Post on 21-Sep-2020
FUNCTIONAL LEVELS AND FSMO
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CISA | ondrej@sevecek.com | www.sevecek.com
FUNCTIONAL LEVELS
Active Directory Troubleshooting
Domain vs. Forest levels
Forest level
defines the least possible domain level in the whole forest
can be raised by Schema FSMO only
Domain level
defines the least possible DC version hosting the domain
requires PDC to be raised
Domain Levels
Windows 2000 Mixed = NT4.0
not supported by Windows 2008+
Windows 2000 Native
Windows 2003
Windows 2008
Windows 2008 R2
Windows 2012
Windows 2000 Native level
Forest level
cannot be lower than this
Domain level
universal groups
group nesting
group conversions between security/distribution
sIDhistory
Windows 2003 level
Forest level
forest trust (Kerberos enabled)
domain rename
linked value replication (merge)
RODC can be deployed
deactivation and redefinition of attributes in schema
Domain level
domain controller rename
redircmp, redirusr
lastLogonTimestamp
constrained delegation, protocol transition
selective authentication
Windows 2008 level
Forest level
Domain level
granular (fine-grained) password policies
personal virtual desktops
last interactive logon information
AES support for Kerberos
DFS replication for SYSVOL
Windows 2008 R2 level
Forest level
recycle bin
Domain level
authentication assurance
automatic SPN management for managed service accounts
Level invariant operations
Try next closest site
2003 and older DCs cannot return this information to clients
such DCs should be removed
Confidential attributes
would be revealed (read does not require Full Control) by 2000 DCs
RODC can work even in a 2003 domain
requires at least one 2008 DC to download from
Computed attributes msDS-UserAccountDisabled (2008+)
msDS-User-Account-Control-Computed (2003+)
msDS-UserPasswordExpiryTimeComputed (2008+)
Level invariant operations
LDAP_MATCHING_RULE_IN_CHAIN since Windows 2003 SP1
objectClass being indexed in addition to objectCategory since Windows 2008
Restore snapshot of a virtual DC since Windows 2012
Managed Service Accounts
must have 2008 R2 schema (DFL 2008 R2 offers automatic SPN management)
must run on 2008 R2 member servers
Level invariant operations
MD5 Digest hashes
since Windows 2003
sIDCompatibilityVersion
linkId automatic generation
Windows 2003+
OID 1.2.840.113556.1.2.50
FSMO ROLES
Active Directory Troubleshooting
FSMO Roles
Forest wide
Schema Master
Domain Naming Master
Domain wide
PDC Emulator
RID Master
Infrastructure Master
Site wide "FSMO"
Intersite Topology Generator (ISTG), dynamically skipping from one DC to another if the current holder shuts down for more than 75 minutes
Finding FSMOs
DSQUERY * dc=idtt,dc=local -filter (fsmoRoleOwner=*) -attr distinguishedName fsmoRoleOwner
CN=configuration,DC=idtt,DC=local
CN=schema,DC=configuration,DC=idtt,DC=local
FSMO Transfer vs. Seizure
Transfer requires both to be online
After seizure the original owner must not start again
NTDSUTIL
Roles
Connections
Connect to server srv2.idtt.local
Quit
Transfer / Seize
Transfer/seizure permissions
Role           | Group             | Operational attribute      | Control Access Right         | Object carrying fSMORoleOwner
Schema         | Schema Admins     | becomeSchemaMaster         | Change-Schema-Master         | CN=Schema,CN=Configuration,DC=...
Domain Naming  | Enterprise Admins | becomeDomainMaster         | Change-Domain-Master         | CN=Partitions,CN=Configuration,DC=...
PDC Emulator   | Domain Admins     | becomePDC                  | Change-PDC                   | DC=...
RID            | Domain Admins     | becomeRIDMaster            | Change-RID-Master            | CN=RID Manager$,CN=System,DC=...
Infrastructure | Domain Admins     | becomeInfrastructureMaster | Change-Infrastructure-Master | CN=Infrastructure,DC=...
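Added example, not part of the original slides: a PowerShell equivalent of the DSQUERY one-liner above that reads fSMORoleOwner from the five objects in the table, plus the per-site ISTG, and flags an owner whose NTDS Settings object has been deleted (the trace left when a role was seized from a DC that never came back). It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the configuration partition.

```powershell
# Added example (not from the slides): enumerate FSMO and ISTG owners by reading the
# fSMORoleOwner / interSiteTopologyGenerator attributes directly, as DSQUERY does.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainNc = $rootDse.defaultNamingContext
$configNc = $rootDse.configurationNamingContext

# Same objects and order as the permissions table; the schema NC root is the Schema object itself
$RoleObjects = [ordered]@{
    'Schema'         = $rootDse.schemaNamingContext
    'Domain Naming'  = "CN=Partitions,$configNc"
    'PDC Emulator'   = $domainNc
    'RID'            = "CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure' = "CN=Infrastructure,$domainNc"
}

function Resolve-NtdsSettingsDn {
    param([string]$NtdsSettingsDn)
    # The attribute holds "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...".
    # A deleted owner keeps the link but its RDN carries the "\0ADEL:<guid>" tombstone suffix.
    if (-not $NtdsSettingsDn -or $NtdsSettingsDn -match '0ADEL:') { return $null }
    $serverDn = $NtdsSettingsDn -replace '^CN=NTDS Settings,', ''
    return (Get-ADObject -Identity $serverDn).Name
}

function Get-FsmoOwnerReport {
    foreach ($role in $RoleObjects.Keys) {
        $obj   = Get-ADObject -Identity $RoleObjects[$role] -Properties fSMORoleOwner
        $owner = Resolve-NtdsSettingsDn $obj.fSMORoleOwner
        [pscustomobject]@{ Role = $role; Owner = $owner; OwnerDn = $obj.fSMORoleOwner
                           Orphaned = ($null -eq $owner) }
    }
    # The site-wide "FSMO": interSiteTopologyGenerator on every NTDS Site Settings object
    $siteSettings = Get-ADObject -SearchBase "CN=Sites,$configNc" `
        -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties interSiteTopologyGenerator
    foreach ($s in $siteSettings) {
        $site  = ($s.DistinguishedName -split ',')[1] -replace '^CN=', ''
        $owner = Resolve-NtdsSettingsDn $s.interSiteTopologyGenerator
        [pscustomobject]@{ Role = "ISTG ($site)"; Owner = $owner; OwnerDn = $s.interSiteTopologyGenerator
                           Orphaned = ($null -eq $owner) }
    }
}

Get-FsmoOwnerReport | Format-Table -AutoSize
```

An Orphaned row means the role must be seized (ntdsutil, as on the next slides) and the old DC's metadata cleaned, never that the old DC may simply be powered on again.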
Domain Naming Master
“Installation of a new domain”
Prevents name collisions
The only DC that can accept changes into CN=Partitions,CN=Configuration,DC=root-domain
Schema Master
Enables modifications of schema partition
new classes
new attributes
class/attribute relationship
inclusion in GC
default security descriptor
PDC Emulator
Immediate password changes
“Forwarded” account lockout
failed logons are forwarded for another trial at PDC
Time authority
other DCs synchronize with PDC
domain members synchronize with their current DC
AdminSDHolder
Trust password creation and maintenance
GPMC operation target
Transferring PDC from 2000 to 2003
Creates new BUILTIN groups
Builtin\Remote Desktop Users
Builtin\Network Configuration Operators
Performance Monitor Users
Performance Log Users
Builtin\Incoming Forest Trust Builders
Builtin\Performance Monitoring Users
Builtin\Performance Logging Users
Builtin\Windows Authorization Access Group
Builtin\Terminal Server License Servers
Changes some memberships
Transferring PDC from 2003 to 2008
Also happens when a new RODC is added
Newly created groups
Builtin\IIS_IUSRS
Builtin\Cryptographic Operators
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Builtin\Event Log Readers
Builtin\Certificate Service DCOM Access
Enterprise Read-only Domain Controllers
Trust
If you trust a bank, you would create an account there
You will also have to remember some access code (password) to access that account
Trust
[Diagram: trusting domain holds the TDO with the trust password; trusted domain holds the trust user account with the password hash]
Trust creation
TDO in trusting domain
stores full password
password maintained by PDC emulator
changed regularly every 30 days (same policy as computers)
CN=System,DC=...
Trust object in the trusted domain
just a user account (hidden$)
CN=Users,DC=...
Trust passwords and NTLM
[Diagram: trusting domain with DC1 and server SRV (SRV password), trusted domain with DC2 and user Kamil (Kamil's password); the SRV-to-DC1 secure channel is protected by the SRV password, the DC1-to-DC2 secure channel by the trust password]
Shortcut trusts
idtt.local
    am.idtt.local
        ny.am.idtt.local
    eu.idtt.local
        paris.eu.idtt.local
Trust Creation
Both FQDNs must be resolvable mutually
Each part of the trust can be created separately
After the initial manual password set, the password is reset automatically to some random form
Trust maintenance
Netlogon on PDC
Changes password regularly
every 30 days
the same policy as computer passwords
Updates name routing mappings
every service restart
Time synchronization
Time must be within +/- 5 minutes
“performance” setting for Kerberos
Authentication problems
accessing servers that are out of sync
DC replication
NTP time synchronization
[Diagram: clients and member servers synchronize with their DC, all DCs synchronize with the PDC]
NTP time synchronization
w32tm /query /configuration
w32tm /query /status
PDC: w32tm /config /syncfromflags:ALL /manualpeerlist:"tik.cesnet.cz tak.cesnet.cz" /reliable:YES /update
(stores Type = AllSync and AnnounceFlags = 5 under HKLM\SYSTEM\CurrentControlSet\Services\W32Time)
DC: w32tm /config /syncfromflags:DOMHIER /update (stores Type = NT5DS) or use GPO
NTP packets between domain members and DCs are signed with keys derived from Windows authentication (the secure channel)
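Added example, not part of the original slides: a PowerShell audit of the design on this slide. It checks that the PDC is the manual NTP client announcing itself as reliable (AnnounceFlags 5), that every other writable DC follows the domain hierarchy (NT5DS), and that no DC has drifted more than the 5-minute Kerberos tolerance from the PDC. It assumes the RSAT ActiveDirectory module and that w32tm can reach each DC over RPC from the machine it runs on; the 300-second threshold and the parsing of w32tm's text output are this example's own.

```powershell
# Added example (not from the slides): verify PDC/DC time-service roles and skew using w32tm.
Import-Module ActiveDirectory
$MaxSkewSeconds = 300                      # Kerberos default clock tolerance (5 minutes)
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

function Get-W32tmSetting {
    param([string]$Computer, [string]$Name)
    # "w32tm /query /configuration" prints e.g. "Type: NT5DS (Local)" or "AnnounceFlags: 5 (Policy)"
    $text = (w32tm /query /configuration /computer:$Computer 2>&1) -join "`n"
    if ($text -match "(?m)^\s*$Name\s*:\s*(\S+)") { return $Matches[1] }
    return $null
}

function Get-OffsetFromReference {
    param([string]$Computer)
    # "/dataonly" rows look like "10:00:02, +00.0011111s"; the value is this host's offset from $Computer
    $lines   = w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    $samples = foreach ($l in $lines) { if ("$l" -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] } }
    if (-not $samples) { return $null }
    return ($samples | Measure-Object -Average).Average
}

function Test-DcTimeDesign {
    $pdcOffset = Get-OffsetFromReference -Computer $pdc
    foreach ($dc in $domain.ReplicaDirectoryServers) {
        $isPdc = ($dc -eq $pdc)
        $type  = Get-W32tmSetting -Computer $dc -Name 'Type'
        $flags = Get-W32tmSetting -Computer $dc -Name 'AnnounceFlags'
        # /syncfromflags:ALL stores AllSync, /syncfromflags:MANUAL stores NTP; both are manual peers
        $typeOk = if ($isPdc) { $type -in 'AllSync', 'NTP' } else { $type -eq 'NT5DS' }
        $offset = Get-OffsetFromReference -Computer $dc
        # Both offsets are measured from this host, so their difference is the DC-vs-PDC skew
        $skew = if ($null -ne $offset -and $null -ne $pdcOffset) { [math]::Abs($offset - $pdcOffset) } else { $null }
        [pscustomobject]@{
            DC            = $dc
            Role          = if ($isPdc) { 'PDC' } else { 'DC' }
            Type          = $type
            TypeOk        = $typeOk
            AnnounceFlags = $flags
            FlagsOk       = (-not $isPdc) -or ($flags -eq '5')
            SkewSeconds   = $skew
            SkewOk        = ($null -ne $skew) -and ($skew -lt $MaxSkewSeconds)
        }
    }
}

Test-DcTimeDesign | Format-Table -AutoSize
```

A DC with TypeOk false after a PDC transfer is the "NTP goes to the wrong destination" case from the transfer-replication slide later in this deck.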
RID Master
Allocates RID pools for DCs to create new security principals
Required during DCPROMO
not required for RODC promotion (if one RID available to create the RODC object on any writable DC)
Infrastructure Master
Updates DN references to objects in different domains
only required in multidomain forest
only required when some domain controllers are not GCs
Cannot run on GC
would not see the differences
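Added example, not part of the original slides: a PowerShell check that applies the placement rules on this slide. The Infrastructure Master only matters in a multi-domain forest in which at least one DC of the domain is not a Global Catalog; in that case it must not sit on a GC, because a GC holds the real cross-domain objects and never creates the phantoms the role is supposed to update. It assumes the RSAT ActiveDirectory module and rights to read domain controller objects.

```powershell
# Added example (not from the slides): report whether the Infrastructure Master is misplaced on a GC.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d      = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest
    # All DCs of this domain; HostName is the FQDN that InfrastructureMaster also uses
    $dcs    = Get-ADDomainController -Filter * -Server $Domain
    $infra  = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }

    $multiDomain = ($forest.Domains.Count -gt 1)
    $allGc       = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $infraIsGc   = [bool]($infra -and $infra.IsGlobalCatalog)

    # Single-domain forest or "every DC is a GC": placement is irrelevant.
    # Otherwise the role must be on a non-GC DC, or cross-domain references are never fixed up.
    $relevant = $multiDomain -and -not $allGc
    [pscustomobject]@{
        Domain               = $d.DNSRoot
        InfrastructureMaster = $d.InfrastructureMaster
        MultiDomainForest    = $multiDomain
        AllDcsAreGc          = $allGc
        MasterIsGc           = $infraIsGc
        RoleRelevant         = $relevant
        Misplaced            = ($relevant -and $infraIsGc)
    }
}

Test-InfrastructureMasterPlacement
```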
Group membership
[Diagram: group Sales with four members. Kamil (CN=Kamil,OU=London,DC=mainoffice,DC=idtt,DC=...) and Judith (CN=Judith,OU=Paris,DC=mainoffice,DC=idtt,DC=...) are stored in the local database, so the DC has complete control over their moves/deletes. Victor (CN=Victor,OU=Roma,DC=italy,DC=idtt,DC=...) and Stan (CN=Stan,OU=Venezia,DC=italy,DC=idtt,DC=...) are stored in a remote database: how do we track their moves/deletes?]
[Diagram: the same group Sales, where the remote members are referenced through local phantoms (Victor-GUID, Stan-GUID) that store the GUID + DN of the real object]
Infrastructure master vs. GC
checkPhantoms scan
every 2 days
HKLM\System\CurrentControlSet\Services\NTDS\Parameters
Days per database phantom scan = DWORD
checkPhantoms
must be run on the Infrastructure FSMO
Availability design
Global Catalogue security – every logon
PDC mgmt – some logons, time synchronization security? – AdminSDHolder
Infrastructure security – other domain references
RID mgmt – newly created objects, DC installation
Schema, Naming mgmt – schema, new domains
RID/Naming transfer replication
[Diagram: a DC that still references the old RID owner contacts it, is referred to the new RID owner, and updates its reference]
the DC tries the original FSMO owner first
it updates the reference immediately even without replication (no fail)
PDC transfer replication
[Diagram: a DC that still references the old PDC keeps sending to it until the new owner replicates in]
the DC uses the original PDC until the new information is replicated
NTP and password replication go to the wrong destination meanwhile
Initial Synchronization
FSMO roles after restart must replicate
at least one partner
for the FSMO’s partition only
Windows 2003 RTM and older
only in-site automatically
intersite only on regular schedule
Windows 2003 SP1 and newer
any partner in any site in a random order immediately
Requirements for promoting DCs
http://www.sevecek.com/Lists/Posts/Post.aspx?ID=251
Operation                     | Required membership                                             | FSMO roles that must be reachable
New DC in the same domain     | Domain Admins                                                   | RID FSMO (writable DC only, to obtain the initial RID pool)
New domain in the same forest | Enterprise Admins; Domain Admins in the trusting/trusted domain | Naming FSMO (to create the new partition); PDC in the trusted/trusting domain; Schema FSMO if installing a newer version