Active Directory

Active Directory: What to learn next?

The Microsoft MVP summit was held last week (3rd – 7th November) in Redmond, where I had the good fortune to spend the week with members of various Microsoft product teams that are responsible for what we commonly know as Active Directory.  I can genuinely say that in technology terms I have not been this interested in the future of Windows since I did my first Windows Server 2000 course (MOC 1561) back  in 1999.

The MVP Summit content is mostly under NDA and I have always respected the NDA and with this in mind all I will say is that over the next few months I will be reading and learning as much as I can on the following areas of Microsoft technology.

Azure Active Directory

Azure Active Directory Sync Services

Azure Rights Management

Windows 10

I would also recommend that you start to start to think about the concept of Active Directory being an identity provider and that in the future it will all be about managing identities and not solely about managing the technologies that deliver them.

Food for thought, think about what type of identities your business will support, business only or perhaps personal too? What is an identity? What is a personal identity? Who owns the identity?  (I will follow up on this concept with another post).

Active Directory: A user cannot be in more than 1015 groups.

In any Microsoft Active Directory forest, a user can only a member of 1024 groups but after allowing for up to 9 well known SIDS this number is actually 1015.
See KB http://support.microsoft.com/kb/328889

If a user exceeds the hard limit of 1015 group memberships they probably will not be able to logon.

  • What do you do to rectify the issue?
  • How do you find out what changed and caused a tipping point?

A quick visual method to see a user’s nested group memberships expanded, is to run the command:

dsget user “CN=Mark Parris,OU=Administration,DC=clickclicknext,DC=com” -memberof -expand

If this command returns a short list of groups then the membership of too many groups is probably not an issue, but if the command returns a scrolling list of group memberships then we need to utilise NTDSUTIL. NTDSUTIL has within it a command that you may not even know is there, unless you have this specific issue.

The command is group membership evaluation

At an elevated command prompt.

Type

ntdsutil

group membership evaluation

set account DC nameOfDC

set global catalog nameOfDC

set resource dc nameOfDC

run clickclicknext.com mark.parris

clickclicknext.com is the fqdn of your domain and mark.parris is the username.

The output of this command is a .tsv file and will be found in the path of the prompt (run it from C:\Temp it will be in C:\Temp), this file can be renamed to a .csv.
The report produces a lot of interesting information in a tabular format.

The report will have these column headings.

SID in token
SID type
SID History Count
Distinguished Name
SamAccountName
Active Directory Domain Controller Queried
Group Owner
Group Owner SID
WhenCreated (UTC)
WhenChanged (UTC)
Member WhenChanged (UTC)
GroupType WhenChanged (UTC)
One Level MemberOf Count
Total MemberOf Count
Group Type
Depth From User
Closest Parent OU

From the column heading, there are specific columns with timestamps, if these are then sorted upon, it will tell you what group or groups were modified most recently, these changes then need to be understood and reversed or perhaps other legacy group memberships identified and removed.

2014-07-31_17-41-38

 

As I review and update my old consulting notes I have decided to publishing them.
These are by no means definitive and are intended as an ‘aide memoire’.

Comments welcome.

Associated Post: MaxTokenSize – Change of recommendation from Microsoft

 

 

 

Active Directory: Disaster Recovery (Recap)

In preparation for the Active Directory forest to be upgraded (to Windows Server 2012 R2), it may be prudent to re-evaluate Active Directory disaster recovery plans.

Active Directory if configured correctly will just sit there and work; servicing all requests that are presented and because of this robustness, its importance is often overlooked and its criticality not understood.

Management buy in.

The most critical component in the disaster recovery plan, is the education of management and key stakeholders in the criticality of Active Directory to the business. No Active Directory can mean, no authentication; no authorisation; no name resolution or no printing;  effectively the IT function may cease to operate until the Active Directory is restored or made available.

Plan and approach.

Define what Active Directory recovery scenarios that are being catered for, is it total loss of the Active Directory or the loss of objects within the Active Directory?

Agree with the business and calculate realistic Recovery Point Objectives (RPO’s) and Recovery Time Objective (RTO’s) for Active Directory.

RPO – this is the point where you have to recover to (or the amount of information you can afford to lose).

RTO – this is the time you have to recover the environment back to the RPO.

Choose your method of backup

When if actually comes to backing up Active Directory, technical insight is needed to understand the scenarios that are being protect against.  Ensure that each scenario is catered for so that Active Directory can be recovered.

Domain/Forest Recovery.

In a worst case scenario it would mean restoring a single domain controller from backup and then rebuilding all the existing domain controllers to be domain controllers to this restored domain.

This could be a logistical nightmare to perform and orchestrate.

Object Recovery

This would usually mean restoring a domain controller from backup and then marking the object(s) that are to be recovered as authoritative.

Active Directory Recycle Bin.

The Active Directory Recycle Bin provides a certain degree of insurance in protecting Active Directory, but it will only enable the recovery of deleted items and not for example the recovery of modified users or groups. All domain controllers must be running at a minimum Windows Server 2008 R2 and the forest mode is Windows Server 2008 R2.

Backup

All of the well-known backup providers support the backing up of Active Directory, a key component of backing up the AD is that it is not only the Operating System that needs to be backed up, but the entire system state, which includes all the underlying  components of the Operating System and Active Directory.

Quest Recovery Manager for Active Directory – Forest Edition.

The only tool I have found on the market that provides Active Directory Disaster Recovery from a single pane of glass, it enables recovery from a single attribute to a full forest recovery.

Recovery Manager for Active Directory

Test your processes

Whatever process or method you take to back up your Active Directory, ensure that you are confident and able to recovery your Active Directory not only in the time required, but also physically able to do so.

As I review and update my old consulting notes I have decided to publishing them. These are by no means definitive and are intended as an ‘aide memoire’ to enable discussion.
Please feel free to comment.

Top 6 (Independent) Microsoft Active Directory Integration Experts to Follow

Blatant self-promotion, but I wanted to share a blog post from OneLogin that gives their list of top Active Directory experts (including me) and our top tips on “What you should never do when working with Active Directory“.

Top 6 (Independent) Microsoft Active Directory Integration Experts to Follow

Experts

Does anyone else have any other “No No’s” they would like to share?

MaxTokenSize – Change of recommendation from Microsoft.

 

Microsoft have stated for numerous years that anyone with Kerberos authentication issues often due to users being in multiple groups and commonly known as Token Bloat should increase the MaxTokenSize to 65535 bytes.

Whilst reading Understand and Troubleshoot Dynamic Access Control in Windows Server 2012 guide, I read that

“Previous versions of Windows had a default maximize token size of 12k.  However, this value remained too low for many environments and required reconfiguring each computer in the enterprise.  Windows Server 2012 and Windows 8 increase the default maximum token size to 48k.  This new value is the maximum viable size for SSPI tokens in Windows and may require additional settings changes for applications to support. For example, HTTP settings are required for SSPI tokens over 12K.”

But this article How to use Group Policy to add the MaxTokenSize registry entry to multiple computers also stated the 48K maximum and with a similar reasoning.

“The maximum allowed value of MaxTokenSize is 65535 bytes. However, because of HTTP’s base64 encoding of authentication context tokens, we do not recommend that you set the maxTokenSize registry entry to a value larger than 48000 bytes. Starting with Windows Server 2012, the default value of the MaxTokenSize registry entry is 48000 bytes”.

This lead me to do a little further research as Microsoft stated in the article Active Directory Maximum Limits – Scalability that the “maximum recommended size for a Kerberos ticket is 65,535 bytes”

image

Getting nowhere fast, I had an email exchange with the Active Directory Documentation team, it was confirmed that this value should now be set to 48K

The Active Directory Maximum Limits – Scalability website should be updated soon (approx. 09/05/2013) to confirm this.

The question now to ask though is – I have set the MaxTokenSIze to 65535 bytes, should I now change it to 48000 bytes?

So I asked the question:-

“What happens to people who have set the key to 65535? Should they test and change it to 48000 now?  Will Windows Server 2012 break? Will things fail as a result of having it set to the maximum?”

The response:-

Kerberos itself doesn’t really understand the concept of a token size because what it transports is opaque to the protocol. 

Applications, however, are different and can implement their own constraints such as buffer size.  Applications ask SSPI (Kerberos) for the size of the authorization buffer of the authenticating user.  If the size reported back is greater than the buffer allocated by the application, authentication fails.  The size reported back is the actual size not the maximum size.  Therefore, with MaxToken set to 65k and authorization data amounting to 12k; Windows will only report back 12k.  MaxTokenSize simply limits the maximum value the SSPI can return to an application.  Prior to Windows 8/2012 , most environments would set MaxTokenSize to the maximum because it was nearly impossible to determine a user’s true token size.  Therefore, if you set it to the max, and still had an authentication problem it was not because of MaxTokenSize ( at which point engineers would instruct customers to return the setting to the prior value).

With MaxTokenSize defaulting to the max Authentication buffer size for IIS; there shouldn’t be a authentication  problem resulting from token size.  Http caps out at 48k.  Making it higher won’t fix the authentication issue. So it there is no gain people nothing by increasing it.

While the setting in the documentation should mostly be harmless; we should suggest 48k as the ideal setting for MaxTokenSize and point to the Group Policy setting in Windows Server 2012/Windows 8 as the means which to modify it.

http://blogs.technet.com/b/askds/archive/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012.aspx

and now we know.

Active Directory

Active Directory: Forest Recovery – Whitepaper updated.

Microsoft have updated the must read Active Directory document on Active Directory Forest Recovery.

The guide contains best-practice recommendations for recovering an Active Directory forest if forest-wide failure renders all domain controllers in the forest incapable of functioning normally. The steps, which you must customize for your particular environment, describe how to recover the entire Active Directory forest to a point in time before the critical malfunction. They also ensure that none of the restored domain controllers replicate from a domain controller with potentially dangerous data.

The steps in this guide apply to Active Directory forests where the domain controllers run Microsoft® Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 operating systems.”

Please ignore the fact that the document is titled “Windows Server 2008: Planning for Active Directory Forest Recovery” it covers all supported versions of Windows Server that can run Active Directory.

April 2013 Update.

Download it here.

Best Practices for Securing Active Directory

 

Microsoft have released a new document which contains best practice recommendations to assist organisations in enhancing the security of their Active Directory installations.

Microsoft state that “In implementing these recommendations, organisations will be able to identify and prioritise security activities, protect key segments of their organisation’s computing infrastructure and create controls that significantly decrease the likelihood of successful attacks against critical components of the IT environment“.

This document discusses the most common attacks against Active Directory and countermeasures to reduce the attack surface, and recommendations for recovery in the event of complete compromise.

Download