
What is tombstone period?

The tombstone lifetime in an Active Directory forest determines how long a deleted object, also known as a ‘tombstone’, is retained in Active Directory. The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.

The tombstone lifetime assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. When an object is deleted from Active Directory, it is not physically removed from the directory for some days. Instead, Active Directory sets the ‘isDeleted’ attribute of the deleted object to TRUE and moves it to a special container called ‘Tombstone’.

  • Windows 2000 (all SPs) = 60 days
  • Windows Server 2003 without SP = 60 days
  • Windows Server 2003 with SP1 = 180 days
  • Windows Server 2003 R2 with SP1 installed with both R2 discs = 60 days
  • Windows Server 2003 R2 with SP1 installed only with the first R2 Disc = 180 days
  • Windows Server 2003 with SP2 = 180 days
  • Windows Server 2003 R2 with SP2 = 180 days
  • Windows Server 2008 onwards = 180 days

The tombstone lifetime is the same on all domain controllers, and a tombstone is deleted from all of them at the same time. This is because the expiration of a tombstone is based on the time when the object was logically deleted from Active Directory, not on the time when it arrived on a given server as a tombstone through replication.

Reconfiguring Tombstone Lifetime:

The default tombstone lifetime is 180 days in Windows Server 2003 SP2 or later. If necessary, the default tombstone lifetime can be modified through the ADSIEDIT console.

This attribute is located in the below path:

cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=

To change the value, run ADSIEDIT.msc.

Expand: Configuration > CN=Configuration > CN=Services > CN=Windows NT, then right-click CN=Directory Service.

You will get an attribute window. Drill down to tombstoneLifetime and double-click it. You will get a field to enter the value; type the value you intend and click OK.

The picture below shows how to reach the correct object.
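As an added example that is not part of the original post, the same attribute can be read with the ActiveDirectory PowerShell module and compared against the age of a system state backup, since a backup older than the tombstone lifetime must not be restored (it would reintroduce objects that the other DCs have already purged). The backup date in the last line is a hypothetical value.

```powershell
# Added example, not from the original post: read the forest tombstoneLifetime
# and check whether a backup is still young enough to be restored safely.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    # The attribute lives on CN=Directory Service under the Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime
    # When the attribute is not set, the built-in 60-day default applies (forests
    # created with Windows 2000 / 2003 RTM); newer forests have 180 written explicitly.
    if ($null -eq $dsObject.tombstoneLifetime) {
        Write-Warning "tombstoneLifetime is not set; the built-in default of 60 days applies"
        return 60
    }
    return [int]$dsObject.tombstoneLifetime
}

function Test-BackupAge {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays
    )
    # Restoring a backup older than the tombstone lifetime reintroduces deleted
    # objects (lingering objects), so flag it as unsafe.
    $age = (Get-Date) - $BackupDate
    [pscustomobject]@{
        BackupAgeDays         = [math]::Floor($age.TotalDays)
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        SafeToRestore         = $age.TotalDays -lt $TombstoneLifetimeDays
    }
}

$tsl = Get-TombstoneLifetime
"tombstoneLifetime = $tsl days"
# Hypothetical backup date; replace with the timestamp of the real backup.
Test-BackupAge -BackupDate (Get-Date).AddDays(-200) -TombstoneLifetimeDays $tsl
```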

Name some OU design considerations.

The Group Policy architecture is flexible and allows for many types of design. The guiding principle as you design your organizational unit structure should be to create a structure that is easy to manage and troubleshoot.

Delegation of authority, separation of administrative duties, central versus distributed administration, and design flexibility are important factors you'll need to consider when designing Group Policy and selecting which scenarios to use for your organization.

What tool would I use to try to grab security related packets from the wire?

A network tap is the best solution for grabbing data packets on a network. It is a hardware device that provides a way to access the data flowing across a computer network. Computer networks, including the Internet, are collections of devices, such as computers, routers, and switches, that are connected to each other.

Network taps are commonly used for security applications because they are non-obtrusive, are not detectable on the network, can deal with full-duplex and non-shared networks, and will usually pass traffic through even if the tap stops working or loses power.

Can I get user passwords from the AD database?

By default, user account passwords are stored as a password hash (a hash is the output of a one-way function, which means you cannot reverse it to get the plaintext). These hashes are stored in the Active Directory database (the C:\Windows\NTDS\ntds.dit file on DCs). If you need to get user passwords, you have to change the way they are stored in AD: passwords must be stored encrypted with a reversible encryption algorithm.

To enable this option globally:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, right click on your domain and select Properties.

3. In the Group Policy tab, select "Default Domain Policy" and click Edit.

4. In the Group Policy window, navigate to Password Policy in the left-panel Tree view: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

5. Right click on "Store password using reversible encryption for all users in the domain" and select Security.

6. In the Security Policy Setting window, select the "Define this policy setting" checkbox and the Enabled radio button. Click OK.

7. Close all applications and restart the computer, and log into your domain.

To enable this option for a specific user:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, right-click on the user and select Properties.

3. In the Account tab, check "Store password using reversible encryption." Click OK.

4. Close all applications and restart the computer, and log into your domain.

When this is enabled (per user or for the entire domain), Windows stores the password encrypted, but in such a way that it can reverse the encryption and recover the plaintext password. This feature exists because some authentication protocols require the plaintext password to function correctly; the two most common examples are HTTP Digest Authentication and CHAP.

Niels Teusink has done great research on this:

http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html

http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html

He also developed a nice tool called “RevDump” to decipher these encrypted passwords.
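Because this setting makes the stored password recoverable by anyone who can read the database, a defender wants to know where it is switched on. The following is an added example, not part of the original post, that reports reversible encryption at all three levels the text mentions: the domain password policy, fine-grained password policies, and the per-user account option.

```powershell
# Added example, not from the original post: audit where "Store password using
# reversible encryption" is enabled in the domain.
Import-Module ActiveDirectory

function Get-ReversibleEncryptionExposure {
    # Per-user checkbox: userAccountControl bit 0x80 (ENCRYPTED_TEXT_PASSWORD_ALLOWED).
    $perUser = Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl |
               Select-Object SamAccountName, DistinguishedName

    # Domain-wide setting from the Default Domain Policy.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Fine-grained password policies can enable it for specific groups as well.
    $fgpp = Get-ADFineGrainedPasswordPolicy -Filter 'ReversibleEncryptionEnabled -eq $true'

    [pscustomobject]@{
        DomainPolicyEnabled = [bool]$domainPolicy.ReversibleEncryptionEnabled
        FineGrainedPolicies = @($fgpp | Select-Object -ExpandProperty Name)
        PerUserAccounts     = @($perUser | Select-Object -ExpandProperty SamAccountName)
    }
}

$report = Get-ReversibleEncryptionExposure
$report
if ($report.DomainPolicyEnabled -or $report.FineGrainedPolicies.Count -or $report.PerUserAccounts.Count) {
    Write-Warning "Reversible encryption is enabled somewhere; existing stored values persist until each affected user changes their password."
}
```

Clearing the flag only changes how future passwords are stored; the reversibly encrypted value already in ntds.dit remains until the user's next password change, so remediation includes a password reset for every listed account.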

How can you forcibly remove AD from a server, and what do you do later?

Dcpromo is the Windows 2000 and Windows Server 2003 GUI interface for promoting a server to the role of domain controller; if the server is already a DC, dcpromo is also the tool used to demote it back to a member server. If you run dcpromo on an existing DC to demote it and the demotion fails, you can run dcpromo with the /forceremoval switch (the big hammer), which tells the process to ignore errors. With /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact another DC in the forest or replicate any locally held changes to it.

After you use the dcpromo /forceremoval command, the metadata for the demoted DC is not deleted from the surviving domain controllers, so you must remove it manually using the NTDSUTIL command.

For more information please read:

http://www.petri.co.il/forcibly_removing_active_directoy_from_dc.htm

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

What can you do to promote a server to DC if you're in a remote location with slow WAN link?

The best solution in this scenario is to install the DC from media, a feature introduced with Windows Server 2003. Take a system state backup of a current Global Catalog server, burn it to CD/DVD and send it to the remote location. On the remote server that is to be promoted, restore the files to an alternate location, then run dcpromo /adv.

For more information please read: http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm

What are the requirements for installing AD on a new server?

Requirements for Installing AD DS

  • Preinstalled Windows Server 2008 or Windows Server 2008 R2.
  • Administrative rights on server
  • Domain Name System (DNS) infrastructure is in place. When you install AD DS, you can include DNS server installation, if it is needed. When you create a new domain, a DNS delegation is created automatically during the installation process.
  • A NIC
  • Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
  • A network connection (to a hub or to another computer via a crossover cable, loopback will also work)
  • In order to install a read-only domain controller (RODC), there must be a writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the domain.
  • The drives that store the database, log files, and SYSVOL folder for Active Directory Domain Services (AD DS) must be placed on a local fixed volume. SYSVOL must be placed on a volume that is formatted with the NTFS file system.
  • Windows Server 2008 or Windows Server 2008 R2 media

What is the ISTG? Who has that role by default?

For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).

By default, the first server in the site has this role. If that server can no longer perform the role, the next server with the highest GUID takes over as ISTG.
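To see which DC currently holds the role in each site, the interSiteTopologyGenerator attribute on every site's NTDS Site Settings object can be read. This is an added example, not part of the original post; it assumes the ActiveDirectory module and a reader with access to the Configuration partition.

```powershell
# Added example, not from the original post: list the current ISTG for every site.
Import-Module ActiveDirectory

function Get-SiteIstg {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Each site has a CN=NTDS Site Settings object; its interSiteTopologyGenerator
    # attribute holds the DN of the NTDS Settings object of the current ISTG.
    Get-ADObject -Filter 'objectClass -eq "nTDSSiteSettings"' `
                 -SearchBase "CN=Sites,$configNC" -Properties interSiteTopologyGenerator |
    ForEach-Object {
        # DN of the settings object: CN=NTDS Site Settings,CN=<site>,CN=Sites,...
        $siteName = ($_.DistinguishedName -split ',')[1] -replace '^CN='
        $istgDn   = $_.interSiteTopologyGenerator
        # ISTG DN: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $istg = if ($istgDn) { ($istgDn -split ',')[1] -replace '^CN=' } else { '(none)' }
        [pscustomobject]@{ Site = $siteName; ISTG = $istg }
    }
}

Get-SiteIstg | Sort-Object Site | Format-Table -AutoSize
```

A site whose ISTG shows as "(none)" or names a DC that no longer exists is a sign that inter-site connection objects are not being maintained and replication between sites should be checked.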

What is the KCC?

The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

What is Active Directory Naming Context or Directory Partition?

Each domain controller in a domain forest controlled by Active Directory Domain Services includes directory partitions. Directory partitions are also known as naming contexts. A directory partition is a contiguous portion of the overall directory that has independent replication scope and scheduling data. By default, the Active Directory Domain Service for an enterprise contains the following partitions:

1. Schema Partition - One per forest. The schema naming context contains the definitions of all objects that can be instantiated in Active Directory. It also stores the definitions of all attributes that can be a part of objects in Active Directory. Every domain controller has one fully writeable copy of the schema directory partition, although schema updates are allowed only on the domain controller that is the schema operations master.

2. Configuration Partition - One per forest. It stores forest-wide configuration data that is required for the proper functioning of Active Directory as a directory service. The configuration partition contains replication topology and other configuration data that must be replicated throughout the forest. Every domain controller has one fully writeable copy of the configuration directory partition.

3. Domain Partition - One per domain. The domain partition contains the directory objects, such as users and computers, and other objects for that domain. All domain controllers that are joined to the domain share a full writeable copy of the domain directory partition. Additionally, all domain controllers in the forest that host the global catalog also host a partial read-only copy of every other domain naming context in the forest.

Windows Server 2003 introduced the Application Directory Partition, which provides the ability to control the scope of replication and allows replicas to be placed in a manner more suitable for dynamic data.