Ondřej Ševeček, GOPAS a.s.
MCM: Directory Services, MVP: Enterprise Security, CISA
ondrej@sevecek.com, www.sevecek.com

ACTIVE DIRECTORY OVERVIEW

Active Directory Troubleshooting
NETWORK SERVICES
Central Database
  LDAP (Lightweight Directory Access Protocol)
    database query language, similar to SQL
    TCP/UDP 389, SSL TCP 636
    Global Catalog (GC): TCP/UDP 3268, SSL TCP 3269
  D/COM, dynamic TCP
    replication, NSPI, SPN registration, RODC pass-through, domain membership
  Kerberos
    UDP/TCP 88, KPASSWD TCP/UDP 464
  Windows NT 4.0 SAM
    SMB/CIFS TCP 445 (or NetBIOS): password resets, SAM queries
    SMB/DCOM dynamic TCP: Netlogon NTLM pass-through, Kerberos PAC validation

Client Port Requirements vs. DCs
  DNS: UDP 53 (TCP 53 when the request/response exceeds 512 B)
  Ping: XP/2003 and older
  LDAP: UDP 389, TCP 389, TCP 636, TCP 3268, TCP 3269
  Kerberos: UDP/TCP 88, UDP/TCP 464
  SMB: TCP 445
  NTP: UDP 123
  Outlook: Netlogon DCOM (GC)
  Server: Netlogon DCOM (pass-through authentication)
  Server: replication DCOM (dnshostname, SPN registration)
Incoming trust establishment
  DNS: UDP queries in case of forwarders; TCP zone transfer in case of stub zones
  LDAP: UDP site location/netlogon; anonymous query for the domain SID and NetBIOS name
  SMB: anonymous secure channel, LSASS query

Design Considerations
  Distributed system: DCs may stay disconnected for very long periods (several months)
  Multimaster replication with some FSMO roles
  Maintain compatibility with forest and domain functional levels
  Application LDAP available
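As an added example (not from the slides), a PowerShell function that probes the TCP side of the client-to-DC port list above against a given DC. UDP-only traffic (DNS 53, NTP 123, Kerberos over UDP, the LDAP UDP ping) and the dynamic D/COM ports cannot be checked this way; the optional TCP 135 probe covers only the RPC endpoint mapper that hands out those dynamic ports.

```powershell
# Added example: probe the TCP ports a client needs on a DC (port list taken from the slides).
# Requires the Test-NetConnection cmdlet (Windows 8 / Server 2012 and newer).
function Test-DcClientPorts {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [switch]$IncludeGlobalCatalog,   # add 3268/3269 when the DC is also a GC
        [switch]$IncludeRpc              # add TCP 135, the endpoint mapper behind the dynamic D/COM ports
    )
    # Port and service, as listed on the "Client Port Requirements vs. DCs" slide.
    $ports = @(
        @{ Port = 53;  Service = 'DNS (TCP, used when request/response exceeds 512 B)' }
        @{ Port = 88;  Service = 'Kerberos' }
        @{ Port = 389; Service = 'LDAP' }
        @{ Port = 445; Service = 'SMB' }
        @{ Port = 464; Service = 'Kerberos KPASSWD' }
        @{ Port = 636; Service = 'LDAP over SSL' }
    )
    if ($IncludeGlobalCatalog) {
        $ports += @{ Port = 3268; Service = 'Global Catalog' }
        $ports += @{ Port = 3269; Service = 'Global Catalog over SSL' }
    }
    if ($IncludeRpc) {
        $ports += @{ Port = 135; Service = 'RPC endpoint mapper (Netlogon/replication D/COM)' }
    }

    foreach ($p in $ports) {
        # Test-NetConnection only performs a TCP connect; UDP 53/88/123/389 are not covered.
        $r = Test-NetConnection -ComputerName $DomainController -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $DomainController
            Port             = $p.Port
            Service          = $p.Service
            Open             = $r.TcpTestSucceeded
        }
    }
}

# Usage: list only the closed ports, e.g. to see what a firewall between client and DC blocks.
# Test-DcClientPorts -DomainController srv1.idtt.local -IncludeGlobalCatalog -IncludeRpc |
#     Where-Object { -not $_.Open }
```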
Design Considerations
  Example: Caribbean cruises, DC/IS/Exchange on board with tens of workstations and users, some staff hired during the journey. No or bad satellite connectivity only. DCs are synced after the ship is berthed at the main office.
  Challenge: must work independently for long periods. Different independent cruise liners/DCs can accommodate changes to user accounts, email addresses and Exchange settings. Cannot afford the loss of any one of them.

Network Interactions (DC Location) [diagram]
  Client -> DNS: SRV query, any DC list
  Client -> any DC: LDAP UDP "get my site"
  Client -> DNS: SRV query, my site DC
  Client -> my site DC
Network Interactions (2008/Vista+ DC Location) [diagram]
  Client (Vista+) -> DNS: SRV query, any DC list
  Client -> any DC (2008+): LDAP UDP "get my site", which also returns the next closest site
  Client -> DNS: SRV query, my site DC; SRV query, close site DC
  Client -> my site DC, otherwise close site DC

Network Interactions (Join Domain) [diagram]
  Client -> DC: Kerberos, TGT: User, TGT: CIFS
  Client -> DC: SMB, SAM interface
Network Interactions (Local Logon) [diagram]
  Client -> DC: Kerberos, TGT: User; TGS: LDAP, CIFS
  Client -> DC: LDAP GPO list; SMB GPO download

Network Interactions (Kerberos Network Logon) [diagram]
  Client -> DC: Kerberos, TGT: User; TGS: Server
  Client -> Server: app traffic, TGS: Server sent in-band
  Server -> DC (and DC -> DC): occasional PAC validation over SMB and D/COM dynamic TCP
Network Interactions (NTLM Network Logon) [diagram]
  Client -> Server: app traffic, NTLM in-band
  Server -> DC (and DC -> DC): NTLM pass-through over SMB and D/COM dynamic TCP

Network Interactions (Basic/RDP Logon) [diagram]
  Client -> Server: app traffic, clear text credentials in-band
  Server -> DC: Kerberos, TGT: User
Database
  Microsoft JET engine (JET Blue)
    common with Microsoft Exchange
    used by DHCP, WINS, COM+, WMI, CA, CS, RDS Broker, Windows Search
  %WINDIR%\NTDS\NTDS.DIT
  ESENTUTL
  Opened by LSASS.EXE

Scenarios
  Service     Support           Notes
  multi NIC   not recommended   more adapters register into DNS; SMB client/server/network-provider issues
  DNS         recommended
  DHCP        yes
  IAS/NPS     yes
  RRAS        not recommended   creates virtual network adapters which register into DNS; SMB client/server/network-provider issues
  CA          not recommended   cannot rename the DC; cannot remove AD; moving the CA requires keeping the same computer name
  IIS         not recommended   creates user accounts; DCPROMO changes some NTFS permissions; IIS 7.0 uses IUSR and IIS_IUSRS, which are not available in a 2003- domain; basic authentication requires the Log on Locally right
Scenarios
  Service           Support           Notes
  TS/RDS            no                DCPROMO changes some NTFS permissions; regular users can access the server locally
  TS/RDS Licensing  recommended
  WDS               yes               if domain/forest discovery is required
  WINS              not recommended   disable NetBIOS at all
  RMS               not recommended   requires IIS
  ADFS              not recommended   requires IIS
  SQL               no                creates user accounts; DCPROMO changes some NTFS permissions
  Exchange          2000: must        different hardware/memory requirements; requires IIS; must be a GC, no failover to other DCs; cannot be clustered; no role separation
                    2003: no
                    2007+: not recommended

Scenarios
  Service                   Support           Notes
  Cluster                   not supported
  NLB                       not supported
  Forefront Client Security no
  SharePoint                not recommended   requires IIS; no role separation; performance issues
  single-domain forest      recommended       forest is a security boundary; delegation can be achieved by OU security; can be more space consuming, but the GC usually contains most attributes anyway (e.g. Outlook/GC/group modification)
  single-label FQDN         discouraged       KB306349: supported, but much limited
Installation
  DCPROMO /adv
  DCPROMO /unattend:unattend.txt
  also installs the binaries on 2008 and newer
    even when only the binaries are installed, Windows Firewall also receives the exceptions for AD!
    DCPROMO /uninstallbinaries
  IFM installation must be from the same OS version
  %systemroot%\debug\dcpromo.log

Lab: Installation
  Install IDTT, idtt.local on SRV1
  Check services before and after the install: Active Directory Domain Services, Security Accounts Manager, Kerberos Key Distribution Center, Netlogon
  Check IPv4 and IPv6 DNS settings
  Check NETSTAT -ano for opened ports
Lab: Sample data population
  Run the populate-ad.bat script
  Investigate what changes it made: DSA.MSC, DSSITE.MSC
  Do not correct anything, even if you find problems

Installed services [diagram]
  LSASS
    Security Accounts Manager: TCP 445 SMB + Named Pipes; D/COM dynamic TCP
    Kerberos Key Distribution Center: UDP, TCP 88 Kerberos
    Active Directory Domain Services: UDP, TCP 389 LDAP; NTDS.DIT
Installed services [diagram]
  LSASS hosts SAM, KDC and NTDS
    SAM: TCP 445 SMB + Named Pipes, D/COM dynamic TCP; NT 4.0, NTLM pass-through, PAC validation, connect to domain
    KDC: UDP, TCP 88 Kerberos
    NTDS: UDP, TCP 389,... LDAP; Windows LDAP/ADSI client; NTDS replication; FIM/DRS API client

Restartable AD DS
  Windows Server 2008: Active Directory Domain Services service (LSASS.EXE)
  The DS Restore Mode Admin can log on (while AD DS is stopped)
    HKLM\System\CurrentControlSet\Control\LSA
    DsrmAdminLogonBehavior = 1
Netlogon
  Active Directory client: secure channel with a selected DC
  Site-aware DC Locator
  Connects the computer to the domain
  Changes the computer password
  SID/name translation
  On DCs: de/registers the DC Locator DNS SRV records

Uninstallation
  DCPROMO requires working replication connectivity with the other DCs
  DCPROMO /forceremoval does not access the network at all; can run in DS Restore Mode
Metadata Cleanup
  NTDSUTIL
    Metadata Cleanup
      Connection
        Connect to server srv2.idtt.local
        Quit
      Select operation target
        List sites
        Select site 0
        List domains in site
        Select domain 0
        List servers in site
        Select server 0
        Quit
      Remove selected server
Disabling IPv6
  Never uncheck the protocol in the NIC properties
    Exchange not working
    Clients not joining the domain
  HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters
    DisabledComponents = DWORD = 0x000000FF

Multinetworking
  Windows 2008 DC/DNS
    2008 does not register DHCP-assigned IP addresses anymore!
    Still good practice not to use more NICs
Lab: Unattended Installation
  Move SRVs to the appropriate sites (disable the original NIC first)
  Set correct DNS client settings
  Install DCs on the remaining servers automatically; install DNS only on SRV2
    dcpromo /unattend:unattend-dc-replica.txt
    dcpromo /unattend:unattend-dc-child.txt
  Wait until the DNS _msdcs zone is populated correctly with all the DC GUIDs (restart the NETLOGON services if you do not want to wait)

Initial Replica Source DC [diagram]
Renaming DC
  NETDOM COMPUTERNAME /Add
  let it replicate through the whole forest
  NETDOM COMPUTERNAME /MakePrimary
  NETDOM COMPUTERNAME /Remove

Renaming domains
  RENDOM
  can rename the forest root domain as well
  Exchange server (in)compatibility!
Lab: Troubleshoot DNS
  On SRV1 open the DNS console
  Delete the contents of the _msdcs zone
  On each DC restart the Netlogon service
    NET STOP netlogon & NET START netlogon
    Restart-Service Netlogon
    or NLTEST /DSREGDNS
  Confirm the zone got populated correctly

Lab: Troubleshoot replication
  On SRV1 open DSSITE.MSC
  Move SRV1 into the London site
  Clear the DNS resolver cache: NET STOP dnscache & NET START dnscache
  Replicate configuration to all the other DCs
  Force all the other DCs to check the replication topology
  Replicate configuration from all the DCs back to SRV1
  Force replication of all the links
  Check the replication for errors: REPADMIN /replsummary
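As an added example (not part of the lab), a PowerShell function that turns the CSV form of repadmin /showrepl into a list of failing replication links, so the error check at the end of the lab can be scripted across all DCs. The column names are the ones repadmin emits with its /csv switch; the sample rows below are constructed for the lab topology and are not real output.

```powershell
# Added example: find failing replication links in "repadmin /showrepl * /csv" output.
function Find-ReplicationFailure {
    param([Parameter(Mandatory)][string]$CsvText)   # full text of repadmin /showrepl * /csv
    $CsvText | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Destination = $_.'Destination DSA'
                Source      = $_.'Source DSA'
                Partition   = $_.'Naming Context'
                Failures    = [int]$_.'Number of Failures'
                LastSuccess = $_.'Last Success Time'
                # Win32 error code of the last failure; 8524 is the DNS lookup failure
                # you get when the _msdcs records for a partner are missing.
                Status      = [int]$_.'Last Failure Status'
            }
        }
}

# Constructed sample in the repadmin /csv layout (not real output): SRV1 in London pulls fine
# from SRV2 but has failed 12 times against SRV3 with error 8524 since the _msdcs zone was emptied.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,London,SRV1,"DC=idtt,DC=local",Default-First-Site-Name,SRV2,RPC,0,0,2024-01-10 08:00:12,0
showrepl_INFO,London,SRV1,"CN=Configuration,DC=idtt,DC=local",Default-First-Site-Name,SRV3,RPC,12,2024-01-10 07:55:40,2024-01-09 22:10:05,8524
'@

Find-ReplicationFailure -CsvText $sample | Format-Table -AutoSize

# Live use on a DC, after the lab steps above:
# Find-ReplicationFailure -CsvText (repadmin /showrepl * /csv | Out-String)
```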
Initial Synchronization
  HKLM\System\CCS\Services\NTDS\Parameters
    Repl Perform Initial Synchronizations
  During startup, the DC tries to replicate with at least one partner
  When turned off: fast startup on an isolated network, but the DC loses protection against USN rollback (restored snapshot/image) and against restore/seizure of FSMO roles

DNS Best Practice [diagram]
  DC1 (AD, DNS) and DC2 (AD, DNS) query each other's DNS
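As an added example (not from the slides), a PowerShell function that audits the three DC registry settings discussed on the Restartable AD DS, Disabling IPv6 and Initial Synchronization slides and flags the two states that weaken protection (DsrmAdminLogonBehavior = 2, which allows the DSRM account to log on while AD DS is running, and Repl Perform Initial Synchronizations = 0). The value meanings are from the slides and Microsoft's documentation; remote reads assume the Remote Registry service is running on the target DC.

```powershell
# Added example: audit DC registry settings from the slides. Reads HKLM on a remote DC
# (needs the Remote Registry service) or locally when no computer name is given.
function Get-DcRegistryAudit {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $checks = @(
        @{ Setting = 'DsrmAdminLogonBehavior'
           Key     = 'SYSTEM\CurrentControlSet\Control\Lsa'
           Meaning = 'absent/0 = DSRM admin only in DS Restore Mode; 1 = also while AD DS is stopped; 2 = always' }
        @{ Setting = 'DisabledComponents'
           Key     = 'SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
           Meaning = '0xFF = IPv6 disabled in the registry (the slides: never uncheck it on the NIC instead)' }
        @{ Setting = 'Repl Perform Initial Synchronizations'
           Key     = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Meaning = 'absent/1 = replicate with a partner at startup; 0 = skip, no USN rollback protection' }
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        foreach ($c in $checks) {
            $key   = $hklm.OpenSubKey($c.Key)
            $value = if ($key) { $key.GetValue($c.Setting, $null) } else { $null }
            # Flag the two states that weaken protection: DSRM logon always allowed, initial sync off.
            $flag = ($c.Setting -eq 'DsrmAdminLogonBehavior' -and $value -eq 2) -or
                    ($c.Setting -eq 'Repl Perform Initial Synchronizations' -and $value -eq 0)
            [pscustomobject]@{
                Computer = $ComputerName
                Setting  = $c.Setting
                Value    = if ($null -eq $value) { '(absent)' } else { '0x{0:X8}' -f [int]$value }
                Flag     = $flag
                Meaning  = $c.Meaning
            }
        }
    } finally { $hklm.Close() }
}

# Usage across every DC in the forest (ActiveDirectory module):
# (Get-ADDomainController -Filter *).HostName | ForEach-Object { Get-DcRegistryAudit $_ } |
#     Where-Object Flag | Format-Table -AutoSize
```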
Lab: DNS Best Practice
  Disable IPv6 in the registry: disable-ipv6.reg
  Reconfigure SRV1 and SRV2 to query DNS mutually, as the DNS best practice says
  Reconfigure all the other DCs to use SRV1 and SRV2 for their client DNS queries

Active Directory Troubleshooting
PLANNING
Maximum number of objects
  2 147 483 393
  Distinguished Name Tag (DNT): internal database identifier, per DC
    only incremented, even when objects are deleted
    means all partitions on all DCs together
  Installing a new DC starts with DNT=0
    can be used to overcome the limit after huge object deletes
    cannot install from IFM (reuses DNTs)

Maximum number of SIDs
  1 073 741 823 (30-bit): RID pool limit
  Windows 2012, Windows 2008 R2+KB2642658: 31-bit
    operational attribute sidcompatibilityversion = 1
    FFL/DFL invariant
Maximum number of SIDs
  Atomic transaction: should not exceed 5000 changes
Group Limits
  Access token: 1025 groups, including local/virtual groups
  Group members
    up to 5000 on Windows 2000 FFL (recommended limit only, due to the atomic transaction size)
    no limit (500 million) with FFL 2003+ (linked multivalue replication)

Domain and DC limits
  Maximum number of domains
    800 with 2000 forest functional level
    1200 with 2003+ forest functional level (non-linked multivalue)
  Recommended maximum number of DCs
    1200 DCs with 2003- domain level (FRS replication)
    unlimited with 2008+ domain level and DFSR
Some other limits
  Maximum GPOs applied: each client will process up to 999 GPOs
  Maximum number of trust links: Kerberos cannot traverse more than 10 trusts
  Attribute limits
    limits can be set in the schema: rangelower, rangeupper
    Unicode String: maximum 10 485 552 characters
    Octet String (binary data): maximum 10 485 560 bytes
    in case of multivalue, every value up to this limit
  Maximum 800/1200 (non-linked) values per object
    a single value or every one from a multi-value counts
Space consumption
  Single attribute overhead ~ 80 B
    1024 B binary ~ 1024 + 80 B in DB
    1024 characters ~ 2048 B + 80 B in DB
  Empty user/computer account: 3.7 kB
  Pure OU or a single DNS record: 1.2 kB
  The big data
    thumbnailphoto: maximum 30 kB
    usercertificate: 1500 B
    mspkiaccountcredentials: 10 kB
Common frequent modifying operations
  Admin induced
    create users/groups/computers/DNS
    change group membership
  User induced
    change password on users/computers (users = 42??, computers = 30)
    DNS dynamic update (default = 14??)
    lastlogontimestamp (default = 14??)

Common modifications example
  200 people
    200 users = 100x / month pwd+pwdlastset
    200 users = 400x / month lastlogontimestamp
    200 pc = 200x / month pwd+pwdlastset
    200 pc = 400x / month dns update
    = 1100x / month ~= 1.5 / hour
  5000 people ~= 40 / hour
Active Directory Troubleshooting
ACTIVE DIRECTORY LDS (ADAM)

Application LDAP
  Arbitrary port number, can run TLS
  Multiple instances and partitions on a single box
    replication managed by the Active Directory Sites and Services snap-in (requires MS-ADLDS-DisplaySpecifiers.ldf)
  Separate schema
    custom attributes etc.
    can use different naming attributes (O=, C=)
  Has a forest functional level (no DFL): msds-behavior-version
Authentication
  LDAP simple bind
  NTLM/Kerberos for AD principals
  Proxy authentication into AD
    %systemroot%\adam
    userproxy.ldf, userproxyfull.ldf

Mapping DNS to X.500
  Works for AD DS as well as AD LDS
  Client feature of ADSI
    accounting.ad.sevecek.com -> DC=accounting,DC=ad,DC=sevecek,DC=com
  AD DS registers partition names in DNS automatically
  For AD LDS you must register the DNS name in DNS yourself
AD DS vs. AD LDS Sync and Management
  adschemaanalyzer: exports the AD DS schema into AD LDS
  ADAMSync = DirSync: synchronizes objects (MS-AdamSyncConf.xml)
  PowerShell/VBS/ADSI
  LDF/ADSIEdit/DSSITE.MSC