Category: Active directory 2012


In order to find out who deleted a user or computer account, “Account Management” auditing must already be enabled beforehand.

The Account Management auditing needs to be enabled as follows:

  • At Domain Controller OU level, edit the “Default Domain Controller” policy to enable auditing:

Computer configuration > Windows settings > Security settings > Local Policies > Audit Policies

Enable Success for “Audit Account Management”

  • Ensure that the GPO is actually applied on all DCs.

After a user or computer account deletion occurs, follow the steps below to get more information about the deletion.

Note: The steps below need to be done before you restore the deleted object:

  1. Dump the deleted objects in “Deleted objects” container.

Ldifde -x -d "CN=Deleted Objects,DC=domain,DC=com" -f Deletedobj.ldf

  2. Search the Deletedobj.ldf file for the AD object that was deleted. The name of this object will have a GUID appended to it. Copy the DN attribute value of this object.

=========================================================

Extract from the LDF file above showing the deleted user object (TestUser):

dn: CN=TestUserADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=domain,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl
distinguishedName: CN=TestUserADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local
instanceType: 4
whenCreated: 20100526065020.0Z
whenChanged: 20100526065039.0Z
uSNCreated: 448479
isDeleted: TRUE            <- this attribute is set to TRUE when an object is deleted
uSNChanged: 448492
name:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl
objectGUID:: 1wbwr1h3JEu7U26PGoeDTg==
userAccountControl: 512
objectSid:: AQUAAAAAAAUVAAAARb3/5MeOM1el+HeXPwgAAA==
sAMAccountName: TestUser
lastKnownParent: CN=Users,DC=2008dom,DC=local

If the above result does not include lastKnownParent, use Quest Restore Manager for AD to identify the lastKnownParent.


=========================================================

  3. Get the output of the following command on any DC.

Repadmin /Showmeta "DN of the deleted object" > Delshowmeta.txt

E.g.: Repadmin /Showmeta "CN=TestUserADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local" > Delshowmeta.txt

  4. While reviewing the output in Delshowmeta.txt, check the “Org. Time/Date” and the “Originating DSA” values of the isDeleted attribute of this object. These values tell you the time of deletion and the source DC on which the object was deleted, respectively.

=========================================================

Output of Showmeta:

Loc.USN  Originating DSA  Org.USN  Org.Time/Date        Ver  Attribute
=======  ===============  =======  ===================  ===  =========
448479   SiteA\2008-DC2   448479   2010-05-26 12:20:20  1    objectClass
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    cn
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    givenName
448479   SiteA\2008-DC2   448479   2010-05-26 12:20:20  1    instanceType
448479   SiteA\2008-DC2   448479   2010-05-26 12:20:20  1    whenCreated
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    displayName
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  1    isDeleted
448479   SiteA\2008-DC2   448479   2010-05-26 12:20:20  1    nTSecurityDescriptor
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    name
448488   SiteA\2008-DC2   448488   2010-05-26 12:20:20  4    userAccountControl
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    codePage
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    countryCode
448481   SiteA\2008-DC2   448481   2010-05-26 12:20:20  2    dBCSPwd
448480   SiteA\2008-DC2   448480   2010-05-26 12:20:20  1    logonHours
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  3    unicodePwd
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  3    ntPwdHistory
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  4    pwdLastSet
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    primaryGroupID
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    supplementalCredentials
448479   SiteA\2008-DC2   448479   2010-05-26 12:20:20  1    objectSid
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    accountExpires
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  3    lmPwdHistory
448479   SiteA\2008-DC2   448479   2010-05-26 12:20:20  1    sAMAccountName
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    sAMAccountType
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    userPrincipalName
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  1    lastKnownParent
448492   SiteA\2008-DC2   448492   2010-05-26 12:20:39  2    objectCategory

=========================================================

  5. With the above info, we only need to check the Security event log on the “Originating DSA” around the “Org. Time/Date”. With “Account Management” auditing enabled on the DCs, we should see the following events in the Security log.

For computer account deletion:

  • On Windows 2003, we should get Event ID: 647
  • On Windows 2008, we should get Event ID: 4743

For User account deletion:

  • On Windows 2003, we should get Event ID: 630
  • On Windows 2008, we should get Event ID: 4726

=========================================================

Below is an example of an event confirming the deletion and providing info about who deleted the account.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/26/2010 12:20:39 PM
Event ID:      4726
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      2008-dc2.2008dom.local
Description:   A user account was deleted.

Subject:
    Security ID:    2008DOM\Administrator
    Account Name:   Administrator
    Account Domain: 2008DOM
    Logon ID:       0x5fe2d

Target Account:
    Security ID:    S-1-5-21-3841965381-1462996679-2541222053-2111
    Account Name:   TestUser
    Account Domain: 2008DOM
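The five steps above automated with the ActiveDirectory PowerShell module, as an added example that is not part of the original post: it finds the tombstone, reads the isDeleted replication metadata in place of parsing the repadmin /showmeta output, and pulls the matching 4726/4743 event from the originating DC. It assumes the Windows Server 2012 (or later) AD module, which provides Get-ADReplicationAttributeMetadata, and remote read access to the DC's Security log; the function name Get-AccountDeletionTrace is mine.

```powershell
Import-Module ActiveDirectory

function Get-AccountDeletionTrace {
    # Steps 1-5 above in one function: who deleted the account, from which DC, and when.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$WindowMinutes = 5    # tolerance around the originating change time
    )

    # Steps 1-2: find the tombstone in the Deleted Objects container (no ldifde dump needed).
    $filter  = 'sAMAccountName -eq "{0}" -and isDeleted -eq $true' -f $SamAccountName
    $deleted = Get-ADObject -Filter $filter -IncludeDeletedObjects `
                   -Properties isDeleted, lastKnownParent, objectSid, whenChanged |
               Sort-Object whenChanged -Descending | Select-Object -First 1
    if (-not $deleted) { throw "No deleted object with sAMAccountName '$SamAccountName'." }

    # Steps 3-4: the isDeleted replication metadata carries the originating DSA and time,
    # the same values 'repadmin /showmeta' prints, without parsing Delshowmeta.txt.
    $server = $env:LOGONSERVER -replace '^\\\\', ''
    $meta   = Get-ADReplicationAttributeMetadata -Object $deleted.DistinguishedName `
                  -Server $server -Attribute isDeleted
    $originDc = Get-ADDomainController -Filter * |
        Where-Object { $_.NTDSSettingsObjectDN -eq $meta.LastOriginatingChangeDirectoryServerIdentity }
    $when = $meta.LastOriginatingChangeTime

    # Step 5: pull Account Management events from that DC's Security log around that time.
    # 4726 = user account deleted, 4743 = computer account deleted (Windows 2008+ IDs as above).
    $events = Get-WinEvent -ComputerName $originDc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4726, 4743
        StartTime = $when.AddMinutes(-$WindowMinutes)
        EndTime   = $when.AddMinutes($WindowMinutes)
    }

    foreach ($e in $events) {
        # Read EventData by field name instead of relying on positional Properties[].
        [xml]$x = $e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.TargetUserName -ne $SamAccountName -and $d.TargetSid -ne $deleted.objectSid.Value) { continue }
        [pscustomobject]@{
            Deleted         = $SamAccountName
            LastKnownParent = $deleted.lastKnownParent
            OriginatingDC   = $originDc.HostName
            DeletedAt       = $when
            EventId         = $e.Id
            EventTime       = $e.TimeCreated
            DeletedBy       = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            LogonId         = $d.SubjectLogonId
        }
    }
}

# Usage: Get-AccountDeletionTrace -SamAccountName 'TestUser'
```

Run it before restoring the object, as the note above says, because the restore rewrites isDeleted and with it the replication metadata the function relies on.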


What’s New

Flexible Authentication Secure Tunneling (FAST) is part of the framework for Kerberos Pre-authentication. FAST provides a protected channel between the client and the Key Distribution Center (KDC), and it can optionally deliver key material used to strengthen the reply key within the protected channel. With FAST in place, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm.

With FAST enabled and required, brute forcing the reply key is no longer possible and the highest possible cryptographic protocols and cipher strengths are guaranteed to be used by Windows 8 clients in their pre-authentication traffic with Windows Server 2012 Domain Controllers.

When FAST is required, this enables the Compound Authentication functionality in Dynamic Access Control (DAC), allowing authorization based on the combination of both user claims and device claims.

Enabling FAST

Enabling Flexible Authentication Secure Tunneling (FAST) can be achieved through Group Policy once you fulfil the requirements (see Requirements below).

The Group Policy you need for this is located in Computer Configuration, Administrative Templates, System, KDC and is named KDC support for claims, compound authentication and Kerberos armoring:


This Group Policy supports four possible settings after you enable it:

  • Supported
  • Not supported
  • Always provide claims
  • Fail unarmored authentication requests

When you choose the ‘Supported’ setting and link the Group Policy to the Domain Controllers Organizational Unit (OU), it’s time to enable Flexible Authentication Secure Tunneling (FAST) on the Windows 8 clients.

In the Group Policy Management Console (GPMC), assign a Group Policy object to the Organizational Unit(s) containing your domain-joined Windows 8 computers. Open the Group Policy object and navigate to Computer Configuration, Administrative Templates, System, Kerberos. Here, enable the Kerberos client support for claims, compound authentication and Kerberos armoring Group Policy:


You will have Flexible Authentication Secure Tunneling (FAST) on your network between domain-joined Windows 8 clients and Windows Server 2012-based Domain Controllers after the next Group Policy refresh cycle.

Requiring FAST

Requiring Flexible Authentication Secure Tunneling is the next step. You will still use the Group Policy Management Console (GPMC) as your tool of choice, because a couple more Group Policies need to be configured.

Assign a Group Policy object to the Domain Controllers Organizational Unit (OU) and within the Group Policy object, again, navigate to Computer Configuration, Administrative Templates, System, Kerberos. Here, enable the Fail authentication requests when Kerberos armoring is not available Group Policy.


Lastly, the above mentioned Group Policy KDC support for claims, compound authentication and Kerberos armoring, located in Computer Configuration, Administrative Templates, System, KDC needs to be configured with the Fail unarmored authentication requests setting.

Requirements

Flexible Authentication Secure Tunneling can be enabled in an Active Directory environment when:

  • Sufficient Domain Controllers are running Windows Server 2012, with sufficient processing power (to additionally encrypt Kerberos messages and sign Kerberos errors on top of the baseline processing power needs) and networking connectivity (to handle the additional message exchange and increased Kerberos services tickets on top of the baseline networking connectivity needs).

Note:
When FAST is enabled, Windows 8 clients will only communicate with Windows Server 2012 Domain Controllers. This might create a pile-on effect, so ensure you have sufficient Domain Controllers to prevent authentication traffic crossing Active Directory site links.

  • The environment no longer contains domain controllers running Windows Server 2003. Supported Domain Controller Operating Systems include Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.
  • Clients need to be running Windows 8

Flexible Authentication Secure Tunneling can be required in an Active Directory environment when:

  • All Domain Controllers in domains the client uses are running Windows Server 2012
    (including transited referral domains)
  • All domains the client uses are running the Windows Server 2012 Domain Functional Level (DFL).
  • Clients need to be running Windows 8
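A readiness check for the two requirement lists above, written as an added example with the ActiveDirectory module (not from the original post). The function name Test-FastReadiness is mine; it judges DC eligibility from the OperatingSystem attribute of each DC object and from the domain mode, and checks one domain at a time, so transited referral domains have to be checked separately.

```powershell
Import-Module ActiveDirectory

function Test-FastReadiness {
    # Checks the "can be enabled" and "can be required" conditions listed above for one domain.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dcs = @(Get-ADDomainController -Filter * -Server $Domain |
             Select-Object HostName, Site, OperatingSystem)
    $dfl = (Get-ADDomain -Server $Domain).DomainMode

    # 2003 DCs block enabling; anything below 2012 blocks requiring.
    $legacy   = @($dcs | Where-Object { $_.OperatingSystem -like '*2003*' })
    $pre2012  = @($dcs | Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2012' })
    $armoring = @($dcs | Where-Object { $_.OperatingSystem -match 'Windows Server 2012' })

    # Sites with no 2012 DC: Windows 8 clients there will cross site links to reach one
    # once FAST is on (the pile-on effect noted above).
    $allSites  = @($dcs      | ForEach-Object { $_.Site } | Sort-Object -Unique)
    $goodSites = @($armoring | ForEach-Object { $_.Site } | Sort-Object -Unique)

    [pscustomobject]@{
        Domain                 = $Domain
        DomainMode             = "$dfl"
        TotalDCs               = $dcs.Count
        ArmoringCapableDCs     = $armoring.Count
        CanEnable              = ($legacy.Count -eq 0 -and $armoring.Count -gt 0)
        CanRequire             = ($pre2012.Count -eq 0 -and "$dfl" -match '2012')
        BlockingDCs            = @($pre2012 | ForEach-Object { '{0} ({1})' -f $_.HostName, $_.OperatingSystem })
        SitesWithoutArmoringDC = @($allSites | Where-Object { $goodSites -notcontains $_ })
    }
}

# Usage: Test-FastReadiness | Format-List
```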

With Hyper-V 3.0, Microsoft added new features that allow better virtualization management for Domain Controllers. You no longer have to fear a USN rollback when you restore a DC from a snapshot or use a DC clone in your environment. Hyper-V 3.0 is “smarter” and protects your environment. Thanks to that, you can use the new feature for rapid DC deployment from an existing Domain Controller: you only need to allow cloning of the DC, add it to the appropriate domain group, and prepare an XML configuration file with a PowerShell v3.0 cmdlet. Then you can safely clone new DCs from the existing one(s).

In virtualized domain environments, this feature is also really good for disaster forest/domain recovery.

Important! To use this new feature, you need at least one Windows Server 2012 Domain Controller that holds the PDC Emulator operations master role.

You can read more about the Domain Controller virtualization process on Microsoft TechNet at
http://technet.microsoft.com/en-us/library/hh831734.aspx

Active Directory Based Authentication

With Windows Server 2012, Microsoft introduced a new Windows activation method, called Active Directory Based Authentication. It is available in the Volume Activation Services role in Server Manager.


Volume Activation Services – Active Directory Based Authentication

When you use Windows 8 in your environment, you can simply activate it when the client is joined to the domain. It happens automatically: you don’t need to enter an activation key, and there is no need for Internet access.

This secures your environment much better than a KMS server. When KMS was present in the environment, you only needed to know the name of the server on which it was running (there is also another method for that, but I won’t describe it here) and you could simply activate your copy of Windows. Now, with AD BA, you need to add the client to the domain to allow OS activation. It is also important to limit which users in your environment have permission to join computers to the domain.

Of course, you can still use a KMS server for that; it is supported alongside AD BA. In fact, it is still required for previous Windows OSes: AD BA may only be used for Windows 8 activation!

Important! To use the AD BA option, you need to extend the Active Directory schema to Windows Server 2012, but you don’t need a Windows Server 2012 Domain Controller.

RID Operation Master

Microsoft improved the RID FSMO role in Windows Server 2012. The best-known improvement is the increase of the RID pool. Previously we had 2^30 available RIDs; now we have one bit more, 2^31. That one bit raises the pool from one billion to two billion RIDs, so the RID pool is doubled. But there is one important thing to know: to use it, you need Windows Server 2012 Domain Controllers or Windows Server 2008 R2 with the appropriate hotfix installed. Other Windows versions do not support the extended RID pool.

Remember! The extended RID pool may be used only by Windows Server 2012 and Windows Server 2008 R2 with the appropriate hotfix installed. Additionally, the RID Operations Master role must be held by a Windows Server 2012 Domain Controller!

Another great thing introduced with Windows Server 2012 is the RID pool re-use feature! Microsoft did not fix the RID leak issue itself, which happens mostly when you create new users from a script. When the password set by the script does not meet the domain password criteria, the object cannot be created successfully and the RID is lost. If your script creates many user objects, you lose many RIDs. With Windows Server 2012 holding the RID Operations Master role, those RIDs go into the RID re-use pool. This pool catches all those RIDs and uses them for the next objects created. If the pool is empty, a standard RID is taken from the DC’s global pool.

Important! The RID re-use pool only lasts until you restart the Domain Controller. After a server reboot that pool is empty!

In Windows Server 2012 Microsoft also introduced event logging for consumed RIDs. The first entry appears when 100,000,000 RIDs (10% of the pool) have been consumed. The next entry is recorded when 10% of the remaining pool has been used (in this case 1,000,000,000 - 100,000,000 = 900,000,000 remaining, and 10% of that is 90,000,000).

Events are recorded at every 10% consumption of the remaining pool, so the smaller the remaining pool, the more frequent the entries in the event log.

Microsoft also changed the ability to issue large RID pools from the RID Master to other Domain Controllers. By default, RIDs are delivered in blocks of 500 per Domain Controller. An administrator can change that value in the registry, but if the value is set too high, RIDs may be exhausted in a short time. In Windows Server 2012 Microsoft capped the number of RIDs issued at once: the maximum block allowed for distribution is 15,000 (decimal). If you set a higher value in the registry, it will not be honoured, because the new mechanism issues at most 15,000 RIDs per block.

One more interesting thing introduced in the new RID Master FSMO role is the RID Manager artificial ceiling protection mechanism. Microsoft knows that administrators do not read the event log frequently, and even if they do, they do not react quickly to the issues recorded there. So they implemented a mechanism that blocks RID distribution when the pool exceeds 90% consumption. From that point, the RID Master does not issue any pool to other Domain Controllers until an administrator manually unlocks it. The mechanism warns the administrator about pool exhaustion (90% of the global pool used) and that further action may be required to prevent exhausting the RID pool completely.
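Reading the global pool from the RID Manager$ object, as an added example that is not code from the original post: rIDAvailablePool packs the pool size into the high 32 bits and the next RID to issue into the low 32 bits, which is enough to compute the consumption percentage, the next 10%-of-remaining logging threshold described above, and whether the 90% ceiling has been hit. The function names are mine, the sample pool value is constructed, and msDS-RIDPoolAllocationEnabled is the attribute the RID Master clears when the ceiling engages (not mentioned in the post).

```powershell
Import-Module ActiveDirectory

function ConvertFrom-RidAvailablePool {
    # rIDAvailablePool is one 64-bit value: high 32 bits = size of the global pool
    # (2^30-1 by default, 2^31-1 once the extra bit is enabled), low 32 bits = next RID
    # the RID Master will hand out. Everything below that value is already consumed.
    param([Parameter(Mandatory)][int64]$Pool)
    $size      = [int64]($Pool -shr 32)
    $next      = [int64]($Pool % 4294967296)
    $remaining = $size - $next
    [pscustomobject]@{
        PoolSize         = $size
        ExtendedPool     = ($size -gt 1073741823)            # 2^31 pool in use?
        NextRid          = $next
        UsedPercent      = [math]::Round(100 * $next / $size, 2)
        Remaining        = $remaining
        # The post describes a log entry each time 10% of the *remaining* pool is consumed.
        NextLogThreshold = $next + [int64][math]::Floor($remaining * 0.1)
        CeilingReached   = ($next -ge [int64][math]::Floor($size * 0.9))   # 90% artificial ceiling
    }
}

function Get-RidPoolStatus {
    # Query the RID Master itself so the value is not a replica's stale copy.
    $domain = Get-ADDomain
    $ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
        -Server $domain.RIDMaster -Properties rIDAvailablePool, 'msDS-RIDPoolAllocationEnabled'
    $status = ConvertFrom-RidAvailablePool -Pool ([int64]$ridMgr.rIDAvailablePool)
    # FALSE here is the state the artificial ceiling leaves behind: the RID Master stops
    # issuing blocks until an administrator sets the attribute back to TRUE.
    $status | Add-Member -NotePropertyName AllocationEnabled `
        -NotePropertyValue $ridMgr.'msDS-RIDPoolAllocationEnabled' -PassThru
}

# Constructed sample: default-size pool with 101,000,000 RIDs already handed out.
ConvertFrom-RidAvailablePool -Pool (([int64]1073741823 -shl 32) + 101000000)
# Live query against your own domain (run as a domain admin): Get-RidPoolStatus
```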

Other new Active Directory features

  • Kerberos enhancements
  • Active Directory Replication and Topology Management
  • Off-Premises Domain Join
  • Group Managed Service Accounts (GMSA)
  • Deferred Index Creation

Refer: http://technet.microsoft.com/en-us/library/hh831477.aspx.

New features in Active Directory in Windows Server 2012

Some new features or improvements in Windows server 2012 Active directory.

  • New Domain Controller promotion process
  • Improved Active Directory Administrative Center console
  • New Domain Controller virtualization features
  • Dynamic Access Control
  • Active Directory Based Authentication
  • RID Operation Master improvements

For more features and advancement, Refer: http://technet.microsoft.com/en-us/library/hh831477.aspx

New Domain Controller promotion process

Microsoft simplified the Domain Controller promotion process as much as they could; Windows Server 2012 brings a real improvement here. The new promotion process makes introducing the first Windows Server 2012 DC into an existing domain environment much simpler.

You don’t have to extend your schema and prepare the domain environment for the first Windows Server 2012 Domain Controller yourself. Previously, you had to extend the schema and prepare the domain by running adprep manually with the appropriate switches before you could promote a DC based on a newer operating system. Also, the dcpromo known from previous Windows versions is no longer used for server promotion: it is integrated into the new Server Manager, and the whole process of introducing a Windows Server 2012 Domain Controller into an existing environment is driven by a GUI wizard in Server Manager.

You only need to be logged on with appropriate permissions and you can start the process very quickly: add the Active Directory Domain Services role from the new Server Manager and then follow the post-installation steps in the notification area. When you promote the new DC, the wizard informs you that it will extend the schema and prepare the domain for the new Domain Controller.


Automatic forest and domain preparation


As I mentioned above, dcpromo cannot be used for DC promotion as it was in previous versions of Windows. It is integrated into Server Manager, and if you try to run it from the command line, you will see that it is not possible; you have to run the process from the new manager.


There is No dcpromo

However, you can still use dcpromo in command-line to:

  • forcefully decommission DC (/forceremoval switch)
  • install from media DC (/adv switch)

Note! Everything you do in Server Manager is translated to PowerShell v3.0 code and run in the background.

New Active Directory Administrative Center

Microsoft first introduced ADAC in Windows Server 2008 R2. It could be used for:

  • User management
  • Computer management
  • Group management
  • OU management
  • Domain Functional Level management
  • Forest Functional Level management
  • LDAP queries

Now the new Active Directory Administrative Center console allows more. All the previous features are still supported, and some new ones are available:

You don’t have to use complicated PowerShell cmdlets to restore deleted object(s) or to create/modify a Fine-Grained Password Policy. From now on, you can simply use the GUI. Just run the new ADAC (it is available under Tools, or execute dsac.exe from the Run box) and go to the Deleted Objects container to restore deleted object(s).


GUI for AD Recycle Bin

The same applies to Fine-Grained Password Policy: you don’t have to use ADSI Edit or PowerShell to create a new PSO. This is also available through the GUI in the ADAC console.


GUI for Fine-Grained Password Policy

Everything you do in Active Directory Administrative Center is also translated into PowerShell v3.0 code and run in the background. ADAC adds a new feature called the PowerShell History Viewer, which lets you see the cmdlets used for an action along with the whole syntax. You can copy it into Notepad, modify it and run it later. This is a really good way to learn PowerShell.

The PowerShell History Viewer is available at the bottom of the Active Directory Administrative Center console.

PowerShell History viewer

A completely new feature in Windows Server 2012 is Dynamic Access Control. It simplifies management of claims in AD and allows file server permissions to be extended beyond the standard ACL method. A user does not need to be a member of many groups in Active Directory; you can grant access to resources through claims in combination with DAC. This reduces the Kerberos token size, which is really important in large domain environments where a user is a member of many groups.