WUG - AD Klienti - Ondrej Sevecek`s Blog

Report
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security |
[email protected] | www.sevecek.com |
CLIENT INTERACTIONS
Active Directory Client Interactions
INTRO
Central Database
 LDAP – Lightweight Directory Access Protocol




database query language, similar to SQL
TCP/UDP 389, SSL TCP 636
Global Catalog (GC) – TCP/UDP 3268, SSL TCP 3269
D/COM Dynamic TCP – Replication
 Kerberos
 UDP/TCP 88
 Windows NT 4.0 SAM
 SMB/CIFS TCP 445 (or NetBIOS)
 password resets, SAM queries
 SMB/DCOM Dynamic TCP
 NTLM pass-through
 Kerberos PAC validation
Design Considerations
 Distributed system
 DCs disconnected for very long times
 several months
 Multimaster replication
 with some FSMO roles
Design Considerations
 Example: Caribean cruises, DC/IS/Exchange
on board with tens of workstations and users,
some staff hired during journey. No or bad
satelite connectivity only. DCs synced after
ship is berthed at main office.
 Challenge: Must work independently for long
time periods. Different independent cruiseliners/DCs can accomodate changes to user
accounts, email addresses, Exchange
settings. Cannot afford lost of any one.
Database
 Microsoft JET engine
 JET Blue
 common with Microsoft Exchange
 used by DHCP, WINS, COM+, WMI, CA, CS, RDS
Broker
 %WINDIR%\NTDS\NTDS.DIT
 ESENTUTL
 Opened by LSASS.EXE
Installed services
LSASS
Security Accounts Manager
TCP 445
SMB + Named Pipes
D/COM Dynamic TCP
Kerberos Key Distribution Center
UDP, TCP 88
Kerberos
Active Directory Domain Services
UDP, TCP 389, ...
LDAP
NTDS.DIT
Network Interactions
(DC Location)
SRV: Any DC List
Client
2000+
SRV: My Side DC
DNS
DNS
LDAP
UDP
My Site DC
2000+
Get My Site
Any DC
2000+
Network Interactions
(2008/Vista+ DC Location)
SRV: Any DC List
Client
Vista+
SRV: My Site DC
DNS
SRV: Close Site
DNS
LDAP
UDP
Close Site
DC
2000+
My Site DC
2000+
Get My Site
Next Closest Site
Any DC
2008+
Network Interactions
(Join Domain)
Client
2000+
TGT: User
Kerberos
SMB
TGT: CIFS
SAM Interface
DC
2000+
Network Interactions
(Local Logon)
Client
2000+
TGT: User
Kerberos
LDAP
SMB
TGS: LDAP, CIFS
GPO List
GPO Download
DC
2000+
Network Interactions
(Kerberos Network Logon)
Client
2000+
App Traffic
Server
2000+
In-band
TGS: Server
Kerberos
TGT: User
SMB
D/COM
Occasional PAC
Validation
TGS: Server
D/COM Dynamic
TCP
DC
2000+
DC
2000+
Network Interactions
(NTLM Network Logon)
Client
2000+
App Traffic
Server
2000+
In-band
NTLM
SMB
D/COM
Pass-through
NTLM
D/COM Dynamic
TCP
DC
2000+
DC
2000+
Network Interactions
(Basic/RDP Logon)
Client
2000+
App Traffic
Server
2000+
In-band
clear text
Kerberos
DC
2000+
DC
2000+
TGT: User
Active Directory Replication
ATTRIBUTE NOTES
Attribute Types
 string, integer, datetime, boolean, binary
 DN reference
 multivalue
 up to 5000 items
 linked multivalue
 unlimited, requires 2003 Forest Level
 backlink
 memberOf
 computed
 primaryGroupToken, tokenGroups, lastLogonTimestamp
 write/only attributes
 unicodePwd
Group membership
Sales
member
CN=Kamil,OU=London,DC=...
member
CN=Judith,OU=Paris,DC=...
Link
member CN=Victor,OU=London,DC=...
member
CN=Stan,OU=London,DC=...
Judith
Backlink
memberOf
CN=Sales,OU=Groups,DC=...
memberOf
CN=IS Access,OU=Groups,DC=...
(Not)replicated attributes
 Not replicated





logonCount
badPasswordCount
badPasswordTime
lastLogon
lastLogoff
 Replicated
 pwdLastSet
 lockoutTime
 lastLogonTimestamp (since 2003)
Logon timestamps (2003 DFL)
lastLogon
lastLogonTimestamp
11:00
DC
lastLogon
lastLogonTimestamp
11:00
11:00
11:38
DC
lastLogon
lastLogonTimestamp
9:00
DC
Client
-
lastLogonTimestamp
 Requires 2003 domain level
 Updated only once per 14-random(5) days
 DC=idtt,DC=local
 msDS-LogonTimeSyncInterval
 1+ – minimum without randomization
 5+ – randomization starts
 14 – the default
 ...
Password changes
Normal replication
Client
hash
PDC
Immediate
Replication
Password
Change
password
hash
DC
Normal replication
hash
Password changes
pwdLastSet
PDC
pwdLastSet
DC
pwdLastSet
DC
Client
pwdLastSet
DC
Authentication failures
pwd1
DC
pwd1
PDC
pwd1
DC
Client
Authentication failures
pwd1
DC
pwd2
PDC
pwd2
pwd2
DC
Client
Authentication failures
pwd1
pwd2
DC
pwd2
PDC
pwd2
DC
Client
Authentication failures
badPasswordCount
7
badPasswordCount
PDC
2
DC
lockoutTime
badPasswordCount
3
DC
badPasswordCount
DC
Client
2
Active Directory Client Interactions
DC LOCATION
Client Applications
 Kerberos and NTLM authentication
 Secure Channel
 password changes, NTLM pass-through, Kerberos
PAC validation
 Group Policy client
 DFS client
 Certificate Autoenrollment client
Client Applications
 NPS (IAS), RRAS, TMG (ISA), RD Gateway (TS
Gateway)
 group membership, Dial-In tab
 RD Host (Terminal Server)
 Remote Control tab etc., Licensing servers
 DHCP Server
 authorization
 IIS
 account and group membership for SSL certificate
authentication
 WDS
 computer MAC addresses or GUIDs
Connection Properties
 Bandwidth (Mbps)
 forget about this
 Latency (ms)
 round-trip-time (RTT)
 SMB, D/COM, SQL
 Packet Loss (per sec., per Mb)
 packet loss rate (PLR)
 VPN such as PPTP, SSTP, IP-HTTPS
Timeouts
 DNS
 primary DNS = 1 sec.
 secondary DNSs = 2 sec.
 ... 1 2 2 4 8 ...
 ARP
 ... 600 ms 1000 ms
 LDAP UDP Site Location
 600 ms
 TCP
 SYN = 21 sec. (3x retransmission)
 PSH/ACK = 93 sec. (5x retransmission)
 ... 3 6 12 24 48 ...
Basic DC location
 Know the DNS name of the domain
 Query general DNS DC SRV records
 _ldap._tcp.dc._msdcs.idtt.local
 Ping DC
 Windows 2003-
 LDAP UDP (ping) DC
 to get the client’s site/close site
DNS Domain Location
 Makes use of DNS round robin
 Site unaware lookup
 NSLOOKUP
 SET Q=SRV
 _ldap._tcp.dc._msdcs.idtt.local
 Site specific lookup
 NSLOOKUP
 SET Q=SRV
 _ldap._tcp.Paris._sites.dc._msdcs.idtt.local
Site Example – Single Site
DC1
DC2
DC3
DC5
DC4
Client
London 10.10.x.x
Site Example – Multihomed DC
(DNS Bitmask Ordering)
DC1
DC2
DC3
DC5
DC4
Client
Paris
10.20.x.x
London 10.10.x.x
Site Awareness
DC4
DC6
Paris
10.20.x.x
Roma
10.30.x.x
DC1
DC2
DC3
London
10.10.x.x
Anonymous
LDAP
UDP
where I am?
DC5
Client
Berlin
10.50.x.x
General Operation
 Use DNS to find generic DC list
 Ping selected DC
 Windows 2003-
 Anonymous LDAP (UDP) to determine site
 DC defines site from the request source IP address
(NAT?)
 Use DNS to find close DC in site
 Ping or LDAP UDP to determine availability
DC Locator
 NetLogon Service
 nltest /sc_query:idtt
 no network access
 nltest /sc_verify:idtt
 tries to authenticate with the DC
 nltest /sc_reset:idtt
 always performs new DNS lookup
 nltest /dsgetsite
 anonymous query against selected DC
DFS Client (MUP)
 Multiple UNC provider (MUP) driver
 Determines its own DFS server referrals
 obtains the list of DFS root servers from AD using
the default DC from Netlogon
 SYSVOL may be accessed from a different DC
 DFSUTIL /PKTINFO
 Windows Server 2003/Windows XP
 DFSUTIL CACHE REFERRAL
 Windows Server 2008/Windows Vista
Site Example – Empty Site
DC1
DC2
DC4
DC3
DC5
Paris
10.20.x.x
London
10.10.x.x
DC4
DC6
DC5
Berlin
10.50.x.x
Roma
10.30.x.x
Client
DC7
Cyprus
10.40.x.x
Automatic Site Coverage
 Each DC registers itself for its neighboring
empty sites
 HKLM\System\CurrentControlSet\Services\N
etlogon
 AutoSiteCoverage = DWORD = 1/0
 GPO: Sites Covered by the DC Locator DNS
SRV Records
Active Directory Troubleshooting
MISPLACED OR CONFUSED
CLIENTS
Site Example – Out of Site
DC1
DC2
DC4
DC3
DC5
Paris
10.20.x.x
London
10.10.x.x
Client
DC6
10.100.0.7
Roma
10.30.x.x
DC7
Cyprus
10.40.x.x
Berlin
10.50.x.x
Out-of-site clients
Out-of-site clients
Limiting generic DC list
 Limit creation of generic DC DNS records
 GPO: Computer Configuration –
Administrative Templates – System –
Netlogon – DC Locator DNS Records
 DC Locator DNS Records not Registered
 Ldap, Kdc
DC Stickiness
 When one close selected, client sticks to it
 even when moved into a different site
 must reset secure channel
 Force rediscovery interval GPO
 Vista+
 hotfix for Windows XP
 also registry value ForceRediscoveryInterval
Site Example – Moving Client
DC1
DC2
DC4
DC3
DC5
Paris
10.20.x.x
London
10.10.x.x
DC4
DC6
DC5
Berlin
10.50.x.x
Roma
10.30.x.x
Client
DC7
previously in
Paris
Cyprus
10.40.x.x
Active Directory Troubleshooting
CLIENT FAILOVER
Site Example – Failed DC
DC4
DC6
Paris
10.20.x.x
Roma
10.30.x.x
DC1
DC2
DC3
London
10.10.x.x
DC7
DC5
Client
Cyprus
10.40.x.x
Berlin
10.50.x.x
Non-close Site DC
 Close site
 client’s site
 next closest site if enabled
 If there is not DC available in the close site,
rediscovery every 15 minutes
 HKLM\System\CurrentControlSet\Services\Netlog
on\Parameters
 CloseSiteTimeout = REG_DWORD = x seconds
Site Example – Close Site
DC1
DC2
DC4
DC3
DC5
Paris
10.20.x.x
London
10.10.x.x
DC6
Berlin
10.50.x.x
Roma
10.30.x.x
DC7
Client
Cyprus
10.40.x.x
Try Next Closest Site
 First get any DC name from DNS
 Second query the DC for clients site name
 returns the clients site
 plus the closest site (determined by the DC)
 Then query DNS for DCs in its current site and
then tries to use the DCs
 If none responds, the client queries DNS for
its next closest site and tries to use the found
DCs
Try Next Closest Site
 Does not consider RODC sites by default
 Can be change in registry
 NextClosestSiteFilter
 Windows 2003- cannot return the next closest
site information
 problem if the hit “any DC” is Windows 2003 it is then going to be used regardless of its site
Client Rules Recap
 Windows 2003 In current site
 In any site
 Windows Vista+ with Next closest site
 In current site
 In the closest site
 In any site
 If the client is out of any site, find any dc
 consider creating subnets for VPNs etc.
Active Directory Client Interactions
SITE DESIGN
Site Link Design
Site Link Design (Better?)
Olomouc
London
Roma
Cyprus
Paris
Berlin
Site Link Design (Worse?)
Olomouc
Paris
London
Roma
Berlin
Cyprus
Active Directory Client Interactions
DNS INTEGRATION
DNS Integration
 Clients find DCs by domain/site name
 DCs find replication partners according to
their GUID
 Netlogon de/registers locator records
 DNS stores its data in
 domain partition
 DomainDnsZones application partition
 ForestDnsZones application partition
Netlogon de/registration
 Netlogon registers its own records at startup
and deregisters them at shutdown
 requires DNS registration enabled on at least one
network adapter
 %windir%\System32\Config\netlogon.dns
 It does not touch others’ records
 Autosite coverage
 turned on by default
AD Integrated Zones
 Offer Secure Dynamic Update
 Timestamping
 trimmed to whole hour
 Aging and scavenging
 records deleted by default between 14-21 days of
their age
DNS Application Partitions
 Domain partition
 CN=MicrosoftDNS,CN=System,DC=...
 DomainDnsZones
 replicated to all DNS Server which are also DCs for
the domain
 ForestDnsZones
 replicated to all DNS Server which are also DCs for
the forest
Secure Dynamic Update
 Client side feature
 DHCP Client on Windows 2003 DNS Client on Windows Vista+
 DNS Server must be on DC to authenticate
clients with Kerberos
 All Authenticated Users
 can create new records
 When a record is created, only the
creator/owner can modify/update it
Secure Dynamic Update
 Updates done regularly by clients
 every hour by default
 Default TTL is 20 minutes
 Disable DHCP dynamic updates
 insecure!
Dynamic Update
Primary DNS
3
Update
Secondary DNS
1
Secondary DNS
Client DNS
SOA
Secondary DNS
2
Adjust A/PTR Record TTL
Dynamic Update and
Replication
DNS
DNS
0 sec.
AD
0-3 min.
15-21 sec.
schedule
AD
Dynamic Update and
Replication
Dynamic DNS Update on RODC
 Each writable DC returns itself as a primary
DNS
 RODC returns either (random) writable DC as
the primary DNS
Dynamic DNS Update on RODC
Client
2
DNS
Upd
R/O
DNS
0 sec.
AD
RODC
1
SOA
Dynamic DNS Update on RODC
Client
R/O
DNS
DNS
0 sec.
replicateSingleObject
AD
0 sec.
0-3 min.
RODC
Time stamping/Aging
 Record Created
 timestamp trimmed to whole hour
 No-refresh period starts
 by default 7 days
 timestamp does not change if the record does not
change
 Refresh period follows
 by default next 7 days
 timestamp gets updated at the first update
Scavenging
 Server wide configuration
 Should be done by only one DNS Server as
best practice
 By default ocurres only once per 7 days
DNS Aging and Scavenging
 per-zone setting
 implemented by all
DNS servers
 timestamp updates
only during the refresh
interval
 limits replication traffic
DNS Aging and Scavenging
 per-server setting
 should be done only by
one of the DNS servers
DNS Aging and Scavenging
DNS Best Practice
DC1
DC2
AD
AD
DNS
DNS
DNS Waiting for AD
DNS Best-Practice Reasons
 Faster boot time without errors and timeouts
 Deregistration at shutdown is recorded in live
DNS Server
 would have problems replicate if sent into
shutting-down DC
Client DNS balancing
 Clients do not balance DNS servers
 queries/updates
 use the first one always if possible
 DHCP server does not use round robin
 Configuration must be done “manually”
 manual on servers
 more DHCP scopes for clients
Client DNS non-balancing
 Always alternate
DNS server
IP addresses
Client DNS non-balancing
Client1
DNS1
DNS1
DNS2
DNS2
Client2
Client3
DNS1
DNS1
DNS2
DNS2
DNS Client Settings
 HKLM\System\CurrentControlSet\Services\Tc
pip\Parameters
 Timetouts
 DNSQueryTimeouts
 Disjoint namespace on multihomed machines
 DisjointNameSpace
 PrioritizeRecordData
 GPO – DNS Suffix appending on Vista+
DNS Server UDP Pool
 After applying KB 953230, DNS Server
reserves 2500 UDP ports
 HKLM\System\CurrentControlSet\Services\D
NS\Parameters
 SocketPoolSize = DWORD = 2500
 DNSCMD /Config /SocketPoolSize 2500
DNS Cache Pollution
 server: idtt.com authoritative DNS server
 question: test.idtt.com, type A
 answer: no records
 authority answer:
 idtt.com SOA
 idtt.com NS ns37.domaincontrol.com
 ns37.domaincontrol.com A 216.69.185.19
Active Directory Troubleshooting
GENERAL BEST PRACTICE
General Best Practice
 Create and assign subnets for any possible




client IP
Limit the general (site unaware) DNS
registration of DCs
Enable Try next closest site and Force
rediscovery options
Enable DNS Aging and Scavenging
Alter clients’ DNS settings to rotate the DNS
server addresses
Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security |
[email protected] | www.sevecek.com |
THANK YOU!

similar documents