Professional Documents
Culture Documents
tm tm
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
IntroductiontoRealtimePublishers
by Don Jones, Series Editor
Forseveralyearsnow,Realtimehasproduceddozensanddozensofhighqualitybooks thatjusthappentobedeliveredinelectronicformatatnocosttoyou,thereader.Weve madethisuniquepublishingmodelworkthroughthegeneroussupportandcooperationof oursponsors,whoagreetobeareachbooksproductionexpensesforthebenefitofour readers. Althoughwevealwaysofferedourpublicationstoyouforfree,dontthinkforamoment thatqualityisanythinglessthanourtoppriority.Myjobistomakesurethatourbooksare asgoodasandinmostcasesbetterthananyprintedbookthatwouldcostyou$40or more.Ourelectronicpublishingmodeloffersseveraladvantagesoverprintedbooks:You receivechaptersliterallyasfastasourauthorsproducethem(hencetherealtimeaspect ofourmodel),andwecanupdatechapterstoreflectthelatestchangesintechnology. Iwanttopointoutthatourbooksarebynomeanspaidadvertisementsorwhitepapers. Wereanindependentpublishingcompany,andanimportantaspectofmyjobistomake surethatourauthorsarefreetovoicetheirexpertiseandopinionswithoutreservationor restriction.Wemaintaincompleteeditorialcontrolofourpublications,andImproudthat weveproducedsomanyqualitybooksoverthepastyears. Iwanttoextendaninvitationtovisitusathttp://nexus.realtimepublishers.com,especially ifyouvereceivedthispublicationfromafriendorcolleague.Wehaveawidevarietyof additionalbooksonarangeoftopics,andyouresuretofindsomethingthatsofinterestto youanditwontcostyouathing.WehopeyoullcontinuetocometoRealtimeforyour educationalneedsfarintothefuture. Untilthen,enjoy. DonJones
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
IntroductiontoRealtimePublishers.................................................................................................................i Chapter1:ANonIntroductiontoActiveDirectory..................................................................................1 ABriefADHistoryandBackground............................................................................................................1 InventoryingYourAD........................................................................................................................................2 ForestsandTrusts..........................................................................................................................................3 DomainsandTrusts.......................................................................................................................................4 DomainControllers........................................................................................................................................6 GlobalCatalogs................................................................................................................................................7 . FSMOs..................................................................................................................................................................8 Containers..........................................................................................................................................................8 Subnets,Sites,andLinks.............................................................................................................................9 . DNS.....................................................................................................................................................................12 WhatsAhead......................................................................................................................................................12 ADTroubleshooting...................................................................................................................................12 ADSecurity.....................................................................................................................................................13 ADAuditing....................................................................................................................................................13 ADBestPractices.........................................................................................................................................13 ADLDS..............................................................................................................................................................13 LetsGetStarted!...............................................................................................................................................13 Chapter2:MonitoringActiveDirectory......................................................................................................14 MonitoringGoals..............................................................................................................................................14 . EventLogs...........................................................................................................................................................15 . SystemMonitor/PerformanceMonitor..................................................................................................21 CommandLineTools......................................................................................................................................25 NetworkMonitor..............................................................................................................................................26 SystemCenterOperationsManager.........................................................................................................29 ii
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ThirdPartyToolstoConsider....................................................................................................................29 WeaknessesoftheNativeTools............................................................................................................30 WaystoAddressNativeWeaknesses.................................................................................................30 VendorsinthisSpace.................................................................................................................................31 LetsStartTroubleshooting.........................................................................................................................31 . Chapter3:ActiveDirectoryTroubleshooting:ToolsandPractices................................................32 NarrowingDowntheProblemDomain..................................................................................................32 SeansSevenPrinciplesforBetterTroubleshooting....................................................................33 AFlowchartforADTroubleshooting..................................................................................................34 EasyStuff:NetworkIssues...........................................................................................................................35 NameResolutionIssues.................................................................................................................................36 LogSpelunking..................................................................................................................................................37 ADServiceIssues..............................................................................................................................................37 ClientDomainControllerIssues................................................................................................................39 ReplicationIssues.............................................................................................................................................40 ADDatabaseIssues..........................................................................................................................................42 GroupPolicyIssues..........................................................................................................................................43 KerberosIssues.................................................................................................................................................45 ComingUpNext.................................................................................................................................................46 Chapter4:ActiveDirectorySecurity............................................................................................................47 ActiveDirectorySecurityArchitecture...................................................................................................47 Authentication:Kerberos.........................................................................................................................47 Authorization:DACLs................................................................................................................................50 Auditing:SACLs............................................................................................................................................51 Configuration.................................................................................................................................................52 Distributedvs.CentralizedPermissionsManagement....................................................................53 DoItYourselfSecurityReportingandChanges.................................................................................54 iii
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Permissions....................................................................................................................................................55 DirectoryObjects.........................................................................................................................................55 ShouldYouRethinkYourSecurityDesign?...........................................................................................56 ThirdPartySecurityCapabilities..............................................................................................................57 Reporting........................................................................................................................................................57 . PermissionsManagement........................................................................................................................59 DNSSecurity.......................................................................................................................................................60 ComingUpNext.................................................................................................................................................62 Chapter5:ActiveDirectoryAuditing...........................................................................................................63 . GoalsofNativeAuditing................................................................................................................................63 NativeAuditingArchitecture......................................................................................................................63 . CommonBusinessGoalsforAuditing......................................................................................................71 WeaknessesofNativeAuditing..................................................................................................................72 ThirdPartyAuditingCapabilities.............................................................................................................74 ComingUpNext.................................................................................................................................................76 Chapter6:ActiveDirectoryBestPractices................................................................................................77 ShouldYouRethinkYourForestandDomainDesign?....................................................................77 ADDisasterRecovery.....................................................................................................................................78 SingleDomainController.........................................................................................................................78 EntireDomain...............................................................................................................................................79 EntireForest..................................................................................................................................................79 ADRestoresandRecycleBins.....................................................................................................................79 Security.................................................................................................................................................................83 ReplicationTopology......................................................................................................................................83 FSMOPlacement...............................................................................................................................................85 Virtualization......................................................................................................................................................85 OngoingMaintenance.....................................................................................................................................86 iv
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ComingUpNext.................................................................................................................................................87 Chapter7:ActiveDirectoryLightweightDirectoryServices.............................................................88 WhatIsADLDS?................................................................................................................................................88 Partitions.........................................................................................................................................................89 SynchronizingWithADDS......................................................................................................................90 Replication......................................................................................................................................................90 Authentication..............................................................................................................................................91 WhentoUseADLDS.......................................................................................................................................92 WhenNottoUseADLDS...............................................................................................................................93 TroubleshootingADLDS...............................................................................................................................93 AuditingADLDS................................................................................................................................................93 ComingUpNext.................................................................................................................................................95 Chapter8:AssortedTipsandTricksforActiveDirectoryTroubleshooting...............................96 TroubleshootingFSMORoles......................................................................................................................96 TroubleshootingDomainControllersinGeneral...............................................................................97 TroubleshootingTimeSync.........................................................................................................................98 TroubleshootingKerberos...........................................................................................................................99 TroubleshootingRIDs...................................................................................................................................100 TroubleshootingObjectDeletion............................................................................................................100 . TroubleshootingReplication.....................................................................................................................101 TroubleshootingDNS....................................................................................................................................101 TroubleshootingPermissions...................................................................................................................102 ThanksforReadingandGoodLuck....................................................................................................103 DownloadAdditionaleBooksfromRealtimeNexus!......................................................................103
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Copyright Statement
2011 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the Materials) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com.
vi
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Chapter1:ANonIntroductiontoActive Directory
TheworldhasbeenusingActiveDirectory(AD)formorethanadecadenow,sotheres probablylittlepointindoingatraditionalintroductionforthisbook.However,theresstill abitofcontextthatweshouldcoverbeforewegetstarted,andweshoulddefinitelythink aboutADshistoryasitappliestoourtopicsoftroubleshooting,auditing,andbest practices. TherealpointofthischapteristoidentifykeyelementsofADthatyouneedtocompletely inventoryinyourenvironmentbeforeproceedinginthisbook.Muchofthematerialinthe followingchapterswillrefertospecificinfrastructureelements,andwillmake recommendationsbasedonspecificsincommonADenvironmentsandscenarios.Tomake themostofthoserecommendations,youllneedtoknowthespecificsofyourown environmentsothatyouknowexactlywhichrecommendationsapplytoyouanda complete,uptodateinventoryisthebestwaytogainthatfamiliarity.Toconcludethis chapter,Illbrieflyoutlinewhatscomingupinthechaptersahead.
ABriefADHistoryandBackground
ADwasintroducedwithWindows2000Server,andreplacedtheNTDomainServices (NTDS)thathadbeenusedsinceWindowsNT3.1.ADisMicrosoftsfirstrealdirectory; NTDSwasprettymuchjustaflatuseraccountdatabase.ADwasdesignedtobemore scalable,moreefficient,morestandardsbased,andmoremodernthatitspredecessor. However,ADwas(andis)stillbuiltontheWindowsoperatingsystem(OS),andassuch sharessomeoftheOSsparticularpatterns,technologies,eccentricities,andother characteristics. ADalsointegratedasuccessortoMicrosoftsthennascentregistrybasedmanagement tools.KnowntodayasGroupPolicy,thisnewfeatureaddedsignificantrolestothe directorybeyondthenormaloneofauthentication.WithGroupPolicy,youcancentrally defineandassignliterallythousandsofconfigurationsettingstoWindowscomputers(and evennonWindowscomputers,withtherightaddins)belongingtothedomain.
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
WhenADwasintroduced,securityauditingwassomethingthatrelativelyfewcompanies worriedabout.Since2000,numerouslegislativeandindustryregulationsthroughoutthe worldhavemadesecurityandprivacyauditingmuchmorecommonplace,althoughADs nativeauditingcapabilitieshavechangedverylittlethroughoutthattime.Becauseofits centralroleinauthenticationandconfigurationmanagement,ADoccupiesacriticalrolefor securityoperations,management,andreviewwithinorganizations. Wealsohavetorecognizethat,outsidefromgoverningpermissionsonitsownobjects,AD doesntplayacentralroleinauthorization.Thatis,permissionsonthingslikefiles,folders, mailboxes,databases,andsofortharentmanagedwithinAD.Instead,thosepermissions aremanagedattheirpoint,meaningtheyremanagedonyourfileservers,mailservers, databaseservers,andsoforth.Thoseserversmayassignpermissionstoidentitiesthatare authenticatedbyAD,butthoseserverscontrolwhoactuallyhasaccesstowhat.This divisionoflaborbetweenauthenticationandauthorizationmakesforahighlyscalable, robustenvironment,butitalsocreatessignificantchallengeswhenitcomestosecurity managementandauditingbecausetheresnocentralplacetocontrolorreviewallofthose permissions. Overthepastdecade,wevelearnedalotabouthowADshouldbebuiltandmanaged.Gone arethedayswhenconsultantsroutinelystartedanewforestbycreatinganemptyroot domain;alsogonearethedayswhenwebelievedthedomainwastheultimatesecurity boundaryandthatorganizationswouldonlyeverhaveasingleforest.Inadditionto coveringtroubleshootingandauditing,thisbookwillpresentsomeofthecurrentindustry bestpracticesaroundmanagingandarchitectingAD. Wevealsolearnedthat,althoughdifficulttochange,yourADdesignisntnecessarily permanent.ToolsandtechniquesoriginallycreatedtohelpmigratetoADarenowusedto restructureAD,ineffectmigratingtoanewversionofadomainasourbusinesseschange, merge,andevolve.Thisbookdoesntspecificallyfocusonmergersandrestructures,but keepinmindthatthosetechniques(andtoolstosupportthem)areavailableifyoudecide thatadirectoryrestructureisthebestwaytoproceedforyourorganization.
InventoryingYourAD
Beforewegetstarted,itsimportantthatyouhaveanuptodate,accuratepictureofwhat yourdirectorylookslike.Thisdoesntmeanturningtothegiantdirectorydiagramthatyou probablyhavetapedtothewallinyourdatacenterorserverroom,unlessyouvedouble checkedtomakesurethatthingisuptodateandaccurate!Throughoutthisbook,Illbe referringtospecificelementsofyourADinfrastructure,andinsomecases,youmighteven wanttoconsiderimplementingchangestothatinfrastructure.Inordertobestfollowalong, andmakedecisions,youllwanttohaveallofthefollowingelementsinventoried.
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ForestsandTrusts
Mostorganizationshaverealizedthat,giventhepoweroftheforestlevelEnterprise Adminsgroup,theADforestisinfactthetoplevelsecurityboundary.Manycompanies havemultipleforests,simplybecausetheyhaveresourcesthatcantallbeunderthedirect controlofasinglegroupofadministrators.However,toensuretheabilityforusers,with theappropriatepermissionsofcourse,toaccessresourcesacrossforests,crossforest trustsareusuallydefined.Yourfirstinventoryshouldbetodefinetheforestsinyour organization,determinewhocontrolseachforest,anddocumentthetruststhatexist betweenthoseforests. Crossforesttrustscanbeoneway,meaningthatifForestAtrustsForestB,theconverseis notnecessarilytrueunlessaseparatetrusthasbeenestablishedsothatForestBexplicitly trustsForestA.Twowaytrustsarealsopossible,meaningthatForestAandForestBcan trusteachotherthroughasingletrustconnection.Foresttrustsarealsonontransitive:If ForestAtrustsForestB,andForestBtrustsForestC,thenForestAdoesnottrustForestC unlessaseparate,explicittrustiscreateddirectlybetweenAandC. Whenwetalkabouttrust,weresayingthatthetrustingforestwillacceptuseraccounts fromthetrustedforest.Thatis,ifForestAtrustsForestB,thenuseraccountsfromForestB canbeassignedpermissionsonresourceswithinForestA.Foresttrustsautomatically includeeverydomainwithintheforestsothatifForestAcontainsfivedomains,thenevery oneofthosedomainswouldbeabletoassignpermissionstouseraccountsfromForestB. Eachforestconsistsofarootdomainandmayalsoincludeoneormorechilddomains. Figure1.1showshowyoumightdocumentyourforests.Keyelementsincludemeta directorysynchronizationlinks,foresttrusts,andageneralindicationofwhateachforestis usedfor(suchasforusersorforresources).
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
DomainsandTrusts
Domainsactasakindofsecurityboundary.Althoughsubjecttothemanagementof membersoftheEnterpriseAdminsgroup,andtoadegreetheDomainAdminsoftheforest rootdomain,domainsareotherwiseindependentlymanagedbytheirownDomainAdmins group(orwhatevergroupthosepermissionshavebeenassignedordelegatedto). Accountdomainsarethosethathavebeenconfiguredtocontainuseraccountsbutwhich containnoresourceserverssuchasfileservers.Resourcedomainscontainonlyresources suchasfileservers,anddonotcontainuseraccounts.Neitherofthesedesignationsis strict,andneitherexistswithinADitself.Forexample,anyresourcedomainwillhaveat leastafewadministratoruseraccounts,usergroups,andsoforth.Thetypeofdomain designationisstrictlyahumanconvenience,usedtoorganizedomainsinourminds.Many companiesalsousemixeddomains,inwhichbothuseraccountsandresourcesexist.
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Domainsaretypicallyorganizedintoatree,beginningwiththerootdomainandthen throughdomainsthatareconfiguredaschildrenoftheroot.Domainnamesreflectthis hierarchy:Company.commightbethenameofarootdomain,andWest.Company.com, East.Company.com,andNorth.Company.commightbechilddomains.Withinsuchatree,all domainsautomaticallyestablishatransitiveparentchildtwowaytrust,effectively meaningthateachdomaintrustseachotherdomainwithinthesametree. Forests,asthenameimplies,cancontainmultipledomaintrees.Bydefault,therootofeach treehasatwoway,transitivetrustwiththeforestrootdomain(whichistherootofthe firsttreecreatedwithinthatforest),effectivelymeaningthatalldomainswithinaforest trusteachother.Thatsthemainreasoncompanieshavemultipleforests,becausethefull trustmodelwithinaforestgivestoplevelforestwidecontroltotheforestsEnterprise Adminsgroup. Evenifyourelyentirelyonthesedefaultinterdomaintrusts,itsstillimportantto documentthem,alongwiththedomainsnames.Figure1.2showshowyoumightbuilda domaindiagraminaprogramlikeMicrosoftOfficeVisio.Theemphasisinthisdiagramis onthelogicaldomainstructure.
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
DomainControllers
Domaincontrollers(DCs)arewhatmakeADwork.TheyretheserversthatrunADs services,makingthedirectoryareality.Itsabsolutelycrucial,asyoustartreadingthis book,thatyouknowhowmanyDCsyouhave,wheretheyrelocated,whatdomainstheyre in,andtheirindividualIPaddresses. Inmanyenvironments,DCsalsoprovideotherservices,mostfrequentlyDomainName Service(DNS).OtherrolesheldbyDCsmayincludeWINSandDHCPservices. ADCsmainroleistoprovideauthenticationservicesfordomainusersandforresources withinthedomain.Wetypicallythinkofthisauthenticationstuffashappeningmainly whenusersshowupforworkinthemorningandinmostcases,thatiswhenthebulkof theauthenticationtrafficoccurs.However,asusersattempttoaccessresourcesthroughout theday,theircomputerwillautomaticallycontactaDCtoobtainaKerberosticketforthose resources.Inotherwords,authenticationtrafficcontinuesthroughoutthedayalbeitata somewhatslower,moreevenlydistributedpacethanthemorningrush. Thatmorningrushcanbesignificant:EachuserscomputermustcontactaDCtologitself ontothedomain,andthenagainwhentheuserisreadytologon.Usersalmostalwaysstart thedaywithafewmappeddrives,eachofwhichmayrequireaKerberosticket,andthey usuallyfireupOutlook,requiringyetanotherticket.SomeoftheorganizationsIve consultedwithhaveeachuserinteractingwithaDCmorethanadozentimeseach morning,andthenseveraldozenmoretimesthroughouttheday. WetendtosizeourDCsforthatmorningrush,andthatcapacitygenerallyseesus throughoutthedayevenifwetaketheoddDCofflinemiddayforpatchingorother maintenance. EachDCmaintainsacomplete,read/writecopyoftheentiredirectory(theonlyexception beingnewfangledreadonlydomaincontrollersRODCs,whichasthenameimplies, containonlyareadablecopyofthedirectory).Multimasterreplicationensuresthatany changemadeonanyDCwilleventuallypropagatetoeveryotherDCinthedomain. ReplicationisoftenoneofthetrickiestbitsofAD,andisoneofthethingswetendtospend themosttimemonitoringandtroubleshooting.Notalldomaindataiscreatedequally: Somehighprioritydata,suchasaccountlockouts,replicatealmostimmediately(oratleast asquicklyaspossible),whilelesscriticalinformationcantakemuchlongertomakeitsway throughouttheorganization. Figure1.3showswhataDCinventorymightlooklike.Notetheemphasisonphysical details:IPaddresses,DNSconfiguration,domainmembership,andsoforth.
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
GlobalCatalogs
Aglobalcatalog(GC)isaspecificservicethatcanbeofferedbyaDCinadditiontoitsusual DCduties.TheGCcontainsasubsetofinformationabouteveryobjectinanentireforest, andenablesusersineachdomaintodiscoverinformationfromotherdomainsinthesame forest.EachdomainneedsatleastoneGC;however,giventhepopularityofExchange ServeranditsheavydependenceonGCs(Outlook,forexample,reliesonGCstodoemail addressresolution),itsnotunusualtoseeamajority,orevenall,DCsinadomain configuredasGCservers. MakesureyouknowexactlywhereyourGCsarelocated.Numerousnetworkoperations canbehinderedbyapaucityofGCs,buthavingtoomanyGCscansignificantlyincreasethe replicationburdenonyournetwork. Note InFigure1.3,GCisusedtoindicateDCsthatarealsohostingtheGCserver role. 7
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
FSMOs
Certainoperationswithinadomain,andwithinaforest,needasingleDCtobeincharge.It isabsolutelyessentialformosttroubleshootingprocessesthatyouknowwherethese FlexibleSingleMasterofOperation(FSMO)roleholderssitwithinyourinfrastructure: TheRIDMasterisinchargeofhandingoutRelativeIDs(RIDs)withinasingle domain(andsoyoullhaveoneRIDMasterperdomain).RIDsareusedtouniquely identifynewADobjects,andtheyareassignedinbatchestoDCs.IfaDCrunsoutof RIDsandcantgetmore,thatDCcantcreatenewobjects.Itscommontoputthe RIDMasterroleonaDCthatsusedbyadministratorstocreatenewaccountsso thatthatDCwillalwaysbeabletorequestRIDs. TheInfrastructureMastermaintainssecurityidentifiersforobjectsreferencedin otherdomainstypically,thatmeansupdatinguserandgrouplinks.Youhaveone oftheseperdomain. ThePDCEmulatorprovidesbackwardcompatibilitywiththeoldNTDS,andisthe onlyplacewhereNTDSstylechangescanbemade(anyDCprovidesreadaccessfor NTDSclients).GiventhatNTDSclientsarebecomingextinctinmostorganizations, thePDCEmulator(youllhaveoneineachofyourdomains,bytheway)doesntget usedalotforthatpurpose.Fortunately,ithasafewotherthingstokeepitbusy.For example,passwordchangesprocessedbyotherDCstendtoreplicatetothePDC Emulatorfirst,andthePDCEmulatorservesastheauthoritativetimesourcefor timesynchronizationwithinadomain. EachforestwillcontainasingleSchemaMaster,whichisresponsibleforhandling schemamodificationsfortheforest. EachforestalsohasaDomainNamingMaster,whichkeepstrackofthedomainsin theforest,andwhichisrequiredwhenaddingorremovingdomainstoorfromthe forest.TheDomainNamingMasteralsoplaysaroleinmaintaininggroup membershipacrosstheforest.
Containers
ThelogicalstructureofADisdividedintoasetofhierarchicalcontainers.ADsupportstwo maintypes:containersandorganizationalunits(OUs).Acoupleofbuiltincontainers(such astheUserscontainer)existbydefaultwithinadomain,andyoucancreatealltheOUsthat youwanttohelporganizeyourdomainsobjectsandresources.Again,aninventoryhereis critical,asseveraloperationsmostespeciallyGroupPolicyapplicationworkprimarily basedonthingslikeOUmembership. Figure1.4showsonewayinwhichyoumightdocumentyourOUandcontainerhierarchy. Dependingonthesizeanddepthofyourhierarchy,youcouldalsojustgrabascreenshot fromaprogramlikeActiveDirectoryUsersandComputers. 8
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Subnets,Sites,andLinks
InADterms,asubnetisanentryinthedirectorythatdefinesasinglenetworksubnet,such as192.168.1.0/8.Asiteisacollectionofsubnetsthatallsharelocalareanetwork(LAN) styleconnectivity,typically100Mbpsorfaster.Inotherwords,asiteconsistsofallthe subnetsinagivengeographiclocation. Links,orsitelinks,definethephysicalorlogicalconnectivitybetweensites.ThesetellADs replicationalgorithmswhichDCsareabletophysicallycommunicateacrosswidearea network(WAN)linkssothatreplicateddatacanmakeitswaythroughouttheorganization. Documentingyoursubnets,sites,andlinksisquiteprobablythemostimportantinventory youcanhaveforageographicallydisperseddomain.
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
10
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure1.6:Configuringasitelinkbridge. Asyoudocumentyoursites,thinkagainaboutnumbers:Howmanycomputersareineach site?Howmanyusers?Makeanotationofthesenumbers,alongwithanotationofhow manyDCsexistateachsite. Sitesshould,asmuchaspossible,reflectthephysicalrealityofyournetwork;theydont correspondtothelogicalstructureofthedomaininanyway.OnesitemaycontainDCs fromseveraldomainsorforests,andanygivendomainmayeasilyspanmultiplesites. However,sitelinksarekindofapartofthedomainslogicalstructurebecausethoselinks aredefinedwithinthedirectoryitself.Ifyouhavemultipledomains,itsworthbuildinga diagram(likeFigure1.5or1.6)foreachdomaineveniftheylooksubstantiallythesame. Infact,anygroupofdomainsthatspansthesamephysicalsitesshouldhaveidentical lookingsitediagramsbecausethephysicalrealityofyournetworkisntchanging.Going throughtheexerciseofcreatingthediagramswillhelpensurethateachdomainhasits linksandbridgesconfiguredproperly.
11
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
DNS
ThelastcriticalpieceofyourinventoryconsistsofyourDNSservers.Youshouldclearly documentwhereeachserverphysicallysitsandthinkaboutwhichclientsitserves.Most companieshaveatleasttwoDNSservers,althoughhavingmore(anddistributingthem throughoutyournetwork)canprovidebetterDNSperformancetodistantclients.AD absolutelycannotfunctionwithoutDNS,soitsimportantthatbothserversandclients havereadyaccesstoahighperformanceDNSserver.MostADproblemsarerootedinDNS issues,meaningmuchofourtroubleshootingdiscussionwillbeaboutDNS,andthat discussionwillbemoremeaningfulifyoucanquicklylocateyourDNSserversonyour network. Alsotrytomakesomenotationofwhichusers,andhowmanyusers,utilizeeachDNS servereitherasaprimary,secondary,orotherserver.Thatwillhelpgiveyouanata glanceviewofeachDNSserversworkload,andgiveyouanideaofwhichusersarerelying onaparticularserver. PuttingYourInventoryintoVisualForm AtoollikeMicrosoftOfficeVisioisoftenutilizedtocreateADinfrastructure diagrams,oftenshowingboththelogicalstructure(domains,forests,and trusts)andthephysicaltopology(subnets,sites,links,andsoforth).There arealsothirdpartytoolsthatcanautomaticallydiscoveryourinfrastructure elementsandcreatetheappropriatechartsanddiagramsforyou.Thebenefit ofsuchtoolsisthattheyrealwaysrightbecausetheyrereflectingreality notsomeonesmemoryofreality.Theycanusuallycatchchangesandcreate updateddiagramsmuchfasterandmoreaccuratelythanyoucan. Ilovetousethosekindsoftoolsincombinationwithmyownhanddrawn diagrams.Ifthetoolgeneratedpictureofmytopologydoesntmatchmyown picture,IknowIvegotaproblem,andthatcantriggeraninvestigationanda change,ifneeded.
WhatsAhead
Letswrapupthisbriefintroductionwithalookatwhatscomingupinthenextseven chapters.
ADTroubleshooting
Chapters2and3willconcernthemselvesprimarilywithtroubleshooting.InChapter2, wellfocusonthewaysandmeansofmonitoringAD,includingnativeeventlogs,system tools,commandlinetools,networkmonitors,andmore.Illalsopresentdesirable capabilitiesavailableinthirdpartytools(bothfreeandcommercial),withagoalofhelping youtobuildasortofshoppinglistoffeaturesthatmaysupporttroubleshooting,security, auditing,andotherneeds.
12
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ADSecurity
InChapter4,welldiveintoanddiscussthebasearchitectureforADsecurity.Welllook moreattheissueofdistributedpermissionsmanagement,anddiscusssomeofthe problemsthatitpresentsandsomeoftheadvantagesitoffers.Welllookatsomedoit yourselftoolsforcentralizingpermissionschangesandreporting,andexplorewhetheryou shouldrethinkyourADsecuritydesign.Wellalsolookatthirdpartycapabilitiesthatcan makesecuritymanagementeasier,anddiveintothelittleunderstoodtopicofDNS security.
ADAuditing
Chapter5willcoverauditing,discussingADsnativeauditingarchitectureandlookingat howwellthatarchitecturehelpstomeetmodernauditingrequirements.Illalsopresent capabilitiesthatareofferedbythirdpartytoolsandhowwellthosecanmeettodays businessrequirementsandgoals.
ADBestPractices
Chapter6willbearoundupofbestpracticesforAD,includingaquicklookatwhetheryou shouldreconsideryourcurrentADdomainandforestdesign(and,ifyoudo,howyoucan migratetothatnewdesignwithminimumriskandeffort).Wellalsolookatbestpractices fordisasterrecovery,restoration,security,replication,FSMOplacement,DNSdesign,and more.IllpresentnewideasforvirtualizingyourADinfrastructure,andlookatbest practicesforongoingmaintenance.
ADLDS
Chapter7givesmeanopportunitytocoveradditionalinformation:ADssmallercousin, ActiveDirectoryLightweightDirectoryServices(ADLDS).Welllookatwhatitis,whento useit,whennottouseit,andhowtotroubleshootandauditthisvaluableservice.
LetsGetStarted!
WithyourADinventoryupdatedandinhand,werereadytobegin.Thenextchapterwill introduceyoutothemajorityofthetoolsthatyoullneedtopryvaluableinformationoutof ADsothatyoucanstartassemblingyoursecurityandtroubleshootingutilitybelt.
13
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Chapter2:MonitoringActiveDirectory
ThefactisthatyoucantreallydoanythingwithActiveDirectory(AD)unlessyouhave somewayoffiguringoutwhatsgoingonunderthehood.Thatswhatthischapterwillbe allabout:howtomonitorAD.Ihavetomakeadistinctionbetweenmonitoringand auditing:Monitoring,whichwellcoverhere,isprimarilydonetokeepaneyeon functionalityandperformance,andtosolvefunctionalandperformanceproblemswhen theyarise.Auditingisanactivitydesignedtokeepaneyeonwhatpeoplearedoingwiththe directoryexercisingpermissions,changingtheconfiguration,andsoforth.Wehave chaptersonauditinglinedupforlaterinthisbook.
MonitoringGoals
TherearereallytworeasonstomonitorAD.Thefirstisbecausetheressomekindof problemthatyouretryingtosolve.Inthosecases,youreusuallyinterestedincurrent information,deliveredinrealtime,andyourenotnecessarilyinterestedinstoringthat dataformorethanafewmoments.Thatis,youwanttoseewhatshappeningrightnow. Youalsousuallywanttofocusinonspecificdata,suchasthatrelatedtoreplication,user logonperformance,orwhateveryouretroubleshooting. Thesecondreasontomonitorisfortrendingpurposes.Thatis,yourenotlookingata specificproblembutinsteadcollectingdatasothatyoucanspotpotentialproblems.Youre usuallylookingatamuchbroaderarrayofdatabecauseyoudonthaveanythingspecific thatyouneedtofocuson.Yourealsousuallyinterestedinretainingthatdatafora potentiallylongtimesothatyoucandetecttrends.Forexample,ifuserlogonworkloadis slowlygrowingovertime,storingmonitoringdataandexaminingtrendsperhapsinthe formofchartsallowsyoutospotthatgrowingtrend,anticipatewhatyoumightneedto doaboutit,andgetitdone. Havingthesegoalsinmindaswelookatsomeoftheavailabletoolsisimportant.Some toolsexcelatofferingrealtimedatabutarepooratstoringdatathatwouldprovide trendinginformation.Othertoolsmightbegreatatstoringinformationforlongterm trendingbutarentasgoodatprovidinghighlydetailed,veryspecific,realtime informationfortroubleshootingpurposes.Soaswelookatthesetools,welltrytoidentify whichbitstheyregoodat.
14
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
EventLogs
WindowsnativeeventlogsplayacrucialroleinmonitoringAD.Theeventlogsarent great,buttheyretheplacewhereADsendsadecentamountofdiagnosticandauditing information,soyouhavetogetusedtousingthem. Theresabitofadistinctionthatneedstobemade:TheeventlogisanativeWindowsdata store.TheEventVieweristhenativetoolthatenablesyoutolookattheselogs.Eventlogs themselvesarealsoaccessibletoawidevarietyofothertools,includingWindows PowerShell,WindowsManagementInstrumentation(WMI),andnumerousthirdparty tools.InWindowsServer2008andlater,theselogsViewerisaccessiblethroughthe ServerManagerconsole,whichFigure2.1shows.
Figure2.1:AccessingeventlogsinServerManager.
15
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Therearetwokindsoflogs.TheWindowsLogsarethesamebasiclogsthathavebeen aroundsincethefirstversionofWindowsNT.Ofthese,ActiveDirectory(AD)writes primarilytotheSecuritylog(auditinginformation)andtheSystemlog(diagnostic information).InWindowsServer2008,anewkindoflog,ApplicationsandServicesLogs, wereintroduced.ThesesupplementtheWindowsLogsbygivingeachapplicationthe abilitytocreateandwritetoitsownlogratherthandumpingeverythingintothe Applicationlog,aswasdoneinthepast.Inthesenewlogs,ADcreatesanActiveDirectory WebServiceslog,DFSReplicationlog,DirectoryServicelog,andDNSServerlog. Technically,DFSandDNSarentpartofAD,buttheydointegratewithandsupportAD,so theyreimportanttolookat. WindowsitselfalsocreatesnumerouslogsundertheMicrosoftfolder,asFigure2.1shows: GroupPolicy,DNSClientEvents,andafewothers,allofwhichcanoffercluesintoADs operationandperformance.DontforgetthatclientcomputersplayaroleinAD,aswell. LogsforNTLM,Winlogon,DNSClient,andsoforthcanallprovideusefulinformationwhen youretroubleshootinganADproblem. Althoughtheeventlogscancontainawealthofinformation,theirusefulnesscanbehitor miss.Forexample,theeventthatFigure2.2showsisprettyclear:Smartcardlogonsarent workingbecausethereisntacertificateinstalled.Mydomaindoesntusesmartcard logons,sothisisexpectedanddoesntpresentaproblem.
16
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
17
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
18
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
19
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure2.5:Suggestions,notevents. Thereprobablyisntanadministratoralivewhohasntspentasignificantamountoftimein GooglehuntingdownthemeaningbehindandresolutionfordozensofeventIDsover thecourseoftheircareers.Thatrealityhighlightskeyproblemsofthenativeeventlogs: Theyrenotcentralized.Althoughyoucanconfigureeventforwarding,itspretty painfultogetallofyourdomaincontrollerslogsintoasinglelocation.Thatmeans yourdiagnosticinformationisspreadacrossmultipleservers,givingyoumultiple placestosearchwhenyouretryingtosolveaproblem. Theyrenotalwaysveryclear.Confusing,vague,orobtusemessagesarewhatthe eventlogsarefamousfor.AlthoughMicrosofthasgraduallyimprovedthatoverthe yearsinsomeinstances,therearestillplentyofpoorexamplesinthelogs. Theyrefullofnoise.Worse,youcantrelyontheInformation,Warning,and Errortags.Sometimes,anInformationeventwillgiveyoutheclueyouneedto solveaproblem,andWarningeventsasweveseencancontaininformation thatisnottroublerelated. ThenativeViewertoolofferspoorfilteringandsearchingcapabilities,andno correlationcapability.Thatis,itcanthelpyouspotrelatedeventsthatmightpoint toaspecificproblemorsolution. 20
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
SystemMonitor/PerformanceMonitor
AlsolocatedinServerManagerisPerformanceMonitor,thenativeGUIbasedtoolusedto viewWindowsbuiltinperformancecounters.Anydomaincontrollerwillcontain numerouscountersetsrelatedtodirectoryservices,includingseveralDFSrelated categories,DirectoryServices,DNS,andmore.Thesearedesignedtoprovidethefocused, realtimeinformationyouneedwhenyouretroubleshootingspecificproblemstypically, performanceproblems,althoughnotnecessarily.AlthoughPerformanceMonitordoeshave theabilitytocreatelogs,containingperformancedatacollectedoveralongperiodoftime, itsnotagreattoolfordoingso.Moreonthatinabit. Itsdifficulttogiveyouafixedlistofcountersthatyoushouldalwayslookat;anyofthem mightbeusefulwhenyouretroubleshootingaspecificproblem.Thatsaid,thereareafew thatareusefulformonitoringADperformanceingeneral: DRAInboundBytesTotal/Secshowsinboundreplicationtraffic.Ifitszero,theres noreplication,whichisgenerallyaproblemunlessyouhaveonlyonedomain controller. DRAInboundObjectUpdatesRemaininginPacketprovidesthenumberofdirectory objectsthathavebeenreceivedbutnotyetapplied.Thisnumbershouldalwaysbe lowonaverage,althoughitmayspikeasreplicatedobjectsarrive.Ifitremainshigh, yourserverisntprocessingupdatesquickly. DRAOutboundBytesTotal/Secoffersthedatabeingsentfromtheserverdueto replication.Again,unlessyouvegotonlyonedomaincontroller,thiswillrarelybe zeroinanormalenvironment. DRAPendingReplicationSynchronizationshowsthenumberofdirectoryobjects waitingtobesynchronized.Thismayspikebutshouldbelowonaverage. DSThreadsinUseprovidesthenumberofprocessthreadscurrentlyservicing clients.Continuouslyhighnumberssuggestaneedforalargernumberofprocessor corestorunthosethreadsinparallel. KerberosAuthenticationsoffersabasicmeasureofauthenticationworkload. LDAPBindTimeshowsthenumberofmillisecondsthatthelastLDAPbindtookto complete.Thisshouldbelowonaverage;ifitremainshigh,theserverisntkeeping upwithdemand. LDAPClientSessionsisanotherbasicunitofworkloadmeasurement. LDAPSearches/Secoffersanothergoodbasicunitofworkloadmeasurement.
21
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Allofthesecountersbenefitfromtrending,astheyallhelpyouformabasicpictureofhow busyadomaincontrolleris.Inotherwords,itsgreatwhenyoucancapturethiskindof dataonacontinuousbasis,thenviewchartstoseehowitchangesovertime.Performance Monitoritselfisntagreattoolfordoingthatbecauseitsimplywasntdesignedtocollect weeksandweeksworthofdataanddisplayitinanymeaningfulway.However,itcanbe suitableforcollectingdataforshorterperiodsoftimesay,afewhoursthenusingthe collecteddatatogetasenseofyourgeneralworkload. Youllhavetodothatmonitoringoneachdomaincontroller,too,becausetheperformance informationislocaltoeachcomputer.Ideally,eachdomaincontrollersworkloadwillbe roughlyequal.Iftheyrenot,startlookingatthingslikeothertasksthecomputeris performing,orthecomputershardware,toseewhyonedomaincontrollerseemstobe workingharderthanothers. Thiskindofperformancemonitoringisoneofthebiggestmarketsforthirdpartytools, whichwelldiscusstowardtheendofthischapter.Usingthesameunderlyingperformance counters,thirdpartytools(aswellasadditional,commercialtoolsfromMicrosoft)can providebetterperformancedatacollection,storage,trending,andreportingandcaneven doabetterjobofsendingalertswhenperformancedataexceedspresetthresholds.What PerformanceMonitorisgoodatasFigure2.6showsisenablingyoutoquicklyview realtimedatawhenyourefocusingonaspecificproblem.
22
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
23
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
24
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
CommandLineTools
AhostofcommandlinetoolscanhelpdetectADproblemsorprovideinformationneeded tosolvethoseproblems.Thischapterisntintendedtoprovideacomprehensivelistof them,butoneofthemorewellknownandusefulonesincludesRepadmin.Thistoolcanbe usedtocheckreplicationstatusanddiagnosereplicationproblems.Forexample,asFigure 2.9shows,thistoolcanbeusedtocheckadomaincontrollersreplicationneighborsa wayofcheckingonyourenvironmentsreplicationtopology.Youllalsoseeifany replicationattemptswiththoseneighborshavesucceededorfailed.
25
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
NetworkMonitor
YoumightnotordinarilythinkofNetworkMonitororanypacketcapturetool,including WiresharkandothersasawayofmonitoringAD.Infact,withalotofpractice,theycan begreattools.Afterall,muchofwhatADdoesultimatelycomesdowntonetwork communications,andwithapacketcapturetool,youcaneasilyseeexactlywhats transpiringoverthenetwork.Figure2.10illustratesthemaindifficultyinusingthesetools.
26
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
27
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
28
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
SystemCenterOperationsManager
SystemCenterOperationsManagerisMicrosoftscommercialofferingformonitoringboth performanceandfunctionalityinADaswellasinnumerousotherMicrosoftproductsand Windowssubsystems.SCOM,asitsaffectionatelyknown,utilizesbothperformance countersandotherdatafeedsmuchasWindowsnativetoolsdo.WhatsetsSCOMapartare twothings: Dataisstoredforalongperiodoftime,enablingtrendingandotherhistoricaltasks DataiscomparedwithasetofMicrosoftprovidedthresholds,packagedinto ManagementPacks,thattellyouwhendatarepresentsagood,bad,orgoingbad condition
ThatlastbitenablesSCOMtomoreproactivelyalertyoutoperformanceconditionsthat aretrendingbad,andtothenshowyoudetailedrealtimeandhistoricaldatatohelp troubleshoottheproblem.Inmanycases,ManagementPackscanincludeprescriptive adviceforfailureconditions,helpingyoutotroubleshootandsolveproblemsmorerapidly. Asatool,SCOMaddressesmost,ifnotall,oftheweaknessesinthenativeWindowstoolset. Itdoessobyrelyingprimarilyonnativetechnologies,anditdoessoinawaythatoften imposeslessmonitoringoverheadthansomeofthenativetools.HavingSCOMcollect performancedataforamonth,forexample,isaloteasieronthemonitoredserverthan runningPerformanceMonitorcontinuouslyonthatserver.SCOMdoes,however,require itsowninfrastructureofserversandotherdependencies,soitaddssomecomplexityto yourenvironment. Unfortunately,oneofSCOMsgreateststrengthsitsabilitytomonitorawidevarietyof productsandtechnologiesfromasingleconsoleisalsoakindofweaknessbecauseit doesntofferalotoftechnologyspecificfunctionality.Forexample,SCOMisntagreatway toconstructanADreplicationtopologymapbecausethatsaveryADspecificcapability thatwouldntbeusedbyanyotherproduct.Inotherwords,SCOMisabitgeneric.Although itcanprovidegreatinformation,andgoodprescriptiveadvice,itisntnecessarilytheonly toolyoullneedtotroubleshooteveryproblem.SCOMcanalertyoutomosttypesof problems(suchasanunacceptablyhighnumberofreplicationfailures),butitcantalways helpyouvisualizetheunderlyingdatainthemosthelpfulway.
ThirdPartyToolstoConsider
Imnotnormallyafanofpitchingthirdpartyproducts,andImnotreallygoingtodoso here.Thatsaid,weveidentifiedsomeweaknessesinthenativetoolsprovidedwith Windows.SomeofthoseweaknessesareaddressedbySCOM,butbecausethattoolitselfis acommercialaddon(thatis,itdoesntcomefreewithWindows),youoweittoyourselfto considerotheraddoncommercialtoolsthatmightaddressthenativetoolsweaknessesin otherways,orperhapsatadifferentpricepoint.Thatsaid,whataresomeofthe weaknessesthatweretryingtoaddress?
29
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
WeaknessesoftheNativeTools
AlthoughIthinkMicrosofthasprovidedsomegreatunderlyingtechnologiesinthingslike eventlogsandperformancecounters,thetoolstheyprovidetoworkwiththosearepretty basic.Inordertodecideifareplacementtoolissuitable,weneedtoseeifitcancorrect theseweaknesses: NoncentralizedWindowstoolsareperserver,andwhenyouretalkingaboutAD, youretalkingaboutaninherentlydistributedsystemthanfunctionsasasingle, complicatedunit.Weneedtoolsthatcanbringdiagnosticandperformance informationtogetherintoasingleplace. RawdataWindowstoolsreallyjustprovideGUIaccesstounderlyingrawdata, eitherintheformofeventsorperformancecountersorwhatever.Thatsreallysub optimal.WhatwewantissomethingtotranslatethatdataintoEnglish,telluswhat itmeans,andpossiblyprovideintelligencearounditwhichisalotofwhatSCOM offers,really. LimiteddataWindowstoolscollecttheinformationavailabletothemthrough nativediagnosticandperformancetechnologiesandthatsit.Therearecertainly instanceswhenwemightwantmoredata,especiallymorespecificdatathatdeals withADanditsuniqueissues. GenericWindowstoolsareprettygeneric.TheEventViewerandPerformance Monitor,forexample,arentADspecific.ButanADspecifictoolcouldgoalongway inmakingbothmonitoringandtroubleshootingeasierbecauseitcouldpresent informationinaveryADcentricfashion.
WaystoAddressNativeWeaknesses
Thereareafewwaysthatvendorsworktoaddresstheseweaknesses: CentralizationBringingdatatogetherintooneplaceisalmostthefirstthingany vendorseekstoaddresswhenbuildingatoolset.EvenMicrosoftdidthiswithSCOM. IntelligenceTranslatingrawdataintoprocessedinformationtellingusif somethingisgoodorbad,forexampleisonewayatoolcanaddagreatdealof value.Prescriptiveadvice,suchasprovidingadviceonwhataparticulareventID meansandwhattodoaboutit,isalsouseful.Thiskindofbuiltinknowledgebase isamajorsellingpointforsometoolsets. MoredataSometoolseithersupplementorbypassthenativedatastoresand collectmoredetaileddatastraightfromthesource.Thismightinvolvetappinginto LDAPAPIs,ADsinternalAPIs,andsoforth. TaskspecificToolsthatarespecificallydesignedtoaddressADmonitoringcan oftendosoinamuchmorehelpfulwaythanagenerictoolcan.Replicationtopology maps,dataflowdashboards,andsoforthallhelpusfocusonADsspecificissues.
30
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
VendorsinthisSpace
Therearealotofplayersinthisspace.Alotalot.Someofthemajornamesinclude: Quest ManageEngine Microsoft BlackbirdManagementGroup NetIQ IBM NetPro(whichwaspurchasedbyQuest)
LetsStartTroubleshooting
NowthatyouknowhowtokeepaneyeonwhatADisdoing,yourereadytodiveinto troubleshootingthedirectorywhenitisntdoingtherightthing.Inthenextchapter,Ill introduceyoutoastructureddirectorytroubleshootingapproachdevelopedbyDirectory ServicesMVPAwardrecipientSeanDeuby.WelluseSeansapproachasaguidetoward trackingdownproblematicADsubsystemsandsolvingproblems.Atthesametime,Illbe explainingcoretroubleshootingtechniquesthatwillhelpmakeyouamoreefficientand effectivetroubleshooter.
31
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Chapter3:ActiveDirectory Troubleshooting:ToolsandPractices
Forthemostpart,inmostorganizations,ActiveDirectory(AD)justworks.Overthepast 10yearsorso,MicrosofthasimprovedbothADsperformanceanditsstability,tothepoint wherefeworganizationswithawelldesignedADinfrastructureexperiencedaytoday issues.Thatsaid,whenthingsdogowrong,itcanbeprettyscarybecausealotofusdont havedaytodayexperienceintroubleshootingAD.Thegoalofthischapteristoprovidea structuredapproachtotroubleshootingtohelpyouputoutthosefiresfaster. Forthischapter,IllbedrawingalotonthewisdomandexperienceofSeanDeuby,afellow MicrosoftMostValuableProfessionalawardrecipientandarealADtroubleshootingguru. Youmightenjoyreadinghisinfrequentlyupdatedblogat http://www.windowsitpro.com/blogs/ActiveDirectoryTroubleshootingTipsandTricks.aspx. Althoughhedoesntpostalot,whathedoespostisworththetrip.
NarrowingDowntheProblemDomain
HowdoyoufindawolfinSiberia?ItsaquestionIandothershaveusedtokickoffany discussionontroubleshooting.Siberiais,ofcourse,ahugeplace,andfindingaparticular anythingletaloneawolfistough.Theanswertotheriddleisamaximfor troubleshooting: Buildawolfprooffencedownthecenter,andthenlookononesideofthefence. Troubleshootingconsistsmainlyoftests,designedtoseeifaparticularrootcauseis responsibleforyourproblems.Theanswertotheriddleprovidesimportantguidance: Makesureyourtests(thatis,thewolfprooffence)candefinitivelyeliminateoneormore rootcauses(thatis,onewholehalfofSiberia).Dontbotherconductingteststhatcant eliminatearootcause.Forexample,ifausercantlogin,youmightfirstchecktheir physicalnetworkconnection.Doingsodefinitivelyeliminatesapotentialproblem (networkconnectivity)sothatyoucanmoveontootherpossiblerootcauses.Ofcourse, checkingconnectivityonlyeliminatesoneortwopossiblerootcauses;abetterfirsttest wouldeliminateawholehostofthem.Forexample,checkingtoseewhetheradifferent usercouldloginmighteliminatethevastmajorityofpotentialinfrastructureproblems, makingthatabetterwolfprooffence.
32
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
SeansSevenPrinciplesforBetterTroubleshooting
HereswhereIllrepeatexcellentadviceSeanDeubyonceoffered.Followtheseseven principles(whichIllexplainthroughthefilterofmyownexperience)andyoullbeafaster, bettertroubleshooterinanycircumstance. 1. BeLogical.Payattentiontohowyoureattemptingtosolvetheproblem.Beforeyou doanything,askyourself,WhatoutcomedoIexpectfromthis?IfIgetthat outcome,whatdoesitmean?IfIdontgettheexpectedoutcome,whatdoesthat mean?Dontdoanythingunlessyouknowwhy,andunlessyoucanstatewhatthe followupstepwouldbe. 2. RememberOccamsRazor.Simplyput,thesimplestsolutionisoftenthecorrectone. Dontstartrebootingdomaincontrollersuntilyouvecheckedthattheuseristrying thecorrectpassword. 3. WhatChanged?Ifeverythingwasworkingfineanhourago,whatsdifferent?Thisis wherechangeauditingtoolscancomeinhandy.AlthoughIdontspecifically recommendit,IveusedQuestsChangeAuditorforActiveDirectoryinthepast becauseitkeepsaverydetailed,realtimelogofchanges,anditsbeenabighelpin solvingsometrickyissues.Whateverchangedrecentlyisaverylikelycandidatefor beingtherootcauseofyourcurrentwoes. 4. DontMakeAssumptions.Itseasytomakeassumptions,butstickingwithan orderlyeliminationofpossiblecauseswillgetyoutotherootcauseoftheproblem moreconsistently.Forexample,dontassumethatjustbecauseoneusercanlogon thateverythingsokaywiththeinfrastructure;theproblemusermightbehittinga differentdomaincontroller,forexample. 5. ChangeOneThingataTime,andRetest.Youwontgetanywherewithfivepeople attackingtheproblem,eachonechangingthingsastheygo.Youalsowontget anywhereifyourechangingmultiplethingsatonce.Ifthebossistearinghishairout togetthingsfixed,remindhimthatyouhavejustasmuchcapabilitytofurtherbreak thingsifyourenotmethodical. 6. Trust,butVerify,Evidence.Sometimesaninaccurateproblemdescriptioncanget yougoinginthewrongdirectionsoverifyeverything(thisgoesbacktonot makingassumptions,too).Icantlogin!ausercriesoverthephone.Loginto what?youshouldask,beforedivingintoADproblems.Maybetheuseristalking abouttheirGmailaccount. 7. DocumentEverythingYouTry.Especiallyfortoughissues,documentingeverything youtrywillhelpkeepyoufromrepeatingsteps,andwillhelpyoueliminatepossible causesmoreeasily.Itsalsocrucialintheinevitablepostmortem,whereyouand yourcolleagueswilldiscusshowtokeepthisfromhappeningagain,orhowtosolve itmorequicklythenexttime.
33
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
AFlowchartforADTroubleshooting
SeanhasfurtherhelpedbycomingupwithanADtroubleshootingflowchart,whichIll reprintinpiecesthroughoutthischapter.YoushouldcheckSeansblogorWebsite(which isshownatthebottomofthechartpages)forthelatestrevisionoftheflowchart.Seans blogalsooffersafullsizedPDFversion,whichIkeeprightnearmydeskatalltimes.The flowchartstartswiththatisshowninFigure3.1,whichisthecorestartingpointthatgets youofftothedifferentsectionsofthechart.
Figure3.1:StartingpointinADtroubleshooting. Note IstronglyrecommendthatyouheadovertoSeansblogorWebsiteto downloadthePDFversionofthisflowchartforyourself.Youmayfindalater version,whichisgreatitllstillstartoffinbasicallythissameway. Startintheupperleft,withCablepluggedintonetwork?andworkdownfromthere.The basicsthewireportionshouldbethingsyoucanquicklyeliminate,butdonteliminate themwithoutactuallytestingthem.Youmight,forexample,attempttopingaknowngood IPaddressonthenetwork(usinganIPaddresspreventspotentialDNSissuesfrom becominginvolvedatthispoint).Ifthatdoesntwork,youvegotahardwareissueofsome kindtosolve.
34
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
EasyStuff:NetworkIssues
Apingdoes,ofcourse,starttoencroachontheNetworksectionoftheflowchart.Stick withIPaddressestothispointbecausewerenotreadytoinvolveDNSyet.Ifthepingisnt successful,andyouveverifiedthenetworkadapter,cabling,router,andother infrastructurehardware,yourereadytomoveontoFigure3.2,whichistheNetwork Issuesportionoftheflowchart.
35
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
NameResolutionIssues
IfapingtoadifferentintranetsubnetworkedbyIPaddress,itstimetostartpingingby computernametotestnameresolution.Watchthepingcommandsoutputtoseeifit resolvesaserversnametothecorrectIPaddress.Ideally,usethenameofadomain controllerortwobecauseweretestingADproblems.Ifpingdoesntresolvecorrectly,or cantresolveatall,yourereadytomoveintothenameresolutionissues. TheClientDCNameResolutionIssuesflowchartisdesignedforwhenyoure troubleshootingconnectivityfromaclienttoadomaincontroller;ifyouretroubleshooting problemsonaserver,youllskipthisstepandmoveoninthecoreflowchart(Figure3.1).If youareonaclient,theflowchartthatFigure3.3showswillcomeintoplay.
36
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
LogSpelunking
Oncenameresolutionisresolved,orifitisnttheproblem,youhaveabitofcheckingtodo beforeyoumoveon.Specifically,youregoingtohavetolookintheSystemandApplication eventlogsonthedomaincontrollersintheclientslocalsite(orwhateverdomain controlleryourehavingaproblemwith,ifitsjustaspecificone).Ifyoufindanyerrors, youllhavetoresolvethemandtheymaybemorespecifictoWindowsthantoAD.Dont ignoreanything.Infact,thatdontignoreanythingisahugereasonIhatedomain controllersthatdoanythingotherthanrunAD,andperhapsDNSandDHCP.Ioncehada domaincontrollerthatwashavingrealissuestalkingtothenetwork.Therewereabunch ofIISrelatederrorsinthelog,butIignoredthosewhatdoesIIShavetodowith networkingorAD,afterall?Ishouldnthavemadeassumptions:ItturnedoutthatIISwas moreorlessjammingupthenetworkpipe.ShuttingitdownsolvedtheproblemforAD. LogExploring Havingtodigthroughtheeventlogsonmorethanonedomaincontroller heck,evendoingitononeserveristimeconsumingandfrustrating.Thisis wheresomekindoflogconsolidationandanalysistoolcanhelp tremendously.Getallyourlogsintooneplace,andhavesoftwarethatcan prefiltertheevententriestojustthosethatneedyourattention.Software likeMicrosoftSystemCenterOperationsManagercanalsohelpbecauseone ofitsjobsistoscaneventlogsandcalltoyourattentionanyeventsthat requireit. Ifyoudontseeanyerrorsspecifictothedomaincontrollerorcontrollers,youmoveon. Yourelookingfirstforerrorsrelatedtotrusts,andifyoufindany,youllneedtoresolve them.Ifyoudidfinderrorsrelatedtothedomaincontrollerorcontrollers,andyou correctedthembutthatdidntsolvetheproblem,youremovingontoADserviceissues.
ADServiceIssues
Figure3.4containstheADserviceissueportionofthetroubleshootingflowchart.Here, wevemovedintothecomplexpartofADtroubleshooting.First,ofcourse,lookintheevent logforerrorsorwarnings.Dontignoresomethingjustbecauseyoudontunderstandit; youregoingtohavetoamassknowledgeaboutobscureADeventssothatyouknowwhich onescanbesafelyignoredinagivensituation.
37
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
38
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ClientDomainControllerIssues
Assumingyouresolvedanyclientnameresolutionissuesearlier,ifyourestillhaving problemswiththeclientcommunicatingwiththedomaincontroller,youllmovetothe ClientDCTroubleshootingchart,whichFigure3.5shows.
39
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Thisisalsothepointwhereyouregoingtowantachartofyournetworksothatyoucan confirmwhichdomaincontrollersshouldbeinwhichsites.Youllwantthatcharttoalso listeachsubnetthatbelongstoeachsite.Youhavetoverifythatrealitymatchesthe desiredconfiguration,anddontskipanysteps.Itseemsobvioustoassumethataclient wasgivenaproperaddressbyDHCPandisthereforeinthesamesite;dontevermakethat assumption.Ioncehadaclientthatseemedtobeworkingjustfinebutwasinfacthanging ontoanoutdatedIPaddress,makingtheclientbelieveitwasinadifferentsite.Theway ourLANwasconfigured,theincorrectIPaddresswasstillabletofunction(weusedalotof VLANstuffandIPaddressinggotincrediblyconfusing),buttheclientdidntseeitselfas beinginthepropersitesoitwouldnttalktotherightdomaincontroller.
ReplicationIssues
Iftheflowcharthasgottenyoutothispoint,weredealingwiththepageFigure3.6shows.
Figure3.6:Replicationissues.
40
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
TroubleshootingADreplicationisoftenperceivedasthemostdifficultandmysterious thingyoucandowithAD.Itslikemagic:eitherthetrickworksoritdoesnt,andyoull neverknowwhyeitherway.Iseemorepeoplestrugglewithreplicationissuesthanwith anythingelse,yetreplicationistheonethingthatcancomeupmostfrequently,duein largeparttoitsheavyrelianceonproperconfigurationandtheunderlyingnetwork infrastructure. Seanproposesfourreasons,whichIagreewith,thatmakereplicationtroubleshooting difficultforpeople.Inmywords,theyare: Theyvenotbeentrainedinaformaltroubleshootingmethodology.Moreadmins thanyoumightbelievetendtotroubleshootbyrote,meaningtheytrythesame thingsinthesameordereverytimewhichisgoodwithoutreallyunderstanding whattheyretestingwhichisbad. Theydontapproachtheproblemlogically.Thinkaboutwhatshappening.Doesit makesensetotestnameresolutionbetweentwodomaincontrollerswhenother communicationsbetweenthemseemunhindered? Theydontunderstandhowreplicationworks.This,Ithink,isthebiggestproblem.If youdontunderstandwhatshappeningunderthehood,youhavenomeansof isolatingindividualprocessesorcomponentstotestthem.Ifyoucantdothat,you cantfindtheproblem. Theydontunderstandwhatthetoolsdo.Thisisalsoabigproblembecauseifyou dontreallyknowwhatsbeingtested,youdontknowhowtoeliminatepotential rootcausesfromyourlistofsuspects.
Ultimately,youcantjustruntoolsintheordersomeoneelsehasprescribed.Seanproposes fourstepstohelpproceed;Iprefertolimitthelisttothree: 1. Formahypothesis.Whatdoyouthinktheproblemis?Afirewallrule?IPaddressing problem?DNSproblem?Applywhateverexperienceyouhavetojustpickaproblem thatseemslikely. 2. Predictwhatwillhappen.Inotherwords,ifyouthinkexternalcommunications mightbefailing,youmightpredictthatinternalcommunicationswillbefine. 3. Testyourprediction.Useatooltoseeifyoureright.Ifyouare,youvenarrowedthe problemdomain.Ifyourenot,youformanewhypothesis. Ifyourememberscienceclassfromelementaryschool,youmightrecognizethisasthe scientificmethod,anditworksaswellfortroubleshootingasitdoesforanyscience. Replicationtroubleshootingcannotproceedunlessyouvealreadyresolvednetworking, localonlyissues,andotherproblemsthatprecedethisstepinthecoreflowchart.Once youvedonethat,youllfindyourselfquicklylookingforOSrelatedissuesintheeventlog, thenmoveontotheDcdiagtooltheflowchartprovidesaURLwithadescriptionofthe teststorun.
41
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ADDatabaseIssues
Next,youllmoveintotroubleshootingtheADdatabase,whichiscoveredintheflowchart thatFigure3.7shows.
Figure3.7:ADdatabasetroubleshooting.
42
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Here,youllprobablybetakingadomaincontrollerofflinesothatyoucanrebootinto DirectoryServicesRestoreMode(DSRM)makesureyouknowtheDSRMpasswordfor whateverdomaincontrolleryouredealingwith.YoulluseNTDSUTILtocheckthefile integrityoftheADdatabaseitselfbecause,atthispoint,werestartingtosuspect corruptionofsomekind.Ifyoufindit,youllbedoingadatabaserestore.Ifyoudonthavea backup,youreprobablylookingatdemotingandrepromotingthedomaincontroller,if notrebuildingtheserveentirely.Sorry. Again,thisiswherethirdpartytoolscanhelp.YoumayhavethoughtthattheADRecycle BinfeatureofWindowsServer2008R2wasagreatfeature,butitisntdesignedtodeal withatotaldatabasefailure.Thirdpartyrecoverytools(whichareavailablefrom numerousvendors)cangetyououtofajamhere.Makesureyourenotusingtooolda backup;ideally,domaincontrollerbackupsshouldntbeolderthanafewdays.Older backupswillrequirethedomaincontrollertoperformalotmorereplicationwhenitcomes backonline,andaveryoldbackupcanreintroducetombstoned(deleted)objectstothe domain,whichwouldbeaBadThing.
GroupPolicyIssues
Ifyouvemadeitthisfar,ADsmostcomplexcomponentsareworking,andyoureonto troubleshootingoneoftheeasierelements.First,recognizethattherearetwobroad classesofproblemwithGroupPolicy:nosettingsfromaGroupPolicyobjectarebeing appliedorthewrongsettingsarebeingapplied.Thischapter,asshownintheflowchartin Figure3.8,isconcernedonlywiththeformer.Ifyouregettingsettingsbutnottheright ones,youneedtodiveintotheGPOs,ResultantSetofPolicy(RSoP),andothertoolsto discoverwherethewrongsettingsarebeingdefined.
43
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure3.8:GroupPolicytroubleshooting. TroubleshootingGPOsisprettymuchaboutverifyingtheirconfiguration.Ifauserisnt gettingaspecificGPO,theproblemwillbeduetoreplication,inheritance,asynchronous processing(whichmeanstheyregettingtheGPO,justnotasquicklyasyouexpected),and soforth.GroupPolicyiscomplicated,andknowingallthelittletricksandgotchasiskeyto solvingproblems.IrecommendbuyingJeremyMoskowitzlatestbookonthesubject;hes prettymuchtheindustryexpertonGroupPolicyandhisbookscomeswithgreat explanationsandflowchartstohelpyoutroubleshoottheseproblems. UnravelingwhatschangedisalsotheeasiestwaytofixGPOproblems.Unfortunately, mosttoolsthattrackADconfigurationchangesdonttouchGPOsbecauseGPOsarent storedinADitself.TherearetoolsthatcanplaceGPOsunderversioncontrol,andcanhelp trackthechangesrelatedtoGPOsthatdoliveinAD(suchaswheretheGPOsarelinked). Quest,NetWrix,BlackbirdGroup,andNetIQalloffervarioussolutionsinthesespaces.
44
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
KerberosIssues
Finally,thelastareawellcoverisKerberos.Figure3.9showsthelastpageintheflowchart.
Figure3.9:Kerberosissues. Here,youllneedtoinstallresourcekittools,preferablyKerbtray.exe,sothatyoucangeta peekinsideKerberos.YoullalsoneedastrongunderstandingofhowKerberosworks. Heresabriefbreakdown: Whenyoulogon,yougetaTicketGrantingTicket(TGT)fromyourauthenticating domaincontroller.ThisenablesyoutogetKerberostickets,whichprovideaccessto aspecificserversresources.Eachserveryouaccesswillrequireyoutohaveaticket forthatserver.Soeachtimeyouaccessanewservereveryday,youllhavetofirst contactadomaincontrollertogetthatticket. Ticketvalidityiscontrolledbytimestamps.Everymachineinthedomainneedsto haveroughlythesameideaofwhattimeitis,whichiswhyWindowsautomatically synchronizestimewithinthedomain.Askewofabout5minutesisallowedby default.
45
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Thereareafewotheruncommonissuesalsocoveredbytheflowchart.
ComingUpNext
Withthistroubleshootingguidanceunderyourbelt,itstimetomoveontoournextAD topic:security.Iveseenanincredibleamountofconfusionandmisinformationwithregard toADsecurityoverthepastfewyears,soweregoingtostartbysteppingbacktobasics andlookingatADssecurityarchitecture.WellspelloutADsrealroleinsecuringyour organizationsresources,andlookatreasonsyoumightwanttorethinkyourcurrent securitydesign.WellevenpeekatDNSsecurity.ItsallcomingupinChapter4.
46
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Chapter4:ActiveDirectorySecurity
Inthesecurityworld,AAAisusuallythetermusedtodescribethebroadfunctionalityof security:authentication,authorization,andauditing.ForaWindowscentricnetwork, ActiveDirectory(AD)servesoneofthoseroles:authentication.Internally,ADalsohas authorizationandauditingfunctionality,whichareusedtosecureandmonitorobjects listedwithinthedirectoryitself.Inthischapter,welltalkaboutallofthesefunctions,how ADimplementsthem,andsomeoftheprosandconsofADssecuritymodel.Wellalsolook atreasonsyourownsecuritydesignmightbedueforareview,andpotentiallyaremodel. Thischapterwillalsodiscusssecuritycapabilitiesusuallyacquiredfromthirdparties.I know,itwouldbenicetothinkthatADiscompletelyselfcontainedandcapableofdoing everythingweneedfromasecurityperspective.Inamodernbusinessworld,however, thatsrarelytrue,asweshallsee.
ActiveDirectorySecurityArchitecture
Asmentioned,ADhasaroleineachofthethreemainsecurityfunctions.Letstakeeach oneseparately.
Authentication:Kerberos
MicrosoftadoptedanextendedversionoftheindustrystandardKerberosprotocolforuse withinAD.ComparedwithMicrosoftsolderauthenticationprotocol,NTLM,Kerberos providesdistinctbenefits: Mutualauthentication.Bothsidesofanysecuritytransactionareidentifiedand authenticatedtoeachother.WithNTLM,theclientwasauthenticated,buttheclient wasntabletoverifytheserversidentity. Distributedprocessing.Clientsareresponsibleformaintaining100%ofthe informationneededtoauthenticatethemselvestoaserver;serversmaintain nothing.Thatbehaviorreducesserveroverhead,improvingoverallperformance. Secure.UnlikeNTLM,Kerberosdoesnttransmitanyportionofyourpasswordover thenetworkatanytimenoteveninencryptedform.Thus,passwordsremainabit safer.
47
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
InAD,KerberosreliesonthefactthattheKDCsaroleplayedbydomaincontrollers haveaccesstoahashedversionofeveryuserandcomputerpassword.Theusersand computers,ofcourse,knowtheirpasswords,andthecomputers(whichuserslogonto,of course)knowthesamepasswordhashingalgorithmasthedomaincontrollers.Thissetup enablesthehashedpasswordstobeusedasasymmetricencryptionkey:IftheKDC encryptssomethingwithauserorcomputerpasswordastheencryptionkey,thatuseror computerwillbeabletodecryptitusingthesamehashedpassword. Whenauserlogson,theircomputerontheusersbehalfcontactstheKDCandsendsan authenticationpacket.TheKDCattemptstodecryptitusingtheusershashedpassword, andifthatissuccessful,theKDCcanreadtheauthenticationpacket.TheKDCconstructsa ticketgrantingticket(TGT),encryptingitfirstwithitsownencryptionkey(whichtheuser doesntknow),thenagainwiththeuserskey(whichtheuserdoesknow).Theusers computerstoresthisTGTinaspecialareaofmemorythatisntswappedtodiskatany time,sotheTGTisneverpermanentlystored.TheTGTcontainstheuserssecuritytoken, listingallofthesecurityidentifiers(SIDs)fortheuserandwhatevergroupstheybelongto. Whentheuserneedstoaccessaserver,theircomputerresendstheTGTtoadomain controller.ThedomaincontrollerdecryptstheTGTusingitsprivatekeykeepinmind thattheresnowaytheusercouldhavetamperedwiththeTGTandstillhavethat decryptionworkbecausetheuserdoesnthaveaccesstothedomaincontrollersprivate key.TheKDCcreatesacopyoftheTGTcalledaticket,andencryptsitusingthehashed passwordofwhateverservertheuserisattemptingtoaccess.Thatsencryptedagainusing theuserskey,andsenttotheuser.Theuserthentransmitsthattickettotheserverthey wanttoaccess,alongwitharequestforwhateverresourcetheyneed. Theserverattemptstouseitskeytodecrypttheticket.Ifitsabletodoso,thenseveral thingsareknown: Theserveristheonetheuserintended,becauseifitwerent,itwouldnthavethe keyneededtodecryptandreadtheticket. Theusersidentityisknown,becauseitsincludedinaticketthatonlytheserver couldread. Theusersidentifyistrustedbecausetheticketwasencryptednotbytheuserbut bytheKDC,andinawaythatonlytheKDCandtheservercouldread.
48
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
49
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure4.2:TheKerbTrayutility. Thisutilityalsoprovidesaccesstoseveralkeypropertiesofaticket,includingwhetherit canberenewed,whetheritcanbeforwardedbyaservertoanotherserverinordertopass alongausersauthentication,andsoforth. KerberosprimaryweaknessisadependenceontimefortheinitialTGTrequesting authenticator.Inordertopreventsomeonefromcapturinganauthenticatoronthe networkandthenreplayingitatalatertime,Kerberosrequiresauthenticatorstobetime stamped,andwillbydefaultrejectanyauthenticatormorethanafewminutesold.Domain computerssynchronizetheirtimewiththeirauthenticatingdomaincontroller(after authentication),anddomaincontrollerssynchronizewiththedomainsPDCEmulatorrole holder.Withoutthistimesync,computersclockswouldtendtodrift,takingthemoutside thefewminutesKerberoswindowandmakingauthenticationimpossible.
Authorization:DACLs
AsIvealreadymentioned,ADsmainroleisauthentication.However,forinformation suchasusersandcomputers,alongwithconfigurationobjectslikesitesandservices insidethedirectory,ADalsoperformsitsownauthorizationandauditing. EveryADobjectsissecuredwithadiscretionaryaccesslist.DACLsfollowthesamebasic structureasWindowsNTFSfilepermissions.TheDACLconsistsofalistofaccesscontrol entries.EachACEgrantsordeniesspecificpermissiontoasinglesecurityprinciple,which wouldbeauseroragroup.Figure4.3showsaprettytypicalADpermissionsdialog.
50
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure4.3:ADpermissionsdialog. AswithNTFSpermissions,objectscanhavedirectlyappliedACEsintheirDACLs,andthey caninheritACEsfromcontainingobjectsDACLs.Inmostdirectoryimplementations,for example,userobjectshavefewornodirectlydefinedACEsbutinsteadinheritalloftheir ACEsfromacontainingorganizationalunit(OU). ACEsactuallyconsistofapermissionsmask(whichdefinesthepermissionstheACEis grantingordenying)andaSID.WhendisplayingACEsinadialogbox,Windowstranslates thoseSIDstouserandgroupnames.Doingsorequiresaquicklookupinthedirectory,soin abusynetwork,itssometimespossibletoseetheSIDsforabriefmomentbeforetheyre replacedwiththelookedupuserorgroupnames. Itsimportanttounderstandthat,inAD,computersarethesamekindofsecurityprinciple asauser,meaningcomputersdonthaveanyspecialpermissions.Forexample,ifaRouting andRemoteAccessServer(RRAS)machineisattemptingtoauthenticateadialinuser,the servermightneedtolookatpropertiesoftheusersADaccounttoseewhethertheuser hasanydialintimerestrictions.Doingsorequiresthattheserverhavepermissiontoread certainattributesoftheusersaccount,whichiswhythedialoginFigure4.2showsthe RASandIASServersusergroupashavingpermissionstotheusersaccountwithout thatpermission,theserverwouldbeunabletoexaminetheusersaccounttodetermine whetherthedialinwastobeallowed.
Auditing:SACLs
AuditingisdefinedinSecurityAccessControlLists(SACLs),whichsimplydefinewhat actions,bywhichusers,willresultinalogentrybeingmadeinWindowssecuritylog.Well coverauditinginmoredetailinthenextchapter.
51
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Configuration
AD,likeanyWindowscomponent,hasitsownconfigurationsettings,manyofwhichcan affectsecurity.Forexample,considerFigure4.4,whichshowstheGroupPolicyObject (GPO)settingsforKerberos.
Figure4.4:KerberossettingsinaGPO. Thesesettingsdefinitelyhaveasecurityimpact:TheycontrolhowlongaKerberosticketis valid,howoftenitcanberenewed,howmuchtimeslipisallowedforclockmissync,and soforth. PartofthechallengewithADisthatsettingslikethesearescatteredallovertheplace. SomeareintheregistryandcanbemodifiedwithaGPO;otherslivewithinADitself,and areaccessedbyvariousconsolesandcommandlinetools.Keepingeverythingstraightcan becomplex;innewerversionsofWindows,MicrosofthasaddedaBestPracticesAnalyzer (BPA),whichhelpsreviewallofthesesettingsandmakerecommendationsabouthowto configurethemforbettersecurity,reliability,performance,andsoforth.Figure4.5shows anexample.
52
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Distributedvs.CentralizedPermissionsManagement
ADplayssuchacentralroleinauthenticationthatitseasytoforgetthatthedirectory reallyhasnorolewhatsoeverinenterprisewideauthorizationorauditing.Inotherwords, thedirectoryknowswhoyouare,butithasnocluewhatyoureallowedtodo. Thisisbothastrengthandabenefit.WithWindowscurrentarchitecture,eachserver maintainsitsownDACLsontheresourcesitcontains,whichmightconsistofdatabases, files,mailboxes,orwhatever.Theresnoneedtobuildtherobustcentralpermissions infrastructurethatwouldberequiredifserversdidntmaintaintheirownDACLs.Thus, thearchitectureisbetterperformingandlowercost.
53
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Unfortunately,Windowsdistributionpermissionsmanagementevolvedwhenthe operatingsystem(OS)wasprimarilyusedbysmallworkgroups,notbymassivecompanies withmillionsofsecurables.Thedisadvantageofthedistributedpermissionsmanagement isthatcertainsecurityquestionssuchas,Whatresourcesdoesthisuserhaveaccessto? areimpracticaltothepointofimpossibility.Theonlywaytoanswerthequestionwouldbe tomanuallyscaneverysingleDACLoneverysingleservertoseewherethatuserora groupheorshewasamemberofappears.Doingthatondemandjustisntfeasible.And thinkaboutit:Whenanewuserstartswithacompany,someoneneedstoknowwhat permissionsheorsheneeds.Theanswerisusually,Oh,givehimthesamepermissionsas soandso,whodoesthesamejob.Theproblemisthattheresnowaytofindoutwhat permissionssoandsohasinthefirstplace! ADsusergroupsdoallowforsomedegreeofcentralizationifanorganizations administratorsarecareful.Inotherwords,ifyouassignpermissionsonlytousergroups (whichisapracticeMicrosoftrecommends),thenyoucancentrallymanagethosegroups membershipwithinAD.However,althoughthispracticemakesiteasiertogiveanewuser thesamepermissionsasthatotherguy,itsstillimpracticaltogetaninventoryofwhat resourcesagivengrouphasaccesstobecauseyoustillhavetoscanalloftheDACLs. Theresalsonowayofenforcingthispractice,andmanyadministratorshaveputouta firebyignoringtheirorganizationsgroupsonlypolicyandapplyinganACEforasingle usertoaDACL.Overtime,theseoneoffquickfixesadduptoanimpossibletomanage permissionssystem. Infact,mostWindowsbasednetworksthatarentusingsomekindofthirdparty permissionsmanagementutilityare,inalllikelihood,managedverypoorlyfroma permissionsperspective.Theytrytodoagoodjobasmuchaspossible,butthewaythe distributedsystemworksissimplystackedagainstthem. Thereare(asIlldiscusslaterinthischapter)thirdpartyutilitiesthatcanprovidethat kindofinventorybuttheydosobyscanningeverysingleDACL.Theyusuallydosoover severaldaysinitially,buildingasearchabledatabaseofpermissions.Agentsinstalledon serverscanthenwatchforpermissionschangesandreportthosedeltastothedatabase, keepingituptodate.
DoItYourselfSecurityReportingandChanges
Securityisoneofthosethingsthatyourealmostconstantlylookingatforonereasonor another.IvealreadymentionedtheBPA,whichisagoodwaytogetabasiclookatyourAD infrastructuressecurity,performance,andotherconfigurationsettings.Withoutspending anymoneyonthirdpartytools,youcandefinitelydosomedecentreporting.
54
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Permissions
Reportingonpermissionsis,frankly,hard,dueentirelytothewaytheyrestoredin Windows.Ifyouwanttobuildyourownpermissionsreportingtool,youregoingtohaveto scanthroughalotofservers.Evenansweringthequestion,WhatresourcescanJillaccess onthissingleserver?canbetimeconsumingbecauseyouhavetoscanthroughevery DACLontheserver.Evenifmostfilesandfoldersinheritsecurityfromatoplevelfolder, youcantassumethattobethecaseyouregoingtohavetocheckeveryfileandfolderto makesure. Forthatreason,Ithinkbuildingyourownpermissionsreportingtoolsissimply impractical.WhatevertoolsyoumayhaveatyourdisposalVBScript,Windows PowerShell,andsofortharegoingtobetooslowtoaccomplishthetaskinany reasonableamountoftime.Sorryitsnotyou,itsWindows.
DirectoryObjects
Reportingondirectoryobjectsdisabledusers,olduseraccounts,lockedoutusers,andso forthiseasiertodoyourself.TheADUsersandComputers(ADUC)consoleprovidesa CustomQueryoptionthatmakesthisprettystraightforward.AsFigure4.6shows,youcan veryeasilycreateaquerythatshowsallusersthathaventloggedonin,say,thelast90 daysagoodstartingpointforastaleaccountsreport.
Figure4.6BuildingacustomADquery.
55
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure4.7:CustomreportsinPowerShell.
ShouldYouRethinkYourSecurityDesign?
Giventheextremecomplexityofdealingwithpermissionsonyourown,whilefollowing bestpractices,youmightwanttoconsideraredesignofyourpermissions.Howyou proceeddependsabituponyourgoals. Forexample,manycompaniesarenowmovingortryingtomovetorolebasedsecurity. Theideaisthatyoucreateatoplevelsetofroles,whichcorresponddirectlytojobtitlesor jobresponsibilitieswithinyourorganization.Youdroppeopleintothoseroles,andthey pickupthenecessarypermissions.
56
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Inaverysmall,singledomainenvironmentthathasgooddiscipline,youcanaccomplish thiswithADsdomainusergroups.Inlarger,multidomainenvironments,thatbecomesa lotharder.Groupsareoftenstillusedasanunderthehoodmeansofimplementingroles permissions,butarolewillusuallyberepresentedbymultiplegroupsbecauserolesspan theentireorganization,notjustasingledomainorforest.Itsgenerallyconsidered impossibleoratleastimpracticaltoimplementtruerolebasedpermissionsinacomplex ADenvironmentusingonlyADsnativetools;yougenerallyhavetogowithathirdparty rolebasedmanagementsystemthatoverlaysthenativeADandWindowssecurity. Regardless,mostcompaniestendtogetreallyjitterywhenitcomestoredesigningtheir permissionsarchitecture,mainlybecausedoingsowithoutsomekindofthirdpartytool whichcanbeexpensiveisadauntingtask.Youhavetoinventoryeverything,andfigure outwhatresourcessomeonemightneedaccessto.Itstough.Thirdpartytoolshelp becausetheycanautomatetheprocessatatoplevel,takingmuchofthedrudgeworkand guessworkoutofit.
ThirdPartySecurityCapabilities
ItsarareorganizationthatdoesnthavesomekindofthirdpartyADtoolstosupplement itssecuritymanagement.Themostcommononesfallintothecategoriesofreporting, permissionsmanagement,andauditing;wellsaveauditingforthenextchapterandjust brieflyfocusonthefirsttwo.
Reporting
Thirdpartyreportingtoolsareverycommon,andcanprovidealotofvalue.Figure4.8 illustratesonetool,EnterpriseSecurityReporter,whichisdesignedtoreportonanumber ofsecurityrelatedconcernswithinAD.
57
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
58
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
PermissionsManagement
Thirdpartypermissionsmanagementtoolstypicallyseektoimplementautomatedrole basedpermissionsfornotonlyADbutalsoWindowsfileserversaswellasotherconnected systemslikeExchange,SQLServer,SharePoint,andsoon.Thesesystemsprovidealayeron topofthenativepermissions.Theyusuallystartbyinventoryingexistingpermissionsinto acentraldatabase.Asyoumakechangestothedatabasespermissions,thosechangesare pushedouttotherelevantresourcesnativeDACLs.Figure4.10showsonesuchtool,called ActiveRolesServer.
59
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
DNSSecurity
ThelastthingIllofferinthischapterisanoverviewofDNSSecurity,morecommonly calledDomainNameSystemSecurityExtensionsorsimplyDNSSEC.DNSobviouslyplaysa vitalroleinADsoperation,andsecuringDNSiscrucialtomaintainingADsownsecurity andreliability.
60
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
TheoriginalDNSprotocoldidntincludeanysecurity.MicrosoftsimplementationofDNS, particularlywiththerecommendedADintegratedDNSzones,appliesagooddealof securitybydefault.DynamicDNSrecordsareownedbytheircreatorsandcanonlybe modifiedbythem;otherrecordscanhavesecurityappliedaswell.Theoverallgoalof DNSSECistopreventforgeddatafrombeinginsertedintotheDNSzonedatabase.If someonecoulddoso,theycouldspoofinternalserversandpotentiallygathersensitive informationfromunsuspectingusers.Althoughthemutualauthenticationprovidedbythe Kerberosprotocolcanhelpcurtailthatwithinadomainenvironment,Kerberoscant protectnondomaincomputers,andthosecouldstillbespoofedviaDNS. Essentially,DNSSECworksbydigitallysigningDNSrecordsusingdigitalcertificates. SeveralDNSrecordtypesspecificallysupportthisactivity,includingRRSIG,DNSKEY,DS, NSEC,NSEC3,andNSEC3PARAM.WhenclientsmakeaDNSquery,theDNSreplyincludes notonlythetraditionalA(orAAAA)records,butalsoRRSIGrecordsthatcontainadigital signature.TheclientcanthenusetheDNSserverspublickey(obtainableinaDNSKEY record)toverifythesignature,thereforevalidatingtheAorAAAArecords. RelativelyfeworganizationstodayuseDNSSEC,butWindowsdoessupportit,andhastoa degreesinceWindowsServer2003.FullsupportisinWindowsServer2008R2and Windows7.KeepinmindthatDNSclientsmustbeDNSSECawareinorderforthesecurity featurestobeuseful.NonawareclientscanstilluseaDNSSECenabledDNSserver,but theywillnotbeabletovalidatesignaturesandrecords. WhydontmoreorganizationsuseDNSSEC?Presently,itsnotalwayswellsuitedina dynamicDNSenvironment.Forexample,creatingasignedDNSzonerequiresyoutoexport anactivezone,signitusingacommandlineutility(whichaddstheDNSSECrecordstothe zone),thenloadthenewlysignedzoneastheactivedatabaseinyourDNSserver.Dynamic updatesaredisabled,essentiallytakingawayakeyfeaturethatADreliesupon.Forthat reason,DNSSECismostoftenusedinexternalDNSzones,whichtendtoremainfairly static.Thatsactuallynotabadthing:Inadomainenvironment,DNSissecuredbyADand spoofingofdomainmembersisessentiallymadeimpossiblebyKerberos.Inanondomain environment,whereyoudontneeddynamicDNS,DNSSECismorepracticalandmeetsa need. BeawarethatDNSSECsupportisstillevolving:TheworldsDNSrootzonedoesntyet supportit,nordoesthepopular.COMtopleveldomain.Withoutthatsupport,itspossible tospoofentriesinthosetoplevelzones.Thatsupportiscoming,though.Interimsecurity solutionsareavailableinthemeantime,andyoucanreadaboutthemat http://www.windowsitpro.com/article/dns2/DNSEnhancementsinWindowsServer 2008R2/2.aspx.YoucanreadmoreaboutWindowscurrentDNSSECsupportat http://technet.microsoft.com/enus/library/ee649277(WS.10).aspx.
61
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ComingUpNext
Securityisonething:Itshowyouprotectyourresources.Inthenextchapter,welllookat auditing,thelastpartoftheAAAacronym,andawaytokeeptrackofhowpeopleare interactingwiththesecuritythatyouvesetup.
62
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Chapter5:ActiveDirectoryAuditing
ThepreviouschapterwasaboutActiveDirectorys(ADs)declarativesecuritythatis, howyoutellthedirectorywhohaspermissiontodowhat.WealsohadalookathowADs securityisdesignedandbuilt,andhowADasanauthenticationmechanisminterfaceswith Windowsnativeauthorizationmechanisms.ThosewerethefirsttwoofthethreeAs,and thethirdoneauditingoraccountingisthefocusofthischapter.
GoalsofNativeAuditing
Auditinghasafairlysimplygoal:Keeptrackofeverythingeveryoneisdoing.Withinthe contextofAD,thatmeanskeepingtrackofallusesofprivilege,suchaschanginggroup membershipsorunlockinguseraccounts.Italsomeanskeepingtrackofaccountactivity, suchassuccessfullogonsandfailedlogons.ExtendingthatscopetoWindows,auditing includeskeepingtrackoffileandfolderaccessaswellaschangestofilepermissions. Yourgoalsforauditingmightdiffersomewhatfromthegoalsoftheoperatingsystems (OSs)auditingarchitecture.KeepinmindthattheauditingsystemusedinWindows includingAD,whichessentiallyjustcopiedthearchitectureofthefilesystemdatesback totheearly1990swhenWindowsNTwasbeingdesignedandwritten.Atthattime, Microsoftcouldnthavepredictedorganizationswiththousandsoffileservers,dozensor hundredsofdomaincontrollers,andthousandsofotherserversrunningExchange,SQL Server,SharePoint,andotherbusinessplatforms.ThefactisthatWindowsnativeauditing architecturedoesntalwaysscalewelltoespeciallylargeenvironments,oreventosome midsizeonesafactwellexplorelaterinthischapter.Soalthoughyoumightwanttoaudit everysingleeventinyourenvironment,actuallydoingsomaycreateperformance challenges,managementchallenges,andevenlogisticalchallenges.Forrightnow,letsjust assumeyourgoalisindeedtoauditeverythingthathappensinyourenvironment,andsee wherethearchitecturetakesus.
NativeAuditingArchitecture
Inthepreviouschapter,youlearnedthatpermissionsareappliedtoaDiscretionaryAccess ControlList(DACL).EachDACLconsistsofoneormoreAccessControlEntries(ACEs),and eachACEgrantsordeniesaspecificsetofpermissionstoasinglesecurityprincipalthat is,auseroragroup.TheDACListheauthorizationpartoftheAAAmodel:ADauthenticates you,andgivesyouasecuritytokencontainingauniqueSecurityIdentifier(SID).ThatSIDis comparedwiththeACEsinaDACLtodetermineyourpermissionsonagivenresources.
63
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Auditingworksinmuchthesameway.ASecurityAuditingControlList(SACL)consistsof oneormoreentries.Eachentrydesignatesaspecificauditingactionforactivities conductedbyasingleuserorgroup.TheSACLisattachedtoaresource,likeafileor directoryobject,andwheneverthespecifiedsecurityprincipalengagesinthespecified activitywiththatresource,theactionislogged.Typically,youhavetheabilitytolog successand/orfailureactions.Thatis,youcanchoosetologanentrywhensomeone successfullyexercisestheirpermissionsorwhentheyattempttodosoandaredenied. Figure5.1showsaSACLconfigurationforAD.Asyoucansee,thisresourcetheDomain Controllersorganizationalunit(OU)isconfiguredtologseveralsuccessactions performedbythespecialEveryonegroup.Thatis,wheneveranyonesuccessfulperforms anyoftheseactions,anauditentrywillbegenerated.
64
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure5.2:AfilesystemSACL. Here,youcanchoosetoauditthingslikecreatingfolders,readingattributes,deletingfiles, andsoon.Eachresource,then,canhaveitsownSACL.Inpractice,mostofusassignSACLs atafairlyhighlevelinthehierarchyandletthosesettingspropagatetolowerlevelobjects throughinheritance.Thatway,weonlyhavetomanageSACLsinarelativelysmallnumber ofplaces.ButwestillhavetoconfigureatleastonetoplevelSACLperserver,permajor system.Thatis,eachserverwillneedatoplevelSACLonatleasttherootofeachlogical drive,wellneedaseparateSACLontherootofAD,andsoon. Otherproductsmayormaynotfollowthispattern.ExchangeServer,forexample,usesa similarstructureforitsauditing;SQLServerdoesnot,nordoesSharePoint.Wellstickwith ADandthecoreWindowsOSforthediscussioninthischapter. Onceanauditableactionoccurs,Windowsgeneratesanauditentry.Thesearestoredinthe Securityeventlog,whichFigure5.3shows.Aproblemwiththislogisthateveryauditing eventgoesintoit.Althoughitsnicetohaveeverythinginonebig,centralpile,itcanmake ittoughtopulloutspecificentries.Again,thisreflectsMicrosoftsrelativelylimitedoriginal visionfortheauditingsystem.
65
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure5.3:TheSecurityeventlog. EachWindowsservermaintainsitsownindividualSecurityeventlogthatincludes domaincontrollers.AlthoughADsSACLscanbeconfiguredonanydomaincontroller,and willreplicatetoallofthem,onlythedomaincontrollerthatactuallyhandlesagivenaction willcreateanauditentryforit.Theresultisacentrallyconfiguredauditingpolicybuta highlydistributedauditinglog. Figure5.4showswhattheseauditentrieslooklike.Theyrefairlytechnical,andoften includerawSIDsandotherunderthehoodinformation.Thisexampleshowsasuccessful domainlogon,processedusingthenativeKerberosprotocol.Theusernameanddomain havebeenblankedoutforthisexamplebutwouldnormallybepopulatedwhenarealuser logson.
66
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
67
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure5.5:Newlogsalongsidetheoldlogs. UnlikeDACLs,SACLsarenotimmediatelyutilizedbytheOS.SACLssimplydesignatewhat actions,whatsecurityprincipals,shouldbeaudited;theauditingsystemitselfmustalsobe turnedoninorderforeventstobewrittentothelogs.Figure5.6showswherethatis usuallyconfiguredinaGroupPolicyobject(GPO). MostorganizationswillconfigureauditingatahighlevelGPO,suchasoneappliedtoall domaincontrollers,oreventoallserversinthedomain.TheGPOpicturedisspecifically settingtheauditpolicy,whichincludesturningonauditingoflogonevents,account managementactivity,accesstoAD,andsoforth.Theauditpolicy,aswellasresource SACLs,mustbothbeconfiguredinordertogeneratethedesiredauditingevents.
68
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure5.6:ConfiguringauditinginaGPO. Thisiswhereyouhavetousesomecaution.Youdontwanttoturnonfullboreauditing withoutthinkingabouttheconsequences.Adomaincontrollercangeneratethousandsof logoneventseveryminuteduringthebusymorningloggingonrush,andgeneratingallof thoseeventsrequirescomputingpower.Ifauditingallofthoseeventsistrulya requirement,thenyouregoingtohavetosizeyourdomaincontrollersaccordinglyto handletheload.Thesamegoesforfileservers:Ifafileserverisexpectedtogeneratean eventforeverysuccessfulorfailedfileaccessattempt,itsgoingtoneedtohavethe computingpowernecessarytopullitoff. Generatingthatmuchlogactivitycanalsopoundtheactualeventlogsprettyhard.As Figure5.7shows,youllwanttopairyourauditpolicywithawellplannedeventlogpolicy, settingeventlogssizes,rolloverbehavior,andothersettingstoaccommodatethe workloadyouplanforthemtohandle.
69
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure5.7:ConfiguringeventlogsettingsinaGPO. TheSecuritylogwhichiswhereauditingeventsarewrittencanbeespeciallytricky. WiththeApplicationlog,youmightfeelcomfortablesimplyallowingittooverwriteitself whenitgetsfull.FortheSecuritylog,youcantpracticallydothat,oryoudopenupthe doorforauditinginformationtobelost.Instead,youllhavetoconfigureanappropriatelog size,andimplementmaintenanceprocedurestoarchiveandclearthelogonaregular basisperhapsasoftenaseveryevening,dependingupontheloadyoureputtingonthat log. AcommoncriticismofWindowsnativeeventlogsistheirhighlydistributednature.For example,anadministratorcouldmodifyagroupmembershipononedomaincontroller, connecttoaseconddomaincontrollertouseanaccountinthatgroup,andconnecttoa thirddomaincontrollertoresetthegroupmembership.Allthreeactionswouldbelogged inthreedifferentSecurityeventlogs,makingitdifficulttocorrelatethoseindependent eventsintoachainofactivity. Microsoftsinitialsolutiontothisproblem,introducedinWindowsServer2008,iseventlog forwarding.PicturedinFigure5.8,theideaisthatindividualserverscanforwardeventsto acentralserver,whichcollectsalloftheeventsinitsownlog.
70
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
CommonBusinessGoalsforAuditing
Unlikethe1990swhenWindowsNTwasdesigned,mostbusinessestodayaresubjectto somekindofsecuritypolicy.Inmanycases,thatpolicyincorporatesexternalrequirements fromindustryrulesorevenlegislation.Thoserequirementsmayincludeaneedtoaudit everysuccessfulandfailedactionforprettymucheverythingintheenvironmentandthat generatesalotofauditingtraffic. Anothergoalisforthatauditinginformationtobetamperproof,oratleasttamperevident. Inotherwords,thepeoplebeingauditedincludingadministratorsshouldntbeableto removetheirownauditactivityfromtheauditlog.Organizationsalsowanttobeableto search,filter,andreportonthoseevents.Forexample,anauditormightwanttoseeevery auditentrythatcorrespondstoareconfigurationofADsauditpolicy,thenmatcheachof thoseeventstoanapprovedaction.Thatletsanauditorseethattheonlychangesmadeto thedirectorywerethosethathadbeenformallydocumentedandapproved.
71
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
WeaknessesofNativeAuditing
Unfortunately,thenativeauditingsystemdoesnotalwaysholdupwell.Ireallydont regardthisasaweaknessonMicrosoftspartafterall,theirjobisnttoanticipateevery possiblebusinessneed,butratherprovideaplatformonwhichothersoftwarecanbe deployedtomeetspecific,varyingbusinessneeds.Theyvedonethat.Thenativeauditing architectureisbarebones,suitableforthesmallestorganizationsthatarelesslikelytobe abletoaffordaddonsoftwaretomeetspecificbusinessneeds.Thenativesystemisalso closetothreedecadesold,andyoucantalwaysexpectsystemsofthatagetomeetevery possiblemodernrequirement. Goalone,beingabletoauditeverything,iscertainlypossiblewithinWindowsalthough youllneedtoplaylogcapacityandserverperformancearoundthatgoal.Thenativeevent logarchitectureisntasperformancetransparentasitperhapscouldbe,andaskinga servertoaudittensofthousandsofeventsanhourwillcreateanimpactonthatserver. Goaltwoatamperevidentlogiswherethesystemreallyfallsapart.Unfortunately,its justnotfeasibletotakeawayadministratorsabilitytocleartheeventlog.Youcandoit,by carefullytweakingprivileges,creatingdedicatedlogmanagementuseraccounts,andso onbutitscomplex,andmanyorganizationsfinditimpractical. Evenassumingyoudoso,meetingthenextgoalcentralizedreporting,filtering,and alertingisntpractical,either.Eventlogforwarding,evenwhenused,doesntoccurinreal timetherecanbesignificantdelaysineventsbeingforwarded.Evenwhenyoudorelyon eventforwarding,youremassingalogofloginformationintoasingleplace,andrelyingon anextremelyprimitiveeventviewerforqueryingthatlog.Figure5.9showsthefiltering capabilitiesofthenativetool,andtheyreindeedprimitive.
72
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure5.9:Nativeeventlogfiltering. Asshown,youcanfilterforspecificeventtypes,andfilterforspecifictextintheevent description,aswellasothercriteria.Buttheresnowaytocorrelatemultiplerelatedevents inachainofactivity,andtheresnoreportingmechanismtospeakof. Asforthefinalgoalofusingtheseeventsfortroubleshootingwell,goodluck.Itscertainly possible,althoughitusuallytakestheformof,seewhatsinthelog,lookuptheeventIDs toseewhattheymean,andfigureoutifthatsrelevanttothecurrentproblem.Itsmuch hardertoaskthenativeeventviewertogiveyou,allchangesmadetoADwithinthepast4 hours.Althoughtherewillbeeventsrelatedtothosechangesprovidedyourauditpolicy iscapturingthemtheeventlogisntreallydesignedtofacilitatechangemanagementor changeauditing.Itisntauditingthechange,perse,itsauditingthefactthatsomeonemade achange. AsFigure5.10shows,WindowsServer2008ADdidstartcapturingbeforeandafter valuesinchanges,makingitabitmoreusableforchangeauditing.However,thefeature stillisntpervasivethroughoutallofAD,andfindingtheactualeventsinamassivelogfile canstillbechallenging.
73
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ThirdPartyAuditingCapabilities
ThirdpartyauditingtoolstakeseveralapproachestosupplementingWindowsnative capabilities.First,thesetoolsmaydoabetter(andfaster)jobofcollectingeventsfrom multipleserverslogsintoacentrallocation.Often,thatcentrallocationisaSQLServer database,althoughothertoolswillalwaysforwardeventsinrealtimetoanexternal loggingmechanism,suchasasyslogserverasFigure5.11illustrates.
74
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure5.11:Forwardingeventstoasyslogserver. TheideaismainlytogettheeventsoutofWindowsasquicklyaspossible,andintosome separatesystemthatcanbesecureddifferentlyfromtheenvironmentseventlogs. Databasesarepopularchoicesbecausetheycanbesecuredandtheynaturallylend themselvestocomplexqueries,andthus,toreportingcapabilities.Infact,manythirdparty auditingtoolscollecteventsinSQLServermainlytoleverageSQLServerReporting Servicesasareportingmechanism. ThirdpartytoolsmayalsotapdirectlyintonativeApplicationProgrammingInterfaces (APIs)tocollectauditinformationinadditionto,orinsteadof,usingthenativeevent logs.TheseAPIsoftenoffermoredetailedinformation,includingbetterbeforeandafter details.Insomecases,usingtheAPIsmayofferabetterperformingwayofcollectingthe information,reducingserverload. Oncetheeventdataiscentrallylocated,thirdpartytoolscankickinwithrealtimealerts, reporting,eventarchiving,analysisandcollation,andmuchmore.Thetrickisingettingthe eventsintoasinglespotthatcanbequeriedquicklyandeffectively.
75
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ComingUpNext
Inthenextchapter,Illstartsummarizingmanyofthetechniquesandconceptsfromthis andtheprecedingchapters,andpresentingthemtoyouasbestpractices.Wellstartwitha lookatwhen,andwhy,youmightwanttoreconsideryourdirectorysdesignasscarya conceptasthatmightbe!Wellalsolookatbestpracticesfordisasterrecoveryand businesscontinuity,security,replication,FSMOplacement,DNSdesign,andmore.Well wrapwithaconsiderationofvirtualizationbecausethatsalltheragethesedays,and discusshowsuitableADis,orisnt,forlivinginsideavirtualmachine.Illalsothrowin somepracticesforongoingADcareandfeeding,tokeepyourdirectoryhealthyandhappy.
76
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Chapter6:ActiveDirectoryBestPractices
Thischapterisakindofmiscellaneousbestpracticeslist.ThetrickwithADandbest practicesisthattheresneveranyonerightanswerforeveryorganization.Youhaveto tempereverythingwithwhatsrightforyourorganization.Soreally,thischapteris intendedtosimplygiveyouthingstothinkaboutwithinyourenvironment,andideasthat stemfromwhatsworkedwellforotherfolksinsituationsthatmightbesimilartoyour own.
ShouldYouRethinkYourForestandDomainDesign?
Firstofall,stepbackandtakealookatyourdomainandforestdesign.Howperfectisit? ADdesignunfortunatelyhastwoconflictinggoals:OneistosupportyourGroupPolicy deployment,andtheotheristosupportdelegationofpermissions.Forthefirstgoal,you mightorganizeADtoreallyfacilitateusingaminimalnumberofeffectiveGroupPolicy Objects(GPOs),especiallyifyouneeddifferingGPOsettingsforvariouscompany departmentsanddivisions.ThesecondgoalfocusesonwhowillmanageADobjects:Ifyou plantodelegatepermissionstoresetpasswords,forexample,thenorganizingyour directorytogroupthosedelegateduserobjectswillmaketheactualdelegationeasiertoset upandmaintain. KeepinmindthatGroupPolicyistheonethingyouprettymuchcantseparatefromthe directory.Fromasecurityanddelegationperspective,thirdpartytoolscanabstractyour directorydesign.Forexample,manythirdpartyidentityandaccessmanagement(IAM) toolsenableyoutodelegatepermissionoverobjectsthataredistributedthroughoutthe directory.Youessentiallyusethetooltomanagethedelegation,anditdealswithwhatever ugly,underthehoodpermissionsitneedsto.Insomecases,thesetoolsdontactually modifytheunderlyingdirectorypermissionsatall.Instead,theyprovideintool delegation,meaningtheyactasakindofproxymanager,providingdifferentuser interfacesfordelegateduserstoaccomplishtaskslikeresettingpasswordsormodifying useraccounts.Thatkindofabstractioncanletyourunderlyingdirectorystructureconform tootherneedslikethoseofyouGroupPolicydeployment.
77
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Restructuringadomainorforestcanbejustascomplex,risky,andfrustratingasmigrating toADwasinthefirstplace.Themainreasontoconsiderthiskindofprojectisifyour directoryhasgrown,andbeenextended,organicallyovertime.Corporatemergesand acquisitionsareacommonrootcauseofthatkindofgrowth.Youmayalsofindthat whoeveroriginallydesignedthedirectorydidnthaveagoodunderstandingofhowtodo so,orthatthecompanysneedsandoperationshavechangedsincetheoriginaldesignwas putinplace.Inanyevent,rethinkingthedesigncanhaveasignificantpositiveimpacton operations,maintenance,disasterrecovery,andevenonperformanceandusabilitysoits worthatleastconsideringtheproject.Determinewhetherthebusinessbenefitswould outweighthepotentialrisks,andconsiderwaystomitigatethoserisks.Forexample,many thirdpartiesproducemigration/restructuringtoolsthatcanlargelyautomatemuchofthe process,providezeroimpacttestingcapabilities,andevenrollbackmigrationchangesif theyprovetobeproblematic.Thosetoolsobviouslyhaveacost,soyoullhavetoweigh thatcostagainstthebusinessbenefitsandseeifitlookslikeawin.
ADDisasterRecovery
Disasterrecoveryandbusinesscontinuityisalwaysaconcern,soletslookatgeneralbest practicesformakingsurethatyourdirectorycanberecoveredintheeventofafailure. Werenotgoingtolookatthemorecommonlyneededsingleobjectrecoveryjustyet theresasectioninthischapterforthatcomingup.
SingleDomainController
ProbablythemostcommonfailurescenarioinADisthefailureofasingledomain controller,oftenduetoahardwarefailure.Whatdoyoudowhenthishappens?Well,if youvebuiltyourdomaincontrollersproperly,youwontneedtodomuch.Myassumption isthatyourdomaincontrollersaredoingverylittleapartfrombeingdomaincontrollers. TheymayberunningDNS,andiftheyareitshouldbeanADintegratedDNSzone.Ifyou dontuseMicrosoftsDNS,dontputyourDNSserversonyourdomaincontrollers.That way,ifadomaincontrollerfails,youjustrebuildit. Keepinmindthat,inAD,nodomaincontrollerisunique.Theyreallthesame.Ifonefails, itsnobigdealtheothersjustkeepmovingrightalong.Buildareplacementmachine (somethingthatstrivialifyoureusingvirtualmachines),promoteittobeadomain controller,andsitbackandletreplicationtakeover.Inotherwords,youdontbother backingupeverysingledomaincontrollerbecausetheyeachactasbackupsforeachother. Theonlytimethismightnotbeastraightforwardapproachiswhenthefaileddomain controllerisontheothersideofaslowWANlinkfromanyotherdomaincontrollers. WaitingforalargedomaintoreplicateacrosstheWANcanbetimeconsuming.Ifyoudont mindwaiting,itsstillthebestwaytogo.Abouttheonlyotheroptionistokeepabackupof thoseremotedomaincontrollersmakingsureitsnevermorethanafewdaysold.That wayyoucanrestorefromthatbackup,andletamuchlesseramountofreplicationbring thedomaincontrollerbackuptodate.Tapebackupsarefineforthisapproach,andtheyre easyforpeoplewithminimalITskillstooperate,soincaseswhereyoudonthavealotof localexpertisehelpingyouout,itsnotabadapproach.
78
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
EntireDomain
Itsprettyraretoloseanentiredomain.Asitsalmostimpossibletoloseeverysingle domaincontrolleratthesametime,losingthedomainusuallymeanssomevastand tragicadministratorerror.Theonlyresolutionis,ofcourse,tohaveagoodandrecent backup. Again,thisiswhereIfirmlyrejecttapebasedbackupandrecommendrealtimediskbased backupsinstead(readmybook,TheDefinitiveGuidetoWindowsApplicationandServer Backup2.0,fromRealtimePublishers,foranexhaustivetreatmentofthesubject).Areal timediskbasedbackupcangetadomaincontrollerupandrunninginminutesorhours, notdays,andyoulllosenomorethanafewminutesworthofactivityfromthedomain. Diskbasedbackupscanalso(usually,dependingonthevendor)bereplicatedoffsite, makingthemsuitablefortruedisasterrecoverywhereyouvelostanentiredatacenter,or losttheuseofit,duetosomedisastersuchasflood,fire,meteorstrikes,andthelike.
EntireForest
ItisvanishinglyraretoloseanentireADforest.Iwasoncetoldthattherearesomething likelessthanadozendocumented,realworld(thatis,nonlabbased)occurrences.Still, thethreatofwholeforestlossisenoughthatMicrosoftofficiallysupportsforestrecovery, andahandfulofthirdpartyvendorsmakewholeforestrecoveryproducts. IfyoufeelthatlosingyourentireADforestisathreatyoumustbepreparedtoface,take myadviceandbuyaforestrecoveryproductnow(theyrenogoodoncetheforesthas actuallyfailed;theyhavetograbthenecessarybackupsfirst).Recoveringaforestisno trivialtask,andhavingatoolonhandwillgetyoubackupandrunningmorequicklythan thealternative,whichisusuallycontactingMicrosoftproductsupportforassistance.
ADRestoresandRecycleBins
LetsturnbrieflytothesubjectofsingleobjectrecoverywithinAD.PriortoWindows Server2008R2,Microsoftdidnthaveagood,supportedsolutionforADsingleobject recovery.Theirapproachwastotakeadomaincontrolleroffline,putitinDirectory ServicesRecoveryMode,performanauthoritativerestoreofwhateverdirectoryobject(s) youlost,thenbringthedomaincontrollerbackonlineandletitreplicateitschanges.
79
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
LetsbeclearonwhatImeanbysingleobjectrecovery,too:Bringinganentiredeleted objectback,includingallofitsattributes.Youcannotdothisbysimplyuntombstoninga deletedobjectbecausewhenADdeletesandtombstonesanobject,itremovestheobjects attributes. InWindowsServer2008R2,MicrosoftintroducedafeaturecalledtheActiveDirectory RecycleBin,anameofwhichIamnotafan.Thisfeatureisonlyavailablewhentheentire forestisrunningattheWin2008R2functionallevel(meaningeverydomainmustalsobe runningatthislevel),andthefeaturemustbespecificallyturnedonaonetimeaction thatcantbeundone.Figure6.1showsthePowerShellcommandneededtoenablethe feature.
80
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure6.2:ViewingtheDeletedObjectscontainer. ToactuallyrestoreanobjectrequirestheuseofratherbyzantineWindowsPowerShell commands;theresnoactualGUIcomponentforworkingwithrecycledADobjects. TheRecycleBinfeatureisalsoabitunintuitive.Forexample,ifyouneedtorestoreanOU anditscontents,itsatwostepprocess:RestoretheOU,thentheobjectsthatusedtolivein it.Someorganizationswillhaveconcernsaboutthatrecycledinformationincluding employeespersonallyidentifiableinformation(PII)persistinginthedirectorypastthe objectsdeletion.Althoughatraditionalbackupwouldalsopersistthatinformation,it doesntdosoliveinthedirectory,andthatmakesadifferencetosomefolks. TheRecycleBinfeatureisalsolimitedtoobjectrestoration;itcantrestoreasingle attributefromanobjectthatmayhavebeenimproperlychanged. SothisnewRecycleBinfeatureis,atbest,abareboneswayofgettingsingleobject recoveryforaverysmallorganizationthatwillnotconsiderthirdpartytools.Me,Imafan ofthirdpartytools.AsingleADdisasterrecoverysolutioncangiveyouatrue,graphical recyclebinwithdraganddroprecoveryandsingleattributerecoveryandwillscaleallthe wayuptocompletedomainorforestrecoveryifnecessary.Everythingbutadomain/forest restorecanbedonewithouttakingadomaincontrolleroffline,helpingeverythingstay productive,andinmostcases,thesetoolsintegrateintothefamiliarActiveDirectoryUsers andComputersconsole,makingthemeveneasierandmoreaccessible.
81
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
YoucouldarguethatMicrosoftshouldbuildthatkindoffunctionalityintothebaseproduct. Maybeso,maybeno:EverythirdpartyrecoverytoolIvelookedatworksslightly differently,andthosedifferencesreflectdifferentcustomerneeds.Microsoftwouldonlybe abletosqueezeusallintothesamefunctionality;asthesituationstands,wecanselect fromwhateversolutionfitsourparticularneedsthebest.Microsoft,asIvesuggestedin earlierchapters,needstodeliveragoodplatformIdontnecessarilythinktheyshould delivereverypossiblepermutationofamanagementtoolthatanorganizationmightneed. ThisIsntRetail Ivemadethisargumentaboutthirdpartytoolsbefore.Toooften,Iseea packagedretailmentalityaroundcomputersoftware.Yougoandbuy MicrosoftOffice,youdontexpecttohavetobuyaddonstomakeitwork. Okay,IgetthatOfficeisanenduserproduct.Mostenduserproductscome complete:Carscomecomplete.Evenkidsgamessometimesshipwith batteriesincluded. Windows,asaserveroperatingsystem(OS),isntapackagedretailenduser product.Itsmorelikeahouse:Thebuilderisgivingyouaplatform,andyou expecttospendmoneyaboveandbeyondthatstructure.Thestructure shouldcomewithgoodplumbing,butyouattachyourownfaucets.The floorsshouldbeflatandsolid,butyoureputtingyourownfurnitureon them. Yes,somebuilderswillthrowinminimalversionsoftheseaddonskitchen appliances,bathroomfixtures,andsoforth.Butthesearealmostalwaysthe bareminimumversions.Theyrerarelythehighend,customstuffyouknow youwant. Sure,youcanbuyahousethatcomeswithallthecustomhighendstuff,but thatslikeworkingwithaMicrosoftVAR.Inadditiontothehomebuilder (Microsoft),youvealsogotadesigner(theVAR)buyingyourcurtains, furniture,andsoforth,andgivingyoutheresultingproductforasingle packageprice.YoucandothatwithWindows:Getthebaseplatformandall thethirdpartytoolsneededtomakeitawesome,allfromonevendor,andall foroneprice.ThatvendorjustisntMicrosoft,becausetheyreinthebusiness ofmakingthebasicstructure,notcustomizingittofiteverypossible businessneed. WhenitcomestoWindowsasaserverOS,youhavetoincludecertainthird partytoolsaspartofthecostofdoingbusiness.ThecostfortheWindows licenseisjustthebeginning:Ifyouhaveauditingneeds,ordisasterrecovery needs,thosearegoingtocostextra.Ifyoureinthetypeofcompanythat doesntliketospendmoneyonextrasanytime,ever,thenyoushouldnt expecttobeabletomeetallofthebusinessneedsallofthetime,either.
82
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Security
Idontactuallyhavealottosayonthetopicofsecuritybestpractices.IthinkMicrosofts BestPracticesAnalyzer(BPAwhichwillbediscussedinthefinalsectionofthischapter) doesagoodjobofcoveringthehighlevelsecuritysettingsinAD;anythingelsereally comesdowntoyourspecificbusinessandoperationalneeds.Doyoudelegatepermissions withinthedirectoryorrelyonamoremonolithicpermissionsstructurewhereDomain Adminsdoallofthework?Neitherapproachiswrong;itsimplydependsonhowyour organizationisstructuredforthatkindofadministration.
ReplicationTopology
Definitelytakethetime,nowandthen,toreviewyourADreplicationtopology.Usingyour sitearchitecture,drawoutapictureofthereplicationtopology,liketheoneinFigure6.3.
83
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure6.4:Toolgeneratedactualreplicationtopology. Thegoalshouldbetosimplyensurethatnodomaincontrolleristoomanystepsawayfrom everyotherdomaincontrollersothatreplicationcanquicklygetchangesouttoevery domaincontrollerinaminimumnumberofhops.Atthesametime,youwanttoensure thatthephysicalWANlinkscanhandlethereplicationtrafficyoureputtingonthem.Thats especiallytruewhenyouhavealotofmanuallyconfiguredsitelinkbridges,which deliberatelydoubleupthetrafficonyourWANlinksinanefforttoreducereplication hopsbetweendistantsites. Itsreallyimportantnottorelysolelyonahanddrawndiagramofyourreplication topologybecauseADwontalwaysmaketheexactsamecalculationsasyouaboutwhich domaincontrollersshouldbebridgeheads,anditseasytooverlookthingslikesitelink coststhatmightbemakingADcalculateunexpectedandunwantedtopologies.Getyour handsonsomekindoftoolthatcandrawatopologybasedonwhatADisactuallydoing, andcomparethatwithyourhanddrawnexpectationdiagram.
84
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
FSMOPlacement
RecommendationsonFSMOplacementhavechangedovertheyears; http://support.microsoft.com/kb/223346offersthelatestguidance.Ingeneral,its consideredsafetostackalloftheFSMOrolesontoasingledomaincontroller,provideditis locatedatahubsite(thatis,hasgoodphysicalWANorLANconnectivitytomostother sites).TheonlyexceptionisforenvironmentsthatdonthaveaGlobalCatalog(GC)hosted oneverydomaincontroller;inthosecases,movetheinfrastructuremastertoadomain controllerthatdoesnthosttheGC. SomeFSMOrolesareforestwide:Theschemamasteranddomainnamingmastershould colocatewiththePDCemulatoroftheforestrootdomain.Again,thatdomaincontroller shouldbewellconnectedtotheotherdomaincontrollersintheforest,ideallylocatedata hubsitethathasgoodWANconnectivitytomostothersites.
Virtualization
CanyouvirtualizeyourADinfrastructure?Ofcourseyoucan.Shouldyou?Inaword,yes. Youshould.Thelongtermbenefitsofvirtualizationhavebeenprovedbyscientists:easier workloadmanagement,easierdisasterrecovery,easierscalability,lowerpower requirements,lowercoolingrequirements,lessdatacenterspaceandthelistgoesonand on. Frankly,theresnoreasonnotto.ADworksandplaysquitewellinavirtualenvironment. Infact,withmodernmemoryovercommit,youcanreallyleverageADsuniqueusage patterns.ADgetsbusyandneedsalotofmemoryinthemorningswheneveryoneis loggingon.SocolocateyourADvirtualmachineswithvirtualmachinesthatrunother tasks,suchaslineofbusinessapplications.Aslogontrafficsettles,peoplegrabthebagel, andgettowork,ADvirtualmachineswillneedlessphysicalmemory,andthatcanthenbe devotedtothelineofbusinessvirtualmachines.JustscatteryourADvirtualmachines acrossseveralvirtualizationhostsandyouregolden. AndconsiderinstallingADonServerCore,notthefullinstallofWindows.ServerCorehasa vastlysmallerfootprint,meaningmoreofthevirtualmachinesresourcescangotoAD. ServerCorerequireslessmaintenance(ithasalotfewerpatchesovertimethanthefull install),soyoullspendlesstimemaintainingyourvirtualmachines.ServerCoresdisk footprintissmaller,makingiteasiertomovefromhosttohost.AndServerCorecanstill runallofyourmanagementtools,agents,antimalware,andotherstuff(popularmythsto thecontrary).IfyoureaccustomedtorunningDNS,DHCP,WINS,andotherinfrastructure functionsonyourdomaincontrollerswell,ServerCorerunsthosetoo.Andthoseroles arecompletelymanageableviathesameGUIconsolesyouusetoday:ActiveDirectory UsersandComputers,DNSManagement,andsoon.Youllfindyourselfloggingontothe consoleveryrarely,ifatall(evenServerManagersupportsremoteconnectivityin Win2008R2).
85
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
OngoingMaintenance
Asidefromobjectlevelmaintenanceyouknow,cleaningupdisabledusers,stale computeraccounts,andsoforthwhatkindofongoingmaintenanceshouldyoube performinginAD?Backupsareobviouslyimportant.AsIvementionedalready,my preferenceisforcontinualbackupsmadebyadisktodiskrecoverysystemratherthan tape,butiftapeswhatyouvegot,thenatleastusethat. DiskDiskTape Bytheway,justbecauseIadvocatedisktodiskbackupsdoesntmeanIdont seethevalueoftape,especiallyforgettingacopyofyourbackupssafelyoff site.Mostdisktodisksystemsprovidesupportformakingasecondtape basedbackupforjustthatpurpose.Andbecauseyoureessentiallybacking upthebackup,youcanenjoylongerbackupwindowswithoutaffectingthe productionenvironment. CheckthelogsandmakesurethatbothADandtheFileReplicationService(FRS)arent generatinganythingalarming.Withacontinualmonitoringsolution(likeSystemCenter OperationsManagerorsomethingsimilar),youcansimplyletthesolutionkeeptrackand alertyouiftheresaproblem. AlsokeepaneyeondiskspaceonwhatevervolumecontainstheADdatabases.Again,a monitoringsolutioncanbeusedtoalertyouwhendiskspacegetslow,sothisdoesnthave tobeamanualtask.Youshouldalsohaveaplaninplacetoregularlydefragmentthat logicaldiskthirdpartydefragutilitiescandosocontinuouslyoronaroutine maintenanceschedule,oryoucanusethenativedefragtoolonaregularbasis.Oncea quarterworksformanyofmyconsultingclients. Periodicallyreviewthelogtolookforreplicationproblemsjustbeingproactive,here.A monitoringsolutioncandothisroutinelyandalertyoutoanyproblems,butitsalways goodtojustrunsomeofthereplicationmonitoringtools(discussedinpreviouschapters) tomakesureeverythingisworkingsmoothly. Finally,taketimeeachmonthorsotoruntheBPAmodelforAD(onWin2008R2andlater). YoucandothisinPowerShellorviaServerManager(Figure6.5showswheretofinditin ServerManager).TheBPAisacollectionofMicrosoftguidelinesforproperlyconfiguring ADandotherserverroles;runningthemodelonaregularbasishelpsensurethatyoukeep ADproperlyconfiguredoverthelongtermforbettersecurity,performance,reliability,and soforth.
86
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ComingUpNext
Inthenextchapter,IwanttotakeasortofintermissionanddiscussActiveDirectory LightweightDirectoryServices,orADLDS.FormerlyknownasActiveDirectory ApplicationMode,orADAM,thistrimmeddownversionofADhasveryspecificuses withinanorganizationandcanhelpsolveveryspecificproblems.Welltalkaboutwhatit is,whentouseit,whennottouseit,andcoversomeofitsuniquetroubleshootingand auditingconcerns.
87
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Chapter7:ActiveDirectoryLightweight DirectoryServices
IntheWindowsServer2003timeframe,MicrosoftintroducedActiveDirectoryApplication Mode,charminglyreferredtoasADAM.Thesedays,ADAMhasgrownupandchangedhis nametoADLDS(orADLDS,ifyouprefer):ActiveDirectoryLightweightDirectoryServices, whichisdistinctfromtheADdirectoryservicethatwereusuallyreferringtowhenwejust sayActiveDirectory.Inthisshortchapter,wellexplorewhatADLDSisallabout,when youshould(andshouldnt)useit,andhowtoperformbasictroubleshootingandauditing withit.
WhatIsADLDS?
Generallyspeaking,ADLDSisthesameasregularADineveryway,exceptADLDSdoesnt performauthenticationforyourentirenetwork.ADLDSispositionedasamodeofAD thatprovidesdirectoryservicespecificallyforapplications.MicrosoftcreatedADLDSin parttoaddressthereticencepeoplehavearoundextendingtheschemaoftheirregular directory.Schemaextensionsare,afterall,permanent,andnobodylikestomakethatkind ofpermanentextensiontothemaindirectory.Whatifyoustopusingtheapplicationaftera fewyears?Itsextensionshangaroundforever.SoADLDSgivesapplicationsaseparate directoryinwhichtostoretheirstuff. ADLDSusestheexactsameprogrammingAPIsasADDS(ActiveDirectoryDomain Services,orthenormalAD),soprogrammersdonthavetotakeanyspecialsteps.ADLDS canoperateentirelyindependentlyoritcanoperatewithreplication.Becauseitisntpart ofyourmaindomain,ADLDSalsogivesyouawayofmoreeasilyandsafelydelegating controloverapplicationsdirectoryuse.SomeonecanbeinchargeofanADLDSinstalland havezerocontroloverthemaindirectory. ADLDSdoesnot,however,haveanyoftheinfrastructurecomponentsofADDS.Itisnta directoryservicefortheWindowsoperatingsystem(OS),soclientscantauthenticatetoit. ADLDScanuseyournormaldomainforauthentication,whichIlldiscussinasecond.Thus, ADLDScanbeapartofyourdomaininmuchthesamewaythatanyapplicationcouldbe. ADLDSdoesnthaveFlexibleSingleMasterOperations(FSMO)rolesormanyoftheother infrastructureelementsweassociatewiththefullADDS.Inaddition,MicrosoftExchange cantutilizeADLDSbecauseADLDSdoesntsupporttheMessageApplication ProgrammingInterface(MAPI)orsupportauthentication.
88
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Partitions
ADLDSconsistsofaconfigurationandschemapartition,muchlikeADDS.Italsoincludes oneormoreapplicationpartitions,whichiswhereapplicationsstoretheirdata.Data,asin ADDS,isstoredasobjects,andtheschemadefineswhichobjectclassesareavailableand whatattributesthoseclassescanuse.JustasinADDS,theconfigurationpartitioncontains theinternalconfigurationsettingsthatmakethesystemwork. WhenyouinstallADLDS,youhavetheoptiontocreateauniqueinstanceorareplicaofan existinginstance,asFigure7.1shows.ReplicasarehowyouprovidescalabilityforADLDS ininstanceswhereasingleservercantkeepupwiththeapplicationsdemands.Youcan replicatetheconfigurationandschemapartitionsofADLDS,andselectspecificapplication partitionstoreplicate.
Figure7.1:CreatingauniqueorreplicaADLDSinstance.
89
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
SynchronizingWithADDS
TosynchronizeADLDSwithanormalADDSdomain,youfirsthavetoexportyour directorysschemaandloaditintoADLDS.Thatway,ADLDScanseeallofyournormal domainsobjects.ADLDSinstallsanADSchemaAnalyzertool,andyoucanuseitsLoad TargetSchemaoption(seeFigure7.2)toloadtheschemafromanexistingdomain controller.
Replication
ADLDSinstancescanreplicatewitheachother.JustasinADDS,replicationinADLDS providesbothfaulttoleranceandloadbalancingfortheservicesprovidedbyADLDS. Beforeconfiguringreplication,itsimportanttoconfiguretheADLDSservicetorununder auseraccount.Inaddition,ensurethatthecomputershostingADLDSareinthesame(or trusted)domains.Eachinstancesserviceshouldberunningunderthesameuseraccount, notthebuiltinNetworkServiceaccount.
90
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ADLDSreplicatesdatabasedonaconfigurationset.AllADLDSinstancesjoinedtothe sameconfigurationsetwillreplicateacommonconfigurationpartition,acommonschema partition,andwhateverapplicationpartitionsareconfiguredintheconfigurationset.You canveryroughlythinkofaconfigurationsetasadomainfromADDS,meaningthatall theADLDSinstancesinthesameconfigurationsetwillcontainthesamedata.Onetrickis thatanADLDSinstancecancontainapplicationpartitionsbeyondthoseintheconfiguration set.Anyapplicationpartitionsintheconfigurationsetwillbesharedwithallinstances replicatingthatset;anyapplicationpartitionsoutsidetheconfigurationsetwillbeunique totheinstancewheretheylive.AnyADLDSinstancecanparticipateinonlyone configurationsetatatime,soifyouhaveapplicationpartitionsoutsideofaconfiguration set,thosewillnotbereplicated. ADLDSsupportsthesamekindofsiteandsitelinkobjectsasADDS,whichareusedto createandcalculatethereplicationtopology.Ivewrittenaboutreplicationearlierinthis guide,andprettymucheverythingyouknowaboutADreplicationandsitesandsite linksappliestoADLDSaswell.Replicationwithinasitethatis,betweeninstanceson thesamelocalareanetwork(LAN)isautomaticandmoreorlessrealtime.Beyond settingupconfigurationsetstodeterminewhatwillreplicate,youdonthavetodo anything.Betweensites,however,youmustdefinesitelinkobjectssomethingthatyou donthavetodoinADDS.Intersitereplicationalsorequiresyoutosetupthereplication schedule,frequency,andavailabilitysomethingyoucandoinADDS,butwhichmany adminsdontmanuallyconfigure. Note Youcanalsooverridetheautomaticintrasitereplicationsettingstospecifya schedule,frequency,andsoon. Resource MicrosoftprovidesacompleteguidetomanagingADLDSreplication,and configurationsets,athttp://technet.microsoft.com/en us/library/cc816770(WS.10).aspx.
Authentication
ItechnicallyliedaboutADLDSnotdoingauthentication.Whatitcantdoisauthenticatea WindowscomputerinthewaythatADDScan.ADLDScanabsolutelyprovidecustom authenticationforanapplication,andalotofpeopleuseitasthedirectoryfor,say,an extranetWebapplication.Essentially,yourejustusingADLDStostorecustomuserobjects ratherthanstickingthatinformationintoatraditionalrelationaldatabase,whichiswhata lotofdevelopersdo.ADLDSisoptimizedforreadaccess,makingitaveryquickandsimple operationtolookupauser,validatetheirpassword,andsoforth.
91
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
YoullalsoseefolksusingADLDSwhentheyhaveanapplicationthatrequiressimpleLDAP authenticationandthatwantstostoredataintheLDAPdirectorybuttheydontwantthat tobetheirmaindomain.ADLDSdoessupportthefullLDAPprotocol,including authentication,soitcanworkwellinthatinstance.Theapplicationwouldprovideausers X.500DistinguishedName(DN)andpassword.ADLDSsecuritypolicyforpassword complexity,accountlockout,andsoforthareenforcedbythelocalcomputerssecurity policyratherthanaGPO(ADLDSdoesntdoGPOs).However,ifthecomputerisamember ofadomainandaGPOappliestoitthatsetspasswordcomplexityorotheraccountpolicies, thenthosewillobviouslyapplytoADLDSaswell.Unfortunately,LDAPdoestransmit passwordsincleartextifyouarentusingLDAPoverSSL,sobeawareofthatlimitation. ADLDSalsosupportsWindowsprincipalauthentication,alsoknownasSSPI authentication.ThispermitssomeonetousetheirADDSdomainaccounttoauthenticateto anADLDSinstance,ortouselocaluserandgroupaccountscreatedonthemachinehosting ADLDS.Tousedomainaccounts,ADLDSmustbeamemberofthedomain.Inadomain environment,authenticationhappenswiththeKerberosprotocol,providingbetter security,mutualauthentication,andcompleteprotectionofuserspasswords(althoughit canfallbacktoNTLMauthenticationdependingonyourdomainpoliciesforthat). ADLDSalsosupportsproxyauthentication,alsoknownasbindredirection,inwhichusers authenticateusinganADLDSaccount(thatis,auseraccountstoredinADLDS)butcanuse theirADDSdomainpassword.Again,theADLDShostcomputerneedstobeamemberof theADDSdomain,andyoullusuallyneedsomekindofaccountsynchronizationtoollike ForeFrontIdentityManagertosynchronizetheobjectSIDfromADDStothecorresponding ADLDSuseraccounts.ThisusesLDAP,soitsimportanttosetupLDAPoverSSLtosecure thedomainpasswordsonthenetwork. Resource Thereisagreatarticleathttp://technet.microsoft.com/en us/library/cc784622.aspxthatexplainstheseauthenticationoptionsinsome detail,includinginstructionsforsettinguptheoptions.
WhentoUseADLDS
ADLDSisusefulwheneveryouhaveanapplication(otherthanMicrosoftExchangeServer, whichisanotableexception)thatneedstostoredatainADandyoudontwanttoextend theschemaofyourmaindirectoryforthatpurpose.ADLDSisalsoagoodchoiceifyoure developinganapplicationthatwilleventuallyintegratewithADDS.WithADLDS,youcan havealocallyinstalleddirectoryonyourdevelopmentortestingsystems,becauseADLDS canrunonabroaderrangeofOSsanddoesnthavetheextensiveprerequisitesofADDS. Anytimeyoufindyourselfasking,Shouldweextendtheschemaofourdirectory?then youshouldatleastputADLDSonthetableforconsideration,especiallyifyourgutreaction tothatquestionis,NO!!!
92
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
WhenNottoUseADLDS
ADLDSisnotareplacementforADDS.Itcantauthenticateuserstoadomain,anditcant authenticatedomainjoinedcomputers.WindowsmachinescantjoinanADLDSinstance. ADLDSisintendedforuseprimarilybyapplications,ofteninconjunctionwithanormalAD DSdomain.
TroubleshootingADLDS
ThebiggestthingyoullwinduptroubleshootinginADLDSisreplication.Fortunately,its replicationworksexactlylikethatinADDS,sothetroubleshootingsectionsintheearlier chaptersofthisguidestillapply.
AuditingADLDS
ADLDSdoessupportchangeauditing,meaningyoucanhaveaneventwrittentothe Windowseventlogswheneverachangeoccurs.Theseeventsoftenincludeoldandnew valuesforobjectattributechanges,whichcanbeusefulforcreatinganaudittrailfor compliance.ItsthesamefeatureasinADDS,infact,andyouenableitinthesameway. Resource Thearticleathttp://technet.microsoft.com/en us/library/cc731764(WS.10).aspxhasinstructionsforcreatinganaudittrail forcompliance.AlthoughthearticlefocusesonADDS,thecontentappliesto ADLDSaswell. Aswithpasswordpolicyandaccountlockout,theauditpolicycanbeappliedtoanADLDS servereitherthroughitslocalsecuritypolicyorfordomainjoinedcomputersthroughan appropriatelylinkedGPO.AuditingworksjustlikeitdoesinADDS: 4. YoulltypicallyenableauditingthroughaGPO,althoughfornondomainhostsyou candosointhelocalsecuritypolicy. 5. SettheSecurityAccessControlList(SACL)ontheobjectsyouwanttoaudit. 6. TheaccountrunningtheADLDSserviceneedstohavetheGenerateSecurityAudit userprivilegeontheserverswhereADLDSruns.NetworkServiceandLocalSystem havethissetbydefault,butifyourereplicatingaconfigurationsetandusinga domainuseraccount,thenyoullhavetograntthisprivilegetothataccount.
93
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Figure7.3:SettingaSACLinADLDS.
94
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
ComingUpNext
Weredowntothefinalchapterinthisguide,whereIllpresentassortedtipsandtricksfor AD.WellcoverthingslikeFSMOroles,syncing,Kerberos,replication,DNSandtrusts, permissions,communications,GroupPolicy,andmuchmore.
95
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Chapter8:AssortedTipsandTricksfor ActiveDirectoryTroubleshooting
Wereattheendofthisguide,andIfindmyselfleftwithseveralthingsIwishIdmentioned earlierexceptthatthesethingsdontfitneatlyintoanyofthetopicswevealready discussed.Sointhischapter,Illpresenttheseseeminglyrandom,yetcompletelyhelpful, tipsfortroubleshootingvariousaspectsofActiveDirectory(AD).
TroubleshootingFSMORoles
Typically,theresnogoodfixforabrokenFlexibleSingleMasterOperation(FSMO)role youreoftenlefttonicelytransfertheroletoanotherdomaincontrolleror,inaworstcase scenario,seizetheroleonanotherdomaincontroller.Thereare,however,someindications thattellyouaFSMOroleholderisntworkingproperly: Ifyoucantaddnewdomains,theDomainNamingMasterisdown.ThatFSMOcan bedownforageswithoutyourealizingitbecauseyouprobablydontoftenadd domains. Ifusersarechangingtheirpasswordsbutcantlogon,thePDCEmulatoristhelikely cause.ThisFSMOrolealsoplaysapartintimesynchronization. FailureofthePDCEmulatorcanalsoaffectyourabilitytoeditGroupPolicyObjects (GPOs)andpreventyoufromaddingnewdomainstoaforest. Ifyoucantcreatenewdirectoryobjects,youlostyourRIDMasterprobablya whileback,asdomaincontrollersobtainRIDsinblocksandcachethem. Inamultidomainenvironment,afailedInfrastructureMastercanresultin incompletegroupmemberships,meaningusersmaynotbeabletoaccessalloftheir resources. DomainupgradesandschemaextensionscanrelyontheDomainNamingMaster andtheSchemaMaster,dependingonwhatworktheyredoing.
96
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Whateveryoudo,dontforciblyseizeaFSMOrolefromadomaincontrollerunlessyoure takingthatdomaincontrollercompletelyoffline,demotingit(removingAD),andplanning torebuilditbeforeitsreconnectedtothenetwork.ThisisespeciallytrueoftheSchema MasterandDomainNamingMaster:Undernocircumstancesmusttwoserversbelievethey eachholdoneofthoseroles. CheckingyourFSMOsisprettyeasy:UsetheDCDiagtoolonadomaincontrollerineachof yourdomains(itsnotabadideatorunitonseveraldomaincontrollers,indifferentsites, tomakesureyougetthesameresults).ItllcheckyourFSMOsandreportback.Thenext step,ifaFSMOappearstobebroken,istocheckDNS.Really,itseemsliketwothirdsofall ADproblemscanbetracedbacktoaDNSissue.MakesureeachFSMOroleholderis properlyregisteredinDNS,andyoullprobablybefine.
TroubleshootingDomainControllersinGeneral
Domaincontrollers,byandlarge,justwork.Providedeverythingaroundthem replication,timesync,andsoforthisallworking,youlltendtohaveverylittletrouble withtheADdatabaseandservices.Whenyouthinkadomaincontrollerisbroken,startby goingthroughaquickchecklistonconfigurationandsurroundingoperations: Makesurethedomaincontrollerssiteandsubnetconfigurationiscorrect. Makesuretimesyncisworkingandthatthedomaincontrollersclockmatchesthat ofthedomainsPDCEmulator(seethenextsection). Makesurereplicationisworking.Ifadomaincontrollerseemsbroken,either replication,orsomedependencylikethenetworkitself,islikelycausingthe problem. MakesurethedomaincontrollerisproperlyregisteredinDNS,andensurethat clientcomputersandotherdomaincontrollerscanproperlyresolvethedomain controllersDNSrecords. Checkthedomaincontrollerseventlogsforanybadnews,anddealwithwhatever youfind.
97
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
TroubleshootingTimeSync
TimesynchronizationisabsolutelycrucialinAD.Bydefault,authenticationtrafficonly allowsfora5minuteoutofsyncwindow;letanyclientordomaincontrollergetfurther outofsyncthan5minutes,andauthenticationstopsworking.Thesolutiontothisproblem isnottoextendthattimewindow;doingsocreatesahighersecurityriskbecausesomeone canmoreeasilycaptureandreplayauthenticationpacketsagainstyournetwork.Instead, fixthetimesyncproblem. TimesyncishandledbyabackgroundserviceonallWindowscomputers,servers,and clients.Clientcomputersandmemberserverssynctimewiththedomaincontrollerthat authenticatedthemwhentheystarted;domaincontrollerssyncwiththedomaincontroller holdingthePDCEmulatorFSMOrole.ThePDCEmulatorshouldsyncwithanexternal, authoritativetimesource.ThesynctrafficoccursoverUDPport123,soyourfirststepwill betomakesurethatportisopen.Keepinmindthat,bydefault,thePDCEmulatorisnt configuredtosynctime,anditwillrepeatedlylogmessagestothateffectuntilyoudo configureit. ThebesttroubleshootingtoolyouhaveistheW32tmtool,whichmustberunfromthe commandlinebyanadministrator.ThistoolcannotfunctioniftheWindowsTimeService isrunning,sotemporarilystopthatservicebeforerunningW32tm.Besuretorestartthe servicewhenyouredonetroubleshooting.Somespecifictipseachofwhichmustbe completedbyanAdministrator: Runnettime/querysntptochecktimesyncserversondomaincontrollersand workstations Runw32tm/resynctochecksyncwithyourdomaincontroller Runw32tm/monitor/domain:domain_nametocheckthestatusofdomain controllertimesources. Runnettime/domain:domain_name/set/ytotrytosynchronizewiththelocal domaintimesource
Theerrorsgeneratedbythosecommands,ifany,willtellyouwhatneedstobefixed.Also notethattheTimeServicewontalwaysimmediatelycorrectanoutofsynclocalclock:If thelocalclockisfasterthanitstimesourcebutlessthan3minutesoutofsync,theTime Servicewillmerelyslowtheclocksothatiteventuallycomesbackintosync.Whendoing so,theTimeServicewillcheckthetimeaboutevery45minutesuntiltheclockisinsync forthreeconsecutivechecks.Theservicethenresumesitsnormalbehaviorofcheckingthe clockevery8hours. Resource Youcanfindmorestepbysteptipsontroubleshootingtimesyncat http://cainmanor.com/tech/windowstimetroubleshooting/.
98
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
TroubleshootingKerberos
Providedtimesyncisworking,Kerberoswillgenerallyworkasadvertised.Trytoavoid fiddlingwithKerberosconfiguration(whichcanbedonethroughGroupPolicy),as tweakingKerberossettingsincorrectlycanleadtoproblems.MostKerberosissuesstem fromunderlyingDNSornetworkconnectivityissues;startbyassumingthataproblemis withDNSorthenetworkandresolvethoseproblemsfirst. SpecificsymptomsofapossibleKerberosissue: Usersorcomputerscantlogonorcantaccessnetworkresources,andKerberosis theprotocolinuse.Youdohavetocheckthis,assometimesadifferentprotocolcan beusedandtroubleshootingKerberosisjustawasteofyourtime. TheeventlogwillshowerrorsrelatedtoKerberosKeyDistributionCenter(KDC), LocalSecurityAuthorityServer(LsaSrv),orNetLogon(Netlogon)services. FailureeventsintheSecuritylogwillindicatewhichprotocolisbeingused:Enable auditingoffailedlogons,ifyouhaventdoneso,toseeifanyoftheseauditsare logged.Notethatenablingthislevelofauditingcanincreaselogvolume significantly;besuretoturnoffthissettingifitisntnormallyoninyour environment.
99
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
TroubleshootingRIDs
RelativeIdentifiers(RIDs)areusedtoensurethatauniqueIDnumbercanbeassignedto eachdirectoryobjectcreatedbyadomaincontroller.TheRIDMasterFSMORolehandsout uniqueRIDsinbatchestodomaincontrollers;thecontrollerscachethoseRIDsanduse themwhencreatingnewobjects.WhenadomaincontrollerrunsoutofRIDs,itasksthe RIDMasterformore.Earlierinthischapter,Imentionedthataninabilitytocreatenew objectsisasignthattheRIDMasteriseitherbroken,offline,orinaccessibletodomain controllers(inaccessibilityisoftenaDNSissueornetworkinfrastructureproblem). Thereareanumberofeventlogentriesyoucanwatchfor: 16642indicatesthatthedomaincontrollerisoutofRIDs.Itshouldhaverequested more;checktheRIDMasterandrestartthedomaincontroller. 16643indicatesthatthedomaincontrollerhasntgottenapoolofRIDsyetoften becausetheRIDMasterisntaccessible. 16644tellsyouthatthedomainisoutofRIDs.ThisisaBadSituationandshouldnt normallyoccur,eveninhugedomains.ThelimitofRIDsisabitover1billion (1,073,741,825,tobeexact). 16645saysthatthedomaincontrollerjustassigneditslastRIDandcouldntget more.Again,checktheavailabilityof,andconnectivityto,theRIDMaster. 16646indicatesaprocessingproblemwhereadomaincontrollertriedtousean invalidRID.ForcethedomaincontrollertoinvalidateitsRIDpool,whichshould forceittoaskforanewone. 16647meansthedomaincontrollerisrequestinganewRIDpool.Thisisgood. 16648meansadomaincontrollergotanewRIDpoolthisisexcellentnews. 16651meansaRIDpoolrequestfailedBadNews.Thedomaincontrollerwill retrylookforanother16647event.
TroubleshootingObjectDeletion
ItsimportanttounderstandhowobjectdeletionoccursinADsothatyoucantroubleshoot problems: 7. Whenyoudeleteanobject,itisactuallyjustmarkedasdeleted,aprocesscalled tombstoning. 8. Likeanyotherchangetoanobject,thetombstonechangeisreplicated,thus deletingtheobjectonallotherdomaincontrollers. 9. Theolddefaultvaluefortombstonecleanupwas60days;asofWindowsServer 2003,itwassetto180days.Afterthisperiod,eachdomaincontrollerpermanently deletestombstonedobjects.
100
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Mostobjectdeletionissuescanbepreventedbysimplyneverallowinganolderdomain controller,orabackupofone,tobereconnectedtothenetwork.
TroubleshootingReplication
ReplicationisprobablythetrickiestthingtotroubleshootinAD.Beforeyoudivein,Ihave somerecommendationsthatcanmakereplicationlesspronetoproblems: Keepyoursitesandsubnetsuptodate.Thisisreallycrucial,asreplicationrelieson thetopologyofyoursitesandsubnets.AsubnetisasingleIPsubnetClassA,Class B,ClassC,whateveryouuse.Asiteisacollectionofsubnetsthatallexistinthesame LANqualitybandwidththatis,allthesubnetswitha100GbpsorbetterEthernet connection. MakeyoursitelinksreflectyourphysicalWANarchitecture,andavoidcreatingsite bridgelinksunlessyouabsolutelymustdosoinordertospeedreplicationtofar flungsites.Allowingthedirectorytocalculateitsownreplicationtopologybasedon yourphysicalWANisthebestcourseofaction.
TroubleshootingDNS
DNS,asIveindicatedelsewhereinthischapter,turnsouttobetherootcauseforalotof ADtroubles.Infact,IcounselallofmycustomerstogetasolidADspecificDNSmonitoring toolinplacetocontinuouslycheckDNSoperationsandproactivelyalertthemifsomething goeswrong.WhyADspecific?BecauseofthewayinwhichADusesDNS.Atremendous numberofDNSrecordsgetaddedbydomaincontrollers,andamonitoringsolutionthats awareofthosethingscandoabetterjobofmonitoringtheoverallinfrastructure.
101
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
Forexample,asolutioncanchecktheADitselftoseewhichdomaincontrollersexist,then verifythateachonehasregisteredalltheproperDNSrecords,andthenverifythatDNSis properlyreturningthoserecords,andthenverifythatthecomputersarereachableusing thedatainthoserecordscoveringtheentireloopofpossibleproblems,essentially.Such monitoringtoolsarenearlyalwayscommercial,meaningyoullhavetopayabitforthem. TherearesomeobviousfirststepstomakingsurethatDNSisworkingproperly.Eachof these,however,requiresthatyouknowwhatDNSshouldbedoing.Whensittingdownata clientcomputer,forexample,youneedtoknowwhichdomaincontrollersitshouldexpect tosee,whatDNSrecordsitshouldexpecttoreceivefromaquery,andsoforth.Allyoucan doisverifythatDNSisreturningwhatyouexpect;ifitdoesnt,youvefoundyourproblem. Ifyoudontknowwhatshouldbehappening,however,youllneverfindtheproblem. Thosefirststeps: CleartheclientDNScachebyrunningipconfig/flush. ChecktheDNScachetomakesureyoudonthaveanystaticrecordsfromahosts file. UseNslookuptoperformthesamequeriesaclientcomputerwould,andverifythe results.Whatyouqueryisgoingtodependonwhatsituationyouretryingto replicate,ofcourse.http://technet.microsoft.com/enus/library/bb726934.aspx hasagreatlistofstartingpoints,particularlywithregardtoimproperDNSserver configuration.
TroubleshootingPermissions
Lastupistheprocessoftroubleshootingpermissions.Thisiswhensomeoneshouldhave permissiontosomethinginADbuttheydontortheopposite,whentheydobut shouldnt.Really,thisisntmuchdifferentthantroubleshootingthesameprobleminthe Windowsfilesystem.Keepinmindthefollowingfacts: Permissionscanbeapplieddirectlyatanorganizationalunit(OU)orcontainer,then inheritedbyobjects. Permissionscanbeapplieddirectlyonanobject.
102
TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition
AuserseffectivepermissionsarethecombinationofeveryinheritedparentOUpermission plusthepermissionsdirectlyontheobject.ADenypermissionanywhereinthatchainof inheritancewilloverrideanAllowthatoccursanywhereelse.Youcanminimizethe complexityoftroubleshootingbyneverapplyingpermissionsdirectlytoobjectsandby minimizingthenumberofOUsyouapplypermissionsto.Thatway,youhavefewerplaces tolook. TotroubleshootpermissionsinActiveDirectoryUsersandComputers,youllfirstneedto enableAdvancedFeaturesfromtheViewmenu.Otherwise,objectsSecuritytabsarent evenvisible.TellsyouhowmuchMicrosoftthinksyoushouldmesswiththisstuff! OnceontheSecuritytabforanobject,clickAdvanced.ThenusetheEffectivePermissions tab.Thisisprobablytheeasiestwaytoresolvetheinheritanceofpermissionsandseethe final,effectivepermissionsagivenuserhasoveragivenobjectorcontainer.Justselectthe useryouretroubleshooting,thenreviewthepermissions.
ThanksforReadingandGoodLuck
ThanksverymuchforreadingthisDefinitiveGuide.Ihopeyouvefoundhelpfultipsand usefulexplanationsandthatyourereadytogothenexttimeaproblemstrikesyourAD infrastructure.
DownloadAdditionaleBooksfromRealtimeNexus!
RealtimeNexusTheDigitalLibraryprovidesworldclassexpertresourcesthatIT professionalsdependontolearnaboutthenewesttechnologies.IfyoufoundthiseBookto beinformative,weencourageyoutodownloadmoreofourindustryleadingtechnology eBooksandvideoguidesatRealtimeNexus.Pleasevisit http://nexus.realtimepublishers.com.
103