Client Interactions (transcript of a PowerPoint PPT presentation)

Posted on 25-Feb-2016

CLIENT INTERACTIONS

Active Directory Troubleshooting

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |

Client Applications

Kerberos and NTLM authentication
Secure Channel
  password changes, NTLM pass-through, Kerberos PAC validation
Group Policy client
DFS client
Certificate Autoenrollment client

Client Applications

NPS (IAS), RRAS, TMG (ISA), RD Gateway (TS Gateway)
  group membership, Dial-In tab
RD Host (Terminal Server)
  Remote Control tab etc., Licensing servers
DHCP Server
  authorization
IIS
  account and group membership for SSL certificate authentication
WDS
  computer MAC addresses or GUIDs

Site Design Scenarios
  diagram: one Central site with many Branch sites

Site Design Scenarios
  diagram: several Office sites

Site Design Scenarios
  diagram: one Central site with several Branch sites

Network Interactions Recap (DC Location)
  diagram, sequence of interactions:
  Client (2000+) -> DNS: SRV query for the any-DC list
  Client -> any DC (2000+): LDAP UDP "get my site"
  Client -> DNS: SRV query for my site's DCs
  Client -> my site DC (2000+)

Network Interactions Recap (2008/Vista+ DC Location)
  diagram, sequence of interactions:
  Client (Vista+) -> DNS: SRV query for the any-DC list
  Client -> any DC (2008+): LDAP UDP "get my site" (returns my site and the next closest site)
  Client -> DNS: SRV query for my site's DCs
  Client -> my site DC (2000+)
  if none answers: Client -> DNS: SRV query for the close site's DCs
  Client -> close site DC (2000+)

Network Interactions (Network Logon)
  diagram, sequence of interactions:
  Client (2000+) -> DC (2000+): Kerberos TGT: User, TGS: Server
  Client -> Server (2000+): app traffic over SMB or D/COM (dynamic TCP), with in-band Kerberos TGS: Server, or NTLM
  Server -> DC (2000+): NTLM pass-through; occasional Kerberos PAC validation

Connection Properties

Bandwidth (Mbps)
  forget about this
Latency (ms)
  round-trip time (RTT)
  SMB, D/COM, SQL
Packet Loss (per sec., per Mb)
  packet loss rate (PLR)
  VPN such as PPTP, SSTP, IP-HTTPS

Timeouts

DNS
  primary DNS = 1 sec., secondary DNSs = 2 sec. ... 1 2 2 4 8 ...
ARP
  ... 600 ms 1000 ms
LDAP UDP Site Location
  600 ms
TCP
  SYN = 21 sec. (3x retransmission), PSH/ACK = 93 sec. (5x retransmission) ... 3 6 12 24 48 ...
Kerberos (TCP, 3 attempts, KdcSendRetries)
  63 sec.

Basic DC location

Know the DNS name of the domain
Query general DNS DC SRV records
  _ldap._tcp.dc._msdcs.idtt.local
Ping DC
  Windows 2003-
LDAP UDP (ping) DC
  to get the client's site/close site

Site DC Location

Site unaware lookup
  NSLOOKUP
  SET Q=SRV
  _ldap._tcp.dc._msdcs.idtt.local
Site specific lookup
  NSLOOKUP
  SET Q=SRV
  _ldap._tcp.Paris._sites.dc._msdcs.idtt.local

Lab: Finding DCs Manually

Use NSLOOKUP to query for the generic DC list
  NSLOOKUP
  SET q=SRV
  _ldap._tcp.dc._msdcs.idtt.local

Site Example – Single Site
  diagram: London 10.10.x.x; DC1, DC2, DC3, DC4, DC5; Client

Site Example – Multihomed DC (DNS Bitmask Ordering OK)
  diagram: Paris 10.20.x.x and London 10.10.x.x; DC1–DC5; Client

Site Example – Multihomed DC (DNS Bitmask Ordering Error)
  diagram: Roma 10.30.x.x, Paris 10.20.x.x and London 10.10.x.x; DC1–DC5; Client

DNS Record Priority and Weight

Site Awareness
  diagram: Berlin 10.50.x.x, Paris 10.20.x.x, Roma 10.30.x.x, London 10.10.x.x; DC1–DC6; Client asks "where am I?" by anonymous LDAP UDP

General Operation

Use DNS to find the generic DC list
Ping the selected DC
  Windows 2003-
Anonymous LDAP (UDP) to determine the site
  the DC defines the site from the request's source IP address (NAT?)
Use DNS to find a close DC in the site
Ping or LDAP UDP to determine availability

DC Locator

NetLogon Service
nltest /sc_query:idtt
  no network access
nltest /sc_verify:idtt
  tries to authenticate with the DC
nltest /sc_reset:idtt
  always performs a new DNS lookup
nltest /dsgetsite
  anonymous query against the selected DC

Lab: Check NLTEST Usage

Use NLTEST to query, verify and reset the secure channel from Seven2 to its London DCs

Limit UDP Site Location to a Central Site?
  diagram: Berlin 10.50.x.x, Paris 10.20.x.x, Roma 10.30.x.x, London 10.10.x.x; DC1–DC6; Client asks "where am I?" by anonymous LDAP UDP

Limiting Generic DC List

Limit creation of generic DC DNS records
  GPO: Computer Configuration – Administrative Templates – System – Netlogon – DC Locator DNS Records
  DC Locator DNS Records not Registered: Dc Kdc
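The following Python script is an added example, not part of the presentation, showing how the generic and site-specific DC locator records relate to the policy above and how a client picks one of them. It parses constructed records in the netlogon.dns line format (the host names, site names and the idtt.local domain are sample values), drops the records a "DC Locator DNS Records not Registered" list of Dc and Kdc would suppress (only the Dc/DcAtSite and Kdc/KdcAtSite mnemonics are modelled), and then selects a target by SRV priority and weight the way an SRV client does.

```python
import random
import re
from dataclasses import dataclass

# Constructed sample in the netlogon.dns line format: owner TTL IN SRV priority weight port target.
# Host names, site names and the idtt.local domain are made-up values for this example.
NETLOGON_DNS = """\
_ldap._tcp.dc._msdcs.idtt.local. 600 IN SRV 0 100 389 dc1.idtt.local.
_ldap._tcp.dc._msdcs.idtt.local. 600 IN SRV 0 100 389 dc4.idtt.local.
_kerberos._tcp.dc._msdcs.idtt.local. 600 IN SRV 0 100 88 dc1.idtt.local.
_ldap._tcp.London._sites.dc._msdcs.idtt.local. 600 IN SRV 0 100 389 dc1.idtt.local.
_ldap._tcp.London._sites.dc._msdcs.idtt.local. 600 IN SRV 0 200 389 dc2.idtt.local.
_ldap._tcp.London._sites.dc._msdcs.idtt.local. 600 IN SRV 10 100 389 dc3.idtt.local.
_ldap._tcp.Paris._sites.dc._msdcs.idtt.local. 600 IN SRV 0 100 389 dc4.idtt.local.
"""

SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)
SITE_IN_OWNER = re.compile(r"^_(?:ldap|kerberos)\._tcp\.(?P<site>[^.]+)\._sites\.")


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    priority: int
    weight: int
    port: int
    target: str

    @property
    def site(self):
        """Site name for site-specific records, None for the generic (site-less) ones."""
        m = SITE_IN_OWNER.match(self.owner)
        return m.group("site") if m else None

    @property
    def mnemonic(self):
        """Mnemonic the 'DC Locator DNS Records not Registered' policy uses for this record
        (only the LDAP and Kerberos DC records are modelled here)."""
        base = "Kdc" if self.owner.startswith("_kerberos.") else "Dc"
        return base + "AtSite" if self.site else base


def parse_netlogon_dns(text):
    """Parse the SRV lines; other record types in the file are ignored."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(m["owner"], int(m["prio"]), int(m["weight"]),
                                     int(m["port"]), m["target"]))
    return records


def registered_records(records, not_registered=("Dc", "Kdc")):
    """Records Netlogon would still register with the given mnemonics suppressed;
    suppressing Dc and Kdc removes the generic list and keeps the per-site records."""
    return [r for r in records if r.mnemonic not in not_registered]


def srv_name(domain, site=None, service="_ldap"):
    """Name a client queries: site-unaware (generic list) or site-specific."""
    if site is None:
        return f"{service}._tcp.dc._msdcs.{domain}"
    return f"{service}._tcp.{site}._sites.dc._msdcs.{domain}"


def select_dc(records, name, seed=None):
    """Pick a target from the records for 'name' the way an SRV client does: only the
    lowest priority value is considered, and within it the choice is random in
    proportion to weight (RFC 2782). Returns None when no record exists, which is
    what a client sees once the generic list has been suppressed."""
    candidates = [r for r in records if r.owner.rstrip(".") == name.rstrip(".")]
    if not candidates:
        return None
    best = min(r.priority for r in candidates)
    tier = sorted((r for r in candidates if r.priority == best), key=lambda r: r.weight)
    rng = random.Random(seed)
    total = sum(r.weight for r in tier)
    pick = rng.randint(0, total)
    running = 0
    for r in tier:
        running += r.weight
        if running >= pick:
            return r.target
    return tier[-1].target
```

With Dc and Kdc suppressed, only the ...._sites.dc._msdcs names remain, so a client that has not yet learned its site gets no answer from the generic name; that is the trade-off the "Wise?" slides that follow ask about.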

Limiting Generic DC List (Wise?)
  diagram: one Central site with many Branch sites

Limiting Generic DC List (Wise?)
  diagram: several Office sites

DFS Client (MUP)

Multiple UNC provider (MUP) driver
Determines its own DFS server referrals
  obtains the list of DFS root servers from AD using the default DC from Netlogon
  SYSVOL may be accessed from a different DC
DFSUTIL /PKTINFO
  Windows Server 2003/Windows XP
DFSUTIL CACHE REFERRAL
  Windows Server 2008/Windows Vista
DFS Context Menu

Site Example – Empty Site
  diagram: Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x, Berlin 10.50.x.x; DC1–DC7; Client; DC4 and DC5 labelled next to the Client

Site Example – Empty Site
  diagram: Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x, Berlin 10.50.x.x; DC1–DC7; Client; DC4, DC5 and DC1, DC2, DC3 labelled next to the Client

Site Example – Empty Site
  diagram: Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x, Berlin 10.50.x.x; DC1–DC7; Client; DC4, DC5 and DC1, DC2, DC3 labelled next to the Client; site link costs 50 and 100

Automatic Site Coverage

Each DC registers itself for its neighboring empty sites
HKLM\System\CurrentControlSet\Services\Netlogon
  AutoSiteCoverage = DWORD = 1/0
GPO: Sites Covered by the DC Locator DNS SRV Records

MISPLACED OR CONFUSED CLIENTS

Active Directory Troubleshooting

Site Example – Out of Site
  diagram: Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x, Berlin 10.50.x.x; DC1–DC7; Client 10.100.0.7

Super-netting or Sub-netting

Out-of-site Clients

Limiting Generic DC List
  diagram: Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x, Berlin 10.50.x.x; DC1, DC2, DC3; Client 10.100.0.7

DC Stickiness

When one close DC is selected, the client sticks to it even when moved into a different site
  must reset the secure channel
Force rediscovery interval
  GPO on Vista+
  hotfix for Windows XP
  also a registry value: ForceRediscoveryInterval

Site Example – Until Restart/24 hours
  diagram: London 10.10.x.x; DC1, DC2, DC3; many Clients

Site Example – Moving Client
  diagram: Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x, Berlin 10.50.x.x; DC1–DC7; Client previously in Paris; DC4 and DC5 labelled next to the Client

Lab: Moving the Client

On Seven2 verify the current DC in use
  NLTEST /sc_query:idtt
Move the client into Paris and update group policy
  GPUPDATE
Verify the current DC in use again
  the client should still use the same DC although in a remote site (stick)
Reset the secure channel several times and determine the result
  NLTEST /sc_reset:idtt

CLIENT FAILOVER

Active Directory Troubleshooting

Site Example – Failed DC
  diagram: Berlin 10.50.x.x, Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x; DC1–DC7; Client

Lab: Client Failover

Move the client into Cyprus
Reset the secure channel and verify it has been connected to DC5
Unplug DC5 from the network
Update group policy
  GPUPDATE
Verify the resulting DC in use
  NLTEST /sc_query:idtt

Non-close Site DC

Close site
  client's site
  next closest site if enabled
If there is no DC available in the close site, rediscovery every 15 minutes
  HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
  CloseSiteTimeout = REG_DWORD = x seconds

Site Example – Next Close Site
  diagram: Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x, Berlin 10.50.x.x; DC1–DC7; Client

Site Example – Close Site
  diagram: Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x, Berlin 10.50.x.x; DC1–DC7; Client; site link costs 50 and 100

Site Example – Close Site
  diagram: Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x, Berlin 10.50.x.x; DC1–DC7; Client; site link costs 100 and 50

Try Next Closest Site

First get any DC name from DNS
Second query the DC for the client's site name
  returns the client's site plus the closest site (determined by the DC)
Then query DNS for DCs in its current site and try to use them
If none responds, the client queries DNS for its next closest site and tries to use the DCs found there

Try Next Closest Site

Does not consider RODC sites by default
  can be changed in the registry: NextClosestSiteFilter
Windows 2003- cannot return the next closest site information
  problem if the "any DC" hit is Windows 2003-: it is then going to be used regardless of its site

Lab: Next Closest Site

Enable Try next closest site in a GPO
Have DC5 unplugged from the network
Update group policy
Check the resulting DC in use
  NLTEST /sc_query:idtt

Client Rules Recap

Windows 2003-
  In current site
  In any site
Windows Vista+ with Next closest site
  In current site
  In the closest site
  In any site
If the client is out of any site, find any DC
  consider creating subnets for VPNs etc.
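The following Python script is an added example, not part of the presentation, that models the recap above end to end: the client's site is taken from the most specific AD subnet matching its IP (so a super-net works for otherwise unlisted ranges), the site-specific, next-closest-site and generic SRV names are tried in the order given for Windows 2003- and Vista+ clients, and automatic site coverage makes a neighbouring site's DCs answer for an empty site. The site list, subnet ranges, next-closest-site table, DC names and the idtt.local domain are sample values; which DC of a site wins is taken as the alphabetically first live one, which the real locator does not guarantee.

```python
import ipaddress

# Constructed site data; subnet ranges follow the 10.x.x.x site examples used in the deck.
SUBNETS = {
    "10.10.0.0/16": "London",
    "10.20.0.0/16": "Paris",
    "10.30.0.0/16": "Roma",
    "10.40.0.0/16": "Cyprus",
    "10.50.0.0/16": "Berlin",
}
# Next closest site per site, as a DC would derive it from site link costs (constructed).
NEXT_CLOSEST = {"Cyprus": "Paris", "Paris": "Roma", "Roma": "Paris", "Berlin": "London", "London": "Paris"}
# DC name -> site; Cyprus has no DC of its own (constructed).
DCS = {"DC1": "London", "DC2": "London", "DC3": "London", "DC4": "Paris", "DC5": "Paris",
       "DC6": "Roma", "DC7": "Berlin"}


def site_for_ip(ip, subnets=SUBNETS):
    """Site the DC assigns from the request's source address: the most specific matching
    AD subnet wins, so a super-net such as 10.0.0.0/8 can catch addresses not listed
    individually. None means the client is out of any site."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def lookup_order(domain, site, vista_plus=True, try_next_closest=False, next_closest=NEXT_CLOSEST):
    """SRV names in the order the client tries them (the Client Rules Recap):
    Windows 2003-: current site, then any site.
    Windows Vista+ with Try Next Closest Site: current site, closest site, any site.
    A client out of any site goes straight to the generic list."""
    generic = f"_ldap._tcp.dc._msdcs.{domain}"
    if site is None:
        return [generic]
    order = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"]
    if vista_plus and try_next_closest and site in next_closest:
        order.append(f"_ldap._tcp.{next_closest[site]}._sites.dc._msdcs.{domain}")
    order.append(generic)
    return order


def registered_in(site, dcs=DCS, next_closest=NEXT_CLOSEST, auto_site_coverage=True):
    """DCs whose site-specific records exist for a site: its own DCs, or, when it has none
    and AutoSiteCoverage is on, the DCs of the neighbouring (here: next closest) site."""
    own = sorted(dc for dc, s in dcs.items() if s == site)
    if own or not auto_site_coverage:
        return own
    return sorted(dc for dc, s in dcs.items() if s == next_closest.get(site))


def locate_dc(client_ip, alive, domain="idtt.local", vista_plus=True, try_next_closest=False,
              auto_site_coverage=True, dcs=DCS):
    """Walk the lookup order and return (DC, SRV name that produced it); 'alive' is the set
    of DCs that answer the LDAP ping. Within one name the first live DC in name order is
    taken, a simplification of the real locator's choice among a site's DCs."""
    site = site_for_ip(client_ip)
    for name in lookup_order(domain, site, vista_plus, try_next_closest):
        if "._sites." in name:
            candidates = registered_in(name.split(".")[2], dcs, NEXT_CLOSEST, auto_site_coverage)
        else:
            candidates = sorted(dcs)
        for dc in candidates:
            if dc in alive:
                return dc, name
    return None, None
```

The out-of-site case (a 10.100.0.7 client with no matching subnet) falls through to the generic list immediately, which is why the best-practice slide asks for every IP range, VPN pools included, to be defined in AD.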

General Best Practice

Use only AD DNS servers on clients
Do not use multi-homed DCs
Define all IP ranges in AD
  may use super-netting if necessary
Limit the generic DC list
  site UDP location, out-of-site clients, DC failure
  may use static GPO Site assignment
Force rediscovery
Try next closest site

RODC

Active Directory Troubleshooting

Read/only DC

Physically insecure locations
Only specified password hashes
Read/only database
  other DCs are not willing to replicate back from the RODC
Local Administrator
  Managed By tab in the DC properties

RODC scenario
  diagram: London 10.10.x.x and Cyprus 10.40.x.x; DC1, DC2, DC3, DC5; servers SRV; client CL1; OS labels 2003, 2003, 2008, GC, 2008

Requirements

Forest functional level 2003
Domain functional level 2003
Global catalogue 2003+
  understands confidential attributes
At least one writable 2008+ DC

RODC and Windows 2003

Windows 2003 does not consider RODC
Do not construct replication connections

RODC and Windows 2003

Disable Auto Site Coverage
  HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  AutoSiteCoverage = REG_DWORD = 0
or install the RODC compatibility pack
  Windows 2003, XP (11 issues)
  KB 944043 Windows 2003, XP
  DNS locator records

Password caching

Passwords are only cached once the user logs on using a writable DC
  the first time; can be prepopulated
If the logon fails on the RODC, the request is forwarded to another writable DC
  if offline, password expiration is ignored

Password caching/forwarding
  diagram: same RODC scenario (London 10.10.x.x, Cyprus 10.40.x.x; DC1, DC2, DC3, DC5; SRV; CL1); logon forwarded from the RODC to a writable DC when: not cached yet; not cached yet after a recent password change; wrong password; expired password; account locked

Write referrals
  diagram: same RODC scenario (London 10.10.x.x, Cyprus 10.40.x.x; DC1, DC2, DC3, DC5; SRV; CL1); CL1 tries an update on the RODC, a referral is returned, CL1 then tries the update on the referred writable DC directly

Write Referral Problems

BitLocker
  SP1 for Windows 2008/Vista
Managed Service Accounts
  SP1 for Windows 2008 R2/Windows 7

Account lockout

Accounts are locked locally, not replicated
But the failed attempt is also retried on a writable DC, so the lockout then replicates

Expired passwords

pwdLastSet older than allowed by policy
Logon attempt fails completely
Password must be changed out-of-band and logon then attempted again

Expired password
  diagram, sequence between DC and CL1:
  CL1 -> DC: logon (pwdLastSet 3 months before) -> error: expired
  CL1 -> DC: password change -> pwdLastSet actual
  CL1 -> DC: logon -> ok

Discarding RODC

RODC DMZ Scenario

Only the RODC has internal domain access
Cannot join the domain normally
  use a join script (+ RODC compatibility pack)
Cannot change machine passwords
Cannot determine their site from the "any DC list"
  HKLM\SYSTEM\CCS\Services\Netlogon\Parameters
  SiteName = REG_SZ
Cannot update the AD account
  operating system, service principal names

DNS INTEGRATION

Active Directory Troubleshooting

DNS Integration

Clients find DCs by domain/site name
DCs find replication partners according to their GUID
Netlogon de/registers locator records
DNS stores its data in
  domain partition
  DomainDnsZones application partition
  ForestDnsZones application partition

Netlogon de/registration

Netlogon registers its own records at startup and deregisters them at shutdown
  requires DNS registration enabled on at least one network adapter
  does not require the DNS/DHCP Client service
  %windir%\System32\Config\netlogon.dns
It does not touch others' records
Autosite coverage
  turned on by default

Netlogon de/registration

Restarting Netlogon
NLTEST /DSREGDNS
  force reregistration
NLTEST /DSQUERYDNS
  query last status
Does not require the DNS/DHCP Client service and does not react to /REGISTERDNS

AD Integrated Zones

Offer Secure Dynamic Update
Timestamping
  trimmed to whole hour
Aging and scavenging
  records deleted by default between 14-21 days of their age

DNS Application Partitions

Domain partition
  CN=MicrosoftDNS,CN=System,DC=...
DomainDnsZones
  replicated to all DNS Servers which are also DCs for the domain
ForestDnsZones
  replicated to all DNS Servers which are also DCs for the forest

Secure Dynamic Update

Client side feature
  DHCP Client on Windows 2003-
  DNS Client on Windows Vista+
  IPCONFIG /REGISTERDNS
DNS Server must be on a DC to authenticate clients with Kerberos
All Authenticated Users can create new records
When a record is created, only the creator/owner can modify/update it

Secure Dynamic Update

Updates done regularly by clients
  once a day by default by the DNS/DHCP Client
  once a day by Netlogon
  once a day by the Cluster Service
Default TTL is 20 minutes
Disable DHCP dynamic updates
  insecure!

Dynamic Update
  diagram: Client queries DNS1 for the zone SOA (1), sends the Update to the Primary DNS (2), which passes it on to the Secondary DNS servers (3); Adjust A/PTR Record TTL

Dynamic Update and Replication
  diagram: update written DNS -> AD (0 sec.), AD -> AD replication (15-21 sec., or per schedule), AD -> DNS pickup (0-3 min.)

Dynamic Update and Replication

Speed up the refresh

DHCP and dynamic update

DHCP acts only on behalf of its clients
  the client must provide its name (anonymously)
Domain member computers since Windows 2000 do register themselves
DHCP registers only workgroup computers, mobile phones, printers, scanners, network devices, crap...
  insecure, chaotic, unnecessary, corrupting
Disabling DHCP dynamic update

Dynamic DNS Update on RODC

Each writable DC returns itself as the primary DNS
An RODC returns either (random) writable DC as the primary DNS

Dynamic DNS Update on RODC
  diagram: Client asks the RODC's read-only DNS for the SOA (1), then sends the Update (2) to the writable DC's DNS, which writes it to AD (0 sec.)

Dynamic DNS Update on RODC
  diagram: the update is written to the writable DC's AD (0 sec.); normal replication to the RODC takes 0-3 min., but the RODC's DNS requests replicateSingleObject after DsRemoteReplicationDelay (default 30 sec.) and serves the record at once (0 sec.)

DsRemoteReplicationDelay

Determines how long the RODC's DNS server waits until it requests replication of the single object
Default = 30 sec.
Minimum = 5 sec.
Do not forget the DsPollingInterval

Time stamping/Aging

Record Created timestamp
  trimmed to whole hour
No-refresh period starts
  by default 7 days
  timestamp does not change if the record does not change
Refresh period follows
  by default next 7 days
  timestamp gets updated at the first update

Scavenging

Server wide configuration
  should be done by only one DNS Server as best practice
By default occurs only once per 7 days

DNS Aging and Scavenging

per-zone setting implemented by all DNS servers
  timestamp updates only during the refresh interval
  limits replication traffic
per-server setting
  should be done only by one of the DNS servers

DNS Aging and Scavenging

DnsTombstoned = TRUE
  scavenged records remain in AD for another DsTombstoneInterval before they are deleted from AD
  default 7 days
  checked and potentially deleted every day at 2:00
Aimed at decreasing replication traffic and limiting DNT/USN exhaustion
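The following Python script is an added example, not part of the presentation, that models the aging and scavenging lifecycle on these slides: creation timestamps trimmed to the hour, the 7-day no-refresh period in which a client refresh writes nothing, the 7-day refresh period in which the first refresh updates the timestamp, the scavenging pass that marks stale records dnsTombstoned, and deletion after DsTombstoneInterval. Time is counted in hours from an arbitrary point; the record names and addresses are made up. The helper scavenge_age shows why a never-refreshed record disappears between 14 and 21 days after it was last stamped, depending on when the 7-day scavenging pass happens to run.

```python
import math
from dataclasses import dataclass
from typing import Optional

HOUR = 1
DAY = 24 * HOUR
NO_REFRESH = 7 * DAY             # default no-refresh interval
REFRESH = 7 * DAY                # default refresh interval
DS_TOMBSTONE_INTERVAL = 7 * DAY  # default DsTombstoneInterval


@dataclass
class DnsRecord:
    name: str
    data: str
    timestamp: int                      # hours, always a whole hour
    tombstoned: bool = False            # the dnsTombstoned attribute
    tombstone_time: Optional[int] = None


def create(name, data, now):
    """Dynamic registration of a new record: the timestamp is trimmed to the whole hour."""
    return DnsRecord(name, data, math.floor(now))


def dynamic_update(rec, data, now):
    """A client's periodic re-registration (same data) or a change (new data).
    Returns True when something is written to AD, i.e. when replication traffic results."""
    if rec.tombstoned:                       # modelled as re-creation of a scavenged record
        rec.tombstoned, rec.tombstone_time = False, None
        rec.data, rec.timestamp = data, math.floor(now)
        return True
    if data != rec.data:                     # a data change is written whatever the period
        rec.data, rec.timestamp = data, math.floor(now)
        return True
    if now < rec.timestamp + NO_REFRESH:     # no-refresh period: the timestamp stays put
        return False
    rec.timestamp = math.floor(now)          # refresh period: the first refresh re-stamps it
    return True


def is_stale(rec, now):
    """Eligible for scavenging once no-refresh + refresh have passed since the timestamp."""
    return not rec.tombstoned and now >= rec.timestamp + NO_REFRESH + REFRESH


def scavenge(records, now):
    """One scavenging pass (every 7 days by default, on one server only): stale records
    are not deleted from AD but marked dnsTombstoned. Returns the names hit."""
    hit = []
    for rec in records:
        if is_stale(rec, now):
            rec.tombstoned, rec.tombstone_time = True, math.floor(now)
            hit.append(rec.name)
    return hit


def purge_tombstones(records, now):
    """The daily 2:00 check: tombstoned records older than DsTombstoneInterval leave AD."""
    gone = [r for r in records
            if r.tombstoned and now >= r.tombstone_time + DS_TOMBSTONE_INTERVAL]
    gone_ids = {id(r) for r in gone}
    records[:] = [r for r in records if id(r) not in gone_ids]
    return [r.name for r in gone]


def scavenge_age(created_at, first_pass=0, period=7 * DAY):
    """Age in days at which a never-refreshed record is tombstoned, given when the periodic
    scavenging pass runs; the result lies between 14 and 21 days for the defaults."""
    eligible = created_at + NO_REFRESH + REFRESH
    t = first_pass
    while t < eligible:
        t += period
    return (t - created_at) / DAY
```

A record that is re-registered every day is stamped only once per refresh period, which is the replication saving the per-zone setting is there for; the tombstone stage adds a second 7-day window before the object is finally removed from AD.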

DNS Best Practice
  diagram: DC1 with DNS and DC2 with DNS, AD replicating between them; DNS waiting for AD

DNS Best-Practice Reasons

Faster boot time without errors and timeouts
Deregistration at shutdown is recorded in a live DNS Server
  would have problems replicating if sent into the shutting-down DC

Client DNS balancing

Clients do not balance DNS server queries/updates
  use the first one always if possible
DHCP server does not use round robin
Configuration must be done "manually"
  manual on servers
  more DHCP scopes for clients

Client DNS non-balancing
  diagram: Client1, Client2 and Client3 each list DNS1 first and DNS2 second; always alternate the DNS server IP addresses

DNS Client Settings

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Timeouts
  DNSQueryTimeouts
Disjoint namespace on multihomed machines
  DisjointNameSpace
  PrioritizeRecordData
GPO – DNS Suffix appending on Vista+

DNS Server UDP Pool

After applying KB 953230, DNS Server reserves 2500 UDP ports
HKLM\System\CurrentControlSet\Services\DNS\Parameters
  SocketPoolSize = DWORD = 2500
DNSCMD /Config /SocketPoolSize 2500

DNS Cache Pollution
  diagram: a rogue attacker's DNS server (idtt.com, 1.2.3.4) answering as the idtt.com authoritative DNS server
  response 1
    question: www.idtt.com, type A
    answer: no records
    authority answer: idtt.com SOA; idtt.com NS a.gtld-servers.net; a.gtld-servers.net A 1.2.3.4
  response 2 (server: idtt.com authoritative DNS server)
    question: www.idtt.com, type A
    answer: no records
    authority answer: microsoft.com NS ns.idtt.com; ns.idtt.com A 1.2.3.4

SecureResponses
  enabled by default since 2000 SP3

DNS Cache Locking

Further limits cache poisoning, as already improved by the UDP pool
Records present in the cache cannot be updated before their TTL expires
  prevents cache poisoning in some scenarios
  frequently visited sites are already in the cache
Windows 2008 R2
  enabled by default - 100%
  CacheLockingPercent = DWORD = 0-100
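The following Python script is an added example, not part of the presentation, of the two server-side checks these slides describe, written as a small resolver cache: a bailiwick filter of the kind SecureResponses performs (authority and additional records are only cached when their owner name falls under the zone the answering server speaks for, so the a.gtld-servers.net and microsoft.com records from the cache pollution slide are discarded), and cache locking, where a cached record cannot be overwritten until CacheLockingPercent of its TTL has elapsed. The sample responses reproduce the slide's two cases; the www.example.com records and their 10.x addresses are made-up test data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str
    ttl: int


# Constructed responses reproducing the two cases on the cache pollution slide.
# Both come from the server answering for idtt.com (the rogue one at 1.2.3.4).
RESPONSE_1 = [
    RR("idtt.com", "SOA", "ns.idtt.com hostmaster.idtt.com 1 3600 600 86400 300", 3600),
    RR("idtt.com", "NS", "a.gtld-servers.net", 3600),
    RR("a.gtld-servers.net", "A", "1.2.3.4", 3600),     # out of bailiwick: must not be cached
]
RESPONSE_2 = [
    RR("microsoft.com", "NS", "ns.idtt.com", 3600),     # out of bailiwick: must not be cached
    RR("ns.idtt.com", "A", "1.2.3.4", 3600),
]


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_secure(records, zone):
    """SecureResponses-style check: keep only records whose owner name is at or below
    the zone the responding server is authoritative for; everything else is dropped."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


class LockedCache:
    """Resolver cache with cache locking: an entry cannot be overwritten until
    locking_percent of its TTL has elapsed (100 = not before the TTL expires)."""

    def __init__(self, locking_percent=100):
        self.locking_percent = locking_percent
        self.entries = {}   # (name, type) -> (RR, time inserted)

    @staticmethod
    def _key(name, rtype):
        return name.lower().rstrip("."), rtype

    def insert(self, rr, now):
        """Returns True if written, False if cache locking refused the overwrite."""
        key = self._key(rr.name, rr.rtype)
        current = self.entries.get(key)
        if current is not None:
            old, inserted = current
            if now < inserted + old.ttl * self.locking_percent / 100:
                return False
        self.entries[key] = (rr, now)
        return True

    def lookup(self, name, rtype, now):
        key = self._key(name, rtype)
        entry = self.entries.get(key)
        if entry is None:
            return None
        rr, inserted = entry
        if now >= inserted + rr.ttl:       # expired: evict
            del self.entries[key]
            return None
        return rr


def process_response(cache, records, zone, now):
    """Apply the bailiwick filter, then cache what survives subject to cache locking.
    Returns (records written, records dropped by the bailiwick check)."""
    kept, dropped = filter_secure(records, zone)
    written = [rr for rr in kept if cache.insert(rr, now)]
    return written, dropped
```

The two protections cover different windows: the bailiwick filter rejects data a server had no business answering for, while cache locking keeps an already cached, frequently used record from being replaced by a later response until its TTL (or the configured fraction of it) has run out.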

Performance Considerations

MaxCacheTtl
  maximum TTL limit on cached RRs, by default 1 day
MaxNegativeCacheTtl
  by default 15 minutes

General Best Practice

More than 2 DNS servers are usually unnecessary for a site
Enable DNS Aging and Scavenging
  may decrease DsPollingInterval
  may shorten the client update refresh interval
Alter clients' DNS settings to rotate the DNS server addresses
Disable DHCP dynamic update
