Reliability Workbook for Active Directory Domain Services

Page 1: Reliability Workbook for Active Directory Domain Services

Document version: 1.0

Published: January 2010

Overview

Reliability is the state in which a service and all the components it depends on are behaving as desired within acceptable limits. This task list provides a schedule of proactive health monitoring and maintenance tasks to review and adapt to your individual requirements. For further instructions about the configuration and use of this task list, see the Administrator's Guide to Reliability Workbooks at www.microsoft.com/mof.

Task List Columns

Health Attribute: A group of requirements for a healthy system.

Health Area: A category of health action.

Health Requirement: A requirement in a particular health control area that drives monitoring activity, which ensures continued component health.

Monitoring Task: An action that involves observing trends and paying attention to warning levels and error alerts. These alerts will trigger maintenance tasks.

Maintenance Task: Regularly scheduled or trend-driven work that ensures the continued health of the component.

Monitoring Parameter: The picture of health for a component. These conditions are determined by your organization's requirements and may vary according to factors such as the component's importance to the business, the size of the organization, or staffing constraints.

Owner: Person with the responsibility to ensure that a task is done. The owner can complete the task, automate it, or delegate it and confirm that the work has been done.

Notes: Additional information relating to this item.

Feedback

Please direct questions and comments about this guide to [email protected].

Note: Although many of the monitoring and maintenance tasks in this guide can be performed manually, best practice is to use automated methods because of the frequency and complexity of the individual tasks.

Page 2

Monitoring Activities

Title | Health attribute | Health area
Verify that all accounts with Remote Access Service access are appropriate. | Security | Authentication
Verify that all accounts with Terminal Services access are appropriate. | Security | Authentication
Check for a high number of locked-out, disabled, or expired accounts. | Security | Authentication
Verify that upcoming certificate renewals are in the schedule. | Security | Certificate Maintenance
Verify that expiration dates for domain controller certificates have been set. | Security | Certificate Maintenance
Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials. | Security | Domain and Forest Trust Management

Page 3

Title | Health attribute | Health area
Confirm that Group Policy has not been misconfigured. | Security | Group Policy
Verify that share permissions are set appropriately. | Security | Share Permissions
Verify that shared folders are required. | Security | Shared Folders
Verify that NTFS file system permissions are set appropriately on all shared folders and content in shared folders. | Security | NTFS Permissions
Verify that all security settings available via Group Policy objects are managed centrally by policies. | Security | Group Policy
Verify that all user account passwords are configured to meet minimum length and complexity requirements. | Security | Authentication

Page 4

Title | Health attribute | Health area
Check the password policy for the Maximum Password Age setting. | Security | Authentication
Check the password policy for the Minimum Password Age setting. | Security | Authentication
Check the password policy for the Minimum Password Length setting. | Security | Authentication
Verify that the Account Lockout policy meets minimum organizational security policy requirements. | Security | Authentication
Review LanManager compatibility settings. | Security | Authentication
Review the LanManager authentication protocol hash storage settings. | Security | Authentication
Verify that all domain controllers are in the Domain Controllers organizational unit. | Security | Domain Controller Security
Check the replication provider. | Availability | Replication

Page 5

Title | Health attribute | Health area
Check the partner replication count. | Availability | Replication
Check replication latency. | Availability | Replication
Verify that the appropriate replication service is running. | Availability | Replication
Verify that the Kerberos Key Distribution Center service is running. | Availability | Replication
Test the availability of each domain controller. | Security | The System Volume share
Back up system state on each domain controller. | Continuity | Backup and Restore
Verify that critical volumes are backed up. | Continuity | Backup and Restore
Verify the full server backup. | Continuity | Backup and Restore
Verify the authoritative restore of Active Directory Domain Services. | Continuity | Backup and Restore

Page 6

Title | Health attribute | Health area
Verify the non-authoritative restore of Active Directory Domain Services. | Continuity | Backup and Restore
Check for changes in administrative authority. | Appropriate Use | Administrative Authority
Look for non-standard grants of Write access to Active Directory Domain Services (AD DS) and AD DS objects. | Appropriate Use | Administrative Authority
Check for dangerous or unnecessary services that are not disabled. | Appropriate Use | Domain Controller
Check for dormant user accounts. | Appropriate Use | User Accounts
Audit the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators. | Appropriate Use | Administrative Authority
Verify that user rights are assigned to groups, not users. | Appropriate Use | User Rights
Monitor each domain controller for general responsiveness. | Performance | Authentication Response Time

Page 7

Title | Health attribute | Health area
Monitor the responsiveness of Active Directory Domain Services to a Lightweight Directory Access Protocol request. | Performance | General Response
Measure the time required to perform a global catalog search. | Performance | Global Catalog Search Response
Verify that operations masters are responsive. | Performance | Operations Masters
Verify that the domain controller is advertising. | Performance | Domain Controller
Check for the latest service pack and security updates. | Patching | Updates and Configuration
Verify that the Windows Time service is running. | Integrity | Windows Time Service
Monitor database and log file size as well as the available free space on the associated disk volumes. | Availability | Active Directory Domain Services Database
Check the Active Directory Domain Services domain functional level. | Security | Active Directory Domain Services Functional Level

Page 8

Title | Health attribute | Health area
Check the Active Directory Domain Services forest functional level. | Security | Active Directory Domain Services Functional Level
Verify that all Domain Name System (DNS) service records are registered in DNS for each domain controller and appropriate service. | Availability | DNS SRV Records
Verify that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated. | Security | Anonymous Connections
Verify membership in the Pre-Windows Compatible Access group. | Security | Anonymous Connections
Ensure that no standard users can read key properties for administrative groups and users. | Security | Lightweight Directory Access Protocol Access to Active Directory Domain Services
Verify that Encrypting File System is not enabled for domain controllers. | Security | Encrypting File System
Verify that no user accounts have the Password Never Expires property configured. | Security | Authentication
Check for Windows Firewall rules. | Appropriate Use | Domain Controller

Page 9

Title | Health attribute | Health area
Check for changes in administrative authority for Group Policy management. | Security | Group Policy
Verify that audit policy settings are configured properly. | Security | Auditing
Verify that the name of the last user who logged on does not appear during logon. | Security | Authentication
Verify that the logon banner is displayed during logon. | Security | Authentication
Verify that Group Policy objects are backed up. | Continuity | Backup and Restore
Ensure that administrator-level accounts have dual accounts or use User Account Control. | Appropriate Use | Administrative Authority
Ensure that the crash dump file is configured to meet company requirements. | Continuity | Domain Controllers
Ensure that Domain Name System servers that support Active Directory Domain Services (AD DS) are all AD DS integrated. | Security | Domain Name System
Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers. | Appropriate Use | Dynamic Host Configuration Protocol

Page 10

Title | Health attribute | Health area
Ensure that all domain controllers are in the appropriate site based on IP address. | Continuity | Replication
Ensure that the design of the location of global catalog servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information in the global catalog. | Continuity | Global Catalog Location
Ensure that the design of the location of Domain Name System (DNS) servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on the DNS servers. | Continuity | Domain Name System Location
Ensure that the design of the location of domain controllers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on domain controllers. | Continuity | Domain Controller Location

Page 11

Health requirement | Monitoring task | Monitoring parameter | Frequency
Remote access | Verify that all accounts with Remote Access Service access are appropriate. | Remote Access Service account access is limited to those deemed appropriate per company policy. | Daily
Terminal Services/Remote Desktop | Verify that all accounts with Terminal Services access are appropriate. | Terminal Services account access is limited to those deemed appropriate per company policy. | Daily
Current accounts | Check for a high number of locked-out, disabled, or expired accounts. | No more than n number of anomalous accounts | Daily
Current certificates | Verify that upcoming certificate renewals are in the schedule. | Certificates are valid for one month past the current date. | Weekly
Current certificates | Verify that expiration dates for domain controller certificates have been set. | The expiration date is in the future. | Weekly
Secure trusting forest | Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials. | Security ID filtering on all trusts by default | Daily

Page 12

Health requirement | Monitoring task | Monitoring parameter | Frequency
Group Policy is working as expected. | Confirm that Group Policy has not been misconfigured. | No Override is disabled for all Active Directory Domain Services nodes (domain and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects. | Monthly
Shares are safe from unauthorized users. | Verify that share permissions are set appropriately. | The most restrictive permissions are applied. | Monthly
Limit the number of shared folders. | Verify that shared folders are required. | The list of shared folders should meet the minimum shared folders required for each server. | Monthly
NTFS file system permissions should protect shared folders and all content from unauthorized users. | Verify that NTFS file system permissions are set appropriately on all shared folders and content in shared folders. | The most restrictive permissions are applied. | Semi-annually
The server is configured to a standard security policy. | Verify that all security settings are managed centrally by policies. | All settings are confirmed. | Daily
Strong passwords | Verify that all user account passwords are configured to meet minimum length and complexity requirements. | Password length and complexity are established (specifics per company policy). | Monthly

Page 13

Health requirement | Monitoring task | Monitoring parameter | Frequency
Maximum password age | Check the password policy for the Maximum Password Age setting. | The Maximum Password Age is set between 30 and 120 days per organization policy. | Monthly
Minimum password age | Check the password policy for the Minimum Password Age setting. | The Minimum Password Age is set to a minimum of one day or per organization policy. | Monthly
Minimum password length | Check the password policy for the Minimum Password Length setting. | The Minimum Password Length is set to a minimum of 7–14 days or per organization policy. | Monthly
Account Lockout policy | Verify that the Account Lockout policy meets the minimum organization security policy requirements. | Account Lockout policy settings | Monthly
LanManager authentication protocol | Review LanManager compatibility settings. | LMCompatibilityLevel setting | Monthly
LanManager authentication protocol hash storage | Review the LanManager authentication protocol hash storage settings. | LanManager hash storage settings | Monthly
All domain controllers receive the same Group Policy objects. | Verify that all domain controllers are in the Domain Controllers organizational unit. | No domain controllers are outside the Domain Controllers organizational unit. | Monthly
Replication links between domain controllers and replication partners are healthy. | Check the replication provider. | ModifiedNumConsecutiveSyncFailures is <2 days old; TimeOfLastSyncSuccess is <14 days old | Weekly
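The password-policy, LanManager and Domain Controllers OU rows above can be checked from a domain controller with the script below, an added example that is not part of the workbook. It assumes the ActiveDirectory PowerShell module is available, takes the workbook's thresholds as defaults (the 7–14 value is read as characters), and uses an assumed LmCompatibilityLevel floor of 3 because the workbook names the setting without giving a value.

```powershell
# Added example, not from the workbook. Run on a domain controller: the registry
# checks read the local LSA key; the rest uses the ActiveDirectory module
# (Windows Server 2008 R2 and later).
Import-Module ActiveDirectory

function Test-WorkbookDomainPolicy {
    param(
        [int]$MaxAgeLowDays  = 30,   # workbook: Maximum Password Age 30 to 120 days
        [int]$MaxAgeHighDays = 120,
        [int]$MinAgeDays     = 1,    # workbook: Minimum Password Age at least one day
        [int]$MinLength      = 7,    # workbook: 7-14, read here as characters
        [int]$MinLmCompatibilityLevel = 3   # assumed floor; the workbook only names the setting
    )
    $findings = @()

    # Domain password and lockout policy as applied to the domain.
    $policy = Get-ADDefaultDomainPasswordPolicy
    $maxAge = $policy.MaxPasswordAge.TotalDays
    if ($maxAge -lt $MaxAgeLowDays -or $maxAge -gt $MaxAgeHighDays) {
        $findings += "MaxPasswordAge is $maxAge days; expected $MaxAgeLowDays to $MaxAgeHighDays"
    }
    $minAge = $policy.MinPasswordAge.TotalDays
    if ($minAge -lt $MinAgeDays) {
        $findings += "MinPasswordAge is $minAge days; expected at least $MinAgeDays"
    }
    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); expected at least $MinLength"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += "Password complexity is not enabled"
    }
    if ($policy.LockoutThreshold -eq 0) {
        $findings += "Account lockout threshold is 0 (lockout disabled)"
    }

    # LanManager settings on this domain controller. A missing value means the
    # operating-system default applies, so it is reported for review rather than judged.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($null -eq $lsa.LmCompatibilityLevel) {
        $findings += "LmCompatibilityLevel is not set explicitly (OS default in effect)"
    } elseif ($lsa.LmCompatibilityLevel -lt $MinLmCompatibilityLevel) {
        $findings += "LmCompatibilityLevel is $($lsa.LmCompatibilityLevel); expected at least $MinLmCompatibilityLevel"
    }
    if ($lsa.NoLMHash -ne 1) {
        $findings += "NoLMHash is not set to 1; LanManager hashes may still be stored"
    }

    # Every domain controller should sit in the Domain Controllers OU so that all
    # of them receive the same Group Policy objects.
    $dcOu = (Get-ADDomain).DomainControllersContainer
    foreach ($dc in Get-ADDomainController -Filter *) {
        if ($dc.ComputerObjectDN -notlike "*,$dcOu") {
            $findings += "$($dc.HostName) is outside the Domain Controllers OU: $($dc.ComputerObjectDN)"
        }
    }

    # An empty result means every checked parameter is within the workbook's limits.
    return $findings
}

Test-WorkbookDomainPolicy
```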

Page 14

Health requirement | Monitoring task | Monitoring parameter | Frequency
Domain controllers within a forest are able to replicate with each other. | Check the partner replication count. | The domain controller always has at least one outbound connection; the domain controller has at least one connection to another site; the domain controller does not have more than a specified number of connections. | Daily
Changes are properly replicated across the forest. | Check replication latency. | Convergence latency is within the desired maximum determined time. | Daily
Changes are properly replicated across the forest. | Verify that the appropriate replication service is running. | NT File Replication Service and/or Distributed File System Replication is running. | Daily
Updated domain controllers | Verify that the Kerberos Key Distribution Center service is running. | The Kerberos Key Distribution Center service is running. | Daily
The System Volume share is accessible on every domain controller. | Test the availability of each domain controller. | The System Volume share can be accessed on each domain controller from across the network. | Daily
Domain controller backup | Back up system state on each domain controller. | System state has been backed up within the past 24 hours. | Daily
Critical volumes are backed up. | Verify that critical volumes are backed up. | Completed | Daily
The server is backed up. | Verify the full server backup. | Completed | Weekly
Active Directory Domain Services is authoritatively restored. | Verify the authoritative restore of Active Directory Domain Services. | Completed | Every three backups

Page 15

Health requirement | Monitoring task | Monitoring parameter | Frequency
Active Directory Domain Services is non-authoritatively restored. | Verify the non-authoritative restore of Active Directory Domain Services. | Completed | Every three backups
Appropriately assigned authority | Check for changes in administrative authority. | No change | Daily
Appropriately assigned authority | Look for non-standard grants of Write access. | No change | Daily
Domain controllers are free of dangerous services. | Check for dangerous or unnecessary services that are not disabled. | Dangerous or unnecessary services are disabled. | Daily
The network is free of unauthorized users. | Check for dormant user accounts. | User accounts are disabled when a personnel change is entered in the Human Resources system. | Daily
Appropriately assigned authority | Audit the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators. | Apply least privilege. | Daily
Appropriately assigned authority | Verify that user rights are not assigned to users. | Only administrators should have user rights assigned. | Monthly
Expected response time | Monitor each domain controller for responsiveness. | Less than one second | Daily

Page 16

Health requirement | Monitoring task | Monitoring parameter | Frequency
Active Directory Domain Services is responsive. | Monitor the responsiveness of Active Directory Domain Services to a Lightweight Directory Access Protocol request. | Less than one second | Daily
The Active Directory Domain Services global catalog is responsive. | Measure the time required to perform a global catalog search. | Response time is <5 seconds. | Daily
Operations masters are responsive. | Verify that operations masters are responsive. | Operations masters are available. | Every five minutes
The domain controller is advertising. | Verify that the domain controller is advertising. | The domain controller locator is working. | Daily
The system is up to date with the latest service pack and security updates. | Check for the latest service pack and security updates. | Completed | Daily
Domain controllers on the network are in time synchronization with each other. | Verify that the Windows Time service is running. | The primary domain controller is syncing with a valid external time source; MaxPosPhaseCorrection and MaxNegPhaseCorrection should not be <48 hours but >1 hour. | Daily
Adequate free space in database | Monitor database and log file size as well as available free space on the associated disk volumes. | At least 20% of the current database is available. | Every 15 minutes
Ensure that the functional level of the domain is at the highest level possible. | Check the Active Directory Domain Services domain functional level. | Existing domain functional level | Once

Page 17

Health requirement | Monitoring task | Monitoring parameter | Frequency
Ensure that the functional level of the forest is at the highest level possible. | Check the Active Directory Domain Services forest functional level. | Existing forest functional level | Once
Domain controller services are available. | Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service. | The Domain Name System service records exist. | Daily
Deny anonymous access. | Verify that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated. | Check anonymous connection parameters. | Monthly
Deny anonymous access. | Verify membership in the Pre-Windows Compatible Access group. | Verify membership in the Pre-Windows Compatible Access group. | Monthly
Deny Read access to key security groups and users for standard users. | Ensure that no standard users can read key properties for administrative groups and users. | Verify Lightweight Directory Access Protocol access to Active Directory Domain Services. | Monthly
Ensure that Encrypting File System is disabled for domain controllers. | Verify that Encrypting File System is not enabled for domain controllers. | Check whether files can be encrypted. | Monthly
Ensure that user account passwords expire. | Verify that no user accounts have the Password Never Expires property configured. | Check all user accounts for the Password Never Expires property configuration. | Monthly
Domain controllers are free of dangerous network access. | Check for Windows Firewall rules. | Dangerous or unnecessary network access protocols/applications are denied. | Daily
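The administrative-authority, dormant-account and Password Never Expires rows (pages 15 and 17) can be automated with the script below, an added example that is not part of the workbook. It assumes the ActiveDirectory PowerShell module, keeps a JSON snapshot of privileged-group membership as the "No change" baseline (the snapshot path and the 90-day dormancy window are assumed values), and uses the built-in group name DnsAdmins for what the workbook calls DNS Admins.

```powershell
# Added example, not from the workbook. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-WorkbookAccountFindings {
    param(
        # Groups the workbook lists as granting administrative privileges. "DNS Admins"
        # is the built-in DnsAdmins group; "DHCP Admins" is not a default domain group
        # and is reported as missing when it does not exist.
        [string[]]$PrivilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'DnsAdmins', 'DHCP Admins',
                                        'Server Operators', 'Account Operators'),
        [string]$BaselinePath = 'C:\Audit\privileged-groups.json',   # assumed location
        [int]$DormantDays = 90                                         # assumed window
    )
    $findings = @()

    # 1. Administrative authority: compare recursive membership with the last snapshot.
    $current = @{}
    foreach ($name in $PrivilegedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { $findings += "Group '$name' not found in this domain (skipped)"; continue }
        $current[$name] = @(Get-ADGroupMember -Identity $group -Recursive |
                            Select-Object -ExpandProperty SamAccountName | Sort-Object)
    }
    if (Test-Path -Path $BaselinePath) {
        $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
        foreach ($name in $current.Keys) {
            $old = @(@($baseline.$name) | Where-Object { $_ })
            foreach ($m in $current[$name]) {
                if ($old -notcontains $m) { $findings += "$m was added to $name" }
            }
            foreach ($m in $old) {
                if ($current[$name] -notcontains $m) { $findings += "$m was removed from $name" }
            }
        }
    } else {
        # First run: record the approved state that later runs are compared against.
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        $findings += "No baseline existed; snapshot written to $BaselinePath"
    }

    # 2. Passwords must expire: enabled users with Password Never Expires set.
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' |
        ForEach-Object { $findings += "$($_.SamAccountName) has Password Never Expires set" }

    # 3. Dormant accounts: enabled users with no logon inside the window. This relies
    # on lastLogonTimestamp, which replicates with a delay of up to 14 days, so the
    # window should be wider than that.
    Search-ADAccount -AccountInactive -UsersOnly -TimeSpan ([TimeSpan]::FromDays($DormantDays)) |
        Where-Object { $_.Enabled } |
        ForEach-Object { $findings += "$($_.SamAccountName) has not logged on in $DormantDays days" }

    return $findings
}

Get-WorkbookAccountFindings
```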

Page 18

Health requirement | Monitoring task | Monitoring parameter | Frequency
Appropriately assigned authority | Check for changes in administrative authority for Group Policy management. | Group Policy Management Console delegation is set correctly. | Daily
Appropriately assigned audit policy | Verify that audit policy settings are configured properly. | Check audit policy settings for success and/or failure. | Daily
Restrict access to user names. | Verify that the name of the last user who logged on does not appear during logon. | Check whether the last user name is displayed at logon. | Daily
Display the company logon banner. | Verify that the logon banner is displayed during logon. | Verify that the logon banner is displayed at logon. | Daily
Group Policy objects are backed up. | Verify that Group Policy objects are backed up. | Completed | Daily
Appropriate logon access privilege level | Ensure that administrator-level accounts have dual accounts or use User Account Control. | Require least-privilege access for administrators. | Daily
Configure the crash dump file. | Ensure that the crash dump file is configured to meet company requirements. | Verify crash dump settings. | Daily
Active Directory–integrated Domain Name System | Ensure that Domain Name System servers that support Active Directory Domain Services (AD DS) are all AD DS integrated. | Verify the configuration and location of Domain Name System. | Monthly
Dynamic Host Configuration Protocol services are running on domain controllers. | Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers. | Verify membership in the DNSUpdateProxy group. | Monthly

Page 19

Health requirement | Monitoring task | Monitoring parameter | Frequency
Site configuration | Ensure that all domain controllers are in the appropriate site based on IP address. | Verify domain controller locations in sites. | Monthly
Global catalog servers must be available. | Ensure that the design of the location of global catalog servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information in the global catalog. | Verify the number of global catalog servers in each physical location. | Monthly
Domain Name System servers must be available. | Ensure that the design of the location of Domain Name System (DNS) servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on the DNS servers. | Verify the number of Domain Name System servers in each physical location. | Monthly
Domain controllers must be available. | Ensure that the design of the location of domain controllers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on domain controllers. | Verify the number of domain controllers in each physical location. | Monthly

Page 20

Owner | Manual | Automation

Operator

Perfmon

Operator Perfmon

Operator

Lockoutstatus.exe

Operator

Operator

Operator Firewall logs

Verify under Permissions for Remote Access Service (RAS) and Internet Authentication Service servers in the Active Directory Servers and Computers snap-in.

Microsoft System Center Operations Manager can audit Remote Access Service access.

Verify group membership for RAS access.

Verify under the User account properties and the Remote Desktop group and that the Terminal Server has the correct user right for Allow Logon Through Terminal Services configured.

Verify group membership for Remote Access Service access.

Verify that the Account Lockout Duration policy setting in Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy matches the policy.

Microsoft System Center Operations Manager can audit for anomalous accounts.

Active Directory Users and Computers saved queries

Use the Certificate Request Wizard in the Microsoft Management Console Certificates snap-in.

Use Microsoft Certificate Lifecycle Manager 2007 or Microsoft Forefront Identity Manager 2010.

Use the Certificate Request Wizard in the Microsoft Management Console Certificates snap-in.

Use Microsoft Certificate Lifecycle Manager 2007

Certificate Authority Monitor and Microsoft System Center Operations Manager

Automate this process by using Desired Configuration Management Packs or by analyzing the results of Gpresult.

Page 21

Operator

Netmon

Operator

GPOTool.exe

Operator Windows PowerShell scripts

Operator Computer Management Script to enumerate shares

Operator

Operator

Operator

Automate this process by using Desired Configuration Management Packs or by analyzing the results of Gpresult.

Check Group Policy settings in the Group Policy Management Console.

Use Windows PowerShell scripts in the Windows Server 2008 R2 and Windows 7 release of the Group Policy management tools. If possible, install and use Microsoft Advanced Group Policy Management.

Use Computer Management or Server Manager to verify.

Review of access control lists on the Security tab.

Access control lists (ACLs) in a script; Group Policy object to establish ACLs

Use Gpresult to confirm security settings.

Automated by using Desired Configuration Management Packs or by analyzing the results of Gpresult.

Verify Group Policy password settings using Secpol.msc on a domain controller.

Audit the Group Policy password policy with Microsoft System Center Operations Manager.

Page 22

Operator Secpol.msc on a domain controller

Operator Secpol.msc on a domain controller

Operator Secpol.msc on a domain controller

Operator Secpol.msc

Operator Secpol.msc

Operator Secpol.msc

Operator Active Directory Users and Computers Script

Dsquery

Operator

Microsoft System Center Operations Manager audits the Group Policy password policy.

Microsoft System Center Operations Manager

Microsoft System Center Operations Manager

Microsoft System Center Operations Manager

Microsoft System Center Operations Manager

Microsoft System Center Operations Manager

Monitor the event logs for event ID 13508 and event ID 13509, which may point to File Replication Service replication issues. Also, use Repadmin /showrepl to find replication partners and issues.

Page 23

Operator Use Repadmin.

Operator Use Repadmin.

Operator Windows PowerShell script

Operator Windows PowerShell script

Operator

Operator Verify backup logs.

Verify backup logs.

Verify backup logs.

NTdsutil.exe

Use Computer Management or Server Manager.

Use Computer Management or Server Manager.

Ping command

Configure auditing and verify using Event Viewer.

Configure auditing and verify using Event Viewer.

Backup operator

Configure auditing and verify using Event Viewer.

Configure auditing and verify using Event Viewer.

Configure auditing and verify using Event Viewer.

Backup operator

Page 24

NTdsutil.exe

Operator

Operator

Operator Windows PowerShell script

Operator Windows PowerShell script

Operator Windows PowerShell script

Active Directory Users and Computers Event Viewer

Operator Secpol.msc

Operator

Backup operator

Active Directory Domain Services delegation of authority, Dsacls.exe

Configure auditing and verify using Event Viewer.

Active Directory Domain Services delegation of authority, Dsacls.exe

Configure auditing and verify using Event Viewer.

Use Computer Management or Server Manager.

Custom Lightweight Directory Access Protocol query, saved query using Active Directory Users and Computers.

Custom Lightweight Directory Access Protocol query

Ping command Microsoft System Center Operations Manager

Page 25

Operator

Operator

Operator

Operator

Operator

Operator Windows PowerShell script

Operator System Monitor

Operator Active Directory Users and Computers Windows PowerShell script

Microsoft System Center Operations Manager

Microsoft System Center Operations Manager

Windows Server Update Services, Microsoft Baseline Security Analyzer

Microsoft System Center Configuration Manager

Verify these registry settings using the Registry Editor.

Use Computer Management or Server Manager.

Microsoft System Center Operations Manager

Page 26

Operator Active Directory Domains and Trusts Windows PowerShell script

Operator

Operator Secpol.msc Windows PowerShell script

Operator Secpol.msc Windows PowerShell script

Operator Dsacls.exe

Operator

Operator

Operator Server Manager

DNS Admin tool, Nslookup, Dnscmd.exe

Group Policy object report of the Default Domain policy through Group Policy Management Console, Secpol.msc

Active Directory Users and Computers user properties, saved queries, custom Lightweight Directory Access Protocol query

Page 27

Operator

Operator Secpol.msc Windows PowerShell script

Operator Windows PowerShell script

Operator Windows PowerShell script

Operator Secpol.msc Windows PowerShell script

Operator System properties Drwtsn32

Operator DNS Admin tool, Dnscmd.exe

Operator Active Directory Users and Computers

Group Policy Management Console Delegation tab, Advanced Group Policy Management

Secpol.msc, manual check after pressing CTRL+ALT+DEL

Secpol.msc, manual check after pressing CTRL+ALT+DEL

Backup operator

Group Policy Management Console, Event Viewer operational log for Group Policy

Scheduled Task using Group Policy Management Console scripts

Page 28: Reliability Workbook for Active Directory Domain Services

Operator Dsquery.exe

Operator

Operator DNS Admin tool

Operator

Page 29: Reliability Workbook for Active Directory Domain Services

Notes

Consult the Microsoft Identity and Access Management Series Solution Accelerator.

Page 30: Reliability Workbook for Active Directory Domain Services

Look for global settings here, not detailed settings within Group Policy Management Console. This is only to make sure that Group Policy object application is not affected incorrectly.

Verify that share permissions set are not too weak. NTFS file system permissions should control access, not share permissions.

Make sure that any shares created are really needed.

Page 31: Reliability Workbook for Active Directory Domain Services

Ensure that all legacy LanManager protocols are removed and disabled.

Ensure that all legacy LanManager protocols are removed and disabled.

Ensure that replication between domain controllers is configured and available.

Page 32: Reliability Workbook for Active Directory Domain Services

Make sure that all domain controllers can replicate to other domain controllers, that none is orphaned, and that the topology is efficient.

Make sure the domain controllers are online and that the System Volume share is working.

Page 33: Reliability Workbook for Active Directory Domain Services

Confirm for each domain controller.

Make sure that the key domain groups that have admin authority are not modified incorrectly.

Make sure delegation was not granted to update (write) to Active Directory Domain Services objects incorrectly.

User rights should be assigned to groups, not to users. If a right is assigned to a user, it is difficult to revoke when that user no longer needs it.
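The two delegation notes above (administrative groups not modified incorrectly; no incorrect grants of write access to Active Directory Domain Services objects) can be checked together by walking the DACLs of the domain head, every organizational unit, and AdminSDHolder. The following is an added example, not a tool from the workbook: it assumes the ActiveDirectory PowerShell module (RSAT), an account that can read the DACLs, and it treats the principals in `$StandardPrincipals` as the baseline holders of write access, which is an assumption to tune to your own delegation model.

```powershell
# Added example (not part of the workbook): report explicit write-class permissions on AD DS
# containers granted to principals outside the standard administrative set.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain

# Assumption: these principals hold write access by design. Extend the list with the groups your
# delegation model uses; every other principal that can write is reported.
$StandardPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'CREATOR OWNER', 'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Key Admins",
    "$($forestRoot.NetBIOSName)\Enterprise Admins", "$($forestRoot.NetBIOSName)\Enterprise Key Admins"
)

# Any of these rights lets the holder change the object, its children, or its security descriptor.
$WriteRights = [System.DirectoryServices.ActiveDirectoryRights] 'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree, ExtendedRight'

# Extended rights on the domain head that permit directory replication (the rights that
# DCSync-style credential theft relies on); reported even for principals in the standard set.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-NonStandardWriteGrants {
    param([string[]] $Standard = $StandardPrincipals)

    # Domain head and every OU, plus AdminSDHolder: its DACL is stamped onto protected accounts
    # and groups, so a write grant there spreads to every privileged account.
    $targets  = @(Get-ADObject -LDAPFilter '(|(objectClass=domainDNS)(objectClass=organizationalUnit))' -SearchBase $domain.DistinguishedName)
    $targets += Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

    foreach ($obj in $targets) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IsInherited) { continue }                                 # report where the grant was made, not where it landed
            if (($ace.ActiveDirectoryRights -band $WriteRights) -eq 0) { continue }
            $who       = $ace.IdentityReference.Value
            $replRight = $ReplicationRights[$ace.ObjectType.ToString()]
            if (($who -in $Standard) -and -not $replRight) { continue }
            $objectType = if ($replRight) { $replRight } else { $ace.ObjectType.ToString() }
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Identity   = $who
                Rights     = $ace.ActiveDirectoryRights.ToString()
                ObjectType = $objectType      # all-zero GUID = the whole object; otherwise a property set, attribute or extended right
                Inherit    = $ace.InheritanceType.ToString()
            }
        }
    }
}

Get-NonStandardWriteGrants | Sort-Object Object, Identity | Format-Table -AutoSize -Wrap
```

Run it from a domain controller or an RSAT workstation; the first run establishes the baseline of expected grants, after which any new line in the output is a change to investigate. Distinguished names containing characters such as `/` need escaping before use in the `AD:\` path.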

Page 35: Reliability Workbook for Active Directory Domain Services

This can possibly grant anonymous access.

Page 36: Reliability Workbook for Active Directory Domain Services

This provides the highest level of Domain Name System security in Active Directory Domain Services.

Page 38: Reliability Workbook for Active Directory Domain Services

Maintenance Activities

Columns: Title, Health attribute, Health area

Security Authentication

Security Authentication

Remove locked-out, disabled, or expired accounts. Security Authentication

Security

Ensure that certificates are renewed. Security

Security

Security Group Policy

Review the Remote Access Service account access policy, and update it to meet security policies.

Review User account properties, and update the Remote Desktop group to meet security policies.

Review the Active Directory Domain Services Expiration Dates policy.

Certificate Maintenance

Certificate Maintenance

Deny network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.

Domain and Forest Trust Management

No Override is disabled for all Active Directory Domain Services nodes (domains and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects.
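The account tasks above (remove locked-out, disabled or expired accounts; review expiration dates) are the kind of work the workbook's overview says should be automated. The script below is an added example, not part of the workbook; it assumes the ActiveDirectory module and an account permitted to read and modify user objects, and the quarantine OU name is a placeholder.

```powershell
# Added example (not part of the workbook). Assumes the ActiveDirectory module (RSAT) and an
# account allowed to read and, for the cleanup function, modify user objects.
Import-Module ActiveDirectory

function Get-AccountHygieneReport {
    param([int] $InactiveDays = 90)
    # Search-ADAccount -AccountInactive evaluates lastLogonTimestamp, which replicates only every
    # 9 to 14 days, so the inactivity threshold must be well above that window.
    $span = New-TimeSpan -Days $InactiveDays
    $sets = [ordered]@{
        LockedOut            = Search-ADAccount -UsersOnly -LockedOut
        Disabled             = Search-ADAccount -UsersOnly -AccountDisabled
        Expired              = Search-ADAccount -UsersOnly -AccountExpired
        Inactive             = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $span | Where-Object { $_.Enabled }
        PasswordNeverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true'
    }
    foreach ($category in $sets.Keys) {
        foreach ($acct in @($sets[$category])) {
            [pscustomobject]@{
                Category          = $category
                SamAccountName    = $acct.SamAccountName
                DistinguishedName = $acct.DistinguishedName
            }
        }
    }
}

function Invoke-AccountCleanup {
    # Quarantine rather than delete: a disabled account in a holding OU can be restored in seconds
    # if a "dormant" account turns out to be a rarely used but legitimate one.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Finding,
        [string] $QuarantineOU                     # assumed OU, e.g. 'OU=Quarantine,DC=corp,DC=example'
    )
    process {
        $id = $Finding.DistinguishedName
        switch ($Finding.Category) {
            'PasswordNeverExpires' {
                if ($PSCmdlet.ShouldProcess($Finding.SamAccountName, 'Clear PasswordNeverExpires')) {
                    Set-ADUser -Identity $id -PasswordNeverExpires $false
                }
            }
            { $_ -in 'Inactive', 'Expired' } {
                if ($PSCmdlet.ShouldProcess($Finding.SamAccountName, 'Disable and move to quarantine OU')) {
                    Disable-ADAccount -Identity $id
                    if ($QuarantineOU) { Move-ADObject -Identity $id -TargetPath $QuarantineOU }
                }
            }
            'LockedOut' {
                # A lockout is a signal (mistyped password, stale credential on a device, or password
                # spraying), not something to remove; leave it for investigation.
                Write-Verbose "Locked out, investigate before acting: $($Finding.SamAccountName)"
            }
        }
    }
}

# Review the list first; rerun without -WhatIf once it has been checked.
Get-AccountHygieneReport | Invoke-AccountCleanup -QuarantineOU 'OU=Quarantine,DC=corp,DC=example' -WhatIf
```

Already-disabled accounts are reported but left alone, because how long they are retained before deletion is a retention decision the workbook leaves to the organization.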

Page 39: Reliability Workbook for Active Directory Domain Services

Security Share Permissions

Remove shared folders that are no longer required. Security Shared Folders

Security

Security Group Policy

Security Authentication

Security Authentication

Security Authentication

Ensure that the most restrictive permissions are applied.

Verify and ensure that NTFS file system permissions are set appropriately on all shared folders and content in shared folders.

NTFS File System Permissions

Change any security settings not set to the standard security policy.

Review the password policy for password length and complexity settings, and ensure that the policy matches company security requirements.

Review the password policy for the Maximum Password Age setting, and ensure that the setting matches organizational security requirements.

Review the password policy for the Minimum Password Age setting, and ensure that the setting matches organizational security requirements.
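The password policy reviews above (length and complexity, maximum and minimum age, and the Minimum Password Length and Account Lockout items that follow) reduce to comparing the domain policy with an organizational baseline. The script below is an added example, not from the workbook; the baseline numbers are placeholders for the organization's own requirements, and it assumes the ActiveDirectory module.

```powershell
# Added example (not part of the workbook). The baseline values are placeholders for the
# organization's own requirements; the checks read the domain policy with the ActiveDirectory module.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength         = 14
    ComplexityEnabled         = $true
    MaxPasswordAgeDays        = 365     # upper bound; 0 in AD DS means passwords never expire
    MinPasswordAgeDays        = 1
    PasswordHistoryCount      = 24
    LockoutThreshold          = 10      # upper bound; 0 disables lockout entirely
    LockoutDurationMinutes    = 15      # lower bound; 0 means "until an administrator unlocks", which is stricter
    LockoutObservationMinutes = 15
}

function Test-PasswordPolicyBaseline {
    param([hashtable] $Baseline, [string] $Domain = (Get-ADDomain).DNSRoot)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $checks = @(
        [ordered]@{ Setting = 'MinPasswordLength';             Observed = $p.MinPasswordLength;                    Required = ">= $($Baseline.MinPasswordLength)";          Pass = $p.MinPasswordLength -ge $Baseline.MinPasswordLength }
        [ordered]@{ Setting = 'ComplexityEnabled';             Observed = $p.ComplexityEnabled;                    Required = "$($Baseline.ComplexityEnabled)";             Pass = $p.ComplexityEnabled -eq $Baseline.ComplexityEnabled }
        [ordered]@{ Setting = 'MaxPasswordAge (days)';         Observed = $p.MaxPasswordAge.Days;                  Required = "1..$($Baseline.MaxPasswordAgeDays)";         Pass = ($p.MaxPasswordAge.Days -ge 1) -and ($p.MaxPasswordAge.Days -le $Baseline.MaxPasswordAgeDays) }
        [ordered]@{ Setting = 'MinPasswordAge (days)';         Observed = $p.MinPasswordAge.Days;                  Required = ">= $($Baseline.MinPasswordAgeDays)";         Pass = $p.MinPasswordAge.Days -ge $Baseline.MinPasswordAgeDays }
        [ordered]@{ Setting = 'PasswordHistoryCount';          Observed = $p.PasswordHistoryCount;                 Required = ">= $($Baseline.PasswordHistoryCount)";       Pass = $p.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount }
        [ordered]@{ Setting = 'LockoutThreshold';              Observed = $p.LockoutThreshold;                     Required = "1..$($Baseline.LockoutThreshold)";           Pass = ($p.LockoutThreshold -ge 1) -and ($p.LockoutThreshold -le $Baseline.LockoutThreshold) }
        [ordered]@{ Setting = 'LockoutDuration (min)';         Observed = $p.LockoutDuration.TotalMinutes;         Required = "0 or >= $($Baseline.LockoutDurationMinutes)"; Pass = ($p.LockoutDuration.TotalMinutes -eq 0) -or ($p.LockoutDuration.TotalMinutes -ge $Baseline.LockoutDurationMinutes) }
        [ordered]@{ Setting = 'LockoutObservationWindow (min)'; Observed = $p.LockoutObservationWindow.TotalMinutes; Required = ">= $($Baseline.LockoutObservationMinutes)"; Pass = $p.LockoutObservationWindow.TotalMinutes -ge $Baseline.LockoutObservationMinutes }
        [ordered]@{ Setting = 'ReversibleEncryptionEnabled';   Observed = $p.ReversibleEncryptionEnabled;          Required = 'False';                                      Pass = -not $p.ReversibleEncryptionEnabled }
    )
    foreach ($c in $checks) { [pscustomobject] $c }
}

function Get-FineGrainedPolicyOverrides {
    # Fine-grained password policies (PSOs) override the domain policy for the users and groups
    # they apply to; a strong domain policy says nothing about accounts covered by a weak PSO.
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        [pscustomobject]@{
            PSO                = $_.Name
            Precedence         = $_.Precedence
            MinPasswordLength  = $_.MinPasswordLength
            MaxPasswordAgeDays = $_.MaxPasswordAge.Days
            LockoutThreshold   = $_.LockoutThreshold
            AppliesTo          = ($_.AppliesTo -join '; ')
        }
    }
}

Test-PasswordPolicyBaseline -Baseline $Baseline | Format-Table -AutoSize
Get-FineGrainedPolicyOverrides | Format-Table -AutoSize
```

The second function matters because the monthly review in the workbook is of the Default Domain Policy; any PSO with a lower precedence value than the one you expect, or applied to a broader group than intended, quietly replaces that policy for its targets.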

Page 40: Reliability Workbook for Active Directory Domain Services

Security Authentication

Security Authentication

Security Authentication

Security Authentication

Review the certificate renewal policy. Security

Security

Availability Replication

Review the password policy for the Minimum Password Length setting, and ensure that the setting matches organizational security requirements.

Review the Account Lockout policy, and ensure that it meets minimum organizational security policy requirements.

Review LanManager compatibility settings, and ensure that they meet minimum organizational security policy requirements.

Review LanManager authentication protocol hash storage settings, and ensure that they meet minimum organizational security policy requirements.

Certificate Maintenance

Ensure that all domain controllers are in the Domain Controllers organizational unit.

Domain Controller Security

Restore replication links between domain controllers and replication partners.

Page 41: Reliability Workbook for Active Directory Domain Services

Availability Replication

Availability Replication

Availability Replication

Availability Replication

Schedule tests on each domain controller. Availability Sysvol Share

Schedule a backup. Continuity Backup and Restore

Schedule a backup. Continuity Backup and Restore

Schedule a backup. Continuity Backup and Restore

Continuity Backup and Restore

Continuity Backup and Restore

Remove excess replication connections between domain controllers in different sites.

Verify that the replication intervals of site links between domain controllers in different sites meet company requirements.

Restart the appropriate replication service, if required.

Restart the Kerberos Key Distribution Center service, if required.

Schedule an authoritative restore of Active Directory Domain Services.

Ensure that a test restoration is scheduled and verified.
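The replication tasks above (restore replication links, remove excess connections, verify site-link intervals, restart services if required) and the System Volume share check are easiest to drive from a single report of every domain controller's inbound partners. The script below is an added example, not from the workbook: it assumes the ActiveDirectory module from Windows Server 2012 or later RSAT, whose replication cmdlets expose the same data as the Repadmin tool the workbook lists; on older hosts `repadmin /replsummary` and `repadmin /showrepl` give the same answers.

```powershell
# Added example (not part of the workbook): forest-wide replication and SYSVOL availability check.
# Assumes the ActiveDirectory module of Windows Server 2012 / RSAT or later.
Import-Module ActiveDirectory

function Get-ReplicationHealthReport {
    param([int] $MaxHoursSinceSuccess = 24)
    $cutoff = (Get-Date).AddHours(-$MaxHoursSinceSuccess)
    foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object Site, HostName)) {
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Inbound -ErrorAction SilentlyContinue
        if (-not $partners) {
            # Unreachable, or no inbound connection objects at all: an orphaned DC either way.
            [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Partner = $null; Partition = $null; LastSuccess = $null; Failures = $null; Status = 'NO INBOUND PARTNERS OR UNREACHABLE' }
            continue
        }
        foreach ($p in $partners) {
            $status = 'ok'
            if ($p.ConsecutiveReplicationFailures -gt 0) {
                $status = "FAILING ($($p.ConsecutiveReplicationFailures) in a row, last result $($p.LastReplicationResult))"
            }
            elseif ($p.LastReplicationSuccess -lt $cutoff) {
                $status = "STALE (no success since $($p.LastReplicationSuccess))"
            }
            [pscustomobject]@{
                DC          = $dc.HostName
                Site        = $dc.Site
                Partner     = ($p.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1')   # NTDS Settings DN -> server name
                Partition   = $p.Partition
                LastSuccess = $p.LastReplicationSuccess
                Failures    = $p.ConsecutiveReplicationFailures
                Status      = $status
            }
        }
    }
}

function Test-SysvolShares {
    # Group Policy and logon scripts are served from these two shares on every DC.
    foreach ($dc in Get-ADDomainController -Filter *) {
        foreach ($share in 'SYSVOL', 'NETLOGON') {
            $path = "\\$($dc.HostName)\$share"
            [pscustomobject]@{ DC = $dc.HostName; Share = $share; Reachable = (Test-Path -Path $path) }
        }
    }
}

# Forest-wide summary of partner pairs with recorded failures, then the per-DC detail and share check.
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
Get-ReplicationHealthReport | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize -Wrap
Test-SysvolShares | Where-Object { -not $_.Reachable }
```

A DC that reports no inbound partners, or whose last success is older than the tombstone lifetime, should not simply be restarted into replication: a DC that has been isolated that long must be demoted and re-promoted rather than allowed to reintroduce lingering objects.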

Page 42: Reliability Workbook for Active Directory Domain Services

Continuity Backup and Restore

Schedule a test for a non-authoritative restore. Continuity Backup and Restore

Schedule a test for an authoritative restore. Continuity Backup and Restore

Appropriate use

Remove non-standard grants of Write access. Appropriate use

Appropriate use Domain Controller

Remove dormant user accounts. Appropriate use User Accounts

Appropriate Use

Remove user rights where they are assigned to users. Appropriate Use User Rights

Schedule a non-authoritative restore of Active Directory Domain Services.

Remove inappropriately assigned administrative authority.

Administrative Authority

Administrative Authority

Remove dangerous or unnecessary services that are not disabled.

Ensure that the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators—meets least-privilege requirements.

Administrative Authority
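The least-privilege review of the administrative groups listed above benefits from resolving nested membership in one query rather than opening each group in Active Directory Users and Computers. The script below is an added example, not from the workbook; it assumes the ActiveDirectory module, and the 90-day staleness threshold is a placeholder.

```powershell
# Added example (not part of the workbook): enumerate the effective membership of the
# administrative groups named in the workbook and flag members that fail a least-privilege review.
Import-Module ActiveDirectory

# DnsAdmins and DHCP Administrators exist only where those roles are installed; missing groups are skipped.
$PrivilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'DnsAdmins',
    'DHCP Administrators', 'Server Operators', 'Account Operators', 'Backup Operators'
)

function Get-PrivilegedMembershipReport {
    param([string[]] $GroupNames = $PrivilegedGroups, [int] $StaleDays = 90)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($name in $GroupNames) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the server, so a principal that is
        # a member through any chain of groups is returned once. Escape ( ) \ * in the DN if present.
        $filter  = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
        $members = @(Get-ADObject -LDAPFilter $filter -Properties sAMAccountName)
        # memberOf does not record primary-group membership; a user whose primaryGroupID is this
        # group's RID is a member that the chain query cannot see.
        $rid      = ($group.SID.Value -split '-')[-1]
        $members += @(Get-ADUser -Filter "primaryGroupID -eq $rid")

        foreach ($m in $members) {
            $finding = ''; $enabled = $null; $lastLogon = $null
            switch ($m.ObjectClass) {
                'user' {
                    $u = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, LastLogonDate, PasswordNeverExpires
                    $enabled = $u.Enabled; $lastLogon = $u.LastLogonDate
                    if (-not $u.Enabled)                                         { $finding = 'disabled account still holds membership' }
                    elseif (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) { $finding = "no logon in $StaleDays days" }
                    elseif ($u.PasswordNeverExpires)                             { $finding = 'password never expires' }
                }
                'computer'                 { $finding = 'computer account in an administrative group' }
                'foreignSecurityPrincipal' { $finding = 'principal from a trusted domain or a well-known SID' }
            }
            $label = if ($m.SamAccountName) { $m.SamAccountName } else { $m.Name }
            [pscustomobject]@{
                Group = $name; Member = $label; Class = $m.ObjectClass
                Enabled = $enabled; LastLogon = $lastLogon; Finding = $finding
            }
        }
    }
}

$report = Get-PrivilegedMembershipReport
$report | Sort-Object Group, Member | Format-Table -AutoSize
$report | Where-Object { $_.Finding } | Format-Table Group, Member, Finding -AutoSize
```

Keep the first run's output as the approved membership list; the monthly review then becomes a diff against it plus the flagged rows, which is what the automated method the workbook recommends should produce.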

Page 43: Reliability Workbook for Active Directory Domain Services

Troubleshoot slow response times. Performance

Performance General Response

Troubleshoot global catalog nonresponsiveness. Performance

Troubleshoot operations master nonresponsiveness. Performance Operations Masters

Performance Domain Controller

Patching

Privacy Account Permissions

Integrity Windows Time Service

Availability

Security

Authentication Response Time

Troubleshoot Active Directory Domain Services nonresponsiveness.

Global Catalog Search Response

Troubleshoot why a domain controller is not advertising.

Ensure that the latest service pack and security updates are scheduled.

Updates and Configuration

Change any user account permissions that have been set to Read access by default.

Synchronize the domain controller that holds the primary domain controller emulator role with a valid external time source, if required.

Address the need for more available free space on the associated disk volumes.

Active Directory Domain Services Database

Verify the domain functional level and adjust it according to company requirements.

Active Directory Domain Services Functional Level

Page 44: Reliability Workbook for Active Directory Domain Services

Security

Availability DNS SRV Records

Security

Security

Security

Security Encrypting File System

Verify the forest functional level and adjust it according to company requirements.

Active Directory Domain Services Functional Level

Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service, and update them when needed.

Ensure that anonymous access to shares, the Security Accounts Manager (SAM) database/Active Directory Domain Services, and named pipes is negated.

Anonymous Connections

Verify membership in the Pre-Windows 2000 Compatible Access group.

Anonymous Connections

Ensure that no standard users can read key properties for administrative groups and users; deny access, if necessary.

Lightweight Directory Access Protocol Access to Active Directory Domain Services

Verify that Encrypting File System is not enabled for domain controllers; disable, if necessary.
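The DNS service record check above, together with the later item on placing every domain controller in the correct site by IP address, decides whether clients can locate a domain controller at all and whether they find one in their own site. The script below is an added example, not from the workbook; it assumes the ActiveDirectory and DnsClient modules (Windows Server 2012 / RSAT or later) and checks only IPv4 subnets. On older hosts `nslookup -type=SRV` returns the same records.

```powershell
# Added example (not part of the workbook). Assumes the ActiveDirectory and DnsClient modules.
Import-Module ActiveDirectory
Import-Module DnsClient

function Get-DcSrvRecordReport {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    # Read-only DCs register a reduced record set and are skipped here.
    foreach ($dc in (Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly })) {
        $dcName = $dc.HostName.ToLower()
        # Records every writable DC registers (domain-wide, site-specific, Kerberos), plus the PDC and
        # global catalog records where the role applies. The site-specific record is what clients in
        # that site try first; if it is missing they silently locate a DC across the WAN.
        $expected = @(
            "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)",
            "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)",
            "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$($domain.DNSRoot)"
        )
        if ("$($dc.OperationMasterRoles)" -match 'PDCEmulator') { $expected += "_ldap._tcp.pdc._msdcs.$($domain.DNSRoot)" }
        if ($dc.IsGlobalCatalog) { $expected += "_gc._tcp.$($forest.RootDomain)", "_ldap._tcp.gc._msdcs.$($forest.RootDomain)" }
        foreach ($record in $expected) {
            $answers = Resolve-DnsName -Name $record -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
                       Where-Object { $_.Type -eq 'SRV' }
            $targets = @($answers | ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') })
            [pscustomobject]@{ DC = $dcName; Record = $record; Registered = ($targets -contains $dcName) }
        }
    }
}

function ConvertTo-IPv4UInt32 ([string] $Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network byte order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr ([string] $Address, [string] $Cidr) {
    $network, $prefix = $Cidr -split '/'
    $prefix = [int] $prefix
    # Build the mask in a 64-bit value: the literal 0xFFFFFFFF is a negative Int32 in PowerShell.
    $mask = if ($prefix -eq 0) { [uint32] 0 } else { [uint32] ((([long] [uint32]::MaxValue) -shl (32 - $prefix)) -band [uint32]::MaxValue) }
    ((ConvertTo-IPv4UInt32 $Address) -band $mask) -eq ((ConvertTo-IPv4UInt32 $network) -band $mask)
}

function Get-DcSiteConsistencyReport {
    # A DC's site is set by the administrator; this compares it with the site its subnet maps to.
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
               Where-Object { $_.Site -and $_.Name -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' }
    foreach ($dc in Get-ADDomainController -Filter *) {
        $hits = @($subnets | Where-Object { Test-IPv4InCidr $dc.IPv4Address $_.Name }) |
                Sort-Object { [int] ($_.Name -split '/')[1] } -Descending
        $best = $hits | Select-Object -First 1                # longest prefix wins, as in the DC locator
        $subnetSite = if ($best) { (Get-ADObject -Identity $best.Site).Name } else { $null }
        [pscustomobject]@{
            DC = $dc.HostName; IPv4 = $dc.IPv4Address; ConfiguredSite = $dc.Site
            SubnetSite = $subnetSite; Consistent = ($subnetSite -eq $dc.Site)
        }
    }
}

Get-DcSrvRecordReport       | Where-Object { -not $_.Registered }
Get-DcSiteConsistencyReport | Where-Object { -not $_.Consistent }
```

A DC whose address matches no subnet at all (SubnetSite empty) is the more common finding than a wrong site: clients in that address range are then assigned no site either and pick any DC in the domain.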

Page 45: Reliability Workbook for Active Directory Domain Services

Security Authentication

Appropriate Use Domain Controller

Security Group Policy

Security Auditing

Security Authentication

Security Authentication

Verify that no user accounts have the Password never expires property configured; remove this setting, if necessary.

Check for Windows Firewall rules, and configure additional rules where appropriate.

Check for changes in administrative authority for Group Policy management; modify security to meet company security requirements.

Verify that audit policy settings are configured properly; modify audit policy settings to meet company security requirements.

Verify that the name of the last user who logged on does not appear during logon; configure this setting not to show the name if it is displayed.

Verify that the logon banner is displayed during logon; configure it to appear if it is not displayed.
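The last-user-name and logon-banner items above, the LanManager compatibility and hash-storage items, and the anonymous-access item are all security options that Group Policy writes to the registry of each domain controller, so one script can show the weak value beside the expected one. The following is an added example, not from the workbook: the expected values are an assumed baseline to adjust to organizational policy, and a failing row is fixed in the Default Domain Controllers Policy through Group Policy Management Console or Secpol.msc (as the workbook's tool column says), not by editing the registry, which Group Policy would overwrite at the next refresh.

```powershell
# Added example (not part of the workbook): check the registry-backed security options behind the
# LanManager, anonymous-access, last-user-name and logon-banner items on this domain controller.
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Server   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed baseline, one row per policy: the weak value a reviewer typically finds beside the expected one.
$Baseline = @(
    @{ Policy = 'Network security: LAN Manager authentication level';                            Path = $Lsa;      Name = 'LmCompatibilityLevel';       Weak = '0-2 (LM or NTLM accepted)'; Expect = '5 (send NTLMv2 only, refuse LM and NTLM)'; Test = { param($v) $v -ge 5 } }
    @{ Policy = 'Network security: Do not store LAN Manager hash value on next password change'; Path = $Lsa;      Name = 'NoLMHash';                   Weak = '0';     Expect = '1';              Test = { param($v) $v -eq 1 } }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares';  Path = $Lsa;      Name = 'RestrictAnonymous';          Weak = '0';     Expect = '1';              Test = { param($v) $v -eq 1 } }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts';             Path = $Lsa;      Name = 'RestrictAnonymousSAM';       Weak = '0';     Expect = '1';              Test = { param($v) $v -eq 1 } }
    @{ Policy = 'Network access: Let Everyone permissions apply to anonymous users';              Path = $Lsa;      Name = 'EveryoneIncludesAnonymous';  Weak = '1';     Expect = '0';              Test = { param($v) -not $v } }
    @{ Policy = 'Network access: Restrict anonymous access to Named Pipes and Shares';            Path = $Server;   Name = 'RestrictNullSessAccess';     Weak = '0';     Expect = '1';              Test = { param($v) $v -eq 1 } }
    @{ Policy = 'Network access: Named Pipes that can be accessed anonymously';                   Path = $Server;   Name = 'NullSessionPipes';           Weak = 'entries'; Expect = 'empty';        Test = { param($v) -not ($v | Where-Object { $_ }) } }
    @{ Policy = 'Network access: Shares that can be accessed anonymously';                        Path = $Server;   Name = 'NullSessionShares';          Weak = 'entries'; Expect = 'empty';        Test = { param($v) -not ($v | Where-Object { $_ }) } }
    @{ Policy = 'Interactive logon: Do not display last user name';                              Path = $Winlogon; Name = 'DontDisplayLastUserName';    Weak = '0';     Expect = '1';              Test = { param($v) $v -eq 1 } }
    @{ Policy = 'Interactive logon: Message title for users attempting to log on';               Path = $Winlogon; Name = 'LegalNoticeCaption';         Weak = 'empty'; Expect = 'company banner title'; Test = { param($v) -not [string]::IsNullOrWhiteSpace($v) } }
    @{ Policy = 'Interactive logon: Message text for users attempting to log on';                Path = $Winlogon; Name = 'LegalNoticeText';            Weak = 'empty'; Expect = 'company banner text';  Test = { param($v) -not [string]::IsNullOrWhiteSpace($v) } }
)

function Test-SecurityOptionBaseline {
    param([object[]] $Rows = $Baseline)
    foreach ($r in $Rows) {
        $item  = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($r.Name) } else { $null }     # absent value: the OS default applies
        $shown = if ($null -eq $value) { '(not set)' } else { (@($value) -join ';') }
        [pscustomobject]@{
            Policy    = $r.Policy
            Value     = $shown
            Weak      = $r.Weak
            Expected  = $r.Expect
            Compliant = [bool] (& $r.Test $value)
        }
    }
}

Test-SecurityOptionBaseline | Format-Table Policy, Value, Expected, Compliant -AutoSize -Wrap
```

A "(not set)" value means the operating system default is in force; confirm what that default is for the Windows version on the domain controller before recording it as a finding, since several of these options changed default between releases.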

Page 46: Reliability Workbook for Active Directory Domain Services

Appropriate Use

Continuity Domain Controllers

Security Domain Name System

Appropriate use

Continuity Replication

Continuity Global Catalog Location

Ensure that accounts with administrator-level privilege have dual accounts or use User Account Control.

Administrative Authority

Ensure that the crash dump file is configured to meet organizational requirements; modify settings to meet organizational security requirements.

Ensure that all Domain Name System (DNS) servers that support Active Directory Domain Services are Active Directory–integrated; configure only Active Directory–integrated DNS servers when appropriate.

Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers; modify DNSUpdateProxy group membership where appropriate.

Dynamic Host Configuration Protocol

Ensure that all domain controllers are in the appropriate site based on IP address; modify site membership where appropriate.

Add global catalog servers to physical locations when required.

Page 47: Reliability Workbook for Active Directory Domain Services

Continuity

Continuity

Add Domain Name System servers to physical locations when required.

Domain Name System Server Location

Add domain controllers to physical locations when required.

Domain Controller Location

Page 48: Reliability Workbook for Active Directory Domain Services

Columns: Health requirement, Maintenance task, Frequency, Owner

Remote access Monthly Operator

Monthly Operator

Current accounts Daily Operator

Current certificates Monthly Operator

Current certificates Weekly Operator

Secure trusting forest Daily

Daily Operator

Review the Remote Access Service account access policy, and update it to meet security policies.

Terminal Services/Remote Desktop

Review User account properties, and update the Remote Desktop group to meet security policies.

Remove locked-out, disabled, or expired accounts.

Review the Active Directory Domain Services Expiration Dates policy.

Ensure that certificates are renewed.

Deny network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.

Backup operator

Group Policy is working as expected.

No Override is disabled for all Active Directory Domain Services nodes (domains and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects.
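The "secure trusting forest" requirement above (deny network authentication to users from a trusted forest who hold administrative credentials there) is enforced by two trust properties: SID filtering, which stops a trusted forest from injecting foreign SIDs through SID history, and selective authentication, which makes every trusted user unable to authenticate to a resource until explicitly allowed. The script below is an added example, not from the workbook; it assumes the ActiveDirectory module and reads the trustAttributes flags directly, using the bit values defined in MS-ADTS section 6.1.6.7.9.

```powershell
# Added example (not part of the workbook). Assumes the ActiveDirectory module; the bit values are
# the trustAttributes flags defined in MS-ADTS 6.1.6.7.9.
Import-Module ActiveDirectory

$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x0004   # SID filtering quarantine: only SIDs of the trusted domain itself are accepted
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x0008
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x0010   # selective authentication: trusted users need "Allowed to Authenticate" per resource
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x0020
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x0040   # forest trust accepts SID history from the other forest (netdom trust /enablesidhistory:yes)

function Get-TrustSecurityReport {
    foreach ($t in Get-ADTrust -Filter * -Properties *) {
        $attr     = [int] $t.TrustAttributes
        $findings = @()
        # Trusts inside one forest are not a security boundary, so only cross-forest trusts are assessed.
        if (-not ($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST)) {
            if ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
                if ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
                    $findings += 'forest trust accepts SID history from the trusted forest (SID filtering weakened)'
                }
            }
            elseif (-not ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
                $findings += 'external trust without SID filtering quarantine (SID history from the trusted domain is honoured)'
            }
            if (-not ($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION)) {
                $findings += 'selective authentication off: every account in the trusted domain can authenticate to every resource here'
            }
        }
        [pscustomobject]@{
            Trust            = $t.Name
            Type             = $t.TrustType
            Direction        = $t.Direction
            ForestTransitive = [bool] ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
            SIDFiltering     = $t.SIDFilteringQuarantined
            SelectiveAuth    = $t.SelectiveAuthentication
            Findings         = ($findings -join '; ')
        }
    }
}

Get-TrustSecurityReport | Format-Table -AutoSize -Wrap
```

Selective authentication is the control that answers the work item literally: with it on, an administrator in the trusted forest can authenticate to nothing in this forest until a resource grants the Allowed to Authenticate right. SID filtering is what prevents that same administrator from manufacturing membership in this forest's groups; both are normally verified in Active Directory Domains and Trusts, the tool the workbook names for this row.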

Page 49: Reliability Workbook for Active Directory Domain Services

Monthly Operator

Monthly Operator

Semiannually Operator

Daily Operator

Strong passwords Monthly Operator

Maximum Password Age Monthly Operator

Minimum Password Age Monthly Operator

Shares are safe from unauthorized users.

Ensure that the most restrictive permissions are applied.

Limit the number of shared folders.

Remove shared folders that are no longer required.

NTFS file system permissions should protect shared folders and all content from unauthorized users.

Verify and ensure that NTFS file system permissions are set appropriately on all shared folders and content in shared folders.

Servers are configured to the standard security policy.

Change any security settings not set to the standard security policy.

Review the password policy for password length and complexity settings, and ensure that the policy matches company security requirements.

Review the password policy for the Maximum Password Age setting, and ensure that the setting matches organizational security requirements.

Review the password policy for the Minimum Password Age setting, and ensure that the setting matches organizational security requirements.

Page 50: Reliability Workbook for Active Directory Domain Services

Minimum Password Length Monthly Operator

Account Lockout policy Monthly Operator

Monthly Operator

Monthly Operator

Current certificates Monthly Operator

Monthly Operator

As needed Operator

Review the password policy for the Minimum Password Length setting, and ensure that the setting matches organizational security requirements.

Review the Account Lockout policy, and ensure that it meets minimum organizational security policy requirements.

LanManager authentication protocol

Review LanManager compatibility settings, and ensure that they meet minimum organizational security policy requirements.

LanManager authentication protocol hash storage

Review LanManager authentication protocol hash storage settings, and ensure that they meet minimum organizational security policy requirements.

Review the certificate renewal policy.

All domain controllers receive the same Group Policy objects.

Ensure that all domain controllers are in the Domain Controllers organizational unit.

Healthy replication links are established between domain controllers and replication partners.

Restore replication links between domain controllers and replication partners.

Page 51: Reliability Workbook for Active Directory Domain Services

As needed Operator

Daily Operator

As needed Operator

Updated domain controllers As needed Operator

Daily Operator

Domain controller backup Schedule a backup. Daily

Schedule a backup. Daily

Servers are backed up. Schedule a backup. Weekly

Monthly

Domain controllers within a forest are able to replicate with each other.

Remove excess replication connections between domain controllers in different sites.

Changes are properly replicated across the forest.

Verify that the replication intervals of site links between domain controllers in different sites meet company requirements.

Changes are properly replicated across the forest.

Restart the appropriate replication service, if required.

Restart the Kerberos Key Distribution Center service, if required.

The System Volume share is accessible on every domain controller.

Schedule tests on each domain controller.

Backup operator

Critical volumes are backed up.

Backup operator

Backup operator

Active Directory Domain Services is authoritatively restored.

Schedule an authoritative restore of Active Directory Domain Services.

Every three backups

Backup operator

Restore Active Directory Domain Services from system state, critical-volumes, or a full server backup.

Ensure that a test restoration is scheduled and verified.

Backup operator

Page 52: Reliability Workbook for Active Directory Domain Services

Tied to restore

Effective authoritative restore Tied to restore

As needed Operator

As needed Operator

As needed Operator

As needed Operator

As needed Operator

As needed Operator

Active Directory Domain Services is non-authoritatively restored.

Schedule a non-authoritative restore of Active Directory Domain Services.

Every three backups

Backup operator

Effective non-authoritative restore

Schedule a test for a non-authoritative restore.

Backup operator

Schedule a test for an authoritative restore.

Backup operator

Appropriately assigned authority

Remove inappropriately assigned administrative authority.

Appropriately assigned authority

Remove non-standard grants of Write access.

Domain controllers are free of dangerous services.

Remove dangerous or unnecessary services that are not disabled.

The network is free of unauthorized users.

Remove dormant user accounts.

Appropriately assigned authority

Ensure that the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators—meets least-privilege requirements.

Appropriately assigned authority

Remove user rights where they are assigned to users.
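Finding user rights that were assigned directly to users, as the item above and the note on page 33 call out, means reading the user rights assignment that is in force on the domain controller rather than the policy as written. The script below is an added example, not from the workbook; it assumes it is run with administrative rights on a domain controller (or through PowerShell remoting), uses `secedit.exe`, which the workbook's Secpol.msc reads the same data from, and the ActiveDirectory module to resolve SIDs.

```powershell
# Added example (not part of the workbook): export the user rights assignment in force on this
# domain controller and report rights granted directly to accounts instead of groups.
Import-Module ActiveDirectory

function Get-UserRightsAssignedToUsers {
    param([string] $ExportPath = (Join-Path $env:TEMP 'user-rights.inf'))

    # secedit writes the rights as currently configured on this machine; on a domain controller these
    # come from the Default Domain Controllers Policy and any other GPO linked to the Domain Controllers OU.
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path -Path $ExportPath)) { throw "secedit export failed: $ExportPath was not written" }

    $inSection = $false
    $cache     = @{}
    foreach ($line in Get-Content -Path $ExportPath) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.+)$') { continue }
        $right = $Matches[1]
        foreach ($token in ($Matches[2] -split ',')) {
            # Entries are "*SID" or a bare account name; only *SID entries of domain principals
            # (S-1-5-21-...) are resolved. BUILTIN and well-known SIDs are groups or the system itself.
            $sid = $token.Trim().TrimStart('*')
            if ($sid -notmatch '^S-1-5-21-') { continue }
            if (-not $cache.ContainsKey($sid)) {
                $cache[$sid] = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName -ErrorAction SilentlyContinue
            }
            $obj = $cache[$sid]
            if (-not $obj) {
                # No object for the SID: a deleted account whose right was never cleaned up.
                [pscustomobject]@{ Right = $right; Principal = '(orphaned SID)'; Class = $null; SID = $sid }
            }
            elseif ($obj.ObjectClass -ne 'group') {
                # user or computer object: the right should be moved to a group and the account added to it
                [pscustomobject]@{ Right = $right; Principal = $obj.SamAccountName; Class = $obj.ObjectClass; SID = $sid }
            }
        }
    }
    Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
}

Get-UserRightsAssignedToUsers | Sort-Object Right, Principal | Format-Table -AutoSize
```

Orphaned SIDs appear in the same list because they are the usual end state of a right granted to a user: the account is deleted, the right stays behind, and a later account that reuses the right by name would have to be granted it again anyway.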

Page 53: Reliability Workbook for Active Directory Domain Services

Expected response time As needed Operator

As needed Operator

As needed Operator

As needed Operator

As needed Operator

Daily Operator

User information is private. As needed Operator

As needed Operator

As needed Operator

Once Operator

Troubleshoot slow response times.

Active Directory Domain Services is responsive.

Troubleshoot Active Directory Domain Services nonresponsiveness.

The Active Directory Domain Services global catalog is responsive.

Troubleshoot global catalog nonresponsiveness.

Operations masters are responsive.

Troubleshoot operations master nonresponsiveness.

The domain controller is advertising.

Troubleshoot why a domain controller is not advertising.

The system is up to date with the latest service pack and security updates.

Ensure that the latest service pack and security updates are scheduled.

Change any user account permissions that have been set to Read access by default.

Domain controllers on the network are in time synchronization with each other.

Synchronize the domain controller that holds the primary domain controller emulator role with a valid external time source, if required.

Adequate free space in the database

Address the need for more available free space on the associated disk volumes.

Ensure that the functional level of the domain is at the highest level possible.

Verify the domain functional level and adjust it according to company requirements.

Page 54: Reliability Workbook for Active Directory Domain Services

Once Operator

Daily Operator

Deny anonymous access. Monthly Operator

Deny anonymous access. Monthly Operator

Monthly Operator

Monthly Operator

Ensure that the functional level of the forest is at the highest level possible.

Verify the forest functional level and adjust it according to company requirements.

Domain controller services are available.

Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service, and update them when needed.

Ensure that anonymous access to shares, the Security Accounts Manager (SAM) database/Active Directory Domain Services, and named pipes is negated.

Verify membership in the Pre-Windows 2000 Compatible Access group.

Deny Read access to key security groups and users for standard users.

Ensure that no standard users can read key properties for administrative groups and users; deny access, if necessary.

Ensure that Encrypting File System is disabled for domain controllers.

Verify that Encrypting File System is not enabled for domain controllers; disable, if necessary.

Page 55: Reliability Workbook for Active Directory Domain Services

Daily Operator

Daily Operator

Daily Operator

Restrict access to user names. Daily Operator

Daily Operator

Ensure that user account passwords expire.

Verify that no user accounts have the Password never expires property configured; remove this setting, if necessary.

Domain controllers are free of dangerous network access.

Check for Windows Firewall rules, and configure additional rules where appropriate.

Appropriately assigned authority

Check for changes in administrative authority for Group Policy management; modify security to meet company security requirements.

Appropriately assigned audit policies

Verify that audit policy settings are configured properly; modify audit policy settings to meet company security requirements.

Verify that the name of the last user who logged on does not appear during logon; configure this setting not to show the name if it is displayed.

Display the company logon banner.

Verify that the logon banner is displayed during logon; configure it to appear if it is not displayed.

Page 56: Reliability Workbook for Active Directory Domain Services

Daily Operator

Configure the crash dump file. Daily Operator

Monthly Operator

Monthly Operator

Site configuration Daily Operator

Monthly Operator

Appropriate logon access privilege level

Ensure that accounts with administrator-level privilege have dual accounts or use User Account Control.

Ensure that the crash dump file is configured to meet organizational requirements; modify settings to meet organizational security requirements.

Active Directory–integrated Domain Name System

Ensure that all Domain Name System (DNS) servers that support Active Directory Domain Services are Active Directory–integrated; configure only Active Directory–integrated DNS servers when appropriate.

Dynamic Host Configuration Protocol service running on a domain controller

Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers; modify DNSUpdateProxy group membership where appropriate.

Ensure that all domain controllers are in the appropriate site based on IP address; modify site membership where appropriate.

Global catalog servers must be available.

Add global catalog servers to physical locations when required.

Page 57: Reliability Workbook for Active Directory Domain Services

Monthly Operator

Monthly Operator

Domain Name System servers must be available.

Add Domain Name System servers to physical locations when required.

Domain controllers must be available.

Add domain controllers to physical locations when required.

Page 58: Reliability Workbook for Active Directory Domain Services

Columns: Manual, Automation

Read written Remote Access Service access policies, and match them with the permissions in place.

Review using the TripWire Compliance Management Pack for Microsoft System Center Operations Manager.

Review User account properties, and update the Remote Desktop group to meet security policies; Dsmod.exe; Dsquery.exe.

Use User Manager or Active Directory Users and Computers to remove invalid accounts.

Use Microsoft System Center Configuration Manager.

Use the Certificate Request Wizard in the Certificates console.

Use Microsoft Certificate Lifecycle Manager 2007.

Use the Certificate Request Wizard in the Certificates console.

Use Microsoft Certificate Lifecycle Manager 2007.

Exercise access control to manage user access to shared resources in Active Directory Users and Computers.

Apply Windows Service Hardening in Windows Server 2008 R2.

Verify and modify in Group Policy Management Console.

Page 59: Reliability Workbook for Active Directory Domain Services

Group Policy preferences

Windows Explorer Group Policy

Windows Explorer Group Policy

Group Policy

Group Policy

Group Policy

Use the Configure Your Server Wizard to configure settings.

Windows Explorer or Computer Management

Group Policy Management Console, Secpol.msc

Group Policy Management Console, Secpol.msc

Group Policy Management Console, Secpol.msc

Page 60: Reliability Workbook for Active Directory Domain Services

Group Policy

Group Policy

Group Policy

Group Policy

Group Policy Management Console, Secpol.msc

Group Policy Management Console, Secpol.msc

Group Policy Management Console, Secpol.msc

Group Policy Management Console, Secpol.msc

Active Directory Users and Computers, Dsquery.exe

Repadmin, Active Directory Sites and Services

Page 61: Reliability Workbook for Active Directory Domain Services

Wbadmin Wbadmin

Wbadmin Wbadmin

Wbadmin Wbadmin

Ntdsutil

Ntdsutil

Repadmin, Active Directory Sites and Services

Repadmin, Active Directory Sites and Services

Computer Management, Server Manager

Computer Management, Server Manager

Computer Management, Server Manager

Page 62: Reliability Workbook for Active Directory Domain Services

Ntdsutil

Ntdsutil

Ntdsutil

Group Policy Restricted Groups

Group Policy

Active Directory Users and Computers, Delegation Wizard

Active Directory Users and Computers, Delegation Wizard

Computer Management, Server Manager

Active Directory Users and Computers, Lightweight Directory Access Protocol queries

Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsmod.exe, Dsquery.exe

Page 63: Reliability Workbook for Active Directory Domain Services

Varies

Varies

Varies

Varies

Varies

Windows Server Update Services Windows Server Update Services

Group Policy

Active Directory Users and Computers, Lightweight Directory Access Protocol queries

Active Directory Users and Computers

Page 64: Reliability Workbook for Active Directory Domain Services

Group Policy

Group Policy

Group Policy

Active Directory Domains and Trusts

Domain Name System Admin tool, Nslookup.exe, Dnscmd

Secpol.msc, Group Policy Management Console

Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsquery.exe, Dsmod.exe

Active Directory Users and Computers, Delegation Wizard, Ldp.exe

Group Policy Management Console, Secpol.msc

Page 65: Reliability Workbook for Active Directory Domain Services

Server Manager, firewall Group Policy

Group Policy

Group Policy

Group Policy

Active Directory Users and Computers, Lightweight Directory Access Protocol queries

Group Policy Management Console, Delegation tabs, Advanced Group Policy Management

Group Policy Management Console, Secpol.msc

Secpol.msc, Group Policy Management Console

Secpol.msc, Group Policy Management Console

Page 66: Reliability Workbook for Active Directory Domain Services

User Account Control, Group Policy

Wbadmin

Group Policy

Active Directory Sites and Services

Active Directory Sites and Services

User Account Control, Group Policy Management Console, Secpol.msc

System Properties – setup and recovery

Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsquery.exe, Dsmod.exe

Page 67: Reliability Workbook for Active Directory Domain Services

Dcpromo

Page 68: Reliability Workbook for Active Directory Domain Services

Notes

Page 78: Reliability Workbook for Active Directory Domain Services

Health Risks

ID Description Probability (1–100%)1 40%

2 50%

3 60%

4 50%

5 70%

6 25%

7 25%

8 80%

9 50%

10 50%

11 User passwords are not secure.

12 User and group information is available to standard users.

Trust relationships are not appropriate, compromising identity and access.

Active Directory Domain Services object change management allows inappropriate changes to Group Policy objects.

Domain controllers are not in compliance with corporate policy and/or management’s stated baseline settings.

Domain controller security is unknowingly compromised because of inadequate review of monitoring or maintenance activities.

Restoration of a domain controller results in compromising the entire Active Directory Domain Services service.

Inappropriate administrator access: Former administrators who have left the Active Directory Domain Services group still have administrative access.

Flexible Single Master Operations roles are not configured appropriately, resulting in service degradation or inability of users to log on to the domain.

Replication across forests is slow or broken. Access to data is affected or compromised.

Domain controllers are out of time synchronization, resulting in degraded services.

Active Directory Domain Services servers run out of database space.

Page 79: Reliability Workbook for Active Directory Domain Services

Risk register, continued. The columns of this table (Risk, Impact, Exposure, Mitigation strategy, Risk owner) were flattened in extraction and are listed here one column group at a time, keyed by risk number.

Risks 13–18 (risks 1–12 are listed on the preceding pages):

13  Anonymous access is allowed to Active Directory Domain Services.
14  Legacy authentication protocols are used and stored.
15  Users will not be able to find domain controllers and the associated services running on them.
16  Access to Active Directory Domain Services user names.
17  Inability to replicate between domain controllers because of incorrect site configurations.
18  Inability to replicate between domain controllers because of incorrect Domain Name System configuration.

Impact (1–5) and Exposure, by risk number (for rows 11–18 only an exposure of 0 is recorded; the impact cell is blank):

Risk  Impact  Exposure
  1     5       2
  2     5       2.5
  3     5       3
  4     5       2.5
  5     5       3.5
  6     3       0.75
  7     4       1
  8     3       2.4
  9     3       1.5
 10     5       2.5
 11     -       0
 12     -       0
 13     -       0
 14     -       0
 15     -       0
 16     -       0
 17     -       0
 18     -       0

Mitigation strategy, by risk number (the Risk owner column is blank in the source):

 1  Review trust and domain oversight; verify the need for existing trusts.
 2  Replication monitoring and maintenance activities are performed and reviewed.
 3  Evaluate compliance with documented thresholds for classifying changes to ensure that Active Directory Domain Services object changes receive the correct level of scrutiny and approval.
 4  Policy settings are linked appropriately, and reviews include verification of account/password policy, audit and event log policy, and security options.
 5  Regular review of monitoring to ensure that specialized monitoring or security scanning is performed on domain controllers, incidents are managed and resolved appropriately and in a timely manner, and server configuration is reviewed and monitored for changes.
 6  Procedures for restoring a domain controller are well understood, documented, and tested.
 7  Management periodically changes the password for the DS Restore Mode Administrator account and logs that the change has been made.
 8  Periodically validate Flexible Single Master Operations roles and the appropriate number of domain controllers and global catalogs.
 9  Monitor and maintain time synchronization, and verify that the time source is valid.
10  Monitor capacity and initiate expansion (and any needed provisioning of hardware) with an appropriate lead time.
11  Ensure that a password policy for domain and domain controllers is set to appropriate levels for user account passwords.
12  Secure Lightweight Directory Access Protocol access to Active Directory Domain Services for standard users with regard to administrative groups and administrator accounts.
13  Restrict anonymous access to the domain controllers.
14  Deny the use of LAN Manager and NT LAN Manager authentication, as well as storage of these hashes for user passwords.
15  Ensure that Domain Name System (DNS) has all the correct information for domain controller DNS service records.
16  Ensure that Lightweight Directory Access Protocol Read access is negated for key accounts, anonymous connections are denied, and display of the last user name is denied.
17  Ensure that all domain controllers are in the correct Active Directory Domain Services site, the site topology is correct, intersite topology is configured correctly, and all replication events are successful.
18  Ensure that all Domain Name System (DNS) service records for all domain controllers are correct, DNS is configured as Active Directory–integrated DNS, automatic updates are configured, and replication between DNS servers is set up correctly.
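The following PowerShell script is an added example, not part of the workbook; it spot-checks several of the mitigations above (FSMO roles and global catalog count, DNS SRV records for every domain controller, LM hash storage and anonymous access settings, the time source, and replication failures) and reports findings. It assumes it runs on a domain controller with the ActiveDirectory module and w32tm available; the thresholds (at least two global catalogs, LmCompatibilityLevel of at least 3) are this example's assumptions, not values from the workbook.

```powershell
# Added example (not from the workbook). Run on a domain controller with the
# ActiveDirectory module; thresholds below are assumptions for illustration.
Import-Module ActiveDirectory
$findings = @()

# Mitigation 8: FSMO role holders and number of global catalogs
$forest = Get-ADForest
$domain = Get-ADDomain
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
if (@($forest.GlobalCatalogs).Count -lt 2) {
    $findings += "Only $(@($forest.GlobalCatalogs).Count) global catalog(s) in the forest."
}

# Mitigations 15/18: every DC must have an _ldap._tcp.dc._msdcs SRV record
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -ErrorAction SilentlyContinue
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    if (-not ($srv | Where-Object { $_.NameTarget -ieq $dc })) {
        $findings += "No _ldap._tcp.dc._msdcs SRV record found for $dc."
    }
}

# Mitigations 13/14: LM hash storage, LAN Manager auth level, anonymous restriction
# (an absent value means the setting is not explicitly configured in the registry)
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.NoLMHash -ne 1)            { $findings += 'NoLMHash is not 1: LM hashes may be stored.' }
if ($lsa.LmCompatibilityLevel -lt 3) { $findings += 'LmCompatibilityLevel below 3: LM/NTLMv1 responses may still be sent.' }
if ($lsa.RestrictAnonymous -ne 1)    { $findings += 'RestrictAnonymous is not 1: anonymous enumeration may be allowed.' }

# Mitigation 9: a DC that syncs from its own hardware clock has no valid time source
$timeSource = (w32tm /query /source 2>&1) -join ' '
if ($timeSource -match 'Local CMOS Clock|Free-running') { $findings += "Invalid time source: $timeSource" }

# Mitigations 2/17: replication failures recorded on this DC
$replFail = Get-ADReplicationFailure -Target $env:COMPUTERNAME -ErrorAction SilentlyContinue
if ($replFail) { $findings += "$(@($replFail).Count) replication failure(s) reported on $env:COMPUTERNAME." }

$fsmo
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```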

Page 84: Reliability Workbook for Active Directory Domain Services

Standard Changes

Columns: Proposed standard change | Category verified? | Approved by | Date for change development complete | Date for change release. Only the first column is filled in; the remaining columns are blank in the source.

Proposed standard changes:

- Remove locked-out, disabled, or expired accounts.
- Ensure that the most restrictive permissions are applied.
- Remove shared folders that are no longer required.
- Ensure that all domain controllers are in the Domain Controllers organizational unit.
- Schedule backups of domain controllers, including system state.
- Verify that domain controller backups were successful.
- Remove dangerous or unnecessary services that are not disabled.
- Remove dormant user accounts.
- Ensure that the latest service pack and security updates are scheduled.
- Review membership in key Active Directory Domain Services security groups for correct membership.
- Review key security settings such as password policy, audit policy, and user rights assignment for domain controllers.
- Review the password policy for the Default Domain Policy or the Group Policy object linked to a domain that establishes password policy for domain user accounts and most computer accounts.
- Remove inappropriately assigned administrative authority within Active Directory Domain Services, including administrative authority produced through delegation.

Page 87: Reliability Workbook for Active Directory Domain Services

Acknowledgments

The Microsoft Operations Framework team acknowledges and thanks the people who produced Reliability Workbook for Active Directory. The following people were either directly responsible for or made a substantial contribution to the writing and development of this guide.

Contributors

Joe Coulombe, Microsoft
Jerry Dyer, Microsoft
Mike Kaczmarek, Microsoft
Don Lemmex, Microsoft
Derek Melber, Xtreme Consulting Group, Inc.
Betsy Norton-Middaugh, Microsoft

Reviewers

Jason Missildine
Steve Schofield
Sainath K.E.V.
Robert Stuczynski

Editors

Michelle Anderson, Xtreme Consulting Group, Inc.
Pat Rytkonen, Volt Technical Services

Copyright © 2010 Microsoft Corporation. This documentation is licensed to you under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94150, USA. When using this documentation, provide the following attribution: The Microsoft Operations Framework 4.0 is provided with permission from Microsoft Corporation.

Microsoft, Active Directory, Forefront, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.