
SysAdmin Magazine
Active Directory Handy Guides
July 2022

Contents

3 What are FSMO Roles in Active Directory?
12 What Is a Global Catalog Server?
16 Active Directory Certificate Services: Risky Settings and How to Remediate Them
20 Active Directory Object Recovery Using the Recycle Bin
25 How to: Restore Deleted AD Objects
26 Tool of the Month: Netwrix PolicyPak

SysAdmin Magazine is a free source of knowledge for IT Pros who are eager to keep a tight grip on network security and do the job faster.

The Sysadmin Magazine team
sysadmin.magazine@netwrix.com

What are FSMO Roles in Active Directory?

Kevin Joyce
Senior Technical Product Manager at Netwrix

Active Directory (AD) allows object creations, updates and deletions to be committed to any authoritative domain controller (DC). This is possible because every DC (except read-only DCs) maintains a writable copy of its own domain’s partition. Once a change has been committed, it is replicated automatically to other DCs through a process called multi-master replication. This behavior allows most operations to be processed reliably by multiple domain controllers and provides for high levels of redundancy, availability and accessibility in Active Directory.

An exception applies to certain Active Directory operations that are sensitive enough that their execution is restricted to a specific domain controller. Active Directory addresses these situations through a special set of roles. Microsoft has begun referring to these roles as the operations master roles, but they are more commonly referred to by their original name: flexible single-master operator (FSMO) roles.

What are FSMO Roles?

The 5 FSMO Roles

Active Directory has five FSMO roles:

▪ Schema Master
▪ Domain Naming Master
▪ Infrastructure Master
▪ Relative ID (RID) Master
▪ PDC Emulator

In every forest, there is a single Schema Master and a single Domain Naming Master. In each domain, there is one Infrastructure Master, one RID Master and one PDC Emulator. At any given time, there can be only one DC performing the functions of each role. Therefore, a single DC could be running all five FSMO roles; however, in a single-domain environment, there can be no more than five servers that run the roles.

In a multi-domain environment, each domain will have its own Infrastructure Master, RID Master and PDC Emulator. When a new domain is added to an existing forest, only those three domain-level FSMO roles are assigned to the initial domain controller in the newly created domain; the two enterprise-level FSMO roles (Schema Master and Domain Naming Master) already exist in the forest root domain.

Schema Master

Schema Master is an enterprise-level FSMO role; there is only one Schema Master in an Active Directory forest.

The Schema Master role owner is the only domain controller in an Active Directory forest that contains a writable schema partition. As a result, the DC that owns the Schema Master FSMO role must be available to modify its forest’s schema. Examples of actions that update the schema include raising the functional level of the forest and upgrading the operating system of a DC to a higher version than currently exists in the forest.

The Schema Master role has little overhead and its loss can be expected to result in little to no immediate operational impact. Indeed, unless schema changes are necessary, it can remain offline indefinitely without noticeable effect. The Schema Master role should be seized only when the DC that owns the role cannot be brought back online.

Bringing the Schema Master role owner back online after the role has been seized from it can introduce serious data inconsistency and integrity issues for the forest.

Domain Naming Master

Domain Naming Master is an enterprise-level role; there is only one Domain Naming Master in an Active Directory forest.

The Domain Naming Master role owner is the only domain controller in an Active Directory forest that is capable of adding new domains and application partitions to the forest. Its availability is also necessary to remove existing domains and application partitions from the forest.

The Domain Naming Master role has little overhead and its loss can be expected to result in little to no operational impact, since the addition and removal of domains and partitions are performed infrequently and are rarely time-critical operations. Consequently, the Domain Naming Master role should need to be seized only when the DC that owns the role cannot be brought back online.

RID Master

Relative Identifier Master (RID Master) is a domain-level role; there is one RID Master in each domain in an Active Directory forest.

The RID Master role owner is responsible for allocating active and standby Relative Identifier (RID) pools to DCs in its domain. RID pools consist of a unique, contiguous range of RIDs, which are used during object creation to generate the new object’s unique Security Identifier (SID). The RID Master is also responsible for moving objects from one domain to another within a forest.

In mature domains, the overhead generated by the RID Master is negligible. Since the primary domain controller (PDC) in a domain typically receives the most attention from administrators, leaving this role assigned to the domain PDC helps ensure its availability. It is also important to ensure that existing DCs and newly promoted DCs, especially those promoted in remote or staging sites, have network connectivity to the RID Master and are reliably able to obtain active and standby RID pools.

The loss of a domain’s RID Master will eventually result in an inability to create new objects in the domain as the RID pools in the remaining DCs are depleted. While it might seem that unavailability of the DC owning the RID Master role would cause significant operational disruption, in mature environments the impact is usually tolerable for a considerable length of time because of a relatively low volume of object creation events. Bringing a RID Master back online after having seized its role can introduce duplicate RIDs into the domain, so this role should be seized only if the DC that owns it cannot be brought back online.

Infrastructure Master

Infrastructure Master is a domain-level role; there is one Infrastructure Master in each domain in an Active Directory forest.

The Infrastructure Master synchronizes objects with the global catalog servers. The Infrastructure Master will compare its data to a global catalog server’s data and receive any data not found in its database from the global catalog server. If all DCs in a domain are also global catalog servers, then all DCs will have up-to-date information (assuming that replication is functional). In such a scenario, the location of the Infrastructure Master role is irrelevant since it doesn’t have any real work to do.

The Infrastructure Master role owner is also responsible for managing phantom objects. Phantom objects are used to track and manage persistent references to deleted objects and link-valued attributes that refer to objects in another domain within the forest (e.g., a local-domain security group with a member user from another domain).

The Infrastructure Master may be placed on any domain controller in a domain unless the Active Directory forest includes DCs that are not global catalog hosts. In that case, the Infrastructure Master must be placed on a domain controller that is not a global catalog host.

The loss of the DC that owns the Infrastructure Master role is likely to be noticeable only to administrators and can be tolerated for an extended period. While its absence will result in the names of cross-domain object links failing to resolve correctly, the ability to utilize cross-domain group memberships will not be affected.

PDC Emulator

The Primary Domain Controller Emulator (PDC Emulator or PDCE) is a domain-level role; there is one PDCE in each domain in an Active Directory forest.

The PDC Emulator controls authentication within a domain, whether Kerberos v5 or NTLM. When a user changes their password, the change is processed by the PDC Emulator.

The PDCE role owner is responsible for several crucial operations:

▪ Backward compatibility. The PDCE mimics the single-master behavior of a Windows NT primary domain controller. To address backward compatibility concerns, the PDCE registers as the target DC for legacy applications that perform writable operations and certain administrative tools that are unaware of the multi-master behavior of Active Directory DCs.

▪ Time synchronization. Each PDCE serves as the master time source within its domain. The PDCE in the forest root domain serves as the preferred Network Time Protocol (NTP) server in the forest. The PDCE in every other domain within the forest synchronizes its clock to the forest root PDCE; non-PDCE DCs synchronize their clocks to their domain’s PDCE; and domain-joined hosts synchronize their clocks to their preferred DC. One example of the importance of time synchronization is Kerberos authentication: Kerberos authentication will fail if the difference between a requesting host’s clock and the clock of the authenticating DC exceeds the specified maximum (5 minutes by default); this helps counter certain malicious activities, such as replay attacks.

▪ Password update processing. When computer and user passwords are changed or reset by a non-PDCE domain controller, the committed update is immediately replicated to the domain’s PDCE. If an account attempts to authenticate against a DC that has not yet received a recent password change through scheduled replication, the request is passed to the domain PDCE, which will process the authentication request and instruct the requesting DC to either accept or reject it. This behavior ensures that passwords can reliably be processed even if recent changes have not fully propagated through scheduled replication. The PDCE is also responsible for processing account lockouts, since all failed password authentications are passed to the PDCE.

▪ Group Policy updates. All Group Policy object (GPO) updates are committed to the domain PDCE. This prevents versioning conflicts that could occur if a GPO was modified on two DCs at approximately the same time.

▪ Distributed file system. By default, distributed file system (DFS) root servers will periodically request updated DFS namespace information from the PDCE. While this behavior can lead to resource bottlenecks, enabling the Dfsutil.exe Root Scalability parameter will allow DFS root servers to request updates from the closest DC.

The PDCE should be placed on a highly-accessible, well-connected, high-performance DC. Additionally, the forest root domain PDC Emulator should be configured with a reliable external time source.

While the loss of the DC that owns the PDC Emulator role can be expected to have an immediate and significant impact on operations, the seizure of the PDCE role has fewer implications to the domain than the seizure of other roles. Seizure of the PDCE role is a recommended best practice if the DC that owns that role becomes unavailable due to an unscheduled outage.

Identifying Role Owners

You can use either the command prompt or PowerShell to identify FSMO role owners.

Command Prompt

netdom query fsmo /domain:<DomainName>

PowerShell

(Get-ADForest).Domains | `
ForEach-Object{ Get-ADDomainController -Server $_ -Filter {OperationMasterRoles -like "*"}} | `
Select-Object Domain, HostName, OperationMasterRoles

Transferring FSMO Roles

FSMO roles often remain assigned to their original domain controllers, but they can be transferred if necessary. Since FSMO roles are necessary for certain important operations and they are not redundant, it can be desirable or even necessary to move FSMO roles from one DC to another.

One method of transferring a FSMO role is to demote the DC that owns the role, but this is not an optimal strategy. When a DC is demoted, it will attempt to transfer any FSMO roles it owns to suitable DCs in the same site. Domain-level roles can be transferred only to DCs in the same domain, but enterprise-level roles can be transferred to any suitable DC in the forest. While there are rules that govern how the DC being demoted will decide where to transfer its FSMO roles, there is no way to directly control where its FSMO roles will be transferred.

The ideal method of moving an FSMO role is to actively transfer it using either the Management Console, PowerShell or ntdsutil.exe. During a manual transfer, the source DC will synchronize with the target DC before transferring the role.

To transfer an FSMO role, an account must have the following privileges:

To transfer this FSMO role                  | The account must be a member of
Schema Master                               | Schema Admins and Enterprise Admins
Domain Naming Master                        | Enterprise Admins
PDCE, RID Master or Infrastructure Master   | Domain Admins in the domain where the role is being transferred
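The following script is an added example, not code from the magazine or its author: it reads the five role owners from the forest and domain objects (rather than filtering on OperationMasterRoles) and then checks the Infrastructure Master placement rule given earlier, that a domain with non-GC DCs must not host the role on a global catalog. It assumes the RSAT ActiveDirectory module and read access to every domain in the forest.

```powershell
# Added example (not from the magazine): enumerate FSMO role owners forest-wide and
# check Infrastructure Master placement. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    $rows = @()

    # The two enterprise-level roles are exposed on the forest object.
    $rows += [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Owner = $forest.SchemaMaster }
    $rows += [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Owner = $forest.DomainNamingMaster }

    # The three domain-level roles are exposed on each domain object.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $rows += [pscustomobject]@{ Scope = $domainName; Role = 'PDCEmulator';          Owner = $domain.PDCEmulator }
        $rows += [pscustomobject]@{ Scope = $domainName; Role = 'RIDMaster';            Owner = $domain.RIDMaster }
        $rows += [pscustomobject]@{ Scope = $domainName; Role = 'InfrastructureMaster'; Owner = $domain.InfrastructureMaster }
    }
    $rows
}

function Test-InfrastructureMasterPlacement {
    # Rule from the article: if any DC in the domain is not a global catalog, the
    # Infrastructure Master must sit on a non-GC DC; if every DC is a GC, placement
    # does not matter because the role has no work to do.
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $im     = $dcs | Where-Object { $_.HostName -ieq $domain.InfrastructureMaster }

        if ($nonGc.Count -eq 0) {
            $status = 'OK (all DCs are GCs; placement irrelevant)'
        } elseif ($im -and $im.IsGlobalCatalog) {
            $status = 'WARNING: Infrastructure Master is a GC while non-GC DCs exist'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $domain.InfrastructureMaster
            NonGcDCs             = $nonGc.Count
            Status               = $status
        }
    }
}

Get-FsmoReport | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```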


How to Transfer FSMO Roles using the Management Console

Transferring the Schema Master Role

The Schema Master role can be transferred using the Active Directory Schema Management snap-in.

If this snap-in is not among the available Management Console snap-ins, it will need to be registered. To do so, open an elevated command prompt and enter the command regsvr32 schmmgmt.dll.

Once the DLL has been registered, run the Management Console as a user who is a member of the Schema Admins group, and add the Active Directory Schema snap-in to the Management Console:

Right-click the Active Directory Schema node and select Change Active Directory Domain Controller. Choose the DC that the Schema Master FSMO role will be transferred to and click OK to bind the Active Directory Schema snap-in to that DC. (A warning may appear explaining that the snap-in will not be able to make changes to the schema because it is not connected to the Schema Master.)

Right-click the Active Directory Schema node again and select Operations Master. Then click the Change button to begin the transfer of the Schema Master role to the specified DC:

Transferring the Domain Naming Master Role

The Domain Naming Master role can be transferred using the Active Directory Domains and Trusts Management Console snap-in.

Run the Management Console as a user who is a member of the Enterprise Admins group, and add the Active Directory Domains and Trusts snap-in to the Management Console:

Right-click the Active Directory Domains and Trusts node and select Change Active Directory Domain Controller. Choose the DC that the Domain Naming Master FSMO role will be transferred to, and click OK to bind the Active Directory Domains and Trusts snap-in to that DC.

Right-click the Active Directory Domains and Trusts node again and select Operations Master. Click the Change button to begin the transfer of the Domain Naming Master role to the selected DC:

Transferring the RID Master, Infrastructure Master or PDC Emulator Role

The RID Master, Infrastructure Master and PDC Emulator roles can all be transferred using the Active Directory Users and Computers Management Console snap-in.

Run the Management Console as a user who is a member of the Domain Admins group in the domain where the FSMO roles are being transferred and add the Active Directory Users and Computers snap-in to the Management Console:

Right-click either the Domain node or the Active Directory Users and Computers node and select Change Active Directory Domain Controller. Choose the domain controller that the FSMO role will be transferred to and click the OK button to bind the Active Directory Users and Computers snap-in to that DC.

Right-click the Active Directory Users and Computers node and click Operations Masters. Then select the appropriate tab and click Change to begin the transfer of the FSMO role to the selected DC:

How to Transfer FSMO Roles using PowerShell

You can transfer FSMO roles using the following PowerShell cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity TargetDC -OperationMasterRole pdcemulator, ridmaster, infrastructuremaster, schemamaster, domainnamingmaster

How to Transfer FSMO Roles using ntdsutil.exe

To transfer an FSMO role using ntdsutil.exe, take the following steps:

1. Open an elevated command prompt.
2. Type ntdsutil and press Enter. A new window will open.
3. At the ntdsutil prompt, type roles and press Enter.
4. At the fsmo maintenance prompt, type connections and press Enter.
5. At the server connections prompt, type connect to server <DC> (replacing <DC> with the hostname of the DC that the FSMO role is being transferred to) and press Enter. This will bind ntdsutil to the specified DC.
6. Type quit and press Enter.
7. At the fsmo maintenance prompt, enter the appropriate command for each FSMO role being transferred:
   ▪ transfer schema master
   ▪ transfer naming master
   ▪ transfer rid master
   ▪ transfer infrastructure master
   ▪ transfer pdc
8. To exit the fsmo maintenance prompt, type quit and press Enter.
9. To exit the ntdsutil prompt, type quit and press Enter.

Seizing FSMO Roles

Transferring FSMO roles requires that both the source DC and the target DC be online and functional. If a DC that owns one or more FSMO roles is lost or will be unavailable for a significant period, its FSMO roles can be seized, rather than transferred.

In most cases, FSMO roles should be seized only if the original FSMO role owner cannot be brought back into the environment. The reintroduction of a FSMO role owner following the seizure of its roles can cause significant damage to the domain or forest. This is especially true of the Schema Master and RID Master roles.

To seize FSMO roles, you can use the Move-ADDirectoryServerOperationMasterRole cmdlet with the Force parameter. The cmdlet will attempt an FSMO role transfer; if that attempt fails, it will seize the roles.

How Netwrix Can Help

As we have seen, FSMO roles are important for both business continuity and security. Therefore, it’s vital to audit all changes to your FSMO roles. Netwrix Auditor for Active Directory automates this monitoring and can alert you to any suspicious change so you can take action before it leads to downtime or a data breach.

However, FSMO roles are just one part of your security strategy — you need to understand and control what is happening across your core systems. Netwrix Auditor for Active Directory goes far beyond protecting FSMO roles and facilitates strong management and change control across Active Directory.
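As an added example (not the magazine's own code), the function below wraps Move-ADDirectoryServerOperationMasterRole with the checks an administrator wants before moving a role: it refuses RODC targets, skips roles the target already owns, only uses -Force (transfer-then-seize) when the current owner is unreachable and the caller has opted in with a hypothetical -AllowSeize switch, and re-reads the owners from the target afterwards. It assumes the RSAT ActiveDirectory module, Test-NetConnection, and an account with the privileges from the transfer table; the DC names in the usage line are constructed.

```powershell
# Added example (not from the magazine): guarded FSMO transfer with fallback to
# seizure only on request. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string[]] $Role,
        [switch] $AllowSeize   # hypothetical opt-in: seize only when the owner is gone for good
    )

    # 1. The target must be a reachable, writable DC (RODCs cannot own FSMO roles).
    $target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
    if ($target.IsReadOnly) { throw "$TargetDC is an RODC and cannot own FSMO roles." }

    # 2. Look up the current owner of each requested role.
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $target.Domain
    $owners = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($r in $Role) {
        $current = $owners[$r]
        if ($current -ieq $target.HostName) {
            Write-Verbose "$r is already owned by $TargetDC; skipping."
            continue
        }

        # 3. A transfer needs the current owner online; probe its LDAP port.
        $ownerOnline = Test-NetConnection -ComputerName $current -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue

        if (-not $ownerOnline -and -not $AllowSeize) {
            throw "Current $r owner $current is unreachable; re-run with -AllowSeize only if it will not return."
        }

        $action = "Move $r from $current (seize: $(-not $ownerOnline))"
        if ($PSCmdlet.ShouldProcess($TargetDC, $action)) {
            if ($ownerOnline) {
                Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $r -Confirm:$false
            } else {
                # -Force first attempts a transfer and seizes only if that fails.
                Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $r -Force -Confirm:$false
            }
        }
    }

    # 4. Verify the result by reading the owners back from the target DC itself.
    $forest = Get-ADForest -Server $target.HostName
    $domain = Get-ADDomain -Identity $target.Domain -Server $target.HostName
    foreach ($r in $Role) {
        $now = switch ($r) {
            'SchemaMaster'       { $forest.SchemaMaster }
            'DomainNamingMaster' { $forest.DomainNamingMaster }
            default              { $domain.$r }
        }
        [pscustomobject]@{ Role = $r; Owner = $now; OnTarget = ($now -ieq $target.HostName) }
    }
}

# Constructed usage; -WhatIf previews the moves without performing them.
Move-FsmoRoleSafely -TargetDC 'DC02.corp.example' -Role PDCEmulator, RIDMaster -WhatIf
```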


By automating Active Directory change tracking and reporting, Netwrix Auditor empowers you to reduce security risks. You can improve your security posture by proactively identifying and remediating toxic conditions like directly assigned permissions, before attackers can exploit them to gain access to your network resources. Moreover, you can monitor changes and other activity in Active Directory to spot emerging problems and respond to them promptly — minimizing the impact on business processes, user productivity and security.

What Is a Global Catalog Server?

Kevin Joyce
Senior Technical Product Manager at Netwrix

The global catalog is a feature of Active Directory (AD) that allows a domain controller (DC) to provide information on any object in the forest, regardless of whether the object is a member of its domain. Domain controllers with the global catalog feature enabled are referred to as global catalog servers.

Core Functionality

Global catalog servers perform several functions, which are especially important in a multi-domain forest environment:

▪ Authentication. During an interactive domain logon, a DC will process the authentication request and provide authorization information regarding all of the groups the user account is a member of, which will be included in the generated user access token. The DC must access a global catalog server to obtain the following:

  - User principal name resolution. Logon requests made using a user principal name (e.g., “username@domain.com”) require a search of the global catalog to identify the distinguished name of the associated user object.

  - Universal group membership. Logon requests made in multi-domain environments require the use of a global catalog that can check for the existence of any universal groups and determine if the user logging on is a member of any of those groups. Because the global catalog is the only source of universal group membership information, access to a global catalog server is a requirement for authentication in a multi-domain forest.

▪ Object Search. The global catalog makes the directory structure within a forest transparent to users who perform a search. For example, any global catalog server in a forest is capable of identifying a user object given only the object’s samAccountName. Without a global catalog server, identifying a user object given only its samAccountName could require separate searches of every domain in the forest.

How a Global Catalog Works

Active Directory Partitions

To understand how the global catalog works, it is important to first understand a little bit about how the Active Directory database is structured. Domain controllers store the Active Directory database in a single file, NTDS.dit. To simplify administration and facilitate efficient replication, the database is logically separated into partitions.

Every domain controller maintains at least three partitions:

▪ The domain partition contains information about a domain’s objects and their attributes. Every DC contains a complete writable replica of its local domain partition.

▪ The configuration partition contains information about the forest’s topology, including domain controllers and site links. Every DC in a forest maintains a complete writable replica of the configuration partition.

▪ The schema partition is a logical extension of the configuration partition; it contains definitions of every object class in the forest and the rules that control the creation and manipulation of those objects. Every DC in a forest maintains a complete replica of the schema partition. The schema partition is read-only on every DC except the DC that owns the Schema Master operations role for the forest.

Domain controllers may also maintain application partitions. These partitions contain information relating to AD-integrated applications and can contain any type of object except for security principals. Application partitions have no specific replication requirements; they are not required to replicate to other domain controllers but can be configured to replicate to any DC in a forest.

You can identify the partitions present on a DC using the following PowerShell cmdlet:

Get-ADDomainController -Server <SERVER> | Select-Object -ExpandProperty Partitions

Global Catalog Partitions

Consider a forest that consists of three domains, each with one global catalog server, as depicted below:

As explained earlier, every DC maintains a replica of its local domain partition, the configuration partition and the schema partition. In a multi-domain forest like this one, global catalog servers also host an additional set of read-only partitions, each of which contains a partial, read-only replica of the domain partition from one of the other domains in the forest. It is the information in these partial, read-only partitions that allows global catalog servers to process authentication and forest-wide search requests in a multi-domain forest.

The subset of object attributes that are replicated to global catalog servers is called the Partial Attribute Set (PAS). The members of the Partial Attribute Set in a domain can be listed using this PowerShell cmdlet:

Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(isMemberOfPartialAttributeSet=TRUE)" -Properties lDAPDisplayName | Select lDAPDisplayName

In a single-domain forest, all DCs host the only domain partition in the forest; therefore, each one contains a record of all of the objects in the forest and can process authentication and domain service requests. Active Directory takes advantage of this by allowing any domain controller in a single-domain forest to function as a virtual global catalog server, regardless of whether it has been configured as a global catalog server. The only limitation is that only DCs configured as global catalog servers can respond to queries directed specifically to a global catalog.

Deploying Global Catalog Servers

When a new domain is created, the first DC will be made a global catalog server. To configure additional DCs as global catalog servers, either enable the Global Catalog checkbox in the server’s NTDS Settings properties in the Active Directory Sites and Services management console, or use the following PowerShell cmdlet:

Set-ADObject -Identity (Get-ADDomainController -Server <SERVER>).NTDSSettingsObjectDN -Replace @{options='1'}

Each site in the forest should contain at least one global catalog server to eliminate the need for an authenticating DC to communicate across the network to retrieve global catalog information. In situations where it is not feasible to deploy a global catalog server in a site (such as a small remote branch office), Universal Group Membership Caching can reduce authentication-related network traffic and allow the remote site’s DC to process local site login requests using cached universal group membership information. This feature requires the remote DC to communicate with a global catalog server to process initial logons and perform search requests.

It is recommended that all DCs be configured as global catalog servers unless there is a specific reason to avoid doing so.
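The script below is an added example, not the magazine's code: it reports, per site, whether the "at least one global catalog per site" recommendation is met, and it enables the GC flag by OR-ing bit 0 into the existing NTDS Settings options value instead of replacing the whole attribute with '1', which would silently clear any other option bits already set on that DC. It assumes the RSAT ActiveDirectory module and an account that can read every domain and write NTDS Settings objects.

```powershell
# Added example (not from the magazine): per-site GC coverage and a bit-preserving
# GC enable. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$NTDSDSA_OPT_IS_GC = 1   # bit 0 of the NTDS Settings 'options' attribute marks a global catalog

function Get-GlobalCatalogCoverage {
    $forest = Get-ADForest
    # Get-ADDomainController is domain-scoped, so collect DCs from every domain in the forest.
    $dcs = @(foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d })

    foreach ($site in $forest.Sites) {
        $inSite = @($dcs | Where-Object { $_.Site -eq $site })
        $gcs    = @($inSite | Where-Object { $_.IsGlobalCatalog })

        $status = 'OK'
        if ($inSite.Count -eq 0) { $status = 'no DCs in site' }
        elseif ($gcs.Count -eq 0) { $status = 'WARNING: no global catalog in site' }

        [pscustomobject]@{
            Site    = $site
            DCs     = $inSite.Count
            GCs     = $gcs.Count
            GCHosts = ($gcs.HostName -join ', ')
            Status  = $status
        }
    }
}

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)] [string] $Server)

    $dc   = Get-ADDomainController -Identity $Server -ErrorAction Stop
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options -Server $dc.HostName
    $current = [int]($ntds.options)          # an unset attribute reads as $null and becomes 0

    if ($current -band $NTDSDSA_OPT_IS_GC) {
        return "$Server already has the GC bit set (options=$current)."
    }

    # -Replace overwrites the attribute, so write back the merged value, not a bare '1'.
    $new = $current -bor $NTDSDSA_OPT_IS_GC
    Set-ADObject -Identity $ntds -Replace @{ options = $new } -Server $dc.HostName
    "$Server: options $current -> $new; the DC advertises as a GC once its partial replicas have replicated in."
}

Get-GlobalCatalogCoverage | Format-Table -AutoSize
```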


Active Directory Certificate Services: Risky Settings and How to Remediate Them

Joe Dibley
Security Researcher at Netwrix

Active Directory Certificate Services has been around for a long time, but resources for learning it are not great. As a result, it often has misconfigurations that are an increasing vector for attacks. In fact, SpecterOps released a whitepaper detailing a number of misconfigurations and potential attacks and providing hardening advice. In this article, I cover several of the settings that can be misconfigured and how to spot them, offer several options for further hardening security, and explain how to use a free tool to check your environment.

Background

When an authentication-based certificate is issued to an identity, the certificate can be used to authenticate as the identity set in the Subject Alternative Name (SAN); this is usually a UPN or DNS name. The certificate is then used in lieu of a password for initial authentication. The technical reference for this initial authentication is RFC4556 if you want to find out more detail.

Once an authentication-based certificate has been issued, it can be used to authenticate as the subject until it is revoked or expired. This will circumvent incident response plans that rely on strategies like resetting the user’s password to kick out an attacker; the attacker can have persistent access to the account unless the certificates are also revoked.

Risky Template Settings

Here are some of the certificate template settings that can lead to misconfigurations.

Authentication Based EKUs

First, look for Enhanced Key Usages (EKUs) that enable any kind of domain-level authentication. Here is a brief list:

• Any Purpose (2.5.29.37.0)
• SubCA (None)
• Client Authentication (1.3.6.1.5.5.7.3.2)
• PKINIT Client Authentication (1.3.6.1.5.2.3.4)
• Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

The easiest way to manually find all of your certificate templates that allow this is to open the Certificate Authority MMC Snap-in, connect to your Certificate Authority, look at the Certificate Template section and scan the Intended Purpose column for any of these authentication EKUs. For example, the figure below shows that the Computer, Copy of Smartcard Logon and both Domain Controller templates contain at least one of the EKUs.

After you address the templates you find, be sure to keep in mind that there are ways to abuse normal certificates as well. For example, PoshADCS’s Get-SmartCardCertificate function can modify a template, request certificates for it and then revert the changes to the template.

“Enrollee Supplies Subject” Flag

When the flag CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is present in the mspki-certificate-name-flag property, the enrollee of the certificate can supply their own alternative Subject Name in the certificate signing request. This means that any user who is allowed to enroll in a certificate with this setting can request a certificate as any user in the network, including a privileged user.

You can check this flag in the Certificate Template console; it’s under the Subject Name tab as the “Supply in the request” radio option:

Alternatively, you can use a PowerShell command like the following to get the templates from AD and check whether the flag is set in the certificate:

Get-ADobject -Filter { ObjectClass -eq "PKIcertificateTemplate" } -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -prop * | Select Name, mspki-certificate-name-flag, @{ Name = "SupplyInRequest" ; Expression = { $_.'mspki-certificate-name-flag' -band 0x00000001 } }

Further Reducing Risk

In addition to correcting certificate misconfigurations, consider using the following options to control the issuing of certificates.

CA Certificate Manager Approval or Authorized Signatures

First and probably most important, look at the Issuance

Requirements tab on each certificate to see if it requires of users who shouldn’t be able to request certificates; if
you find them, consider revoking their Enroll or AutoEnroll
EDITF_ATTRIBUTESU
BJECTALTNAME2 Registry
approval from the Certificate Authority (CA) manager or
one or more authorized permissions.

Key
Last, check the EDITF_ATTRIBUTESUBJECALTNAME2
registry setting. This setting is one of the most interesting:
If is enabled on the CA, then any authenticated-based
certificate that is issued (including certificates where the
subject is automatically built from Active Directory) can
have user-defined values in the SAN.
Enabling one or both of these settings can greatly reduce
risk by requiring checks before certificates are issued. If you
To check this setting, you can run this command:
are unsure about requiring authorized signatures, at least
require CA certificate manager approval; then every time a
certificate is requested, it will go to the Certificate Authority certutil –getreg policy\EditFlags

for manual review before being issued.

If EDITF_ATTRIBUTESUBJECALTNAME2 is in the output list,


you should remove it using this command:
Enrollment Permissions
Second, look at the enrollment permissions in each certutil -config "CA CONNECTION STRING"
template, which can be found on the Security tab. Many -setreg policy\EditFlags - EDITF_ATTRI-
misconfigurations are critical only when generic principals BUTESUBJECTALTNAME2м
or large groups have these permissions. In particular, check
for Authenticated Users, Domain Users and any large group
Further guidance on this setting can be found here.
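The three template checks above (requester supplies the subject, no manager approval or authorized signatures, broad enrollment permissions) and the CA-wide EditFlags check can be scripted. The following is an added example written for this guide, not code from the article or from Netwrix; it assumes the ActiveDirectory RSAT module, read access to the forest's Configuration partition, certutil.exe on the machine it runs from, and an invented CA configuration string 'ca01.corp.example\Corp-CA' for the usage line. The flag bit values and extended-right GUIDs are the documented constants; the certutil output format parsed in Test-CaSubjectAltName2 is the one certutil prints for -getreg.

```powershell
# Added example (not from the article): audit certificate templates for the settings
# discussed above ("Supply in the request", issuance requirements, broad enrollment
# permissions) and test a CA's EditFlags for EDITF_ATTRIBUTESUBJECTALTNAME2.
# Assumes the ActiveDirectory module (RSAT), read access to the Configuration
# partition, and certutil.exe reachable for the CA check.
Import-Module ActiveDirectory

# Flag bits of the msPKI-* template attributes (MS-CRTD) and of the CA EditFlags value.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1        # "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2        # CA certificate manager approval
$EDITF_ATTRIBUTESUBJECTALTNAME2    = 0x40000    # CA-wide "SAN from request attributes"

# Extended-right GUIDs for Enroll and AutoEnroll on a template's DACL.
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRightGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-RiskyCertificateTemplates {
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Well-known Everyone / Authenticated Users plus this domain's Domain Users / Domain Computers.
    $broadSids = @('S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515")
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, nTSecurityDescriptor |
    ForEach-Object {
        $t = $_
        $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $managerApproval = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $signatures      = [int]$t.'msPKI-RA-Signature'   # number of authorized signatures required

        # Allow ACEs that grant Enroll or AutoEnroll (or every extended right) to a broad principal.
        $broadEnrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $extended    = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            $enrollRight = $ace.ObjectType -in @([guid]::Empty, $EnrollRightGuid, $AutoEnrollRightGuid)
            if (-not ($extended -and $enrollRight)) { continue }
            $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
            if ($sid -in $broadSids) { $ace.IdentityReference.Value }
        }
        $broadEnrollers = @($broadEnrollers | Select-Object -Unique)

        [pscustomobject]@{
            Template             = $t.Name
            SuppliesSubject      = $suppliesSubject
            ManagerApproval      = $managerApproval
            AuthorizedSignatures = $signatures
            BroadEnrollers       = $broadEnrollers -join ', '
            # Risky: a broad group can enroll, the requester chooses the subject, and no
            # manual check (approval or signature) stands between request and issuance.
            Risky = ($suppliesSubject -and ($broadEnrollers.Count -gt 0) -and -not ($managerApproval -or ($signatures -gt 0)))
        }
    }
}

function Test-CaSubjectAltName2 {
    param([Parameter(Mandatory)][string]$CaConfig)   # "host\CA name"; the usage value below is assumed
    # certutil prints a line like "  EditFlags REG_DWORD = 15014e (1376590)"; parse the hex value and test the bit.
    $output = (& certutil.exe -config $CaConfig -getreg policy\EditFlags 2>&1) -join "`n"
    if ($output -notmatch 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        throw "Could not read EditFlags from $($CaConfig): $output"
    }
    $flags = [Convert]::ToInt64($Matches[1], 16)
    [pscustomobject]@{
        CA                       = $CaConfig
        EditFlags                = '0x{0:x}' -f $flags
        AttributeSubjectAltName2 = ($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
    }
}

# Usage (CA configuration string is assumed):
Get-RiskyCertificateTemplates | Where-Object Risky | Format-Table -AutoSize
Test-CaSubjectAltName2 -CaConfig 'ca01.corp.example\Corp-CA'
```

A template flagged Risky here is exploitable for impersonation only if it also allows client authentication, so read the result together with the template's Extended Key Usage; conversely, a CA where AttributeSubjectAltName2 is true makes the per-template result moot, because the SAN can then be supplied against any template that CA issues.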

Checking for Risky Settings using PSPKIAudit

The PSPKIAudit tool can help you audit your PKI infrastructure. To use PSPKIAudit, download the tool from GitHub, import the module and run the Invoke-PKIAudit command. This will enumerate the Certificate Authorities from Active Directory and then query each of them for the settings discussed above.

The output of this tool reveals misconfigured certificate templates and misconfigurations on the CA itself. If PSPKIAudit picks up any misconfigurations not covered in this post, check the SpecterOps paper ("Certified Pre-Owned") for remediation advice.

Active Directory Object Recovery Using the Recycle Bin

Kevin Joyce
Senior Technical Product Manager at Netwrix

The Active Directory Recycle Bin facilitates the recovery of deleted Active Directory objects without requiring restoration from backup, restarting Active Directory Domain Services or rebooting domain controllers (DCs). Let's first review how object recovery works without the Recycle Bin.

Active Directory Object Recovery without the AD Recycle Bin

In a domain without the AD Recycle Bin, when an Active Directory object is deleted, it becomes a "tombstone." This object, stripped of the majority of its attributes, is kept in the partition's Deleted Objects container for the time period specified in the forest's tombstoneLifetime. During this period, the object is technically recoverable (the tombstone can be reanimated), but its stripped attributes, group memberships included, can generally be considered irrecoverable. Once the tombstoneLifetime value is reached, the object is garbage-collected into non-existence. This lifecycle is illustrated below:

Active Directory Object Recovery with the AD Recycle Bin

If the AD Recycle Bin is enabled, when an object is deleted, the majority of its attributes, including its link-valued attributes, are preserved for a period of time to facilitate restoring the object if needed. During this period, the object is in a deleted object state. This time period is defined by the msDS-DeletedObjectLifetime attribute. If the msDS-DeletedObjectLifetime attribute is null or simply doesn't exist, its value is interpreted to be the value of the tombstoneLifetime attribute; if there is also no tombstoneLifetime value, both default to 60 days.

Once the object's time in the deleted object state is up, the object becomes a recycled object. A recycled object looks suspiciously like a tombstone with an isRecycled attribute slapped on and set to TRUE. Like a tombstone, the majority of its attributes are removed, and it persists in Active Directory for the time period specified by the tombstoneLifetime attribute. Then it is cleaned up by Active Directory's garbage collection.

The lifecycle of an object deleted with the Recycle Bin enabled looks like this:
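The defaulting rules for the two lifetimes are easy to get wrong when reading them by hand, because an absent attribute and a populated one mean different things. The following added example (written for this guide, not code from the article or from Netwrix) reads both values from the forest's Directory Service object, applies the rules stated above, and reports whether the Recycle Bin is enabled. It assumes the ActiveDirectory RSAT module and read access to the Configuration partition.

```powershell
# Added example, not from the article: report whether the AD Recycle Bin is enabled and
# the effective deleted-object and tombstone lifetimes, applying the defaulting rules
# described above. Assumes the ActiveDirectory module (RSAT) and read access to the
# forest's Configuration partition.
Import-Module ActiveDirectory

function Get-AdDeletionLifetimes {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Both lifetimes live on the forest-wide Directory Service object.
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
              -Properties tombstoneLifetime, msDS-DeletedObjectLifetime

    # tombstoneLifetime absent => 60 days; msDS-DeletedObjectLifetime absent => same as tombstoneLifetime.
    $tombstoneDays = if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
    $deletedDays   = if ($null -eq $ds.'msDS-DeletedObjectLifetime') { $tombstoneDays } else { [int]$ds.'msDS-DeletedObjectLifetime' }

    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $enabled = $feature.EnabledScopes.Count -gt 0

    [pscustomobject]@{
        RecycleBinEnabled         = $enabled
        EnabledScopes             = @($feature.EnabledScopes) -join '; '
        TombstoneLifetimeDays     = $tombstoneDays
        DeletedObjectLifetimeDays = $deletedDays
        # Restorable with attributes only while in the deleted-object state; without the
        # Recycle Bin a tombstone can be reanimated, but its stripped attributes are gone.
        RestorableWithAttributesDays = if ($enabled) { $deletedDays } else { 0 }
        # Deleted state, then recycled (or tombstone) state, then garbage collection.
        DaysUntilGarbageCollection   = if ($enabled) { $deletedDays + $tombstoneDays } else { $tombstoneDays }
    }
}

Get-AdDeletionLifetimes
```

If RestorableWithAttributesDays comes back as the 60-day default in a forest created on Windows Server 2003 SP1 or later, check whether someone lowered tombstoneLifetime from its usual 180; the Recycle Bin inherits that shorter window unless msDS-DeletedObjectLifetime is set explicitly.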

How Restoring an Object from the Recycle Bin Works

While the Recycle Bin preserves more object attributes than a tombstone, a restored object is not identical to the original object. Let's see how.

Here is a user account that I am planning to delete, and here is the same object in the deleted object state in the Recycle Bin. While the majority of the object's attributes are retained, there are some important changes:

▪ The object has been moved. The object has been moved into the partition's Deleted Objects container.

▪ The object has been renamed. The object's name has been updated to the form CommonName\0ADEL:ObjectGuid, that is, the original common name, followed by a 0x0A (line feed) character, the literal "DEL:" and the object's GUID. In DN syntax the line feed is escaped as \0A, so the deleted object's DN reads CN=Name\0ADEL:<guid>,CN=Deleted Objects,...

▪ The object possesses some new attributes. The isDeleted attribute has a value of TRUE, and the lastKnownParent attribute is populated with the DN of the container the object was deleted from. A new attribute, msDS-LastKnownRDN, is populated with the object's last known relative distinguished name (this attribute allows the Recycle Bin to properly reset an object's RDN during its restoration, even if the object's renaming resulted in the truncation of the original RDN).

▪ Two attributes have been removed. Two attributes, objectCategory and sAMAccountType, are always removed from an object when it is deleted. If the object is recovered, the objectCategory value is automatically set to the most specific value in the object's objectClass attribute, and the sAMAccountType value is recalculated from the value of either the userAccountControl (for user objects) or the groupType attribute (for group objects).

Keen-eyed readers might also notice that the manager and memberOf attributes are also missing from my screenshot. They're actually just hiding. Both these attributes are link-valued (i.e., they contain references to other objects), and the tool I used (LDP) doesn't return deactivated links unless the cleverly-named Return Deactivated Links control has been set. If I had enabled that control, the attributes and their values would have been visible in my screenshot, but I would have missed out on this teachable moment.

How to Recover an Object from the AD Recycle Bin

Prior to Windows Server 2012, restoring an object from the AD Recycle Bin required using an LDAP tool or PowerShell to list all deleted objects, sifting through a long list to find the desired object, and restoring it using another PowerShell command. It was a good thing the AD Recycle Bin was so useful, because it was not exactly fun to use!

Since Windows Server 2012, Recycle Bin functionality is available in the Active Directory Administrative Center. As you can see, you can quickly find the deleted object you're interested in using the search filters on the Deleted Objects container.

To restore an object, simply click Restore in the Tasks list on the right side of the window. The restored object is back in its original container under its original name, with the attributes the Recycle Bin retained (its link-valued attributes included), while objectCategory and sAMAccountType are recomputed as described above.
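The pre-2012 PowerShell route is still the one you want for bulk work, and it is where the attributes described above earn their keep: isDeleted selects the candidates, msDS-LastKnownRDN and lastKnownParent tell you what and where each one was, and lastKnownParent also reveals the case the GUI handles quietly, a container that was deleted along with its contents. The following added example (written for this guide, not code from the article or from Netwrix) lists restorable objects with those attributes and restores one by sAMAccountName, restoring any deleted ancestor containers first. It assumes the ActiveDirectory RSAT module, a forest with the Recycle Bin enabled, and an invented account name 'jdoe' in the usage line.

```powershell
# Added example, not code from the article: list restorable deleted objects with the
# attributes described above, then restore one by sAMAccountName, restoring a deleted
# parent container first when needed. Assumes the ActiveDirectory module (RSAT) and a
# forest with the AD Recycle Bin enabled.
Import-Module ActiveDirectory

function Get-RestorableAdObjects {
    param([string]$ObjectClass = 'user')
    # Deleted objects are invisible to normal searches; -IncludeDeletedObjects sends the
    # "show deleted" (and deactivated-link) controls, so isDeleted=TRUE matches and memberOf
    # is expected to come back. Recycled objects (isRecycled=TRUE) cannot be restored and are excluded.
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(objectClass=$ObjectClass)(!(isRecycled=TRUE)))" `
        -IncludeDeletedObjects `
        -Properties sAMAccountName, lastKnownParent, msDS-LastKnownRDN, whenChanged, memberOf |
    Select-Object sAMAccountName, msDS-LastKnownRDN, lastKnownParent, whenChanged,
        @{ n = 'Groups'; e = { @($_.memberOf) -join '; ' } }, DistinguishedName
}

function Restore-AncestorChain {
    param([string]$ParentDn)
    # A deleted container lives under Deleted Objects too. Walk up until a live container is
    # reached, then restore from the top down so each child has a parent to return to.
    $chain = @()
    $dn = $ParentDn
    while ($dn -match ',CN=Deleted Objects,') {
        $p = Get-ADObject -Identity $dn -IncludeDeletedObjects -Properties lastKnownParent
        $chain = @($p) + $chain
        $dn = $p.lastKnownParent
    }
    foreach ($p in $chain) { Restore-ADObject -Identity $p.ObjectGUID -ErrorAction Stop }
}

function Restore-DeletedAdAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TargetPath   # optional: restore to a different OU instead of lastKnownParent
    )
    $hits = @(Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName)(!(isRecycled=TRUE)))" `
                -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
              Sort-Object whenChanged -Descending)
    if ($hits.Count -eq 0) { throw "No restorable deleted object with sAMAccountName '$SamAccountName'" }
    if ($hits.Count -gt 1) { Write-Warning "$($hits.Count) deleted copies of '$SamAccountName' found; restoring the most recently deleted one" }
    $obj = $hits[0]

    if ($TargetPath) {
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetPath -ErrorAction Stop
    } else {
        Restore-AncestorChain -ParentDn $obj.lastKnownParent
        Restore-ADObject -Identity $obj.ObjectGUID -ErrorAction Stop
    }
    # Re-read the live object: objectCategory and sAMAccountType are recalculated on restore.
    Get-ADObject -Identity $obj.ObjectGUID -Properties objectCategory, sAMAccountType, memberOf
}

# Usage (the account name is assumed):
Get-RestorableAdObjects | Format-Table -AutoSize
Restore-DeletedAdAccount -SamAccountName 'jdoe'
```

Matching on sAMAccountName together with isDeleted=TRUE avoids picking up a live replacement account with the same name; when the same account has been deleted more than once, the newest copy is the one whose attributes are most likely still current, which is why the candidates are sorted by whenChanged.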

Drawbacks to the Active Directory Recycle Bin

While the Recycle Bin dramatically simplifies object recovery, we have seen a couple of limitations: objects are kept for only a fairly short period of time, and some of their attributes are lost. There are a couple of additional drawbacks to the Recycle Bin:

▪ Enabling the Active Directory Recycle Bin is irreversible. Once you turn the Recycle Bin on, you can't turn it off without a full-forest recovery.

▪ Active Directory is going to be a little bigger. After enabling the AD Recycle Bin, deleted objects will retain far more of their attributes and persist longer than tombstones. As a result, Active Directory will likely use a little more space than it did before.

▪ Enabling the Recycle Bin deletes all tombstones. The most impactful consequence of enabling the Recycle Bin is that all existing tombstone objects in the forest will immediately cease to exist, so anything deleted before the Recycle Bin was enabled can no longer be reanimated. Many admins have learned about this consequence the hard way.

However, these issues do not outweigh the benefits of enabling the AD Recycle Bin.

How Netwrix Can Help

The AD Recycle Bin is a useful tool for recovering recently deleted objects. For a more comprehensive solution, consider Netwrix StealthRECOVER. It provides additional security by enabling you to restore backed-up objects that have exceeded their forest's msDS-DeletedObjectLifetime and therefore are no longer recoverable using the AD Recycle Bin.

How-to for IT Pro

HOW TO: RESTORE DELETED AD OBJECTS

The Active Directory Recycle Bin is disabled by default. In order to use it to restore deleted objects, you must enable it. You cannot restore any objects deleted before the Recycle Bin was enabled. Note that the Recycle Bin can be enabled only once, with no possibility of disabling it afterwards.

Prerequisite: Enable the Recycle Bin in Active Directory

1. Open the Server Manager management console -> Click Tools -> Active Directory Administrative Center. (Alternatively: open the Run box (click Start -> Run or use the Win-R keyboard shortcut) -> type dsac.exe -> click OK.)

2. Click on your domain name. In the Tasks pane, click Enable Recycle Bin.

3. In the confirmation window, click OK.

Restore an Object with the Active Directory Administrative Center (ADAC)

1. Open the Server Manager management console -> Click Tools -> Active Directory Administrative Center. (Alternatively: open the Run box (click Start -> Run or use the Win-R keyboard shortcut) -> type dsac.exe -> click OK.)

2. In the left pane of the ADAC, select the domain in which the deleted object resided. In the center pane, select the Deleted Objects container.

3. Select the deleted object. Then do one of the following:
   • To restore the object to its original container, click Restore.

Restore an Object using PowerShell

Alternatively, you can restore an AD object using the Restore-ADObject PowerShell cmdlet. The -IncludeDeletedObjects switch is required, because deleted objects are hidden from ordinary searches:

Get-ADObject -Filter {displayName -eq "userdel tobegone"} -IncludeDeletedObjects | Restore-ADObject
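The prerequisite step above can also be done from PowerShell, which is where the "enabled only once" warning deserves a guard rather than a dialog. The following added example (written for this guide, not code from the how-to or from Netwrix) checks that the Recycle Bin is not already on and that the forest functional level allows it, then asks for explicit confirmation before the irreversible change. It assumes the ActiveDirectory RSAT module and Enterprise Admins membership.

```powershell
# Added example, not from the how-to: enable the Recycle Bin from PowerShell with the
# checks an admin wants before an irreversible, forest-wide change.
# Assumes the ActiveDirectory module (RSAT) and Enterprise Admins membership.
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin is already enabled in $($forest.Name); nothing to do (it cannot be disabled)."
        return $feature
    }
    # The feature needs the Windows Server 2008 R2 forest functional level or higher.
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
        throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest or higher first."
    }
    # Irreversible, and every existing tombstone is purged at this moment, so confirm explicitly.
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Enable AD Recycle Bin (irreversible; deletes all existing tombstones)')) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
        Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    }
}

Enable-AdRecycleBin
```

Because ConfirmImpact is High, the function prompts by default and can be driven non-interactively only with -Confirm:$false, which keeps a scripted deployment from enabling the feature (and discarding the forest's tombstones) by accident.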

TOOL OF THE MONTH

Netwrix PolicyPak

Secure Endpoints and Boost Productivity

Netwrix PolicyPak enables you to solve your endpoint management and endpoint protection challenges. The tool provides a powerful policy creation, management and deployment framework that extends the policy management, security, automation and reporting capabilities of the endpoint management technologies you already use.

▪ Manage and secure your on-premises, hybrid or remote desktop environment from a single solution
▪ Deploy software and custom OS settings to any Windows endpoint, whether domain-joined, MDM enrolled or virtual
▪ Prevent users from installing unknown software and manage how they use removable storage

Request Demo

[On-Demand Webinar]

Active Directory Masterclass: AD Configuration Strategies for Stronger Security

Active Directory is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure, but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. To reduce risk, you need to ensure your AD is clean, configured properly, monitored closely and controlled tightly. Netwrix is eager to help you achieve these goals. Topics include:

▪ Whether you should upgrade your domain controllers to Windows Server 2019 and beyond
▪ Achieving mission impossible: updating DCs within 48 hours
▪ How to disable legacy protocols and outdated compatibility options in Active Directory
▪ How to better secure service accounts with gMSAs and least privilege
▪ The AD Tier Model as a goal and the Protected Users group as an easy fix

Speakers: Sander Berkouwer, Enterprise Mobility MVP; Alex McCoy, Security enthusiast/Podcaster

Watch Now
About Netwrix

Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 11,500 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.

For more information visit www.netwrix.com

Corporate headquarters: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618; phone 1-949-407-5125; toll-free (USA) 888-638-9749
Offices: 565 Metro Place S, Suite 400, Dublin, OH 43017; phone 1-201-490-8840
5 New Street Square, London EC4A 3TW; phone +44 (0) 203 588 3023
Other locations: Spain +34 911 982608; Netherlands +31 858 887 804; Sweden +46 8 525 03487; Switzerland +41 43 508 3472; France +33 9 75 18 11 19; Germany +49 711 899 89 187; Italy +39 02 947 53539; Hong Kong +852 5808 1306
Social: netwrix.com/social