Microsoft Azure AZ-801 — Section 4: Secure a hybrid Active Directory (AD) infrastructure Part 2
32. Manage account security on a read-only domain controller (RODC)
Now I’d like to show you a couple of different ways that we could set up a RODC. All right. A read-only domain controller.
The first method I’m going to show you is known simply as prestaging a RODC. Now, this is the way you would do things if you have not yet set up the server that’s going to be your RODC, but you plan on setting one up in the future.
So, perhaps you are located in New York, but you’ve got an office in Birmingham, Alabama, that’s really small. It’s only got ten people, and you’re going to be, maybe, shipping a server down there, and you just want to be able to plug it in and have somebody step through configuring it real quick. Then you could do that. You wouldn’t even have to be present when this promotion occurs if you do what’s called prestaging.
So, let me show you how prestaging works. Here we are on NYC-DC1. This is our domain controller, and we’re going to open up Server Manager. Of course, you can click Start and go to Server Manager if you don’t know how to get in there. From there, we’re going to go to the Tools menu and open Active Directory Users and Computers. And from there you’ll notice you have the OU, the organizational unit, which is the folder here called Domain Controllers. And currently we only have one domain controller.
So, if we wanted to do what’s called prestaging a RODC, we can right-click that container, and you’ll see an option, Pre-create a Read-Only Domain Controller account. Now, remember you can’t just right-click anything; it’s got to be that Domain Controllers container. So, we’re going to click Pre-create a Read-Only Domain Controller account and click Next on the welcome screen. It asks which credentials you’re going to use to do this: specify the account credentials to use in the installation. I’m going to use my administrator credentials, the ones we’re signed in with, although you could specify alternative credentials if you want to. So, we’re going to click Next. It asks what you want the computer name to be. I’m just going to call it rodc-test, since this is just a demo anyway. I’m going to click Next, and it’s going to verify there’s not already a computer out there named rodc-test. There cannot be a computer out there with this name right now. Remember, this is prestaging; you’re setting this up before you even have a server configured yet. Then it asks which site you want to go with. I’m not explaining Active Directory sites right now, so we’re just going to go with the default site. The site would be the location: technically, if you had a location in Birmingham, Alabama, you might have a Birmingham site and you would specify that, but I’m not going to explain that right now. Next. It’s going to check DNS information, essentially verifying whether there’s already a DNS name or a certain IP address or something that goes with this name, and if so, it will pop that up.
Of course, you can also speed this process up by disabling your network adapter. It won’t take as long, and sometimes I get annoyed by how long it takes. So, if I want to get this done quickly, I’ll go right here to Ethernet, Change adapter options, disable the NIC real quick and then re-enable it. That will trigger it to finish a little quicker. As you can see, it’s done now. Sometimes it can take like 5 minutes to finish, and this way it just skips searching DNS a whole lot.
Do you want to put DNS on the RODC? You can. Do you want it to be a global catalog server? You can. I’m not going to make it a DNS server, but I will allow it to be a global catalog. I’m going to go ahead and click Next. All right.
So, this is important right here. This is very important. It says, “The user or group that you specify will be able to attach a server to the RODC account that you are creating now and complete the RODC installation. They will also have local administrative privileges.”
So, imagine I’m in New York City and we have that Birmingham, Alabama office with just ten people who are all salespeople, so they’re not IT-savvy people. However, I could specify one of their names. Let’s say it’s the sales manager, whoever that is, and I could give them admin privileges just locally on this server so they can help me configure it once we have the server in that office. Literally, what I want to happen is for somebody to basically just plug the server in, and they’ll be able to install AD DS with these admin privileges and it’s going to finish doing everything. They’re not going to have to configure anything. All they’ve got to do is a couple of clicks and it’s going to finish. So, that’s what this is going to do: it gives an account the authority to do that. Now, in my case, I’m just going to put myself in there. But in the real world, if you had somebody in that office you wanted to point to, you could. At that point, I’m going to click Next, and we’re going to click Next again. And we’ve officially created a little prestaged RODC account.
So, at that point, you would be able to set up a server, and as long as you named it rodc-test and joined it to the domain, that person in that office could log in with their credentials and finish the setup. All they’ve got to do is a couple of clicks and it’s officially set up.
This was, you know, in the earlier 2000s, considered beneficial, having this kind of setup. To be honest with you, almost nobody ever uses this anymore to set up a RODC. Most everybody, if they’re going to set up a RODC, will do it remotely using Remote Desktop, or they’ll just install the RODC locally and ship the server down to the office, and that would be an easy way to deal with it. Okay.
Alternatively, something else I want to show you here. You’ll notice the little black arrow pointing down. That’s just to indicate that no server has occupied this account yet; you’ll notice it says Unoccupied. So, no server has taken control of it yet. But the other thing I want to show you: if we right-click this object and go to Properties, you’re going to see the Password Replication Policy. This is where I can specify which accounts it’s going to cache for password authentication in that office. Currently, it’s going to deny everybody except one group. So, if I had a salesperson, I could put that salesperson into this Allowed RODC Password Replication Group, and for anybody that’s in that group, it’s going to synchronize their password unless they’re an admin, unless there’s a deny.
So, I don’t have any additional users, but I’ll show you. I’ll just create one real quick. We’ll call this user John Smith. The logon name is going to be just johnsmith. Let me put a password in for the user, and we’ll make the user change the password. Right now, we’re going to put John Smith in that group. Let’s go right here to John Smith, click Member Of, and do a quick search for the word “password”. Easiest thing to do is just say Find Now, all right? And you’ll see Allowed RODC Password Replication Group. So, we’re going to double-click on that, click OK, and he’s now a member of that group. So, maybe John Smith is in that Birmingham office, and he is, maybe, a sales manager or something. Since he’s in that group, it’s going to cache his credentials. So, that is how you configure a RODC so that it will cache somebody’s credentials.
The other way that you could have done this is just to go straight over to the server. So, I have NYC-SVR1 right now, and I could jump over to that server. Let’s jump over. Here we are. This is NYC-SVR1. It is not a domain controller. I could go ahead and say Manage, Add Roles and Features. Next, Next, Next. And we’re going to install Active Directory Domain Services just like we would for a normal domain controller. So, Next, Next, Next, and Install. We’ll give that a moment and let it install. Once AD DS is done installing, you can just click OK. At that point, we’re going to go up to this little warning symbol and click Promote this server to a domain controller. It’s going to say Add a domain controller to an existing domain. A RODC, of course, is going to be joined to an existing domain, so that is definitely the option we go with. From there, we’re going to go ahead and click Next.
Now, warning! If you’re doing this with me and you get an error message just trying this out, it usually means that your computer is no longer pointing to the domain controller for DNS. So, what you need to do is jump over to the domain controller, go to a command prompt, run ipconfig and find out what the address of your domain controller is. Jump back over to the server, go up here to Local Server, go over to your Ethernet entry (Assigned by DHCP), click on that, go to the Properties of your adapter and verify that you’ve got the correct address, the domain controller’s, in right here. It’s very important. If you don’t, you’re going to get an error. That’s if you’re doing this with me.
So, we could have DNS installed on this machine. We could have a global catalog. And this is where we can choose RODC, right here. So, at that point, we choose RODC and set the Directory Services Restore Mode password, just like we’ve done before. We can click Next. It says, “Accounts that will be allowed to replicate”: go ahead and specify the accounts whose passwords are going to be replicated and cached, if we want. Then, do you want to replicate from any domain controller? That’s fine.
By the way, if you have a backed-up copy of Active Directory, you can choose Install from media, which lets you specify that backed-up copy. That’s a great way to save time if you’re replicating a large database across a slow connection. If you had a copy of the directory on a flash drive, even if it’s an out-of-date copy, it will update once it’s done.
So, I’m going to go ahead and click Next. Now, we specify our database and log locations, and at that point we’re officially ready to pull the trigger. It would do the prerequisite check, we’d click Install, and we’ve got ourselves a RODC. I’m not actually going to do that to this server because I have other uses for it. But now you’ve seen exactly how you can set up a RODC server.
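Here is how those same prestaging and Password Replication Policy steps look in PowerShell, as an added example rather than the course’s own script. It assumes a writable DC like NYC-DC1 with the ADDSDeployment and ActiveDirectory modules; the domain name, site, delegated account and johnsmith are assumed values.

```powershell
# Added example, not the course's own script: the prestaging and Password
# Replication Policy steps from this lesson as PowerShell, run on a writable DC
# such as NYC-DC1. Domain name, site and delegated account are assumptions.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

$domain   = 'corp.contoso.com'          # assumed domain
$rodcName = 'rodc-test'                 # same name the lesson uses
$site     = 'Default-First-Site-Name'   # the default site, as in the lesson
$delegate = 'CORP\bhmsalesmgr'          # assumed: the on-site person in Birmingham

# 1. Prestage the RODC account (the GUI's "Pre-create a Read-Only Domain
#    Controller account"). $delegate can later attach a server named rodc-test
#    and finish the promotion with local admin rights only, no Domain Admin.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodcName `
    -DomainName $domain `
    -SiteName $site `
    -DelegatedAdministratorAccountName $delegate `
    -InstallDns:$false             # no DNS on the RODC; global catalog stays on

# 2. Password Replication Policy: only members of the Allowed group get their
#    secrets cached on the RODC, and a Deny entry always wins over an Allow.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members 'johnsmith'

# 3. Review the policy, and what the RODC has actually cached. If the box in
#    the remote office is ever stolen, the "revealed" list is the set of
#    accounts whose passwords you reset.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

# 4. On the server itself (NYC-SVR1 in the lesson), the delegated admin attaches
#    it to the prestaged account. Without step 1 you would promote it directly
#    with -ReadOnlyReplica instead, which is the second method the lesson shows.
# Install-ADDSDomainController -DomainName $domain -UseExistingAccount `
#     -Credential (Get-Credential) `
#     -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
```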
33. Harden domain controllers
Let’s go over the concepts now of hardening a domain controller. Besides the common-sense stuff, like keeping the domain controller updated, limiting physical access to it, and making sure that only certain admins have the ability to log on to it, the other big thing to look at would be policies. There are group policies that we can implement that can strengthen the defenses of a domain controller. And this goes back to the problem that domain controllers have been around now for decades, and some of them have just been upgraded over the years. Some of these old settings, from the 1990s even, could still be enabled on our domain controllers. So, we want to make sure that we check certain criteria to make sure that our domain controllers are strengthened against certain types of attacks.
So, let me show you a little bit about how we’re going to do that. Here we are on my NYC-DC1. I’m going to open up Server Manager, then go to Tools and Group Policy Management. The first thing to be aware of here is that you have a GPO dedicated to your domain controllers, which is this guy right here, and that’s really what you want to focus on: that GPO is linked to your Domain Controllers OU, which of course affects all of your domain controllers. So, we’re just going to edit that GPO. What we want to focus on is under Computer Configuration, Policies, Windows Settings, and then underneath this Security Settings area here. From there you have Local Policies and then Security Options. These are the types of things that you want to be thinking about in regards to your domain controllers. So, you want to educate yourself on some of these policies, on some of the things that you might want to allow or disallow for your users.
Another thing, though, is User Rights Assignment. This gets into who has privileges over your domain controllers to do whatever it may be. Right now, you’ll notice that it says the Everyone group has the right to access this computer from the network. So, you might want to take away that Everyone group; you might not want to allow Everyone on that right. That’s a consideration. Take off the Everyone group, you might say. Well, would that stop regular users from authenticating to the domain? No, regular users would still be able to authenticate to the domain controller, but you wouldn’t allow anonymous connections to even touch that domain controller. That’s just an example. Add workstations to domain: right now, Authenticated Users can add workstations to the domain. Actually, one thing they don’t tell you is that a regular user can join up to ten computers to the domain. An individual user can do that. Believe it or not, you might not want regular users doing that, so you might want to make it so only admins can do that. What about things like Allow log on locally? Right now you can see that all of these groups here can do that. Arguably, you could say, well, I only want administrators and, maybe, Backup Operators so they can back data up. So, you might want to remove everything except Administrators and Backup Operators.
And then things like Change the system time. I might not want Server Operators doing that. I might only want LOCAL SERVICE, which you have to allow because the system needs to be able to change its own time, and then the administrators. Why is it such a problem for anybody to change the system time? The reason it’s a problem is Kerberos. Kerberos only allows a five-minute leeway period. You won’t see that in this policy; it’s actually the Kerberos Policy set in the domain policy here. If you look under Security Settings and then Account Policies, in the Kerberos Policy you can see it gives a five-minute leeway period. That basically means that if somebody’s clock is off by more than 5 minutes in either direction, that person cannot log on, whether it’s a server, which won’t be able to authenticate, or a client operating system. If it’s more than 5 minutes off, the person will not be able to log on. This is why you don’t want people messing with the time.
Now, one thing people ask me sometimes is, well, what about time zones? Are time zones going to affect this? Absolutely not. Time zones don’t matter when it comes to this. They do not affect this at all. All right. So, let’s go back over here. So, you’ve got all these various options here. How about things like, let’s see, Deny access to this computer from the network? You might want to deny the Guests group here; we might not want guest users ever accessing it across the network. Force shutdown from a remote system: let’s see, right now Server Operators can do that, but I might only want admins being able to do that. All right. Let’s jump back over to Security Options. One of the big ones is down here under Network security. Let me find it. Okay, here it is right here: LAN Manager authentication level. LAN Manager is the old protocol from back in the 1990s. There are even some cases where there are some services left over from the eighties, from back in the DOS LAN Manager days. And of course, when NT came out, they came out with NT LAN Manager, NTLM. But right now Windows could potentially communicate with legacy systems. So, what they recommend you do is choose this option right here: Send NTLMv2 response only. Refuse LM & NTLM. That means it’ll still allow what’s called NTLMv2, but it will not communicate using LM and NTLM.
So, that adds a layer of security. And by the way, I’m purposely not changing any of this stuff right now. I don’t want to affect anything on this domain controller at the moment because I’m going to be doing some other demonstrations. I’m just showing you what you would consider implementing in an environment and the kinds of things Microsoft really wants you to think about when it comes to hardening a domain controller. That’s why you’ll notice I’m not actually clicking OK on any of this. But anyway, that NTLM setting is obviously something to keep in mind as well.
Let’s see, we have Network security: Restrict NTLM. I was looking for the Audit one. Yes, there it is: Audit Incoming NTLM Traffic. This is one that you would generally want to turn on. This turns on auditing, and it’s going to show you if anybody’s trying to authenticate using the older standards. So, enable auditing for domain accounts or for all accounts, all accounts being the better one. That way, if we go over to Event Viewer (right-click Start, go to Event Viewer), your audit log, your security log, will pick up on this, and you’ll have log entries that show up right here for anything that’s trying to authenticate. I’ve got a lot of log entries right now, so it’s taking a while to pop up, but that’s basically where those log entries will show up. So, definitely turning on auditing is usually a good idea.
Anyway, one thing you want to think about in the real world when it comes to securing this is familiarizing yourself with some of these policies. I mean, there are actually thousands of policies, but hundreds when you start getting into the security side of securing a DC. So, it’s impossible to explain every one of these right now, but you can familiarize yourself with some of the list here. You can double-click on them; some of them are pretty self-explanatory, but they do have an Explain tab that’ll help you understand it. But anyway, these two areas here are the two big areas you want to think about, and that’s what I want you to remember. There are actually three things I want you to remember from this. First, it’s the Default Domain Controllers Policy GPO that you would want to edit for domain controllers. The second and third things I want you to remember are under these Security Settings, and they are the two main areas: User Rights Assignment, which is the rights people have, and Security Options, which involves the different security features you turn on and off. All right. So, that is hopefully going to give you an idea of how we can harden the DCs in Active Directory.
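Since the lesson deliberately doesn’t change anything, here is an added PowerShell example (not the course’s own script) that only reads the settings discussed above and prints each one beside the recommendation given: the User Rights Assignment entries via a secedit export, the LAN Manager level and NTLM audit values from the registry, and the ten-computers-per-user quota. It assumes it is run locally on a DC such as NYC-DC1 with administrator rights and the ActiveDirectory module.

```powershell
# Added example, not the course's own script: a read-only report of the DC
# hardening settings this lesson walks through. Run locally on a DC such as
# NYC-DC1 as an administrator; it changes nothing.
Import-Module ActiveDirectory

# --- User Rights Assignment: export the effective policy with secedit ---------
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$rights = @{}; $inPriv = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inPriv = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inPriv -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $name = $Matches[1]; $vals = $Matches[2]
        # Values are comma-separated SIDs prefixed with '*' (or plain names);
        # translate SIDs to account names so the report is readable.
        $rights[$name] = $vals.Split(',') | ForEach-Object {
            $v = $_.Trim()
            if ($v -notlike '*S-1-*') { return $v }
            try {
                ([System.Security.Principal.SecurityIdentifier]($v.TrimStart('*'))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }
        }
    }
}
Remove-Item $cfg -Force

# Rights the lesson calls out, keyed by privilege constant, with its guidance.
$watch = [ordered]@{
    SeNetworkLogonRight       = 'Access this computer from the network: drop Everyone'
    SeDenyNetworkLogonRight   = 'Deny access to this computer from the network: add Guests'
    SeMachineAccountPrivilege = 'Add workstations to domain: admins only'
    SeInteractiveLogonRight   = 'Allow log on locally: Administrators, Backup Operators'
    SeSystemtimePrivilege     = 'Change the system time: LOCAL SERVICE + admins (Kerberos 5-min skew)'
    SeRemoteShutdownPrivilege = 'Force shutdown from a remote system: admins only'
}
foreach ($k in $watch.Keys) {
    "{0}`n  guidance:  {1}`n  currently: {2}" -f $k, $watch[$k], (@($rights[$k]) -join ', ')
}

# --- Security Options: LAN Manager level and NTLM auditing -------------------
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
# LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
"LmCompatibilityLevel = {0} (want 5; blank means OS default)" -f $lsa.LmCompatibilityLevel
# AuditReceivingNTLMTraffic: 1 = domain accounts, 2 = all accounts (the better one).
"AuditReceivingNTLMTraffic = {0} (want 2)" -f $msv.AuditReceivingNTLMTraffic

# --- The "ten computers per user" default the lesson mentions ---------------
$dn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = {0} (set to 0 if only admins should join computers)" -f $quota
```

The NTLM audit events themselves land in the Microsoft-Windows-NTLM/Operational log under Applications and Services Logs, which you can read with Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' once the audit setting is on.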