Reliability Workbook for Active Directory Domain Services
Document version: 1.0 Published: January 2010
Overview
Reliability is the state in which a service and all the components it depends on are behaving as desired within acceptable limits. This task list provides a schedule of proactive health monitoring and maintenance tasks to review and adapt to your individual requirements. For further instructions about the configuration and use of this task list, see the Administrator's Guide to Reliability Workbooks at www.microsoft.com/mof.
Task List Columns
Health Attribute: A group of requirements for a healthy system.
Health Area: A category of health action.
Health Requirement: A requirement in a particular health control area that drives monitoring activity, which ensures continued component health.
Monitoring Task: An action that involves observing trends and paying attention to warning levels and error alerts. These alerts will trigger maintenance tasks.
Maintenance Task: Regularly scheduled or trend-driven work that ensures the continued health of the component.
Monitoring Parameter: The picture of health for a component. These conditions are determined by your organization's requirements and may vary according to factors such as the component's importance to the business, the size of the organization, or staffing constraints.
Owner: Person with the responsibility to ensure that a task is done. The owner can complete the task, automate it, or delegate it and confirm that the work has been done.
Notes: Additional information relating to this item.
Feedback
Please direct questions and comments about this guide to [email protected].
Note: Although many of the monitoring and maintenance tasks in this guide can be performed manually, best practice is to use automated methods because of the frequency and complexity of the individual tasks.
Monitoring Activities
| Title | Health attribute | Health area |
|---|---|---|
| Verify that all accounts with Remote Access Service access are appropriate. | Security | Authentication |
| Verify that all accounts with Terminal Services access are appropriate. | Security | Authentication |
| Check for a high number of locked-out, disabled, or expired accounts. | Security | Authentication |
| Verify that upcoming certificate renewals are in the schedule. | Security | Certificate Maintenance |
| Verify that expiration dates for domain controller certificates have been set. | Security | Certificate Maintenance |
| Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials. | Security | Domain and Forest Trust Management |
| Confirm that Group Policy has not been misconfigured. | Security | Group Policy |
| Verify that share permissions are set appropriately. | Security | Share Permissions |
| Verify that shared folders are required. | Security | Shared Folders |
| Verify that NTFS file system permissions are set appropriately on all shared folders and content in shared folders. | Security | NTFS Permissions |
| Verify that all security settings available via Group Policy objects are managed centrally by policies. | Security | Group Policy |
| Verify that all user account passwords are configured to meet minimum length and complexity requirements. | Security | Authentication |
| Check the password policy for the Maximum Password Age setting. | Security | Authentication |
| Check the password policy for the Minimum Password Age setting. | Security | Authentication |
| Check the password policy for the Minimum Password Length setting. | Security | Authentication |
| Verify that the Account Lockout policy meets minimum organizational security policy requirements. | Security | Authentication |
| Review LanManager compatibility settings. | Security | Authentication |
| Review the LanManager authentication protocol hash storage settings. | Security | Authentication |
| Verify that all domain controllers are in the Domain Controllers organizational unit. | Security | Domain Controller Security |
| Check the replication provider. | Availability | Replication |
| Check the partner replication count. | Availability | Replication |
| Check replication latency. | Availability | Replication |
| Verify that the appropriate replication service is running. | Availability | Replication |
| Verify that the Kerberos Key Distribution Center service is running. | Availability | Replication |
| Test the availability of each domain controller. | Security | The System Volume share |
| Back up system state on each domain controller. | Continuity | Backup and Restore |
| Verify that critical volumes are backed up. | Continuity | Backup and Restore |
| Verify the full server backup. | Continuity | Backup and Restore |
| Verify the authoritative restore of Active Directory Domain Services. | Continuity | Backup and Restore |
| Verify the non-authoritative restore of Active Directory Domain Services. | Continuity | Backup and Restore |
| Check for changes in administrative authority. | Appropriate Use | Administrative Authority |
| Look for non-standard grants of Write access to Active Directory Domain Services (AD DS) and AD DS objects. | Appropriate Use | Administrative Authority |
| Check for dangerous or unnecessary services that are not disabled. | Appropriate Use | Domain Controller |
| Check for dormant user accounts. | Appropriate Use | User Accounts |
| Audit the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators. | Appropriate Use | Administrative Authority |
| Verify that user rights are assigned to groups, not users. | Appropriate Use | User Rights |
| Monitor each domain controller for general responsiveness. | Performance | Authentication Response Time |
| Monitor the responsiveness of Active Directory Domain Services to a Lightweight Directory Access Protocol request. | Performance | General Response |
| Measure the time required to perform a global catalog search. | Performance | Global Catalog Search Response |
| Verify that operations masters are responsive. | Performance | Operations Masters |
| Verify that the domain controller is advertising. | Performance | Domain Controller |
| Check for the latest service pack and security updates. | Patching | Updates and Configuration |
| Verify that the Windows Time service is running. | Integrity | Windows Time Service |
| Monitor database and log file size as well as the available free space on the associated disk volumes. | Availability | Active Directory Domain Services Database |
| Check the Active Directory Domain Services domain functional level. | Security | Active Directory Domain Services Functional Level |
| Check the Active Directory Domain Services forest functional level. | Security | Active Directory Domain Services Functional Level |
| Verify that all Domain Name System (DNS) service records are registered in DNS for each domain controller and appropriate service. | Availability | DNS SRV Records |
| Verify that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated. | Security | Anonymous Connections |
| Verify membership in the Pre-Windows Compatible Access group. | Security | Anonymous Connections |
| Ensure that no standard users can read key properties for administrative groups and users. | Security | Lightweight Directory Access Protocol Access to Active Directory Domain Services |
| Verify that Encrypting File System is not enabled for domain controllers. | Security | Encrypting File System |
| Verify that no user accounts have the Password Never Expires property configured. | Security | Authentication |
| Check for Windows Firewall rules. | Appropriate Use | Domain Controller |
| Check for changes in administrative authority for Group Policy management. | Security | Group Policy |
| Verify that audit policy settings are configured properly. | Security | Auditing |
| Verify that the name of the last user who logged on does not appear during logon. | Security | Authentication |
| Verify that the logon banner is displayed during logon. | Security | Authentication |
| Verify that Group Policy objects are backed up. | Continuity | Backup and Restore |
| Ensure that administrator-level accounts have dual accounts or use User Account Control. | Appropriate Use | Administrative Authority |
| Ensure that the crash dump file is configured to meet company requirements. | Continuity | Domain Controllers |
| Ensure that Domain Name System servers that support Active Directory Domain Services (AD DS) are all AD DS integrated. | Security | Domain Name System |
| Ensure that the correct security is in place for all Domain Host Configuration Protocol services running on domain controllers. | Appropriate Use | Domain Host Configuration Protocol |
| Ensure that all domain controllers are in the appropriate site based on IP address. | Continuity | Replication |
| Ensure that the design of the location of global catalog servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information in the global catalog. | Continuity | Global Catalog Location |
| Ensure that the design of the location of Domain Name System (DNS) servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on the DNS servers. | Continuity | Domain Name System Location |
| Ensure that the design of the location of domain controllers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on domain controllers. | Continuity | Domain Controller Location |
| Health requirement | Monitoring task | Monitoring parameter |
|---|---|---|
| Remote access | Verify that all accounts with Remote Access Service access are appropriate. | Remote Access Service account access is limited to those deemed appropriate per company policy. |
| Terminal Services/Remote Desktop | Verify that all accounts with Terminal Services access are appropriate. | Terminal Services account access is limited to those deemed appropriate per company policy. |
| Current accounts | Check for a high number of locked-out, disabled, or expired accounts. | No more than n number of anomalous accounts |
| Current certificates | Verify that upcoming certificate renewals are in the schedule. | Certificates are valid for one month past the current date. |
| Current certificates | Verify that expiration dates for domain controller certificates have been set. | The expiration date is in the future. |
| Secure trusting forest | Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials. | Security ID filtering on all trusts by default |
| Group Policy is working as expected. | Confirm that Group Policy has not been misconfigured. | No Override is disabled for all Active Directory Domain Services nodes (domain and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects. |
| Shares are safe from unauthorized users. | Verify that share permissions are set appropriately. | The most restrictive permissions are applied. |
| Limit the number of shared folders. | Verify that shared folders are required. | The list of shared folders should meet the minimum shared folders required for each server. |
| NTFS file system permissions should protect shared folders and all content from unauthorized users. | Verify that NTFS file system permissions are set appropriately on all shared folders and content in shared folders. | The most restrictive permissions are applied. |
| The server is configured to a standard security policy. | Verify that all security settings are managed centrally by policies. | All settings are confirmed. |
| Strong passwords | Verify that all user account passwords are configured to meet minimum length and complexity requirements. | Password length and complexity are established (specifics per company policy). |
| Maximum password age | Check the password policy for the Maximum Password Age setting. | The Maximum Password Age is set between 30 and 120 days per organization policy. |
| Minimum password age | Check the password policy for the Minimum Password Age setting. | The Minimum Password Age is set to a minimum of one day or per organization policy. |
| Minimum password length | Check the password policy for the Minimum Password Length setting. | The Minimum Password Length is set to a minimum of 7–14 days or per organization policy. |
| Account Lockout policy | Verify that the Account Lockout policy meets the minimum organization security policy requirements. | Account Lockout policy settings |
| LanManager authentication protocol | Review LanManager compatibility settings. | LMCompatibilityLevel setting |
| LanManager authentication protocol hash storage | Review the LanManager authentication protocol hash storage settings. | LanManager hash storage settings |
| All domain controllers receive the same Group Policy objects. | Verify that all domain controllers are in the Domain Controllers organizational unit. | No domain controllers are outside the Domain Controllers organizational unit. |
| Replication links between domain controllers and replication partners are healthy. | Check the replication provider. | ModifiedNumConsecutiveSyncFailures is <2 days old; TimeOfLastSyncSuccess is <14 days old |
| Domain controllers within a forest are able to replicate with each other. | Check the partner replication count. | The domain controller always has at least one outbound connection; the domain controller has at least one connection to another site; the domain controller does not have more than a specified number of connections. |
| Changes are properly replicated across the forest. | Check replication latency. | Convergence latency is within the desired maximum determined time. |
| Changes are properly replicated across the forest. | Verify that the appropriate replication service is running. | NT File Replication Service and/or Distributed File System Replication is running. |
| Updated domain controllers | Verify that the Kerberos Key Distribution Center service is running. | The Kerberos Key Distribution Center service is running. |
| The System Volume share is accessible on every domain controller. | Test the availability of each domain controller. | The System Volume share can be accessed on each domain controller from across the network. |
| Domain controller backup | Back up system state on each domain controller. | System state has been backed up within the past 24 hours. |
| Critical volumes are backed up. | Verify that critical volumes are backed up. | Completed |
| The server is backed up. | Verify the full server backup. | Completed |
| Active Directory Domain Services is authoritatively restored. | Verify the authoritative restore of Active Directory Domain Services. | Completed |
| Active Directory Domain Services is non-authoritatively restored. | Verify the non-authoritative restore of Active Directory Domain Services. | Completed |
| Appropriately assigned authority | Check for changes in administrative authority. | No change |
| Appropriately assigned authority | Look for non-standard grants of Write access. | No change |
| Domain controllers are free of dangerous services. | Check for dangerous or unnecessary services that are not disabled. | Dangerous or unnecessary services are disabled. |
| The network is free of unauthorized users. | Check for dormant user accounts. | User accounts are disabled when a personnel change is entered in the Human Resources system. |
| Appropriately assigned authority | Audit the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators. | Apply least privilege. |
| Appropriately assigned authority | Verify that user rights are not assigned to users. | Only administrators should have user rights assigned. |
| Expected response time | Monitor each domain controller for responsiveness. | Less than one second |
| Active Directory Domain Services is responsive. | Monitor the responsiveness of Active Directory Domain Services to a Lightweight Directory Access Protocol request. | Less than one second |
| The Active Directory Domain Services global catalog is responsive. | Measure the time required to perform a global catalog search. | Response time is <5 seconds. |
| Operations masters are responsive. | Verify that operations masters are responsive. | Operations masters are available. |
| The domain controller is advertising. | Verify that the domain controller is advertising. | The domain controller locator is working. |
| The system is up to date with the latest service pack and security updates. | Check for the latest service pack and security updates. | Completed |
| Domain controllers on the network are in time synchronization with each other. | Verify that the Windows Time service is running. | The primary domain controller is synching with a valid external time source; MaxPosPhaseCorrection and MaxPosPhaseCorrection should not be <48 hours but >1 hour. |
| Adequate free space in database | Monitor database and log file size as well as available free space on the associated disk volumes. | At least 20% of the current database is available. |
| Existing domain functional level | Check the Active Directory Domain Services domain functional level. | Ensure that the functional level of the domain is at the highest level possible. |
| Existing forest functional level | Check the Active Directory Domain Services forest functional level. | Ensure that the functional level of the forest is at the highest level possible. |
| Domain controller services are available. | Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service. | The Domain Name System service records exist. |
| Deny anonymous access. | Verify that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated. | Check anonymous connection parameters. |
| Deny anonymous access. | Verify membership in the Pre-Windows Compatible Access group. | Verify membership in the Pre-Windows Compatible Access group. |
| Deny Read access to key security groups and users for standard users. | Ensure that no standard users can read key properties for administrative groups and users. | Verify Lightweight Directory Access Protocol access to Active Directory Domain Services. |
| Ensure that Encrypting File System is disabled for domain controllers. | Verify that Encrypting File System is not enabled for domain controllers. | Check whether files can be encrypted. |
| Ensure that user account passwords expire. | Verify that no user accounts have the Password Never Expires property configured. | Check all user accounts for the Password Never Expires property configuration. |
| Domain controllers are free of dangerous network access. | Check for Windows Firewall rules. | Dangerous or unnecessary network access protocols/applications are denied. |
| Appropriately assigned authority | Check for changes in administrative authority for Group Policy management. | Group Policy Management Console delegation is set correctly. |
| Appropriately assigned audit policy | Verify that audit policy settings are configured properly. | Check audit policy settings for success and/or failure. |
| Restrict access to user names. | Verify that the name of the last user who logged on does not appear during logon. | Check whether the last user name is displayed at logon. |
| Display the company logon banner. | Verify that the logon banner is displayed during logon. | Verify that the logon banner is displayed at logon. |
| Group Policy objects are backed up. | Verify that Group Policy objects are backed up. | Completed |
| Appropriate logon access privilege level | Ensure that administrator-level accounts have dual accounts or use User Account Control. | Require least-privilege access for administrators. |
| Configure the crash dump file. | Ensure that the crash dump file is configured to meet company requirements. | Verify crash dump settings. |
| Active Directory–integrated Domain Name System | Ensure that Domain Name System servers that support Active Directory Domain Services (AD DS) are all AD DS integrated. | Verify the configuration and location of Domain Name System. |
| Domain Host Configuration Protocol services are running on domain controllers. | Ensure that the correct security is in place for all Domain Host Configuration Protocol services running on domain controllers. | Verify membership in the DNSUpdateProxy group. |
| Site configuration | Ensure that all domain controllers are in the appropriate site based on IP address. | Verify domain controller locations in sites. |
| Global catalog servers must be available. | Ensure that the design of the location of global catalog servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information in the global catalog. | Verify the number of global catalog servers in each physical location. |
| Domain Name System servers must be available. | Ensure that the design of the location of Domain Name System (DNS) servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on the DNS servers. | Verify the number of Domain Name System servers in each physical location. |
| Domain controllers must be available. | Ensure that the design of the location of domain controllers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on domain controllers. | Verify the number of domain controllers in each physical location. |
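The password, Account Lockout, and LanManager rows above can be checked with one of the Windows PowerShell scripts this workbook lists as an automation method. The script below is an added example, not part of the workbook; it assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and a run on a domain controller, the function names Test-WorkbookPasswordPolicy and Test-WorkbookLanManagerSettings are chosen here, and the LmCompatibilityLevel floor of 3 is an assumption, since the workbook defers that value to organization policy.

```powershell
# Added example, not part of the MOF workbook. Compares the domain password and
# Account Lockout policy and the local LanManager settings against the monitoring
# parameters in the table above. Assumes the ActiveDirectory module (Windows
# Server 2008 R2 / RSAT) and that it is run on a domain controller.
Import-Module ActiveDirectory

function Test-WorkbookPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $policy   = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()

    # Maximum Password Age: 30 to 120 days. A value of 0 means passwords never expire.
    $maxAge = $policy.MaxPasswordAge.TotalDays
    if ($maxAge -lt 30 -or $maxAge -gt 120) {
        $findings += "MaxPasswordAge is $maxAge days; workbook range is 30-120 days"
    }

    # Minimum Password Age: at least one day, so a user cannot cycle straight back to an old password.
    $minAge = $policy.MinPasswordAge.TotalDays
    if ($minAge -lt 1) {
        $findings += "MinPasswordAge is $minAge days; workbook minimum is 1 day"
    }

    # Minimum Password Length: 7 is the lower bound of the workbook's 7-14 range (assumption: 7 is the floor checked).
    if ($policy.MinPasswordLength -lt 7) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); workbook minimum is 7"
    }

    # Complexity must be enforced ("Password length and complexity are established").
    if (-not $policy.ComplexityEnabled) {
        $findings += 'Password complexity is not enabled'
    }

    # Account Lockout policy: a LockoutThreshold of 0 means accounts are never locked out.
    if ($policy.LockoutThreshold -eq 0) {
        $findings += 'LockoutThreshold is 0; the Account Lockout policy is not in effect'
    }

    return $findings
}

function Test-WorkbookLanManagerSettings {
    # LmCompatibilityLevel and NoLMHash are values under the Lsa key.
    $lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $findings = @()

    # Levels 0-2 still send LM or NTLMv1 responses. The level-3 floor is this
    # example's assumption; the workbook defers the value to organization policy.
    $level = $lsa.LmCompatibilityLevel
    if ($null -eq $level) {
        $findings += 'LmCompatibilityLevel is not set explicitly; confirm the Group Policy value'
    } elseif ($level -lt 3) {
        $findings += "LmCompatibilityLevel is $level; legacy LanManager responses are still sent"
    }

    # NoLMHash = 1 stops the LanManager hash of new passwords from being stored.
    if ($lsa.NoLMHash -ne 1) {
        $findings += 'NoLMHash is not 1; LanManager hashes of new passwords are still stored'
    }

    return $findings
}

# Each finding is one row of the workbook that is out of its monitoring parameter.
$report = @(Test-WorkbookPasswordPolicy) + @(Test-WorkbookLanManagerSettings)
if ($report.Count -eq 0) {
    'All checked password, lockout, and LanManager parameters meet the workbook thresholds.'
} else {
    $report
}
```

Run it at the monthly frequency the workbook assigns to these rows; an empty report means the checked rows are within their parameters, and each finding names the row that needs the corresponding maintenance task.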
Frequency | Owner | Manual | Automation
Daily
Operator
Verify under Permissions for Remote Access Service (RAS) and Internet Authentication Service servers in the Active Directory Servers and Computers snap-in. Verify group membership for RAS access.
Microsoft System Center Operations Manager can audit Remote Access Service access.
Perfmon
Daily
Operator
Verify under the User account properties and the Remote Desktop group, and that the Terminal Server has the correct user right for Allow Logon Through Terminal Services configured. Verify group membership for Remote Access Service access.
Perfmon
Daily
Operator
Verify that the Account Lockout Duration policy setting in Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy matches the policy.
Microsoft System Center Operations Manager can audit for anomalous accounts.
Active Directory Users and Computers saved queries, Lockoutstatus.exe
Weekly
Operator
Use the Certificate Request Wizard in the Microsoft Management Console Certificates snap-in.
Use the Certificate Request Wizard in the Microsoft Management Console Certificates snap-in.
Use Microsoft Certificate Lifecycle Manager 2007 or Microsoft Forefront Identity Manager 2010.
Use Microsoft Certificate Lifecycle Manager 2007 Certificate Authority Monitor and Microsoft System Center Operations Manager.
Automate this process by using Desired Configuration Management Packs or by analyzing the results of Gpresult.
Weekly
Operator
Daily
Operator
Firewall logs
Daily
Operator
Netmon
Automate this process by using Desired Configuration Management Packs or by analyzing the results of Gpresult.
Monthly
Operator
Check Group Policy settings in the Group Policy Management Console.
GPOTool.exe
Use Windows PowerShell scripts in the Windows Server 2008 R2 and Windows 7 release of the Group Policy management tools. If possible, install and use Microsoft Advanced Group Policy Management.
Monthly
Operator
Use Computer Management or Server Manager to verify.
Windows PowerShell scripts
Monthly
Operator
Computer Management
Script to enumerate shares
Semi-annually
Operator
Review of access control lists on the Security tab.
Access control lists (ACLs) in a script; Group Policy object to establish ACLs
Daily
Operator
Use Gpresult to confirm security settings.
Automated by using Desired Configuration Management Packs or by analyzing the results of Gpresult.
Monthly
Operator
Verify Group Policy password settings using Secpol.msc on a domain controller.
Audit the Group Policy password policy with Microsoft System Center Operations Manager.
Monthly
Operator
Secpol.msc on a domain controller
Microsoft System Center Operations Manager audits the Group Policy password policy.
Microsoft System Center Operations Manager
Monthly
Operator
Secpol.msc on a domain controller
Monthly
Operator
Secpol.msc on a domain controller
Microsoft System Center Operations Manager
Monthly
Operator
Secpol.msc
Microsoft System Center Operations Manager
Monthly
Operator
Secpol.msc
Microsoft System Center Operations Manager
Microsoft System Center Operations Manager
Monthly
Operator
Secpol.msc
Monthly
Operator
Active Directory Users and Computers
Script
Dsquery
Weekly
Operator
Monitor the event logs for event ID 13508 and event ID 13509, which may point to File Replication Service replication issues. Also, use Repadmin /showrepl to find replication partners and issues.
Daily
Operator
Use Repadmin.
Daily
Operator
Use Repadmin.
Daily
Operator
Use Computer Management or Server Manager.
Windows PowerShell script
Daily
Operator
Use Computer Management or Server Manager.
Windows PowerShell script
Daily
Operator
Ping command
Daily
Operator
Verify backup logs. Configure auditing and verify using Event Viewer.
Configure auditing and verify using Event Viewer.
Daily
Backup operator
Verify backup logs.
Configure auditing and verify using Event Viewer.
Verify backup logs.
Configure auditing and verify using Event Viewer.
Weekly
Configure auditing and verify using Event Viewer.
Every three backups
Backup operator
Ntdsutil.exe
Every three backups
Backup operator
Ntdsutil.exe
Daily
Operator
Active Directory Domain Services delegation of authority, Dsacls.exe
Configure auditing and verify using Event Viewer.
Daily
Operator
Active Directory Domain Services delegation of authority, Dsacls.exe
Use Computer Management or Server Manager.
Configure auditing and verify using Event Viewer.
Windows PowerShell script
Daily
Operator
Daily
Operator
Custom Lightweight Directory Access Protocol query, saved query using Active Directory Users and Computers.
Windows PowerShell script
Daily
Operator
Custom Lightweight Directory Access Protocol query
Windows PowerShell script
Active Directory Users and Computers
Event Viewer
Monthly
Operator
Secpol.msc
Daily
Operator
Ping command
Microsoft System Center Operations Manager
Microsoft System Center Operations Manager
Daily
Operator
Daily
Operator
Microsoft System Center Operations Manager
Every five minutes
Daily
Operator
Operator
Daily
Operator
Windows Server Update Services, Microsoft Baseline Security Analyzer
Microsoft System Center Configuration Manager
Daily
Operator
Verify these registry settings using the Registry Editor.
Windows PowerShell script
Use Computer Management or Server Manager.
Every 15 minutes
Operator
System Monitor
Microsoft System Center Operations Manager
Once
Operator
Active Directory Users and Computers
Windows PowerShell script
Once
Operator
Active Directory Domains and Trusts
Windows PowerShell script
Daily
Operator
DNS Admin tool, Nslookup, Dnscmd.exe
Monthly
Operator
Secpol.msc
Windows PowerShell script
Monthly
Operator
Secpol.msc
Windows PowerShell script
Monthly
Operator
Dsacls.exe
Monthly
Operator
Group Policy object report of the Default Domain policy through Group Policy Management Console, Secpol.msc
Active Directory Users and Computers user properties, saved queries, custom Lightweight Directory Access Protocol query
Server Manager
Monthly
Operator
Daily
Operator
Daily
Operator
Group Policy Management Console Delegation tab, Advanced Group Policy Management
Secpol.msc
Windows PowerShell script
Daily
Operator
Daily
Operator
Secpol.msc, manual check after pressing CTRL+ALT+DEL
Windows PowerShell script
Daily
Operator
Secpol.msc, manual check after pressing CTRL+ALT+DEL
Windows PowerShell script
Daily
Backup operator
Operator
Group Policy Management Console, Scheduled Task using Group Policy Management Console scripts
Event Viewer operational log for Group Policy
Secpol.msc
Windows PowerShell script
Daily
Daily
Operator
System properties
Drwtsn32
Monthly
Operator
DNS Admin tool, Dnscmd.exe
Monthly
Operator
Active Directory Users and Computers
Monthly
Operator
Dsquery.exe
Monthly
Operator
Monthly
Operator
DNS Admin tool
Monthly
Operator
Notes
Consult the Microsoft Identity and Access Management Series Solution Accelerator.
Look for global settings here, not detailed settings within Group Policy Management Console. This is only to make sure that Group Policy object application is not affected incorrectly.
Verify that share permissions set are not too weak. NTFS file system permissions should control access, not share permissions. Make sure that any shares created are really needed.
Ensure that all legacy LanManager protocols are removed and disabled. Ensure that all legacy LanManager protocols are removed and disabled.
Ensure that replication between domain controllers is configured and available.
Make sure that all domain controllers can replicate to other domain controllers, that none is orphaned, and that the topology is efficient.
Make sure the domain controllers are online and that the System Volume share is working.
Make sure that the key domain groups that have admin authority are not modified incorrectly. Make sure delegation was not granted to update (write) to Active Directory Domain Services objects incorrectly.
User rights should be assigned to groups, not to users. If assigned to a user, it is difficult to alter when the user no longer needs the user right. Confirm for each domain controller.
This can possibly grant anonymous access.
This provides the highest level of Domain Name System security in Active Directory Domain Services.
Maintenance Activities
| Title | Health attribute | Health area |
|---|---|---|
| Review the Remote Access Service account access policy, and update it to meet security policies. | Security | Authentication |
| Review User account properties, and update the Remote Desktop group to meet security policies. | Security | Authentication |
| Remove locked-out, disabled, or expired accounts. | Security | Authentication |
| Review the Active Directory Domain Services Expiration Dates policy. | Security | Certificate Maintenance |
| Ensure that certificates are renewed. | Security | Certificate Maintenance |
| Deny network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials. | Security | Domain and Forest Trust Management |
| No Override is disabled for all Active Directory Domain Services nodes (domains and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects. | Security | Group Policy |
| Ensure that the most restrictive permissions are applied. | Security | Share Permissions |
| Remove shared folders that are no longer required. | Security | Shared Folders |
| Verify and ensure that NTFS file system permissions are set appropriately on all shared folders and content in shared folders. | Security | NTFS File System Permissions |
| Change any security settings not set to the standard security policy. | Security | Group Policy |
| Review the password policy for password length and complexity settings, and ensure that the policy matches company security requirements. | Security | Authentication |
| Review the password policy for the Maximum Password Age setting, and ensure that the setting matches organizational security requirements. | Security | Authentication |
| Review the password policy for the Minimum Password Age setting, and ensure that the setting matches organizational security requirements. | Security | Authentication |
| Review the password policy for the Minimum Password Length setting, and ensure that the setting matches organizational security requirements. | Security | Authentication |
| Review the Account Lockout policy, and ensure that it meets minimum organizational security policy requirements. | Security | Authentication |
| Review LanManager compatibility settings, and ensure that they meet minimum organizational security policy requirements. | Security | Authentication |
| Review LanManager authentication protocol hash storage settings, and ensure that they meet minimum organizational security policy requirements. | Security | Authentication |
| Review the certificate renewal policy. | Security | Certificate Maintenance |
| Ensure that all domain controllers are in the Domain Controllers organizational unit. | Security | Domain Controller Security |
| Restore replication links between domain controllers and replication partners. | Availability | Replication |
| Remove excess replication connections between domain controllers in different sites. | Availability | Replication |
| Verify that the replication intervals of site links between domain controllers in different sites meet company requirements. | Availability | Replication |
| Restart the appropriate replication service, if required. | Availability | Replication |
| Restart the Kerberos Key Distribution Center service, if required. | Availability | Replication |
| Schedule tests on each domain controller. | Availability | Sysvol Share |
| Schedule a backup. | Continuity | Backup and Restore |
| Schedule a backup. | Continuity | Backup and Restore |
| Schedule a backup. | Continuity | Backup and Restore |
| Schedule an authoritative restore of Active Directory Domain Services. | Continuity | Backup and Restore |
| Ensure that a test restoration is scheduled and verified. | Continuity | Backup and Restore |
| Schedule a non-authoritative restore of Active Directory Domain Services. | Continuity | Backup and Restore |
| Schedule a test for a non-authoritative restore. | Continuity | Backup and Restore |
| Schedule a test for an authoritative restore. | Continuity | Backup and Restore |
| Remove inappropriately assigned administrative authority. | Appropriate Use | Administrative Authority |
| Remove non-standard grants of Write access. | Appropriate Use | Administrative Authority |
| Remove dangerous or unnecessary services that are not disabled. | Appropriate Use | Domain Controller |
| Remove dormant user accounts. | Appropriate Use | User Accounts |
| Ensure that the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators—meets least-privilege requirements. | Appropriate Use | |
Administrative Authority
Remove user rights where they are assigned to users. Appropriate Use
User Rights
Troubleshoot slow response times.
Performance
Authentication Response Time General Response
Troubleshoot Active Directory Domain Services nonresponsiveness.
Performance
Troubleshoot global catalog nonresponsiveness.
Performance
Global Catalog Search Response
Troubleshoot operations master nonresponsiveness.
Performance
Operations Masters
Troubleshoot why a domain controller is not advertising.
Performance
Domain Controller
Ensure that the latest service pack and security updates are scheduled.
Patching
Updates and Configuration
Change any user account permissions that have been Privacy set to Read access by default.
Account Permissions
Synch domain controllers running the primary domain Integrity controller emulator with a valid external time source, if required.
Windows Time Service
Address the need for more available free space on the Availability associated disk volumes.
Active Directory Domain Services Database
Verify the domain functional level and adjust it according to company requirements.
Security
Active Directory Domain Services Functional Level
Verify the forest functional level and adjust it according to company requirements.
Security
Active Directory Domain Services Functional Level
Verify that all Domain Name System (DNS) service Availability records are in DNS for each domain controller and appropriate service, and update them when needed.
DNS SRV Records
Ensure that anonymous access to shares, the Security Security Accounts Management database/Active Directory Domain Services, and named pipes is negated.
Anonymous Connections
Verify membership in the Pre-Windows Compatible Access group.
Security
Anonymous Connections
Ensure that no standard users can read key properties Security for administrative groups and users; deny access, if necessary.
Lightweight Directory Access Protocol Access to Active Directory Domain Services
Verify that Encrypting File System is not enabled for domain controllers; disable, if necessary.
Security
Encrypting File System
Verify that no user accounts have the Password never Security expires property configured; remove this setting, if necessary.
Authentication
Check for Windows Firewall rules, and configure additional rules where appropriate.
Appropriate Use
Domain Controller
Check for changes in administrative authority for Group Policy management; modify security to meet company security requirements.
Security
Group Policy
Verify that audit policy settings are configured properly; modify audit policy settings to meet company security requirements.
Security
Auditing
Verify that the name of the last user who logged on does not appear during logon; configure this setting not to show the name if it is displayed.
Security
Authentication
Verify that the logon banner is displayed during logon; Security configure it not to appear if it is displayed.
Authentication
Ensure that accounts with administrator-level privilege have dual accounts or use User Account Control.
Appropriate Use
Administrative Authority
Ensure that the crash dump file is configured to meet Continuity organizational requirements; modify settings to meet organizational security requirements.
Domain Controllers
Ensure that all Domain Name System (DNS) servers Security that support Active Directory Domain Services are Active Directory–integrated; configure only Active Directory–integrated DNS servers when appropriate.
Domain Name System
Ensure that the correct security is in place for all Appropriate use Dynamic Host Configuration Protocol services running on domain controllers; modify DNSUpdateProxy group membership where appropriate.
Dynamic Host Configuration Protocol
Ensure that all domain controllers are in the appropriate site based on IP address; modify site membership where appropriate.
Continuity
Replication
Add global catalog servers to physical locations when Continuity required.
Global Catalog Location
Add Domain Name System servers to physical locations when required.
Continuity
Domain Name System Server Location
Add domain controllers to physical locations when required.
Continuity
Domain Controller Location
Health requirement
Remote access
Maintenance task
Frequency
Owner
Operator
Review the Remote Access Monthly Service account access policy, and update it to meet security policies.
Terminal Services/Remote Desktop
Review User account Monthly properties, and update the Remote Desktop group to meet security policies.
Operator
Current accounts
Remove locked-out, disabled, or expired accounts.
Daily
Operator
Current certificates
Review the Active Directory Monthly Domain Services Expiration Dates policy.
Operator
Current certificates
Ensure that certificates are Weekly renewed.
Operator
Secure trusting forest
Deny network Daily authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.
Backup operator
Group Policy is working as expected.
No Override is disabled for Daily all Active Directory Domain Services nodes (domains and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects.
Operator
Shares are safe from unauthorized users.
Ensure that the most restrictive permissions are applied.
Monthly
Operator
Limit the number of shared folders. NTFS file system permissions should protect shared folders and all content from unauthorized users.
Remove shared folders that Monthly are no longer required. Verify and ensure that NTFS Semiannually file system permissions are set appropriately on all shared folders and content in shared folders.
Operator
Operator
Servers are configured to the standard security policy.
Change any security settings Daily not set to the standard security policy. Review the password policy Monthly for password length and complexity settings, and ensure that the policy matches company security requirements.
Operator
Strong passwords
Operator
Maximum Password Age
Review the password policy Monthly for the Maximum Password Age setting, and ensure that the setting matches organizational security requirements.
Operator
Minimum Password Age
Review the password policy Monthly for the Minimum Password Age setting, and ensure that the setting matches organizational security requirements.
Operator
Minimum Password Length
Review the password policy Monthly for the Minimum Password Length setting, and ensure that the setting matches organizational security requirements.
Operator
Account Lockout policy
Review the Account Lockout Monthly policy, and ensure that it meets minimum organizational security policy requirements.
Operator
LanManager authentication protocol
Review LanManager compatibility settings, and ensure that they meet minimum organizational security policy requirements. Review LanManager authentication protocol hash storage settings, and ensure that they meet minimum organizational security policy requirements. Review the certificate renewal policy.
Monthly
Operator
LanManager authentication protocol hash storage
Monthly
Operator
Current certificates
Monthly
Operator
All domain controllers receive Ensure that all domain the same Group Policy objects. controllers are in the Domain Controllers organizational unit. Healthy replication links are established between domain controllers and replication partners.
Monthly
Operator
Restore replication links As needed between domain controllers and replication partners.
Operator
Domain controllers within a forest are able to replicate with each other.
Remove excess replication connections between domain controllers in different sites.
As needed
Operator
Changes are properly replicated across the forest.
Verify that the replication Daily intervals of site links between domain controllers in different sites meet company requirements.
Operator
Changes are properly replicated across the forest.
Restart the appropriate replication service, if required.
As needed
Operator
Updated domain controllers
Restart the Kerberos Key As needed Distribution Center service, if required. Schedule tests on each domain controller. Daily
Operator
The System Volume share is accessible on every domain controller. Domain controller backup Critical volumes are backed up. Servers are backed up. Active Directory Domain Services is authoritatively restored.
Operator
Schedule a backup. Schedule a backup.
Daily Daily
Backup operator Backup operator Backup operator Backup operator
Schedule a backup. Schedule an authoritative restore of Active Directory Domain Services.
Weekly Every three backups
Restore Active Directory Ensure that a test Monthly Domain Services from system restoration is scheduled and state, critical-volumes, or a full verified. server backup.
Backup operator
Active Directory Domain Schedule a nonServices is non-authoritatively authoritative restore of restored. Active Directory Domain Services. Effective non-authoritative restore Schedule a test for a nonauthoritative restore.
Every three backups
Backup operator
Tied to restore
Backup operator Backup operator Operator
Effective authoritative restore Schedule a test for an authoritative restore. Appropriately assigned authority Remove inappropriately assigned administrative authority. Remove non-standard grants of Write access.
Tied to restore
As needed
Appropriately assigned authority
As needed
Operator
Domain controllers are free of Remove dangerous or dangerous services. unnecessary services that are not disabled. The network is free of unauthorized users. Remove dormant user accounts.
As needed
Operator
As needed
Operator
Appropriately assigned authority
Ensure that the As needed membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators—meets leastprivilege requirements.
Operator
Appropriately assigned authority
Remove user rights where they are assigned to users.
As needed
Operator
Expected response time
Troubleshoot slow response As needed times. Troubleshoot Active Directory Domain Services nonresponsiveness. As needed
Operator
Active Directory Domain Services is responsive.
Operator
The Active Directory Domain Services global catalog is responsive. Operations masters are responsive.
Troubleshoot global catalog As needed nonresponsiveness.
Operator
Troubleshoot operations As needed master nonresponsiveness.
Operator
The domain controller is advertising.
Troubleshoot why a domain As needed controller is not advertising.
Operator
The system is up to date with the latest service pack and security updates. User information is private.
Ensure that the latest service pack and security updates are scheduled.
Daily
Operator
Change any user account As needed permissions that have been set to Read access by default. Synch domain controllers As needed running the primary domain controller emulator with a valid external time source, if required.
Operator
Domain controllers on the network are in time synchronization with each other.
Operator
Adequate free space in the database
Address the need for more As needed available free space on the associated disk volumes.
Operator
Ensure that the functional level of the domain is at the highest level possible.
Verify the domain Once functional level and adjust it according to company requirements.
Operator
Ensure that the functional level of the forest is at the highest level possible.
Verify the forest functional Once level and adjust it according to company requirements.
Operator
Domain controller services are Verify that all Domain Name Daily available. System (DNS) service records are in DNS for each domain controller and appropriate service, and update them when needed.
Operator
Deny anonymous access.
Ensure that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated.
Monthly
Operator
Deny anonymous access.
Verify membership in the Pre-Windows Compatible Access group.
Monthly
Operator
Deny Read access to key security groups and users for standard users.
Ensure that no standard users can read key properties for administrative groups and users; deny access, if necessary.
Monthly
Operator
Ensure that Encrypting File Verify that Encrypting File Monthly System is disabled for domain System is not enabled for controllers. domain controllers; disable, if necessary.
Operator
Ensure that user account passwords expire.
Verify that no user accounts have the Password never expires property configured; remove this setting, if necessary.
Domain controllers are free of Check for Windows Firewall Daily dangerous network access. rules, and configure additional rules where appropriate. Appropriately assigned authority Check for changes in Daily administrative authority for Group Policy management; modify security to meet company security requirements.
Operator
Operator
Appropriately assigned audit policies
Verify that audit policy settings are configured properly; modify audit policy settings to meet company security requirements.
Daily
Operator
Restrict access to user names. Verify that the name of the Daily last user who logged on does not appear during logon; configure this setting not to show the name if it is displayed.
Operator
Display the company logon banner.
Verify that the logon banner Daily is displayed during logon; configure it not to appear if it is displayed.
Operator
Appropriate logon access privilege level
Ensure that accounts with Daily administrator-level privilege have dual accounts or use User Account Control.
Operator
Configure the crash dump file. Ensure that the crash dump Daily file is configured to meet organizational requirements; modify settings to meet organizational security requirements. Active Directory–integrated Domain Name System Ensure that all Domain Monthly Name System (DNS) servers that support Active Directory Domain Services are Active Directory–integrated; configure only Active Directory–integrated DNS servers when appropriate.
Operator
Operator
Dynamic Host Configuration Protocol service running on a domain controller
Ensure that the correct Monthly security is in place for all Dynamic Host Configuration Protocol services running on domain controllers; modify DNSUpdateProxy group membership where appropriate.
Operator
Site configuration
Ensure that all domain Daily controllers are in the appropriate site based on IP address; modify site membership where appropriate. Monthly
Operator
Global catalog servers must be Add global catalog servers available. to physical locations when required.
Operator
Domain Name System servers Add Domain Name System Monthly must be available. servers to physical locations when required.
Operator
Domain controllers must be available.
Add domain controllers to physical locations when required.
Monthly
Operator
Manual / Automation
Manual: Read written Remote Access Service access policies, and match them with the permissions in place. Automation: Review using the TripWire Compliance Management Pack for Microsoft System Center Operations Manager.
Review User account properties, and update the Remote Desktop group to meet security policies; Dsmod.exe; Dsquery.exe.
Use User Manager or Active Directory Users and Computers to remove invalid accounts.
Use Microsoft System Center Configuration Manager.
Manual: Use the Certificate Request Wizard in the Certificates console. Automation: Use Microsoft Certificate Lifecycle Manager 2007.
Manual: Use the Certificate Request Wizard in the Certificates console. Automation: Use Microsoft Certificate Lifecycle Manager 2007.
Exercise access control to manage user access to shared resources in Active Directory Users and Computers.
Apply Windows Service Hardening in Windows Server 2008 R2.
Verify and modify in Group Policy Management Console.
Use the Configure Your Server Wizard to configure settings.
Windows Explorer or Computer Management; Windows Explorer
Group Policy preferences
Group Policy
Windows Explorer
Group Policy
Group Policy Management Console, Secpol.msc
Group Policy
Group Policy Management Console, Secpol.msc
Group Policy
Group Policy Management Console, Secpol.msc
Group Policy
Group Policy Management Console, Secpol.msc
Group Policy
Group Policy Management Console, Secpol.msc
Group Policy
Group Policy Management Console, Secpol.msc
Group Policy
Group Policy Management Console, Secpol.msc
Group Policy
Active Directory Users and Computers, Dsquery.exe
Repadmin, Active Directory Sites and Services
Repadmin, Active Directory Sites and Services
Repadmin, Active Directory Sites and Services
Computer Management, Server Manager
Computer Management, Server Manager
Computer Management, Server Manager
Wbadmin; Wbadmin
Wbadmin; Wbadmin
Wbadmin; Ntdsutil
Wbadmin
Ntdsutil
Ntdsutil
Ntdsutil
Ntdsutil
Active Directory Users and Computers, Delegation Wizard
Active Directory Users and Computers, Delegation Wizard; Computer Management, Server Manager
Active Directory Users and Computers, Lightweight Directory Access Protocol queries
Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsmod.exe, Dsquery.exe
Group Policy Restricted Groups
Group Policy
Varies
Varies
Varies
Varies
Varies
Windows Server Update Services
Windows Server Update Services
Active Directory Users and Computers, Lightweight Directory Access Protocol queries
Group Policy
Active Directory Users and Computers
Active Directory Domains and Trusts
Domain Name System Admin tool, Nslookup.exe, Dnscmd
Secpol.msc, Group Policy Management Console
Group Policy
Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsquery.exe, Dsmod.exe
Group Policy
Active Directory Users and Computers, Delegation Wizard, Ldp.exe
Group Policy Management Console, Secpol.msc
Group Policy
Active Directory Users and Computers, Lightweight Directory Access Protocol queries
Server Manager, firewall
Group Policy
Group Policy Management Console, Delegation tabs, Advanced Group Policy Management
Group Policy Management Console, Secpol.msc
Group Policy
Secpol.msc, Group Policy Management Console
Group Policy
Secpol.msc, Group Policy Management Console
Group Policy
User Account Control, Group Policy; User Account Control, Group Policy Management Console, Secpol.msc
System Properties – setup and recovery
Wbadmin
Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsquery.exe, Dsmod.exe
Group Policy
Active Directory Sites and Services
Active Directory Sites and Services
Dcpromo
Notes
Health Risks

| ID | Description | Probability (1–100%) | Impact (1–5) | Exposure | Mitigation strategy | Risk owner |
|---|---|---|---|---|---|---|
| 1 | Trust relationships are not appropriate, compromising identity and access. | 40% | 5 | 2 | Review trust and domain oversight; verify the need for existing trusts. | |
| 2 | Active Directory Domain Services object change management allows inappropriate changes to Group Policy objects. | 50% | 5 | 2.5 | Evaluate compliance with documented thresholds for classifying changes to ensure that Active Directory Domain Services object changes receive the correct level of scrutiny and approval. | |
| 3 | Domain controllers are not in compliance with corporate policy and/or management's stated baseline settings. | 60% | 5 | 3 | Policy settings are linked appropriately, and reviews include verification of account/password policy, audit and event log policy, and security options. | |
| 4 | Domain controller security is unknowingly compromised because of inadequate review of monitoring or maintenance activities. | 50% | 5 | 2.5 | Regular review of monitoring to ensure that specialized monitoring or security scanning is performed on domain controllers, incidents are managed and resolved appropriately and in a timely manner, and server configuration is reviewed and monitored for changes. | |
| 5 | Restoration of a domain controller results in compromising the entire Active Directory Domain Services service. | 70% | 5 | 3.5 | Procedures for restoring a domain controller are well understood, documented, and tested. | |
| 6 | Inappropriate administrator access: Former administrators who have left the Active Directory Domain Services group still have administrative access. | 25% | 3 | 0.75 | Management periodically changes the password for the DS Restore Mode Administrator account and logs that the change has been made. | |
| 7 | Flexible Single Master Operations roles are not configured appropriately, resulting in service degradation or inability of users to log on to the domain. | 25% | 4 | 1 | Periodically validate Flexible Single Master Operations roles and the appropriate number of domain controllers and global catalogs. | |
| 8 | Replication across forests is slow or broken. Access to data is affected or compromised. | 80% | 3 | 2.4 | Replication monitoring and maintenance activities are performed and reviewed. | |
| 9 | Domain controllers are out of time synchronization, resulting in degraded services. | 50% | 3 | 1.5 | Monitor and maintain time synchronization, and verify that the time source is valid. | |
| 10 | Active Directory Domain Services servers run out of database space. | 50% | 5 | 2.5 | Monitor capacity and initiate expansion (and any needed provisioning of hardware) with an appropriate lead time. | |
| 11 | User passwords are not secure. | | | 0 | Ensure that a password policy for domain and domain controllers is set to appropriate levels for User account passwords. | |
| 12 | User and group information is available to standard users. | | | 0 | Secure Lightweight Directory Access Protocol access to Active Directory Domain Services for standard users with regard to administrative groups and administrator accounts. | |
| 13 | Anonymous access is allowed to Active Directory Domain Services. | | | 0 | Restrict anonymous access to the domain controllers. | |
| 14 | Legacy authentication protocols are used and stored. | | | 0 | Deny the use of LanManager and NT LAN Manager as well as storage of these hashes for user passwords. | |
| 15 | Users will not be able to find domain controllers and the associated services running on them. | | | 0 | Ensure that Domain Name System (DNS) has all the correct information for domain controller DNS service records. | |
| 16 | Access to Active Directory Domain Services user names. | | | 0 | Ensure that Lightweight Directory Access Protocol Read access is negated to key accounts, anonymous connections are denied, and last user name displayed is denied. | |
| 17 | Inability to replicate between domain controllers because of incorrect site configurations. | | | 0 | Ensure that all domain controllers are in the correct Active Directory Domain Services site, the site topology is correct, intersite topology is configured correctly, and all replication events are successful. | |
| 18 | Inability to replicate between domain controllers because of incorrect Domain Name System configuration. | | | 0 | Ensure that all Domain Name System (DNS) service records for all domain controllers are correct, DNS is configured to Active Directory–integrated DNS, automatic updates are configured, and replication between DNS servers is set up correctly. | |
Standard Changes

| Proposed standard change | Category verified? | Approved by | Date for change development complete | Date for change release |
|---|---|---|---|---|
| Review membership in key Active Directory Domain Services security groups for correct membership. | | | | |
| Remove locked-out, disabled, or expired accounts. | | | | |
| Ensure that the most restrictive permissions are applied. | | | | |
| Remove shared folders that are no longer required. | | | | |
| Review key security settings such as password policy, audit policy, and user rights assignment for domain controllers. | | | | |
| Review the password policy for the Default Domain Policy or Group Policy object linked to a domain that establishes password policy for domain user accounts and most computer accounts. | | | | |
| Ensure that all domain controllers are in the domain controllers organizational unit. | | | | |
| Schedule backups of domain controllers, including system state. | | | | |
| Verify that domain controller backups were successful. | | | | |
| Remove inappropriately assigned administrative authority within Active Directory Domain Services or inappropriately assigned administrative authority produced through delegation. | | | | |
| Remove dangerous or unnecessary services that are not disabled. | | | | |
| Remove dormant user accounts. | | | | |
| Ensure that the latest service pack and security updates are scheduled. | | | | |
Acknowledgments
The Microsoft Operations Framework team acknowledges and thanks the people who produced Reliability Workbook for Active Directory. The following people were either directly responsible for or made a substantial contribution to the writing and development of this guide.
Contributors: Joe Coulombe, Microsoft; Jerry Dyer, Microsoft; Mike Kaczmarek, Microsoft; Don Lemmex, Microsoft; Derek Melber, Xtreme Consulting Group, Inc.; Betsy Norton-Middaugh, Microsoft
Reviewers: Jason Missildine; Steve Schofield; Sainath K.E.V.; Robert Stuczynski
Editors: Michelle Anderson, Xtreme Consulting Group, Inc.; Pat Rytkonen, Volt Technical Services
Copyright © 2010 Microsoft Corporation. This documentation is licensed to you under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94150, USA. When using this documentation, provide the following attribution: The Microsoft Operations Framework 4.0 is provided with permission from Microsoft Corporation. Microsoft, Active Directory, Forefront, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.