Active Directory Maintenance Checklist

With so many moving parts related to AD, it is important to know how to monitor, report, fix, and diagnose issues related to the different supporting technologies. Identifying bottlenecks and resolving them before they cause much harm improves productivity, efficient usage of resources, consistency of data and services, and reduces the number of help desk tickets.

The key aspects that help support and maintain AD include the following:

  • DNS
    • Checking zones and removing obsolete zones: stale zones and resource records should be cleaned up and removed to prevent their accumulation in zone data and to improve responsiveness.
    • Checking name servers and removing WINS dependencies: Active Directory is DNS intensive, and WINS dependencies can be removed.
    • Checking DNS for dormant static records and configuring DNS scavenging: DNS scavenging removes stale and orphaned DNS records from the database.
    • Clearing the DNS cache: clearing all entries from the DNS forwarding cache helps new DNS information take effect.
    • Updating root hints: root hints configure authoritative servers of non-root zones to discover other authoritative servers that exist in other subtrees or at higher levels.
    • Allowing only secure dynamic updates for all DNS zones: ensures that only authenticated users can submit DNS updates, using a secure method that prevents IP addresses from being hijacked.
    • Securing the DNS Server: secures access control of the DNS Server service.
  • AD Replication
    • Checking that replication is working properly and within acceptable limits: replication is critical to the availability and consistency of data across domain controllers. If replication fails between DCs, several aspects of AD become unavailable.
    • Verifying that all DCs are communicating with the central monitoring console and examining all replication alerts on DCs: examining and resolving alerts regularly can avoid service outages to some extent. A communication failure between a DC and the monitoring infrastructure causes problems in receiving these alerts.
    • Verifying that all DCs are running the same service pack and hotfix patches: if DCs run different versions of software, it may cause problems.
    • Reviewing trust relationships in the forest and removing broken trusts: communication and authentication between domains or forests require trusts. Any broken or stale trust relationship between domains should be removed.
  • AD Backups
    • Capturing system state information related to the AD database, logs, registry, boot files, SYSVOL and other system files: regular backups make it possible to restore the most recent information in AD.
  • DHCP
    • Checking logs and monitoring real-time data: checking logs identifies critical DHCP-related events. It is recommended to implement a proactive monitoring solution for real-time data.
  • Others
    • Checking event logs: event logs help identify whether anyone has performed a sensitive administrative task. It is important to keep log data secure and safe from tampering so that accurate log forensic analysis can be performed.
    • Managing privileged accounts: managing the users and groups that hold administrative privileges is necessary to prevent security breaches. Tracking changes made to privileged accounts helps detect malicious activity.
    • Checking for inactive user accounts: unused or inactive user accounts in AD are a security concern, as attacks on or using them may go unnoticed. It is best to remove such accounts.
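The following read-only health check is an added example, not code from the original post; it turns several of the checklist items above (replication failures, DC patch-level consistency, zones without secure dynamic updates, scavenging state, inactive accounts, privileged group membership and recent group-membership changes) into one report. It assumes the RSAT ActiveDirectory and DnsServer modules, that the PDC emulator also hosts DNS, and an account permitted to read DC, DNS, replication and Security log data; the 90-day inactivity window and the group list are assumptions to adjust per environment.

```powershell
# Added example: read-only AD maintenance check. Assumptions: RSAT ActiveDirectory
# and DnsServer modules are installed, and the PDC emulator hosts DNS.
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# 1. AD replication: any partner link that has failed is worth a ticket
$replFailures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# 2. Patch-level consistency: every DC should report the same OS version and hotfix
$osLevels = $dcs | Group-Object OperatingSystemVersion, OperatingSystemHotfix
$mixedPatchLevels = $osLevels.Count -gt 1

# 3. DNS: AD-integrated zones still allowing non-secure updates, plus scavenging state
$dnsHost = $domain.PDCEmulator   # assumption: PDC emulator runs the DNS Server service
$insecureZones = Get-DnsServerZone -ComputerName $dnsHost |
    Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, DynamicUpdate
$scavenging = Get-DnsServerScavenging -ComputerName $dnsHost

# 4. Inactive user accounts (no logon for 90 days, assumed threshold) that are still enabled
$inactiveUsers = Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly |
    Where-Object Enabled | Select-Object SamAccountName, LastLogonDate

# 5. Privileged group membership, expanded through nested groups
#    (Enterprise/Schema Admins exist only in the forest root, hence SilentlyContinue)
$privGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, objectClass
}

# 6. Security log: members added to security-enabled groups in the last 24 hours
#    (4728 = global group, 4732 = local group, 4756 = universal group)
$groupChanges = Get-WinEvent -ComputerName $dnsHost -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

[pscustomobject]@{
    ReplicationFailures   = $replFailures
    MixedDcPatchLevels    = $mixedPatchLevels
    ZonesWithoutSecureUpd = $insecureZones
    ScavengingEnabled     = $scavenging.ScavengingState
    InactiveEnabledUsers  = $inactiveUsers
    PrivilegedMembers     = $privMembers
    RecentGroupChanges    = $groupChanges
}
```

Pipe the resulting object to `Export-Clixml` or `ConvertTo-Json` to keep a dated record, so that a change in privileged membership or patch level between two runs is visible.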