Thursday 6 March 2014

Active Directory, Compliance and Identity: Part 1a

Cleaning up and stabilizing your Active Directory:

Let's face the truth: AD has been alive and running in the majority of companies around the world for about 15 years. During that time there have been tons of upgrades and new development, bringing more and better functionality to meet the demands of the time.

Microsoft has provided "simple" ways of keeping your AD environment updated, but sometimes that simplicity hides complexity under the hood of the user-friendly interface.

A major task for every AD engineer is to make sure everything is really running as expected, not only from a visual perspective but also in reality; otherwise the benefits of being updated are lost, or at least limited.

So, what should I be looking for? What has changed over the years? Below are some examples of the features each domain and forest functional level added:

Windows 2000 (native):
Domain Level:
  • Universal groups, both security and distribution
  • Group nesting and group conversion
  • SID History
Forest Level:
  • n/a
Windows 2003:
Domain Level:
  • Netdom.exe domain management tool (renaming domain controllers)
  • Logon timestamp updates (the replicated lastLogonTimestamp attribute)
  • Selective Authentication
  • Container redirection (the default Computers and Users containers)
  • Constrained delegation
Forest Level:
  • Forest Trust
  • Domain Rename
  • LVR (Linked-Value Replication)
  • Improved KCC (Knowledge Consistency Checker)
  • RODC deployment (Read-Only Domain Controllers; also needs adprep /rodcprep and at least one writable Windows Server 2008 DC)
Windows 2008:
Domain Level:
  • DFS Replication (DFSR) for SYSVOL, replacing FRS; the FRS-to-DFSR migration itself is a separate step done with dfsrmig.exe
  • Domain-based DFS namespaces in Windows Server 2008 mode, with ABE (Access-Based Enumeration) and improved scalability
  • AES 128 and 256 support for Kerberos
  • Last Interactive Logon Information
  • Fine-Grained Password Policies
Forest Level:
  • n/a
Windows 2008 R2:
Domain Level:
  • AMA (Authentication Mechanism Assurance)
  • Automatic SPN management for Managed Service Accounts
Forest Level:
  • Active Directory Recycle Bin (an optional feature: raising the level makes it available, it must still be enabled explicitly)
Windows 2012:
Domain Level:
  • KDC support for Claims, Compound Authentication and Kerberos Armoring
Forest Level:
  • n/a
Windows 2012 R2:
Domain Level:
  • DC-side protection for Protected Users
  • Authentication Policies
  • Authentication Policy Silos
Forest Level:
  • n/a
For additional information regarding added functionality, refer to the following link:

All of the above functionality of course also requires raising the domain and forest functional levels, which in turn requires every domain controller to run at least that Windows version. Raising a level is effectively one-way: it can only be lowered from 2008 R2 onwards, never below 2008, and not at all once the Recycle Bin has been enabled. Taking this into consideration from your own Active Directory's perspective, you soon realize there are most likely things to be done, and reasons to make sure everything is running smoothly.

By ignoring, or simply not knowing about, these additions you leave security and functionality that AD already offers unused, such as AES for Kerberos, Protected Users and Authentication Policies, and you weaken your environment for no reason.
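As an added example (not code from the original post), the following PowerShell inventory shows what to check before touching a functional level: the current domain and forest levels, the OS of every domain controller (a level can never be raised above the oldest DC), which optional features are actually switched on, and whether SYSVOL has been migrated from FRS to DFSR. It assumes the RSAT ActiveDirectory module and a domain-joined account with read access; dfsrmig.exe is assumed to run on a domain controller, and the target levels in the final -WhatIf step are assumptions to adjust.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and a domain-joined session; dfsrmig.exe exists on domain controllers.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
"Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode
"Domain {0}: functional level {1}" -f $domain.DNSRoot, $domain.DomainMode

# A level can never be raised above the oldest OS still hosting a DC, so list
# every DC (RODCs included) with its OS, GC status and FSMO roles.
Get-ADDomainController -Filter * |
    Sort-Object OperatingSystem |
    Select-Object HostName, IPv4Address, OperatingSystem, IsReadOnly,
                  IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# Optional features such as the Recycle Bin are not switched on by raising the
# level; EnabledScopes shows whether anyone actually enabled them.
Get-ADOptionalFeature -Filter * |
    Select-Object Name, RequiredForestMode, EnabledScopes |
    Format-List

# SYSVOL replication engine. The 2008 domain level only permits DFSR; the
# FRS-to-DFSR migration is a separate dfsrmig.exe run. Global state 3
# ("Eliminated") means it is complete, 0 means SYSVOL is still on FRS.
dfsrmig.exe /getglobalstate

# Rehearse the raise with -WhatIf. The target levels are assumptions for this
# example. Lowering later is only possible from 2008 R2 upwards, never below
# 2008, and never once the Recycle Bin is enabled.
Set-ADDomainMode -Identity $domain -DomainMode Windows2012R2Domain -WhatIf
Set-ADForestMode -Identity $forest -ForestMode Windows2012R2Forest -WhatIf
```

Remove the -WhatIf switches only after the DC list contains no machine older than the target level and the DFSR migration state is what you expect; the raise itself replicates forest-wide and cannot be undone by restoring a single DC.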

Now it's time for Golden Rule number 1: before even thinking about making any changes to your production environment, make sure you have a well-tested, well-documented and fully functional Disaster Recovery Plan. Also make sure you have at least one level of test or QA (Quality Assurance) environment available.

A backup is not a Disaster Recovery Plan; it is only part of one. A Disaster Recovery Plan must consist of at least the following:
  • A tested and verified backup strategy that is actually in operation (system state of more than one domain controller, not a single machine)
  • A tested and verified recovery method for all critical services provided by and surrounding Active Directory (including the operating system and the hardware)
  • All possible recovery scenarios documented in detail, from individual objects, Domain Controllers and Sites to Domains and the entire Forest itself
  • "Fire drills" at least yearly, performing the entire Disaster Recovery process
  • A well-trained group of people able to perform the operations if necessary, who always attend the fire drills for yearly training and knowledge updates
  • Dedicated person(s) responsible for maintaining and updating the documentation.

Do you need to be a rocket scientist to prepare all this? No, not really; you can always use specialized software to ease the burden, and of course combine it with the Active Directory Recycle Bin feature.

Active Directory, Compliance and Identity: Part 1b, will take a road trip into the specialized software of my choice and also provide some tips and tricks surrounding it. 

While you are waiting for the next part, please activate the AD Recycle Bin (it requires the Windows Server 2008 R2 forest functional level and cannot be turned off again once enabled):
Activating the AD Recycle Bin
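As an added example (not code from the original post, nor Quest's), here is the Recycle Bin activation together with the single-object "fire drill" from the Disaster Recovery list above: enable the feature after checking the forest level, read the deleted-object lifetime, then create, delete and restore a throwaway user to prove the restore path actually works. It assumes the RSAT ActiveDirectory module, Enterprise Admins rights and an existing OU named DR-Test under the domain root; the OU and user names are placeholders chosen for this example.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, Enterprise Admins membership and an existing OU named DR-Test
# (placeholder) directly under the domain root.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The Recycle Bin needs the 2008 R2 forest functional level or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest level is $($forest.ForestMode); raise it to $required first."
}

# Enabling is irreversible and blocks lowering the forest level afterwards.
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
    "Recycle Bin enabled for forest $($forest.RootDomain)"
} else {
    "Recycle Bin already enabled in: $($rb.EnabledScopes -join ', ')"
}

# How long a deleted object stays restorable: msDS-DeletedObjectLifetime, or
# tombstoneLifetime when that is unset (180 days on forests created with
# 2003 SP1 or later, 60 days on older ones).
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime' |
    Select-Object tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# Fire drill for the "individual object" scenario: create, delete, restore.
$testOu   = "OU=DR-Test,$($domain.DistinguishedName)"    # placeholder OU
$testName = "drtest-$(Get-Date -Format yyyyMMddHHmm)"     # placeholder user
$testDn   = "CN=$testName,$testOu"
New-ADUser -Name $testName -Path $testOu -Enabled $false
Remove-ADUser -Identity $testDn -Confirm:$false

# Deleted objects keep their attributes plus LastKnownParent; searching them
# needs -IncludeDeletedObjects, and the CN carries a "\0ADEL:<guid>" suffix,
# hence the prefix match.
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(cn=$testName*))" `
    -IncludeDeletedObjects -Properties LastKnownParent
if (-not $deleted) { throw "Deleted object $testName not found in the Recycle Bin." }

# Restore-ADObject puts it back under LastKnownParent (use -TargetPath to move it).
$deleted | Restore-ADObject
Get-ADUser -Identity $testDn | Select-Object Name, DistinguishedName, Enabled
```

Run the whole drill against one domain controller (add -Server to each cmdlet) if the final Get-ADUser fails right after the restore; otherwise replication latency between DCs can make a successful restore look like a failure. Without the Recycle Bin a deleted object becomes a tombstone stripped of most attributes, and recovering it means an authoritative restore from backup instead of this single cmdlet.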

Saturday 1 February 2014

Active Directory, Compliance and Identity: Preface


During my years as a consultant I have often faced the challenge of customers having problems communicating internally, especially between the department responsible for running the internal infrastructure and the rest of the company. Often this is an outcome of an unwillingness to speak the same language, as well as a lack of the ability to actually translate IT-related terms into business terms that make sense.

Sometimes I sense that IT people use complex terminology to hide their own shortcomings in understanding the business needs and, from time to time, their inability to actually manage the installed systems in the way that is most beneficial from a business perspective.

As long as non-IT departments don't depend on IT for their core business this is manageable and everything is kind of peaceful, but as soon as the dependencies really start to show, so do the problems. When the business starts to question the actual cost and efficiency of IT, an answer like "It's complicated" isn't good enough any more.

Starting back in the late 1990s, Microsoft released Active Directory to provide an enhanced capability to manage not only larger but also more complex environments, giving us "geeks" the possibility to start "integrating" surrounding systems using the industry-standard LDAP (Lightweight Directory Access Protocol).

In the early 2000s, corrupt business people caused controls and regulations to be added to our financial systems, and since by that point in time all those systems were already digitalized, the effect on IT in general was to straighten up: add more security, and the capability to audit and trace all changes to financial systems and their transactions.

Around 2005 we realized we had so many IT systems that our users were spending a huge amount of time just authenticating to different systems before even being able to perform their actual work, which kicked off the Identity Integration boom for real.

Add to this Virtualization, Cloud Services and full-blown Identity Management solutions hitting us during the last 5-6 years, and the conclusion is clear: we have gone from "IT simplicity", using a few interconnected systems, to "business simplicity", using a huge number of semi-interconnected systems, which causes "IT complexity".

Here we stand today, with an even bigger need for communication between the IT department and the other departments, like HR, Finance, Sales and the various production units. The non-IT departments at most companies have also reached a new level of IT maturity, making "It's complicated" an obsolete answer in communication between IT admins and the business.

In this blog series I will give my view on how you can move away from an unmanaged AD with gaps in compliance and a lack of simplicity in managing multiple authentication services, and towards a system that interconnects all your business systems with the heart of your infrastructure, Active Directory.

The series will contain the following parts, with a number of separate posts on every topic:
1. Cleaning up and stabilizing your existing Active Directory
2. Disaster Recovery planning and Resilience
3. Adding Compliance and Security
4. Connecting External Systems and Directories to Active Directory
5. Identity Management beyond the New User Portal

Stay tuned, enjoy and remember: A fool with a tool is still a fool.

Tuesday 14 May 2013

Active Directory - Keep it Simple

During my years working with Active Directory based solutions, I have been amazed by the way companies tend to make it more complicated than necessary. When Microsoft introduced the new way of organizing a Windows domain using Organizational Units (OUs), trees and forests back in the late nineties, everyone went berserk in their struggle to become the most creative designer, without really listening to the mantra: keep it simple.

Today, fifteen years later, we have to face the consequences and clean up the mess, leading to endless amounts of clean-up projects and migration projects, often initiated as "missions of mercy" to save what can be saved before the final crash.

Having taken part in quite a few of those projects during the last 4-5 years, I have once again had to put up with the creative people who have suddenly popped up from their crypts again, just waiting to create yet another AD bubble that will burst in a few years.

I will give you a few pieces of advice from my experience so far on how to avoid this situation again, or at least ease the pain (and by the way, this is strictly my personal perspective).

1. Most likely ONE single Active Directory domain will cover all your needs, today and tomorrow; extra domains add trusts, FSMO roles and replication to protect without adding a security boundary (the forest is the boundary).

2. Think administrative delegation, not the org chart, when building the domain/OU structure: an OU exists to hold a delegation of rights or a Group Policy link, not to mirror a department.

3. Make sure the governance model is in place before running DCPROMO.

4. ADFS, ADRMS, RODC, PKI, DFS, DNSSEC etc. are not only cool terms or features: use them, and use them correctly.

5. The schema is not full of attributes for no reason; make sure you use the attributes provided in a meaningful way, since they are your future connection to surrounding systems.

6. Yes, you can use only Universal Groups; that's enough (in a single domain their membership being stored in the global catalog costs you no extra replication).

7. Make sure the part of your identities that you store in Active Directory is both secure and well managed.

8. This list could actually continue for a while, but I will stop it here to avoid putting myself out of business, by just once more giving you the most basic advice when it comes to directory services in general and Active Directory in particular:


Tuesday 30 April 2013

Localized version of ActiveRoles Server 6.8

I have had the luck of being able to enjoy the results of numerous implementations of Quest One ActiveRoles Server, and of course the latest version, 6.8, brings it to yet another level. It's been comfortable to be able to assist customers in their struggles to achieve uniformity and consistency in the provisioning and de-provisioning of objects in Active Directory, using this intuitive tool and by that means speeding up the processes and bringing real business to the table.

<snip from Quest>

Secure access – Acts as a virtual firewall around Active Directory, enabling you to control access through delegation using a least privilege model. Based on defined administrative policies and associated permissions, it generates and strictly enforces access rules, eliminating the errors and inconsistencies common with native approaches to AD management. Plus, robust and personalized approval procedures establish an IT process and oversight consistent with business requirements, with responsibility chains that complement the automated management of directory data.
Automate account creation – Automates a wide variety of tasks, including:
  • Creating user and group accounts in AD
  • Creating mailboxes in Exchange
  • Populating groups
  • Assigning resources in Windows
ActiveRoles Server also automates the process of reassigning and removing user access rights in AD and AD-joined systems (including user and group de-provisioning) to ensure an efficient and secure administrative process over the user and group lifetimes. When a user’s access needs to be changed or removed, updates are made automatically in AD, Exchange, SharePoint, OCS, Lync and Windows, as well as any AD-joined systems such as Unix, Linux and Mac OS X.
Day-to-day directory management – Simplifies management of:
  • Exchange recipients, including mailbox/OCS assignment, creation, movement, deletion, permissions and distribution list management
  • Groups
  • Computers, including shares, printers, local users and groups
  • Active Directory, including AD LDS
ActiveRoles Server also includes intuitive interfaces for improving day-to-day administration and help desk operations via both an MMC snap-in and a Web interface.
Manage groups and users in a hosted environment – Works in tandem with Quest One Quick Connect in a hosted environment where accounts from client AD domain are synchronized with a host AD domain. ActiveRoles Server enables user and group account management from the client domain to the hosted domain, while also synchronizing attributes and passwords.
The solution uses out-of-the-box connectors to synchronize your on-premises AD accounts to cloud-based services such as Google Apps, Microsoft Office 365, Lync Online and SharePoint Online.
Consolidate management points through integration – Complements your existing technology and identity and access management strategy. Its Extend All feature simplifies and consolidates management points by ensuring easy integration with many Dell products, including Quest One Quick Connect, Quest One Identity Manager, Privilege Password Manager, Desktop Virtualization, Authentication Services, Defender, Password Manager, Webthority and ChangeAuditor. ActiveRoles Server also automates and extends the capabilities of PowerShell, ADSI, SPML and customizable Web interfaces. 

<End snip from Quest>

What suddenly strikes me like lightning from a clear blue sky is the mail I received a couple of weeks ago from Quest, not only stating but also providing a link to... the Swedish version of the ARS Web Interface.

I didn't see that one coming.

This of course is a sign telling me that the Swedish market is finally waking up, realizing there are other ways of managing your AD, perhaps even better ones, than using native tools like ADUC and so forth.

This also marks a milestone in my extended travelling as a consultant in this specific area: from now on I will be able to work in Sweden as well.

I'm coming home!