Manage and Maintain Active Directory Domain Services · Deploying Domain Controllers in Azure IaaS...
Transcript of Manage and Maintain Active Directory Domain Services · Deploying Domain Controllers in Azure IaaS...
Sander BerkouwerCTO at SCCT10-fold Microsoft MVPActive Directory aficionado
Daniel GoaterSystems EngineerNetwrix
Manage and Maintain Active Directory Domain Services
Active Directory 101
Active Directory 101 vs. Exam 70-742
o Implement and manage a certificate authority (CA) hierarchy with AD CS
o Deploy and manage certificates
o Implement and administer Active Directory Federation Services (AD FS)
o Implement and administer Active Directory Rights Management Services (AD RMS)
o Monitor, troubleshoot, and establish business continuity for AD DS services
o Secure AD DS and user accounts
o Manage user settings by using GPOs
o Implement and manage Group Policy
o Configure and manage replication
o Implement AD DS sites
o Implement AD DS in complex environments
o Manage objects in AD DS
o Install and configure Domain Controllers Act
ive
Dir
ect
ory
10
1
Mic
roso
ft e
xam
70
-74
2
Ide
nti
ty w
ith
Win
do
ws
Se
rve
r 2
01
6
o Implement synchronization between AD DS and Azure AD
Agenda
Active Directory Domains and Trusts
Active Directory Sites and Replication
Securing Active Directory
How to determine which changes in your environment merit inspection
with Netwrix Auditor
Active Directory Domains and Trusts
Active Directory Domains
– Administrative boundary
– Group Policy boundary*
– Passwords and Account policies
– Domain DNS Zone replication
Create multiple Domains to:
– Satisfy replication and DNS requirements
– Allow for resource domains
Active Directory Domains vs. Forests
Active Directory Forests
– Security boundary
– Schema and Configuration partitions boundary
– Global Catalog replication
– Forest DNS Zone replication
Create multiple Forests to:
– Satisfy security, schema and perimeter network requirements
– Allow for mergers, acquisitions, etc.
Trusts
Trusts allow for inter-domain and inter-forest authentication and authorization
• 5 Types: Parent-Child, Tree Root, External, Shortcut and Forest trusts
• 2 relationships: One-way and Two-way trusts (basically 2 one-way trusts…)
• 2 scopes: Transitive and non-transitive trusts
A resource domain/forest trusts the account domain/forest
Security considerations
• SID Filtering prevents privilege escalation, based on sIDHistory
• Selective authentication limits authentication to specified resources only
Domain and Forest Functional Levels
New functionality might require an Active Directory functional level
• The Domain Functional Level (DFL) ensures all Domain Controllers run the version indicated by the DFL and
thus support the functionality
• The Forest Functional Level (FFL) ensures all Domains in the forest run the DFL indicated by the FFL and thus
support the functionality
Typical functionality that required raising the DFL/FFL
• Read-only Domain Controllers require the Windows Server 2003 FFL
• The Active Directory Recycle Bin requires the Windows Server 2008 R2 FFL
Best Practices for Multi-Domain environments
Take care of DNS
• Optimize DNS resolution using Conditional Forwarders or Stub zones
• Deploy a GlobalNames DNS zone to get rid of WINS dependencies
Think about the userPrincipalNames
• userPrincipalNames change and might lead to loss of (access to) data in environments with AD FS and cloud
– Align userPrincipalNames with email addresses
Coming from a previous version of Active Directory
Three ways to go to Windows Server 2016 Active Directory:
1. In-place upgrading Domain Controllers
2. Transitioning Domain Controllers
• Add new Windows Server 2016-based Domain Controllers
• Remove previously available Domain Controllers
3. Migrating Active Directory
• Use the Active Directory Migration Tool (ADMT) or 3rd party tooling
– Migrate user objects, groups, computer objects and (g)MSAs
– sIDHistory may be used to keep authorizations alive
• Migrate all objects and leave the old environment completely
Active Directory sites and replication
Active Directory Partitions
There are four partitions in the Active Directory database:
1. Configuration
• Contains the forest-wide information on the AD DS structure
2. Schema
• Contains the forest-wide information on object classes and rules for creating and manipulating objects and attributes
3. Domain
• Contains the object within the Active Directory domain
– Global Catalogs may have multiple domain partitions, where the partition for other domains only contain essential attributes on objects that traverse trusts
4. Application
Components of Active Directory object replication
The Directory Service Agent GUID
• Unique to a Domain Controller
• Persistent over the life of a Domain Controller
• Used in USNs to track Domain Controller’s originating updates
The InvocationID
• Used by DSA to identify a Domain Controller’s instance of the AD database
• Can change over time (e.g. during a DC restore operation)
Update Sequence Number (USN), aka “Logical Clock”
• Used by Domain Controllers to track updates sent and received
• Increases per write transaction, independently on each Domain Controllers
What about Timestamps?
• Conflict Resolution: Check the Stamps, last write wins
• Stamp = Version + Originating Time + Originating DSA
How Active Directory intra-site replication works
Active Directory Site
DC1 DC2
Unique Serial Number
400Unique Serial Number
270
High Watermark Tabel
<InvocationID of DC2>
270
High Watermark Tabel
<InvocationID of DC1>
400
412
412
282283
283
413
System Volume (SYSVOL) Replication
The System Volume share
• contains logon scripts, Group Policy templates, and GPOs
Two replication mechanisms for SYSVOL currently in the wild:
• File Replication Service (FRS)
– Has been around since Windows NT 4
– Primarily used in Windows Server 2003 and older domain structures
• Distributed File System Replication (DFS-R)
– Used in Windows Server 2008 and newer domains
Migrate SYSVOL replication from FRS to DFS Replication
• Raise the domain functional level to Windows Server 2008, and up
Use dfsrmig.exe to perform the migration
Active Directory Sites
Active Directory Sites identify network locations with fast, reliable network connections
• Sites are associated with subnet objects
Sites are used to manage:
• Replication, when Domain Controllers are separated by slow links
• Service localization:
– Domain controller authentication, based on SRV records
– Site-aware services and applications
o Like Distributed File System (DFS) and DNS A/AAA records
Implement additional Active Directory Sites to:
• Overcome a slow or non-existing link in the network
• Provide reliable authentication to users by a Domain Controller in a branch office
• Control replication between Domain Controllers using sitelinks and sitelink costs
• Control Active Directory service localization through DNS SRV records
Components of inter-site replication
Replication schedules and other options are available
• Only replicate during specific time frames
• Compress replication traffic
• Use SMTP instead of IP
Change notifications
PDC Chaining for password change integrity
Inter-site Topology Generator (ISTG)
• Process, activated on one Domain Controller per site
– Creates a view of the replication topology
– Automatically manages site links
– Automatically assigns a bridgehead server per site
• Leverages the intra-site Knowledge Consistency Checker (KCC)
Active Directory Site BActive Directory Site A
Active Directory Sitelink
Replication Schedule
How Active Directory inter-site replication works
DC1 DC2
Unique Serial Number
400Unique Serial Number
270
High Watermark Tabel
<InvocationID of DC2>
270
High Watermark Tabel
<InvocationID of DC1>
400
412
412
282282
DC3
High Watermark Tabel
<InvocationID of DC3>
100
Unique Serial Number
100
High Watermark Tabel
<InvocationID of DC2>
270282
112112
Bridgehead Server Bridgehead Server
Active Directory Sitelinks and Universal Group membership Caching
Site links connect Active Directory sites in scope
• Best Practice: Let the ISTG manage the site links
• Going manually?
– Only include two sites per site link
– Do not disable site link bridging
Universal Group membership Caching
• When no Global Catalog is available in a Site, the sitelink needs to be traversed to gain Universal group memberships.
– Universal Group Membership Caching solves this authentication delay
o May be enabled manually, per Site
o Cached indefinitely, updated every 8 hours (by default)
o May result in security concerns
Monitoring and managing replication
Use repadmin.exe
Use the Active Directory Replication Status Tool
Use System Center Operations Manager (SCOM)
Use Windows PowerShell
Securing Active Directory
Best Practices for Security with Active Directory
Secure Active Directory Domain Controllers
Disable legacy protocols like LM, NTLM and SMB1
Deploy strong authentication
Use (group) Managed Service Accounts
Deploy the Local Administrator Password Solution (LAPS)
Establish the right provisioning and deprovisioning processes
Audit critical object changes
Domain Controllers are prime targets for attacks
Secure Domain Controllers physically
• For kitchen cupboards and storage room scenarios, use RODCs
Deploy BitLocker Drive Encryption and/or Shielded VMs
Treat Domain Controller backups as Domain Controllers
Run the Security Configuration Wizard (SCW)
• Disable unnecessary services
• Block unwanted traffic
• Deploy to all Domain Controllers, based on the configuration of one
The skinny on Read-only Domain Controllers
Requirements:
– One Domain Controller running Windows Server 2008, or up
– Windows Server 2003 Forest Functional Level
Scoping
– Password Replication Policies allows for control of password caching on the Read-only Domain Controller, can be configured domain-wide, or RODC-specific
– Filtered Attribute Set can be used to scope attributes
Implement
– Run adprep.exe /rodcprep
– Install using
• Optionally: Add-ADDSReadOnlyDomainControllerAccount
• Install-ADDSDomainController –ReadOnlyReplica
Deploying Domain Controllers in Azure IaaS
Scenarios in which you might deploy AD DS on an Azure IaaS-based virtual machine:
• Disaster recovery
• Geo-distribution of Domain Controllers
• Isolate applications and services
Considerations during deployment include:
• Allow for multiple networking paths to Azure (VPNs, ExpressRoute, etc.)
• Create separate Active Directory Sites
• Do not provide fixed IP addresses to Domain Controllers in Azure IaaS
• Apply proper DNS
Best Practices for Strong Authentication
Privileged accounts
• Implement smart cards or multi-factor authentication
• Place them in the Protected Users group
– Prevents locally cached credentials, requires Kerberos, limits TGT
• Use Authentication Policies and Authentication Policy silos
– Scope admin accounts to admin workstations and servers only
– Use claims for rich authorization scenarios
Implement fine-grained password and account lockout policies
Implement Single Sign-on
Deploy Windows Hello for Business
Best Practices for Service Accounts
Organizations misuse domain-based user objects to run services
• Of course, they don’t change the passwords, “would break everything”
• No overview of where the user objects are used
• Usually no scoping
Use (group) Managed Service Accounts to run services, instead
• Automatic password management and SPN management
• Automatically scoped
• gMSAs require Windows Server 2012 Domain Controllers
Netwrix Auditor for Active Directory
About Netwrix Corporation
Year of foundation: 2006
Headquarters location: Irvine, California
Global customer base: over 9,000
Recognition: Among the fastest growing
software companies in the US with 140
industry awards from Redmond
Magazine, SC Magazine, Windows IT Pro
and others
Customer support: global 24/5 support
with 97% customer satisfaction
Netwrix Auditor Unified Platform
Netwrix Auditor for Active Directory
Netwrix Auditor for Windows File Servers
Netwrix Auditor for Oracle Database
Netwrix Auditor for Azure AD
Netwrix Auditor for EMC
Netwrix Auditor for SQL Server
Netwrix Auditor for Exchange
Netwrix Auditor for NetApp
Netwrix Auditor for Windows Server
Netwrix Auditor for Office 365
Netwrix Auditor for SharePoint
Netwrix Auditor for VMware
LinuxUnix
Free Add-Ons
Demonstration
Netwrix Auditor
Next Steps
Join us for the next session of the series:
Create and Manage Group Policy
Thursday, 20th September @ 2 pm BST / 3 pm CEST
https://www.netwrix.com/active_directory_101_nemea.html
Watch Paula Januszkewicz’s session at InsomniHack DPAPI and DPAPI-NG: Decrypting All Users’ Secrets and PFX Passwords to understand services and their security problems
Experiment with securing Domain Controllers and Service Accounts in your testlab
Contact Sales to obtain more information netwrix.com/contactsales
Sander BerkouwerCTO at SCCT10-fold Microsoft MVPActive Directory aficionado
Daniel GoaterSystems EngineerNetwrix
Thank you!
Questions?