Overview of the Active Directory Domain Services (AD DS)

Microsoft’s Active Directory Domain Services (AD DS) is a core role that allows users to build a scalable and centralized Windows network. 

Furthermore, the AD DS takes care of user logins, security permissions, and other crucial network services.

The AD DS is a function of the Active Directory, which manages users, groups, organizational units, and computers, allowing IT administrators to structure users into logical hierarchical units.

In this article, we’ll cover some AD DS’s basic terminologies, services, and other features.

First, let’s have a look at the Active Directory (AD).

Active Directory

Active Directory is a Microsoft technology that is installed when the Active Directory Domain Services is set up in the Domain Controller.

As the name suggests, the Active Directory is a repository or database that stores objects such as groups, computers, printers, file shares, group policies, and file permissions.

The most crucial role of the Active Directory is to handle user authentication in the domain network. It accomplishes this by allowing only authorized users to log into the network.

Additionally, the AD centralizes security by storing user accounts and their passwords in one location, instead of storing them in client computers.

IT administrators can create and delete users, configure or allow users to change their passwords, and create group policies, which determine how users interact with their PCs in the domain environment.

Without an Active Directory, IT administrators are forced to set up local users on each PC and reset the password for every user on their computers.

The AD DS is the fundamental framework for domain management. Each domain forms part of an Active Directory forest, which can comprise more than one domain, each organized into various organizational units.

Categories of Active Directory objects

Active Directory objects can be categorized into two main categories:

  • Container objects: These are objects that contain other objects inside them, such as Forests, Trees, Domains, and organizational units.
  • Leaf Objects: These are objects that do not contain other objects, such as users, printers, and computers.

Key Terminologies of Active Directory Domain Services

  • Schema: This is a set of instructions that govern attributes and objects in the AD DS.
  • Global Catalog: This is a repository of objects contained in the AD. It’s in the Global Catalog that you’ll find users’ details such as names and contacts.
  • Sites: These represent the network topology of a Windows network.
  • Query and Index Mechanism: This feature ensures users can locate each other in the Active Directory. A perfect example is when you start typing a user’s email address in the client’s recipient field and the possible matches are displayed.
  • Lightweight Directory Access Protocol: Commonly abbreviated as LDAP, this protocol enables the Active Directory to communicate with LDAP-enabled directory services in the network.
  • Replication Service: As the name suggests, replication ensures that the directory data held by one Domain Controller is copied to the other Domain Controllers, so that all of them hold the same schema and catalog.

Services provided in the Active Directory Domain Services

The Active Directory provides a myriad of services that fall under the Active Directory Domain Services.

Here is a description of some of the services.

  • Domain Services

The AD DS offers core services such as centralization of data, management of communication between users in the domain, search functionality, and login authentication.

  • Lightweight Directory Services

This feature supports applications that are directory enabled using the LDAP protocol.

  • Rights Management

Rights management handles information rights. It encrypts and limits the access to personal content such as emails, documents, and other confidential data.

  • Directory Federation Services

Federation Services provide single sign-on functionality that enables secure user authentication, especially when users interact with multiple web applications during a single session.

  • Certificate Services

This service allows for the generation, management, and distribution of security certificates. The certificates encrypt data sent over the Internet and guarantee its privacy and confidentiality, thereby averting attempts by attackers to steal the information.

Functions of Domain Controllers with Active Directory Domain Services

A Domain Controller (DC) is a server in the Windows network that allows users to access domain resources. Its main purpose is to authenticate users in a network.

The DC listens to authentication requests from users in the network and verifies them based on their usernames and passwords.

The Domain Controller hosts the Active Directory Domain Services as well as a wide range of other services that complement Active Directory Domain Services.

These services include:

  • NetLogon: It’s a service that runs silently in the background. Its main purpose is to validate users’ login credentials in the domain network. If stopped, many server functions would be adversely affected and users in the domain would be unable to access their accounts. Additionally, any services that depend on it will also fail.
  • Kerberos Key Distribution Center (KDC): KDC is basically a service that issues, validates, and performs encryption of Kerberos tickets. It consists of an Authenticating Server and a Ticket Granting Server (TGS). The service authenticates users when the Kerberos protocol is used. Kerberos is a protocol designed for security and authentication purposes. It provides a mechanism for authenticating users to use the services on a Windows network; for example, accessing a file server while, at the same time, encrypting the connections between clients and servers.
  • W32time service: Also referred to as Windows time, W32time is a service that uses Network Time Protocol (NTP) to synchronize time and date for all computers joined to the Active Directory. The NTP synchronizes all the clocks on the computers in the domain network. For Kerberos to function properly, it demands that date and time for all computers in the network are synchronized.
  • Intersite Messaging (IsmServ): This service allows the exchange of information between computers in a networked environment with Windows servers. It also allows replication between sites by employing SMTP over a TCP/IP network.

Conclusion

Active Directory Domain Services is a key feature in a networked Windows environment.

Therefore, understanding how it operates can assist in maintaining the optimal operations of your network.


Active Directory Security – Best Practices

Active Directory (AD) is the heart of the Windows Server System. The Active Directory is a repository for essential features and services core to the Windows environment.

It’s in the AD that users, values, groups, organizational units, objects such as printers and computers, and group policies are installed and configured.

Think of the Active Directory as a contact list on your smartphone. The ‘contacts’ app would be the AD, whilst the names would be the ‘objects’, and phone numbers and email addresses would be the values.

IT administrators rely on the AD to structure the organization’s users, groups, and objects in a hierarchical order, as well as configure group policies and settings such as wallpapers and users’ profile pictures.

It’s therefore prudent to ensure the security of your Active Directory.

Why is it crucial to secure the Active Directory?

Since the Active Directory is a critical component in structuring and authorizing users and applications within an organization, it is a potential target for cyber-attacks.

If hackers can penetrate the Active Directory, they pose an enormous risk. They can access all the user accounts, groups, applications, group policies, and databases, alongside a host of other very crucial information, which should be reserved for the IT administrators.

If attackers can obtain login credentials, they can penetrate your system and escalate privileges, giving them access to the resources they require.

Without proper security measures and Active Directory audit controls, attackers can easily infiltrate your system and steal valuable information.

It’s therefore important to ensure that security compromises are detected and remediated in good time, before hackers can intrude into your system and wreak havoc on your Active Directory forest, making it very difficult to recover.

Active Directory security vulnerabilities

Let’s now look at some of the potential threats that can leave your AD vulnerable to attacks.

1. Relaxed password policies

A password essentially acts as a lock to your account, keeping outsiders and attackers at bay.

Many users prefer simple passwords, which are vulnerable to attack because they are short, contain the user’s name or date of birth, or are words that can easily be guessed.

In other cases, users may form a habit of writing down their passwords on a piece of paper, or even sharing them with other users.

Such habits usually leave the users’ accounts vulnerable to hackers through brute force attacks or social engineering attacks.

Password policies in an organization should be stringent and followed to the letter. Strong passwords usually have a combination of uppercase, lowercase, numeric, and special characters, and should be no less than 8-12 characters long.

Users should also be encouraged to change their passwords regularly and memorize them, instead of writing them down.

2. Unpatched vulnerabilities in the server

Each successive release of the Windows Server system comes with new security updates and features to address existing vulnerabilities and flaws.

It implies that older versions pose potential security threats that need to be regularly patched with the latest security updates before hackers can exploit the vulnerabilities.

Additionally, all software applications should be regularly updated to fix any security flaws that hackers can leverage.

3. Broad access to the Active Directory Server

Having a long list of Active Directory users who enjoy administrative privileges predisposes your system to privilege abuse, which is a major cause of information leakages.

4. Overreliance on default security settings of the Domain Controller

Most organizations prefer maintaining the default security settings that come with the Windows Server system.

While that may work well, hackers are well acquainted with the default security features and may use that knowledge to infiltrate your system.

It is therefore recommended for IT administrators to make a few tweaks to fortify the security of their Active Directory.

5. Overreliance on Kerberos authentication protocol

An attacker can decrypt data and expose an account’s password where the Kerberos authentication protocol is extensively used.

Active Directory Security Best Practices

After seeing some of the potential vulnerabilities that may expose your Active Directory to security breaches, let’s now focus on some of the best practices you can use to ensure its optimal security.

1. Employ the least privilege administration model

What this means is that all users should log into the system with the least or minimum permissions necessary to execute their tasks.

Additionally, it’s recommended that you should only create two login accounts to the AD: an admin user account and a regular user account. Then, you can use the regular user account for undertaking day-to-day normal tasks, such as browsing the Internet, printing, and so on.

The admin user account should only be used for administrative tasks, such as creating new users, creating groups and organizational units, installing roles and features, and configuring the network.

A better option can be to delegate some administration tasks to secondary users. Some of these tasks may include:

  • Managing DHCP and DNS
  • Accessing Active Directory users and computers
  • Managing administration rights on servers and workstations

2. Secure the default domain administrator account

Normally, a built-in domain administrator account is set up by default when a Windows Server system is installed. NOBODY, other than the IT administrator, should know the default built-in administrator’s password.

Additionally, the account should only be used for setting up the domain and for disaster recovery purposes. If there are users that need administrative rights to access the AD or the server, then they should request the IT admin to grant their accounts admin privileges, but not use the built-in account.

In addition, the built-in administrator account should be set up using a very strong password. A minimum password length of 8-12 characters—which includes uppercase, lowercase, numeric, and special characters—is recommended.

3. Maintain constant monitoring of the Active Directory

The active directory needs to be constantly monitored for signs of abnormal or unusual activities.

Some of the events you should pay attention to when monitoring the AD include:

  • Account lockouts
  • The use of administrator accounts
  • A spike in the frequency of incorrect password attempts
  • A rise in the number of locked out accounts
  • Disabled antivirus software
  • Logon and logoff events
  • All activities performed by privileged account users
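The watch-list above maps onto standard Windows Security-log events. The following script is an added example, not code from the original article: it pulls those events from a domain controller for a recent window and summarizes lockouts, failed logons, privileged logons and logon/logoff volume. The event IDs (4740, 4625, 4672, 4624, 4634) are the standard Windows ones; the 24-hour window, the 20-failure threshold and the `-ComputerName` default are illustrative choices, not values from the page.

```powershell
# Added example (not from the original article): summarize the Security events
# behind the AD monitoring watch-list. Run elevated on a DC, or pass -ComputerName.
function Get-AdSecuritySummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,                 # illustrative window
        [int]$FailedLogonThreshold = 20   # illustrative threshold
    )
    $ids = @{
        4740 = 'Account locked out'
        4625 = 'Failed logon'
        4672 = 'Special privileges assigned at logon (admin logon)'
        4624 = 'Logon'
        4634 = 'Logoff'
    }
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$ids.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Pull one named field out of an event's EventData XML.
    function Get-Field([System.Diagnostics.Eventing.Reader.EventRecord]$e, [string]$name) {
        (([xml]$e.ToXml()).Event.EventData.Data | Where-Object Name -eq $name).'#text'
    }

    [pscustomobject]@{
        # Volume per event type: a sudden rise in 4625/4740 is the spike the article warns about.
        Counts = $events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
            [pscustomobject]@{ Id = [int]$_.Name; Event = $ids[[int]$_.Name]; Count = $_.Count }
        }
        # Accounts with many failed logons: password guessing or a stale cached credential.
        SuspiciousAccounts = $events | Where-Object Id -eq 4625 |
            ForEach-Object { Get-Field $_ 'TargetUserName' } |
            Group-Object | Where-Object Count -ge $FailedLogonThreshold |
            Select-Object @{ n = 'Account'; e = { $_.Name } }, @{ n = 'FailedLogons'; e = { $_.Count } }
        # Lockouts with the machine that triggered them (in 4740, TargetDomainName
        # carries the caller computer name).
        Lockouts = $events | Where-Object Id -eq 4740 | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = Get-Field $_ 'TargetUserName'
                Caller  = Get-Field $_ 'TargetDomainName'
            }
        }
        # Every privileged logon, to reconcile against who is supposed to use admin accounts.
        PrivilegedLogons = $events | Where-Object Id -eq 4672 | ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Account = Get-Field $_ 'SubjectUserName' }
        }
    }
}

$summary = Get-AdSecuritySummary -Hours 24
$summary.Counts            | Format-Table -AutoSize
$summary.SuspiciousAccounts | Format-Table -AutoSize
$summary.Lockouts          | Format-Table -AutoSize
$summary.PrivilegedLogons  | Format-Table -AutoSize
```

Because lockouts and failed logons are processed by the domain controller that handles the authentication, run the summary against each DC (or the PDC emulator, which receives lockout notifications from the others) rather than a single one.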

So, how can you monitor events in the Active Directory?

The best way of monitoring events in the AD is by using a log analyzing software application that generates AD reports.

Some of the best software tools for log analysis include:

4. Enforce complex passwords and passphrases

IT administrators should encourage their users to use passwords with a length of at least 8-12 characters with a combination of uppercase, lowercase, numeric, and special characters.

Moreover, users should be encouraged to use random passphrases as passwords. Also, a strong password policy should include account lockout after 3 failed login attempts.

Here are some good examples of strong passwords:

M@gnum@2030!TkrY

#Pros$YuOT29$7%
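The length, complexity and 3-attempt lockout rules described in this section are enforced in Active Directory through the default domain password policy and, for groups that need stricter rules, through a fine-grained password policy (PSO). The script below is an added example and not code from the original article; it assumes the ActiveDirectory module, and the PSO name, precedence, password ages and the `Domain Admins` target are illustrative choices.

```powershell
# Added example (not from the original article): inspect the current domain
# password policy, then apply a stricter fine-grained policy to privileged accounts.
Import-Module ActiveDirectory

# Before: what the domain enforces today. A weak baseline typically shows a short
# MinPasswordLength, ComplexityEnabled False, or LockoutThreshold 0 (never lock).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow, PasswordHistoryCount

# After: a PSO that overrides the default for its subjects (lower Precedence wins).
$pso = @{
    Name                        = 'PSO-PrivilegedAccounts'     # illustrative name
    Precedence                  = 10
    MinPasswordLength           = 12                           # upper end of the 8-12 range above
    ComplexityEnabled           = $true                        # upper, lower, numeric, special
    PasswordHistoryCount        = 24
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    LockoutThreshold            = 3                            # lock after 3 failed attempts
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false                       # never store recoverable passwords
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter { Name -eq 'PSO-PrivilegedAccounts' })) {
    New-ADFineGrainedPasswordPolicy @pso
}
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Domain Admins'

# Confirm which policy a given account actually receives (a PSO beats the domain default).
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, MinPasswordLength, ComplexityEnabled, LockoutThreshold
```

A PSO applies only to the users and global groups listed as its subjects; everyone else keeps the default domain policy, so check `Get-ADUserResultantPasswordPolicy` for a sample of accounts after the change rather than assuming coverage.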

5. Delete old and unused AD user accounts

You should develop a procedure for cleaning old and unused user accounts sitting in the AD. Hackers can use such idle accounts to infiltrate your system.
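One way to implement the cleanup procedure described above, as an added example that is not code from the original article: find enabled user accounts with no logon for 90 days, report them, and disable rather than delete them first so a mistaken hit can be reversed. It assumes the ActiveDirectory module; the 90-day window is an illustrative choice.

```powershell
# Added example (not from the original article): identify and disable stale AD user accounts.
Import-Module ActiveDirectory

function Get-StaleAdUser {
    param([int]$InactiveDays = 90)   # illustrative window
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # Accounts that never logged on but were created inside the window are probably
    # new rather than stale, so they are excluded by the whenCreated check.
    Search-ADAccount -UsersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) |
        Where-Object { $_.Enabled } |
        Get-ADUser -Properties LastLogonDate, whenCreated, Description |
        Where-Object { $_.LastLogonDate -or $_.whenCreated -lt $cutoff } |
        Select-Object SamAccountName, LastLogonDate, whenCreated, Description, DistinguishedName
}

$stale = Get-StaleAdUser -InactiveDays 90
$stale | Format-Table SamAccountName, LastLogonDate, whenCreated -AutoSize

# Disable instead of deleting, and record the reason in the description so the
# cleanup is auditable. Remove -WhatIf once the report has been reviewed.
$stale | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > 90 days" -WhatIf
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf
}
```

`LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which is only updated when it is more than about two weeks old, so treat the result as accurate to roughly 14 days rather than to the day.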

6. Practice patch management and vulnerability scanning

Hackers can leverage known vulnerabilities to breach your system. The earlier these vulnerabilities are discovered, the better.

It is prudent to periodically scan the Domain Controller for any vulnerabilities and update all the software applications. You can also use third-party applications to detect loopholes and vulnerabilities.

Additionally, it’s a good practice to regularly update software applications on your server and fix flaws addressed in the latest versions.

7. Desist from installing additional software or roles on the Domain Controller

To minimize risks of potential attacks, Domain Controllers should have as few software applications as possible.

Attackers can leverage preexisting vulnerabilities in the applications and use the flaws to gain entry and escalate privileges.

It is recommended to use the Windows Server core since it has no GUI and comes with a small footprint. Domain controllers should be kept as lean as possible.

8. Use security groups to determine which users have certain privileges

It is recommended for IT administrators to create custom security groups to determine which users have access rights and special privileges. This should also be documented to keep tabs on the users assigned different privileges.

Using security groups can assist in managing access privileges and preventing unauthorized access to sensitive data.

Wrapping up

Those are the best practices for maintaining the security of your Active Directory.


Detect Permission Changes in Active Directory

This article describes how to track permission changes in Active Directory.

Overview

Let’s start the article with a small example.

Suppose an organization works in three shifts, each with different server administrators, and in the meantime the permissions on some Active Directory objects change overnight. It is good practice to know which admin changed them, and when.

To obtain that information, auditing of changes to permissions in Active Directory has to be enabled, and in this article we explain how to do it successfully.

Enable auditing of Active Directory service changes

The first step is enabling auditing of Active Directory service changes. It has to be done on the domain controller, by changing the Group Policy Object Default Domain Controllers Policy.

The operation should be done from a server, or from a workstation with Remote Server Administration Tools (RSAT) installed.

Open Group Policy Management and expand the Active Directory forest, Domains, your domain, and then the Domain Controllers organizational unit (OU) to reach the Default Domain Controllers Policy GPO. Right-click it and choose Edit from the menu; the Group Policy Management Editor will open.

In the Group Policy Management Editor, navigate to (and expand) Computer Configuration, then Policies, then Windows Settings, then Advanced Audit Policy Configuration, and click DS Access.

Among the other subcategories, there will be Audit Directory Service Changes.

In the properties of the Audit Directory Service Changes policy, under the Configure the following audit events option, both checkboxes (Success and Failure) should be ticked.

Adding a system access control list (SACL)

The next step is adding a system access control list (SACL) to the domain to audit for modified permissions.

System access control lists (SACLs) are used for establishing security policies across the system for actions like logging or auditing resource access.

A SACL specifies:

  • Which security principals (users, groups, computers) should be audited when accessing the object.
  • Which access events should be audited for these principals.

Adding a system access control list (SACL) is done from Active Directory Users and Computers (ADUC): open the View menu and check Advanced Features (it has to be activated).

Click the Active Directory domain (on the left), select Properties > Security > Advanced, switch to the Auditing tab, and click Add. It will open the Auditing Entry dialog.

In the Auditing Entry dialog, click Select a Principal.

Enter “Everyone” as the object name in the Select User, Computer, Service Account, or Group dialog, and click OK.

The Auditing Entry type has to be set to “Success”, and the Applies to option has to be set to “This object and all descendant objects”.

Under “Permissions”, the only selected option has to be “Modify Permissions”.
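The same SACL entry can be applied and verified from PowerShell, which is useful for repeating the configuration on several domains or checking it in an audit. The script below is an added example, not code from the original article. It assumes the ActiveDirectory module (RSAT) and an elevated session on a domain controller; “Modify Permissions” in the GUI corresponds to the `WriteDacl` right, and “Everyone” is addressed by its well-known SID so the script is locale-independent.

```powershell
# Added example (not from the original article): add the auditing entry
# Everyone / Success / Modify Permissions (WriteDacl) / This object and all
# descendants to the domain root, then confirm the audit subcategory is enabled.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$path     = "AD:\$domainDN"

# 'Everyone' by its well-known SID (S-1-1-0).
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# Success audits for WriteDacl on this object and all descendant objects,
# matching the GUI choices above.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Confirm the entry is present in the SACL.
(Get-Acl -Path $path -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ActiveDirectoryRights -match 'WriteDacl' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize

# The SACL produces no events unless the 'Directory Service Changes' subcategory is
# being audited (the group policy step above); check the effective setting on this DC.
auditpol.exe /get /subcategory:"Directory Service Changes"
```

Reading and writing a SACL requires the `SeSecurityPrivilege` (Manage auditing and security log) right, which Domain Admins hold by default on domain controllers; run the script from an elevated prompt or `Get-Acl -Audit` fails with an access-denied error.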

Check

And that is it. The only thing left to do is check the changes of permissions.

It can be done in PowerShell with the following command. Note that the event ID is passed to Get-EventLog directly and before -Newest, so the ten most recent 5136 events are returned; filtering with Where-Object after -Newest 10 would only inspect the ten most recent Security events of any kind and usually miss the ones of interest.

Get-EventLog -LogName Security -InstanceId 5136 -Newest 10 | Format-List

The output should be a formatted list of information about the changes (who made the change, on which object, and the new security descriptor).
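Event 5136 (“A directory service object was modified”) is written for every audited attribute change, not only for permission changes, and its fields sit in the event’s XML rather than in the message text. The following script is an added example, not code from the original article: it reads the events with Get-WinEvent, keeps only those where the modified attribute is `nTSecurityDescriptor`, and reports who changed permissions on which object and when. It assumes the auditing configured above is active and the session is elevated on the domain controller; `-ComputerName` can point it at another DC.

```powershell
# Added example (not from the original article): list permission changes
# recorded as Security event 5136, resolved to admin / object / time.
function Get-AdPermissionChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )
    $filter = @{ LogName = 'Security'; Id = 5136 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="...">value</Data> elements into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 5136 fires for any attribute write; permission changes are the ones
        # touching the security descriptor.
        if ($data['AttributeLDAPDisplayName'] -ne 'nTSecurityDescriptor') { return }

        # OperationType is a resource string id: %%14674 = Value Added, %%14675 = Value Deleted.
        # A permission change appears as a pair: old descriptor deleted, new descriptor added.
        $op = switch ($data['OperationType']) {
            '%%14674' { 'Value Added' }
            '%%14675' { 'Value Deleted' }
            default   { $data['OperationType'] }
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Admin     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object    = $data['ObjectDN']
            Class     = $data['ObjectClass']
            Operation = $op
            SDDL      = $data['AttributeValue']   # the security descriptor in SDDL form
        }
    }
}

# Show only the "new descriptor" half of each change; the SDDL column holds the
# full descriptor if the exact ACE that was added needs to be examined.
Get-AdPermissionChange -MaxEvents 200 | Where-Object Operation -eq 'Value Added' |
    Format-Table Time, Admin, Object, Class -AutoSize
```

`-MaxEvents` limits how many 5136 events are read before the `nTSecurityDescriptor` filter is applied, so on a busy domain raise it (or add a `StartTime` to the filter hashtable) if the output comes back empty.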

How To Generate All Domain Controllers in Active Directory

In this article, we’ll describe how to generate all Domain Controllers in the Active Directory Sites and Services tool.

Active Directory Sites and Services can be seen as an administrative tool used to manage sites and the related components on Microsoft Server systems.

It contains a list of all Domain Controllers (DCs) connected to the system, regardless of their number.

In some situations, admins can notice more than one DC listed under Windows NT Directory Services (NTDS) settings.

What are these other DCs, and how can they be generated automatically?

KCC

Those DCs are called KCCs (Knowledge Consistency Checkers). They are nominated bridgehead servers per site that handle replication tasks between specific sites.

A bridgehead server is responsible for replicating any changes to all remaining DCs in its site.

In simple words, KCCs take care of replication by generating connections between DCs, which communicate with other DCs and KCCs; consequently, the auto-generated domain controller connections take care of the replication.

How to create automatically generated Domain Controllers

There are instances, such as during server moves or adding new organizational Domain Controllers, when Active Directory is unable to create ‘Automatically Generated’ connections with the root Domain Controller.

In such a situation, the Domain Controller can be seen, but not on the “real” Domain Controller list.

There is more than one solution to this problem.

Let’s talk about two of the most used and tested solutions.

1. Manually forcing auto generation

This first method, although it falls into the quick “workaround” category, involves manually forcing auto-generation.

It can be done by right-clicking the NTDS Settings option and then choosing ‘All Tasks’ and ‘Check Replication Topology’.

That should trigger auto-generation for all Domain Controllers, and your Domain Controllers should now be visible on the list.

2. Repadmin

Repadmin is a command line tool used for diagnosing and repairing replication problems.

It can be used from an elevated command prompt by typing ntdsutil.

Then, entering this command:

repadmin /showrepl *

To create an output that replicates the state of all DCs in the system, enter this command (the three arguments are placeholders that must be filled in):

repadmin /replicate <destination DC> <source DC> <naming context DN>

repadmin /replicate copies one naming context from the source DC to the destination DC; repadmin /syncall /AdeP replicates every partition with all partners across sites in one step. As a result, forced replication starts. This command forces replication and generates all Domain Controllers on the Sites and Services list.
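The two procedures above can be checked and automated from PowerShell. The script below is an added example and not code from the original article: it lists the replication connections the KCC maintains, flags manually created ones (which the KCC will not repair), triggers the KCC on every domain controller (the command-line counterpart of ‘Check Replication Topology’), and reports replication failures. It assumes the ActiveDirectory module and repadmin.exe from RSAT, and an account permitted to run repadmin against each DC.

```powershell
# Added example (not from the original article): inventory replication
# connections, flag manual ones, trigger the KCC, and report failures.
Import-Module ActiveDirectory

# ReplicateFrom/To values are NTDS Settings DNs of the form
# CN=NTDS Settings,CN=<DC>,CN=Servers,...; the second RDN is the DC name.
function Get-DcNameFromNtdsDn([string]$dn) {
    (($dn -split ',')[1]) -replace '^CN=', ''
}

function Get-ReplicationConnectionReport {
    Get-ADReplicationConnection -Filter * | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            FromServer    = Get-DcNameFromNtdsDn $_.ReplicateFromDirectoryServer
            ToServer      = Get-DcNameFromNtdsDn $_.ReplicateToDirectoryServer
            AutoGenerated = [bool]$_.AutoGenerated
        }
    }
}

$connections = Get-ReplicationConnectionReport
$connections | Format-Table -AutoSize

# Manual connections are the ones the KCC will not replace: if their source DC
# goes offline, replication between the affected sites stalls.
$manual = $connections | Where-Object { -not $_.AutoGenerated }
if ($manual) {
    Write-Warning 'Manually created connections present (KCC will not repair these):'
    $manual | Format-Table -AutoSize
}

# Ask the KCC on each DC to recompute the topology now instead of waiting for its
# periodic run; this is what 'Check Replication Topology' does in the GUI.
foreach ($dc in Get-ADDomainController -Filter *) {
    & repadmin.exe /kcc $dc.HostName | Out-Null
}

# Any partner that has failed to replicate, with the last error and first failure time.
Get-ADReplicationFailure -Scope Forest -Target (Get-ADForest).Name |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize
```

If `Get-ADReplicationFailure` keeps reporting the same partner after the KCC has run, the connection itself is not the problem; check name resolution and the RPC ports between the two DCs before forcing replication again.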

Conclusion

It is usually not necessary to create manual connections when the KCC is being used to generate automatic connections; if any conditions change, the KCC automatically reconfigures the connections.

Adding manual connections when the KCC is employed can potentially increase replication traffic and conflicts with optimal settings stipulated by KCC.

If a connection is not working due to a failed domain controller, the KCC automatically builds temporary connections to other replication sites (if the damage is not too big) to ensure that replication occurs.

If all the domain controllers in a site are unavailable, KCC automatically creates replication connections between domain controllers from another site.

It is not recommended to manually modify this, unless you have a very specific use case.

As long as these records are auto-generated, they can survive a Domain Controller failure, as the KCC/ISTG will automatically create a new connection.

However, if you manually create a connection or specify a bridgehead server, and that server goes offline, KCC will not create a new connection and replication between the affected sites will stall.

How to Optimize Your Active Directory for Windows Server 2016

Microsoft Windows Server 2016 is still a valid choice in the market, and organizations are already asking their IT experts to evaluate its added value and the challenges they may encounter when moving from their current systems to the new server platform. In addition to the features found in Windows Server 2012 and 2012 R2, Windows Server 2016 presents new possibilities and capabilities that are missing from previous Windows Server platforms. Any new Windows Server operating system that enters the market gets attention, and Windows Server 2016 made tremendous improvements to its Active Directory.

The best approach to take before implementing Windows Server 2016 is to test its readiness by looking for ways of minimizing the likely impact of migration. Another way to look at it would be to identify organizational needs and how they can be integrated for future implementations. The reason Administrators would want to try on the Windows Server 2016 Active Directory is to provide an opportunity for growth, offer flexibility, and enhance security setup in the organization.

Why Does Windows Server 2016 Matter

Windows Server 2016 combines principles that define computation, identity, management and automation, security and assurance, and storage. These are broken down into the core elements of the server operating system: virtualization, system administration, network management and Software Defined Networking (SDN) technologies, cloud integration and management, and disk management and availability. All of these are meant to bring organizations to the future of technology without the need to discard the infrastructure being used in the current environment.

Windows Server 2016 is a full-featured server Operating System boasting of solid performance with modern advancements. This new server shares so many similarities with the Data Center edition that incorporates support for Hyper-V containers and new storage features and enhanced security solely to protect virtual machines and network communications that have no trust configured between them.

This article should help you learn more about Windows Server 2016 features, the factors to consider before moving from an old to a new setup, and how to optimize your Active Directory, with more details on how to prepare the move, migrate efficiently, and manage the new environment effectively.

Windows Server 2016 New Features

Several features and enhancements form part of this server operating system. Here are some of the highlights:

Temporary Group Membership

This form of membership gives administrators a way of adding users to a security group for a limited time. For this feature to work, the Windows Server 2016 Active Directory must be operating at the required functional level. System administrators need to know all the installation requirements beforehand, for during and after the transition.
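Temporary group membership is exposed in the ActiveDirectory module as a time-to-live on the group link. The script below is an added example, not code from the original article or Microsoft documentation: it enables the optional feature that the capability depends on, adds a user to a privileged group for two hours, and shows the remaining TTL. It assumes the forest is at the Windows Server 2016 forest functional level; the forest name `corp.example`, the user `alice`, the two-hour lifetime and the choice of `Domain Admins` are placeholders.

```powershell
# Added example (not from the original article): time-limited group membership
# using the Windows Server 2016 Privileged Access Management (expiring links) feature.
Import-Module ActiveDirectory

$forest = 'corp.example'      # placeholder forest name
$group  = 'Domain Admins'     # placeholder target group
$user   = 'alice'             # placeholder user

# One-time, irreversible per forest: turn on the optional feature that makes
# group links expire. Requires the Windows Server 2016 forest functional level.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest
}

# Membership lapses automatically after two hours with no cleanup job. The
# Kerberos TGT issued to the user is capped to the shortest remaining TTL, so
# the elevated rights expire with the membership rather than at the next logon.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Hours 2)

# Remaining TTL per member: entries look like <TTL=7170,CN=alice,...>; members
# without a TTL prefix are permanent.
Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Enabling the feature cannot be undone, so do it deliberately on a test forest first; once enabled, an ordinary `Add-ADGroupMember` without `-MemberTimeToLive` still creates a permanent membership, so the TTL has to be part of the elevation procedure, not an afterthought.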

Active Directory Federation Service

These are the essential changes that come with the Microsoft Windows Server 2016 Federation Service:

Conditional Access Control

Active Directory in previous installations had straightforward access controls, because the assumption had always been that all users would log in from a computer joined to a domain with proper Group Policy security settings. Conditional access gives users access to the resources that have been assigned to them.

In today’s environments, users access resources from different types of devices that are not joined to the domain and usually work outside the organization’s operating norms. This called for improved security through a Conditional Access Control feature, which gives administrators better control over which user requests should be honoured, on a per-application basis. For example, administrators may enforce multi-factor authentication when devices try to access business applications.

Support for Lightweight Directory Access Protocol (LDAP) v3

Another change introduced with Active Directory Federation Services is support for Lightweight Directory Access Protocol v3. This capability makes it easier to centralize identities across different directories. For example, an organization that uses a non-Microsoft directory for identification and access control can centralize identities in the Azure cloud or Office 365, and LDAP v3 support makes it easier to configure single sign-on for SaaS applications.

Domain Name System (DNS)

Active Directory and DNS go hand in hand because Windows Server systems depend on DNS. There had been no significant changes to the Windows Server DNS service until Windows Server 2016 arrived. The following are the new DNS features:

DNS Policies

The ability to create DNS policies is said to be the most significant change. These policies enable administrators to control how DNS responds to different queries. Examples of such policies are load balancing and blocking DNS requests coming from IP addresses or domains that have been listed as malicious.

Response Rate Limit

The rate of the server’s responses to DNS queries can now be controlled. This control is designed to help defend against external attacks such as denial of service by limiting the number of times per second a DNS server responds to a client.
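Both of the DNS features just described, query-blocking policies and response rate limiting (RRL), are configured with the DnsServer module. The script below is an added example, not code from the original article: it defines a client subnet, creates a query-resolution policy that silently drops queries from it, enables RRL with a log-only trial step, and exempts an internal subnet. It runs on a Windows Server 2016 DNS server; the subnet `203.0.113.0/24` (a documentation range), the internal range `10.0.0.0/8`, and all policy names are placeholders.

```powershell
# Added example (not from the original article): block queries from a listed
# subnet with a DNS policy and rate-limit responses to blunt DoS/amplification.
Import-Module DnsServer

# 1. Name the subnet the policy will match (placeholder documentation range).
Add-DnsServerClientSubnet -Name 'BlockedClients' -IPv4Subnet '203.0.113.0/24'

# 2. IGNORE = drop the query without answering. Policies run in ProcessingOrder,
#    so order 1 puts this check ahead of any other resolution policy.
Add-DnsServerQueryResolutionPolicy -Name 'DropBlockedClients' `
    -Action IGNORE -ClientSubnet 'EQ,BlockedClients' -ProcessingOrder 1

# 3. Response rate limiting. Start in LogOnly to observe what would be limited
#    (events are logged, nothing is dropped), then switch -Mode to Enable.
#    ResponsesPerSec/ErrorsPerSec cap identical answers to one client subnet,
#    WindowInSec is the measuring window, and TruncateRate sends a truncated
#    (TC) reply to some excess queries so real clients can retry over TCP.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 `
    -WindowInSec 5 -TruncateRate 3 -LeakRate 3 -Force

# 4. Never rate-limit the internal network (placeholder range).
Add-DnsServerClientSubnet -Name 'InternalClients' -IPv4Subnet '10.0.0.0/8'
Add-DnsServerResponseRateLimitingExceptionlist -Name 'InternalExceptions' -ClientSubnet 'EQ,InternalClients'

# Verify the settings as the server now holds them.
Get-DnsServerQueryResolutionPolicy -Name 'DropBlockedClients'
Get-DnsServerResponseRateLimiting
Get-DnsServerResponseRateLimitingExceptionlist
```

Leave RRL in LogOnly mode long enough to cover normal peak traffic before enabling it; a limit tuned on a quiet day can throttle legitimate recursive resolvers that send many identical queries on behalf of their users.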

Microsoft IP Address Management (Microsoft IPAM)

The most significant improvement to DNS is its IP Address Management (IPAM) system, which helps track IP address usage. IPAM’s integration with DHCP has been robust, while its DNS integration was minimal; Windows Server 2016 adds DNS management capabilities by recording inventory. IPAM’s support for multiple Active Directory forests is a welcome feature. Supporting multiple forests is only possible if there is already a trust between them and IPAM is installed in each forest.

Migration Considerations

Planning is critical when moving from an earlier Windows Server version to Server 2016. The goal of any migration should be minimizing its impact on business operations. Going ahead with the migration should be an opportunity for administrators to set up a scalable, flexible, compliant, and secure platform.

Understanding the Existing Server Environment

It is a rookie mistake to jump into implementation without a proper analysis of the current server environment. Assessment at this stage should look at users, groups, distribution lists, applications, folders, and Active Directory. On the business side, workflows, email, programs, and any infrastructure in use should be assessed before making the big move.

It is also vital that you:

  • Understand what needs to be moved and what is to be left as it is. For example, there is no need to move inactive accounts and old data that is no longer relevant. All active data stores, mailboxes, and users are what you should not leave behind.
  • Analyze the applications, users, and processes that need access and should be migrated, to ensure that the relevant resources are available during and after the transfer.

Improving Active Directory Security and Compliance Settings

Another critical factor to consider during migration is security and delegation: controlling who makes changes to Windows Active Directory objects and policies. Many organizations grant access to Active Directory objects to solve an immediate problem and never clear the permissions afterwards. Proper controls should be in place to manage what can be added to the AD and who is responsible for making such changes.

Activities in the Active Directory should be continuously monitored to ascertain whether they comply with both internal and external regulations. Microsoft Windows Server and AD can audit events with visible output, and auditing can be implemented quickly even in a busy setup. A coherent AD audit setup with analytical capabilities is critical for flagging unauthorized changes, spotting inappropriate use of the AD and related resources, tracking users across the entire infrastructure, and giving compliance reports to the auditors.

Ensuring Application Compatibility

Before initiating a migration, make sure that all software and third-party applications used in your organization are compatible with Windows Server 2016. All in-house applications should also be tested to make sure they work correctly in the new environment.

Minimizing Impact on Business

Resolving in-house software compatibility early is one way of reducing the cost of the migration to the business. As an administrator, you need to know how downtime will be handled when moving from the legacy to the new system. Avoid underestimating the impact of the migration on users and operations by failing to analyze all access points. Many such problems can be avoided by scheduling resource-intensive migration tasks during off-peak hours.

A rough transition between the legacy and the new system leads to service disruptions, lost productivity, and increased cost of doing business. Co-existence of the old and the new system is essential in any Active Directory migration, because users still need to reach their resources throughout. Directory synchronization matters at this stage to make sure users keep access to their data.

Restructure the Active Directory

Moving from a legacy system to Windows Server 2016 should be taken seriously and not treated like a routine IT task. It is an opportunity to restructure the Active Directory to meet current and future needs. A significant system upgrade is often prompted by changes in organizational models and requirements, and changes in IT technology are another major force that drives restructuring of the Active Directory.

Determine the number of domains and forests needed, and examine whether some forests should be merged or new ones created. You can also take the opportunity to attach new infrastructure at remote offices that may not have existed under the legacy system.

Active Directory Management and Recovery

Every IT department faces challenges in managing Active Directory day to day. Configuring user properties is time-consuming and error-prone in a large, complex Windows network. Some of these duties are performed manually, which turns into repetitive, mundane work that consumes most of an administrator's time. Accomplishing them with the native Windows tools or PowerShell instead requires a deeper understanding of how Active Directory and its features work.

Software that automates repetitive Active Directory tasks simplifies the process and provides detailed reports on tasks and their status. Such tools help in planning and executing an efficient AD restructuring, which in turn helps you implement a secure system. They give a common console from which management can view and administer Active Directory users, computers, and groups, and some let the administration delegate repetitive tasks securely and perform controlled automation of the Active Directory structure.

Software Implementation

Two popular products used for Active Directory management and optimization tasks are:

  1. ADManager Plus
  2. Quest Software

Both can help with restructuring and consolidation when moving to Windows Server 2016.

ADManager Plus

ADManager Plus offers features such as customized notifications by SMS or email. Its search options let IT managers query the directory with ease through the software's interface, and the IT department can carry out Windows optimization tasks from it as well as integrate utilities such as ServiceNow, ServiceDesk, and ADSelfService Plus.

Active Directory User Management

ADManager Plus manages thousands of Active Directory user accounts through its interface. It lets you create and modify users by configuring general attributes, Exchange Server attributes, Exchange policies, Terminal Services attributes, and remote logon permissions. You can provision new users in Office 365 and G Suite while creating their accounts in Active Directory, and you can design templates that let the help desk team modify and configure user accounts and properties in a single action.

Active Directory Computer Management

This component manages all computers in the environment from any location. You can create objects in bulk from CSV templates, modify group and general attributes of computers, move them between organizational units, and enable or disable them.

Active Directory Group Management

Group management is made more flexible by modules for creating and modifying groups from templates, so all configuration attributes can be set in one step.

Active Directory Contact Management

The tool can import and update Active Directory contacts as a single operation, so you do not have to select individual contacts for an update.

Active Directory Help Desk Delegation

The ADManager Plus delegation feature lets administrators create help desk administrators and delegate selected tasks on user attributes to them. Repetitive management tasks for users, groups, computers, and contacts can be delegated through customized account creation templates. Help desk users share the administrators' workload, freeing them for core duties.

Active Directory Reports and Management

ADManager Plus provides information on the different objects within AD, which can be viewed and analyzed in its web interface. For example, you can list all inactive users and modify those accounts accordingly.

Quest

Quest takes a different approach: its tools cover preparation, recovery, security and compliance, migration, consolidation, and restructuring.

Preparation

During preparation, Quest Enterprise Reporter assesses the existing environment with a detailed evaluation of the current setup, including Active Directory, Windows Server, and SQL Server. It can report the number of accounts in Active Directory and separate the active from the disabled ones. Knowing the exact state of your environment is paramount before the migration begins.

Quest also discovers identities and inventories on application servers that depend on the Active Directory domains being moved, so you can fix or redirect them on the new server.

Migration, Consolidation, and Restructuring

Migration Manager for Active Directory provides what Quest calls ZeroIMPACT AD restructuring and consolidation. It allows migrated and not-yet-migrated users to coexist by maintaining secure access to workstations and resources throughout.

Secure Copy offers an automated way to migrate and restructure files on the data server quickly while preserving security settings and access. Its robustness makes it well suited to planning and verifying successful file transfers.

Migrator for Novell Directory Services (NDS) helps administrators move from Novell eDirectory to Active Directory. The tool also moves all data held in Novell and re-assigns permissions to the new identities on the new server.

Security and Compliance

Change Auditor for Active Directory gives a complete record of all changes made in Active Directory. The report shows who made each change, what kind of change it was, the values before and after, and the workstation from which it was made. Change Auditor can also block changes; for example, you can prevent deletion or moves of organizational units and changes to Group Policy settings.

Access Control

Active Roles helps AD security stay compliant by letting you control access through delegation based on least privilege. You can generate access rules from defined administrative policies and access rights, bring together user groups and mailboxes, and change or remove access rights as roles change.

Centralized Permission Management

Security Explorer facilitates the management of permissions, including Microsoft Dynamic Access Control (DAC), by letting administrators add, remove, restore, back up, and copy permissions from a single console. The tool can make targeted or bulk changes to server permissions, with management features such as granting, revoking, cloning, and modifying permissions.

Monitoring Users

InTrust enables the secure collection, storage, and reporting of log data and alerts in line with internal and external regulations, policies, and security best practice. With InTrust you gain insight into user activity by auditing access to critical systems, and suspicious logons can be seen in real time.

Management and Recovery

The easiest way for an IT administrator to manage user accounts, computers, and other objects at scale is through Group Policy. Poorly managed Group Policy Objects (GPOs) can do a lot of damage; a GPO that assigns proxy settings with the wrong proxy values, for example, cuts every affected client off from the web.

GPOADmin automates Group Policy management and adds a workflow so that changes to GPOs are reviewed and approved before they are deployed. Used in production, this reduces the management workload and improves security.

Recovery is a critical process in any organization that runs on Windows Server 2016. Wrong entries and deleted accounts can be recovered. Recovery Manager for Active Directory also reports on the differences between the backup and the live state and helps restore objects that were changed.

It is important to be prepared for disaster and data recovery. If your domain falls into the wrong hands or the entire directory is corrupted, Recovery Manager for Active Directory is the utility to use.

Conclusion

Windows Server 2016 has a wealth of new features and capabilities that streamline and improve management and give users a better experience. A successful implementation rests on a sound Active Directory consolidation process. Administrators who have already tested this server operating system should take advantage of the new capabilities.

Active Directory tools and utilities bring many benefits because they help set up a flexible and secure Windows Server 2016 and Active Directory that will serve both the current and the future environment. These utilities also help managers who are not familiar with the Active Directory management tools but need to move to the new server to comply with regional and international standards.

Microsoft Active Directory Permissions: Best Practices for Data Protection

In this article, we cover best practices for data protection in the most widely used directory service, Microsoft Active Directory Domain Services (AD DS).

Microsoft Active Directory (AD) is a database that keeps track of all the “objects” in the system: users, computers, security groups, services, and so on. AD DS is the one central place where all the rights a particular object has on the network are defined and updated.

In short, it is the vital part of any Microsoft server system, and the one that deserves the highest level of security.

So let's start with tips and best practices for securing Microsoft Active Directory as well as possible.

Least-Privilege User Access (LUA)  

The principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. (Wikipedia Definition) 

As part of that principle, the recommendation is to use LUA:

LUA is the reverse of handing administrative privileges to all users and then scaling back permissions as needed. It is one of the best tips for keeping your network safe.

It is the “hard way” of granting permissions: personalized for each user. You determine the needs of every user on the network and grant permissions for exactly those needs, no more and no less.

The process is not easy; it requires a lot of communication and takes a lot of time to configure the system that way. But in the long term, your system will operate safely and as it should.

There are variations of this plan, such as creating “section groups” with different permissions and placing everyone from a section in them. That is not a personalized setup, though, and can still give an individual user too much or too little.

Know Your Active Directory Security Model 

The Microsoft Active Directory security model keeps every object stored in Active Directory safe and protected.

That includes domain user and computer accounts, security groups, and group policies. 

It helps an administrator determine user access to any object and gives the option to specify access for groups of users as part of security management.

Every single object in Microsoft Active Directory has a security descriptor associated with it. The security descriptor defines the permissions on the object. Among its parts is the Discretionary Access Control List (DACL), which contains Access Control Entries (ACEs) that allow or deny specified permissions to a user or security group; the System ACL (SACL) in the same descriptor holds the auditing entries.

ACEs can be explicit or inherited. An explicit ACE set on the object itself takes precedence over one inherited from a parent container, and within each of those sets Deny entries are evaluated before Allow entries.
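
The security descriptor, ACL and ACE concepts above, together with the least-privilege delegation recommended in the LUA section, as an added example that is not part of the original article: it reads the ACL of an OU, separates explicit from inherited ACEs, and then delegates exactly one task (resetting passwords of users in that OU) to a help-desk group instead of making that group an administrator. It assumes the RSAT ActiveDirectory module; the OU and group names are assumptions, and the GUIDs are looked up from the schema and configuration partitions rather than hard-coded.

```powershell
# Added example: inspect an OU's ACL and add a least-privilege delegation.
# Assumes RSAT ActiveDirectory; OU and group names are assumptions.
Import-Module ActiveDirectory

$OU       = 'OU=Staff,DC=corp,DC=local'       # assumed target OU
$Delegate = 'HelpDesk-PasswordReset'           # assumed domain group
$RootDSE  = Get-ADRootDSE

# --- 1. Read the security descriptor; show explicit before inherited ACEs ----
$acl = Get-Acl -Path "AD:\$OU"
$acl.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  IsInherited, InheritanceType, ObjectType |
    Sort-Object IsInherited, IdentityReference | Format-Table -AutoSize

# --- 2. Resolve the GUIDs the ACE needs from the directory itself -----------
# Extended right "Reset Password" (controlAccessRight under Extended-Rights).
$ResetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid).rightsGuid
# schemaIDGUID of the user class: the ACE applies to user objects only.
$UserClassGuid = [guid](Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
# schemaIDGUID of pwdLastSet: lets the help desk tick "change at next logon".
$PwdLastSetGuid = [guid](Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID

# --- 3. Two ACEs, inherited by descendant user objects only ------------------
$Sid     = (Get-ADGroup $Delegate).SID
$Descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

$ResetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $Allow,
    $ResetPwdGuid, $Descend, $UserClassGuid)
$PwdRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $Allow,
    $PwdLastSetGuid, $Descend, $UserClassGuid)

$acl.AddAccessRule($ResetRule)
$acl.AddAccessRule($PwdRule)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# --- 4. Verify: only the two new explicit ACEs should name the group --------
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$Delegate" -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Keep the delegated OU free of privileged accounts: an ACE scoped to all descendant users would otherwise let the help desk reset a Domain Admin's password, which is why protected accounts live under AdminSDHolder's template ACL rather than the OU's.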

And this is just the tip of the Microsoft Active Directory security model iceberg.

The security model is not easy to learn or to explain in a single article. Even some experienced administrators struggle with the full model, so every system administrator is advised to make it a personal goal to learn as much about it as possible.

A better understanding of it gives better insight into how system security works and better protection of your organization, and with that better productivity and quality of service.

More on the Active Directory security model can be found at the following link:

http://www.paramountdefenses.com/active-directory-security/model.html 

Keep Your Software Up To Date and Secure 

In May 2017, many Windows-based systems were hit by the WannaCry ransomware worm. Microsoft had discovered the vulnerability and released a patch (MS17-010) two months earlier, in March 2017, yet many systems had not applied it and were struck by a worm that broke in over SMBv1, encrypted data, and demanded a ransom in Bitcoin.

The attack was stopped within a few days of its discovery thanks to emergency patches released by Microsoft for otherwise unsupported systems and the discovery of a “kill switch” domain that stopped infected computers from spreading WannaCry further.

The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars.

Experts advised affected users against paying the ransom, since there were no reports of data being returned after payment and high revenues would only encourage more such attacks. After the attack had subsided, a total of 327 payments totaling $130,634.77 (51.62396539 XBT) had been made.

Like every incident, this one is an opportunity to learn from earlier mistakes so that they are not repeated.

This expensive and very real example shows the importance of keeping software updated and applying official patches to your system software.

Software without updates applied is unreliable software. A patch or update is made for a reason, and in most cases it improves security and makes your system less exposed to any type of attack.

For that purpose, Microsoft maintains sites that help administrators keep their systems healthy and protected. All admins are strongly advised to follow TechNet and the Microsoft Secure Blog to keep up with system software and security updates.
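
The check that follows from the WannaCry lesson, as an added example that is not part of the original article: it reports, for a list of servers, whether the SMBv1 server that the worm exploited is still enabled and how recently each host was patched, and it provides the remediation. It assumes WinRM access to the targets and the RSAT ActiveDirectory module; the target list (every domain controller) is an assumption, and because the KB number that closes MS17-010 differs per OS build, patch state is inferred from the newest installed update rather than from a fixed KB.

```powershell
# Added example: post-MS17-010 exposure report and SMBv1 remediation.
# Assumes WinRM to the targets; target list is an assumption.
Import-Module ActiveDirectory

function Test-Smb1Exposure {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $smb    = Get-SmbServerConfiguration
        $os     = Get-CimInstance Win32_OperatingSystem
        $newest = Get-HotFix -ErrorAction SilentlyContinue |
                  Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
                  Select-Object -First 1
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            OS             = $os.Caption
            Build          = $os.BuildNumber
            SMB1Enabled    = $smb.EnableSMB1Protocol      # the protocol WannaCry abused
            SMB2Enabled    = $smb.EnableSMB2Protocol
            NewestHotFix   = $newest.HotFixID
            NewestHotFixOn = $newest.InstalledOn
            # An installed patch is not active until the box has rebooted.
            PendingReboot  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        }
    } | Select-Object Computer, OS, Build, SMB1Enabled, SMB2Enabled, NewestHotFix, NewestHotFixOn, PendingReboot
}

function Disable-Smb1 {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Stops the SMB1 listener immediately (no reboot). Uninstalling the
        # FS-SMB1 feature as well (reboot required) takes the code off the box.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
            Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null
        }
    }
}

# Usage: report first; disable only after confirming nothing (old NAS boxes,
# printers, legacy scanners) still depends on SMB1 on those hosts.
$Targets = (Get-ADDomainController -Filter *).HostName
Test-Smb1Exposure -ComputerName $Targets | Format-Table -AutoSize
# Disable-Smb1 -ComputerName $Targets
```

A host that shows SMB1Enabled = False but a months-old NewestHotFixOn is still a finding: the worm's vector is closed, but the rest of the unpatched surface is not.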

It is not only up to administrators, even though their part of the job is the most important; organizations must keep their hardware up to date too. Obsolete hardware can make the risk of a security breach high, so investing in hardware is not money thrown away but an investment in security and functionality.

Usage of built-in Active Directory Features 

Many built-in Active Directory features help administrators protect data and the system environment. None of them is a “one program solves all” or a big life-saving solution, but used correctly they lower the risk of a security breach.

This is a list of some of the useful built-in features:

Security Descriptor Propagator (SDProp) – A process that runs on the PDC emulator every 60 minutes. It compares the security descriptor of each protected user account and group (those with adminCount=1) with the security descriptor of the AdminSDHolder object and, if it finds a mismatch, overwrites the account's permissions with the template's and disables inheritance on it.

AdminSDHolder – The template object (CN=AdminSDHolder,CN=System,<domain>) whose permissions SDProp stamps onto protected accounts and groups, no matter where in the domain they are located. A delegation that really must reach protected accounts is made on this object, not on the accounts or their OU.

Privileged Access Management – In Windows Server 2016 forests with the optional feature enabled, an administrator can add an account to a group with a time-to-live, so the membership (and the Kerberos ticket that carries it) expires on its own once the required work is done, instead of staying in place until someone remembers to remove it.

Role-based Access Control – Lets the administrator group users and give them access to resources in the domain according to previously defined rules, instead of permission by permission.
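
The SDProp/AdminSDHolder interaction and the time-bound membership described above, as an added example that is not part of the original article: it compares the DACL of every adminCount=1 object with the AdminSDHolder template, flags accounts that still carry adminCount=1 although they left every protected group (SDProp no longer touches those, so they keep the locked-down ACL and stay out of inheritance forever), and then grants a Domain Admins membership that expires after two hours. It assumes the RSAT ActiveDirectory module and a Windows Server 2016 forest with the Privileged Access Management feature; the account name and the two-hour TTL are assumptions, and the DACL comparison is approximate (SDDL string equality).

```powershell
# Added example: AdminSDHolder consistency report plus expiring group membership.
# Assumes RSAT ActiveDirectory and a WS2016 forest; names and TTL are assumptions.
Import-Module ActiveDirectory

$DomainDN     = (Get-ADDomain).DistinguishedName
$Template     = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$DomainDN"
$TemplateSddl = $Template.GetSecurityDescriptorSddlForm('Access')

# Default protected groups; SDProp stamps their (transitive) members.
$ProtectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$ProtectedMembers = $ProtectedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Select-Object -ExpandProperty DistinguishedName -Unique

Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' |
    Where-Object { $_.Name -ne 'krbtgt' } |          # protected by design, in no group
    ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            Name            = $_.Name
            # SDProp runs every 60 min on the PDC emulator; a mismatch right after
            # a change is normal, a persistent one means someone edited the ACL.
            MatchesTemplate = ($acl.GetSecurityDescriptorSddlForm('Access') -eq $TemplateSddl)
            # adminCount=1 but in no protected group: an "orphaned" protected
            # account. Clear adminCount and re-enable inheritance to release it.
            Orphaned        = ($_.DistinguishedName -notin $ProtectedMembers)
            DN              = $_.DistinguishedName
        }
    } | Format-Table -AutoSize

# Time-bound membership instead of a permanent Domain Admins entry. The optional
# feature is enabled once per forest and cannot be turned off again:
# Enable-ADOptionalFeature 'Privileged Access Management Feature' `
#     -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)             # 'jdoe' is an assumed account
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member                  # expiring entries show as <TTL=seconds,DN>
```

A Kerberos ticket issued while the TTL is active carries the group SID until the ticket itself expires, so the feature caps the ticket lifetime to the remaining TTL; do not rely on the group change alone if a session must be cut off sooner.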

Use Isolated Workstations for Managing DCs

If there is a need to log on to Active Directory with an elevated account, for whatever reason, the operation should always be performed from a dedicated device, preconfigured to reduce the risks that come with everyday tasks.

Such workstations should be isolated from the internet and used according to the Least-Privilege User Access (LUA) principles described above.

They should be protected by every kind of security software available (anti-malware, endpoint firewall, and application control).

These administrative workstations should be kept in their own organizational unit so that a dedicated set of Group Policies applies to them (restricted local logons and other limitations).

Accounts used on isolated workstations may be service desk accounts that can reset passwords for most users in the domain, accounts used to administer DNS records and zones, or accounts used for configuration management. Secure administrative hosts should be dedicated to administrative functionality and should not run email clients, web browsers, or any other productivity software.

Conclusion 

In conclusion, security of Microsoft Active Directory is a huge, living topic that can be studied and elaborated over and over. The best practice, beyond using the tools and techniques described, is to keep learning and to keep monitoring, not only your own systems but Microsoft news and updates as well.

It is a hard job without permanent solutions. As systems develop and change, so do potential threats and malware; being a server administrator is a never-ending process.

 

 


Active Directory Authoritative Restore with Windows Server Backup

Overview 

In short, an authoritative restore is the Windows Server process that returns a deleted Active Directory object, or a container with its contents, to the state it had in the backup, and marks that copy as the one that wins over every other replica. Restoring from backup alone is only a non-authoritative restore: after the next replication cycle the partners would re-delete the object, because their tombstone for it is newer than the restored copy.

An authoritative restore does replicate the restored object to the organization's other domain controllers, because the process raises the version number (and with it the Update Sequence Number, USN) of every attribute on the restored object. By default ntdsutil adds 100,000 to the version for each day that has passed since the backup was taken.

Because the object carries a much higher version, it replicates to all domain controllers of the organization and overwrites whatever they hold for it. If the Active Directory Recycle Bin is enabled (Windows Server 2008 R2 or later), a deleted object can instead be brought back online with Restore-ADObject, group memberships included; the procedure below is only needed when the Recycle Bin is off or the deleted-object lifetime has already passed.

In this article, our goal is to describe the procedure and walk through a test example of this process.

Procedure and Examples 

In the example scenario, a user that was deleted from Active Directory Users and Computers needs to be restored.

The first step is a restore from backup. To start, restart the domain controller in Directory Services Restore Mode (DSRM), the directory's safe mode. This can be done by rebooting and pressing F8 during startup, or by running bcdedit /set safeboot dsrepair before the reboot.

Log on with the local administrator account, using the username .\administrator and the DSRM password that was set when the domain controller was promoted.

After logging on, right-click the Start menu and choose Command Prompt (Admin).

At the command prompt, the following command lists the available backups:

wbadmin get versions 

The following command starts a (non-authoritative) system state restore from the chosen backup entry; answer “yes” to the prompt:

wbadmin start systemstaterecovery -version:<version identifier from the list>

When it finishes, you are prompted to reboot; answer “Yes”. Because the safe-boot setting is still in place, the server comes back up in DSRM.

After the reboot, open Command Prompt (Admin) again and run ntdsutil, the tool for accessing and managing the Active Directory database. (Ntdsutil should only be used by experienced administrators, and always from an elevated command prompt.)

At the ntdsutil prompt, enter the following commands:

 activate instance ntds 

And after that:

authoritative restore 

At the authoritative restore prompt, enter the full distinguished name of the object to restore, quoted if it contains spaces. Note that DC= stands for domain component (one label of the DNS domain name), not domain controller; use restore subtree instead of restore object to bring back a container together with everything beneath it.

restore object "CN=<object name>,OU=<organizational unit>,DC=<domain>,DC=local"

Confirm with “Yes” and the restore runs. ntdsutil also writes ar_*_links_*.ldf and .txt files to the current directory listing group memberships the object held in other domains of the forest; import these with ldifde after replication, or the restored user will be missing those memberships.

Exit the authoritative restore prompt with quit, and ntdsutil with another quit.

From the command prompt, clear the safe-boot setting of the server so it boots normally:

bcdedit /deletevalue safeboot 

After the reboot and logon to the server, the object should be back in Active Directory and, once replication has run, on every domain controller.
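
The whole procedure above as one annotated script, added here as an example and not the article's own commands. It is run phase by phase on the domain controller that holds the backup (each Restart-Computer ends a phase), and it assumes Windows Server Backup, the RSAT ActiveDirectory module, and an elevated session; the object DN and the backup version identifier are assumptions to be replaced with your own.

```powershell
# Added example: scripted authoritative restore of one object. Run phase by
# phase; the DN and backup version are assumptions.
$ObjectDN = 'CN=Jane Doe,OU=Sales,DC=corp,DC=local'    # assumed deleted object

# Phase 1 (normal boot): reboot straight into DSRM instead of hunting for F8.
bcdedit /set safeboot dsrepair
Restart-Computer -Force

# Phase 2 (logged on in DSRM as .\Administrator with the DSRM password):
# pick a backup that predates the deletion and restore system state
# non-authoritatively. The "Version identifier" column is what -version: wants.
wbadmin get versions
$Version = '05/01/2024-22:00'                           # assumed, copied from the list
wbadmin start systemstaterecovery "-version:$Version" -quiet
# wbadmin asks for a reboot when done; safeboot is still set, so DSRM again.

# Phase 3 (back in DSRM): mark only the wanted object authoritative. ntdsutil
# takes its commands as arguments; "restore object" still pops a Yes/No box.
# It also writes ar_*_links_*.ldf/.txt files with cross-domain group
# memberships to re-import with ldifde after replication.
$NtdsArgs = "`"activate instance ntds`" `"authoritative restore`" `"restore object \`"$ObjectDN\`"`" quit quit"
Start-Process -FilePath ntdsutil.exe -ArgumentList $NtdsArgs -Wait -NoNewWindow

# Phase 4: clear the safe-boot flag and boot normally.
bcdedit /deletevalue safeboot
Restart-Computer -Force

# Phase 5 (normal boot, after replication): the object is back with a raised
# version on every attribute, so this copy wins on every DC.
Import-Module ActiveDirectory
Get-ADObject -Identity $ObjectDN -Properties whenChanged, uSNChanged, memberOf |
    Format-List Name, whenChanged, uSNChanged, memberOf
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

Check memberOf in the last step against what the user had before the deletion: memberships in groups of the same domain come back with the object, memberships held in other domains only after the .ldf files from phase 3 are imported.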


Windows Server: Clean Up Orphaned Foreign Security Principals

This article shows different ways to clean up orphaned Foreign Security Principals. There are several methods, but before any of them is described it has to be said that, if possible, you should clean your orphaned FSPs with the GUI method. The PowerShell methods are not recommended for users without excellent knowledge of the console, because of the damage an over-eager script can do.

But first, let’s see overview – What is FSP? 

Overview 

Foreign Security Principals (FSPs) are placeholder objects created when a security principal (user, computer, or group) from an external trusted domain is added to a group in this domain.

An FSP is recognized by its icon: a red curly arrow attached to the object icon, showing that it acts as a pointer.

Active Directory creates them automatically when a security principal from another forest (or an externally trusted domain) is added to a group in this domain.

When the security principal that an FSP points to is removed, the FSP becomes orphaned. “Orphan” is the term for an FSP that no longer has a principal to point to.

If the same principal is created again, the old FSP stays orphaned: the new principal gets a different SID (security identifier) even though the name is the same, and a new FSP is created for it.

The result is that an FSP that is once orphaned stays orphaned forever, until the administrator removes it.

There are two ways to identify and clean orphaned FSPs: through the GUI (graphical user interface) and through the PowerShell console.

Identification and clean up of orphaned FSP via GUI 

As mentioned before, this is the recommended way of cleaning orphaned FSPs.

In the GUI, orphaned FSPs can be found in the Active Directory Users and Computers console once Advanced Features are enabled from the View menu (without them the container is not shown). They are stored in the ForeignSecurityPrincipals container, and orphaned ones can be identified through the “Readable Name” column.

If an FSP is orphaned, the Readable Name column in the console is empty.

They can be cleaned by selecting them and choosing Delete from the right-click menu.

Cleaning FSP via PowerShell 

For PowerShell cleaning, all FSP objects first have to be listed.

All FSPs can be listed with the Get-ADObject cmdlet:

Get-ADObject -Filter { ObjectClass -eq 'foreignSecurityPrincipal' }

Once listed, they can be removed with the help of the Translate method, but precaution is advised. During a network connectivity problem with the trusted domain, FSPs can appear momentarily orphaned, and the PowerShell method would delete them too; that causes problems because the SID-based group memberships are lost together with them.

# List every FSP in the domain, then try to resolve each SID back to an account
# in the trusted domain; a SID that no longer maps is treated as orphaned.
Import-Module ActiveDirectory
$ForeignSecurityPrincipalList = Get-ADObject -Filter { ObjectClass -eq 'foreignSecurityPrincipal' } -Properties objectSid
foreach ($FSP in $ForeignSecurityPrincipalList) {
    try {
        $null = $FSP.objectSid.Translate([System.Security.Principal.NTAccount])
    }
    catch {
        # Translation failed: the principal (or the trust) is gone. Add -WhatIf
        # on a first run; a transient lookup failure would otherwise delete a live FSP.
        Remove-ADObject -Identity $FSP -Confirm:$false
    }
}
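
The connectivity caveat above, handled in code: an added example that is not part of the original article. It separates "the trusted domain answered and the account is gone" from "the trusted domain could not be reached", and treats an FSP whose domain SID matches no remaining trust as a safe delete, so a flaky trust link cannot turn into a mass deletion. It assumes the RSAT ActiveDirectory module; the exception-type distinction is approximate (the trust check is the reliable part), and deletion runs with -WhatIf until you remove it.

```powershell
# Added example: orphan detection that does not delete on a lookup failure.
# Assumes RSAT ActiveDirectory; deletion is -WhatIf by default.
Import-Module ActiveDirectory
$DomainDN = (Get-ADDomain).DistinguishedName

# SIDs of every domain we still trust. An FSP from a domain that is no longer
# trusted can never be resolved again and is safe to delete.
$TrustedDomainSids = Get-ADObject -SearchBase "CN=System,$DomainDN" `
    -LDAPFilter '(objectClass=trustedDomain)' -Properties securityIdentifier |
    ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_.securityIdentifier, 0)).Value
    }

$Report = Get-ADObject -SearchBase "CN=ForeignSecurityPrincipals,$DomainDN" `
            -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties objectSid, memberOf |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.objectSid
        $state =
            if (-not $sid.AccountDomainSid) {
                # S-1-5-11 Authenticated Users, S-1-5-4 Interactive and friends:
                # built-in identities that are FSPs by design, never orphans.
                'WellKnown'
            } elseif ($sid.AccountDomainSid.Value -notin $TrustedDomainSids) {
                'Orphan-TrustGone'
            } else {
                try {
                    $null = $sid.Translate([System.Security.Principal.NTAccount])
                    'Live'
                } catch [System.Security.Principal.IdentityNotMappedException] {
                    'Orphan-Deleted'          # the domain answered: no such account
                } catch {
                    'Unknown-LookupFailed'    # DC unreachable or secure channel broken: keep
                }
            }
        [pscustomobject]@{ SID = $sid.Value; State = $state; Groups = @($_.memberOf).Count; DN = $_.DistinguishedName }
    }

$Report | Group-Object State | Select-Object Name, Count
$Report | Where-Object State -like 'Orphan-*' |
    ForEach-Object { Remove-ADObject -Identity $_.DN -Confirm:$false -WhatIf }   # drop -WhatIf to delete
```

When Unknown-LookupFailed shows up, check the trust first (nltest /sc_verify:<trusted domain>) and rerun; those FSPs may be perfectly live, and every one of them is still a member of the groups counted in the Groups column.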

Scheduled removal of orphaned FSP 

A task can be scheduled to make the removal of orphaned FSPs automatic.

The best way to remove FSPs on a schedule is a script like the following example:

A fictitious company has a monthly turnover of 50 employees.

A custom script can delete the orphaned FSPs once a month, and if far more orphans than the expected turnover turn up it mails the list for review instead of deleting them:

 

# Third-party module (not part of the RSAT ActiveDirectory module) that provides
# Get-OrphanForeignSecurityPrincipal and Remove-OrphanForeignSecurityPrincipal.
Import-Module -Name OrphanForeignSecurityPrincipals
$MyCompanyTurnover = 50                          # expected monthly staff turnover
$OrphanFSPListFilePath = 'C:\temp\OFSP.txt'
# Writes the orphan list to the file and returns it.
$OrphanForeignSecurityPrincipalsList = Get-OrphanForeignSecurityPrincipal -TabDelimitedFile $OrphanFSPListFilePath

if ($OrphanForeignSecurityPrincipalsList) {
    if ($OrphanForeignSecurityPrincipalsList.Count -gt $MyCompanyTurnover) {
        # More orphans than people who left: something else is going on (trust
        # outage, bulk deletion), so mail the list for review instead of deleting.
        $MailParameters = @{
            SmtpServer  = 'mail.mycompany.com'
            From        = 'NoReply@mycompany.com'
            To          = 'Administrator@mycompany.com'
            Subject     = 'Orphan Foreign Security Principals found'
            Body        = 'Please check attached file.'
            Attachments = $OrphanFSPListFilePath
        }
        Send-MailMessage @MailParameters
    }
    else {
        Remove-OrphanForeignSecurityPrincipal -TabDelimitedFile $OrphanFSPListFilePath
    }
}

Recovery of deleted FSP 

Deleted orphaned FSPs can be restored from the Active Directory Recycle Bin, provided the Recycle Bin feature was enabled before the deletion was made.

FSPs can be restored via PowerShell cmdlets too:

The deleted objects can be found with the following command (FSPs are named after their SID, hence the CN=S- pattern), and after they are listed the selected orphaned FSPs can be piped to Restore-ADObject:

Get-ADObject -Filter 'IsDeleted -eq $true -and ObjectClass -eq "foreignSecurityPrincipal"' -IncludeDeletedObjects |
    Where-Object { $_.DistinguishedName -like "CN=S-*" } |
    Restore-ADObject -WhatIf      #  remove -WhatIf to restore the listed objects

There is one more way of restoring orphaned Foreign Security Principals that needs to be mentioned.

It is to repeat the steps that created the FSP in the first place: add the foreign user/computer/group account to the same groups it was in before it became orphaned. This creates a Foreign Security Principal equivalent to the old one, just with a different SID.

 


Active Directory Design Guide

Companies use Active Directory Domain Services (AD DS) in a server environment to make the work of network users less complicated and to ensure that resource sharing and management are secure and scalable and that all objects behave as configured. A well-designed AD DS can manage the entire network infrastructure, including branch offices and multi-forest environments. System administrators should develop the habit of documenting all aspects of the domain structure and security strategy, since this documentation becomes the plan for future infrastructure and possible migrations.

The Basics of Active Directory Planning  

When planning for a domain, two things come into play: domain upgrading and domain restructuring. Upgrading a legacy (Windows NT) domain is more than upgrading every domain controller; it involves upgrading both the Primary Domain Controller (PDC) and the Backup Domain Controllers (BDCs). Restructuring involves creating a new Active Directory from scratch, and typically results in fewer but larger domains.

Develop a Migration Strategy

Having a migration strategy in place is an integral part of the overall design plan. The migration strategy studies the current or proposed configuration details and identifies which aspects of the domain will be migrated. A fallback plan also has to be in place to counter any possible failure.

Working with a Simple Design  

Active Directory is flexible, which makes designing forests easy. Designing a domain for every department may look desirable, but do not forget the general rule of running fewer but effective domains. The alternative to a domain per department is organizational units, which are flexible and easy to manage.

Active Directory Domain Design  

An Active Directory has four main divisions: forests, domains, sites, and organizational units. System administrators should make the most of these divisions to get the best out of any directory structure.

When creating domains, it is recommended to group members that are physically close to each other into the same domain. This is best practice because replication traffic within a domain (every domain controller holds a full copy of the domain partition) is higher than the traffic between two different domains. Smaller domains also limit the need to invest in expensive connections for more bandwidth. Remember to use organizational units to delegate administrative privileges within an Active Directory.

The Design of Groups and Organizational Units  

Before thinking about how groups and organizational units will work, system administrators should know in advance the role of each group or unit. The idea is to have functional organizational units and groups that simplify the Active Directory environment, which in turn simplifies management by giving you more control over Active Directory. An Active Directory without a logical design of its users leads to confusion. Here are some best practices when designing organizational units:

  • Maintain a simple OU structure
  • Limit OU nesting to fewer than 10 levels
  • Target Group Policy at groups with security filtering instead of creating OUs only to scope policy
  • Do not assign permissions to machine-local groups in a domain environment
  • Use domain local groups to hold resource permissions and nest global groups of similar users into them (the AGDLP pattern)

You can also hide an OU (by denying the List Contents right on it) to prevent viewing or altering in environments where network application services are shared between departments and with external customers.

Use Rules for Active Directory Sites  

Sites are an important element of any Active Directory domain. A site can contain computer objects from any domain in the forest, so sites cut across domains and organizational units. Sites map the directory onto the physical network so that logon and replication traffic stays local, and they regulate replication across slower WAN links; this improves productivity and reduces connectivity costs.

General good practice when designing sites:  

  • Sites should be a reflection of the physical and geographical topology 
  • Every site should have at least one local Domain Controller 
  • Sites should be connected to faster links  
  • Remote clients do not need a dedicated site  
  • Sites are desirable when replication services are needed  
  • Sites can be added, changed, or removed without affecting network operations or configurations 

Active Directory Design Requirements  

Before deploying Active Directory Domain Services, a logical structure that reflects the working environment should be in place. The AD DS logical structure defines how directory objects are organized and how individual accounts and shared resources are managed. When planning the logical structure, determine the number of forests, the domain designs, the Domain Name System (DNS) infrastructure, and the organizational units. 

The design of the logical structure follows this process: 

  • Identification of the technical staff in charge of deployment  
  • Creation of the forest design  
  • Creation of the domain design for each forest  
  • Design a DNS infrastructure to support AD DS for every forest  
  • Design organizational units for delegating administrative tasks for every forest  

1. Designing the Site Topology 

The site topology of the Active Directory network is a logical representation of the physical network. It has all the information about the AD DS location sites, the site of Domain Controllers, and the site links that support the AD DS replication taking place between sites.  

The site topology design goes through the following process: 

  • Gather all network information  
  • Plan where to place the domain controllers  
  • Create the site design  
  • Create the link design  
  • Create the site link bridges
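The steps above carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the original article. It assumes a constructed three-site network (HQ-London plus two branches); the site names, subnets, costs and schedule are made up, and the caller has enterprise admin rights.

```powershell
# Added example (not from the original article): builds the site topology that
# the procedure above describes for a constructed three-site network.
# Assumptions: ActiveDirectory module available, enterprise admin rights;
# all site names, subnets, costs and intervals are placeholders.
Import-Module ActiveDirectory

# Step 1: network information gathered from the physical topology (constructed).
$Sites = @{
    'HQ-London'    = @('10.10.0.0/16', '10.11.0.0/16')
    'Branch-Lyon'  = @('10.20.0.0/16')
    'Branch-Madrid'= @('10.30.0.0/16')
}

# Step 3: create each site, then map every subnet onto it so clients locate a
# local DC instead of authenticating across the WAN.
foreach ($SiteName in $Sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
        New-ADReplicationSite -Name $SiteName
    }
    foreach ($Subnet in $Sites[$SiteName]) {
        New-ADReplicationSubnet -Name $Subnet -Site $SiteName
    }
}

# Step 4: site links carrying replication over the WAN. Lower cost is the
# preferred path; a 30-minute interval keeps the slow links quiet between changes.
foreach ($Branch in 'Branch-Lyon', 'Branch-Madrid') {
    New-ADReplicationSiteLink -Name "HQ-London-$Branch" `
        -SitesIncluded 'HQ-London', $Branch `
        -Cost 100 -ReplicationFrequencyInMinutes 30 `
        -InterSiteTransportProtocol IP
}

# Step 5: a site link bridge. Only needed when "bridge all site links" is
# disabled; it lets the KCC route Lyon<->Madrid replication through HQ-London.
New-ADReplicationSiteLinkBridge -Name 'Europe-Bridge' `
    -SiteLinksIncluded 'HQ-London-Branch-Lyon', 'HQ-London-Branch-Madrid'

# Step 2 check (DC placement): every site should host at least one DC.
# A site missing from this table has no local DC and will authenticate over WAN.
Get-ADDomainController -Filter * |
    Group-Object Site |
    Select-Object @{n='Site';e={$_.Name}}, @{n='DCs';e={$_.Count}}
```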

2. Planning for Domain Controller Capacity  

For efficient AD DS operation, system administrators should determine the number of domain controllers for each site. Capacity planning for domain controllers covers all hardware requirements and avoids poor domain controller performance. 

Planning domain controller capacity involves: 

  • Collect site topology and design information  
  • Determine the number of domain controllers  
  • Create the site design  
  • Assess disk space and memory requirements  
  • Monitor domain controller performance  

Note that some features can be added to the domain design by raising the functional levels of the forests.  

Conclusion  

The strategies presented in this guide apply in any server operating environment. If you are not sure whether your environment meets the minimum system requirements, consult other professionals about what needs to be done to deploy AD DS. 


Want to have efficient and accurate reports about NTFS permissions on all your folders on your Windows Server Environment?

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

How to Optimize Your Active Directory for Windows Server 2016

Microsoft Windows Server 2016 is still new on the market, and organizations are already asking their IT experts to evaluate its added value and the challenges they may face when moving from current systems to the new server platform. In addition to the features found in Windows Server 2012 and 2012 R2, Windows Server 2016 offers capabilities that are missing from previous Windows Server platforms. Any new Windows Server operating system that enters the market gets attention, and Windows Server 2016 has made substantial improvements to Active Directory optimization.

The best approach before implementing Windows Server 2016 is to test readiness by looking for ways to minimize the likely impact of the migration. Another way to look at it is to identify organizational needs and how they can be integrated into future implementations. Administrators adopt Windows Server 2016 Active Directory optimization to provide room for growth, offer flexibility, and enhance the organization's security setup. Now let us talk about Active Directory optimization.

Why Does Windows Server 2016 Matter

Windows Server 2016 combines principles from computation, identity, management and automation, security and assurance, and storage. These are broken down into the core elements of the server operating system: virtualization, system administration, network management, Software Defined Networking (SDN) technologies, cloud integration and management, and disk management and availability. Together they are meant to bring organizations to the future of technology without discarding infrastructure in use in the current environment.

Windows Server 2016 is a full-featured server operating system with solid performance and modern advancements. It shares many similarities with the Datacenter edition, which adds support for Hyper-V containers, new storage features, and enhanced security designed to protect virtual machines and network communications that have no trust configured between them.

This article should help you learn more about Windows Server 2016 features, the factors to consider before moving from an old to a new setup, and how to do Active Directory optimization, with details on how to prepare for the move, migrate efficiently, and manage the new environment effectively.

Windows Server 2016 New Features

Several features and enhancements form part of this server operating system. Here are some of the highlights:

Temporary Group Membership

This form of membership gives administrators a way to add users to a security group for a limited time. For this feature to work, the Active Directory forest must be operating at the Windows Server 2016 functional level. System administrators need to know all the system installation requirements beforehand, both during and after the transition.
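Temporary membership in practice, as an added example that is not from the original article: it enables the Privileged Access Management optional feature that backs this capability and grants a membership that expires on its own. The forest name, group and user are constructed placeholders, and the forest is assumed to already be at the Windows Server 2016 functional level.

```powershell
# Added example (not from the original article): time-bound membership in a
# privileged group via the Privileged Access Management optional feature.
# Assumptions: forest functional level is Windows Server 2016, the
# ActiveDirectory module is loaded; forest, group and user are placeholders.
Import-Module ActiveDirectory

$Forest = 'corp.example'      # placeholder forest FQDN
$Group  = 'Domain Admins'     # group to grant temporarily
$User   = 'j.doe'             # placeholder sAMAccountName

# One-time and irreversible: enable the optional feature at forest scope.
$Pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $Pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $Pam -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false
}

# Grant membership that lapses after 60 minutes. No cleanup job is needed and
# no standing privilege is left behind if the administrator forgets.
Add-ADGroupMember -Identity $Group -Members $User `
    -MemberTimeToLive (New-TimeSpan -Minutes 60)

# Verify: with -ShowMemberTimeToLive each expiring member is returned as
# "<TTL=<seconds>>,CN=...", so expiring entries are the ones starting with <TTL=.
function Get-ExpiringMembers([string]$GroupName) {
    (Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -match '^<TTL=(\d+)>,(.+)$' } |
        ForEach-Object {
            [pscustomobject]@{ MemberDN = $Matches[2]; SecondsLeft = [int]$Matches[1] }
        }
}

Get-ExpiringMembers $Group | Format-Table -AutoSize

# Side effect worth knowing: a Kerberos TGT issued to the user while the
# membership is active carries a lifetime no longer than the remaining TTL,
# so the elevated privilege genuinely disappears when the TTL runs out.
```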

Active Directory Federation Service

Several essential changes come with the Windows Server 2016 Active Directory Federation Services:

Conditional Access Control

Active Directory in previous installations had straightforward access controls because the assumption had always been that all users log in from a computer joined to the domain with proper Group Policy security settings. Conditional access gives users access to the resources that have been assigned to them.

Today, users access resources from many types of devices that are not joined to the domain and often operate outside the organization's norms. This calls for improved security, and the Conditional Access Control feature gives administrators better control over users, with requests handled on a per-application basis. For example, administrators may enforce multi-factor authentication when compliant devices try to access business applications.

Support for Lightweight Directory Access Protocol (LDAP) v3

Another change introduced in Active Directory Federation Services is support for the Lightweight Directory Access Protocol (LDAP) v3. This capability makes it easier to centralize identities across different directories. For example, an organization that uses a non-Microsoft directory for identification and access control can centralize identities in the Azure cloud or Office 365. LDAP v3 support also makes it easier to configure single sign-on for SaaS applications.

Domain Name System (DNS)

Active Directory and DNS go hand in hand because Windows Server systems depend on DNS. There were no significant changes to the Windows Server DNS service until the arrival of Windows Server 2016. The new DNS features are:

1. DNS Policies

The ability to create DNS policies is said to be the most significant change. These policies let administrators control how DNS responds to different queries. Examples include load balancing and blocking DNS requests coming from IP addresses that have been listed as malicious.

2. Response Rate Limiting

The rate at which the server responds to DNS queries can now be controlled. This control helps defend against external attacks such as denial of service by limiting how many times per second a DNS server will respond to a client.
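The two DNS protections just described (a policy that blocks queries from a listed subnet, and response rate limiting), configured with the DnsServer PowerShell module, as an added example that is not from the original article. The subnet ranges and policy names are constructed placeholders, and the commands are assumed to run on the Windows Server 2016 DNS server itself.

```powershell
# Added example (not from the original article): DNS policy blocklist plus
# Response Rate Limiting on a Windows Server 2016 DNS server.
# Assumptions: DnsServer module present, run on the DNS server; subnets and
# names are placeholders (203.0.113.0/24 is documentation space, not a real threat).
Import-Module DnsServer

# --- 1. DNS policy: drop queries from a subnet listed as malicious -----------
# Client subnets are named objects that policies reference by name.
Add-DnsServerClientSubnet -Name 'BlockedNet' -IPv4Subnet '203.0.113.0/24'

# Server-level query resolution policy: queries whose source address matches
# the subnet are ignored (no answer at all). Use -Action DENY instead if you
# want the client to receive REFUSED, which is easier to troubleshoot.
Add-DnsServerQueryResolutionPolicy -Name 'DropBlockedNet' `
    -Action IGNORE -ClientSubnet 'EQ,BlockedNet' -ProcessingOrder 1

# --- 2. Response Rate Limiting -------------------------------------------
# Start in LogOnly: nothing is dropped yet, the DNS event log shows what would
# have been limited. Switch -Mode to Enable once the numbers look right.
#   ResponsesPerSec / ErrorsPerSec : identical answers per client per second
#   WindowInSec                    : averaging window for the counters
#   LeakRate                       : let 1 in N limited queries through
#   TruncateRate                   : answer 1 in N with TC set, forcing TCP
Set-DnsServerResponseRateLimiting -Mode LogOnly `
    -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 `
    -LeakRate 3 -TruncateRate 2 -Force

# Internal resolvers legitimately repeat identical queries, so exempt them
# and RRL never throttles your own clients.
Add-DnsServerClientSubnet -Name 'InternalResolvers' -IPv4Subnet '10.0.0.0/8'
Add-DnsServerResponseRateLimitingExceptionlist -Name 'Internal' `
    -ClientSubnet 'EQ,InternalResolvers'

# Review the resulting state.
Get-DnsServerQueryResolutionPolicy | Format-Table Name, Action, ProcessingOrder
Get-DnsServerResponseRateLimiting
```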

3. Microsoft IP Address Management (Microsoft IPAM)

The most significant improvement to DNS is in IP Address Management, which tracks IP address usage. IPAM's integration with DHCP has been robust, while its DNS integration was minimal. Windows Server 2016 brings new changes, such as DNS management capabilities that record inventory. IPAM support for multiple Active Directory forests is a welcome feature; it is only possible if a trust already exists between the forests and IPAM is installed in each forest.

Migration Considerations

Planning is critical when moving from an earlier Windows Server version to Server 2016. The goal of any migration should be minimizing its impact on business operations. Going ahead with the migration should be an opportunity for administrators to set up a scalable, flexible, compliant, and secure platform.

1. Understanding the Existing Server Environment

It is a rookie mistake to jump into implementation without a proper analysis of the current server environment. The assessment at this stage should look at users, groups, distribution lists, applications, folders, and Active Directory. On the business side, workflows, email, programs, and any infrastructure in use should be assessed before making the big move.

It is also vital that you:

  • Understand what needs to be moved and what is to be left as it is. For example, there is no need to move inactive accounts and old data that is no longer relevant. All active data stores, mailboxes, and users are part of what you should not leave behind.
  • Analyze the applications, users, and processes that need access and should be migrated, to ensure that the relevant resources are available during and after the transfer.

2. Improving Active Directory Security and Compliance Settings

Another critical factor to consider during migration is security and delegation: controlling who makes changes to Windows Active Directory objects and policies. Most organizations grant access to Active Directory objects to solve an immediate problem and never clear the permissions afterwards. Proper controls should be in place to manage what can be added to AD and who is responsible for making such changes.

Activities in the Active Directory should be monitored continuously to confirm that they comply with both internal and external regulations. Microsoft Windows Server and AD can audit events with visible output, and auditing can be set up quickly in a busy environment. A coherent AD audit system with analytical capabilities is critical for flagging unauthorized changes, spotting inappropriate use of AD and related resources, tracking users across the entire infrastructure, and giving compliance reports to auditors.
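One concrete form of the audit the paragraph calls for, as an added example that is not from the original article: a PowerShell pass over a domain controller's Security log that surfaces additions to privileged groups, the kind of unauthorized change an AD audit must flag. It assumes "Audit Security Group Management" is enabled on the domain controller, and the list of watched groups is a constructed placeholder.

```powershell
# Added example (not from the original article): detect additions to
# privileged AD groups from the Security event log on a domain controller.
# Assumptions: "Audit Security Group Management" auditing is enabled; the
# script runs on (or reads the Security log of) a DC; $WatchedGroups is a
# placeholder list.
$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Windows event IDs for "member added to a security-enabled group":
# 4728 = global group, 4732 = domain local group, 4756 = universal group.
$AddEvents = 4728, 4732, 4756

function Get-PrivilegedGroupAdditions {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $AddEvents; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse EventData by field name rather than positional index, so the
        # parser does not silently read the wrong field if the layout differs.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Group    = $d['TargetUserName']      # group that received a member
            Member   = $d['MemberName']          # DN of the account added
            Actor    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            EventId  = $_.Id
            Computer = $_.MachineName
        }
    } |
    Where-Object { $WatchedGroups -contains $_.Group }
}

# Every row should map to an approved change ticket; anything without one is
# an incident candidate and a reason to review who holds delegation rights.
Get-PrivilegedGroupAdditions | Sort-Object Time | Format-Table -AutoSize
```

Pair this with removal events (4729, 4733, 4757) to see short-lived additions that were cleaned up before anyone looked.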

3. Ensuring Application Compatibility

Before initiating the migration, make sure that all software and third-party applications used in your organization are compatible with Windows Server 2016. All in-house applications should also be tested to make sure they work correctly in the new environment.

4. Minimizing Impact on Business

Resolving in-house software compatibility issues is one aspect of reducing the cost of migration to the business. As an administrator, you need to know how downtime will be handled when moving from the legacy system to the new one. Avoid underestimating the impact of migration on users and operations by failing to analyze all access points. Many such problems can be avoided by scheduling resource-intensive migration tasks during off-peak hours.

Failure to achieve a smooth transition between the legacy and the new system can lead to service disruptions, lost productivity, and increased cost of doing business. Coexistence of the old and new systems is essential in any Active Directory migration because users still need to access resources to ensure continuity. Directory synchronization is important at this stage to make sure that users can access their data.

5. Restructure the Active Directory

Moving from your legacy system to Windows Server 2016 should be taken seriously and not treated like a routine IT task. It is an opportunity to restructure your Active Directory to meet current and future needs. A significant system upgrade is often prompted by changes in organizational models and requirements, and changes in IT technology are another major force driving restructuring of the Active Directory.

Determine the number of domains and forests needed. Examine the need to merge some forests or create new ones. You can also take an opportunity to join new infrastructure to remote offices that may not have been in existence in the legacy system.

Active Directory Management and Recovery

Every IT team faces challenges managing Active Directory on a daily basis. Configuring user properties is time-consuming and error-prone in a large and complex Windows network. Some of these duties have to be performed manually, leading to repetitive and mundane tasks that take up most of an administrator's time. Accomplishing these tasks with the Windows native tools or PowerShell requires a deeper understanding of how Active Directory and its features work.

Using software to handle repetitive Active Directory tasks simplifies the process, and you can also get detailed reports on tasks and their status. Such software helps plan and execute an efficient AD restructuring, which eventually helps you implement a secure system. Managing AD through software provides a common console from which management can view and administer Active Directory users, computers, and groups. Some products let administrators delegate repetitive tasks securely and perform controlled automation of the Active Directory structure.

Software Implementation

Two popular software products used for Active Directory optimization tasks are:

  1. ADManager Plus
  2. Quest Software

Both can help in restructuring and consolidating Windows Server 2016 in a new environment.

1. ADManager Plus

ADManager Plus has additional features such as sending and receiving customized notifications via SMS or email. Its search options make it easy for IT managers to search the directory through the software's interface. Using ADManager Plus, the IT department can execute Windows optimization tasks with ease, and it integrates with utilities such as ServiceNow, ServiceDesk, and ADSelfService Plus.

Active Directory User management

ADManager Plus manages thousands of Active Directory users through its interface. It helps you create and modify users by configuring general attributes, Exchange Server attributes and policies, terminal service attributes, and remote login permissions. You can set up new users in Office 365 and G Suite when creating their accounts in Active Directory. You can design templates that let the help desk team modify and configure user accounts and properties in a single action.

Active Directory Computer Management

This solution allows the management of all computers in the existing environment from any location. You can create objects in bulk using CSV templates, modify group and general attributes of computers, move them between organizational units, and enable or disable them.

Active Directory Group Management

Group management is made more flexible by software modules that create and modify groups from templates and set all configuration attributes in an instant.

Active Directory Contact Management

You can use this tool to import and update Active Directory contacts in a single process, so you do not have to select individual contacts for an update.

Active Directory Help Desk Delegation

The ADManager Plus delegation feature helps administrators create help desk administrators and delegate tasks related to user attributes. The various repetitive management tasks for users, groups, computers, and contacts can be delegated using customized account creation templates. Help desk users share the administrators' workload, freeing them to work on core duties.

Active Directory Optimization Reports and Management

ADManager Plus provides information on different objects within AD, which can be viewed and analyzed in its web interface. For example, you can see a list of all inactive users and modify those accounts accordingly.

2. Quest

Quest software takes a different approach: it covers preparation, recovery, security and compliance, migration, consolidation, and restructuring.

Preparation

During preparation, Quest helps assess the existing environment: Enterprise Reporter gives a detailed evaluation of the current setup, including Active Directory, Windows Server, and SQL Server. During this assessment, Quest can report the number of accounts in Active Directory and separate the active from the disabled ones. Knowing the exact status of your environment is paramount before the migration begins.

Quest helps discover identities and inventories on application servers that depend on the Active Directory domains being moved, so you can fix or redirect them on the new server.

Migration, Consolidation, and Restructuring

Migration Manager for Active Directory provides zero-impact AD restructuring and consolidation. It offers peaceful coexistence between migrated and not-yet-migrated users by maintaining secure access to workstations and resources.

Secure Copy offers an automated solution for quickly migrating and restructuring files on the data server while maintaining security and access points. Its robustness makes the tool well suited to planning and verifying successful file transfers.

Migrator for Novell Directory Services (NDS) helps administrators move from Novell eDirectory to Active Directory. The tool also moves all data within Novell and reassigns permissions to the new identities on the new server.

Security and Compliance

Change Auditor for Active Directory gives a complete evaluation of all changes that have taken place in Active Directory. The report contains who made the change, what kind of change was made, the values before and after the adjustment, and the workstation from which the change was made. The tool can also prevent changes; for example, you can block the deletion or transfer of organizational units and changes to Group Policy settings.

Access Control

Active Roles helps keep AD security compliant by letting you control access and delegate tasks with least privilege. This makes it possible to generate access rules based on defined administrative policies and access rights. You can use Active Roles to bring together user groups and mailboxes, and to change or remove access rights when roles change.

Centralized Permission Management

Security Explorer facilitates management of Microsoft Dynamic Access Control (DAC) by letting administrators add, remove, restore, back up, and copy permissions from a single console. The tool can make targeted or bulk changes to server permissions, using enhanced Dynamic Access Control management features such as granting, revoking, cloning, and modifying permissions.

Monitoring Users

InTrust enables secure collection, storage, and reporting of log data and alerts in line with internal and external regulations, policies, and security best practice. Using InTrust, you gain insight into user activities by auditing access to critical systems, and you can see suspicious logins in real time.

Management and Recovery

The easiest way for an IT administrator to manage user accounts, computers, and objects is via Group Policy. Poor management of Group Policy Objects (GPOs) can cause a lot of damage, for example when a GPO assigns proxy settings with wrong proxy values.

GPOADmin automates Group Policy management and includes a workflow for reviewing changes to GPOs before they are approved. When GPOs are managed this way in production, the management team will be impressed by the reduced workload and improved security.

Recovery is a critical process for any organization that runs its systems on Windows Server 2016. You can also recover wrong entries and accounts that were removed. Recovery Manager for Active Directory also reports on differences and helps restore objects that were changed.

It is important to be prepared for disaster and data recovery. If your domain falls into the wrong hands, or the entire network setup is corrupted, use Recovery Manager for Active Directory.

Conclusion

Windows Server 2016 has a wealth of new features and capabilities to streamline and improve management and provide a better user experience. A successful implementation means that Active Directory optimization has a sound consolidation process. Administrators who have already tested this server operating system should take advantage of its new capabilities.

The benefits of Active Directory optimization tools and utilities are numerous: they help set up a flexible and secure Windows Server 2016 and Active Directory that will work for your current and future environment. These utilities also help managers who are not well versed in Active Directory management tools and need to move to the new server to comply with regional and international standards.
