ACTIVE DIRECTORY OVERVIEW
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CISA |[email protected] | www.sevecek.com |
NETWORK SERVICES (Active Directory Troubleshooting)
Central Database
LDAP – Lightweight Directory Access Protocol: database query language, similar to SQL; TCP/UDP 389, SSL TCP 636
Global Catalog (GC) – TCP/UDP 3268, SSL TCP 3269
D/COM Dynamic TCP – replication, NSPI, SPN registration, RODC pass-through, domain membership
Kerberos – UDP/TCP 88, KPASSWD TCP/UDP 464
Windows NT 4.0 SAM – SMB/CIFS TCP 445 (or NetBIOS): password resets, SAM queries
SMB/DCOM Dynamic TCP – Netlogon NTLM pass-through, Kerberos PAC validation
Client Port Requirements vs. DCs
DNS – UDP 53 (TCP 53 when request/response exceeds 512 B)
Ping – XP/2003 and older
LDAP – UDP 389, TCP 389, TCP 636, TCP 3268, TCP 3269
Kerberos – UDP/TCP 88, UDP/TCP 464
SMB – TCP 445
NTP – UDP 123
DCOM/RPC – TCP 135
Outlook – SAM/Netlogon DCOM (GC)
Server – SAM/Netlogon DCOM (pass-through authentication)
Server – Replication DCOM (dNSHostName, SPN registration)
+ DC-DC NTFRS or DFSR replication DCOM
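The port list above is easiest to verify from the client side. The following PowerShell script is an added example, not part of the slides: it asks the DC Locator which DC this client is using and tries a TCP connect to each port in the list. It assumes a domain-joined Windows client with NLTEST (built in). UDP ports (53, 88, 123, 389, 464) and the D/COM dynamic range cannot be checked with a TCP connect, so they are left out.

```powershell
# Added example (not from the slides): probe the TCP ports from the
# "Client Port Requirements vs. DCs" list against the DC the locator picked.
# Assumes a domain-joined Windows client with NLTEST available (built in);
# UDP ports and the D/COM dynamic range are not covered by a TCP connect.

# Port table copied from the slide; descriptions are the slide's own.
$RequiredTcpPorts = [ordered]@{
    53   = 'DNS (TCP fallback above 512 B)'
    88   = 'Kerberos'
    135  = 'DCOM/RPC'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos KPASSWD'
    636  = 'LDAP SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog SSL'
}

function Get-LocatorDc {
    # Ask the DC Locator which DC this client currently uses (NLTEST prints "DC: \\name").
    $line = nltest "/dsgetdc:$env:USERDNSDOMAIN" | Select-String '^\s*DC: '
    if (-not $line) { throw 'DC Locator did not return a DC' }
    $line.ToString().Split('\')[-1].Trim()
}

function Test-DcTcpPorts {
    param(
        [Parameter(Mandatory)][string]$Dc,
        [int]$TimeoutMs = 2000
    )
    foreach ($port in $RequiredTcpPorts.Keys) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Dc, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the port is closed/refused
                $open = $client.Connected
            } else {
                $open = $false               # filtered or host unreachable (timeout)
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            DC      = $Dc
            Port    = $port
            Service = $RequiredTcpPorts[$port]
            Open    = $open
        }
    }
}

# Usage: rows with Open = False point at a firewall between client and DC.
Test-DcTcpPorts -Dc (Get-LocatorDc) | Format-Table -AutoSize
```

A timeout (no answer at all) usually means a filtering firewall, while an immediate refusal means the DC is reachable but nothing listens on that port, which is a DC-side problem rather than a network one.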
Incoming trust establishment
DNS – UDP queries in case of forwarders; TCP zone transfer in case of stub zones
LDAP UDP – site location / Netlogon anonymous query for domain SID and NetBIOS name
SMB – anonymous secure channel LSASS query
Design Considerations
Distributed system: DCs disconnected for very long times (several months)
Multimaster replication with some FSMO roles: naming, schema, RID, PDC, infrastructure
Maintain compatibility with forest and domain functional levels: raising only; lowering is possible only down to 2008
Application LDAP available
Design Considerations
Example: Caribbean cruises, DC/IS/Exchange on board with tens of workstations and users, some staff hired during the journey. No or bad satellite connectivity only. DCs are synced after the ship is berthed at the main office.
Challenge: Must work independently for long time periods. Different independent cruise liners/DCs can accommodate changes to user accounts, email addresses, Exchange settings. Cannot afford to lose any one of them.
Network Interactions (DC Location)
Client 2000+ -> DNS: SRV query for "Any DC List"
Client 2000+ -> Any DC 2000+ (LDAP UDP): "Get My Site"
Client 2000+ -> DNS: SRV query for "My Site DC"
Client 2000+ -> My Site DC 2000+
Network Interactions (2008/Vista+ DC Location)
Client Vista+ -> DNS: SRV query for "Any DC List"
Client Vista+ -> Any DC 2008+ (LDAP UDP): "Get My Site", which also returns the "Next Closest Site"
Client Vista+ -> DNS: SRV query for "My Site DC"; if no DC of the own site answers, SRV query for "Close Site"
Client Vista+ -> My Site DC 2000+ or Close Site DC 2000+
Network Interactions (Join Domain)
Client 2000+ -> DC 2000+ (Kerberos): TGT: User; TGT: CIFS
Client 2000+ -> DC 2000+ (SMB): SAM Interface
Network Interactions (Local Logon)
Client 2000+ -> DC 2000+ (Kerberos): TGT: User; TGS: LDAP, CIFS
Client 2000+ -> DC 2000+ (LDAP): GPO List
Client 2000+ -> DC 2000+ (SMB): GPO Download
Network Interactions (Kerberos Network Logon)
Client 2000+ -> DC 2000+ (Kerberos): TGT: User; TGS: Server
Client 2000+ -> Server 2000+: App Traffic, with the TGS: Server ticket carried in-band
Server 2000+ -> DC 2000+ (SMB / D/COM Dynamic TCP): occasional PAC validation
Network Interactions (NTLM Network Logon)
Client 2000+ -> Server 2000+: App Traffic, with NTLM carried in-band
Server 2000+ -> DC 2000+ (SMB / D/COM Dynamic TCP): pass-through NTLM
Network Interactions (Basic/RDP Logon)
Client 2000+ -> Server 2000+: App Traffic, with clear text carried in-band
Server 2000+ -> DC 2000+ (Kerberos): TGT: User
Database
Microsoft JET/ESE engine (JET Blue), common with Microsoft Exchange
also used by DHCP, WINS, COM+, WMI, CA, CS, RDS Broker, Windows Search, SCOM agent, …
%WINDIR%\NTDS\NTDS.DIT, maintained with ESENTUTL
opened by LSASS.EXE
Processes and performance on a DC
LSASS – LDAP, Kerberos, NTLM, password changes, SID translation
DNS – queries, dynamic update
NTFRS/DFSR – GPO changes
SYSTEM – SMB server (SYSVOL)
SVCHOST – Windows Time Service
Scenarios: which services to run on a DC
Service                   | Support          | Notes
multi NIC                 | not recommended  | more adapters register into DNS; SMB client/server/network-provider issues
DNS                       | recommended      |
DHCP                      | yes              |
IAS/NPS                   | yes              |
RRAS                      | not recommended  | creates virtual network adapters which register into DNS; SMB client/server/network-provider issues
CA (AD CS)                | not recommended  | cannot rename the DC; cannot remove AD; moving the CA requires keeping the same computer name
IIS                       | not recommended  | creates user accounts; DCPROMO changes some NTFS permissions; IIS 7.0 uses IUSR and IIS_IUSRS which are not available in a 2003- domain; basic authentication requires the Log on Locally right
TS/RDS                    | no               | DCPROMO changes some NTFS permissions; regular users can access the server locally
TS/RDS Licensing          | recommended      | if domain/forest discovery is required
WDS                       | yes              |
WINS                      | not recommended  | disable NetBIOS altogether
RMS                       | not recommended  | requires IIS
ADFS                      | not recommended  | requires IIS
ADFS 2012 R2+             | yes              | does not require IIS
SQL                       | no               | creates user accounts; DCPROMO changes some NTFS permissions
Exchange 2000             | must             | different hardware/memory requirements; requires IIS; must be GC, no failover to other DCs; cannot be clustered; no role separation
Exchange 2003             | no               | (same notes as Exchange 2000)
Exchange 2007+            | not recommended  | (same notes as Exchange 2000)
Cluster                   | not supported    |
NLB                       | not supported    |
Forefront Client Security | no               |
SharePoint                | not recommended  | requires IIS; no role separation; performance issues
single-domain forest      | recommended      | forest is a security boundary; delegation can be achieved by OU security; can be more space consuming, but the GC contains most attributes usually, e.g. Outlook/GC/group modification KB306349
single-label FQDN         | discouraged      | supported, but much limited
Installation
DCPROMO /adv
DCPROMO /unattend:unattend.txt
  also installs the binaries on 2008 and newer
  even when only the binaries are installed, Windows Firewall also receives the exceptions for AD!
DCPROMO /uninstallbinaries
IFM installation: must be from the same OS version
log: %systemroot%\debug\dcpromo.log
Lab: Installation
Install IDTT, idtt.local on SRV1
Check services before and after the install:
  Active Directory Domain Services
  Security Accounts Manager
  Kerberos Key Distribution Center
  Netlogon
Check IPv4 and IPv6 DNS settings
Check NETSTAT -ano for opened ports
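The NETSTAT step of the lab can be made self-checking. The script below is an added example (not from the slides): it maps each listening TCP port on the DC to its owning process and compares the result with the process/port table on the "Installed services" slides (LSASS for SAM, KDC and LDAP; the SYSTEM process for SMB; dns.exe for DNS; svchost for the RPC endpoint mapper). It assumes Windows Server 2012 or later for Get-NetTCPConnection and is run on the DC itself.

```powershell
# Added example (not from the slides): the "NETSTAT -ano" lab step done with
# PowerShell, mapping listening TCP ports to their owning process and comparing
# them with the process/port table on the "Installed services" slides.
# Assumes Windows Server 2012 or later (Get-NetTCPConnection); run on the DC.

# Expected owners per the slides: LSASS hosts SAM, KDC and NTDS (LDAP);
# SMB is served by the SYSTEM process, DNS by dns.exe, RPC endpoint mapper by svchost.
$ExpectedListeners = @(
    @{ Port = 88;   Process = 'lsass';   Role = 'Kerberos KDC' }
    @{ Port = 464;  Process = 'lsass';   Role = 'Kerberos KPASSWD' }
    @{ Port = 389;  Process = 'lsass';   Role = 'LDAP (NTDS)' }
    @{ Port = 636;  Process = 'lsass';   Role = 'LDAP SSL (NTDS)' }
    @{ Port = 3268; Process = 'lsass';   Role = 'Global Catalog' }
    @{ Port = 3269; Process = 'lsass';   Role = 'Global Catalog SSL' }
    @{ Port = 445;  Process = 'System';  Role = 'SMB (SAM, SYSVOL)' }
    @{ Port = 135;  Process = 'svchost'; Role = 'DCOM/RPC endpoint mapper' }
    @{ Port = 53;   Process = 'dns';     Role = 'DNS' }
)

function Get-OwnerName([int]$ProcessId) {
    (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue).ProcessName
}

function Get-DcListenerReport {
    $listeners = Get-NetTCPConnection -State Listen
    foreach ($e in $ExpectedListeners) {
        $match = $listeners | Where-Object LocalPort -eq $e.Port | Select-Object -First 1
        $owner = if ($match) { Get-OwnerName $match.OwningProcess } else { $null }
        $status = if (-not $match) { 'NOT LISTENING' }
                  elseif ($owner -ne $e.Process) { 'UNEXPECTED OWNER' }
                  else { 'OK' }
        [pscustomobject]@{
            Port     = $e.Port
            Role     = $e.Role
            Expected = $e.Process
            Actual   = $owner
            Status   = $status
        }
    }
}

function Get-OtherListeners {
    # Everything else that listens on a DC; the D/COM dynamic TCP range
    # (replication, Netlogon, NSPI) legitimately shows up here.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -notin $ExpectedListeners.Port } |
        Select-Object LocalPort, OwningProcess, @{ n = 'Process'; e = { Get-OwnerName $_.OwningProcess } } -Unique |
        Sort-Object LocalPort
}

Get-DcListenerReport | Format-Table -AutoSize
Get-OtherListeners   | Format-Table -AutoSize
```

A port reported as NOT LISTENING right after promotion usually means the corresponding service (KDC, NTDS, DNS) has not started yet; an UNEXPECTED OWNER on one of the well-known ports is worth investigating before the DC goes into production.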
Lab: Sample data population
Run the populate-ad.bat script
Investigate what changes it made: DSA.MSC, DSSITE.MSC
Do not correct anything, even if you find problems
Installed services (hosted by LSASS)
Security Accounts Manager (SAM) – TCP 445, SMB + Named Pipes; serves NT 4.0 clients (NTLM pass-through, PAC validation) and "connect to domain"
Kerberos Key Distribution Center (KDC) – UDP, TCP 88, Kerberos; serves Windows 2000+ clients
Active Directory Domain Services (NTDS) – UDP, TCP 389, ... LDAP; serves LDAP/ADSI clients
NTDS – D/COM Dynamic TCP; serves NTDS replication and FIM/DRS API clients
NTDS.DIT – the database behind all of them
Restartable AD DS
Windows Server 2008+: the Active Directory Domain Services service (LSASS.EXE) can be stopped
The DS Restore Mode Admin can log on while it is stopped if
HKLM\System\CurrentControlSet\Control\LSA
DsrmAdminLogonBehavior = 1
Netlogon
Active Directory client: "secure channel" with a selected DC
Site-aware DC Locator
Connects the computer to the domain
Changes the computer password
SID/name translation
On DCs registers/deregisters the DC Locator DNS SRV records
Uninstallation
DCPROMO – requires working replication connectivity with other DCs
DCPROMO /forceremoval – does not access the network at all; can run in DS Restore Mode
NTDSUTIL Metadata Cleanup (interactive session):
  Metadata Cleanup
    Connection
      Connect to server srv2.idtt.local
      Quit
    Select operation target
      List sites
      Select site 0
      List domains in site
      Select domain 0
      List servers in site
      Select server 0
      Quit
    Remove selected server
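The interactive session above can be collapsed into one command, and the result should be verified. The following PowerShell is an added example, not from the slides: it passes the same menu commands to NTDSUTIL as arguments and then lists server objects in the Configuration partition that still carry an NTDS Settings child but no longer answer LDAP. It assumes the AD PowerShell module; the server and site names are placeholders.

```powershell
# Added example (not from the slides): the NTDSUTIL metadata cleanup above as a
# single non-interactive command, then a check for leftover server objects in
# the Configuration partition. Assumes the AD PowerShell module and that the
# removed DC's server and site names are known; both values are placeholders.
$RemovedServer = 'SRV2'                     # placeholder: DC removed with /forceremoval
$Site          = 'Default-First-Site-Name'  # placeholder: the site it lived in
$config   = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$RemovedServer,CN=Servers,CN=$Site,CN=Sites,$config"

# Each quoted argument is one menu command of the interactive session.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

function Get-OrphanedServerObjects {
    # A server object that still has an NTDS Settings (nTDSDSA) child but whose
    # host no longer answers LDAP is a cleanup candidate. A DC that is merely
    # offline looks the same, so confirm before removing anything.
    Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase "CN=Sites,$config" -Properties dNSHostName |
      ForEach-Object {
        $ntds = Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' `
                             -SearchBase $_.DistinguishedName -SearchScope OneLevel
        $answers = $false
        if ($_.dNSHostName) {
            try {
                $null = Get-ADRootDSE -Server $_.dNSHostName -ErrorAction Stop
                $answers = $true
            } catch {
                $answers = $false
            }
        }
        [pscustomobject]@{
            Server          = $_.Name
            HasNtdsSettings = [bool]$ntds
            AnswersLdap     = $answers
        }
      } |
      Where-Object { $_.HasNtdsSettings -and -not $_.AnswersLdap }
}

# Usage: after the cleanup the removed server should no longer be listed.
Get-OrphanedServerObjects | Format-Table -AutoSize
```

Because the check distinguishes a removed DC from an unreachable one only by whether LDAP answers, run it from a host that can normally reach all DCs; an entry for a DC that is known to be temporarily down is not a leftover.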
Disabling IPv6
Never uncheck the protocol in the NIC properties (Exchange stops working, clients cannot join the domain)
Instead set in the registry:
HKLM\System\CurrentControlSet\Services\TCPIPv6\Parameters
DisabledComponents = DWORD = 0x000000FF
Multinetworking
A Windows 2008 DC/DNS does not register DHCP-assigned IP addresses anymore!
Still good practice not to use more than one NIC
Lab: Unattended Installation
Move the SRVs to the appropriate sites (disable the original NIC first)
Set the correct DNS client settings
Install DCs on the remaining servers; automatically install DNS only on SRV2
  dcpromo /unattend:unattend-dc-replica.txt
  dcpromo /unattend:unattend-dc-child.txt
Wait until the DNS _msdcs zone is populated correctly with all the DC GUIDs (restart the NETLOGONs if you do not want to wait)
Initial Replica Source DC
Renaming DC (DFL 2003)
NETDOM COMPUTERNAME /Add
let it replicate through the whole forest
NETDOM COMPUTERNAME /MakePrimary
NETDOM COMPUTERNAME /Remove
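The three NETDOM steps with their arguments spelled out, plus a check for the "let it replicate" step, as an added example that is not part of the slides. NETDOM /Add writes the new name into msDS-AdditionalDnsHostName on the DC's computer object, so that attribute can be read from every DC to see when the change has arrived. The script assumes the AD PowerShell module; the host and domain names are placeholders for the lab.

```powershell
# Added example (not from the slides): the NETDOM rename sequence with its
# arguments filled in, and a check that the alternate name has replicated to
# every DC before making it primary. Assumes the AD PowerShell module; the
# names below are placeholders for the lab.
$OldName = 'srv2.idtt.local'        # placeholder: current FQDN of the DC
$NewName = 'dc-london.idtt.local'   # placeholder: new FQDN
$Domain  = 'idtt.local'             # placeholder: the DC's domain

# Step 1: add the new name as an alternate. NETDOM stores it in
# msDS-AdditionalDnsHostName on the computer object and registers SPNs for it.
netdom computername $OldName "/add:$NewName"

# Step 2: "let it replicate through the whole forest" - poll every DC of the
# domain until each one returns the alternate name from its own copy of the directory.
function Test-AlternateNameReplicated {
    param([string]$ComputerSam, [string]$Name)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $obj = Get-ADComputer -Identity $ComputerSam -Server $dc.HostName `
                              -Properties msDS-AdditionalDnsHostName
        [pscustomobject]@{
            QueriedDC = [string]$dc.HostName
            Present   = [bool]($obj.'msDS-AdditionalDnsHostName' -contains $Name)
        }
    }
}

$sam = $OldName.Split('.')[0] + '$'     # computer account sAMAccountName, e.g. SRV2$
do {
    $status = Test-AlternateNameReplicated -ComputerSam $sam -Name $NewName
    $status | Format-Table -AutoSize
    if ($status.Present -contains $false) { Start-Sleep -Seconds 60 }
} while ($status.Present -contains $false)

# Step 3: make the new name primary (the DC must be rebooted afterwards).
netdom computername $OldName "/makeprimary:$NewName"
# Step 4, after the reboot: drop the old name.
netdom computername $NewName "/remove:$OldName"
```

If the loop never finishes, the problem is replication rather than the rename; check it with REPADMIN /replsummary before proceeding to /MakePrimary.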
Renaming domains (FFL 2003)
RENDOM – can rename the forest root domain as well
nTDSDSA – msDS-ReplicationEpoch
Exchange server (in)compatibility! 2010 SP1+
SQL server – re-script (update) all logins
Lab: Troubleshoot DNS
On SRV1 open the DNS console
Delete the contents of the _msdcs zone
On each DC restart the Netlogon service:
  NET STOP netlogon & NET START netlogon
  Restart-Service Netlogon
  or NLTEST /DSREGDNS
Confirm the zone got populated correctly
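Both this lab and the unattended installation lab end with "confirm the _msdcs zone is populated"; the following PowerShell is an added example (not from the slides) that does that check for every DC. For each DC it resolves the DSA-GUID CNAME under _msdcs of the forest root (used by replication partners), the domain-wide _ldap._tcp.dc._msdcs SRV record (used by "Any DC List") and the site-specific SRV record (used after "Get My Site"). It assumes the AD and DnsClient PowerShell modules (Windows 8 / 2012 or later) on any domain member.

```powershell
# Added example (not from the slides): confirm that the _msdcs zone holds the
# locator records for every DC, which is the check behind "Wait until the DNS
# _msdcs zone is populated correctly with all the DC GUIDs" and "Confirm the
# zone got populated correctly". Assumes the AD and DnsClient PowerShell modules
# (Windows 8 / 2012 or later) on any domain member.
function Test-MsdcsRecords {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = (Get-ADForest).RootDomain
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $host = [string]$dc.HostName

        # Replication partners find a DC through <DSA GUID>._msdcs.<forest root>
        # (a CNAME); the DSA GUID is the objectGUID of its NTDS Settings object.
        $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $Domain).ObjectGUID
        $cname = Resolve-DnsName -Name "$dsaGuid._msdcs.$forest" -Type CNAME -ErrorAction SilentlyContinue

        # Clients find a DC of this domain through the _ldap._tcp.dc._msdcs.<domain> SRV records.
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.NameTarget -and $_.NameTarget.TrimEnd('.') -eq $host }

        # Site-specific record used after "Get My Site" in the DC location flow.
        $siteSrv = Resolve-DnsName -Name "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.NameTarget -and $_.NameTarget.TrimEnd('.') -eq $host }

        [pscustomobject]@{
            DC        = $host
            Site      = [string]$dc.Site
            GuidCname = [bool]$cname
            DomainSrv = [bool]$srv
            SiteSrv   = [bool]$siteSrv
        }
    }
}

# Usage: any False cell means Netlogon on that DC has not (yet) registered the
# record; restart Netlogon or run NLTEST /DSREGDNS on it and re-run this check.
Test-MsdcsRecords | Format-Table -AutoSize
```

Run it against the DNS server the clients actually use (set the client's DNS first, or add -Server to Resolve-DnsName), since a record present on the DC's own DNS but not yet replicated to the others is exactly the situation the "Clear DNS resolver cache" step in the next lab is about.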
Lab: Troubleshoot replication
On SRV1 open DSSITE.MSC
Move SRV1 into the London site
Clear the DNS resolver cache:
  NET STOP dnscache & NET START dnscache
Replicate the configuration to all the other DCs
Force all the other DCs to check the replication topology
Replicate the configuration from all the DCs back to SRV1
Force replication of all the links
Check the replication for errors:
  REPADMIN /replsummary
Initial Synchronization
HKLM\System\CCS\Services\NTDS\Parameters
Repl Perform Initial Synchronizations = 0
During startup, a DC tries to replicate with at least one partner
Setting 0 gives a fast startup on an isolated network, but loses the protection against
  USN rollback (restore of a snapshot/image)
  restore/seizure of FSMO roles
DNS Best Practice (diagram)
DC1 (AD + DNS) and DC2 (AD + DNS): each DC queries the other DC's DNS
Lab: DNS Best Practice
Disable IPv6 in the registry (disable-ipv6.reg)
Reconfigure SRV1 and SRV2 to query DNS mutually, as the DNS best practice says
Reconfigure all the other DCs to use SRV1 and SRV2 for their client DNS queries
PLANNING (Active Directory Troubleshooting)
Maximum number of objects: 2 147 483 393
Distinguished Name Tag (DNT)
  internal database identifier per DC
  only ever incremented, even when objects are deleted
  means all partitions on all DCs together
Installing a new DC starts with DNT = 0
  can be used to overcome the limit after huge object deletes
  cannot install from IFM – IFM reuses the DNTs
Maximum number of SIDs: 1 073 741 823 (30-bit) RID pool limit
  Windows 2012, or Windows 2008 R2 + KB2642658: 31-bit
  operational attribute sIDCompatibilityVersion = 1; FFL/DFL invariant
Atomic transaction: should not exceed 5000 changes
Group Limits
Access token: 1025 groups (including local/virtual groups)
Group members: up to 5000 on Windows 2000 FFL (recommended limit only, due to the atomic transaction size); no limit (500 million) with FFL 2003+ (linked multivalue replication)
Domain and DC limits
Maximum number of domains
800 with 2000 forest functional level
1200 with 2003+ forest functional level (non-linked multivalue)
Recommended maximum number of DCs
1200 DCs with 2003- domain level (FRS replication)
unlimited with 2008+ domain level and DFSR
Some other limits
Maximum GPOs applied
Each client will process up to 999 GPOs
Maximum number of trust links
Kerberos cannot traverse more than 10 trusts
Attribute limits
limits can be set in the schema: rangeLower, rangeUpper
Unicode String: maximum 10 485 552 characters
Octet String (binary data): maximum 10 485 560 bytes
In case of a multivalue attribute, every value may be up to this limit
Maximum 800/1200 (non-linked) values per object (a single value or every one from a multi-value counts)
Space consumption
Single attribute overhead ~ 80 B
1024 B binary ~ 1024 + 80 B in DB
1024 characters ~ 2048 + 80 B in DB
Empty user/computer account
3.7 kB (2008 R2 schema 4.5 kB)
Pure OU or a single DNS record
1.2 kB
Exchange
ca 35 own Exchange attributes
ca 1000 bytes overall
~ average 30 B per attribute
The big data
thumbnailPhoto
maximum 30 kB
userCertificate
1500 B
msPKIAccountCredentials
10 kB
What must be fast available
Logins, display names
Passwords
Group membership
DNS records
Email addresses, …
Common frequent modifying operations
Admin induced: create users/groups/computers/DNS; change group membership
User induced: change password on users/computers (users = 42??, computers = 30)
DNS dynamic update default = 14??
lastLogonTimestamp default = 14??
Common modifications example
200 people:
  200 users = 100x / month pwd + pwdLastSet
  200 users = 400x / month lastLogonTimeStamp
  200 PCs = 200x / month pwd + pwdLastSet
  200 PCs = 400x / month DNS update
  = 1100x / month ~= 1.5 / hour
5000 people: ~= 40 / hour
ACTIVE DIRECTORY LDS (ADAM) (Active Directory Troubleshooting)
Application LDAP
Arbitrary port number, can run TLS
Multiple instances and partitions on a single box
Replication managed by the Active Directory Sites and Services snap-in (requires MS-ADLDS-DisplaySpecifiers.ldf)
Separate schema: custom attributes etc.; can use different naming attributes (O=, C=)
Has a forest functional level (no DFL): msDS-Behavior-Version
Authentication
LDAP Simple Bind
NTLM/Kerberos for AD principals
Proxy authentication into AD: %systemroot%\ADAM\userProxy.ldf, userProxyFull.ldf
Mapping DNS to X.500
Works for AD DS as well as AD LDS; client feature of ADSI
accounting.ad.sevecek.com <-> DC=accounting,DC=ad,DC=sevecek,DC=com
AD DS registers partition names in DNS automatically
For AD LDS you must register the DNS name in DNS yourself
AD DS vs. AD LDS Sync and Management
ADSchemaAnalyzer – exports the AD DS schema into AD LDS
ADAMSync = DirSync – synchronizes objects (MS-AdamSyncConf.xml)
PowerShell/VBS/ADSI
LDF/ADSIEdit/DSSITE.MSC