WINDOWS SERVER 2022: ACTIVE DIRECTORY BACKUP AND RESTORE

Microsoft’s Active Directory is one of the most widely used directory services. This service is an excellent way to manage small to enterprise-scale organizations.
Ensuring that you have a working backup is vital to business continuity.

Let’s discuss a basic example of backing up and restoring.

To be able to follow along with this, you will need to have a Windows server with Active Directory already set up. Please refer to our guide here.
A second hard drive attached to the machine is also required.

Windows Server Backup

Windows Server Backup is free with Windows Server and will be used for this example. The general ideas of the solution would be the same even if other backup software were used.

Installing Windows Server Backup

Open the Server Manager, select Manage and then Add Roles and Features.

When the wizard opens, click Next.

Select the radio button for Role-based or feature-based installation and click Next.

If only one server exists, the correct one will already be selected.
If there is more than one server, ensure the correct one is selected.
Click Next.

No changes need to be made to the server roles page; click Next.

On the features page, scroll down and select Windows Server Backup.

Once the tick mark shows in the box, click Next.

As this is a test environment, the option to restart automatically was selected.
Note: Use automatic restart with caution in a production environment.

If the automatic restart was selected, select Yes and then click Next.

The Windows Server Backup feature will now install.

Windows Server Backup: Once-off

Once the installation has been completed, there are multiple ways to open Windows Server Backup.
The application can be found on the start menu, in the Tools list in Server Manager, and via the command line.

Once open, select Local Backup on the left.

Once loaded, select Backup Once on the right.

In the backup wizard, ensure Different options are selected and click Next.

Select the Custom radio button and click Next.

Click Add Items.

Tick the box next to System state and click Ok.

For the destination, select Local drives and click Next.

The wizard should automatically select the second hard drive.
Should this not occur, select the correct drive from the drop-down list and click Next.

The wizard will confirm that only the system state is to be backed up. Click Backup.

The backup will run. Once completed, click Close.

The one-off backup is now complete.

Windows Server Backup: Scheduled

In the Windows Server Backup client, select Backup Schedule on the right-hand side.

When the wizard opens, click Next.

In this example, we will select a Full server backup and click Next.

For our lab, one daily backup is sufficient.
Select a suitable time for the backup to run and click Next.

To back up to the second hard drive, select Back up to a hard disk and click Next.

Click the option to Show All Available Disks.

Tick the box next to the disk where the backup will run and click Ok.

Once back at the disk selection, ensure the box is ticked next to the disk and click Next.

As this is a complete system backup, Windows will need confirmation to remove the drive so backups can be added.

Note that Windows will prompt you to format the disk. Click Yes.

Click Finish to create the scheduled backup.

Note: Once-off backups and scheduled backups cannot reside on the same drive.
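The three procedures above (installing the feature, the once-off system state backup and the scheduled full-server backup) can also be driven from the command line the article mentions. The following is an added example, not code from the original article, using the WindowsServerBackup PowerShell module that ships with the feature. It assumes the second hard drive is mounted as E: for the once-off backup and that a separate, dedicated disk (disk number 1 here) receives the schedule, since once-off and scheduled backups cannot share a drive.

```powershell
# Added example (not from the original article): install, once-off system
# state backup and daily scheduled full-server backup from an elevated
# PowerShell prompt on the domain controller.
# Assumptions: E: is the once-off backup volume; disk number 1 is a
# dedicated, empty disk for the schedule (it will be formatted).

# 1. Install the Windows Server Backup feature; the WB* cmdlets come with it.
Install-WindowsFeature -Name Windows-Server-Backup
Import-Module WindowsServerBackup

# 2. Once-off system state backup to E:
#    (Backup Once > Different options > Custom > System state > Local drives).
$once = New-WBPolicy
Add-WBSystemState -Policy $once
$volumeTarget = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $once -Target $volumeTarget
Start-WBBackup -Policy $once

# Verify that a backup set now exists before trusting it for recovery.
Get-WBBackupSet | Sort-Object BackupTime -Descending |
    Select-Object -First 1 VersionId, BackupTime, BackupTarget, Application

# 3. Scheduled full-server backup, once a day at 02:00, to a dedicated disk
#    (Backup Schedule > Full server > Back up to a hard disk).
$sched = New-WBPolicy
Add-WBBareMetalRecovery -Policy $sched        # full server, system state included
Set-WBSchedule -Policy $sched -Schedule 02:00
$disk = Get-WBDisk | Where-Object { $_.DiskNumber -eq 1 }   # assumed backup disk
$diskTarget = New-WBBackupTarget -Disk $disk -Label 'DCBackup'
Add-WBBackupTarget -Policy $sched -Target $diskTarget -Force
Set-WBPolicy -Policy $sched -Force            # -Force acknowledges the disk format

# 4. Confirm the policy is registered and when the next run is due.
Get-WBPolicy | Select-Object Schedule, BackupTargets
Get-WBSummary | Select-Object NextBackupTime, LastSuccessfulBackupTime
```

Run the once-off part after any change to the domain you would not want to lose, and check `Get-WBSummary` after the first scheduled run so that a backup that never started is noticed before a restore is needed.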

Active Directory Restore

In our example, we’ve created a user account. This user account was then erroneously deleted.
Note: For this example, we will restore from the system state backup above.

As visible in the below screenshot, the user is no longer visible.

To restore our missing user, we must restart our Domain Controller in safe mode.
Open the run command, type MSConfig, and click Ok.

When the System Configuration opens, select the Boot tab.
On the boot page, tick the box next to Safe boot and ensure the Active Directory repair radio button is ticked, then click Ok.

Click Restart.

After restarting into safe mode, only some of the domain services are running.
If you try to log in with a domain account, it will fail with the below error.
Click Ok.

Select Other user on the lower left of the login screen.

Log in to the server with the local administrator account from server installation.
Login requires the format of .\admin_account_name (the .\ changes log-in from the domain to the local computer).

To confirm that the server has started in Safe mode, note the text in the four corners.

To restore the deleted user account, open Windows Server Backup.

Once open, select Local Backup on the left-hand side and choose Recover on the right-hand side.

When the wizard opens, select This server and click Next.

Select an appropriate backup to restore from and click Next.

Select System state and click Next.

Select the radio button to restore to the Original location, tick the box to perform an authoritative restore, and click Next.

Click Ok on the warning.

Confirm that the wizard will restore the system state and click Recover.

The wizard will warn against canceling or pausing the recovery; confirm by clicking Yes.

The recovery process will take some time to complete.

Once complete, the wizard will offer a restart option.
Do not select this.
Open the run command again, enter MSConfig and click Ok.

Navigate to the Boot tab again.
Untick the box next to Safe boot and click Ok.

Select Restart.

After restarting, log in again with a domain administrator account, not the local administrator account used during the previous restore steps.

After login, a message will prompt that the recovery has been completed successfully.
Hit Enter to continue.

To confirm that the restore was successful, navigate to the Active Directory Users and Computers.

When opening the Users, we can see that the user account has been restored.
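The same recovery, carried out from an elevated PowerShell prompt rather than MSConfig and the wizard, as an added example that is not code from the original article. It assumes the backup drive is E:, that the version identifier is the one printed by `wbadmin get versions`, and that the deleted user is the hypothetical `CN=Jane Doe,OU=Staff,DC=adtest,DC=foldersecurityviewer,DC=com` with logon name `jdoe`.

```powershell
# Added example (not from the original article): restore a deleted user
# from the system state backup via Directory Services Repair Mode (DSRM).
# Assumptions: backups on E:, user DN and logon name as noted below.

# 1. Boot into DSRM on the next restart (the same effect as ticking
#    Safe boot / Active Directory repair in MSConfig).
bcdedit /set safeboot dsrepair
Restart-Computer

# --- log in as .\Administrator with the DSRM password, then continue ---

# 2. List the system state backups on the drive and note the version id.
wbadmin get versions -backupTarget:E:

# 3. Restore the system state from that version. -authsysvol corresponds to
#    the wizard's "authoritative restore" tick box: it marks this DC's
#    SYSVOL as authoritative. Replace the version placeholder with a real id.
wbadmin start systemstaterecovery -version:MM/DD/YYYY-HH:MM -backupTarget:E: -authsysvol -quiet

# 4. In a domain with more than one DC, mark the restored user itself as
#    authoritative; otherwise the other DCs, which still hold the deletion,
#    replicate it back and the user disappears again. DN is the assumed one.
ntdsutil 'activate instance ntds' 'authoritative restore' 'restore object "CN=Jane Doe,OU=Staff,DC=adtest,DC=foldersecurityviewer,DC=com"' quit quit

# 5. Clear the safe boot flag and restart normally (do not use the wizard's
#    restart button); then log in with a domain administrator account.
bcdedit /deletevalue safeboot
Restart-Computer

# --- after the normal restart ---
# 6. Confirm the user is back and that replication is healthy again.
Get-ADUser -Identity 'jdoe' -Properties WhenChanged | Select-Object Name, Enabled, WhenChanged
repadmin /replsummary
```

Step 4 is the part the graphical wizard does not do for you: the tick box in the wizard only makes SYSVOL authoritative, so on a single-DC lab the user reappears either way, but with replication partners the `ntdsutil` step is what keeps it.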

Conclusion

The ability to back up and restore Active Directory is crucial to any disaster recovery plan. Ensure that backups are created regularly. Restores should also be tested regularly to ensure no corruption.
Wherever possible, have multiple domain controllers running to minimize downtime in the event of failure.

WINDOWS SERVER 2022: INSTALLING ACTIVE DIRECTORY

Microsoft’s Active Directory (AD) offers many global corporations an enterprise-grade Single Sign-On environment.
Knowing how to configure this on the latest version of Windows Server will always benefit any IT professional.
In this article, we will discuss the initial setup of Active Directory.

Note 1: This was set up in a test environment; please always be cautious while working in a production environment.
Note 2: IP addresses listed are from the test environment; please ensure to match your environment.

Prerequisites

Processor

  • A 1.4 GHz 64-bit processor compatible with the x64 instruction set.
  • Supports NX (No eXecute) and DEP (Data Execution Prevention).
  • Supports second-level address translation such as EPT and NPT.

RAM

  • At least 512MB (if a server with a desktop environment is installed, a minimum of 2GB is needed).
  • RAM with error-correcting code (ECC).

Storage

  • PCI Express storage adapter.
  • Hard disks have a minimum partition requirement of 32GB.

Network

  • Any adapter that can use gigabit throughput.
  • PCI Express compliant adapter.
  • A card that supports a Pre-Boot Execution Environment (PXE).
  • A network debugging-enabled card is desirable but not a requirement.

Installation

To install Active Directory, Server 2022 must be installed and fully updated.

After the updates are installed, open the Server Manager application.
Once open, select the Ethernet connection so a static IP address relevant to the environment can be set.

Select the Ethernet adapter and open the Properties.
Under properties, select the TCP/IPv4 and click Properties.

Select the radio button to Use the following IP address.
Specify a free IP address in the network, as well as the subnet mask and correct default gateway, and click OK.

Next, select the computer name under the Server Manager to change it.
The server will need a valid name before installing Active Directory.

On the System Properties window that opens, select Change.

Create a meaningful name for the server (DC1 in our example) and click OK.

Click Ok to acknowledge that the computer needs to be restarted.

Click Restart Now.

After restart, the new IP address and computer name are visible when checking the Server Manager.

In the Server Manager, select Manage, and then Add Roles and Features.

The wizard will give basic information; click Next.

Select Role-based or feature-based installation and click Next.

Should there be multiple servers in the environment, ensure the correct server is selected and click Next.
Should there only be one server, the above can be ignored. Just click Next.

On the server roles list, select Active Directory Domain Services.

Leave the tick box ticked to Include management tools, and click Add Features.

Active Directory Domain Services will now be ticked. Click Next.

For the Features, click Next with no changes.

The Active Directory Domain Services page makes some suggestions that are very important for production environments, namely:

  • Install a minimum of two domain controllers so users can log in even if there is a server outage.
  • A Microsoft DNS server must be set up in the network.

Click Next.

Ticking the option to restart automatically for test environments will speed up the installation process. This should be used with caution for production environments.
Click Install.
If the option to restart was selected, click Yes to allow the automatic restart.

Installation of the Active Directory Domain Services will now run.

Once completed, select the option to Promote this server to a domain controller.

As this is a new domain, we will create a new forest.
For the root domain name, it is best to use a subdomain of an existing public FQDN (Fully Qualified Domain Name).
For example, adtest.foldersecurityviewer.com.
Should you not have a public domain, replacing the .com on the end with .local will work for test domains.

When setting up the domain controller for the first time, certain decisions will need to be made.
Forest Functional Level is the minimum Operating System version for all servers in all sub-domains.
Domain Functional Level could be set higher than the Forest level, but not lower.
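The whole installation above, from the static address to the new forest, as an added example done from an elevated PowerShell prompt; this is not code from the original article. The values are constructed for a lab: address 192.0.2.10/24 with gateway 192.0.2.1 (the documentation address range), interface alias `Ethernet`, server name DC1 and the article's example domain adtest.foldersecurityviewer.com.

```powershell
# Added example (not from the original article): initial AD DS setup.
# Assumptions: lab addresses 192.0.2.10/24 and 192.0.2.1, interface alias
# "Ethernet", name DC1, domain adtest.foldersecurityviewer.com.

# 1. Static IP address. The DC points DNS at itself; AD DS installs DNS below.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '192.0.2.10' `
    -PrefixLength 24 -DefaultGateway '192.0.2.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.0.2.10'

# 2. A meaningful computer name; the rename needs a restart before promotion.
Rename-Computer -NewName 'DC1' -Restart

# --- after the restart ---
# 3. The AD DS role with its management tools (ADUC, AD PowerShell, DNS tools).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 4. Dry run: the same prerequisite checks the wizard runs, changing nothing.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
Test-ADDSForestInstallation -DomainName 'adtest.foldersecurityviewer.com' `
    -SafeModeAdministratorPassword $dsrm

# 5. Promote to a new forest. WinThreshold is the Windows Server 2016
#    functional level, the highest available (Server 2022 adds none).
#    The domain level may be set higher than the forest level, never lower.
Install-ADDSForest -DomainName 'adtest.foldersecurityviewer.com' `
    -DomainNetbiosName 'ADTEST' `
    -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force

# --- after the automatic restart, verify the result ---
Get-ADForest | Select-Object Name, ForestMode, GlobalCatalogs
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
```

Keep the DSRM password somewhere the recovery procedure can reach it: it is the local administrator password used to log in during a system state restore, and it is not the same as the domain Administrator password.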

Conclusion

We hope that this guide will help you on your journey to Active Directory setup and administration.

Active Directory – An Introduction

During the Active Directory Domain Services (AD DS) installation, the Windows server is set up as a Domain Controller (DC).
The Domain Controller is a database of all objects for the network/domain.
This database will allow only authorized objects such as users, computers, or printers to connect and access resources.
The administration is eased as users are managed centrally instead of managing logins on individual computers.
The top level of an Active Directory network is called a Forest.
This forest can consist of multiple sub-domains that, while separate, can interact with each other should the administrator choose.

Active Directory Domain Services (AD DS)

Microsoft’s Active Directory Domain Services (AD DS) is a sub-feature of Active Directory that allows administrators to build a centralized and scalable Windows network. These networks are based on logical and hierarchical structures.
Active Directory Domain Services (AD DS) manages critical network functions such as:

  • Users
  • User logins
  • Computers
  • Security permissions
  • Organizational units
  • Printers

Let’s discuss some basic features and terminologies.

Active Directory Objects

There are two main object categories within Active Directory.

Container: These can group other objects inside, for example, an organizational unit that groups user accounts together.
Leaf: These cannot contain other objects inside, for example, a user account.

Active Directory Terminology

Schema: This is a set of instructions that govern attributes and objects in the AD DS.
Global Catalog: This is a repository of objects contained in the AD. In the Global Catalog, you’ll find users’ details, such as names and contacts.
Sites: This represents the network topology of a Windows network.
Query and Index Mechanism: This feature ensures users can locate each other in the Active Directory. A perfect example is when you start typing a user’s email address in the client’s recipient field, and the possible matches are displayed.
Lightweight Directory Access Protocol: Commonly abbreviated as LDAP, this protocol enables the Active Directory to communicate with LDAP-enabled directory services in the network.
Replication Service: As the name suggests, replication ensures the Domain Controller is replicated onto another Domain Controller, thereby having the same schema and catalog.

Active Directory Services

Active Directory offers a long list of services. Some of the most used features are:

Domain Services: The AD DS offers core services such as centralization of data and management of communication between users in the domain, search functionality, and login authentication.

Lightweight Directory Services: This feature supports applications that are directory enabled using the LDAP protocol.
Rights Management: Rights management handles information rights. It encrypts and limits access to personal content such as emails, documents, and other confidential data.
Directory Federation Services: DFS provides a single-sign-on functionality that enables secure user authentication, especially when interacting with multiple web applications during a single session.
Certificate Services: These features allow for the generation, management, and sharing of security certificates. The certificates encrypt data sent over the Internet and guarantee their privacy and confidentiality, thereby averting attempts by hackers to steal the information.

Active Directory Domain Controller Functions

Domain Controllers, or DCs for short, are the servers that host the Active Directory database.
Their primary role is to authenticate user requests based on their username and password and the appropriate permissions they have been assigned.
The Domain Controller (DC) also hosts a variety of services that complement the authentication, such as:
NetLogon: This service runs silently in the background. Its primary purpose is to validate users’ login credentials in the domain network. If stopped, many server functions would be adversely affected, and domain users could not access their accounts.
Kerberos Key Distribution Center (KDC): KDC is a service that issues, validates, and performs encryption of Kerberos tickets. It consists of an Authenticating Server and a Ticket Granting Server (TGS). The service authenticates users when the Kerberos protocol is used. Kerberos is a protocol designed for security and authentication purposes. It provides a mechanism for authenticating users to use the services on a Windows network; for example, accessing a file server while, at the same time, encrypting the connections between clients and servers.
W32time service: Also referred to as Windows time, W32time is a service that uses Network Time Protocol (NTP) to synchronize time and date for all computers joined to the Active Directory. The NTP synchronizes all the clocks on the computers in the domain network. For Kerberos to function correctly, the date and time of all computers in the network must be synchronized.
Intersite Messaging (IsmServ): This service allows the exchange of information between computers in a networked environment with Windows servers. It provides replication between sites by employing SMTP over a TCP/IP network.

Conclusion

Active Directory is a key component for wide-scale Windows networks.
Understanding how it works can assist in maintaining an optimal network.

Overview of the Active Directory Domain Services (AD DS)

Microsoft’s Active Directory Domain Services (AD DS) is a core role that allows users to build a scalable and centralized Windows network. 

Furthermore, the AD DS takes care of user logins, security permissions, and other crucial network services.

The AD DS is a function of the Active Directory, which manages users, groups, organizational units, and computers, allowing IT administrators to structure users into logical hierarchical units.

In this article, we’ll cover some AD DS’s basic terminologies, services, and other features.

First, let’s have a look at the Active Directory (AD).

Active Directory

Active Directory is a Microsoft technology that is installed when the Active Directory Domain Services is set up in the Domain Controller.

As the name suggests, the Active Directory is a repository or database that stores objects such as groups, computers, printers, file shares, group policies, and file permissions.

The most crucial role of the Active Directory is to handle user authentication in the domain network. It accomplishes this by allowing only authorized users to log into the network.

Additionally, the AD centralizes security by storing user accounts and their passwords in one location, instead of storing them in client computers.

IT administrators can create and delete users, configure or allow users to change their passwords, and create group policies, which determine how users interact with their PCs in the domain environment.

Without an Active Directory, IT administrators are forced to set up local users on each PC and reset the password for every user on their computers.

The AD DS is the fundamental framework for domain management. Each domain forms part of an Active Directory Forest, which can also comprise more than one domain arranged into various organizational units.

Categories of Active Directory objects

Active Directory objects can be categorized into two main categories:

  • Container objects: These are objects that contain other objects inside them, such as Forests, Trees, Domains, and organizational units.
  • Leaf Objects: These are objects that do not contain other objects, such as users, printers, and computers.

Key Terminologies of Active Directory Domain Services

  • Schema: This is a set of instructions that govern attributes and objects in the AD DS.
  • Global Catalog: This is a repository of objects contained in the AD. It’s in the Global Catalog that you’ll find users’ details such as names and contacts.
  • Sites: These represent the network topology of a Windows network.
  • Query and Index Mechanism: This feature ensures users can locate each other in the Active Directory. A perfect example is when you start typing a user’s email address in the client’s recipient field and the possible matches are displayed.
  • Lightweight Directory Access Protocol: Commonly abbreviated as LDAP, this protocol enables the Active Directory to communicate with LDAP-enabled directory services in the network.
  • Replication Service: As the name suggests, replication ensures the Domain Controller is replicated onto another Domain Controller, thereby having the same schema and catalog.

Services provided in the Active Directory Domain Services

The Active Directory provides a myriad of services that fall under the Active Directory Domain Services.

Here is a description of some of the services.

  • Domain Services

The AD DS offers core services such as centralization of data and management of communication between users in the domain, search functionality, as well as login authentication.

  • Lightweight Directory Services

This feature supports applications that are directory enabled using the LDAP protocol.

  • Rights Management

Rights management handles information rights. It encrypts and limits the access to personal content such as emails, documents, and other confidential data.

  • Directory Federation Services

DFS provides a single-sign-on functionality that enables secure user authentication, especially when they are interacting with multiple web applications during a single session.

  • Certificate Services

These features allow for the generation, management, and sharing of security certificates. The certificates encrypt data sent over the Internet and guarantee their privacy and confidentiality, thereby averting attempts by hackers to steal the information.

Functions of Domain Controllers with Active Directory Domain Services

A Domain Controller (DC) is a server in the Windows network that allows users to access domain resources. Its main purpose is to authenticate users in a network.

The DC listens to authentication requests from users in the network and verifies them based on their usernames and passwords.

The Domain Controller hosts the Active Directory Domain Services as well as a wide range of other services that complement Active Directory Domain Services.

These services include:

  • NetLogon: It’s a service that runs silently in the background. Its main purpose is to validate users’ login credentials in the domain network. If stopped, many server functions would be adversely affected and users in the domain would be unable to access their accounts. Additionally, any services that depend on it will also fail.
  • Kerberos Key Distribution Center (KDC): KDC is basically a service that issues, validates, and performs encryption of Kerberos tickets. It consists of an Authenticating Server and a Ticket Granting Server (TGS). The service authenticates users when the Kerberos protocol is used. Kerberos is a protocol designed for security and authentication purposes. It provides a mechanism for authenticating users to use the services on a Windows network; for example, accessing a file server while, at the same time, encrypting the connections between clients and servers.
  • W32time service: Also referred to as Windows time, W32time is a service that uses Network Time Protocol (NTP) to synchronize time and date for all computers joined to the Active Directory. The NTP synchronizes all the clocks on the computers in the domain network. For Kerberos to function properly, it demands that date and time for all computers in the network are synchronized.
  • Intersite Messaging (IsmServ): This is a service that allows the exchange of information between computers in a networked environment with Windows servers. This protocol also allows replication between mail sites by employing SMTP over a TCP/IP network.
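Both the Domain Controller Functions section earlier and the list just above describe the same set of services (NetLogon, KDC, W32time, IsmServ) and the terminology sections describe sites, the Global Catalog and replication. The following added example, not code from either article, checks all of these on a domain controller from an elevated PowerShell prompt with the ActiveDirectory module installed. The Windows service names are real; the check of the NTP source assumes the domain uses the default Kerberos clock-skew tolerance of five minutes.

```powershell
# Added example (not from the original articles): health check of the DC
# services and directory features described in the text.
# Assumption: run on a DC with the ActiveDirectory module (RSAT-AD-PowerShell).
Import-Module ActiveDirectory

function Test-DcCoreServices {
    # The services the articles describe, keyed by their Windows service names.
    $expected = [ordered]@{
        'Netlogon' = 'Validates logon credentials in the domain'
        'Kdc'      = 'Kerberos Key Distribution Center'
        'W32Time'  = 'Windows Time (NTP)'
        'IsmServ'  = 'Intersite Messaging'
        'NTDS'     = 'Active Directory Domain Services (directory database)'
    }
    foreach ($name in $expected.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status } else { 'NotInstalled' }
            Role    = $expected[$name]
        }
    }
}

function Test-KerberosTimeSync {
    # Kerberos rejects tickets when clocks differ by more than the skew limit
    # (5 minutes by default), so the DC must have a real NTP source and a
    # small offset. w32tm prints "Source:", "Stratum:" and "Phase Offset:" lines.
    $status = w32tm /query /status
    [pscustomobject]@{
        TimeSource  = ($status | Where-Object { $_ -match '^Source' })
        Stratum     = ($status | Where-Object { $_ -match '^Stratum' })
        PhaseOffset = ($status | Where-Object { $_ -match 'Phase Offset' })
    }
}

function Get-ReplicationAndCatalogSummary {
    # Sites, global catalogs and this DC's replication partners: the
    # terminology sections describe them, this shows what the directory reports.
    [pscustomobject]@{
        Sites          = (Get-ADReplicationSite -Filter *).Name
        GlobalCatalogs = (Get-ADForest).GlobalCatalogs
        Partners       = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
                         Select-Object Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
    }
}

Test-DcCoreServices | Format-Table -AutoSize
Test-KerberosTimeSync | Format-List
Get-ReplicationAndCatalogSummary | Format-List
```

A stopped `Kdc` or `Netlogon`, a time source of "Local CMOS Clock" on a DC that is not the PDC emulator, or a non-zero `ConsecutiveReplicationFailures` are the three findings from this check that most often explain "users cannot log on" reports.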

Conclusion

Active Directory Domain Services is a key feature in a networked Windows environment.

Therefore, understanding how it operates can assist in maintaining the optimal operations of your network.


Active Directory Security – Best Practices

Active Directory (AD) is the heart of the Windows Server System. The Active Directory is a repository for essential features and services core to the Windows environment.

It’s in the AD that users, values, groups, organizational units, objects such as printers and computers, and group policies are installed and configured.

Think of the Active Directory as a contact list on your smartphone. The ‘contacts’ app would be the AD, whilst the names would be the ‘objects’, and phone numbers and email addresses would be the values.

IT administrators rely on the AD to structure the organization’s users, groups, and objects in a hierarchical order, as well as configure group policies and settings such as wallpapers and users’ profile pictures.

It’s therefore prudent to ensure the security of your Active Directory.

Why is it crucial to secure the Active Directory?

Since the Active Directory is a critical component in structuring and authorizing users and applications within an organization, it is a potential target for cyber-attacks.

If hackers can penetrate the Active Directory, they pose an enormous risk. They can access all the user accounts, groups, applications, group policies, databases, and a host of other very crucial information, which should be reserved for the IT administrators.

If attackers can obtain login credentials, they can penetrate your system and escalate privileges, giving them access to the resources they require.

Without proper security measures and Active Directory audit controls, attackers can easily infiltrate your system and steal valuable information.

It’s therefore important to ensure that security compromises are detected and remediated in good time, before hackers can intrude into your system and wreak havoc on your Active Directory Forest, making it very difficult to recover.

Active Directory security vulnerabilities

Let’s now look at some of the potential threats that can leave your AD vulnerable to attacks.

1. Relaxed password policies

A password essentially acts as a lock to your account, keeping outsiders and attackers at bay.

Many users prefer simple passwords, which are vulnerable to attack because they contain few characters, the user’s name or date of birth, or words that can easily be guessed.

In other cases, users may form a habit of writing down their passwords on a piece of paper, or even sharing them with other users.

Such habits usually leave the users’ accounts vulnerable to hackers through brute force attacks or social engineering attacks.

Password policies in an organization should be stringent and followed to the letter. Strong passwords usually have a combination of uppercase, lowercase, numeric, and special characters, and should be no less than 8-12 characters.

Users should also be encouraged to change their passwords regularly and memorize them, instead of writing them down.

2. Unpatched vulnerabilities in the server

Each successive release of the Windows Server system comes with new security updates and features to address existing vulnerabilities and flaws.

This implies that older versions pose potential security threats and need to be regularly patched with the latest security updates before hackers can exploit the vulnerabilities.

Additionally, all software applications should be regularly updated to fix any security flaws that hackers can leverage.

3. Broad access to the Active Directory Server

Having a long list of Active Directory users who enjoy administrative privileges predisposes your system to privilege abuse, which is a major cause of information leakages.

4. Overreliance on default security settings of the Domain Controller

Most organizations prefer maintaining the default security settings that come with the Windows Server system.

While that may work well, hackers are well acquainted with the default security features and may use that knowledge to infiltrate your system.

It is therefore recommended for IT administrators to make a few tweaks to fortify the security of their Active Directory.

5. Overreliance on Kerberos authentication protocol

An attacker can decrypt data and expose an account’s password where the Kerberos authentication protocol is extensively used.

Active Directory Security Best Practices

After seeing some of the potential vulnerabilities that may expose your Active Directory to security breaches, let’s now focus on some of the best practices you can use to ensure its optimal security.

1. Employ the least privilege administration model

This means that all users should log in to the system with the least or minimum permissions necessary to execute their tasks.

Additionally, it’s recommended that you create only two login accounts in the AD: an admin user account and a regular user account. Use the regular user account for day-to-day tasks, such as browsing the Internet, printing, and so on.

The admin user account should only be used for administrative tasks, such as creating new users, creating groups and organizational units, installing roles and features, and configuring the network.

A better option can be to delegate some administration tasks to secondary users. Some of these tasks may include:

  • Managing DHCP and DNS
  • Accessing Active Directory users and computers
  • Managing administration rights on servers and workstations

2. Secure the default domain administrator account

Normally, a built-in domain administrator account is set up by default when a Windows Server system is installed. NOBODY, other than the IT administrator, should know the default built-in administrator’s password.

Additionally, the account should only be used for setting up the domain and for disaster recovery purposes. If there are users that need administrative rights to access the AD or the server, then they should request the IT admin to grant their accounts admin privileges, but not use the built-in account.

In addition, the built-in administrator account should be set up using a very strong password. A minimum password length of 8-12 characters—which includes uppercase, lowercase, numeric, and special characters—is recommended.

3. Maintain constant monitoring of the Active Directory

The active directory needs to be constantly monitored for signs of abnormal or unusual activities.

Some of the events you should pay attention to when monitoring the AD include:

  • Account lockouts
  • The use of administrator accounts
  • A spike in the frequency of incorrect password attempts
  • A rise in the number of locked out accounts
  • Disabled antivirus software
  • Logon and logoff events
  • All activities performed by privileged account users

So, how can you monitor events in the Active Directory?

The best way of monitoring events in the AD is by using a log analyzing software application that generates AD reports.
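Before a dedicated log-analysis product is in place, the events listed above can be pulled straight from a domain controller's Security log. The following is an added example, not code from the original article: it reports lockouts, a spike in failed logons, use of privileged accounts, logon/logoff volume and the local antivirus state. The event IDs are the standard Windows security audit IDs; the 24-hour window, the threshold of 10 failures per account and the use of Microsoft Defender for the antivirus check are assumptions for this lab.

```powershell
# Added example (not from the original article): query a DC's Security log
# for the monitored events listed in the text. Assumptions: 24 hour window,
# 10 failed logons per account counts as a spike, Microsoft Defender is the AV.
$since = (Get-Date).AddHours(-24)

function Get-SecurityEvents {
    param([int[]]$Id, [datetime]$StartTime)
    # FilterHashtable is evaluated by the event log service, far cheaper than
    # reading the whole log and filtering in PowerShell.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $StartTime } `
        -ErrorAction SilentlyContinue
}

function Get-EventField {
    param($Event, [string]$Name)
    # Named fields live in the event's EventData XML; select one by its Name attribute.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Account lockouts (4740): which account, and from which computer the
#    bad attempts came (4740 stores the caller computer in TargetDomainName).
Get-SecurityEvents -Id 4740 -StartTime $since | ForEach-Object {
    [pscustomobject]@{
        Time           = $_.TimeCreated
        LockedAccount  = Get-EventField $_ 'TargetUserName'
        CallerComputer = Get-EventField $_ 'TargetDomainName'
    }
} | Format-Table -AutoSize

# 2. Spike in incorrect passwords: accounts with more than 10 failed logons (4625).
Get-SecurityEvents -Id 4625 -StartTime $since |
    Group-Object { Get-EventField $_ 'TargetUserName' } |
    Where-Object { $_.Count -gt 10 } |
    Select-Object Name, Count | Sort-Object Count -Descending

# 3. Use of administrator accounts: 4672 is logged when a logon is granted
#    special privileges, so grouping it by user shows who used elevated rights.
Get-SecurityEvents -Id 4672 -StartTime $since |
    Group-Object { Get-EventField $_ 'SubjectUserName' } |
    Select-Object Name, Count | Sort-Object Count -Descending

# 4. Logon (4624) and logoff (4634) volume as a baseline to compare day to day.
Get-SecurityEvents -Id 4624, 4634 -StartTime $since | Group-Object Id | Select-Object Name, Count

# 5. Disabled antivirus: real-time protection state of Microsoft Defender on this host.
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
```

Run the same queries against every domain controller, not just one: lockout events are logged on the PDC emulator, but failed logons (4625) are recorded on whichever DC handled the attempt.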

Some of the best software tools for log analysis include:

4. Enforce complex passwords and passphrases

IT administrators should encourage their users to use passwords with a length of at least 8-12 characters with a combination of uppercase, lowercase, numeric, and special characters.

Moreover, users should be encouraged to use random passphrases as passwords. Also, a strong password policy should include account lockout after 3 failed login attempts.

Here are some good examples of strong passwords:

M@gnum@2030!TkrY

#Pros$YuOT29$7%
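The password rules from item 1 and item 4 (length, complexity, regular change, lockout after 3 failed attempts) are enforced in Active Directory through the default domain password policy and, for privileged accounts, a fine-grained password policy. The following added example, not code from the original article, applies them from an elevated PowerShell prompt with the ActiveDirectory module. The policy name `Admins-PSO`, the 90/60-day maximum ages, the 30-minute lockout window and the account name `admin.jdoe` are assumptions for the lab.

```powershell
# Added example (not from the original article): enforce the recommended
# password and lockout settings. Assumptions: PSO name "Admins-PSO",
# 90 day domain / 60 day admin maximum age, 30 minute lockout, user admin.jdoe.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# 1. Record what is in force today so the change can be reviewed and documented.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Domain-wide baseline: 12 characters with complexity, 24 passwords of
#    history, change every 90 days, lockout after 3 failures within 30 minutes.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 12 -ComplexityEnabled $true `
    -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 3 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 3. Stricter fine-grained policy for administrative accounts, so the admin
#    account of the least-privilege model is held to a 20 character passphrase.
#    A PSO needs every setting specified; lower Precedence wins when several apply.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'Admins-PSO'")) {
    New-ADFineGrainedPasswordPolicy -Name 'Admins-PSO' -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 3 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-PSO' -Subjects 'Domain Admins'
}

# 4. Verify which policy actually applies to a given account; an empty result
#    means the domain default applies, a PSO result shows the override.
Get-ADUserResultantPasswordPolicy -Identity 'admin.jdoe'
```

The lockout threshold of 3 mirrors the article's recommendation; note that a low threshold also lets anyone who can reach the logon service lock out accounts deliberately, which is why the monitoring of 4740 events in item 3 belongs alongside this setting.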

5. Delete old and unused AD user accounts

You should develop a procedure for cleaning old and unused user accounts sitting in the AD. Hackers can use such idle accounts to infiltrate your system.
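One way to turn this into a repeatable procedure, as an added example that is not code from the original article: find enabled user accounts that have not logged on for 90 days, disable them, and move them to a holding OU so that they can be reviewed and later deleted. The 90-day window, the holding OU `OU=Disabled-Stale,DC=adtest,DC=foldersecurityviewer,DC=com` and the dry-run flag are assumptions.

```powershell
# Added example (not from the original article): stale account clean-up.
# Assumptions: 90 day inactivity window, holding OU below, $dryRun = $true
# until the list has been reviewed.
Import-Module ActiveDirectory
$inactiveDays = 90
$holdingOu = 'OU=Disabled-Stale,DC=adtest,DC=foldersecurityviewer,DC=com'   # assumed OU
$dryRun = $true

function Get-StaleUsers {
    param([int]$Days)
    # Search-ADAccount relies on lastLogonTimestamp, which replicates between DCs
    # but may lag the real last logon by up to 14 days, so keep the window
    # comfortably above that and treat the dates as approximate.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object { $_.Enabled } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, WhenCreated |
        # Accounts created recently and never used yet are not "old and unused".
        Where-Object { $_.WhenCreated -lt (Get-Date).AddDays(-$Days) }
}

$stale = Get-StaleUsers -Days $inactiveDays
$stale | Select-Object SamAccountName, LastLogonDate, PasswordLastSet, DistinguishedName |
    Format-Table -AutoSize

foreach ($u in $stale) {
    # -WhatIf:$dryRun prints the intended change without applying it while reviewing.
    Disable-ADAccount -Identity $u -WhatIf:$dryRun
    Set-ADUser -Identity $u -WhatIf:$dryRun `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive more than $inactiveDays days"
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $holdingOu -WhatIf:$dryRun
}
```

Disabling first and deleting later keeps the account's SID and group memberships recoverable if the clean-up catches a service account or a user on extended leave.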

6. Practice patch management and vulnerability scanning

Hackers can leverage known vulnerabilities to breach your system. The earlier these vulnerabilities are discovered, the better.

It is prudent to periodically scan the Domain Controller for any vulnerabilities and update all the software applications. You can also use third-party applications to detect loopholes and vulnerabilities.

Additionally, it’s a good practice to regularly update software applications on your server and fix flaws addressed in the latest versions.

7. Desist from installing additional software or roles on the Domain Controller

To minimize risks of potential attacks, Domain Controllers should have as few software applications as possible.

Attackers can leverage preexisting vulnerabilities in the applications and use the flaws to gain entry and escalate privileges.

It is recommended to use the Windows Server core since it has no GUI and comes with a small footprint. Domain controllers should be kept as lean as possible.

8. Use security groups to determine which users have certain privileges

It is recommended for IT administrators to create custom security groups to determine the users having access rights and special privileges. This should also be documented to keep track of the users assigned to different privileges.

Using security groups can assist in managing access privileges and preventing unauthorized access to sensitive data.

Wrapping up

Those are the best practices for maintaining the security of your Active Directory.

Is there something we’ve missed in this article?

Or, do you have a comment or a question?

Please post them below.

Protect yourself and discover all permissions owner on your Windows fileservers!

Pass your next security audit without worrying about security leaks!

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

Detect Permission Changes in Active Directory

This article describes how to track permission changes in Active Directory.

Overview

Let’s start the article with a small example:

Suppose an organization works in three shifts with different server administrators, and overnight the permissions on some Active Directory objects change. It is good practice to know which administrator changed them, and when.

For that information, auditing of changes to permissions in Active Directory must be enabled, and in this article we explain how to do it.

Enable auditing of Active Directory service changes

The first step is enabling auditing of Active Directory service changes. This is done on the domain controller by editing the Default Domain Controllers Policy Group Policy object.

The operation should be performed from a server, or from a workstation with Remote Server Administration Tools (RSAT) installed.

Open Group Policy Management and expand the Active Directory forest, then Domains, then the Domain Controllers organizational unit (OU). Right-click the Default Domain Controllers Policy GPO and select Edit from the menu; the Group Policy Management Editor opens.

In the Group Policy Management Editor, navigate to Computer Configuration, expand Policies, then Windows Settings, then Advanced Audit Policy Configuration, and click DS Access.

Among the other subcategories, there will be Audit Directory Service Changes.

In the properties of the Audit Directory Service Changes policy, tick Configure the following audit events and both checkboxes (Success and Failure).

Adding a system access control list (SACL)

The next step is adding a system access control list (SACL) to the domain so that modified permissions are audited.

System access control lists (SACLs) are used to establish security policies across the system for actions like logging or auditing resource access.

A SACL specifies:

  • Which security principals (users, groups, computers) should be audited when accessing the object.
  • Which access events should be audited for these principals.

The SACL is added from Active Directory Users and Computers (ADUC): open the View menu and check Advanced Features (it has to be activated).

Click the Active Directory domain (on the left) and select Properties > Security > Advanced, then switch to the Auditing tab and click Add. The Auditing Entry dialog opens.

In the Auditing Entry dialog, click Select a Principal.

Enter “Everyone” as the object name in the Select User, Computer, Service Account, or Group dialog, and click OK.

The Type of the auditing entry has to be set to “Success”, and Applies to has to be set to “This object and all descendant objects”.

Under Permissions, the only option selected has to be “Modify Permissions”.
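The same auditing entry can be set from PowerShell, which is handy when several domains have to be configured identically. The following is an added example (not code from the original article): it adds the entry the GUI steps above describe (Everyone, Modify Permissions, Success, this object and all descendants) to the domain object's SACL and then lists the result. It assumes the ActiveDirectory module, whose AD: drive is used, and rights to modify the domain's SACL. Modify Permissions in the GUI corresponds to the WriteDacl right, and Everyone to the well-known SID S-1-1-0.

```powershell
# Added example (not from the original article): add the auditing entry
# described above to the domain object's SACL and verify it.
# Requires the ActiveDirectory module (AD: drive) and Domain Admin rights.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$path     = "AD:\$domainDN"

# -Audit is required, otherwise Get-Acl returns only the DACL.
$acl = Get-Acl -Path $path -Audit

# Everyone = S-1-1-0. WriteDacl is the right exercised when permissions change.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # this object and all descendants

$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: show the audit entries that cover WriteDacl on the domain object.
(Get-Acl -Path $path -Audit).Audit |
    Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType
```

Without the Audit Directory Service Changes subcategory enabled in the previous step, the SACL alone produces no events, so run the verification after both steps are in place.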

Check

And that is it. The only thing left to do is check the changes of permissions.

It can be done in PowerShell with the following command:

Get-EventLog Security -Newest 10 | Where-Object {$_.EventID -eq 5136} | Format-List

The output should be the formatted list of information about changes ( who made changes on which object, and information about new security descriptor).
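Event 5136 is logged for every attribute change on an audited object, so the command above also returns changes that are not permission changes, and the interesting fields sit in the event's XML. The following is an added example (not code from the original article) that filters the events down to changes of the nTSecurityDescriptor attribute and extracts who changed what, when. It uses Get-WinEvent rather than Get-EventLog because the filter is applied server-side and the XML fields are available; run it on the domain controller, or add -ComputerName.

```powershell
# Added example (not from the original article): list permission changes from
# Security event 5136 with the administrator, the object and the new SDDL.
# Run on a domain controller (or add -ComputerName to Get-WinEvent).

$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # no error when nothing matches

$changes = foreach ($e in $events) {
    # Each EventData/Data element carries a Name attribute and the value as text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only permission changes: the modified attribute is the security descriptor.
    if ($data['AttributeLDAPDisplayName'] -ne 'nTSecurityDescriptor') { continue }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        Admin         = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId       = $data['SubjectLogonId']     # correlate with logon events (4624) to find the workstation
        Object        = $data['ObjectDN']
        ObjectClass   = $data['ObjectClass']
        # %%14674 = value added, %%14675 = value deleted. A permission change is
        # logged as a delete/add pair that shares the same OpCorrelationID.
        Operation     = $data['OperationType']
        CorrelationId = $data['OpCorrelationID']
        # The attribute value is the security descriptor in SDDL form.
        SDDL          = $data['AttributeValue']
    }
}

$changes | Sort-Object Time | Format-Table Time, Admin, Object, Operation -AutoSize
```

Comparing the deleted and added SDDL of one correlation pair shows exactly which ACE was added or removed, which is the evidence the shift example at the start of this article asks for.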

How To Generate All Domain Controllers in Active Directory

In this article, we’ll describe how to generate all Domain Controllers in the Active Directory Sites and Services tool.

Active Directory Sites and Services can be seen as an administrative tool used to manage sites and the related components on Microsoft Server systems.

It contains a list of all Domain Controllers (DCs) connected to the system, regardless of their number.

In some situations, admins can notice more than one DC listed under Windows NT Directory Services (NTDS) settings.

What are these other DCs, and how can they be generated automatically?

KCC

Those DCs are called KCCs (Knowledge Consistency Checkers). They are nominated bridgehead servers per site that handle replication tasks between specific sites.

A bridgehead server is responsible for replicating any changes to all remaining DCs in its site.

In simple words, KCCs take care of replication by generating DCs that communicate with other DCs and KCCs; consequently, the auto-generated domain controllers take care of the replication.

How to create automatically generated Domain Controllers

There are instances, such as during server moves or when adding new organizational Domain Controllers, when Active Directory is unable to create ‘Automatically Generated’ connections with the root Domain Controller.

In such a situation, the Domain Controller can be seen, but not on the “real” Domain Controller list.

There is more than one solution to this problem.

Let’s talk about two of the most used and tested solutions.

1. Manually forcing auto generation

This first method, although it falls into the quick “workaround” category, involves manually forcing auto-generation.

It is done by right-clicking the NTDS Settings object and then choosing All Tasks, then Check Replication Topology.

That should trigger auto-generation of all Domain Controllers, and your Domain Controllers should now be visible on the list.

2. Repadmin

Repadmin is a command line tool used for diagnosing and repairing replication problems.

It can be used from an elevated command prompt by typing ntdsutil.

Then, enter this command:

repadmin /showrepl *

To create an output that replicates the state of all DCs in the system, enter this command:

repadmin /replicate

As a result, forced replication is started. This command forces replication and generates all Domain Controllers on the Sites and Services list.

Conclusion

It is usually not necessary to create manual connections when the KCC is being used to generate automatic connections; if any conditions change, the KCC automatically reconfigures the connections.

Adding manual connections when the KCC is employed can potentially increase replication traffic and conflict with the optimal settings determined by the KCC.

If a connection is not working due to a failed domain controller, the KCC automatically builds temporary connections to other replication sites (if the damage is not too big) to ensure that replication occurs.

If all the domain controllers in a site are unavailable, KCC automatically creates replication connections between domain controllers from another site.

It is not recommended to manually modify this, unless you have a very specific use case.

As long as these records are auto-generated, they can survive a Domain Controller failure, as the KCC/ISTG will automatically create a new connection.

However, if you manually create a connection or specify a bridgehead server, and that server goes offline, KCC will not create a new connection and replication between the affected sites will stall.

How to Optimize Your Active Directory for Windows Server 2016

Microsoft Windows Server 2016 is still a valid choice in the market, and organizations are already asking their IT experts to evaluate its added value and the challenges they may encounter when moving from current systems to the new server platform. In addition to the features found in Windows Server 2012 and 2012 R2, Windows Server 2016 presents new possibilities and capabilities that are missing from previous Windows Server platforms. Any new Windows Server operating system that enters the market gets more attention, and Windows Server 2016 has made tremendous improvements to Active Directory.

The best approach to take before implementing Windows Server 2016 is to test its readiness by looking for ways of minimizing the likely impact of migration. Another way to look at it is to identify organizational needs and how they can be integrated for future implementations. The reason administrators would want to try out Windows Server 2016 Active Directory is that it provides an opportunity for growth, offers flexibility, and enhances the security setup of the organization.

Why Does Windows Server 2016 Matter

Windows Server 2016 combines principles from different areas: computation, identity, management and automation, security and assurance, and storage. All these are broken down into the core elements of the server operating system: virtualization, system administration, network management and Software Defined Networking (SDN) technologies, cloud integration and management, and disk management and availability. Together they are meant to bring organizations to the future of technology without the need to discard some of the infrastructure used in the current environment.

Windows Server 2016 is a full-featured server operating system boasting solid performance with modern advancements. It shares many similarities with the Datacenter edition, which incorporates support for Hyper-V containers, new storage features, and enhanced security designed to protect virtual machines and network communications that have no trust configured between them.

This article should help you, the reader, learn more about Windows Server 2016 features, the factors to consider before moving from an old to a new setup, and how to optimize your Active Directory. It also gives details on how to prepare for the move, migrate efficiently, and manage the new environment effectively.

Windows Server 2016 New Features

Several features and enhancements form part of this server operating system. Here are some of the highlights:

Temporary Group Membership

This form of membership gives administrators a way of adding users to a security group for a limited time. For this feature to work, Active Directory must be operating at the Windows Server 2016 functional level. System administrators need to know beforehand all the installation requirements that apply during and after the transition.
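In practice the time limit is set with the -MemberTimeToLive parameter, which becomes available once the Privileged Access Management optional feature is enabled in the forest (that is what the functional-level requirement above refers to). The following PowerShell is an added example (not code from the original article) that enables the feature if needed, adds an account to Domain Admins for 60 minutes, and shows the remaining time-to-live. The account name is a placeholder.

```powershell
# Added example (not from the original article): time-limited group membership
# in Windows Server 2016 AD. Requires the ActiveDirectory module, a forest at
# the Windows Server 2016 functional level and Enterprise Admin rights to
# enable the optional feature. The member name is a placeholder.
Import-Module ActiveDirectory

$forest = Get-ADForest

# The feature is enabled once per forest and cannot be turned off afterwards,
# so check first and enable only when it is not already active.
$pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if ($pam.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Add the helpdesk account to Domain Admins for 60 minutes only. The link is
# removed automatically when the TTL expires; no clean-up job is needed.
$member = 'helpdesk.jdoe'   # assumption: replace with the account to elevate
Add-ADGroupMember -Identity 'Domain Admins' -Members $member `
    -MemberTimeToLive (New-TimeSpan -Minutes 60)

# Show the members; expiring links are returned as <TTL=seconds,DN>.
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Kerberos tickets issued to the elevated account are capped to the remaining TTL, so the access really ends when the membership expires rather than lingering in a ticket that was obtained earlier.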

Active Directory Federation Service

There are essential changes that come with Active Directory Federation Services in Windows Server 2016:

Conditional Access Control

Active Directory in previous installations had straightforward access controls because the assumption had always been that all users would be logging in from a computer joined to the domain with proper Group Policy security settings. Conditional access gives users access to the resources that have been assigned to them.

In the current technological setup, users access resources from different types of devices that are not connected to the domain and that usually operate outside the organization’s norms. This is a direct call for improving security by introducing a Conditional Access Control feature that gives administrators better control over users, whose requests can be handled on a per-application basis. For example, administrators may enforce multi-factor authentication, depending on device compliance, when devices try to access business applications.

Support for Lightweight Directory Access Protocol (LDAP) v3

Another change introduced in Active Directory Federation Services is support for Lightweight Directory Access Protocol (LDAP) v3. This capability makes it easier to centralize identities across different directories. For example, an organization that uses a non-Microsoft directory for identification and access control can centralize identities in the Azure cloud or Office 365. LDAP v3 support also makes it easier to configure single sign-on for SaaS applications.

Domain Name System (DNS)

Active Directory and DNS go hand in hand because Windows Server systems depend on DNS. There had been no significant changes in the Windows Server DNS service until the arrival of Windows Server 2016. The following are the new DNS features:

DNS Policies

The ability to create DNS policies is said to be the most significant new feature. These policies enable administrators to control the way DNS responds to different queries. Examples of such policies are load balancing and blocking DNS requests coming from IP addresses whose domains have been listed as malicious.

Response Rate Limit

The rate at which the server responds to DNS queries can now be controlled. This control is designed to help defend against external attacks such as denial of service by limiting the number of times per second a DNS server responds to a client.
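Both features are configured with the DnsServer PowerShell module on the DNS server. The following is an added example (not code from the original article) that creates a query resolution policy dropping queries from a named client subnet, and turns on Response Rate Limiting in log-only mode so legitimate clients can be checked before enforcement. The subnet and the limits are assumptions.

```powershell
# Added example (not from the original article): a DNS policy that ignores
# queries from a blocked subnet, plus Response Rate Limiting, on a Windows
# Server 2016 DNS server. Requires the DnsServer module; subnet and limits
# are assumptions.
Import-Module DnsServer

# 1. DNS policy: name a client subnet, then drop (IGNORE = no response at all)
#    every query that arrives from it. DENY would answer with an error instead.
Add-DnsServerClientSubnet -Name 'BlockedSubnet' -IPv4Subnet '203.0.113.0/24'   # assumption (documentation range)
Add-DnsServerQueryResolutionPolicy -Name 'DropBlockedSubnet' `
    -Action IGNORE `
    -ClientSubnet 'EQ,BlockedSubnet' `
    -ProcessingOrder 1

# 2. Response Rate Limiting: cap identical responses and error responses per
#    source per window, which blunts the server's use as a reflector.
#    LogOnly records what would be dropped without dropping anything yet.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 -Force

# Review the configuration. Switch -Mode to Enable once the log shows no
# legitimate clients being throttled.
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, Action, IsEnabled
Get-DnsServerResponseRateLimiting
```

Policies are evaluated in processing order and the first match wins, so a blocking policy belongs at order 1, ahead of any load-balancing or split-brain policies added later.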

Microsoft IP Address Management (Microsoft IPAM)

The most significant improvement to DNS is in the IP Address Management system, which helps track IP address usage. IPAM’s integration with DHCP has been robust, while its integration with DNS was minimal. Windows Server 2016 brings new changes such as DNS management capabilities, including a record inventory. Support for multiple Active Directory forests by IPAM is a welcome feature; it is only possible if a trust already exists between the forests and IPAM is installed in each forest.

Migration Considerations

Planning is critical when moving from an earlier Windows Server version to Server 2016. The goal of any migration should be minimizing its impact on business operations. Going ahead with the migration should be an opportunity for administrators to set up a scalable, flexible, compliant, and secure platform.

Understanding the Existing Server Environment

It is a rookie mistake to jump into implementation without a proper analysis of the current server environment. Assessment at this stage should look at users, groups, distribution lists, applications, folders, and Active Directory. On the business side, there is a workflow, emails, programs, and any infrastructure used that should be assessed before making the big move.

It is also vital that you:

  • Understand what needs to be moved and what is to be left as it is. For example, there is no need to move inactive accounts and old data that is no longer relevant. All active data stores, mailboxes, and users are part of what you should not leave behind.
  • Analyze the applications, users, and processes that need access and should be migrated, to ensure that the relevant resources are available during and after the transfer.

Improving Active Directory Security and Compliance Settings

Another critical factor to consider during migration is security and delegation: controlling who makes changes to Windows Active Directory objects and policies. Most organizations grant access to Active Directory objects to solve an immediate problem and never clear the permissions afterwards. Proper controls should be in place to manage what can be added to AD and who is responsible for making such changes.

Continuous monitoring of activities in Active Directory, to ascertain whether they comply with both internal and external regulations, should be ongoing. Microsoft Windows Server and AD can audit events with visible output, and this can be implemented quickly in a busy setup. Having a coherent AD auditing setup with analytical capabilities is critical for flagging unauthorized changes, spotting inappropriate use of AD and related resources, tracking users across the entire infrastructure, and providing compliance reports to auditors.

Ensuring Application Compatibility

Before initiating the migration, make sure that all software and third-party applications used in your organization are compatible with Windows Server 2016. All in-house applications should also be tested to make sure they work correctly in the new environment.

Minimizing Impact on Business

Ensuring in-house software compatibility is one aspect of reducing the cost of migration to the business. As an administrator, you need to know how downtime will be handled when moving from the legacy system to the new one. One thing to avoid is underestimating the impact of migration on users and operations by failing to analyze all access points. Many such challenges can be avoided by scheduling resource-intensive migration tasks during off-peak hours.

Failure to achieve a smooth transition between the legacy system and the new one can lead to service disruptions, lost productivity, and increased cost of doing business. Coexistence of the old and the new system is essential in any Active Directory migration because users still need to access resources to ensure continuity. Directory synchronization is important at this stage to make sure that users can access their data.

Restructure the Active Directory

Moving from your legacy system to Windows Server 2016 should be taken seriously and not treated like any other routine IT task. It is an opportunity to restructure your Active Directory to meet current and future needs. Every significant system upgrade may have been prompted by changes in organizational models and requirements. Changes in IT technology are also a major force that influences restructuring of the Active Directory.

Determine the number of domains and forests needed. Examine the need to merge some forests or create new ones. You can also take an opportunity to join new infrastructure to remote offices that may not have been in existence in the legacy system.

Active Directory Management and Recovery

Every IT management team faces challenges when managing Active Directory on a daily basis. Configuring user properties is time-consuming and error-prone in a large and complex Windows network. Some of these duties have to be performed manually, leading to repetitive and mundane tasks that take up most of the administrators’ time. Accomplishing these tasks with Windows native tools or PowerShell requires a deeper understanding of how Active Directory and its features work.

Using software to manage repetitive Active Directory tasks simplifies the process. You can also get detailed reports on tasks and their status. Such software helps in planning and executing an efficient AD restructuring, which eventually helps you implement a secure system. Managing AD with software gives a common console where management can view and manage Active Directory users, computers, and groups. Some tools also enable administrators to delegate repetitive tasks securely and perform controlled automation of the Active Directory structure.

Software Implementation

Two popular software products used to manage Active Directory optimization tasks are:

  1. ADManager Plus
  2. Quest Software

They both can help in the restructuring and consolidation of Windows Server 2016 in a new environment.

ADManager Plus

ADManager Plus has additional features such as sending and receiving customized notifications via SMS or email. Its search options make it easier for IT managers to search the directory through the software’s interface panel. Using ADManager Plus, the IT department can execute Windows optimization tasks with ease, in addition to integrating with utilities such as ServiceNow, ServiceDesk, and ADSelfService Plus.

Active Directory User Management

ADManager Plus manages thousands of Active Directory accounts through its interface. It helps you create and modify users by configuring general attributes, Exchange Server attributes, Exchange policies, terminal service attributes, and remote logon permissions. You can also set up new users in Office 365 and G Suite when creating the new accounts in Active Directory. You can design templates that help the help desk team modify and configure user accounts and properties in a single action.

Active Directory Computer Management

This solution allows all computers in the existing environment to be managed from any location. You can create objects in bulk using CSV templates, modify the group and general attributes of computers, move them between organizational units, and enable or disable them.

Active Directory Group Management

Group management is made more flexible by software modules that create and modify groups using templates and configure all attributes in an instant.

Active Directory Contact Management

You can use this tool to import and update Active Directory contacts as a single process, which means you do not have to select individual contacts for an update.

Active Directory Help Desk Delegation

The ADManager Plus delegation feature helps administrators create help desk administrators and delegate desired tasks related to user attributes. The various repetitive management tasks for users, groups, computers, and contacts can be delegated using customized account creation templates. Help desk users can share the administrators’ workload, freeing them up for core duties.

Active Directory Reports and Management

ADManager Plus provides information on different objects within AD, which allows information to be viewed and analyzed in its web interface. For example, you can see a list of all inactive users and modify the accounts accordingly.

Quest

Quest software takes a different approach because it deals with preparation, recovery, security and compliance, migration, consolidation, and restructuring.

Preparation

During preparation, Quest helps assess the existing environment with Enterprise Reporter, which gives a detailed evaluation of the current setup, including Active Directory, Windows Server, and SQL Server. During this assessment, Quest can report the number of accounts in Active Directory and separate the active ones from the disabled ones. Knowing the exact status of your environment is paramount before the migration begins.

Quest also helps discover identities and inventories on application servers that depend on the domains being moved, so you can fix or redirect them on the new server.

Migration, Consolidation, and Restructuring

Migration Manager for Active Directory provides zero-impact AD restructuring and consolidation. It offers coexistence of migrated and not-yet-migrated users by maintaining secure access to workstations and resources.

Secure Copy offers an automated solution for quickly migrating and restructuring files on the data server while maintaining security and access. Its robustness makes it well suited to planning and verifying successful file transfers.

Migrator for Novell Directory Service (NDS) helps administrators move from Novell eDirectory to Active Directory. The tool also moves all data within Novell and reassigns permissions to the new identities on the new server.

Security and Compliance

Change Auditor for Active Directory gives a complete evaluation of all changes that have taken place in Active Directory. The report contains information such as who made the change, what kind of change was made, the values before and after the adjustment, and the workstation from which the change was made. Change Auditor can also prevent changes; for example, you can block the deletion or moving of organizational units and changes to Group Policy settings.

Access Control

Active Roles helps keep AD security compliant by letting you control access and delegate tasks with least privilege. It gives you the opportunity to generate access rules based on defined administrative policies and access rights. You can use Active Roles to bring together user groups and mailboxes, as well as to change and remove access rights based on role changes.

Centralized Permission Management

Security Explorer facilitates the management of Microsoft Dynamic Access Control (DAC) by enabling administrators to add, remove, restore, back up, and copy permissions from a single console. The tool can make targeted or bulk changes to server permissions, made possible by enhanced Dynamic Access Control management features such as the ability to grant, revoke, clone, and modify permissions.

Monitoring Users

InTrust enables the secure collection, storage, reporting, and alerting of log data in compliance with internal and external regulations on policies and security best practice. Using InTrust, you get insight into user activities by auditing access to critical systems, and you can see suspicious logins in real time.

Management and Recovery

The easiest way for an IT administrator to manage user accounts, computers, and objects is via Group Policy. Poor management of Group Policy Objects (GPOs) can cause a lot of damage, for example if a GPO assigns proxy settings with the wrong proxy values.

GPO Admin automates Group Policy management and has a workflow so that changes can be checked before the GPOs are approved. When it is used in production, the management team will appreciate the reduced workload and the improved security.

Recovery is a critical process in any organization that runs its systems on Windows Server 2016. You can also recover wrong entries and accounts that were removed. Recovery Manager for Active Directory gives access to other features that report on differences and help restore objects that were changed.

It is important to be prepared for disaster and data recovery. In case your domain falls into the wrong hands, or the entire network setup is corrupted, use the Recovery Manager for Active Directory utility.

Conclusion

Windows Server 2016 has a wealth of new features and capabilities to streamline and improve management and facilitate a better user experience. A successful implementation means that Active Directory has a sound consolidation process. Administrators who have already tested this server operating system should take advantage of the new capabilities.

The benefits of Active Directory tools and utilities are numerous because they help set up a flexible and secure Windows Server 2016 and Active Directory that will work for your current and future environment. These utilities help managers who are not well versed in IT-related Active Directory management tools and who need to switch to the new server to comply with regional and international standards.

Microsoft Active Directory Permissions: Best Practices for Data Protection

In this article, we bring the best practices for data protection in the most famous directory service, Microsoft Active Directory Domain Services (AD DS).

Microsoft Active Directory (AD) is a database that keeps track of all the “objects” in the system: users, computers, security groups, services, etc. In AD DS, all the rights a particular object has on the network are defined and updated at one central location.

In short, it is the vital part of any Microsoft server system and requires the highest level of security.

So let’s start with tips and best practices for securing Microsoft Active Directory the best way possible.  

Least-Privilege User Access (LUA)  

The principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. (Wikipedia Definition) 

As part of this principle, the recommendation is to use LUA:

LUA is the reverse of granting administrative privileges to all users and then scaling back permissions as needed. It is one of the best tips for keeping your network safe.

It is the “hard way” of granting permissions to users: in a way, it is personalized for each user. It is based on determining the needs of every user on the network and granting permissions for exactly those needs, no more, no less.

The process is not easy; it requires a lot of communication and takes a lot of time to configure the system that way. But in the long term, your system will operate safely and as it should.

There are variations of this plan, like creating “section groups” with different permissions and then placing everyone from the section in them. But that is not a personalized setup, and it can still offer too much or too little to an individual user.

Know Your Active Directory Security Model 

The Microsoft Active Directory security model keeps every object stored in Active Directory safe and protected.

That includes domain user and computer accounts, security groups, and group policies.

It helps administrators determine user access to any object, and gives the option to specify access for groups of users as part of security management.

Every single object in Microsoft Active Directory has a security descriptor associated with it. The security descriptor defines the permissions on an object. Its attributes include the permission set, or Access Control List (ACL), which contains numerous Access Control Entries (ACEs), each of which allows or denies specified permissions to a user or security group.

ACEs can be explicit or inherited; explicit ACEs generally override inherited ACEs.

And this is just the tip of the Microsoft Active Directory security model iceberg.

The security model is not an easy thing to learn or explain in a single article. Even some experienced administrators have a hard time understanding the full model, so every system administrator is advised to make it a personal goal to gather as much knowledge about it as possible.

A better understanding of it provides better insight into how system security functions and better protection of your organization, and with that better productivity and quality of service.

A lot more regarding Active Directory Security Model can be found at the following link: 

http://www.paramountdefenses.com/active-directory-security/model.html 

Keep Your Software Up To Date and Secure 

In May 2017, a very large number of Windows systems, many of them servers, were hit by the WannaCry ransomware worm. Microsoft had fixed the SMBv1 vulnerability the worm exploited (security update MS17-010) in March 2017, about two months before the attack, yet many systems had not applied it. The worm broke in over SMB, encrypted the data it found and demanded a ransom in Bitcoin.

The spread was stopped within a few days of its discovery, thanks to emergency patches Microsoft released for otherwise unsupported versions of Windows and to the discovery of a "kill switch" domain that stopped infected computers from spreading WannaCry further.

The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars.

Experts advised affected users against paying the ransom, both because there were no reports of data being returned after payment and because high revenues would encourage more attacks of this kind. After the attack had subsided, a total of 327 payments totaling $130,634.77 (51.62396539 XBT) had been transferred.

Like every incident, this one is an opportunity to learn from previous errors so that they are not made again.

This expensive and very real example shows the importance of updating software and applying official patches to your systems.

Software without updates applied is unreliable software. A patch or update is made for a reason; in most cases it improves security and makes your system less exposed to attack.

Microsoft runs sites that help administrators keep their systems healthy and protected. All admins are strongly advised to monitor TechNet and the Microsoft Secure Blog to keep up with system software and security updates.

It is not only up to administrators, although their part of the job is the most important: organizations also need to keep their hardware current, because obsolete hardware that can no longer run a supported operating system raises the risk of a breach. Money spent on hardware is not thrown away; it is an investment in security and functionality.
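The WannaCry lesson in checkable form, as an added example that is not part of the original article: it reports whether SMBv1 (the protocol WannaCry spread through, fixed by MS17-010) is still enabled on this server and how stale its patch level is, and disables SMBv1 only when $Remediate is set. It assumes an elevated PowerShell session on Windows Server 2012 R2 or later; the 45-day threshold is an arbitrary choice for the warning.

```powershell
# Added example, not from the original article. Run elevated on the server being
# audited. With $Remediate = $false (the default) nothing is changed.
$Remediate = $false

# 1. SMBv1. WannaCry used the SMBv1 flaw closed by MS17-010; the protocol should be
#    off even on fully patched hosts, since it has no business being reachable.
$smbServer   = Get-SmbServerConfiguration
$smb1Feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
[pscustomobject]@{
    SMB1ProtocolEnabled  = $smbServer.EnableSMB1Protocol
    SMB1FeatureInstalled = [bool]$smb1Feature.Installed
}
if ($Remediate -and $smbServer.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($Remediate -and $smb1Feature.Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1      # removal takes effect after a restart
}

# 2. Patch currency: when was the last update installed, and is one waiting for a reboot?
$hotfixes  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending
$last      = $hotfixes | Select-Object -First 1
$daysSince = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { $null }
$rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
[pscustomobject]@{
    LastUpdate      = $last.HotFixID
    InstalledOn     = $last.InstalledOn
    DaysSinceUpdate = $daysSince
    RebootPending   = $rebootPending
}
if ($null -eq $daysSince -or $daysSince -gt 45) {
    # 45 days is an arbitrary threshold (assumption); WannaCry hit hosts two months behind.
    Write-Warning "No update installed for $daysSince days; check Windows Update / WSUS."
}
if ($rebootPending) {
    Write-Warning 'An installed update is waiting for a restart and is not yet effective.'
}
```

Get-HotFix only lists updates installed through the servicing stack, so on a host fed by a third-party patch tool compare its own inventory as well; the reboot-pending key is the one Windows Update sets, and other installers use other markers.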

Usage of built-in Active Directory Features 

Several built-in Active Directory features help administrators protect data and the system environment. None of them is a "one program solves all" solution or a big lifesaver on its own, but using them correctly lowers the risk of a security breach.

This is a list of some of the useful built-in features:

Security Descriptor Propagator (SDProp) – A process on the PDC emulator that runs hourly by default. It compares the permissions on the AdminSDHolder object with the permissions on the domain's protected user accounts and groups, and if it finds a mismatch it resets the object's permissions to match AdminSDHolder and stamps the object with adminCount=1.

AdminSDHolder – The object (CN=AdminSDHolder,CN=System,<domain>) whose security descriptor is the template SDProp enforces on protected accounts and groups, regardless of which OU they sit in. A permission change made directly on a protected account is undone on the next SDProp run; a permission change made on AdminSDHolder is pushed to every protected account, which is why this object itself must be watched.

Privileged Identity Management – Lets the administrator grant temporary, time-limited rights and permissions to an account for a specific task instead of permanent membership in a privileged group.

Role-based Access Control – Lets the administrator group users by role and grant each role access to domain resources according to previously defined rules.
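The SDProp and AdminSDHolder items above, checked from PowerShell, as an added example that is not part of the original article. It lists the nested membership of the default protected groups, finds accounts that still carry adminCount=1 although they are no longer in any protected group (SDProp sets the flag but never clears it, so such accounts keep an inheritance-blocked ACL that normal OU delegation cannot reach), verifies that each protected object's ACL is explicit-only and matches the AdminSDHolder template, and prints the strong ACEs on AdminSDHolder itself for review. It assumes the RSAT ActiveDirectory module on a management host with read access to the domain.

```powershell
# Added example, not from the original article. Read-only: it reports, it does not fix.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$sdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Default protected groups (Windows Server 2008 and later). Enterprise Admins and
# Schema Admins exist only in the forest root domain, so missing groups are skipped.
$protectedGroupNames = @(
    'Administrators', 'Account Operators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

# 1. Everyone who is currently a direct or nested member of a protected group.
$memberDNs = foreach ($name in $protectedGroupNames) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($grp) {
        Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DistinguishedName
    }
}
$memberDNs = @($memberDNs | Sort-Object -Unique)

# 2. Orphans: objects still flagged adminCount=1 that are no longer protected.
#    The protected groups themselves and krbtgt are flagged by design, so skip them.
$flagged = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount
$orphans = $flagged | Where-Object {
    $_.DistinguishedName -notin $memberDNs -and
    $_.Name -ne 'krbtgt' -and
    -not ($_.ObjectClass -eq 'group' -and $_.Name -in $protectedGroupNames)
}
Write-Host "Orphaned adminCount=1 objects (clear the flag and re-enable inheritance after review):"
$orphans | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 3. Each protected object's ACL should be inheritance-blocked, contain no inherited
#    ACEs, and contain only ACEs that also exist on AdminSDHolder. Any extra explicit
#    ACE was added after the last SDProp run, or SDProp is not running.
function Format-Ace($ace) {
    "$($ace.IdentityReference)|$($ace.ActiveDirectoryRights)|$($ace.AccessControlType)|$($ace.ObjectType)|$($ace.InheritedObjectType)|$($ace.InheritanceType)"
}
$template = (Get-Acl -Path "AD:\$sdHolder").Access | ForEach-Object { Format-Ace $_ }
$drift = foreach ($dn in $memberDNs) {
    $acl       = Get-Acl -Path "AD:\$dn"
    $inherited = @($acl.Access | Where-Object IsInherited).Count
    $extra     = @($acl.Access | Where-Object { -not $_.IsInherited } |
                   ForEach-Object { Format-Ace $_ } | Where-Object { $_ -notin $template })
    if (-not $acl.AreAccessRulesProtected -or $inherited -gt 0 -or $extra.Count -gt 0) {
        [pscustomobject]@{
            Object             = $dn
            InheritanceBlocked = $acl.AreAccessRulesProtected
            InheritedACEs      = $inherited
            ExtraExplicitACEs  = $extra -join '; '
        }
    }
}
Write-Host "Protected objects whose ACL does not match AdminSDHolder:"
$drift | Format-Table -AutoSize

# 4. The template itself: every principal with full control, WriteDacl or WriteOwner on
#    AdminSDHolder can take over every protected account at the next SDProp run.
Write-Host "Strong ACEs on AdminSDHolder (review each principal):"
(Get-Acl -Path "AD:\$sdHolder").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights.ToString() -match 'GenericAll|WriteDacl|WriteOwner' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize
```

An extra explicit ACE on a protected object that is not on AdminSDHolder usually means it was granted within the last hour; rerun after the next SDProp cycle before raising an alarm. An unexpected principal in step 4 is never transient and is a common persistence technique, so treat it as an incident, not a configuration error.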

Usage of Isolated workstations managing DCs 

Whenever an elevated account has to log on to Active Directory, for whatever reason, the operation should be performed from a special device that is preconfigured to reduce the risks that come with everyday tasks.

Such workstations should be isolated from the internet and, when used, they should follow the least-privilege user access (LUA) principles described earlier.

They should be protected by every kind of security software available: anti-malware, an endpoint firewall and application control.

The workstations used to manage DCs should be kept in their own organizational unit so that a dedicated set of group policies (restricted local logons and other limitations) applies only to them.

The accounts used on these isolated workstations may be Service Desk accounts that can reset passwords for most users in the domain, accounts that administer DNS records and zones, or accounts used for configuration management. Secure administrative hosts should be dedicated to administrative work and should not run email clients, web browsers or any other productivity software.
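The OU and group-policy setup described in the steps above, as an added example that is not part of the original article. It creates a dedicated OU for the administrative workstations, moves their computer accounts in, creates a GPO linked only to that OU, and, as one piece of the internet isolation, forces a per-machine browser proxy that points at localhost. It assumes the RSAT ActiveDirectory and GroupPolicy modules and a session allowed to create OUs and GPOs; the OU, GPO and host names are placeholders, and the proxy lockdown is one approach chosen for this example, not the page's prescription.

```powershell
# Added example, not from the original article. Names below are placeholders.
Import-Module ActiveDirectory, GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$pawOuName = 'PAW'                              # OU name (assumption)
$pawOuDn   = "OU=$pawOuName,$domainDn"
$gpoName   = 'PAW - Lockdown'                   # GPO name (assumption)
$pawHosts  = 'PAW01', 'PAW02'                   # admin workstation accounts (assumption)

# 1. A dedicated OU, so only PAW-specific policies apply and nothing linked to the
#    general workstation OUs lands on these hosts. Protected against accidental deletion.
$ou = try { Get-ADOrganizationalUnit -Identity $pawOuDn -ErrorAction Stop } catch { $null }
if (-not $ou) {
    New-ADOrganizationalUnit -Name $pawOuName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Move the workstation computer accounts into it.
foreach ($h in $pawHosts) {
    $c = Get-ADComputer -Identity $h -ErrorAction SilentlyContinue
    if ($c -and $c.DistinguishedName -notlike "*,$pawOuDn") {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $pawOuDn
    }
}

# 3. A GPO that is linked here and nowhere else.
$gpo = try { Get-GPO -Name $gpoName -ErrorAction Stop } catch { $null }
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $pawOuDn).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $pawOuDn -LinkEnabled Yes | Out-Null }

# 4. Internet isolation, one piece of it: make proxy settings per-machine and point
#    the machine proxy at localhost, so browsers on the PAW cannot reach the internet
#    even though the host can still reach the domain controllers directly.
#    (Writing HKLM\Software\Microsoft\... through a GPO is a tattooing registry setting;
#    that choice is an assumption of this example.)
$policyKey = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxyKey  = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'ProxySettingsPerUser' -Type DWord  -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $proxyKey  -ValueName 'ProxyEnable'          -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $proxyKey  -ValueName 'ProxyServer'          -Type String -Value '127.0.0.1:8080' | Out-Null

# 5. Verify what ended up where.
Get-ADComputer -SearchBase $pawOuDn -Filter * | Select-Object Name, DistinguishedName
(Get-GPInheritance -Target $pawOuDn).GpoLinks | Select-Object DisplayName, Enabled, Enforced
```

The restricted-logon part of the policy (deny log on locally and over RDP for everyone except the PAW users, and deny the PAW users' credentials on ordinary workstations) lives in the GPO's Security Settings, User Rights Assignment, which has no cmdlet; set it in the Group Policy Management Console after running this, then confirm on a workstation with gpresult /r that only this GPO applied.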

Conclusion 

In conclusion, the security of Microsoft Active Directory is a huge, living topic that can be studied and elaborated over and over. The best practice, beyond using the tools and techniques described here, is continuous learning and monitoring, not only of your own systems but of Microsoft's news and updates.

It is a hard job with no permanent solutions. As systems develop and change, so do the threats and malware against them; being a server administrator is a never-ending process.


Active Directory Authoritative Restore with Windows Server Backup

Overview 

In short, an authoritative restore is the Windows Server process of returning a designated deleted Active Directory object, or a container of objects, to the state it was in when it was backed up.

An authoritative restore replicates the restored object to the organization's other domain controllers. A plain (non-authoritative) restore would not: the restored DC would simply learn about the deletion from its replication partners and delete the object again. To prevent that, ntdsutil raises the version number on every attribute of the restored object (by default 100,000 per day that has elapsed since the backup). Each change also gets a new, higher update sequence number (USN) in the local database, which is what tells partners there is something new to replicate.

Because the restored object's attribute versions are far higher than anything the other domain controllers hold, the restored copy wins every replication conflict, replicates to every DC in the domain and overwrites the tombstone of the previously deleted object.

In this article, our goal is to describe the procedure and walk through a test example of this process.

Procedure and Examples 

In the hypothetical scenario of this example, a user deleted from Active Directory Users and Computers needs to be restored.

The first step is a restore from backup, which requires restarting the domain controller in Directory Services Restore Mode (DSRM, the Active Directory safe mode). It can be reached by pressing F8 during startup, or by setting the boot entry's safeboot value to dsrepair with bcdedit and rebooting; the bcdedit route is the more practical one here, because the system state restore forces another reboot before the authoritative part is done, and the server has to come back up in DSRM rather than normal mode, where it would immediately replicate the deletion back in. (The bcdedit value is removed again at the end of the procedure.)

Log on with the local DSRM administrator account, entered as .\administrator, using the DSRM password that was set when the domain controller was promoted.

After logging on, right-click the Start menu and choose Command Prompt (Admin).

In the command prompt, the following command lists the available backups together with their version identifiers:

wbadmin get versions 

The following command starts the restore from the chosen backup entry; the version identifier is the one printed by get versions, in the form MM/DD/YYYY-HH:MM. It asks for confirmation, which is answered with "yes" (add -quiet to skip the prompt):

wbadmin start systemstaterecovery -version:<version identifier>

When the restore has finished, the user is prompted to reboot; answer "Yes".

After the reboot, open Command Prompt (Admin) again and run ntdsutil, the command-line tool for accessing and managing the Active Directory database. Ntdsutil should only be used by experienced administrators, and only from an elevated command prompt.

At the ntdsutil prompt, enter the following commands:

 activate instance ntds 

And after that:

authoritative restore 

At the authoritative restore prompt, enter the full distinguished name of the object to be restored. DC here stands for domain component (the parts of the DNS domain name), not domain controller. Quote the DN if it contains spaces:

restore object "CN=<object name>,OU=<organizational unit>,DC=<domain>,DC=local"

To restore a whole container and everything in it, use restore subtree with the container's DN instead. Confirm with "yes" and the restore starts; ntdsutil reports how many objects were marked authoritative.

Leave the authoritative restore prompt with the command "quit", and leave ntdsutil with a second "quit".

Back in the command prompt, remove the safe-boot flag from the boot entry so the server starts normally next time:

bcdedit /deletevalue safeboot 

After the reboot and logon, the restored object should be back in Active Directory, and it will replicate to the other domain controllers on the next replication cycle. A backup older than the domain's tombstone lifetime must not be used for this: the other DCs have already discarded the deletion record and the restored object would become a lingering object.
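Before starting the DSRM procedure above it is worth checking whether it is needed at all, and whether the backup can still be used. The following is an added example, not part of the original article: run on a normally booted domain controller, it reads the domain's tombstone lifetime, lists the Windows Server Backup versions with their age against that limit, looks for the deleted object's tombstone, and, if the Active Directory Recycle Bin (Windows Server 2008 R2 and later) is enabled and the object is still restorable, brings it back with Restore-ADObject, which needs no DSRM, no backup and causes no replication conflict. Otherwise it prints the ntdsutil command line to use in DSRM. It assumes the ActiveDirectory module; $deletedName and $formerOu are placeholders for the hypothetical deleted user.

```powershell
# Added example, not from the original article. Run on a normally booted DC.
Import-Module ActiveDirectory

$deletedName = 'John Doe'     # RDN of the deleted object (assumption)
$formerOu    = 'OU=Staff'     # former location, used only if no tombstone is found (assumption)
$domain      = Get-ADDomain
$configNC    = (Get-ADRootDSE).configurationNamingContext

# 1. Tombstone lifetime. If the attribute is unset the old default of 60 days applies.
$dsSettings = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                           -Properties tombstoneLifetime
$tombstoneDays = if ($dsSettings.tombstoneLifetime) { $dsSettings.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tombstoneDays days"

# 2. Backups known to Windows Server Backup, and whether each is still young enough.
if (Get-Command wbadmin.exe -ErrorAction SilentlyContinue) {
    $backups = (wbadmin get versions) -match '^Version identifier:' | ForEach-Object {
        $id   = ($_ -split ':\s*', 2)[1].Trim()
        $when = try { [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture) } catch { $null }
        [pscustomobject]@{
            VersionId = $id
            Taken     = $when
            Usable    = ($null -ne $when -and ((Get-Date) - $when).Days -lt $tombstoneDays)
        }
    }
    $backups | Format-Table -AutoSize
}

# 3. Is the deletion still recorded? msDS-LastKnownRDN holds the name the object had.
$deleted = @(Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$deletedName))" `
                          -IncludeDeletedObjects -Properties lastKnownParent, isRecycled, whenChanged)

# 4. Recycle Bin: if it is on and the object is deleted but not yet recycled, no DSRM is needed.
$recycleBin   = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$recycleBinOn = ($recycleBin.EnabledScopes.Count -gt 0)

if ($deleted.Count -gt 1) {
    Write-Warning "$($deleted.Count) deleted objects named '$deletedName'; choose one by ObjectGUID first."
    $deleted | Select-Object ObjectGUID, lastKnownParent, whenChanged | Format-Table -AutoSize
}
elseif ($deleted.Count -eq 1 -and $recycleBinOn -and -not $deleted[0].isRecycled) {
    # The parent container must exist; if it was deleted too, restore it first the same way.
    Restore-ADObject -Identity $deleted[0].ObjectGUID
    Get-ADObject -Identity $deleted[0].ObjectGUID | Select-Object Name, DistinguishedName
}
else {
    if ($deleted.Count -eq 0) {
        Write-Warning "No tombstone for '$deletedName': the deletion is older than $tombstoneDays days or never happened. Do not restore from a backup older than that."
    }
    $dn = if ($deleted.Count -eq 1 -and $deleted[0].lastKnownParent) {
        "CN=$deletedName,$($deleted[0].lastKnownParent)"
    } else {
        "CN=$deletedName,$formerOu,$($domain.DistinguishedName)"
    }
    Write-Host 'Restore from backup required. In DSRM, after wbadmin systemstaterecovery, run:'
    Write-Host "  ntdsutil `"activate instance ntds`" `"authoritative restore`" `"restore object \`"$dn\`"`" quit quit"
}
```

Restore-ADObject puts the object back with the attributes it had at deletion (the Recycle Bin keeps them, unlike a classic tombstone), so group memberships survive as well; with an authoritative restore from backup they come back only if the backup predates the deletion and the groups are restored or linked afterwards. The printed ntdsutil line is the one-shot equivalent of the interactive commands above and still pops the same confirmation prompt.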
