
Page 1: | GOPAS a.s. | ondrej@sevecek.com | ......FSMO roles after restart must replicate at least one partner for the FSMO’s partition only Windows 2003 RTM and older only in-site automatically

FUNCTIONAL LEVELS AND FSMO

Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CISA | ondrej@sevecek.com | www.sevecek.com

FUNCTIONAL LEVELS
Active Directory Troubleshooting


Domain vs. Forest levels

Forest level

defines the least possible domain level in the whole forest

can be raised by Schema FSMO only

Domain level

defines the least possible DC version hosting the domain

raising it requires the PDC emulator
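The following PowerShell is an added example and not part of the slides. It puts the two rules above into a check: it reads the current forest and domain level, lists the operating system of every DC in the domain, and reports the highest domain level the oldest DC could still host, together with the PDC emulator the raise has to be done on. It assumes the ActiveDirectory module (RSAT) is installed and that the operatingSystem attribute of the DCs follows the usual "Windows Server <year>[ R2]" naming; the rank table is the example's own.

```powershell
Import-Module ActiveDirectory

# Ordered from newest to oldest so that "2008 R2" matches before "2008" (assumption: AD OS strings).
$script:LevelTable = @(
    @{ Pattern = '2012 R2'; Level = 'Windows2012R2Domain'; Rank = 6 },
    @{ Pattern = '2012';    Level = 'Windows2012Domain';   Rank = 5 },
    @{ Pattern = '2008 R2'; Level = 'Windows2008R2Domain'; Rank = 4 },
    @{ Pattern = '2008';    Level = 'Windows2008Domain';   Rank = 3 },
    @{ Pattern = '2003';    Level = 'Windows2003Domain';   Rank = 2 },
    @{ Pattern = '2000';    Level = 'Windows2000Domain';   Rank = 1 }
)

function Get-DcLevelRow {
    # Highest domain level a DC with this operating-system string can host (null if unknown).
    param([string]$OperatingSystem)
    foreach ($row in $script:LevelTable) {
        if ($OperatingSystem -match $row.Pattern) { return $row }
    }
    return $null
}

function Get-LevelReadiness {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $d   = Get-ADDomain -Identity $Domain
    $f   = Get-ADForest -Identity $d.Forest
    $dcs = Get-ADDomainController -Filter * -Server $Domain

    $lowest  = $null
    $unknown = @()
    foreach ($dc in $dcs) {
        $row = Get-DcLevelRow $dc.OperatingSystem
        if ($null -eq $row) { $unknown += $dc.HostName; continue }
        if ($null -eq $lowest -or $row.Rank -lt $lowest.Rank) { $lowest = $row }
    }
    $highest = if ($lowest) { $lowest.Level } else { 'n/a' }

    [pscustomobject]@{
        Domain               = $d.DNSRoot
        ForestMode           = $f.ForestMode      # least possible domain level in the whole forest
        DomainMode           = $d.DomainMode      # current domain level
        PdcEmulator          = $d.PDCEmulator     # the DC on which the domain level is raised
        OldestDcOs           = $lowest.Pattern
        HighestRaisableLevel = $highest           # limited by the oldest DC hosting the domain
        DcsWithUnknownOs     = ($unknown -join ', ')
    }
}

Get-LevelReadiness | Format-List
```

A DC whose operatingSystem attribute is empty (typically one that is offline or was never fully promoted) is listed under DcsWithUnknownOs rather than silently ignored, because such a DC would still block the raise.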

Domain Levels

Windows 2000 Mixed = NT4.0

not supported by Windows 2008+

Windows 2000 Native

Windows 2003

Windows 2008

Windows 2008 R2

Windows 2012


Windows 2000 Native level

Forest level

cannot be lower than this

Domain level

universal groups

group nesting

group conversions between security/distribution

sIDhistory

Windows 2003 level

Forest level

forest trust (Kerberos enabled)

domain rename

linked value replication (merge)

RODC can be deployed

deactivation and redefinition of attributes in schema

Domain level

domain controller rename

redircmp, redirusr

lastLogonTimestamp

constrained delegation, protocol transition

selective authentication


Windows 2008 level

Forest level

Domain level

granular (fine-grained) password policies

personal virtual desktops

last interactive logon information

AES support for Kerberos

DFS replication for SYSVOL

Windows 2008 R2 level

Forest level

recycle bin

Domain level

authentication assurance

automatic SPN management for managed service accounts


Level invariant operations

Try next closest site: 2003 and older DCs cannot return this information to clients and should be removed

Confidential attributes: 2000 DCs would reveal them (they do not require Full Control)

RODC can work even in a 2003 domain; it requires at least one 2008 DC to download from

Computed attributes

msDS-UserAccountDisabled (2008+)

msDS-User-Account-Control-Computed (2003+)

msDS-UserPasswordExpiryTimeComputed (2008+)

Level invariant operations

LDAP_MATCHING_RULE_IN_CHAIN since Windows 2003 SP1

objectClass being indexed in addition to objectCategory since Windows 2008

Restore snapshot of a virtual DC since Windows 2012

Managed Service Accounts

must have 2008 R2 schema (DFL 2008 R2 offers automatic SPN management)

must run on 2008 R2 member servers


Level invariant operations

MD5 Digest hashes

since Windows 2003

sIDCompatibilityVersion

linkId automatic generation

Windows 2003+

OID 1.2.840.113556.1.2.50

FSMO ROLES
Active Directory Troubleshooting


FSMO Roles

Forest wide Schema Master

Domain Naming Master

Domain wide PDC Emulator

RID Master

Infrastructure Master

Site wide "FSMO": Intersite Topology Generator (ISTG), dynamic

moves from one DC to another if the current holder shuts down for more than 75 minutes

Finding FSMOs

dsquery * dc=idtt,dc=local -filter "(fsmoRoleOwner=*)" -attr distinguishedName fsmoRoleOwner

Run the same query against the other partitions that hold FSMO objects:

dsquery * cn=configuration,dc=idtt,dc=local -filter "(fsmoRoleOwner=*)" -attr distinguishedName fsmoRoleOwner

dsquery * cn=schema,cn=configuration,dc=idtt,dc=local -filter "(fsmoRoleOwner=*)" -attr distinguishedName fsmoRoleOwner


FSMO Transfer vs. Seizure

Transfer requires both to be online

After seizure the original owner must not start again

NTDSUTIL

  Roles

  Connections

    Connect to server srv2.idtt.local

    Quit

  Transfer / Seize

Transfer/seizure permissions

Role            Group              Operational attribute       Control Access Right           Object holding fSMORoleOwner
Schema          Schema Admins      becomeSchemaMaster          Change-Schema-Master           CN=Schema,CN=Configuration,DC=...
Domain Naming   Enterprise Admins  becomeDomainMaster          Change-Domain-Master           CN=Partitions,CN=Configuration,DC=...
PDC Emulator    Domain Admins      becomePDC                   Change-PDC                     DC=...
RID             Domain Admins      becomeRIDMaster             Change-RID-Master              CN=RID Manager$,CN=System,DC=...
Infrastructure  Domain Admins      becomeInfrastructureMaster  Change-Infrastructure-Master   CN=Infrastructure,DC=...
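An added example (not from the slides) that serves both the "Finding FSMOs" dsquery and the table above: it reads the fSMORoleOwner attribute from the five holder objects in the table, resolves the NTDS Settings DN stored there to the DC's DNS name and site, and flags a reference that points at a deleted NTDS Settings object (the "\0ADEL:" form), which is what a DC that still carries the pre-seizure owner looks like. It assumes the ActiveDirectory module; partition DNs are taken from the root DSE rather than hard-coded.

```powershell
Import-Module ActiveDirectory

function Get-FsmoOwnersFromAttribute {
    # Reads fSMORoleOwner from each holder object and resolves it to the owning DC.
    # -Server lets you ask a specific DC, to compare what different replicas believe.
    param([string]$Server)
    $common = @{}
    if ($Server) { $common.Server = $Server }

    $root = Get-ADRootDSE @common
    $cfg  = $root.configurationNamingContext
    $dom  = $root.defaultNamingContext

    # Holder objects from the permissions table (RID Manager$ needs the $ escaped in PowerShell)
    $holders = [ordered]@{
        'Schema Master'         = $root.schemaNamingContext
        'Domain Naming Master'  = "CN=Partitions,$cfg"
        'PDC Emulator'          = $dom
        'RID Master'            = "CN=RID Manager`$,CN=System,$dom"
        'Infrastructure Master' = "CN=Infrastructure,$dom"
    }

    foreach ($role in $holders.Keys) {
        $obj   = Get-ADObject @common -Identity $holders[$role] -Properties fSMORoleOwner
        $ntds  = [string]$obj.fSMORoleOwner
        $state = 'ok'; $owner = $null; $site = $null

        if ($ntds -match '\\0ADEL:') {
            # The attribute points at a deleted NTDS Settings object: the former owner was
            # seized/removed and this replica's reference has not been updated.
            $state = 'deleted owner (stale reference)'
        } else {
            # DN layout: CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,<config NC>
            $rdns   = $ntds -split ','
            $site   = $rdns[3] -replace '^CN=', ''
            $parent = $rdns[1..($rdns.Length - 1)] -join ','       # the server object
            $owner  = (Get-ADObject @common -Identity $parent -Properties dNSHostName).dNSHostName
        }

        [pscustomobject]@{
            Role         = $role
            Owner        = $owner
            Site         = $site
            State        = $state
            HolderObject = $holders[$role]
        }
    }
}

Get-FsmoOwnersFromAttribute | Format-Table -AutoSize
```

Running it once per DC with -Server and comparing the Owner column is a quick way to see whether a role transfer has replicated everywhere yet.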


Domain Naming Master

“Installation of a new domain”

Prevents name collisions

The only DC that can accept changes into CN=Partitions,CN=Configuration,DC=root-domain

Schema Master

Enables modifications of schema partition

new classes

new attributes

class/attribute relationship

inclusion in GC

default security descriptor


PDC Emulator

Immediate password changes

“Forwarded” account lockout

failed logons are forwarded to the PDC for another attempt

Time authority

other DCs synchronize with PDC

domain members synchronize with their current DC

AdminSDHolder

Trust password creation and maintenance

GPMC operation target

Transferring PDC from 2000 to 2003

Creates new BUILTIN groups

Builtin\Remote Desktop Users

Builtin\Network Configuration Operators

Performance Monitor Users

Performance Log Users

Builtin\Incoming Forest Trust Builders

Builtin\Performance Monitoring Users

Builtin\Performance Logging Users

Builtin\Windows Authorization Access Group

Builtin\Terminal Server License Servers

Changes some memberships


Transferring PDC from 2003 to 2008

Also happens when a new RODC is added

Newly created groups

Builtin\IIS_IUSRS

Builtin\Cryptographic Operators

Allowed RODC Password Replication Group

Denied RODC Password Replication Group

Read-only Domain Controllers

Builtin\Event Log Readers

Builtin\Certificate Service DCOM Access

Enterprise Read-only Domain Controllers

Trust

If you trust a bank, you would create an account there

You will also have to remember some access code (password) to access that account


Trust

[Diagram: trusting domain on one side, trusted domain on the other; the TDO in the trusting domain holds the trust password, the trust user account in the trusted domain holds its hash]

Trust creation

TDO in trusting domain

stores full password

password maintained by PDC emulator

changed regularly every 30 days (same policy as computers)

CN=System,DC=...

Trust object in the trusted domain

just a user account (hidden$)

CN=Users,DC=...


Trust passwords and NTLM

[Diagram: trusting domain with DC1 and server SRV; trusted domain with DC2 and user Kamil with his password; the NTLM logon to SRV is passed from DC1 to DC2 over the "secure channel" protected by the trust password]

Shortcut trusts

idtt.local

  am.idtt.local

    ny.am.idtt.local

  eu.idtt.local

    paris.eu.idtt.local


Trust Creation

Both FQDNs must be resolvable mutually

Each part of the trust can be created separately

After the initial manual password set, the password is reset automatically to some random form

Trust maintenance

Netlogon on PDC

Changes password regularly

every 30 days

the same policy as computer passwords

Updates name routing mappings

every service restart
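An added example, not part of the slides, covering the trust objects described on the last three slides: for each trust of the local domain it shows the TDO in CN=System, looks for the matching interdomain trust account "<partner NetBIOS>$" in CN=Users (present when the partner trusts this domain), and computes the age of that account's password so that a trust whose Netlogon rotation has stopped working (older than the 30-day policy above) stands out. It assumes the ActiveDirectory module and read access to both containers; the 0x800 INTERDOMAIN_TRUST_ACCOUNT flag and the bitwise-AND matching rule OID are standard AD values.

```powershell
Import-Module ActiveDirectory

function Get-TrustAccountStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [int]$MaxAgeDays = 30)

    $dom  = Get-ADDomain -Identity $Domain
    $base = $dom.DistinguishedName

    # Trusted Domain Objects of this (trusting) domain live in CN=System
    $tdos = Get-ADObject -Server $Domain -SearchBase "CN=System,$base" `
        -LDAPFilter '(objectClass=trustedDomain)' -Properties trustPartner,flatName,trustDirection

    # Interdomain trust accounts: user objects in CN=Users with userAccountControl bit 0x800 (2048);
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
    $accts = Get-ADObject -Server $Domain -SearchBase "CN=Users,$base" `
        -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2048))' `
        -Properties sAMAccountName,pwdLastSet

    $directions = @{ 1 = 'inbound (partner trusts us)'; 2 = 'outbound (we trust partner)'; 3 = 'bidirectional' }

    foreach ($t in $tdos) {
        # The hidden account is named after the trusting partner's NetBIOS name plus "$"
        $acct = $accts | Where-Object { $_.sAMAccountName -eq "$($t.flatName)`$" } | Select-Object -First 1
        $acctName = $null; $age = $null
        if ($acct) {
            $acctName = $acct.sAMAccountName
            if ($acct.pwdLastSet) {
                $set = [datetime]::FromFileTimeUtc($acct.pwdLastSet)
                $age = [int]((Get-Date).ToUniversalTime() - $set).TotalDays
            }
        }

        [pscustomobject]@{
            Partner         = $t.trustPartner
            Direction       = $directions[[int]$t.trustDirection]
            TdoDN           = $t.DistinguishedName
            TrustAccount    = $acctName
            PasswordAgeDays = $age
            Stale           = ($null -ne $age -and $age -gt $MaxAgeDays)
        }
    }
}

Get-TrustAccountStatus | Format-Table -AutoSize
```

The outgoing side of the secret (trustAuthOutgoing on the TDO) is not readable this way, so for an outbound-only trust the script can only list the TDO; the actual channel is verified with netdom trust <trusting> /domain:<trusted> /verify or nltest /sc_verify:<domain>.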


Time synchronization

Time must be within +/- 5 minutes

“performance” setting for Kerberos

Authentication problems

accessing servers that are out of sync

DC replication

NTP time synchronization

[Diagram: the PDC at the top of the time hierarchy; the other DCs synchronize with the PDC; servers (SRV) and clients (Cl) synchronize with their own DC]


NTP time synchronization

w32tm /query /configuration

w32tm /query /status

PDC: w32tm /config /syncfromflags:ALL /manualpeerlist:"tik.cesnet.cz tak.cesnet.cz" /reliable:YES /update (registry Type = AllSync, AnnounceFlags = 5)

DC: w32tm /config /syncfromflags:DOMHIER /update (registry Type = NT5DS), or use GPO

NTP packets within the domain are signed with keys derived from Windows authentication (the secure channel)
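An added example (not from the slides) that turns the w32tm commands above into a check across all DCs: for each DC it reports the configured time source (w32tm /query /source) and measures the clock offset with w32tm /stripchart, then expresses every DC's clock relative to the PDC emulator and flags anything beyond the 5-minute Kerberos tolerance from the previous slide. It assumes the ActiveDirectory module, that w32tm can reach UDP 123 on each DC from the machine running it, and the "hh:mm:ss, +ss.fffffffs" line format of /stripchart /dataonly.

```powershell
Import-Module ActiveDirectory

function Get-ClockOffset {
    # Offset in seconds of $ComputerName's clock relative to this machine, averaged over a few samples.
    param([string]$ComputerName, [int]$Samples = 3)
    $lines = & w32tm.exe /stripchart /computer:$ComputerName /samples:$Samples /dataonly 2>&1
    $vals = foreach ($l in $lines) {
        # data lines look like "12:00:01, +00.0012345s"
        if ("$l" -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $vals) { return $null }   # unreachable or NTP blocked
    return ($vals | Measure-Object -Average).Average
}

function Test-DcTimeSync {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [int]$MaxSkewSeconds = 300)   # Kerberos default: 5 minutes

    $dom = Get-ADDomain -Identity $Domain
    $pdc = $dom.PDCEmulator
    $pdcOffset = Get-ClockOffset $pdc

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $target = $dc.HostName
        $source = "$(& w32tm.exe /query /source /computer:$target 2>&1 | Select-Object -First 1)"
        $off    = Get-ClockOffset $target

        # Both offsets are measured from the local clock, so the difference cancels it out.
        $skew = $null
        if ($null -ne $off -and $null -ne $pdcOffset) { $skew = [math]::Round($off - $pdcOffset, 3) }

        [pscustomobject]@{
            DC                    = $target
            IsPdc                 = ($target -eq $pdc)
            TimeSource            = $source             # expected: the PDC for every DC except the PDC itself
            SkewFromPdcSeconds    = $skew
            OutOfKerberosTolerance = ($null -ne $skew -and [math]::Abs($skew) -gt $MaxSkewSeconds)
        }
    }
}

Test-DcTimeSync | Format-Table -AutoSize
```

A DC whose TimeSource reads "Local CMOS Clock" or "Free-running System Clock" has fallen out of the hierarchy even if its skew is still small today; that is the case the /syncfromflags:DOMHIER line above fixes.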

RID Master

Allocates RID pools for DCs to create new security principals

Required during DCPROMO

not required for RODC promotion (as long as some writable DC has one RID available to create the RODC object)
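An added example, not part of the slides: reading the RID pools this slide describes. The domain-wide pool is the 64-bit rIDAvailablePool attribute on CN=RID Manager$,CN=System (high 32 bits = highest RID the domain can ever hand out, low 32 bits = start of the next pool the RID master will allocate); each writable DC's own pool is in the RID Set object referenced from its computer account (rIDAllocationPool with the same high/low layout, rIDNextRID for the next value). The script decodes both and reports how many RIDs remain. It assumes the ActiveDirectory module; the "remaining" figures are approximate to one RID.

```powershell
Import-Module ActiveDirectory

function Split-RidPool {
    # A RID pool is stored as one 64-bit value: high 32 bits = upper bound, low 32 bits = lower bound / next.
    param([int64]$Value)
    [pscustomobject]@{
        Low  = [int64]($Value -band [int64][uint32]::MaxValue)   # 0xFFFFFFFF literal would be -1 in PowerShell
        High = [int64]($Value -shr 32)
    }
}

function Get-RidStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain
    $mgr = Get-ADObject -Server $Domain -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
        -Properties rIDAvailablePool,fSMORoleOwner
    $global = Split-RidPool $mgr.rIDAvailablePool

    # Domain-wide view: what the RID master still has to give out
    [pscustomobject]@{
        Scope = 'Domain'; Name = $dom.DNSRoot; NextRid = $global.Low; MaxRid = $global.High
        Remaining = $global.High - $global.Low; RidMasterRef = $mgr.fSMORoleOwner
    }

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        if ($dc.IsReadOnly) { continue }   # RODCs never receive a RID pool (they do not create principals)

        $comp = Get-ADComputer -Server $Domain -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
        $setDn = @($comp.rIDSetReferences) | Select-Object -First 1
        if (-not $setDn) { continue }       # no pool yet: DC has not asked the RID master

        $set  = Get-ADObject -Server $Domain -Identity $setDn -Properties rIDAllocationPool,rIDNextRID
        $pool = Split-RidPool $set.rIDAllocationPool
        $next = if ($set.rIDNextRID) { [int64]$set.rIDNextRID } else { $pool.Low }

        [pscustomobject]@{
            Scope = 'DC'; Name = $dc.HostName; NextRid = $next; MaxRid = $pool.High
            Remaining = $pool.High - $next; RidMasterRef = $null
        }
    }
}

Get-RidStatus | Format-Table -AutoSize
```

A DC with no RID Set object, or whose Remaining is zero while the RID master is unreachable, is the situation in which DCPROMO and account creation start failing; dcdiag /test:ridmanager /v reports the same numbers from the RID master's point of view.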


Infrastructure Master

Updates DN references to objects in different domains

only required in multidomain forest

only required when some DCs are not global catalogs

Cannot run on GC

would not see the differences
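An added example (not part of the slides) for the placement rule just stated: for every domain in the forest it finds the Infrastructure Master, checks whether that DC is a global catalog, lists the non-GC DCs, and reports the combination as misplaced only when it matters (more than one domain and at least one DC that is not a GC). It also reads the "Days per database phantom scan" value from the slide on checkPhantoms from the IM's registry, when remote registry access allows it. It assumes the ActiveDirectory module and, for the registry part, the Remote Registry service on the IM.

```powershell
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$Forest = (Get-ADForest).Name)

    $f = Get-ADForest -Identity $Forest
    $multiDomain = @($f.Domains).Count -gt 1

    foreach ($domName in $f.Domains) {
        $d      = Get-ADDomain -Identity $domName
        $dcs    = Get-ADDomainController -Filter * -Server $domName
        $im     = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
        $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $imIsGc = [bool]($im -and $im.IsGlobalCatalog)

        # The role only matters in a multi-domain forest where some DCs are not GCs; then it must not
        # sit on a GC, because a GC holds a copy of every object and never sees the differences.
        $relevant  = $multiDomain -and ($nonGc.Count -gt 0)
        $misplaced = $relevant -and $imIsGc

        # Phantom scan interval on the IM (default: every 2 days)
        $scanDays = 'default (2)'
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $d.InfrastructureMaster)
            $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
            $v    = $key.GetValue('Days per database phantom scan')
            if ($null -ne $v) { $scanDays = $v }
        } catch { $scanDays = 'unreadable' }

        [pscustomobject]@{
            Domain               = $domName
            InfrastructureMaster = $d.InfrastructureMaster
            ImIsGlobalCatalog    = $imIsGc
            NonGcDcs             = (@($nonGc | Select-Object -ExpandProperty HostName) -join ', ')
            RoleRelevant         = $relevant
            Misplaced            = $misplaced
            PhantomScanDays      = $scanDays
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

When every DC is a GC, Misplaced stays false even though the IM sits on a GC: there is nobody left who could hold a stale cross-domain reference, which is the "only required when some DCs are not GCs" case above.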

Group membership

[Diagram: group Sales with four members]

Members stored in the local database (complete control over moves/deletes):

CN=Kamil,OU=London,DC=mainoffice,DC=idtt,DC=...

CN=Judith,OU=Paris,DC=mainoffice,DC=idtt,DC=...

Members stored in a remote database (how do we track moves/deletes?):

CN=Victor,OU=Roma,DC=italy,DC=idtt,DC=...

CN=Stan,OU=Venezia,DC=italy,DC=idtt,DC=...


Group membership

[Diagram: group Sales with four members]

Members stored in the local database (complete control over moves/deletes):

CN=Kamil,OU=London,DC=mainoffice,DC=idtt,DC=...

CN=Judith,OU=Paris,DC=mainoffice,DC=idtt,DC=...

Remote members referenced through local phantoms (a phantom stores the GUID + DN of the real object):

Victor-GUID

Stan-GUID

Infrastructure master vs. GC


checkPhantoms scan

Every 2 days

HKLM\System\CurrentControlSet\Services\NTDS\Parameters

Days per database phantom scan = DWORD

checkPhantoms

Must be run on the Infrastructure FSMO


Availability design

Global Catalogue security – every logon

PDC mgmt – some logons, time synchronization security? – AdminSDHolder

Infrastructure security – other domain references

RID mgmt – newly created objects, DC installation

Schema, Naming mgmt – schema, new domains

RID/Naming transfer replication

[Diagram: the RID role is moved from "Old RID" to "New RID"; a third DC still references the old owner]

the DC tries the original FSMO owner first

it updates the reference immediately, even without replication (no failure)


PDC transfer replication

[Diagram: the PDC role is moved from "Old PDC" to "New PDC"; a third DC still references the old owner]

the DC keeps using the original PDC until the new information is replicated

NTP and password replication go to the wrong destination in the meantime

Initial Synchronization

FSMO roles after restart must replicate

at least one partner

for the FSMO’s partition only

Windows 2003 RTM and older

only in-site automatically

intersite only on regular schedule

Windows 2003 SP1 and newer

any partner in any site, in a random order, immediately


Requirements for promoting DCs

http://www.sevecek.com/Lists/Posts/Post.aspx?ID=251

New DC in the same domain

  Domain Admins

  RID FSMO for a writable DC, in order to obtain the initial RID pool

New domain in the same forest

  Enterprise Admins

  Naming FSMO to create the new partition

  Domain Admins in the trusting/trusted domain

  PDC in the trusted/trusting domain

  Schema FSMO if installing a newer version