Published by Gavin Hopkins. Modified over 6 years ago.
1
Microsoft Active Directory Domain Services (AD DS)
Kenn West
5/17/2018 9:53 PM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Design and common questions regarding setup
Microsoft Ignite 2016

A well-designed Active Directory logical structure provides the following benefits:
Simplified management of Microsoft Windows-based networks that contain large numbers of objects
A consolidated domain structure and reduced administration costs
The ability to delegate administrative control over resources, as appropriate
Reduced impact on network bandwidth
Simplified resource sharing
Optimal search performance
Low total cost of ownership

OUs should be configured to allow for information boundaries and ACLs for things like Group Policy, and for filtering by LDAP-dependent services or networking equipment with advanced feature sets. Split users and groups.
Low total cost of ownership also means not using too many servers; too many can lead to slow replication times and KCC issues where no one can sign in to the domain.

What is group scope?

Group scope - Universal
Group can include as members:
  Accounts from any domain within the forest in which this universal group resides
  Global groups from any domain within the forest in which this universal group resides
  Universal groups from any domain within the forest in which this universal group resides
Group can be assigned permissions in:
  Any domain or forest
Group scope can be converted to:
  Domain local
  Global (as long as no other universal groups exist as members)

Group scope - Global
Group can include as members:
  Accounts from the same domain as the parent global group
  Global groups from the same domain as the parent global group
Group can be assigned permissions in:
  Any domain (member permissions can be assigned in any domain)
Group scope can be converted to:
  Universal (as long as it is not a member of any other global groups)

Group scope - Domain local
Group can include as members:
  Accounts from any domain
  Global groups from any domain
  Universal groups from any domain
  Domain local groups, but only from the same domain as the parent domain local group
Group can be assigned permissions in:
  Only within the same domain as the parent domain local group
Group scope can be converted to:
  Universal (as long as no other domain local groups exist as members)
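The group-scope table above is easy to misread when deciding whether a nesting or a scope conversion will be accepted. The following model encodes the slide's three rule sets (allowed members, where permissions can be granted, allowed conversions) and refuses links the scopes forbid. It is an added example, not code from the presentation; the domains (corp.example, eu.corp.example, partner.test), forests and group names are constructed.

```python
"""Model of the group-scope rules on this slide: which member types each scope
accepts, where it can be granted permissions, and which conversions are
allowed. Added example, not from the presentation; the domains, forests and
group names below are constructed."""
from dataclasses import dataclass, field
from typing import List

UNIVERSAL, GLOBAL, DOMAIN_LOCAL = "universal", "global", "domain local"
ACCOUNT = "account"  # a user or computer account rather than a group


@dataclass
class Principal:
    name: str
    domain: str  # DNS name of the domain the object lives in
    forest: str  # forest that domain belongs to
    kind: str  # ACCOUNT, UNIVERSAL, GLOBAL or DOMAIN_LOCAL
    members: List["Principal"] = field(default_factory=list)
    member_of: List["Principal"] = field(default_factory=list)


def can_be_member(group: Principal, candidate: Principal) -> bool:
    """True if `candidate` may be added to `group` under the scope rules."""
    same_forest = candidate.forest == group.forest
    same_domain = candidate.domain == group.domain
    if group.kind == UNIVERSAL:
        # accounts, global groups and universal groups from any domain in the forest
        return same_forest and candidate.kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    if group.kind == GLOBAL:
        # accounts and global groups from the same domain only
        return same_domain and candidate.kind in (ACCOUNT, GLOBAL)
    if group.kind == DOMAIN_LOCAL:
        # accounts, global and universal groups from any domain, but other
        # domain local groups only from the same domain
        if candidate.kind == DOMAIN_LOCAL:
            return same_domain
        return candidate.kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    raise ValueError(f"not a group scope: {group.kind}")


def can_be_granted_in(group: Principal, target_domain: str) -> bool:
    """Universal and global groups can appear in ACLs in any domain; a domain
    local group only in its own domain."""
    return group.kind != DOMAIN_LOCAL or target_domain == group.domain


def can_convert(group: Principal, new_kind: str) -> bool:
    """Scope conversions permitted by the slide's table."""
    member_kinds = {m.kind for m in group.members}
    parent_kinds = {g.kind for g in group.member_of}
    if group.kind == UNIVERSAL and new_kind == DOMAIN_LOCAL:
        return True
    if group.kind == UNIVERSAL and new_kind == GLOBAL:
        return UNIVERSAL not in member_kinds      # no universal groups as members
    if group.kind == GLOBAL and new_kind == UNIVERSAL:
        return GLOBAL not in parent_kinds         # not a member of another global group
    if group.kind == DOMAIN_LOCAL and new_kind == UNIVERSAL:
        return DOMAIN_LOCAL not in member_kinds   # no domain local groups as members
    return False


def add_member(group: Principal, member: Principal) -> None:
    """Link member to group, refusing what the scope rules forbid."""
    if not can_be_member(group, member):
        raise ValueError(f"{member.kind} {member.name!r} cannot be a member of {group.kind} group {group.name!r}")
    group.members.append(member)
    member.member_of.append(group)


# Constructed sample objects: two domains in one forest plus a trusted second forest.
alice = Principal("alice", "corp.example", "example-forest", ACCOUNT)
bob = Principal("bob", "eu.corp.example", "example-forest", ACCOUNT)
carol = Principal("carol", "partner.test", "partner-forest", ACCOUNT)
sales = Principal("Sales", "corp.example", "example-forest", GLOBAL)
all_sales = Principal("AllSales", "corp.example", "example-forest", UNIVERSAL)
share_rw = Principal("FileShare-RW", "corp.example", "example-forest", DOMAIN_LOCAL)

if __name__ == "__main__":
    add_member(sales, alice)        # account from the same domain: allowed
    add_member(all_sales, sales)    # global group from the forest: allowed
    add_member(share_rw, carol)     # account from another forest: allowed for domain local
    print("convert AllSales to global:", can_convert(all_sales, GLOBAL))
    print("Sales usable in eu.corp.example ACLs:", can_be_granted_in(sales, "eu.corp.example"))
```

The usual AGDLP layout (accounts in global groups, global groups in domain local groups, permissions on the domain local group) is exactly the path these checks accept, while a global group nesting an account from another domain is rejected at `add_member` rather than discovered later as a failed ACL.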
3
DNS
Microsoft recommends at least two DCs at each physical site, with DNS.
All AD-joined systems MUST use internal DNS servers.
Self as primary and as secondary, with proper forwarders. If there are multiple DNS servers in a site, set the additional servers as primary and the server itself as secondary or tertiary. A DC should not point to itself as primary, due to the various DNS islanding and performance issues that can occur.
In multi-site configs, have systems use the local DNS server and not the DNS server from another site if you can; more on this in the Sites and Services slide.
Configure forwarders with the ISP's DNS first, then public DNS, as this ensures faster lookups.
If possible, disable NetBIOS. There can be issues with some applications, so please check your environment before doing this. But this is one of the easiest and fastest ways to break into a network and steal credentials; the reasons why this is such a problem will be covered later.
Unless there is a compelling reason to do otherwise, DNS zones should allow only secure dynamic updates.
DNS servers within a domain should not use each other as forwarders.
Configure aging and scavenging to avoid stale DNS records.
Use the DNS Best Practice Analyzer.
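The DNS rules on this slide are the kind of thing that drifts after every DC promotion, so they are worth checking mechanically. The audit below applies them to an inventory of DCs: internal DNS only, self listed but not primary when a site peer exists, the local site's DNS preferred over another site's, no internal server used as a forwarder, and ISP forwarders ahead of public ones. It is an added example, not from the presentation; the inventory, site names and addresses are constructed (203.0.113.53 stands for the ISP resolver and 198.51.100.53 for a public one, both from RFC 5737 documentation ranges).

```python
"""Audit of domain-controller DNS client settings against the rules on this
slide (internal DNS only, self not primary when a site peer exists, local
site first, no internal forwarders, ISP forwarders before public ones).
Added example, not from the presentation; the inventory and addresses are
constructed (RFC 5737 documentation ranges for the external ones)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DnsHost:
    name: str
    site: str
    ip: str
    client_dns: List[str]   # DNS client server list, primary first
    forwarders: List[str]   # forwarders configured on this DNS server


def audit(dc: DnsHost, inventory: List[DnsHost], isp_forwarders: set) -> List[Tuple[str, str]]:
    """Return (rule, message) findings for one DC."""
    findings = []
    by_ip = {h.ip: h for h in inventory}
    internal = set(by_ip)                      # every DC in the inventory also runs DNS
    site_peers = [h for h in inventory if h.site == dc.site and h.name != dc.name]

    # All AD joined systems MUST use internal DNS servers.
    for ip in dc.client_dns:
        if ip not in internal:
            findings.append(("external-dns", f"{dc.name}: client list contains non-internal DNS {ip}"))

    # Self must be listed, but not first when another DNS server exists in the site.
    if dc.ip not in dc.client_dns:
        findings.append(("self-missing", f"{dc.name}: does not list itself as a DNS server"))
    elif site_peers and dc.client_dns[0] == dc.ip:
        findings.append(("self-primary", f"{dc.name}: points to itself as primary although "
                                         f"{site_peers[0].name} is in the same site (DNS islanding risk)"))

    # Prefer the local site's DNS over another site's.
    primary = by_ip.get(dc.client_dns[0]) if dc.client_dns else None
    if primary is not None and primary.site != dc.site:
        findings.append(("remote-site-primary", f"{dc.name}: primary DNS {primary.name} is in site "
                                                f"{primary.site}, not {dc.site}"))

    # DNS servers within a domain should not use each other as forwarders.
    for fwd in dc.forwarders:
        if fwd in internal:
            findings.append(("internal-forwarder", f"{dc.name}: forwarder {fwd} is an internal DNS server"))

    # ISP forwarders should come before public ones.
    isp_pos = [i for i, f in enumerate(dc.forwarders) if f in isp_forwarders]
    public_pos = [i for i, f in enumerate(dc.forwarders) if f not in isp_forwarders and f not in internal]
    if isp_pos and public_pos and min(public_pos) < max(isp_pos):
        findings.append(("forwarder-order", f"{dc.name}: public forwarder listed before the ISP forwarder"))
    return findings


def audit_all(inventory: List[DnsHost], isp_forwarders: set) -> Dict[str, List[str]]:
    """Rule ids triggered per DC, in the order they were found."""
    return {h.name: [rule for rule, _ in audit(h, inventory, isp_forwarders)] for h in inventory}


# Constructed inventory. ISP resolver 203.0.113.53, public resolver 198.51.100.53.
ISP_FORWARDERS = {"203.0.113.53"}
INVENTORY = [
    DnsHost("DC01", "HQ", "10.0.0.10", ["10.0.0.10", "10.0.0.11"], ["203.0.113.53", "198.51.100.53"]),
    DnsHost("DC02", "HQ", "10.0.0.11", ["10.0.0.10", "10.0.0.11"], ["10.0.0.10"]),
    DnsHost("PARIS-DC1", "Branch-Paris", "10.20.0.10", ["10.20.0.10", "10.0.0.10"], ["203.0.113.53", "198.51.100.53"]),
    DnsHost("TOKYO-DC1", "Branch-Tokyo", "192.168.0.10", ["10.0.0.10", "198.51.100.53"], ["198.51.100.53", "203.0.113.53"]),
]

if __name__ == "__main__":
    for host in INVENTORY:
        for rule, message in audit(host, INVENTORY, ISP_FORWARDERS):
            print(f"[{rule}] {message}")
```

PARIS-DC1 is the only DNS server in its site, so pointing to itself first is accepted; DC01 gets the same configuration flagged because DC02 sits beside it.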
4
Sites and Services, subnetting and site links

How a system finds a DC:
The client does a DNS search for DCs in _LDAP._TCP.dc._msdcs.domainname; the DNS server returns a list of DCs.
The client sends an LDAP ping to a DC asking for the site it is in, based on the client's IP address. The DC returns:
  The client's site, or the site associated with the subnet that best matches the client's IP (determined by comparing the client's IP to the subnet-to-site table Netlogon builds at startup).
  The site that the current domain controller is in.
  A flag (DSClosestFlag = 0 or 1) that indicates whether the current DC is in the site closest to the client.
The client decides whether to use the current DC or to look for a closer option. The client uses the current DC if it is in the client's site or in the site closest to the client, as indicated by the DSClosestFlag reported by the DC.
If DSClosestFlag indicates the current DC is not the closest, the client does a site-specific DNS query to _LDAP._TCP.sitename._sites.domainname (_LDAP, or whatever service you happen to be looking for) and uses a returned domain controller.

Sites and Services and replication tech, IP addresses per site.
What is NTDS Settings? The NTDS Settings object stores connection objects, which make replication possible between two or more domain controllers.
How does a system locate which domain controller to use? Can you configure or speed up replication times?
At least one Global Catalog (GC) needs to be in each site.
Create an AD deployment plan, write it down and stick to it; the next guy will be much happier.
Avoid single points of failure, like having three domain controllers but on a single VMware host.
In small setups or multiple sites, avoid adding extra roles on the primary domain controller for that site. A common issue I see is trying to put SQL, SharePoint or file sharing services on that system. This is truly a major security problem, as well as a backup/restore and performance problem, and it goes back to the single point of failure comment before. Simple is often much better than complex.
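The locator steps above are easier to reason about when run end to end, in particular for a subnet whose site has no DC, which is the case the "at least one GC in each site" advice guards against. The model below does the longest-prefix subnet-to-site match, the LDAP ping reply with DSClosestFlag, and the fall-back to a site-specific SRV query. It is an added example, not from the presentation; the domain corp.example, the subnet table, the DC inventory and the in-memory DNS answers are constructed stand-ins, and "closest site" is simplified to "the client's own site" (site-link costs are not computed).

```python
"""Model of the DC locator steps on this slide: generic SRV lookup, LDAP ping,
DSClosestFlag, then a site-specific SRV lookup. Added example, not from the
presentation; the domain, subnet-to-site table, DC inventory and the DNS
answers are constructed stand-ins for what Netlogon and DNS would supply."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

DOMAIN = "corp.example"

# Subnet-to-site table, the equivalent of what Netlogon builds from AD Sites
# and Services at startup. Overlapping prefixes are allowed; the longest wins.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "Branch-Paris",
    "10.20.5.0/24": "Branch-Paris-Lab",   # a subnet whose site has no DC of its own
    "192.168.0.0/16": "Branch-Tokyo",
}

# Which site each DC sits in.
DC_SITES: Dict[str, str] = {"DC01": "HQ", "DC02": "HQ", "PARIS-DC1": "Branch-Paris", "TOKYO-DC1": "Branch-Tokyo"}


def srv_name(site: Optional[str] = None, service: str = "_ldap", domain: str = DOMAIN) -> str:
    """SRV record the client queries: domain-wide, or site-specific when a site is given."""
    if site is None:
        return f"{service}._tcp.dc._msdcs.{domain}"
    return f"{service}._tcp.{site}._sites.{domain}"


def site_for_ip(client_ip: str) -> Optional[str]:
    """Longest-prefix match of the client IP against the subnet-to-site table."""
    ip = ipaddress.ip_address(client_ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in SUBNET_TO_SITE.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def ldap_ping(dc: str, client_ip: str) -> Dict[str, object]:
    """What the DC answers: the client's site, its own site and DSClosestFlag.
    This model treats 'closest' as 'the client's own site'; site-link costs
    for sites without a DC are not computed here (assumption)."""
    client_site = site_for_ip(client_ip)
    dc_site = DC_SITES[dc]
    return {"client_site": client_site, "dc_site": dc_site, "DSClosestFlag": int(client_site == dc_site)}


def constructed_dns(name: str) -> List[str]:
    """Stand-in DNS server: the generic record lists every DC, the site-specific
    record only the DCs registered in that site."""
    if name == srv_name():
        return sorted(DC_SITES)
    prefix, sep, rest = name.partition("._sites.")
    if sep and rest == DOMAIN and prefix.startswith("_ldap._tcp."):
        site = prefix[len("_ldap._tcp."):]
        return [dc for dc in sorted(DC_SITES) if DC_SITES[dc] == site]
    return []


def locate_dc(client_ip: str, dns: Callable[[str], List[str]] = constructed_dns) -> Tuple[str, List[str]]:
    """Run the locator and return (chosen DC, log of the steps taken)."""
    steps = []
    candidates = dns(srv_name())
    steps.append(f"DNS {srv_name()} -> {candidates}")
    current = candidates[0]
    reply = ldap_ping(current, client_ip)
    steps.append(f"LDAP ping {current} -> {reply}")
    if reply["DSClosestFlag"] == 1 or reply["client_site"] is None:
        steps.append(f"use {current}")        # already closest, or client subnet unknown
        return current, steps
    site_query = srv_name(site=reply["client_site"])
    in_site = dns(site_query)
    steps.append(f"DNS {site_query} -> {in_site}")
    chosen = in_site[0] if in_site else current  # no DC in the site: stay with the current one
    steps.append(f"use {chosen}")
    return chosen, steps


if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.20.3.4", "10.20.5.7", "172.16.0.1"):
        dc, log = locate_dc(ip)
        print(ip, "->", dc)
        for line in log:
            print("   ", line)
```

The 10.20.5.7 case is the instructive one: the client is correctly placed in Branch-Paris-Lab, but because no DC registers in that site the site-specific query comes back empty and the client stays on whichever DC the generic record handed it, across the WAN.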
5
Moving to Distributed File System Replication (DFSR) from File Replication Service (FRS)
Domain controllers use a special shared folder named SYSVOL to replicate logon scripts and Group Policy object files to other domain controllers.
FRS removed in Server 2016; deprecated in Server 2008 R2.
This document assumes that you have a basic knowledge of Active Directory Domain Services (AD DS), FRS, and Distributed File System Replication (DFS Replication). For more information, see Active Directory Domain Services Overview, FRS Overview or Overview of DFS Replication.
The following table describes the replication architecture components.
6
Utilities & Tools
7
REPADMIN
Performing replications
repadmin /syncall /force /APed - Force all replication
repadmin /syncall /APed dc=mydomain,dc=com - Directory partition
repadmin /syncall /APed cn=configuration,dc=mydomain,dc=com - Configuration partition
repadmin /syncall /APed cn=schema,cn=configuration,dc=mydomain,dc=com - Schema partition

Other switches and uses
repadmin /kcc - Forces the Knowledge Consistency Checker (KCC) on targeted domain controllers to immediately recalculate the inbound replication topology
repadmin /queue - Shows inbound replication requests
repadmin /replsummary - Shows inbound or outbound replication times and failures in a summary
repadmin /showrepl - Displays replication status
repadmin /syncall - Syncs this server to all replication partners
Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).
8
DCDIAG
dcdiag /test:dns /dnsall
CheckSecurityErrorReports - Checks on the overall health of replication
dcdiag /TEST:NCSecDesc - Naming Context Security Descriptors test
VerifyReplicas
KccEvent
FrsEvent (if using FRS replication)
FSMOCheck - Is this DC able to contact another KDC or a Global Catalog server (GC)? Can be used with /replsource:DC

Starting test: MachineAccount
The account DC02 is not trusted for delegation. It cannot replicate.
The account DC02 is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of DC02 is: 0x288 = ( HOMEDIR_REQUIRED | ENCRYPTED_TEXT_PASSWORD_ALLOWED | NORMAL_ACCOUNT )
Typical setting for a DC is 0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
This may be affecting replication?
DC02 failed test MachineAccount
Could be as simple as you didn't run with admin rights!

DNS tests:
Basic diagnostic test /DNSBasic - This is a basic diagnostic test, which is performed any time that you perform a DNS test. This test cannot be skipped, regardless of which command line switches are used.
Forwarder and root hint test /DNSForwarders - This test checks the DNS server's forwarders and its root hints.
Delegation test /DNSDelegation - This test checks the DNS server's delegation.
Dynamic update test /DNSDynamicUpdate - This test checks to see which portion of the DNS namespace the DNS server is authoritative over.
Record registration test /DNSRecordRegistration - This test verifies that records can be registered on the DNS server.
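The MachineAccount failure above turns on two userAccountControl bits, so it helps to be able to decode the raw value rather than trust the summary line. The decoder below reproduces dcdiag's rendering of 0x288 and 0x82000 from the bit values, checks a supposed DC account for the two bits the slide calls typical, and flags bits that weaken authentication on any account. It is an added example, not from the presentation; the flag names and values are the documented ADS_USER_FLAG_ENUM constants, and the sample dcdiag text is a constructed copy of the slide's excerpt.

```python
"""Decoder for the userAccountControl values that dcdiag's MachineAccount test
prints, plus a check of a DC account against the typical setting the slide
quotes (0x82000). Added example, not from the presentation; the flag names and
bit values are the documented ADS_USER_FLAG_ENUM values, the sample dcdiag
text is a constructed copy of the slide's output."""
import re
from typing import List, Optional, Tuple

UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x0000100: "TEMP_DUPLICATE_ACCOUNT",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0020000: "MNS_LOGON_ACCOUNT",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
SERVER_TRUST_ACCOUNT = 0x2000
TRUSTED_FOR_DELEGATION = 0x80000
DC_TYPICAL = SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION   # 0x82000, as on the slide
# Bits that weaken an account's authentication posture and deserve a look on any account.
WEAK_BITS = {0x20: "password not required", 0x80: "reversible encryption allowed",
             0x200000: "DES keys only", 0x400000: "Kerberos pre-authentication not required"}


def decode(value: int) -> List[str]:
    """Flag names set in value, lowest bit first (the order dcdiag prints them)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def format_like_dcdiag(value: int) -> str:
    return f"{value:#x} = ( {' | '.join(decode(value))} )"


def check_dc_account(value: int) -> List[str]:
    """Findings for an account that is supposed to be a domain controller."""
    findings = []
    if not value & SERVER_TRUST_ACCOUNT:
        findings.append("not a DC account (SERVER_TRUST_ACCOUNT missing)")
    if not value & TRUSTED_FOR_DELEGATION:
        findings.append("not trusted for delegation (TRUSTED_FOR_DELEGATION missing)")
    if value & 0x200:
        findings.append("flagged as a NORMAL_ACCOUNT rather than a computer account")
    for bit, why in WEAK_BITS.items():
        if value & bit:
            findings.append(f"weak setting: {why} ({UAC_FLAGS[bit]})")
    return findings


_UAC_LINE = re.compile(r"Attribute userAccountControl of (\S+) is: (0x[0-9A-Fa-f]+)")


def parse_dcdiag_uac(text: str) -> Optional[Tuple[str, int]]:
    """Pull (account, userAccountControl) out of dcdiag output, if present."""
    m = _UAC_LINE.search(text)
    return (m.group(1), int(m.group(2), 16)) if m else None


# Constructed copy of the slide's dcdiag excerpt.
SAMPLE_DCDIAG = """Starting test: MachineAccount
   The account DC02 is not trusted for delegation. It cannot replicate.
   The account DC02 is not a DC account. It cannot replicate.
   Warning: Attribute userAccountControl of DC02 is: 0x288 = ( HOMEDIR_REQUIRED | ENCRYPTED_TEXT_PASSWORD_ALLOWED | NORMAL_ACCOUNT )
   Typical setting for a DC is 0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
   DC02 failed test MachineAccount
"""

if __name__ == "__main__":
    account, uac = parse_dcdiag_uac(SAMPLE_DCDIAG)
    print(account, format_like_dcdiag(uac))
    for finding in check_dc_account(uac):
        print(" -", finding)
```

Note that 0x288 is not a broken DC account so much as a plain user account object (NORMAL_ACCOUNT) that happens to carry the DC's name, which is why dcdiag says it "is not a DC account"; the reversible-encryption bit on it is a separate problem worth fixing regardless of replication.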
9
NETDOM
Find the current FSMO holder: netdom query fsmo
Internet: "I have seen that before, just remove the system and rejoin it to the domain."
No, we don't want to do that. What's worse, say you're remote: by removing the system you just lost all access, or there is no local admin account. Also this can create bad objects in AD for the system account and duplicate SID issues.
Example - Reset the machine trust instead:
netdom resetpwd /s:DC01.MyDomain.com /ud:DomainAdmin /pd:Pa$$w0rd
(/pd:* prompts for the password instead of placing it on the command line.)
10
NTDSUTIL - Metadata Clean Up

repadmin /replsummary output with the stale server:
Source DSA  largest delta  fails/total %%  error
DC  h:13m:33s  /
DC  m:40s  /
oldsrv  /  <1722> The RPC server is unavailable
Destination DSA  largest delta  fails/total %%  error
DC  h:33m:41s  0 /
DC  m:16s  0 /
oldsrv  /  <1722> The RPC server is unavailable
Experienced the following operational errors trying to retrieve replication information:
58 - oldsrv.mydomain.com

Metadata cleanup:
ntdsutil
metadata cleanup
connections
connect to server <FSMOHolder>
quit
select operation target
list domains
select domain <#>
list sites
select site <#>
list servers in site
select server <#>
quit
remove selected server
quit
quit
repadmin /syncall /force /APed
repadmin /replsummary
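Both the REPADMIN slide and this one lean on `repadmin /replsummary`, and the output above is what you read before and after a metadata cleanup. The parser below turns that output into structured rows, converts the "largest delta" column to seconds, and lists the partners that need attention (failed attempts, an error code, a delta past a threshold, or an operational error), which is the check to run before deciding that a server really is gone. It is an added example, not from the presentation; the sample text is constructed in repadmin's layout around the slide's stale server oldsrv and its error 1722, with the missing numbers filled by constructed values.

```python
"""Parser and health check for `repadmin /replsummary` output, the tool the
REPADMIN slide lists and the output the NTDSUTIL slide shows before a metadata
cleanup. Added example, not from the presentation; the sample text below is
constructed in repadmin's layout with the slide's stale server 'oldsrv'."""
import re
from typing import Dict, List

_ROW = re.compile(r"^\s*(\S+)\s+(\S+(?: days)?)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*?)\s*$")
_OPERR = re.compile(r"^\s*(\d+) - (\S+)\s*$")
_CODE = re.compile(r"[(<](\d+)[)>]")


def delta_seconds(delta: str) -> float:
    """Convert the 'largest delta' column to seconds. '>60 days' and '(unknown)'
    are treated as infinitely stale."""
    if delta.startswith(">") or delta.startswith("("):
        return float("inf")
    total = 0
    days, sep, rest = delta.partition("d.")          # e.g. '2d.03h:13m:33s'
    if sep:
        total += int(days) * 86400
        delta = rest
    for part in delta.split(":"):                      # '13m:33s' -> 13m, 33s
        total += int(part[:-1]) * {"h": 3600, "m": 60, "s": 1}[part[-1]]
    return total


def parse_replsummary(text: str) -> Dict[str, list]:
    """Split the output into source rows, destination rows and operational errors."""
    result = {"source": [], "destination": [], "operational_errors": []}
    section = None
    for line in text.splitlines():
        if line.startswith("Source DSA"):
            section = "source"
            continue
        if line.startswith("Destination DSA"):
            section = "destination"
            continue
        if line.startswith("Experienced the following operational errors"):
            section = "operational_errors"
            continue
        if section == "operational_errors":
            m = _OPERR.match(line)
            if m:
                result[section].append({"code": int(m.group(1)), "host": m.group(2)})
            continue
        m = _ROW.match(line) if section else None
        if m:
            code = _CODE.search(m.group(6))
            result[section].append({
                "dsa": m.group(1), "delta": m.group(2),
                "fails": int(m.group(3)), "total": int(m.group(4)), "percent": int(m.group(5)),
                "error_code": int(code.group(1)) if code else None, "error": m.group(6),
            })
    return result


def unhealthy_partners(summary: Dict[str, list], max_delta_seconds: float = 24 * 3600) -> List[str]:
    """DSAs with any failed attempt, an error code, a delta older than the
    threshold, or an operational error against them."""
    bad = set()
    for row in summary["source"] + summary["destination"]:
        if row["fails"] > 0 or row["error_code"] is not None or delta_seconds(row["delta"]) > max_delta_seconds:
            bad.add(row["dsa"])
    for err in summary["operational_errors"]:
        bad.add(err["host"].split(".")[0])
    return sorted(bad, key=str.lower)


# Constructed sample in repadmin's layout; only 'oldsrv' and error 1722 come from the slide.
SAMPLE = """Replication Summary Start Time: 2018-05-17 21:53:01

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 DC01                   1h:13m:33s    0 /   5    0
 DC02                         40s    0 /   5    0
 oldsrv                  >60 days    5 /   5  100  <1722> The RPC server is unavailable.

Destination DSA     largest delta    fails/total %%   error
 DC01                   1h:33m:41s    0 /  10    0
 DC02                         16s    0 /   5    0
 oldsrv                  >60 days   10 /  10  100  <1722> The RPC server is unavailable.

Experienced the following operational errors trying to retrieve replication information:
          58 - oldsrv.mydomain.com
"""

if __name__ == "__main__":
    summary = parse_replsummary(SAMPLE)
    print("partners needing attention:", unhealthy_partners(summary))
```

Running the same parser over the output captured after `remove selected server` and the final `repadmin /replsummary` should return an empty list; if oldsrv still appears, the cleanup did not take on the DC you queried.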
11
James Comey, Director FBI
"There are two kinds of big companies, those who've been hacked, and those who don't know they've been hacked." - James Comey, Director FBI
Since Active Directory is used so widely for secure authentication, here are some updates to identity security.
12
Updates to Identity Security
Windows Defender Application Guard, coming next year to Windows 10 Enterprise customers.
Windows Defender Advanced Threat Protection (WDATP) and Office 365 Advanced Threat Protection (ATP)
Enterprise Mobility + Security E5
Microsoft is serious about identity and security. Microsoft's identity platform makes up 500 million Active Directory accounts, 375 hybrid accounts and 700 million Azure AD accounts that signed in last year.
Microsoft is currently spending $1.4 billion a year on security updates.
Microsoft Identity Manager (MIM): enhancements to Privileged Access Management (PAM)
Source: Microsoft Ignite 2016
Credential Guard - Is powered by virtualization-based security technology and uses isolated containers built directly into the hardware to prevent malicious code from moving across employee devices and the corporate network.
WDATP - Now shares intelligence mutually across both services, helping IT pros investigate and respond to security threats across Windows 10 and Office 365 more quickly and efficiently.
Office 365 Advanced Threat Protection will be extended to Word, Excel, PowerPoint, SharePoint Online and OneDrive for Business. Other enhancements include dynamic delivery, which enables users to receive messages immediately with a placeholder attachment while the actual attachment undergoes scanning, and URL detonation, which analyzes links in real time to identify unknown malicious URLs.
E5 - A new offer that expands security to help the transition to mobility and cloud, will be available starting Oct. 1. The suite includes the new Microsoft Azure Information Protection service to help organizations classify, label and protect sensitive data.
13
Demo of Credential Guard
For Active Directory identities, currently one of the major threats is pass-the-hash, spear phishing, and similar types of attacks. I'm sure you have heard of the attacks against Yahoo (500 million accounts taken) or others like Target, Sony, LinkedIn, Dropbox, and even voter registration, where 200,000 voters had their credentials stolen. All that's needed is a single credential to launch this type of attack.
14
Using this tool we can find all accounts on this system; the hacker would then use these to jump systems until they get all the passwords needed or all admin accounts, hopefully on their part ones with never-expiring passwords, so as to use them later.
15
Screenshot of Credential Guard
pass-the-hash, spear phishing, and similar types of attacks
16
AD DS Enhancements Server 2016
Microsoft and Docker Inc. are extending their partnership to make the Commercially Supported Docker Engine available to Windows Server 2016 customers at no additional cost.
17
Time-limited group memberships
Users can be added to a security group with a time-to-live (TTL).
When the TTL expires, the user's membership in that group disappears.
Kerberos ticket lifetime will be determined by the TTL of the user's memberships:
  Ticket Granting Ticket (TGT) based on the shortest group membership
  Service ticket (ST) based on the TGT and the resource domain local group membership
Requires the new Forest Functional Level (FFL).
A scavenger thread takes care of cleaning up group memberships.
Group <-> User link, Member: <TTL, user-DN>
TGT: shortest group lifetime
ST: shortest of TGT and resource domain local group
Admin groups should be empty - separate admin forests.

This is now a core part of AD and moving to JIT (Just In Time) access. Users and groups are linked together by what's called a linked attribute; they are adding a property for how long this link is valid, say for 30 minutes. This is the same for the ticket that gets created, and for the ST (service ticket): it is also set to the lowest time. This is different from current solutions as it removes the group membership as well; this is why they don't work. The main problem is that this requires the Server 2016 functional level.
18
Just In Time (JIT) forest
Create a new Server 2016 forest; no need to change the existing forest.
Create a new Privileged Identity Management (PIM) trust to the existing forest.
Add shadow principals in the new forest. A shadow group is a new object class created in the configuration NC; unlike a security group, its security identifier (SID) is one from a domain in another forest.
Add a shadow admin user.
Remove admins from the existing groups.
The PIM system manages TTL groups, with a workflow to add the shadow user to the shadow admin group.
Diagram: Existing Forest, JIT Forest, PIM, Forest Trust, TTL group membership.
When you log in, it creates a JIT ST that contains the SID from the source forest for all access.
19
Windows Hello for Business
Adds support for key-based logins.
Extension of the PKInit protocol between Windows 10 clients and Windows Server 2016 DCs.
2016 schema required.
Only available for hybrid organizations (i.e. those with Azure AD); on-premises-only support coming soon.
Down-level DC support available via certificate-based Windows Hello for Business.
Certificate-based: currently requires SCCM for provisioning; non-SCCM option support coming soon.
Basically this removes the password so you can use things like facial recognition.
20
Other Enhancements
Restrict NTLM usage to specific target services on domain-joined devices.
Limit lifetime during certificate authentication.
Public Key Cryptography for Initial Authentication (PKINIT) based on a standard ext
Azure AD Join.
This year's DEF CON provided hacks to completely strip the security around NTLM.
Second point: this is different from [RFC4556], which we know was susceptible to man-in-the-middle attacks dating back to 2013.
21
Additional Resources & Questions?
Performance and Reliability Monitoring Getting Started Guide for Windows Server 2008 R2
FRS to DFSR Sysvol Migrations
TechNet Virtual Lab: Troubleshooting Active Directory Replication Errors