Detect Permission Changes in Active Directory

This articles describes how to track permissions changes in Active Directory.

Overview

Let’s start an article, with a small example :

If some example organization works in three shifts, with different server administrators, and , in meantime permissions on some Active Directory objects, change, overnight, it is the good practice to know which admin ,and when changed it.

For that information, auditing for changes to permissions on Active Directory should be enabled, and in this article, we will explain how to do it successfully.

Enable auditing of Active Directory service changes

The first step is enabling auditing of Active Directory service changes. It has to be done on the domain controller, on a way to change Group policy object, Default Domain Controllers Policy.

The operation should be done from a server, or a workstation with Remote Server Administration Tools (RSAT)  installed.

By opening Group Policy Management, and expanding Active Directory Forest, Domains, and then the Domain Controllers Organizational Unit (OU), access to Default Domain Controllers Policy GPO is granted, and by right-clicking Edit from the menu, Group policy management editor will open.

When in Group Policy Management Editor, navigate to ( and expand policies )  Computer Configuration, then  Windows Settings then  Advanced Policy Configuration and click DS Access.

Among the other subcategories, there will be Audit Directory Service Changes.

In the properties of Audit Directory Service Changes policy, Configure the following audit events option, both checkboxes ( Success and Failure ) should be ticked.

Adding a system access control list (SACL)

Next step is adding a system access control list (SACL) to the domain to audit for modified permissions.

System access control lists ( SACLs) are used for establishing security policies across the system for actions like logging or auditing resource access.

SACL specifies :

  • Which security principals (users, groups, computers) should be audited when accessing the object.
  • Which access events should be audited for these principals
  • Which access events should be audited for these principals
  • Adding system access control list (SACL) is made from Active Directory Users and Computers ( ADUC), by opening View menu, and check Advanced Features ( it has to be activated).

Click Active Directory Domain ( on the left), and select Properties > Security > Advanced, then switch to Auditing tab, and click Add. It will open Auditing Entry tab.

In the Auditing Entry tab, click Select a Principal.

Enter the “everyone” in the object name in the Select User, Computer, Service Account, or Group dialog, and click Ok.

Auditing Entry has to be set to “Sucess” and Applies to option has to be set to “ This object and all descendant objects”.

Under “Permissions” option, only selected option has to be “Modify Permissions”.

Check

And that is it. The only thing left to do is check the changes of permissions.

It can be done in PowerShell by usage of the command

Get-EventLog Security -Newest 10 | Where-Object {$_.EventID -eq 5136} | Format-List

The output should be the formatted list of information about changes ( who made changes on which object, and information about new security descriptor).

How To Generate all Domain Controllers in Active Directory

Here we describe how to generate all Domain Controllers in Active Directory Sites and Services tool.

Active directory Sites and Services can be seen as an administrative tool, used to manage sites and the related components on Microsoft server systems.

It contains is a list of all Domain Controller connected to the system, no matter of number.

In some situations, admins can notice more than one DC listed under NTDS settings.

What are this other DC ’s, and how can they be generated automatically?

KCC

Those DC’s are called KCC’s ( Knowledge Consistency Checker) nominated bridgehead server per site to handle replication between specific sites.

That bridgehead server is then responsible for replicating any changes to all remaining DCs in its site.

In simple words, KCC takes care of replication by generating DC which communicates with other DC’s KCC’S auto-generated domain controllers and takes care of replication.

How to create automatically generated Domain Controllers

There are situations like server moves or adding new organizational Domain Controller when you can get to the situation that Active Directory is not creating ‘Automatically Generated’ connections with root Domain Controller. So, the Domain Controller can be seen, but not on the “real” Domain Controller list.

There is more than one solution, to this problem, we will bring most used and tested ones.

Manually forcing auto generation

The first method, although it can get in “workaround” category, should be manually force of auto-generation. It can be done on a way to right click on the NTDS Settings option, then choose All Tasks and Check Replication Topology in the end. That should force trigger auto-generation of all Domain Controllers, and your Domain Controllers should be visible on the list.

Repadmin

Repadmin Is a command line tool, used for replication problems diagnostic and repair.

It can be used from an elevated command prompt by typing ntdsutil.

By entering command

repadmin / showrepl*

an output is replication state of all DC’s in the system.

By command

Repadmin/replicate

force replication is started, and, considering our article, this command could by forcing replication, generate all Domain Controllers on the Sites and Services list.

Conclusion

It is usually not necessary to create manual connections when the KCC is being used to generate automatic connections. If any conditions change, the KCC automatically reconfigures connections. Adding manual connections when the KCC is employed potentially increases replication traffic and that will conflict with optimal settings set by KCC.

If a connection is not working due to a failed domain controller, the KCC automatically builds temporary connections to other replication sites ( if the damage is not too big ), to ensure that replication occurs. If all the domain controllers in a site are unavailable, the KCC automatically creates replication connections between domain controllers from another site.”

It is not recommended to manually modify this – unless you have a very specific use case.  As long as these records are auto-generated, they can survive a Domain Controller failure as the KCC/ISTG will automatically create a new connection.  However, if you manually create a connection/specify a bridgehead server, if that server goes offline, KCC will not create a new connection and replication between the affected sites will stall.

How to Optimize Your Active Directory for Windows Server 2016

Microsoft Windows Server 2016 is still a valid choise in the market and organizations are already asking their IT experts to evaluate its added value and possible challenges that one may encounter when moving from the current systems to the new server platform. In addition to the features found on Windows Server 2012 and 2012 R2, Windows Server 2016 presents new possibilities and capabilities that are missing on previous Windows Server platforms. Any new Windows Server Operating System that breaks the market gets more attention. Windows Server 2016 had made tremendous improvements to its Active Directory.

The best approach to take before implementing Windows Server 2016 is to test its readiness by looking for ways of minimizing the likely impact of migration. Another way to look at it would be to identify organizational needs and how they can be integrated for future implementations. The reason Administrators would want to try on the Windows Server 2016 Active Directory is to provide an opportunity for growth, offer flexibility, and enhance security setup in the organization.

Why Does Windows Server 2016 Matter

Windows Server 2016 is a representation of combinations from different principles that define computation, identity, management and automation, security and assurance, and storage. All these are broken down into the core elements of the Server Operating System that consists of Visualization, System Administration, Network Management, and Software Defined Network (SDN) technologies, Cloud Integration and Management, Disk Management and Availability. All these are supposed to bring organizations to the future of technology without the need to discard some of the infrastructures being used in the current environment.

Windows Server 2016 is a full-featured server Operating System boasting of solid performance with modern advancements. This new server shares so many similarities with the Data Center edition that incorporates support for Hyper-V containers and new storage features and enhanced security solely to protect virtual machines and network communications that have no trust configured between them.

This article should help you the reader learn more about Windows Server 2016 features, factors to consider before moving from old to a new setup, and how to optimize your Active Directory. More details on how to prepare to move and migrate efficiently by managing the new environment effectively.

Windows Server 2016 New Features

Several features and enhancements form part of this server operating system. Here are some of the highlights:

Temporary Group Membership

This form of membership gives Administrators a way of adding new users to a security group for a limited time. For this feature to work, Windows Server 2016 Active Directory must be operating at the functional level. System Administrators need to know beforehand all the system installation requirements during and after the transition.

Active Directory Federation Service

There are essential changes that come with Microsoft Windows 2016 Server Federation Service:

Conditional Access Control

Active Directory in previous installations had straightforward access controls because the assumption had always been that all users would be logging in from a computer joined to a domain with proper Group Policy Security settings. The conditional access gives users access to resources that have been assigned to them.

In the current technological setup users’, access resources from different types of devices that are not connected to the domain and usually work outside the organizations operating norms. This is a direct call for the improvement of security by introducing a Conditional Access Control Feature enabling administrators to have better controls over users whose requests should be handled on per application basis. For example, administrators may enforce multi-factor authentication when the compliant devices try to access business applications.

Support for Lightweight Directory Access Protocol (LDAP) v3

Another change that has been introduced in line with regard to the Active Directory Federation Systems is the Support for Lightweight Directory Access Protocol. The capability makes it easier to centralize identities across different directories. For example, an organization that uses non-Microsoft directory format for identification and access control can centralize identities to office Azure cloud or Office 365. LDAP v3 making it easier to configure a single sign-on for SaaS applications.

Domain Naming Service (DNS)

Active Directory and DNS go hand in hand because of the dependency of Windows Server systems on DNS. There have been no significant changes in the Windows Server DNS service until the arrival of Windows Server 2016. The following are new features under the DNS:

DNS Policies

The inherent ability to create new DNS policies is said to be the most significant. These policies enable administrators to control the way DNS responds to different queries. Some examples of these policies are load balancing and Blocking of DNS requests coming from IP addresses whose domain have been listed as malicious.

Response Rate Limit

The rate of the server response to DNS queries can now be controlled. This control is designed to help defend against external attacks such as denial of service by limiting the number of times in a second a DNS can respond to a client

Microsoft IP Address Management (Microsoft IPAM)

The most significant improvement to the DNS is in its IP Address Management System that helps in the tracking of IP address usage. The integration of Microsoft IPAM feature on DHCP has been robust while the DNS one is minimal. The introduction of Windows Server 2016 brings in some new changes like DNS management capabilities by recording inventory. The support for multiple Active Directory forests by IPAM is a welcome feature. Supporting multiple forests is only possible if there is already an existing trust between them and that IPAM is installed on each forest.

Migration Considerations

Planning is critical when moving from an earlier Windows Server version to Server 2016. The goal of any migration should be minimizing its impact on business operations. Going ahead with the migration should be an opportunity for administrators to set up a scalable, flexible, compliant, and secure platform.

Understanding the Existing Server Environment.

It is a rookie mistake to jump into implementation without a proper analysis of the current server environment. Assessment at this stage should look at users, groups, distribution lists, applications, folders, and Active Directory. On the business side, there is a workflow, emails, programs, and any infrastructure used that should be assessed before making the big move.

It is also vital that you:

  • Understand what needs to be moved and what is to be left as it is. For example, there is no need of moving inactive accounts and old data that is no longer relevant. All active data stores, mailboxes, and users are part of what you should not leave behind.
  • You will also want to analyze applications, users, and processes that needs access and should be migrated to ensure that the relevant resources are available during and after the transfer.

Improving Active Direct Security and Compliance Settings

Another critical factor to consider during migration is security and delegation by controlling who makes changes to Window Active Directory objects and policies. Most organizations choose to give access to Active Directory objects to solve an immediate problem and never clear the permissions. Proper controls should be in place to manage what can be added to the AD and who should be responsible for making such changes.

Continuous monitoring of activities in the Active Directory to ascertain if they comply with both internal and external performance regulations should be ongoing. Microsoft Windows Server and AD can audit events with visible output and can be implemented quickly in a busy setup. Having a coherent AD audit cluster with analytical capabilities is critical for marking unauthorized changes, spotting inappropriate use of the AD and related resources, tracking users in the entire infrastructure, and give compliance reports to the auditors.

Ensuring Application Compatibility

Before making an effort to initiate migration, make sure that all software and third-party application used on your organization are compatible and can work with Windows Server 2016. All the in-house applications should also be tested to make sure they work correctly in the new environment.

Minimizing Impact on Business

Minimizing in-house software compatibility is one aspect of reducing the cost of migration on the business. As an Administrator, you need to know how the issue of downtime will be handled when moving from legacy to new system. One thing you need to avoid is underestimating the impact of migration on users and operations by failing to analyze all access points. Many such challenges can be avoided by scheduling resource intensive migration tasks during off-peak hours.

Failure to have a smooth transition between legacy and the new system can lead to service disruptions lost productivity and increased the cost of doing business. The co-existence of both the old and the new system is essential in any Active Directory migration because users still need to access resources to ensure continuity. Directory synchronization is important at this stage to make sure that users can access their data.

Restructure the Active Directory

Moving from your legacy system to Windows Server 2016 should be taken seriously and not treated like any other routine IT task. This is an opportunity to restructure your Active Directory to meet its current and future needs. Every time there is a significant system upgrade, changes in organizational models and requirements may have prompted it. Changes in the IT technology is also a major force that influences restructuring of the Active Directory.

Determine the number of domains and forests needed. Examine the need to merge some forests or create new ones. You can also take an opportunity to join new infrastructure to remote offices that may not have been in existence in the legacy system.

Active Directory Management and Recovery

Every IT management faces challenges when managing the Active Directory on a daily basis. The configuration of user properties is time-consuming and error-prone when dealing with a large and a complex Windows Network. Some of these duties have to be performed manually leading repetitive and mundane tasks that end up taking up most the Administrators time. However, when you decide to accomplish the above tasks using Windows Native Tools or the PowerShell means that you must have a deeper understanding of how the Active Directory and its features work.

The use of software to manage the Active Directory repetitive tasks simplifies the process. You can also get detailed reports on tasks and their status. Using software offers solutions that help in the planning and execution of an efficient AD restructuring, which will eventually help you, implement a secure system. Managing AD using a software gives a common console where the management can view and manage Active Directory, users, computers, and groups. Some software’s enable the administration to plan for a secure way of delegating repetitive tasks and perform controlled automation of the Active Directory Structure.

Software Implementation

Two popular software being used in the management of Active Directory optimization tasks are:

  1. ADManager Plus
  2. Quest Software

They both can help in the restructuring and consolidation of Windows Server 2016 in a new environment.

ADManager Plus

The ADManager Plus has additional features such as sending and receiving customized notifications via SMS or emails. The search options make it easier for IT managers to search the directory with ease through its software interface panel. Using the ADManager Plus, the IT department can execute windows optimization tasks with ease in addition to the integration of utilities such as ServiceNow, ServiceDesk, and AdselfService Plus.

Active Directory User Management

ADManager Plus manages thousands of your Active Directory through its interface. This property helps you create and modify users by configuring general attributes, exchange server attributes, and apply exchange policies, terminal service attributes, and remote logon permissions. You can set new users in Office 365 and G suite when creating the new accounts in the Active Directory. You can design templates that can help the help desk team to modify and configure user accounts and properties by a single action.

Active Directory Computer Management

This solution allows for the management of all computer in the existing environment from any location. You can create objects in bulk using CSV templates by modifying group and general attributes of computers, move them between organizational units, and enable/disable them.

Active Directory Group Management

The management of groups is made more flexible using the software modules used in the creation and modification of groups using templates and conduct all configuration attributes in an instant.

Active Directory Contact Management

You can use this software management tool to import and update Activate Directory contacts as a single process. Therefore, this implies that you do not have to select individual contacts for an update.

Active Directory Help Desk Delegation

The ADManager Plus delegation feature can help administrators to create help desk administrators, and delegate desired tasks related to user attributes. The various repetitive management tasks for users, group, computers, and contacts can be delegated using customized account creation templates. The help desk users can share the workload of the administrators which frees them up giving them more time to work on core duties.

Active Directory Reports and Management

The ADManager plus provides information on different objects within the AD which allows for the viewing and analysis of information on its web interface. For example, you can see a list of all inactive users and modify the accountant accordingly.

Quest

Quest software takes a different approach because it deals with preparation, recovery, security and compliance, migration, consolidation, and restructuring.

Preparation

During preparation, Quest helps in the assessment of the existing environment with the enterprise reporter gives a detailed evaluation of the current setup that includes the Active Directory, Windows Server, and SQL Server. During this assessment, Quest can report the number of accounts you have in the Active Directory and isolate the active and the disabled ones. Knowing the exact status of your environment is paramount before the migration begins.

Quest helps discover identities and inventories on application servers that are dependent on the Active Domains that are being moved to enable you to fix or redirect them on the new server.

Migration, Consolidation, and Restructuring

The Migration Manager for Active Directory gives the Zero IMPACT AD restructuring and consolidation. The Migration Manager offers a peaceful coexistence to both the migrated and yet to be migrated by maintaining secure access to workstations and resources.

Secure Copy offers an automated solution for quick migration and restructuring files on the data server by maintaining the security and access points. Its robustness makes the tool to be rated as perfect for planning and verification of successful file transfers.

Migrator for Novell Directory Service (NDS) helps administrators move from Novel eDirectory to Active Directory. The tool also moves all data within Novell and re-assigns permission to new identities in the new server.

Security and Compliance

The change Auditor for Active Directory gives a complete evaluation of all the changes that have taken place in the Active Directory. The evaluation report contains information such as who made the changes, what kind of changes was made, what were the initial and final values before and after adjustment, and the workstation name where the change occurred. The change auditor tool also prevents changes, for example, you can disable the deletion of or transfer of Organization Units and changes that can be made Group Policy Settings.

Access Control

Active Roles modules ensure that security of the AD complies by enabling you to control access by delegating tasks using less privilege. This gives an opportunity to generate access rules based on defined administrative policies and access rights. You can use the Active Roles to bring together user groups and mailboxes as well as changing and removing access rights based on role changes.

Centralized Permission Management

The Security Explorer facilitates the management of Microsoft Dynamic Access Controls (DAC) by enabling administrators to add, remove, restore, backup, and copy permission all on a single console. The tool can make targeted or bulk changes to server emissions made possible by the enhanced by Dynamic Access Control management features such as the ability to grant, revoke, clone, and modify permissions.

Monitoring Users

The InTrust enables the secure collection, storage, and reporting alerts on the data log that complies with both internal and external regulations surrounding policies and security best practice. Using InTrust, you get an insight into user activities by auditing access to critical systems. You can see suspicious Logins in real time.

Management and Recovery

The easiest way the IT administrator can manage user accounts, computers, and objects via the Group Policy. Poor management of the Group Policy Objects (GPO) can cause many damages. For example, if your GPO is assigning proxy settings with wrong proxy values.

GPO Admin will automate Group Policies, and it has a workflow to enable the checking of changes before being approved by the GPOs. When GPO’s are used in the production industry, the management team will be impressed by the reduced tasks as it improves security.

Recovery is a critical process in any organization that runs its system based on Windows Server 2016. You can also recover the wrong entries and accounts that were removed. The Recovery Manager for Active Directory gives access to other features that report on the differences and help restore objects that were changed.

It is important to be prepared in readiness for disaster and data recovery. In case your domain finds itself in the wrong hands, or the entire network setup is corrupted, use the Recovery Manager for Active Directory utility.

Conclusion

Windows Server 2016 has a wealth of new features and capabilities to streamline and improve the management and facilitate better user experience. A successful implementation means that the Active Directory has a sound consolidation process. Administrators who have already tested this Server Operating Services should take advantage of the new capabilities.

The benefits of Active Directory tools and utilities are numerous because they help in setting up a flexible and secure Windows Server 2016 and Active Director that will work for your current and future environment. These utilities help managers who are not well conversant with some IT related Active Directory management tools who need to switch to the new server to comply with regional and international standards.

Microsoft Active Directory Permissions: Best Practices for Data Protection

In this article, we are bringing the best practices for data protection in  The most famous directory service. Microsoft Active Directory Domain Services (AD DS).  

Microsoft Active Directory (AD) is a database that keeps track of all the “objects” in the system – users, computers, security groups, services, etc. In AD DS, at one central location, defining and updating all the rights a particular object has on the network. 

In short lines, the vital part of any Microsoft Server System with the recommended highest rate of security.  

So let’s start with tips and best practices for securing Microsoft Active Directory the best way possible.  

Least-Privilege User Access (LUA)  

The principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. (Wikipedia Definition) 

As part of those principles, the recommendation is the usage of LUA : 

LUA is the reverse of administrative privileges for all users, and then scaling back permissions as needed. It’s one of the best tips for keeping your network safe. 

The “hard way” of granting permissions to users. In some way, it is personalized per each user. It’s based to determine needs of all users on network and grant permissions for that needs, no more, no less. 

The process is not easy, it requires a lot of communication and takes a lot of time to configure the system that way. But in a long-term, your system will operate safely and as it should. 

There are variations of this plan, like creating “section groups” with different permissions then placing everyone from the section in it. But that is not personalized setup, and still can offer too much or too little to an individual user.  

Know Your Active Directory Security Model 

Microsoft Active Directory security model, keeps every object stored in an Active Directory, safe and protected. 

That includes domain user and computer accounts, security groups, and group policies. 

It can help administrator determining user access to any object, and gives the option to specify access for groups of users, as part of security management. 

Every single object in Microsoft Active Directory has a security descriptor associated with it. Security descriptor defines the permissions on an object. Of course, all these attributes include the permission set or Access Control. List (ACL), which contain numerous Access Control Entries (ACEs) which allows or denies specified security permissions to some user or security group. 

ACEs can be explicit or inherited; explicit ACEs generally override inherited ACEs. 

And this is just a tip of a Microsoft Active Directory Security Model iceberg. 

The security model is not an easy thing to learn or explain in a single article. Even some experienced administrators have a hard time understanding the full model. So it is advised to any system Administrator to make his/her personal goal gathering knowledge about it as much as possible. 

With a better understanding of it, it can provide better insight into system security functioning and better protection of your organization, and with that better productivity and quality of service. 

A lot more regarding Active Directory Security Model can be found at the following link: 

http://www.paramountdefenses.com/active-directory-security/model.html 

Keep Your Software Up To Date and Secure 

In May 2017, a lot of windows server based system got attacked by WannaCry ransomware worm attack. Even Microsoft has discovered a vulnerability and released a patch, a month before the attack took place, still, a lot of systems haven’t applied it, and got struck by a worm, which intruded system, encrypted data and demanded ransom for it in form of Bitcoin. 

The attack was stopped within a few days of its discovery due to emergency patches released by Microsoft, and the discovery of “kill switch” that prevented infected computers from spreading WannaCry further. 

The consequence of the attack was estimated to more than 200,000 affected computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. 

Experts advise affected users against paying the ransom due to none reports of any data returned after payment and as high revenues would encourage more such attacks. After the attack had subsided, a total of 327 payments totaling $130,634.77 (51.62396539 XBT) had been transferred. 

As all examples, this one is a great opportunity to learn and adopt facts and previous errors so they would not be made again. 

This expensive and very real example shows the importance of software updating and applying official patches to your system software.  

Software without updates applied is unreliable software. Patch or update is made for a reason, and in most cases, it makes security better, and your system less liable for any type of attacks.

For that cases, Microsoft has great sites which can help administrators maintain their systems healthy and protected. It is highly recommended for all admins to monitor TechNet, and Microsoft Secure Blog, to keep up with system software, and security updates. 

It is not only up to administrators, but even their part of the job is also most important,  it is up to organizations to keep their hardware updated too. Even obsolete hardware can make the risk of security breaches high. So realizing that investing in hardware is not thrown money, but it is investing in security and functionality seems like the right way for all organizations. 

Usage of built-in Active Directory Features 

A lot of built-in Active Directory features can help administrators in protecting data and system environment.  None of them are “one program solves all” type of programs or some “big” lifesaving solutions, but correct usage of them can make a risk of potential security breaches lower. 

This is a list of some of the useful built-in features :  

Security Descriptor Propagator –  Compares the permissions on the domain object with the permissions on the domain’s protected user accounts and groups. If it finds any mismatch, it will reset the permissions. 

AdminSDHolder – Ensures enforcement of permissions on protected user accounts and groups, no matter of location on the domain. 

Privileged Identity Management – Allows the administrator to grant temporary rights and permissions to an account to perform any required functions. 

Role-based Access Control– Provides administrator the option of user grouping, and give them access to resources on the domain according to previously defined rules. 

Usage of Isolated workstations managing DCs 

If there is a need for logging on an Active Directory with an elevated account, because of any reason, these operations should always be performed from a special device, preconfigured to reduce the risks associated with everyday tasks.  

Such workstations should be isolated from the internet, and when used, they should be used with Least-Privilege User Access ( Lua) ( described before) principles. 

Those workstations should be completely protected by all kind of security software available. (anti-malware, endpoint firewall and application control). 

DC Workstations should be kept in their own organizational unit so they could have a special group policy set applied ( restricted local logons and other limitations). 

User accounts used on isolated workstations may be Service Desk accounts that have the ability to reset passwords for most of the users in a domain, accounts that are used to administer DNS records and zones, or accounts that are used for configuration management. Secure administrative hosts should be dedicated to administrative functionality, and they should not run software such as email applications, web browsers, or any type of productivity software. 

Conclusion 

In conclusion, security of Microsoft Active Directory is huge, live, topic, and it can be studied and elaborated over and over. The best practices are, with a usage of described tools and techniques, only learning and monitoring, not only your systems but Microsoft news and updates regularly. 

It is a hard job, without long-term solutions. As systems develop and change, so are potential threats and malware, but being server administrator is like that, never-ending process. 

 

 

Prevent Unauthorized Access to Sensitive Data!

  • No more unauthorized access to sensitive data
  • No more unclear permission assignments
  • No more unsafe data
  • No more security leaks

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

Active Directory Authoritative Restore with Windows Server Backup

Overview 

In short lines, an authoritative restore is a Windows Server process of return of a designated deleted Active directory object or container of an object to the state before deletion, at the time when it was backed up. 

An authoritative restore process will replicate the restore object across organization’s domain controllers, but, restore process will increase the Unique Sequence Number (USN) of all attributes on the restored object.  

Because the object will have a much higher Unique Sequence Number, it will replicate across all domain controllers of organization and overwrite anything associated to the previous object. 

In this article, our goal is to describe the procedure and make test example of this process. 

Procedure and Examples 

In an example, hypothetic scenario, it is needed to restore user deleted from Active Directory Users and Computers. 

First thing in the scenario is a restoration from backup. For a backup start, it is needed to restart the domain controller in Directory Recovery Mode (Safe mode). It can be done with a reboot and press key F8 on startup. 

Login is made with local admin, using username.\administrator, and password setter up during domain controller installation for Directory Services Restore Mode ( DSRM ). 

After login, right-click start menu and choose Command Prompt ( Admin ) option. 

When Command Prompt is accessed, following command,  will show available backups:

wbadmin get versions 

Following command (followed by “yes” option ) will start restoration based on the chosen backup entry : 

wbadmin start systemstaterecovery version: (chosen version) 

 And user will be prompted to reboot with “Yes” option. 

After reboot, it is needed to start the Command Prompt (Admin) again, and run ntdsutil command for accessing and managing a Windows Active Directory (AD) database. (Ntdsutil should only be used by experienced administrators and it should be used from an elevated command prompt). 

At ntdsutil prompt, it is needed to enter following commands: 

 activate instance ntds 

And after that : 

authoritative restore 

At authoritative restore prompt terminal, the full path to the object that is wanted to restore should be entered. 

restore object cn=(object name),OU=(organizational unit) ,DC=(domain controller),DC=local 

It is needed to confirm it with “yes”, and restoration will start.  

Exit the authoritative restore with the command:”quit” and ntdsutil with the command: “quit”. 

From Command Prompt terminal, disable safe boot sequence of a server with a command:

bcdedit /deletevalue safeboot 

After reboot and login to the server, a wanted object should be restored in Active Directory. 

 

 

Do you want to prevent unauthorized deletion of directory objects or something similar to this problem?

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

Windows Server: Clean Up Orphaned Foreign Security Principals

This article will show different ways to clean up orphaned Foreign Security Principals. There are more ways to do it, but before any method described, it is needed to say that if it is possible, clean your “orphaned FSP’s” with GUI method. PowerShell methods are not recommended to users without excellent knowledge of console, due to possible issues that method can cause. 

But first, let’s see overview – What is FSP? 

Overview 

Foreign Security Principals (FSPs) are security principals, created when an object ( user, computer or group) is added to some domain group, but with origins from an external trusted domain. 

FSP is recognized by mark. It is marked with a red curly arrow connected to an icon of object and acts as a pointer. 

Active Directory creates them automatically, after adding security principal from another forest to a group from that domain. 

When security principal, on which FSP is pointing,  is removed, the FSP becomes orphan. Orphan is a term used for FSP’s which have no more principals, FSP is pointing on.   

In the case of the creation of the same principle, old FSP will still be orphaned. New FSP will have different   SID ( security identifier) number, no matter what principle is the same. 

The outcome could be that FSP that is once orphaned, stays orphaned forever until it is removed/cleaned up by the administrator. 

There are two ways of identification and cleaning orphaned FSP. It can be done by GUI ( Graphics User Interface), and by PowerShell console. 

Identification and clean up of orphaned FSP via GUI 

As mentioned before, this is the most recommended way of cleaning orphaned FSP’s. 

In “GUI” way, orphaned FSP can be found in Active Directory Users and Computers console, when advanced features are enabled (If advanced features are not enabled, FSP won’t be seen). They are stored in the ForeignSecurityPrincipals container. Orphaned FSP can be identified through column “Readable Name”. 

If FSP is orphaned, Readable Name column in the console will show up empty. 

They can be cleaned by selection and right-click deletion. 

Cleaning FSP via PowerShell 

For PowerShell cleaning, all FSP objects first have to be listed. 

All FSP’s can be listed by usage of Get-ADObject cmdlet. 

Get-ADObject -Filter {ObjectClass -eq ForeignSecurityPrincipal'} 

When listed, they can be removed by usage of the Translate method, but precaution is advised. There is a possibility, in case of network connectivity issue  FSP’s can be seen as momentarily orphaned, PowerShell method will delete them too, and that can make problems due to SID change.

$ForeignSecurityPrincipalList = Get-ADObject -Filter {ObjectClass eq 
 ‘foreignSecurityPrincipal' }    
foreach($FSP in $ForeignSecurityPrincipalList)  
{      
Try     
 {$null=(New-Object System.Security.Principal.SecurityIdentifier($FSP.objectSid)).Translate([System.Security.Principal.NTAccount])}      
Catch    
  {Remove-ADObject -Identity $FSP}  
} 

Scheduled removal of orphaned FSP 

A task can be scheduled to make removal of orphaned FSP automatic.  

The best way to remove FSP by schedule  is by created script like for example : 

 The fictive company has a monthly turnover of  50 employees. 

A custom script can be made to delete orphaned FSP’s in the time range of 1 month  : 

 

Import-Module -Name OrphanForeignSecurityPrincipals 
$MyCompanyTurnover = 20 
 $OrphanFSPListFilePath ='c:\temp\OFSP.txt' 
$OrphanForeignSecurityPrincipalsList = Get-OrphanForeignSecurityPrincipal TabDelimitedFile $OrphanFSPListFilePath 

If ($OrphanForeignSecurityPrincipalsList) 
 { 
    If ($OrphanForeignSecurityPrincipalsList.Count -gt $MyCompanyTurnover) 
    { 
        $MailParameters = @{ 
            SmtpServer = 'mail.mycompany.com' 
            From       = 'NoReply@mycompany.com' 
            To         = 'Administrator@mycompany.com' 
            Subject    = "Orphan Foreign Security Principals found" 
            Body       = 'Please check attached file.' 
            Attachment = $OrphanFSPListFilePath 
        } 
          Send-MailMessage @MailParameters 
    }    else { 
        Remove-OrphanForeignSecurityPrincipal -TabDelimitedFile $OrphanFSPListFilePath 
    } 
} 

Recovery of deleted FSP 

Deleted orphaned FSP’s can be restored by restoring it from recycle bin if recycle bin feature is activated before deletion is made. 

FSP can be restored via PowerShell cmdlets too : 

An object can be found  with the following cmdlet, and after they are listed, selected orphaned FSP’s can be restored: 

Get-ADObject -Filter 'IsDeleted -eq $TRUE' -IncludeDeletedObjects | Where-Object {$_.DistinguishedName -like "CN=S-*"} 

There is one more way of restoring orphaned Foreign security principals that we need to mention.  

It is the way of following same steps as made before first creation. By adding foreign user/computer/group account into the same groups where it has been before it got orphaned status. This step will create the same Foreign Security principal as it was before, just with different SID number. 

 

Avoid having problems on the FSP or Foreign Security Principals

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

Active Directory Design Guide

Companies use the Active Directory Domain Services (AD DS) in a server environment to make the work of network users less complicated and ensure resource sharing and management is secure, scalable, and all objects work as per their respective configurations. A well-designed AD DS can be used to manage the entire network infrastructure including the branch office and multiple forest environment. System Administrators should develop a habit of documenting all aspects of the domain structure and security strategies, as this becomes the new plan for future infrastructure and possible migration.  

The Basics of Active Directory Planning  

When planning for a domain, two things come into play: domain upgrading and domain restructuring. Upgrading your domain is more than just upgrading every domain controller; it involves the upgrading of both the Primary Domain Controller (PDC) and the Backup Domain Controller (BDC). Restructuring involves the creation of a new Active Directory from scratch. Restricting may lead to few but expanded domains. 

Develop a Migration Strategy

Having a migration strategy in place is an integral part of your overall design plan. Migration strategy involves studying the current or proposed configuration details and identifying which aspects of the domain will be migrated. A fall back system also has to be in place to counter any possible failure.  

Working with a Simple Design  

An Active Directory should be flexible in giving you an easy time when designing the forests. Designing a Domain for every department may look desirable in an organization but do not forget the general rule of running fewer but effective domains. An alternative to creating domains for every department is to use the Organizational Units, which are flexible and easy to manage.   

Active Directory Domain Design  

An Active Directory has four main divisions: the forests, the domain, the sites, and the organizational units. The system Administrators should maximize on the potential of these divisions to get the best out of any directory structure. 

When creating your domains, it is recommended that you use domain members who are near each other as possible. This is the best practice because the level of traffic within a domain is higher than you would expect between two different domains. Smaller domains also limit the need for investing in expensive connections to increase bandwidth. Remember to use the Organizational units to delegate Administrative privileges within an Active Directory. 

The Design of Groups and Organizational Units  

Before thinking of how the Groups and Organizational Units will work, System Administrators should know in advance the role of each group or units. The idea is to have a functional Organizational Unit and Groups in a bid to simplify the Active Directory environment. This goes a long way in simplifying management by giving you more control over the Active Directory. An active directory without a logical design of its users may lead to confusion. Here are some of the best practices when designing Organizational Units: 

  • Maintain a simple OU structure  
  • Limit OU nesting to less than 10 layers  
  • Apply Group Policy to groups via the Group Policy Filtering  
  • Do not utilize local groups for permissions in a domain environment 
  • Use local groups in the domain to control access to resources and group similar user groups. 

You can also use hidden OU to prevent viewing or altering in an environment where network application services are shared within departments and with external customers.  

Use Rules for Active Directory Sites  

Using Directory sites is an important element for any Active Directory domain. Sites can be limited to any computer object within a forest. Thus, they can be found across domains and organizational units. Sites are used to impose physical network to facilitate traffic flow. Sites also regulate traffic flowing to slower WAN links within the network; this will effectively increase productivity and serve to reduce costs on connectivity. 

The general good practice when designing sites  

  • Sites should be a reflection of the physical and geographical topology 
  • Every site should have at least one local Domain Controller 
  • Sites should be connected to faster links  
  • Remote clients do not need a dedicated site  
  • Sites are desirable when replication services are needed  
  • Sites can be added, changed, removed, without affecting network operations or configurations 

Active Directory Design Requirements  

Before the deployment of any Active Directory Services, the logical structure that reflects the working environment should be in place. The AD DS logical structure defines directory objects are organized and a method of managing individual accounts and shared resources. When planning for the logical structure, determine the number of forests, domain designs, the Domain Name System infrastructure, and Organizational Units. 

The Design of the Logical Structure should follow the following process 

  • Identification of the technical staff in charge of deployment  
  • Creation of the forest design  
  • Creation of the domain design for each forest  
  • Design a DNS infrastructure to support AD DS for every forest  
  • Design organizational units for delegating administrative tasks for every forest  
  1. Designing the Site Topology 

The site topology of the Active Directory network is a logical representation of the physical network. It has all the information about the AD DS location sites, the site of Domain Controllers, and the site links that support the AD DS replication taking place between sites.  

The site topology design goes through the following process 

  • Gather all network information  
  • Plan where to place the domain controllers  
  • Create the site design  
  • Create the link design  
  • Create the site link bridges

2. Planning for Domain Controller Capacity  

For an efficient output of the AD DS, System Administrators should determine the number of domain controllers for each site. Capacity planning for the domain controllers takes care of all the hardware requirements and avoids incidences of poor performance by the domain controllers 

The process of planning for the domain controller capacity planning involves: 

  • Collect site topology and design information  
  • Determine the number of domain controllers  
  • Create the site design  
  • Assess disk space and memory requirements  
  • Monitor domain controller performance  

Please note that some features can be added to the Domain design by raising the functional levels of the forests.  

Conclusion  

The strategies presented in this guide apply in any server-operating environment. If you are not sure if your environment can meet the minimum system requirements, consult with other professionals on what needs to be done to deploy the AD DS. 

 

Want to have efficient and accurate reports about NTFS permissions on all your folders on your Windows Server Environment?

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

How to Optimize Your Active Directory for Windows Server 2016

Microsoft Windows Server 2016 is still new in the market and organizations are already asking their IT experts to evaluate its added value and possible challenges that one may encounter when moving from the current systems to the new server platform. In addition to the features found on Windows Server 2012 and 2012 R2, Windows Server 2016 presents new possibilities and capabilities that are missing on previous Windows Server platforms. Any new Windows Server Operating System that breaks the market gets more attention. Windows Server 2016 had made tremendous improvements to its Active Directory Optimization.

The best approach to take before implementing Windows Server 2016 is to test its readiness by looking for ways of minimizing the likely impact of migration. Another way to look at it would be to identify organizational needs and how they can be integrated for future implementations. The reason Administrators would want to try on the Windows Server 2016 Active Directory Optimization is to provide an opportunity for growth, offer flexibility, and enhance security setup in the organization. Now let us talk about active directory optimization

Why Does Windows Server 2016 Matter

Windows Server 2016 is a representation of combinations from different principles that define computation, identity, management and automation, security and assurance, and storage. All these are broken down into the core elements of the Server Operating System that consists of Visualization, System Administration, Network Management, and Software Defined Network (SDN) technologies, Cloud Integration and Management, Disk Management and Availability. All these are supposed to bring organizations to the future of technology without the need to discard some of the infrastructures being used in the current environment.

Windows Server 2016 is a full-featured server Operating System boasting of solid performance with modern advancements. This new server shares so many similarities with the Data Center edition that incorporates support for Hyper-V containers and new storage features and enhanced security solely to protect virtual machines and network communications that have no trust configured between them.

This article should help you the reader learn more about Windows Server 2016 features, factors to consider before moving from old to a new setup, and how to do Active Directory Optimization. More details on how to prepare to move and migrate efficiently by managing the new environment effectively.

Windows Server 2016 New Features

Several features and enhancements form part of this server operating system. Here are some of the highlights:

Temporary Group Membership

This form of membership gives Administrators a way of adding new users to a security group for a limited time. For this feature to work, Windows Server 2016 Active Directory must be operating at the functional level. System Administrators need to know beforehand all the system installation requirements during and after the transition.

Active Directory Federation Service

There are essential changes that come with Microsoft Windows 2016 Server Federation Service:

Conditional Access Control

Active Directory in previous installations had straightforward access controls because the assumption had always been that all users would be logging in from a computer joined to a domain with proper Group Policy Security settings. The conditional access gives users access to resources that have been assigned to them.

In the current technological setup users’, access resources from different types of devices that are not connected to the domain and usually work outside the organizations operating norms. This is a direct call for the improvement of security by introducing a Conditional Access Control Feature enabling administrators to have better controls over users whose requests should be handled on per application basis. For example, administrators may enforce multi-factor authentication when the compliant devices try to access business applications.

Support for Lightweight Directory Access Protocol (LDAP) v3

Another change that has been introduced in line with regard to the Active Directory Federation Systems is the Support for Lightweight Directory Access Protocol. The capability makes it easier to centralize identities across different directories. For example, an organization that uses non-Microsoft directory format for identification and access control can centralize identities to office Azure cloud or Office 365. LDAP v3 making it easier to configure a single sign-on for SaaS applications.

Domain Naming Service (DNS)

Active Directory and DNS go hand in hand because of the dependency of Windows Server systems on DNS. There have been no significant changes in the Windows Server DNS service until the arrival of Windows Server 2016. The following are new features under the DNS:

1.     DNS Policies

The inherent ability to create new DNS policies is said to be the most significant. These policies enable administrators to control the way DNS responds to different queries. Some examples of these policies are load balancing and Blocking of DNS requests coming from IP addresses whose domain have been listed as malicious.

2.     Response Rate Limit

The rate of the server response to DNS queries can now be controlled. This control is designed to help defend against external attacks such as denial of service by limiting the number of times in a second a DNS can respond to a client

3.     Microsoft IP Address Management (Microsoft IPAM)

The most significant improvement to the DNS is in its IP Address Management System that helps in the tracking of IP address usage. The integration of Microsoft IPAM feature on DHCP has been robust while the DNS one is minimal. The introduction of Windows Server 2016 brings in some new changes like DNS management capabilities by recording inventory. The support for multiple Active Directory forests by IPAM is a welcome feature. Supporting multiple forests is only possible if there is already an existing trust between them and that IPAM is installed on each forest.

Migration Considerations

Planning is critical when moving from an earlier Windows Server version to Server 2016. The goal of any migration should be minimizing its impact on business operations. Going ahead with the migration should be an opportunity for administrators to set up a scalable, flexible, compliant, and secure platform.

1.     Understanding the Existing Server Environment.

It is a rookie mistake to jump into implementation without a proper analysis of the current server environment. Assessment at this stage should look at users, groups, distribution lists, applications, folders, and Active Directory. On the business side, there is a workflow, emails, programs, and any infrastructure used that should be assessed before making the big move.

It is also vital that you:

  • Understand what needs to be moved and what is to be left as it is. For example, there is no need of moving inactive accounts and old data that is no longer relevant. All active data stores, mailboxes, and users are part of what you should not leave behind.
  • You will also want to analyze applications, users, and processes that need access and should be migrated to ensure that the relevant resources are available during and after the transfer.

2.     Improving Active Direct Security and Compliance Settings

Another critical factor to consider during migration is security and delegation by controlling who makes changes to Window Active Directory objects and policies. Most organizations choose to give access to Active Directory objects to solve an immediate problem and never clear the permissions. Proper controls should be in place to manage what can be added to the AD and who should be responsible for making such changes.

Continuous monitoring of activities in the Active Directory to ascertain if they comply with both internal and external performance regulations should be ongoing. Microsoft Windows Server and AD can audit events with visible output and can be implemented quickly in a busy setup. Having a coherent AD audit cluster with analytical capabilities is critical for marking unauthorized changes, spotting inappropriate use of the AD and related resources, tracking users in the entire infrastructure, and give compliance reports to the auditors.

3.     Ensuring Application Compatibility

Before making an effort to initiate migration, make sure that all software and third-party application used on your organization are compatible and can work with Windows Server 2016. All the in-house applications should also be tested to make sure they work correctly in the new environment.

4.     Minimizing Impact on Business

Minimizing in-house software compatibility is one aspect of reducing the cost of migration on the business. As an Administrator, you need to know how the issue of downtime will be handled when moving from legacy to new system. One thing you need to avoid is underestimating the impact of migration on users and operations by failing to analyze all access points. Many such challenges can be avoided by scheduling resource intensive migration tasks during off-peak hours.

Failure to have a smooth transition between legacy and the new system can lead to service disruptions lost productivity and increased the cost of doing business. The co-existence of both the old and the new system is essential in any Active Directory migration because users still need to access resources to ensure continuity. Directory synchronization is important at this stage to make sure that users can access their data.

5.     Restructure the Activate Directory

Moving from your legacy system to Windows Server 2016 should be taken seriously and not treated like any other routine IT task. This is an opportunity to restructure your Active Directory Optimization to meet its current and future needs. Every time there is a significant system upgrade, changes in organizational models and requirements may have prompted it. Changes in the IT technology is also a major force that influences restructuring of the Active Directory.

Determine the number of domains and forests needed. Examine the need to merge some forests or create new ones. You can also take an opportunity to join new infrastructure to remote offices that may not have been in existence in the legacy system.

Active Directory Management and Recovery

Every IT management faces challenges when managing the Active Directory on a daily basis. The configuration of user properties is time-consuming and error-prone when dealing with a large and a complex Windows Network. Some of these duties have to be performed manually leading repetitive and mundane tasks that end up taking up most of the Administrators time. However, when you decide to accomplish the above tasks using Windows Native Tools or the PowerShell means that you must have a deeper understanding of how the Active Directory and its features work.

The use of software to manage the Active Directory repetitive tasks simplifies the process. You can also get detailed reports on tasks and their status. Using software offers solutions that help in the planning and execution of an efficient AD restructuring, which will eventually help you, implement a secure system. Managing AD using software gives a common console where the management can view and manage Active Directory, users, computers, and groups. Some software’s enable the administration to plan for a secure way of delegating repetitive tasks and perform controlled automation of the Active Directory Structure.

Software Implementation

Two popular software being used in the management of Active Directory optimization tasks are:

  1. ADManager Plus
  2. Quest Software

They both can help in the restructuring and consolidation of Windows Server 2016 in a new environment.

1.     ADManager Plus

The ADManager Plus has additional features such as sending and receiving customized notifications via SMS or emails. The search options make it easier for IT managers to search the directory with ease through its software interface panel. Using the ADManager Plus, the IT department can execute windows optimization tasks with ease in addition to the integration of utilities such as ServiceNow, ServiceDesk, and AdselfService Plus.

Active Directory User management

ADManager Plus manages thousands of your Active Directory through its interface. This property helps you create and modify users by configuring general attributes, exchange server attributes, and apply exchange policies, terminal service attributes, and remote login permissions. You can set new users in Office 365 and G suite when creating the new accounts in the Active Directory. You can design templates that can help the help desk team to modify and configure user accounts and properties by a single action.

Active Directory Computer Management

This solution allows for the management of all computer in the existing environment from any location. You can create objects in bulk using CSV templates by modifying group and general attributes of computers, move them between organizational units, and enable/disable them.

Active Directory Group Management

The management of groups is made more flexible using the software modules used in the creation and modification of groups using templates and conduct all configuration attributes in an instant.

Active Directory Contact Management

You can use this software management tool to import and update Activate Directory contacts as a single process. Therefore, this implies that you do not have to select individual contacts for an update.

Active Directory Help Desk Delegation

The ADManager Plus delegation feature can help administrators to create help desk administrators, and delegate desired tasks related to user attributes. The various repetitive management tasks for users, group, computers, and contacts can be delegated using customized account creation templates. The help desk users can share the workload of the administrators which frees them up giving them more time to work on core duties.

Active Directory Optimization Reports and Management

The ADManager plus provides information on different objects within the AD which allows for the viewing and analysis of information on its web interface. For example, you can see a list of all inactive users and modify the accountant accordingly.

2.     Quest

Quest software takes a different approach because it deals with preparation, recovery, security and compliance, migration, consolidation, and restructuring.

Preparation

During preparation, Quest helps in the assessment of the existing environment with the enterprise reporter gives a detailed evaluation of the current setup that includes the Active Directory, Windows Server, and SQL Server. During this assessment, Quest can report the number of accounts you have in the Active Directory and isolate the active and the disabled ones. Knowing the exact status of your environment is paramount before the migration begins.

Quest helps discover identities and inventories on application servers that are dependent on the Active Domains that are being moved to enable you to fix or redirect them on the new server.

Migration, Consolidation, and Restructuring

The Migration Manager for Active Directory gives the Zero IMPACT AD restructuring and consolidation. The Migration Manager offers a peaceful coexistence to both the migrated and yet to be migrated by maintaining secure access to workstations and resources.

Secure Copy offers an automated solution for quick migration and restructuring files on the data server by maintaining the security and access points. Its robustness makes the tool to be rated as perfect for planning and verification of successful file transfers.

Migrator for Novell Directory Service (NDS) helps administrators move from Novel eDirectory to Active Directory. The tool also moves all data within Novell and re-assigns permission to new identities in the new server.

Security and Compliance

The Change Auditor for Active Directory gives a complete evaluation of all the changes that have taken place in the Active Directory Optimization. The evaluation report contains information such as who made the changes, what kind of changes was made, what were the initial and final values before and after adjustment, and the workstation name where the change occurred. The change auditor tool also prevents changes, for example, you can disable the deletion of or transfer of Organization Units and changes that can be made Group Policy Settings.

Access Control

Active Roles modules ensure that security of the AD complies by enabling you to control access by delegating tasks using less privilege. This gives an opportunity to generate access rules based on defined administrative policies and access rights. You can use the Active Roles to bring together user groups and mailboxes as well as changing and removing access rights based on role changes.

Centralized Permission Management

The Security Explorer facilitates the management of Microsoft Dynamic Access Controls (DAC) by enabling administrators to add, remove, restore, backup, and copy permission all on a single console. The tool can make targeted or bulk changes to server emissions made possible by the enhanced by Dynamic Access Control management features such as the ability to grant, revoke, clone, and modify permissions.

Monitoring Users

The InTrust enables the secure collection, storage, and reporting alerts on the data log that complies with both internal and external regulations surrounding policies and security best practice. Using InTrust, you get an insight into user activities by auditing access to critical systems. You can see suspicious Logins in real time.

Management and Recovery

The easiest way the IT administrator can manage user accounts, computers, and objects via the Group Policy. Poor management of the Group Policy Objects (GPO) can cause many damages. For example, if your GPO is assigning proxy settings with wrong proxy values.

GPO Admin will automate Group Policies, and it has a workflow to enable the checking of changes before being approved by the GPOs. When GPO’s are used in the production industry, the management team will be impressed by the reduced tasks as it improves security.

Recovery is a critical process in any organization that runs its system based on Windows Server 2016. You can also recover the wrong entries and accounts that were removed. The Recovery Manager for Active Directory gives access to other features that report on the differences and help restore objects that were changed.

It is important to be prepared in readiness for disaster and data recovery. In case your domain finds itself in the wrong hands, or the entire network setup is corrupted, use the Recovery Manager for Active Directory optimization utility.

Conclusion

Windows Server 2016 has a wealth of new features and capabilities to streamline and improve the management and facilitate better user experience. A successful implementation means that Active Directory Optimization has a sound consolidation process. Administrators who have already tested this Server Operating Services should take advantage of the new capabilities

The benefits of Active Directory optimization tools and utilities are numerous because they help in setting up a flexible and secure Windows Server 2016 and Active Directory that will work for your current and future environment. These utilities help managers who are not well conversant with some IT related Active Directory optimization management tools who need to switch to the new server to comply with regional and international standards.

 

 

Prevent Unauthorized Access to Sensitive Windows Folders!

  • No more unauthorized access to sensitive data
  • No more unclear permission assignments
  • No more unsafe data
  • No more security leaks

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

Overview: How to Troubleshoot Active Directory Replication Issues

Active Directory Replication is more or less the center of all sorts of problems. It is a crucial service and it becomes more complicated when dealing with more than one domain controller.  Issues relating to replication can vary from authentication issues and problems arising when trying to access resources over the network. 

All objects in the Active Directory are replicated between domain controllers so that all partitions are synchronized. A large company with multiple sites means that replication takes place at the local site as well as the other sites to keep all partitions synchronized. This article aims to show you how to troubleshoot Active Directory replication issues. 

Active Directory replication problems come from different sources, some of which are Domain Name System failures, network problems, or security issues. 

Resources Needed to Troubleshoot Active Directory Replication 

Failures coming in and out the active directories due to replication issues lead to many inconsistencies between domain controllers. Such failures lead to systemic failures or inconsistent output. Identifying the main cause of replication failure helps system administrators identify the possible cause and hence elimination of the problem.  One of the commonly used interfaces based replication-monitoring tool is the Active Directory Replication Status Tool. 

Understanding Recommendations from the tool solution 

The red and yellow warning events in the system logs will always point out to the specific cause of replication failure and give the source and destination in the Active Directory. Any steps that are suggested by the warnings should be tried as explained. Other tools such as the Repadmin tool can give more information to help resolve replication issues. 

  • Eliminating Disruptions or Hardware Failures 

Before troubleshooting replication failures, it is important to rule out any issues related to software updates or upgrades, intentional disruptions, software configurations, and hardware failures. 

  • Intentional Disruptions 

Disruptions caused by unavailability (offline state) of a remote domain controller can be corrected by adding the computer as a member server using the Install From Media (IFM) method to configure the Active Directory Domain Services. The Ntdsutil command-line tool can be used to create installation media. 

  • Software Upgrades and Hardware Failures 

Hardware failures can come from failing motherboards or hard drives. Once a hardware problem is identified, system administrators should take immediate action to replace the failing components. Active Directory Replication failures can take place after a planned upgrade. The best way to handle this is through an effective communication plan that prepares people in advance. 

  • Software Configurations 

Some software settings such as the typical windows firewall have port 135 open alongside other advanced security settings. Some firewalls can be configured to allow for replication. 

Responding to Failures Reported on Windows 2000 Server 

Active Directory configured on Windows 2000 Server that has failed beyond the tombstone lifetime should be resolved by: 

  • Moving the server from a corporate to a private network 
  • Removing the Active Directory or Reinstalling the Operating System 
  • Removing its metadata from the Active Directory to hide its objects 

Removing the server metadata ensures that any attempt by the server to revive objects settings after 14 days is impossible. This also helps avert further error logs due to replication attempts with a missing Domain Controller. 

What are the Root Causes of Replication? 

Apart from the already discussed causes leading to replication failures, here are some other reasons. 

Network Connectivity: caused by unavailable network or wrong configurations 

Name Resolutions: Wrong DNS configurations 

Authentication and Authorizations: Aces denied errors every time a domain controller tries to connect for replication 

Directory Database: A slow data store not being able to handle fast transactions that take place within replication timeouts. 

Replication Engine: when replication schedules are short, it will lead to longer queues and large processing which may not be possible within the outbound replication schedule. 

Replication Topology: All domain controllers need to have links linking them to other sites within the Active Directory.  The links should map wide area networks or the virtual private network connections. All objects should be supported by the same site topology within the network to avoid replication failures. 

How do We Fix Replication Problems 

Any of the following approaches can be used to fix Active Directory Replication Issues: 

  • Daily monitoring of the state of replication using the Repadmin.exe to extract daily status updates 
  • Resolving reported replication failures as soon as possible, using steps provided in the event logs. Replication failures resulting from software configurations require un-installation of the software before attempting any other solutions. 
  • If all attempts to resolve replication issues do not work, remove the Active Directory Directory Services from the server and reinstall. 

When an attempt to remove AD DS fails when the server is online, any of the following methods can resolve the issue. 

  • Force the removal of the AD DS from the Directory Restore Mode (DSRM) by cleaning up the server metadata and reinstall the AD DS. 
  • Reinstall Operating system and reconfigure the Domain Controller 

Retrieving Replication Status Using Repadmin 

When everything in the Active Directory is working as intended and produces no errors, then it means the following services are working correctly: 

  • DNS 
  • Remote Procedure Call (RPC) 
  • Network Connectivity 
  • Window Time Service (W32time) 
  • Kerberos Authentication Protocol 

The Repadmin tool is used to study the daily replication activities. The tool is able to access all the replication status of all domain controllers in the forest. The report is relayed in a .CSV format that can be accessed using any spreadsheet reader. 

Generating Repadmin for Domain Controllers in a Spreadsheet.                                 

Using the command prompt as an administrator type the following: 

Repadmin /showrepl * /csv > showrepl.csv 

  • Open Microsoft Excel, navigate to the showrepl.csv, and click open 
  • Hide or delete column A and the Transport Type Column 
  • Select the row below the column heading and click freeze panes by clicking on Freeze Top Row 
  • Select the whole spreadsheet and click filter from the data tab 
  • Click on the down arrow below the source DC column, point to text filters, and select the custom filter. 
  • In the custom AutoFilter box, below show rows where click on does not contain.  On the box next to it, type Del to eliminate results from deleted domain controllers. 
  • Repeat the previous step for the Last Failure Known Column and use does not equal and type 0 
  • Resolve replication issues. 

 Conclusion 

Replication going on smoothly throughout the Active Directory is critical. Poor replication means all manner of problems from authentication to inconsistent results.  The article is supposed to help you check on your system’s replication status and learn how to resolve the common replication errors.  

Protect Yourself and discover all permissions owner on your Windows fileservers!

Pass your next security audit without worrying about security leaks!

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

Active Directory Account Lockout: Best Practices

Windows Account Lockout policies are useful when you want to limit the attempts made by people who try to access your network by guessing passwords. The account policy is also good for enforcing strong password policies. When the account lockout policy is in place, it limits the number of times a person can consecutively make login attempts with a set period. However to reduce the frequent calls to the customer desk office you need a lockout policy with increased account lockout duration, decreased lockout threshold, and an increased reset lockout counter. Windows account lockout policies are defined by three independent policies:

  1. Reset account lockout policy
  2. Account lockout duration
  3. Account lockout threshold

Generally, the account lockout policy is configured in the Group Policy Management Console. The path to the console is

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

This document reviews some of the best practices that can be used to disable a user account if a wrong password is issued within a specified period. Here are some of the best practices as used in a typical windows environment.

1.    Setting the Account Lockout Policy

You need to create a lockout policy GPO that can be edited through the following path:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

The default parameters for account lockout duration should be:

  • 1440 minutes for lockout duration
  • 10 invalid logins for account threshold
  • 0 minutes for reset account counter to ensure the account does not unlock itself.

Once the account is locked, the Administrator should determine the lockout period before intervening. Any settings between 1 and 99,999 minutes will automatically unlock the account. The policy must be set to be equal to or greater than reset account lockout counter.

The value for account threshold is the number of attempts an account can sustain when a wrong password is used

The reset counter prompts windows to look for consecutive failed attempts and counterchecks if it needs the reset account lockout after threshold.

2.    Review Account Lockouts

Account lockout investigations will be successful only through capture logs that can be used to trace where the breach is coming from. The administrator can take the following steps:

  • Enable auditing of login events
  • Enable the logging of Netlogon events
  • Kerberos auditing should also be logged.

After looking at the data coming from the enabled features above, analyze security event log files and net login files to find out the origin of the lockouts and why it is taking place. Once you have identified the machine with login errors, analyze its event logs to determine the cause.

3.    Using Account Lockout and Management Tools

Some Microsoft and third-party tools can be used to investigate account lockouts to help determine the cause. These tools send an alert in real time thus giving the help desk an easy time when asked to resolve them.

Netwrix Account Lockout Examiner

This tool helps the system administrator know of an account lockout. This is a freeware that helps identify the root cause of persistent lockouts. System administrators can access the troublesome accounts from the console. This account tool and examiner reduces the strain on the service desk who are alerted even before the user makes the call for help. A working Netwrix Account Lockout Examiner is enough evidence that the Active Directory Account Lockout policy complies with set standards. Netwrix Account Lockout is a tool Administrators can use to identify malicious attacks from viruses leading to multiple lockouts.

The AD Lockouts and Bad Password Detection

The tool is used to track the origin of lockouts in the active directory due to bad password attempts. The utility is useful in large organizations running multiple domains. The system administrator can use the tool to:

  • Search each domain for bad password attempts against a particular account(s)
  • Analyze any events related to failed login attempts on each domain controller by tracing the possible origin of the lockout

Use event logs from every machine in the network to determine if the following common causes of account lockout are present:

  • Mapped drives with open permissions
  • Old and possibly running Login and RDP sessions
  • Tasks and services running on old credentials

Microsoft Account Lockout Status Tools

This account lockout tool is available from Microsoft and can be downloaded to increase the functionality of the Active Directory. Microsoft recommends using this tool alongside the Account Passwords and Policies white paper.

The primary functions of this tool are:

  • Help in the isolation and troubleshooting locked accounts by changing user password on the domain controller. It automatically adds property pages to the user account in the Active Directory Users and Computers management console
  • On the client side, the tool determines what processes or applications are sending the wrong signals or credentials
  • You can use the tool to display account names and age of respective passwords
  • Can be used as a startup script by allowing Kerberos to run on clients using Windows 2000 and later
  • Collects events from event logs of all machines to a central location
  • The tool also identifies all domain controllers involved in a lockout by way of gathering all logs. The output is generated and saved as a .CSV file whose content can be sorted if needed.
  • The lockout tool can be used to extract and display specific entries from the Netlogon log files.

Please Note: Microsoft account lockout status tools should not be used on a server hosting network application and services as it may prevent some critical services from loading.

4.    What are The Causes of Account Lockouts

  • When the port 3389 used by the RDP is open, and brute force applied.
  • Replication in the Active Directory
  • Programs running with cached user credentials
  • Service Accounts with expired or changed passwords
  • Low password threshold settings
  • Shared drive mappings
  • Disconnected terminal sessions
  • Mobile access to the exchange server via IIS
  • User logging on multiple computers
  • Saved account credentials with redundant passwords and usernames.

Conclusion

An account lockout policy is in place to disable users with bad passwords from accessing the system. This policy is enforced after several attempts have been made within a specified period. Using such a policy and with the help of third-party tools and utilities prevent malicious attacks, therefore, reducing successful attacks on your network. The user can access the affected account after the System Administrator has reset the password or after the specified lockout period has lapsed.

 

Protect Yourself and discover all permissions owner on your Windows fileservers!

Pass your next security audit without worrying about security leaks!

Get your free trial of the easiest and fastest NTFS Permission Reporter now!