Overview
Reliability is the state in which a service and all the components it depends on are behaving as desired within acceptable limits. This task list provides a schedule of proactive health monitoring and maintenance tasks to review and adapt to your individual requirements. For further instructions about the configuration and use of this task list, see the Administrator's Guide to Reliability Workbooks at www.microsoft.com/mof.
Feedback
Please direct questions and comments about this guide to mofpm@microsoft.com.
Note: Although many of the monitoring and maintenance tasks in this guide can be performed manually, best practice is to use automated methods because of the frequency and complexity of the individual tasks.
Monitoring Activities
Title (Health attribute / Health area)
Verify that all accounts with Remote Access Service access are appropriate. (Security / Authentication)
Verify that all accounts with Terminal Services access are appropriate. (Security / Authentication)
Verify that expiration dates for domain controller certificates have been set. (Security / Certificate Maintenance)
Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials. (Security)
Verify that NTFS file system permissions are set appropriately on all shared folders and content in shared folders. (Security / NTFS Permissions)
Verify that all security settings available via Group Policy objects are managed centrally by policies. (Security / Group Policy)
Verify that all user account passwords are configured to meet minimum length and complexity requirements. (Security / Authentication)
Check the password policy for the Maximum Password Age setting. (Security / Authentication)
Check the password policy for the Minimum Password Age setting. (Security / Authentication)
Check the password policy for the Minimum Password Length setting. (Security / Authentication)
Verify that the Account Lockout policy meets minimum organizational security policy requirements. (Security / Authentication)
Verify that all domain controllers are in the Domain Controllers organizational unit. (Security)
Verify that the Kerberos Key Distribution Center service is running. (Availability / Replication)
Look for non-standard grants of Write access to Active Directory Domain Services (AD DS) and AD DS objects. (Appropriate Use / Administrative Authority)
Check for dangerous or unnecessary services that are not disabled. (Appropriate Use)
Audit the membership of all domain groups that grant administrative privileges, for example Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators. (Appropriate Use / Administrative Authority)
Monitor each domain controller for general responsiveness. (Performance)
Monitor the responsiveness of Active Directory Domain Services to a Lightweight Directory Access Protocol request. (Performance)
Measure the time required to perform a global catalog search. (Performance)
Verify that operations masters are responsive. (Performance)
Monitor database and log file size as well as the available free space on the associated disk volumes. (Availability)
Verify that all Domain Name System (DNS) service records are registered in DNS for each domain controller and appropriate service. (Availability / DNS SRV Records)
Verify that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated. (Security / Anonymous Connections)
Ensure that no standard users can read key properties for administrative groups and users. (Security / Lightweight Directory Access Protocol Access to Active Directory Domain Services)
Verify that Encrypting File System is not enabled for domain controllers. (Security / Encrypting File System)
Verify that no user accounts have the Password Never Expires property configured. (Security / Authentication)
Verify that the name of the last user who logged on does not appear during logon. (Security / Authentication)
Ensure that administrator-level accounts have dual accounts or use User Account Control. (Appropriate Use / Administrative Authority)
Ensure that the crash dump file is configured to meet company requirements. (Continuity / Domain Controllers)
Ensure that Domain Name System servers that support Active Directory Domain Services (AD DS) are all AD DS integrated. (Security)
Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers. (Appropriate Use)
Ensure that all domain controllers are in the appropriate site based on IP address. (Continuity / Replication)
Ensure that the design of the location of global catalog servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information in the global catalog. (Continuity)
Ensure that the design of the location of Domain Name System (DNS) servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on the DNS servers. (Continuity)
Ensure that the design of the location of domain controllers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on domain controllers. (Continuity)
Health requirement / Monitoring task / Monitoring parameter

Requirement: Remote access
Task: Verify that all accounts with Remote Access Service access are appropriate.
Parameter: Remote Access Service account access is limited to those deemed appropriate per company policy.

Task: Verify that all accounts with Terminal Services access are appropriate.
Parameter: Terminal Services account access is limited to those deemed appropriate per company policy.

Requirement: Current accounts
Task: Check for a high number of locked-out, disabled, or expired accounts.
Parameter: No more than n anomalous accounts.

Requirement: Current certificates
Task: Verify that upcoming certificate renewals are in the schedule.
Parameter: Certificates are valid for one month past the current date.

Requirement: Current certificates
Task: Verify that expiration dates for domain controller certificates have been set.
Parameter: The expiration date is in the future.

Task: Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.
Parameter: Security ID filtering on all trusts by default.

Task: Confirm that Group Policy has not been misconfigured.
Parameter: No Override is disabled for all Active Directory Domain Services nodes (domain and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects.

Task: Verify that shared folders are required.
Parameter: The list of shared folders should meet the minimum shared folders required for each server.

Requirement: NTFS file system permissions should protect shared folders and all content from unauthorized users.
Task: Verify that NTFS file system permissions are set appropriately on all shared folders and content in shared folders.
Parameter: The most restrictive permissions are applied.

Task: Verify that all security settings are managed centrally by policies.
Parameter: All settings are confirmed.

Requirement: Strong passwords
Task: Verify that all user account passwords are configured to meet minimum length and complexity requirements.
Parameter: Password length and complexity are established (specifics per company policy).

Task: Check the password policy for the Maximum Password Age setting.
Parameter: The Maximum Password Age is set between 30 and 120 days per organization policy.

Task: Check the password policy for the Minimum Password Age setting.
Parameter: The Minimum Password Age is set to a minimum of one day or per organization policy.

Task: Check the password policy for the Minimum Password Length setting.
Parameter: The Minimum Password Length is set to a minimum of 7 to 14 characters or per organization policy.

Task: Verify that the Account Lockout policy meets the minimum organization security policy requirements.
Parameter: Account Lockout policy settings.

Task: Review LanManager compatibility settings.
Task: Review the LanManager authentication protocol hash storage settings.
Parameter: LMCompatibilityLevel setting.

Requirement: All domain controllers receive the same Group Policy objects.
Task: Verify that all domain controllers are in the Domain Controllers organizational unit.

Requirement: Replication links between domain controllers and replication partners are healthy.
Task: Check the replication provider.

Requirement: Domain controllers within a forest are able to replicate with each other.
Task: Check the partner replication count.
Parameter: The domain controller always has at least one outbound connection; the domain controller has at least one connection to another site; the domain controller does not have more than a specified number of connections.

Requirement: Changes are properly replicated across the forest.
Task: Check replication latency.
Parameter: Convergence latency is within the desired maximum determined time.

Requirement: Changes are properly replicated across the forest.
Task: Verify that the appropriate replication service is running.
Parameter: NT File Replication Service and/or Distributed File System Replication is running.

Requirement: Updated domain controllers
Task: Verify that the Kerberos Key Distribution Center service is running.
Parameter: The Kerberos Key Distribution Center service is running.

Requirement: The System Volume share is accessible on every domain controller.
Parameter: The System Volume share can be accessed on each domain controller from across the network.

Requirement: Domain controller backup
Parameter: System state has been backed up within the past 24 hours.

Requirement: Critical volumes are backed up.
Task: Verify that critical volumes are backed up.
Parameter: Completed.

Task: Verify the full server backup.
Parameter: Completed.

Task: Verify the authoritative restore of Active Directory Domain Services.
Parameter: Completed.

Task: Look for non-standard grants of Write access to Active Directory Domain Services (AD DS) and AD DS objects.
Parameter: No change.

Task: Check for dangerous or unnecessary services that are not disabled.
Parameter: Dangerous or unnecessary services are disabled.

Task: Check for dormant user accounts.
Parameter: User accounts are disabled when a personnel change is entered in the Human Resources system.

Task: Audit the membership of all domain groups that grant administrative privileges, for example Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators.
Parameter: Apply least privilege.

Task: Verify that user rights are not assigned to users.
Parameter: Only administrators should have user rights assigned.

Task: Monitor the responsiveness of Active Directory Domain Services to a Lightweight Directory Access Protocol request.
Parameter: Less than one second.

Requirement: The Active Directory Domain Services global catalog is responsive.
Task: Measure the time required to perform a global catalog search.

Requirement: Operations masters are responsive.
Task: Verify that operations masters are responsive.

Requirement: The domain controller is advertising.
Task: Verify that the domain controller is advertising.

Requirement: The system is up to date with the latest service pack and security updates.
Task: Check for the latest service pack and security updates.
Parameter: Completed.

Requirement: Domain controllers on the network are in time synchronization with each other.
Task: Verify that the Windows Time service is running.
Parameter: The primary domain controller is synching with a valid external time source; MaxPosPhaseCorrection and MaxNegPhaseCorrection should be between 1 hour and 48 hours.

Task: Monitor database and log file size as well as available free space on the associated disk volumes.
Parameter: At least 20% of the current database is available.

Requirement: Existing domain functional level. Ensure that the functional level of the domain is at the highest level possible.
Task: Check the Active Directory Domain Services domain functional level.

Requirement: Existing forest functional level. Ensure that the functional level of the forest is at the highest level possible.
Task: Check the Active Directory Domain Services forest functional level.

Requirement: Domain controller services are available.
Task: Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service.
Parameter: The Domain Name System service records exist.

Task: Verify that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated.

Task: Verify membership in the Pre-Windows 2000 Compatible Access group.

Requirement: Deny Read access to key security groups and users for standard users.
Task: Ensure that no standard users can read key properties for administrative groups and users.
Parameter: Verify Lightweight Directory Access Protocol access to Active Directory Domain Services.

Requirement: Ensure that Encrypting File System is disabled for domain controllers.
Task: Verify that Encrypting File System is not enabled for domain controllers.
Parameter: Check whether files can be encrypted.

Requirement: Ensure that user account passwords expire.
Task: Verify that no user accounts have the Password Never Expires property configured.
Parameter: Check all user accounts for the Password Never Expires property configuration.

Requirement: Dangerous or unnecessary network access protocols/applications are denied.
Task: Check for Windows Firewall rules.

Requirement: Group Policy Management Console delegation is set correctly.
Task: Check for changes in administrative authority for Group Policy management.

Task: Verify that audit policy settings are configured properly.

Task: Verify that the name of the last user who logged on does not appear during logon.
Parameter: Check whether the last user name is displayed at logon.

Requirement: Group Policy objects are backed up.
Task: Verify that Group Policy objects are backed up.

Requirement: Appropriate logon access privilege level
Task: Ensure that administrator-level accounts have dual accounts or use User Account Control.
Parameter: Require least-privilege access for administrators.

Task: Ensure that the crash dump file is configured to meet company requirements.
Parameter: Verify crash dump settings.

Task: Ensure that Domain Name System servers that support Active Directory Domain Services (AD DS) are all AD DS integrated.
Parameter: Verify the configuration and location of Domain Name System.

Requirement: Dynamic Host Configuration Protocol services are running on domain controllers.
Task: Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers.
Parameter: Verify membership in the DNSUpdateProxy group.

Requirement: Site configuration
Task: Ensure that all domain controllers are in the appropriate site based on IP address.
Parameter: Verify domain controller locations in sites.

Task: Ensure that the design of the location of global catalog servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information in the global catalog.
Parameter: Verify the number of global catalog servers in each physical location.

Task: Ensure that the design of the location of Domain Name System (DNS) servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on the DNS servers.
Parameter: Verify the number of Domain Name System servers in each physical location.

Task: Ensure that the design of the location of domain controllers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on domain controllers.
Parameter: Verify the number of domain controllers in each physical location.
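The password, lockout and account parameters above (Maximum Password Age between 30 and 120 days, Minimum Password Age of at least one day, an Account Lockout policy in place, no Password Never Expires accounts, no more than n anomalous accounts, no dormant accounts) can be checked in one pass. The following is an added example and not part of the MOF workbook; it uses the ActiveDirectory module shipped with Windows Server 2008 R2, and the 14-character minimum length, the allowance of 25 anomalous accounts and the 90-day dormancy age are assumed values standing in for "per company policy".

```powershell
# Added example (not from the MOF workbook): audit the default domain password and
# lockout policy against the thresholds in this task list and report anomalous accounts.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Test-WorkbookPasswordPolicy {
    param(
        [int]$MinLength = 14,            # assumption: stands in for "specifics per company policy"
        [int]$MaxAnomalousAccounts = 25, # assumption: the workbook's "no more than n" accounts
        [int]$DormantDays = 90           # assumption: age after which an unused account is dormant
    )
    $findings = @()
    $policy = Get-ADDefaultDomainPasswordPolicy

    # Maximum Password Age: 30 to 120 days. A "never expires" policy reports a zero or a
    # maximal TimeSpan; both fall outside the range and are flagged.
    $maxAge = $policy.MaxPasswordAge.TotalDays
    if ($maxAge -lt 30 -or $maxAge -gt 120) {
        $findings += "Maximum Password Age is $maxAge days; expected 30 to 120."
    }
    # Minimum Password Age: at least one day, so a user cannot cycle straight back to an old password.
    $minAge = $policy.MinPasswordAge.TotalDays
    if ($minAge -lt 1) {
        $findings += "Minimum Password Age is $minAge days; expected at least 1."
    }
    # Minimum Password Length and complexity.
    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "Minimum Password Length is $($policy.MinPasswordLength); expected at least $MinLength."
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += 'Password complexity requirements are not enforced.'
    }
    # Account Lockout policy: a threshold of 0 means lockout is disabled entirely.
    if ($policy.LockoutThreshold -eq 0) {
        $findings += 'Account Lockout is disabled (LockoutThreshold = 0).'
    }

    # Password Never Expires must not be set on any enabled user account.
    $neverExpires = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true }
    foreach ($u in $neverExpires) {
        $findings += "Password Never Expires is set on $($u.SamAccountName)."
    }

    # Locked-out, disabled and expired accounts: no more than n in total.
    $lockedOut = @(Search-ADAccount -LockedOut -UsersOnly)
    $disabled  = @(Search-ADAccount -AccountDisabled -UsersOnly)
    $expired   = @(Search-ADAccount -AccountExpired -UsersOnly)
    $anomalous = $lockedOut.Count + $disabled.Count + $expired.Count
    if ($anomalous -gt $MaxAnomalousAccounts) {
        $findings += "$anomalous locked-out/disabled/expired accounts ($($lockedOut.Count)/$($disabled.Count)/$($expired.Count)); limit is $MaxAnomalousAccounts."
    }

    # Dormant accounts: enabled users with no logon for $DormantDays days should already be disabled.
    $dormant = @(Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($DormantDays)) -UsersOnly |
                 Where-Object { $_.Enabled })
    foreach ($u in $dormant) {
        $findings += "Dormant account still enabled: $($u.SamAccountName) (last logon $($u.LastLogonDate))."
    }

    return $findings
}

$result = @(Test-WorkbookPasswordPolicy)
if ($result.Count -eq 0) { 'All password and account checks passed.' } else { $result }
```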
Frequency / Owner / Manual / Automation (in task order)
Daily; Operator. Manual: Verify under Permissions for Remote Access Service (RAS) and Internet Authentication Service servers in the Active Directory Users and Computers snap-in. Verify group membership for RAS access. Automation: Microsoft System Center Operations Manager can audit Remote Access Service access.
Daily; Operator. Manual: Verify under the user account properties and the Remote Desktop group, and verify that the Terminal Server has the correct user right for Allow Logon Through Terminal Services configured. Verify group membership for Remote Access Service access. Automation: Perfmon.
Daily; Operator. Manual: Verify that the Account Lockout Duration policy setting in Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy matches the policy. Automation: Microsoft System Center Operations Manager can audit for anomalous accounts; Active Directory Users and Computers saved queries; Lockoutstatus.exe.
Weekly; Operator. Manual: Use the Certificate Request Wizard in the Microsoft Management Console Certificates snap-in. Automation: Use Microsoft Certificate Lifecycle Manager 2007 or Microsoft Forefront Identity Manager 2010.
Weekly; Operator. Manual: Use the Certificate Request Wizard in the Microsoft Management Console Certificates snap-in. Automation: Use Microsoft Certificate Lifecycle Manager 2007 Certificate Authority Monitor and Microsoft System Center Operations Manager.
Daily; Operator. Manual: Firewall logs.
Daily; Operator. Automation: Netmon.
Automation: Automate this process by using Desired Configuration Management Packs or by analyzing the results of Gpresult.
Monthly; Operator. Manual: Check Group Policy settings in the Group Policy Management Console. Automation: GPOTool.exe. Use Windows PowerShell scripts in the Windows Server 2008 R2 and Windows 7 release of the Group Policy management tools. If possible, install and use Microsoft Advanced Group Policy Management.
Monthly; Operator. Manual: Computer Management.
Semi-annually; Operator. Automation: Access control lists (ACLs) in a script; Group Policy object to establish ACLs.
Daily; Operator. Automation: Automated by using Desired Configuration Management Packs or by analyzing the results of Gpresult.
Monthly; Operator. Automation: Audit the Group Policy password policy with Microsoft System Center Operations Manager.
Monthly; Operator. Automation: Microsoft System Center Operations Manager audits the Group Policy password policy; Microsoft System Center Operations Manager.
Monthly; Operator. Manual: Secpol.msc.
Monthly; Operator. Manual: Secpol.msc. Automation: Microsoft System Center Operations Manager; Microsoft System Center Operations Manager.
Monthly; Operator. Manual: Secpol.msc.
Monthly; Operator. Automation: Dsquery.
Weekly; Operator. Manual: Monitor the event logs for event ID 13508 and event ID 13509, which may point to File Replication Service replication issues. Also, use Repadmin /showrepl to find replication partners and issues.
Daily; Operator. Manual: Use Repadmin.
Daily; Operator. Manual: Use Repadmin.
Daily; Operator. Manual: Ping command.
Daily; Operator. Manual: Verify backup logs. Configure auditing and verify using Event Viewer.
Daily; Backup operator. Manual: Verify backup logs. Configure auditing and verify using Event Viewer.
Manual: Verify backup logs.
Weekly; Backup operator. NTdsutil.exe.
Backup operator. NTdsutil.exe.
Daily; Operator. Manual: Active Directory Domain Services delegation of authority; Dsacls.exe. Use Computer Management or Server Manager.
Manual: Configure auditing and verify using Event Viewer. Automation: Windows PowerShell script.
Daily; Operator. Manual: Custom Lightweight Directory Access Protocol query; saved query using Active Directory Users and Computers. Automation: Windows PowerShell script.
Monthly; Operator. Manual: Secpol.msc.
Daily; Operator. Manual: Ping command. Automation: Microsoft System Center Operations Manager; Microsoft System Center Operations Manager.
Daily; Operator. Manual: Verify these registry settings using the Registry Editor. Automation: Windows PowerShell script.
Manual: Use Computer Management or Server Manager.
Every 15 minutes; Operator. Manual: System Monitor. Automation: Microsoft System Center Operations Manager.
Monthly; Operator. Manual: Secpol.msc.
Monthly; Operator. Manual: Secpol.msc.
Monthly; Operator. Manual: Dsacls.exe.
Monthly; Operator. Manual: Group Policy object report of the Default Domain policy through Group Policy Management Console; Secpol.msc.
Manual: Active Directory Users and Computers user properties, saved queries, custom Lightweight Directory Access Protocol query.
Manual: Server Manager.
Daily; Operator. Manual: Group Policy Management Console Delegation tab; Advanced Group Policy Management.
Manual: Secpol.msc. Automation: Windows PowerShell script.
Daily. Manual: Group Policy Management Console; Event Viewer operational log for Group Policy. Automation: Scheduled Task using Group Policy Management Console scripts.
Manual: Secpol.msc. Automation: Windows PowerShell script.
Daily; Operator. Manual: System properties; Drwtsn32.
Monthly; Operator. Manual: Dsquery.exe.
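Several of the daily domain controller checks listed above (Kerberos Key Distribution Center, Windows Time and SYSVOL replication services running, the System Volume share reachable, the Windows Time phase-correction registry settings, 20% free space for the database, Repadmin /showrepl and File Replication Service events 13508 and 13509) can be gathered into one script. This is an added example and not part of the workbook; it assumes it runs locally on a domain controller with administrative rights, and the column names used for repadmin's CSV output are taken from the tool rather than from this page.

```powershell
# Added example (not from the MOF workbook): daily domain controller health checks from
# this task list, run locally on the domain controller with administrative rights.
function Test-DomainControllerHealth {
    $dc = $env:COMPUTERNAME
    $findings = @()

    # Services the list requires: Kdc is the Kerberos Key Distribution Center, W32Time the
    # Windows Time service. SYSVOL replicates through NtFrs (File Replication Service) or
    # DFSR (DFS Replication); a domain controller runs one of the two, not necessarily both.
    foreach ($name in 'Kdc', 'W32Time', 'Netlogon') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { $findings += "Service $name is not running." }
    }
    $sysvolRepl = Get-Service -Name 'NtFrs', 'DFSR' -ErrorAction SilentlyContinue |
                  Where-Object { $_.Status -eq 'Running' }
    if (-not $sysvolRepl) { $findings += 'Neither NtFrs nor DFSR is running; SYSVOL is not replicating.' }

    # The System Volume share must be reachable across the network.
    if (-not (Test-Path "\\$dc\SYSVOL")) { $findings += "\\$dc\SYSVOL is not accessible." }

    # Windows Time: MaxPosPhaseCorrection / MaxNegPhaseCorrection are DWORD seconds; the list
    # wants them between 1 hour (3600) and 48 hours (172800).
    $w32 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        $v = [int64]$w32.$name
        if ($v -lt 0) { $v += 4294967296 }   # 0xFFFFFFFF ("any correction") reads back as -1
        if ($v -lt 3600 -or $v -gt 172800) { $findings += "$name is $v seconds; expected 3600 to 172800." }
    }

    # Database volume: free space must be at least 20% of the current ntds.dit size.
    $ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = Get-Item $ntds.'DSA Database file'
    $volume = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($dbFile.PSDrive.Name):'"
    if ($volume.FreeSpace -lt 0.2 * $dbFile.Length) {
        $findings += ('{0} has {1:N0} MB free for a {2:N0} MB database; less than 20%.' -f
                      $volume.DeviceID, ($volume.FreeSpace / 1MB), ($dbFile.Length / 1MB))
    }

    # Inbound replication links with failures (Repadmin /showrepl). The column names are those
    # emitted by repadmin's /csv output, not taken from this page; verify them on your build.
    $repl = repadmin /showrepl $dc /csv | ConvertFrom-Csv
    foreach ($link in $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }) {
        $findings += "Replication of $($link.'Naming Context') from $($link.'Source DSA') has $($link.'Number of Failures') failures; last status $($link.'Last Failure Status')."
    }

    # File Replication Service events 13508 and 13509 in the last 24 hours. The log does not
    # exist on DFSR-only domain controllers, so a missing log is not a finding.
    try {
        $frs = Get-EventLog -LogName 'File Replication Service' -After (Get-Date).AddDays(-1) -ErrorAction Stop |
               Where-Object { $_.EventID -eq 13508 -or $_.EventID -eq 13509 }
        foreach ($e in $frs) { $findings += "FRS event $($e.EventID) at $($e.TimeGenerated)." }
    } catch { }

    return $findings
}

$result = @(Test-DomainControllerHealth)
if ($result.Count -eq 0) { "All checks passed on $env:COMPUTERNAME." } else { $result }
```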
Notes
Consult the Microsoft Identity and Access Management Series Solution Accelerator.
Look for global settings here, not detailed settings within Group Policy Management Console. This is only to make sure that Group Policy object application is not affected incorrectly.
Verify that share permissions set are not too weak. NTFS file system permissions should control access, not share permissions. Make sure that any shares created are really needed.
Ensure that all legacy LanManager protocols are removed and disabled.
Make sure that all domain controllers can replicate to other domain controllers, that none is orphaned, and that the topology is efficient.
Make sure the domain controllers are online and that the System Volume share is working.
Make sure that the key domain groups that have admin authority are not modified incorrectly. Make sure delegation was not granted to update (write) to Active Directory Domain Services objects incorrectly.
User rights should be assigned to groups, not to users. If a right is assigned directly to a user, it is difficult to alter when that user no longer needs the right. Confirm for each domain controller.
This provides the highest level of Domain Name System security in Active Directory Domain Services.
Maintenance Activities
Title (Health attribute / Health area)
Review the Remote Access Service account access policy, and update it to meet security policies. (Security / Authentication)
Review user account properties, and update the Remote Desktop group to meet security policies. (Security / Authentication)
Deny network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials. (Security)
No Override is disabled for all Active Directory Domain Services nodes (domains and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects. (Security / Group Policy)
Verify and ensure that NTFS file system permissions are set appropriately on all shared folders and content in shared folders. (Security)
Change any security settings not set to the standard security policy. (Security / Group Policy)
Review the password policy for password length and complexity settings, and ensure that the policy matches company security requirements. (Security / Authentication)
Review the password policy for the Maximum Password Age setting, and ensure that the setting matches organizational security requirements. (Security / Authentication)
Review the password policy for the Minimum Password Age setting, and ensure that the setting matches organizational security requirements. (Security / Authentication)
Review the password policy for the Minimum Password Length setting, and ensure that the setting matches organizational security requirements. (Security / Authentication)
Review the Account Lockout policy, and ensure that it meets minimum organizational security policy requirements. (Security / Authentication)
Review LanManager compatibility settings, and ensure that they meet minimum organizational security policy requirements. (Security / Authentication)
Review LanManager authentication protocol hash storage settings, and ensure that they meet minimum organizational security policy requirements. (Security / Authentication)
Ensure that all domain controllers are in the Domain Controllers organizational unit. (Security)
Restore replication links between domain controllers and replication partners. (Availability / Replication)
Verify that the replication intervals of site links between domain controllers in different sites meet company requirements. (Availability / Replication)
Schedule a backup. (Continuity)
Ensure that the membership of all domain groups that grant administrative privileges, for example Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators, meets least-privilege requirements. (Appropriate Use / Administrative Authority)
Remove user rights where they are assigned to users. (Appropriate Use / User Rights)
Ensure that the latest service pack and security updates are scheduled. (Patching)
Change any user account permissions that have been set to Read access by default. (Privacy / Account Permissions)
Synch domain controllers running the primary domain controller emulator with a valid external time source, if required. (Integrity)
Address the need for more available free space on the associated disk volumes. (Availability)
Verify the domain functional level and adjust it according to company requirements. (Security)
Verify the forest functional level and adjust it according to company requirements. (Security)
Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service, and update them when needed. (Availability)
Ensure that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated. (Security / Anonymous Connections)
Ensure that no standard users can read key properties for administrative groups and users; deny access, if necessary. (Security)
Verify that Encrypting File System is not enabled for domain controllers; disable it, if necessary. (Security)
Verify that no user accounts have the Password Never Expires property configured; remove this setting, if necessary. (Security / Authentication)
Check for Windows Firewall rules, and configure additional rules where appropriate. (Appropriate Use / Domain Controller)
Check for changes in administrative authority for Group Policy management; modify security to meet company security requirements. (Security / Group Policy)
Verify that audit policy settings are configured properly; modify audit policy settings to meet company security requirements. (Security / Auditing)
Verify that the name of the last user who logged on does not appear during logon; configure this setting not to show the name if it is displayed. (Security / Authentication)
Verify that the logon banner is displayed during logon; configure it not to appear if it is displayed. (Security / Authentication)
Ensure that accounts with administrator-level privilege have dual accounts or use User Account Control. (Appropriate Use / Administrative Authority)
Ensure that the crash dump file is configured to meet organizational requirements; modify settings to meet organizational security requirements. (Continuity / Domain Controllers)
Ensure that all Domain Name System (DNS) servers that support Active Directory Domain Services are Active Directory-integrated; configure only Active Directory-integrated DNS servers when appropriate. (Security)
Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers; modify DNSUpdateProxy group membership where appropriate. (Appropriate Use)
Ensure that all domain controllers are in the appropriate site based on IP address; modify site membership where appropriate. (Continuity / Replication)
Health requirement
Remote access
Maintenance task
Frequency
Owner
Operator
Review the Remote Access Monthly Service account access policy, and update it to meet security policies.
Review User account Monthly properties, and update the Remote Desktop group to meet security policies.
Operator
Current accounts
Daily
Operator
Current certificates
Review the Active Directory Monthly Domain Services Expiration Dates policy.
Operator
Current certificates
Operator
Deny network Daily authentication requests by malicious users who are located in a trusted forest network and have administrative credentials.
Backup operator
No Override is disabled for Daily all Active Directory Domain Services nodes (domains and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects.
Operator
Monthly
Operator
Limit the number of shared folders. NTFS file system permissions should protect shared folders and all content from unauthorized users.
Remove shared folders that Monthly are no longer required. Verify and ensure that NTFS Semiannually file system permissions are set appropriately on all shared folders and content in shared folders.
Operator
Operator
Change any security settings Daily not set to the standard security policy. Review the password policy Monthly for password length and complexity settings, and ensure that the policy matches company security requirements.
Operator
Strong passwords
Operator
Review the password policy Monthly for the Maximum Password Age setting, and ensure that the setting matches organizational security requirements.
Operator
Review the password policy Monthly for the Minimum Password Age setting, and ensure that the setting matches organizational security requirements.
Operator
Review the password policy Monthly for the Minimum Password Length setting, and ensure that the setting matches organizational security requirements.
Operator
Review the Account Lockout Monthly policy, and ensure that it meets minimum organizational security policy requirements.
Operator
Review LanManager compatibility settings, and ensure that they meet minimum organizational security policy requirements. Review LanManager authentication protocol hash storage settings, and ensure that they meet minimum organizational security policy requirements. Review the certificate renewal policy.
Monthly
Operator
Monthly
Operator
Current certificates
Monthly
Operator
All domain controllers receive Ensure that all domain the same Group Policy objects. controllers are in the Domain Controllers organizational unit. Healthy replication links are established between domain controllers and replication partners.
Monthly
Operator
Restore replication links As needed between domain controllers and replication partners.
Operator
Domain controllers within a forest are able to replicate with each other.
As needed
Operator
Verify that the replication Daily intervals of site links between domain controllers in different sites meet company requirements.
Operator
As needed
Operator
Restart the Kerberos Key As needed Distribution Center service, if required. Schedule tests on each domain controller. Daily
Operator
The System Volume share is accessible on every domain controller. Domain controller backup Critical volumes are backed up. Servers are backed up. Active Directory Domain Services is authoritatively restored.
Operator
Daily Daily
Restore Active Directory Ensure that a test Monthly Domain Services from system restoration is scheduled and state, critical-volumes, or a full verified. server backup.
Backup operator
Active Directory Domain Schedule a nonServices is non-authoritatively authoritative restore of restored. Active Directory Domain Services. Effective non-authoritative restore Schedule a test for a nonauthoritative restore.
Backup operator
Tied to restore
Effective authoritative restore
Schedule a test for an authoritative restore.
Appropriately assigned authority
Remove inappropriately assigned administrative authority.
Remove non-standard grants of Write access.
Tied to restore
As needed
As needed
Operator
Domain controllers are free of dangerous services.
Remove dangerous or unnecessary services that are not disabled.
The network is free of unauthorized users.
Remove dormant user accounts.
As needed
Operator
As needed
Operator
Ensure that the membership of all domain groups that grant administrative privileges (for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators) meets least-privilege requirements.
As needed
Operator
As needed
Operator
Troubleshoot slow response times.
As needed
Troubleshoot Active Directory Domain Services nonresponsiveness.
As needed
Operator
Operator
The Active Directory Domain Services global catalog is responsive. Operations masters are responsive.
Operator
Operator
Operator
The system is up to date with the latest service pack and security updates. User information is private.
Ensure that the latest service pack and security updates are scheduled.
Daily
Operator
Change any user account permissions that have been set to Read access by default.
As needed
Synchronize domain controllers running the primary domain controller emulator with a valid external time source, if required.
As needed
Operator
Domain controllers on the network are in time synchronization with each other.
Operator
Address the need for more available free space on the associated disk volumes.
As needed
Operator
Ensure that the functional level of the domain is at the highest level possible.
Verify the domain functional level and adjust it according to company requirements.
Once
Operator
Ensure that the functional level of the forest is at the highest level possible.
Verify the forest functional level and adjust it according to company requirements.
Once
Operator
Domain controller services are available.
Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service, and update them when needed.
Daily
Operator
Ensure that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated.
Monthly
Operator
Monthly
Operator
Deny Read access to key security groups and users for standard users.
Ensure that no standard users can read key properties for administrative groups and users; deny access, if necessary.
Monthly
Operator
Ensure that Encrypting File System is disabled for domain controllers.
Verify that Encrypting File System is not enabled for domain controllers; disable, if necessary.
Monthly
Operator
Verify that no user accounts have the Password never expires property configured; remove this setting, if necessary.
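The account-hygiene rows of this table (privileged group membership reviewed against least-privilege requirements, dormant user accounts removed, and no accounts left with the Password never expires property) share one pattern: collect the accounts, compare them with an approved state, and report the deviations for remediation. The PowerShell below is an added example and is not part of the MOF workbook. Its functions take plain objects so that the constructed sample data runs without a domain; in production you would feed them the output of Get-ADGroupMember and Get-ADUser (with -Properties Enabled, LastLogonDate, PasswordNeverExpires) from the ActiveDirectory module. The group name, the approved-member list, the account names and the 90-day dormancy threshold are assumptions for illustration.

```powershell
# Added example (not from the MOF workbook): account hygiene checks.
# All sample data below is constructed; replace the inputs with live
# directory queries in production.

function Compare-PrivilegedGroupMembership {
    # Compares the actual members of a privileged group with the approved list.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$ActualMembers,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$ApprovedMembers
    )
    $unexpected = @($ActualMembers   | Where-Object { $_ -notin $ApprovedMembers })
    $missing    = @($ApprovedMembers | Where-Object { $_ -notin $ActualMembers })
    [pscustomobject]@{
        Group      = $GroupName
        Unexpected = $unexpected   # present but not approved: remove or obtain approval
        Missing    = $missing      # approved but absent: informational only
        Compliant  = ($unexpected.Count -eq 0)
    }
}

function Find-DormantAccounts {
    # Enabled accounts that never logged on or last logged on before the cutoff.
    # Disabled accounts are skipped; they are handled by the "remove disabled
    # or expired accounts" standard change, not by this check.
    param(
        [Parameter(Mandatory)][object[]]$Accounts,
        [int]$InactiveDays = 90,          # assumed organizational threshold
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$InactiveDays)
    $Accounts | Where-Object {
        $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
    }
}

function Find-NonExpiringPasswords {
    # Enabled accounts carrying the "Password never expires" flag.
    param([Parameter(Mandatory)][object[]]$Accounts)
    $Accounts | Where-Object { $_.Enabled -and $_.PasswordNeverExpires }
}

# --- Constructed sample data (hypothetical accounts and group) ---
$now = Get-Date '2024-06-01'
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice';      Enabled = $true;  LastLogonDate = $now.AddDays(-3);   PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';        Enabled = $true;  LastLogonDate = $now.AddDays(-200); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true;  LastLogonDate = $now.AddDays(-1);   PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'olduser';    Enabled = $false; LastLogonDate = $null;              PasswordNeverExpires = $true }
)
$domainAdmins         = @('Administrator', 'alice', 'bob')   # what the directory reports
$approvedDomainAdmins = @('Administrator', 'alice')          # what the change record approves

'Privileged group review:'
Compare-PrivilegedGroupMembership -GroupName 'Domain Admins' `
    -ActualMembers $domainAdmins -ApprovedMembers $approvedDomainAdmins | Format-List

'Dormant accounts:'
Find-DormantAccounts -Accounts $users -Now $now | Select-Object SamAccountName, LastLogonDate

'Password never expires:'
Find-NonExpiringPasswords -Accounts $users | Select-Object SamAccountName
```

On the constructed data the group review flags bob as an unapproved Domain Admin, the dormancy check returns bob (olduser is skipped because it is already disabled), and the flag check returns svc-backup. Each finding maps to a row in the table: remove or re-approve the group member, disable the dormant account, and clear the flag (Set-ADUser -PasswordNeverExpires $false) or document the exception for the service account.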
Domain controllers are free of dangerous network access.
Check for Windows Firewall rules, and configure additional rules where appropriate.
Daily
Appropriately assigned authority
Check for changes in administrative authority for Group Policy management; modify security to meet company security requirements.
Daily
Operator
Operator
Verify that audit policy settings are configured properly; modify audit policy settings to meet company security requirements.
Daily
Operator
Restrict access to user names.
Verify that the name of the last user who logged on does not appear during logon; configure this setting not to show the name if it is displayed.
Daily
Operator
Verify that the logon banner is displayed during logon; configure it not to appear if it is displayed.
Daily
Operator
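Several rows of this table are checks of individual security settings on domain controllers: the Minimum Password Length, Maximum Password Age and Account Lockout policy, the LanManager compatibility and hash storage settings, anonymous access to the SAM database and named pipes, and the display of the last logged-on user name. All of them appear in the security template that secedit exports, so one script can review them together. The PowerShell below is an added example and is not from the MOF workbook. It parses a secedit export into name/value pairs and compares them with a baseline; the INF text is constructed for illustration, and the baseline numbers are assumptions to be replaced with your own organization's requirements.

```powershell
# Added example (not part of the MOF workbook): review domain controller
# security settings from a secedit export against an organizational baseline.
# On a domain controller the export is produced with:
#   secedit /export /cfg C:\Temp\dc-policy.inf
# The sample text and the baseline values below are constructed assumptions.

function ConvertFrom-SeceditInf {
    # Flattens an INF export into a hashtable keyed "Section/Name".
    # Entries under [Registry Values] have the form "type,data"; only data is kept.
    param([Parameter(Mandatory)][string]$Text)
    $settings = @{}
    $section = ''
    foreach ($rawLine in ($Text -split "`r?`n")) {
        $line = $rawLine.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $name, $data = $line -split '=', 2
        if ($null -eq $data) { continue }
        $data = $data.Trim()
        if ($section -eq 'Registry Values' -and $data -match '^\d+,(.*)$') { $data = $Matches[1] }
        $settings["$section/$($name.Trim())"] = $data
    }
    return $settings
}

function Test-SecurityBaseline {
    # Each rule names a setting and any of Exact, Min, Max; returns one finding per rule.
    param([Parameter(Mandatory)][hashtable]$Settings, [Parameter(Mandatory)][object[]]$Rules)
    foreach ($rule in $Rules) {
        $raw = $Settings[$rule.Setting]
        if ($null -eq $raw) {
            $status = 'Missing'   # not in the export, so the default applies: still review it
        } else {
            $value = [int]$raw
            $ok = $true
            if ($rule.ContainsKey('Exact') -and $value -ne $rule.Exact) { $ok = $false }
            if ($rule.ContainsKey('Min')   -and $value -lt $rule.Min)   { $ok = $false }
            if ($rule.ContainsKey('Max')   -and $value -gt $rule.Max)   { $ok = $false }
            $status = if ($ok) { 'Pass' } else { 'Fail' }
        }
        [pscustomobject]@{
            Setting  = ($rule.Setting -split '[/\\]')[-1]
            Actual   = $raw
            Expected = (($rule.Keys | Where-Object { $_ -ne 'Setting' } |
                         ForEach-Object { "$_=$($rule[$_])" }) -join ' ')
            Status   = $status
        }
    }
}

# Assumed baseline; tune to organizational security policy.
$Lsa = 'Registry Values/MACHINE\System\CurrentControlSet\Control\Lsa'
$Baseline = @(
    @{ Setting = 'System Access/MinimumPasswordLength'; Min = 14 }
    @{ Setting = 'System Access/MaximumPasswordAge';    Min = 1; Max = 90 }   # 0 means never expires
    @{ Setting = 'System Access/PasswordComplexity';    Exact = 1 }
    @{ Setting = 'System Access/LockoutBadCount';       Min = 1; Max = 10 }   # 0 means no lockout
    @{ Setting = "$Lsa\LmCompatibilityLevel";           Min = 5 }             # NTLMv2 only
    @{ Setting = "$Lsa\NoLMHash";                        Exact = 1 }           # no LM hash storage
    @{ Setting = "$Lsa\RestrictAnonymous";               Min = 1 }
    @{ Setting = "$Lsa\RestrictAnonymousSAM";            Exact = 1 }
    @{ Setting = 'Registry Values/MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName'; Exact = 1 }
)

# Constructed sample export (not from a real domain controller).
$SampleExport = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
[Version]
signature="$CHICAGO$"
Revision=1
'@

Test-SecurityBaseline -Settings (ConvertFrom-SeceditInf $SampleExport) -Rules $Baseline |
    Format-Table -AutoSize
```

On the constructed export the script fails the 7-character minimum length, the absent lockout threshold, LmCompatibilityLevel 3, RestrictAnonymous 0 and DontDisplayLastUserName 0, passes the password age, complexity and NoLMHash settings, and reports RestrictAnonymousSAM as missing so that its default is reviewed rather than assumed. A "Missing" result deserves the same attention as a "Fail": an absent entry means the setting is not enforced by policy, which is exactly the drift these monthly and daily reviews exist to catch.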
Ensure that accounts with administrator-level privilege have dual accounts or use User Account Control.
Daily
Operator
Configure the crash dump file.
Ensure that the crash dump file is configured to meet organizational requirements; modify settings to meet organizational security requirements.
Daily
Active Directory-integrated Domain Name System
Ensure that all Domain Name System (DNS) servers that support Active Directory Domain Services are Active Directory-integrated; configure only Active Directory-integrated DNS servers when appropriate.
Monthly
Operator
Operator
Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers; modify DNSUpdateProxy group membership where appropriate.
Monthly
Operator
Site configuration
Ensure that all domain controllers are in the appropriate site based on IP address; modify site membership where appropriate.
Daily
Monthly
Operator
Global catalog servers must be available.
Add global catalog servers to physical locations when required.
Operator
Domain Name System servers must be available.
Add Domain Name System servers to physical locations when required.
Monthly
Operator
Monthly
Operator
Manual
Automation
Read written Remote Access Service access policies, and match them with the permissions in place.
Review using the TripWire Compliance Management Pack for Microsoft System Center Operations Manager.
Review User account properties, and update the Remote Desktop group to meet security policies; Dsmod.exe; Dsquery.exe.
Use User Manager or Active Directory Users and Computers to remove invalid accounts.
Use the Certificate Request Wizard in the Certificates console.
Use Microsoft Certificate Lifecycle Manager 2007.
Use the Certificate Request Wizard in the Certificates console.
Use Microsoft Certificate Lifecycle Manager 2007.
Exercise access control to manage user access to shared resources in Active Directory Users and Computers.
Group Policy
Windows Explorer
Group Policy
Group Policy
Group Policy
Group Policy
Group Policy
Group Policy
Group Policy
Group Policy
Wbadmin Wbadmin
Wbadmin Wbadmin
Wbadmin Ntdsutil
Wbadmin
Ntdsutil
Ntdsutil
Ntdsutil
Ntdsutil
Active Directory Users and Computers, Delegation Wizard Computer Management, Server Manager
Active Directory Users and Computers, Lightweight Directory Access Protocol queries
Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsmod.exe, Dsquery.exe
Group Policy
Varies
Varies
Varies
Varies
Varies
Active Directory Users and Computers, Lightweight Directory Access Protocol queries
Group Policy
Group Policy
Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsquery.exe, Dsmod.exe
Group Policy
Group Policy
Active Directory Users and Computers, Lightweight Directory Access Protocol queries
Group Policy
Group Policy Management Console, Delegation tabs, Advanced Group Policy Management
Group Policy
Group Policy
Group Policy
User Account Control, Group Policy User Account Control, Group Policy Management Console, Secpol.msc
Wbadmin
Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsquery.exe, Dsmod.exe
Group Policy
Dcpromo
Notes
Health Risks
ID
1
Description
Trust relationships are not appropriate, compromising identity and access.
Active Directory Domain Services object change management allows inappropriate changes to Group Policy objects.
Probability (1-100%)
40%
50%
Domain controllers are not in compliance with corporate policy and/or management's stated baseline settings.
Domain controller security is unknowingly compromised because of inadequate review of monitoring or maintenance activities.
60%
50%
Restoration of a domain controller results in compromising the entire Active Directory Domain Services service.
Inappropriate administrator access: Former administrators who have left the Active Directory Domain Services group still have administrative access.
Flexible Single Master Operations roles are not configured appropriately, resulting in service degradation or inability of users to log on to the domain.
Replication across forests is slow or broken.
Access to data is affected or compromised.
Domain controllers are out of time synchronization, resulting in degraded services.
Active Directory Domain Services servers run out of database space.
User passwords are not secure.
70%
25%
25%
80%
50%
10
50%
11
12
13 14
Anonymous access is allowed to Active Directory Domain Services.
Legacy authentication protocols are used and stored.
15
Users will not be able to find domain controllers and the associated services running on them.
Access to Active Directory Domain Services user names.
16
17
18
Inability to replicate between domain controllers because of incorrect Domain Name System configuration.
Impact (1-5)
5
Exposure
2
2.5
2.5
3.5
0.75
2.4
1.5
2.5
0 0
Mitigation strategy
Review trust and domain oversight; verify the need for existing trusts.
Risk owner
Evaluate compliance with documented thresholds for classifying changes to ensure that Active Directory Domain Services object changes receive the correct level of scrutiny and approval.
Policy settings are linked appropriately, and reviews include verification of account/password policy, audit and event log policy, and security options.
Regular review of monitoring to ensure that specialized monitoring or security scanning is performed on domain controllers, incidents are managed and resolved appropriately and in a timely manner, and server configuration is reviewed and monitored for changes.
Procedures for restoring a domain controller are well understood, documented, and tested. Management periodically changes the password for the DS Restore Mode Administrator account and logs that the change has been made.
Periodically validate Flexible Single Master Operations roles and the appropriate number of domain controllers and global catalogs.
Monitor and maintain time synchronization, and verify that the time source is valid.
Monitor capacity and initiate expansion (and any needed provisioning of hardware) with an appropriate lead time.
Ensure that a password policy for domain and domain controllers is set to appropriate levels for user account passwords.
Secure Lightweight Directory Access Protocol access to Active Directory Domain Services for standard users with regard to administrative groups and administrator accounts.
Restrict anonymous access to the domain controllers.
Deny the use of LanManager and NT LAN Manager as well as storage of these hashes for user passwords.
Ensure that Domain Name System (DNS) has all the correct information for domain controller DNS service records.
Ensure that Lightweight Directory Access Protocol Read access is negated to key accounts, anonymous connections are denied, and last user name displayed is denied.
Ensure that all domain controllers are in the correct Active Directory Domain Services site, the site topology is correct, intersite topology is configured correctly, and all replication events are successful.
Ensure that all Domain Name System (DNS) service records for all domain controllers are correct, DNS is configured to Active Directory-integrated DNS, automatic updates are configured, and replication between DNS servers is set up correctly.
Standard Changes
Proposed standard change
Review membership in key Active Directory Domain Services security groups for correct membership.
Remove locked-out, disabled, or expired accounts.
Ensure that the most restrictive permissions are applied.
Remove shared folders that are no longer required.
Review key security settings such as password policy, audit policy, and user rights assignment for domain controllers.
Review the password policy for the Default Domain Policy or Group Policy object linked to a domain that establishes password policy for domain user accounts and most computer accounts.
Ensure that all domain controllers are in the domain controllers organizational unit.
Schedule backups of domain controllers, including system state.
Verify that domain controller backups were successful.
Remove inappropriately assigned administrative authority within Active Directory Domain Services or inappropriately assigned administrative authority produced through delegation.
Remove dangerous or unnecessary services that are not disabled.
Remove dormant user accounts.
Ensure that the latest service pack and security updates are scheduled.
Category verified?
Approved by
Acknowledgments
The Microsoft Operations Framework team acknowledges and thanks the people who produced Reliability Workbook for Active Directory. The following people were either directly responsible for or made a substantial contribution to the writing and development of this guide.
Contributors
Joe Coulombe, Microsoft
Jerry Dyer, Microsoft
Mike Kaczmarek, Microsoft
Don Lemmex, Microsoft
Derek Melber, Xtreme Consulting Group, Inc.
Betsy Norton-Middaugh, Microsoft
Reviewers
Jason Missildine
Steve Schofield
Sainath K.E.V.
Robert Stuczynski
Editors
Michelle Anderson, Xtreme Consulting Group, Inc.
Pat Rytkonen, Volt Technical Services
Copyright 2010 Microsoft Corporation. This documentation is licensed to you under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94150, USA. When using this documentation, provide the following attribution: The Microsoft Operations Framework 4.0 is provided with permission from Microsoft Corporation. Microsoft, Active Directory, Forefront, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.