Overview: How to Troubleshoot Active Directory Replication Issues

Active Directory replication sits at the center of all sorts of problems. It is a crucial service, and it becomes more complicated as soon as more than one domain controller is involved. Issues relating to replication range from authentication failures to problems accessing resources over the network.

All objects in Active Directory are replicated between domain controllers so that all partitions stay synchronized. In a large company with multiple sites, replication takes place within the local site as well as between sites to keep all partitions synchronized. This article aims to show you how to troubleshoot Active Directory replication issues.

Active Directory replication problems come from different sources, such as Domain Name System (DNS) failures, network problems, or security issues.

Resources Needed to Troubleshoot Active Directory Replication 

Inbound and outbound replication failures lead to inconsistencies between domain controllers, and those inconsistencies in turn cause systemic failures or inconsistent results. Identifying the main cause of a replication failure helps system administrators narrow down the possible causes and eliminate the problem. One commonly used GUI-based replication-monitoring tool is the Active Directory Replication Status Tool.

Understanding the Recommendations from the Tool

The red and yellow warning events in the system logs point to the specific cause of a replication failure and give the source and destination domain controllers in the Active Directory. Any steps suggested by the warnings should be tried as explained. Other tools, such as Repadmin, can give more information to help resolve replication issues.

  • Eliminating Disruptions or Hardware Failures 

Before troubleshooting replication failures, it is important to rule out any issues related to software updates or upgrades, intentional disruptions, software configurations, and hardware failures. 

  • Intentional Disruptions 

A disruption caused by the unavailability (offline state) of a remote domain controller can be corrected by adding the computer back as a member server and configuring Active Directory Domain Services using the Install From Media (IFM) method. The Ntdsutil command-line tool is used to create the installation media.

  • Software Upgrades and Hardware Failures 

Hardware failures can come from failing motherboards or hard drives. Once a hardware problem is identified, system administrators should take immediate action to replace the failing components. Active Directory replication failures can also take place after a planned upgrade; the best way to handle this is an effective communication plan that prepares people in advance.

  • Software Configurations 

Some software settings matter too: the typical Windows Firewall configuration, for example, must have port 135 open alongside the other advanced security settings. Some firewalls can be configured to allow replication through.

Responding to Failures Reported on Windows 2000 Server 

Active Directory configured on Windows 2000 Server that has failed beyond the tombstone lifetime should be resolved by: 

  • Moving the server from a corporate to a private network 
  • Removing the Active Directory or Reinstalling the Operating System 
  • Removing its metadata from the Active Directory to hide its objects 

Removing the server metadata ensures that any attempt by the server to revive object settings after 14 days is impossible. This also helps avert further error logs caused by replication attempts with a missing domain controller.

What are the Root Causes of Replication Failures?

Apart from the causes already discussed, here are some other reasons for replication failures.

Network Connectivity: an unavailable network or wrong network configuration.

Name Resolution: wrong DNS configuration.

Authentication and Authorization: access denied errors every time a domain controller tries to connect for replication.

Directory Database: a slow data store that cannot handle the transactions that have to complete within the replication timeouts.

Replication Engine: when replication schedules are short, queues get longer and the amount of processing required may not fit within the outbound replication schedule.

Replication Topology: all domain controllers need site links connecting them to the other sites within the Active Directory. The links should map onto the wide area network or virtual private network connections. All objects should be supported by the same site topology within the network to avoid replication failures.

How do We Fix Replication Problems?

Any of the following approaches can be used to fix Active Directory Replication Issues: 

  • Daily monitoring of the state of replication, using Repadmin.exe to extract daily status updates.
  • Resolving reported replication failures as soon as possible, using the steps provided in the event logs. Replication failures resulting from software configurations require un-installation of the software before attempting any other solution.
  • If all attempts to resolve replication issues fail, remove Active Directory Domain Services (AD DS) from the server and reinstall it.

When an attempt to remove AD DS fails while the server is online, either of the following methods can resolve the issue.

  • Force the removal of AD DS from Directory Services Restore Mode (DSRM), clean up the server metadata, and reinstall AD DS.
  • Reinstall the operating system and reconfigure the domain controller.

Retrieving Replication Status Using Repadmin 

When everything in the Active Directory is working as intended and produces no errors, then it means the following services are working correctly: 

  • DNS 
  • Remote Procedure Call (RPC) 
  • Network Connectivity 
  • Windows Time Service (W32time)
  • Kerberos Authentication Protocol 

The Repadmin tool is used to review the daily replication activity. It can retrieve the replication status of every domain controller in the forest, and the report can be written in .CSV format so that it can be opened in any spreadsheet reader.

Generating a Repadmin Report for All Domain Controllers in a Spreadsheet

Open a command prompt as an administrator and type the following:

Repadmin /showrepl * /csv > showrepl.csv 

  • Open Microsoft Excel, navigate to showrepl.csv, and click Open.
  • Hide or delete column A and the Transport Type column.
  • Select the row below the column headings and freeze it by clicking Freeze Panes, then Freeze Top Row.
  • Select the whole spreadsheet and click Filter on the Data tab.
  • Click the down arrow below the Source DSA column, point to Text Filters, and select Custom Filter.
  • In the Custom AutoFilter box, below "Show rows where", select "does not contain". In the box next to it, type Del to eliminate results from deleted domain controllers.
  • Repeat the previous step for the Last Failure Known column, using "does not equal" and typing 0.
  • Resolve the replication issues that remain in the filtered list.
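
The same filtering done in PowerShell, so that it can run as the daily check mentioned earlier; this is an added example, not code from the original article. It assumes the column names written by "repadmin /showrepl * /csv" (Source DSA, Number of Failures, Last Failure Status, and so on); verify them against your own file.

```powershell
# Added example (not from the original article): the spreadsheet filtering
# above done in PowerShell, suitable for a scheduled daily run.
# Assumption: column names are those written by "repadmin /showrepl * /csv"
# (Source DSA, Last Failure Status, ...); check them against your own output.

$csvPath = Join-Path $env:TEMP 'showrepl.csv'

# Same command as in the article, saved to a file and read back as objects.
repadmin /showrepl * /csv | Out-File -FilePath $csvPath -Encoding utf8
$rows = Import-Csv -Path $csvPath

# Turn the numeric "Last Failure Status" into the Windows error text
# (for example 1722 -> "The RPC server is unavailable").
function Get-Win32ErrorText([int]$Code) {
    if ($Code -eq 0) { return 'OK' }
    return ([System.ComponentModel.Win32Exception]$Code).Message
}

$problems = $rows |
    Where-Object { $_.'Source DSA' -notmatch 'Del' } |       # skip deleted DCs (the "does not contain Del" filter)
    Where-Object { $_.'Last Failure Status' -ne '0' } |      # keep only partners whose last attempt failed
    ForEach-Object {
        [pscustomobject]@{
            Destination   = $_.'Destination DSA'
            NamingContext = $_.'Naming Context'
            SourceSite    = $_.'Source DSA Site'
            Source        = $_.'Source DSA'
            Failures      = [int]$_.'Number of Failures'
            LastFailure   = $_.'Last Failure Time'
            LastSuccess   = $_.'Last Success Time'
            Reason        = Get-Win32ErrorText $_.'Last Failure Status'
        }
    } |
    Sort-Object Failures -Descending

if ($problems) {
    $problems | Format-Table -AutoSize
} else {
    'No inbound replication failures reported by any domain controller.'
}
```

The Reason column saves looking up the raw error number; a long-failing partner with a large Failures count and an old LastSuccess is the one to look at first.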

Conclusion

Smooth replication throughout the Active Directory is critical. Poor replication means all manner of problems, from authentication failures to inconsistent results. This article is meant to help you check your system's replication status and learn how to resolve the common replication errors.

Protect Yourself and discover all permissions owner on your Windows fileservers!

Pass your next security audit without worrying about security leaks!

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

What’s New in Windows Server 2016 Federation Services?

The corporate environment requires many collaboration application services to promote a seamless workflow environment. Windows Server 2016 represents major steps towards an environment that supports cloud features and an improved level of security and innovations. Some of the improvements found in Windows Server 2016 include:

  • Active Directory Federation Services (ADFS)
  • Microsoft IP Address Management (IPAM)
  • Conditional Access
  • Temporary group membership

Our main concern will be to highlight the new things Active Directory Federation Services (ADFS) bring into a Windows Server 2016 network environment.

Active Directory Federation Services gives users a single logon across the entire network to different applications such as Office 365, SaaS applications, and other cloud-based applications.

In general, the IT department can enforce Logons and access controls to both modern and legacy software. The user benefits by accessing a seamless Login using the same account credential and the developers will also have an easy time managing running applications because the authentication process is handled by the federation services.

Here are some of the new features that came with Windows Server 2016 Federation Service:

Eliminate the Use of Passwords on A Private Network

Active Directory Federation Services offers three ways to log on without a password. This eliminates the risk of the network being compromised through leaked or stolen passwords.

Using Azure Authentication Features

Federation Services 2016 supports Multi-Factor Authentication (MFA) that allows signing in with an Azure MFA code without keying in a password: the user is prompted for a username and a one-time password (OTP) code for authentication.

When the MFA code is used as an additional authentication method, the user will be prompted to give the usual authentication credentials and later on prompted for text, OTP, or a voice password before logging in.

Setting up a Federation Service to work with Azure MFA is now simple, because organizations can implement Azure MFA without needing a physical Azure server on their premises. Azure MFA can be configured to work on both local and private networks, or be incorporated into an access control policy of the organization.

Allowing Password-less Access

Active Directory Federation Services 2016 uses device configuration capabilities to allow access from network-based devices. Users log in using the devices, and each device's validity is tested for attribute changes to maintain the integrity of the device and the security of the network. Using accepted devices ensures that access is granted only to specific devices, that private network access is only accepted from managed devices, and that authentication requires several steps for any non-compliant computer or device.

Using Windows Hello for Business Credentials

Workstations running the Windows 10 operating system have built-in Windows Hello and Windows Hello for Business. The credentials are protected by gestures such as fingerprints, facial recognition, voice recognition, etc. Using these Windows 10 capabilities means that users can sign in to a Federation Server 2016 without needing a password.

Secure Access to Applications

Windows Server 2016 Federation Services works with the latest modern protocols to offer a better experience to Windows 10, Android, and iOS users.

Previously, some access control policies could not be changed without knowledge of the claim rules language, which made them almost impossible to configure and maintain. With Federation Services 2016, one can simply use built-in templates for common policies such as:

  • Limit access to Local Area Network only
  • Allow everyone to access the server and ask for an MFA from private networks
  • Allow everyone to access the server and ask for an MFA from a specific group

Using templates is recommended because they are easy to customize and add exceptions or additional policies that can be applied to one or many applications.

Allow Logons from Lightweight Directory Access Protocol (LDAP) Directories Other Than Active Directory

Most firms use Active Directory alongside third-party directories for logons. Federation Services 2016 allows the authentication of users whose credentials are stored in LDAP. This helps third-party users whose data is stored in LDAP v3 compliant directories, and it also works for users in an Active Directory forest that has no two-way trust configured. Users found in Active Directory Lightweight Directory Services are able to sign in as well.

Flawless Sign-in Experience

All applications using Active Directory Federation Services give users the ability to customize the login experience. This is particularly appropriate for organizations dealing with various companies and brands. In previous editions there was a common sign-on experience, with customization available only for a single application. Windows Server 2016 gives you the ability to customize messages, images, web themes, and logos, and additional customized web pages can be created for every business platform.

Improved Management and System Operations

Streamlined Auditing

Auditing is streamlined in Active Directory Federation Services 2016, unlike the previous versions, where every single event necessitated an event log entry.

Improved Interoperability with Security Assertion Markup Language (SAML 2.0)

Active Directory Federation Services 2016 adds SAML protocol support for importing trusts with multiple entries. This allows AD FS to be part of confederations and implementations that conform to the eGov 2.0 standard.

Simple Password Management for Office 365 Users

Active Directory Federation Services can be configured to send password expiry claims to protected applications. For instance, Office 365 users rely on updates delivered via Exchange and Outlook to get notifications on the expiry status of their passwords.

Migration from AD FS Windows Server 2012 to AD FS Windows Server 2016 Made Easier

Previous editions required the configuration to be exported from the old farm and imported into the new farm. When moving from Windows Server 2012 to Windows Server 2016, you add a Windows Server 2016 server to the existing Windows Server 2012 farm, verify functionality, and then remove the old server from the load balancer. The new features are ready to use once Windows Server 2016 is running and the farm has been upgraded to farm behavior level 2016.

Conclusion

Federation Services help manage identities across different networks and as such form the foundation of cybersecurity in the cloud world. With this information, it is time to optimize your Active Directory environment by redesigning and restructuring it before migrating to the latest Windows Server 2016 Federation Services.


Setting Up Active Directory in Windows Server 2016

The latest addition to the Windows Server versions is the Windows Server 2016. Setting up an Active Directory may be something you have already done in the previous versions, but still, getting to know the steps needed to set up an Active Directory role for 2016 is important.

There are two important steps to consider before starting this process. If the Windows Server is to be used in a production environment, the IP addresses should be defined as static. The other thing to keep in mind is to rename the server to a suitable name because renaming the server after the AD has been defined may not be all that easy.

In this article, we will look at:

  • Installing the Active Directory
  • Setting up the Domain Controller

Both of these activities need administrative privileges, because they are the foundation of user and group management, policy, and security in a typical server environment.

Installing the Active Directory

  1. Click on the Start button then on the Server Manager icon.
  2. The Server Manager dashboard will load, giving access to the roles and features wizard. Click Next to proceed.
  3. Choose the installation type as the default (role-based or feature-based installation).
  4. The next step is to select the Installation Server from the already existing server based on the local server list.
  5. When you click on Next, a pop-up screen will appear. Check the Active Directory Domain Service box. The associated features specific to that role will pop up. Another pop-up wizard will show up that enables you to add the selected role(s).
  6. Click on Add Features, followed by Next. The .NET 4.6 features should be checked on the following screen.
  7. On the Active Directory Services screen, click on Next. You will be given an overview of the roles of a Domain Controller and all the services that will be installed. All first Domain Controllers require that a DNS service be set up after this step.
  8. Click on Install to initiate the process.
  9. Once the installation is complete, click on the Promote this Server to a Domain Controller option.
  10. An Active Directory configuration wizard will open up with an option to:
  • Add a Domain Controller to an existing Domain
  • Add a new Domain to an existing Forest
  • Add a new Forest

Setting up the Domain Controller

To set up a new Domain Controller, select the option Add New Forest and type in the root Domain name.

  1. The next screen is for selecting the Domain and Forest functional levels; if this is the first Domain Controller, use Windows Server 2016 as the forest and domain functional level. Enter the Directory Services Restore Mode password. The DNS option should also be checked, alongside the Global Catalog (GC). Click on Next.
  2. When configuring the first DNS server in a new Forest, an error message is bound to pop up. For now, there is no need to make any modification, because the Domain Controller is using Active Directory integrated DNS. Click on Next.
  3. Check the NetBIOS Domain name (selected by default) and click on Next. For the NetBIOS name, the default is okay.
  4. The next wizard page is for selecting the paths of the Active Directory database, the log files folder, and the SYSVOL folder. The default values are okay. Click on Next.
  5. Then we have the review wizard that contains all the selected configurations. Review everything and make necessary changes. If no change is needed, you can click on Next.
  6. Pre-requisite checks are needed to make sure everything falls into place. The install button will only be active once the pre-requisite check has passed. If the checks are successful, click on Install.
  7. The server will automatically reboot when the installation has finished.

Once the computer reboots, log in as the Domain administrator and head straight to the Administrative Tools. Open the Active Directory users and computers to confirm successful operation of the Active Directory and the DNS.

Other Things You Need to Know

Setting up Static IP Addresses on Windows Server 2016

  1. Open the Control Panel.
  2. Click on View Network Status and Tasks, found in the Network and Internet applet.
  3. Click on Change Adapter Settings.
  4. Right click on the network connection and select Properties from the pop-up menu.
  5. Scroll down, select Internet Protocol Version 4 (TCP/IPv4) and click on Properties.
  6. Key in the IP address, the subnet mask, and the default gateway. The preferred and alternate DNS server addresses are also needed. Click OK.
  7. Reboot the server.
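
The static address, role installation, and forest promotion procedures above as one PowerShell script; this is an added example, not code from the original article. It assumes the adapter is named "Ethernet" and uses placeholder values for the address, root domain name, and NetBIOS name that you replace with your own.

```powershell
# Added example (not from the original article): the GUI procedures above
# (static IP, AD DS role, promotion to the first DC of a new forest) done in
# an elevated PowerShell session on the future domain controller.
# Assumptions: the adapter is called "Ethernet"; 10.0.0.10, corp.example.com
# and CORP are placeholders to replace with your own values.
# Rename the server first (Rename-Computer -NewName 'DC01' -Restart) and
# come back to this script after that reboot, as the article advises.

# Step 1: static address and DNS ("Other Things You Need to Know").
# The first DC points its DNS client at itself once AD-integrated DNS exists.
$Adapter = 'Ethernet'
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress '10.0.0.10' -PrefixLength 24 -DefaultGateway '10.0.0.1'
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses '10.0.0.10'

# Step 2: the AD DS role plus its management tools (Server Manager steps 1-8).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 3: promote to the first DC of a new forest ("Add a new Forest").
# The DSRM password is prompted for rather than written into the script.
$DsrmPassword = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$ForestParams = @{
    DomainName                    = 'corp.example.com'   # placeholder root domain
    DomainNetbiosName             = 'CORP'               # placeholder NetBIOS name
    ForestMode                    = 'WinThreshold'       # Windows Server 2016 forest functional level
    DomainMode                    = 'WinThreshold'       # Windows Server 2016 domain functional level
    InstallDns                    = $true                # AD-integrated DNS, as in the wizard
    DatabasePath                  = 'C:\Windows\NTDS'    # wizard defaults for database, logs and SYSVOL
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $DsrmPassword
}
# The first DC of a forest is always a Global Catalog, so no GC switch is needed.

# Same prerequisite check the wizard runs before it enables the Install button.
$check = Test-ADDSForestInstallation @ForestParams
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; fix the reported issues before promoting.'
}

# -Force suppresses the confirmation prompts; the server reboots on completion.
Install-ADDSForest @ForestParams -Force
```

After the reboot, Get-ADDomainController and dcdiag /test:dns give the same confirmation that the directory and DNS are working as opening Active Directory Users and Computers does.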

The new features in Windows Server 2016 should also make system administrators aware of the minimum system requirements for installing and configuring both Active Directory and a Domain Controller.

Here are the minimum software and hardware requirements:

Processor

  • A 1.4 GHz 64-bit processor compatible with the x64 instruction set.
  • Support both NX (no execute) and DEP (Data Execution Prevention).
  • Supports second-level address translation such as EPT and NPT.

RAM

  • At least 512MB (if you are installing a server with a desktop environment, then a minimum of 2GB is needed).
  • RAM with ECC (error correcting code).

Storage Controllers and Disk Space

  • A computer designed to use the Windows Server 2016 Operating System should have storage adapters compliant with the PCI Express specifications. Hard disks or any permanent form of storage cannot be PATA since Windows Server 2016 does not allow ATA/ PATA/ IDE/ EIDE configurations.
  • Hard disks can have a minimum partition requirement of 32GB.

Network Adapter

  • Any adapter that can use gigabit throughput.
  • A card compliant with PCI Express architecture.
  • A card that supports Pre-Boot Execution Environment (PXE)
  • A network debugging enabled card is desirable, but not a requirement.

Conclusion

Installation of the Active Directory is almost standard across all Windows Server Operating Systems. Some people may use their experience to set up a new Active Directory without putting into focus the minimum hardware and software requirements needed. When handling an installation in an old system, you may be forced to confirm if all the requirements are met.

We hope that you find it helpful to have read this article.


Windows Server Optimization: Active Directory Auditing – Track User Logons

Tracking user logons gives system administrators an opportunity to identify active and inactive accounts and global access rights that could put the organization information at risk.

Active Directory auditing involves the collection of data on all Active Directory Objects and attributes that are helpful in analyzing and reporting the overall health of the Active Directory.

Audits are performed to secure the Active Directory from attacks and to keep the IT operations running. Tracking User Logons is needed to help in the following operations:

1. Track the logon activity on Domain Controllers.
2. Track user logon activities (logon failures, recent logons, last logon on workstations).
3. Track logon activities on Member Servers and Workstations.
4. Monitor RADIUS logon on computers.

In a busy working environment, Active Directory Auditing helps verify the number of users accessing the Active Directory at any given time, identify remote logon users, determine the peak logon sessions, monitor all critical logons, act on unauthorized attempts and access, and generate backup reports in case of any queries or investigations.
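
What items 1 to 3 of that list look like when done against the native Security log of a domain controller, as an added example that is not part of the original article. It assumes that logon success and failure auditing is enabled so that events 4624 and 4625 are written, and it reads the named event fields rather than relying on property positions.

```powershell
# Added example (not from the original article): tracking logon activity
# (items 1-3 above) from the native Security log on a domain controller.
# Assumption: "Audit Logon" success and failure auditing is enabled, so
# events 4624 (success) and 4625 (failure) are being written.

# Read the named fields of an event instead of relying on property positions.
function Get-EventData($Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return [pscustomobject]$data
}

# Failure reasons the article mentions (bad name, wrong password, time
# restrictions) plus a few more, keyed by the NTSTATUS in Status/SubStatus.
$Reason = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account locked out'
    '0xc000006f' = 'logon outside allowed hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000072' = 'account disabled'
    '0xc0000071' = 'password expired'
    '0xc0000193' = 'account expired'
}

$Since = (Get-Date).AddDays(-1)

# Item 2: failed logons in the last day, with who, from where and why.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = Get-EventData $_
        $code = if ($e.SubStatus -ne '0x0') { $e.SubStatus } else { $e.Status }
        $key = "$code".ToLower()
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($e.TargetDomainName)\$($e.TargetUserName)"
            Workstation = $e.WorkstationName
            SourceIP    = $e.IpAddress
            LogonType   = $e.LogonType
            Reason      = if ($Reason[$key]) { $Reason[$key] } else { $code }
        }
    }

# Items 1 and 3: who logged on successfully, how, and from which machines.
# Logon type 3 is a network logon (the usual kind seen on a DC); type 10 is RDP.
$succeeded = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.TargetUserName -notmatch '\$$' -and $_.TargetUserName -ne 'ANONYMOUS LOGON' } |   # skip computer accounts
    Group-Object TargetUserName |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Name
            Logons    = $_.Count
            Types     = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            FromHosts = ($_.Group.WorkstationName | Where-Object { $_ } | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object Logons -Descending

# Failures per user first: many attempts or several different reasons stand out.
$failed | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name -First 10 | Format-Table -AutoSize
$failed | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
$succeeded | Select-Object -First 20 | Format-Table -AutoSize
```

Run against a busy domain controller this is exactly the volume the next section complains about, which is why the grouping by user and the decoded reason matter more than the raw event list.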

Why Using the Native Active Directory Auditing is Insufficient

1. The day-to-day logon information collected in the server logs may not be friendly to non-technical staff.
2. The logon information requires expertise to understand the specific events correlating to every logon activity.
3. The amount of data collected is voluminous due to the continuous activities on the Domain Controller. Dealing with such huge amount of data is tedious and time consuming.
4. The restrictive nature of the Domain Controllers means access to their logs is limited to specific personnel.
5. The inability of other Non-Administrative staff outside the IT department to access real time logon data also makes the Native Active Directory Auditing out of reach for managers, auditors, human resource staff, etc.

The Solution to Native Active Directory Auditing

The only practical way of tracking real-time logon activity on a large scale for auditing is to use software like ManageEngine ADAudit Plus, which collects all logon information into a single report that can be shared from a central server console.

The ADAudit Plus tool gives all information relating to successful and failed logon attempts.

Active Directory Logon Auditing

Real time auditing means tracking every logon activity as it happens to the entire Active Directory. The outcome of this audit is listing all logon activities that can be viewed on the central server in an instant.

The logon report contains information on failed logons, Domain Controller logon information, Member Server logon information, Workstation logon, recent and last logon activities.

Active Directory Logon Auditing also helps in reporting on specific logon events by listing all logon-related actions. All this information is presented on a web interface that displays the data in statistical form via charts, lists, and graphs. Because native Active Directory auditing is insufficient, ADAudit Plus relays more information, some of which is explained below:

Logon Activities on Domain Controllers
Domain Controllers form the critical element in Active Directory, because all changes to the Active Directory take place there. Logons to them are restricted to network administrators or privileged users. Any attempt by other users should be a wake-up call for administrators to take corrective action.

ADAudit Plus give details such as user’s location, time of logon, success or failed logon attempts, and the reason for failure if any.

Track User Logon Activities (logon failures, recent logons, last logon on workstations)
Logon failure report gives information on reasons why a failure occurred and the number of failed attempts reported for a particular user. This information could be useful for system administrators on possible external attacks.

Some common reasons for failed logon attempts are a bad user name or a wrong password. Other reasons, such as errors due to time restrictions, replication delays, and different workstation OS versions, can also be reported.

Reports on user logon give all the information needed for auditing the entire logon history on the server and the clients end. This information is only accessible to specific domain users. User’s logon history is used to draw a logon pattern and used to show system auditors proof of activities on the network.

Recent activities are used by administrators to ascertain whether every past logon was used as intended. An analysis of past logon can be used to measure levels of irregularities. ADAudit Plus gives details of both successful and failed logons alongside reasons for unsuccessful attempts. The unsuccessful logs are used for planning any corrective measures.

The last logon on workstations has all the information on the time of last successful logon attempts. The report of this audit can be used to show absenteeism or availability of a user.

Track Logon Activities on Member Servers and Workstations
Tracking logon activities on member servers and workstations helps administrators follow the logon activity of users authorized to access selected servers and workstations. The information displayed here includes the times of access, the location of the user including the workstation details, successful or failed logins, and the reason behind any logon failure.

Monitor RADIUS Logon on Computers
Users accessing the Domain server from a remote location need to use the Remote Authentication Dial-in User Service (RADIUS). Reports on remote users cover logon failures, authentication through the Active Directory, and logon history. Only RADIUS logon activity running through Network Policy Servers can be reported.

Conclusion

The aim of any server optimization is to speed up operations, and in the case of logon auditing that means speeding up reporting. Native Active Directory auditing may give comprehensive information, but it is weighed down by the reporting time.

System administrators should take advantage of Active Directory auditing tools such as ADAudit Plus to help in carrying Active Directory audit. An Active Directory Reporting tool should be able to filter out information by marking out WHEN a change in the Active Directory was made, WHERE the change took place, WHAT is the nature of the change, and WHO is responsible for the change.

All these identifiers in a report are to facilitate easier understanding when reviewing the summarized information.


How to Audit Active Directory Using ‘Netwrix’

Auditing Active Directory in any environment has become a critical task in the IT department. Small and large organizations are using Windows Active Directory Auditing Software to pass compliance tests and overcome security challenges.

At the heart of a Windows-based enterprise network, the mechanisms administrators use to organize and control the resources and objects in an Active Directory determine how the structural framework, security, and database operations take place, from authentication to authorization.

Therefore, this means that it is important to keep track of all the activities taking place within the Active Directory to make sure network activity is at its best at all times.

Netwrix Auditor for Active Directory reports on what is going on inside the Active Directory and Group Policy. The software audits the changes made to the directory and to logon credentials in order to reduce the risk of abuse and streamline troubleshooting, while at the same time enforcing IT governance and compliance. Netwrix Auditor can be deployed on premises, on a Windows Server, or on a virtual server.

Getting Started

The installation for the first run needs the configuration of the SQL server instance because of the SQL Server Reporting Services (SSRS) in addition to the database engine. Features such as the .NET Framework 3.5 and above must be installed prior to installing the auditing software. Netwrix Software runs in two modes:

  1. The Administrator console, which configures the auditing environment.
  2. The Auditor client, which handles the query and reporting tool.

The two modes have other nodes within the consoles with specific tasks:

Managed Objects – for defining supported applications.
AuditArchive – connects to the database providing for the long-term audit storage options.
Settings – handles all credentials via SMTP protocols, licenses, and email addresses.

Netwrix Expected Output

Active Directory is the home of several objects that generate many logs, however, after defining what objects to audit in the Netwrix console, here are some of the expected results:

1. Listing all Changes
All changes made in the Active Directory will be detected and information such as WHO, WHAT, WHEN, and WHERE also form part of the report.

Login activities in the critical systems will be reported and all failed and successful attempts will be displayed. The Logon history of any particular user is also available.

2. Current Configuration Reports
The current state of users and groups, including properties such as permissions and other common user settings can be compared against a particularly known standard for consistencies.

The software will also look at the compliance levels of the Active Directory by testing compliance with set standards. Any changes to the audit policy settings or modifications of the group policy are also displayed.

3. Active Directory Risk Assessment
Any risk associated with wrong privilege assignment and poor management of user accounts is assessed. This assessment helps in closing security gaps early enough. All the threat patterns are indicated, and Netwrix gives you an opportunity to react within minutes of the threat alert.

4. Behavior Anomaly Reporting
Any malicious attempt from insiders or hacked accounts can be detected early enough to help system administrators take action to save critical systems and cloud applications. Searches within the Active Directory audit data can be customized to feel like the search in your preferred browser.

Your search history can be saved and retrieved on demand. Low-profile threats, such as unusual logons or identity theft, can also be reported as possible threats to the Active Directory.

5. Detailed Reports on All Dashboards
IT and business users can get Active Directory audit reports in the format they need by sorting, exporting, filtering, drilling down, and subscribing via the web or email.

6. Gives Additional Controls
Effective permissions are enforced and access management is streamlined through reports of who is supposed to access which resource on the network. How the rights were assigned is also indicated.

7. Inactive User Tracking and Password Expiration Alerts
Inactive user accounts are flagged for deactivation, while active users receive password change alerts before expiration. Account lockout issues can be resolved by analyzing the data in the report.

8. Rolling Back Changes
In the event of an unwanted or damaging change, Netwrix Auditor can roll Active Directory objects back to a previous known-good state without restoring from a backup.

Netwrix Auditor works in the background and so does not degrade system performance or cause downtime.

Defining Managed Objects

A managed object is the target (a set of AD objects) that Netwrix audits. When defining a managed object, set the database details, the scope of the audit, and the real-time alert settings. After the object is defined, running a data collection job gathers an initial overview of Active Directory.

Viewing Audit Data

The Netwrix Auditor home page has several icons that offer one-click access to common tasks. Clicking the relevant task opens a table of results matching the search criteria. To view specific audit results that answer the key security questions (who, what, when, and where), system administrators should use the search feature to build custom queries.

Generating Reports

Netwrix Auditor builds on the auditing services built into Windows Server. Instead of writing queries to generate reports, it ships with pre-built reports that cover several aspects of Active Directory.

The pre-built reports are mapped to known industry standards, so passing compliance audits with Netwrix is faster and more accurate. The final report can be exported to other formats such as text, PDF, or HTML.

Conclusion

Many organizations today are subject to compliance regulation and testing. Auditing changes in Active Directory is considered a mandatory part of an organization's security strategy.

Plenty of tools and packages can make this work easier; some have limitations, while others offer a comprehensive view of a complex network. Netwrix strikes a balance, giving almost all the information needed without much effort.

How to Set Up Azure Active Directory Connect

Microsoft designs Windows so that users can launch and run a wide range of programs, and the platform accommodates additional components that perform specific tasks.

This article focuses on Azure Active Directory Connect (Azure AD Connect) and its functions. It also explains how to set up Azure AD Connect on a Windows server.

First, one must understand what Azure AD Connect does. Knowing its primary functions makes the installation steps, and why each matters to the smooth running of the program, easier to follow.

BACKGROUND

Azure AD Connect is the Microsoft component that synchronizes identity data between on-premises Active Directory and the Azure AD tenant. It lets the administrator configure and deploy the prerequisites for the connection, including synchronization and sign-on.

It also incorporates the functionality of DirSync and Azure AD Sync, which were originally released as separate programs. When run by an administrator, the installer first installs a few essential components, such as the .NET Framework and the Microsoft Online Services Sign-in Assistant, that it needs to function.

It then installs and configures the synchronization engine and enables synchronization in the Azure AD tenant. Lastly, it sets up password hash synchronization (or whichever sign-on option the administrator selected).

MODES OF INSTALLATION

Azure AD Connect may be installed in two primary ways, express installation and custom installation, depending on the preferences of the user.

Express installation is the default offered by the installer. It is designed for new users who are not yet familiar with the program and provides the basic configuration: a single AD forest, password hash synchronization, and synchronization of all objects.

Custom installation, on the other hand, is used by administrators who know the program and need options that express installation does not offer, such as a different sign-in method or filtering of what is synchronized.

Express Installation

  1. Sign in as a local administrator on the server on which you will install Azure AD Connect. This account authorizes installation of programs on that computer. Install on the server you want to act as the main sync server.
  2. Locate AzureADConnect.msi and double-click it. A welcome screen with the license terms appears. Tick the agreement box and select Continue.
  3. At the bottom of the window you are presented with two options: Customize and Use express settings. Since we are using the express option, click Use express settings.
  4. A window prompts for the username and password of a global administrator of your company's Azure AD tenant. Enter the correct details, then click Next.
  5. The AD DS window then prompts for the username and password of an enterprise administrator account in the on-premises forest. For the username, enter the domain in either FQDN or NetBIOS format (e.g. pnl.co.uk\administrator or PNL\administrator). Ensure that every domain listed on the next page is verified, then click Next.
  6. Next is the Ready to configure screen. If Exchange is deployed on-premises, tick Exchange hybrid deployment. Click Install to begin installation and the initial synchronization, and click Exit once everything is configured.
  7. Sign out, then sign back in before using Synchronization Service Manager.

Custom Installation

The initial steps of a custom installation do not differ much from the express installation. Choose custom settings when the options provided by express settings do not meet your needs.

  1. Follow steps 1 and 2 of the express installation; in step 3, select the Customize option.
  2. On the Install required components screen, choose any optional configuration (such as a custom install location or an existing SQL Server) and continue. On the User sign-in screen there are four options:
     a. Password Hash Synchronization
     b. Pass-through authentication
     c. Federation with AD FS
     d. Do not configure
  With the first three, users sign in to Microsoft cloud services such as Office 365 with the same password they use for their on-premises accounts. Select your preferred option and, if wanted, tick the Enable single sign-on box.
  3. Next, the Connect to Azure AD screen prompts for the username and password of a global administrator. If the account has multi-factor authentication enabled, complete the verification with the code sent by phone call or message, or with the authenticator app.
  4. The Connect your directories screen appears. Select Active Directory as the directory type, enter the forest name, and supply the necessary credentials.
  5. The Add directory dialog offers two choices: create a new AD account or use an existing account. Supply the credentials for the account and proceed to the Azure AD sign-in configuration. All domains listed on this screen should show as verified; if not, verify them in the tenant and refresh the screen. Then select a suitable user principal name attribute and click Next.
  6. On the Domain and OU filtering screen, choose whether to synchronize all domains and OUs or only selected ones.
  7. On the Uniquely identifying your users screen, choose between users being represented only once across all directories and user identities existing in multiple directories. Also select how users are to be identified in Azure AD (the source anchor attribute).
  8. On the Filter users and devices screen, choose whether to synchronize all users and devices or only the members of a group, then click Next.
  9. The Optional features screen appears. Select the features that match your requirements.
  10. If app and attribute filtering was enabled, a list of Azure AD apps appears. Choose the required apps and click Next.
  11. Select any directory extension attributes required, then proceed to Configure and install. As with express installation, supply the proper forest credentials to enable single sign-on.
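Once either wizard has finished, the first thing to check is that the scheduler is enabled and that a delta cycle completes. The following script is an added example, not part of the original article or of Microsoft's product documentation; it uses the ADSync PowerShell module that the installer places on the Azure AD Connect server and is run there in an elevated session. No tenant or server names are assumed.

```powershell
# Added example, not part of the original article: post-installation checks for Azure AD Connect.
# Run in an elevated PowerShell session on the Azure AD Connect server; it uses the ADSync module
# that the installer places on that server. No tenant or server names are assumed.
Import-Module ADSync -ErrorAction Stop

function Get-AadConnectStatus {
    # Scheduler state tells you whether sync is enabled, how often it runs, and whether the
    # server is in staging mode (a staging server imports and syncs but never exports).
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncCycleEnabled = $s.SyncCycleEnabled
        StagingMode      = $s.StagingModeEnabled
        IntervalMinutes  = $s.CurrentlyEffectiveSyncCycleInterval.TotalMinutes
        NextCycleUtc     = $s.NextSyncCycleStartTimeInUTC
        CycleInProgress  = $s.SyncCycleInProgress
        Connectors       = (Get-ADSyncConnector | ForEach-Object Name) -join '; '
    }
}

function Start-DeltaSyncAndWait {
    param([int]$TimeoutSeconds = 600)
    # Starting a cycle while one is already running fails, so check first.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw 'A sync cycle is already in progress; wait for it to finish.'
    }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        # Get-ADSyncConnectorRunStatus returns nothing once no connector run is active.
        $running = Get-ADSyncConnectorRunStatus
    } while ($running -and (Get-Date) -lt $deadline)
    if ($running) { throw "Sync cycle did not finish within $TimeoutSeconds seconds." }
    return 'Delta sync completed.'
}

Get-AadConnectStatus | Format-List
Start-DeltaSyncAndWait
```

Step 7 above (sign out and back in) matters here: the installer adds the installing user to the local ADSyncAdmins group, and that membership is only in the token after a fresh logon, so the ADSync cmdlets fail with access denied until then. After the delta cycle completes, open Synchronization Service Manager and confirm the export to Azure AD reports no errors before declaring the deployment done.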

Best Practices to Secure Active Directory

One of the first questions of any server administrator is how to protect the Active Directory domain and make it less vulnerable.

In this article, we bring you the best practices for securing Active Directory domains against attack and maximizing your server security.

Account Hierarchy

Hierarchy in every server system is worth thinking about. All users should have defined roles, and at the top of those roles is the Administrator.

Users should not have more rights than they need, and administrators should use their elevated rights only when the task requires them.

It is recommended that administrators and other staff with elevated privileges use two accounts: one for logging on to their workstation when no admin tasks are needed, and the other solely for admin work.

Separating accounts in this way lowers the risk from malware or a compromised account, because the everyday account used for email and browsing never carries administrative rights.

Group Policies for Restricted Groups

Group Policy is an outstanding tool for securing pretty much everything. As a security practice, especially where users are local administrators of an organization's computers, Group Policy should be used to keep them local admins while preventing them from adding new users as admins.

It can be done with a Local Group item under Group Policy Preferences (the older Restricted Groups security setting achieves a similar result). Follow these steps:

  • Edit the Group Policy applied to the scope of the wanted computers.
  • In the Group Policy Management Editor, create a new Local Group item by navigating to:
    • Computer Configuration
    • Preferences
    • Control Panel Settings
    • Local Users and Groups
    • New > Local Group, and select Administrators (built-in) as the group name
  • Tick the boxes "Delete all member users" and "Delete all member groups" so that every existing member is removed at each policy refresh.
  • Be sure to add back the Domain Admins group and any local administrator account you rely on, so that you do not lock yourself out. If you need the built-in local account, use the Add... button under Members and specify BUILTIN\Administrator.
  • Recommendation: add DOMAINNAME\Domain Admins. It is good practice to have the Domain Admins group in every local Administrators group; Group Policy Preferences variables such as %DomainName% can be used instead of a hard-coded domain name.

Users listed in the item stay local admins, but any further members they add are removed at the next Group Policy refresh (every 90 minutes by default on workstations and member servers), so the change does not persist.
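A policy that removes unexpected members is only useful if you also check that it is actually taking effect. The following audit script is an added example, not part of the original article; it assumes PowerShell Remoting is enabled on the target computers and that the account running it is a local administrator on them. The server names and the allow-list of domain principals are constructed for illustration.

```powershell
# Added example, not part of the original article: verify that the local Administrators group
# on each computer contains only the members the Group Policy item is supposed to enforce.
# Assumes PowerShell Remoting is enabled on the targets and that you run it with an account
# that is a local admin on them. The server names and allow-list below are constructed for
# illustration; replace them with your own.
$servers = @('FS01', 'FS02', 'APP01')
$allowedPrincipals = @('CONTOSO\Domain Admins', 'CONTOSO\Server-LocalAdmins')

function Get-LocalAdminDrift {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$AllowedPrincipals
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-LocalGroupMember ships with Windows Server 2016 / Windows 10 and later.
            $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators' |
                    Select-Object Name, ObjectClass, PrincipalSource
            }
        } catch {
            # Report unreachable hosts instead of silently skipping them: a host you cannot
            # audit is a host you cannot vouch for.
            [pscustomobject]@{ Computer = $computer; Member = $null; Class = $null
                               Status = "UNREACHABLE: $($_.Exception.Message)" }
            continue
        }
        foreach ($m in $members) {
            # The built-in local Administrator shows up as <host>\Administrator and is always expected.
            $builtin  = $m.Name -ieq "$computer\Administrator"
            $expected = $builtin -or ($AllowedPrincipals -icontains $m.Name)
            [pscustomobject]@{ Computer = $computer; Member = $m.Name; Class = $m.ObjectClass
                               Status = if ($expected) { 'expected' } else { 'UNEXPECTED' } }
        }
    }
}

Get-LocalAdminDrift -ComputerName $servers -AllowedPrincipals $allowedPrincipals |
    Where-Object Status -ne 'expected' |
    Format-Table -AutoSize
```

Run it a few minutes after a policy refresh (or after gpupdate /target:computer on a test host) and the output should be empty apart from unreachable hosts. Two things to know: Get-LocalGroupMember can fail on a host whose Administrators group still contains orphaned SIDs of deleted accounts, which is itself a finding worth fixing, and on a domain controller the local Administrators group does not exist, so domain controllers should be audited through the domain's built-in Administrators group instead.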

Server Login Limits

Logging on directly to a server should not be common practice for anyone, administrators included. Most administrative operations can be performed through remote administration tools, so the server is managed from a workstation or a terminal (jump) server instead.

This is achieved with a GPO that carries the logon restrictions (the Allow log on locally and Allow log on through Remote Desktop Services settings under User Rights Assignment) and is security-filtered so that it applies only to the intended group:

  • In the Group Policy Management console tree, open Forest name/Domains/Domain name/Group Policy Objects and select the GPO.
  • On the Scope tab, click Add under Security Filtering.
  • In "Enter the object name to select", type the name of the group the policy should apply to.
  • Remove Authenticated Users from the Security Filtering section of the Scope tab. Since the MS16-072 update (June 2016), the computer account must still be able to read the GPO for it to be processed, so on the Delegation tab grant Authenticated Users (or Domain Computers) Read permission without Apply.

The settings in a GPO apply only to the users and computers contained in the domain, site, or organizational unit to which the GPO is linked, and security filtering narrows that further to the selected principals.
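The same scoping can be scripted, which also makes the MS16-072 caveat explicit: Authenticated Users is downgraded to Read rather than removed. The script below is an added example, not part of the original article; it uses the GroupPolicy module that comes with the Group Policy Management feature or RSAT, and the GPO name "Restrict Server Logon" and group name "ServerAdmins" are hypothetical.

```powershell
# Added example, not part of the original article: apply security filtering to a GPO from
# PowerShell. Requires the GroupPolicy module (Group Policy Management feature or RSAT) and an
# account allowed to edit the GPO. The GPO and group names are hypothetical.
Import-Module GroupPolicy -ErrorAction Stop

function Set-GpoSecurityFiltering {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$ApplyToGroup
    )
    # 1. Give the target group Read + Apply so the policy applies to its members.
    Set-GPPermission -Name $GpoName -TargetName $ApplyToGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # 2. Downgrade Authenticated Users from Apply to Read instead of removing it.
    #    Since MS16-072 (KB3163622) Group Policy is retrieved in the computer's security context,
    #    so the computer account must still be able to read the GPO. -Replace overwrites the
    #    existing permission level rather than adding a second entry.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # 3. Return the resulting permissions so the caller can see what was set.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
}

function Test-GpoAppliesOnlyTo {
    # True only if the named group has Apply and nobody else does. Domain Admins, Enterprise
    # Admins and SYSTEM hold edit rights, not Apply, so they do not trip this check.
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$Group)
    $applyTrustees = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    $others = @($applyTrustees | Where-Object { $_ -ne $Group })
    return (($applyTrustees -contains $Group) -and ($others.Count -eq 0))
}

Set-GpoSecurityFiltering -GpoName 'Restrict Server Logon' -ApplyToGroup 'ServerAdmins' | Format-Table -AutoSize
Test-GpoAppliesOnlyTo -GpoName 'Restrict Server Logon' -Group 'ServerAdmins'
```

Test-GpoAppliesOnlyTo is the check to keep in a scheduled job: someone re-adding Authenticated Users with Apply, or adding a second group, silently widens the scope of a logon-restriction policy, and this returns False as soon as that happens.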

Domain Controllers Security

Servers can be compromised through software and through physical access to the hardware.

If the domain controllers are physical machines, it is strongly recommended to lock them away so that no unauthorized person can reach them. Domain controllers in remote or branch locations should be deployed as read-only domain controllers (RODC) and installed as Server Core (without the desktop GUI) to reduce their attack surface. Of course, all the practices mentioned above apply as well, together with closing all unnecessary ports between the domain controllers and workstations.

There are many more practices for keeping servers secure; security is a constant, ongoing process and admins should always be on watch. This article gives an overview of some major practices, but threats, like security practices, develop and change day to day.


Active Directory Domain Services Overview

Active Directory (AD) is a Microsoft-developed technology that provides a set of services for managing domains centrally, controlling access to networked resources, and delivering other directory-based identity services.

While AD consists of multiple directory services, the one that performs the core activities is Active Directory Domain Services (usually abbreviated AD DS). Essentially, AD DS stores information about the objects in the domain, authenticates users and computers, and determines their access rights.

In this article, we give an overview of AD Domain Services.

Advantages of AD DS

The Active Directory Domain Services offer a wide range of advantages to the management of computing resources.

Here are some of them:

  • A directory is implemented as a structure that stores data according to the logical and hierarchical organization of the information. The data stored in the directory holds everything about the various Active Directory objects, such as network printers, servers, shared volumes, and individual computer accounts. This allows the data to be organized to suit the organization's needs.
  • AD DS provides multi-master replication: changes can be made on any writable domain controller and are replicated to the others. This allows an administrator to manage the entire directory from any location on the network.
  • AD DS comes with built-in redundancy. If one Domain Controller (DC) fails, another DC takes over the load.
  • AD DS uses policy-based administration to make the work of system administrators easier, especially in a complex network infrastructure. Access to network resources is authenticated through AD DS, which ensures that access rights are managed centrally.

Common terminologies and concepts in AD DS

Let’s define some terminologies and concepts that are commonly used in Active Directory Domain Services.

  • Schema: The set of rules that defines the object classes and attributes that can exist in the directory, including constraints on instances and how they are represented. The schema is stored in its own partition and replicated to every domain controller in the forest.
  • Global Catalog: A partial, read-only replica of every object in the forest (a subset of each object's attributes), hosted on domain controllers designated as global catalog servers. It enables users and administrators to locate directory information easily, even when the object lives in a different domain.
  • Query and Index Mechanism: Indexing enables users and applications to locate objects and their properties within the directory efficiently. This feature comes in handy when searching for specific information in the directory structure.
  • Replication Service: This service distributes directory data across the network; it ensures that every DC holds the same schema and configuration data, and that global catalog servers hold the same catalog. Changes made in AD DS are replicated to every DC that holds the affected partition. Each DC tracks changes with update sequence numbers and replicates only the updates that have occurred since the last replication. Replication has two responsibilities: delivering the changes a destination has not yet received, and resolving conflicts that arise from simultaneous changes to the same object.
  • Lightweight Directory Access Protocol (LDAP): The protocol that clients use to query and modify the directory, providing a common language between clients and servers across platforms.

Role of Domain Controllers with AD DS

The servers running the Active Directory Domain Services are called Domain Controllers (DC). Every DC responds to requests for authentication and stores the AD Domain Services data.

Furthermore, the DCs host other essential services, which are complementary to the functions of the AD Domain Services.

Here are some of them:

  • Netlogon: A service that runs continuously in the background to authenticate users, computers, and services in a domain and to maintain the secure channel to other domain controllers.
  • Kerberos Key Distribution Center (KDC): The service that issues and validates the Kerberos tickets that AD DS uses for authentication.
  • Intersite Messaging (IsmServ): A service that enables domain controllers to exchange messages across sites for replication and site-routing purposes.

Every domain must have at least one DC; the domain controllers host the domain's data. Every domain is part of an Active Directory forest, which consists of at least one domain, and each domain can be subdivided into organizational units.

AD DS manages the trusts between domains, allowing users in one domain to be granted access rights in another. So, while AD DS is the basis for domain management, the DC is the server that hosts it and that clients contact to use Active Directory.
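The concepts above (domain controllers, global catalog servers, sites, and the replication service) can all be inspected from the ActiveDirectory PowerShell module. The script below is an added example, not part of the original article; it requires the ActiveDirectory module (RSAT) and a domain account, and hard-codes nothing, so it reports on whatever forest the session belongs to.

```powershell
# Added example, not part of the original article: inventory the domain controllers in the
# current forest (global catalog and RODC flags, FSMO roles) and check replication between
# them. Requires the ActiveDirectory module (RSAT) and a domain account; nothing is hard-coded.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DcInventory {
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
            [pscustomobject]@{
                Domain        = $domain
                HostName      = $_.HostName
                Site          = $_.Site
                GlobalCatalog = $_.IsGlobalCatalog
                ReadOnly      = $_.IsReadOnly
                FsmoRoles     = ($_.OperationMasterRoles -join ', ')
            }
        }
    }
}

function Get-ReplicationHealth {
    # Flags a partner if it has consecutive failures or has not replicated successfully
    # within $MaxAgeHours (intersite replication defaults to every 180 minutes).
    param([int]$MaxAgeHours = 4)
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    foreach ($dc in Get-DcInventory) {
        foreach ($p in (Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both)) {
            # Partner is the DN of the partner's NTDS Settings object; its second RDN is the server name.
            $partnerName = (($p.Partner -split ',')[1]) -replace '^CN='
            $stale = $p.LastReplicationSuccess -lt $cutoff
            [pscustomobject]@{
                Server      = $dc.HostName
                Partner     = $partnerName
                Partition   = $p.Partition
                LastSuccess = $p.LastReplicationSuccess
                Failures    = $p.ConsecutiveReplicationFailures
                Status      = if ($p.ConsecutiveReplicationFailures -gt 0 -or $stale) { 'CHECK' } else { 'ok' }
            }
        }
    }
}

Get-DcInventory | Format-Table -AutoSize
Get-ReplicationHealth | Where-Object Status -eq 'CHECK' | Format-Table -AutoSize
```

The second table is the one to watch: a partner with a non-zero failure count, or whose last success is older than the replication interval, is where the authentication and resource-access problems described at the top of this page usually start, and the partner name and partition tell you which link to investigate with repadmin.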

Conclusion

An Active Directory infrastructure provides centralized storage and management of objects. It allows the system administrator, through Group Policy, to manage access to and availability of shared network resources securely.

Active Directory Domain Services is the foundation for identifying users and provides a central basis for authenticating and authorizing all the server roles in a typical Windows Server operating system.

Some of the notable features of recent Active Directory versions include auditing of directory changes, fine-grained password and account lockout policies, read-only domain controllers, restartable AD DS, and the Active Directory Database Mounting Tool.

Performance Tuning for Windows Server Active Directory 2016

Active Directory is the standardized, central database for Windows Server environments. It stores user accounts used for authentication, plus file shares, printers, computers, and settings such as security groups. Its main purpose is to allow only authorized users to log on to the network and to act as the central point of management for network resources.

Once you have set up a Windows Server in your environment, you may have business requirements that the server's default settings do not meet: lower power consumption, maximum throughput, or the lowest possible latency. For this reason, you must ensure that AD is running optimally, and one way to do that is performance tuning.

We are going to give you a few tips on how to tweak your server settings to improve AD's performance and energy efficiency, especially under varied workloads.

For performance tuning to have maximum impact, it should be centered on the server hardware, the workload, the energy budget, and the performance objectives of the server. We describe the crucial tuning considerations that can yield improved system performance together with optimal energy consumption, and outline the benefits of each setting so you can make an informed decision.

Hardware Considerations

This encompasses the RAM, Processor, storage, and Network Card.

RAM

For the server to scale, the minimum amount of required RAM is calculated as follows:

Current size of database + Total size of SYSVOL + RAM recommended by the OS + Vendor recommendations

Additional RAM can be added in anticipation of database growth and workload over the server's lifetime. For remote sites with few users, these requirements can be relaxed, since such sites do not need to cache much information to service requests.

In virtualization scenarios, avoid memory overcommit, where more memory is allocated to the guest machines collectively than the host physically has. A modest overcommit is not a big deal, but it becomes a serious problem once the total memory allocated to the guests exceeds the host's and the host begins paging, because the domain controller's database cache is then effectively served from disk. Remember, the objective of RAM optimization is to minimize trips back to the disk.

16 GB of RAM is a reasonable amount of memory for a physical server. For virtual machines, an estimated 12 GB is decent, with room for future upgrades and growth of the database and resources.

Cache Memory

Here, cache means the portion of RAM that the directory database engine uses to hold frequently used database pages, which the processor can reach far faster than data on disk. The cache performance of Active Directory depends on the memory available for caching: access at the memory level is much faster than reading from physical volumes.

To make this processing efficient, add memory to minimize disk I/O requests. The viable option is to have enough RAM installed to handle all operations of the operating system and the installed applications. In addition, the database and its transaction logs should be placed on separate volumes, which offers more flexibility in storage layout and reduces I/O contention.

To improve I/O on the disk subsystem, the Active Directory servers should implement the following hardware configurations:

  1. Use RAID controllers.
  2. Increase the number of disks handling the log files.
  3. Use controllers with a battery- or flash-backed write cache.

The subsystem performance of each volume should be reviewed; the idea is to have enough headroom for sudden changes in load so that client requests do not go unanswered. Data consistency is guaranteed only once changes are written to the transaction logs, which is why a write cache that can lose its contents on power failure must not be enabled.

Non-critical tasks such as system scans and backups should be scheduled for periods when the system is not heavily loaded. Backup and scanning programs with low I/O demands should be preferred, because they compete less with critical Active Directory services.

Network

To determine how much traffic must be supported, it helps to distinguish two broad categories in network capacity planning for Active Directory Domain Services.

First, there is replication traffic, which passes back and forth between domain controllers. Second, there is client-to-server traffic. Client-server traffic is simpler to plan for, since client requests to Active Directory are small in contrast to the volumes of data that AD DS sends back.

A bandwidth of 100 Mbps is adequate in environments with close to 5,000 users sharing a server. A 1 Gbps network card is recommended where users exceed 5,000 per server.

In virtualized environments, the network adapter must be able to support the domain controller load together with the other guests or virtual machines sharing the virtual switch attached to the physical network card.

Storage

Planning storage on the server entails two things: storage size and performance.

For Active Directory, sizing is only a consideration in large environments, because even on a 180 GB disk SYSVOL and NTDS.DIT fit easily. It is therefore not prudent to allocate excessive disk space here.

However, you should ensure that free space equal to 110% of the NTDS.DIT size is available for offline defragmentation. From there, plan for growth over the 3-to-5-year lifespan of the hardware. An estimate of about 300% of the size of the NTDS.DIT database file will be sufficient to accommodate growth over time and allow for offline defragmentation.
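The RAM formula in the RAM section and the 110% / 300% storage rules above can be turned into a single sizing check run on the domain controller itself. The script is an added example, not part of the original article; it reads the database and SYSVOL locations from the registry instead of assuming C:\Windows, and the OS and vendor RAM allowances are parameters with illustrative defaults, since those figures differ per environment.

```powershell
# Added example, not part of the original article: size RAM and disk for a domain controller
# using the rules of thumb above (database + SYSVOL + OS + vendor allowance for RAM; 110% of
# NTDS.DIT free for offline defragmentation; 300% for growth). Run on the DC itself; the
# database and SYSVOL paths are read from the registry rather than assumed. The OS and vendor
# allowances are parameters because they differ per environment; the defaults are illustrative.
function ConvertTo-GB([double]$Bytes) { [math]::Round($Bytes / 1GB, 2) }

function Get-DcSizing {
    param(
        [double]$OsRamGB      = 2,    # baseline for the operating system itself (assumed)
        [double]$VendorRamGB  = 1,    # agents such as backup, AV, monitoring (assumed)
        [double]$GrowthFactor = 3.0   # 300% of NTDS.DIT for 3 to 5 years of growth
    )
    $ntdsPath   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $sysvolPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol

    $ntdsBytes = (Get-Item -LiteralPath $ntdsPath).Length
    # SYSVOL contains junctions, so this total is an approximation, which is fine for sizing.
    $sysvolBytes = (Get-ChildItem -LiteralPath $sysvolPath -Recurse -File -Force -ErrorAction SilentlyContinue |
                    Measure-Object -Property Length -Sum).Sum

    # Free space on the volume that holds the database, to compare with the defrag headroom.
    $dbDrive   = (Split-Path -Path $ntdsPath -Qualifier).TrimEnd(':')
    $freeBytes = (Get-PSDrive -Name $dbDrive).Free

    $minRamGB       = [math]::Ceiling((ConvertTo-GB ($ntdsBytes + $sysvolBytes)) + $OsRamGB + $VendorRamGB)
    $defragHeadroom = $ntdsBytes * 1.10

    [pscustomobject]@{
        NtdsDitGB         = ConvertTo-GB $ntdsBytes
        SysvolGB          = ConvertTo-GB $sysvolBytes
        MinimumRamGB      = $minRamGB
        DefragHeadroomGB  = ConvertTo-GB $defragHeadroom
        DbVolumeFreeGB    = ConvertTo-GB $freeBytes
        DefragPossibleNow = $freeBytes -ge $defragHeadroom
        PlannedDbVolumeGB = ConvertTo-GB ($ntdsBytes * $GrowthFactor)
    }
}

Get-DcSizing | Format-List
```

DefragPossibleNow is the field to alert on: if the database volume no longer has 110% of NTDS.DIT free, an offline defragmentation (or a restore of the database to that volume) cannot be performed without first freeing space, which is exactly the situation you do not want to discover during an incident.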

Processors

When processors have few free cycles, requests queue and wait longer before execution. Server optimization should ensure that enough headroom is available to handle workload surges and so minimize response times to client requests. Reducing the load on the processors involves selecting the best processors, directing client requests to available processors, and using processor metrics to gauge system performance.

Performance Tuning

Performance tuning for Active Directory has two objectives:

  • Configure Active Directory so that it balances the load efficiently
  • Ensure that all work sent to Active Directory is efficient

For these objectives to be met, three areas need to be looked at.

Capacity Planning

This means having enough domain controllers to provide redundancy and answer client requests quickly. All the server hardware must be able to handle the existing load. Capacity planning involves scaling operations across multiple servers. Adding resources such as RAM to a server is essential in preventing failures by ensuring that every aspect of the server works as intended.

Capacity planning typically takes place in three stages:

  1. Evaluating the existing environment by determining the current challenges.
  2. Determining the hardware needed according to the findings of the step above.
  3. Validating the deployed system to ensure that it works within the defined specifications.

Server-side Tuning

The domain controllers are configured to handle loads efficiently. The system administrator must balance the demands of individual users against the available resources. Add-on products that manage bandwidth and port usage may be implemented to restrict network resource use.

Active Directory Client/Application Tuning

Active Directory has to be set up so that client and application requests use it as efficiently as possible.

Domain Controllers and Site Considerations

Placing domain controllers and defining sites revolve around optimization for referrals and optimization with trusts in mind.

A well-defined site topology is central to server performance. Clients that are not directed to a nearby domain controller report poor performance when querying Active Directory. Since client requests can arrive over IPv4 or IPv6, the site definitions must include IPv6 subnets as well as IPv4 subnets. By default, Windows prefers IPv6 over IPv4 when both are configured, so a client whose IPv6 address is not mapped to a site is treated as siteless and may be sent to a distant domain controller.

Domain controllers may fall back to reverse name lookups when determining a client's site. When this happens, threads in the thread pool are held up waiting on DNS, leading to unresponsiveness from the domain controller. By optimizing the name resolution infrastructure, quick responses from the domain controllers are assured.

Another scenario involves applications that contact writable domain controllers where read-only domain controllers are deployed. Optimizing this scenario means:

  • Changing the application so it does not require a writable domain controller when a read-only domain controller would be sufficient.
  • Placing the writable domain controller at the center of operations to reduce latency.

Optimization for Referrals

Referrals define how Lightweight Directory Access Protocol (LDAP) requests are handled when the domain controller does not hold a copy of the requested partition. A referral contains the partition name, the port number, and the DNS name of a server that holds the partition.

The client uses this information to send the request to the server hosting the partition. The recommendation is to make sure that the site definitions and domain controller placement reflect the clients' needs. Deploying domain controllers from multiple domains in a single site, and relocating applications, may also help fine-tune the domain controllers.

Optimization with Trusts in Mind

In environments with multiple domains or forests, trusts have to be defined according to the domain hierarchy. The secure channels at the root of the forest may become overloaded as authentication requests between domain controllers increase. This causes delays in remote parts of the directory, particularly in inter-forest and deep trust-path scenarios. Some recommendations to reduce forest trust overload:

  • Use the MaxConcurrentApi setting to allow more concurrent NTLM pass-through authentication calls over a secure channel.
  • Create shortcut trusts as needed, depending on the load.
  • All domain controllers within a domain should be able to resolve the names of, and communicate with, the trusted domain's domain controllers.
  • All trusts should take locality into account.
  • Reduce the chance of hitting MaxConcurrentApi limits by using Kerberos wherever possible (Kerberos does not use the secure channel) and by reducing the use of secure channels.

Name resolution across firewalls takes a toll on the system and, in turn, affects clients negatively. To overcome this, access to trusted domains needs to be optimized through the following steps:

  1. WINS and DNS should be able to resolve the names of the trusting domain's controllers; avoid relying on static records, which tend to cause connectivity problems over time. Forwarders and secondary zone copies of the resource environment that clients need must be maintained.
  2. Converge the site names shared between trusted domains so that domain controllers in the same location are recognized as such, by linking IP addresses and subnets to sites within the forest.
  3. Ensure the ports required by the trust are open and firewalls are configured accordingly. Closed or restricted ports lead to repeated failed communication attempts, causing timeouts and hung threads or applications on the client.
  4. Domain controllers forming a trust relationship should be installed in the same physical location where possible.

Unless there is a specific reason to disable the checks on trusted-domain availability, keeping trust checks enabled is recommended.
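Whether MaxConcurrentApi tuning is needed at all is something the Netlogon performance counters answer directly. The script below is an added example, not part of the original article; it reads the Netlogon counters (available since Windows Server 2008 R2) and the current MaxConcurrentApi registry value on the server it runs on, and nothing is hard-coded.

```powershell
# Added example, not part of the original article: detect queuing on the Netlogon secure
# channel, the symptom that MaxConcurrentApi tuning addresses. Reads the Netlogon performance
# counters (available since Windows Server 2008 R2) and the current MaxConcurrentApi setting.
# Run locally on the domain controller or member server in question; nothing is hard-coded.
function Get-SecureChannelPressure {
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)

    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value  = Get-ItemProperty -Path $params -Name MaxConcurrentApi -ErrorAction SilentlyContinue
    # No value means the OS default applies (10 on Windows Server 2012 and later).
    $maxConcurrentApi = if ($value) { $value.MaxConcurrentApi } else { 'default' }

    $counters = @(
        '\Netlogon(*)\Semaphore Waiters',            # callers currently waiting for a secure channel slot
        '\Netlogon(*)\Semaphore Holders',            # callers currently using a slot
        '\Netlogon(*)\Semaphore Timeouts',           # cumulative waits that gave up since Netlogon started
        '\Netlogon(*)\Average Semaphore Hold Time'   # seconds a slot is held per call
    )
    $data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples

    # Average each counter per secure channel; the instance is the trusted domain, or _Total.
    $data.CounterSamples | Group-Object Path | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Channel          = $first.InstanceName
            Metric           = ($first.Path -split '\\')[-1]
            Average          = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Average).Average, 2)
            MaxConcurrentApi = $maxConcurrentApi
        }
    } | Sort-Object Channel, Metric
}

function Test-SecureChannelHealthy {
    # Healthy means nobody was waiting for a slot during the sample window and no call has
    # ever timed out since Netlogon started (Semaphore Timeouts is cumulative).
    param($Samples = (Get-SecureChannelPressure))
    $bad = @($Samples | Where-Object {
        ($_.Metric -eq 'Semaphore Waiters'  -and $_.Average -gt 0) -or
        ($_.Metric -eq 'Semaphore Timeouts' -and $_.Average -gt 0)
    })
    return ($bad.Count -eq 0)
}

Get-SecureChannelPressure | Format-Table -AutoSize
Test-SecureChannelHealthy
```

Sustained Semaphore Waiters above zero, or any Semaphore Timeouts, mean NTLM pass-through calls are queuing behind the secure channel. Raising MaxConcurrentApi (a Netlogon restart is required for it to take effect) buys headroom, but the per-channel breakdown usually points at the real fix: the trusted domain whose instance shows the waiting is the one whose clients should be moved to Kerberos. Counter names are localized, so on a non-English server the paths above have to be translated.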
