How to Audit Active Directory Using ‘Netwrix’

Auditing Active Directory in any environment has become a critical task in the IT department. Small and large organizations are using Windows Active Directory Auditing Software to pass compliance tests and overcome security challenges.

At the heart of a Windows-based enterprise network, the mechanisms administrators use to organize and control the resources and objects in Active Directory determine how the structural framework, security, and database operations take place, from authentication through authorization.

It is therefore important to keep track of all activity taking place within Active Directory so that the network keeps operating as intended.

Netwrix Auditor for Active Directory reports on what is going on inside Active Directory and Group Policy. The software audits changes made to the directory and logon activity to reduce the risk of abuse and streamline troubleshooting, while at the same time enforcing IT governance and compliance. Netwrix Auditor can be deployed on premises, on a Windows Server, or on a virtual server.

Getting Started

The first-run installation requires a configured SQL Server instance, because SQL Server Reporting Services (SSRS) is needed in addition to the database engine. Prerequisites such as .NET Framework 3.5 or later must be installed before the auditing software. Netwrix runs in two modes:

  1. The Administrator console, which configures the auditing environment.
  2. The Auditor client, which handles the query and reporting tool.

Within the two consoles, further nodes handle specific tasks:

  • Managed Objects – defines the supported applications to audit.
  • AuditArchive – connects to the database that provides long-term audit storage.
  • Settings – handles credentials, SMTP settings, licenses, and email addresses.

Netwrix Expected Output

Active Directory is home to many objects that generate a large volume of logs. After defining which objects to audit in the Netwrix console, these are some of the expected results:

1. Listing all Changes
All changes made in the Active Directory will be detected and information such as WHO, WHAT, WHEN, and WHERE also form part of the report.

Login activities in the critical systems will be reported and all failed and successful attempts will be displayed. The Logon history of any particular user is also available.

2. Current Configuration Reports
The current state of users and groups, including properties such as permissions and other common user settings, can be compared against a known baseline for consistency.

The software will also look at the compliance levels of the Active Directory by testing compliance with set standards. Any changes to the audit policy settings or modifications of the group policy are also displayed.

3. Active Directory Risk Assessment
Risks arising from incorrect privilege assignment and user account management are assessed. This assessment helps close security gaps early. Threat patterns are flagged, and Netwrix gives you the opportunity to react within minutes of the threat alert.

4. Behavior Anomaly Reporting
Malicious attempts by insiders and compromised accounts can be detected early enough for system administrators to take action and protect critical systems and cloud applications. Searches within the audit data can be customized to work like the search in your preferred browser.

Your search history can be saved and retrieved on demand. Low-profile threats, such as unusual logons that may indicate identity theft, can also be reported as possible threats to Active Directory.

5. Detailed Reports on All Dashboards
IT and business users can get Active Directory audit reports in the format they need by sorting, exporting, filtering, drilling down, and using web and email subscriptions.

6. Additional Controls
Effective permissions are enforced and access management is streamlined through reports of who is supposed to access which resource on the network. The way the rights were assigned is also shown.

7. Inactive User Tracking and Password Expiration Alerts
Inactive user accounts are deactivated, while the remaining Active Directory users receive password change alerts before their passwords expire. Issues relating to account lockouts can be resolved by analyzing the data in the report.

8. Rolling Back Changes
In the event of a system breakdown, Netwrix Auditing Software enables the directory to be rolled back to the state it was in before the unwanted changes, without restoring from a backup.

Netwrix Software works in the background and thus, it does not reduce system performance or cause downtime.

Defining Managed Objects

A managed object is the target (the set of AD objects) that Netwrix will audit. Details such as the database settings, the scope of the audit, and the real-time alert settings should be set up when defining objects. After object definition, running a data collection job gathers an overall overview of Active Directory.

Viewing Audit Data

The Netwrix Auditor home page has several icons that offer one-click access to common tasks. Clicking the relevant item pops up a table of results based on the search criteria. To view specific audit results that answer the security questions WHO, WHAT, WHEN, and WHERE, system administrators should use the search feature to create custom queries.

Generating Reports

Netwrix Audit Software runs on top of Windows Server built-in security services. Instead of worrying about how to create queries to generate reports, Netwrix Auditing Software has pre-built reports that cover several aspects of the Active Directory.

The good thing about the pre-built reports is that they have been pre-formatted to comply with known industry standards; therefore passing compliance tests with Netwrix is faster and more accurate. The final report can be exported to other formats such as text, PDF, or HTML.


Many organizations today find themselves subject to compliance regulation and testing. Auditing changes in Active Directory is considered mandatory as part of an organization’s security strategy.

Plenty of tools and packages can help make this work easier; some still face limitations, while others offer a comprehensive view when used on a complex network. Netwrix strikes a balance, giving almost all the information needed without much effort.

How to Set Up Azure Active Directory Account

Microsoft is dedicated to ensuring that individuals can access their computers and perform various tasks. The company built the Windows system to enable its users to launch and run a variety of programs.

As such, Windows is designed to accommodate other, smaller programs that perform specific tasks, making Microsoft software and computers in general more approachable to many users.

This article focuses on Azure Active Directory Connect and its functions. Also, this article will enlighten the user on how to set up Azure AD connect in a computer, or any other device designed to use Windows system to run.

But first, one must understand Azure AD Connect and its function. By understanding its primary functions, one will be able to understand the various installation steps and their importance to the smooth running of the program.


Azure AD Connect is one of Microsoft’s main components dedicated to synchronizing identity data between an on-premises environment and the Microsoft cloud environment. The program is designed to let the user configure and deploy the prerequisites required for the connection, such as synchronization and sign-on.

It also incorporates the functionality of DirSync and AAD Sync, which were initially released as individual programs. Once started by an administrator, the installer sets up a few essential components such as the .NET Framework and the Microsoft Online Services Sign-in Assistant, which are necessary for its operation.

Thereafter, it installs and configures AAD Sync, then enables sync in the Azure AD tenant. Lastly, it sets up password hash sync to provide the sign-on option selected by the administrator.


Azure AD Connect may be installed in two primary ways, custom installation and express installation, depending on the preferences of the user.

Express installation is the default setting found in a newly-acquired program. This form of installation is designed for new users that are not yet conversant with the program. It provides the user with the basic installation tools.

Custom installation, on the other hand, is mainly implemented by users who are accustomed to the program and require certain functions that may not be accessible via express installation. Custom installation enables the user to implement various options that are not readily accommodated by the usual installation.

Express Installation

1. Sign in as the local administrator on the server where you will be installing Azure AD Connect. The administrator authorizes installation of all programs on the computer. One then allows the installation of the program, particularly on the server that one wishes to be the main sync server.
2. Navigate and locate AzureADConnect.msi then double click on it. This will display a welcome home screen bearing the terms and conditions clause. Check off the Agree option, and select Continue.
3. At the bottom of the window, you’ll be presented with two options: customize and use express setting. Since we are using the Express option, hit the use express setting button.
4. A window will pop up, prompting for the username and password of the global administrator for your company’s Azure AD. Key in the correct details then hit Next.
5. The AD DS screen window will then pop up, prompting for the username and password of the organization’s admin account. For the username text field, enter the domain in either FQDN or NetBIOS format (i.e.\administrator or PNL\administrator). Ensure that every domain present in the next page is verified and once they are, hit Next.
6. Next up will be the Install screen. Click Install and let the synchronization process run until every element is fully configured. If there is an on-premises Exchange, one must enable the Exchange Hybrid Deployment option. Lastly, click Install and hit Exit once everything is installed.
7. Sign off, then sign back in again prior to using the Synchronization Manager.

Custom Installation

The initial process to custom install this program is not so different from the express installation. A user may opt to use custom install setting when the options provided by the express settings are not satisfactory to the user.

1. Follow steps 1 & 2 for express installation, then for step 3, select the customize option.
2. Proceed to install required components for the optional configurations. There are four options provided on this screen.
a. Password Hash synchronization
b. Pass-through authentication
c. Federation with AD DS
d. Do not configure
For the first three, users have the ability to sign in to Microsoft cloud services, such as Office 365, with the same password they use for signing in to their on-premise accounts. Select your preferred option and proceed to check off the Enable single sign-on box.
3. Next, you’ll see the Connect to Azure AD screen and be prompted for the global Azure AD admins username and password. In case the administrative account has multi-factor authentication enabled, ensure to verify it using a verification code that is sent either via a phone call or message.
4. Once the option is enabled, a Connect to Directory screen will pop up. Select the Active Directory option and add the forest name and the necessary credentials.
5. After this, an Add Directory option will appear with two choices — create a new account or use an existing account. One then enters the necessary credentials for the account and proceeds to the Azure AD sign-in configuration. All the options presented on this screen must be verified; if not, one has to verify them and then refresh the screen. Then select a suitable user principal name and click Next.
6. Other options such as the domain and OU filtering must also be filled. This option allows the user to either synchronize all domains or synchronize only selected domains.
7. Select how users are uniquely identified. There are two options here — users are represented only once across all directories, or user identities exist across multiple directories. One must also select how users are to be identified.
8. Proceed with synchronization of data for various users and devices then hit Next.
9. An option feature screen will pop up. Select the appropriate options according to the desired preference.
10. Then, an option for available apps within the Azure AD will pop up. Just choose all the suitable apps then hit Next.
11. Select the necessary directory extension, then move on to configure and install the program. Just like for express installation, just put in the proper forest credentials to enable the sign on option.

Best Practices to Secure Active Directory

One of the first questions any server administrator asks is how to protect an Active Directory domain and make it less vulnerable.

In this article, we will bring you the best practices for securing Active Directory domains from any type of attacks and for maximizing your server security.

Account Hierarchy

Hierarchy in every server system is one of the things worth thinking about. All of the users should have their roles and on top of all those roles is Administrator.

Users should not have any more rights than they need. And administrators should use their rights as fitted per situation.

It is recommended for Administrators or other staff with elevated privileges to use two accounts – one for logging in on their workstations when no admin tasks are needed and the other solely for admin work.

This pattern of account usage lowers the risk of attacks such as malware infection or account compromise.

Group Policies for Restricted Groups

Group Policy is an outstanding tool for securing pretty much everything. Where users are local administrators of an organization’s computers, Group Policy should be used to keep them local admins but restrict them from adding new users as admins.

It can be done by creating a “Restricted Group” and applying GPO on that group. You may do this by following these steps:

  • Edit the Group Policy applied to the scope of the wanted computers.
  • In the Group Policy Management Editor, create a new Local Group by navigating to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, and select the Administrators group.
  • Tick the “Delete all member users” and “Delete all member groups” boxes.
  • Be sure you add back the Domain Admins and local Administrators groups so you do not lock yourself out. You can use the “Add Local Group Member” option with “BuiltIn\Administrator”.
  • Recommendation: add DOMAINNAME\Domain Admins. It is good practice to have the Domain Admins group in the local group, and it can be added through domain name variables.

Users can still be added as local admins as usual, but the GPO will prevent them from adding other users as admins.
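As an added example that is not part of the original article, the following PowerShell script checks that the Restricted Groups policy above is actually holding: it compares the local Administrators group of each computer against the approved set and reports anything extra. It assumes PowerShell Remoting is enabled on the targets; DOMAINNAME, Workstation Admins and the WS01 sample data are placeholders.

```powershell
# Added example (not the article's own code): audit local Administrators
# membership on domain-joined computers and flag members that the Restricted
# Groups GPO should have removed. Assumes WinRM is enabled on the targets and
# the caller has rights to query them. DOMAINNAME is a placeholder.

$Domain = 'DOMAINNAME'   # placeholder for your NetBIOS domain name

# Members the policy is expected to leave in place.
$Approved = @(
    "$Domain\Domain Admins",
    "$Domain\Workstation Admins",   # hypothetical group of approved local admins
    'Administrator'                 # built-in local account, compared by bare name
)

function Compare-LocalAdminMembers {
    # Returns members of a local Administrators group that are not approved.
    # $Members has the shape of Get-LocalGroupMember output (Name, ObjectClass,
    # PrincipalSource), so the function can be exercised on constructed data.
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        [Parameter(Mandatory)] [string[]] $ApprovedList
    )
    foreach ($m in $Members) {
        # The built-in account appears as COMPUTERNAME\Administrator, so local
        # principals are compared by bare name and domain principals by full name.
        $name    = $m.Name
        $isLocal = ($m.PrincipalSource -eq 'Local')
        $key     = if ($isLocal) { $name.Split('\')[-1] } else { $name }
        if ($ApprovedList -notcontains $key) {
            [pscustomobject]@{
                Member = $name
                Class  = $m.ObjectClass
                Source = $m.PrincipalSource
            }
        }
    }
}

function Get-UnexpectedLocalAdmins {
    # Collects the live membership from each computer and runs the comparison.
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $ApprovedList
    )
    foreach ($c in $ComputerName) {
        try {
            $members = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators'
            }
            Compare-LocalAdminMembers -Members $members -ApprovedList $ApprovedList |
                ForEach-Object {
                    $_ | Add-Member -NotePropertyName Computer -NotePropertyValue $c -PassThru
                }
        } catch {
            Write-Warning "$c`: $($_.Exception.Message)"
        }
    }
}

# Constructed sample resembling Get-LocalGroupMember output from one workstation.
$Sample = @(
    [pscustomobject]@{ Name = 'WS01\Administrator';    ObjectClass = 'User';  PrincipalSource = 'Local' },
    [pscustomobject]@{ Name = "$Domain\Domain Admins"; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' },
    [pscustomobject]@{ Name = "$Domain\jsmith";        ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' },
    [pscustomobject]@{ Name = 'WS01\helpdesk_local';   ObjectClass = 'User';  PrincipalSource = 'Local' }
)

# Offline run against the constructed sample: the two unapproved entries are reported.
Compare-LocalAdminMembers -Members $Sample -ApprovedList $Approved | Format-Table -AutoSize

# Live run against real machines (requires WinRM):
# Get-UnexpectedLocalAdmins -ComputerName 'WS01','WS02' -ApprovedList $Approved | Format-Table -AutoSize
```

Any row returned after the policy has applied means the GPO is not linked, not filtered to that computer, or is being overridden; it is worth scheduling the live run and alerting on non-empty output.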

Server Login Limits

Logging on directly to the server should not be common practice for anyone, even administrators. Most administrative operations can be performed through remote admin tools, so the server can be managed from a workstation or terminal server.

This can be achieved by applying a GPO as follows:

  • Access GPO in the console tree, which can be found on the path: Forest name/Domains/Domain name/Group Policy objects.
  • Click add in the Scope tab
  • Type the name of the group the security filter should apply to in “Enter the object name”.
  • Remove Authenticated Users in the Security Filtering section of the Scope tab.

The settings in a GPO apply only to the users and computers contained in the domain, site, or organizational unit to which the GPO is linked.
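The same security filtering can be applied with the GroupPolicy module, shown here as an added example rather than the article's own procedure. It assumes RSAT (the GroupPolicy module) on the management host and edit rights on the GPO; the GPO name and the group name are placeholders, and the Authenticated Users entry is reduced to Read rather than removed outright.

```powershell
# Added example (not the article's own code): restrict a GPO to one security
# group through security filtering. Assumes the GroupPolicy module (RSAT) and
# a caller who can edit the GPO. Names are placeholders.

Import-Module GroupPolicy

$GpoName     = 'Restrict Server Logon'   # placeholder GPO name
$TargetGroup = 'Server Admins'           # placeholder group the GPO should apply to

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $GroupName
    )
    # Grant the target group Apply (which includes Read) on the GPO.
    Set-GPPermission -Name $Name -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Authenticated Users gets Apply by default. Lower it to Read instead of
    # None: since MS16-072, user settings are retrieved in the computer's
    # security context, so the computer account still needs Read on the GPO.
    # -Replace is required to lower an existing permission level.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

function Get-GpoApplyTrustees {
    # Returns the trustees that still hold Apply on the GPO, for verification.
    param([Parameter(Mandatory)] [string] $Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

Set-GpoSecurityFilter -Name $GpoName -GroupName $TargetGroup
# After the change, only the target group should be listed.
Get-GpoApplyTrustees -Name $GpoName
```

Run `gpresult /r` on a target server afterwards to confirm the GPO shows as applied for the intended group and as filtered out for everyone else.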

Domain Controllers Security

The security of servers can be compromised through both software and hardware.

If the domain controllers are physical, it is strongly recommended to lock them away so that no one can access them. If the domain controllers are at remote sites, it is recommended to configure them as read-only domain controllers (RODC) and to set them up as Server Core installations. Of course, it is also recommended to apply all the practices mentioned above and to close all unnecessary ports between the DCs and the workstations.

There are many more practices for keeping servers secure; it is a constant, ongoing process, and admins should always be on watch. This article gives an overview of some major practices, but threats, like security practices, develop and change from day to day.


AD Domain Services Overview

A directory, in non-technical terms, is a hierarchical structure that stores data and objects found within a computer network. Active Directory is an organizational structure comprising user accounts for authentication, addresses, security groups, group policies, file shares, and physical resources such as computers and printers.

All users in an Active Directory must be given permission to access all this information upon request. In this article, we’ll dive deeper and have a glance at what makes up AD Domain services.

Features of an Active Directory

An Active Directory is implemented by building structures that store data based on the logical and hierarchical organization of information. The data stored in the directory has all the information about the Active Directory objects such as network printers, servers, shared volumes, and individual computer accounts.

The basic security element integrated into Active Directory is the implementation of log-on authentication and access controls. A system administrator can use a single network log-on to manage the entire directory and organization on the network.

Active Directory Domain Services uses policy-based administration to make the work of system administrators easier, especially in a more complex network infrastructure. Implementing policy-based authorization revolves around the following settings:

  • Schema
    These are the sets of rules used to define objects and attributes within Active Directory. The schema also defines the limits of instances and how they are represented in the directory.
  • Global Catalog
    This catalog holds information on every object defined in the directory. It enables both users and administrators to locate information even when the data is in a different domain.
  • Query and Index Mechanism
    Query indexing enables users and applications to locate objects and their properties. It comes in handy when looking for specific information in the directory structure.
  • Replication Service
    This dedicated service distributes data across the network. Domain controllers take part in replication by holding a complete copy of all data and directory information stored in the domain. All changes made in Active Directory Domain Services are replicated to every domain controller in the domain.

Understanding Active Directory Domain Service

Some of the core concepts within Active Directory that give a clear understanding of what it is are briefly highlighted below:

  1. Active Directory Structure and Storage Technologies
    The Active Directory storage design comprises four features:

    1. Active Directory domains and forests. Domains and other organizational units define the Active Directory logical structure.
    2. The Domain Name System (DNS), which resolves names for the domain controllers and helps Active Directory reflect its organizational structure.
    3. A schema that holds the definitions of all objects stored in the directory.
    4. The data store, which manages the storage and retrieval of data on the domain controllers.
  2. Domain Controller Roles
    A domain controller is a Windows server configured with the Active Directory service installed. The system administrator is responsible for setting up the different roles. A new server configuration is complete when a specific role is assigned to a domain controller by installing Active Directory Domain Services. Within Active Directory there are specialized roles that perform specific functions in the environment, such as global catalog servers and operations masters.
  3. Active Directory Schema
    The schema is the blueprint that describes all rules and objects stored in Active Directory and all the attributes related to each object. An Active Directory schema therefore defines the content and structure of objects and the attributes used when creating them.
  4. Understanding Trusts
    Raising the domain and forest functional levels means that no forests or domains running earlier versions of the operating system can be integrated at the new level. For example, at the Windows Server 2016 level you cannot add a domain controller or forest running Windows Server 2008. Each domain functional level has its corresponding enabled features, which also correspond to the version of the Windows Server operating system in use.
  5. Active Directory Replication Technologies
    The directory replication model uses mechanisms that enable Active Directory’s update capabilities. Domain controllers track the changes they receive and apply only the updates that have taken place since the last replication. The update tracking has two roles:

    1. Determining what has not yet been received and needs to be replicated at the destination.
    2. Resolving conflicts arising from simultaneous changes to an object.
  6. Active Directory Search and Publication Technologies
    The reason for having Active Directory is to enable users, applications, and services to search for and publish useful information. Such operations include:

    1. Searching and comparing data.
    2. Finding information about available services.

    The component Active Directory uses for its search function is LDAP (Lightweight Directory Access Protocol), while the one responsible for service publication is the Key Distribution Center.
  7. Understanding Schema
    The schema is the Active Directory component used to define the objects and attributes the directory service uses to store data. A combination of definitions may be used to define objects that need more complexity, and new definitions added to the schema can be used to define new objects in Active Directory. The schema is stored in its own partition within the directory and replicated to all domains in the forest.


Given the many changes that have taken place in the configuration of Active Directory Domain Services, note that this article gives only a general overview of a functioning Active Directory Domain Services server role.

An Active Directory network infrastructure provides a centralized storage and management of objects. The system administrator through group policies can manage access and availability of resources securely when sharing network resources.

Active Directory Domain Services acts as the foundation of Windows Server identity and provides a central basis for authentication and authorization for all the server roles in a typical Windows Server operating system.

Some of the distinct features found in the latest Active Directory configurations include system auditing, password, and account lockout policies, read-only domain controllers, the ability to restart domain services, and an Active Directory Database Mounting Tool.

Performance Tuning for Windows Server Active Directory 2016

The Active Directory is a standardized and central database for Windows Server systems that houses user accounts used for authentication, file shares, printers, computers, and other settings such as security groups. The main purpose of Active Directory is to allow only authorized users to logon to the network and act as a central management for network resources.

Once you have set up a Windows Server in your environment, you might have business requirements that are not supported by your server’s default settings. For instance, you may desire to scale down on your power/energy consumption, maximize your server’s output and have the lowest server latency. It’s for this reason that we must always ensure that our AD is running optimally. And one way to ensure that is by performance tuning.

We are going to give you a few tips on how you can tweak your server settings and scale up your AD’s performance and energy efficiency, especially when you have a varied workload.

For performance tuning to have maximum impact, it should be centered around the server hardware, workload, energy budget, and performance objectives of the server. We are going to describe crucial tuning considerations that can yield improved system performance coupled with optimal energy consumption.

We’ll break down each setting and outline its benefits to help you make an informed decision and achieve your goals as far as workload, system’s performance, and energy utilization is concerned.

Hardware Considerations

This encompasses the RAM, Processor, storage, and Network Card.


RAM

To keep the server scalable, the minimum amount of required RAM is calculated as follows:

Current size of database + Total size of SYSVOL + Recommended RAM by OS + Vendor Recommendations

Any additional RAM can be added in anticipation of the database’s growth and workload in the server’s lifetime. For remote sites with few users, these requirements can be relaxed as they will not require much RAM to cache much information to service requests.

In virtualization scenarios, avoid over-committing the host’s memory. Memory overcommit happens when more memory is allocated to the guest machines than the underlying host actually has. On its own this is not a big deal, but it becomes a serious problem if the total memory in use by the guests exceeds that of the host and the host begins paging. Remember, the objective of RAM optimization is to minimize the time spent going back to disk.

16GB RAM is a reasonable amount of memory for a physical server. For virtual machines, though, an estimated size of 12GB would be considered decent enough with anticipation of future upgrade and growth of the database and resources.

Cache Memory

Cache is memory that the processor can access more quickly than ordinary RAM. The cache performance of Active Directory depends on the memory allocated for caching: data accessed from memory is served far faster than data read from physical volumes.

To make this processing highly efficient, more memory must be added to minimize disk input/output requests. The viable option is to have enough RAM installed to handle all operations of the operating system and the installed applications. In addition, system logs and databases should be placed on separate volumes to offer more flexibility in the storage layout.

To improve the I/O request on a hard disk, the Active Directory should implement the following hardware configurations:

  1. Use of RAID controllers
  2. Increase the number of disks handling log files
  3. Use disk controllers that support write caching

The subsystem performance of each volume should be reviewed; the idea is to have enough room for sudden changes in load to avoid client request non-responsiveness. Data consistency will only be guaranteed when all changes are written to logs.

Non-critical tasks such as system scans and backups should be scheduled for times when the system is not heavily loaded. Backup procedures and scanning programs with low I/O demands should be used because they reduce competition with critical Active Directory services.


Network

To work out how much traffic must be supported, it helps to distinguish two broad categories of network capacity planning for Active Directory Domain Services.

Firstly, we have replication traffic which passes back and forth across Domain controllers. Then, we have client-to-server network traffic also known as intra-site traffic. Client-server traffic is much simpler to plan for since it involves minimal client requests to the Active Directory in contrast to the huge volumes of data sent back by the Active Directory Domain Services.

A bandwidth of 100 Mbps will be adequate in environments serving close to 5,000 users per server. A 1 Gbps network card is recommended for environments where users exceed 5,000 per server.

In virtualized environments, the network adapter should be in a position to support the Domain Controller load and the rest of the guests or virtual machines which are sharing the virtual switch which is attached to the physical network card.


Storage

Planning storage on the server entails two things: storage size and performance.

For Active Directory, sizing is only a consideration for large environments. This is because even for a 180GB hard drive, SYSVOL and NTDS.DIT can fit quite easily. It’s therefore not prudent to allocate so much disk space in this area.

However, you should ensure that free space equal to 110% of the NTDS.DIT size is available for defragmentation. Beyond that, plan for growth over the 3-to-5-year lifespan of the hardware. An estimate of about 300% of the size of the NTDS.DIT database file will be enough to accommodate growth over time and allow for offline defragmentation.
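As an added example that is not part of the original article, this PowerShell script turns the RAM formula and the 110% / 300% storage rules from this section into a sizing check driven by a domain controller's real NTDS.DIT and SYSVOL sizes. It assumes it runs on the DC with administrative rights; the OS and vendor RAM figures are placeholders supplied by the caller.

```powershell
# Added example (not the article's own code): estimate the RAM and volume
# sizes this section describes from measured NTDS.DIT and SYSVOL sizes.
# Assumes it runs locally on a domain controller as an administrator.

function Get-AdSizingEstimate {
    param(
        [Parameter(Mandatory)] [double] $NtdsBytes,
        [Parameter(Mandatory)] [double] $SysvolBytes,
        [double] $OsRamGB     = 2,   # placeholder: RAM recommended by the OS
        [double] $VendorRamGB = 0    # placeholder: other vendor recommendations
    )
    $GB = 1GB
    [pscustomobject]@{
        NtdsGB           = [math]::Round($NtdsBytes / $GB, 2)
        SysvolGB         = [math]::Round($SysvolBytes / $GB, 2)
        # Current database + SYSVOL + OS recommendation + vendor recommendations
        MinRamGB         = [math]::Round(($NtdsBytes + $SysvolBytes) / $GB + $OsRamGB + $VendorRamGB, 2)
        # 110% of NTDS.DIT must be free for offline defragmentation
        DefragFreeGB     = [math]::Round(1.10 * $NtdsBytes / $GB, 2)
        # ~300% of NTDS.DIT covers 3-5 years of growth plus defragmentation
        PlannedNtdsVolGB = [math]::Round(3.00 * $NtdsBytes / $GB, 2)
    }
}

function Measure-DcDirectorySizes {
    # Reads the database and SYSVOL locations from the registry on this DC and
    # measures them on disk.
    $ntdsParams   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogonParm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $ntdsPath   = $ntdsParams.'DSA Database file'
    $sysvolPath = $netlogonParm.SysVol

    $ntdsBytes   = (Get-Item -LiteralPath $ntdsPath).Length
    $sysvolBytes = (Get-ChildItem -LiteralPath $sysvolPath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{ NtdsBytes = [double]$ntdsBytes; SysvolBytes = [double]$sysvolBytes }
}

# Constructed sample: a 6 GB database and a 1.5 GB SYSVOL, no vendor add-on.
Get-AdSizingEstimate -NtdsBytes (6 * 1GB) -SysvolBytes (1.5 * 1GB) -OsRamGB 2

# On a real DC, feed in the measured sizes instead:
# $s = Measure-DcDirectorySizes
# Get-AdSizingEstimate -NtdsBytes $s.NtdsBytes -SysvolBytes $s.SysvolBytes -OsRamGB 2
```

Compare MinRamGB against the physical (or assigned virtual) memory and DefragFreeGB against the free space on the NTDS volume; falling short on either is what pushes the DC back to disk under load.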


Processor

Processors with few free cycles increase the time requests wait before execution. Server optimization should ensure that enough headroom is available to handle workload surges and, in the long run, minimize the response time to client requests. Reducing the load on the processors involves selecting the best processors, directing client requests to available processors, and using processor metrics to gauge system performance.

Performance Tuning

Performance tuning on the Active Directory has two objectives:

  • The optimal configuration and performance of the Active Directory to balance the load efficiently
  • All work sent to the Active Directory has to be efficient

For the objectives above to be met, three areas need to be looked at:

Capacity Planning

This means having enough domain controllers to provide redundancy and answer client requests quickly. All the server hardware must be able to handle the existing load. Capacity planning involves scaling up operations across multiple servers. Adding more resources such as RAM to the server is essential in preventing failures by ensuring that every aspect of the server works as intended.

A typical capacity planning takes place in three stages:

  1. Evaluating the existing environment by determining the current challenges.
  2. Determining the hardware needed according to the findings of the step above.
  3. Validating the deployed system to ensure that it works within the defined specifications.

Server-side Tuning

The domain controllers in the Active Directory are configured to handle loads efficiently. The System Administrator is supposed to balance the demands of individual users against available resources. Add-on products that manage bandwidth and port usage may be implemented to restrict network resource uses.

Active Directory Client/Application Tuning

The Active Directory has to be set up so that the client and application requests use the Active Directory to achieve maximum efficiency.

Domain Controllers and Site Considerations

Domain controller placement and site design revolve around optimization for referrals and optimization with trusts in mind.

A well-defined site topology is central to the performance of servers. Clients that do not get the requested services may report poor performance when querying the Active Directory. Since client requests can arrive over IPv4 or IPv6, the Active Directory should be configured to serve IPv6 addresses as well. By default, the operating system picks IPv6 over IPv4 if both are configured to send and receive data.

Most domain controllers use name resolution (reverse lookup) when determining the client's site. When this is slow, delays in the thread pool are inevitable and the domain controller becomes unresponsive. Optimizing the name resolution infrastructure keeps domain controller responses quick.

Another scenario to optimize is applications that locate read/write domain controllers in locations where read-only domain controllers are deployed. Optimizing this scenario means:

  • Changing the application code so that it does not contact writable domain controllers when a read-only domain controller would be sufficient.
  • Placing the read/write domain controller at the center of operations to reduce latency.

Optimization for Referrals

Referrals define how Lightweight Directory Access Protocol (LDAP) requests are processed when the domain controller does not hold a copy of the requested partition. The referral returned to the client contains the name of the partition, the port number, and the DNS name of a server that hosts it.

This information is used by the client to send requests to the server hosting the partition. The recommendation is to make sure that the site definitions and domain controllers are in place to reflect the client's needs. Deploying domain controllers from multiple domains in a single site, and relocating the applications, may also help fine-tune the domain controllers.

Optimization with Trusts in Mind

In an environment with multiple forests, trusts have to be defined according to the domain hierarchy. The secure channels at the root of the forest may become overloaded as authentication requests between domain controllers increase. This causes delays in far-flung Active Directories, and the overload shows up in inter-forest and lower-level trust scenarios. Some recommendations to help reduce forest trust overload:

  • Use the MaxConcurrentAPI setting to help distribute load across a secure channel.
  • Create shortcut trusts as needed depending on the load.
  • All domain controllers within a domain should be able to resolve names of, and communicate with, the trusted domain controllers.
  • All trusts should be based on locality considerations.
  • Reduce the chances of running into MaxConcurrentAPI limits by enabling Kerberos where possible and reducing the use of secure channels.

Name resolution across firewalls takes a toll on the system and in turn affects clients negatively. To overcome this, access to trusted domains needs to be optimized through the following steps:

  1. WINS and DNS should resolve names of the trusting domain controllers, with the domains listed explicitly. This counters the problem of static records, which tend to cause connectivity problems over time. Forwarders and secondary copies of the zones the clients need must be maintained manually.
  2. Converge the site names shared between trusted domains so that they reflect domain controllers in the same location, by ensuring IP addresses and subnets are linked to sites within the forest.
  3. Ensure all required ports are open and firewalls are configured to accommodate all trusts. Closed or restricted ports lead to repeated failed communication attempts, so clients experience timeouts and hung threads or applications.
  4. Domain controllers forming a trusting domain should be installed in the same physical location.
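The name resolution and port checks in steps 1 and 3 can be verified from a domain controller. The following PowerShell is an added example, not part of the original article: it resolves the DC locator SRV record of every trust of the local domain and probes each advertised domain controller on the ports a trust depends on (the port list is an assumption based on the standard AD services; adjust it to your environment).

```powershell
# Added example: verify DNS resolution and port reachability for every trusted domain.
# Requires the ActiveDirectory module (RSAT) and the DnsClient / NetTCPIP cmdlets.
Import-Module ActiveDirectory

# Constructed list of ports a trusted domain controller must expose (assumption).
$TrustPorts = @{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'SMB'
    464 = 'Kerberos password change'
}

function Test-TrustConnectivity {
    param([Parameter(Mandatory)][string]$TrustedDomain)

    # Step 1: DNS must return the DC locator SRV record of the trusted domain.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        # No SRV record: trust traffic cannot even find a domain controller.
        return [pscustomobject]@{
            Domain = $TrustedDomain; DC = '(unresolved)'; Port = $null; Service = 'DNS SRV'; Open = $false
        }
    }

    # Step 3: probe every advertised domain controller on every required port.
    foreach ($record in $srv) {
        foreach ($port in ($TrustPorts.Keys | Sort-Object)) {
            $open = Test-NetConnection -ComputerName $record.NameTarget -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                Domain  = $TrustedDomain
                DC      = $record.NameTarget
                Port    = $port
                Service = $TrustPorts[$port]
                Open    = $open
            }
        }
    }
}

# Enumerate the trusts of the local domain and report only what is broken.
Get-ADTrust -Filter * |
    ForEach-Object { Test-TrustConnectivity -TrustedDomain $_.Name } |
    Where-Object { -not $_.Open } |
    Format-Table -AutoSize
```

An empty table means every trusted domain resolved and every probed port answered; each remaining row is a firewall rule or DNS record to fix before clients start hitting the timeouts described above.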

When no domain is specified disabling trust checks on the availability domain, trust checks are recommended.


Setting Up Honey Pots for Active Directory 

The world of computing is replete with threats which, at any time, can compromise the security of your system. Unauthorized users may try to gain access to client machines and perform malicious activities using existing loopholes. A honey pot is a decoy network: it masquerades as a real, genuine network.

Honey Pots are used to trick intruders and give them the impression that they are attacking the right network. The activity of the attacker is then logged and studied. In a nutshell, a honeypot protects your system.

A Honey Pot is a computer system set up to lure would-be attackers and deflect their attempts to gain unauthorized access to the network. It is a system installed on a computer in order to simulate the behavior of the real system. The decoy system is isolated and monitored by system administrators.

Setting Up the Honey Pot Account

Securing an Active Directory is an important organizational policy that helps system auditors track relevant events and changes taking place in the network. Everyday threats are becoming more elusive which calls for the need to have several security measures to better handle threats, including those coming from insider attacks.

One way of implementing this is through the use of Honey Pot accounts to trick the attacker that they have full access to the system.

Within the Active Directory context, a Honey Pot administrator account can be set up because most attackers look for this account. The administrator account gives them the impression of having uncontrolled access to all resources of the Active Directory.

Advanced hackers may not fall for this trick, but using Honey Pots in your network is the best way of detecting malicious activity. System administrators need to realize that Honey Pots are not foolproof because some hackers will immediately know the legitimacy of the Honey Pot account. For the Honey Pot account to thwart the most sophisticated attacks, here is what the administrator needs to do:

  • Rename the Built-in Administrator Account
    This account has to be renamed and its default description removed. Naming the account means choosing a username that matches the Active Directory naming conventions.
  • Create Another User Account with the Username “Administrator”
    The default description for this account should be “Built-in account for registering the computer/domain”. The idea is to create a proxy Administrator with the same description as the default account.
  • Enable Auditing
    Enable auditing of activities such as failed and successful logon attempts for the account created in step two above. The auditing configuration may be used alongside a tool that enables searches and alerts whenever this account is accessed. The Microsoft built-in tooling may not deliver searches and alerts promptly, so a third-party tool such as Active Directory Audit Plus can be helpful for monitoring, searching, analyzing, and raising live alerts when a login attempt is made against the Honey Pot account.
  • Monitor the Honey Pot Activities
    Using an appropriate account auditing solution, all live activity on the account should be logged and monitored.
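The four steps above, carried out with built-in tooling, as an added example that is not part of the original article. It assumes the ActiveDirectory module, Domain Admin rights, and a replacement name for the real built-in account (`svc-ops-7731` here is a placeholder; use your own naming convention).

```powershell
# Added example: rename the real built-in Administrator, create the decoy, turn on
# logon auditing, and query the Security log for anything that touches the decoy.
Import-Module ActiveDirectory

$NewBuiltinName = 'svc-ops-7731'   # placeholder replacement name for the built-in account
$DecoyName      = 'Administrator'  # the decoy keeps the well-known name

# Step 1: find the built-in Administrator by its well-known RID (500), never by name,
# remember its description for the decoy, then rename it and clear the description.
$builtinSid = "$((Get-ADDomain).DomainSID.Value)-500"
$builtin    = Get-ADUser -Identity $builtinSid -Properties Description
$origDesc   = $builtin.Description

Rename-ADObject -Identity $builtin.DistinguishedName -NewName $NewBuiltinName
Set-ADUser -Identity $builtinSid -SamAccountName $NewBuiltinName -Description $null

# Step 2: create the decoy with the original description. It gets a long random password,
# no group memberships, and is never used for real work, so every touch is suspicious.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$randomPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $DecoyName -SamAccountName $DecoyName -Description $origDesc `
    -AccountPassword $randomPw -Enabled $true -PasswordNeverExpires $true

# Step 3: audit logons plus Kerberos and NTLM authentication (run on each domain controller
# or push the same subcategories through the Default Domain Controllers Policy).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

# Step 4: list every logon, Kerberos TGT request or NTLM validation naming the decoy.
function Get-HoneyPotLogonEvents {
    param([string]$Account = 'Administrator', [int]$Hours = 24)
    $ids   = '4624', '4625', '4768', '4771', '4776'
    $idExp = ($ids | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath = "*[System[($idExp) and TimeCreated[timediff(@SystemTime) <= $($Hours * 3600000)]]" +
             " and EventData[Data[@Name='TargetUserName']='$Account']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # Source host or address, whichever field the event type carries
                Source  = (($x.Event.EventData.Data |
                            Where-Object Name -in 'IpAddress', 'WorkstationName', 'Workstation').'#text') -join ' '
            }
        }
}

Get-HoneyPotLogonEvents -Account $DecoyName -Hours 24 | Format-Table -AutoSize
```

Because the decoy is never used legitimately, any row returned by `Get-HoneyPotLogonEvents` is an alert on its own, so the same XPath filter can be dropped into an event subscription or a SIEM rule for real-time notification.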

The four steps above should enable the Honey Pot account. It is also a good idea to have logging and monitoring activities on the renamed administrator account. The organization’s security policy should be that the renamed account should not be used unless it is a case of an emergency.

Tracking all Logon activities of all users is important in keeping the system security tight. The two accounts should now give an immediate alert when a Login attempt is made and thus the network is deemed secure and prepared for external intrusions.

Decisions to be Made When Deploying a Honey Pot

Before any consideration is made to deploy a Honey Pot account, here are some of the critical decisions system administrators are faced with:

  1. Reason for the Account
    Two primary reasons determine whether deploying a Honey Pot account is necessary. One is the need for an early security warning; the second is forensic analysis. Honey Pots address both by giving out the information needed for immediate follow-up.
  2. What Needs Protecting
    The most valuable objects in an Active Directory determine the type of fake account to be used as a Honey Pot. In most cases, Honey Pot accounts mimic web servers, file servers, application servers, database servers, and logon servers. There is also the option of deploying a Honey Pot that mimics open ports, or several ports with each one dedicated to a particular server type.
  3. The Active Directory Interaction Levels
    Three levels of interaction define Honey Pot accounts:
      • Low level
      • Medium level
      • High level

The low-level accounts give early warning signs of malicious activity; the medium-level accounts may have basic file structures to give the hacker a “true” reflection of the system content, while the high-level accounts may contain a complete copy of the server they emulate.

  4. The Location of the Honey Pot
    The Honey Pot should be located near the resources it is trying to protect. For example, a web server decoy account should share the IP address space where the real server is located.
  5. Real or Emulation Software
    Using real systems is a good idea because it becomes difficult for even the most advanced hacker to tell whether they are dealing with a Honey Pot. Using emulation software means having access to a built-in signature detection tool that is useful for monitoring.
  6. Monitoring and Alert Tools to Use
    A Honey Pot is only of value when logging takes place. The tool used for monitoring should be able to report on all activity in real time.
  7. How to Administer the Honey Pot
    Once a Honey Pot account is set up, it should keep running throughout the life of the services it mimics. At least one person (more if necessary) should be given control of the decoy accounts. Their responsibilities are the planning, installation, configuration, monitoring, and updating of the Honey Pot.

All communications coming through a Honey Pot are considered hostile. Therefore, the system administrators should use all these activities as an insight into the level and types of threats the network is prone to. A Honey Pot account should be treated as an added security setup and not a replacement of security measures already in place.

Active Directory Federation Services in Windows Server 2016 

When we look at IT businesses today, the most commonly spoken word is “cloud”. Cloud computing has made a huge impact on the way businesses function and are organized.

But with more possibilities usually come more problems, and one of the biggest challenges of doing business in the cloud is security and access control, especially in organizations that need extranet access.

With that in mind, Microsoft has introduced an improvement to the Microsoft Windows Server 2016 system. 

Active Directory Federation Services (ADFS)

Active Directory Federation Services (ADFS) provides access control and single sign-in across a wide variety of applications like Office 365, cloud-based SaaS applications, and other applications on the corporate network. 

It enables organizations to provide a sign-in and access control to both modern and legacy applications — on-premises and in the cloud — with the unified set of credentials and policies. 

ADFS was first presented as an additional download in Windows Server 2003 R2 edition. But in the Windows Server 2016 edition, it became one of the most significant components of the system. 

ADFS 2016 has numerous improvements to offer, but the two most important are the three new options for signing in without a password and support for any LDAPv3 directory.

Azure Multi-Factor Authentication  

The first option is the use of the Azure Multi-Factor Authentication (MFA) adapter for ADFS. Azure MFA can be configured for intranet or extranet, or as part of any access control policy. 

In the past, the on-premises Azure MFA server was the only way of eliminating passwords as an authentication method. Now, with the MFA adapter configured, the primary authentication method can be the username plus the OTP (One Time Password) code from the Azure Authenticator app.

With MFA as the additional authentication method, the user provides primary authentication credentials (using Windows Integrated Authentication — username and password, smart card, or user/device certificate), then comes a prompt for text, voice, or OTP based Azure MFA login. 

Access from Compliant Devices

ADFS 2016 upgraded device registration capabilities and enabled sign-on and access control based on the device compliance status. Sign-in is now possible with device credentials. And if/when device attributes change, compliance is re-evaluated, which brings certainty in enforcing policies. 

This is controlled through the following policies:

  • Enable Access only from devices that are managed and/or compliant. 
  • Enable Extranet Access only from devices that are managed and/or compliant.  
  • Multi-factor authentication for computers that are neither managed nor compliant.

Windows Hello for Business  

The Windows Hello for Business (formerly known as Microsoft Passport for Work) feature can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) user input to sign in. ADFS 2016 supports this way of authentication and enables user sign-in on all ADFS applications without the need for a password. 

LDAPv3 Support  

Another improvement in ADFS 2016 is support for a combination of Active Directory and third-party directories. With the addition of ADFS support for authenticating users stored in LDAP v3-compliant directories, ADFS can now be used for:  

  • Third party, LDAP v3-compliant directories.
  • Active Directory forests where an Active Directory two-way trust is not configured. 
  • Active Directory Lightweight Directory Services (AD LDS).

New and Improved Migration Procedure 

Earlier, this operation was pretty painful for administrators. It required building a completely new parallel server farm and exporting the configuration from the old farm so that it could be imported into the new one.

In ADFS 2016, Microsoft took a different approach and simplified the process considerably.

Now, moving from ADFS on Windows Server 2012 R2 to ADFS 2016 means adding new Windows Server 2016 servers to the existing Windows Server 2012 R2 farm. The farm keeps running at the 2012 R2 level at first; as more 2016 servers are added and the old ones are removed from the load balancer, the farm can be raised to the new level and the new features become usable.

More Features

Other than these, some more important new options and interesting features of ADFS 2016 are:

  • Supports the latest modern protocols which will provide a better user experience on the most relevant platforms (Windows, iOS, Android).
  • Ability to add industry standard OpenID Connect and OAuth 2.0-based authentication and authorization to applications in development.
  • A way to customize messages, images, logos, and web themes per application.
  • Streamlined auditing for easier administrative management and configuration to participate in confederations such as InCommon Federation and other implementations conforming to the eGov 2.0 standard. 

ADFS 2016 brought some of the most significant improvements in the development of the Windows Server platform, especially for extranet access. Many practitioners agree that listening to user feedback had a significant impact.

New Active Directory Features in Windows Server 2016

Active Directory is an extensively-used service on many enterprise networks. Besides offering authentication and authorisation services in Windows domain-type networks, Active Directory supports several other capabilities, which makes it popular.

Windows Server 2016 Active Directory Improved Features

In Windows Server 2016, the Active Directory Domain Services (AD DS) received several enhancements intended to help organisations realise optimised performance for their network resources.

In this article, we are going to talk about four significant features improved in AD DS.

Privileged Access Management (PAM)

Microsoft has introduced the privileged access management (PAM) feature to help safeguard AD DS against credential theft attacks. Examples of such attacks include spear phishing and pass-the-hash.

At its core, PAM depends on the Microsoft Identity Manager (MIM) as well as a domain functional level that is not below Windows Server 2012 R2.

MIM is responsible for provisioning what is called the bastion Active Directory forest. When PAM is configured, MIM creates a new Active Directory forest that is segregated so that it can only be accessed by privileged accounts. This newly created environment is kept free of any illicit activity.

With the trusted Active Directory environment in place, MIM can now control how permissions are assigned to users.

MIM offers workflows for granting administrative privileges based on the type of request approved. When users are given extra administrative privileges, they are also given memberships in the shadow security groups found in the secure forest.

What’s more, membership to the groups is time-bound. MIM has an expiring links feature which allows memberships to be revoked after the allocated time period elapses. Users are given just enough time to complete the allocated administrative duties. This time-controlled membership is defined as a time-to-live variable.

If a user enjoys time-controlled membership in several security groups, Microsoft has included improvements in Kerberos Key Distribution Center (KDC) to take care of such a situation by restricting his or her Kerberos ticket lifetime to the lowest attainable time-to-live value.
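The time-to-live mechanism described above is exposed directly by the AD DS cmdlets in Windows Server 2016 (in a full PAM deployment, MIM drives these operations in the bastion forest). The following is an added example, not taken from the article; the group and user names and the two-hour TTL are assumed values.

```powershell
# Added example: expiring group membership (the "expiring links" PAM relies on).
# Requires the ActiveDirectory module and a forest at the Windows Server 2016
# forest functional level.
Import-Module ActiveDirectory

$ShadowGroup = 'Tier0-Shadow-Admins'   # assumed shadow security group in the secure forest
$Requester   = 'alice'                 # assumed user whose request was approved
$Ttl         = New-TimeSpan -Hours 2   # assumed time the task is expected to take

# Enable the optional feature once per forest. This cannot be undone, so it is
# normally done only in the dedicated bastion forest.
$forest = Get-ADForest
$pamFeature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pamFeature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Add the member with a TTL. Once it elapses the link is removed automatically and
# the KDC caps the user's Kerberos ticket lifetime at the lowest remaining TTL of
# any such membership, so tokens cannot outlive the approved window.
Add-ADGroupMember -Identity $ShadowGroup -Members $Requester -MemberTimeToLive $Ttl

# Show remaining lifetimes: members added this way appear as <TTL=seconds,DN>,
# which is the value to watch when reviewing who currently holds the privilege.
Get-ADGroup -Identity $ShadowGroup -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```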

Furthermore, PAM also provides improved monitoring tools. As such, it makes it easy to quickly establish the users who requested access permissions, the level of access that was given, and the type of tasks that were completed.

Azure Active Directory Join

With the Azure Active Directory Join feature, you can deploy your identity management tasks to the cloud and benefit from centralised management for your corporate and personal devices.

The main objective of the Azure Active Directory Join is to offer the advantages of an on-premise Active Directory environment without much hassle for the users.

This new feature enables users to access Oxygen Services without the need of a Microsoft account. Oxygen Services, with its various features and settings, will be available on devices that are connected to on-premise Windows domain as well as devices connected to the Azure Active Directory account.

Azure Active Directory Join also allows devices, whether corporate-owned or BYOD, to benefit from single sign-on to web applications. It also allows those devices to be managed through Mobile Device Management (MDM) integration, even if they are not enrolled in Windows Intune.

It is also possible to use the feature to configure “Kiosk” mode for shared corporate and personal devices. There are also some developer improvements that enhance the process of creating applications for both enterprise and personal uses.

Microsoft Passport

The use of weak credentials is one of the major security issues facing the IT industry today. Most users do not care about their password security and engage in insecure habits like using the same password in numerous places, using poorly crafted passwords, and using simple passwords that are easy to guess.

Fortunately, Microsoft Passport intends to provide a solution to this issue. It incorporates two-factor authentication techniques that enhance the security of users’ passwords without needing the traditional, complex methods like physical smart cards.

Microsoft Passport is created to work together with Windows Hello (the in-built biometric sign-in for the Windows operating system).

Its two-factor authentication technique utilises the credentials available to the user together with the precise credentials of the device the user is accessing. Every user accessing a device is given a precise authenticator (referred to as hello) or a PIN, which verifies the identity of the user before being allowed access.

Microsoft is calling this new Passport feature “password-less authentication”, which can be deployed to safeguard traditional on-premise Active Directory environments and Azure Active Directory environments.

Additionally, the Passport feature can also be used with FIDO (Fast Identity Online) accounts. With the FIDO capabilities, Passport can be used across an extensive array of platforms and devices, eliminating the need to remember multiple passwords.

Deprecated features

There are a few features that are no longer supported in Windows Server 2016. For example, the old File Replication Service (FRS), which was used to replicate folder data between servers, has now been fully replaced by Distributed File System (DFS) Replication, which is used to replicate SYSVOL.

Furthermore, the Windows Server 2003 functional levels are not recognised in Windows Server 2016. Consequently, to achieve increased reliability and performance, all domain controllers still running Windows Server 2003 must be removed from the domain.

Therefore, it is recommended for companies to increase their functional level to Windows Server 2008 (or even to a higher level). Shifting to the higher functional levels guarantees optimal SYSVOL replication compatibility as well as faster support for enhanced performance.


Each of the above Active Directory features is intended to enhance the experience of the large community of Windows Server 2016 users.

PAM offers a technique for preventing credential theft when data is being exchanged in very sensitive environments.

Azure Active Directory Join allows users to benefit from the advantages of on-premise Active Directory without much hassle. Microsoft Passport aims to revolutionise the way authentication takes place.

Finally, the deprecated features point to Microsoft's commitment to eliminating flaws and inconsistencies in Windows Server 2016.
