Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to back up AD (Active Directory)?
To back up AD, you must back up the System State data.
What data does System State contain?
System State contains:
- AD database (including the other files in the NTDS folder) (only on a DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) (only if a Certificate Authority server is installed).
- Cluster Service database (only if a Failover Cluster server is installed).
- COM+ class registration database.
- File system junctions.
- Group Policy settings (only on a DC).
- IIS (Internet Information Services) metabase (only if an IIS server is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, and logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on a DC).
What are the AD Restore types?
There are two AD Restore types:
- Non-Authoritative Restore (D2 restore).
- Authoritative Restore (D4 restore).
What is a Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method of restoring AD and is used when AD data is lost or corrupted.
- It restores a DC to its state at the time of the backup. After the DC is restored, its local copy of SYSVOL is compared with that of its replication partners. After the DC restarts, replication brings any newer changes to it, so the restored DC becomes up to date with the other DCs in the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is an Authoritative Restore of AD?
- An Authoritative Restore restores the DC from backup and, after the necessary configuration is done, AD marks the local SYSVOL as authoritative and replicates it to the other DCs in the domain.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can restore just that object.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- An Authoritative Restore requires the ntdsutil utility.
- An Authoritative Restore is most often needed when human error is involved, for example when an administrator accidentally deletes objects, that deletion has already replicated to the other DCs, and the objects cannot be recreated easily.
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special boot mode used for repairing or recovering AD.
- It is used to log on to a DC when AD has failed or needs to be restored.
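As an added example (not part of the original page), the command sequence that performs the System State backup, the DSRM boot, and the two restore types described above, run from an elevated PowerShell prompt on a DC. The backup drive E:, the backup version id, the OU distinguished name and the "Sales" OU are placeholders.

```powershell
# Added example, not from the original page. Drive letter, backup version
# and the OU distinguished name below are placeholders.

# 1. Back up System State (AD database, SYSVOL, registry, boot files, ...)
#    to a dedicated volume. Run this regularly and before risky changes.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 2. When a restore is needed, boot the DC into DSRM. Setting the safeboot
#    flag and rebooting avoids having to press F8 during startup.
bcdedit /set safeboot dsrepair
Restart-Computer

# --- after the reboot, log on with the DSRM administrator password ---

# 3. List the available backup versions and restore System State from one.
#    On its own this is a Non-Authoritative (D2) restore: after the next
#    normal boot, replication partners bring the DC back up to date.
#    (Add -authsysvol if SYSVOL itself must be marked authoritative.)
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:01/01/2024-03:00 -backupTarget:E: -quiet

# 4. For an Authoritative (D4) restore of a deleted OU, mark the subtree
#    authoritative with ntdsutil BEFORE rebooting. ntdsutil raises the
#    version numbers of the restored objects so they win replication
#    against the deletion on every other DC. It asks for confirmation.
ntdsutil "activate instance ntds" "authoritative restore" `
         "restore subtree OU=Sales,DC=corp,DC=example" quit quit

# 5. Clear the DSRM boot flag and reboot normally. The restored objects
#    then replicate out to the other DCs in the domain.
bcdedit /deletevalue safeboot
Restart-Computer
```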
Active Directory - Security
Knowledge Base Questions & Answers
What are AD (Active Directory) permissions?
- AD (Active Directory) permissions are the rights and privileges granted to Users, Groups, or Computers in AD.
- They determine what actions can be performed on objects, such as reading, writing, creating, deleting, modifying, or having full control.
- Example: user Bob needs to be able to reset passwords for user accounts in a specific OU (Organizational Unit). To grant Bob this permission, you assign him the “Reset Password” permission in the OU’s Access Control List.
What is “Access Control,” and how is it implemented?
- “Access Control” is the management of the permissions and privileges of Users, Groups, and Computers.
- It uses ACEs (Access Control Entries) to define and enforce permissions on AD objects.
- You configure permissions and privileges on the object itself.
- Example: you have a folder “First1”. On the folder itself you configure who can access it and what they are allowed to do with it.
What is Authentication?
- Authentication is the process of verifying the identity of a user or entity accessing a system or resource in AD.
- It ensures that the provided credentials are valid and trustworthy.
What is the role of Authorization?
- Authorization determines what actions or operations an authenticated user or entity can perform on a resource in AD.
- It involves granting or denying access based on assigned permissions and security policy.
What is Kerberos authentication?
- Kerberos authentication is a secure method used in AD to verify the identity of Users and Services.
- It protects against password-based attacks and enables SSO (Single Sign-On).
What is “AD DS (Active Directory Domain Services) Auditing,” and how is it implemented?
- “AD DS (Active Directory Domain Services) Auditing” is the process of monitoring and recording events in AD.
- It helps track user activities, changes to AD objects, and access attempts for security and compliance purposes. For example:
  - User logon and logoff events.
  - Changes to user accounts, group memberships, and passwords.
  - Creation, modification, or deletion of AD objects.
- “AD DS Auditing” is implemented by creating and configuring an “Auditing GPO (Group Policy Object).” This GPO defines the specific events and activities that are monitored and recorded for security and compliance purposes.
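As an added example (not part of the original page), a script that reads the Security-log events an Auditing GPO produces for the activities listed above and summarises the last 24 hours of account and group changes on a DC. It assumes the GPO has enabled the “Account Management” audit subcategories; the CSV path is a placeholder.

```powershell
# Added example, not from the original page. Reading the Security log
# needs admin rights or membership of the "Event Log Readers" group.
# The CSV output path is a placeholder.

# Well-known Security event IDs for the audited activities listed above.
$AuditEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4728 = 'Member added to global group'
    4732 = 'Member added to domain local group'
    4756 = 'Member added to universal group'
    4740 = 'Account locked out'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($AuditEvents.Keys)
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue   # no error when nothing matched

# Read the named EventData fields from each event's XML rather than the
# positional Properties array, whose order differs between event IDs.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Activity = $AuditEvents[[int]$e.Id]
        Target   = $data['TargetUserName']   # account, or the group for 4728/4732/4756
        Member   = $data['MemberName']       # set only for group-membership events
        Actor    = $data['SubjectUserName']  # who performed the change
        DC       = $e.MachineName
    }
}

# Most recent first on screen; the CSV feeds the SIEM or compliance archive.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Export-Csv -Path 'C:\AuditReports\ad-changes.csv' -NoTypeInformation
```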
What is a SID (Security Identifier)?
- A SID (Security Identifier) is a unique identifier assigned to each User, Group, or Computer account within the Windows environment.
- It identifies the account and is used to control its access to resources within the Windows environment.
What is PAM (Privileged Access Management)?
- PAM (Privileged Access Management) is a set of practices, processes, and technologies designed to control and monitor privileged accounts and access within an organization’s IT (Information Technology) infrastructure.
- It focuses on managing and securing accounts with elevated privileges, such as administrator or service accounts, which have extensive control and access rights.
What is SSO (Single Sign-On)?
SSO (Single Sign-On) is a feature that allows users to authenticate themselves once and gain access to multiple systems or applications without providing credentials again.
What is EFS (Encrypting File System)?
- EFS (Encrypting File System) provides file-level encryption to protect sensitive data stored on NTFS (New Technology File System) volumes.
- It allows users to encrypt individual files and folders on their local computer, making the data unreadable without the appropriate encryption key.
Experience-Based/Practical Questions & Answers
How many unsuccessful login attempts can the administrator’s account make in an AD environment before being locked out?
- Unlimited.
- By default, the administrator’s account in AD does not have a lockout policy applied.
If the administrator deleted an AD user and created a new account with the same username and password, would the SID and permissions be the same?
- If an AD user account is deleted and then recreated with the same username, the new account will have a different SID.
- A SID is generated when the account is created and is unique to each account. Therefore, the newly created account has a new and distinct SID, and it does not keep or inherit the permissions of the previous account.
What happens to an AD user account’s SID and permissions when renamed?
When an AD user account is renamed, the SID of the account remains the same. As a result, the renamed account will retain the same permissions as the original account, as the permissions are tied to the SID.
What benefits does SSO provide in an organization with a large number of roaming users?
SSO can provide several benefits and enable various capabilities in an organization with many roaming users. Some of the things that can be done with SSO in such an environment include:
- SSO allows roaming users to access multiple applications and systems with a single set of credentials.
- It enables centralized user authentication, storing and managing user credentials in a central identity provider.
- It allows for implementing strong authentication factors such as MFA (Multi-Factor Authentication).
Is it possible to retrieve a list of users who have not logged in to the Domain for the past few months?
Yes. Use the Get-ADUser cmdlet with additional parameters.
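As an added example (not part of the original page), the Get-ADUser query the answer above refers to, listing enabled accounts with no domain logon in the last 90 days. It assumes the ActiveDirectory (RSAT) module is available; the 90-day threshold and CSV path are placeholders.

```powershell
# Added example, not from the original page. Threshold and CSV path are
# placeholders; requires the ActiveDirectory module.
Import-Module ActiveDirectory

$Days      = 90
$Threshold = (Get-Date).AddDays(-$Days)

# LastLogonDate is the friendly view of lastLogonTimestamp, which replicates
# between DCs but is only rewritten when the stored value is more than
# 9-14 days old. It is therefore accurate to about two weeks, which is fine
# for a "months" question; the non-replicated lastLogon attribute would
# have to be read from every DC for a precise answer.
$stale = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, whenCreated, PasswordLastSet |
    Where-Object {
        # Accounts that never logged on have no LastLogonDate; count them as
        # stale only if they were created before the threshold.
        if ($_.LastLogonDate) { $_.LastLogonDate -lt $Threshold }
        else                  { $_.whenCreated   -lt $Threshold }
    } |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated,
                  PasswordLastSet, DistinguishedName |
    Sort-Object LastLogonDate

$stale | Format-Table -AutoSize
$stale | Export-Csv -Path 'C:\AuditReports\stale-users.csv' -NoTypeInformation

# Search-ADAccount gives the same kind of answer in a single call (it also
# relies on lastLogonTimestamp) and is the quickest ad-hoc check.
Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) -UsersOnly |
    Where-Object Enabled | Select-Object SamAccountName, LastLogonDate
```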
How can EFS encrypted files be recovered?
Recovering EFS encrypted files can be complex and requires the original encryption certificate and the associated private key.
What are the eight main security risks or threats associated with AD?
Organizations need to be aware of several security risks and threats associated with AD. Here are some of the main ones:
- Unauthorized access - if attackers gain unauthorized access to AD, they can potentially compromise the entire network.
- Weak passwords.
- Malware.
- Ransomware.
- Insider threats.
- Phishing attacks.
- DoS (Denial-of-Service) attacks.
- Lack of patching and updates.
How can you secure an AD environment?
Here are some best practices:
- Implement strong password policies.
- Implement account lockout policies.
- Enable MFA.
- Apply the least-privilege principle.
- Limit administrative access.
- Use group-based access control.
- Regularly update and patch systems.
- Maintain a DR (Disaster Recovery) plan.
- Implement an IDPS (Intrusion Detection and Prevention System). It monitors network traffic, detects suspicious or anomalous behavior related to password attacks, and can help block and prevent such attacks in real time. IDPS is typically third-party hardware or software.
- Use SIEM (Security Information and Event Management) tools to analyze AD events in real time. SIEM is typically third-party hardware or software.
What additional things should be considered regarding AD security in a multi-domain or multi-forest environment?
- Implement the right “Trust Relationships.”
- Implement ADFS (Active Directory Federation Services) to enable SSO and federated identity management across Domains or Forests.
- Use selective authentication.
- Configure firewalling.