Active Directory Auditing Tools

Active Directory is a crucial component of just about any Windows-based IT infrastructure, and keeping tabs on who modified AD records, when they were changed, and why they were changed can be a full-time job. Throw in some additional requirements—such as the need to be in compliance with federal and state governance guidelines, from the Sarbanes-Oxley (SOX) Act to the Health Insurance Portability and Accountability Act (HIPAA)—and you have the makings of a headache-inducing task for many IT pros. But help is on the way.

Windows Server 2008 AD Improvements

Microsoft listened to IT pro complaints about AD auditing and implemented several new features in Windows Server 2008 to ease the pain. “Windows 2008 brings various benefits to the table with respect to event management, including a completely changed event-log storage model,” says Guido Grillenmeier, a Microsoft Active Directory Services MVP and a master technologist with HP’s Advanced Technology Group. “It also includes improved native AD auditing, as it allows more granular and more complete auditing of AD changes. For example, it can record the old value and new value of an attribute that was changed.”

Server 2008 breaks auditing into four categories: Access, Changes, Replication, and Detailed Replication. The Changes category improves upon the way AD changes were handled in Windows Server 2003 and Windows 2000, logging deltas of attribute changes, detailing new object creation and movement, and offering a create-event feature that’s triggered when objects are moved to different domains.

Choosing an AD Auditing Solution

Regardless of whether you’re running Server 2008, Windows 2003, or Win2K, an off-the-shelf AD auditing product can help minimize the workload. Determining what level of AD auditing your organization needs is important . Grillenmeier cautions against looking for a silver-bullet solution to AD auditing requirements. “For example, proxy-management solutions … such as AD Self-Service Suite and Ensim Unify … are nice tools to delegate specific management tasks to non-admin users and audit the changes they do to AD with the tool. However, these tools only audit what’s changed by them and can’t audit native changes in AD; they can never create a complete auditing trail.”

Grillenmeier contrasts those AD proxy-management auditing tools with AD auditing tools that gather security and auditing events from event logs on domain controllers - such as Microsoft System Center Operations Manager or HP OpenView—and AD auditing tools that combine native event logs with AD data gathered by agents, such as Quest InTrust and Quest ChangeAuditor.

“Event-log–based may be sufficient for many customers that need to meet specific compliancy requirements,” says Grillenmeier. “It’s mainly a matter of correctly setting up auditing in the directory itself, so that the changes are correctly logged in the event logs. Note that if proxy-management tools are used, you still have to combine the native event data with the data of the proxy tools to figure out which person actually performed a change in AD, since for changes done by the proxy tool the native event logs will only see the service account as the owner of the change.” Grillenmeier says that only products that combine event-log auditing with separate agents that gather AD data are capable of auditing all AD changes.

Don’t Forget the Data

One important yet overlooked aspect of AD auditing is the massive amount of data the auditing process can generate. “For enterprise-scale customers, this easily amounts to many gigabytes per day of auditing data,” Grillenmeier says. “Tools that [have the capability] to efficiently store the auditing data in a compressed format and are a critical factor for large companies.” You’ll do well to consider your organization’s auditing needs, the number of AD changes it makes, and how granular those changes are. And you’d be well advised to pay attention to the security, backup, and disaster recovery of AD auditing data, just as you would for other types of data.

Source: http://windowsitpro.com/ActiveDirectory/Article/ArticleID/100828/ActiveDirectory_100828.html

Active Directory Domain Services Features in Windows Server 2008

There are a number of new Active Directory Domain Services features in Windows Server 2008. These new features improve auditing, security, and the management of Active Directory Domain Services and show Microsoft's commitment to evolving Active Directory Domain Services. The following is an overview of the new Active Directory Domain Services features that are in Windows Server 2008.

Auditing

Windows Server 2008 introduces significant changes to Active Directory Domain Services auditing. Active Directory Domain Services auditing in Windows Server 2008 is more granular than previous versions and provides you with more control over what is audited.

Active Directory Domain Services auditing is now divided into the following four subcategories:

• Directory Service Access
• Directory Service Changes
• Directory Service Replication
• Detailed Directory Service Replication
  

You can disable or enable Active Directory Domain Services auditing at the subcategory level. For each subcategory, you can also configure whether to log successful events, failed events, both successful and failed events, or no auditing.

In Windows Server 2008, the new Directory Service Changes subcategory allows you to log the old value and new value of a changed attribute, in addition to the attribute name.

Windows Server 2008 also provides the ability to exclude the logging of changes to specific attributes by modifying the attribute properties.

The Active Directory Domain Service auditing subcategories are viewed and configured by using the Auditpol.exe command-line tool.

Fine-Grained Password Policies

Windows Server 2008 introduces the ability to create multiple password policies in a single domain, which is another first for Active Directory Domain Services. The introduction of fine-grained password policies in Windows Server 2008 allows organizations to create and manage multiple password policies and account lockout policies to meet diverse security requirements.

You can configure the same password policy and account lockout settings in a fine-grained password policy as you can at the domain level. Fine-grained password policies can be linked to users and to global groups. Because users can inherit multiple password fine-grained password policies, a precedence setting has been included to allow you more granular control.

Fine-grained password policies are configured by using the ADSI Edit snap-in.
Read-Only Domain Controllers

Microsoft has implemented a number of mitigating measures to ensure a compromised RODC does not impact the rest of your Active Directory Domain Services environment. These measures include the following:

* Read-only database
* Unidirectional replication
* Credential caching
* Administrator role separation
* Read-only Domain Name System (DNS)

Restartable Active Directory Domain Services

Windows Server 2008 now includes a true service, which allows you to stop, start, and restart Active Directory Domain Services without having to restart the operating system.

In Windows 2000 Server and Windows Server 2003, the operating system on a domain controller had to be restarted in Directory Services Restore Mode for most maintenance and recovery. However, Windows Server 2008 now provides the ability to start, stop, and restart the Domain Controller service.

The domain controller service can be manipulated by using the Services snap-in or the Computer Management snap-in.

Database Mounting Tool

Windows Server 2008 includes a new ability to take snapshots of an Active Directory Domain Services database and mount these snapshots into a new database mounting tool.

The database mounting tool allows you to view an Active Directory Domain Services object's previous state. You can then use this to compare the object's previous state to the object in production. This is particularly useful if you know that an object's attributes were changed, but do not know what the previous value of the attributes were.

User Interface Improvements

A number of user interface improvements have been made in Windows Server 2008. The following is a list of some of the most noteworthy interface changes in Windows Server 2008:

• New installation options for domain controllers.
• A more streamlined and simplified installation process.
• Improvements to the Active Directory Users and Computers console.
• A built-in Attribute Editor, which is accessible on the properties page of each object in the Active Directory Domain Services management tools.
  

Owner Rights

Windows Server 2008 now provides the ability to limit the default permissions that the owner of an object is given. In previous versions of Windows, the owner of an object was given the ability to read and change permissions on the object, which was more than they required in most cases. This new functionality in Windows Server 2008 also applies to Active Directory Domain Services objects.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3796561

How do I install Active Directory on my Windows 2000 Server?

You can configure your server as a Domain Controller manually, but if you don't have the time, skill, brains or will to do it manually, it can still be done with just a few mouse clicks.

Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), and DCPROMO can be by using the Windows 2000 Configure Your Server Wizard.

Even though it's all done automatically, you still need the following:

• A NIC
• The TCP/IP protocol
• An NTFS partition with enough free space
• A network connection (to a hub or to another computer via a crossover cable).
• An Administrator's username and password
• The Windows 2000 Server (or Advanced Server) CD media (or at least the i386 folder)

This article assumes that all of the above requirements are fulfilled. See my Active Directory Installation Requirements page for more info.

Note: This article does NOT assume you have a working brain, or that you can use it correctly. If you think you really want to know how this thing works, please read the How to Install Active Directory on W2K page instead...

To configure your server as a Domain Controller

1. 1. Press Ctrl-Alt-Del and log on to the server as administrator. Leave the password blank.
2. 2. When the Windows 2000 Configure Your Server page appears, select This is the only server in my network and click Next.
3. 3.Click Next to configure the server as a domain controller and set up Active Directory, DHCP, and DNS.
4. On the What do you want to name your domain page, type dpetri
   
5. In the Domain name box, type com (again, this is only an example). Click on the screen outside of the textbox to see the Preview of the Active Directory domain name. Click Next
6. Click Next to run the wizard. When prompted, insert the Windows 2000 Server CD-ROM. When the wizard is finished, the machine reboots.
7. The Configure Your Server Wizard installs DNS and DHCP and configures DNS, DHCP, and Active Directory. The default values set by the wizard are:
   

• DHCP Scope: 10.0.0.3-10.0.0.254
• Preferred DNS Server: 127.0.0.1
• IP address: 10.10.1.1
• Subnet mask: 255.0.0.0

Source: http://www.petri.co.il/how_to_install_active_directory_on_w2k_for_lamers.htm

Win Server 2008 Directory Services, Active Directory Snapshots

Snapshots represent differences between a volume's current content and its state at the moment of their creation. Although ultimately the size of a snapshot depends on how dynamic the environment is and how long you decide to keep them active, due to their nature, snapshots are typically small andd can be initiated in the matter of seconds. To provide meaningful information, they must be paired up with the volume from which they originated. In addition, since they are based on the copy-on-write principle, they result in increased number of disk I/O operations, which might have negative impact on overall performance. It is also important to realize that snapshot can not be used for direct restore of Active Directory objects. Their main appeal comes from an ability to easily generate and view Active Directory state at arbitrarily chosen intervals. In effect, they offer a convenient way to determine when a particular object has been modifed. This helps you identify a backup set most suitable for the restore and delivers extra auditing and change tracking benefits. For the same reason, they significantly simplify extracting any pertinent historical information that can be subsequently imported to an object recovered via tombstone reanimation or used to reverse undesired modifications.

Snapshots are generated using the ntdsutil command line utility launched either directly from the console or a Terminal Services sesssion of a Windows Server 2008-based domain controller. Once you are at the ntdsutil: prompt, Activate Instance NTDS. You also have an option of pointing to an AD LDS instance by specifying its name instead of NTDS value). Next, switch to the snapshot context by typing snapshot and follow by create command. Shortly thereafter you should receive a notification stating that the snapshot set has been generated successfully. The message includes its unique GUID. To confirm, you can execute list all from within the same context, which should provide the listing of all active snapshots (including the date and time they were created). Note that the same can be accomplished running the following from the command prompt, which comes handy when automating snapshot generation as a scheduled task:

ntdsutil "Activate Instance NTDS" snapshot create quit quit

Any active snapshots must be mounted before you can access it via DSAMAIN.EXE. This is done by invoking the mount command followed by either an integer assigned to each snapshot (which can be determined by running list all) or its GUID, resulting in the creation of a junction point, with the name generated by concatenating the word $SNAP, date and time (in military format) when snapshot was generated and the target volume (e.g., $SNAP_200808082008_VOLUMEC$). That, in turn (as we explained in our previous article), determines the full path to the Active Directory NTDS.DIT file. This, in turn, becomes $SNAP_200808082008_VOLUMEC$\Windows\NTDS\NTDS.DIT, assuming default placement of database and log files, and it gets associated with the -dbpath switch when running the Database Mounting Tool.

After you complete browsing through the mounted NTDS instance and terminate the DSAMAIN.EXE, unmount the snapshot by calling unmount command followed, as before, by either its integer identifier or its GUID. Removal of snapshots that are no longer needed can be accomplished with the delete command. For the full overview of snapshot syntax, refer to Windows Server 2008 Technical Library.

Third-Party Offerings

Although snapshots significantly simplify handling unintended deletions or modifications of Active Directory objects (for the reasons we described earlier), the actual recovery still requires multiple steps, which might include rather involved tombstone reanimation and restoring its attributes. Fortunately, a variety of free third-party offerings can further streamline the restore process. Some of the more notable ones are listed below.

Snapshot Recovery Tool from 1Identity - available as a free download containing the command line-based oirecmgr.exe utility, it provides ability to recover an object and restore its attributes from an LDAP instance loaded via Database Mounting Tool to an arbitrary Windows Server 2008 domain controller. It is also capable of reanimating tombstones in both Windows Server 2003 and 2008 Active Directory environments. Note, however, that this option precludes simultaneous attribute recovery.

Although it has a dependency on .NET Framework 2.0, it can be executed remotely from a system running Windows XP Professional or Vista. Its command line syntax allows you to restore arbitrary number of objects, either by specifying their GUIDs via multiple -o switches or by storing them in a text file, which name gets assigned to the -of switch) as well as attributes (in a comma-separated format. For example, the following command (executed directly from the console of a domain controller USDC-NYC001) would reanimate deleted user object with GUID of 7abadaba-daba-d000-0d15-c015dead and restore its attributes, populating both forward and back links, such as user's group membership, by extracting relevant information from an Active Directory snapshot accessible via port 33389. Reanimating tombstoned user accounts does not reinstate their passwords, which will need to be reset before you enable them since, by default, they are disabled following the restore:

oirecmgr.exe -o 7abadaba-daba-d000-0d15-c015dead -sh USDC-NYC001:33389 -ol -real

* Directory Service Comparison Tool is supposed to provide similar functionality but via a graphical interface in the form of a Microsoft Management Console snap-in, which becomes available once you install freely downloadable setup program. This is available in both x86 and x64 versions. To configure it, select Datasource Settings... entry from the context sensitive menu of its node in the tree pane. In the resulting Datasource Settings dialog box, specify the name of a target domain controller and a server hosting a snapshot (or another VSS compliant restore) mounted using DSAMAIN.EXE, along with their LDAP ports, as well as the naming context you intend to compare. The pane window of the console is divided into three tabs, intended for the list of modifications, additions and deletions (respectively) that took place since the DSA-mounted LDAP directory services store has been created. Unfortunately, the tool's functionality is somewhat limited (at least as far as snapshots are concerned), due to a bug affecting highestCommittedUSN value recorded in Active Directory snapshots. Just as Snapshot Recovery Tool, this utility relies on .NET Framework 2.0 being installed, in addition to MMC 3.0, and can be installed on remote Windows XP Professional or Vista system.

* Active Directory Explorer from the Sysinternals team a distinct position in this list since it provides its own capability to create snapshots, independent of the one introduced in Windows Server 2008 Active Directory and supported on all of its versions. Their content can be derived from an online Active Directory environment by connecting to one of its domain controllers or from a restored backup or VSS-compatible snapshot mounted using DSAMAIN.EXE utility. In addition, it is possible to store them for offline viewing in an arbitrary location. The intuitive graphical interface of AD Explorer simplifies browsing their content and includes search and comparison features.

Source: http://www.serverwatch.com/tutorials/article.php/3794191