Active Directory Audit Compliance Experts
Miles Consulting Corp's Active Directory consulting team can guide your organization
in making the best use of the Windows Server 2008 Active Directory Domain Services (AD DS)
features covered below: auditing that records the changes made to Active Directory objects,
fine-grained password policies that remove the restriction of a single password policy per
domain, the GlobalNames zone, and a directory service that can be stopped and restarted
without rebooting the domain controller.
Fine-Grained Password Policies
Fine-grained password policy removes the restriction of a single password policy per domain:
different sets of users in the same domain can be given different password and account
lockout settings.
Attributes set on a Password Settings Object (PSO):
- Precedence (msDS-PasswordSettingsPrecedence)
- Password settings: minimum length, history, complexity, minimum and maximum age, reversible encryption
- Account lockout settings: threshold, duration, observation window
- Distinguished names of the users and/or global security groups the settings apply to (msDS-PSOAppliesTo)

PSOs are stored in the Password Settings Container:
CN=Password Settings Container,CN=System,DC=northwind,DC=com

At user logon and password change, the DC checks whether a PSO has been assigned to the
user; the PSO that wins is exposed on the user object as the constructed attribute
msDS-ResultantPSO.
Requires the Windows Server 2008 domain functional level (every domain controller in the
domain running Windows Server 2008 or later).

A PSO overrides the password and account lockout settings of the Default Domain Policy for
the users it applies to.
If more than one PSO applies to a user, a PSO linked directly to the user object wins over
any PSO linked through group membership; among the remaining candidates the lowest
precedence number wins, and a tie is broken by the lowest objectGUID. Only one PSO ever
applies to a user; settings from different PSOs are never merged.

A PSO linked to a group applies to every user who is a member of that group.

Groups must be global security groups. A PSO cannot be linked to an OU, a distribution
group, or a domain local or universal group; to cover an OU, put its users in a global
security group (a "shadow group") and link the PSO to that.
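The procedure above (create a PSO, link it to a global security group, confirm which PSO the DC will enforce), as an added PowerShell example that is not part of the original page. It assumes the ActiveDirectory module (Windows Server 2008 R2 or the RSAT equivalent; on Windows Server 2008 itself the same objects are created with ADSI Edit or ldifde) and a domain at the Windows Server 2008 functional level; the PSO name, the group GG-ServiceAccounts and the user svc-backup are hypothetical.

```powershell
# Added example, not from the page. Assumes the ActiveDirectory module; all names are hypothetical.
Import-Module ActiveDirectory

# Precedence 10: when a user is in scope of several PSOs the lowest number wins
# (a PSO linked directly to the user beats any group-linked PSO regardless of number).
New-ADFineGrainedPasswordPolicy -Name "PSO-ServiceAccounts" -Precedence 10 `
    -MinPasswordLength 24 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "365.00:00:00" `
    -LockoutThreshold 10 -LockoutObservationWindow "00:30:00" -LockoutDuration "00:30:00" `
    -ProtectedFromAccidentalDeletion $true

# Subjects must be user objects or global security groups; a domain local, universal or
# distribution group is not honored. An OU needs a "shadow group" of its users instead.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-ServiceAccounts" -Subjects "GG-ServiceAccounts"

# PSOs live under CN=Password Settings Container,CN=System,<domain DN>; list every PSO with
# its precedence and the DNs it is linked to.
$psoContainer = "CN=Password Settings Container,CN=System," + (Get-ADDomain).DistinguishedName
Get-ADObject -SearchBase $psoContainer -Filter 'objectClass -eq "msDS-PasswordSettings"' `
    -Properties "msDS-PasswordSettingsPrecedence", "msDS-PSOAppliesTo" |
    Select-Object Name, "msDS-PasswordSettingsPrecedence", "msDS-PSOAppliesTo"

# What the DC will actually enforce for one user (reads the constructed msDS-ResultantPSO
# attribute). No output means no PSO applies and the Default Domain Policy is in force.
Get-ADUserResultantPasswordPolicy -Identity "svc-backup"
```

The last call is the check worth scripting across all privileged and service accounts: a user who is expected to be under a strict PSO but comes back empty (or under a weaker PSO with a lower precedence number) has fallen back to the domain default without anyone noticing.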
GlobalNames Zone
DNS-based resolution of single-label, static, global names for servers and services, an
alternative to WINS.
- All authoritative DNS servers for a domain must be running Windows Server 2008 to
provide GlobalNames support for clients, and support must be enabled on each of them
(it is off by default)
- Implemented as a regular forward lookup zone, which must be named "GlobalNames"
- The GlobalNames zone should be Active Directory integrated and replicated forest-wide
- The GlobalNames zone is populated manually with CNAME records that map each
single-label name to the server's fully qualified domain name
Complex Single-forest or Multiple-forest deployments require additional DNS configuration
for GlobalNames functionality.
Authoritative DNS servers that also hold a copy of the GNZ check the GNZ before their
local zone data when answering a query (the default query order; it can be reversed per
server).

No client DNS suffix changes are required: clients keep sending single-label queries
exactly as before, and the DNS server answers them from the GNZ.
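The four deployment steps listed above, as an added PowerShell example that is not part of the original page. It uses the DnsServer module (Windows Server 2012 or later) and gives the Windows Server 2008 dnscmd equivalent of each step in a comment; the server dc01.northwind.com, the host web01.northwind.com and the alias "intranet" are hypothetical.

```powershell
# Added example, not from the page. DnsServer module cmdlets with dnscmd equivalents in
# comments; server, host and alias names are hypothetical.
$dns = "dc01.northwind.com"

# 1. GlobalNames support is off by default and must be switched on at every authoritative
#    DNS server, or clients served by that server get no single-label answers.
#    2008 equivalent: dnscmd dc01.northwind.com /config /enableglobalnamessupport 1
Set-DnsServerGlobalNameZone -Enable $true -ComputerName $dns

# 2. Create the zone: AD-integrated, forest-wide replication, named exactly "GlobalNames".
#    2008 equivalent: dnscmd dc01.northwind.com /zoneadd GlobalNames /dsprimary /dp /forest
Add-DnsServerPrimaryZone -Name "GlobalNames" -ReplicationScope Forest -ComputerName $dns

# 3. Populate it by hand: the single-label alias is a CNAME to the host's FQDN.
#    No A records belong in this zone; the real address stays in the normal forward zone.
#    2008 equivalent: dnscmd dc01.northwind.com /recordadd GlobalNames intranet CNAME web01.northwind.com
Add-DnsServerResourceRecordCName -ZoneName "GlobalNames" -Name "intranet" `
    -HostNameAlias "web01.northwind.com" -ComputerName $dns

# 4. Verify: the bare name resolves through the GNZ with no change to the client's
#    suffix search list. Expect a CNAME to web01.northwind.com followed by its A record.
Resolve-DnsName -Name "intranet" -Server $dns

# Audit which names are published globally; every entry here is reachable by a
# single-label name from anywhere in the forest, so review it like a WINS database.
Get-DnsServerResourceRecord -ZoneName "GlobalNames" -RRType CName -ComputerName $dns |
    Select-Object HostName, @{ n = "Target"; e = { $_.RecordData.HostNameAlias } }
```

Step 1 is the one most often missed: the zone replicates to every DC that runs DNS, but the per-server enable flag does not, so a DNS server added later answers single-label queries with NXDOMAIN until the flag is set on it too.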
Restartable Active Directory Service
Active Directory Domain Services (AD DS) in Windows Server 2008 can be stopped and started
like any other Windows service, from the Services MMC snap-in or from the command line
(net stop ntds / net start ntds), without rebooting the domain controller.
Stop/Start DS without Reboot
While AD DS is stopped, the DC behaves like a member server as long as another DC can be
contacted: that DC services logons, and normal Group Policy is applied.
Stopping or restarting AD DS requires membership in the built-in Administrators group on
the DC.

If no other DC can be contacted, an administrator can still log on with cached domain
credentials or with the Directory Services Restore Mode (DSRM) administrator account.

Reduces the time required for offline operations such as offline defragmentation or an
integrity check of the NTDS database, since no reboot into DSRM is required.
Directory Service States
AD DS Started (normal operation)
AD DS Stopped (Ntds.dit offline; the server behaves like a member server)
Directory Services Restore Mode (DSRM; the server is booted into a safe-mode variant with
the directory offline)
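The stop, offline work and restart described above, as an added PowerShell example that is not part of the original page. It is meant to run elevated on the DC as a member of the built-in Administrators group; the domain northwind.com is hypothetical, and the ntdsutil lines are shown as comments because they are the offline task itself rather than the restart procedure.

```powershell
# Added example, not from the page. Run elevated on the DC; the domain name is hypothetical.

# Make sure another DC is reachable first, otherwise logon after the stop relies on cached
# credentials or the DSRM administrator account.
nltest /dsgetdc:northwind.com /avoidself

# Record which services depend on NTDS and are running (Kerberos KDC, DNS Server when
# AD-integrated, DFS Replication, Intersite Messaging); they stop with it and do NOT come
# back on their own when NTDS is started again.
$dependents = Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -eq 'Running' }
$dependents | Select-Object Name, Status

# Stop the directory service: Ntds.dit goes offline and the box behaves like a member server.
# Windows Server 2008 command-line equivalent: net stop ntds /y
Stop-Service -Name NTDS -Force

# The offline task, for example an integrity check or an offline defragmentation:
#   ntdsutil "activate instance ntds" files integrity quit quit
#   ntdsutil "activate instance ntds" files "compact to C:\Temp\NTDS" quit quit

# Bring the directory back (net start ntds), then the dependents that were running before.
Start-Service -Name NTDS
$dependents | Start-Service

# Confirm the DC is serving again and that replication with its partners is healthy.
dcdiag /test:Services /test:Replications
```

Restarting the dependents explicitly is the part that matters operationally: a DC whose NTDS is back but whose KDC is still stopped will authenticate nobody and will not show up as broken in a simple service check on NTDS alone.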
Audit Object Changes
Active Directory (AD DS and AD LDS) in Windows Server 2008 can log changes made to
directory objects, recording the old and new values of modified attributes rather than
only the fact that an access occurred (the Directory Service Changes audit subcategory;
Security log events 5136 modify, 5137 create, 5138 undelete, 5139 move and 5141 delete).
Audit Controls
Global audit policy: the Directory Service Changes subcategory under Audit directory
service access. It enables change logging in general; nothing is logged for an object
without the next control.
Security audit entries (SACLs) on the objects or OUs to be monitored: these select which
objects, principals and operations generate events.
Schema: the searchFlags attribute of an attribute definition can be set (bit 0x100,
NEVER_AUDIT_VALUE) to keep that attribute's values out of the log.
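The three audit controls above, applied in order and followed by a reader for the resulting events, as an added PowerShell example that is not part of the original page. It assumes the ActiveDirectory module for the AD: drive and schema query, is run elevated on a DC, and uses a hypothetical OU=Servers in the domain northwind.com; the event IDs and data field names are those of the Windows Server 2008 Directory Service Changes events.

```powershell
# Added example, not from the page. Assumes the ActiveDirectory module; the OU is hypothetical.
Import-Module ActiveDirectory

# 1. Global audit policy: enable the Directory Service Changes subcategory, which is what
#    produces old-value/new-value events (5136 and friends) instead of bare access events.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. SACL on the object: audit successful writes, child creation/deletion and ownership or
#    DACL changes on an OU and everything beneath it, for any principal.
$ou  = "AD:\OU=Servers,DC=northwind,DC=com"
$acl = Get-Acl -Path $ou -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]"Everyone",
    [System.DirectoryServices.ActiveDirectoryRights]"WriteProperty, CreateChild, DeleteChild, Delete, WriteDacl, WriteOwner",
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $ou -AclObject $acl

# 3. Schema: searchFlags bit 0x100 (NEVER_AUDIT_VALUE) on an attribute definition suppresses
#    logging of that attribute's values. List what already carries it before trusting the
#    audit trail; an attacker with schema admin rights could add the bit to hide changes.
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -Filter 'objectClass -eq "attributeSchema"' -Properties lDAPDisplayName, searchFlags |
    Where-Object { $_.searchFlags -band 0x100 } |
    Select-Object lDAPDisplayName, searchFlags

# Read the change events back. Fields are pulled by name from the event XML rather than by
# position, so the same code works for modify (5136), create (5137), move (5139), delete (5141).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141 } -MaxEvents 50 |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Who       = $d['SubjectUserName']
            Object    = $d['ObjectDN']
            Attribute = $d['AttributeLDAPDisplayName']   # empty for create/move/delete
            Value     = $d['AttributeValue']
        }
    } | Format-Table -AutoSize
```

Both the policy and the SACL are required: with the subcategory enabled but no SACL on the OU the log stays empty, and with a SACL but the subcategory disabled the DC records nothing either. The schema query is the check to run periodically, because the NEVER_AUDIT_VALUE bit is a legitimate setting (it is how large or sensitive attributes are kept out of the log) and therefore blends in when misused.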