Top 10 tips for a healthier Active Directory
The state of Active Directory instances that I have come across over the years has left me amazed. It is rare that I have run an audit on an Active Directory instance that has been configured correctly, which is concerning given its importance in managing users, groups, and resources in a Windows-based environment.
The most common issue that I have encountered is poorly configured manual links in sites and services, which can lead to replication problems between domain controllers, causing outdated or inconsistent data. Additionally, I often find poor DNS configurations, which can cause problems with name resolution, making it difficult to access network resources.
Another common issue that I have come across is old Domain Controllers that have never been demoted. These Domain Controllers can still hold Active Directory data and can cause replication issues when new Domain Controllers are introduced to the network. Furthermore, I have seen a flurry of warning and error events that can indicate potential problems.
Despite the availability of newer, more reliable technologies, I still see some domains using NT-FRS instead of DFSR. This is surprising given that DFSR has been available since 2008 and is much faster and more reliable. Migrating to DFSR is a straightforward process and can significantly improve the performance and reliability of Active Directory.
To ensure that your ADDS deployment is working correctly, here are some essential things to check:
1. Check You’ve Migrated to DFSR
Merely using an outdated software version is not always a sufficient reason to switch to a newer version. However, in this particular scenario, it is worthwhile to investigate the latest approach and consider upgrading if the enhancements are significant enough to justify the transition, especially given that the binaries for NT-FRS are no longer present from Server 2019, so you’ll have to upgrade soon!
The process is incredibly easy. To transition SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS Replication), the domain must go through three phases: Prepared, Redirected, and Eliminated. The procedures for each stage of the migration are detailed below.
I have written a guide on migrating to DFSR which you can find here: Migrating from NTFRS to DFSR. Here is, also, the official Microsoft documentation for the migration process.
2. Check Sites and Services
Since 2011, I’ve had a quote rolling around in my head whenever I think of an ADDS deployment: “You Are Not Smarter Than The KCC!”. I’d love to take credit for it, but it was a line I read on a blog post from Mark Morowczynski, now Principal Product Manager at Microsoft.
Just like Mark says in that article, I often see manually created connections between DCs in Sites and Services… and I don’t understand why! If your Active Directory (AD) sites and site costing are configured correctly, there should be no need to manually create connection objects, in fact, creating manual connections will usually cause you more problems than it solves.
The Knowledge Consistency Checker (KCC) is a component of Active Directory Domain Services (AD DS) that is responsible for generating and maintaining the replication topology for domain controllers in a given domain.
The KCC runs automatically on each domain controller and calculates the most efficient replication topology for the domain based on the site, subnet, and server information that is stored in Active Directory. The replication topology determines how changes to Active Directory objects are replicated between domain controllers, and ensures that all domain controllers in the domain have consistent and up-to-date information.
The KCC is responsible for creating, modifying, and removing connection objects between domain controllers to establish replication links. It also monitors the replication links to ensure that they are functioning correctly, and automatically adjusts the replication topology if there are changes to the network or if domain controllers are added or removed from the domain.
The KCC is an essential component of AD DS, as it ensures that all domain controllers have the same information and that changes to Active Directory objects are replicated efficiently and reliably. By automatically creating and maintaining the replication topology, the KCC simplifies the management of large, complex Active Directory environments and ensures that they remain consistent and reliable.
If you’re interested in how the KCC does it’s thing, check out this Microsoft Article: How Active Directory Replication Topology Works. I’ll warn you know – it’s easily a couple of hours read, and the article is from 2014, so some things may now be out of date – bust the basic principles of replication still apply.
3. Check the event log
The Event Log is a powerful tool that can provide valuable insights into the health of a Windows environment. By using it proactively and making it a first point of call when troubleshooting issues, you can improve system reliability and reduce the time it takes to resolve problems.
For me, the Event Log is an essential tool in Windows that can provide valuable insights into the root cause of various issues with services or applications. However, I find that many administrators tend to overlook the Event Log and only turn to it as a last resort. This approach can be problematic since the Event Log often contains detailed information about errors, warnings, and other events that may help diagnose the root cause of a problem. In fact, in many cases, the Event Log can be screaming out the reason why a service or application is not functioning correctly!
Make the Event Log the first point of call when troubleshooting issues with Windows services or applications. Get used to using event log filters to narrow down issues.
Also, by regularly reviewing the Event Log, you can quickly identify potential problems before they escalate into major issues. I would also highly recommend monitoring the Event Log to alert you to potential issues in real-time. This approach can help improve system uptime and reduce the time it takes to diagnose and resolve issues.
Microsoft has compiled a list of critical events that are essential to monitor to maintain the health and security of a ADDS environment. By monitoring these critical event IDs, you can quickly identify potential security threats, system performance issues, and other critical events that may impact the overall health of the environment, helping proactively prevent issues and ensure the reliability and security of the Windows environment.
The full list of Event IDs can be found here: Appendix L: Events to Monitor. I have listed the most critical events to monitor below.
| Current Windows Event ID | Legacy Windows Event ID | Potential Criticality | Event Summary |
|---|---|---|---|
| 4618 | N/A | High | A monitored security event pattern has occurred. |
| 4649 | N/A | High | A replay attack was detected. May be a harmless false positive due to misconfiguration error. |
| 4719 | 612 | High | System audit policy was changed. |
| 4765 | N/A | High | SID History was added to an account. |
| 4766 | N/A | High | An attempt to add SID History to an account failed. |
| 4794 | N/A | High | An attempt was made to set the Directory Services Restore Mode. |
| 4897 | 801 | High | Role separation enabled: |
| 4964 | N/A | High | Special groups have been assigned to a new logon. |
| 5124 | N/A | High | A security setting was updated on the OCSP Responder Service |
| N/A | 550 | Medium to High | Possible denial-of-service (DoS) attack |
| 1102 | 517 | Medium to High | The audit log was cleared |
4. Check DNS
Ah, the old adage: “It’s always DNS”! The trouble is, the adage is usually true! When customers are having issues with ADDS, it’s the first place I’ll look.
If there is an issue with DNS, it can cause a huge amount of problems in your network. These issue can include slow or unresponsive applications, inability to access websites or network resources, and authentication failures.
DNS is a fundamental and essential service for Active Directory because it provides the mechanism for locating domain controllers, which are the core infrastructure components of Active Directory.
In an Active Directory environment, DNS is used to store and locate information about Active Directory objects, including users, computers, and other resources. DNS enables clients to locate domain controllers and other Active Directory services by resolving the names of these resources to IP addresses. This allows clients to authenticate and access resources on the network.
In addition, Active Directory relies on DNS to enable replication between domain controllers, which ensures that changes to Active Directory objects are propagated throughout the environment. DNS provides the necessary information for domain controllers to communicate with each other and replicate changes in a consistent and reliable manner.
Furthermore, DNS is used by Active Directory to support Domain Name System Security Extensions (DNSSEC), which provides additional security features such as data origin authentication and data integrity. DNSSEC helps to prevent attacks that attempt to corrupt or hijack DNS traffic, ensuring the integrity and security of the Active Directory environment.
Overall, DNS is an absolutely critical component of Active Directory and provides the essential mechanism for locating and communicating with domain controllers, which are the foundation of Active Directory infrastructure. Without DNS, Active Directory would not function properly, and users would be unable to authenticate or access network resources.
5. Remove Old DCs
I see this a lot, often in Sites and Services or DNS. Old, powered off domain controllers should be removed from the Active Directory environment for several reasons.
Firstly, these domain controllers may still be listed in the Active Directory metadata and can cause issues with replication and updates. This can lead to inconsistencies in the Active Directory database and can cause delays or failures in authentication and authorization services.
Secondly, old, powered off domain controllers can pose a security risk to the environment. These domain controllers may have vulnerabilities that have not been patched or may be running outdated software that is no longer supported. Hackers and malicious actors may exploit these vulnerabilities to gain unauthorized access to the domain controller and potentially gain access to the sensitive data stored in the Active Directory.
Furthermore, old, powered off domain controllers can create unnecessary complexity in the Active Directory environment. These domain controllers may be associated with legacy applications or services that are no longer in use, which can make it difficult to manage the environment and ensure that it is secure and up-to-date.
To ensure the performance and security of the Active Directory environment, it is important to remove old, powered off domain controllers from the environment as soon as possible. This can be done by properly demoting the domain controller and ensuring that all sensitive data is securely erased from the device. This helps to minimize the risk of security threats and ensures that the environment is running efficiently and effectively.
6. Check Domain and Forest Functional Levels
Raising the Domain and Forest Functional Levels in a Windows Active Directory environment can provide several benefits, including:
- Improved security: Raising the functional levels can allow for the use of more advanced security features and policies. For example, some security features, such as Advanced Encryption Standard (AES) encryption, are only available at higher functional levels.
- New features: Raising the functional levels can also enable new features and functionality within Active Directory. For example, raising the functional level to Windows Server 2016 allows for the use of the Group Managed Service Account feature.
- Improved compatibility: Raising the functional levels can ensure compatibility with newer versions of Windows Server and other Microsoft products. This can help organizations take advantage of the latest features and capabilities offered by these products.
It’s worth noting that raising the functional levels requires careful planning and testing to ensure that it is done correctly and without causing any disruptions to the environment. It is recommended to consult Microsoft documentation and best practices, as well as seek advice from experienced Active Directory professionals, before raising the functional levels.
If you want to learn more about the features and capabilities offered by each Forest and Domain Functional Level in a Windows Active Directory environment, you can consult the official documentation provided by Microsoft. This documentation provides a detailed overview of the functional levels, including the features and capabilities available at each level, as well as the prerequisites and requirements for raising the functional levels.
7. Enable the Firewall and AV
It’s a common problem to come across firewalls disabled and antivirus uninstalled, and while I can understand why this might have happened in the past for troubleshooting purposes, it’s simply not acceptable anymore. Your systems are your crown jewels and protecting them should be your top priority.
Cybercriminals always target the most valuable assets and once they’re inside your network, their goal is to gain as much access and control as possible. If you have disabled your antivirus and firewall on your Domain Controllers, you’re leaving the door wide open for the hackers to waltz in without any resistance.
To prevent this, it’s important to follow the best practices and have antivirus software running on all devices, as well as enabling the Windows Firewall or a third-party firewall. It’s no longer enough to just have perimeter protection; your Domain Controllers must also be safeguarded. Don’t compromise on security, protect your assets with the highest level of security measures.
8. Don’t use your DC for anything else
A Domain Controller plays a critical role in a network by providing centralized authentication and authorization services. As such, it is not advisable to use a Domain Controller for running other applications.
When additional applications are installed on a Domain Controller, it can lead to several issues such as security vulnerabilities, performance degradation, increased complexity in server configuration, and potential compatibility problems.
Using a Domain Controller to run other applications can compromise the security of the network by increasing the attack surface of the server. It can also cause performance issues and slow down the response times of the server, making it difficult for users to access network resources efficiently.
Moreover, running other applications on a Domain Controller can create conflicts with the server configuration, leading to compatibility issues and causing downtime for the entire network.
To maintain the security, performance, and stability of the network, it is best to keep a Domain Controller dedicated to its primary role of providing authentication and authorization services and avoid using it to run other applications.
Let’s take a closer look at each of the reasons why it is generally not recommended to use a Domain Controller for running other applications:
- Security risks: By installing additional applications on a Domain Controller, you are expanding the attack surface of the server, which can increase the risk of security breaches. Any vulnerability in one of the applications can be exploited by attackers to gain access to the Domain Controller and potentially the entire network.
- Performance issues: Running non-critical applications on a Domain Controller can cause performance issues, especially if the applications require significant resources. This can slow down the server’s response times, resulting in longer logon times and other performance-related problems.
- Complexity: Installing other applications on a Domain Controller can make the server configuration more complex and difficult to manage. It can also lead to compatibility issues and make it harder to apply updates and patches.
- Compatibility issues: Some applications may not be compatible with a Domain Controller, which can cause downtime and other issues. This can be especially problematic if the application is critical to the operation of the network.
9. Have multiple DCs
Having multiple Domain Controllers is important for several reasons:
- High availability: Multiple Domain Controllers ensure that even if one server goes down, the other Domain Controllers can continue to function and provide authentication and other services. This helps ensure that your users can still access the network and their resources without any downtime.
- Load balancing: With multiple Domain Controllers, you can distribute the load of authentication requests across them, reducing the chances of any one server becoming overwhelmed and slowing down or failing.
- Redundancy: In case of hardware or software failures, having multiple Domain Controllers means that you have a backup that can quickly take over the services of the failed server.
- Disaster recovery: In the event of a disaster, such as a fire or flood, having multiple Domain Controllers that are geographically distributed can help ensure that your network remains operational.
- Security: Having multiple Domain Controllers can also enhance security by allowing you to place Domain Controllers in different security zones and limiting the exposure of your network to potential attackers.
Overall, having multiple Domain Controllers is important for ensuring high availability, load balancing, redundancy, disaster recovery, and security of your network.
10. Get an unbiased external Audit
It’s easy to become complacent with your Active Directory configuration, having an external audit can yield significant benefits. This assessment can provide recommendations for improving the health of your Active Directory, and serve as evidence to your company that your deployment aligns with industry best practices and has been verified by a third party. Don’t overlook the advantages of seeking an external audit to ensure the continued stability and security of your Active Directory environment.
In conclusion, regularly auditing your Active Directory instances is crucial to ensure that they are configured correctly and taking advantage of the latest technologies and features. By doing so, you can improve network performance, reliability, and security and ensure that your organization’s Windows-based environment is working optimally.
