOs) and prevent you from adding new domains to a forest.
• If you can't create new directory objects, you lost your RID Master, probably a while back, as domain controllers obtain RIDs in blocks and cache them.
• In a multi-domain environment, a failed Infrastructure Master can result in incomplete group memberships, meaning users may not be able to access all of their resources.
• Domain upgrades and schema extensions can rely on the Domain Naming Master and the Schema Master, depending on what work they're doing.

The PDC Emulator is the one role you'll probably miss the soonest if something goes wrong; many of my customers keep this role on a clustered domain controller for that exact reason.


Whatever you do, don't forcibly seize a FSMO role from a domain controller unless you're taking that domain controller completely offline, demoting it (removing AD), and planning to rebuild it before it's reconnected to the network. This is especially true of the Schema Master and Domain Naming Master: Under no circumstances must two servers believe they each hold one of those roles.

Checking your FSMOs is pretty easy: Use the DCDiag tool on a domain controller in each of your domains (it's not a bad idea to run it on several domain controllers, in different sites, to make sure you get the same results). It'll check your FSMOs and report back. The next step, if a FSMO appears to be broken, is to check DNS. Really, it seems like two-thirds of all AD problems can be traced back to a DNS issue. Make sure each FSMO role holder is properly registered in DNS, and you'll probably be fine.
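Those two checks, DCDiag and then DNS, scripted as an added example (not from the book) to run on a domain controller; it uses the ActiveDirectory module to learn who the role holders are and then confirms each one resolves, including the separate SRV record that advertises the PDC emulator:

```powershell
# Added example, not from the book: the two checks this section recommends, scripted:
# run DCDiag's role-holder tests on the local DC, then confirm every FSMO role holder
# (and the _msdcs PDC SRV record) resolves in DNS. Names come from the AD module.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain

# DCDiag: does this DC know who the role holders are, can it reach them and the RID master?
dcdiag /test:KnowsOfRoleHolders /test:FsmoCheck /test:RidManager

$holders = @{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
foreach ($role in $holders.Keys) {
    $fqdn = $holders[$role]
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        "{0,-22} {1,-40} {2}" -f $role, $fqdn, ($addrs -join ', ')
    } catch {
        "{0,-22} {1,-40} NOT RESOLVABLE: {2}" -f $role, $fqdn, $_.Exception.Message
    }
}

# The PDC emulator is also advertised by its own SRV record, which clients use for
# password chaining and time sync; it must name the same host that holds the role.
$srv = nslookup -type=SRV "_ldap._tcp.pdc._msdcs.$($domain.DNSRoot)" 2>&1
$srv | Select-String 'svr hostname'
if (-not ($srv | Select-String ([regex]::Escape($domain.PDCEmulator)))) {
    Write-Warning "The PDC SRV record does not name $($domain.PDCEmulator); check DNS registration on that DC"
}
```

Run it from DCs in different sites, as the section suggests; a role holder that resolves from the hub but not from a branch points at the branch's DNS, not at the role.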

Troubleshooting Domain Controllers in General
Domain controllers, by and large, just work. Provided everything around them (replication, time sync, and so forth) is all working, you'll tend to have very little trouble with the AD database and services. When you think a domain controller is broken, start by going through a quick checklist on configuration and surrounding operations:
• Make sure the domain controller's site and subnet configuration is correct.
• Make sure time sync is working and that the domain controller's clock matches that of the domain's PDC Emulator (see the next section).
• Make sure replication is working. If a domain controller seems broken, either replication, or some dependency like the network itself, is likely causing the problem.
• Make sure the domain controller is properly registered in DNS, and ensure that client computers and other domain controllers can properly resolve the domain controller's DNS records.
• Check the domain controller's event logs for any bad news, and deal with whatever you find.

Once you've eliminated those problems, you may in fact be looking at a broken domain controller. There are a number of things you can do to troubleshoot problems, rebuild the directory database, and so forth. Honestly, a lot of customers I work with will simply demote and re-promote the domain controller. That rebuilds everything from scratch. It's somewhat time-consuming but not necessarily more so than a protracted troubleshooting and repair process that may result in a re-promotion anyway.


Troubleshooting Time Sync
Time synchronization is absolutely crucial in AD. By default, authentication traffic only allows for a 5-minute out-of-sync window; let any client or domain controller get further out of sync than 5 minutes, and authentication stops working. The solution to this problem is not to extend that time window; doing so creates a higher security risk because someone can more easily capture and replay authentication packets against your network. Instead, fix the time sync problem.

Time sync is handled by a background service on all Windows computers, servers, and clients. Client computers and member servers sync time with the domain controller that authenticated them when they started; domain controllers sync with the domain controller holding the PDC Emulator FSMO role. The PDC Emulator should sync with an external, authoritative time source. The sync traffic occurs over UDP port 123, so your first step will be to make sure that port is open. Keep in mind that, by default, the PDC Emulator isn't configured to sync time, and it will repeatedly log messages to that effect until you do configure it.

The best troubleshooting tool you have is the W32tm tool, which must be run from the command line by an administrator. This tool cannot function if the Windows Time Service is running, so temporarily stop that service before running W32tm. Be sure to restart the service when you're done troubleshooting. Some specific tips, each of which must be completed by an Administrator:
• Run net time /querysntp to check time sync servers on domain controllers and workstations
• Run w32tm /resync to check sync with your domain controller
• Run w32tm /monitor /domain:domain_name to check the status of domain controller time sources.
• Run net time /domain:domain_name /set /y to try to synchronize with the local domain time source

The errors generated by those commands, if any, will tell you what needs to be fixed. Also note that the Time Service won't always immediately correct an out-of-sync local clock: If the local clock is faster than its time source but less than 3 minutes out of sync, the Time Service will merely slow the clock so that it eventually comes back into sync. When doing so, the Time Service will check the time about every 45 minutes until the clock is in sync for three consecutive checks. The service then resumes its normal behavior of checking the clock every 8 hours.

Resource
You can find more step-by-step tips on troubleshooting time sync at http://cainmanor.com/tech/windows-time-troubleshooting/.
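The sync chain described above (PDC emulator to an external source, every other DC to the PDC emulator) can be verified in one pass by parsing the w32tm /monitor output the list mentions. This is an added example, not from the book; the 150-second "check" threshold (half the 5-minute tolerance) is an assumption, and the Kerberos tolerance itself is deliberately left alone:

```powershell
# Added example, not from the book: verify the time-sync chain this section describes
# without touching the Kerberos skew tolerance. It checks that the PDC emulator has a
# real (non-local) source, then parses w32tm /monitor to list each DC's offset and
# flags anything past half of the 5-minute limit. The threshold is an assumption.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$pdc = $domain.PDCEmulator
$limitSeconds = 300

# 1. The PDC emulator must sync externally; "Local CMOS Clock" means it is not configured
$source = (w32tm /query /source /computer:$pdc) -join ' '
"PDC emulator $pdc time source: $source"
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "$pdc is using its local clock; configure an external NTP source on it"
}

# 2. Offsets of all DCs, parsed from w32tm /monitor (needs UDP 123 to each DC). Output looks like:
#      dc1.corp.example.com *** PDC *** [10.0.0.1:123]:
#          ICMP: 0ms delay
#          NTP: +0.0012345s offset from dc1.corp.example.com
$lines = w32tm /monitor /domain:$($domain.DNSRoot)
$results = @()
$current = $null
foreach ($line in $lines) {
    if ($line -match '^(\S+).*\[\S+:123\]:\s*$') { $current = $Matches[1]; continue }
    if (-not $current) { continue }
    if ($line -match 'NTP:\s*([+-]?\d+\.\d+)s offset') {
        $results += New-Object PSObject -Property @{ DC = $current; OffsetSeconds = [double]$Matches[1]; Reachable = $true }
    } elseif ($line -match 'NTP:\s*error') {
        $results += New-Object PSObject -Property @{ DC = $current; OffsetSeconds = $null; Reachable = $false }
    }
}

$results | Sort-Object { if ($_.Reachable) { [math]::Abs($_.OffsetSeconds) } else { [double]::MaxValue } } -Descending |
    ForEach-Object {
        if (-not $_.Reachable) { "{0,-40} UNREACHABLE over NTP (UDP 123?)" -f $_.DC; return }
        $flag = if ([math]::Abs($_.OffsetSeconds) -gt $limitSeconds / 2) { 'CHECK' } else { 'ok' }
        "{0,-40} {1,12:N3}s {2}" -f $_.DC, $_.OffsetSeconds, $flag
    }
```

A DC listed as unreachable but otherwise healthy usually means UDP 123 is filtered somewhere on the path, which is the first thing the section tells you to check.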


Troubleshooting Kerberos
Provided time sync is working, Kerberos will generally work as advertised. Try to avoid fiddling with Kerberos configuration (which can be done through Group Policy), as tweaking Kerberos settings incorrectly can lead to problems. Most Kerberos issues stem from underlying DNS or network connectivity issues; start by assuming that a problem is with DNS or the network and resolve those problems first.

Specific symptoms of a possible Kerberos issue:
• Users or computers can't log on or can't access network resources, and Kerberos is the protocol in use. You do have to check this, as sometimes a different protocol can be used and troubleshooting Kerberos is just a waste of your time.
• The event log will show errors related to Kerberos Key Distribution Center (KDC), Local Security Authority Server (LsaSrv), or NetLogon (Netlogon) services.
• Failure events in the Security log will indicate which protocol is being used: Enable auditing of failed logons, if you haven't done so, to see if any of these audits are logged. Note that enabling this level of auditing can increase log volume significantly; be sure to turn off this setting if it isn't normally on in your environment.

To troubleshoot Kerberos:
• You'll need to be an Administrator on the computers involved.
• Obviously, make sure you're on the latest service pack, hotfixes, and whatnot.
• Restart the computer(s) affected.
• Make sure DNS is working and that the affected computer can resolve a domain controller via DNS.
• Make sure all domain controllers a client might use are accessible and can be resolved via DNS.
• Check time sync.

Install the Windows Support Tools (from the server installation DVD), including Ldifde, LDP, Setspn, and Tokensz. You should also enable logon failure auditing because those events can contain useful diagnostic information (see http://technet.microsoft.com/en-us/library/cc736727(WS.10).aspx for instructions on doing so).

Finally, start troubleshooting. Use the step-by-step guide at http://technet.microsoft.com/en-us/library/cc786325(WS.10).aspx to use the Windows Support Tools to resolve specific problem areas.
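The first symptom check above, "is it actually Kerberos?", plus the event-log and SPN steps, as an added example to run on a domain controller (not from the book; the 24-hour window is an assumption). It separates Kerberos failures (events 4768/4771, which carry a KRB error code) from NTLM failures (event 4776), maps the common codes, lists the KDC/LsaSrv/Netlogon errors the section names, and runs setspn's duplicate-SPN search:

```powershell
# Added example, not from the book: triage the Kerberos symptoms listed above on a DC.
# Which protocol failed (4768/4771 = Kerberos, 4776 = NTLM), what the Kerberos error
# codes mean, which KDC/LsaSrv/Netlogon errors exist, and whether any SPN is duplicated.
# The time window is an assumption; logon failure auditing must already be enabled.
$since = (Get-Date).AddHours(-24)

function Get-FailedAudits([int[]]$Ids) {
    @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' })
}
$kerb = Get-FailedAudits 4768, 4771
$ntlm = Get-FailedAudits 4776
"Failed logons since $since : Kerberos = $($kerb.Count), NTLM = $($ntlm.Count)"
if ($kerb.Count -eq 0 -and $ntlm.Count -gt 0) { "Failures are NTLM; Kerberos is not the protocol in use here" }

# KRB error codes from RFC 4120, as they appear in the 4768 "Result Code" / 4771 "Failure Code" fields
$codeMeaning = @{
    '0x6'  = 'client principal unknown (typo, deleted account, wrong realm)'
    '0x7'  = 'server principal unknown (missing SPN)'
    '0x12' = 'client revoked (disabled, locked out or expired account)'
    '0x17' = 'password expired'
    '0x18' = 'pre-authentication failed (bad password)'
    '0x25' = 'clock skew too great (fix time sync)'
}
$kerb | ForEach-Object { if ($_.Message -match '(?:Result|Failure) Code:\s+(0x[0-9A-Fa-f]+)') { $Matches[1].ToLower() } } |
    Group-Object | ForEach-Object {
        $meaning = if ($codeMeaning.ContainsKey($_.Name)) { $codeMeaning[$_.Name] } else { 'see the RFC 4120 error table' }
        "  {0,-6} x{1,-5} {2}" -f $_.Name, $_.Count, $meaning
    }

# System log errors from the three sources the section names
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1,2,3; StartTime = $since;
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center', 'KDC', 'LsaSrv', 'NETLOGON' } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, @{ n = 'Text'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Duplicate SPNs are a classic cause of unexplained Kerberos failures; setspn -X lists them forest-wide
setspn -X
```

A run that shows only 0x18 and 0x12 codes is a user problem, not a Kerberos problem; 0x25 sends you back to the time sync section, and 0x7 or a non-empty setspn -X result sends you to the SPN steps in the Microsoft guide linked above.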


Troubleshooting RIDs
Relative Identifiers (RIDs) are used to ensure that a unique ID number can be assigned to each directory object created by a domain controller. The RID Master FSMO Role hands out unique RIDs in batches to domain controllers; the controllers cache those RIDs and use them when creating new objects. When a domain controller runs out of RIDs, it asks the RID Master for more. Earlier in this chapter, I mentioned that an inability to create new objects is a sign that the RID Master is either broken, offline, or inaccessible to domain controllers (inaccessibility is often a DNS issue or network infrastructure problem). There are a number of event log entries you can watch for:
• 16642 indicates that the domain controller is out of RIDs. It should have requested more; check the RID Master and restart the domain controller.
• 16643 indicates that the domain controller hasn't gotten a pool of RIDs yet, often because the RID Master isn't accessible.
• 16644 tells you that the domain is out of RIDs. This is a Bad Situation and shouldn't normally occur, even in huge domains. The limit of RIDs is a bit over 1 billion (1,073,741,825, to be exact).
• 16645 says that the domain controller just assigned its last RID and couldn't get more. Again, check the availability of, and connectivity to, the RID Master.
• 16646 indicates a processing problem where a domain controller tried to use an invalid RID. Force the domain controller to invalidate its RID pool, which should force it to ask for a new one.
• 16647 means the domain controller is requesting a new RID pool. This is good.
• 16648 means a domain controller got a new RID pool; this is excellent news.
• 16651 means a RID pool request failed. Bad News. The domain controller will retry; look for another 16647 event.
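The pool state behind those events is readable from the directory itself, which lets you see a RID problem before the 16645 appears. This is an added example, not from the book, meant to run on a domain controller with the ActiveDirectory module; the 80% warning threshold is an assumption. The pool attributes are 64-bit values that pack two 32-bit numbers, which the helper unpacks:

```powershell
# Added example, not from the book: how much of the domain's RID space has been issued,
# what this DC's current pool looks like, and any RID events (16642-16651) logged in the
# last week. Run on a DC. rIDAvailablePool and rIDAllocationPool are 64-bit values:
# high 32 bits = upper bound of the pool, low 32 bits = next RID to hand out.
Import-Module ActiveDirectory
$domain = Get-ADDomain

function Split-RidPool {
    param([int64]$Packed)
    $high = [int64][math]::Floor($Packed / 4294967296)
    $low  = [int64]($Packed % 4294967296)
    New-Object PSObject -Property @{ Next = $low; Max = $high }
}

# Domain-wide pool, read from the RID master where it is authoritative
$ridMgrDN = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
$ridMgr   = Get-ADObject -Identity $ridMgrDN -Properties rIDAvailablePool -Server $domain.RIDMaster
$pool     = Split-RidPool $ridMgr.rIDAvailablePool
$pctUsed  = [math]::Round(100 * $pool.Next / $pool.Max, 2)
"Domain $($domain.DNSRoot): next RID block starts at $($pool.Next) of $($pool.Max) ($pctUsed% of RID space issued)"
if ($pctUsed -gt 80) { Write-Warning 'More than 80% of the RID space has been issued; plan before 16644 ever appears' }

# This DC's own pool: computer object -> rIDSetReferences -> RID Set object
$dc       = Get-ADDomainController -Identity $env:COMPUTERNAME
$computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
$ridSet   = Get-ADObject -Identity (@($computer.rIDSetReferences)[0]) -Properties rIDAllocationPool, rIDNextRID
$alloc    = Split-RidPool $ridSet.rIDAllocationPool
"$($dc.HostName): current pool $($alloc.Next)-$($alloc.Max), next RID to assign $($ridSet.rIDNextRID)"

# RID events from the last 7 days; the SAM source writes them to the System log, so
# check both that and the Directory Service log
foreach ($log in 'System', 'Directory Service') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 16642..16651; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}
```

A DC whose pool is nearly exhausted and whose log shows 16647 without a following 16648 is the "RID master unreachable" case the section describes; compare the RID master's name from Get-ADDomain with what DNS returns before touching the role.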

Troubleshooting Object Deletion
It's important to understand how object deletion occurs in AD so that you can troubleshoot problems:
1. When you delete an object, it is actually just marked as deleted, a process called tombstoning.
2. Like any other change to an object, the tombstone change is replicated, thus deleting the object on all other domain controllers.
3. The old default value for tombstone cleanup was 60 days; as of Windows Server 2003, it was set to 180 days. After this period, each domain controller permanently deletes tombstoned objects.


There are some consequences to this behavior:
• If you restore a domain controller from a backup that is older than the cleanup window, or connect a domain controller that has been offline longer than that, deleted objects will come back because the old domain controller (or its backup) will re-create the object.
• The Active Directory Recycle Bin feature introduced in Windows Server 2008 R2 actually copies deleted objects to a separate area of the directory rather than deleting them. Again, reviving a very old domain controller can thus make objects reappear in their original location.

Most object deletion issues can be prevented by simply never allowing an older domain controller, or a backup of one, to be reconnected to the network.
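One way to catch the "older domain controller" before anyone reconnects it, as an added example (not code from the guide): read the forest's actual tombstone lifetime, then use the replication metadata that the reachable DCs hold about their partners to work out how long it has been since anyone last replicated successfully from each DC. A DC that has been silent longer than the lifetime is the one whose return would resurrect deleted objects. It assumes the ActiveDirectory module on Windows Server 2012 or later (Get-ADReplicationPartnerMetadata), read access to the Configuration partition, and function names chosen here.

```powershell
# Added example (not from the guide): compare each DC's last successful
# replication, as seen by its partners, with the forest tombstone lifetime.
# Assumes the ActiveDirectory module on Windows Server 2012 or later.

Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $config = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
                       -Properties tombstoneLifetime
    # When the attribute is absent the directory uses the old 60-day default.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-ReplicationAge {
    $lifetime = Get-TombstoneLifetimeDays
    $lastSeen = @{}   # source DC name -> newest successful replication anyone had from it
    foreach ($dc in Get-ADDomainController -Filter *) {
        if (-not $lastSeen.ContainsKey($dc.Name)) { $lastSeen[$dc.Name] = $null }
        # Ask each reachable DC about its inbound partners. An offline DC still
        # appears here as somebody else's partner, which is the case that matters.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue
        foreach ($m in $meta) {
            # Partner is the DN of the source's NTDS Settings object; the second RDN is its name.
            if ($m.Partner -match '^CN=NTDS Settings,CN=([^,]+),') {
                $src = $Matches[1]
                if (-not $lastSeen[$src] -or $m.LastReplicationSuccess -gt $lastSeen[$src]) {
                    $lastSeen[$src] = $m.LastReplicationSuccess
                }
            }
        }
    }
    foreach ($name in @($lastSeen.Keys)) {
        $last = $lastSeen[$name]
        $days = if ($last) { [math]::Round(((Get-Date) - $last).TotalDays, 1) } else { $null }
        [pscustomobject]@{
            DC                = $name
            LastSuccessFromDC = $last
            DaysAgo           = $days
            TombstoneLifetime = $lifetime
            # Unsafe: never seen by any partner, or silent for longer than the lifetime.
            Unsafe            = (-not $last) -or ($days -gt $lifetime)
        }
    }
}

Get-ReplicationAge | Sort-Object Unsafe, DaysAgo -Descending | Format-Table -AutoSize
```

Run this from any member server with RSAT; it never contacts the suspect DC itself, so it is safe to use while that DC is still unplugged. The same lifetime value is the cut-off for how old a system-state backup may be before it, too, becomes unsafe to restore.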

Troubleshooting Replication
Replication is probably the trickiest thing to troubleshoot in AD. Before you dive in, I have some recommendations that can make replication less prone to problems:
• Keep your sites and subnets up to date. This is really crucial, as replication relies on the topology of your sites and subnets. A subnet is a single IP subnet: Class A, Class B, Class C, whatever you use. A site is a collection of subnets that all exist in the same LAN-quality bandwidth, that is, all the subnets with a 100Gbps or better Ethernet connection.
• Make your site links reflect your physical WAN architecture, and avoid creating site bridge links unless you absolutely must do so in order to speed replication to far-flung sites. Allowing the directory to calculate its own replication topology based on your physical WAN is the best course of action.
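A quick test of the first recommendation, as an added example (not code from the guide): it lists every domain controller, finds the AD subnet object that contains the DC's IPv4 address, and reports any DC that no subnet covers, or whose subnet belongs to a different site than the DC claims. Either condition means the topology the directory computes does not match reality. It assumes the ActiveDirectory module on Windows Server 2012 or later (Get-ADReplicationSubnet), IPv4 subnets only, and function names chosen here.

```powershell
# Added example (not from the guide): verify that each DC's address falls inside a
# defined AD subnet and that the subnet's site agrees with the DC's site.
# Assumes the ActiveDirectory module on Windows Server 2012 or later; IPv4 only.

Import-Module ActiveDirectory

function ConvertTo-IPv4Int {
    # Dotted quad -> 64-bit integer (wide enough to avoid sign trouble).
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [array]::Reverse($bytes)
    [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    # True when $Address lies inside $Cidr, e.g. '10.1.2.0/24'.
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $mask = [int64](4294967296 - [math]::Pow(2, 32 - [int]$bits))   # 2^32 - 2^(32-bits)
    ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

function Get-DcSubnetCoverage {
    # Subnet objects from Sites and Services: Name is the CIDR, Site is the site's DN.
    $subnets = Get-ADReplicationSubnet -Filter * |
               Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' }
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ip    = $dc.IPv4Address
        $match = @($subnets | Where-Object { Test-IPv4InCidr -Address $ip -Cidr $_.Name })
        # Site DN -> site name (first RDN without the CN= prefix).
        $subnetSites = @($match | ForEach-Object { ($_.Site -split ',')[0] -replace '^CN=' })
        [pscustomobject]@{
            DC          = $dc.HostName
            IPv4Address = $ip
            DcSite      = $dc.Site
            Subnet      = if ($match) { $match.Name -join ', ' } else { '(none)' }
            SubnetSite  = $subnetSites -join ', '
            # Uncovered, or covered by a subnet that maps to a different site, means the
            # KCC and client site lookups are working from a wrong picture of the network.
            Covered     = $match.Count -gt 0
            SiteMatches = $subnetSites -contains $dc.Site
        }
    }
}

Get-DcSubnetCoverage | Sort-Object Covered, SiteMatches | Format-Table -AutoSize
```

The same Test-IPv4InCidr function works for any client address too, which is useful when a workstation logs on to a DC in the wrong site: if its address is uncovered, the client falls back to any DC it can find, exactly the symptom that stale subnet definitions produce.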

Assuming you haven't dorked around with your site, subnet, and site link configuration, you'll need some tools to start troubleshooting things. Microsoft provides a good walkthrough at http://technet.microsoft.com/en-us/library/cc738415(WS.10).aspx; personally, I much prefer third-party tools that can help me visualize the replication topology and that can check it for me and even initiate fixes. Quest's Spotlight on Active Directory is one such tool I've used; search for "Active Directory replication tool" in your favorite search engine and you'll find others.

Troubleshooting DNS
DNS, as I've indicated elsewhere in this chapter, turns out to be the root cause for a lot of AD troubles. In fact, I counsel all of my customers to get a solid AD-specific DNS monitoring tool in place to continuously check DNS operations and proactively alert them if something goes wrong. Why AD-specific? Because of the way in which AD uses DNS. A tremendous number of DNS records get added by domain controllers, and a monitoring solution that's aware of those things can do a better job of monitoring the overall infrastructure.


For example, a solution can check the AD itself to see which domain controllers exist, then verify that each one has registered all the proper DNS records, and then verify that DNS is properly returning those records, and then verify that the computers are reachable using the data in those records, covering the entire loop of possible problems, essentially. Such monitoring tools are nearly always commercial, meaning you'll have to pay a bit for them.

There are some obvious first steps to making sure that DNS is working properly. Each of these, however, requires that you know what DNS should be doing. When sitting down at a client computer, for example, you need to know which domain controllers it should expect to see, what DNS records it should expect to receive from a query, and so forth. All you can do is verify that DNS is returning what you expect; if it doesn't, you've found your problem. If you don't know what should be happening, however, you'll never find the problem. Those first steps:
• Clear the client DNS cache by running ipconfig /flushdns.
• Check the DNS cache to make sure you don't have any static records from a hosts file.
• Use Nslookup to perform the same queries a client computer would, and verify the results. What you query is going to depend on what situation you're trying to replicate, of course. http://technet.microsoft.com/en-us/library/bb726934.aspx has a great list of starting points, particularly with regard to improper DNS server configuration.
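The loop described at the top of this section, and the three first steps just listed, as one added example (not code from the guide, and not any commercial tool's logic): it takes the list of DCs from AD itself, checks that the domain-wide _ldap._tcp.dc._msdcs SRV record advertises each of them, resolves each DC's host record, compares that answer with the address AD knows, and finally opens an LDAP connection to the advertised address. It also reports SRV targets that are no longer DCs, which is the stale-record case. It assumes the ActiveDirectory module, Resolve-DnsName (Windows 8 / Server 2012 or later), and function names chosen here.

```powershell
# Added example (not from the guide): AD -> DNS -> reachability, one row per DC.
# Assumes the ActiveDirectory module and Resolve-DnsName (Windows 8 / 2012 or later).

Import-Module ActiveDirectory

function Test-TcpPort {
    # Plain TCP connect with a timeout; ICMP is often blocked, LDAP (389) is not.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-DcDnsRegistration {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    # 1. The authoritative list of DCs comes from the directory, not from DNS.
    $dcs = Get-ADDomainController -Filter * -Server $DomainName

    # 2. What DNS advertises: the SRV record every domain member starts from.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $advertised = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })

    foreach ($dc in $dcs) {
        $fqdn = $dc.HostName.ToLower()
        # 3. Does the host record resolve, and to the address AD has on file?
        $a = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        # 4. Is the address DNS handed out actually answering LDAP?
        $reach = $false
        if ($a.Count -gt 0) { $reach = Test-TcpPort -ComputerName $a[0] -Port 389 }
        [pscustomobject]@{
            DC            = $fqdn
            InSrvRecord   = $advertised -contains $fqdn
            DnsAddress    = $a -join ', '
            AdAddress     = $dc.IPv4Address
            AddressMatch  = $a -contains $dc.IPv4Address
            LdapReachable = $reach
        }
    }
    # 5. The reverse check: SRV targets that AD no longer knows as DCs (stale records).
    $known = @($dcs | ForEach-Object { $_.HostName.ToLower() })
    foreach ($name in $advertised) {
        if ($known -notcontains $name) {
            [pscustomobject]@{ DC = $name; InSrvRecord = $true; DnsAddress = '(stale: not a DC in AD)'
                               AdAddress = ''; AddressMatch = $false; LdapReachable = $false }
        }
    }
}

# Flush the resolver cache first so the answers come from the server, not the cache.
ipconfig /flushdns | Out-Null
Test-DcDnsRegistration | Format-Table -AutoSize
```

Run it from the client that is misbehaving, since the point is to see what that client's configured DNS servers return; the same function run from a DC may give a clean result while the client still fails, which itself tells you the problem is the client's resolver settings or a forwarder in between.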

With those basics out of the way, you can start troubleshooting. DNS troubleshooting is a massive topic all by itself, and there are several entire books on the subject, so I can't go into a great deal of depth here. But http://technet.microsoft.com/en-us/library/cc787724(WS.10).aspx is a good guide to getting started and covers some of the most common problems.

Troubleshooting Permissions
Last up is the process of troubleshooting permissions. This is when someone should have permission to something in AD but they don't, or the opposite, when they do but shouldn't. Really, this isn't much different than troubleshooting the same problem in the Windows file system. Keep in mind the following facts:
• Permissions can be applied directly at an organizational unit (OU) or container, then inherited by objects.
• Permissions can be applied directly on an object.


A user's effective permissions are the combination of every inherited parent OU permission plus the permissions directly on the object. A Deny permission anywhere in that chain of inheritance will override an Allow that occurs anywhere else. You can minimize the complexity of troubleshooting by never applying permissions directly to objects and by minimizing the number of OUs you apply permissions to. That way, you have fewer places to look.

To troubleshoot permissions in Active Directory Users and Computers, you'll first need to enable Advanced Features from the View menu. Otherwise, objects' Security tabs aren't even visible. Tells you how much Microsoft thinks you should mess with this stuff!

Once on the Security tab for an object, click Advanced. Then use the Effective Permissions tab. This is probably the easiest way to resolve the inheritance of permissions and see the final, effective permissions a given user has over a given object or container. Just select the user you're troubleshooting, then review the permissions.
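The inheritance chain the Effective Permissions tab resolves for you, laid out explicitly, as an added example (not code from the guide): for a user and each group the user belongs to, it walks from the object up through every parent container to the domain head and lists each access control entry defined there for that trustee, so the container that contributed a Deny (or the Allow someone expected) is visible at a glance. It assumes the ActiveDirectory module (it supplies the AD: drive that Get-Acl reads), rights to read the security descriptors, direct group membership only (nested groups and well-known principals such as Authenticated Users are not expanded), and placeholder object and account names in the usage line.

```powershell
# Added example (not from the guide): list a user's (and the user's groups') ACEs
# along an object's inheritance chain, with the container each one is defined on.
# Assumes the ActiveDirectory module and read access to the ACLs.

Import-Module ActiveDirectory

function Get-InheritanceChain {
    # Yields the DN itself, then each ancestor, ending at the domain head.
    param([string]$DistinguishedName)
    $dn = $DistinguishedName
    while ($dn) {
        $dn
        if ($dn -match '^(DC=[^,]+,?)+$') { break }     # reached the domain head
        $dn = ($dn -split '(?<!\\),', 2)[1]             # strip the leading RDN
    }
}

function Get-TrusteeAceChain {
    param([string]$ObjectDN, [string]$Trustee)   # Trustee in 'DOMAIN\name' form
    $depth = 0
    foreach ($dn in Get-InheritanceChain -DistinguishedName $ObjectDN) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # Report each ACE once, on the container where it was defined; the
            # inherited copies further down carry the same decision.
            if ($ace.IsInherited) { continue }
            if ($ace.IdentityReference.Value -ne $Trustee) { continue }
            [pscustomobject]@{
                Trustee    = $Trustee
                Depth      = $depth                    # 0 = the object itself
                DefinedOn  = $dn
                Type       = $ace.AccessControlType    # Allow or Deny
                Rights     = $ace.ActiveDirectoryRights
                AppliesTo  = $ace.InheritanceType      # None = this container only
                ObjectType = $ace.ObjectType           # non-zero GUID = property or extended right
            }
        }
        $depth++
    }
}

function Get-UserAceChain {
    param([string]$ObjectDN, [string]$SamAccountName)
    $user    = Get-ADUser -Identity $SamAccountName
    $netbios = (Get-ADDomain).NetBIOSName
    # Direct memberships only; nested groups would need a recursive lookup.
    $trustees = @("$netbios\$($user.SamAccountName)") +
                @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { "$netbios\$($_.SamAccountName)" })
    foreach ($t in $trustees) { Get-TrusteeAceChain -ObjectDN $ObjectDN -Trustee $t }
}

# Placeholder names; Deny entries sort first within each depth.
Get-UserAceChain -ObjectDN 'CN=Jane Smith,OU=Sales,DC=corp,DC=example,DC=com' -SamAccountName 'helpdesk1' |
    Sort-Object Depth, @{ Expression = 'Type'; Descending = $true } | Format-Table -AutoSize
```

Read the AppliesTo column before concluding anything: an entry on a parent with InheritanceType None governs that container alone and never reaches the object, which is a common reason an Allow set on an OU "does nothing". The tool complements rather than replaces the Effective Permissions tab, which also accounts for nested groups and the well-known principals this script leaves out.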

Thanks for Reading and Good Luck
Thanks very much for reading this Definitive Guide. I hope you've found helpful tips and useful explanations and that you're ready to go the next time a problem strikes your AD infrastructure.

Download Additional eBooks from Realtime Nexus!
Realtime Nexus: The Digital Library provides world-class expert resources that IT professionals depend on to learn about the newest technologies. If you found this eBook to be informative, we encourage you to download more of our industry-leading technology eBooks and video guides at Realtime Nexus. Please visit http://nexus.realtimepublishers.com.
