Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security
Active Directory Client Interactions
Central Database
- LDAP (Lightweight Directory Access Protocol): database query language, similar to SQL; TCP/UDP 389, SSL TCP 636
- Global Catalog (GC): TCP/UDP 3268, SSL TCP 3269
- D/COM dynamic TCP: replication
- Kerberos: UDP/TCP 88
- Windows NT 4.0 SAM: SMB/CIFS TCP 445 (or NetBIOS): password resets, SAM queries
- SMB/DCOM dynamic TCP: NTLM pass-through, Kerberos PAC validation
Design Considerations
- Distributed system
- DCs disconnected for very long times (several months)
- Multimaster replication with some FSMO roles
Design Considerations – Example
- Caribbean cruises: DC/IS/Exchange on board with tens of workstations and users, some staff hired during the journey
- No or only bad satellite connectivity; DCs are synced after the ship is berthed at the main office
- Challenge: must work independently for long time periods
- Different independent cruise liners/DCs can accommodate changes to user accounts, addresses and Exchange settings; cannot afford to lose any of them
Database
- Microsoft JET engine (JET Blue), common with Microsoft Exchange
- Also used by DHCP, WINS, COM+, WMI, CA, CS, RDS Broker
- %WINDIR%\NTDS\NTDS.DIT
- ESENTUTL
- Opened by LSASS.EXE
Installed services (all inside LSASS)
- Security Accounts Manager: TCP 445 SMB + Named Pipes
- Kerberos Key Distribution Center: UDP/TCP 88 Kerberos
- Active Directory Domain Services: UDP/TCP 389,... LDAP; NTDS.DIT; D/COM dynamic TCP
Network Interactions (DC Location, 2000+) (diagram): the client asks DNS for the SRV records of any DC (generic DC list), sends an LDAP UDP ping to one of them to get its own site, then asks DNS for the SRV records of its site and uses a DC from its site.
Network Interactions (DC Location, 2008/Vista+) (diagram): as before, the client gets the generic DC list from DNS and sends an LDAP UDP ping to any DC to get its site; the answer also carries the next closest site, so the client asks DNS for the SRV records of its own site and, if needed, of the close site, and uses a DC from one of them.
Network Interactions (Join Domain) (diagram): client to DC over Kerberos (TGT: User, TGT: CIFS) and over SMB (SAM interface).
Network Interactions (Local Logon) (diagram): client to DC over Kerberos (TGT: User; TGS: LDAP, CIFS), over LDAP (GPO list) and over SMB (GPO download).
Network Interactions (Kerberos Network Logon) (diagram): the client gets a TGT for the user and a TGS for the server from the DC over Kerberos and passes the TGS to the server in-band with the application traffic; the server occasionally performs PAC validation against a DC over SMB / D/COM dynamic TCP.
Network Interactions (NTLM Network Logon) (diagram): the client authenticates to the server with NTLM in-band with the application traffic; the server performs NTLM pass-through to a DC over SMB / D/COM dynamic TCP.
Network Interactions (Basic/RDP Logon) (diagram): the client sends its credentials in clear text in-band with the application traffic; the server then obtains a TGT for the user from the DC over Kerberos.
Active Directory Replication
Attribute Types
- string, integer, datetime, boolean, binary
- DN reference
- multivalue: up to 5000 items
- linked multivalue: unlimited, requires 2003 Forest Level
- backlink: memberOf
- computed: primaryGroupToken, tokenGroups, lastLogonTimestamp
- write-only attributes: unicodePwd
Group membership (diagram): CN=Sales,OU=Groups,DC=... carries the forward link member pointing to CN=Kamil,OU=London,DC=..., CN=Judith,OU=Paris,DC=..., CN=Victor,OU=London,DC=... and CN=Stan,OU=London,DC=...; Judith's memberOf backlink points to CN=Sales,OU=Groups,DC=... and CN=IS Access,OU=Groups,DC=....
(Not) replicated attributes
- Not replicated: logonCount, badPasswordCount, badPasswordTime, lastLogon, lastLogoff
- Replicated: pwdLastSet, lockoutTime, lastLogonTimestamp (since 2003)
Logon timestamps (2003 DFL) (diagram): the client has logged on at several DCs; each DC holds its own lastLogon (11:38 on one, 9:00 on another, none on the third) while all three hold the same replicated lastLogonTimestamp of 11:00.
lastLogonTimestamp
- Requires 2003 domain level
- Updated only once per 14 - random(5) days
- msDS-LogonTimeSyncInterval on DC=idtt,DC=local: 1+ – minimum, without randomization; 5+ – randomization starts; 14 – the default
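Added model (not the author's code) of the two logon attributes described above: the per-DC lastLogon that never replicates, and the replicated lastLogonTimestamp that a DC rewrites only when it is older than msDS-LogonTimeSyncInterval minus random(5) days. The DC names, the account and the sample clock are constructed for the demo; the randomness source can be injected so the rule is testable.

```python
import random
from datetime import datetime, timedelta

DAY = timedelta(days=1)

def day(n):
    """Constructed sample clock for the demo: n days after 2012-01-02 09:00."""
    return datetime(2012, 1, 2, 9, 0) + n * DAY

def refresh_threshold(sync_interval_days, rng=random):
    """Age the replicated lastLogonTimestamp must reach before a DC rewrites
    it on a logon. Values 1-4 are used as-is; from 5 on, random(5) days is
    subtracted (the slide's "14 - random(5)" for the default of 14)."""
    if sync_interval_days < 1:
        raise ValueError("msDS-LogonTimeSyncInterval must be at least 1")
    offset = rng.randint(0, 5) if sync_interval_days >= 5 else 0
    return timedelta(days=sync_interval_days - offset)

class Account:
    """One user account as held by several DCs of the same domain."""
    def __init__(self, dcs, sync_interval_days=14, rng=random):
        self.sync_interval_days, self.rng = sync_interval_days, rng
        self.last_logon = {dc: None for dc in dcs}   # per DC, never replicated
        self.last_logon_timestamp = None              # one value, replicated everywhere

    def logon(self, dc, when):
        """Logon at `dc` at time `when`; True when lastLogonTimestamp was
        rewritten (only then does the logon cause replication traffic)."""
        self.last_logon[dc] = when
        old = self.last_logon_timestamp
        if old is None or when - old > refresh_threshold(self.sync_interval_days, self.rng):
            self.last_logon_timestamp = when
            return True
        return False

    def true_last_logon(self):
        """The accurate value: needs lastLogon from every DC, not from one."""
        seen = [t for t in self.last_logon.values() if t is not None]
        return max(seen) if seen else None

    def understatement_days(self):
        """Days by which an inactivity report based only on the replicated
        value lags behind reality (up to the sync interval)."""
        return (self.true_last_logon() - self.last_logon_timestamp) / DAY
```

A stale-account report that reads lastLogonTimestamp from one DC is therefore only accurate to within the sync interval; the exact value needs lastLogon from every DC.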
Password changes (diagram): the client changes its password at a DC; the DC replicates the password hash to the PDC immediately, while the other DCs receive it by normal replication.
Password changes (diagram): the same flow shown for pwdLastSet between the client, the DC and the PDC.
Authentication failures (diagram sequence)
- Both DCs and the PDC hold pwd1 and the client authenticates against a DC.
- The password is changed to pwd2 on one DC and the PDC; the other DC still holds pwd1 while the client already uses pwd2.
- The client presents pwd2 to the DC that still holds pwd1; the DC cannot verify it locally and the logon is verified against the PDC, which already has pwd2.
- Bad password counts: one DC shows badPasswordCount 3, another badPasswordCount 2; the PDC shows badPasswordCount 7 and sets lockoutTime.
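Added model (not the author's code) of the password-change and authentication-failure flows in the slides above: a password change reaches the PDC at once and the other DCs only by normal replication, a DC that cannot verify a password locally retries the logon at the PDC, each DC keeps its own badPasswordCount, and the PDC sets lockoutTime, which replicates immediately. The lockout threshold, DC names and user are constructed for the demo.

```python
LOCKOUT_THRESHOLD = 5   # assumed account lockout policy; not a value from the slides

class DC:
    """A domain controller's view of the domain; pdc=None marks the PDC emulator."""
    def __init__(self, name, pdc=None):
        self.name, self.pdc = name, pdc
        self.password = {}            # user -> stored secret (a hash in real AD)
        self.bad_password_count = {}  # per-DC counter, never replicated
        self.lockout_time = {}        # set by the PDC, replicated immediately
        self.replicas = []            # DCs the PDC pushes urgent changes to
        if pdc is not None:
            pdc.replicas.append(self)

    def change_password(self, user, secret):
        """Change at this DC: the hash goes to the PDC at once, to the other
        DCs only with normal replication (see replicate_from)."""
        self.password[user] = secret
        if self.pdc is not None:
            self.pdc.password[user] = secret

    def replicate_from(self, other):
        """Normal, scheduled replication of the password attribute."""
        self.password.update(other.password)

    def authenticate(self, user, secret, now):
        """Returns 'ok', 'bad' or 'locked'."""
        if user in self.lockout_time:
            return "locked"
        if self.password.get(user) == secret:
            self.bad_password_count[user] = 0
            return "ok"
        self.bad_password_count[user] = self.bad_password_count.get(user, 0) + 1
        if self.pdc is None:                     # the PDC has the final word
            if self.bad_password_count[user] >= LOCKOUT_THRESHOLD:
                self.lockout_time[user] = now
                for dc in self.replicas:         # lockoutTime replicates at once
                    dc.lockout_time[user] = now
            return "bad"
        # A local mismatch may just be a password change that has not
        # replicated here yet, so the DC retries the logon against the PDC.
        result = self.pdc.authenticate(user, secret, now)
        if result == "ok":
            self.bad_password_count[user] = 0
        return result
```

Because only the PDC sees the sum, lockout investigations and bad-password hunting should read badPasswordCount on the PDC as well as on the DC that served the client.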
Active Directory Client Interactions
Client Applications
- Kerberos and NTLM authentication
- Secure Channel: password changes, NTLM pass-through, Kerberos PAC validation
- Group Policy client
- DFS client
- Certificate Autoenrollment client
Client Applications
- NPS (IAS), RRAS, TMG (ISA), RD Gateway (TS Gateway): group membership, Dial-In tab
- RD Host (Terminal Server): Remote Control tab etc., licensing servers
- DHCP Server: authorization
- IIS: account and group membership for SSL certificate authentication
- WDS: computer MAC addresses or GUIDs
Connection Properties
- Bandwidth (Mbps): forget about this
- Latency (ms): round-trip time (RTT); matters for SMB, D/COM, SQL
- Packet Loss (per sec., per Mb): packet loss rate (PLR); matters for VPNs such as PPTP, SSTP, IP-HTTPS
Timeouts
- DNS: primary DNS = 1 sec., secondary DNSs = 2 sec.
- ARP: 1000 ms
- LDAP UDP site location: 600 ms
- TCP SYN = 21 sec. (3x retransmission)
- PSH/ACK = 93 sec. (5x retransmission)
Basic DC location
- Know the DNS name of the domain
- Query the general DNS DC SRV records: _ldap._tcp.dc._msdcs.idtt.local
- Ping the DC (Windows LDAP UDP ping) to get the client's site / close site
DNS Domain Location
- Makes use of DNS round robin
- Site-unaware lookup: NSLOOKUP, SET Q=SRV, _ldap._tcp.dc._msdcs.idtt.local
- Site-specific lookup: NSLOOKUP, SET Q=SRV, _ldap._tcp.Paris._sites.dc._msdcs.idtt.local
Site Example – Single Site (diagram): one site, London, with DC1, DC2, DC3, DC4, DC5 and the client.
Site Example – Multihomed DC (DNS Bitmask Ordering) (diagram): sites Paris and London with DC1 to DC5 and the client.
Site Awareness (diagram): sites Berlin, Paris, Roma and London with DC1 to DC6; the client asks a DC "where am I?" with an anonymous LDAP UDP query.
General Operation
- Use DNS to find the generic DC list
- Ping the selected DC (Windows anonymous LDAP over UDP) to determine the site; the DC determines the site from the request's source IP address (NAT?)
- Use DNS to find a close DC in the site
- Ping or LDAP UDP to determine availability
DC Locator (NetLogon service)
- nltest /sc_query:idtt: no network access
- nltest /sc_verify:idtt: tries to authenticate with the DC
- nltest /sc_reset:idtt: always performs a new DNS lookup
- nltest /dsgetsite: anonymous query against the selected DC
DFS Client (MUP)
- Multiple UNC Provider (MUP) driver
- Determines its own DFS server referrals: obtains the list of DFS root servers from AD using the default DC from Netlogon
- SYSVOL may therefore be accessed from a different DC
- DFSUTIL /PKTINFO (Windows Server 2003 / Windows XP)
- DFSUTIL CACHE REFERRAL (Windows Server 2008 / Windows Vista)
Site Example – Empty Site (diagram): sites Paris, Cyprus, Roma, London and Berlin with DC1 to DC7; the client in Berlin, a site with no DC of its own, is served by DC4/DC5.
Automatic Site Coverage
- Each DC registers itself for its neighboring empty sites
- HKLM\System\CurrentControlSet\Services\Netlogon, AutoSiteCoverage = DWORD = 1/0
- GPO: Sites Covered by the DC Locator DNS SRV Records
Active Directory Troubleshooting
Site Example – Out of Site (diagram): sites Paris, Cyprus, Roma, London and Berlin with DC1 to DC7; the client's address does not belong to any site's subnets.
Out-of-site clients
Limiting generic DC list
- Limit creation of the generic DC DNS records
- GPO: Computer Configuration – Administrative Templates – System – Netlogon – DC Locator DNS Records – "DC Locator DNS Records not Registered": Ldap, Kdc
DC Stickiness
- Once a close DC is selected, the client sticks to it even when moved into a different site; the secure channel must be reset
- Force rediscovery interval: GPO on Vista+, hotfix for Windows XP; also the registry value ForceRediscoveryInterval
Site Example – Moving Client (diagram): sites Paris, Cyprus, Roma, London and Berlin with DC1 to DC7; the client, previously in Paris, is now in Berlin but still uses DC4/DC5.
Active Directory Troubleshooting
Site Example – Failed DC (diagram): sites Berlin, Paris, Cyprus, Roma and London with DC1 to DC7 and the client.
Non-close Site DC
- Close site: the client's site, or the next closest site if enabled
- If there is no DC available in the close site, rediscovery every 15 minutes
- HKLM\System\CurrentControlSet\Services\Netlogon\Parameters, CloseSiteTimeout = REG_DWORD = x seconds
Site Example – Close Site (diagram): sites Paris, Cyprus, Roma, London and Berlin with DC1 to DC7 and the client.
Try Next Closest Site
- First: get any DC name from DNS
- Second: query that DC for the client's site name; it returns the client's site plus the closest site (determined by the DC)
- Then: query DNS for DCs in the current site and try to use them
- If none responds, the client queries DNS for its next closest site and tries the DCs found there
Try Next Closest Site
- Does not consider RODC sites by default; can be changed in the registry: NextClosestSiteFilter
- Windows cannot return the next closest site information: a problem if the DC hit as "any DC" is Windows, because it is then used regardless of its site
Client Rules Recap
- Windows: in the current site, then in any site
- Windows Vista+ with Next Closest Site: in the current site, in the closest site, then in any site
- If the client is out of any site, it finds any DC: consider creating subnets for VPNs etc.
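Added example (not the author's code) that models the locator order recapped above and on the General Operation and Try Next Closest Site slides: the generic SRV name, the site-specific SRV name, the anonymous LDAP ping that maps the source IP to a site (and, on DCs that support it, the next closest site), and the fallback to any DC. The topology, subnets, DC names and the idtt.local domain are constructed for the demo; a DC can be kept out of the generic list to mirror the "DC Locator DNS Records not Registered" GPO.

```python
import ipaddress

def generic_srv(domain):
    """Site-unaware list: _ldap._tcp.dc._msdcs.<domain>."""
    return f"_ldap._tcp.dc._msdcs.{domain}"

def site_srv(domain, site):
    """Site-specific list: _ldap._tcp.<site>._sites.dc._msdcs.<domain>."""
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"

class Forest:
    """Constructed topology: subnets, DCs, registered SRV records, live DCs."""
    def __init__(self, domain, subnets, dcs, next_closest, up, no_generic=()):
        self.domain = domain
        self.subnets = [(ipaddress.ip_network(n), s) for n, s in subnets]
        self.dcs = dcs                     # name -> (site, can return next closest site)
        self.next_closest = next_closest   # site -> next closest site (DC-computed)
        self.up = up                       # names of DCs that answer the LDAP ping
        # DCs in no_generic have their generic Ldap record "not registered" (GPO)
        self.dns = {generic_srv(domain): sorted(n for n in dcs if n not in no_generic)}
        for name, (site, _) in dcs.items():
            self.dns.setdefault(site_srv(domain, site), []).append(name)

    def ldap_ping(self, dc, client_ip):
        """Anonymous LDAP UDP ping answered by `dc`: the site is derived from
        the request's source IP (wrong behind NAT), the next closest site only
        when the DC is new enough to return it."""
        ip = ipaddress.ip_address(client_ip)
        site = next((s for n, s in self.subnets if ip in n), None)
        nxt = self.next_closest.get(site) if self.dcs[dc][1] else None
        return site, nxt

def locate_dc(forest, client_ip, try_next_closest_site=True):
    """Vista+/2008 order: own site, next closest site (if enabled and known),
    then any DC. Returns (dc, how) or None when no DC answers at all."""
    alive = lambda names: [n for n in names if n in forest.up]
    any_dc = alive(forest.dns[generic_srv(forest.domain)])
    if not any_dc:
        return None
    site, nxt = forest.ldap_ping(any_dc[0], client_ip)
    order = [("my site", site)]
    if try_next_closest_site:
        order.append(("next closest site", nxt))
    for how, s in order:
        found = alive(forest.dns.get(site_srv(forest.domain, s), [])) if s else []
        if found:
            return found[0], how
    return any_dc[0], "any site"
```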
Active Directory Client Interactions
Site Link Design
Site Link Design (Better?) (diagram): sites London, Olomouc, Roma, Cyprus, Paris and Berlin.
Site Link Design (Worse?) (diagram): sites Olomouc, Roma, Cyprus, Paris, Berlin and London.
Active Directory Client Interactions
DNS Integration
- Clients find DCs by domain/site name
- DCs find replication partners according to their GUID
- Netlogon de/registers the locator records
- DNS stores its data in the domain partition, the DomainDnsZones application partition or the ForestDnsZones application partition
Netlogon de/registration
- Netlogon registers its own records at startup and deregisters them at shutdown; requires DNS registration enabled on at least one network adapter
- %windir%\System32\Config\netlogon.dns
- It does not touch others' records
- Autosite coverage is turned on by default
AD Integrated Zones
- Offer Secure Dynamic Update
- Timestamping trimmed to the whole hour
- Aging and scavenging: records deleted by default between days of their age
DNS Application Partitions
- Domain partition: CN=MicrosoftDNS,CN=System,DC=...
- DomainDnsZones: replicated to all DNS servers which are also DCs of the domain
- ForestDnsZones: replicated to all DNS servers which are also DCs in the forest
Secure Dynamic Update
- Client-side feature: DHCP Client on Windows, DNS Client on Windows Vista+
- The DNS server must be on a DC to authenticate clients with Kerberos
- All Authenticated Users can create new records
- When a record is created, only the creator/owner can modify/update it
Secure Dynamic Update
- Updates are done regularly by clients, every hour by default
- Default TTL is 20 minutes
- Disable DHCP dynamic updates (insecure!)
Dynamic Update (diagram): the client asks its DNS server (a secondary) for the zone SOA, learns the primary DNS server from it and sends the update to the primary.
Adjust A/PTR Record TTL
Dynamic Update and Replication (diagram): the DNS server writes the update into AD in 0 sec.; AD replicates it to the other DNS server on the replication schedule, 0-3 min.
Dynamic DNS Update on RODC
- Each writable DC returns itself as the primary DNS
- An RODC returns a (random) writable DC as the primary DNS
Dynamic DNS Update on RODC (diagram): the client asks the RODC's read-only DNS for the SOA (1) and is pointed at a writable DC, to which it sends the update (2); the writable DC's DNS writes the record into AD in 0 sec.; the RODC's read-only DNS then pulls that one record with replicateSingleObject in 0 sec. instead of waiting for the 0-3 min. replication schedule.
Time stamping/Aging
- Record Created: timestamp trimmed to the whole hour
- No-refresh period starts, by default 7 days: the timestamp does not change if the record does not change
- Refresh period follows, by default the next 7 days: the timestamp gets updated at the first update
Scavenging
- Server-wide configuration
- Best practice: should be done by only one DNS server
- By default occurs only once per 7 days
DNS Aging and Scavenging
- Aging: per-zone setting, implemented by all DNS servers; the timestamp updates only during the refresh interval, which limits replication traffic
- Scavenging: per-server setting; should be done by only one of the DNS servers
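Added model (not the author's code) of the Secure Dynamic Update ownership rule and the aging/scavenging timeline from the slides above: any authenticated principal may create a record, only its owner may change it, the stored timestamp is trimmed to the whole hour and is left alone inside the no-refresh period unless the data changes, and scavenging deletes records older than no-refresh + refresh. Record names, addresses, computer accounts and the sample clock are constructed for the demo.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Record = namedtuple("Record", "data timestamp owner")
NO_REFRESH = timedelta(days=7)   # default no-refresh interval
REFRESH = timedelta(days=7)      # default refresh interval

def trim_to_hour(t):
    """Timestamps are stored trimmed to the whole hour."""
    return t.replace(minute=0, second=0, microsecond=0)

def at(days, minutes=0):
    """Constructed sample clock for the demo: offsets from 2012-01-02 09:17."""
    return datetime(2012, 1, 2, 9, 17) + timedelta(days=days, minutes=minutes)

class Zone:
    """An AD-integrated zone with aging enabled (a per-zone setting)."""
    def __init__(self, no_refresh=NO_REFRESH, refresh=REFRESH):
        self.no_refresh, self.refresh = no_refresh, refresh
        self.records = {}            # name -> Record

    def dynamic_update(self, name, data, now, principal):
        """Secure dynamic update by a Kerberos-authenticated `principal`.
        Only a rewritten timestamp or changed data replicates through AD."""
        now = trim_to_hour(now)
        old = self.records.get(name)
        if old is None:              # any authenticated user may create a record
            self.records[name] = Record(data, now, principal)
            return "created"
        if old.owner != principal:   # only the creator/owner may change it
            return "denied"
        if old.data != data or now - old.timestamp >= self.no_refresh:
            self.records[name] = Record(data, now, principal)
            return "refreshed"
        return "unchanged"           # no-refresh period: timestamp left alone

    def stale_names(self, now):
        """Records older than no-refresh + refresh are eligible for scavenging."""
        limit = self.no_refresh + self.refresh
        return sorted(n for n, r in self.records.items() if now - r.timestamp > limit)

    def scavenge(self, now):
        """Per-server task; run it on one DNS server only. Returns deleted names."""
        gone = self.stale_names(now)
        for name in gone:
            del self.records[name]
        return gone
```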
DNS Best Practice (diagram): DC1 with its DNS, DC2 with its DNS, and AD between them.
DNS Waiting for AD
DNS Best-Practice Reasons
- Faster boot time without errors and timeouts
- Deregistration at shutdown is recorded in a live DNS server
- Servers would have problems replicating if sent to a DC that is shutting down
Client DNS balancing
- Clients do not balance DNS server queries/updates; they always use the first server if possible
- The DHCP server does not use round robin
- Configuration must be done "manually": manually on servers, more DHCP scopes for clients
Client DNS non-balancing: always alternate the DNS server IP addresses.
Client DNS non-balancing (diagram): Client1, Client2 and Client3 each configured with DNS1 and DNS2.
DNS Client Settings
- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
- Timeouts: DNSQueryTimeouts
- Disjoint namespace on multihomed machines: DisjointNameSpace
- PrioritizeRecordData
- GPO: DNS suffix appending on Vista+
DNS Server UDP Pool
- After applying KB , the DNS server reserves 2500 UDP ports
- HKLM\System\CurrentControlSet\Services\DNS\Parameters, SocketPoolSize = DWORD = 2500
- DNSCMD /Config /SocketPoolSize 2500
DNS Cache Pollution (example response)
- server: idtt.com authoritative DNS server
- question: test.idtt.com, type A
- answer: no records
- authority answer: idtt.com SOA; idtt.com NS ns37.domaincontrol.com; ns37.domaincontrol.com A
Active Directory Troubleshooting
General Best Practice
- Create and assign subnets for any possible client IP
- Limit the general (site-unaware) DNS registration of DCs
- Enable the Try Next Closest Site and Force Rediscovery options
- Enable DNS Aging and Scavenging
- Alter clients' DNS settings to rotate the DNS server addresses