In this post, we look at some interesting ways to run Active Directory better and more securely. But it is also worth taking a look at the articles listed at the end of the text, in which we examine the individual points in more detail.
- Activate and check the Active Directory recycle bin
The recycle bin in Active Directory can be used to restore deleted objects when other options are no longer available. To make this possible, the AD recycle bin must be enabled. You should also check from time to time whether it is still enabled and whether deleted objects are actually being collected in it. Although the recycle bin cannot be deactivated once it has been enabled, its function should still be checked every now and then.
For example, the recycle bin can be enabled from the context menu of the forest in the Active Directory Administrative Center. If the recycle bin is active, the option to enable it is greyed out. The Active Directory Administrative Center collects deleted objects in the OU “Deleted Objects”.
- Protect important organizational units from deletion
By default, most organizational units are protected from accidental deletion. To do this, the “Protect object from accidental deletion” option is activated on the “Object” tab in the properties of the OU. If the checkmark is removed, the OU can be deleted again.
For the tab to be displayed, the “Advanced Features” option must be activated in the Active Directory Users and Computers console via “View”.
- Protect AD sites, important groups and users from deletion
The option to prevent accidental deletion can also be activated for other objects, including in the management of Active Directory sites and services. Of course, other objects can also be protected in this way, such as groups and user accounts. It is worth enabling this setting for particularly sensitive objects.
- Regular diagnosis of the domain controller and replication
Even if Active Directory is supposed to run stably, it makes sense to test the status of the domain controllers from time to time with “dcdiag” and “repadmin /showrepl”. With “dcdiag /v” a comprehensive analysis can be carried out, so problems in the domain are recognized very quickly. The execution takes only a few seconds. Reported errors can be entered into a search engine to find out how to correct the problem.
- Delete or deactivate accounts that are no longer required
User accounts that have not been used for a while should be deactivated or even deleted for security reasons. This closes a gap that attackers exploit by using accounts that are no longer required, and therefore no longer watched, to attack the domain.
- Configure and check time synchronization
For Active Directory to work, the time on the various servers must not diverge too much, especially on the domain controllers. It is therefore worthwhile to regularly check the time on the domain controllers and to check the time synchronization. The PDC emulator in the environment must also function correctly. The easiest way to check the time in the command prompt is with the “net time” command. With “net time \\<Computer>” the time can be queried over the network. This makes it easy to determine whether all servers and domain controllers are still running synchronously.
- Check operations master
The operations masters have an important task in Active Directory. The function of the operations master should be checked regularly. It is important that the domain controller, which is configured as the operations master, also works and is still available in the network.
- Check administrators group memberships
Administrators should periodically review which user accounts in your forest have administrator privileges. The best way to do this is to check the groups that can be found in Active Directory Users and Computers (dsa.msc) in the “Users” OU.
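The recycle bin, OU protection, stale account, replication, time and admin group checks from the sections above can be scripted in one read-only pass. The following PowerShell is an added example and not code from the original article; it assumes the RSAT ActiveDirectory module, a domain-joined session with read rights, and a 90-day inactivity threshold that is an assumption to adjust to your own policy.

```powershell
# Added example (not from the original article): read-only AD hygiene report.
# Assumes the RSAT ActiveDirectory module; 90-day threshold is an assumption.
Import-Module ActiveDirectory

$report = [ordered]@{}

# 1. Recycle bin: counts as enabled only if it has at least one enabled scope
$bin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$report['RecycleBinEnabled'] = [bool]($bin.EnabledScopes.Count -gt 0)

# 2. OUs that could be deleted by accident
$report['UnprotectedOUs'] = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object -ExpandProperty DistinguishedName

# 3. Enabled user accounts with no logon in the last 90 days (candidates to disable)
$report['StaleEnabledUsers'] = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object -ExpandProperty SamAccountName

# 4. Members of the high-privilege groups; -Recursive resolves nested groups
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$report['PrivilegedMembers'] = foreach ($g in $privGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { "$g : $($_.SamAccountName) ($($_.objectClass))" }
    } catch {
        # Enterprise Admins and Schema Admins only exist in the forest root domain
        "$g : lookup failed ($($_.Exception.Message))"
    }
}

# 5. Replication and time status of every domain controller
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$report['ReplicationFailures'] = foreach ($dc in $dcs) {
    # repadmin /showrepl reports broken links as "N consecutive failure(s)"
    $out = & repadmin /showrepl $dc 2>&1
    if ($out -match 'consecutive failure') { "$dc : replication errors reported" }
}
# w32tm /monitor prints one "NTP: <offset>" line per DC relative to the PDC emulator
$report['TimeOffsets'] = (& w32tm /monitor /computers:($dcs -join ',') 2>&1) -match 'NTP:'

$report
```

Run it from an elevated PowerShell on a management host; anything listed under UnprotectedOUs, StaleEnabledUsers or ReplicationFailures is a follow-up item, and PrivilegedMembers should match the documented list of admins.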
- Check Active Directory sites and subnets
The various sites and subnets can be found in the “Active Directory Sites and Services” snap-in. It should be checked regularly whether the subnets are still assigned to the correct sites and whether the domain controllers are still available. “nltest /dsgetsite” can be used on the command line to test whether a domain controller is assigned to its correct site. Below the individual sites, it should be checked whether the replication connections between the domain controllers still exist and are working.
- Check and clean up DNS databases
Name resolution plays an important role in Active Directory. On important servers, you should check from time to time with “nslookup” whether the domain controllers and other servers can still be reached. The DNS servers should also be checked. Outdated entries should be removed from the DNS zones. In addition, the settings of the DNS server should be checked regularly.