Document version: 1.0
Published: January 2010
Overview
Task List Columns
Feedback
Reliability Workbook for Active Directory Domain Services
Reliability is the state in which a service and all the components it depends on are behaving as desired within acceptable limits. This task list provides a schedule of proactive health monitoring and maintenance tasks to review and adapt to your individual requirements. For further instructions about the configuration and use of this task list, see the Administrator's Guide to Reliability Workbooks at www.microsoft.com/mof.
Health Attribute: A group of requirements for a healthy system.
Health Area: A category of health action.
Health Requirement: A requirement in a particular health control area that drives monitoring activity, which ensures continued component health.
Monitoring Task: An action that involves observing trends and paying attention to warning levels and error alerts. These alerts will trigger maintenance tasks.
Maintenance Task: Regularly scheduled or trend-driven work that ensures the continued health of the component.
Monitoring Parameter: The picture of health for a component. These conditions are determined by your organization's requirements and may vary according to factors such as the component's importance to the business, the size of the organization, or staffing constraints.
Owner: Person with the responsibility to ensure that a task is done. The owner can complete the task, automate it, or delegate it and confirm that the work has been done.
Notes: Additional information relating to this item.
Please direct questions and comments about this guide to [email protected].
Note: Although many of the monitoring and maintenance tasks in this guide can be performed manually, best practice is to use automated methods because of the frequency and complexity of the individual tasks.
Monitoring Activities
Title / Health attribute / Health area
Security Authentication
Security Authentication
Security Authentication
Security
Security
Security
Verify that all accounts with Remote Access Service access are appropriate.
Verify that all accounts with Terminal Services access are appropriate.
Check for a high number of locked-out, disabled, or expired accounts.
Verify that upcoming certificate renewals are in the schedule.
Certificate Maintenance
Verify that expiration dates for domain controller certificates have been set.
Certificate Maintenance
Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.
Domain and Forest Trust Management
Security
Confirm that Group Policy has not been misconfigured. Security Group Policy
Verify that share permissions are set appropriately. Security Share Permissions
Verify that shared folders are required. Security Shared Folders
Security NTFS Permissions
Security Group Policy
Security Authentication
Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.
Domain and Forest Trust Management
Verify that NTFS file system permissions are set appropriately on all shared folders and content in shared folders.
Verify that all security settings available via Group Policy objects are managed centrally by policies.
Verify that all user account passwords are configured to meet minimum length and complexity requirements.
Security Authentication
Security Authentication
Security Authentication
Security Authentication
Review LanManager compatibility settings. Security Authentication
Security Authentication
Security
Check the replication provider. Availability Replication
Check the password policy for the Maximum Password Age setting.
Check the password policy for the Minimum Password Age setting.
Check the password policy for the Minimum Password Length setting.
Verify that the Account Lockout policy meets minimum organizational security policy requirements.
Review the LanManager authentication protocol hash storage settings.
Verify that all domain controllers are in the Domain Controllers organizational unit.
Domain Controller Security
Check the partner replication count. Availability Replication
Check replication latency. Availability Replication
Verify that the appropriate replication service is running. Availability Replication
Availability Replication
Test the availability of each domain controller. Security
Back up system state on each domain controller. Continuity Backup and Restore
Verify that critical volumes are backed up. Continuity Backup and Restore
Verify the full server backup. Continuity Backup and Restore
Continuity Backup and Restore
Verify that the Kerberos Key Distribution Center service is running.
The System Volume share
Verify the authoritative restore of Active Directory Domain Services.
Continuity Backup and Restore
Check for changes in administrative authority. Appropriate Use
Appropriate Use
Appropriate use Domain Controller
Check for dormant user accounts. Appropriate Use User Accounts
Appropriate Use
Verify that user rights are assigned to groups, not users. Appropriate Use User Rights
Performance
Verify the non-authoritative restore of Active Directory Domain Services.
Administrative Authority
Look for non-standard grants of Write access to Active Directory Domain Services (AD DS) and AD DS objects.
Administrative Authority
Check for dangerous or unnecessary services that are not disabled.
Audit the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators.
Administrative Authority
Monitor each domain controller for general responsiveness.
Authentication Response Time
Performance General Response
Performance
Verify that operations masters are responsive. Performance Operations Masters
Verify that the domain controller is advertising. Performance Domain Controller
Check for the latest service pack and security updates. Patching
Verify that the Windows Time service is running. Integrity
Availability
Security
Monitor the responsiveness of Active Directory Domain Services to a Lightweight Directory Access Protocol request.
Measure the time required to perform a global catalog search.
Global Catalog Search Response
Updates and Configuration
Windows Time Service
Monitor database and log file size as well as the available free space on the associated disk volumes.
Active Directory Domain Services Database
Check the Active Directory Domain Services domain functional level.
Active Directory Domain Services Functional Level
Security
Availability DNS SRV Records
Security
Security
Security
Security
Security Authentication
Check for Windows Firewall rules. Appropriate Use Domain Controller
Check the Active Directory Domain Services forest functional level.
Active Directory Domain Services Functional Level
Verify that all Domain Name System (DNS) service records are registered in DNS for each domain controller and appropriate service.
Verify that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is denied.
Anonymous Connections
Verify membership in the Pre-Windows Compatible Access group.
Anonymous Connections
Ensure that no standard users can read key properties for administrative groups and users.
Lightweight Directory Access Protocol Access to Active Directory Domain Services
Verify that Encrypting File System is not enabled for domain controllers.
Encrypting File System
Verify that no user accounts have the Password Never Expires property configured.
Security Group Policy
Verify that audit policy settings are configured properly. Security Auditing
Security Authentication
Verify that the logon banner is displayed during logon. Security Authentication
Verify that Group Policy objects are backed up. Continuity Backup and Restore
Appropriate Use
Continuity Domain Controllers
Security
Appropriate Use
Check for changes in administrative authority for Group Policy management.
Verify that the name of the last user who logged on does not appear during logon.
Ensure that administrator-level accounts have dual accounts or use User Account Control.
Administrative Authority
Ensure that the crash dump file is configured to meet company requirements.
Ensure that Domain Name System servers that support Active Directory Domain Services (AD DS) are all AD DS integrated.
Domain Name System
Ensure that the correct security is in place for all Domain Host Configuration Protocol services running on domain controllers.
Domain Host Configuration Protocol
Continuity Replication
Continuity
Continuity
Continuity
Ensure that all domain controllers are in the appropriate site based on IP address.
Ensure that the design of the location of global catalog servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information in the global catalog.
Global Catalog Location
Ensure that the design of the location of Domain Name System (DNS) servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on the DNS servers.
Domain Name System Location
Ensure that the design of the location of domain controllers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on domain controllers.
Domain Controller Location
Health requirement / Monitoring task / Monitoring parameter / Frequency
Remote access Daily
Daily
Current accounts Daily
Current certificates Weekly
Current certificates Weekly
Secure trusting forest Daily
Verify that all accounts with Remote Access Service access are appropriate.
Remote Access Service account access is limited to those deemed appropriate per company policy.
Terminal Services/Remote Desktop
Verify that all accounts with Terminal Services access are appropriate.
Terminal Services account access is limited to those deemed appropriate per company policy.
Check for a high number of locked-out, disabled, or expired accounts.
No more than n number of anomalous accounts
Verify that upcoming certificate renewals are in the schedule.
Certificates are valid for one month past the current date.
Verify that expiration dates for domain controller certificates have been set.
The expiration date is in the future.
Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.
Security ID filtering on all trusts by default
Secure trusting forest Daily
Monthly
Monthly
Monthly
Semi-annually
All settings are confirmed. Daily
Strong passwords Monthly
Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.
Security ID filtering on all trusts by default
Group Policy is working as expected.
Confirm that Group Policy has not been misconfigured.
No Override is disabled for all Active Directory Domain Services nodes (domain and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects.
Shares are safe from unauthorized users.
Verify that share permissions are set appropriately.
The most restrictive permissions are applied.
Limit the number of shared folders.
Verify that shared folders are required.
The list of shared folders should meet the minimum shared folders required for each server.
NTFS file system permissions should protect shared folders and all content from unauthorized users.
Verify that NTFS file system permissions are set appropriately on all shared folders and content in shared folders.
The most restrictive permissions are applied.
The server is configured to a standard security policy.
Verify that all security settings are managed centrally by policies.
Verify that all user account passwords are configured to meet minimum length and complexity requirements.
Password length and complexity are established (specifics per company policy).
Maximum password age Monthly
Minimum password age Monthly
Minimum password length Monthly
Account Lockout policy Account Lockout policy settings Monthly
Monthly
LanManager hash storage settings Monthly
Monthly
Weekly
Check the password policy for the Maximum Password Age setting.
The Maximum Password Age is set between 30 and 120 days per organization policy.
Check the password policy for the Minimum Password Age setting.
The Minimum Password Age is set to a minimum of one day or per organization policy.
Check the password policy for the Minimum Password Length setting.
The Minimum Password Length is set to a minimum of 7–14 characters or per organization policy.
Verify that the Account Lockout policy meets the minimum organization security policy requirements.
LanManager authentication protocol
Review LanManager compatibility settings.
LMCompatibilityLevel setting
LanManager authentication protocol hash storage
Review the LanManager authentication protocol hash storage settings.
All domain controllers receive the same Group Policy objects.
Verify that all domain controllers are in the Domain Controllers organizational unit.
No domain controllers are outside the Domain Controllers organizational unit.
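The password-policy, account-lockout and LanManager checks listed above (and the Password Never Expires check that appears later in this list) can be scripted against the thresholds the task list states. The following is an added example, not part of the workbook; it assumes the ActiveDirectory module (RSAT) is installed and that it runs elevated on a domain controller, and the threshold values are the workbook's own, to be adjusted per organization policy.

```powershell
# Added example (not from the workbook): compares the domain password policy,
# the local LanManager settings and the Password Never Expires accounts against
# the thresholds stated in the task list. Assumes the ActiveDirectory module
# and elevation on a domain controller.
Import-Module ActiveDirectory

$script:results = @()

function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Observed, [string]$Expected)
    $status = 'FAIL'
    if ($Pass) { $status = 'PASS' }
    $script:results += New-Object PSObject -Property @{
        Check    = $Name
        Status   = $status
        Observed = $Observed
        Expected = $Expected
    }
}

# --- Password and lockout policy (Default Domain Policy values) ---
$policy = Get-ADDefaultDomainPasswordPolicy

# Workbook parameter: Maximum Password Age between 30 and 120 days.
$maxAge = $policy.MaxPasswordAge.TotalDays
Add-Check 'Maximum Password Age' ($maxAge -ge 30 -and $maxAge -le 120) `
    "$maxAge days" '30-120 days'

# Workbook parameter: Minimum Password Age of at least one day.
$minAge = $policy.MinPasswordAge.TotalDays
Add-Check 'Minimum Password Age' ($minAge -ge 1) "$minAge days" '>= 1 day'

# Workbook parameter: Minimum Password Length of at least 7 characters.
Add-Check 'Minimum Password Length' ($policy.MinPasswordLength -ge 7) `
    "$($policy.MinPasswordLength) characters" '>= 7 characters'

Add-Check 'Password complexity' $policy.ComplexityEnabled `
    "$($policy.ComplexityEnabled)" 'True'

# A lockout threshold of 0 means account lockout is disabled entirely.
Add-Check 'Account Lockout threshold' ($policy.LockoutThreshold -gt 0) `
    "$($policy.LockoutThreshold)" '> 0 (per organization policy)'

# --- LanManager settings on this domain controller (Lsa registry key) ---
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LMCompatibilityLevel 3 or higher sends only NTLMv2; 5 also refuses LM and
# NTLM from clients. If the value is absent the policy is not explicitly set,
# so the check fails and the level should be confirmed in Secpol.msc.
if ($null -ne $lsa.LmCompatibilityLevel) {
    $level = [int]$lsa.LmCompatibilityLevel
    Add-Check 'LMCompatibilityLevel' ($level -ge 3) "$level" '>= 3 (5 recommended)'
} else {
    Add-Check 'LMCompatibilityLevel' $false 'not set' '>= 3 (5 recommended)'
}

# NoLMHash = 1 stops the LM hash of newly set passwords from being stored.
if ($null -ne $lsa.NoLMHash) {
    $noLm = [int]$lsa.NoLMHash
    Add-Check 'NoLMHash (LM hash storage)' ($noLm -eq 1) "$noLm" '1'
} else {
    Add-Check 'NoLMHash (LM hash storage)' $false 'not set' '1'
}

# --- User accounts with the Password Never Expires property ---
$neverExpires = @(Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Select-Object -ExpandProperty SamAccountName)
Add-Check 'Password Never Expires accounts' ($neverExpires.Count -eq 0) `
    "$($neverExpires.Count) account(s)" '0'

$script:results | Select-Object Check, Status, Observed, Expected | Format-Table -AutoSize
```

Fine-grained password policies applied to specific groups are not covered by Get-ADDefaultDomainPasswordPolicy; inspect them separately with Get-ADFineGrainedPasswordPolicy.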
Replication links between domain controllers and replication partners are healthy.
Check the replication provider.
ModifiedNumConsecutiveSyncFailures is <2 days old; TimeOfLastSyncSuccess is <14 days old
Daily
Check replication latency. Daily
Daily
Updated domain controllers Daily
Daily
Domain controller backup Daily
Critical volumes are backed up. Completed Daily
The server is backed up. Completed Weekly
Completed
Domain controllers within a forest are able to replicate with each other.
Check the partner replication count.
The domain controller always has at least one outbound connection; the domain controller has at least one connection to another site; the domain controller does not have more than a specified number of connections.
Changes are properly replicated across the forest.
Convergence latency is within the desired maximum determined time.
Changes are properly replicated across the forest.
Verify that the appropriate replication service is running.
NT File Replication Service and/or Distributed File System Replication is running.
Verify that the Kerberos Key Distribution Center service is running.
The Kerberos Key Distribution Center service is running.
The System Volume share is accessible on every domain controller.
Test the availability of each domain controller.
The System Volume share can be accessed on each domain controller from across the network.
Back up system state on each domain controller.
System state has been backed up within the past 24 hours.
Verify that critical volumes are backed up.
Verify the full server backup.
Active Directory Domain Services is authoritatively restored.
Verify the authoritative restore of Active Directory Domain Services.
Every three backups
Completed
No change Daily
No change Daily
Daily
Daily
Apply least privilege. Daily
Monthly
Expected response time Less than one second Daily
Active Directory Domain Services is non-authoritatively restored.
Verify the non-authoritative restore of Active Directory Domain Services.
Every three backups
Appropriately assigned authority
Check for changes in administrative authority.
Appropriately assigned authority
Look for non-standard grants of Write access.
Domain controllers are free of dangerous services.
Check for dangerous or unnecessary services that are not disabled.
Dangerous or unnecessary services are disabled.
The network is free of unauthorized users.
Check for dormant User accounts.
User accounts are disabled when a personnel change is entered in the Human Resources system.
Appropriately assigned authority
Audit the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators.
Appropriately assigned authority
Verify that user rights are not assigned to users.
Only administrators should have user rights assigned.
Monitor each domain controller for responsiveness.
Less than one second Daily
Response time is <5 seconds. Daily
Operations masters are available.
Daily
Completed Daily
Daily
Every 15 minutes
Existing domain functional level Once
Active Directory Domain Services is responsive.
Monitor the responsiveness of Active Directory Domain Services to a Lightweight Directory Access Protocol request.
The Active Directory Domain Services global catalog is responsive.
Measure the time required to perform a global catalog search.
Operations masters are responsive.
Verify that operations masters are responsive.
Every five minutes
The domain controller is advertising.
Verify that the domain controller is advertising.
The domain controller locator is working.
The system is up to date with the latest service pack and security updates.
Check for the latest service pack and security updates.
Domain controllers on the network are in time synchronization with each other.
Verify that the Windows Time service is running.
The primary domain controller is synchronizing with a valid external time source; MaxPosPhaseCorrection and MaxNegPhaseCorrection should not be <48 hours but >1 hour.
Verify that the Windows Time service is running.
Adequate free space in database
Monitor database and log file size as well as available free space on the associated disk volumes.
At least 20% of the current database is available.
Ensure that the functional level of the domain is at the highest level possible.
Check the Active Directory Domain Services domain functional level.
Existing forest functional level Once
Daily
Deny anonymous access. Monthly
Deny anonymous access. Monthly
Monthly
Monthly
Monthly
Daily
Ensure that the functional level of the forest is at the highest level possible.
Check the Active Directory Domain Services forest functional level.
Domain controller services are available.
Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service.
The Domain Name System service records exist.
Verify that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is denied.
Check anonymous connection parameters.
Verify membership in the Pre-Windows Compatible Access group.
Verify membership in the Pre-Windows Compatible Access group.
Deny Read access to key security groups and users for standard users.
Ensure that no standard users can read key properties for administrative groups and users.
Verify Lightweight Directory Access Protocol access to Active Directory Domain Services.
Ensure that Encrypting File System is disabled for domain controllers.
Verify that Encrypting File System is not enabled for domain controllers.
Check whether files can be encrypted.
Ensure that user account passwords expire.
Verify that no user accounts have the Password Never Expires property configured.
Check all user accounts for the Password Never Expires property configuration.
Domain controllers are free of dangerous network access.
Check for Windows Firewall rules.
Dangerous or unnecessary network access protocols/applications are denied.
Daily
Daily
Restrict access to user names. Daily
Daily
Completed Daily
Daily
Configure the crash dump file. Verify crash dump settings. Daily
Monthly
Monthly
Appropriately assigned authority
Check for changes in administrative authority for Group Policy management.
Group Policy Management Console delegation is set correctly.
Appropriately assigned audit policy
Verify that audit policy settings are configured properly.
Check audit policy settings for success and/or failure.
Verify that the name of the last user who logged on does not appear during logon.
Check whether the last user name is displayed at logon.
Display the company logon banner.
Verify that the logon banner is displayed during logon.
Verify that the logon banner is displayed at logon.
Group Policy objects are backed up.
Verify that Group Policy objects are backed up.
Appropriate logon access privilege level
Ensure that administrator-level accounts have dual accounts or use User Account Control.
Require least-privilege access for administrators.
Ensure that the crash dump file is configured to meet company requirements.
Active Directory–integrated Domain Name System
Ensure that Domain Name System servers that support Active Directory Domain Services (AD DS) are all AD DS integrated.
Verify the configuration and location of Domain Name System.
Domain Host Configuration Protocol services are running on domain controllers.
Ensure that the correct security is in place for all Domain Host Configuration Protocol services running on domain controllers.
Verify membership in the DNSUpdateProxy group
Site configuration Monthly
Monthly
Monthly
Monthly
Ensure that all domain controllers are in the appropriate site based on IP address.
Verify domain controller locations in sites.
Global catalog servers must be available.
Ensure that the design of the location of global catalog servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information in the global catalog.
Verify the number of global catalog servers in each physical location.
Domain Name System servers must be available.
Ensure that the design of the location of Domain Name System (DNS) servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on the DNS servers.
Verify the number of Domain Name System servers in each physical location.
Domain controllers must be available.
Ensure that the design of the location of domain controllers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on domain controllers.
Verify the number of domain controllers in each physical location.
Owner / Manual / Automation
Operator
Perfmon
Operator Perfmon
Operator
Lockoutstatus.exe
Operator
Operator
Operator Firewall logs
Verify under Permissions for Remote Access Service (RAS) and Internet Authentication Service servers in the Active Directory Users and Computers snap-in.
Microsoft System Center Operations Manager can audit Remote Access Service access.
Verify group membership for RAS access.
Verify under the User account properties and the Remote Desktop group and that the Terminal Server has the correct user right for Allow Logon Through Terminal Services configured.
Verify group membership for Remote Access Service access.
Verify that the Account Lockout Duration policy setting in Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy matches the policy.
Microsoft System Center Operations Manager can audit for anomalous accounts.
Active Directory Users and Computers saved queries
Use the Certificate Request Wizard in the Microsoft Management Console Certificates snap-in.
Use Microsoft Certificate Lifecycle Manager 2007 or Microsoft Forefront Identity Manager 2010.
Use the Certificate Request Wizard in the Microsoft Management Console Certificates snap-in.
Use Microsoft Certificate Lifecycle Manager 2007
Certificate Authority Monitor and Microsoft System Center Operations Manager
Automate this process by using Desired Configuration Management Packs or by analyzing the results of Gpresult.
Operator
Netmon
Operator
GPOTool.exe
Operator Windows PowerShell scripts
Operator Computer Management Script to enumerate shares
Operator
Operator
Operator
Automate this process by using Desired Configuration Management Packs or by analyzing the results of Gpresult.
Check Group Policy settings in the Group Policy Management Console.
Use Windows PowerShell scripts in the Windows Server 2008 R2 and Windows 7 release of the Group Policy management tools. If possible, install and use Microsoft Advanced Group Policy Management.
Use Computer Management or Server Manager to verify.
Review of access control lists on the Security tab.
Access control lists (ACLs) in a script; Group Policy object to establish ACLs
Use Gpresult to confirm security settings.
Automated by using Desired Configuration Management Packs or by analyzing the results of Gpresult.
Verify Group Policy password settings using Secpol.msc on a domain controller.
Audit the Group Policy password policy with Microsoft System Center Operations Manager.
Operator Secpol.msc on a domain controller
Operator Secpol.msc on a domain controller
Operator Secpol.msc on a domain controller
Operator Secpol.msc
Operator Secpol.msc
Operator Secpol.msc
Operator Active Directory Users and Computers Script
Dsquery
Operator
Microsoft System Center Operations Manager audits the Group Policy password policy.
Microsoft System Center Operations Manager
Microsoft System Center Operations Manager
Microsoft System Center Operations Manager
Microsoft System Center Operations Manager
Microsoft System Center Operations Manager
Monitor the event logs for event ID 13508 and event ID 13509, which may point to File Replication Service replication issues. Also, use Repadmin /showrepl to find replication partners and issues.
Operator Use Repadmin.
Operator Use Repadmin.
Operator Windows PowerShell script
Operator Windows PowerShell script
Operator
Operator Verify backup logs.
Verify backup logs.
Verify backup logs.
NTdsutil.exe
Use Computer Management or Server Manager.
Use Computer Management or Server Manager.
Ping command
Configure auditing and verify using Event Viewer.
Configure auditing and verify using Event Viewer.
Backup operator
Configure auditing and verify using Event Viewer.
Configure auditing and verify using Event Viewer.
Configure auditing and verify using Event Viewer.
Backup operator
NTdsutil.exe
Operator
Operator
Operator Windows PowerShell script
Operator Windows PowerShell script
Operator Windows PowerShell script
Active Directory Users and Computers Event Viewer
Operator Secpol.msc
Operator
Backup operator
Active Directory Domain Services delegation of authority, Dsacls.exe
Configure auditing and verify using Event Viewer.
Active Directory Domain Services delegation of authority, Dsacls.exe
Configure auditing and verify using Event Viewer.
Use Computer Management or Server Manager.
Custom Lightweight Directory Access Protocol query, saved query using Active Directory Users and Computers.
Custom Lightweight Directory Access Protocol query
Ping command Microsoft System Center Operations Manager
Operator
Operator
Operator
Operator
Operator
Operator Windows PowerShell script
Operator System Monitor
Operator Active Directory Users and Computers Windows PowerShell script
Microsoft System Center Operations Manager
Microsoft System Center Operations Manager
Windows Server Update Services, Microsoft Baseline Security Analyzer
Microsoft System Center Configuration Manager
Verify these registry settings using the Registry Editor.
Use Computer Management or Server Manager.
Microsoft System Center Operations Manager
Operator Active Directory Domains and Trusts Windows PowerShell script
Operator
Operator Secpol.msc Windows PowerShell script
Operator Secpol.msc Windows PowerShell script
Operator Dsacls.exe
Operator
Operator
Operator Server Manager
DNS Admin tool, Nslookup, Dnscmd.exe
Group Policy object report of the Default Domain policy through Group Policy Management Console, Secpol.msc
Active Directory Users and Computers user properties, saved queries, custom Lightweight Directory Access Protocol query
Operator
Operator Secpol.msc Windows PowerShell script
Operator Windows PowerShell script
Operator Windows PowerShell script
Operator Secpol.msc Windows PowerShell script
Operator System properties Drwtsn32
Operator DNS Admin tool, Dnscmd.exe
Operator Active Directory Users and Computers
Group Policy Management Console Delegation tab, Advanced Group Policy Management
Secpol.msc, manual check after pressing CTRL+ALT+DEL
Secpol.msc, manual check after pressing CTRL+ALT+DEL
Backup operator
Group Policy Management Console, Event Viewer operational log for Group Policy
Scheduled Task using Group Policy Management Console scripts
Operator Dsquery.exe
Operator
Operator DNS Admin tool
Operator
Notes
Consult the Microsoft Identity and Access Management Series Solution Accelerator.
Look for global settings here, not detailed settings within Group Policy Management Console. This is only to make sure that Group Policy object application is not affected incorrectly.
Verify that share permissions set are not too weak. NTFS file system permissions should control access, not share permissions.
Make sure that any shares created are really needed.
Ensure that all legacy LanManager protocols are removed and disabled.
Ensure that all legacy LanManager protocols are removed and disabled.
Ensure that replication between domain controllers is configured and available.
Make sure that all domain controllers can replicate to other domain controllers, that none is orphaned, and that the topology is efficient.
Make sure the domain controllers are online and that the System Volume share is working.
Confirm for each domain controller.
Make sure that the key domain groups that have admin authority are not modified incorrectly.
Make sure delegation was not granted to update (write) to Active Directory Domain Services objects incorrectly.
User rights should be assigned to groups, not to users. If assigned to a user, they are difficult to alter when the user no longer needs the user right.
This can possibly grant anonymous access.
This provides the highest level of Domain Name System security in Active Directory Domain Services.
Maintenance Activities
Title / Health attribute / Health area
Security Authentication
Security Authentication
Remove locked-out, disabled, or expired accounts. Security Authentication
Security
Ensure that certificates are renewed. Security
Security
Security Group Policy
Review the Remote Access Service account access policy, and update it to meet security policies.
Review User account properties, and update the Remote Desktop group to meet security policies.
Review the Active Directory Domain Services Expiration Dates policy.
Certificate Maintenance
Certificate Maintenance
Deny network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.
Domain and Forest Trust Management
No Override is disabled for all Active Directory Domain Services nodes (domains and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects.
Security Share Permissions
Remove shared folders that are no longer required. Security Shared Folders
Security
Security Group Policy
Security Authentication
Security Authentication
Security Authentication
Ensure that the most restrictive permissions are applied.
Verify and ensure that NTFS file system permissions are set appropriately on all shared folders and content in shared folders.
NTFS File System Permissions
Change any security settings not set to the standard security policy.
Review the password policy for password length and complexity settings, and ensure that the policy matches company security requirements.
Review the password policy for the Maximum Password Age setting, and ensure that the setting matches organizational security requirements.
Review the password policy for the Minimum Password Age setting, and ensure that the setting matches organizational security requirements.
Security Authentication
Security Authentication
Security Authentication
Security Authentication
Review the certificate renewal policy. Security
Security
Availability Replication
Review the password policy for the Minimum Password Length setting, and ensure that the setting matches organizational security requirements.
Review the Account Lockout policy, and ensure that it meets minimum organizational security policy requirements.
Review LanManager compatibility settings, and ensure that they meet minimum organizational security policy requirements.
Review LanManager authentication protocol hash storage settings, and ensure that they meet minimum organizational security policy requirements.
Certificate Maintenance
Ensure that all domain controllers are in the Domain Controllers organizational unit.
Domain Controller Security
Restore replication links between domain controllers and replication partners.
Availability Replication
Availability Replication
Availability Replication
Availability Replication
Schedule tests on each domain controller. Availability Sysvol Share
Schedule a backup. Continuity Backup and Restore
Schedule a backup. Continuity Backup and Restore
Schedule a backup. Continuity Backup and Restore
Continuity Backup and Restore
Continuity Backup and Restore
Remove excess replication connections between domain controllers in different sites.
Verify that the replication intervals of site links between domain controllers in different sites meet company requirements.
Restart the appropriate replication service, if required.
Restart the Kerberos Key Distribution Center service, if required.
Schedule an authoritative restore of Active Directory Domain Services.
Ensure that a test restoration is scheduled and verified.
Continuity Backup and Restore
Schedule a test for a non-authoritative restore. Continuity Backup and Restore
Schedule a test for an authoritative restore. Continuity Backup and Restore
Appropriate use
Remove non-standard grants of Write access. Appropriate use
Appropriate use Domain Controller
Remove dormant user accounts. Appropriate use User Accounts
Appropriate Use
Remove user rights where they are assigned to users. Appropriate Use User Rights
Schedule a non-authoritative restore of Active Directory Domain Services.
Remove inappropriately assigned administrative authority.
Administrative Authority
Administrative Authority
Remove dangerous or unnecessary services that are not disabled.
Ensure that the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators—meets least-privilege requirements.
Administrative Authority
Troubleshoot slow response times. Performance
Performance General Response
Troubleshoot global catalog nonresponsiveness. Performance
Troubleshoot operations master nonresponsiveness. Performance Operations Masters
Performance Domain Controller
Patching
Privacy Account Permissions
Integrity Windows Time Service
Availability
Security
Authentication Response Time
Troubleshoot Active Directory Domain Services nonresponsiveness.
Global Catalog Search Response
Troubleshoot why a domain controller is not advertising.
Ensure that the latest service pack and security updates are scheduled.
Updates and Configuration
Change any user account permissions that have been set to Read access by default.
Synchronize domain controllers running the primary domain controller emulator with a valid external time source, if required.
Address the need for more available free space on the associated disk volumes.
Active Directory Domain Services Database
Verify the domain functional level and adjust it according to company requirements.
Active Directory Domain Services Functional Level
Security
Availability DNS SRV Records
Security
Security
Security
Security Encrypting File System
Verify the forest functional level and adjust it according to company requirements.
Active Directory Domain Services Functional Level
Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service, and update them when needed.
Ensure that anonymous access to shares, the Security Accounts Manager (SAM) database/Active Directory Domain Services, and named pipes is negated.
Anonymous Connections
Verify membership in the Pre-Windows 2000 Compatible Access group.
Anonymous Connections
Ensure that no standard users can read key properties for administrative groups and users; deny access, if necessary.
Lightweight Directory Access Protocol Access to Active Directory Domain Services
Verify that Encrypting File System is not enabled for domain controllers; disable, if necessary.
Security Authentication
Appropriate Use Domain Controller
Security Group Policy
Security Auditing
Security Authentication
Security Authentication
Verify that no user accounts have the Password never expires property configured; remove this setting, if necessary.
Check for Windows Firewall rules, and configure additional rules where appropriate.
Check for changes in administrative authority for Group Policy management; modify security to meet company security requirements.
Verify that audit policy settings are configured properly; modify audit policy settings to meet company security requirements.
Verify that the name of the last user who logged on does not appear during logon; configure this setting not to show the name if it is displayed.
Verify that the logon banner is displayed during logon; configure it to appear if it is not displayed.
Appropriate Use
Continuity Domain Controllers
Security Domain Name System
Appropriate use
Continuity Replication
Continuity Global Catalog Location
Ensure that accounts with administrator-level privilege have dual accounts or use User Account Control.
Administrative Authority
Ensure that the crash dump file is configured to meet organizational requirements; modify settings to meet organizational security requirements.
Ensure that all Domain Name System (DNS) servers that support Active Directory Domain Services are Active Directory–integrated; configure only Active Directory–integrated DNS servers when appropriate.
Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers; modify DNSUpdateProxy group membership where appropriate.
Dynamic Host Configuration Protocol
Ensure that all domain controllers are in the appropriate site based on IP address; modify site membership where appropriate.
Add global catalog servers to physical locations when required.
Continuity
Continuity
Add Domain Name System servers to physical locations when required.
Domain Name System Server Location
Add domain controllers to physical locations when required.
Domain Controller Location
Health requirement Maintenance task Frequency Owner
Remote access Monthly Operator
Monthly Operator
Current accounts Daily Operator
Current certificates Monthly Operator
Current certificates Weekly Operator
Secure trusting forest Daily
Daily Operator
Review the Remote Access Service account access policy, and update it to meet security policies.
Terminal Services/Remote Desktop
Review User account properties, and update the Remote Desktop group to meet security policies.
Remove locked-out, disabled, or expired accounts.
Review the Active Directory Domain Services Expiration Dates policy.
Ensure that certificates are renewed.
Deny network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.
Backup operator
Group Policy is working as expected.
No Override is disabled for all Active Directory Domain Services nodes (domains and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects.
Monthly Operator
Monthly Operator
Semiannually Operator
Daily Operator
Strong passwords Monthly Operator
Maximum Password Age Monthly Operator
Minimum Password Age Monthly Operator
Shares are safe from unauthorized users.
Ensure that the most restrictive permissions are applied.
Limit the number of shared folders.
Remove shared folders that are no longer required.
NTFS file system permissions should protect shared folders and all content from unauthorized users.
Verify and ensure that NTFS file system permissions are set appropriately on all shared folders and content in shared folders.
Servers are configured to the standard security policy.
Change any security settings not set to the standard security policy.
Review the password policy for password length and complexity settings, and ensure that the policy matches company security requirements.
Review the password policy for the Maximum Password Age setting, and ensure that the setting matches organizational security requirements.
Review the password policy for the Minimum Password Age setting, and ensure that the setting matches organizational security requirements.
Minimum Password Length Monthly Operator
Account Lockout policy Monthly Operator
Monthly Operator
Monthly Operator
Current certificates Monthly Operator
Monthly Operator
As needed Operator
Review the password policy for the Minimum Password Length setting, and ensure that the setting matches organizational security requirements.
Review the Account Lockout policy, and ensure that it meets minimum organizational security policy requirements.
LanManager authentication protocol
Review LanManager compatibility settings, and ensure that they meet minimum organizational security policy requirements.
LanManager authentication protocol hash storage
Review LanManager authentication protocol hash storage settings, and ensure that they meet minimum organizational security policy requirements.
Review the certificate renewal policy.
All domain controllers receive the same Group Policy objects.
Ensure that all domain controllers are in the Domain Controllers organizational unit.
Healthy replication links are established between domain controllers and replication partners.
Restore replication links between domain controllers and replication partners.
As needed Operator
Daily Operator
As needed Operator
Updated domain controllers As needed Operator
Daily Operator
Domain controller backup Schedule a backup. Daily
Schedule a backup. Daily
Servers are backed up. Schedule a backup. Weekly
Monthly
Domain controllers within a forest are able to replicate with each other.
Remove excess replication connections between domain controllers in different sites.
Changes are properly replicated across the forest.
Verify that the replication intervals of site links between domain controllers in different sites meet company requirements.
Changes are properly replicated across the forest.
Restart the appropriate replication service, if required.
Restart the Kerberos Key Distribution Center service, if required.
The System Volume share is accessible on every domain controller.
Schedule tests on each domain controller.
Backup operator
Critical volumes are backed up.
Backup operator
Backup operator
Active Directory Domain Services is authoritatively restored.
Schedule an authoritative restore of Active Directory Domain Services.
Every three backups
Backup operator
Restore Active Directory Domain Services from system state, critical volumes, or a full server backup.
Ensure that a test restoration is scheduled and verified.
Backup operator
Tied to restore
Effective authoritative restore Tied to restore
As needed Operator
As needed Operator
As needed Operator
As needed Operator
As needed Operator
As needed Operator
Active Directory Domain Services is non-authoritatively restored.
Schedule a non-authoritative restore of Active Directory Domain Services.
Every three backups
Backup operator
Effective non-authoritative restore
Schedule a test for a non-authoritative restore.
Backup operator
Schedule a test for an authoritative restore.
Backup operator
Appropriately assigned authority
Remove inappropriately assigned administrative authority.
Appropriately assigned authority
Remove non-standard grants of Write access.
Domain controllers are free of dangerous services.
Remove dangerous or unnecessary services that are not disabled.
The network is free of unauthorized users.
Remove dormant user accounts.
Appropriately assigned authority
Ensure that the membership of all domain groups that grant administrative privileges—for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators—meets least-privilege requirements.
Appropriately assigned authority
Remove user rights where they are assigned to users.
Expected response time As needed Operator
As needed Operator
As needed Operator
As needed Operator
As needed Operator
Daily Operator
User information is private. As needed Operator
As needed Operator
As needed Operator
Once Operator
Troubleshoot slow response times.
Active Directory Domain Services is responsive.
Troubleshoot Active Directory Domain Services nonresponsiveness.
The Active Directory Domain Services global catalog is responsive.
Troubleshoot global catalog nonresponsiveness.
Operations masters are responsive.
Troubleshoot operations master nonresponsiveness.
The domain controller is advertising.
Troubleshoot why a domain controller is not advertising.
The system is up to date with the latest service pack and security updates.
Ensure that the latest service pack and security updates are scheduled.
Change any user account permissions that have been set to Read access by default.
Domain controllers on the network are in time synchronization with each other.
Synchronize domain controllers running the primary domain controller emulator with a valid external time source, if required.
Adequate free space in the database
Address the need for more available free space on the associated disk volumes.
Ensure that the functional level of the domain is at the highest level possible.
Verify the domain functional level and adjust it according to company requirements.
Once Operator
Daily Operator
Deny anonymous access. Monthly Operator
Deny anonymous access. Monthly Operator
Monthly Operator
Monthly Operator
Ensure that the functional level of the forest is at the highest level possible.
Verify the forest functional level and adjust it according to company requirements.
Domain controller services are available.
Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service, and update them when needed.
Ensure that anonymous access to shares, the Security Accounts Manager (SAM) database/Active Directory Domain Services, and named pipes is negated.
Verify membership in the Pre-Windows 2000 Compatible Access group.
Deny Read access to key security groups and users for standard users.
Ensure that no standard users can read key properties for administrative groups and users; deny access, if necessary.
Ensure that Encrypting File System is disabled for domain controllers.
Verify that Encrypting File System is not enabled for domain controllers; disable, if necessary.
Daily Operator
Daily Operator
Daily Operator
Restrict access to user names. Daily Operator
Daily Operator
Ensure that user account passwords expire.
Verify that no user accounts have the Password never expires property configured; remove this setting, if necessary.
Domain controllers are free of dangerous network access.
Check for Windows Firewall rules, and configure additional rules where appropriate.
Appropriately assigned authority
Check for changes in administrative authority for Group Policy management; modify security to meet company security requirements.
Appropriately assigned audit policies
Verify that audit policy settings are configured properly; modify audit policy settings to meet company security requirements.
Verify that the name of the last user who logged on does not appear during logon; configure this setting not to show the name if it is displayed.
Display the company logon banner.
Verify that the logon banner is displayed during logon; configure it to appear if it is not displayed.
Daily Operator
Configure the crash dump file. Daily Operator
Monthly Operator
Monthly Operator
Site configuration Daily Operator
Monthly Operator
Appropriate logon access privilege level
Ensure that accounts with administrator-level privilege have dual accounts or use User Account Control.
Ensure that the crash dump file is configured to meet organizational requirements; modify settings to meet organizational security requirements.
Active Directory–integrated Domain Name System
Ensure that all Domain Name System (DNS) servers that support Active Directory Domain Services are Active Directory–integrated; configure only Active Directory–integrated DNS servers when appropriate.
Dynamic Host Configuration Protocol service running on a domain controller
Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers; modify DNSUpdateProxy group membership where appropriate.
Ensure that all domain controllers are in the appropriate site based on IP address; modify site membership where appropriate.
Global catalog servers must be available.
Add global catalog servers to physical locations when required.
Monthly Operator
Monthly Operator
Domain Name System servers must be available.
Add Domain Name System servers to physical locations when required.
Domain controllers must be available.
Add domain controllers to physical locations when required.
Manual Automation
Read written Remote Access Service access policies, and match them with the permissions in place.
Review using the TripWire Compliance Management Pack for Microsoft System Center Operations Manager.
Review User account properties, and update the Remote Desktop group to meet security policies; Dsmod.exe; Dsquery.exe.
Use User Manager or Active Directory Users and Computers to remove invalid accounts.
Use Microsoft System Center Configuration Manager.
Use the Certificate Request Wizard in the Certificates console.
Use Microsoft Certificate Lifecycle Manager 2007.
Use the Certificate Request Wizard in the Certificates console.
Use Microsoft Certificate Lifecycle Manager 2007.
Exercise access control to manage user access to shared resources in Active Directory Users and Computers.
Apply Windows Service Hardening in Windows Server 2008 R2.
Verify and modify in Group Policy Management Console.
Group Policy preferences
Windows Explorer Group Policy
Windows Explorer Group Policy
Group Policy
Group Policy
Group Policy
Use the Configure Your Server Wizard to configure settings.
Windows Explorer or Computer Management
Group Policy Management Console, Secpol.msc
Group Policy Management Console, Secpol.msc
Group Policy Management Console, Secpol.msc
Group Policy
Group Policy
Group Policy
Group Policy
Group Policy Management Console, Secpol.msc
Group Policy Management Console, Secpol.msc
Group Policy Management Console, Secpol.msc
Group Policy Management Console, Secpol.msc
Active Directory Users and Computers, Dsquery.exe
Repadmin, Active Directory Sites and Services
Wbadmin Wbadmin
Wbadmin Wbadmin
Wbadmin Wbadmin
Ntdsutil
Ntdsutil
Repadmin, Active Directory Sites and Services
Repadmin, Active Directory Sites and Services
Computer Management, Server Manager
Computer Management, Server Manager
Computer Management, Server Manager
Ntdsutil
Ntdsutil
Ntdsutil
Group Policy Restricted Groups
Group Policy
Active Directory Users and Computers, Delegation Wizard
Active Directory Users and Computers, Delegation Wizard
Computer Management, Server Manager
Active Directory Users and Computers, Lightweight Directory Access Protocol queries
Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsmod.exe, Dsquery.exe
Varies
Varies
Varies
Varies
Varies
Windows Server Update Services Windows Server Update Services
Group Policy
Active Directory Users and Computers, Lightweight Directory Access Protocol queries
Active Directory Users and Computers
Group Policy
Group Policy
Group Policy
Active Directory Domains and Trusts
Domain Name System Admin tool, Nslookup.exe, Dnscmd
Secpol.msc, Group Policy Management Console
Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsquery.exe, Dsmod.exe
Active Directory Users and Computers, Delegation Wizard, Ldp.exe
Group Policy Management Console, Secpol.msc
Server Manager, firewall Group Policy
Group Policy
Group Policy
Group Policy
Active Directory Users and Computers, Lightweight Directory Access Protocol queries
Group Policy Management Console, Delegation tabs, Advanced Group Policy Management
Group Policy Management Console, Secpol.msc
Secpol.msc, Group Policy Management Console
Secpol.msc, Group Policy Management Console
User Account Control, Group Policy
Wbadmin
Group Policy
Active Directory Sites and Services
Active Directory Sites and Services
User Account Control, Group Policy Management Console, Secpol.msc
System Properties – setup and recovery
Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsquery.exe, Dsmod.exe
Dcpromo
Notes
Health Risks
ID | Description | Probability (1–100%) | Impact (1–5) | Exposure
1 | Trust relationships are not appropriate, compromising identity and access. | 40% | 5 | 2
2 | Active Directory Domain Services object change management allows inappropriate changes to Group Policy objects. | 50% | 5 | 2.5
3 | Domain controllers are not in compliance with corporate policy and/or management's stated baseline settings. | 60% | 5 | 3
4 | Domain controller security is unknowingly compromised because of inadequate review of monitoring or maintenance activities. | 50% | 5 | 2.5
5 | Restoration of a domain controller results in compromising the entire Active Directory Domain Services service. | 70% | 5 | 3.5
6 | Inappropriate administrator access: Former administrators who have left the Active Directory Domain Services group still have administrative access. | 25% | 3 | 0.75
7 | Flexible Single Master Operations roles are not configured appropriately, resulting in service degradation or inability of users to log on to the domain. | 25% | 4 | 1
8 | Replication across forests is slow or broken. Access to data is affected or compromised. | 80% | 3 | 2.4
9 | Domain controllers are out of time synchronization, resulting in degraded services. | 50% | 3 | 1.5
10 | Active Directory Domain Services servers run out of database space. | 50% | 5 | 2.5
11 | User passwords are not secure. | | | 0
12 | User and group information is available to standard users. | | | 0
13 | Anonymous access is allowed to Active Directory Domain Services. | | | 0
14 | Legacy authentication protocols are used and stored. | | | 0
15 | Users will not be able to find domain controllers and the associated services running on them. | | | 0
16 | Access to Active Directory Domain Services user names. | | | 0
17 | Inability to replicate between domain controllers because of incorrect site configurations. | | | 0
18 | Inability to replicate between domain controllers because of incorrect Domain Name System configuration. | | | 0
Exposure is probability multiplied by impact; rows 11 through 18 have no probability or impact rating and therefore an exposure of 0.
Mitigation strategy Risk owner
Review trust and domain oversight; verify the need for existing trusts.
Replication monitoring and maintenance activities are performed and reviewed.
Evaluate compliance with documented thresholds for classifying changes to ensure that Active Directory Domain Services object changes receive the correct level of scrutiny and approval.
Policy settings are linked appropriately, and reviews include verification of account/password policy, audit and event log policy, and security options.
Regular review of monitoring to ensure that specialized monitoring or security scanning is performed on domain controllers, incidents are managed and resolved appropriately and in a timely manner, and server configuration is reviewed and monitored for changes.
Procedures for restoring a domain controller are well understood, documented, and tested.
Management periodically changes the password for the Directory Services Restore Mode (DSRM) Administrator account and logs that the change has been made.
Periodically validate Flexible Single Master Operations roles and the appropriate number of domain controllers and global catalogs.
Monitor and maintain time synchronization, and verify that the time source is valid.
Monitor capacity and initiate expansion (and any needed provisioning of hardware) with an appropriate lead time.
Ensure that a password policy for domain and domain controllers is set to appropriate levels for User account passwords.
Secure Lightweight Directory Access Protocol access to Active Directory Domain Services for standard users with regard to administrative groups and administrator accounts.
Restrict anonymous access to the domain controllers.
Deny the use of LanManager and NT LAN Manager as well as storage of these hashes for user passwords.
Ensure that Domain Name System (DNS) has all the correct information for domain controller DNS service records.
Ensure that Lightweight Directory Access Protocol Read access is negated to key accounts, anonymous connections are denied, and last user name displayed is denied.
Ensure that all domain controllers are in the correct Active Directory Domain Services site, the site topology is correct, intersite topology is configured correctly, and all replication events are successful.
Ensure that all Domain Name System (DNS) service records for all domain controllers are correct, DNS is configured to Active Directory–integrated DNS, automatic updates are configured, and replication between DNS servers is set up correctly.
Standard Changes
Proposed standard change
Remove locked-out, disabled, or expired accounts.
Ensure that the most restrictive permissions are applied.
Remove shared folders that are no longer required.
Ensure that all domain controllers are in the domain controllers organizational unit.
Schedule backups of domain controllers, including system state.
Verify that domain controller backups were successful.
Remove dangerous or unnecessary services that are not disabled.
Remove dormant user accounts.
Ensure that the latest service pack and security updates are scheduled.
Review membership in key Active Directory Domain Services security groups for correct membership.
Review key security settings such as password policy, audit policy, and user rights assignment for domain controllers.
Review the password policy for the Default Domain Policy or Group Policy object linked to a domain that establishes password policy for domain user accounts and most computer accounts.
Remove inappropriately assigned administrative authority within Active Directory Domain Services or inappropriately assigned administrative authority produced through delegation.
Category | Verified? | Approved by | Date for change development complete | Date for change release
Acknowledgments
The Microsoft Operations Framework team acknowledges and thanks the people who produced Reliability Workbook for Active Directory. The following people were either directly responsible for or made a substantial contribution to the writing and development of this guide.
Contributors
Joe Coulombe, Microsoft
Jerry Dyer, Microsoft
Mike Kaczmarek, Microsoft
Don Lemmex, Microsoft
Derek Melber, Xtreme Consulting Group, Inc.
Betsy Norton-Middaugh, Microsoft
Reviewers
Jason Missildine
Steve Schofield
Sainath K.E.V.
Robert Stuczynski
Editors
Michelle Anderson, Xtreme Consulting Group, Inc.
Pat Rytkonen, Volt Technical Services
Copyright © 2010 Microsoft Corporation. This documentation is licensed to you under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94150, USA. When using this documentation, provide the following attribution: The Microsoft Operations Framework 4.0 is provided with permission from Microsoft Corporation.
Microsoft, Active Directory, Forefront, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.