ACTIVE DIRECTORY OVERVIEW

Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CISA | ondrej@sevecek.com | www.sevecek.com

NETWORK SERVICES: Active Directory Troubleshooting




Central Database

- LDAP – Lightweight Directory Access Protocol
  - database query language, similar to SQL
  - TCP/UDP 389, SSL TCP 636
  - Global Catalog (GC) – TCP/UDP 3268, SSL TCP 3269
- D/COM Dynamic TCP – replication, NSPI, SPN registration, RODC pass-through domain membership
- Kerberos – UDP/TCP 88, KPASSWD TCP/UDP 464
- Windows NT 4.0 SAM – SMB/CIFS TCP 445 (or NetBIOS)
  - password resets, SAM queries
- SMB/DCOM Dynamic TCP – Netlogon NTLM pass-through, Kerberos PAC validation

Client Port Requirements vs. DCs

- DNS – UDP 53 (TCP 53 when the request/response exceeds 512 B)
- Ping – XP/2003 and older
- LDAP – UDP 389, TCP 389, TCP 636, TCP 3268, TCP 3269
- Kerberos – UDP/TCP 88, UDP/TCP 464
- SMB – TCP 445
- NTP – UDP 123
- DCOM/RPC – TCP 135
  - Outlook – SAM/Netlogon DCOM (GC)
  - Server – SAM/Netlogon DCOM (pass-through authentication)
  - Server – Replication DCOM (dNSHostName, SPN registration)
  - + DC-DC NTFRS or DFSR replication DCOM
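As an added example that is not part of the original deck, the following PowerShell script probes the TCP ports from the list above against every DC of the domain and drives the UDP services (DNS, NTP, the LDAP locator ping) through their own tools, because Test-NetConnection cannot probe UDP. It assumes Windows 8 / Server 2012 or newer (Test-NetConnection, Resolve-DnsName) and a domain-joined client; the domain name and DC list are discovered at run time.

```powershell
# Added example, not part of the original deck: verify client-to-DC port requirements.
# Assumes PowerShell 5.1+ on Windows 8 / Server 2012 or newer (Test-NetConnection, Resolve-DnsName).
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string[]]$DomainControllers          # optional; default is every DC of the domain
)

# TCP listeners a domain member must reach, taken from the slide above.
$tcpPorts = [ordered]@{
    '53'   = 'DNS (TCP, used when request/response exceeds 512 B)'
    '88'   = 'Kerberos'
    '135'  = 'DCOM/RPC endpoint mapper (dynamic ports follow)'
    '389'  = 'LDAP'
    '445'  = 'SMB'
    '464'  = 'Kerberos KPASSWD'
    '636'  = 'LDAP over SSL'
    '3268' = 'Global Catalog'
    '3269' = 'Global Catalog over SSL'
}

if (-not $DomainControllers) {
    # The generic DC Locator record lists every DC of the domain.
    $DomainControllers = (Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain").NameTarget |
        Sort-Object -Unique
}

foreach ($dc in $DomainControllers) {
    "== $dc"
    foreach ($entry in $tcpPorts.GetEnumerator()) {
        $probe = Test-NetConnection -ComputerName $dc -Port ([int]$entry.Key) -WarningAction SilentlyContinue
        $state = if ($probe.TcpTestSucceeded) { 'open   ' } else { 'BLOCKED' }
        '  {0} TCP {1,-5} {2}' -f $state, $entry.Key, $entry.Value
    }

    # UDP cannot be probed with Test-NetConnection; exercise the UDP services instead.
    # DNS over UDP 53: ask this DC's own DNS server for the locator record.
    $dns = Resolve-DnsName -Server $dc -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction SilentlyContinue
    '  {0} UDP 53    DNS' -f $(if ($dns) { 'open   ' } else { 'BLOCKED' })

    # NTP over UDP 123: take a single time sample from the DC.
    $ntp = (w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1) | Out-String
    '  {0} UDP 123   NTP' -f $(if ($ntp -notmatch 'error') { 'open   ' } else { 'BLOCKED' })
}

# LDAP over UDP 389 is the DC Locator "ping"; nltest drives it end to end and
# prints the DC and the site it selected for this client.
nltest /dsgetdc:$Domain /force
```

The RPC dynamic port range used after the endpoint mapper handshake is not enumerated here; a blocked range shows up as failures in the SAM/Netlogon and replication traffic listed above rather than on TCP 135 itself.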


Incoming trust establishment

- DNS
  - UDP queries in case of forwarders
  - TCP zone transfer in case of stub zones
- LDAP UDP
  - site location / Netlogon anonymous query for the domain SID and NetBIOS name
- SMB
  - anonymous secure channel LSASS query

Design Considerations

- Distributed system
  - DCs disconnected for very long times (several months)
- Multimaster replication with some FSMO roles
  - naming, schema, RID, PDC, infrastructure
- Maintain compatibility with forest and domain functional levels
  - raising only; lowering is possible down to 2008 only
- Application LDAP available


Design Considerations

Example: Caribbean cruises, DC/IS/Exchange on board with tens of workstations and users, some staff hired during the journey. No or only bad satellite connectivity. DCs are synced after the ship is berthed at the main office.

Challenge: Must work independently for long time periods. Different independent cruise liners/DCs can accommodate changes to user accounts, email addresses and Exchange settings. Cannot afford the loss of any one of them.

Network Interactions (DC Location)

[Diagram: Windows 2000+ client locating a DC among 2000+ DCs. Client → DNS: SRV query for the "any DC" list; client → any DC over LDAP UDP: "Get My Site"; client → DNS: SRV query for a DC in my site; client → My Site DC (2000+).]


Network Interactions (2008/Vista+ DC Location)

[Diagram: Vista+ client with 2008+ DCs. Client → DNS: SRV query for the "any DC" list; client → any DC (2008+) over LDAP UDP: "Get My Site"; client → DNS: SRV query for a DC in my site (My Site DC, 2000+); when none is available, the 2008+ DC returns the "Next Closest Site" and the client queries DNS for SRV: close site DC and uses the Close Site DC (2000+).]

Network Interactions (Join Domain)

[Diagram: 2000+ client joining a domain against a 2000+ DC. Kerberos: TGT for the user, TGS for CIFS; SMB: SAM interface on the DC.]



Network Interactions (Local Logon)

[Diagram: 2000+ client and 2000+ DC. Kerberos: TGT for the user, TGS for LDAP and CIFS; LDAP: GPO list; SMB: GPO download.]

Network Interactions (Kerberos Network Logon)

[Diagram: 2000+ client, 2000+ server and 2000+ DCs. Client ↔ DC (Kerberos): TGT: User, TGS: Server; client → server: in-band TGS: Server together with the app traffic; server ↔ DC over SMB / D/COM dynamic TCP: occasional PAC validation.]


Network Interactions (NTLM Network Logon)

[Diagram: 2000+ client, 2000+ server and 2000+ DCs. Client → server: in-band NTLM together with the app traffic; server → DC over SMB / D/COM dynamic TCP: pass-through NTLM.]

Network Interactions (Basic/RDP Logon)

[Diagram: 2000+ client, 2000+ server and 2000+ DCs. Client → server: in-band clear text credentials together with the app traffic; server → DC (Kerberos): TGT: User.]


Database

- Microsoft JET/ESE engine
  - JET Blue
  - common with Microsoft Exchange
  - used by DHCP, WINS, COM+, WMI, CA, CS, RDS Broker, Windows Search, SCOM agent, …
- %WINDIR%\NTDS\NTDS.DIT
  - ESENTUTL
  - opened by LSASS.EXE

Processes and performance on a DC

- LSASS – LDAP, Kerberos, NTLM, password changes, SID translation
- DNS – queries, dynamic update
- NTFRS/DFSR – GPO changes
- SYSTEM – SMB server (SYSVOL)
- SVCHOST – Windows Time Service


Scenarios

Service          | Support                                        | Notes
multi NIC        | not recommended                                | more adapters register into DNS; SMB client/server/network-provider issues
DNS              | recommended                                    |
DHCP             | yes                                            |
IAS/NPS          | yes                                            |
RRAS             | not recommended                                | creates virtual network adapters which register into DNS; SMB client/server/network-provider issues
CA (AD CS)       | not recommended                                | cannot rename the DC; cannot remove AD; moving the CA requires keeping the same computer name
IIS              | not recommended                                | creates user accounts; DCPROMO changes some NTFS permissions; IIS 7.0 uses IUSR and IIS_IUSRS, which are not available in a 2003- domain; basic authentication requires the Log on Locally right
TS/RDS           | no                                             | DCPROMO changes some NTFS permissions; regular users can access the server locally
TS/RDS Licensing | recommended                                    | if domain/forest discovery is required
WDS              | yes                                            |
WINS             | not recommended                                | disable NetBIOS altogether
RMS              | not recommended                                | requires IIS
ADFS             | not recommended                                | requires IIS
ADFS 2012 R2+    | yes                                            | does not require IIS
SQL              | no                                             | creates user accounts; DCPROMO changes some NTFS permissions
Exchange         | 2000: must; 2003: no; 2007+: not recommended   | different hardware/memory requirements; requires IIS; must be a GC, no failover to other DCs; cannot be clustered; no role separation


Scenarios

Service                   | Support         | Notes
Cluster                   | not supported   |
NLB                       | not supported   |
Forefront Client Security | no              |
SharePoint                | not recommended | requires IIS; no role separation; performance issues
single-domain forest      | recommended     | the forest is the security boundary; delegation can be achieved by OU security; can consume more space, but the GC usually contains most attributes anyway (e.g. Outlook/GC/group modification, KB306349)
single-label FQDN         | discouraged     | supported, but much limited

Installation

- DCPROMO /adv
- DCPROMO /unattend:unattend.txt
  - also installs the binaries on 2008 and newer
  - even when only the binaries are installed, Windows Firewall already receives the exceptions for AD!
- DCPROMO /uninstallbinaries
- IFM installation
  - must be from the same OS version
- %systemroot%\debug\dcpromo.log


Lab: Installation

- Install IDTT, idtt.local on SRV1
- Check services before and after the install
  - Active Directory Domain Services
  - Security Accounts Manager
  - Kerberos Key Distribution Center
  - Netlogon
- Check IPv4 and IPv6 DNS settings
- Check NETSTAT -ano for opened ports

Lab: Sample data population

- Run the populate-ad.bat script
- Investigate what changes it made
  - DSA.MSC, DSSITE.MSC
- Do not correct anything, even if you find problems


Installed services

[Diagram: components hosted in LSASS and their listeners. Security Accounts Manager – TCP 445 (SMB + named pipes); Kerberos Key Distribution Center – UDP/TCP 88 (Kerberos); Active Directory Domain Services – UDP/TCP 389 (LDAP), backed by NTDS.DIT; D/COM dynamic TCP.]

[Diagram: who talks to which LSASS component (SAM, KDC, NTDS). NT 4.0 → SAM over TCP 445 (SMB + named pipes): NTLM pass-through, PAC validation; Windows 2000+ → KDC over UDP/TCP 88 (Kerberos); LDAP/ADSI client → NTDS over UDP/TCP 389, … (LDAP); NTDS replication and FIM/DRS API client → D/COM dynamic TCP; "Connect to domain".]


Restartable AD DS

- Windows Server 2008
- Active Directory Domain Services service
  - LSASS.EXE
- Can log on as the DS Restore Mode Admin
  - HKLM\System\CurrentControlSet\Control\LSA
  - DsrmAdminLogonBehavior = 1

Netlogon

- Active Directory client
  - "secure channel" with a selected DC
- Site-aware DC Locator
- Connects the computer to the domain
- Changes the computer password
- SID/Name translation
- On DCs de/registers the DC Locator DNS SRV records


Uninstallation

- DCPROMO
  - requires working replication connectivity with the other DCs
- DCPROMO /forceremoval
  - does not access the network at all
  - can run in DS Restore Mode
- NTDSUTIL Metadata Cleanup

  metadata cleanup
    connections
      connect to server srv2.idtt.local
      quit
    select operation target
      list sites
      select site 0
      list domains in site
      select domain 0
      list servers in site
      select server 0
      quit
    remove selected server


Disabling IPv6

- Never uncheck the protocol in the NIC properties
  - Exchange not working
  - clients not joining the domain
- HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters
  - DisabledComponents = DWORD = 0x000000FF


Multinetworking

- Windows 2008 DC/DNS 2008 no longer registers DHCP-assigned IP addresses!
- Still good practice not to use more NICs

Lab: Unattended Installation

- Move the SRVs to the appropriate sites
  - disable the original NIC first
- Set correct DNS client settings
- Install DCs on the remaining servers
  - automatically install DNS only on SRV2
  - dcpromo /unattend:unattend-dc-replica.txt
  - dcpromo /unattend:unattend-dc-child.txt
- Wait until the DNS _msdcs zone is populated correctly with all the DC GUIDs
  - restart the NETLOGONs if you do not want to wait


[Diagram: Initial Replica Source DC]

Renaming a DC (DFL 2003)

- NETDOM COMPUTERNAME /Add
  - let it replicate through the whole forest
- NETDOM COMPUTERNAME /MakePrimary
- NETDOM COMPUTERNAME /Remove


Renaming domains (FFL 2003)

- RENDOM
  - can rename the forest root domain as well
  - nTDSDSA – msDS-ReplicationEpoch
- Exchange server (in)compatibility!
  - 2010 SP1+
- SQL server
  - re-script (update) all logins

Lab: Troubleshoot DNS

- On SRV1 open the DNS console
- Delete the contents of the _msdcs zone
- On each DC restart the Netlogon service
  - NET STOP netlogon & NET START netlogon
  - Restart-Service Netlogon
  - or NLTEST /DSREGDNS
- Confirm the zone got populated correctly
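Confirming "populated correctly" by eye is error-prone, so here is an added check (not part of the deck) that resolves, for every DC, the records the DC Location diagrams rely on: the generic and the site-specific _ldap SRV records, the Kerberos SRV record and the DSA GUID CNAME in the forest root _msdcs zone. It assumes the RSAT ActiveDirectory module and Resolve-DnsName (Windows 8 / Server 2012 or newer).

```powershell
# Added example, not part of the original deck: verify each DC's DC Locator records in DNS
# after the Netlogon restart from the lab. Assumes RSAT ActiveDirectory module + DnsClient.
Import-Module ActiveDirectory

function Get-DnsTargets([string]$Name, [string]$Type) {
    # Target host names of SRV or CNAME answers, lower-cased and without trailing dots.
    $answers = Resolve-DnsName -Name $Name -Type $Type -ErrorAction SilentlyContinue
    $targets = switch ($Type) {
        'SRV'   { $answers.NameTarget }   # DnsRecord_SRV objects
        'CNAME' { $answers.NameHost }     # CNAME answers expose the target as NameHost
    }
    @($targets | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('.').ToLower() })
}

$forest = (Get-ADForest).RootDomain
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $fqdn    = $dc.HostName.ToLower()
    $domain  = $dc.Domain
    # The DSA GUID is the objectGUID of the DC's NTDS Settings object.
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID

    [pscustomobject]@{
        DC        = $fqdn
        Site      = $dc.Site
        # 1. Generic "any DC" list: the first lookup in the DC Location diagram.
        AnyDcSrv  = (Get-DnsTargets "_ldap._tcp.dc._msdcs.$domain" SRV) -contains $fqdn
        # 2. Site-specific record: what the client asks for after "Get My Site".
        SiteSrv   = (Get-DnsTargets "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$domain" SRV) -contains $fqdn
        # 3. Kerberos KDC record used by the Kerberos logon flows in the deck.
        KdcSrv    = (Get-DnsTargets "_kerberos._tcp.dc._msdcs.$domain" SRV) -contains $fqdn
        # 4. DSA GUID CNAME in the forest root _msdcs zone, used by replication partners.
        GuidCname = (Get-DnsTargets "$dsaGuid._msdcs.$forest" CNAME) -contains $fqdn
    }
}

$report | Format-Table -AutoSize
# A False in any column means that DC has not (re)registered yet: run NLTEST /DSREGDNS
# or restart Netlogon on it, as the lab says, then re-run this check.
```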


Lab: Troubleshoot replication

- On SRV1 open DSSITE.MSC
- Move SRV1 into the London site
- Clear the DNS resolver cache
  - NET STOP dnscache & NET START dnscache
- Replicate the configuration to all the other DCs
- Force all the other DCs to check the replication topology
- Replicate the configuration from all the DCs back to SRV1
- Force replication of all the links
- Check the replication for errors
  - REPADMIN /replsummary

Initial Synchronization

- HKLM\System\CCS\Services\NTDS\Parameters
  - Repl Perform Initial Synchronizations = 0
- During startup, a DC tries to replicate with at least one partner
- Fast startup on an isolated network
- Loses protection against
  - USN rollback (restore of a snapshot/image)
  - restore/seizure of FSMO roles
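The three registry settings the deck mentions (DsrmAdminLogonBehavior, the IPv6 DisabledComponents value and Repl Perform Initial Synchronizations) are easy to lose track of across a fleet of DCs. The added script below, which is not the deck's own material, reads them from every DC and flags the values that trade protection for convenience; it assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs and administrative rights on them.

```powershell
# Added example, not part of the original deck: audit the three DC registry settings
# from the deck on every DC and flag the values that weaken protection.
# Assumes RSAT ActiveDirectory module, PowerShell remoting to the DCs and admin rights.
Import-Module ActiveDirectory

# Where each setting lives. The deck writes the IPv6 key as TCPIPv6; the actual key is Tcpip6.
$checks = @(
    @{ Name = 'DsrmAdminLogonBehavior';                Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
    @{ Name = 'DisabledComponents';                    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' }
    @{ Name = 'Repl Perform Initial Synchronizations'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' }
)

$dcs = (Get-ADDomainController -Filter *).HostName
$raw = Invoke-Command -ComputerName $dcs -ScriptBlock {
    foreach ($c in $using:checks) {
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Setting = $c.Name; Value = $value }   # PSComputerName is added by remoting
    }
}

$report = foreach ($r in $raw) {
    $needsReview = switch ($r.Setting) {
        # Default 0 / not set: the DSRM administrator is usable only in DS Restore Mode.
        # 1 (Restartable AD DS slide): it can also log on while the AD DS service is stopped,
        # so anyone holding the DSRM password has an additional way onto the DC.
        'DsrmAdminLogonBehavior'                { ($null -ne $r.Value) -and ($r.Value -ne 0) }
        # 0: the DC starts without first replicating from a partner (fast start on an isolated
        # network) and loses the protection against USN rollback and FSMO restore/seizure.
        'Repl Perform Initial Synchronizations' { $r.Value -eq 0 }
        # Informational: the deck recommends 0xFF here instead of unbinding IPv6 on the NIC.
        default                                 { $false }
    }
    [pscustomobject]@{
        DC          = $r.PSComputerName
        Setting     = $r.Setting
        Value       = if ($null -eq $r.Value) { '<not set>' } else { '0x{0:X}' -f $r.Value }
        NeedsReview = $needsReview
    }
}

$report | Sort-Object DC, Setting | Format-Table -AutoSize
```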


DNS Best Practice

[Diagram: DC1 and DC2, each running AD and DNS, with each DC pointing its DNS client at the other.]

Lab: DNS Best Practice

- Disable IPv6 in the registry
  - disable-ipv6.reg
- Reconfigure SRV1 and SRV2 to query DNS mutually, as the DNS best practice says
- Reconfigure all the other DCs to use SRV1 and SRV2 for their client DNS queries


PLANNING
Active Directory Troubleshooting

Maximum number of objects

- 2 147 483 393
- Distinguished Name Tag (DNT)
  - internal database identifier, per DC
  - only incremented, even when objects are deleted
- Means all partitions on all DCs together
- Installing a new DC starts with DNT=0
  - can be used to overcome the limit after huge object deletes
  - cannot install from IFM – it reuses the DNTs


Maximum number of SIDs

- 1 073 741 823 (30-bit)
  - RID pool limit
- Windows 2012, Windows 2008 R2+ with KB2642658: 31-bit
  - operational attribute sIDCompatibilityVersion = 1
  - FFL/DFL invariant


Atomic transaction

- Should not exceed 5000 changes

Group Limits

- Access Token
  - 1025 groups
  - including local/virtual groups
- Group members
  - up to 5000 on Windows 2000 FFL (recommended limit only, due to the atomic transaction size)
  - no limit (500 million) with FFL 2003+ (linked multivalue replication)


Domain and DC limits

- Maximum number of domains
  - 800 with 2000 forest functional level
  - 1200 with 2003+ forest functional level (non-linked multivalue)
- Recommended maximum number of DCs
  - 1200 DCs with 2003- domain level (FRS replication)
  - unlimited with 2008+ domain level and DFSR

Some other limits

- Maximum GPOs applied
  - each client will process up to 999 GPOs
- Maximum number of trust links
  - Kerberos cannot traverse more than 10 trusts


Attribute limits

- limits can be set in the schema: rangeLower, rangeUpper
- Unicode String: maximum 10 485 552 characters
- Octet String (binary data): maximum 10 485 560 bytes
- In case of a multivalue, every value may be up to this limit
- Maximum 800/1200 (non-linked) values per object
  - a single value or every one of a multi-value counts

Space consumption

- Single attribute overhead ~ 80 B
  - 1024 B binary ~ 1024 + 80 B in the DB
  - 1024 characters ~ 2048 B + 80 B in the DB
- Empty user/computer account
  - 3.7 kB (2008 R2 schema: 4.5 kB)
- Pure OU or a single DNS record
  - 1.2 kB


Exchange

- ca 35 own Exchange attributes
- ca 1000 bytes overall
- ~ average 30 B per attribute

The big data

- thumbnailPhoto: maximum 30 kB
- userCertificate: 1500 B
- msPKIAccountCredentials: 10 kB


What must be available fast

- Logins, display names
- Passwords
- Group membership
- DNS records
- Email addresses, …

Common frequent modifying operations

- Admin induced
  - create users/groups/computers/DNS
  - change group membership
- User induced
  - change password on users/computers
    - users = 42??, computers = 30
  - DNS dynamic update default = 14??
  - lastLogonTimestamp default = 14??


Common modifications example

- 200 people
  - 200 users = 100x / month pwd + pwdLastSet
  - 200 users = 400x / month lastLogonTimeStamp
  - 200 PCs = 200x / month pwd + pwdLastSet
  - 200 PCs = 400x / month DNS update
  - = 1100x / month ~= 1.5 / hour
- 5000 people
  - ~= 40 / hour

ACTIVE DIRECTORY LDS (ADAM)
Active Directory Troubleshooting


Application LDAP

- Arbitrary port number, can run TLS
- Multiple instances and partitions on a single box
  - replication managed by the Active Directory Sites and Services snap-in (requires MS-ADLDS-DisplaySpecifiers.ldf)
- Separate schema
  - custom attributes etc.
  - can use different naming attributes (O=, C=)
- Has a forest functional level (no DFL)
  - msDS-Behavior-Version

Authentication

- LDAP Simple Bind
- NTLM/Kerberos for AD principals
- Proxy authentication into AD
  - %systemroot%\ADAM
  - userProxy.ldf
  - userProxyFull.ldf


Mapping DNS to X.500

- Works for AD DS as well as AD LDS
- Client feature of ADSI
  - accounting.ad.sevecek.com
  - DC=accounting,DC=ad,DC=sevecek,DC=com
- AD DS registers the partition names in DNS automatically
- For AD LDS you must register the DNS name in DNS yourself

AD DS vs. AD LDS Sync and Management

- adschemaanalyzer
  - exports the AD DS schema into AD LDS
- ADAMSync = DirSync
  - synchronizes objects
  - MS-AdamSyncConf.xml
- PowerShell/VBS/ADSI
- LDF/ADSIEdit/DSSITE.MSC