Microsoft Active Directory Permissions: Best Practices for Data Protection

In this article, we are bringing the best practices for data protection in  The most famous directory service. Microsoft Active Directory Domain Services (AD DS).  

Microsoft Active Directory (AD) is a database that keeps track of all the “objects” in the system – users, computers, security groups, services, etc. In AD DS, at one central location, defining and updating all the rights a particular object has on the network. 

In short lines, the vital part of any Microsoft Server System with the recommended highest rate of security.  

So let’s start with tips and best practices for securing Microsoft Active Directory the best way possible.  

Least-Privilege User Access (LUA)  

The principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. (Wikipedia Definition) 

As part of those principles, the recommendation is the usage of LUA : 

LUA is the reverse of administrative privileges for all users, and then scaling back permissions as needed. It’s one of the best tips for keeping your network safe. 

The “hard way” of granting permissions to users. In some way, it is personalized per each user. It’s based to determine needs of all users on network and grant permissions for that needs, no more, no less. 

The process is not easy, it requires a lot of communication and takes a lot of time to configure the system that way. But in a long-term, your system will operate safely and as it should. 

There are variations of this plan, like creating “section groups” with different permissions then placing everyone from the section in it. But that is not personalized setup, and still can offer too much or too little to an individual user.  

Know Your Active Directory Security Model 

Microsoft Active Directory security model, keeps every object stored in an Active Directory, safe and protected. 

That includes domain user and computer accounts, security groups, and group policies. 

It can help administrator determining user access to any object, and gives the option to specify access for groups of users, as part of security management. 

Every single object in Microsoft Active Directory has a security descriptor associated with it. Security descriptor defines the permissions on an object. Of course, all these attributes include the permission set or Access Control. List (ACL), which contain numerous Access Control Entries (ACEs) which allows or denies specified security permissions to some user or security group. 

ACEs can be explicit or inherited; explicit ACEs generally override inherited ACEs. 

And this is just a tip of a Microsoft Active Directory Security Model iceberg. 

The security model is not an easy thing to learn or explain in a single article. Even some experienced administrators have a hard time understanding the full model. So it is advised to any system Administrator to make his/her personal goal gathering knowledge about it as much as possible. 

With a better understanding of it, it can provide better insight into system security functioning and better protection of your organization, and with that better productivity and quality of service. 

A lot more regarding Active Directory Security Model can be found at the following link: 

Keep Your Software Up To Date and Secure 

In May 2017, a lot of windows server based system got attacked by WannaCry ransomware worm attack. Even Microsoft has discovered a vulnerability and released a patch, a month before the attack took place, still, a lot of systems haven’t applied it, and got struck by a worm, which intruded system, encrypted data and demanded ransom for it in form of Bitcoin. 

The attack was stopped within a few days of its discovery due to emergency patches released by Microsoft, and the discovery of “kill switch” that prevented infected computers from spreading WannaCry further. 

The consequence of the attack was estimated to more than 200,000 affected computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. 

Experts advise affected users against paying the ransom due to none reports of any data returned after payment and as high revenues would encourage more such attacks. After the attack had subsided, a total of 327 payments totaling $130,634.77 (51.62396539 XBT) had been transferred. 

As all examples, this one is a great opportunity to learn and adopt facts and previous errors so they would not be made again. 

This expensive and very real example shows the importance of software updating and applying official patches to your system software.  

Software without updates applied is unreliable software. Patch or update is made for a reason, and in most cases, it makes security better, and your system less liable for any type of attacks.

For that cases, Microsoft has great sites which can help administrators maintain their systems healthy and protected. It is highly recommended for all admins to monitor TechNet, and Microsoft Secure Blog, to keep up with system software, and security updates. 

It is not only up to administrators, but even their part of the job is also most important,  it is up to organizations to keep their hardware updated too. Even obsolete hardware can make the risk of security breaches high. So realizing that investing in hardware is not thrown money, but it is investing in security and functionality seems like the right way for all organizations. 

Usage of built-in Active Directory Features 

A lot of built-in Active Directory features can help administrators in protecting data and system environment.  None of them are “one program solves all” type of programs or some “big” lifesaving solutions, but correct usage of them can make a risk of potential security breaches lower. 

This is a list of some of the useful built-in features :  

Security Descriptor Propagator –  Compares the permissions on the domain object with the permissions on the domain’s protected user accounts and groups. If it finds any mismatch, it will reset the permissions. 

AdminSDHolder – Ensures enforcement of permissions on protected user accounts and groups, no matter of location on the domain. 

Privileged Identity Management – Allows the administrator to grant temporary rights and permissions to an account to perform any required functions. 

Role-based Access Control– Provides administrator the option of user grouping, and give them access to resources on the domain according to previously defined rules. 

Usage of Isolated workstations managing DCs 

If there is a need for logging on an Active Directory with an elevated account, because of any reason, these operations should always be performed from a special device, preconfigured to reduce the risks associated with everyday tasks.  

Such workstations should be isolated from the internet, and when used, they should be used with Least-Privilege User Access ( Lua) ( described before) principles. 

Those workstations should be completely protected by all kind of security software available. (anti-malware, endpoint firewall and application control). 

DC Workstations should be kept in their own organizational unit so they could have a special group policy set applied ( restricted local logons and other limitations). 

User accounts used on isolated workstations may be Service Desk accounts that have the ability to reset passwords for most of the users in a domain, accounts that are used to administer DNS records and zones, or accounts that are used for configuration management. Secure administrative hosts should be dedicated to administrative functionality, and they should not run software such as email applications, web browsers, or any type of productivity software. 


In conclusion, security of Microsoft Active Directory is huge, live, topic, and it can be studied and elaborated over and over. The best practices are, with a usage of described tools and techniques, only learning and monitoring, not only your systems but Microsoft news and updates regularly. 

It is a hard job, without long-term solutions. As systems develop and change, so are potential threats and malware, but being server administrator is like that, never-ending process. 



Prevent Unauthorized Access to Sensitive Data!

  • No more unauthorized access to sensitive data
  • No more unclear permission assignments
  • No more unsafe data
  • No more security leaks

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

Active Directory Authoritative Restore with Windows Server Backup


In short lines, an authoritative restore is a Windows Server process of return of a designated deleted Active directory object or container of an object to the state before deletion, at the time when it was backed up. 

An authoritative restore process will replicate the restore object across organization’s domain controllers, but, restore process will increase the Unique Sequence Number (USN) of all attributes on the restored object.  

Because the object will have a much higher Unique Sequence Number, it will replicate across all domain controllers of organization and overwrite anything associated to the previous object. 

In this article, our goal is to describe the procedure and make test example of this process. 

Procedure and Examples 

In an example, hypothetic scenario, it is needed to restore user deleted from Active Directory Users and Computers. 

First thing in the scenario is a restoration from backup. For a backup start, it is needed to restart the domain controller in Directory Recovery Mode (Safe mode). It can be done with a reboot and press key F8 on startup. 

Login is made with local admin, using username.\administrator, and password setter up during domain controller installation for Directory Services Restore Mode ( DSRM ). 

After login, right-click start menu and choose Command Prompt ( Admin ) option. 

When Command Prompt is accessed, following command,  will show available backups:

wbadmin get versions 

Following command (followed by “yes” option ) will start restoration based on the chosen backup entry : 

wbadmin start systemstaterecovery version: (chosen version) 

 And user will be prompted to reboot with “Yes” option. 

After reboot, it is needed to start the Command Prompt (Admin) again, and run ntdsutil command for accessing and managing a Windows Active Directory (AD) database. (Ntdsutil should only be used by experienced administrators and it should be used from an elevated command prompt). 

At ntdsutil prompt, it is needed to enter following commands: 

 activate instance ntds 

And after that : 

authoritative restore 

At authoritative restore prompt terminal, the full path to the object that is wanted to restore should be entered. 

restore object cn=(object name),OU=(organizational unit) ,DC=(domain controller),DC=local 

It is needed to confirm it with “yes”, and restoration will start.  

Exit the authoritative restore with the command:”quit” and ntdsutil with the command: “quit”. 

From Command Prompt terminal, disable safe boot sequence of a server with a command:

bcdedit /deletevalue safeboot 

After reboot and login to the server, a wanted object should be restored in Active Directory. 



Do you want to prevent unauthorized deletion of directory objects or something similar to this problem?

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

Windows Server: Clean Up Orphaned Foreign Security Principals

This article will show different ways to clean up orphaned Foreign Security Principals. There are more ways to do it, but before any method described, it is needed to say that if it is possible, clean your “orphaned FSP’s” with GUI method. PowerShell methods are not recommended to users without excellent knowledge of console, due to possible issues that method can cause. 

But first, let’s see overview – What is FSP? 


Foreign Security Principals (FSPs) are security principals, created when an object ( user, computer or group) is added to some domain group, but with origins from an external trusted domain. 

FSP is recognized by mark. It is marked with a red curly arrow connected to an icon of object and acts as a pointer. 

Active Directory creates them automatically, after adding security principal from another forest to a group from that domain. 

When security principal, on which FSP is pointing,  is removed, the FSP becomes orphan. Orphan is a term used for FSP’s which have no more principals, FSP is pointing on.   

In the case of the creation of the same principle, old FSP will still be orphaned. New FSP will have different   SID ( security identifier) number, no matter what principle is the same. 

The outcome could be that FSP that is once orphaned, stays orphaned forever until it is removed/cleaned up by the administrator. 

There are two ways of identification and cleaning orphaned FSP. It can be done by GUI ( Graphics User Interface), and by PowerShell console. 

Identification and clean up of orphaned FSP via GUI 

As mentioned before, this is the most recommended way of cleaning orphaned FSP’s. 

In “GUI” way, orphaned FSP can be found in Active Directory Users and Computers console, when advanced features are enabled (If advanced features are not enabled, FSP won’t be seen). They are stored in the ForeignSecurityPrincipals container. Orphaned FSP can be identified through column “Readable Name”. 

If FSP is orphaned, Readable Name column in the console will show up empty. 

They can be cleaned by selection and right-click deletion. 

Cleaning FSP via PowerShell 

For PowerShell cleaning, all FSP objects first have to be listed. 

All FSP’s can be listed by usage of Get-ADObject cmdlet. 

Get-ADObject -Filter {ObjectClass -eq ForeignSecurityPrincipal'} 

When listed, they can be removed by usage of the Translate method, but precaution is advised. There is a possibility, in case of network connectivity issue  FSP’s can be seen as momentarily orphaned, PowerShell method will delete them too, and that can make problems due to SID change.

$ForeignSecurityPrincipalList = Get-ADObject -Filter {ObjectClass eq 
 ‘foreignSecurityPrincipal' }    
foreach($FSP in $ForeignSecurityPrincipalList)  
 {$null=(New-Object System.Security.Principal.SecurityIdentifier($FSP.objectSid)).Translate([System.Security.Principal.NTAccount])}      
  {Remove-ADObject -Identity $FSP}  

Scheduled removal of orphaned FSP 

A task can be scheduled to make removal of orphaned FSP automatic.  

The best way to remove FSP by schedule  is by created script like for example : 

 The fictive company has a monthly turnover of  50 employees. 

A custom script can be made to delete orphaned FSP’s in the time range of 1 month  : 


Import-Module -Name OrphanForeignSecurityPrincipals 
$MyCompanyTurnover = 20 
 $OrphanFSPListFilePath ='c:\temp\OFSP.txt' 
$OrphanForeignSecurityPrincipalsList = Get-OrphanForeignSecurityPrincipal TabDelimitedFile $OrphanFSPListFilePath 

If ($OrphanForeignSecurityPrincipalsList) 
    If ($OrphanForeignSecurityPrincipalsList.Count -gt $MyCompanyTurnover) 
        $MailParameters = @{ 
            SmtpServer = '' 
            From       = '' 
            To         = '' 
            Subject    = "Orphan Foreign Security Principals found" 
            Body       = 'Please check attached file.' 
            Attachment = $OrphanFSPListFilePath 
          Send-MailMessage @MailParameters 
    }    else { 
        Remove-OrphanForeignSecurityPrincipal -TabDelimitedFile $OrphanFSPListFilePath 

Recovery of deleted FSP 

Deleted orphaned FSP’s can be restored by restoring it from recycle bin if recycle bin feature is activated before deletion is made. 

FSP can be restored via PowerShell cmdlets too : 

An object can be found  with the following cmdlet, and after they are listed, selected orphaned FSP’s can be restored: 

Get-ADObject -Filter 'IsDeleted -eq $TRUE' -IncludeDeletedObjects | Where-Object {$_.DistinguishedName -like "CN=S-*"} 

There is one more way of restoring orphaned Foreign security principals that we need to mention.  

It is the way of following same steps as made before first creation. By adding foreign user/computer/group account into the same groups where it has been before it got orphaned status. This step will create the same Foreign Security principal as it was before, just with different SID number. 


Avoid having problems on the FSP or Foreign Security Principals

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

Active Directory Design Guide

Companies use the Active Directory Domain Services (AD DS) in a server environment to make the work of network users less complicated and ensure resource sharing and management is secure, scalable, and all objects work as per their respective configurations. A well-designed AD DS can be used to manage the entire network infrastructure including the branch office and multiple forest environment. System Administrators should develop a habit of documenting all aspects of the domain structure and security strategies, as this becomes the new plan for future infrastructure and possible migration.  

The Basics of Active Directory Planning  

When planning for a domain, two things come into play: domain upgrading and domain restructuring. Upgrading your domain is more than just upgrading every domain controller; it involves the upgrading of both the Primary Domain Controller (PDC) and the Backup Domain Controller (BDC). Restructuring involves the creation of a new Active Directory from scratch. Restricting may lead to few but expanded domains. 

Develop a Migration Strategy

Having a migration strategy in place is an integral part of your overall design plan. Migration strategy involves studying the current or proposed configuration details and identifying which aspects of the domain will be migrated. A fall back system also has to be in place to counter any possible failure.  

Working with a Simple Design  

An Active Directory should be flexible in giving you an easy time when designing the forests. Designing a Domain for every department may look desirable in an organization but do not forget the general rule of running fewer but effective domains. An alternative to creating domains for every department is to use the Organizational Units, which are flexible and easy to manage.   

Active Directory Domain Design  

An Active Directory has four main divisions: the forests, the domain, the sites, and the organizational units. The system Administrators should maximize on the potential of these divisions to get the best out of any directory structure. 

When creating your domains, it is recommended that you use domain members who are near each other as possible. This is the best practice because the level of traffic within a domain is higher than you would expect between two different domains. Smaller domains also limit the need for investing in expensive connections to increase bandwidth. Remember to use the Organizational units to delegate Administrative privileges within an Active Directory. 

The Design of Groups and Organizational Units  

Before thinking of how the Groups and Organizational Units will work, System Administrators should know in advance the role of each group or units. The idea is to have a functional Organizational Unit and Groups in a bid to simplify the Active Directory environment. This goes a long way in simplifying management by giving you more control over the Active Directory. An active directory without a logical design of its users may lead to confusion. Here are some of the best practices when designing Organizational Units: 

  • Maintain a simple OU structure  
  • Limit OU nesting to less than 10 layers  
  • Apply Group Policy to groups via the Group Policy Filtering  
  • Do not utilize local groups for permissions in a domain environment 
  • Use local groups in the domain to control access to resources and group similar user groups. 

You can also use hidden OU to prevent viewing or altering in an environment where network application services are shared within departments and with external customers.  

Use Rules for Active Directory Sites  

Using Directory sites is an important element for any Active Directory domain. Sites can be limited to any computer object within a forest. Thus, they can be found across domains and organizational units. Sites are used to impose physical network to facilitate traffic flow. Sites also regulate traffic flowing to slower WAN links within the network; this will effectively increase productivity and serve to reduce costs on connectivity. 

The general good practice when designing sites  

  • Sites should be a reflection of the physical and geographical topology 
  • Every site should have at least one local Domain Controller 
  • Sites should be connected to faster links  
  • Remote clients do not need a dedicated site  
  • Sites are desirable when replication services are needed  
  • Sites can be added, changed, removed, without affecting network operations or configurations 

Active Directory Design Requirements  

Before the deployment of any Active Directory Services, the logical structure that reflects the working environment should be in place. The AD DS logical structure defines directory objects are organized and a method of managing individual accounts and shared resources. When planning for the logical structure, determine the number of forests, domain designs, the Domain Name System infrastructure, and Organizational Units. 

The Design of the Logical Structure should follow the following process 

  • Identification of the technical staff in charge of deployment  
  • Creation of the forest design  
  • Creation of the domain design for each forest  
  • Design a DNS infrastructure to support AD DS for every forest  
  • Design organizational units for delegating administrative tasks for every forest  
  1. Designing the Site Topology 

The site topology of the Active Directory network is a logical representation of the physical network. It has all the information about the AD DS location sites, the site of Domain Controllers, and the site links that support the AD DS replication taking place between sites.  

The site topology design goes through the following process 

  • Gather all network information  
  • Plan where to place the domain controllers  
  • Create the site design  
  • Create the link design  
  • Create the site link bridges

2. Planning for Domain Controller Capacity  

For an efficient output of the AD DS, System Administrators should determine the number of domain controllers for each site. Capacity planning for the domain controllers takes care of all the hardware requirements and avoids incidences of poor performance by the domain controllers 

The process of planning for the domain controller capacity planning involves: 

  • Collect site topology and design information  
  • Determine the number of domain controllers  
  • Create the site design  
  • Assess disk space and memory requirements  
  • Monitor domain controller performance  

Please note that some features can be added to the Domain design by raising the functional levels of the forests.  


The strategies presented in this guide apply in any server-operating environment. If you are not sure if your environment can meet the minimum system requirements, consult with other professionals on what needs to be done to deploy the AD DS. 


Want to have efficient and accurate reports about NTFS permissions on all your folders on your Windows Server Environment?

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

How to Optimize Your Active Directory for Windows Server 2016

Microsoft Windows Server 2016 is still new in the market and organizations are already asking their IT experts to evaluate its added value and possible challenges that one may encounter when moving from the current systems to the new server platform. In addition to the features found on Windows Server 2012 and 2012 R2, Windows Server 2016 presents new possibilities and capabilities that are missing on previous Windows Server platforms. Any new Windows Server Operating System that breaks the market gets more attention. Windows Server 2016 had made tremendous improvements to its Active Directory Optimization.

The best approach to take before implementing Windows Server 2016 is to test its readiness by looking for ways of minimizing the likely impact of migration. Another way to look at it would be to identify organizational needs and how they can be integrated for future implementations. The reason Administrators would want to try on the Windows Server 2016 Active Directory Optimization is to provide an opportunity for growth, offer flexibility, and enhance security setup in the organization. Now let us talk about active directory optimization

Why Does Windows Server 2016 Matter

Windows Server 2016 is a representation of combinations from different principles that define computation, identity, management and automation, security and assurance, and storage. All these are broken down into the core elements of the Server Operating System that consists of Visualization, System Administration, Network Management, and Software Defined Network (SDN) technologies, Cloud Integration and Management, Disk Management and Availability. All these are supposed to bring organizations to the future of technology without the need to discard some of the infrastructures being used in the current environment.

Windows Server 2016 is a full-featured server Operating System boasting of solid performance with modern advancements. This new server shares so many similarities with the Data Center edition that incorporates support for Hyper-V containers and new storage features and enhanced security solely to protect virtual machines and network communications that have no trust configured between them.

This article should help you the reader learn more about Windows Server 2016 features, factors to consider before moving from old to a new setup, and how to do Active Directory Optimization. More details on how to prepare to move and migrate efficiently by managing the new environment effectively.

Windows Server 2016 New Features

Several features and enhancements form part of this server operating system. Here are some of the highlights:

Temporary Group Membership

This form of membership gives Administrators a way of adding new users to a security group for a limited time. For this feature to work, Windows Server 2016 Active Directory must be operating at the functional level. System Administrators need to know beforehand all the system installation requirements during and after the transition.

Active Directory Federation Service

There are essential changes that come with Microsoft Windows 2016 Server Federation Service:

Conditional Access Control

Active Directory in previous installations had straightforward access controls because the assumption had always been that all users would be logging in from a computer joined to a domain with proper Group Policy Security settings. The conditional access gives users access to resources that have been assigned to them.

In the current technological setup users’, access resources from different types of devices that are not connected to the domain and usually work outside the organizations operating norms. This is a direct call for the improvement of security by introducing a Conditional Access Control Feature enabling administrators to have better controls over users whose requests should be handled on per application basis. For example, administrators may enforce multi-factor authentication when the compliant devices try to access business applications.

Support for Lightweight Directory Access Protocol (LDAP) v3

Another change that has been introduced in line with regard to the Active Directory Federation Systems is the Support for Lightweight Directory Access Protocol. The capability makes it easier to centralize identities across different directories. For example, an organization that uses non-Microsoft directory format for identification and access control can centralize identities to office Azure cloud or Office 365. LDAP v3 making it easier to configure a single sign-on for SaaS applications.

Domain Naming Service (DNS)

Active Directory and DNS go hand in hand because of the dependency of Windows Server systems on DNS. There have been no significant changes in the Windows Server DNS service until the arrival of Windows Server 2016. The following are new features under the DNS:

1.     DNS Policies

The inherent ability to create new DNS policies is said to be the most significant. These policies enable administrators to control the way DNS responds to different queries. Some examples of these policies are load balancing and Blocking of DNS requests coming from IP addresses whose domain have been listed as malicious.

2.     Response Rate Limit

The rate of the server response to DNS queries can now be controlled. This control is designed to help defend against external attacks such as denial of service by limiting the number of times in a second a DNS can respond to a client

3.     Microsoft IP Address Management (Microsoft IPAM)

The most significant improvement to the DNS is in its IP Address Management System that helps in the tracking of IP address usage. The integration of Microsoft IPAM feature on DHCP has been robust while the DNS one is minimal. The introduction of Windows Server 2016 brings in some new changes like DNS management capabilities by recording inventory. The support for multiple Active Directory forests by IPAM is a welcome feature. Supporting multiple forests is only possible if there is already an existing trust between them and that IPAM is installed on each forest.

Migration Considerations

Planning is critical when moving from an earlier Windows Server version to Server 2016. The goal of any migration should be minimizing its impact on business operations. Going ahead with the migration should be an opportunity for administrators to set up a scalable, flexible, compliant, and secure platform.

1.     Understanding the Existing Server Environment.

It is a rookie mistake to jump into implementation without a proper analysis of the current server environment. Assessment at this stage should look at users, groups, distribution lists, applications, folders, and Active Directory. On the business side, there is a workflow, emails, programs, and any infrastructure used that should be assessed before making the big move.

It is also vital that you:

  • Understand what needs to be moved and what is to be left as it is. For example, there is no need of moving inactive accounts and old data that is no longer relevant. All active data stores, mailboxes, and users are part of what you should not leave behind.
  • You will also want to analyze applications, users, and processes that need access and should be migrated to ensure that the relevant resources are available during and after the transfer.

2.     Improving Active Direct Security and Compliance Settings

Another critical factor to consider during migration is security and delegation by controlling who makes changes to Window Active Directory objects and policies. Most organizations choose to give access to Active Directory objects to solve an immediate problem and never clear the permissions. Proper controls should be in place to manage what can be added to the AD and who should be responsible for making such changes.

Continuous monitoring of activities in the Active Directory to ascertain if they comply with both internal and external performance regulations should be ongoing. Microsoft Windows Server and AD can audit events with visible output and can be implemented quickly in a busy setup. Having a coherent AD audit cluster with analytical capabilities is critical for marking unauthorized changes, spotting inappropriate use of the AD and related resources, tracking users in the entire infrastructure, and give compliance reports to the auditors.

3.     Ensuring Application Compatibility

Before making an effort to initiate migration, make sure that all software and third-party application used on your organization are compatible and can work with Windows Server 2016. All the in-house applications should also be tested to make sure they work correctly in the new environment.

4.     Minimizing Impact on Business

Minimizing in-house software compatibility is one aspect of reducing the cost of migration on the business. As an Administrator, you need to know how the issue of downtime will be handled when moving from legacy to new system. One thing you need to avoid is underestimating the impact of migration on users and operations by failing to analyze all access points. Many such challenges can be avoided by scheduling resource intensive migration tasks during off-peak hours.

Failure to have a smooth transition between legacy and the new system can lead to service disruptions lost productivity and increased the cost of doing business. The co-existence of both the old and the new system is essential in any Active Directory migration because users still need to access resources to ensure continuity. Directory synchronization is important at this stage to make sure that users can access their data.

5.     Restructure the Activate Directory

Moving from your legacy system to Windows Server 2016 should be taken seriously and not treated like any other routine IT task. This is an opportunity to restructure your Active Directory Optimization to meet its current and future needs. Every time there is a significant system upgrade, changes in organizational models and requirements may have prompted it. Changes in the IT technology is also a major force that influences restructuring of the Active Directory.

Determine the number of domains and forests needed. Examine the need to merge some forests or create new ones. You can also take an opportunity to join new infrastructure to remote offices that may not have been in existence in the legacy system.

Active Directory Management and Recovery

Every IT management faces challenges when managing the Active Directory on a daily basis. The configuration of user properties is time-consuming and error-prone when dealing with a large and a complex Windows Network. Some of these duties have to be performed manually leading repetitive and mundane tasks that end up taking up most of the Administrators time. However, when you decide to accomplish the above tasks using Windows Native Tools or the PowerShell means that you must have a deeper understanding of how the Active Directory and its features work.

The use of software to manage the Active Directory repetitive tasks simplifies the process. You can also get detailed reports on tasks and their status. Using software offers solutions that help in the planning and execution of an efficient AD restructuring, which will eventually help you, implement a secure system. Managing AD using software gives a common console where the management can view and manage Active Directory, users, computers, and groups. Some software’s enable the administration to plan for a secure way of delegating repetitive tasks and perform controlled automation of the Active Directory Structure.

Software Implementation

Two popular software being used in the management of Active Directory optimization tasks are:

  1. ADManager Plus
  2. Quest Software

They both can help in the restructuring and consolidation of Windows Server 2016 in a new environment.

1.     ADManager Plus

The ADManager Plus has additional features such as sending and receiving customized notifications via SMS or emails. The search options make it easier for IT managers to search the directory with ease through its software interface panel. Using the ADManager Plus, the IT department can execute windows optimization tasks with ease in addition to the integration of utilities such as ServiceNow, ServiceDesk, and AdselfService Plus.

Active Directory User management

ADManager Plus manages thousands of your Active Directory through its interface. This property helps you create and modify users by configuring general attributes, exchange server attributes, and apply exchange policies, terminal service attributes, and remote login permissions. You can set new users in Office 365 and G suite when creating the new accounts in the Active Directory. You can design templates that can help the help desk team to modify and configure user accounts and properties by a single action.

Active Directory Computer Management

This solution allows for the management of all computer in the existing environment from any location. You can create objects in bulk using CSV templates by modifying group and general attributes of computers, move them between organizational units, and enable/disable them.

Active Directory Group Management

The management of groups is made more flexible using the software modules used in the creation and modification of groups using templates and conduct all configuration attributes in an instant.

Active Directory Contact Management

You can use this software management tool to import and update Activate Directory contacts as a single process. Therefore, this implies that you do not have to select individual contacts for an update.

Active Directory Help Desk Delegation

The ADManager Plus delegation feature can help administrators to create help desk administrators, and delegate desired tasks related to user attributes. The various repetitive management tasks for users, group, computers, and contacts can be delegated using customized account creation templates. The help desk users can share the workload of the administrators which frees them up giving them more time to work on core duties.

Active Directory Optimization Reports and Management

The ADManager plus provides information on different objects within the AD which allows for the viewing and analysis of information on its web interface. For example, you can see a list of all inactive users and modify the accountant accordingly.

2.     Quest

Quest software takes a different approach because it deals with preparation, recovery, security and compliance, migration, consolidation, and restructuring.


During preparation, Quest helps in the assessment of the existing environment with the enterprise reporter gives a detailed evaluation of the current setup that includes the Active Directory, Windows Server, and SQL Server. During this assessment, Quest can report the number of accounts you have in the Active Directory and isolate the active and the disabled ones. Knowing the exact status of your environment is paramount before the migration begins.

Quest helps discover identities and inventories on application servers that are dependent on the Active Domains that are being moved to enable you to fix or redirect them on the new server.

Migration, Consolidation, and Restructuring

The Migration Manager for Active Directory gives the Zero IMPACT AD restructuring and consolidation. The Migration Manager offers a peaceful coexistence to both the migrated and yet to be migrated by maintaining secure access to workstations and resources.

Secure Copy offers an automated solution for quick migration and restructuring files on the data server by maintaining the security and access points. Its robustness makes the tool to be rated as perfect for planning and verification of successful file transfers.

Migrator for Novell Directory Service (NDS) helps administrators move from Novel eDirectory to Active Directory. The tool also moves all data within Novell and re-assigns permission to new identities in the new server.

Security and Compliance

The Change Auditor for Active Directory gives a complete evaluation of all the changes that have taken place in the Active Directory Optimization. The evaluation report contains information such as who made the changes, what kind of changes was made, what were the initial and final values before and after adjustment, and the workstation name where the change occurred. The change auditor tool also prevents changes, for example, you can disable the deletion of or transfer of Organization Units and changes that can be made Group Policy Settings.

Access Control

Active Roles modules ensure that security of the AD complies by enabling you to control access by delegating tasks using less privilege. This gives an opportunity to generate access rules based on defined administrative policies and access rights. You can use the Active Roles to bring together user groups and mailboxes as well as changing and removing access rights based on role changes.

Centralized Permission Management

The Security Explorer facilitates the management of Microsoft Dynamic Access Controls (DAC) by enabling administrators to add, remove, restore, backup, and copy permission all on a single console. The tool can make targeted or bulk changes to server emissions made possible by the enhanced by Dynamic Access Control management features such as the ability to grant, revoke, clone, and modify permissions.

Monitoring Users

The InTrust enables the secure collection, storage, and reporting alerts on the data log that complies with both internal and external regulations surrounding policies and security best practice. Using InTrust, you get an insight into user activities by auditing access to critical systems. You can see suspicious Logins in real time.

Management and Recovery

The easiest way the IT administrator can manage user accounts, computers, and objects via the Group Policy. Poor management of the Group Policy Objects (GPO) can cause many damages. For example, if your GPO is assigning proxy settings with wrong proxy values.

GPO Admin will automate Group Policies, and it has a workflow to enable the checking of changes before being approved by the GPOs. When GPO’s are used in the production industry, the management team will be impressed by the reduced tasks as it improves security.

Recovery is a critical process in any organization that runs its system based on Windows Server 2016. You can also recover the wrong entries and accounts that were removed. The Recovery Manager for Active Directory gives access to other features that report on the differences and help restore objects that were changed.

It is important to be prepared in readiness for disaster and data recovery. In case your domain finds itself in the wrong hands, or the entire network setup is corrupted, use the Recovery Manager for Active Directory optimization utility.


Windows Server 2016 has a wealth of new features and capabilities to streamline and improve the management and facilitate better user experience. A successful implementation means that Active Directory Optimization has a sound consolidation process. Administrators who have already tested this Server Operating Services should take advantage of the new capabilities

The benefits of Active Directory optimization tools and utilities are numerous because they help in setting up a flexible and secure Windows Server 2016 and Active Directory that will work for your current and future environment. These utilities help managers who are not well conversant with some IT related Active Directory optimization management tools who need to switch to the new server to comply with regional and international standards.



Prevent Unauthorized Access to Sensitive Windows Folders!

  • No more unauthorized access to sensitive data
  • No more unclear permission assignments
  • No more unsafe data
  • No more security leaks

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

Overview: How to Troubleshoot Active Directory Replication Issues

Active Directory Replication is more or less the center of all sorts of problems. It is a crucial service and it becomes more complicated when dealing with more than one domain controller.  Issues relating to replication can vary from authentication issues and problems arising when trying to access resources over the network. 

All objects in the Active Directory are replicated between domain controllers so that all partitions are synchronized. A large company with multiple sites means that replication takes place at the local site as well as the other sites to keep all partitions synchronized. This article aims to show you how to troubleshoot Active Directory replication issues. 

Active Directory replication problems come from different sources, some of which are Domain Name System failures, network problems, or security issues. 

Resources Needed to Troubleshoot Active Directory Replication 

Failures coming in and out the active directories due to replication issues lead to many inconsistencies between domain controllers. Such failures lead to systemic failures or inconsistent output. Identifying the main cause of replication failure helps system administrators identify the possible cause and hence elimination of the problem.  One of the commonly used interfaces based replication-monitoring tool is the Active Directory Replication Status Tool. 

Understanding Recommendations from the tool solution 

The red and yellow warning events in the system logs will always point out to the specific cause of replication failure and give the source and destination in the Active Directory. Any steps that are suggested by the warnings should be tried as explained. Other tools such as the Repadmin tool can give more information to help resolve replication issues. 

  • Eliminating Disruptions or Hardware Failures 

Before troubleshooting replication failures, it is important to rule out any issues related to software updates or upgrades, intentional disruptions, software configurations, and hardware failures. 

  • Intentional Disruptions 

Disruptions caused by unavailability (offline state) of a remote domain controller can be corrected by adding the computer as a member server using the Install From Media (IFM) method to configure the Active Directory Domain Services. The Ntdsutil command-line tool can be used to create installation media. 

  • Software Upgrades and Hardware Failures 

Hardware failures can come from failing motherboards or hard drives. Once a hardware problem is identified, system administrators should take immediate action to replace the failing components. Active Directory Replication failures can take place after a planned upgrade. The best way to handle this is through an effective communication plan that prepares people in advance. 

  • Software Configurations 

Some software settings such as the typical windows firewall have port 135 open alongside other advanced security settings. Some firewalls can be configured to allow for replication. 

Responding to Failures Reported on Windows 2000 Server 

Active Directory configured on Windows 2000 Server that has failed beyond the tombstone lifetime should be resolved by: 

  • Moving the server from a corporate to a private network 
  • Removing the Active Directory or Reinstalling the Operating System 
  • Removing its metadata from the Active Directory to hide its objects 

Removing the server metadata ensures that any attempt by the server to revive objects settings after 14 days is impossible. This also helps avert further error logs due to replication attempts with a missing Domain Controller. 

What are the Root Causes of Replication? 

Apart from the already discussed causes leading to replication failures, here are some other reasons. 

Network Connectivity: caused by unavailable network or wrong configurations 

Name Resolutions: Wrong DNS configurations 

Authentication and Authorizations: Aces denied errors every time a domain controller tries to connect for replication 

Directory Database: A slow data store not being able to handle fast transactions that take place within replication timeouts. 

Replication Engine: when replication schedules are short, it will lead to longer queues and large processing which may not be possible within the outbound replication schedule. 

Replication Topology: All domain controllers need to have links linking them to other sites within the Active Directory.  The links should map wide area networks or the virtual private network connections. All objects should be supported by the same site topology within the network to avoid replication failures. 

How do We Fix Replication Problems 

Any of the following approaches can be used to fix Active Directory Replication Issues: 

  • Daily monitoring of the state of replication using the Repadmin.exe to extract daily status updates 
  • Resolving reported replication failures as soon as possible, using steps provided in the event logs. Replication failures resulting from software configurations require un-installation of the software before attempting any other solutions. 
  • If all attempts to resolve replication issues do not work, remove the Active Directory Directory Services from the server and reinstall. 

When an attempt to remove AD DS fails when the server is online, any of the following methods can resolve the issue. 

  • Force the removal of the AD DS from the Directory Restore Mode (DSRM) by cleaning up the server metadata and reinstall the AD DS. 
  • Reinstall Operating system and reconfigure the Domain Controller 

Retrieving Replication Status Using Repadmin 

When everything in the Active Directory is working as intended and produces no errors, then it means the following services are working correctly: 

  • DNS 
  • Remote Procedure Call (RPC) 
  • Network Connectivity 
  • Window Time Service (W32time) 
  • Kerberos Authentication Protocol 

The Repadmin tool is used to study the daily replication activities. The tool is able to access all the replication status of all domain controllers in the forest. The report is relayed in a .CSV format that can be accessed using any spreadsheet reader. 

Generating Repadmin for Domain Controllers in a Spreadsheet.                                 

Using the command prompt as an administrator type the following: 

Repadmin /showrepl * /csv > showrepl.csv 

  • Open Microsoft Excel, navigate to the showrepl.csv, and click open 
  • Hide or delete column A and the Transport Type Column 
  • Select the row below the column heading and click freeze panes by clicking on Freeze Top Row 
  • Select the whole spreadsheet and click filter from the data tab 
  • Click on the down arrow below the source DC column, point to text filters, and select the custom filter. 
  • In the custom AutoFilter box, below show rows where click on does not contain.  On the box next to it, type Del to eliminate results from deleted domain controllers. 
  • Repeat the previous step for the Last Failure Known Column and use does not equal and type 0 
  • Resolve replication issues. 


Replication going on smoothly throughout the Active Directory is critical. Poor replication means all manner of problems from authentication to inconsistent results.  The article is supposed to help you check on your system’s replication status and learn how to resolve the common replication errors.  

Protect Yourself and discover all permissions owner on your Windows fileservers!

Pass your next security audit without worrying about security leaks!

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

Active Directory Account Lockout: Best Practices

Windows Account Lockout policies are useful when you want to limit the attempts made by people who try to access your network by guessing passwords. The account policy is also good for enforcing strong password policies. When the account lockout policy is in place, it limits the number of times a person can consecutively make login attempts with a set period. However to reduce the frequent calls to the customer desk office you need a lockout policy with increased account lockout duration, decreased lockout threshold, and an increased reset lockout counter. Windows account lockout policies are defined by three independent policies:

  1. Reset account lockout policy
  2. Account lockout duration
  3. Account lockout threshold

Generally, the account lockout policy is configured in the Group Policy Management Console. The path to the console is

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

This document reviews some of the best practices that can be used to disable a user account if a wrong password is issued within a specified period. Here are some of the best practices as used in a typical windows environment.

1.    Setting the Account Lockout Policy

You need to create a lockout policy GPO that can be edited through the following path:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

The default parameters for account lockout duration should be:

  • 1440 minutes for lockout duration
  • 10 invalid logins for account threshold
  • 0 minutes for reset account counter to ensure the account does not unlock itself.

Once the account is locked, the Administrator should determine the lockout period before intervening. Any settings between 1 and 99,999 minutes will automatically unlock the account. The policy must be set to be equal to or greater than reset account lockout counter.

The value for account threshold is the number of attempts an account can sustain when a wrong password is used

The reset counter prompts windows to look for consecutive failed attempts and counterchecks if it needs the reset account lockout after threshold.

2.    Review Account Lockouts

Account lockout investigations will be successful only through capture logs that can be used to trace where the breach is coming from. The administrator can take the following steps:

  • Enable auditing of login events
  • Enable the logging of Netlogon events
  • Kerberos auditing should also be logged.

After looking at the data coming from the enabled features above, analyze security event log files and net login files to find out the origin of the lockouts and why it is taking place. Once you have identified the machine with login errors, analyze its event logs to determine the cause.

3.    Using Account Lockout and Management Tools

Some Microsoft and third-party tools can be used to investigate account lockouts to help determine the cause. These tools send an alert in real time thus giving the help desk an easy time when asked to resolve them.

Netwrix Account Lockout Examiner

This tool helps the system administrator know of an account lockout. This is a freeware that helps identify the root cause of persistent lockouts. System administrators can access the troublesome accounts from the console. This account tool and examiner reduces the strain on the service desk who are alerted even before the user makes the call for help. A working Netwrix Account Lockout Examiner is enough evidence that the Active Directory Account Lockout policy complies with set standards. Netwrix Account Lockout is a tool Administrators can use to identify malicious attacks from viruses leading to multiple lockouts.

The AD Lockouts and Bad Password Detection

The tool is used to track the origin of lockouts in the active directory due to bad password attempts. The utility is useful in large organizations running multiple domains. The system administrator can use the tool to:

  • Search each domain for bad password attempts against a particular account(s)
  • Analyze any events related to failed login attempts on each domain controller by tracing the possible origin of the lockout

Use event logs from every machine in the network to determine if the following common causes of account lockout are present:

  • Mapped drives with open permissions
  • Old and possibly running Login and RDP sessions
  • Tasks and services running on old credentials

Microsoft Account Lockout Status Tools

This account lockout tool is available from Microsoft and can be downloaded to increase the functionality of the Active Directory. Microsoft recommends using this tool alongside the Account Passwords and Policies white paper.

The primary functions of this tool are:

  • Help in the isolation and troubleshooting locked accounts by changing user password on the domain controller. It automatically adds property pages to the user account in the Active Directory Users and Computers management console
  • On the client side, the tool determines what processes or applications are sending the wrong signals or credentials
  • You can use the tool to display account names and age of respective passwords
  • Can be used as a startup script by allowing Kerberos to run on clients using Windows 2000 and later
  • Collects events from event logs of all machines to a central location
  • The tool also identifies all domain controllers involved in a lockout by way of gathering all logs. The output is generated and saved as a .CSV file whose content can be sorted if needed.
  • The lockout tool can be used to extract and display specific entries from the Netlogon log files.

Please Note: Microsoft account lockout status tools should not be used on a server hosting network application and services as it may prevent some critical services from loading.

4.    What are The Causes of Account Lockouts

  • When the port 3389 used by the RDP is open, and brute force applied.
  • Replication in the Active Directory
  • Programs running with cached user credentials
  • Service Accounts with expired or changed passwords
  • Low password threshold settings
  • Shared drive mappings
  • Disconnected terminal sessions
  • Mobile access to the exchange server via IIS
  • User logging on multiple computers
  • Saved account credentials with redundant passwords and usernames.


An account lockout policy is in place to disable users with bad passwords from accessing the system. This policy is enforced after several attempts have been made within a specified period. Using such a policy and with the help of third-party tools and utilities prevent malicious attacks, therefore, reducing successful attacks on your network. The user can access the affected account after the System Administrator has reset the password or after the specified lockout period has lapsed.


Protect Yourself and discover all permissions owner on your Windows fileservers!

Pass your next security audit without worrying about security leaks!

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

What’s New in Windows Server 2016 Federation Services?

The corporate environment requires many collaboration application services to promote a seamless workflow environment. Windows Server 2016 represents major steps towards an environment that supports cloud features and an improved level of security and innovations. Some of the improvements found in Windows Server 2016 include:

  • Active Directory Federation Services (ADFS)
  • Microsoft IP Address Management (IPAM)
  • Conditional Access
  • Temporary group membership

Our main concern will be to highlight the new things Active Directory Federation Services (ADFS) bring into a Windows Server 2016 network environment.

Active Directory Federation Services gives access to single Logons across the entire network on a different application such as Office 365, SaaS applications, and other cloud-based applications.

In general, the IT department can enforce Logons and access controls to both modern and legacy software. The user benefits by accessing a seamless Login using the same account credential and the developers will also have an easy time managing running applications because the authentication process is handled by the federation services.

Here are some of the new features that came with Windows Server 2016 Federation Service:

Eliminate the Use of Passwords on A Private Network

Active Directory Federation Services gives three possibilities for Logons without passwords. This eliminates the risk of the network being compromised by leaked or stolen passwords.

Using Azure Authentication Features

Federation 2016 services are based on Multi-Factor Authentication (MFA) that allows signing in using an Azure MFA code without the need to key in the username and password. The user will be prompted for a username and a one-time password (OTP) code for authentication.

When the MFA code is used as an additional authentication method, the user will be prompted to give the usual authentication credentials and later on prompted for text, OTP, or a voice password before logging in.

Setting a Federation Service to work with Azure MFA is now simple because organizations will implement Azure without the need of having a physical Azure server location. Azure can be configured to work in both local and private networks or be incorporated within an access control policy of the organization.

Allowing Password-less Access

Active Directory Federation Services 2016 uses device configuration capabilities to allow access on network-based devices. Users log in using the devices and its validity tested for attribute changes to maintain the integrity of the device and network security. Use of accepted devices ensures that granted access is granted to specific devices, private network access is only accepted via managed devices, and authentication requires several steps for any non-compliant computer or devices.

Using Windows Hello for Business Credentials

Workstations using the Windows 10 Operating System have an inbuilt Windows Hello and Windows Hello for Business. The credentials used are protected by gestures such as fingerprints, facial recognition, voice recognition, etc. Using the Windows 10 capabilities means that users can sign in to a Federation Server 2016 without the need of a password.

Secure Access to Applications

Windows Server 2016 Federation Services works with the latest modem protocols to offer a better experience to Windows 10, Android, and iOS users.

Some access control policies can be changed without necessarily having the knowledge of the claim rules language. This made it almost impossible to configure and maintain policies. Using Federation Services, one can simply use built-in templates to be applied in common policies such as:

  • Limit access to Local Area Network only
  • Allow everyone to access the server and ask for an MFA from private networks
  • Allow everyone to access the server and ask for an MFA from a specific group

Using templates is recommended because they are easy to customize and add exceptions or additional policies that can be applied to one or many applications.

Allow Logons without Active Directory Lightweight Directory Access Protocol (LDAP) Directories

Most firms use Active Directories alongside third-party directories for Logons. The introduction of Federation Services allows for the authentication of users whose credentials are stored in LDAP. This further helps third-party users whose data are stored in LDAP v3 compliant directories, also works with users in a forest with an Active Directory that has its two-way trust not configured. Users found in Active Directory Lightweight Directory Services are able to sign in.

Flawless Sign-in Experience

All applications using Active Directory Federation Services give users ability to customize Login experience. This is more appropriate for organizations dealing with various companies and brands. In previous editions, there was a common sign-on experience with customization facility available only for a single application. The Windows Server 2016 gives you the ability to customize messages, images, web themes, and logos. Additional customized web pages can be created for every business platform.

Improved Management and System Operations

Streamlined Auditing

Auditing is streamlined in Active Directory Federation Services 2016, unlike the previous versions where every single vent necessitated an event log.

Improved Interoperability with Security Assertion Markup Language (SAML 2.0)

Additional SAML protocols that support trusts importation with multiple entries are found in Active Federation Services 2016. This allows for the configuration of Active Directory to be part of confederations and implementations that conform to the eGov 2.0 standard.

Simple Password Management for Office 365 Users

Active Directory Federation Services enable password configuration that allows sending of password expiry claims within protected applications. For instance, Office 365 users rely on updates implemented via Exchange and Outlook to get notifications on the expiry status of their passwords.

Migration from AD FS Windows Server 2012 to AD FS Windows Server 2016 Made Easier

Previous editions demanded that configurations be exported from the old farm and importing into the new farm. When moving from Windows Server 2012 to Windows Server 2016, adding a new Windows Server 2016 to Windows Server 2012 and eventually adding Windows Server 2012 to the farm by verifying functionalities and removing the old server from the load balancer. The new features are ready to use once Windows Server 2016 is running and upgraded to farm behavior level 2016.


Federation Services help in managing identities across different networks and as such forms the foundation of cybersecurity in the cloud world. With this information, it is time to optimize your Active Directory environment by giving it a new design and restructure it before migrating to the latest Windows Server 2016 Federation Services.




Unauthorized Access to Sensitve Data?

Analyze and Report Data Access on Windows Folders in Under 60 Seconds!


Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

Setting Up Active Directory in Windows Server 2016

The latest addition to the Windows Server versions is the Windows Server 2016. Setting up an Active Directory may be something you have already done in the previous versions, but still, getting to know the steps needed to set up an Active Directory role for 2016 is important.

There are two important steps to consider before starting this process. If the Windows Server is to be used in a production environment, the IP addresses should be defined as static. The other thing to keep in mind is to rename the server to a suitable name because renaming the server after the AD has been defined may not be all that easy.

In this article, we will look at:

  • Installing the Active Directory
  • Setting up the Domain Controller

All these two activities need administrative privileges because they are the foundation of user and group management, policy, and security in a typical server environment.

Installing the Active Directory

  1. Click on the Start button then on the Server Manager icon.
  2. The Server Manager dashboard will load, giving access to the roles and features wizard. Click Next to proceed.
  3. Choose the installation type as the default (role-based or feature-based installation).
  4. The next step is to select the Installation Server from the already existing server based on the local server list.
  5. When you click on Next, a pop-up screen will appear. Check the Active Directory Domain Service box. The associated features specific to that role will pop up. Another pop-up wizard will show up that enables you to add the selected role(s).
  6. Click on the add featured followed by Next. The .NET 4.6 features should be checked on the following screen.
  7. On the Active Directory Services screen, click on Next. You will be given an overview of the roles of a Domain Controller and all the services that will be installed. All first Domain Controllers require that a DNS service be set up after this step.
  8. Click on Install to initiate the process.
  9. Once the installation is complete, click on the Promote this Server to a Domain Controller option.
  10. An Active Directory configuration wizard will open up with an option to:
  • Add a Domain Controller to an existing Domain
  • Add a new Domain to an existing Forest
  • Add a new Forest

Setting up the Domain Controller

To set up a new Domain Controller, select the option Add New Forest and type in the root Domain name.

  1. The next screen is for selecting the Domain and Forest functional levels. The Directory Service restore mode password should be entered if the first Domain Controller use Windows Server 2016 as the forest and functional. The DNS option should also be checked alongside the Global Catalog (GC). Click on Next.
  2. When configuring the first DNS server in a new Forest, an error message is bound to pop up. For now, no need to make any modification because the Domain Controller is using the Active Directory integrated DNS. Click on Next.
  3. Click on the NetBIOS Domain name (selected by default) and click on Next. For the NetBIOS name, the default is okay.
  4. Next wizard is the selection of paths in the Active Directory database, Log files folder, and SYSVOL folder. The default values are okay. Click on Next.
  5. Then we have the review wizard that contains all the selected configurations. Review everything and make necessary changes. If no change is needed, you can click on Next.
  6. Pre-requisite checks are needed to make sure everything falls into place. The install button will only be active once the pre-requisite check has passed. If the checks are successful, click on Install.
  7. The server will automatically reboot when the installation has finished.

Once the computer reboots, log in as the Domain administrator and head straight to the Administrative Tools. Open the Active Directory users and computers to confirm successful operation of the Active Directory and the DNS.

Other Things You Need to Know

Setting up Static IP addresses on Windows Server 2016.

  1. Open the Control Panel.
  2. Click on the View Network and Status Tasks found in the Network and Internet applet.
  3. Click on Change Adapter Settings.
  4. Right click on Network Connections and select Properties from the pop-up menu.
  5. Scroll down, select Internet Protocol Version 4 (TCP/IPv4) and click on Properties.
  6. Key in the IP address, the subnet mask, and the default gateway. The preferred and alternate DNS server addresses are also needed. Click OK.
  7. Reboot the server.

The new features made available in Windows Server 2016 should also make system administrators aware of the minimum system requirements to install and configure both Active Directory and Domain Controller.

Here are the minimum software and hardware requirements:


  • A 1.4 GHz 64-bit processor compatible with the x64 instruction set.
  • Support both NX (no execute) and DEP (Data Execution Prevention).
  • Supports second-level address translation such as EPT and NPT.


  • At least 512MB (if you are installing a server with a desktop environment, then a minimum of 2GB is needed).
  • RAM with ECC (error correcting code).

Storage Controllers and Disk Space

  • A computer designed to use the Windows Server 2016 Operating System should have storage adapters compliant with the PCI Express specifications. Hard disks or any permanent form of storage cannot be PATA since Windows Server 2016 does not allow ATA/ PATA/ IDE/ EIDE configurations.
  • Hard disks can have a minimum partition requirement of 32GB.

Network Adapter

  • Any adapter that can use gigabit throughput.
  • A card compliant with PCI Express architecture.
  • A card that supports Pre-Boot Execution Environment (PXE)
  • A network debugging enabled card is desirable, but not a requirement.


Installation of the Active Directory is almost standard across all Windows Server Operating Systems. Some people may use their experience to set up a new Active Directory without putting into focus the minimum hardware and software requirements needed. When handling an installation in an old system, you may be forced to confirm if all the requirements are met.

We hope that you find it helpful to have read this article.




Do you have unclear NTFS Permissions assignments?
Do you have too many special permissions set on your fileservers?
Or blocked NTFS Permission Inheritance?

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

Windows Server Optimization: Active Directory Auditing – Track User Logons

Tracking user logons gives system administrators an opportunity to identify active and inactive accounts and global access rights that could put the organization information at risk.

Active Directory auditing involves the collection of data on all Active Directory Objects and attributes that are helpful in analyzing and reporting the overall health of the Active Directory.

Audits are performed to secure the Active Directory from attacks and to keep the IT operations running. Tracking User Logons is needed to help in the following operations:

1. Track the logon activity on Domain Controllers.
2. Track user logon activities (logon failures, recent logons, last logon on workstations).
3. Track logon activities on Member Servers and Workstations.
4. Monitor RADIUS logon on computers.

In a busy working environment, Active Directory Auditing helps verify the number of users accessing the Active Directory at any given time, identify remote logon users, determine the peak logon sessions, monitor all critical logons, act on unauthorized attempts and access, and generate backup reports in case of any queries or investigations.

Why Using the Native Active Directory Auditing is Insufficient

1. The day-to-day logon information collected in the server logs may not be friendly to non-technical staff.
2. The logon information requires expertise to understand the specific events correlating to every logon activity.
3. The amount of data collected is voluminous due to the continuous activities on the Domain Controller. Dealing with such huge amount of data is tedious and time consuming.
4. The restrictive nature of the Domain Controllers means access to its logos are limited to specific personnel.
5. The inability of other Non-Administrative staff outside the IT department to access real time logon data also makes the Native Active Directory Auditing out of reach for managers, auditors, human resource staff, etc.

The Solution to Native Active Directory Auditing

The only possible way of tracking real time logon activities on a large scale for auditing is to use a software like Manage Engine ADAudit Plus that details all logon information into a single document that can be shared from a central server console.

The ADAudit Plus tool gives all information relating to successful and failed logon attempts.

Active Directory Logon Auditing

Real time auditing means tracking every logon activity as it happens to the entire Active Directory. The outcome of this audit is listing all logon activities that can be viewed on the central server in an instant.

The logon report contains information on failed logons, Domain Controller logon information, Member Server logon information, Workstation logon, recent and last logon activities.

Active Directory Logon Auditing also helps in reporting on specific logon events by listing all Logon related actions. All this information is presented on a web interface displaying data in statistical format via charts, lists, and graphs. Due to the insufficient nature of Active Directory, using the ADAudit Plus relays more information some of which are explained below:

Logon Activities on Domain Controllers
Domain Controllers from the critical element in Active Directory because all changes taking place in the Active Directory takes place here. Such logons are restricted to network administrators or privileged users. Any attempts by other users should be a wake up call for administrators to take corrective action.

ADAudit Plus give details such as user’s location, time of logon, success or failed logon attempts, and the reason for failure if any.

Tracker User Logon Activities (logon failures, recent logons, last logon on workstations)
Logon failure report gives information on reasons why a failure occurred and the number of failed attempts reported for a particular user. This information could be useful for system administrators on possible external attacks.

Some common reasons for logon attempts could be related to bad name or wrong password. Other reasons such as errors due to time restrictions, replication delays, and different workstation OS version can also be reported.

Reports on user logon give all the information needed for auditing the entire logon history on the server and the clients end. This information is only accessible to specific domain users. User’s logon history is used to draw a logon pattern and used to show system auditors proof of activities on the network.

Recent activities are used by administrators to ascertain whether every past logon was used as intended. An analysis of past logon can be used to measure levels of irregularities. ADAudit Plus gives details of both successful and failed logons alongside reasons for unsuccessful attempts. The unsuccessful logs are used for planning any corrective measures.

The last logon on workstations has all the information on the time of last successful logon attempts. The report of this audit can be used to show absenteeism or availability of a user.

Track Logon Activities on Member Servers and Workstations
Tracking logon activities on member servers and workstations help administrators tracks the logon activities of users with authority to access selected servers and workstations. The type of information displayed here are times of access, location of the user, including the workstation details, successful or failed logins, and the reason behind the logon failure.

Monitor RADIUS Logon on Computers
Users accessing the Domain server from a remote location need to use the Remote Authentication Dial-in User Service (RADIUS). Getting reports on remote users in the form of logon failures, authentication through the Active Directory and logon history. Only RADIUS logon activities running through Network Policy Servers can be reported.


Since the aim of any server optimization is to speed up operations and in the case of logon auditing, speed up reporting. Native Active Directory Auditing may give comprehensive information, but is weighed down by the reporting time.

System administrators should take advantage of Active Directory auditing tools such as ADAudit Plus to help in carrying Active Directory audit. An Active Directory Reporting tool should be able to filter out information by marking out WHEN a change in the Active Directory was made, WHERE the change took place, WHAT is the nature of the change, and WHO is responsible for the change.

All these identifiers in a report are to facilitate easier understanding when reviewing the summarized information.




Do you have unclear NTFS Permissions assignments?
Do you have too many special permissions set on your fileservers?
Or blocked NTFS Permission Inheritance?

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!