
The Definitive Guide To


Active Directory Troubleshooting, Auditing, and Best Practices


2011 Edition
Don Jones

The Definitive Guide to Active Directory Troubleshooting, Auditing, and Best Practices, 2011 Edition

Introduction to Realtime Publishers
by Don Jones, Series Editor

For several years now, Realtime has produced dozens and dozens of high-quality books that just happen to be delivered in electronic format at no cost to you, the reader. We've made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book's production expenses for the benefit of our readers.

Although we've always offered our publications to you for free, don't think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as, and in most cases better than, any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the "realtime" aspect of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers. We're an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I'm proud that we've produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you've received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you're sure to find something that's of interest to you, and it won't cost you a thing. We hope you'll continue to come to Realtime for your educational needs far into the future.

Until then, enjoy.

Don Jones

TheDefinitiveGuidetoActiveDirectoryTroubleshooting,Auditing,andBestPractices2011Edition

Introduction to Realtime Publishers
Chapter 1: A Non-Introduction to Active Directory
  A Brief AD History and Background
  Inventorying Your AD
    Forests and Trusts
    Domains and Trusts
    Domain Controllers
    Global Catalogs
    FSMOs
    Containers
    Subnets, Sites, and Links
    DNS
  What's Ahead
    AD Troubleshooting
    AD Security
    AD Auditing
    AD Best Practices
    AD LDS
  Let's Get Started!
  Download Additional eBooks from Realtime Nexus!


Copyright Statement
2010 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the Materials) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. 
If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com.


[Editor's Note: This eBook was downloaded from Realtime Nexus, The Digital Library for IT Professionals. All leading technology eBooks and guides from Realtime Publishers can be found at http://nexus.realtimepublishers.com.]

Chapter 1: A Non-Introduction to Active Directory

The world has been using Active Directory (AD) for more than a decade now, so there's probably little point in doing a traditional introduction for this book. However, there's still a bit of context that we should cover before we get started, and we should definitely think about AD's history as it applies to our topics of troubleshooting, auditing, and best practices.

The real point of this chapter is to identify key elements of AD that you need to completely inventory in your environment before proceeding in this book. Much of the material in the following chapters will refer to specific infrastructure elements, and will make recommendations based on specifics in common AD environments and scenarios. To make the most of those recommendations, you'll need to know the specifics of your own environment so that you know exactly which recommendations apply to you, and a complete, up-to-date inventory is the best way to gain that familiarity. To conclude this chapter, I'll briefly outline what's coming up in the chapters ahead.

A Brief AD History and Background

AD was introduced with Windows 2000 Server, and replaced the NT Domain Services (NTDS) that had been used since Windows NT 3.1. AD is Microsoft's first real directory service for Windows; NTDS was pretty much just a flat user account database. AD was designed to be more scalable, more efficient, more standards-based (LDAP, Kerberos, and DNS), and more modern than its predecessor. However, AD was (and is) still built on the Windows operating system (OS), and as such shares some of the OS's particular patterns, technologies, eccentricities, and other characteristics.

AD also integrated a successor to Microsoft's then-nascent registry-based management tools (the NT-era System Policy). Known today as Group Policy, this new feature added significant roles to the directory beyond the normal one of authentication. With Group Policy, you can centrally define and assign literally thousands of configuration settings to Windows computers (and even non-Windows computers, with the right add-ins) belonging to the domain.


When AD was introduced, security auditing was something that relatively few companies worried about. Since 2000, numerous legislative and industry regulations throughout the world have made security and privacy auditing much more commonplace, although AD's native auditing capabilities have changed very little throughout that time. Because of its central role in authentication and configuration management, AD occupies a critical role for security operations, management, and review within organizations.

We also have to recognize that, aside from governing permissions on its own objects, AD doesn't play a central role in authorization. That is, permissions on things like files, folders, mailboxes, databases, and so forth aren't managed within AD. Instead, those permissions are managed at their point of use, meaning they're managed on your file servers, mail servers, database servers, and so forth. Those servers may assign permissions to the users and groups that AD authenticates (and AD does decide which groups appear in a user's token), but those servers control who actually has access to what. This division of labor between authentication and authorization makes for a highly scalable, robust environment, but it also creates significant challenges when it comes to security management and auditing because there's no central place to control or review all of those permissions.

Over the past decade, we've learned a lot about how AD should be built and managed. Gone are the days when consultants routinely started a new forest by creating an empty root domain; also gone are the days when we believed the domain was the ultimate security boundary and that organizations would only ever have a single forest. In addition to covering troubleshooting and auditing, this book will present some of the current industry best practices around managing and architecting AD.

We've also learned that, although difficult to change, your AD design isn't necessarily permanent. Tools and techniques originally created to help migrate to AD are now used to restructure AD, in effect migrating to a new version of a domain as our businesses change, merge, and evolve. This book doesn't specifically focus on mergers and restructures, but keep in mind that those techniques (and tools to support them) are available if you decide that a directory restructure is the best way to proceed for your organization.

Inventorying Your AD

Before we get started, it's important that you have an up-to-date, accurate picture of what your directory looks like. This doesn't mean turning to the giant directory diagram that you probably have taped to the wall in your data center or server room, unless you've double-checked to make sure that thing is up to date and accurate! Throughout this book, I'll be referring to specific elements of your AD infrastructure, and in some cases, you might even want to consider implementing changes to that infrastructure. In order to best follow along, and make decisions, you'll want to have all of the following elements inventoried.


Forests and Trusts

Most organizations have realized that, given the power of the forest-level Enterprise Admins group, the AD forest is in fact the top-level security boundary. Many companies have multiple forests, simply because they have resources that can't all be under the direct control of a single group of administrators. However, to ensure the ability for users, with the appropriate permissions of course, to access resources across forests, cross-forest trusts are usually defined. Your first inventory should be to define the forests in your organization, determine who controls each forest, and document the trusts that exist between those forests.

Cross-forest trusts can be one-way, meaning that if Forest A trusts Forest B, the converse is not necessarily true unless a separate trust has been established so that Forest B explicitly trusts Forest A. Two-way trusts are also possible, meaning that Forest A and Forest B can trust each other through a single trust connection. Forest trusts are also non-transitive between forests: If Forest A trusts Forest B, and Forest B trusts Forest C, then Forest A does not trust Forest C unless a separate, explicit trust is created directly between A and C.

When we talk about trust, we're saying that the trusting forest will accept user accounts from the trusted forest. That is, if Forest A trusts Forest B, then user accounts from Forest B can be assigned permissions on resources within Forest A. Forest trusts automatically include every domain within the forest, so that if Forest A contains five domains, then every one of those domains would be able to assign permissions to user accounts from Forest B. Each forest consists of a root domain and may also include one or more child domains. When you document a trust, also record its direction and whether SID filtering and selective authentication are enabled on it; those settings determine how much of the trusted forest's identity information the trusting forest actually honors, and a trust inventory that omits them is incomplete from a security standpoint.

Figure 1.1 shows how you might document your forests. Key elements include metadirectory synchronization links, forest trusts, and a general indication of what each forest is used for (such as for users or for resources).


Figure 1.1: Documenting forests.

Note: For the various diagrams in this chapter, I'm going to draw from a variety of sources, including my past consulting engagements and Microsoft documentation. My purpose in doing so is to illustrate that these diagrams can take many different forms, at many different levels of complexity, and with many different levels of sophistication. Consider each of them, and produce your own diagrams using the best tools and skills you have.

Domains and Trusts

Domains act as a kind of security boundary, although, as the previous section noted, not the ultimate one. Although subject to the management of members of the Enterprise Admins group, and to a degree the Domain Admins of the forest root domain, domains are otherwise independently managed by their own Domain Admins group (or whatever group those permissions have been assigned or delegated to).

Account domains are those that have been configured to contain user accounts but which contain no resource servers such as file servers. Resource domains contain only resources such as file servers, and do not contain user accounts. Neither of these designations is strict, and neither exists within AD itself. For example, any resource domain will have at least a few administrator user accounts, user groups, and so forth. The type of domain designation is strictly a human convenience, used to organize domains in our minds. Many companies also use mixed domains, in which both user accounts and resources exist.


Domains are typically organized into a tree, beginning with the root domain and then through domains that are configured as children of the root. Domain names reflect this hierarchy: Company.com might be the name of a root domain, and West.Company.com, East.Company.com, and North.Company.com might be child domains. Within such a tree, all domains automatically establish a transitive parent-child two-way trust, effectively meaning that each domain trusts each other domain within the same tree.

Forests, as the name implies, can contain multiple domain trees. By default, the root of each tree has a two-way, transitive trust with the forest root domain (which is the root of the first tree created within that forest), effectively meaning that all domains within a forest trust each other. That's the main reason companies have multiple forests: the full trust model within a forest gives top-level, forest-wide control to the forest's Enterprise Admins group.

Even if you rely entirely on these default inter-domain trusts, it's still important to document them, along with the domains' names. Figure 1.2 shows how you might build a domain diagram in a program like Microsoft Office Visio. The emphasis in this diagram is on the logical domain structure.

Figure 1.2: Documenting domains.

If you have any specialized domains, such as resource-only domains, user-only domains, and so forth, note those in your documentation. Also note the number of objects (especially computer and user accounts) in each domain. That is actually one of the most important metrics you can know about your domains, although many administrators can't immediately recall their numbers.
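
The forest, trust, and domain inventory described in the two sections above can be pulled straight out of the directory rather than from memory. The following script is an added example written for this edit, not code from the book; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later) and an account with read access to every domain in the forest. The trust columns it reports (direction, transitivity, SID filtering, selective authentication) are the part of the trust inventory that matters for security review.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ADForestInventory {
    param(
        # Forest to inventory; defaults to the forest the current user belongs to.
        [string]$Forest = (Get-ADForest).Name
    )
    $f = Get-ADForest -Identity $Forest
    [pscustomobject]@{
        Forest             = $f.Name
        RootDomain         = $f.RootDomain
        ForestMode         = $f.ForestMode
        Domains            = ($f.Domains -join ', ')
        GlobalCatalogs     = ($f.GlobalCatalogs -join ', ')
        SchemaMaster       = $f.SchemaMaster
        DomainNamingMaster = $f.DomainNamingMaster
    }
}

function Get-ADTrustInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Get-ADTrust reads the trustedDomain objects in the System container of
    # the queried domain: forest and external trusts plus the automatic
    # parent/child and tree-root trusts inside the forest.
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        [pscustomobject]@{
            Source                  = $_.Source
            Target                  = $_.Target
            Direction               = $_.Direction      # Inbound, Outbound, BiDirectional
            TrustType               = $_.TrustType
            IntraForest             = $_.IntraForest
            ForestTransitive        = $_.ForestTransitive
            SelectiveAuthentication = $_.SelectiveAuthentication
            # Quarantined applies to external trusts; ForestAware to forest trusts.
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
        }
    }
}

function Get-ADDomainInventory {
    param([string]$Forest = (Get-ADForest).Name)

    foreach ($dns in (Get-ADForest -Identity $Forest).Domains) {
        $d = Get-ADDomain -Identity $dns
        # A full census is the point here, so -Filter * is intentional;
        # Measure-Object keeps the result paged instead of buffering an array.
        $users     = (Get-ADUser     -Filter * -Server $dns | Measure-Object).Count
        $computers = (Get-ADComputer -Filter * -Server $dns | Measure-Object).Count
        $groups    = (Get-ADGroup    -Filter * -Server $dns | Measure-Object).Count
        [pscustomobject]@{
            Domain       = $d.DNSRoot
            NetBIOSName  = $d.NetBIOSName
            DomainMode   = $d.DomainMode
            ParentDomain = $d.ParentDomain
            ChildDomains = ($d.ChildDomains -join ', ')
            DCs          = @($d.ReplicaDirectoryServers).Count
            RODCs        = @($d.ReadOnlyReplicaDirectoryServers).Count
            Users        = $users
            Computers    = $computers
            Groups       = $groups
        }
    }
}

# Usage: dump the three tables for the current forest.
Get-ADForestInventory | Format-List
Get-ADTrustInventory  | Format-Table -AutoSize
Get-ADDomainInventory | Format-Table -AutoSize
```

Run Get-ADTrustInventory once per forest you own, because each forest only stores its own side of a trust; a trust that shows as Outbound from Forest A should appear as Inbound when you query Forest B, and a mismatch means the trust is broken or was never completed on one side.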


Domain Controllers

Domain controllers (DCs) are what make AD work. They're the servers that run AD's services, making the directory a reality. It's absolutely crucial, as you start reading this book, that you know how many DCs you have, where they're located, what domains they're in, and their individual IP addresses.

In many environments, DCs also provide other services, most frequently Domain Name System (DNS). Other roles held by DCs may include WINS and DHCP services.

A DC's main role is to provide authentication services for domain users and for resources within the domain. We typically think of this authentication stuff as happening mainly when users show up for work in the morning, and in most cases, that is when the bulk of the authentication traffic occurs. However, as users attempt to access resources throughout the day, their computer will automatically contact a DC to obtain a Kerberos ticket for those resources. In other words, authentication traffic continues throughout the day, albeit at a somewhat slower, more evenly distributed pace than the morning rush.

That morning rush can be significant: Each user's computer must contact a DC to log itself onto the domain, and then again when the user is ready to log on. Users almost always start the day with a few mapped drives, each of which may require a Kerberos ticket, and they usually fire up Outlook, requiring yet another ticket. Some of the organizations I've consulted with have each user interacting with a DC more than a dozen times each morning, and then several dozen more times throughout the day.

We tend to size our DCs for that morning rush, and that capacity generally sees us through the day even if we take the odd DC offline midday for patching or other maintenance.

Each writable DC maintains a complete, read/write copy of its domain's directory partition (plus the forest-wide schema and configuration partitions, and any application partitions it hosts). The only exception is the read-only domain controller (RODC), which, as the name implies, holds a read-only copy and, by default, caches no user passwords at all. Multi-master replication ensures that any change made on any writable DC will eventually propagate to every other DC in the domain.

Replication is often one of the trickiest bits of AD, and is one of the things we tend to spend the most time monitoring and troubleshooting. Not all domain data is created equal: Some high-priority data, such as account lockouts, replicates almost immediately (or at least as quickly as possible), while less critical information can take much longer to make its way throughout the organization.

Figure 1.3 shows what a DC inventory might look like. Note the emphasis on physical details: IP addresses, DNS configuration, domain membership, and so forth.


Figure 1.3: DC inventory.

It's also important to note whether any of your DCs are performing any non-AD-related tasks, such as hosting a SQL Server instance (which isn't recommended), running IIS, and so forth. Every additional service on a DC is additional code running on the machine that holds the domain's credential store, so that list is worth reviewing from a security standpoint as well as a performance one.

Global Catalogs

A global catalog (GC) is a specific service that can be offered by a DC in addition to its usual DC duties. The GC contains a partial, read-only replica (a subset of attributes) of every object in the entire forest, and enables users in each domain to discover information from other domains in the same forest. Every forest needs at least one GC, and in a multi-domain forest every site that authenticates users should have one (or have universal group membership caching enabled), because a DC must consult a GC to expand universal group membership at logon. Given the popularity of Exchange Server and its heavy dependence on GCs (Outlook, for example, relies on GCs to do e-mail address resolution), it's not unusual to see a majority, or even all, DCs in a domain configured as GC servers.

Make sure you know exactly where your GCs are located. Numerous network operations can be hindered by a paucity of GCs, but having too many GCs can significantly increase the replication burden on your network.

Note: In Figure 1.3, "GC" is used to indicate DCs that are also hosting the GC server role.


FSMOs

Certain operations within a domain, and within a forest, need a single DC to be in charge. It is absolutely essential for most troubleshooting processes that you know where these Flexible Single Master Operation (FSMO) role holders sit within your infrastructure:

- The RID Master is in charge of handing out Relative IDs (RIDs) within a single domain (and so you'll have one RID Master per domain). A RID is combined with the domain SID to uniquely identify each new security principal, and RIDs are assigned in batches (RID pools) to DCs. If a DC runs out of RIDs and can't get more, that DC can't create new users, groups, or computers. It's common to put the RID Master role on a DC that's used by administrators to create new accounts so that that DC will always be able to request RIDs.

- The Infrastructure Master maintains cross-domain object references within its domain, typically group memberships that refer to users or groups from other domains, keeping the stored SIDs and distinguished names current when those objects are renamed or moved. You have one of these per domain. It should not sit on a DC that is also a GC unless every DC in the domain is a GC: a GC already holds a copy of every object in the forest, so an Infrastructure Master hosted on one never sees a stale reference and stops updating the other DCs.

- The PDC Emulator provides backward compatibility with the old NTDS, and is the only place where NTDS-style changes can be made (any DC provides read access for NTDS clients). Given that NTDS clients are becoming extinct in most organizations, the PDC Emulator (you'll have one in each of your domains, by the way) doesn't get used a lot for that purpose. Fortunately, it has a few other things to keep it busy. Password changes processed by other DCs are forwarded to the PDC Emulator immediately, and a DC that rejects a password retries it against the PDC Emulator before failing the logon, which is also why account lockouts are processed there. It is the DC that the Group Policy editing tools connect to by default, and it serves as the authoritative time source for time synchronization within a domain (the forest root domain's PDC Emulator is the time source for the whole forest).

- Each forest will contain a single Schema Master, which is responsible for handling schema modifications for the forest.

- Each forest also has a Domain Naming Master, which keeps track of the domains in the forest, and which is required when adding or removing domains (and application directory partitions) to or from the forest.

Marking these role owners on your main diagram (such as Figure 1.3) is a great way to document the FSMO locations. Some organizations also like to indicate a backup DC for each FSMO role so that in the event a FSMO role must be moved, it's clear where it should be moved to.
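
The FSMO list and the placement rule for the Infrastructure Master can both be checked from the directory. The following script is an added example written for this edit, not code from the book; it assumes the ActiveDirectory module, read access to each domain, and Test-NetConnection (Windows 8 / Server 2012 or later) for the reachability probe. It enumerates the two forest roles and the three per-domain roles, then reports each holder as OK or lists what is wrong with it: an LDAP port that does not answer, or an Infrastructure Master sitting on a GC in a domain where not every DC is a GC.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FSMOInventory {
    param([string]$Forest = (Get-ADForest).Name)

    $f = Get-ADForest -Identity $Forest
    # The two forest-wide roles are attributes of the forest object.
    [pscustomobject]@{ Scope = $f.Name; Role = 'SchemaMaster';       Holder = $f.SchemaMaster }
    [pscustomobject]@{ Scope = $f.Name; Role = 'DomainNamingMaster'; Holder = $f.DomainNamingMaster }

    # The three per-domain roles are attributes of each domain object.
    foreach ($dns in $f.Domains) {
        $d = Get-ADDomain -Identity $dns
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = $d.DNSRoot; Role = $role; Holder = $d.$role }
        }
    }
}

function Test-FSMOPlacement {
    param([string]$Forest = (Get-ADForest).Name)

    foreach ($item in Get-FSMOInventory -Forest $Forest) {
        $problems = @()

        # The role holder must answer LDAP, or every operation that needs the
        # role (RID pool requests, schema changes, domain additions) fails.
        if (-not (Test-NetConnection -ComputerName $item.Holder -Port 389 -InformationLevel Quiet)) {
            $problems += 'LDAP port 389 unreachable'
        }

        if ($item.Role -eq 'InfrastructureMaster') {
            $holder = Get-ADDomainController -Identity $item.Holder -Server $item.Scope
            $dcs    = Get-ADDomainController -Filter * -Server $item.Scope
            $allGC  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
            # A GC never sees a stale cross-domain reference, so an
            # Infrastructure Master on a GC does no work unless every DC is a
            # GC (in which case there is nothing left for it to update).
            if ($holder.IsGlobalCatalog -and -not $allGC) {
                $problems += 'Infrastructure Master is a GC but not all DCs in the domain are GCs'
            }
        }

        $status = 'OK'
        if ($problems.Count -gt 0) { $status = $problems -join '; ' }
        [pscustomobject]@{
            Scope  = $item.Scope
            Role   = $item.Role
            Holder = $item.Holder
            Status = $status
        }
    }
}

Get-FSMOInventory  | Format-Table -AutoSize
Test-FSMOPlacement | Format-Table -AutoSize
```

The inventory function is deliberately separate from the check so that the first table can be pasted into your documentation as-is, while the second is something you would run again after every DC promotion, demotion, or role transfer.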

Containers

The logical structure of AD is divided into a set of hierarchical containers. AD supports two main types: containers and organizational units (OUs). A couple of built-in containers (such as the Users container) exist by default within a domain, and you can create all the OUs that you want to help organize your domain's objects and resources. Again, an inventory here is critical, as several operations, most especially Group Policy application, work primarily based on things like OU membership. Note that Group Policy Objects can be linked only to sites, domains, and OUs, never to the built-in containers, so a user or computer left in the default Users or Computers container receives only site- and domain-linked policies.

Figure 1.4 shows one way in which you might document your OU and container hierarchy. Depending on the size and depth of your hierarchy, you could also just grab a screenshot from a program like Active Directory Users and Computers.


Figure 1.4: Documenting OUs and containers.

Try to make some notation of how many objects are in each container, and if possible make a note of which containers have which Group Policy Objects (GPOs) linked to them. That information will be useful as we dive into troubleshooting and best practices discussions.
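
Both counts asked for above (objects per container and GPOs linked per container) come from the same walk of the hierarchy. The following script is an added example written for this edit, not code from the book; it assumes the ActiveDirectory and GroupPolicy modules and read access to the domain. It reads the gPLink attribute of each OU and of the domain root, resolves the GPO GUIDs it finds to display names, and counts the objects directly inside each container. Built-in containers appear in the output with no links, which is expected, since nothing can be linked to them.

```powershell
# Added example, not from the book. Requires ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-OUInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $d = Get-ADDomain -Identity $Domain

    # Map GPO GUID -> display name once, so gPLink entries can be resolved offline.
    $gpoNames = @{}
    foreach ($g in Get-GPO -All -Domain $Domain) { $gpoNames[$g.Id.Guid.ToLower()] = $g.DisplayName }

    # Domain root first (its gPLink carries Default Domain Policy), then every OU
    # and container. The CN=System subtree is skipped: it holds internal
    # containers (policies, trusts, DFS, ...) that never hold your own objects.
    $containers = @(Get-ADObject -Identity $d.DistinguishedName -Properties gPLink -Server $Domain)
    $containers += Get-ADObject -Filter 'objectClass -eq "organizationalUnit" -or objectClass -eq "container"' `
                       -SearchBase $d.DistinguishedName -Properties gPLink -Server $Domain |
                   Where-Object { $_.DistinguishedName -notlike "*CN=System,DC=*" }

    foreach ($c in $containers) {
        $dn = $c.DistinguishedName
        # Depth = number of OU/CN components above the DC components.
        $depth = @($dn -split '(?<!\\),' | Where-Object { $_ -notmatch '^DC=' }).Count

        # Direct children only (OneLevel); Subtree would count nested OUs twice.
        $count = (Get-ADObject -Filter * -SearchBase $dn -SearchScope OneLevel -Server $Domain |
                  Measure-Object).Count

        # gPLink is a string of [LDAP://cn={GUID},cn=policies,...;flags] entries;
        # pull the GUIDs and translate them.
        $links = @()
        if ($c.gPLink) {
            foreach ($m in [regex]::Matches($c.gPLink, '\{([0-9A-Fa-f-]{36})\}')) {
                $guid = $m.Groups[1].Value.ToLower()
                if ($gpoNames.ContainsKey($guid)) { $links += $gpoNames[$guid] }
                else                               { $links += "unknown GPO $guid" }
            }
        }

        [pscustomobject]@{
            Depth         = $depth
            Container     = $dn
            Class         = $c.ObjectClass
            DirectObjects = $count
            LinkedGPOs    = ($links -join '; ')
        }
    }
}

Get-OUInventory | Sort-Object Depth, Container | Format-Table -AutoSize
```

An "unknown GPO" entry in the output is worth chasing: it is a link to a policy that no longer exists in the domain, which usually means a GPO was deleted without first removing its links.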

Subnets, Sites, and Links

In AD terms, a subnet is an entry in the directory that defines a single network subnet, such as 192.168.1.0/24. A site is a collection of subnets that all share local area network (LAN) style connectivity, typically 100 Mbps or faster. In other words, a site consists of all the subnets in a given geographic location. A client whose address matches none of your subnet objects can't be placed in a site, and will use whatever DC the DNS locator hands it, possibly one across the WAN; DCs record such clients as NO_CLIENT_SITE entries in %SystemRoot%\debug\netlogon.log, which makes that file a good cross-check for your subnet inventory.

Links, or site links, define the physical or logical connectivity between sites. These tell AD's replication algorithms which DCs are able to physically communicate across wide area network (WAN) links so that replicated data can make its way throughout the organization. Documenting your subnets, sites, and links is quite probably the most important inventory you can have for a geographically dispersed domain.


Typically, you'll have site links that represent the physical WAN connectivity between sites. A cost can be applied to each link, indicating its relative expense. For example, if two sites are connected by a high-speed WAN link and a lower-speed backup link, the backup link might be given a higher cost to discourage its use by AD under normal conditions. As Figure 1.5 shows, you can also create site links that represent a virtual connection. The A-C link connects two sites that do not have direct WAN connectivity. This isn't necessarily a best practice, as it tells AD to expect WAN connectivity where none in fact exists.

Figure 1.5: Configuring site links.

Eliminating the A-C site link will not hinder AD operations: The directory will correctly determine the best path for replication. For example, changes made in Site C would replicate to D, then to B, and eventually to A. By default, AD treats all site links as transitively bridged (the "Bridge all site links" option on the IP transport is enabled), so the Knowledge Consistency Checker (KCC) can already compute that C-D-B-A route from the individual links and their costs. If Site C were the source of many changes (perhaps a concentration of administrators work there), you can make the C-to-A route explicit by creating a site link bridge that names the existing A-B, B-D, and C-D site links. Be aware that explicit bridges have no effect until you turn off "Bridge all site links," which you would normally do only in a network that isn't fully routed; from that point on, only the links you have bridged are treated as transitive. Such a bridge accurately reflects the physical WAN topology while giving you control over which routes the KCC is allowed to consider. Figure 1.6 shows how you might document that.


Figure 1.6: Configuring a site link bridge.

As you document your sites, think again about numbers: How many computers are in each site? How many users? Make a notation of these numbers, along with a notation of how many DCs exist at each site.

Sites should, as much as possible, reflect the physical reality of your network; they don't correspond to the logical structure of the domain in any way. One site may contain DCs from several domains or forests, and any given domain may easily span multiple sites. Sites, subnets, and site links are nonetheless part of the directory's own data: they're defined once per forest, in the configuration partition, and are therefore shared by every domain in that forest. If you have multiple forests, it's worth building a diagram (like Figure 1.5 or 1.6) for each forest even if they look substantially the same. In fact, any group of forests that spans the same physical sites should have identical-looking site diagrams, because the physical reality of your network isn't changing. Going through the exercise of creating the diagrams will help ensure that each forest has its links and bridges configured properly.
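
The site, subnet, and link inventory, the DC-per-site count, and the "Bridge all site links" question from the preceding pages can be answered in one pass over the configuration partition. The following script is an added example written for this edit, not code from the book; it assumes the Windows Server 2012 or later ActiveDirectory module (for the Get-ADReplication* cmdlets) and read access to every domain in the forest. Besides listing the topology it flags sites with no subnet, sites with no DC, subnets assigned to no site, and explicit bridges that are being ignored because automatic bridging is still on.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module
# (Server 2012 / RSAT 2012 or later).
Import-Module ActiveDirectory

# Turn "CN=name,CN=...,DC=..." into "name".
function Get-RdnValue([string]$dn) { (($dn -split '(?<!\\),')[0]) -replace '^CN=' }

function Get-SiteTopologyInventory {
    param([string]$Forest = (Get-ADForest).Name)

    $cfg = (Get-ADRootDSE).configurationNamingContext

    # Sites are forest-wide, so count DCs across every domain, not just the current one.
    $dcBySite = @{}
    foreach ($dns in (Get-ADForest -Identity $Forest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $dns) {
            $dcBySite[$dc.Site] = 1 + [int]$dcBySite[$dc.Site]
        }
    }

    $sites = foreach ($s in Get-ADReplicationSite -Filter * -Properties Subnets) {
        $count = 0
        if ($dcBySite.ContainsKey($s.Name)) { $count = $dcBySite[$s.Name] }
        [pscustomobject]@{
            Site    = $s.Name
            Subnets = (@($s.Subnets) | ForEach-Object { Get-RdnValue $_ }) -join ', '
            DCs     = $count
        }
    }

    # A subnet with no Site is the usual cause of NO_CLIENT_SITE entries in netlogon.log.
    $orphanSubnets = @(Get-ADReplicationSubnet -Filter * -Properties Site |
                       Where-Object { -not $_.Site } | ForEach-Object { $_.Name })

    $links = foreach ($l in Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded) {
        [pscustomobject]@{
            Link     = $l.Name
            Cost     = $l.Cost
            Interval = $l.ReplicationFrequencyInMinutes
            Sites    = (@($l.SitesIncluded) | ForEach-Object { Get-RdnValue $_ }) -join ', '
        }
    }

    $bridges = @(foreach ($b in Get-ADReplicationSiteLinkBridge -Filter * -Properties SiteLinksIncluded) {
        [pscustomobject]@{
            Bridge = $b.Name
            Links  = (@($b.SiteLinksIncluded) | ForEach-Object { Get-RdnValue $_ }) -join ', '
        }
    })

    # "Bridge all site links" is stored in the options attribute of the IP
    # inter-site transport object: bit 0x2 set means automatic bridging is OFF
    # and only explicit site link bridges make links transitive.
    $ip = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg" -Properties options
    $bridgeAll = -not ([int]$ip.options -band 0x2)

    [pscustomobject]@{
        BridgeAllSiteLinks     = $bridgeAll
        ExplicitBridgesIgnored = ($bridgeAll -and $bridges.Count -gt 0)
        SitesWithoutSubnets    = @($sites | Where-Object { -not $_.Subnets } | ForEach-Object { $_.Site })
        SitesWithoutDCs        = @($sites | Where-Object { $_.DCs -eq 0 }    | ForEach-Object { $_.Site })
        SubnetsWithoutSite     = $orphanSubnets
        Sites                  = $sites
        SiteLinks              = $links
        SiteLinkBridges        = $bridges
    }
}

$topo = Get-SiteTopologyInventory
$topo | Select-Object BridgeAllSiteLinks, ExplicitBridgesIgnored, SitesWithoutSubnets, SitesWithoutDCs, SubnetsWithoutSite | Format-List
$topo.Sites     | Format-Table -AutoSize
$topo.SiteLinks | Format-Table -AutoSize
```

A site without DCs is not necessarily wrong (branch offices with only clients are common), but a site with DCs and no subnets is: no client can ever be matched to it, so its DCs will never be preferred by anyone.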


DNS

The last critical piece of your inventory consists of your DNS servers. You should clearly document where each server physically sits and think about which clients it serves. Most companies have at least two DNS servers, although having more (and distributing them throughout your network) can provide better DNS performance to distant clients. AD absolutely cannot function without DNS, so it's important that both servers and clients have ready access to a high-performance DNS server. In particular, clients and DCs find domain controllers by querying the SRV records under the _msdcs subdomain of your AD domain's zone, so the zones that hold those records, and who is allowed to update them, belong in the inventory too. A large share of AD problems are rooted in DNS issues, meaning much of our troubleshooting discussion will be about DNS, and that discussion will be more meaningful if you can quickly locate your DNS servers on your network.

Also try to make some notation of which users, and how many users, utilize each DNS server, either as a primary, secondary, or other server. That will help give you an at-a-glance view of each DNS server's workload, and give you an idea of which users are relying on a particular server.

Putting Your Inventory into Visual Form

A tool like Microsoft Office Visio is often utilized to create AD infrastructure diagrams, often showing both the logical structure (domains, forests, and trusts) and the physical topology (subnets, sites, links, and so forth). There are also third-party tools that can automatically discover your infrastructure elements and create the appropriate charts and diagrams for you. The benefit of such tools is that they're always right, because they're reflecting reality, not someone's memory of reality. They can usually catch changes and create updated diagrams much faster and more accurately than you can.

I love to use those kinds of tools in combination with my own hand-drawn diagrams. If the tool-generated picture of my topology doesn't match my own picture, I know I've got a problem, and that can trigger an investigation and a change, if needed.

What's Ahead

Let's wrap up this brief introduction with a look at what's coming up in the next seven chapters.

AD Troubleshooting

Chapters 2 and 3 will concern themselves primarily with troubleshooting. In Chapter 2, we'll focus on the ways and means of monitoring AD, including native event logs, system tools, command-line tools, network monitors, and more. I'll also present desirable capabilities available in third-party tools (both free and commercial), with a goal of helping you to build a sort of shopping list of features that may support troubleshooting, security, auditing, and other needs.


Chapter 3 will focus on troubleshooting, including techniques for narrowing the problem domain, addressing network issues, resolving name resolution problems, dealing with AD service issues, and more. We'll also look at replication, AD database failures, Group Policy issues, and even some of the things that can go wrong with Kerberos. I'll present this information in the form of a troubleshooting flowchart that was developed by a leading AD Most Valuable Professional (MVP) award recipient, and walk you through the tools and tasks necessary to troubleshoot each kind of problem.

I'll wrap up this book with more troubleshooting, devoting Chapter 8 to additional troubleshooting tips and tricks.

AD Security

In Chapter 4, we'll dive into and discuss the base architecture for AD security. We'll look more at the issue of distributed permissions management, and discuss some of the problems that it presents and some of the advantages it offers. We'll look at some do-it-yourself tools for centralizing permissions changes and reporting, and explore whether you should rethink your AD security design. We'll also look at third-party capabilities that can make security management easier, and dive into the little-understood topic of DNS security.

AD Auditing

Chapter 5 will cover auditing, discussing AD's native auditing architecture and looking at how well that architecture helps to meet modern auditing requirements. I'll also present capabilities that are offered by third-party tools and how well those can meet today's business requirements and goals.

AD Best Practices

Chapter 6 will be a roundup of best practices for AD, including a quick look at whether you should reconsider your current AD domain and forest design (and, if you do, how you can migrate to that new design with minimum risk and effort). We'll also look at best practices for disaster recovery, restoration, security, replication, FSMO placement, DNS design, and more. I'll present new ideas for virtualizing your AD infrastructure, and look at best practices for ongoing maintenance.

AD LDS

Chapter 7 gives me an opportunity to cover additional information: AD's smaller cousin, Active Directory Lightweight Directory Services (AD LDS). We'll look at what it is, when to use it, when not to use it, and how to troubleshoot and audit this valuable service.

Let's Get Started!

With your AD inventory updated and in hand, we're ready to begin. The next chapter will introduce you to the majority of the tools that you'll need to pry valuable information out of AD so that you can start assembling your security and troubleshooting utility belt.


Download Additional eBooks from Realtime Nexus!

Realtime Nexus, The Digital Library, provides world-class expert resources that IT professionals depend on to learn about the newest technologies. If you found this eBook to be informative, we encourage you to download more of our industry-leading technology eBooks and video guides at Realtime Nexus. Please visit http://nexus.realtimepublishers.com.
