Open a Socket!

I encounter a fair number of AD implementations as part of my work.  Some are good, some bad and some just plain ugly.  Here’s a more or less random collection of bad habits that I see quite regularly and some tips on how to avoid and/or kick them.

1.  Poor or missing Active Directory monitoring

A number of organisations rely on monitoring Domain Controllers simply as servers.  They will monitor things such as CPU, memory, disk utilisation, disk space, etc., but not AD as a service.  If something goes bad within AD it might not be picked up by standard server monitoring and alerting. You need to ensure that all AD services are available and healthy.  This involves monitoring items such as LDAP and GC port availability and response times, forest synchronisation with an authoritative time source, correctly published DNS SRV records, replication working, SYSVOL healthy, etc.

Implementing a monitoring and alerting solution for your AD service will allow problems to be detected and resolved early, rather than firefighting after the event has happened.

In addition to Microsoft’s Operations Manager Management Pack for AD, there are a number of 3rd party AD monitoring solutions.  NetPro’s DirectoryAnalyzer is one of the more comprehensive.

2.  Bad delegation

AD offers the ability to implement a granular delegation to suit environments of all sizes.  Why is it then that so many organisations end up with little or no delegation and security model?  For example, I regularly see environments that have 20 or more accounts in the Domain Admins group.  This appears to be because it is seen as too difficult and/or time consuming to configure the appropriate delegation.  Once an account is put into a privileged group there appears to be reluctance to remove it “in case it breaks something”.  Here are some general tips around delegation.

• Document your delegation model.  Implement it, enforce it and monitor it.
• Separate standard user accounts from administrative accounts.  Only allow administrative accounts to be members of privileged groups.
• Don’t allow service accounts to be members of the highly privileged groups (e.g. Domain Admins, Schema Admins, Enterprise Admins and built-in Administrators).  If the documentation from a vendor says that this membership is required the information is probably wrong.  99% of the time there is a way to delegate without making the account a member of a privileged group.
• Apply the principle of least privilege.  Give accounts the permissions they need to perform their tasks and no more.
• Keep the Schema Admins and Enterprise Admins groups empty.  Only populate these groups temporarily when required for a specific task.
• Don’t mess with the built-in Administrators group.  Leave it alone.
• Keep the membership of Domain Admins to a low number (should be no more than 5 trusted individuals, even in large environments).

3.  Abuse of the Default Domain Policy

I have seen a number of environments in which the Default Domain Policy and the Default Domain Controllers Policy are heavily used.  It is considered a best practice to leave the Default Domain Policy and the Default Domain Controllers Policy untouched and to create new GPOs linked at the Domain and Domain Controllers OU to hold your required settings.  The reason for this is that if the Default policies become corrupt and you have no good backups you at least have the option of restoring the defaults using DCGPOFIX.

4.  No formal object lifecycle management

I often encounter environments that have little or no formal process for AD object provisioning, re-provisioning and deprovisioning.  Amongst other issues, this can lead to a large number of inactive/unused accounts and other objects in the directory. Often the problem is only addressed during a migration or upgrade.  The clean-up can be time-consuming, difficult and expensive.  Try to associate each newly provisioned object with a human owner (guardian).  This will help when making changes in your environment and when you need to remove inactive or unused objects from your directory.

5.  No representative staging environment

When making changes to your AD environment, especially schema changes, it is important to have a representative staging environment.  This will reduce the overall risk when making the change in your production environment.  To make the environment representative, try to make sure at least the following items are the same in both environments:

• Schema extensions
• Domain Controller service pack and patch levels
• Domain and forest functional levels
• Number of domains
• GC availability
• FSMO role distribution

6.  No tracking of schema changes 

There is nothing built-in to AD that will keep track of what changes have been made to the default schema.  Quite often I see environments in which the administrators have no idea what changes have been made to the schema.  This can lead to risk and uncertainty when making future changes.  If you have a formal change management system in place in your organisation, ensure that schema changes are included and fully documented.  Try to maintain copies of the LDIF files that are used for the schema extensions,  These are useful for preparing test environments as well as being self-documenting. 

Even if you do have a formal change management system in place, consider keeping a separate change log somewhere inside your AD environment (e.g. in SYSVOL).  Change management systems may come and go, but your AD infrastructure could be in place for 20 years or more.

7.  Missing forest recovery plan

Given the importance of AD to most organisations, I am constantly amazed at how many have no forest recovery plan.  When challenged on this, most just point to off-site DCs as an indication of the redundancy they have.  But what if you lose forest-wide functionality?  Microsoft’s excellent whitepaper on forest recovery lists the following failure/horror scenarios that might require a forest recovery:

• None of the domain controllers can replicate with its replication partner.
• Changes cannot be made to Active Directory at any domain controller.
• New domain controllers cannot be installed in any domain.
• All domain controllers have been logically corrupted or physically damaged to a point that business continuity is impossible (for instance, all business applications that depend on Active Directory are non-functional).
• A rogue administrator has compromised the Active Directory environment.
• An adversary intentionally or an administrator accidentally runs a script that spreads data corruption across the Active Directory forest.
• An adversary intentionally or an administrator accidentally extends the Active Directory schema with malicious or conflicting changes.

The whitepaper offers guidelines for building your own forest recovery plan and provides a sample roadmap for the recovery steps involved.  Microsoft also recommends that you test your forest recovery at least once per year.

8.  Missing subnet registrations

In a number of environments I have seen, AD subnets are registered and associated with their corresponding AD site when the infrastructure is first put in place.  Subnets introduced afterwards are not always registered.  When subnets are not registered, clients on those subnets will not find an in-site DC and/or GC to use, which can lead to slow responses and unnecessary bandwidth utilisation.

DCs detect connections from clients on unregistered subnets and log the information in the Directory Service event log (Event 5807). The DC also commits the information into the %windir%\debug\netlogon.log.  You should regularly monitor your DCs for missing subnets and register them as required.

9.  No auditing of Directory Service Access events

If someone deletes an entire OU tree in your domain, you are very likely going to want to know who (or at least which account) was used to perform the deletion.  That information will be captured in the security event log of the DC where the change was made, as long as auditing is enabled for the DCs via Group Policy and turned on in the appropriate SACLs of the objects within the directory.  Quite often I see that either one or both of these two steps are missing.

I recommend defining and documenting an audit policy for your AD environment and then implementing the policy.  Each environment will have different auditing requirements based on the type of organisation that it is, so it is important not to simply accept the default configuration.

10. No event log consolidation

This is linked to the previous entry.  There is no point implementing an audit policy if you then subsequently lose the information you need simply because the events have been overwritten in the security event log.  Microsoft doesn’t provide a built-in mechanism for consolidation of audit and other event log information.  They do however include an Audit Collection System as part of Operations Manager.  A number of 3rd parties offer similar solutions that provide a centralised, consolidated view of event information.  These systems have the advantage of storing the events more efficiently for much longer periods of time and allowing faster event searches.  If the information is important to you (as it is for most organisations) then consider putting the money and resources aside to implement such a system.

It’s been a little while since I’ve blogged, so here’s a more or less random collection of snippets for you to enjoy/delete at leisure.

Quest acquires Netpro

Wow, this one took me by surprise, especially as I have been contracting to Quest on and off for the past 10 months.  Two of the biggest names in the Active Directory management space are now one.  It’s going to take quite a while for competitors to breach the gap.

Microsoft acquires Deano

I just learned from Joe Richard’s blog that Dean Wells has taken a position at Microsoft within the Directory Services product team in Redmond.  I’ve known Dean for the past six years or so and he is one of the most knowledgeable AD people around.  He’s forgotten more about AD than most of us know.  I’m sure he’ll be a huge asset to the DS team.  Good luck Deano!

Handy CSV import script

I came across a good vbscript for modifying AD attribute values using a CSV input file.  There are a number of methods and scripts around that can work with CSV input files, but the cool thing about this script is that can easily be modified to accommodate different attributes.  Check it out here.  I’m thinking of putting together a Powershell version of the same thing.

Good anecdote from Don Hacherl

A while back I blogged about one of the new features of AD in Windows Server 2008: protection from accidental deletion.  If you were looking for a good supporting anecdote to hasten the deployment of this feature in your environment, look no further than this nugget from one of the Godfathers of AD, Don Hacherl, posted on the mailing list at ActiveDir.org:

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Don Hacherl
Sent: Sunday, 7 September 2008 4:52 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegating Start/Stop Service on DCs

Years ago I worked with a “domain admin qualified” person at Microsoft who fat fingered the admin UI and deleted a container instead of the object he was intending.  The container was named “North America”, and that was the night we wrote our first authoritative restore tool.  (Later he said “I wondered why it was taking so long to finish.”)

A tightly constrained proxy program can be more reliable and less dangerous than a distracted human administrator.

Don

Tech-Ed

My sessions at Auckland and Sydney completed without mishap and my demos (bizarrely) worked without one single blue-screen :-)  The feedback was positive and I was happy with the eval scores.  Looking at the video of my session, I realise that I need to slow down a little, engage the audience more and stop saying “um” so much.  Talking in front of a large audience is nerve-wracking and I wasn’t even aware I was doing it.

Tech-Ed in Sydney was also a good opportunity to catch up with fellow DS MVP Gil Kirkpatrick and my ex-colleagues from Gen-i, Craig Pringle and James Brombergs.

When running through final preparations for a presentation to a few hundred people (well, tens of people…ok, at least 5 people…proabably) the last thing you need is for your Hyper-v environment to start misbehaving.   This is exactly what happened to me and I’ve just found the cause, so am feeling a lot more relaxed about things.

 I had prepared a number of Hyper-v VMs (child partitions, if using the Microsoft jargon) and found I was not able to log on to any of them following a log off.  The VMs were a mix of Windows Server 20008 64bit and 32bit.   When trying to re-log on, I received the error “Your system is running low on resources.  You cannot log on as a new user.  Please use an account that has already been logged on.”

The only workaround I found for this scenario was to shut down the machine and boot up again. 

After investigation the error about “running low on resources” appeared to be spurious.  The VMs were running fine and weren’t under any real resource load.  Assigning more memory and/or additional processors made no difference.  The problem was 100% reproducible.

 In the end I noticed that a newly created Windows Server 2008 VM did not exhibit the same problem.  From there it was a question of trial and error, running through each step of my build process to see what introduced the problem.  Bizarrely, it turned to be changing the default 96 DPI font size to large font (120 DPI).  I had been changing to the bigger font to save my failing eyesight! 

 As soon as I changed the font back to 96 DPI on my VMs the problem disappeared.

 I’m now trying to find out whether this is a bug, or just something weird in my environment.

A number of companies that I work with use the Acctinfo.dll to provide  additional user information when working with Active Directory Users and Computers (DSA.MSC).  You can download Acctinfo.dll from the Microsoft web site as part of the Account Lockout and Management Tools package.

What isn’t quite so well known is that an updated version of the tool, Acctinfo2.dll, has been available for some time.  There is sadly no download available for it and the only way I know to get hold of it is via Microsoft Product Support Services (PSS).  The newer version contains a number of enhancements, such as:

• Ability to view replication metadata.  This provides the same information as the repadmin /showmeta <objectDN> command.
• Support for lastLogonTimestamp attribute.  The original acctinfo.dll only shows the last logon for a specific Domain Controller.
• The tab now appears as an option when users are returned as a result of a search.  This was not the case with acctinfo.dll.

The screenshot below shows the acctinfo2.dll in action.

I was pleased to see from Kurt Roggen’s Blog that Acctinfo.dll still works with Vista SP1 and RSAT.  Based on this, I thought I would try to get Acctinfo2.dll working on Vista SP1 and RSAT.  Unfortunately, I currently only have a 64-bit version of Vista in my VMWare lab environment and it doesn’t work on this platform.  The dll fails to register with the following error:

“The module “c:\windows\acctinfo2.dll” was loaded but the call to DllRegisterServer failed with error code 0×80070002.”

I’ve since had it confirmed from an authoritative source within Microsoft that the tool won’t load on a x64 platform.  It seems no further development of the tool is planned, which is a shame given that so may people appear to be using it. ++++ Update: news about a 64-bit version available here ++++

There are a number of different versions of Acctinfo2.dll floating around.  If you are planning to request a copy from PSS make sure it is the following (or more recent):

Version 2.0.0.2000 (Modified: Thursday, 26 October 2006)

Here’s a cautionary tale.  In a rash moment I volunteered to present a session at TechEd in Auckland in early September.  Be careful what you wish for….I’ve been confirmed as a speaker for a break-out session on Windows Server 2008 Active Directory.  The title is Windows Server 2008 Active Directory Deep Dive and you can catch it on Wednesday 3rd September at 12.10pm.  Or you could simply take an early lunch

I remember the last time I spoke at TechEd.  I woke up at 5am on the morning of my session and thought about gnawing my leg off in an attempt to avoid having to stand up and talk in front of a few hundred people.  In the end it was all ok and I managed to make it through the presentation without looking like a complete idiot (or so my friends tell me…).

I won’t be presenting a session at TechEd Australia in Sydney.  Instead I will be speaking at what they call a MVP Theatre Session.  I’m kind of hoping the Theatre part refers to the venue, rather than a call upon my limited thespian skills.  Anyway, my theatre session is on Administrator Role Separation in Windows Server 2008 at 1pm on Friday 5th September.  Be there or be…at lunch.

If you’re reading this and will be attending either of the TechEd events, come along an say hi (even if you decide to prioritise lunch ahead of listening to my session).

Call me rash and impulsive, but the other day I blew away XP and installed Windows Server 2008 x64 Standard Edition on my Dell Latitude D830 laptop.  Other than idle curiosity, the main driver behind my foolishness was the need to create some demo machines using Hyper-V.  I don’t have any other hardware that meets the system specifications for Hyper-V, so it was the laptop or nothing.

The installation itself was a breeze and completed without mishap.  Windows Server 2008 didn’t have the correct video drivers, but I found these fairly quickly on the Dell support site.  They were Vista 64bit drivers, but work just as well for Windows Server 2008.

The first problem I encountered was that the built-in Intel PRO\Wireless 3945ABG wireless connection no longer works.  I found some 64bit Vista drivers from the Intel web site, which seemed to load ok, but I can’t see any wireless networks despite Device Manager showing the device as working properly. The Intel PROSet/Wireless diagnostic tool passes on the driver test, but fails on the hardware test.  The Dell web site also has 64bit Vista drivers but these are older than those from Intel.  I tried these older drivers too, but again without success.

I even tried installing my old Cisco Aironet 350 series wireless card, but couldn’t find any drivers that would work for that either.  The Cisco support site’s latest drivers for the card are for XP.

The second annoyance is that VMWare Workstation guests were working fine until I installed Hyper-V.  Then all hell broke loose.  The VMWare guests started causing the host to bluescreen.  There were also warning messages on the guests about changes to processor speed.  Oh, and I lost 64bit guest support.   Apparently, all this is due to incompatibilities between the hypervisors used by VMWare and Hyper-V.  Happily, I found a workaround on Geert Baeke’s web site that shows how to create a new entry in the boot loader that allows you to select a hypervisorless (is that a word?) boot option.  Good stuff.  Here’s a link to the information.

http://blog.baeke.info/blog/_archives/2007/12/18/3416738.html

Now I’m busy creating virtual machines in Hyper-V.  I haven’t used it before, but it all seems fairly intuitive, especially for anyone already familiar with VMWare.

Earlier this week, John Christie posted a question to the mailing list at ActiveDir.org on the topic of the history of Active Directory.  If you’re not already subscribed to the list, the full thread can be found here:

http://www.activedir.org/ListArchives/tabid/55/forumid/1/postid/29103/view/topic/Default.aspx

The most interesting and authoritative response was from Don Hacherl, as shown in full below.

Thanks for tipping me off to this thread, Eric.  I’ll see if I can clear up the pre-history.

The oldest traceable part of AD started life at 3Com in 1988 or 1989.  This was an (incomplete!) X.500-ish directory with custom communication protocols, built on top of a C-Tree database, running under 16-bit OS/2.  By 1990 3Com had abandoned its network software efforts and the directory code moved to Microsoft as part of some complicated deal.  The LanMan group planned to include the directory service in LanMan 3.0 and immediately started porting it to the JET Blue ISAM and building an RPC front end compliant with the X/Open XDS API.

At this point (in early 1991) Jim Allchin, who had recently taken over the LanMan group, cancelled LanMan 3.0 and scrapped its directory service project.  In its place he created the Cairo project, which included a completely non-X.500 like directory service that lived as part of OFS, the Cairo file system.

The email group at Microsoft picked up two pieces out of the wreckage of LanMan 3.0: the DS and an X.400 MTA.  We (this is when I became dev lead of the DS) ported the DS to Windows NT, finished the JET and XDS work, and added a MAPI RPC interface, a query engine, the KCC, a modifiable schema, the link table, and much, much more.  This version of the DSA (plus the MTA and a custom message store) shipped in Exchange 4.0 in 1996.  By this point there’s very little of the original code left, although some elderly data structures live on, at least in name.

Around late 1995 Cairo, and its attendant directory service, were cancelled.  This left the OS team with an urgent need for a DS (for Windows 2000) but no plans to build one.  To fill the hole, the week after Exchange 4.0 shipped two of us from the Exchange DS dev team made a copy of the DS sources and moved to the Windows group, where we got re-christened Active Directory, and the rest is history.

In summary:

• AD has no relation to Novell NDS/eDirectory.  Novell was a competitor (the competitor), not a licensee/licensor.
• AD has no relation to Banyan StreetTalk.  Although both Jim Allchin and one member of the AD dev team were former Banyan employees, there was no license or co-work between Microsoft and Banyan.
• AD has no relation to Cairo, except the relation that mammals have to dinosaurs.
• AD did not inherit code or functionality from Site Server or MCIS.  It did inherit their customers.
• AD is a direct descendant of the DSA in Exchange 4.0  (Note that LDAP support got added separately to the two branches of the directory in Exchange 5.something and Windows 2000.  Anything that important is clearly worth doing twice.)

Don

The long awaited new version of Microsoft’s Active Directory Migration Tool is now available for download from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=ae279d01-7dca-413c-a9d2-b42dfb746059&displaylang=en

The most important feature of the new version is is the ability to migrate to Windows Server 2008 Functional Level domains.  This was not possible with version 3.0.

If you need to copy passwords as part of your user account migration, you will also need the Password Export Server (PES).

http://www.microsoft.com/downloads/details.aspx?familyid=F0D03C3C-4757-40FD-8306-68079BA9C773&displaylang=en

There is a also a separate document available for download entitled “Migrating and Restructuring Active Directory Domains Using ADMT v3.1″

http://www.microsoft.com/downloads/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en

If you don’t like ADMT, you could also look at Quest’s Migration Manager for AD.

http://www.quest.com/migration-manager-for-active-directory/

Those of you familiar with Darren Mar-Elia’s excellent resource site GPOGUY.COM will notice the site has had a complete face-lift.  This comes as part of a recent collaboration with the ActiveDir.org AD resource site.

I’d like to say it was all my own work, but Matty Holland deserves the kudos for developing the shared site template and being (along with Darren) the driving force behind the new site launch.  Good work Matty!

The much-hyped iPhone launched in New Zealand on Friday last week to muted enthusiasm.  While the Kiwi geek collective loves the technology, the pricing offered by Vodafone (the sole carrier offering the iPhone in NZ) leaves much to be desired.  Across the ditch in Australia iPhone packages are more attractive, with competition between Optus, Telstra and Vodafone keeping the prices at a level consumers can live with.

I had been looking forward to replacing my old Nokia with an iPhone, but now I’m not so sure.  In the meantime, I’ve come up with my own alternative, which I’m calling the EyePhone (see below).