FUNCTIONAL LEVELS AND FSMO

Transcription

1 Ondřej Ševeček GOPAS a.s. MCM: Directory Services MVP: Enterprise Security CISA FUNCTIONAL LEVELS AND FSMO Active Directory Troubleshooting FUNCTIONAL LEVELS

2 Domain vs. Forest levels Forest level defines the least possible domain level in the whole forest can be raised by Schema FSMO only Domain level defines the least possible DC version hosting the domain requires PDC to be raised Domain Levels Windows 2000 Mixed = NT4.0 not supported by Windows Windows 2000 Native Windows 2003 Windows 2008 Windows 2008 R2 Windows 2012

3 Windows 2000 Native level Forest level cannot be lower than this Domain level universal groups group nesting group conversions between security/distribution sidhistory Windows 2003 level Forest level forest trust (Kerberos enabled) domain rename linked value replication (merge) RODC can be deployed deactivation and redefinition of attributes in schema Domain level domain controller rename redircmp, redirusr lastlogontimestamp constrained delegation, protocol transition selective authentication

4 Windows 2008 level Forest level Domain level granular (fine-grained) password policies personal virtual desktops last interactive logon information AES support for Kerberos DFS replication for SYSVOL Windows 2008 R2 level Forest level recycle bin Domain level authentication assurance automatic SPN management for managed service accounts

5 Level invariant operations Try next closest site cannot return this information to clients should be removed Confidential attributes would be revealed (do not require Full Control) by 2000 DCs RODC can work even in 2003 domain requires at least one 2008 DC to download from Computed attributes msds-useraccountdisabled (2008+) msds-user-account-control-computed (2003+) msds-userpasswordexpirytimecomputed (2008+) Level invariant operations LDAP_MATCHING_RULE_IN_CHAIN since Windows 2003 SP1 objectclass being indexed in addition to objectcategory since Windows 2008 Restore snapshot of a virtual DC since Windows 2012 Managed Service Accounts must have 2008 R2 schema (DFL 2008 R2 offers automatic SPN management) must run on 2008 R2 member servers

6 Level invariant operations MD5 Digest hashes since Windows 2003 sidcompatibilityversion linkid automatic generation Windows OID Active Directory Troubleshooting FSMO ROLES

7 FSMO Roles Forest wide Schema Master Domain Naming Master Domain wide PDC Emulator RID Master Infrastructure Master Site wide "FSMO" Intersite Topology Generator (ISTG), dynamical skipping from a DC to a DC if one shuts down for more than 75 minutes Finding FSMOs DSQUERY * dc=idtt,dc=local -filter (fsmoroleowner=*) -attr distinguishedname fsmoroleowner CN=configuration,DC=idtt,DC=local CN=schema,DC=configuration,DC=idtt,DC=local

8 FSMO Transfer vs. Seizure Transfer requires both to be online After seizure the original owner must not start again NTDSUTIL Roles Connections Connect to server srv2.idtt.local Quit Transfer / Seize Transfer/seizure permissions Role Group Operational attribute Control Access Right Schema Domain Naming PDC Emulator RID Infrastructure Schema Admins Enterprise Admins Domain Admins Domain Admins Domain Admins becomeschemamaster Change-Schema-Master becomedomainmaster Change-Domain-Master becomepdc Change-PDC becomeridmaster Change-RID-Master becomeinfrastructuremaster Change-Infrastructure-Master fsmoroleowner CN=Schema,CN=Configuration,DC=... CN=Partitions,CN=Configuration,DC=... DC=... CN=RID Manager$,CN=System,DC=... CN=Infrastructure,DC=...

9 Domain Naming Master Installation of a new domain Prevents name collisions The only DC that can accept changes into CN=Partitions,CN=Configuration,DC=rootdomain Schema Master Enables modifications of schema partition new classes new attributes class/attribute relationship inclusion in GC default security descriptor

10 PDC Emulator Immediate password changes Forwarded account lockout failed logons are forwarded for another trial at PDC Time authority other DCs synchronize with PDC domain members synchronize with their current DC AdminSDHolder Trust password creation and maintenance GPMC operation target Transfering PDC from 2000 to 2003 Creates new BUILTIN groups Builtin\Remote Desktop Users Builtin\Network Configuration Operators Performance Monitor Users Performance Log Users Builtin\Incoming Forest Trust Builders Builtin\Performance Monitoring Users Builtin\Performance Logging Users Builtin\Windows Authorization Access Group Builtin\Terminal Server License Servers Changes some memberships

11 Transfering PDC from 2003 to 2008 Also happens when a new RODC is added Newly created groups Builtin\IIS_IUSRS Builtin\Cryptographic Operators Allowed RODC Password Replication Group Denied RODC Password Replication Group Read-only Domain Controllers Builtin\Event Log Readers Builtin\Certificate Service DCOM Access Enterprise Read-only Domain Controllers Trust If you trust a bank, you would create an account there You will also have to remember some access code (password) to access that account

12 Trust TDO Password Trust user account Trusting domain Trust Trusted domain Hash Trust creation TDO in trusting domain stores full password password maintained by PDC emulator changed regularly every 30 days (same policy as computers) CN=System,DC=... Trust object in the trusted domain just a user account (hidden$) CN=Users,DC=...

13 Trust passwords and NTLM Secure channel SRV DC1 Trust password DC2 Password Kamil Password Trusting domain Trusted domain SRV Shortcut trusts idtt.local am. idtt.local eu. idtt.local ny.am. idtt.local paris.eu. idtt.local

14 Trust Creation Both FQDNs must be resolvable mutually Each part of the trust can be created separately After the initial manual password set, the password is reset automatically to some random form Trust maintenance Netlogon on PDC Changes password regularly every 30 days the same policy as computer passwords Updates name routing mappings every service restart

15 Time synchronization Time must be within +/- 5 minutes performance setting for Kerberos Authentication problems accessing servers that are out of sync DC replication NTP time synchronization PDC PDC DC DC DC DC SRV Cl Cl SRV Cl Cl

16 NTP time synchronization w32tm /query /configuration w32tm /query /status PDC: w32tm /config /syncfromflags:allsync /manualpeerlist:"tik.cesnet.cz tak.cesnet.cz" AnnounceFlags = 5 DC: w32tm /config /syncfromflags:nt5ds or use GPO NTP packets are signed by keys generated by windows authentication RID Master Allocates RID pools for DCs to create new security principals Required during DCPROMO not required for RODC promotion (if one RID available to create the RODC object on any writable DC)

17 Infrastructure Master Updates DN references to objects in different domains only required in multidomain forest only required when having some nongc computers Cannot run on GC would not see the differences Group membership Sales member member CN=Kamil,OU=London,DC=mainoffice,DC=idtt,DC=... CN=Judith,OU=Paris,DC=mainoffice,DC=idtt,DC=... Stored in local database Complete control over moves/deletes Stored in remote database How do we track moves/deletes? member member CN=Victor,OU=Roma,DC=italy,DC=idtt,DC=... CN=Stan,OU=Venezia,DC=italy,DC=idtt,DC=...

18 Group membership Sales member member CN=Kamil,OU=London,DC=mainoffice,DC=idtt,DC=... CN=Judith,OU=Paris,DC=mainoffice,DC=idtt,DC=... Stored in local database Complete control over moves/deletes Referencing local phantoms Stores GUID + DN of the real object member member Victor-GUID Stan-GUID Infrastructure master vs. GC

19 checkphantoms scan Every 2 days HKLM\System\CurrentControlSet\Services\N TDS\Parameters Days per database phantom scan = DWORD checkphantoms Must be run on Infra FSMO

20 Availability design Global Catalogue security every logon PDC mgmt some logons, time synchronization security? AdminSDHolder Infrastructure security other domain references RID mgmt newly created objects, DC installation Schema, Naming mgmt schema, new domains RID/Naming transfer replication Old RID New RID tries the original FSMO owner first updates the reference immediately even without replication (no fail) RID OldRID RID NewRID DC DC

21 PDC transfer replication Old PDC New PDC uses the original PDC until new information is replicated NTP and password replication goes to wrong destination PDC OldPDC PDC NewPDC DC DC Initial Synchronization FSMO roles after restart must replicate at least one partner for the FSMO s partition only Windows 2003 RTM and older only in-site automatically intersite only on regular schedule Windows 2003 SP1 and newer any partner in any site in a random order immediatelly

22 Requirements for promoting DCs D=251 New DC in the same domain Domain Admins RID FSMO for writable DC in order to obtain initial RID pool New domain in the same forest Enterprise Admins Naming FSMO to create the new partition Domain Admins in the trusting/trusted domain PDC in the trusted/trusting domain Schema FSMO if installing newer version