Thursday 6 March 2014

Active Directory, Compliance and Identity: Part 1a

Cleaning up and stabilizing your Active Directory:

Let's face the truth: AD has been alive and running in the majority of companies around the world for 15 years. During that time there have been tons of upgrades and development, bringing more and better functionality to meet the demands of the time.

Microsoft has provided "simple" ways of keeping your AD environment updated, but sometimes the simplicity brings complexity under the "hood" of the user-friendly interface.

A major task for all AD Engineers is to make sure everything is really running as expected, not only from a visual perspective but also in reality; otherwise the benefits of being updated are lost or at least limited.

So, what should I be looking for? What has changed over the years? Below are some examples:

Windows 2000:
Domain Level:
  • Support for Universal groups, both security and distribution
  • Group Nesting
  • SID History
Forest Level:
  • n/a
Windows 2003:
Domain Level:
  • Netdom.exe
  • Updates to Logon time stamp
  • Selective Authentication
  • Container redirection (Computers and Users)
  • Constrained delegation
Forest Level:
  • Forest Trust
  • Domain Rename
  • LVR (Linked-Value Replication)
  • Improved KCC (Knowledge Consistency Checker)
  • RODC Deployment (Read-Only Domain Controllers)
Windows 2008:
Domain Level:
  • DFSR support for Sysvol Replication (running on Windows 2003 or later)
  • Domain Based DFS with support for ABE and Scalability running in Windows 2008 Native Mode
  • AES 128 and 256 support for Kerberos
  • Last Interactive Logon Information
  • Fine-Grained Password Policies
Forest Level:
  • n/a
Windows 2008 R2:
Domain Level:
  • AMA (Authentication Mechanism Assurance)
  • Automatic SPN Management
Forest Level:
  • Active Directory Recycle Bin
Windows 2012:
Domain Level:
  • Added KDC support for Claims, Compound Authentication and Kerberos Armoring
Forest Level:
  • n/a
Windows 2012 R2:
Domain Level:
  • DC-Side Protection for Protected Users
  • Authentication Policies
  • Authentication Policy Silos
Forest Level:
  • n/a
For additional Information regarding added functionality refer to the following link:

The functionality above of course also requires raising the Domain and Forest functional levels accordingly. Looking at this from your own Active Directory perspective, you soon realize that there are most likely things to be done, and good reasons to make sure everything is running smoothly.

By ignoring or not knowing about these added values, you could potentially be missing out on the security and functionality AD provides.

Now it's time for Golden Rule number 1: Before even thinking about doing any changes to your production environment, make sure you have a well-tested, well-documented and fully functional Disaster Recovery Plan. Also make sure you are able to use at least one level of Testing environment or QA (Quality Assurance) environment.

A backup is not a Disaster Recovery Plan, it's only a part of it. A Disaster Recovery Plan must consist of at least the following:
  • A tested and verified backup strategy (running)
  • A tested and verified recovery method, for all critical services provided and surrounding Active Directory (including the actual Operating system and Hardware as well)
  • All possible recovery scenarios, documented in detail (from individual objects, Domain Controllers, Sites, Domains to the entire Forest itself)
  • "Fire drills" on at least a yearly basis, performing the entire Disaster Recovery process.
  • A well trained group of people able to perform the operations if necessary, always attending the fire drills for yearly training and knowledge update purposes.
  • A dedicated person(s) responsible for maintaining and updating the documentation.

Do you need to be a rocket scientist to prepare all this? No, not really, you can always use specialized software to ease your burdens and of course combine them with the Active Directory Recycle Bin Feature.

Active Directory, Compliance and Identity: Part 1b, will take a road trip into the specialized software of my choice and also provide some tips and tricks surrounding it. 

While you are waiting for the next part, please activate the AD Recycle Bin:
Activating the AD Recycle Bin
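As an added example (not from the original post), the following PowerShell script ties together the two checks above: it reports the current domain and forest functional levels, which decide how much of the feature list is actually available to you, and enables the AD Recycle Bin if the forest level allows it. It assumes the ActiveDirectory RSAT module is installed and that you run it as a member of Enterprise Admins.

```powershell
# Added example, not the post's own code. Report functional levels and the
# AD Recycle Bin state, then enable the Recycle Bin if it is not already on.
# Assumes the ActiveDirectory module and Enterprise Admins membership; note
# that the Recycle Bin is forest-wide and cannot be turned off again.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The functional levels decide which of the features listed above you can use.
"Forest '{0}' functional level: {1}" -f $forest.Name, $forest.ForestMode
"Domain '{0}' functional level: {1}" -f $domain.DNSRoot, $domain.DomainMode

# The Recycle Bin requires Windows 2008 R2 forest functional level.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
$feature  = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

if ($feature.EnabledScopes.Count -gt 0) {
    "AD Recycle Bin is already enabled in this forest."
}
elseif ([int]$forest.ForestMode -lt [int]$required) {
    "Forest level is below Windows 2008 R2; raise it before enabling the Recycle Bin."
}
else {
    # Target is the forest root; -Confirm prompts because this is irreversible.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm
    "AD Recycle Bin enabled; deleted objects can now be recovered with Restore-ADObject."
}
```

Run it first in your test or QA environment, as Golden Rule number 1 says, and only then in production.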

Saturday 1 February 2014

Active Directory, Compliance and Identity: Preface


During my years as a consultant I have often faced the challenge of customers having problems communicating internally, especially between the department responsible for running the internal infrastructure and the rest of the company. Often this is an outcome of an unwillingness to speak the same language, as well as a lack of the capability to actually translate IT-related terms into business terms and have them make sense.

Sometimes I sense that IT people use complex terminology to hide their own shortcomings in understanding the business needs and also from time to time, their ability to actually manage the systems installed in the most beneficial way from a business perspective.

As long as non-IT departments don't depend on IT for their core business this is manageable and everything is kind of peaceful, but as soon as dependencies start to really show, so do the problems. When the business starts to question the actual cost and efficiency provided by IT, words like "It's Complicated" aren't good enough any more.

Starting back in the late 1990s Microsoft released Active Directory to provide an enhanced capability not only to manage larger but also more complex environments, giving us "geeks" the possibilities to start "integrating" surrounding systems using industry-standard LDAP (Lightweight Directory Access Protocol).

In the early 2000s corrupt business people caused us to add controls and regulations to our financial systems, and since all those systems were already digitalized by that point in time, the effect on IT in general was to straighten up and add more security together with the capability of auditing and tracing all changes to financial systems and their transactions.

Starting around 2005 we realized we had so many IT systems that our users were spending a huge amount of time just trying to authenticate to different systems before even being able to perform their actual work, which kicked off the Identity Integration boom for real.

Add to this Virtualization, Cloud Services and full-blown Identity Management solutions hitting us during the last 5-6 years and the conclusion is clear: we have gone from "IT-simplicity" using a few interconnected systems to "Business-simplicity" using a huge amount of semi-interconnected systems, causing "IT-complexity".

Here we stand today, with an even bigger need for communication between the IT department and the other departments like HR, Economy, Sales and various Production units. We have now also reached a new level of IT maturity within the non-IT departments of most companies, making the phrase "It's Complicated" an obsolete answer when communicating between IT Admins and the Business.

In this Blog Series I will provide my view on how you could move away from a non-managed AD with gaps in Compliance and lack of simplicity in Management of multiple Authentication Services and into a system interconnecting all your business systems with the heart of your infrastructure, Active Directory.

The series will contain the following parts with a lot of separate posts on every topic:
1. Cleaning up and stabilizing your existing Active Directory
2. Disaster Recovery planning and Resilience
3. Adding Compliance and Security
4. Connecting External Systems and Directories to Active Directory
5. Identity Management beyond the New User Portal

Stay tuned, enjoy and remember: A fool with a tool is still a fool.