Clean Up Your Room – Uh, I Mean, Directory
I don’t make my kids clean their rooms just to facilitate harmonious feng shui. They’re busy tirelessly mining through millions of Legos and, when scooping up all those pieces seems overwhelming or uninteresting, I try to explain why. An organized room is a healthier – and safer – place to play.
There’s a clear parallel here with AD: a clean Active Directory is a healthy Active Directory. The health of AD affects the well-being of other applications and systems. For example: how long can your CEO or manager go without e-mail? Exchange and Active Directory are tied together like Daisy and Violet Hilton at a creepy 1920s sideshow attraction (look it up). I’ve seen perfectly healthy Exchange databases crash and become corrupt because the domain controllers had inadequate resources to correctly replicate mailbox information.
Exchange is easy to pick on, but many modern applications rely heavily on AD. Any type of cloud application – think Office 365 – will require syncing and/or federating AD to an outside directory. When you’re paying per user, stale objects can be expensive to migrate or sync.
Directory security is also directly related to AD hygiene. Stale objects, like test or temporary accounts or user accounts that were never de-provisioned, put systems and data at risk. Nested security groups become difficult to manage when it’s time to unravel entangled permissions and access rights.
Any assessment or health check performed on Active Directory is an inanimate, point-in-time snapshot of the environment. This is an excellent starting point, but Active Directory is a living database. AD objects and attributes are constantly changing. For a more accurate picture, invest in a management platform that not only assesses the directory’s current condition, but also monitors and reports on configuration changes over time.
STEALTHbits now offers a free download of their StealthAUDIT AD Assessment that allows you to quickly and easily assess your Active Directory and plan your own Active Directory cleanup. Since many large organizations have multiple teams that manage different aspects of Active Directory, I like to organize the report types according to domain controller functions and directory services. Here’s the key information to gather for each report type:
- Gather information about the Domain Controllers and DNS servers. Whether you’re using AD integrated DNS or not, 90% of all AD issues are DNS-related. Determining how these two services work together is critical. It’s also important to make sure these systems have the recommended computing power for your environment.
- Gather information about the FSMO role holders, global catalog and bridgehead servers. This will identify the function that each domain controller performs in your environment.
- Document free space on all shares that exist on domain controllers and Windows DNS servers. Ideally, domain controllers should be hardened and limited to only one function: providing directory services.
- Verify replication health. Collect statistics such as LastSuccessfulDateTime, NumberOfFails and FailureReason. Replication is often overlooked until someone is troubleshooting after a problem. Be aware of replication issues before they cause a problem.
- Verify DNS health. Collect the statistics for dynamic updates and queries. Similar to AD replication health, you want to find issues before they cause problems.
- Document Forest/Domain functional level, AD sites, trusts and federations.
- Review the Default Password Policy.
- Document the Default Domain Controller Policy Settings and create a mapping of GPOs to OUs – how are policies applied to OUs and child objects?
- Identify stale users, computers and groups and document the account type, OS type and days since last logon.
- Document toxic group conditions such as empty groups, circular nesting and cross forest nesting.
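Two of the toxic group conditions in the last item, empty groups and circular nesting, can be checked mechanically once group membership has been exported. The Python below is an added example, not part of the original post or of StealthAUDIT; the group names are constructed sample data, and the export shape (group name mapped to its direct members) is an assumption.

```python
# Constructed sample export: group name -> direct members. A member that is
# itself a key is a nested group; anything else is a user or computer account.
SAMPLE_GROUPS = {
    "Finance-RW": ["alice", "Finance-Admins"],
    "Finance-Admins": ["bob", "Finance-Leads"],
    "Finance-Leads": ["Finance-RW"],      # closes a three-group loop
    "Legacy-Project": [],                 # empty group
    "Helpdesk": ["carol", "Helpdesk"],    # group nested in itself
    "All-Staff": ["Finance-RW", "Helpdesk", "dave"],
}

def empty_groups(groups):
    """Groups with no direct members at all."""
    return sorted(name for name, members in groups.items() if not members)

def circular_nesting(groups):
    """Loops closed by back edges found in a depth-first walk of the nesting.

    Each loop is rotated to start at its alphabetically first group, so the
    same loop is reported once. Overlapping loops may need a second pass
    after the first findings are fixed.
    """
    UNSEEN, ACTIVE, DONE = 0, 1, 2
    state = dict.fromkeys(groups, UNSEEN)
    loops, reported = [], set()

    def visit(group, path):
        state[group] = ACTIVE
        path.append(group)
        for member in groups[group]:
            if member not in groups:
                continue                  # user or computer, not a group
            if state[member] == ACTIVE:   # member is already on the current path
                loop = path[path.index(member):]
                start = loop.index(min(loop))
                loop = loop[start:] + loop[:start]
                if tuple(loop) not in reported:
                    reported.add(tuple(loop))
                    loops.append(loop)
            elif state[member] == UNSEEN:
                visit(member, path)
        path.pop()
        state[group] = DONE

    for name in sorted(groups):
        if state[name] == UNSEEN:
            visit(name, [])
    return loops

if __name__ == "__main__":
    print("Empty groups:", empty_groups(SAMPLE_GROUPS))
    print("Nesting loops:", circular_nesting(SAMPLE_GROUPS))
```

Deeply nested directories can exceed Python's default recursion limit, so very large exports may need an iterative walk instead.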
Because Active Directory directly impacts the availability of so many systems and users, cleanup projects that follow assessments can take time. To track progress efficiently, I recommend enabling automatic report generation and then keeping the history of these reports in the StealthAUDIT SQL database. Additionally, the StealthAUDIT SQL database has an open architecture that allows standard T-SQL queries, so the data collections can be pulled into key enterprise management solutions such as SIEM, IAM and other investigative tools.
With this documentation in hand, you can demonstrate risk mitigation and validate the success of your AD cleanup projects. You will be able to prove that an organized directory is a healthier – and safer – place to play. Uh, I mean work.