Keep up with TechEd Europe 2013 (Madrid) even when you’re not an attendee

Next week, Microsoft organizes the second TechEd continental event of this quarter: TechEd Europe 2013 in Madrid. With 7000 seats, chances are small this event will sell out (although I still have hopes due to the special Surface offer for attendees).

Even when it sells out and you can’t attend, when you want to use your ginormous bandwidth to be the first to leech the Windows 8.1 and Windows Server 2012 R2 Previews, or when you simply want to follow the event from the comfort of your couch at home, the links below will provide you with a dose of Microsoft news:

	Official website http://europe.msteched.com
	Blog http://channel9.msdn.com/Blogs/TechEd
	Twitter http://www.twitter.com/TechEd_Europe and tags #msteched and #TEE13
	Facebook http://www.facebook.com/TechEdEurope
	LinkedIn http://www.linkedin.com/groups/Microsoft-TechEd-Europe-1055617

As Brad Anderson and Jon DeVaan will both be hosting a keynote during TechEd Europe 2013, you might want to tune into Channel9 to see these streamed live and (afterwards) on-demand:

	The Cloud OS: It’s Time! Brad Anderson June 25, 2013 from 9:00AM to 10:30AM GMT +1 (Brussels, Copenhagen, Paris, Madrid)    Brad Anderson will review a broad set of newly-announced updates across the full suite of Microsoft Cloud OS products and technologies.
	Windows is the Future Jon DeVaan June 27, 2013 from 8:30AM to 9:45AM GMT +1 (Brussels, Copenhagen, Paris, Madrid)     In this keynote, Jon DeVaan, Corporate Vice President, Windows, will discuss a broad set of new features for Windows 8.1.

Enjoy!

Common Challenges when Managing Active Directory Domain Services, Part 5: (Accidental) Misconfiguration

A lot of organizations run Active Directory Domain Services as their Identity and Access Management (IAM) solutions. Their Domain Controllers unlock access to the simplified view on the organization’s processes, structure and systems, so people can perform the jobs they were hired to do.

Just when you thought your Active Directory environment couldn’t get any more optimized after the first four blogpost in this series, I’m back again today to help Active Directory admins out with fighting their worst nightmare: Inadvertently and/or accidental misconfiguring Active Directory, grinding the entire business to a halt.

The challenge

It’s not like it didn’t happen in the past. You might not have heard of any organizations going out of business due to disastrous Identity and Access Management, but I’ve seen a couple in my heyday… To be honest, most organizations had trouble throughout, including a lack of proper processes, policies and auditing. The ‘pile-on effect’, due to not being able to find the root cause of issue, inadequate documentation and the inability to restore backups, eventually got the best of them.

(Parts of) The Solution

So, how do we avoid misconfiguring Active Directory?
                                            - Anonymous customer

As many Active Directory admins have asked me how to avoid misconfiguring Active Directory. Either stemming from true loyalty towards their employer or from a Cover Your *ss (CYA) attitude, this question is a good one. The answer is pretty simple though:

Apply the Principle of Least Administrative Privilege

The amount of administrators, able to make changes to the database, and their administrative reach, as in the changes they’re allowed to make, should be as limited as possible. In real-world environments, membership to the groups Enterprise Admins and Enterprise Admins but also domain admins in a multi-forest environment, should only be given to the most trustworthy and capable persons in your organization. The Schema Admins group, on the other hand, should be empty by default as a best practice, since as an Active Directory admin, you would only need access to its permissions when you perform a (planned and tested) Active Directory schema update, defunct and/or extension.

Use the Best Practices Analyzer (regularly)

Since Windows Server 2008 R2, Microsoft ships Best Practices Analyzers (BPAs) with Windows Server. Best Practices Analyzers help you to avoid 80% – 90% of the common misconfigurations that lead to data loss. You do not need to purchase BPAs as extras; you gain access to them from the Server Manager and through the many Best Practice Analyzer PowerShell Cmdlets. The ability to run the BPAs from a remote (management) workstation with the Remote Server Administration Tools (RSAT) installed and through PowerShell make them useful in environments with Server Core installations too.

The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) checks for many misconfigurations at the server level (PDCe time synchronization is a big one, that pops up in many environments I see), at the organization-level (Regular Backups), but also inside the Active Directory. One important AD DS BPA check within the database, that I particularly like, is whether all Organizational Units (OUs) are protected against accidental deletion.

Protect important objects against accidental deletion

Even in organizations with well-skilled Active Directory admins, people slip up.(Administration is still a job done by humans, and humans tend to make mistakes)

Many processes in Active Directory already exist to prevent changes you might not want to see occur. AdminSDHolder is a prime example of such processes; Hourly, it mulls through the ACLs on user objects that are part of typical administration groups (Domain Admins, Print Operators, etc.) and resets them to default. Other objects are marked as system objects and these cannot be deleted with the default tools, like Active Directory Users and Computers (dsa.msc) and the Active Directory Administrative Center (dsac.exe).

The most pervasive human error in Active Directory administration is the accidental deletion of an important object. A feature in Active Directory Domain Services for Windows Server 2008, called Protect against accidental deletion, when enabled, can save your behind.

While presented as a simple check mark on objects in the common management tools, under the hood, this feature changes the ACLs on the object to prevent it from being deleted. The only way to be able to delete it is by either changing the ACLs or remove the check mark.

Since Organizational Units (OUs) hold other objects, these are the kind of object you’d want to protect, regardlessly. Protection against accidental deletion for Organizational Units is enabled by default when an Active Directory domain is first setup using a Domain Controller with at least Windows Server 2008. Also, be weary of Protection against accidental deletion for Organizational Units when you’re using tools like csvde.exe and ldifde.exe to create Organizational Units.

Deploy Read-only (Server Core) Domain Controllers

In organizations where teams of administrators are divided by geographic boundaries, often problems seem to magically appear due to ineffective communication between the teams. Language barriers may apply, but also the loss of nonverbal communication during digital meetings can hamper conveying sarcasm and cynicism.

In these cases, a team of administrators located at the HQ of the organization (or located at any hub in a typical hub-and-spoke networking environment) might decide to prevent changes in the Active Directory database (and surrounding services) while still maintaining an Active Directory foothold at (spoke) locations and allowing the administrators at the (spoke) location to manage the Windows Server(s), hosting Active Directory Domain Services.

In this scenario, Read-only Domain Controllers can be placed in (spoke) locations, installed with Server Core installations of Windows Server. Read-only Domain Controllers, in this scenario, act a more secure method for deploying Domain controllers and Domain Admins can grant non-administrative domain users the right to log on to them while minimizing the security risk to the Active Directory forest. Server Core installations of Windows Server lack most of the Graphical User Interface (GUI) and administrators using these systems are less prone to click-and-miss errors.

As a Domain Admin, you can configure (Server Core) installations of Windows Server for this type of role separation in the following way:

1. Log on to the Read-Only Domain Controller as a Domain Admin

2. Click Start, (click Run,) type cmd, and then press ENTER.

3. At the command prompt, type dsmgmt.exe, and then press ENTER.

4. At the DSMGMT prompt, type local roles, and then press ENTER.

5. For a list of valid parameters, type ?, and then press ENTER.

        Note:
        By default, no local administrator role is defined on the RODC after AD DS
        installation. To add the local administrator role, use the Add parameter.
      

6. Type add <DOMAIN>\<user> <administrative role>

        For example, type add CONTOSO\testuser administrators

Block changes to Active Directory Domain Services

A more rigorous, but viable solution is to block changes to Active Directory. While you can make administration more process-driven by incorporating Role-based Access Control (RBAC) with a super account and making this account perform actions based on workflows, (System Center Orchestrator and SharePoint Server are Microsoft tools you can use to that purpose) or use a 3rd party management solution like Quest’s ActiveRoles Server and its proprietary management tools , blocking changes to Active Directory is also possible with the native tools, like Active Directory Users and Computers (dsa.msc) and the Active Directory Administrative Center (dsac.exe).

One of the solutions that can limit Active Directory administrators from making changes to specific objects, specific attributes and at specific hours is STEALTHbits StealthINTERCEPT. As part of this solution, a StealthINTERCEPT agent is installed on each of the (R/W) Domain Controllers, that monitors changes to the database on the database level (not the protocol level). When the changes do not adhere to the policies laid out by the Chief Security Officer (CSO), the changes do not get applied, get logged and (optionally) the CSO and his/her auditing department get notified.

Set up Adequate Auditing

Speaking of auditing… Every organization, multi-national or not, should have some sort of mechanism for (external) Active Directory auditing. Whether you’d simply want to track changes to Active Directory (a granular auditing feature found in Domain Controllers running Windows Server 2008 and up), set up a 3rd party auditing infrastructure for the CSO and his/her department, or employ the services of an audit, assurance or governance firm, like PwC and KPMG, depends on the needs and requirements of your organization.

In my opinion, though, no auditing is inadequate auditing. To set up auditing of Active Directory changes, including the ability to see old and new values when changes are made to objects and their attributes, perform the following steps:

1. First enable the global audit policy. With the Group Policy Management Console (gpmc.msc), right-click Default Domain Controllers Policy, and then click Edit.
         
   Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.
    
   In the details pane, right-click Audit directory service access, and then click Properties. Select the Define these policy settings check box. Under Audit these attempts, select the Success, check box, and then click OK.
        
2. As the second step, enable the change auditing policy. On each of your Domain Controllers running (Server Core installations of) Windows Server 2008 or up, click Start, right-click Command Prompt, and then click Run as administrator. Type the following command, and then press ENTER:
       
   auditpol /set /subcategory:"directory service changes" /success:enable
       
       
3. Now you’re able to determine the objects and attribute modifications you want to have audited. For instance, when you want changes to the Builtin container audited, right-click it in either Active Directory Users and Computers (dsa.msc) and the Active Directory Administrative Center (dsac.exe), and then click Properties.
       
   Click the Security tab, click Advanced, and then click the Auditing tab. Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal), and then click OK. In Apply onto, click Descendant User objects (or any other objects). Under Access, select the Successful check box for Write all properties. Click OK until you exit the property sheet for the OU or other object.
        

Now, when an accidental change occurs on a object or its attributes, the old value and new value are logged as event-IDs 5136 (object modification), 5137 (object creation), 5139 (object move) and 5141 (object deletion) in the Security event log.  

Concluding

To have control over an Active Directory environment is to take control over it. By adhering to best practices like the ones above, you can take control and be in charge of the contents within Active Directory. When less of your time is spent like a fireman in your networking environment, you have time to become the dentist and pull out some rotting teeth and fill gaps.

Related blogposts

Common Challenges when Managing AD DS, Part 1: Security 
Common Challenges when Managing AD DS, Part 2: Unnecessary Complexity & Token Bloat 
Common Challenges when Managing AD DS, Part 3: Performance 
Common Challenges when Managing AD DS, Part 4: Attribute Integrity 
Active Directory Feature Requirements 
PowerShell, LDIFDE, CSVDE and Protection from Accidental Deletion 

Further reading

Well-known security identifiers in Windows operating systems 
Schema vs. Enterprise vs. Domain Admins   
Description and Update of the Active Directory AdminSDHolder Object   
Best Practices Analyzer for Active Directory Domain Services   
AdminSDHolder - or where did my permissions go? 
Modify the AdminSDHolder container 
AdminSDHolder, Protected Groups and SDPROP 
Understanding AdminSDHolder and Protected Groups     
AD DS: Read-Only Domain Controllers 
Administrator Role Separation Configuration     
AD DS Auditing Step-by-Step Guide

Nice offer on a great Server Core book when you’re in the Netherlands! (and a little promotion of this blog)

For a limited time, Computer Collectief is offering books on Windows Server 2008 for a mere €10 each. While all these books would be great resources and a professional way to spend your holidays on the beach, I feel one particular book, should really make it to your reading list, when you’re working with Server Core installations of Windows Server 2008:

Windows Server 2008 Server Core Administrator's Pocket Consultant

This Microsoft Press book is the practical, portable guide to Server Core, written by Mitch Tulloch. This pocket-sized guide delivers ready answers for administering your Server Core installation and helps you out on the first version of Microsoft’s lean mean Windows server machine.

It helps you zero in on essential support and maintenance tasks using quick-reference tables, instructions, and lists. You'll get the focused information you need to solve problems and get the job done - whether at your desk or in the field!

By now, you might be wondering why I like this book… The reason is simple. On page xix, Mitch recommends this very blog:

Always good to know you’re already reading the right resources… and to help you out here’s a direct link to all Server Core-related blogposts on the DirTeam.com / Activedir.org Weblogs.

10 Things you need to be aware of before deploying Dynamic Access Control

Microsoft introduced Dynamic Access Control (DAC) as its claims-based authorization solution. It’s revolutionary, because it enables admins to more granularly control access to file resources, based on attributes of objects in Active Directory, like department, manager and country, instead of through an elaborate and obscure group membership structure and static Access Control Lists (ACLs) on files and folders.

Tip!
More information on actually configuring Dynamic Access Control can be found here.

If you want to go and use Dynamic Access Control in your environment, I feel you should be aware of these 10 things:

1. Dynamic Access Control is a v1 product.
   While Dynamic Access Control (DAC) is available in the Release to Manufacturers (RTM) version of Windows Server 2012, by no means, this implies the feature is as ready as you need it to be to be able to run it in your production environment. Many organizations hold off on introducing Microsoft technologies until v3 to avoid problems other organizations had with (for instance) Hyper-V in Windows Server 2008, SharePoint Portal Server 2001 and archiving in Exchange Server.
    
   I should not, however, that most of the time, the culprit is not faulty code, but incompatibilities with older platforms and applications. DACs incompatibility with Windows XP for instance, means 40% of organizations cannot deploy claims-based access natively to these clients.
      
2. Dynamic Access Control is currently limited to File Services only.
   While you might look to apply Dynamic Access Control (DAC) to accommodate rich authorization scenarios, with Windows Server 2012, you will only be able to use claims for authorization on File Services only. Claims-based Access Control is not available for Microsoft Exchange or Microsoft SQL Server. The consequence is you will need to deploy both a group membership-based access control solution and Dynamic Access Control throughout your organization.    
      
3. Token bloat is just around the corner with Dynamic Access Control.
   This coexistence, even if you only have File Services in your organization and you can quickly get rid of your group membership-based authorization solution, will lead to an initial growth in the tokens of your colleagues. The improved SID Compression in Windows Server 2012 might be enough to compensate for it, but it also might not. 
      
4. Calculating the expected ticket sizes is no longer straightforward.
   If you want to calculate what the impact on ticket size would be in your situation, then you would have a hard time doing so, because Microsoft KnowledgeBase article 327825 specifically mentions the following:
       
        Dynamic Access Control adds Active Directory Claims to the Ticket. Therefore,
        calculating the expected ticket sizes is no longer straightforward. The expectation
        is that tickets that are issued by Windows Server 2012 domain controllers are
        smaller than the same tickets that are issued from older operating system
        versions. Claims add to the ticket size. However, after Windows Server 2012 file
        servers are using claims broadly, you can expect to phase out a significant 
        number of your groups that control file access to trim ticket sizes.
     
   I think point 2 adequately addresses the issues surrounding the ability to trim ticket sizes.
    
5. Dynamic Access Control offers no Deny rules, only Allow rules.
   Microsoft has shifted from a security point of view on Identity and Access Management, to an access point of view. Instead of securing an environment by limiting people access, in recent Windows (Server) releases, you will have to specifically grant access before anyone can access a resource. The most prevalent situation where you can observe this shift is the difference in standard Share permissions between Windows XP, Windows Server 2003 (R2) and more recent Windows (Server) versions.
     
   From this new point of view, as an admin you won’t have to be using deny rights or permissions. You simply allow the people with the right attributes access.
       
6. Attribute integrity is getting more important
   As a consequence, attribute integrity is getting more important. When you want to allow access to full-time employees (FTEs) only, but lack the proper processes to convert a part-time employee to a full-time one, you will inadvertently deny access to people with even the slightest skew in attributes. Even Microsoft IT faced this problem in their first tests.
   
7. Naming conventions are important when deploying Dynamic Access Control
   Attribute integrity processes depend on naming conventions for locations, departments and descriptions. without them, your claims would not make sense or might not be as specific as you want them to be, because you’d build your claims-based access through ‘contains’ rules, instead of ‘equal to’ and ‘not equal to’ rules to address the situation.
     
8. There’s no built-in way to migrate Dynamic Access Control cross-forest.
   While the rules and policies used to define Dynamic Access Control-based access are stored in Active Directory, the current Active Directory cross-forest migration tool, the Microsoft Active Directory Migration Tool (ADMT) does not support migrating these rules and policies.
     
   When you can foresee a merger, divestiture or migration, putting of your Dynamic Access Control deployment might be a good idea.
       
9. There’s no/little support by 3rd party tools for managing DAC lifecycle.
   With the Dynamic Access Control (DAC) technology on the market for a year, we’re seeing little third parties delivering Dynamic Access Control-capable management tools and/or Dynamic Access Control integration with current 3rd party management tools. 
       
   The NetApp integration with Dynamic Access Control stands in stark contrast to this and its competitors.
     
10. You’ll need a File Classification strategy to fully profit from DAC
    Managing access to unstructured data is not magically more straightforward when you use Dynamic Access Control. However, when you use the File Classification Infrastructure (FCI) technology on Windows Server 2012-based File Servers in combination with Dynamic Access Control (DAC), it’s a different story. You can then grant granular access to files based on their contents. The dark side? You will need a file classification strategy, before you can actually tap into this potential.

I’ll be staffing at TechEd Europe 2013

After last year’s TechEd North America (Orlando) and TechEd Europe (Amsterdam), but specifically after last week’s TechEd North America (New Orleans), I’m excited to share with you that I’ve been selected to staff the Access and Information Protection booth at TechEd Europe 2013 (Madrid):

I’ll be at the Access and Information Protection booth at:

• Tuesday, June 25 12:30 – 13:30
• Wednesday, June 26 12:45 – 14:30
• Thursday, June 27, 14:30 – 17:00
• Friday, June 28, 11:15 – 13:45

When you’re also attending TechEd Europe 2013, drop by the booth and come say “Hi!”.

Common Challenges when Managing Active Directory Domain Services, Part 4: Attribute Integrity

Using Active Directory Domain Services as the solid foundation of your Identity and Access Management (IAM) strategy, results in common challenges for most organizations I meet. While the first three parts of this series have focused on objects and links between objects in the Active Directory database. Today, I want to talk about more ethereal stuff, concerning your Active Directory: I want to discuss the value in the actual properties of the objects in your directory, their attributes.

About attribute integrity

When I talk about attribute integrity, the thing that matters most is the way Identity and Access is evolving from a group membership and user-based security solution for domain-joined computers inside (the physical locations of) organizations to a solution based on granular access to resources, information and apps, based on assertions on people and devices.

I’ve written about this trend in a blogpost roughly 6 months ago. In it, I talked about how ForeFront Identity Manager (FIM), Active Directory Federation Services (AD FS), Active Directory Rights Management Services (AD RMS), Dynamic Access Control (DAC), Azure Active Directory, Office 365 and DirSync all leverage properties of user and computer objects in Active Directory Domain Services.

My conclusion back then was that wise Active Directory admins begin now to take care of attribute consistency throughout the identity lifecycle. Fields like Department, Manager (for user objects) and Primary User (for computer objects) are essential. Your current provisioning tool should force you to provide these attributes, processes should be in place to modify the correct attributes in the right way when someone changes department, gets promoted, gets demoted, etc. Furthermore, I recommended frequent audits should take place to trace attribute inconsistencies and proactively solve them.

The Dawn of the BYO Era

At TechEd North America, last week, my feelings towards the importance of attribute integrity grew even stronger. Also, the urgency of having processes in place to guarantee attribute integrity dawned on my.

These two new Windows Server 2012 R2 technologies made me feel attribute integrity is now both important and urgent:

WorkPlace Join

A new feature in Windows Server 2012 R2 is the ability to more loosely couple devices and computers to Active Directory. Next to the exclusive Active Directory domain join, a new join will become available: WorkPlace Join.

This new type of coupling allows for devices to attain a level of trust through a certificate, that allows single sign-on from the device to corporate resources, both on-premises and in the cloud. As an admin you can provide granular access to resources based on whether or not a WorkPlace Joined device is being used or not, whether the users primary device is used on or off the corporate network or whether an untrusted device is used.

I think you can guess where I’m heading with this: the relationships between devices and colleagues is based on object attributes.

Web Application Proxy

The Web Application Proxy allows admins to publish claims to the Internet through a secure proxy for cloud-based applications, partners and vendors. Whenever I read claims, I think of attributes.

The Challenge

When you want to take advantage of these new Bring Your Own (BYO)-inspired Microsoft technologies in Windows Server 2012 R2, attribute inconsistencies will stand in your way of adoption.

When attributes are inconsistent, access to files, apps, partners and cloud functionality becomes inconsistent. If you think it won’t happen to you, think twice. During the first internal Microsoft deployment of Dynamic Access Control, attribute inconsistency was the first encountered problem; in the past a user account was incorrectly changed from a temp to an FTE, resulting in Access-denied situations. You’d think Microsoft, of all companies, knows how to manage Active Directory.

(Part of) The Solution

Unfortunately, no turnkey solution exists to eradicate attribute inconsistency throughout your networking environment. However, the following pieces of action exist to remedy the situation:

Optimizing communication

First of all, your biggest problem is not that attributes for users and devices have become inconsistent, but the way these inconsistencies were (unnecessarily) introduced.

Before you can go and perform a meaningful and long lasting spring cleanup of the data in Active Directory, you will need to have a plan of what the information in Active Directory should look like and how to keep the information up to date. This should be captured in a design and corresponding policies with accompanying management procedures and auditing.

Tip!
Needless to say, this design, the policies and procedures should be kept up to date and thus reviewed regularly

Use a (de)provisioning tool and/or script

Now, part of these procedures for optimizing communication, in some organizations Human Resource (HR) Departments are granted delegated control to create and/or manage objects. These colleagues should be provided with a tool and/or script to perform their management tasks. Whether you opt for a GUI on top of your PowerShell scripts or turnkey solutions like Z-Hire and Z-Term, is up to your needs.

Even if you’re not delegating control, one of the things we can learn from the management approaches for Online Services like Microsoft’s Office 365 is to use a script whenever possible. My rule of thumb has become to perform a repeatable action with a script the third time around.

Perform your attribute spring cleanup

With (naming) policies in place, attribute inconsistencies don’t magically disappear. You will need to actively search for these inconsistencies and solve them. The most straightforward way I know is to make an export from Active Directory with csvde.exe, open the export in Microsoft Excel (Web App) and search for inconsistencies by sorting in columns and/or validating data.

Tip!
If you’re not into Microsoft Excel, you can also use Google Docs to this purpose. Spreadsheets in Google Docs allow for sorting and data validation. On the other hand, you’d probably want to keep the information on your colleagues on-premises instead of in a 

After identifying the inconsistencies, target the specific rows (users, devices, groups) and change offending attributes to what they’re supposed to be, with scripts.

Audit attribute integrity

Don’t think, after you’ve performed a spring cleanup of your Active Directory, attributes will be fine for the rest of your career. You should perform regular sample surveys to proactively detect attribute (and thus process and/or policy) inconsistencies. Auditing changes to Active Directory objects might allow you to find offending colleagues who (unintentionally) specify inconsistent attributes.

Blocking and/or workflowing attribute changes

A more complete strategy to prevent attribute inconsistencies is to block or workflow changes to attributes. Solutions like Dell’s ActiveRoles, STEALTHbits’ StealthINTERCEPT might work wonders in your environment to prevent unintentional changes to attributes. Custom solutions based on System Center Orchestrator and/or the Windows WorkFlow Foundation in SharePoint, might also make for a more organization-friendly, but more labor-intensive solution.

Concluding

Attributes integrity is getting more and more important in Identity and Access Management (IAM). When you want to take advantage of new Microsoft technologies, like the new Windows Server 2012 Dynamic Access Control, Office 365 single sign-on, or the BYO solutions in Windows Server 2012 R2, attribute inconsistencies will stand in your way of adoption.   

Related blogposts

Common Challenges when Managing AD DS, Part 1: Security     
Common Challenges when Managing AD DS, Part 2: Unnecessary Complexity, Token Bloat  
Common Challenges when Managing AD DS, Part 3: Performance
Why Active Directory attribute integrity is getting more important (and you should care) 

Further reading

Windows Server 2012 R2 Active Directory Embraces BYOD    
TechEd 2013: Windows Server 2012 R2 and System Center 2012 R2 Unveiled 
BYOD scenarios will become great in Windows 8.1 and Windows Server 2012 R2

The first official Dutch Microsoft Surface Pro

The proud owner of the first official Dutch Microsoft Surface Pro is … me.

Yesterday evening, Microsoft Netherlands organized a Pre-Launch Party for the Surface Pro. The event was hosted by the Windows Client Marketing Team from the Dutch Microsoft subsidiary and located at the Microsoft Brand Store in the busy Kalverstraat of Amsterdam:

I won the device during a pub quiz in four rounds.

The first round was a team round, where teams had to answer 22 multiple-choice questions. Most of these questions were around Microsoft (history), but also a couple of music-related questions were asked. Our team (dubbed Team 42) won this round by answering 14 questions right. With Helmer Zandbergen and Martien de Kleijn in our team, our team was the strongest team.

In the second round, we had the opportunity to answer 5 multiple choice questions. All four of us had four correct answers. We then proceeded to a shoot out question (round three), which none of us knew the answer to. The last question was a question on the number of active users of HotMail and Outlook.com in the Netherlands in May 2013, according to ComScore.

My guesstimate of 8 million wasn’t too far off and won me the Surface Pro device:

Since the Surface Pro device is available in the Netherlands from this morning, the Surface Pro I won is the first official Dutch Microsoft Surface Pro. If you want your own Surface Pro, you can buy one in a store near you, or online in the Microsoft Store Online.

KnowledgeBase: Incorrect results when you run AD Windows PowerShell Cmdlets on a Windows Server 2012 or Windows Server 2008 R2-based Domain Controller

Windows Server 2008 R2 and Windows Server 2012-based Domain Controllers (as well as Windows 7 and Windows 8 management workstations with the Remote Server Administration Tools installed) offer the built-in ability to manage Active Directory through PowerShell. Windows 7 and Windows Server 2008 R2 offer 76 Active Directory Management PowerShell Cmdlets and 15 Active Directory Provider PowerShell Cmdlets. Windows 8 and Windows Server 2012 offer 68 additional PowerShell Cmdlets.

Last month, Microsoft fixed an issue in these PowerShell Cmdlets in combination with User Account Control (UAC), where you would get incorrect results when you run Active Directory PowerShell Cmdlets on a Windows Server 2012 or Windows Server 2008 R2-based Domain Controller with UAC enabled.

The situation

Microsoft has identified two scenarios where you would get incorrect results:

Situation 1

In the first situation, you would still get Access Denied messages, when you log on to a Domain Controller with UAC enabled and you start (the Active Directory Module for) Windows PowerShell elevated as an administrator (not the built-in administrator account) to open another PowerShell window, after you’ve previously started it directly without promoting it by using administrator privilege.

The screenshot below shows this situation:

Situation 2

In the second situation, you first start (the Active Directory Module for) Windows PowerShell elevated as an administrator and then perform a similar action in a second instance of (the Active Directory Module for) Windows PowerShell that is not elevated. In this case the action would succeed.

The resolution

Workarounds

Several workarounds are available to address the specific issues:

• Do not log on interactively to Domain Controllers to perform actions in Active Directory. Instead use the Remote Server Administration Tools.
• Do not log on interactively to Domain Controllers but instead use Windows PowerShell from a (Windows 7 or Windows 8-based) management workstation or (Windows Server 2008 R2 or Windows Server 2012-based) management server.

Also, the built-in Administrator account does not encounter the situations above, since User Account Control (UAC) does not apply to the built-in Administrator account (the account with RID 500). All programs will be run with all privileges. While I strongly condemn the interactive use of this account, using it is a workaround for the specific situations mentioned above.

Hotfix

Hotfixes are available to address this issue:

For Windows Server 2012-based Domain Controllers, install the May 2013 update rollup, as described in Microsoft KnowledgeBase article 2836988. You must restart the Domain Controller(s) after you apply this update.

For Windows Server 2008 R2 and Windows Server 2008 R2 with Service Pack 1-based Domain Controllers, install update 2806748. You must restart the Domain Controller(s) after you apply this update.

Related KnowledgeBase articles

2806748 Incorrect results when you run AD Windows PowerShell Cmdlets on a Windows Server 2012 or Windows Server 2008 R2-based Domain Controller 
2836988 Windows 8 and Windows Server 2012 update rollup: May 2013  

Related blogposts

New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets  

Further reading

Use Windows PowerShell Commands in Windows Server 2012
Active Directory Cmdlets in Windows PowerShell
Introduction to Active Directory Replication and Topology Management Using PowerShell
Advanced Active Directory Replication and Topology Management Using PowerShell
Windows Server 2012 AD DS Administration Cmdlets in Windows PowerShell
PowerShell oneliners to get information about your Active Directory infrastructure

KnowledgeBase: AD DS Best Practices Analyzer fails after you add an OU whose name contains XML escape characters to a Domain Controller in Windows Server 2012

Microsoft identified an issue, where scans of the Active Directory Domain Services Best Practices Analyzer (BPA) fail.

About the AD DS BPA

Microsoft’s Best Practices Analyzers (BPAs) offer guidance on avoiding 80% to 90% of situations that lead to system unavailability and data loss.

Since Windows Server 2008 R2, the Server Manager application in Windows Server allows for scans of Server Roles. The Best Practices Analyzer for Active Directory Domain Services in Windows Server 2012 includes 43 recommendations, ranging from the recommendation to deploy at least two Domain Controller per Active Directory domain to configuring adequate time synchronization for the Domain Controller holding the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role.

Together with the Best Practices Analyzer for File Services and the Best Practices Analyzer for DNS Server, a clear picture emerges on how Domain Controllers should be configured.

The situation

When you have Windows Server 2012-based Domain Controllers and you add an Organizational Unit (OU) to the Domain Controller, where the name of the OU contains some XML escape characters and you create some user accounts or computer objects in the OU for which you enable the Use Kerberos DES types for this account setting, like in the screenshot below:

Then, when you try to run the AD DS Best Practices Analyzer, it fails with error:

BPA scan did not complete for Active Directory Domain Services on one or more servers.

When you walk through the three notifications in the lower pane, you will find a more detailed error mentioning An error occurred while parsing EntityName.

The cause

This issue occurs because characters in the name of the Organizational Unit (OU) that should be escaped are interpreted incorrectly as XML markup. The characters that cause the problem are:

• Quote ( " )
• Apostrophe ( ' )
• Ampersand ( & )
• Less than ( < )
• Greater than ( > )

These characters, however, are allowed in the names of Organizational Units, according to Microsoft KnowledgeBase 909264 (Naming conventions in Active Directory for computers, domains, sites and OUs).

The resolution

You can solve the situation of the failed BPA scans in three ways:

1. Rename Organizational Units that contain objects with the Use Kerberos DES types for this account setting enabled to not contain XML escape characters.
     
2. Disable the Use Kerberos DES types for this account setting on objects residing in Organizational Units with names containing XML escape characters.
     
3. Install the Hotfix for this specific problem.

Each of these three methods will result in the ability to successfully run Active Directory Domain Services Best Practices scans.     

Related KnowledgeBase articles

2832338 AD DS Best Practices Analyzer fails after you add an OU whose name contains XML escape characters to a domain controller in Windows Server 2012 
977321 KDC Event ID 16 or 27 is logged if DES for Kerberos is disabled  
909264 Naming conventions in Active Directory for computers, domains, sites, and OUs 

Further reading

Introducing AD DS Best Practices Analyzer 
What's New in AD DS: Active Directory Best Practices Analyzer in Windows Server 2012 
Best Practices Analyzer for Active Directory Domain Services  
[VIDEO] Windows Server 2008 R2: Active Directory Best Practices Analyzer 
Changes in Kerberos Authentication 
DES encryption, Kerberos and 2008 Server

Common Challenges when Managing Active Directory Domain Services, Part 3: Performance

Domain Controllers are the backbone of many networking environments in many organizations. Unavailability and a lack of performance of these servers quickly escalates into numerous helpdesk calls and employee disgruntlement.

Many admins opt to beef up Domain Controllers with larger amounts of RAM, more processor power and more capable networking interface cards (NICs). Another avenue is to optimize the contents within the Active Directory database. Here’s how.

The challenges

Caching the Active Directory Database

Every object in Active Directory takes up space in the Active Directory database (ntds.dit). For performance, the Active Directory databases is cached into RAM by Domain Controllers, since accessing data on Random Access Memory is way faster than accessing data on traditional hard disks and solid state disks. When parts of the Active Directory database are not cached in memory, these parts will be significantly slower compared to parts that are.

Keeping the Active Directory database as small as possible is key to Domain Controller performance, especially on (x86-based 32bit-only) hardware that can no longer be beefed up and on Windows Server installations that don’t support more processors or RAM, like Windows Server Standard Edition in previous versions of Windows Server.

While many large Active Directory databases have grown steadily throughout the years, new functionality might lead to sudden growth. Storing user photos and BitLocker recovery information in Active Directory without proper planning will quickly result in poor Active Directory performance.

Indexing of attributes

Indexing an attribute helps queries find objects that have that attribute more quickly and efficiently than if the attribute had no index. The Active Directory directory service index is built automatically by a background thread on the directory server, instead of being created through a query at the moment you need it (and then have to wait for it).

By default, some attributes in Active Directory are indexed. You can index additional attributes for objects, when you (or your application’s vendor) feel this might improve the performance of queries for the attributes.

(Part of) The solution

Properly plan Domain Controllers

When introducing a Domain Controller to a networking environment, ideally, you should make sure you enable the Domain Controller to make it through its economic lifetime without major problems. In most organizations, this means:

• Comply with Best Practices
  The Active Directory infrastructure needs to comply with Microsoft’s best practices, since these make you avoid 90% of the situations where data loss might occur. Typical best practices include placing at least two Domain Controllers per Active Directory domain and making regular backups of Domain Controllers. The Active Directory Best Practices Analyzer (AD BPA), available since Windows Server 2008 R2, can help you make your environment compliant.
   
• Properly dimension Domain Controllers
  Domain Controllers need to be dimensioned to handle the load for four to seven years (their typical economic lifetimes). This means you need to make sure free disk space is adequate to accommodate the Active Directory database and leave sufficient disk space for online and offline defragmentation.
    
• Install Domain Controllers with supported Windows Server versions
  Two Domain Controllers might exhaust your budget, but, economically, avoiding the risk of data loss will aid your business case swing in the right direction. Another argument for making the right choices (like not implementing new Windows Server 2003-based Domain Controllers) is, economically it’s more efficient to only implement the environment once (instead of having to migrate it later on). Procrastinating during the planning phase doesn’t pay off.

These planning thoughts, however, are to no use, when your Active Directory infrastructure is suddenly experiencing a performance impact.

Reducing the size of the Database

Reducing the Active Directory Database size will increase the performance of Active Directory on improperly dimensioned Domain Controllers. Not only does this imply only the necessary objects are created, but also that unnecessary  objects are gone from the database. The latter is not as easily achieved as you would think, though.

Creating only necessary objects

Let’s start by only creating necessary objects. Since every object in the database consumes at least 4KB in the Active Directory database size, every object that is reused or relabeled saves 4KB both on disc and in RAM. Every large attribute that is stored as efficiently as possible will prevent database bloat.

Part 1 of this series on stale objects and Part 2 of this series on unnecessary complexity and token bloat are good takes on how to successfully achieve this goal within your organization.

Deleting unnecessary objects

The second part would be to keep only the previously created necessary objects, and toss out the unnecessary objects. The first part would be to identify these objects, then deleting them and then the third part would be to take out the trash.

Identify unnecessary data

Unnecessary data appear in many shapes and forms in Active Directory. They can be user accounts, computer accounts, groups, managed service accounts, fine-grained password policies, Active Directory sites, Active Directory-integrated DNS data and Active Directory replication-related data, like old InvocationIDs.

Most of the data won’t take up much space, unless you’re really putting your Active Directory environments through their backup and restore paces. One of the situations in which a new InvocationID is created is a successful non-authoritative Domain Controller restore. This is not something you should be needing to do on a daily basis…

Delete unnecessary objects

Once you’ve identified unnecessary objects, you can delete them. If you paid attention while reading this blog through the years, you should know by now that deleting in Active Directory does not immediately result in a smaller Active Directory database size. That’s because you need to take out the trash.

Take out the trash

When you delete an object in Active Directory, it becomes tombstoned. With the Active Directory Recycle Bin enabled, items become recyclable for a period of time and then tombstoned. Only after the tombstone lifetime period, the object is deleted from the database.

While this deletion helps the performance of Active Directory in terms of caching the database, it merely creates whitespace (slack) in the database. This whitespace does not result in a diminished size of the database on disk.

To diminish the database size on disk, you will need to offline defragment the Active Directory database as described in Microsoft KnowledgeBase article 232122:

1. Reboot the Domain Controller, select the appropriate installation from the boot menu, and press F8 to display the Advanced Options menu. Choose Directory Services Restore Mode and press ENTER. Press ENTER again to start the boot process.
2. Log on using the Administrator account with the password defined for the local Administrator account in the offline SAM. 
3. Open a Command Prompt. At the command prompt, type ntdsutil.exe, and then press ENTER.
4. Type files, and then press ENTER.
5. Type info, and then press ENTER. This displays current information about the path and size of the Active Directory database and its log files. Note the path.
6. Establish a location that has enough drive space for the compacted database to be stored.
7. Type
     
        compact to drive:\directory
       
   Where drive and directory is the path to the location you established in the previous step. Then press ENTER.
        
        Note:
        You must specify a directory path. If the path contains any spaces, the entire
        path must be surrounded by quotation marks. For example, type: 
          
               compact to "c:\new folder" 
      
8. A new database named Ntds.dit is created in the path you specified.
9. Type quit, and then press ENTER. Type quit again to return to the command prompt.
10. If defragmentation succeeds without errors, follow the Ntdsutil.exe on-screen instructions. Delete all the log files in the log directory by typing the following command: 
        
         del drive:\pathToLogFiles \*.log
        
    Copy the new Ntds.dit file over the old Ntds.dit file in the current Active Directory database path that you noted in step 6.
        
         Note:
         You do not have delete the Edb.chk file. 
        
11. Restart the computer normally.

Depending on the amount of whitespace (slack) in the database, you will need up to 100% more disk size to perform an offline defragmentation.

Index often-queried attributes

When you identify typical Active Directory actions with poor performance, you might opt to index the queried attribute. An example would be an Active Directory-integrated application that references a specific attribute. In that case, you can speed up the action by marking the attribute as an indexed attribute in the Active Directory schema.

The procedure for this is:

1. Open the Active Directory Schema snap-in (schmmgmt.msc).
2. In the left-hand pane, click Attributes.
3. In the right-hand pane, right-click the attribute that you want to index, and then click Properties.
4. Click Index this attribute in the Active Directory and click OK to save the change.
5. Close the Active Directory Schema snap-in.

Your Domain Controllers will now build an index for that attribute.

When you’re using Windows Server 2012-based Domain Controllers, however, you might have enabled Deferred Index Creation. In that case, you might need to perform a UpdateSchemaNow rootDSE mod or reboot your Domain Controllers before they start building the index.

Concluding

Optimal performance of Active Directory is not just the art of throwing sufficient hardware at it. Keeping your Active Directory database tidy may have a significant impact on performance, depending on the amount of RAM in your Domain Controllers, the amount of slack in the database and whether crucial attributes are indexed.

Related blogposts

Domain Controllers: Standard, Enterprise or Datacenter? 
New features in AD DS in Windows Server 2012, Part 15: Deferred Index Creation  

Related KnowledgeBase articles

232122 Performing offline defragmentation of the Active Directory database   
257218 Default Active Directory Attributes in the Windows 2000 Schema  
307323 AD replication delayed when indexed attributes rebuilt during schema upgrade
307219 Replication Stops After Active Directory Schema Update

Further reading

How to Index an Attribute in Active Directory  
Indexing in Active Directory
attributeSchema Objects
rootDSE Modify Operations
ADSI Edit (adsiedit.msc) 
Memory Limits for Windows Releases

Common Challenges when Managing Active Directory Domain Services, Part 2: Unnecessary Complexity and Token Bloat

A lot of organizations run Active Directory Domain Services as their Identity and Access Management (IAM) solutions. Their Domain Controllers unlock access to the simplified view on the organization’s processes, structure and systems, so people can perform the jobs they were hired to do.

Now, not every organization acknowledges the importance of an up to date and lean Active Directory environment. In this series, I will show you four of the key challenges involved with managing Active Directory for any organization and how to solve them. This series will focus most on the data inside the Active Directory database, instead of the actual technical implementation of Domain Controllers and such. My first post in this series addressed stale objects and their security risks.

The challenge

Today, we’ll dive deeper into unnecessary complexity within the Active Directory database on your Domain Controllers. When I talk about unnecessary complexity, I’m mostly referring to a group structure in Active Directory where groups, organizational units (OUs) and access control lists (ACLs) were once used to mimic the structure of the organization and its systems, but where this structure has been circumvented, misunderstood and/or neglected, resulting in duplicate group memberships and improper nesting.

This type of misconfiguration leads to:

• Inability to audit (see who has access where, why and since when)
• More time needed to resolve common issues like granting or revoking access
• More time needed to get acquainted with the environment for new admins
• Deviance of Microsoft’s best practices, resulting in a higher risk of data and productivity loss
• Token bloat

Of these consequences, token bloat is the most serious.

Token bloat

Active Directory uses Kerberos v5 as one of its authentication protocols, based on RFC 1510. As part of the Kerberos authentication process, a Kerberos token is generated. This access token is created for the user containing all security groups to which they belong. These memberships will be enumerated. The group memberships are used for authorization purposes.

The amount of groups a user belongs to and sIDHistory determine the size of the access token. Since this token has to be transferred over the network and cached in memory, size matters. A smaller access token results in faster logon times and improved system responsiveness. Large access tokens will result in unreliable logon experiences.

As Microsoft has set a maximum to the size of the access token, eventually, users with many group memberships will be unable to log on. The MaxTokenSize is set to 8,00 bytes in Windows 2000 Server pre-SP2 and 12,000 bytes in Windows 2000 Server SP2+, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2, by default. In Windows Server 2012, the default value is set to 48,000 bytes to accommodate for Dynamic Access Control.

(Part of) The solution 

In the case of unnecessary complexity, Active Directory should be cleaned up. However, it’s idealistic to think you and your organization can start over, design a new view of your organization and be done with it.

Optimizing communication

First of all, the root of the problem is not the unnecessary complexity, but the way this complexity was (unnecessarily) introduced by admins who were not clear with the procedures to manage objects, grant access and revoke access. Another cause might be an overhaul of the business without Active Directory ever getting remodeled to the new situation.

Before you can go and perform a meaningful and long lasting spring cleanup of the data in Active Directory, you will need to have a plan of what the information in Active Directory should look like and how to keep the information up to date. This should be captured in a design and corresponding policies with accompanying management procedures and auditing.

Tip!
Needless to say, this design, the policies and procedures should be kept up to date and thus reviewed regularly.

Mitigating factors

If you’re running into Token Bloat situations, you can opt to increase the MaxTokenSize, on all your servers and workstations, but this will only fix this problem in the short run. Communication, processes and cleanup will fix your environment in the long run. It might, however, be helpful to perform the following actions:

• Upgrade or migrate Domain Controllers running versions of Windows Server before Windows Server 2012. The improved Resource SID Compression feature in Windows Server 2012 helps reduce the size of the access token.
• Clear sIDHistory. sIDHistory is a method of retaining old SIDs and thus group memberships for access in Active Directory migration scenarios. As a result, when a user with sIDHistory logs on, the access token will contain both the information for the new Active Directory environment and the old environment.
• Limit the number of users that are configured to use trusted for delegation. For accounts that are configured to use "trusted for delegation" the buffer requirements for each SID may double.

Cleanup

With the policy in hand, you can now dig into your Active Directory and clean things up. Naming conventions for groups and accounts can be executed upon and kinks in group memberships can be ironed out.

A couple of solutions exist today to help you with Active Directory inventory and cleanup.

When it comes to group inventory, and especially the effective rights on a NTFS folder gained by group membership, the amount of available tools diminishes fast. STEALTHbits offers a free StealthAUDIT Active Directory Assessment aiming at the above issues, able to report on:

• Circular, improper and deep nesting
  In Microsoft’s best practices for Active Directory, the AGULP (Account, Global Groups, Universal Groups, Local Groups, Permissions ) principle is used to nest groups into groups. However, when fully anticipating for all Active Directory use cases, token bloat is easily encountered.
    
• Empty groups
  A group without members might indicate an unnecessary group.
     
• Direct and effective duplicate group membership
  Groups with direct of effective duplicate membership are prime targets to be consolidated. One or more groups can be consolidated based on the outcome to minimize token size and to minimize the possibility of admin adding a group or user to the wrong group.
    
• Stale groups
  When a group has a large percentage of members that have been inactive for a period of time, the group may be stale and thus ready for consolidation.
   
• Groups without a description or manager
  Documentation within Active Directory to indicate the use of a group is stronger than documentation in an (offline) manual or procedure. Descriptions can be used to identify the right group membership for the right purpose. The Managed by attribute has many uses, both inside and outside Active Directory.
   
• Groups with a large percentage of users
  Active Directory comes with built-in groups. These groups can be used to govern access within the environment. Groups with a large percentage of users might indicate the group might better be replaced with one of the built-in groups, like Authenticated Users.

The graphical output looks like this:
(only a portion of the Toxic Group Conditions report is shown below)

Unfortunately, the free StealthAUDIT Active Directory Assessment does not offer the much coveted effective rights report, showing who has access where (on File Servers, in Exchange) based on Active Directory group memberships and Dynamic Access Control. When you want this functionality, StealthAUDIT Data & Access Governance is the suite you might want. The free StealthAUDIT Active Directory Assessment, however, will give you a fair preview of what you might expect from the full platform.

An alternative solution

As an alternative to using group memberships as your access management strategy, you might opt to implement Dynamic Access Control (DAC). This new feature in Active Directory Domain Services in Windows Server 2012 offers a way to manage access to files and folders, based on attributes in Active Directory (fields like location, manager and department) and (optionally) file classification. No longer will you need to create thousands of groups to build a granular access solution. As a bonus, you can create far more robust access rules.

In contrast to group memberships, in Dynamic Access Control scenarios, access is granted based on attribute values. These attribute values result in claims. These claims are then used for authorization purposes, where filtering is done based on the combination of claims.

To migrate to an environment where authorization is based on claims instead of group memberships, the two authorization methods, most likely, need to coexist for a while. To remediate Token Bloat in this situation, increasing the MaxTokenSize throughout your environment is a good temporary fix.

Concluding

Only after you’ve created a policy and processes within the organization will you, your admins and your auditors, be able to model your Active Directory environment to your organization and enjoy easy Identity and Access Management…

Related blogposts

Common Challenges when Managing Active Directory Domain Services, Part 1: Security 
New features in AD DS in Windows Server 2012, Part 20: Dynamic Access Control (DAC)   
New features in AD DS in Windows Server 2012, Part 21: Resource SID Compression    
How to search for groups of different type and scope 
Groups and tokens 

Further reading

MaxTokenSize and Kerberos Token Bloat
Avoiding Token Bloat in Your Active Directory Group Design - Part 1 
Avoiding Token Bloat in Your Active Directory Group Design - Part 2 
Active Directory token bloat & group glut 
Strategies for minimising 'Token Bloat' 
Kerberos Explained

I’ll be staffing at TechEd North America 2013

A while ago, I received a mail from TechEd. In it, the TechEd North America Staff Communications team congratulated me with being selected to participate as product subject matter expert, learning guide or ambassador at TechEd North America 2013!

For last year’s TechEd North America in Orlando, I also was selected for this role and could be found at the booth labeled Active Directory / Dynamic Access Control for most of the opening hours of the TechExpo.

This year, the booth is relabeled to Access and Information Protection.

I will be there for most of the opening hours of the TechExpo, not just the hours I’m scheduled to be there. The reason for what sounds like sheer dedication (ahum) is pretty logical, though. Staffing the booth of your main interest at an event like TechEd is one of the most rewarding activities for the loads of feedback on both the technology and this blog, interaction with Microsoft PMs and the endless ability to practice answering questions like “What’s Dynamic Access Control?” quickly. These activities allow me to build inspiring, up to date and relevant presentations and demos.

I’ll be at the Access and Information Protection booth at:

• Monday, June 3 12:00 PM – 2:00 PM
• Tuesday, June 4 12:15 PM – 2:30 PM
• Thursday, June 6, 10:45 PM – 12:45 PM

Also, you can find me at the Ask The Experts evening event on Tuesday, June 4 6:30 PM – 8:30 PM. This event is designed to give TechEd attendees the opportunity to interact directly with product group members and other experts in a more informal setting. The goal of the evening is to allow for a free flow of questions and answers between attendees and speakers and other experts.

When you’re also attending TechEd North America 2013, drop by the booth and come say “Hi!”.

Common Challenges when Managing Active Directory Domain Services, Part 1: Security

In many organizations Active Directory Domain Services is the top tier in access management. Access to systems, information and connections, often, is governed by information in Active Directory. User objects and computer objects play a big role in this model, since they represent actual physical objects within the organization.

Now, not every organization acknowledges the importance of an up to date and lean Active Directory environment. In this series, I will show you four of the key challenges involved with managing Active Directory for any organization and how to solve them.

This series will focus most on the data inside the Active Directory database, instead of the actual technical implementation of Domain Controllers and such.

The challenge

Today, I want to talk to you about stale user objects and stale computer objects. From a security point of view, these objects represent a real security risk to your organization.

Stale user objects

Depending on the process surrounding creating user objects, these objects are usually created with a predefined password. This makes the tasks of creating an account and communicating the account to the actual colleague two separate tasks, that can be carried out by two different persons at two different times.

Alas, the delegation of work does not outweigh the security risk involved with tens, hundreds or even thousands of user objects that can be brute forced for their password , most of the time configured with a default password for new accounts (Welcome123 and P@ssw0rd come to mind). Tools like Zohno’s free Z-Hire, I discussed last year, have the explicit option to provide a default password (but not generating one) per template.

One of the other factors that don’t help in the situation with stale user objects is that account lockout settings are non-existent in default Active Directory implementations.

Stale computer objects

Stale computer objects are even worse than stale user objects from a security point of view. By default computer accounts have broader access to information in Active Directory and by default, the password for the security channel used to be a default derivation of the hostname as explained in Microsoft KnowledgeBase article 255042 on How to make machine accounts programmatically by using ADSI with Visual C++:

The initial password for the machine account must be set to the name of the computer in lower case.

Using net use from a non-domain joined computer using the computer account (the NetBIOS hostname) and the default password for the computer account, a malicious person might gain access to data in Active Directory, on file servers and in Exchange public folders, as explained by Marcus Murray in his Live demonstration about some of the ways hackers attack [PDF] on page 11.

Luckily, by default a domain-joined computer will change its computer password at a regular interval. This means, the security concerns surrounding stale computer objects only apply to the first week or month of the lifecycle of the computer object, depending on the Operating System of the domain-joined machine:

A more permanent solution to the problem was introduced with Windows 7 with Offline Domain Join. Not only does this Active Directory Domain Services-related feature offer the ability to join a computer to an Active Directory domain without a networking connection between a Domain Controller and the computer to be joined. Its communication streamlining also applies to every domain join, as I covered earlier in my blog post on the Top 5 Myths on Offline Domain Join.

(Part of) The solution

A lot of times, the root cause of stale objects in Active Directory is the lack of (procedures for the) interaction between an HR department (who known who were hired and fired), a facilities department (who knows where computers are located) and the IT department (who need to make these changes to keep Active Directory up to date).

Optimizing communication

Optimizing communication between the HR, facilities and IT departments should be your main focus when trying to solve the situations surrounding stale user objects and computer objects. A process-based approach would best suit tackling this.

Mitigating factors

Processes will save you in the long run, but as an Active Directory admin, there’s also a couple of things you can do right now. You can take action to prevent most of the security breaches, by:

• configuring Account lockout policies in Active Directory
• configuring new user objects with randomly generated complex passwords
• migrating client computers to Windows 7 and/or Windows 8

Cleanup

With the long term covered with processes and the biggest security problems tackled, the only task left is the perform a cleanup in the Active Directory database.

You might want to get rid of:

• Computer objects that have not been used to log onto in the last 30 days
• User objects that have not been used to (interactively) log on ever
• User objects that have not been used to (interactively) log on in the last 30 days.

Cleaning stale computer objects

To detect stale computer objects, Microsoft has released a script as part of Knowledgebase Article 197478 that, under the hood, uses nltest.exe to check the PasswordLastSet output. Several PowerShell scripts exist that check the PwdLastSet (script) or lastLogonTimestamp (script) attributes directly in the Active Directory database. Joe Richards’ command-line tool oldcmp.exe is one of the leanest tools available to tackle the problem, while many other 3rd party solutions offer the functionality as part of a more elaborate reporting solution.

Many of these Active Directory reporting  solutions will set you back a fair amount of budget, but STEALTHbits’ free StealthAUDIT Active Directory Assessment will both report on stale objects in bar graphs and will output its findings in XML-based files, ready for your PowerShell scripts. Since StealthAUDIT uses its own Microsoft SQL Server database, the load on your Domain Controllers when being examined remains minimal.

When you use these tools, you might find a surprising list of computers that have been identified as stale, but purring away peacefully as part of every day operations… This situation can be caused by settings that disable computer account password resets. Always browse through the list with inactive computer objects, before accidentally deleting active computer objects.

Tip!
Protection from Accidental Deletion on individual computer objects might help preserving often targeted computer objects

Tip!
Before performing any cleanup actions, would be an excellent moment to  enable the Active Directory Recycle Bin.

Cleaning stale user objects

Stale user objects can be targeted with much of the same 3rd party tools. Again, a load of scripts can be used to find (and remove) unnecessarily created user objects.

When running Windows Server 2012 and Windows Server 2008 R2-based Domain Controllers you can also use the Global Search functionality in Active Directory Administrative Center (dsac.exe). The Global Search option has a couple of helpful default criteria, that help you identify dangerous user objects. Below is a view on the criteria in the Windows Server 2012 Active Directory Administrative Center:

Obviously, the stale user objects that have the most potential to be used to wreck your environment would be:

• enabled user objects
• user objects without a password expiration date
• user objects that have not been used to log on for more than 30 days.

Clicking on the Search button, would return a list with objects that need the attention of an Active Directory admin. Now, the list should not be considered as input to a script, since several reasons exist why user objects appear as stale, but still need to be retained:

• User objects belonging to colleagues on maternity leave, sabbatical, etc.
• User objects belonging to services that don’t log on interactively

From the list in the Active Directory Administrative Center you can easily pick the user objects you want to delete and disarming them by either right-clicking the selection and select Delete or Disable all from the context menu or pressing the Del button on your keyboard.

Concluding

Stale objects in Active Directory pose a significant security risk. You can address these risks by introducing processes to control the lifecycle of objects in Active Directory. Additionally, you can take actions to clean up your Active Directory.

Related blogposts

Tip: Zohno’s Z-Hire & Z-Term (freeware)   
Top 5 Myths on Offline Domain Join 

Related Microsoft Knowledgebase articles

154501 How to disable automatic machine account password changes  
255042 How to make machine accounts programmatically by using ADSI with Visual C++ 
197478 How to detect and remove inactive machine accounts

Further reading

SIA338: Authentication & Passwords, The Good, The Bad & The Really Ugly 
Active Directory Recycle Bin Step-by-Step Guide 
What's New in AD DS: Active Directory Administrative Center 
Using Active Directory Administrative Center in Windows Server 2008 R2 
Finding Stale Accounts in Active Directory 
Active Directory: How to identify inactive computer accounts 
Detecting and Removing Stale Computer Accounts in Active Directory 
Active Directory True Last Logon

Active Directory Services and their System Center Management Packs

As you might be aware, every Microsoft technology has the requirement to be manageable through PowerShell and System Center. Manageability through System Center is done through Management Packs. (MPs).

While I discussed the PowerShell manageability stories for the five Active Directory services last Saturday, below is the overview of the availability and functionality of the Management Packs (MPs) for the five Active Directory services:

Active Directory Domain Services

For Windows Servers running the Active Directory Domain Services as Domain Controllers, a System Center Management Pack has been available for ages, even before the products responsible for management were labeled ‘System Center’ (System Center Operations Manager was called MOM Server and System Center Configuration Manager was called SMS Server).

The Active Directory Domain Services Management Pack for System Center provides both proactive and reactive monitoring of your Active Directory deployment. It monitors events that various Active Directory components and subsystems place in the Application, System, and Service event logs. It also monitors the overall health of the Active Directory system and provides alerts for critical performance issues.

When used with the Management Pack for the Windows Server Operating System, the DNS Server Role, File Services, Group Policy and DFS Replication, a complete management view starts to emerge, where you can monitor the health of your Domain Controllers.

The latest version (v6.0.8070.0) adds support for Windows Server 2012.

Download MP for AD Domain Services v6.0.8070.0

Also available is a System Center Integration Pack, that allows System Center 2012 - Orchestrator to connect to your Active Directory Server to automate Identity and Access management tasks.

Download System Center Integration Pack for Active Directory v7.0

Active Directory Lightweight Directory Services

The Active Directory Lightweight Directory Services (AD LDS) Management Pack provides both proactive and reactive monitoring of your AD LDS deployment running on Windows Server 2008 and Windows Server 2008 R2. It monitors events that are placed in the Application, System, and Service event logs by various Active Directory Lightweight Directory Services components and subsystems. It also monitors the overall health of the Active Directory Lightweight Directory Services system and alerts you to critical performance issues.

Download MP for AD Lightweight Directory Services v6.0.7220.0

Active Directory Certificate Services

The System Center Management Pack for Active Directory Certificate Services provides an early warning to administrators on issues that could affect services so they can investigate and take action, if necessary.

Two Management Packs for Active Directory Certificate Services are currently available. An ‘old’ Management Pack exists to manage Certification Authorities running on Windows Server 2008 and Windows Server 2008 R2. This Management Pack follows the 6.x version numbering. A completely new 7.x Management Pack is available alongside the 6.x version and enables management of Certification Authorities on Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.

Note:
The Management Packs for Active Directory Certificate Services monitors the core Certification Authority, but does not monitor Certificate Services role services (such as the Online (OCSP) responder, Network Device Enrollment Services (NDES), Certificate enrollment web services, NDES, or CA web enrollment).

Download MP for AD Certificate Services v6.0.7231.0 
Download MP for Windows Server 2012 AD Certificate Services v7.0.8560.0 

Active Directory Federation Services

The System Center Management Pack for Active Directory Federation Services 1.x has been available since September 2007 and for Active Directory Federation Services  2.x since June 2010.

The Management Pack for Active Directory Federation Services offers the ability to detect service outages, operational errors and operational warnings. It also alerts on configuration issues and background tasks failures. Auditing can also be monitored, as well as the communication between the federation server and the federation server proxy. With the Management Pack you can be notified of malformed access requests and the health of the Secure Sockets Layer (SSL) certificate of the federation passive website in Internet Information Services (IIS).

Depending on the version of Active Directory Federation Services, you can choose between the 6.x version and the 7.x version of the Management Pack, where version 6.x can be used to monitor Active Directory Federation Services 1.0 and version 7.x can be used to monitor Active Directory Federation Services 2.0 (available as a separate download for Windows Server 2008 R2) and 2.1 (bundled with Windows Server 2012).

Download MP for Windows Server 2003 R2 AD Federation Services v6.0.5000.0 
Download MP for AD Federation Services 2.0 and 2.1 v7.0.8560.0 

Active Directory Rights Management Services

The System Center Management Pack for Active Directory Rights Management Services (AD RMS) has been available since July 2011 and monitors the performance and availability of the Windows Server 2008 SP2 or Windows Server 2008 R2 versions of AD RMS. By detecting, alerting on, and automatically responding to critical events and performance indicators, this Management Pack helps indicate, correct, and prevent possible AD RMS related service outages. The System Center Monitoring Pack for Active Directory Rights Management Services for Windows Server 2008 SP2 or Windows Server 2008 R2 helps ensure that your AD RMS components are available and working correctly.

In September 2012, Microsoft released a version 7.x of the Management Pack for Active Directory Rights Management Services. This Management Pack can be used to manage Rights Management Services, running on Windows Server 2012. For Rights Management Services running on Windows Server 2008 and Windows Server 2008 R2, the 6.0.7xxx.x version of the Management Pack is the one to use. For sturdy Rights Management Servers on Windows Server 2003, the 6.0.5000.0 version of the Management Pack offers the desired monitoring capabilities.

Download MP for Windows Server 2003 Rights Management Services v6.0.5000.0
Download MP for AD Rights Management Services v6.0.7597.0
Download MP for Windows Server 2012 AD Rights Management Services v7.0.8560.0

Related blogposts

Further reading

Understanding Active Directory Domain Services Management Pack Operations 
OpsMgr: Recent Management Pack Releases and Updates (January 2013) 
New and Recent System Center Downloads 
New Version: Active Directory Domain Services Management Pack for System Center  
Windows Server Active Directory Certificate Services 2012 MP *Language Packs* Released 

Related downloads

System Center Management Pack for Windows Server Operating System  
System Center Management Pack for Windows 8 Client Operating System

Active Directory Services and PowerShell manageability

As you might be aware, every Microsoft server product has the requirement to be manageable through PowerShell and System Center. The PowerShell requirement is formulated as part of the Common Engineering Criteria (CEC).

With PowerShell available as a version 3 product (and part of Windows Server 2012) it’s time to see how the teams, responsible for the Active Directory products have built their management stories around PowerShell.

Active Directory Domain Services

The Active Directory Domain Services, that we love and loath as the core of our networking infrastructure on our Domain Controllers is manageable through PowerShell scripting. To enjoy PowerShell support in Active Directory Domain Services, it is recommended to manage your Domain Controllers from Windows Server 2012 or from a Windows 8 installation with the Remote Server Administration Tools (RSAT) for Active Directory installed. This way you can enjoy the 135 Active Directory Domain Services management-related PowerShell Cmdlets and 9 Active Directory Domain Services deployment-related PowerShell Cmdlets.

The Active Directory Domain Services team even went a few steps further and incorporated the PowerShell History viewer into the Active Directory Administrative Center (dsac.exe), that helps you discover the PowerShell magic that happens under the hood.

A couple of exceptions still exist, that make it impossible to manage Active Directory Domain Services from the PowerShell prompt completely. Tools like ntdsutil.exe, dsamain.exe, redirusr.exe and redircmp.exe come to mind, almost immediately. On the other end of the spectrum, several other functions in Active Directory Domain Services are only easily manageable with PowerShell. MSAs come to mind, quite to my own surprise...

Active Directory Lightweight Domain Services

The Active Directory Lightweight Domain Services offer specialized Domain Services, targeted at applications and perimeter networks. Their charm is you can manage the Lightweight Directory Services (mostly) with the same tools as you can manage the Directory Services in PowerShell (as long as you install the AD LDS Display Specifiers schema and Display Specifiers by importing MS-ADLDS-DisplaySpecifiers.ldf.).

Alas, the PowerShell learning ability, offered by the Active Directory Administrative Center (dsac.exe), is not available for Active Directory Lightweight Directory Services, since this management tool can not be directed to a Lightweight Directory Services installation.

Since most tools are exchangeable between Lightweight Directory Services and Directory Services, roughly the same exceptions for full PowerShell manageability exist.

Active Directory Certificate Services

Active Directory Certificate Services enable you to run Certification Authorities on Windows Servers. For Windows Server 2012, the team behind Active Directory Certificate Services has developed twelve PowerShell Cmdlets to deploy Certificate Services. Also an additional nine PowerShell Cmdlets were specifically created to manage certificates, but you can also manage these by mounting the Certificate Store as a PowerShell drive, if need be.

In versions of Windows Server earlier than Windows Server 2012, no built-in PowerShell Cmdlets were available to manage Active Directory Certificate Services, but you could rely on certutil.exe to script through them.

Active Directory Federation Services

As was the case with Active Directory Federation Services 2.0, which was a separately downloadable installation, Active Directory Federation Services 2.1, that comes bundled with Windows Server 2012, can be managed through PowerShell. A total of 48 Active Directory Federation Services-related PowerShell Cmdlets are available on Windows Server 2012, covering both deployment and management.

Active Directory Rights Management Services

As you might expect, the Active Directory Rights Management Services in Windows Server 2008 R2 and Windows Server 2012 are also PowerShell-enabled. Three straightforward Rights Management Services deployment-focused PowerShell Cmdlets (appropriately named Install-ADRMS, Uninstall-ADRMS and Update-ADRMS) and 21 Rights Management Services administration-focused PowerShell Cmdlets are at your disposal.

Related blogposts

New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets 
New features in AD DS in Windows Server 2012, Part 5: PowerShell History Viewer

Further reading

Managing Active Directory with Windows PowerShell 
Active Directory Cmdlets for Windows Server 2008 R2 
AD FS 2.0 Cmdlets for Windows Server 2008 R2  
AD RMS Cmdlets for Windows Server 2008 R2   
AD CS Administration Cmdlets in Windows Server 2012 
AD CS Deployment Cmdlets in Windows Server 2012 
AD DS Administration Cmdlets in Windows Server 2012  
AD DS Deployment Cmdlet in Windows Server 2012  
AD FS Cmdlets in Windows Server 2012  
AD RMS Administration Cmdlets in Windows Server 2012  
AD RMS Deployment Cmdlets in Windows Server 2012