Your Active Directory is a 24/7 service. The Internet has erased the physical boundary that once existed between the office building and the outside world. IT systems that might once have only been accessible from an adjustable-height chair are now in-hand anywhere, anytime. Every service depends on Active Directory, the gatekeeper by which all interactions between devices, systems and users must pass; Active Directory must be running.
As with any other service, the key to maintaining your Active Directory lies in proper management with a continuous improvement lifecycle: design, transition, operate. In this blog post, I will discuss the service life cycle as it applies to Active Directory, to help keep your environment running smoothly and to address service impacts rapidly.
Active Directory best practices have evolved quite a bit since 2000, when the first iterations of the product came out. Newer features and improvements mean that all but a few specific cases will require only a simple single forest/domain model. Additionally, regular reassessment of the Active Directory business requirements is critical to meeting the needs of your dependent services.
Consider time synchronization: many environments use Active Directory for organization-wide time sync. Active Directory only provides loose time synchronization, yet many common enterprise systems require tight synchronization throughout the forest. NetApp authentication, for example, will fail if root dispersion is greater than 10 seconds (https://kb.netapp.com/support/index?page=content&id=1012660), which is a regular occurrence in a global Active Directory environment with a default configuration.
In the security space, it is very important to push toward eliminating insecure protocols and common misconfigurations. Do you have LDAP simple binds enabled on your domain controllers? In the default domain controller configuration, passwords may be traversing the network in clear text.
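One way to answer that question, as an added example rather than code from the original post: raise the LDAP interface diagnostics level on a domain controller and read the resulting Directory Service events. It assumes you run it as an administrator on the DC and that the DC has had time to log some binds after the level is raised.

```powershell
# Added example (not from the original post): audit clear-text LDAP simple binds on a DC.
# Event 2887 is logged daily by default but only carries counts. Raising
# "16 LDAP Interface Events" to 2 makes the DC log event 2889 per offending bind,
# with the client address and the account it bound as. Set it back to 0 afterwards;
# level 2 is verbose on a busy DC.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Latest daily summary (event 2887): how many unsigned / clear-text binds the DC saw
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } -MaxEvents 1 |
    Select-Object TimeCreated, Message

# Per-client detail (event 2889). EventData: [0] client IP:port, [1] identity,
# [2] binding type: 0 = unsigned SASL bind, 1 = simple bind on a clear-text connection
$since = (Get-Date).AddDays(-1)
$binds = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = $d[0] -replace ':\d+$', ''     # strip the source port (IPv4 or IPv6)
            Identity = $d[1]
            Type     = if ($d[2] -eq '1') { 'SimpleBind-ClearText' } else { 'SASL-Unsigned' }
        }
    }

# Clients and accounts that must move to LDAPS or a signed SASL bind before you set
# "Domain controller: LDAP server signing requirements" to Require signing
$binds | Where-Object Type -eq 'SimpleBind-ClearText' |
    Group-Object Client, Identity |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```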
You should regularly take stock of your Active Directory and determine whether improvements are needed; at a technical level, this often involves performing health checks and design reviews. At a broader service level, you’ll need to collect business requirements and assess your Active Directory’s efficacy against them.
Active Directory is a robust directory service that has redundancy and resiliency built in. In my experience, most outages arise from administrator error. While it is impossible to eliminate this variable when managing your Active Directory, having processes in place to mitigate the risks of human fallibility is critical to ensuring a highly available Active Directory environment.
Change management protocols must exist for all Active Directory infrastructure, and changes should be well-communicated to dependent services, with all risks identified. And for all but the most trivial changes, a tested and well-understood rollback plan should exist. For Active Directory schema changes, this means having a tested forest recovery process in place. Simply knowing what changes have occurred in the past 24 hours affords huge advantages if you find yourself in the middle of a critical incident.
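The "what changed in the last 24 hours" question can be answered from the directory itself. The following is an added example, not code from the original post; it assumes the ActiveDirectory and GroupPolicy modules, rights to read deleted objects, and a constructed 24-hour window in $since.

```powershell
# Added example (not from the original post): list what changed in AD in the last 24 hours,
# grouped the way an incident responder wants it: schema, domain objects, deletions, GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$since = (Get-Date).AddHours(-24)   # constructed window for this example
$root  = Get-ADRootDSE

# Schema changes are the ones that need a tested forest recovery plan behind them
$schema = Get-ADObject -SearchBase $root.schemaNamingContext -Filter 'whenChanged -ge $since' `
        -Properties whenChanged, whenCreated |
    Select-Object @{ n = 'Area'; e = { 'Schema' } }, Name, objectClass, whenCreated, whenChanged

# Domain objects created, modified or deleted in the window (tombstones included)
$domain = Get-ADObject -Filter 'whenChanged -ge $since' -IncludeDeletedObjects `
        -Properties whenChanged, whenCreated, isDeleted |
    Where-Object { $_.objectClass -notin 'dnsNode', 'rIDSet' } |   # replication-driven noise
    Select-Object @{ n = 'Area'; e = { if ($_.isDeleted) { 'Deleted' } else { 'Domain' } } },
                  Name, objectClass, whenCreated, whenChanged

# GPO edits are a frequent explanation for "it worked yesterday"
$gpos = Get-GPO -All | Where-Object ModificationTime -ge $since |
    Select-Object DisplayName, Id, CreationTime, ModificationTime

@($schema) + @($domain) | Sort-Object whenChanged -Descending | Format-Table -AutoSize
$gpos | Sort-Object ModificationTime -Descending | Format-Table -AutoSize
```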
Managing updates to Active Directory is very simple. Active Directory patches are included with operating system patches; all recommended and critical patches should be applied as soon as possible. In addition, your patching processes should allow for the deployment of any security patches released outside the normal patch cycle, because a security compromise in Active Directory will affect all your dependent systems.
Once patches are released, vulnerabilities rapidly give rise to attacks found in the wild. For example, Microsoft released a patch for MS14-068 in November 2014 to correct a critical vulnerability that allowed anyone with a normal user credential to elevate permissions to a domain administrator account. Less than a month later, TrustedSec (https://www.trustedsec.com/december-2014/ms14-068-full-compromise-step-step/) published a thorough walkthrough of the steps taken to exploit the vulnerability. To determine if the domain controller is vulnerable, the researcher checks the server uptime. If your domain controllers have uptimes that are over one month, you aren’t patching often enough.
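The uptime heuristic above, together with the root dispersion bound from the time synchronization discussion earlier, can be checked across every domain controller in one pass. This is an added example, not code from the original post; it assumes the ActiveDirectory module, CIM (WinRM) access to each DC, and w32tm on the path, and the two thresholds are the ones the post cites.

```powershell
# Added example (not from the original post): per-DC check of patch cadence (uptime)
# and time quality (root dispersion) across the forest.
Import-Module ActiveDirectory

$maxUptimeDays = 30    # a DC up longer than this has missed at least one monthly patch cycle
$maxDispersion = 10.0  # seconds; the NetApp bound cited earlier

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $h  = $dc.HostName
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -ErrorAction SilentlyContinue
    $uptime = if ($os) { (Get-Date) - $os.LastBootUpTime } else { $null }

    # w32tm prints a line such as "Root Dispersion: 0.0162935s" among the status output
    $disp = $null
    foreach ($line in (w32tm /query /status /computer:$h 2>$null)) {
        if ($line -match 'Root Dispersion:\s*([\d\.]+)s') { $disp = [double]$Matches[1] }
    }

    [pscustomobject]@{
        DC             = $h
        Site           = $dc.Site
        UptimeDays     = if ($uptime) { [math]::Round($uptime.TotalDays, 1) } else { 'n/a' }
        RootDispersion = if ($null -ne $disp) { $disp } else { 'n/a' }
        PatchOverdue   = [bool]($uptime -and $uptime.TotalDays -gt $maxUptimeDays)
        TimeOutOfBound = [bool]($null -ne $disp -and $disp -gt $maxDispersion)
    }
}

$report | Sort-Object UptimeDays -Descending | Format-Table -AutoSize

# Anything flagged goes onto the change calendar: patch and reboot the DC, or repair the
# time hierarchy (PDC emulator synced to a reliable source) before dependent systems fail
$report | Where-Object { $_.PatchOverdue -or $_.TimeOutOfBound }
```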
Finally, the day-to-day management of the Active Directory program itself is critically important to maintaining an available service.
Establish a single team that is accountable for the operation of your Active Directory, and only people on that team should be domain administrators. What’s more, these employees must have a clear understanding and acceptance of the processes they need to follow for any nontrivial changes.
Ensure any problems and major incidents are reviewed for lessons learned. These exercises will often lead to suggestions for improvements to your monitoring systems, which should be followed up on.
Maintaining Active Directory in a healthy state requires that a range of activities function together. Although it is often ignored while it is working effectively, Active Directory can fail catastrophically if it is not properly maintained. Since all your services are tied to its reliability, it is important to follow typical service management practices to help prevent problems before they become significant.